[Full-disclosure] [NETRAGARD-20110910 SECURITY ADVISORY] [Sonexis ConferenceManager Blind SQL Injection Vulnerability] [ http://www.netragard.com ]
*** NETRAGARD ADVISORY
http://www.netragard.com
Research Driven Penetration Testing

[POSTING NOTICE]
--
If you intend to post this advisory on your web page please create a clickable link back to the original Netragard advisory as the contents of the advisory may be updated. The advisory can be found on the Netragard website at http://www.netragard.com/
For more information about Netragard visit http://www.netragard.com

[Advisory Information]
--
Contact : Adriel T. Desautels
Advisory ID : NETRAGARD-20110910
Product Name : Sonexis ConferenceManager
Product Version : 9.3.14.0 (Tested On)
Vendor Name : Cambium Group, LLC.
Type of Vulnerability : Multiple Critical Vulnerabilities
Impact : Critical
Date Discovered : 01/19/2011
Vendor Notified : 01/26/2011

[Notes About This Advisory]
--
Netragard's team discovered and exploited this vulnerability on January 19th 2011 during the delivery of research based penetration testing services. Netragard notified the vendor about this vulnerability on January 26th 2011. Netragard did not receive any communications back from Sonexis after initial notification.

According to an advisory published by Solutionary, Solutionary discovered this same vulnerability on 01/27/2011. Solutionary notified Sonexis of the vulnerability on 02/18/2011 and received a vendor response back on 03/02/2011. Solutionary published a low detail advisory for this issue on 04/06/2011.

It is Netragard's policy to refrain from publishing vulnerabilities until after methods for remediation have been created/provided. Exceptions to this policy are made in the event that vendors are non-responsive or in the event that the vulnerability becomes public knowledge.

[Product Description]
--
The Sonexis ConferenceManager offers unbeatable value. Our high-quality audio platform is recognized for its ease-of-use, security, and cost-effectiveness — and it offers a comprehensive set of integrated Web conferencing capabilities. Better still, our unique architecture allows you unlimited flexibility. You're never more than a license key away from increasing users, adding Web functionality, or changing from one protocol to another. Simply put, it's the best thing to happen to conferencing.
Taken From: http://www.sonexis.com/products/product_details.asp

[Technical Summary]
--
The Sonexis ConferenceManager does not adhere to best practices as defined by the Open Web Application Security Project (OWASP), the de facto standard for Web Application Security. Specifically, the Sonexis ConferenceManager fails the OWASP Data Validation Criterion as well as others that are not discussed in this advisory.

This advisory discloses details about a Blind SQL Injection vulnerability that was discovered by Netragard during the delivery of research driven Advanced Penetration Testing services. Successful exploitation of this vulnerability enables the attacker to take full control of the affected system. Netragard has created and will provide Proof of Concept code for this vulnerability shortly after the publication of this Advisory.

Netragard has not received any information from the vendor since initial notification. As of the time of the authoring of this Advisory no official vendor patches have been made public. Netragard has provided methods for mitigation in this advisory.

For more information about OWASP criteria please visit the URL below:
-- https://www.owasp.org/index.php/Category:Vulnerability --

[Technical Details]
--
The tests shown below can be used to determine if your Sonexis ConferenceManager is vulnerable.

Test Environment:
- web server operating system: Windows 2003
- web application technology: ASP.NET, Microsoft IIS 6.0, ASP
- back-end DBMS: Microsoft SQL Server 2000

--- TEST 1 ---
Validated SQL command execution with the wait+for+delay+'0:0:3'-- SQL command. If command execution is a success then time should return a real value of roughly 3 seconds.

netragard:~$ time curl -d txtConferenceID=1'+waitfor+delay+'0:0:3'-- http://xxx.xxx.xxx.xxx/login/hostlogin.asp > /dev/null 2>&1

real    0m3.281s   --- Command Execution Successful!
user    0m0.000s
sys     0m0.004s
--- END TEST 1 ---

--- TEST 2 ---
Validated SQL command execution with the wait+for+delay+'0:0:5'-- SQL command. If command
[Full-disclosure] [NETRAGARD-20110910 (Corrected) SECURITY ADVISORY] [Sonexis ConferenceManager Blind SQL Injection Vulnerability] [ http://www.netragard.com ]
Please disregard the previous release of this advisory as it was sent prematurely and contained errors. The corrected version is shown below and can also be found on our website at the following URL:
http://www.netragard.com/pdfs/research/NETRAGARD-20110910.txt

*** NETRAGARD ADVISORY
http://www.netragard.com
Research Driven Penetration Testing

[POSTING NOTICE]
--
If you intend to post this advisory on your web page please create a clickable link back to the original Netragard advisory as the contents of the advisory may be updated. The advisory can be found on the Netragard website at http://www.netragard.com/
For more information about Netragard visit http://www.netragard.com

[Advisory Information]
--
Contact : Adriel T. Desautels
Advisory ID : NETRAGARD-20110910 (Corrected)
Researcher : Kevin Finisterre Team
Product Name : Sonexis ConferenceManager
Product Version : 9.3.14.0 (Tested On)
Vendor Name : Sonexis Technology, Inc.
Type of Vulnerability : Blind SQL Injection
Impact : Critical
Date Discovered : 01/19/2011
Vendor Notified : 01/26/2011

[Notes About This Advisory]
--
Netragard's team discovered and exploited this vulnerability on January 19th 2011 during the delivery of research based penetration testing services. Netragard notified the vendor about this vulnerability on January 26th 2011. Netragard did not receive any communications back from Sonexis after initial notification.

According to an advisory published by Solutionary, Solutionary discovered this same vulnerability on 01/27/2011. Solutionary notified Sonexis of the vulnerability on 02/18/2011 and received a vendor response back on 03/02/2011. Solutionary published a low detail advisory for this issue on 04/06/2011.

It is Netragard's policy to refrain from publishing vulnerabilities until after methods for remediation have been created/provided. Exceptions to this policy are made in the event that vendors are non-responsive or in the event that the vulnerability becomes public knowledge.

[Product Description]
--
The Sonexis ConferenceManager offers unbeatable value. Our high-quality audio platform is recognized for its ease-of-use, security, and cost-effectiveness — and it offers a comprehensive set of integrated Web conferencing capabilities. Better still, our unique architecture allows you unlimited flexibility. You're never more than a license key away from increasing users, adding Web functionality, or changing from one protocol to another. Simply put, it's the best thing to happen to conferencing.
Taken From: http://www.sonexis.com/products/product_details.asp

[Technical Summary]
--
The Sonexis ConferenceManager does not adhere to best practices as defined by the Open Web Application Security Project (OWASP), the de facto standard for Web Application Security. Specifically, the Sonexis ConferenceManager fails the OWASP Data Validation Criterion as well as others that are not discussed in this advisory.

This advisory discloses details about a Blind SQL Injection vulnerability that was discovered by Netragard during the delivery of research driven penetration testing services. Successful exploitation of this vulnerability enables the attacker to take full control of the affected system. Netragard has created and will provide Proof of Concept code for this vulnerability shortly after the publication of this Advisory.

Netragard has not received any information from the vendor since initial notification. As of the time of the authoring of this Advisory no official vendor patches have been made public. Netragard has provided methods for mitigation in this advisory.

For more information about OWASP criteria please visit the URL below:
-- https://www.owasp.org/index.php/Category:Vulnerability --

[Technical Details]
--
The tests shown below can be used to determine if your Sonexis ConferenceManager is vulnerable.

Test Environment:
- web server operating system: Windows 2003
- web application technology: ASP.NET, Microsoft IIS 6.0, ASP
- back-end DBMS: Microsoft SQL Server 2000

--- TEST 1 ---
Validated SQL command execution with the wait+for+delay+'0:0:3'-- SQL command. If command execution is a success then time should return a real value of roughly 3 seconds.

netragard:~$
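The time-based test above works because the txtConferenceID value is spliced into a SQL statement, so a quote in the input ends the string literal and the rest is executed as SQL; on SQL Server, WAITFOR DELAY then stalls the response for a measurable interval. The following Python is an added example, not code from the Netragard advisory or from the Sonexis product. It shows the two defender-side pieces the advisory implies: a check that flags request parameters carrying a time-delay primitive (the pattern list goes beyond the advisory's SQL Server case to other common DBMS delay functions), and the difference between a concatenated and a parameterized lookup. The request records, field values other than the advisory's own payload, the table layout and the use of SQLite are all constructed for illustration; SQLite has no WAITFOR, so the delay is not reproduced, only how each query style treats the input.

```python
"""Defender-side checks for the time-based blind SQL injection pattern above.

Added example: not part of the Netragard advisory or of the Sonexis product.
Request records, table layout and the SQLite backend are constructed for
illustration; only the txtConferenceID field name, the /login/hostlogin.asp
path and the 'waitfor delay' payload come from the advisory.
"""
import re
import sqlite3
from urllib.parse import unquote_plus

# Time-delay primitives that blind SQL injection probes rely on. The advisory's
# test uses SQL Server's WAITFOR DELAY; the others generalise to common DBMSs.
TIME_DELAY_PATTERNS = [
    (re.compile(r"\bwait\s*for\s+delay\b"), "waitfor delay"),   # Microsoft SQL Server
    (re.compile(r"\bsleep\s*\("), "sleep("),                     # MySQL
    (re.compile(r"\bpg_sleep\s*\("), "pg_sleep("),               # PostgreSQL
    (re.compile(r"\bbenchmark\s*\("), "benchmark("),             # MySQL
    (re.compile(r"\bdbms_lock\.sleep\b"), "dbms_lock.sleep"),     # Oracle
]


def normalize(value):
    """URL-decode twice (catches double encoding), collapse whitespace, lowercase."""
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded).lower()


def looks_like_time_based_sqli(value):
    """Return the matched delay primitive, or None if the value looks benign."""
    text = normalize(value)
    for pattern, label in TIME_DELAY_PATTERNS:
        if pattern.search(text):
            return label
    return None


# Constructed request records, as a WAF or application-level log hook might see them.
CONSTRUCTED_REQUESTS = [
    {"client": "10.0.0.5", "path": "/login/hostlogin.asp",
     "form": {"txtConferenceID": "123456"}},
    {"client": "10.0.0.9", "path": "/login/hostlogin.asp",
     "form": {"txtConferenceID": "1'+waitfor+delay+'0:0:3'--"}},
    {"client": "10.0.0.9", "path": "/login/hostlogin.asp",
     "form": {"txtConferenceID": "1%27%20WAITFOR%20DELAY%20%270:0:5%27--"}},
    {"client": "10.0.0.12", "path": "/search.asp",
     "form": {"q": "sleep well"}},
]


def scan_requests(requests):
    """Flag (client, path, field, primitive) for every parameter carrying a delay primitive."""
    findings = []
    for req in requests:
        for field, value in req["form"].items():
            label = looks_like_time_based_sqli(value)
            if label:
                findings.append((req["client"], req["path"], field, label))
    return findings


def make_demo_db():
    """In-memory SQLite table standing in for the conference lookup (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE conferences (conference_id TEXT PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO conferences VALUES (?, ?)",
                     [("1", "Quarterly review"), ("2", "Incident retro")])
    return conn


def lookup_conference_unsafe(conn, conference_id):
    """Vulnerable pattern: the value is spliced into the SQL text, so a quote
    ends the literal and whatever follows is parsed as SQL."""
    sql = "SELECT conference_id, title FROM conferences WHERE conference_id = '%s'" % conference_id
    return conn.execute(sql).fetchall()


def lookup_conference_safe(conn, conference_id):
    """Parameterized query: the value travels separately from the statement
    text and cannot change the statement's structure."""
    sql = "SELECT conference_id, title FROM conferences WHERE conference_id = ?"
    return conn.execute(sql, (conference_id,)).fetchall()


def unsafe_query_rejected(conn, conference_id):
    """True when the spliced statement no longer parses as the query the developer wrote.

    On SQL Server the advisory's payload parses and WAITFOR DELAY pauses the
    session, which is the timing signal the advisory measures; SQLite has no
    WAITFOR, so it rejects the mangled statement with a syntax error instead.
    """
    try:
        lookup_conference_unsafe(conn, conference_id)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    for finding in scan_requests(CONSTRUCTED_REQUESTS):
        print("suspicious parameter:", finding)
    db = make_demo_db()
    payload = "1' waitfor delay '0:0:3'--"
    print("unsafe query rejected by SQLite:", unsafe_query_rejected(db, payload))
    print("safe query rows for payload:", lookup_conference_safe(db, payload))
```

The scan is a detection aid, not a fix: the mitigation is the parameterized form, under which the advisory's payload is just a conference id that matches nothing. Tuning note: the delay check keys on DBMS functions rather than on quotes or comment markers, which keeps it quiet on ordinary free-text fields such as the constructed "sleep well" search term.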
[Full-disclosure] Exploit Acquisition Program
Greetings Full Disclosure:

Netragard, LLC is currently looking to introduce new researchers into the Exploit Acquisition Program. This program is designed to acquire viable and functional 0-day exploits and vulnerability information from the security community. We are only interested in working with ethical and verifiable exploit developers and researchers. You must be willing to engage in a binding contractual agreement with Netragard to participate in the program. Anonymous participation is not permitted.

If you are interested in participating in the Exploit Acquisition Program then please email e...@netragard.com with a subject of REGISTER. Make sure to add your PGP Public Key Block to the email in order to help facilitate secure communications.

Regards,
EAP, Netragard, LLC
http://www.netragard.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Netragard's Exploit Acquisition Program -- We're back at it again.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We've brought back our Exploit Acquisition Program. For those interested in selling research, have a read.

http://snosoft.blogspot.com/2010/01/resurrection-of-eap.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAktaJfIACgkQQwbn1P9Iaa3GYwCcCbgeInSodccat5AKd66NvDqr
YrAAoKGjdArdZA3qX6tuyUTZFAdo24kB
=+X7r
-----END PGP SIGNATURE-----
[Full-disclosure] [NETRAGARD SECURITY ADVISORY] [ Java for Mac OS X 10.6 Update 1 ][NETRAGARD-20091219]
[Advisory Summary]
---
Advisory Author : Adriel T. Desautels
Researcher : Kevin Finisterre
Advisory ID : NETRAGARD-20091219
Product Name : Mac OS X Java Runtime
Product Version : Java for Mac OS X 10.6 Update 1
Vendor Name : http://www.apple.com, http://www.sun.com
Type of Vulnerability : Buffer Overflow
Impact : Arbitrary Code Execution
Vendor Notified : Yes
Patch Released : http://support.apple.com/kb/HT3969
Discovery Date : 11/13/2009

[POSTING NOTICE]
---
If you intend to post this advisory on your web-site you must provide a clickable link back to http://www.netragard.com. The contents of this advisory may be updated without notice.

[Product Description]
---
Mac OS X is the only major consumer operating system that comes complete with a fully configured and ready-to-use Java runtime and development environment. Professional Java developers are increasingly turning to the feature-rich Mac OS X as the operating system of choice for both Mac-based and cross-platform Java development projects. Mac OS X includes the full version of J2SE 1.5, pre-installed with the Java Development Kit (JDK) and the HotSpot virtual machine (VM), so you don't have to download, install, or configure anything. Deploying Java applications on Mac OS X takes advantage of many built-in features, including 64-bit support, resolution independence, automatic support of multiprocessor hardware, native support for the Java Accessibility API, and the native Aqua look and feel. As a result, Java applications on Mac OS X look and perform like native applications on Mac OS X.

[Technical Summary]
---
On November 4th, 2009 ZDI-09-076 was released and subsequently credited to 'Anonymous'. Given the historic track record with regards to lagging behind 3rd party coordinated disclosures we decided to validate whether or not OSX was vulnerable in its current state. More importantly we wanted to validate that the vulnerable classes were reachable via a standard web browser.

The ZDI release contained limited information but that didn't prevent us from creating a working Proof of Concept (PoC) for this issue. As previously mentioned, the prime reason that we decided to look into this vulnerability was because we suspected that it was possible to remotely trigger and exploit the risk via the Safari Web Browser. We were right.

The easiest way to validate this was to find an example applet that used the getSoundbank() function and then to modify it. A quick glance at the Sun manual page gave us a hint as to how to use the function.

http://java.sun.com/j2se/1.3/docs/api/javax/sound/midi/MidiSystem.html#getSoundbank(java.net.URL)

public static Soundbank getSoundbank(URL url) throws InvalidMidiDataException, IOException

Constructs a Soundbank by reading it from the specified URL. The URL must point to a valid MIDI soundbank file.
Parameters: url - the source of the sound bank data
Returns: the sound bank
Throws:
InvalidMidiDataException - if the URL does not point to valid MIDI soundbank data recognized by the system
IOException - if an I/O error occurred when loading the soundbank

We used a google query to find an example:
http://www.google.com/search?hl=en&source=hp&q=javax.sound.midi+getSoundbank+applet&aq=f&oq=&aqi=

Luckily the example was an applet, which eliminates the question of accessibility to the vulnerability via applet tag.
http://music.columbia.edu/pipermail/jmsl/2004-November/000555.html

If we modify the above code example we can trigger the bug and get some additional information about it. All of the testing below was done with appletviewer and the following html page, coupled with our compiled proof of concept class.

$ cat index.html
<title>getSoundBank pwn</title></head><body>
<applet code=test.class width=150 height=25>
</applet>

[Technical Details]
---
http://www.zerodayinitiative.com/advisories/ZDI-09-076/ tells us there is a 'vulnerability [that] allows remote attackers to execute arbitrary code on vulnerable installations of Sun Microsystems Java.' ZDI also states that 'The specific flaw exists in the parsing of long file:// URL arguments to the getSoundbank() function.' and that 'Exploitation of this vulnerability can lead to system compromise under the credentials of the currently logged in user.'

The code shown below in the Proof of Concept section allows us to validate the statements made by ZDI by triggering the bug and subsequently crashing the JVM. When the JVM crashes
[Full-disclosure] [NETRAGARD SECURITY ADVISORY] [ Safari 3.2.3 Arbitrary Code Execution + PoC ][NETRAGARD-20090622]
*** NETRAGARD ADVISORY
http://www.netragard.com
The Specialist in Anti-Hacking

[Advisory Summary]
---
Advisory Author : Adriel T. Desautels
Researcher : Kevin Finisterre
Advisory ID : NETRAGARD-20090622
Product Name : Mac OS X Publication Subscription
Product Version : Safari 3.2.3
Vendor Name : http://www.apple.com
Type of Vulnerability : Buffer Overflow
Impact : Arbitrary Code Execution
Vendor Notified : Yes
Patch Released : APPLE-SA-2009-05-12
Discovery Date : 08/2008

[POSTING NOTICE]
---
If you intend to post this advisory on your web-site you must provide a clickable link back to http://www.netragard.com as the contents of this advisory may be updated without notice.

[Product Description]
---
Now your favorite web browser is also the fastest on any platform. With page load speeds that outperform every other major browser on the Mac or PC, Safari also introduces a few new features to the mix. Thanks to the built-in RSS reader in Safari, you can scan the latest news, information, and articles from thousands of websites in one simple-to-read, searchable article list that Safari assembles for you. The first browser to feature a built-in RSS reader, Safari is the ideal way to browse the entire web without using a second application.

Introduced in Mac OS X v10.5, Publication Subscription is a technology that offers developers a way to subscribe to web feeds from their applications. Web feeds are documents that contain frequently updated information. You can use Publication Subscription to allow your applications to subscribe to podcasts, photocasts, and any other feed-based document. Publication Subscription handles all the feed downloads and updates automatically.

Publication Subscription technologies make use of libxml2 in order to parse RSS data. Libxml2 is the XML C parser and toolkit developed for the Gnome project (but usable outside of Gnome); it is free software available under the MIT License. XML itself is a metalanguage used to design markup languages, i.e. a text language where semantics and structure are added to the content using extra markup information enclosed between angle brackets.

[Technical Summary]
---
The 'libxml' library is prone to a heap-based buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code within the context of an application using the affected library. Failed exploit attempts will result in a denial-of-service vulnerability.
-- http://www.securityfocus.com/bid/31126

Safari uses the vulnerable libxml library and can be attacked via the feed:// input vector.

[Technical Details]
---
Libxml2 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking in the xmlParseAttValueComplex() function. By parsing exceedingly long XML entity names using Libxml2, a remote attacker can overflow a buffer and execute arbitrary code on the system. If code execution fails a Denial of Service condition may happen.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3529
https://bugzilla.redhat.com/show_bug.cgi?id=461015
http://rhn.redhat.com/errata/RHBA-2008-0878.html
https://bugzilla.redhat.com/show_bug.cgi?id=460396

[Proof Of Concept]
---
The following testcases allowed for the creation of the below PoC:
https://bugzilla.redhat.com/attachment.cgi?id=315476
https://bugzilla.redhat.com/attachment.cgi?id=315477
https://bugzilla.redhat.com/attachment.cgi?id=315478
https://bugzilla.redhat.com/attachment.cgi?id=315479
https://bugzilla.redhat.com/attachment.cgi?id=315480
https://bugzilla.redhat.com/attachment.cgi?id=315481
https://bugzilla.redhat.com/attachment.cgi?id=315482

#!/usr/bin/ruby
#
# The application PubSubAgent quit unexpectedly.
#
# Process:         PubSubAgent [3764]
# Path:            /System/Library/Frameworks/PubSub.framework/Versions/A/Resources/PubSubAgent.app/Contents/MacOS/PubSubAgent
# Identifier:      PubSubAgent
# Version:         ??? (???)
# Code Type:       X86 (Native)
# Parent Process:  launchd
[Full-disclosure] [NETRAGARD SECURITY ADVISORY] [AirCell GoGo Inflight Internet -- No Encryption ][NETRAGARD-2009042]
*** Netragard, L.L.C Advisory ***
Penetration Testing - Vulnerability Assessments - Web Application Security
SNOsoft Research Team -- http://www.netragard.com -- The Specialist in Anti-Hacking

[POSTING NOTICE]
--
If you intend to post this advisory on your web page please create a clickable link back to the original Netragard advisory as the contents of the advisory may be updated. The advisory can be found on the Netragard website at http://www.netragard.com/
For more information about Netragard visit http://www.netragard.com

[Advisory Information]
--
Contact : Adriel T. Desautels
Advisory ID : NETRAGARD-20090427
Product Name : GoGo Inflight Internet
Product Version : Unknown
Vendor Name : Aircell LLC.
Type of Vulnerability : No link layer security option
Impact : Varies
Vendor Notified : 20090427

[Product Description]
--
As a service of Aircell LLC, Gogo provides all passengers access to the Internet, email, text messaging and corporate VPNs from the comfort of their seats while airborne. Aircell has been authorized by the FAA and FCC to use cellular frequencies for inflight broadband communications, leading a Wi-Fi revolution 35,000 feet above the ground. Think of it as a mobile hotspot, equipped with twin turbines and 50,000 lbs of thrust. Partnering with a variety of carriers, Gogo provides coast-to-coast, border-to-border connectivity for all passengers. Launching with American Airlines in 2008, Gogo will continue to expand, giving everyone the ability to stay in touch, in flight®.
Taken From: http://www.gogoinflight.com/jahia/Jahia/site/gogo/companyInfo

[Technical Summary]
--
The GoGo Inflight Internet service does not encrypt wireless connections between GoGo Inflight Internet users (Users) and the GoGo Inflight Internet Wireless Access Points (WAP). As a result any User's connection can be intercepted by another user, and the data that they transmit can be stolen or their respective connections can be hijacked.

[Impact]
--
[Impact varies from installation to installation]
- Theft of customer data
- Access to business networks
- Infection of Users' computer systems
- Theft of personal information
- Theft of Social Security Numbers
- Theft of Credit Card numbers
- Manipulation of in-transit data
- etc.

[Proof Of Concept]
--
Connect to GoGo Inflight Internet on your next flight and you will see that the connection between your device and the WAP is not encrypted. Connecting does not require paying for the service, it only requires establishing a connection to the WAP.

Important Notes:
--
Because this vulnerability exists at the link layer it is possible for an attacker to defeat or subvert a user's SSL based connection. This subversion would enable the attacker to capture credit card information or any other information submitted over the web. It may also be possible to subvert, defeat or hijack VPN connections as the attacker can interfere with the entire connection process.

[Vendor Status and Chronology]
--
Current Vendor Status: Unable to establish communications with vendor.

Chronology:
09/04/2009 07:11:57 PM EST - Vulnerability Discovered
09/27/2009 14:15:53 PM EST - Vendor Notified
04/28/2009 09:18:17 AM EST - Requested vendor feedback via email
04/28/2009 09:19:17 AM EST - Email Read Receipt Received
04/30/2009 11:40:25 AM EST - No response from vendor
04/30/2009 11:41:25 AM EST - Requested vendor feedback via email
04/30/2009 11:46:58 AM EST - Email Read Receipt Received
05/04/2009 09:00:00 AM EST - Began advisory release process
No vendor response.

[Solution]
--
Implement WPA2 at the link layer.

[Disclaimer]
http://www.netragard.com - Netragard,
[Full-disclosure] [NETRAGARD SECURITY ADVISORY] [Cambium Group, LLC. CAMAS Content Management System -- Multiple Critical Vulnerabilities][NETRAGARD-20070820]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*** Netragard, L.L.C Advisory ***
The Specialist in Anti-Hacking.

[Posting Notice]
--
If you intend to post this advisory on your web page please create a clickable link back to the original Netragard advisory as the contents of the advisory may be updated. The advisory can be found on the Netragard website at http://www.netragard.com/
For more information about Netragard visit http://www.netragard.com

[Advisory Information]
--
Contact : Adriel T. Desautels
Researcher : Kevin Finisterre
Advisory ID : NETRAGARD-20070820
Product Name : CAMAS (Content Management System)
Product Version : Unknown
Vendor Name : Cambium Group, LLC.
Type of Vulnerability : Multiple Critical Vulnerabilities
Impact : Critical
Vendor Notified : 08/22/2007

[Product Description]
--
Cambium Group's content management system (CAMAS) gives you independence from outdated content and expensive web masters. Let the user-friendly interface of CAMAS save you time and money with the freedom to manage your entire web channel yourself.
Taken From: http://www.cambiumgroup.com/interior.php/pid/3/sid/3

[Technical Summary]
--
The Cambium Group Content Management System (CAMAS) failed most Open Web Application Security Project (OWASP) criteria during testing. Specific areas of vulnerability that were identified are as follows:

Note: A reference to each is provided at the following URL:
-- https://www.owasp.org/index.php/Category:Vulnerability --

[+] Authentication Testing (FAIL)
--
CAMAS does not transport all authentication credentials over a secure encrypted channel. It is possible to capture users' credentials in transit.

[+] Code Quality Testing (FAIL)
--
CAMAS does not follow industry best practices as defined by OWASP. Specifically, CAMAS is missing critical security functionality that leaves CAMAS powered websites open to attack by internet based hackers.

[+] Error Handling Testing (FAIL)
--
CAMAS is missing proper error handling and event logging capabilities as defined by OWASP. This lack of proper error handling and logging results in information leakage that can be used by an attacker to further compromise a CAMAS powered website.

[+] Input Validation Testing (FAIL)
--
CAMAS does not perform proper Input Validation. In some areas CAMAS does not perform any input validation. As a result it is possible to execute arbitrary database commands against databases that support CAMAS powered websites. It is also possible to take control of CAMAS powered websites, databases and web-servers. CAMAS does not use Parameterized Stored Procedures, which is the industry standard for defending against SQL Injection.

[+] Logging and Auditing Testing (FAIL)
--
CAMAS is missing Logging and Auditing functionality as defined by OWASP.

[+] Password Management (FAIL)
--
CAMAS does not perform proper password storage and management. CAMAS does not properly support password aging, strong password enforcement, or strong password cryptographic protection. During testing Netragard was able to crack 98% of the passwords that were stored by CAMAS.

[+] Sensitive Data Protection Testing (FAIL)
--
CAMAS does not provide sufficient levels of Data Protection for businesses whose users use CAMAS powered websites to access sensitive information or to login to third party websites through login forms hosted on CAMAS powered websites.

[Impact]
--
[Impact varies from installation to installation]
- Theft of customer data
- Hijack online banking portal
- Hijack online banking portal links
- Capture data entered into forms
-