Re: [Full-disclosure] [ESNC-2013-005] Remote Code Injection in SAP ERP Central Component - Project System
Please unsubscribe. Address to be inactive. -Original Message- From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of ESNC Security Sent: Monday, May 6, 2013 10:31 PM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] [ESNC-2013-005] Remote Code Injection in SAP ERP Central Component - Project System [ESNC-2013-005] Remote Code Injection in SAP ERP Central Component - Project System Please refer to http://www.esnc.de for the original security advisory, updates and additional information. 1. Business Impact Project System, which is part of SAP ERP, provides tools to track project costs and resources. It is tightly integrated with Controlling, Human Resources, and Logistics modules. This vulnerability allows execution of arbitrary program code of the user's choice. According to SAP, the user can: * Inject and run their own code, * Obtain additional information that should not be displayed, * Modify data, delete data. Since this issue exists on a remote function module, attacker can directly call the RFC from the network or from Internet via SOAP-RFC services. Risk Level: High 2. Advisory Information -- ESNC Security Advisory ID: ESNC-2013-005 -- CVE ID: CVE-2013-3244 -- Original security advisory: http://www.esnc.de/sap-security-audit-and-scan-services/security-advisories/58-remote-code-injection-in-sap-erp-project-system -- Vendor Patch Date: 11.12.2012 -- Public Advisory Date: 07.05.2013 -- Researcher: Ertunga Arsal 3. Vulnerability Information -- Vendor: SAP -- Affected Components: ERP Central Component PS-IS -- Affected Versions: Please refer to SAP note for more information -- Vulnerable Function: CJDB_FILL_MEMORY_FROM_PPB -- Vulnerability Class: Remote Code Injection -- CVSS v2 score by the vendor: 7.5 AV:N/AC:M/AU:S/C:P/I:P/A:C -- Remotely Exploitable: Yes -- Authentication Required: Yes -- Additional Notes: An exploit for this vulnerability is available in ESNC Penetration Testing Suite 4. Solution Please apply the security patch [SAP Note 1776695] supplied by the vendor. More information can be found at vendor's site: https://service.sap.com/sap/support/notes/1776695 To prevent this and similar flaws, enterprises can use ESNC Code Security for scanning their own ABAP code or for assessing the security of the ABAP programs installed on their SAP systems. About ESNC ESNC GmbH, Germany is a company specialized in SAP penetration testing, ABAP security review and SAP vulnerability assessment services. It's flagship product ESNC Security Suite is used by many large enterprises for security scanning their SAP ABAP and Java AS systems, running ABAP code inspection, enforcing security compliance and for providing SAP security monitoring. For more information about our products and services, please visit our web page at http://www.esnc.de ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Vulnerabilities in VideoJS
Please unsubscribe. Address to be inactive -Original Message- From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of MustLive Sent: Monday, May 6, 2013 4:45 PM To: submissi...@packetstormsecurity.org; full-disclosure@lists.grok.org.uk; 1337 Exploit DataBase Subject: [Full-disclosure] Vulnerabilities in VideoJS Hello list! I want to inform you about vulnerabilities in VideoJS. This is popular video and audio player, which is used at hundreds thousands of web sites and in multiple web applications. This is Cross-Site Scripting vulnerability in VideoJS. There is also DoS hole related to this player, which I've found at 27.01.2013 at vine.co, which was using VideoJS Flash Component v3.0 (http://vine.co/v/b5HpgZT3ZwL). Which concerned with Flash Player, Adobe fixed it already at 12th of February. More information is in my advisory for DoS vulnerability in Adobe Flash Player (http://seclists.org/fulldisclosure/2013/Apr/9). Here is my video demonstration of BSOD in Adobe Flash in Mozilla Firefox with using VideoJS (http://www.youtube.com/watch?v=xi29KZ3LD80). - Affected products: - Vulnerable are versions before VideoJS Flash Component 3.0.2 and VideoJS 4.0. Versions VideoJS Flash Component 3.0.2 and VideoJS 4.0 are not vulnerable to mentioned XSS hole, except XSS via JS callbacks (as it can be read in repository on github). Also there are bypass methods which work in the last version, but the developers haven't fixed them due to their low impact. This week developers are planning to officially release VideoJS 4.0 (but swf-file with fixed XSS hole is already available at video.js and video-js-swf repositories on github). Updated version of VideoJS.swf is available in the next repositories: https://github.com/videojs/video-js-swf https://github.com/MustLive/video-js-swf - Affected vendors: - Earlier Zencoder, now Brightcove http://videojs.com -- Details: -- Cross-Site Scripting (WASC-08): http://site/video-js.swf?readyFunction=alert(document.cookie) But the fix in VideoJS Flash Component 3.0.2 is not protecting from the next attacks: http://site/video-js.swf?readyFunction=alert http://site/video-js.swf?readyFunction=prompt http://site/video-js.swf?readyFunction=confirm Which are small ones and the developers don't worry about them, so after I've drawn their attention last week on incomplete fix, they still released such fix. But they will think about improving their protection in the future versions. Timeline: 2013.01.27 - found DoS (BSOD) vulnerability. 