Re: [FD] taglib 1.11.1 vuln

2018-05-29 Thread Alan Coopersmith
On 05/27/18 07:12 PM, 熊文彬 wrote:
> taglib vulnerability
> 
> Author : Webin security lab - dbapp security Ltd
> ===
> 
> 
> Introduction:
> =
> TagLib Audio Meta-Data Library
> 
> http://taglib.org/

I can't find a matching bug for this in https://github.com/taglib/taglib/issues
- did you actually tell the authors of this software about this bug or just
the rest of the world and not the people who can fix it?

-- 
-Alan Coopersmith-   alan.coopersm...@oracle.com
 Oracle Solaris Engineering - https://blogs.oracle.com/alanc

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] foilChat sign up email PIN confirmation bypass

2018-05-29 Thread Harry Sintonen

foilChat sign up email PIN confirmation bypass
==
https://sintonen.fi/advisories/foilchat-signup-email-pin-confirmation-bypass.txt


Overview


foilChat (https://www.foilchat.com/) allows anyone to register with any email
address due to a vulnerability.


Description
---

foilChat user names equal to user's email address. At sign up the user is required
to provide an email address. The email address is sent a 4 digit PIN code that the
user is required to enter to the application to complete the registration.

foilChat backend fails to prevent brute force attempts of the PIN code. The attacker
can attempt all 10000 different PIN codes until the correct one is found, and then
use the correct PIN to complete the registration.


Impact
--

The attacker can sign up to foilChat with any email address, bypassing the security
model of the application. Notably the user name (email address) is the only way to
confirm identity within the application.


Details
---

The discovered vulnerabilities, described in more detail below, enable the attack
described here in brief.

1. Initiate the sign up procedure in the application with a spoofed email address

2. Brute force the correct PIN code

for p in `seq -w 0 `; do
  echo $p; if curl -s -d "email=victim@example.invalid=$p" \
  https://api.foilserver.com/v2.4.3/users/check_credentials |
  grep -q true; then break; fi
done

3. Once correct PIN is found, complete the sign up with the PIN code


The attacker is now registered with the spoofed email address (user name):

https://sintonen.fi/advisories/foilchat-signup-pin-bypass.png


Vulnerabilities
---

1. CWE-307: Improper Restriction of Excessive Authentication Attempts

The foilChat backend fails to restrict the number of 'users/check_credentials' API
calls for a given email address. The attacker can try different PIN codes until the
correct PIN code is found, and thus bypass the email confirmation.

This issue could be fixed in several ways. One way would be to restrict the number of
'users/check_credentials' API calls that can be made. Even better, rather than having
a separate 'users/check_credentials' API call at all, the correct PIN should be
required for the actual 'users/signup' API call instead.


Vulnerable versions
---

foilChat confirmed the issue fixed 2018-05-24.


Credits
---

The vulnerability was discovered by Harry Sintonen.


Timeline


2018.05.10  discovered the vulnerability
2018.05.10  reported the vulnerability via CERT-FI that forwarded it to foilChat
            security contact
2018.05.24  foilChat reported the vulnerability fixed
2018.05.24  public disclosure of the advisory

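The fix the advisory recommends, as an added example that is not foilChat's code: a small registration backend in which the 4-digit PIN is verified only inside the signup call itself (no separate check call to query) and each pending registration allows a bounded number of guesses before the PIN is invalidated. All names (SignupService, PendingSignup, the 'outbox' standing in for email delivery) are hypothetical.

```python
"""Sign-up PIN verification that bounds guessing (added example, not foilChat's code).

The PIN is compared only in complete_signup, so there is no separate oracle to
query, and a pending registration dies after MAX_ATTEMPTS wrong guesses. Names are
hypothetical; 'outbox' stands in for sending the email.
"""
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5  # 5 of 10000 possible PINs: a blind guesser succeeds ~0.05% of the time

@dataclass
class PendingSignup:
    pin: str
    attempts_left: int = MAX_ATTEMPTS

class SignupService:
    def __init__(self, pin_source=lambda: secrets.randbelow(10_000)):
        self._pending = {}        # email -> PendingSignup
        self.users = set()        # completed registrations
        self.outbox = []          # (email, pin) pairs "sent" to the address (constructed)
        self._pin_source = pin_source  # injectable so tests can be deterministic

    def start_signup(self, email):
        # Every request mints a fresh PIN; an earlier pending attempt is discarded.
        pin = f"{self._pin_source():04d}"
        self._pending[email] = PendingSignup(pin)
        self.outbox.append((email, pin))

    def complete_signup(self, email, pin):
        """The only place the PIN is compared; returns a short status string."""
        pending = self._pending.get(email)
        if pending is None:
            return "no_pending_signup"
        pending.attempts_left -= 1
        # Constant-time compare: a wrong guess reveals nothing about partial matches.
        if not hmac.compare_digest(pending.pin.encode(), pin.encode()):
            if pending.attempts_left <= 0:
                del self._pending[email]  # PIN is dead; a new email must be requested
                return "locked"
            return "wrong_pin"
        del self._pending[email]
        self.users.add(email)
        return "registered"

def exhaustive_guess_blocked(svc, email):
    """Defender's check: can a caller who never saw the email get registered?"""
    outcomes = {svc.complete_signup(email, f"{p:04d}") for p in range(10_000)}
    return "registered" not in outcomes and email not in svc.users
```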


[FD] SEC Consult SA-20180529-0 :: Unprotected WiFi access & Unencrypted data transfer in Vgate iCar2 OBD2 Dongle

2018-05-29 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180529-0 >
===
              title: Unprotected WiFi access & Unencrypted data transfer
            product: Vgate iCar 2 WiFi OBD2 Dongle
 vulnerable version: Vgate iCar 2 WiFi OBD2 Dongle
      fixed version: -
         CVE number: CVE-2018-11476
                     CVE-2018-11477
                     CVE-2018-11478
             impact: Critical
           homepage: http://www.vgate.com.cn
              found: 2018-04-24
                 by: T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

===

Vendor description:
---
"Based in Shenzhen, China, Vgate Technology.co ltd. specializes in the
development, design and manufacture of diagnostic equipment, tools and
accessories in the automotive aftermarket industry.
We offer a selective range of products from automotive diagnostic tools
including code readers and scan tools, to test and inspection equipment such as
sensor testers and battery testers. Aside from the above, we also carry garage
equipment like infrared paint dryers and pipe expanders, and automotive
diagnostic accessories such as OBD diagnostic cable assemblies, SAE J1962
connectors, and vehicle to PC (or PDA) interface adapters (VAG-COM interfaces).
Though the company is young in age, we are strong in experiences in that all of
our major engineers have extensive R&D experience in the automotive aftermarket
technology. With the combination of our experienced and distinguished
specialists, low-cost manufacturing and exceptional customer service, M.B is
able to become the supplier of choice who delivers high quality products,
user-friendly designs and most competitive prices to both professional and
amateur (or DIYers) automotive technicians.

We are proud of ourselves in providing cost effective, timely and innovative
solutions with a first class service."

Source: http://www.vgate.com.cn/en/Aboutus.html


Business recommendation:

By using the vulnerabilities which are documented in this advisory an attacker
can easily send arbitrary messages to the automotive communication bus
(CAN/FlexRay/...) of the car electronics and potentially take over
safety-critical car functions.

The vendor told SEC Consult in a phone call that our identified security
issues are common practice for such hardware and therefore will not be fixed!

SEC Consult recommends not to use this product until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.


Vulnerability overview/description:
---
1) Unprotected WiFi Access (CVE-2018-11476)
The dongle opens an unprotected wireless LAN which cannot be configured with an
encryption / password. This enables anyone within the range of the WLAN to
connect to the network without authentication.

2) Unencrypted Data Transfer (CVE-2018-11477)
The data packets which are sent between the App and the OBD dongle are not
encrypted. The combination of this vulnerability with the lack of a wireless
network protection exposes all transferred car data to the public.

3) Unauthenticated Access to On-board Diagnostics (OBD) (CVE-2018-11478)
The OBD port is used to receive measurement data and debug information from the
car. These on-board diagnostics can also be used to send commands to the car,
which differ for every vendor / car product line / car.

The mentioned features are usually needed for maintenance purposes but can be
abused by attackers. This is possible because the OBD interface is directly
accessible through port 35000 on the (unprotected) wireless access point of the
OBD device.

Because of the fact that it is never intended that other people have access to
the data bus (e.g. CAN) of your car while you are driving, this vulnerability is
seen as highly critical and a safety-critical threat to the public.


Proof of concept:
-
Detailed proofs of concept have been removed as the vendor did not provide
a patch.

1) Unprotected WiFi Access (CVE-2018-11476)
The unprotected wireless LAN is named "V-LINK". To create it, the "Fn-Link
(6110R-IF)" is used. It acts as wireless UART bridge to hand over the commands
of the App to the ELM327 compatible "iCar-2" chip.

2) Unencrypted Data Transfer (CVE-2018-11477)
All commands starting with "AT" and the "0100"/"0120" are strings which were
sent from the App to the OBD Dongle. The "X" character is a wildcard for an
arbitrary hexadecimal value and is used to anonymize car data in responses
for this advisory.

The following plain-text co