[Full-disclosure] Context Advisory - .NET 1.1 through .NET 4.5 Elevation of Privilege

2013-01-10 Thread Context IS - Disclosure
===ADVISORY===
Systems Affected:    .NET 1.1 through .NET 4.5
Severity:            Important
Category:            Elevation of Privilege
Author:              Context Information Security
Reported to vendor:  23rd April 2012
Advisory Issued:     9th January 2013
Reference:           CVE-2013-0004
===ADVISORY===

Description
---
The Microsoft .NET framework contains an error in the Intermediate
Language (IL) verifier which could allow hosted partial trust code to elevate
privileges and escape a sandboxed environment, resulting in arbitrary code
execution with the permissions of the user.

Analysis
---
The .NET framework contains a verifier for IL code which is enabled in partial
trust scenarios. It is used to ensure that the code about to be JIT compiled is
logically consistent and offers no mechanism for circumventing type safety.

The vulnerability addressed in the security bulletin is a bug in that
verification process which allows malicious code to call an object's
constructor more than once. This lets the state of an otherwise immutable
object be changed, leading to common time-of-check/time-of-use issues.

Technologies Affected
---
Microsoft .NET Framework 1.1 through 4.5

Vendor Response
---
Microsoft advises users to patch the .NET Framework to the latest version.
See the following Microsoft security bulletin for more details:
http://technet.microsoft.com/en-us/security/bulletin/ms13-004
There are a number of mitigations which reduce the severity of the issue;
these are also detailed in Microsoft's bulletin.

Disclosure Timeline
---
23rd April 2012 – Vendor Notification
8th January 2013 – Vendor Patch Released

Credits
---
James Forshaw of Context Information Security

About Context Information Security
--
Context Information Security is an independent security consultancy 
specialising in both technical security and information assurance services.
The company was founded in 1998. Its client base has grown steadily over the 
years, thanks in large part to personal recommendations from existing clients 
who value us as business partners. We believe our success is based on the value 
our clients place on our product-agnostic, holistic approach; the way we work 
closely with them to develop a tailored service; and to the independence, 
integrity and technical skills of our consultants.

The company’s client base now includes some of the most prestigious blue chip 
companies in the world, as well as government organisations. 
The best security experts need to bring a broad portfolio of skills to the job, 
so Context has always sought to recruit staff with extensive business 
experience as well as technical expertise. Our aim is to provide effective and 
practical solutions, advice and support: when we report back to clients we 
always communicate our findings and recommendations in plain terms at a 
business level as well as in the form of an in-depth technical report.

Web:  www.contextis.com
Email:  disclos...@contextis.co.uk
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Context IS Advisory - Citrix XenServer Hypervisor Privilege Escalation

2012-10-30 Thread Context IS - Disclosure
===ADVISORY===
Systems Affected:    Citrix XenServer 5.0 through 6.0.2
Severity:            High
Category:            Privilege Escalation
Author:              Context Information Security
Reported to vendor:  24th May 2012
Advisory Issued:     30th October 2012
Reference:           CVE-2012-4606
===ADVISORY===
 
Description
---
The XenServer remote VNC terminal emulator contains a vulnerability which would
allow a user of a guest VM to execute code in the hypervisor, leading to
elevation of privilege on the server hosting the guest VM.
 
Analysis
---
Citrix XenServer is distributed with a VT100 terminal emulator which is exposed
via the VNC protocol to allow a remote user to administer their hosted
para-virtualised machine. The application does not correctly handle certain
escape sequences, which can allow an unprivileged guest VM to gain code
execution in the fully privileged Dom0, from which the entire hosting server
can be controlled.
 
It should be noted that the vulnerable code was also used in the QEMU-KVM 
terminal that can be used by emulated virtual machines; this is under a 
different CVE, CVE-2012-3515.
 
Technologies Affected
---
Citrix XenServer 6.0
Citrix XenServer 5.6
Citrix XenServer 5.5
Citrix XenServer 5.0
 
Vendor Response
---
The vendor issued a security hotfix on the 5th September 2012. See
http://support.citrix.com/article/CTX134708 for support information and
download locations for different versions of XenServer.
 
Disclosure Timeline
---
24th May 2012 – Vendor notified
5th September 2012 – Vendor issues fix
 
Credits
---
James Forshaw of Context Information Security
 
 
 
Web:    www.contextis.com
Email:  disclos...@contextis.co.uk
 
 
 
 


[Full-disclosure] Context IS Advisory - SAP Host Control Remote Code Execution

2012-08-17 Thread Context IS - Disclosure
===ADVISORY===
Systems Affected:    SAP AG NetWeaver 7.02
Severity:            High
Category:            Remote Code Execution
Author:              Michael Jordon, Context Information Security
Reported to vendor:  16th September 2011
Advisory Issued:     17th August 2012
===ADVISORY===

Description
---
The SAPHostControl service was found to be vulnerable to remote argument
injection. The vulnerability allows full command execution as the SAP
administrator through the SOAP management console, without authentication.

Analysis
---
The issue relates to how the web service passes arguments into the database
command line as part of the authentication process. By manipulating these
arguments, a database script can be created and run which executes commands
as the SAP administrator on the target server.
For further details on the vulnerability and exploit see:
http://www.contextis.com/research/blog/sap4/
 
Technologies Affected
---
SAP NetWeaver 7.02 (SAPHostControl Service)

Vendor Response
---
SAP released a patch for the issue, ref. 1341333:
https://websmp130.sap-ag.de/sap/support/notes/1341333

Disclosure Timeline
---
16th September 2011 – Vendor Disclosure
8th May 2012 - Patch Released
17th August 2012 - Advisory Issued (SAP requested 3 months delay between patch 
release and advisory being issued)

Credits
---
Michael Jordon of Context Information Security

About Context Information Security
---
Context Information Security is an independent security consultancy
specialising in both technical security and information assurance services.
The company was founded in 1998. Its client base has grown steadily over the
years, thanks in large part to personal recommendations from existing clients
who value us as business partners. We believe our success is based on the value
our clients place on our product-agnostic, holistic approach; the way we work
closely with them to develop a tailored service; and to the independence,
integrity and technical skills of our consultants.
Context are ideally placed to work with clients worldwide with offices in the
UK, Australia and Germany.
The company’s client base now includes some of the most prestigious blue chip
companies in the world, as well as government organisations.
The best security experts need to bring a broad portfolio of skills to the job,
so Context has always sought to recruit staff with extensive business
experience as well as technical expertise. Our aim is to provide effective and
practical solutions, advice and support: when we report back to clients we
always communicate our findings and recommendations in plain terms at a
business level as well as in the form of an in-depth technical report.

Web:  www.contextis.com
Email:   disclos...@contextis.com


[Full-disclosure] Context IS Advisory - .NET 1.0 through .NET 4 Remote Code Execution

2012-05-30 Thread Context IS - Disclosure
===ADVISORY===
Systems Affected:    .NET 1.0 through .NET 4
Severity:            High
Category:            Remote Code Execution
Author:              Context Information Security
Reported to vendor:  17th March 2011
Advisory Issued:     8th May 2012
Reference:           CVE-2012-0160, CVE-2012-0161
===ADVISORY===
 
Description
---
The Microsoft .NET framework (in all released versions) is vulnerable to a 
number of attacks through the misuse of binary serialization which could be 
leveraged to disclose important information or to achieve remote code 
execution. 
 
Analysis
---
The .NET framework has a number of serialization mechanisms a developer can use
to load and save object instances, either to permanent storage or to transport
objects across boundaries. Probably the most important of these are the
IFormatter serializers, specifically BinaryFormatter, which has existed in one
form or another since the very first version of the framework.

It is common to see this used as a mechanism for data storage, object
marshalling and object cloning. This can lead to situations where an attacker
can introduce malicious objects into an application, either remotely over a
network or from within a sandboxed environment.

Through the use of specific functionality an attacker can then leverage this
situation to circumvent security mechanisms and gain remote code execution
without user interaction, or to disclose important information.
 
 
Technologies Affected
---
Microsoft .NET Framework 1.0 through 4.0

Vendor Response
---
Microsoft advises users to patch the .NET Framework to the latest version. See
the following Microsoft security bulletin for more details:
http://technet.microsoft.com/en-us/security/bulletin/ms12-035

There are a number of mitigations which reduce the severity of the issues;
these are also detailed in Microsoft's bulletin.
 
Disclosure Timeline
---
13th March 2011 – Vendor Notification
8th May 2012 – Vendor Patch Released
 
 
Credits
---
James Forshaw of Context Information Security
 
 
About Context Information Security
---
Context was launched in 1998 and has a client base that includes some of the
world’s most high profile blue chip companies, alongside government 
organisations. An exceptional level of technical expertise underpins all 
Context services, while a detailed and comprehensive approach helps clients to 
attain a deeper understanding of security vulnerabilities, threats or 
incidents. The company’s strong track record is based above all, on the 
technical skills, professionalism, independence and integrity of its 
consultants.   
 
Many of the world's most successful organisations turn to Context for technical 
assurance, incident response and investigation services. Context is also at the 
forefront of research and development in security technology.  As well as 
publishing white papers and blogs addressing current and emerging security 
threats and trends, Context consultants are frequently invited to present at 
open and closed industry events around the world. Context delivers a 
comprehensive portfolio of advanced technical services and with offices in the 
UK, Germany and Australia, is ideally placed to work with clients worldwide.  
 
Web:    www.contextis.com
Email:  disclos...@contextis.com
 
 
 
 


[Full-disclosure] Context IS Advisory - SAP AG Netweaver 7.02 Remote Code Execution

2012-02-17 Thread Context IS - Disclosure
===ADVISORY===
Systems Affected:    SAP AG NetWeaver 7.02
Severity:            High
Category:            Remote Code Execution
Author:              Nico Leidecker, Context Information Security Ltd
Reported to vendor:  29th September 2011
Advisory Issued:     17th February 2012
===ADVISORY===

Buffer Overflow In SAPHostControl

Description
---
The SAPHostControl Service was found to be vulnerable to remote code execution 
via a stack based buffer overflow. By sending a certain string to the service, 
attackers could cause a condition whereby they are able to inject and execute 
malicious code. This code will execute with Administrator privileges.

Analysis
---
The SAPHostControl service expects commands to be sent wrapped in SOAP
messages. One of those messages has parameters which are insecurely handled:
the parameter values are copied into a fixed-size buffer on the stack via
sprintf without bounds checking. This leaves the service vulnerable to a
buffer overflow which can lead to remote code execution.
 
Technologies Affected
--
SAP NetWeaver 7.02 (SAPHostControl Service)

Vendor Response
---
SAP released a patch for the issue, ref. 1638811:
https://service.sap.com/sap/support/notes/1638811

Disclosure Timeline
---
29th September 2011 – Vendor Disclosure
12th December 2011 - Patch Released
17th February 2012 - Advisory Issued (SAP requested 3 months delay between 
patch release and advisory being issued)

Credits
---
Nico Leidecker of Context Information Security Ltd


Web:  www.contextis.com
Email:   disclos...@contextis.com


[Full-disclosure] Context IS Advisory - Apache Reverse Proxy Bypass Vulnerability

2011-10-06 Thread Context IS - Disclosure
===ADVISORY===
Systems Affected:    Apache httpd
Severity:            High
Category:            Proxy Bypass
Author:              Context Information Security Ltd
Reported to vendor:  16th November 2011
Advisory Issued:     5th October 2011
Reference:           CVE-2011-3368
===ADVISORY===
 
Description
---
Context discovered a security vulnerability which allows for Apache in reverse 
proxy mode to be used to access internal/DMZ systems due to a weakness in its 
handling of URLs being processed by mod_rewrite.
 
Analysis
---
If the Apache configuration file is configured as follows (as previously
recommended by Apache):

RewriteRule ^(.*) http://internalserver$1 [P]

rather than with a slash before the back-reference:

RewriteRule ^(.*) http://internalserver/$1 [P]

then a request can be made to the proxy server which alters the rewritten URL
by using the user authentication (userinfo) syntax of a URI, such as:

GET @InternalNotAccessibleServer/console HTTP/1.0

causing the proxy to rewrite the URL to:

http://internalserver@InternalNotAccessibleServer/console

and providing access to an internal server which is not externally accessible.
 
For an in-depth analysis of this security issue read Context’s blog at:
http://www.contextis.com/research/blog/reverseproxybypass/
 
Technologies Affected
---
Apache httpd 1.3 all versions
Apache httpd 2.x all versions
 
 
 
Vendor Response
---
Apache have released a patch for this issue but recommend configuration files 
are reviewed. 
Patch available from:
http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/
 
 
Disclosure Timeline
---
16th November 2011 – Vendor Notification
5th October 2011 – Patch Released by Apache
 
 
Credits
---
Michael Jordon and David Robinson of Context Information Security Ltd
 
 
 
Web:    www.contextis.com
Email:  disclos...@contextis.com
 
 
 
 
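The RewriteRule pattern described in the Apache advisory above can be audited mechanically. The script below is an added example, not Context's or Apache's code: `find_risky_rewrite_rules` flags proxy rules whose target places the back-reference directly after the host name, and `rewrite_target` substitutes the request path quoted in the advisory into both rule forms and uses Python's `urllib.parse` to show which host the resulting URL names. Python's URL parser stands in for Apache's here, so this approximates rather than reproduces httpd's own handling. The sample configuration lines and all function names are constructed for the example.

```python
"""Audit helper for the RewriteRule weakness in CVE-2011-3368 (added
example; not Context's or Apache's code). The two rule forms and the
request path are the ones quoted in the advisory; everything else is
constructed."""
import re
from urllib.parse import urlsplit

# Constructed sample httpd configuration. Line 2 is the weak form from the
# advisory, line 3 the corrected form with the slash before $1, line 4 an
# unrelated proxy rule that is already safe.
SAMPLE_CONFIG = """
RewriteRule ^(.*) http://internalserver$1 [P]
RewriteRule ^(.*) http://internalserver/$1 [P]
RewriteRule ^/app/(.*) http://app-backend/$1 [P,L]
"""

# A target of the form scheme://host$N: the back-reference lands directly
# after the host, so request text can become userinfo or a new host name.
_HOST_THEN_BACKREF = re.compile(r"^https?://[^/\s]+\$\d")


def find_risky_rewrite_rules(config_text):
    """Return (line_number, line) for each RewriteRule that proxies
    (P flag) to a target whose host is immediately followed by $N."""
    hits = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("RewriteRule"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        target = parts[2]
        flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
        is_proxy = any(f.strip() in ("P", "proxy") for f in flags)
        if is_proxy and _HOST_THEN_BACKREF.match(target):
            hits.append((lineno, line))
    return hits


def rewrite_target(rule_target, request_path):
    """Substitute request_path for $1 as the ^(.*) pattern would, then
    report the host and path a URL parser derives from the result."""
    url = rule_target.replace("$1", request_path)
    parts = urlsplit(url)
    return url, parts.hostname, parts.path


if __name__ == "__main__":
    for lineno, line in find_risky_rewrite_rules(SAMPLE_CONFIG):
        print(f"line {lineno}: no slash before back-reference: {line}")
    # With the weak rule the text before "@" is parsed as userinfo and the
    # host the proxy connects to changes; with the slash it stays a path.
    req = "@InternalNotAccessibleServer/console"
    for rule in ("http://internalserver$1", "http://internalserver/$1"):
        url, host, path = rewrite_target(rule, req)
        print(f"{rule:<28} -> host={host} path={path}")
```

Running the script lists line 2 of the sample configuration as risky and shows the weak rule resolving to host `internalnotaccessibleserver` with path `/console`, while the corrected rule keeps host `internalserver` and passes `/@InternalNotAccessibleServer/console` through as the path. Reviewing every `[P]` rule this way is the configuration check Apache's response recommends alongside the patch.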


[Full-disclosure] Context IS Advisory - Remote Code Execution in Firefox's WebGL Implementation

2011-08-19 Thread Context IS - Disclosure
===ADVISORY===
Systems Affected:    Firefox
Severity:            High
Category:            Remote Code Execution
Author:              Context Information Security Ltd
Reported to Vendor:  23rd March 2011
Advisory Issued:     19th August 2011
Reference:           CVE-2011-2987, CVE-2011-2988
===ADVISORY===
 
Description
---
Context discovered two memory corruption issues related to Firefox code that 
processes WebGL, that could result in remote code execution via a malicious web 
page.
 
Analysis
---
CVE-2011-2987 is a heap buffer overflow caused when an overly long string is 
passed to the WebGL shader compiler. When a long string is passed to the 
ShaderSource method on the exposed WebGL context interface it can result in 
memory corruption leading to either an invalid memcpy call or stack exhaustion. 
 
CVE-2011-2988 is a heap buffer overflow due to incorrect reallocation in the 
ANGLE library shader pre-processor. By compiling a large program, with a 
significant amount of pre-processing elements an allocation can be made to fail 
which results in a pointer being aliased. Further code will then write to this 
pointer causing memory corruption. 
 
The bugs were found during Context’s research into WebGL: 
http://www.contextis.co.uk/resources/blog/webgl/
 
Technologies Affected
---
Firefox 4/4.0.1
Firefox 5
 
 
Vendor Response
---
Mozilla have resolved these issues in Firefox 6.  For more details see:
http://www.mozilla.org/security/announce/2011/mfsa2011-29.html
 
 
Disclosure Timeline
---
21st June 2011 – Vendor Notification
16th August 2011 – Patch Released in Firefox 6
 
 
Credits
---
James Forshaw of Context Information Security Ltd
 
 
 
Web:    www.contextis.co.uk
Email:  disclos...@contextis.co.uk
 
 
 
 


[Full-disclosure] Context IS Advisory - MS11-066 .NET 4 - Microsoft Chart Control

2011-08-12 Thread Context IS - Disclosure
===ADVISORY===
Systems Affected:    .NET 4 - Microsoft Chart Control
Severity:            High
Category:            Information Disclosure
Author:              Context Information Security Ltd
Reported to vendor:  3rd October 2010
Advisory Issued:     11th August 2011
Reference:           MS11-066, CVE-2011-1977
===ADVISORY===
 
Description
---
The Microsoft Chart Control contains an information disclosure vulnerability.
By sending a specific GET request to an application implementing the chart
control, attackers could read arbitrary files on the system.
 
Analysis
---
The Microsoft Chart Control plots graphs and, with the default configuration,
stores them as image files in a directory on the system. The graph images are
retrieved using GET requests carrying a file path parameter.

When the control receives such a request, it verifies that the requested file
path lies within the allowed directory and, if so, reads and returns the file’s
contents. However, the verification was found to be flawed, making it possible
to traverse directories and load arbitrary files.
 
The Microsoft Chart Control is included in the .NET Framework 4 or can be 
downloaded separately for .NET 3.5 (http://code.msdn.microsoft.com/mschart).
 
This vulnerability was found using the Context App Tool (CAT 
http://cat.contextis.com).
 
Technologies Affected
---
Microsoft .NET Framework 4
 
 
Vendor Response
---
Microsoft advises users to patch the .Net Framework to the latest version.  See 
the following Microsoft security bulletin for more details:
http://www.microsoft.com/technet/security/Bulletin/MS11-066.mspx
 
 
Disclosure Timeline
---
3rd October 2010 – Vendor Notification
4th October 2010 – First Vendor Response
16th November 2010 – Vendor Confirms Vulnerability
9th August 2011 – Vendor Patch Released
 
 
Credits
---
Nico Leidecker and James Forshaw of Context Information Security Ltd
 
 
 
Web:    www.contextis.com
Email:  disclos...@contextis.com
 
 
 
 
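The Chart Control advisory above states that the check confirming a requested path lies within the allowed directory was flawed, without giving the flawed logic. The Python below is an added example, not Microsoft's or Context's code: `naive_is_inside` is a constructed illustration of a common version of that class of mistake (a string-prefix comparison on the joined path), and `safe_resolve` canonicalises the path before comparing whole path components. `run_demo` builds a temporary directory layout (constructed) and returns both verdicts for a legitimate request, a traversal and a sibling directory that merely shares the name prefix. All names are assumptions made for the example.

```python
"""Directory-containment check, naive and canonicalising forms (added
example; not Microsoft's or Context's code). The advisory does not give
the real flawed logic; naive_is_inside is a constructed illustration."""
import os
import tempfile


def naive_is_inside(base_dir, requested):
    """Flawed check: string-prefix comparison on the joined path.
    '..' segments are left in place, and a sibling directory whose name
    starts with base_dir (e.g. charts2 next to charts) is accepted."""
    candidate = os.path.join(base_dir, requested)
    return candidate.startswith(base_dir)


def safe_resolve(base_dir, requested):
    """Return the canonical absolute path if it lies inside base_dir,
    otherwise None. realpath collapses '..' and follows symlinks before
    the comparison; commonpath compares whole components, so a sibling
    directory sharing the prefix is rejected."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:  # paths on different drives (Windows)
        inside = False
    return target if inside else None


def run_demo():
    """Constructed scenario: a chart directory holding one image, a file
    outside it, and a sibling directory sharing the name prefix.
    Returns {requested_path: (naive_verdict, canonical_verdict)}."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "charts")
        os.mkdir(base)
        os.mkdir(os.path.join(tmp, "charts2"))
        with open(os.path.join(base, "chart1.png"), "wb") as f:
            f.write(b"\x89PNG placeholder")  # constructed content
        with open(os.path.join(tmp, "secret.txt"), "w") as f:
            f.write("not a chart")  # constructed content
        requests = [
            "chart1.png",        # legitimate
            "../secret.txt",     # traversal out of the chart directory
            "../charts2/x.png",  # sibling directory with the same prefix
        ]
        return {
            req: (naive_is_inside(base, req), safe_resolve(base, req) is not None)
            for req in requests
        }


if __name__ == "__main__":
    for req, (naive, canonical) in run_demo().items():
        print(f"{req:<20} naive={naive!s:<5} canonical={canonical}")
```

The naive check accepts all three requests, because each joined string begins with the chart directory's path; the canonicalising check accepts only `chart1.png`. Resolving first and then comparing components is the pattern to look for when reviewing any handler that serves files named by a request parameter.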


Re: [Full-disclosure] CAT Version 1 Released - Web App Testing Tool

2011-08-09 Thread Context IS - Disclosure
Under native Windows, CAT will only use IE to render the HTML.  I can see your
point as to why you might not want to use IE and I will look into adding in a
Gecko rendering option for the next version.

Under Mono it uses the Mono-provided WebBrowser control; which rendering engine
is used depends on the operating system's configuration, e.g. Gecko or WebKit.
For more details see:
http://www.mono-project.com/WebBrowser

The license can be seen here:
http://www.contextis.co.uk/resources/tools/cat/download/Cat_EULA.txt

Cheers,
Mike


From: valdis.kletni...@vt.edu [valdis.kletni...@vt.edu]
Sent: 04 August 2011 15:35
To: Context IS - Disclosure
Cc: full-disclosure@lists.grok.org.uk; webapp...@securityfocus.com; 
websecur...@webappsec.org; owasp-...@lists.owasp.org
Subject: Re: [Full-disclosure] CAT Version 1 Released - Web App Testing Tool

On Thu, 04 Aug 2011 01:45:16 BST, Context IS - Disclosure said:
> CAT is a tool for manual web application penetration testing and includes
> the following features:

Sounds at least potentially interesting.  A few questions:

> -  CAT uses Internet Explorer's rendering engine for accurate HTML 
> representation

Is this optional/switchable?  Might be nice to *not* use the actual IE render
engine if you're working on serving up a client-side exploit via XSS - that
would be shooting yourself in the foot then. ;)

> -  MONO Support for Linux and OSX (Currently in Beta).

What render engine does it use for Linux/OSX? Or is this referring to using
MONO to talk from a Windows test box to a Linux/OSX target?

> -  It is totally free!

What license?


[Full-disclosure] CAT Version 1 Released - Web App Testing Tool

2011-08-04 Thread Context IS - Disclosure
Context App Tool (CAT) Version 1 has been released.  
http://cat.contextis.com 

CAT is a tool for manual web application penetration testing and includes the 
following features:
-  Request Repeater – Used for repeating a single request
-  Proxy – Classic Inline proxy
-  Fuzzer – Allows for batch of tests to be sent to a server for brute 
forcing, parameter fuzzing, forced browsing etc.
-  Log – View a list of requests to sort, search repeat etc. Allows for 
a sequence of requests to be repeated and modified.
-  Authentication Checker – Two synchronised proxies which can be used 
to check authentication and authorisation controls.
-  SSL Checker – Request a specific page with various SSL ciphers and 
versions.
-  Notepad – A text/RTF editor which can be used as a scratch pad for 
conversions etc.
-  Web Browser – An integrated web browser with proxy pre-configured 
based on the Internet Explorer's rendering engine.
-  Addons – Freely accessible API/SDK to extend CAT with additional 
functionality.

Some highlights of CAT:
-  CAT uses Internet Explorer's rendering engine for accurate HTML 
representation
-  It supports many different types of text conversions including: URL, 
Base64, Hex, Unicode, HTML/XML, SQL and JavaScript no quotes
-  It offers integrated SQL Injection and XSS Detection
-  Advanced Authentication and Authorisation using Synchronised Browsing
-  Silverlight WCF Support
-  Faster performance due to HTTP connection caching
-  SSL Version and Cipher checker using OpenSSL
-  Greater flexibility for importing/exporting logs and saving projects
-  Tabbed Interface allowing for multiple tools at once e.g. multiple 
repeaters and different logs
-  The ability to repeat and modify a sequence of requests 
(particularly useful in SSO testing)
-  Ability to extend CAT using Addons with publicly available 
documentation and sample code
-  MONO Support for Linux and OSX (Currently in Beta).
-  Scriptable fuzz cases.
-  It is totally free!
 


[Full-disclosure] Whitepaper: Assessing Cloud Node Security

2011-04-01 Thread Context IS - Disclosure
Context Information Security have released a whitepaper on Assessing Cloud Node 
Security.

Synopsis:
Some major Cloud providers currently expose their clients’ data to the risk of 
compromise as a result of serious flaws in the implementation of their 
technologies. This is the key finding of a major new survey of the security of 
Cloud nodes completed by Context Information Security.

The growing trend in migrating systems to use Cloud infrastructure to take 
advantage of the cost savings and flexibility that this form of IT provision 
can offer has caused concern within the security community, because this 
virtual and dynamic environment creates a new threat landscape.

This whitepaper is the result of research undertaken by Context into the 
technical risks associated with Cloud computing infrastructure nodes. Context 
rented a range of Cloud nodes currently offered by the major providers and 
performed a review of their security, including the limitations imposed by 
providers on the types of technical security testing allowed to be performed.

The methodology, results, challenges and recommended mitigations are detailed 
in this whitepaper, which sets out best practices for securing Cloud nodes as 
an end user and will help end users to assess and reduce any associated risk to 
their systems. Information about the general security issues discovered in 
actual Cloud nodes has also been fed back to the providers to enable them to 
resolve these issues. 

Read the whitepaper in full at:
http://www.contextis.co.uk/resources/white-papers/assessing-cloud-node-security/


[Full-disclosure] Avaya Aura AES - Authorisation Bypass

2011-01-06 Thread Context IS - Disclosure
===ADVISORY===
Systems Affected:    Avaya Aura AES (Application Enablement Services) 4.x.x
Severity:            Medium
Category:            Authorisation Bypass
Author:              Context Information Security Ltd
Reported to vendor:  9th September 2010
Advisory Issued:     6th January 2011
===ADVISORY===
 
Description
---
The Avaya AES application suffers from an authorisation bypass vulnerability 
that allows a low-level user to execute administrative functions.
 
Analysis

A flaw in the authorisation function that validates whether a user is permitted 
to execute a desired function allows low-level users to execute some 
administrative functions, leading to an authorisation bypass and privilege 
escalation vulnerability.
 
Technologies Affected
--
 
Avaya Aura™ Application Enablement Services (4.x.x)
 
 
Vendor Response
---
 
https://support.avaya.com/css/P8/documents/100121813
 
 
Disclosure Timeline
--
9th September 2010 – Vendor Disclosure
10th December 2010 – Vendor Releases Advisory
 
 
Credits
-
Ben Heinkel of Context Information Security Ltd
 
About Context Information Security
--
 
Context Information Security is an independent security consultancy 
specialising in both technical security and information assurance services. The 
company was founded in 1998. Its client base has grown steadily over the years, 
thanks in large part to personal recommendations from existing clients who 
value us as business partners. We believe our success is based on the value our 
clients place on our product-agnostic, holistic approach; the way we work 
closely with them to develop a tailored service; and to the independence, 
integrity and technical skills of our consultants.
The company's client base now includes some of the most prestigious blue chip 
companies in the world, as well as government organisations.
 
The best security experts need to bring a broad portfolio of skills to the job, 
so Context has always sought to recruit staff with extensive business 
experience as well as technical expertise. Our aim is to provide effective and 
practical solutions, advice and support: when we report back to clients we 
always communicate our findings and recommendations in plain terms at a 
business level as well as in the form of an in-depth technical report.
 
Web:www.contextis.co.uk
Email:  disclos...@contextis.co.uk


[Full-disclosure] Heap Offset Overflow in Citrix ICA Clients

2010-08-04 Thread Context IS - Disclosure
===ADVISORY===
Systems Affected:    Citrix ICA Client
Severity:            High
Category:            Heap Offset Overflow
Author:              Context Information Security Ltd
Reported to vendor:  20th February 2008
Advisory Issued:     4th August 2010
===ADVISORY===

Description
---
The Citrix Presentation Server Client (tested on v10.150) does not perform bounds 
checking on the type field in an ICA "graphics" packet.  This lack of checking 
allows for remote exploitation of a user that has the client installed.

The exploit can be triggered by sending a user to a malicious webpage that 
causes an ICA file to be downloaded. This automatically connects to a simulated 
ICA server, which can trigger the remote code execution and take control over 
the client.


Analysis

The ICA client software is vulnerable to an offset overflow heap exploit.  The 
ICA client does not correctly validate input from network data in the graphics 
packets.  This allows arbitrary code execution on a victim's computer that 
connects to a malicious ICA server.  A user with the ICA client installed will 
automatically connect to an ICA server that is provided via a URL.  

Therefore if a user clicks on a malicious link, opens an ".ICA" file via email 
or is redirected to a malicious server the exploit will be launched against the 
user.

The exploit works by providing an ".ICA" file to the web browser which 
instructs the browser to load the ICA client and connect to the malicious 
server.  The server is not a real ICA server but software which simulates the 
initial negotiation of an ICA connection and then launches the exploit.

  
Technologies Affected
-
Citrix Client 10 for Windows, Mac, Linux, Solaris and Windows Mobile


Vendor Response
---
Citrix advise users to upgrade to the latest version of the Citrix client.  See 
the following Citrix support article for more details:
http://support.citrix.com/article/CTX125975


Disclosure Timeline
---
20th February 2008 - Vendor Notification
26th February 2008 - Vendor Response Requesting More Details
3rd March 2008 - Vendor Confirms Vulnerability
3rd August 2010 - Vendor Patch Released


Credits

Michael Jordon of Context Information Security Ltd


About Context Information Security
--

Context Information Security is an independent security consultancy 
specialising in both technical security and information assurance services. The 
company was founded in 1998. Its client base has grown steadily over the years, 
thanks in large part to personal recommendations from existing clients who 
value us as business partners. We believe our success is based on the value our 
clients place on our product-agnostic, holistic approach; the way we work 
closely with them to develop a tailored service; and to the independence, 
integrity and technical skills of our consultants.
The company's client base now includes some of the most prestigious blue chip 
companies in the world, as well as government organisations.

The best security experts need to bring a broad portfolio of skills to the job, 
so Context has always sought to recruit staff with extensive business 
experience as well as technical expertise. Our aim is to provide effective and 
practical solutions, advice and support: when we report back to clients we 
always communicate our findings and recommendations in plain terms at a 
business level as well as in the form of an in-depth technical report.

Web:www.contextis.co.uk
Email:  disclos...@contextis.co.uk
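An added illustration of the bug class the Citrix advisory above describes (a packet type field used as a table index with no bounds check), written for this page and not taken from Context's or Citrix's code. The header layout, handler table and all names below are invented for the example and are not the real ICA graphics format.

```c
/* Constructed illustration of the bug class in the advisory above: a packet
 * "type" field used as a table index without a bounds check. The header
 * layout and handler table here are invented for the example; they are not
 * the real ICA graphics format. */
#include <stddef.h>
#include <stdint.h>

#define GFX_TYPE_COUNT 3          /* valid sub-types in this toy format */
#define GFX_HDR_LEN    3          /* 1-byte type + 2-byte LE payload length */

typedef int (*gfx_handler_t)(const uint8_t *payload, size_t len);

/* Toy handlers: each returns the number of payload bytes it consumed. */
static int gfx_fill(const uint8_t *p, size_t n) { (void)p; return (int)n; }
static int gfx_blit(const uint8_t *p, size_t n) { (void)p; return (int)n; }
static int gfx_text(const uint8_t *p, size_t n) { (void)p; return (int)n; }

static const gfx_handler_t gfx_handlers[GFX_TYPE_COUNT] = { gfx_fill, gfx_blit, gfx_text };

/* Negative return codes from gfx_dispatch; non-negative means bytes consumed. */
enum { GFX_ERR_SHORT = -1, GFX_ERR_TYPE = -2, GFX_ERR_LEN = -3 };

/* Hardened dispatch. The check the advisory reports as missing is the type
 * check: without it, an attacker-chosen type value selects a function pointer
 * from beyond the end of gfx_handlers[], i.e. an out-of-bounds "offset" into
 * whatever memory follows the table. */
int gfx_dispatch(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < GFX_HDR_LEN)
        return GFX_ERR_SHORT;                    /* header must be complete */

    uint8_t  type = pkt[0];
    uint16_t plen = (uint16_t)(pkt[1] | (pkt[2] << 8));

    if (type >= GFX_TYPE_COUNT)
        return GFX_ERR_TYPE;                     /* the missing bounds check */

    if ((size_t)plen > len - GFX_HDR_LEN)
        return GFX_ERR_LEN;                      /* payload must fit the buffer */

    return gfx_handlers[type](pkt + GFX_HDR_LEN, plen);
}
```

Every field read from the network is validated against both the table size and the buffer length before it is used, which is the pattern the vendor fix has to restore.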





[Full-disclosure] Context App Tool - New Web Application Testing Tool Released

2010-01-05 Thread Context IS - Disclosure
CAT is an application to facilitate manual web application penetration testing. 
It was designed to cope with a more demanding level of application testing, 
taking away some of the more repetitive nature of testing and allowing the 
tester to focus their time instead on the individual application, enabling them 
to conduct a much more thorough test. Conceptually it is similar to other 
proxies available both commercially and open source. CAT provides a richer 
feature set and greater performance, combined with a more intuitive user 
interface to aid a professional manual penetration tester.

There are a number of differences between CAT and currently available web 
proxies. Some key differences are:

* Uses Internet Explorer's rendering engine for accurate HTML representation
* Supports many different types of text conversions including: URL, 
Base64, Hex, Unicode, HTML/XML, SQL and JavaScript no Quotes
* Integrated SQL Injection and XSS Detection
* Synchronised Proxies for Authentication and Authorisation checking
* Faster due to HTTP connection caching
* SSL Version and Cipher checker using OpenSSL
* Greater flexibility for importing/exporting logs and saving projects
* Tabbed Interface allowing for multiple tools at once e.g. multiple 
repeaters and different logs
* The ability to repeat and modify a sequence of requests (particularly 
useful in SSO testing)
* Free!

There are a number of features which CAT has to enable a wide variety of 
testing to be conducted:

* Request Repeater – Used for repeating a single request
* Proxy – Classic Inline proxy
* Fuzzer – Allows for batch of tests to be sent to a server for brute 
forcing, parameter fuzzing, forced browsing etc.
* Log – View a list of requests to sort, search, repeat etc. Allows for a 
sequence of requests to be repeated and modified.
* Authentication Checker – Two synchronised proxies which can be used to 
check authentication and authorisation controls.
* SSL Checker – Request a specific page with various SSL ciphers and 
versions.
* Notepad – A text/RTF editor which can be used as a scratch pad for 
conversions etc.
* Web Browser – An integrated web browser with proxy pre-configured based 
on the Internet Explorer's rendering engine.


For more information and to download a copy go to http://cat.contextis.com

Look forward to any feedback,
Michael Jordon


About Context Information Security
--
Context Information Security Limited is a specialist information security 
consultancy based in London and Dusseldorf. 
Context promotes the holistic approach to information security and helps 
clients to identify, assess and control their exposure to risk within the 
fields of IT, telephony and physical security. Context employs experienced 
information security professionals who are subject-matter experts in their 
various technical specialisms.  Context works extensively within the finance, 
legal, defence and government sectors, delivering high-end information security 
projects to organisations for which security is a priority.



[Full-disclosure] Context IS Advisory - Autocomplete Data Theft in Mozilla Firefox

2009-11-04 Thread Context IS - Disclosure
===ADVISORY===

Name:   Autocomplete Data Theft in Mozilla Firefox
Systems Affected:   Mozilla Firefox 3.5, Mozilla Firefox 3.0
Severity:   Moderate
Category:   Data Leakage
Author: Context Information Security Ltd
Advisory:   4 November 2009
CVE:  CVE-2009-3370

===ADVISORY===

Description:

A malicious web page can extract all the data stored within the 
autocomplete history of a user's Firefox browser. The web page must convince a 
user to hold down the left or right-arrow keys; then the contents of the 
autocomplete popup can be read. This may include the search history box within 
the browser, or other personal details.

Analysis

A malicious web page can be created that includes a text field with the same 
'name' attribute as data entered on other sites (e.g. 'q' for Google). The form 
autocompletion popup in Firefox can then be triggered and manipulated by a 
variety of key presses. For example, by pressing the 'a' key, autocomplete 
entries starting with that letter will be shown. Entries in the popup can be 
selected by using the up/down arrow keys. When the left or right arrow key is 
pressed, the currently selected entry from the popup is entered into the text 
field and can be read through JavaScript.

In Firefox, a web page can use the 'createEvent' and 'initKeyEvent' JavaScript 
methods to create synthetic key events. It was discovered that these events 
could be used to trigger an autocomplete popup and change the currently 
selected entry in the popup. 

However, it was not possible for synthetic events to cause the text field to be 
filled with the current entry. Therefore some user interaction is required to 
enable the web page to steal the contents of the drop-down. If a web page can 
convince a user to hold down or repeatedly press the left or right-arrow keys, 
it can systematically grab each entry in the drop-down box. 

Technologies Affected
-
Mozilla Firefox 3.5.3 and below
Mozilla Firefox 3.0.0.14 and below

Resolution
--
Mozilla fixed this issue in the 3.5.4 and 3.0.0.15 releases of Firefox:

http://www.mozilla.org/security/announce/2009/mfsa2009-52.html

CVE
---
This issue has been assigned CVE number CVE-2009-3370.

Disclosure Timeline
---
8th August 2009 - Initial Discovery and Vendor Notification
8th August 2009 - Vendor Response
27 October 2009 - Vendor Advisory Release
4 November 2009 - Context Information Security Advisory Release

Credits
---
Paul Stone of Context Information Security Ltd

About Context Information Security
--
Context Information Security Limited is a specialist information security 
consultancy based in London and Dusseldorf. 
Context promotes the holistic approach to information security and helps 
clients to identify, assess and control their exposure to risk within the 
fields of IT, telephony and physical security. Context employs experienced 
information security professionals who are subject-matter experts in their 
various technical specialisms.  Context works extensively within the finance, 
legal, defence and government sectors, delivering high-end information security 
projects to organisations for which security is a priority.

Web:www.contextis.co.uk
Email:  disclos...@contextis.co.uk



[Full-disclosure] Context IS Advisory - MS08-39 OWA XSS

2008-07-10 Thread Context IS - Disclosure
===ADVISORY===

Systems Affected:    Microsoft Outlook Web Access 2003 and 2007
                     (Exchange Server 2003 SP2, Exchange Server 2007,
                     Exchange Server 2007 SP1)
Severity:            High
Category:            Cross Site Scripting, Cross Site Request Forgery
Author:              Context Information Security Ltd
Reported to vendor:  10th January 2008
Advisory Issued:     10th July 2008

===ADVISORY===


Description
---

Several Cross Site Scripting vulnerabilities were found within Outlook Web 
Access (OWA) 2003/2007.  An attacker can craft a malicious email which will 
trigger within a user's browser.  Different versions of OWA and different 
clients (Light and Premium) have different attack vectors which can result in 
an attacker gaining *persistent* control over a victim's use of Outlook Web 
Access. An attacker would have full control and access to the victim's e-mail 
account. This control could be further abused by utilising techniques such as 
JavaScript root-kits or web worms.


Analysis


An attacker can craft a malicious email which contains the attack strings to 
compromise an OWA client.  The user would only need to view the email to fall 
victim to the XSS attack. Furthermore, persistent XSS can be gained by changing 
certain values within OWA to a particular XSS attack string. This string 
(consisting of HTML/JavaScript) is subsequently injected into *any* page which 
uses this value, including "new email", "reply email" (for OWA 2003) and most 
pages (for OWA 2007).  Logging out of the application and back in will not 
clear the attack.  Furthermore, the attack can be propagated by using the 
control over the OWA client to email the attack link to all users in the 
victim's inbox/contacts.

At this point the attack would spread as an XSS worm (albeit one requiring the 
user to view the incoming email). This could potentially affect all users of 
the OWA application.


Technologies Affected
-

Microsoft Exchange Server 2003
Microsoft Exchange Server 2007
Microsoft Exchange Server 2007 SP1


Vendor Response
---

On 9th July 2008, Microsoft issued security bulletin MS08-039 and an 
associated patch for Exchange Server 2003 and Exchange Server 2007 SP1.

Patches are available from:

http://www.microsoft.com/technet/security/bulletin/ms08-039.mspx

Context would recommend that these patches be installed as soon as practical to 
all Exchange Servers providing OWA functionality.


CVE
---

This issue has been assigned CVE numbers CVE-2008-2247 and CVE-2008-2248.


Disclosure Timeline
---

10th January 2008 - Initial Discovery and vendor notification.
14th January 2008 - Vendor response requesting further details.
14th March 2008 - Vendor response requesting PoC. PoC provided.
9th July 2008 - Vendor advisory release.
10th July 2008 - Context Information Security Ltd advisory release.


Credits


Michael Jordon of Context Information Security Ltd


About Context Information Security
--

Context Information Security Limited is a specialist information security 
consultancy based in London and Frankfurt. Context promotes the holistic 
approach to information security and helps clients to identify, assess and 
control their exposure to risk within the fields of IT, telephony and physical 
security. Context employs experienced information security professionals who 
are subject-matter experts in their various technical specialisms.  Context 
works extensively within the finance, legal, defence and government sectors, 
delivering high-end information security projects to organisations for which 
security is a priority.

Web:www.contextis.co.uk
Email:  [EMAIL PROTECTED]