2013.01.28 - recorded video PoC. And in the night have informed Adobe. 2013.02.07 - found XSS vulnerability. 2013.02.08 - informed developers of VideoJS about both vulnerabilities. They thanked and promised to fix it. 2013.02.12 - Adobe fixed DoS vulnerability. 2013.02.23 - reminded VideoJS developers and asked for date of releasing the fix. 2013.03.09 - again reminded developers. 2013.03.26 - again reminded developers. 2013.04.08 - reminded developers on github and resent previous letter to Zencoder's developers (since Brightcove, which acquired Zencoder, ignored the hole for two months). 2013.04.08-30 - discussed with developers (on github and by e-mail). And made my own fix to force developers to fix the hole. 2013.04.30 - developers fixed XSS hole in VideoJS Flash Component 3.0.2 in source code on github. 2013.05.02 - developers compiled fixed version of swf (after my reminding) and uploaded to both repositories. 2013.05.02 - tested version 3.0.2 and found that developers haven't fixed the hole completely and informed them. Best wishes regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Unscribe
Email address to be inactive. Please unsubscribe. -Original Message- From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of SEC Consult Vulnerability Lab Sent: Tuesday, May 7, 2013 12:57 AM To: bugtraq; full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] SEC Consult SA-20130507-0 :: Multiple vulnerabilities in NetApp OnCommand System Manager SEC Consult Vulnerability Lab Security Advisory 20130507-0 === title: Multiple vulnerabilities product: NetApp OnCommand System Manager vulnerable version: = 2.1 and =2.0.2 fixed version: 2.2 (only XSS fixed) CVE: CVE-2013-3320 (XSS) CVE-2013-3321 (File inclusion) CVE-2013-3322 (OS command execution) impact: medium homepage: http://www.netapp.com/ found: 2012-11-06 by: M. Heinzl SEC Consult Vulnerability Lab https://www.sec-consult.com/ === Vendor description: --- You don't need to be a storage expert to manage NetApp storage systems. Configuration and ongoing storage management are easy using the Web-based OnCommand® System Manager. System Manager is the simple yet powerful management solution for NetApp storage it'seasy for small to midsize businesses to use and efficient for large enterprises and service providers. Source: http://www.netapp.com/us/products/management-software/system-manager.html Vulnerability overview/description: --- NetApp OnCommand System Manager suffers from multiple permanent and reflective cross-site scripting vulnerabilities, a local file inclusion vulnerability as well as an OS command execution vulnerability. Malicious, authenticated users can exploit these flaws to change the contents of the displayed site, redirect the user to other sites, steal user credentials, execute system commands and read sensitive information. The vendor will not fix the file inclusion and OS command execution issues, as it is considered a design feature. Proof of concepts: - 1) Multiple Reflective Cross-Site Scripting Vulnerabilities (internal bug number 654355) - CVE-2013-3320 When configuring CIFS (Configuration Protocols CIFS Configuration Setup), JavaScript can be inserted into the parameters domain-name and value. Request (domain-name): POST /zapiServlet HTTP/1.1 Host: 127.0.0.1:1195 [...] netapp version=1.7 xmlns=http://www.netapp.com/filer/admin;cifs-setupauth-typeworkgroup/auth-typedomain-nameimg src=x onerror=alert(1) /domain-namesecurity-stylemultiprotocol/security-styleserver-nameFILER/server-name/cifs-setup/netapp Furthermore, when creating new LUNs or editing already existing ones (Storage LUNs (Create or Edit)), JavaScript can be inserted into the parameter comment. 2) Multiple permanent cross-site scripting vulnerabilities (internal bug number 654355) - CVE-2013-3320 When creating new users or editing already existing ones (Configuration Local Users and Groups Users (Create or Edit)), JavaScript can be inserted into the parameters full-name and comment. Request (full-name): POST /zapiServlet HTTP/1.1 Host: 127.0.0.1:1457 [...] netapp version=1.7 xmlns=http://www.netapp.com/filer/admin;useradmin-user-modifyuseradmin-useruseradmin-user-infofull-nametestimg src=x onerror=alert(1) /full-namecommenttest/commentnametest/namepassword-maximum-age4294967295/password-maximum-agepassword-minimum-age0/password-minimum-ageuseradmin-groupsuseradmin-group-infonameAdministrators/name/useradmin-group-info/useradmin-groups/useradmin-user-info/useradmin-user/useradmin-user-modify/netapp Furthermore, when creating new groups or editing already existing ones (Configuration Local Users and Groups Groups (Create or Edit)), JavaScript can be inserted into the parameter comment. When creating new shares or editing already existing ones (Storage Shares (Create or Edit)), JavaScript can be inserted into the parameter comment. 3) Local File Inclusion (internal bug number 654357) - CVE-2013-3321 * When retrieving log files through SnapMirror (Diagnostics SnapMirror Log), the path can be changed to read arbitrary files from the file system. 4) OS Command Execution (internal bug number 654360) - CVE-2013-3322 * When using the Halt/Reboot interface (Configuration System Tools Halt/Reboot), arbitrary OS commands can be injected. * To exploit these issues, the attacker must be authenticated as root. The vendor will not fix these issues, as it is considered a design feature. Hence no proof of concept will be included within this advisory. Vendor contact timeline: 2012-11-06: Contacting vendor
