Re: [Full-disclosure] [ESNC-2013-005] Remote Code Injection in SAP ERP Central Component - Project System
Please unsubscribe. Address to be inactive.

-----Original Message-----
From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of ESNC Security
Sent: Monday, May 6, 2013 10:31 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] [ESNC-2013-005] Remote Code Injection in SAP ERP Central Component - Project System

[ESNC-2013-005] Remote Code Injection in SAP ERP Central Component - Project System

Please refer to http://www.esnc.de for the original security advisory, updates and additional information.

1. Business Impact

Project System, which is part of SAP ERP, provides tools to track project costs and resources. It is tightly integrated with the Controlling, Human Resources, and Logistics modules. This vulnerability allows execution of arbitrary program code of the user's choice. According to SAP, the user can:

* Inject and run their own code,
* Obtain additional information that should not be displayed,
* Modify data, delete data.

Since this issue exists in a remote function module, an attacker can directly call the RFC from the network or from the Internet via SOAP-RFC services.

Risk Level: High

2. Advisory Information

-- ESNC Security Advisory ID: ESNC-2013-005
-- CVE ID: CVE-2013-3244
-- Original security advisory: http://www.esnc.de/sap-security-audit-and-scan-services/security-advisories/58-remote-code-injection-in-sap-erp-project-system
-- Vendor Patch Date: 11.12.2012
-- Public Advisory Date: 07.05.2013
-- Researcher: Ertunga Arsal

3. Vulnerability Information

-- Vendor: SAP
-- Affected Components: ERP Central Component PS-IS
-- Affected Versions: Please refer to the SAP note for more information
-- Vulnerable Function: CJDB_FILL_MEMORY_FROM_PPB
-- Vulnerability Class: Remote Code Injection
-- CVSS v2 score by the vendor: 7.5 AV:N/AC:M/AU:S/C:P/I:P/A:C
-- Remotely Exploitable: Yes
-- Authentication Required: Yes
-- Additional Notes: An exploit for this vulnerability is available in ESNC Penetration Testing Suite

4. Solution

Please apply the security patch [SAP Note 1776695] supplied by the vendor. More information can be found at the vendor's site: https://service.sap.com/sap/support/notes/1776695

To prevent this and similar flaws, enterprises can use ESNC Code Security for scanning their own ABAP code or for assessing the security of the ABAP programs installed on their SAP systems.

About ESNC

ESNC GmbH, Germany is a company specialized in SAP penetration testing, ABAP security review and SAP vulnerability assessment services. Its flagship product ESNC Security Suite is used by many large enterprises for security scanning their SAP ABAP and Java AS systems, running ABAP code inspection, enforcing security compliance and for providing SAP security monitoring. For more information about our products and services, please visit our web page at http://www.esnc.de

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Vulnerabilities in VideoJS
Please unsubscribe. Address to be inactive

-----Original Message-----
From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of MustLive
Sent: Monday, May 6, 2013 4:45 PM
To: submissi...@packetstormsecurity.org; full-disclosure@lists.grok.org.uk; 1337 Exploit DataBase
Subject: [Full-disclosure] Vulnerabilities in VideoJS

Hello list!

I want to inform you about vulnerabilities in VideoJS. This is a popular video and audio player, which is used at hundreds of thousands of web sites and in multiple web applications.

This is a Cross-Site Scripting vulnerability in VideoJS. There is also a DoS hole related to this player, which I found on 27.01.2013 at vine.co, which was using VideoJS Flash Component v3.0 (http://vine.co/v/b5HpgZT3ZwL). It concerns Flash Player, and Adobe already fixed it on the 12th of February. More information is in my advisory for the DoS vulnerability in Adobe Flash Player (http://seclists.org/fulldisclosure/2013/Apr/9). Here is my video demonstration of a BSOD in Adobe Flash in Mozilla Firefox using VideoJS (http://www.youtube.com/watch?v=xi29KZ3LD80).

----------
Affected products:
----------

Vulnerable are versions before VideoJS Flash Component 3.0.2 and VideoJS 4.0. Versions VideoJS Flash Component 3.0.2 and VideoJS 4.0 are not vulnerable to the mentioned XSS hole, except XSS via JS callbacks (as can be read in the repository on github). Also there are bypass methods which work in the last version, but the developers haven't fixed them due to their low impact. This week the developers are planning to officially release VideoJS 4.0 (but the swf-file with the fixed XSS hole is already available in the video.js and video-js-swf repositories on github).

The updated version of VideoJS.swf is available in the following repositories:
https://github.com/videojs/video-js-swf
https://github.com/MustLive/video-js-swf

----------
Affected vendors:
----------

Earlier Zencoder, now Brightcove
http://videojs.com

----------
Details:
----------

Cross-Site Scripting (WASC-08):

http://site/video-js.swf?readyFunction=alert(document.cookie)

But the fix in VideoJS Flash Component 3.0.2 does not protect from the following attacks:

http://site/video-js.swf?readyFunction=alert
http://site/video-js.swf?readyFunction=prompt
http://site/video-js.swf?readyFunction=confirm

These are small ones and the developers don't worry about them, so after I drew their attention last week to the incomplete fix, they still released such a fix. But they will think about improving their protection in future versions.

Timeline:

2013.01.27 - found DoS (BSOD) vulnerability.
2013.01.28 - recorded video PoC. And in the night informed Adobe.
2013.02.07 - found XSS vulnerability.
2013.02.08 - informed developers of VideoJS about both vulnerabilities. They thanked and promised to fix it.
2013.02.12 - Adobe fixed DoS vulnerability.
2013.02.23 - reminded VideoJS developers and asked for the date of releasing the fix.
2013.03.09 - again reminded developers.
2013.03.26 - again reminded developers.
2013.04.08 - reminded developers on github and resent the previous letter to Zencoder's developers (since Brightcove, which acquired Zencoder, ignored the hole for two months).
2013.04.08-30 - discussed with developers (on github and by e-mail). And made my own fix to force developers to fix the hole.
2013.04.30 - developers fixed the XSS hole in VideoJS Flash Component 3.0.2 in the source code on github.
2013.05.02 - developers compiled the fixed version of the swf (after my reminding) and uploaded it to both repositories.
2013.05.02 - tested version 3.0.2 and found that the developers haven't fixed the hole completely and informed them.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] Unscribe
Email address to be inactive. Please unsubscribe.

-----Original Message-----
From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of SEC Consult Vulnerability Lab
Sent: Tuesday, May 7, 2013 12:57 AM
To: bugtraq; full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] SEC Consult SA-20130507-0 :: Multiple vulnerabilities in NetApp OnCommand System Manager

SEC Consult Vulnerability Lab Security Advisory < 20130507-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: NetApp OnCommand System Manager
 vulnerable version: <= 2.1 and <= 2.0.2
      fixed version: 2.2 (only XSS fixed)
                CVE: CVE-2013-3320 (XSS)
                     CVE-2013-3321 (File inclusion)
                     CVE-2013-3322 (OS command execution)
             impact: medium
           homepage: http://www.netapp.com/
              found: 2012-11-06
                 by: M. Heinzl
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com/
=======================================================================

Vendor description:
-------------------
You don't need to be a storage expert to manage NetApp storage systems. Configuration and ongoing storage management are easy using the Web-based OnCommand® System Manager. System Manager is the simple yet powerful management solution for NetApp storage: it's easy for small to midsize businesses to use and efficient for large enterprises and service providers.

Source: http://www.netapp.com/us/products/management-software/system-manager.html

Vulnerability overview/description:
-----------------------------------
NetApp OnCommand System Manager suffers from multiple permanent and reflective cross-site scripting vulnerabilities, a local file inclusion vulnerability as well as an OS command execution vulnerability. Malicious, authenticated users can exploit these flaws to change the contents of the displayed site, redirect the user to other sites, steal user credentials, execute system commands and read sensitive information.

The vendor will not fix the file inclusion and OS command execution issues, as they are considered a design feature.

Proof of concepts:
------------------
1) Multiple Reflective Cross-Site Scripting Vulnerabilities (internal bug number 654355) - CVE-2013-3320

When configuring CIFS (Configuration > Protocols > CIFS > Configuration > Setup), JavaScript can be inserted into the parameters domain-name and value.

Request (domain-name):

POST /zapiServlet HTTP/1.1
Host: 127.0.0.1:1195
[...]

<netapp version="1.7" xmlns="http://www.netapp.com/filer/admin"><cifs-setup><auth-type>workgroup</auth-type><domain-name><img src=x onerror=alert(1) /></domain-name><security-style>multiprotocol</security-style><server-name>FILER</server-name></cifs-setup></netapp>

Furthermore, when creating new LUNs or editing already existing ones (Storage > LUNs > (Create or Edit)), JavaScript can be inserted into the parameter comment.

2) Multiple permanent cross-site scripting vulnerabilities (internal bug number 654355) - CVE-2013-3320

When creating new users or editing already existing ones (Configuration > Local Users and Groups > Users > (Create or Edit)), JavaScript can be inserted into the parameters full-name and comment.

Request (full-name):

POST /zapiServlet HTTP/1.1
Host: 127.0.0.1:1457
[...]

<netapp version="1.7" xmlns="http://www.netapp.com/filer/admin"><useradmin-user-modify><useradmin-user><useradmin-user-info><full-name>test<img src=x onerror=alert(1) /></full-name><comment>test</comment><name>test</name><password-maximum-age>4294967295</password-maximum-age><password-minimum-age>0</password-minimum-age><useradmin-groups><useradmin-group-info><name>Administrators</name></useradmin-group-info></useradmin-groups></useradmin-user-info></useradmin-user></useradmin-user-modify></netapp>

Furthermore, when creating new groups or editing already existing ones (Configuration > Local Users and Groups > Groups > (Create or Edit)), JavaScript can be inserted into the parameter comment.

When creating new shares or editing already existing ones (Storage > Shares > (Create or Edit)), JavaScript can be inserted into the parameter comment.

3) Local File Inclusion (internal bug number 654357) - CVE-2013-3321

* When retrieving log files through SnapMirror (Diagnostics > SnapMirror Log), the path can be changed to read arbitrary files from the file system.

4) OS Command Execution (internal bug number 654360) - CVE-2013-3322

* When using the Halt/Reboot interface (Configuration > System Tools > Halt/Reboot), arbitrary OS commands can be injected.

* To exploit these issues, the attacker must be authenticated as root. The vendor will not fix these issues, as they are considered a design feature. Hence no proof of concept will be included within this advisory.

Vendor contact timeline:
------------------------
2012-11-06: Contacting vendor
[Full-disclosure] [2.0 Update] Cisco Security Advisory: Cisco Prime Data Center Network Manager Remote Command Execution Vulnerability
Cisco Security Advisory: Cisco Prime Data Center Network Manager Remote Command Execution Vulnerability

Advisory ID: cisco-sa-20121031-dcnm

Revision 2.0

Last Updated 2013 May 08 16:00 UTC (GMT)

For Public Release 2012 October 31 16:00 UTC (GMT)

Summary
=======

Cisco Prime Data Center Network Manager (DCNM) contains a remote command execution vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the computer that is running the Cisco Prime DCNM application.

Cisco has released free software updates that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121031-dcnm

Note: After this advisory was initially published, it was found that in addition to the DCNM SAN server component that is part of the DCNM solution, the DCNM LAN server is also affected by the same vulnerability. This advisory has been updated to revision 2.0 to indicate that the DCNM LAN server component is also vulnerable, to provide the Cisco bug ID that tracks the vulnerability in the DCNM LAN server component, and to update fixed software information.
[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified Customer Voice Portal Software
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified Customer Voice Portal Software

Advisory ID: cisco-sa-20130508-cvp

Revision 1.0

For Public Release 2013 May 8 16:00 UTC (GMT)

Summary
=======

Cisco Unified Customer Voice Portal Software (Unified CVP) contains multiple vulnerabilities. Various components of Cisco Unified CVP are affected; see the Details section for more information on the vulnerabilities. These vulnerabilities can be exploited independently; however, more than one vulnerability could be exploited on the same device.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130508-cvp
Re: [Full-disclosure] Vulnerabilities in VideoJS
learn to fucking internet.

-illwill
illw...@illmob.org
http://illmob.org

On 5/7/2013 11:09 AM, Ron Yount wrote:

Please unsubscribe. Address to be inactive

-----Original Message-----
From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of MustLive
Sent: Monday, May 6, 2013 4:45 PM
To: submissi...@packetstormsecurity.org; full-disclosure@lists.grok.org.uk; 1337 Exploit DataBase
Subject: [Full-disclosure] Vulnerabilities in VideoJS
[Full-disclosure] Vulnerabilities in multiple web applications with VideoJS
Hello list!

These are Cross-Site Scripting vulnerabilities in multiple web applications with VideoJS. Earlier I wrote about vulnerabilities in VideoJS (http://seclists.org/fulldisclosure/2013/May/21). This is a popular video and audio player, which is used at hundreds of thousands of web sites and in multiple web applications. Among them are VideoJS - HTML5 Video Player for WordPress, Video.js for Drupal, bo:VideoJS for Joomla, videojs-youtube, Telemeta (CMS). And a lot of other web applications. All developers of these applications, the same as developers of all other web applications with VideoJS, need to update it in their software.

----------
Affected products:
----------

Vulnerable are web applications which are using VideoJS Flash Component 3.0.2 and previous versions. Version VideoJS Flash Component 3.0.2 is not vulnerable to the mentioned XSS hole, except XSS via JS callbacks (as can be read in the repository on github). Also there are bypass methods which work in the last version, but the developers haven't fixed them due to their low impact. So update to the last version of VideoJS.swf.

Vulnerable are the following web applications:

VideoJS - HTML5 Video Player for WordPress 3.2.3 and previous versions.
Video.js for Drupal 6.x-2.2 and previous 6.x-2.x versions and 7.x-2.2 and previous 7.x-2.x versions (only these versions are using VideoJS Flash Component).
bo:VideoJS for Joomla 2.1.1 and previous versions (with VideoJS Flash Component).
videojs-youtube (all versions).
Telemeta 1.4.4 and previous versions.

All these developers were informed last week.

----------
Affected vendors:
----------

VideoJS and VideoJS Flash Component were developed by Zencoder.
Earlier Zencoder, now Brightcove
http://videojs.com

----------
Details:
----------

Cross-Site Scripting (WASC-08):

Original example for VideoJS:
http://site/video-js.swf?readyFunction=alert(document.cookie)

VideoJS - HTML5 Video Player for WordPress:
http://site/wp-content/plugins/videojs-html5-video-player-for-wordpress/videojs/video-js.swf?readyFunction=alert(document.cookie)

Video.js for Drupal:
http://site/sites/all/libraries/video-js/video-js.swf?readyFunction=alert(document.cookie)

bo:VideoJS for Joomla:
http://site/plugins/content/bo_videojs/video-js/video-js.swf?readyFunction=alert(document.cookie)

videojs-youtube:
http://site/lib/video-js.swf?readyFunction=alert(document.cookie)

Telemeta:
http://site/htdocs/video-js/video-js.swf?readyFunction=alert(document.cookie)

Timeline:

2013.02.07 - found XSS vulnerability.
2013.02.08 - informed developers of VideoJS about both vulnerabilities. They thanked and promised to fix it.
2013.02.23 - reminded VideoJS developers and asked for the date of releasing the fix.
2013.03.09 - again reminded developers.
2013.03.26 - again reminded developers.
2013.04.08 - reminded developers on github and resent the previous letter to Zencoder's developers (since Brightcove, which acquired Zencoder, ignored the hole for two months).
2013.04.08-30 - discussed with developers (on github and by e-mail). And made my own fix to force developers to fix the hole.
2013.04.30 - developers fixed the XSS hole in VideoJS Flash Component 3.0.2 in the source code on github.
2013.05.02 - developers compiled the fixed version of the swf (after my reminding) and uploaded it to both repositories.
2013.05.02 - tested version 3.0.2 and found that the developers haven't fixed the hole completely and informed them.
2013.05.03 - informed developers of VideoJS - HTML5 Video Player for WordPress.
2013.05.04 - informed developers of Video.js for Drupal, bo:VideoJS for Joomla, videojs-youtube, Telemeta. Alongside with sending the letter to the developer of bo:VideoJS, I also informed Joomla VEL. They moved this extension from JED to VEL.
2013.05.05 - since the developer of videojs-youtube had no e-mails in his github account and his e-mail mentioned at different web sites was not working anymore, I published my letter on github.
2013.05.07 - Telemeta developers answered and thanked (the only ones among these developers).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
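Added illustration for the readyFunction issue described in this post and in the earlier "Vulnerabilities in VideoJS" post (example code written for this page, not VideoJS's own ActionScript): a Python model of the callback-name check a SWF needs before it passes a flashvar value to the browser as a function name. It contrasts a check that only rejects call syntax, which still lets bare globals such as alert through exactly as the bypass URLs show, with one that also requires an allowlisted root object; the videojs root and the videojs.Flash.onReady name are assumptions used for illustration.

```python
"""Model of a callback-name check for a flashvar such as readyFunction.

Added example, not VideoJS project code. The value is used as the name of a
JavaScript function the player calls once it is ready, so it must be validated
before anything like ExternalInterface.call(name) runs in the browser.
"""
import re
from typing import Iterable

# A dotted JavaScript identifier path: "a", "a.b", "videojs.Flash.onReady".
_IDENT_PATH = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$")


def syntax_only_check(name: str) -> bool:
    """Reject anything that is not a plain identifier path (no parentheses, quotes, spaces).

    This is the weaker check: it stops "alert(document.cookie)" but still accepts
    "alert", "prompt" and "confirm", which the browser can call by name alone.
    """
    return bool(_IDENT_PATH.match(name))


def allowlisted_check(name: str, roots: Iterable[str] = ("videojs",)) -> bool:
    """Accept only identifier paths whose first segment is an allowlisted root object.

    The root "videojs" is an assumption for this example; when the set of legitimate
    callbacks is known, an exact-name allowlist is tighter still.
    """
    if not _IDENT_PATH.match(name):
        return False
    return name.split(".", 1)[0] in set(roots)


def classify(name: str) -> str:
    """Summarise how the two checks treat one candidate readyFunction value."""
    weak, strong = syntax_only_check(name), allowlisted_check(name)
    if strong:
        return "accepted"
    return "accepted by syntax-only check, rejected by allowlist" if weak else "rejected"


# Constructed inputs: the values from the posts plus an assumed legitimate callback.
SAMPLES = ["alert(document.cookie)", "alert", "prompt", "confirm", "videojs.Flash.onReady"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:24} -> {classify(sample)}")
```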
[Full-disclosure] Vulnerability in Fujitsu Desktop Update (for Windows)
Hi @ll,

Fujitsu's update utility Fujitsu Desktop Update (see http://support.ts.fujitsu.com/DeskUpdate/Index.asp), which is factory-preinstalled on every Fujitsu (Siemens) PC with Windows, has a vulnerability which allows the execution of a rogue program in the security context of the current user.

The application is registered as a control panel item via

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{070B64FF-795D-4DAA-88AD-6D3277C7E445}]
@=Fujitsu DeskUpdate

The shell object with GUID {070B64FF-795D-4DAA-88AD-6D3277C7E445} is registered with

[HKLM\SOFTWARE\Classes\CLSID\{070B64FF-795D-4DAA-88AD-6D3277C7E445}]
@=Fujitsu DeskUpdate
InfoTip=expand:@C:\\Program Files (x86)\\Fujitsu\\DeskUpdate\\DeskUpdate.exe,-132
System.ControlPanel.Category=dword:0005
System.Software.TasksFileUrl=C:\\Program Files (x86)\\Fujitsu\DeskUpdate\\duconfig.xml

[HKLM\SOFTWARE\Classes\CLSID\{070B64FF-795D-4DAA-88AD-6D3277C7E445}\DefaultIcon]
@=expand:C:\\Program Files (x86)\\Fujitsu\\DeskUpdate\\DeskUpdate.exe,-0

[HKLM\SOFTWARE\Classes\CLSID\{070B64FF-795D-4DAA-88AD-6D3277C7E445}\Shell\Open\Command]
@=C:\\Program Files (x86)\\Fujitsu\\DeskUpdate\\DeskUpdate.exe

The last entry is a pathname with unquoted spaces and allows the execution of the rogue programs C:\Program.exe and/or C:\Program Files.exe, as documented in http://msdn.microsoft.com/library/ms682425.aspx

Stefan Kanthak

PS: long pathnames containing spaces have existed for about 20 years now in Windows, EVERY developer should know how to use them properly, and EVERY QA should check their proper use!
Re: [Full-disclosure] Vulnerabilities in Windows 8 Professional x64 factory preinstallation of Fujitsu Lifebook A512 [continued]
On Sunday, May 05, 2013 10:13 PM I wrote:

Hi @ll,

Fujitsu's (http://www.fsc-pc.de/) factory preinstallation (as found on a Fujitsu Lifebook A512 purchased a month ago) of Windows 8 Professional x64 (I'm VERY confident that other variants of Fujitsu's Windows 8 factory installation are just alike) has the following vulnerabilities which can lead to code execution in the context of the LocalSystem account.

A. Command lines with unquoted paths containing spaces:

[...]

and missed some more REALLY nice vulnerabilities (just like the one Microsoft fixed with https://support.microsoft.com/kb/2781197 alias http://technet.microsoft.com/security/bulletin/ms13-034, which of course is present too).

A.6: TWO vulnerabilities in the preinstalled services from Fujitsu:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PFNService]
ImagePath=expand:C:\\Program Files\\Fujitsu\\Plugfree NETWORK\\PFNService.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PowerSavingUtilityService]
ImagePath=expand:C:\\Program Files\\Fujitsu\\PSUtility\\PSUService.exe

A.7: SIX vulnerabilities in the preinstalled services from Intel:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AMPPALR3]
ImagePath=expand:C:\\Program Files\\Intel\\BluetoothHS\\BTHSAmpPalService.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EvtEng]
ImagePath=expand:C:\\Program Files\\Intel\\WiFi\\bin\\EvtEng.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jhi_service]
ImagePath=expand:C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\DAL\\jhi_service.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LMS]
ImagePath=expand:C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\LMS\\LMS.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWiFiDHCPDNS]
ImagePath=expand:C:\\Program Files\\Intel\WiFi\\bin\\PanDhcpDns.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegSrvc]
ImagePath=expand:C:\\Program Files\\Common Files\\Intel\\WirelessCommon\RegSrvc.exe

JFTR: two other services of Intel don't show this vulnerability!

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHSSecurityMgr]
ImagePath=expand:C:\\Program Files\\Intel\\BluetoothHS\\BTHSSecurityMgr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UNS]
ImagePath=expand:C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\UNS\\UNS.exe

Stefan Kanthak
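An added example (not Stefan Kanthak's code) that turns the CreateProcess rule he cites in this and the previous post into an audit: it parses registry listings in the shape shown above and, for every unquoted command line, lists the paths Windows would try before the real executable, which is how C:\Program.exe and C:\Program Files.exe arise from the DeskUpdate entry. The ExampleSvc and HostSvc entries are constructed safe cases; the real values are copied from the posts.

```python
"""Audit command-line registry values for unquoted paths that contain spaces.

Added example, not Stefan Kanthak's code. Models the CreateProcess lookup rule:
when the executable path is not quoted, Windows tries every space-delimited
prefix of the command line in turn, appending ".exe" when the prefix has no
extension, until a file is found. Every prefix tried before the intended
program is a place where a planted file would run instead.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape the posts use (key header, then name=value).
# The first three values are copied from the posts; "ExampleSvc" and "HostSvc"
# are hypothetical entries that show the two safe shapes (quoted, no spaces).
SAMPLE_REG = r"""
[HKLM\SOFTWARE\Classes\CLSID\{070B64FF-795D-4DAA-88AD-6D3277C7E445}\Shell\Open\Command]
@=C:\\Program Files (x86)\\Fujitsu\\DeskUpdate\\DeskUpdate.exe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PFNService]
ImagePath=expand:C:\\Program Files\\Fujitsu\\Plugfree NETWORK\\PFNService.exe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jhi_service]
ImagePath=expand:C:\\Program Files (x86)\\Intel\\Intel(R) Management Engine Components\\DAL\\jhi_service.exe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
ImagePath=expand:"C:\\Program Files\\Example\\ExampleSvc.exe" -service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HostSvc]
ImagePath=expand:C:\\Windows\\System32\\svchost.exe -k netsvcs
"""

_VALUE_RE = re.compile(r"^(?P<name>@|[^=]+)=(?:expand:)?(?P<value>.*)$")


def parse_reg(text: str) -> List[Tuple[str, str, str]]:
    """Parse the simplified .reg listing into (key, value name, command line) triples."""
    entries: List[Tuple[str, str, str]] = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            # .reg listings double every backslash; undo that before path analysis.
            entries.append((key, m.group("name"), m.group("value").replace("\\\\", "\\")))
    return entries


def _prefixes(cmdline: str) -> List[str]:
    """Space-delimited prefixes of an unquoted command line, shortest first."""
    tokens = cmdline.split(" ")
    return [" ".join(tokens[:i]) for i in range(1, len(tokens) + 1)]


def _with_exe(path: str) -> str:
    """CreateProcess appends .exe when the last path component has no extension."""
    return path if "." in path.rsplit("\\", 1)[-1] else path + ".exe"


def candidate_executables(cmdline: str) -> List[str]:
    """Files Windows would try, in order, for the given command line.

    A command line that starts with a double quote names its executable
    unambiguously, so only that single path is returned.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return [cmdline[1:end] if end > 0 else cmdline[1:]]
    return [_with_exe(p) for p in _prefixes(cmdline)]


def hijack_points(cmdline: str) -> List[str]:
    """Paths tried before the intended executable; an empty list means the entry is safe.

    The intended executable is taken to be the longest prefix ending in ".exe"
    (service arguments rarely contain a second .exe path).
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return []
    prefixes = _prefixes(cmdline)
    exe_idx = [i for i, p in enumerate(prefixes) if p.lower().endswith(".exe")]
    real = exe_idx[-1] if exe_idx else len(prefixes) - 1
    return [_with_exe(p) for p in prefixes[:real]]


def audit(text: str) -> Dict[str, List[str]]:
    """Map each vulnerable registry value to the paths that would run in its place."""
    findings: Dict[str, List[str]] = {}
    for key, name, cmdline in parse_reg(text):
        points = hijack_points(cmdline)
        if points:
            findings[key + "\\" + name] = points
    return findings


if __name__ == "__main__":
    for value_name, points in audit(SAMPLE_REG).items():
        print(value_name)
        for p in points:
            print("    would run first if present:", p)
```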
[Full-disclosure] AlienVault OSSIM multiple SQL Injection vulnerabilities
RunRunLevel Web Security Research - AlienVault OSSIM multiple SQL Injection vulnerabilities

Vendor Website: http://www.alienvault.com

INDEX
-----
1. Background
2. Description
3. Affected Products
4. Vulnerabilities
5. Solution
6. Credit
7. Disclosure Timeline

1. BACKGROUND
-------------
OSSIM by AlienVault is an Open Source Security Information and Event Management (SIEM) platform, comprising a collection of tools designed to aid network administrators in computer security, intrusion detection and prevention. (Wikipedia)

2. DESCRIPTION
--------------
The RunRunLevel Web Security Research Team discovered several vulnerabilities in the OSSIM web interface. All web vulnerabilities are caused by lacking or improper input validation. The Web Security Research Team also found that the OSSIM MySQL database was running with root privileges, allowing a full system compromise of the OSSIM platform.

3. AFFECTED PRODUCTS
--------------------
AlienVault OSSIM 4.1.2 (stable version and below)

4. VULNERABILITIES
------------------
The vulnerabilities can be classified as SQL Injection. No input validation is performed when processing parameters on the following URLs:

4.1 /ossim/forensics/base_qry_main.php [action_lst[0] parameter]
4.2 /ossim/forensics/base_qry_main.php [action_lst[1] parameter]
4.3 /ossim/forensics/base_qry_main.php [action_lst[18] parameter]
4.4 /ossim/forensics/base_qry_main.php [action_lst[6] parameter]
4.5 /ossim/forensics/base_qry_main.php [hostid[0] parameter]
4.6 /ossim/forensics/base_qry_main.php [sort_order parameter]
4.7 /ossim/forensics/base_qry_main.php [time[0][8] parameter]
4.8 /ossim/net/getnet.php [sortname parameter]
4.9 /ossim/session/users_edit.php [login parameter]
4.10 /ossim/session/users_edit.php [name parameter]

Together with the SQLi vulns it was found that the MySQL database server was running with system administrator privileges.

4.11 MySQL database running with root privileges

5. SOLUTION
-----------
Vendor contacted, but no response provided.

6. CREDIT
---------
The vulnerabilities were discovered by the RunRunLevel Web Security Research Team.

7. DISCLOSURE TIMELINE
----------------------
2013-03-01 - Vulnerability Discovered
2013-03-10 - Vendor Informed
2013-04-01 - No Response from Vendor
2013-05-01 - No Response from Vendor
2013-05-09 - Public Disclosure
[Full-disclosure] List Charter
[Full-Disclosure] Mailing List Charter
John Cartwright jo...@grok.org.uk

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily concerned with security issues and their discussion. The list is administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.

- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to full-disclosure-requ...@lists.grok.org.uk; send the word 'help' in either the message subject or body for details.

- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be restricted to members only, however the administrators may choose to accept submissions from non-members based on individual merit and relevance.

It is expected that the list will be largely self-policing, however in special circumstances (eg spamming, misappropriation) then offending members may be removed from the list by the management.

An archive of postings is available at http://lists.grok.org.uk/pipermail/full-disclosure/.

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is forbidden. Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they should use discretion in executing any tools or code distributed via this list.

- Posting Guidelines -

The primary language of this list is English. Members are expected to maintain a reasonable standard of netiquette when posting to the list.

Quoting should not exceed that which is necessary to convey context; this is especially relevant to members subscribed to the digested version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will preferably be short and to the point, and those containing 'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or S/MIME signatures, proof-of-concept code, etc) but must not be active (in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to list postings. Offenders will be excluded from the mailing list until the problem is corrected.

Members may post to the list by emailing full-disclosure@lists.grok.org.uk. Do not send subscription/unsubscription mails to this address, use the -request address mentioned above.

- Charter Additions/Changes -

The list charter will be published at http://lists.grok.org.uk/full-disclosure-charter.html.

In addition, the charter will be posted monthly to the list by the management.

Alterations will be made after consultation with list members and a consensus has been reached.