[CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application

2013-12-10 Thread Daniel Wood
Title: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California 
(ZippyYum) 3.4 iOS mobile application

Published: December 7, 2013
Reported to Vendor: May 2013
CVE Reference: CVE-2013-6986 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6986

CVSS v2 Base Score: 4.9
CVSS v2 Vector (AV:L/AC:L/Au:N/C:C/I:N/A:N/E:H/RL:U/RC:C)

Credit: This issue was discovered by Daniel E. Wood
http://www.linkedin.com/in/danielewood

Originally posted here: http://seclists.org/fulldisclosure/2013/Dec/39

Vendor: ZippyYum, LLC | http://www.zippyyum.com
Application: https://itunes.apple.com/us/app/subwayoc/id510770549?mt=8
Tested Version: 3.4

File: SubwayOCKiosk.app
App Name: Subway CA Kiosk
Build Time-stamp: 2012-06-07_09-20-17

1. Introduction: Subway CA is a mobile application available both on iOS and 
Android based devices that allows customers to build and order food menu items 
that can be paid for through the application using a payment card such as a 
debit or credit card.  

2. Vulnerability Description: The application stores sensitive data insecurely 
to cache files located within ../Caches/com.ZippyYum.SubwayOC/ directory on the 
device.

Loading Cache.db and/or Cache.db-wal in a tool that can read sqlite databases 
(such as RazorSQL) will allow a malicious user to read unencrypted sensitive 
data stored in clear-text.

Sensitive data elements found within Cache.db and Cache.db-wal:
- password and encryptionKey for the application/user account
- customerPassword
- customerEmail
- deliveryStreet
- deliveryState
- deliveryZip
- paymentMethod
- paymentCardType
- paymentCardNumber
- paymentSecurityCode
- paymentExpMonth
- paymentExpYear
- paymentBillingCode
- customerPhone
- longitude (of device)
- latitude (of device)
- email

3. Vulnerability History:
May 9, 2013: Vulnerability identification
May 15, 2013: Unofficial vendor notification
August 4, 2013: Official vendor notification via report
September 20, 2013: Vulnerability remediation notification*  
December 7, 2013: Vulnerability disclosure

*Current Version: 3.7.1 (Tested: only customerName, customerEmail, 
customerPhone, location, paymentCardType are in clear-text within 
Subway.sqlite-wal)


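Added example (not part of the advisory and not ZippyYum code): a Python audit script for the kind of finding described above. It builds a constructed SQLite file that mimics an iOS Cache.db with one cached JSON response, then walks every table and column looking for the advisory's field names and for Luhn-valid card numbers; the table and column names (cfurl_cache_receiver_data / receiver_data) are assumptions, and the scanner does not depend on them.

```python
"""Audit an app cache database for clear-text sensitive data (added example)."""
import json
import re
import sqlite3
import tempfile

# Field names the advisory reports in clear text (subset, case-sensitive).
SENSITIVE_KEYS = (
    "password", "encryptionKey", "customerPassword", "customerEmail",
    "paymentCardNumber", "paymentSecurityCode", "paymentExpMonth",
    "paymentExpYear", "deliveryStreet", "latitude", "longitude",
)
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")  # candidate card numbers


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_blob(blob: bytes):
    """Return (sensitive_keys_found, luhn_valid_pans_found) for one stored value."""
    keys = [k for k in SENSITIVE_KEYS if k.encode() in blob]
    pans = [m.decode() for m in PAN_RE.findall(blob) if luhn_ok(m.decode())]
    return keys, pans


def scan_cache_db(path: str) -> dict:
    """Walk every table/column of the SQLite file; report where sensitive data sits."""
    findings = {"keys": set(), "pans": set(), "locations": []}
    con = sqlite3.connect(path)
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    schema = {t: [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]
              for t in tables}
    con.text_factory = bytes  # from here on TEXT comes back as bytes, like BLOBs
    for table, cols in schema.items():
        for row in con.execute(f'SELECT * FROM "{table}"'):
            for col, value in zip(cols, row):
                if not isinstance(value, (bytes, bytearray)):
                    continue
                keys, pans = scan_blob(bytes(value))
                if keys or pans:
                    findings["keys"].update(keys)
                    findings["pans"].update(pans)
                    findings["locations"].append(f"{table}.{col}")
    con.close()
    return findings


def build_sample_cache_db(path: str) -> None:
    """Constructed Cache.db look-alike holding one cached JSON response body."""
    body = json.dumps({
        "customerEmail": "user@example.invalid",
        "customerPassword": "hunter2",            # constructed sample value
        "paymentCardNumber": "4111111111111111",  # well-known test PAN
        "paymentSecurityCode": "123",
        "latitude": 37.7749, "longitude": -122.4194,
    }).encode()
    con = sqlite3.connect(path)
    # Table/column names mimic NSURLCache; treat them as assumptions.
    con.execute("CREATE TABLE cfurl_cache_receiver_data "
                "(entry_ID INTEGER PRIMARY KEY, receiver_data BLOB)")
    con.execute("INSERT INTO cfurl_cache_receiver_data VALUES (1, ?)", (body,))
    con.commit()
    con.close()


def demo() -> dict:
    """Build the sample database in a temp file and scan it."""
    with tempfile.NamedTemporaryFile(suffix=".db", delete=False) as tmp:
        path = tmp.name
    build_sample_cache_db(path)
    return scan_cache_db(path)


if __name__ == "__main__":
    result = demo()
    print("clear-text fields:", sorted(result["keys"]))
    print("Luhn-valid PANs:", sorted(result["pans"]))
    print("where:", result["locations"])
```

Pointing `scan_cache_db` at a real Cache.db or Cache.db-wal pulled from a test device gives the same per-table report without needing a GUI SQLite browser.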


EMC Data Protection Advisor DPA Illuminator EJBInvokerServlet Remote Code Execution

2013-12-10 Thread nospam
EMC Data Protection Advisor DPA Illuminator EJBInvokerServlet Remote Code 
Execution 

tested against: Microsoft Windows Server 2008 r2 sp1
EMC Data Protection Advisor 5.8 sp5

vulnerability:
the DPA Illuminator service (DPA_Illuminator.exe) listening
on public port 8090 (tcp/http) and 8453 (tcp/https) is vulnerable.
It exposes the following servlet:

http://[host]:8090/invoker/EJBInvokerServlet
https://[host]:8453//invoker/EJBInvokerServlet

due to a bundled invoker.war
The result is remote code execution with NT AUTHORITY\SYSTEM
privileges.

proof of concept url:
http://retrogod.altervista.org/9sg_ejb.html

~rgod~


Air Gallery 1.0 Air Photo Browser - Multiple Vulnerabilities

2013-12-10 Thread Vulnerability Lab
Document Title:
===============
Air Gallery 1.0 Air Photo Browser - Multiple Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1165


Release Date:
=============
2013-12-09


Vulnerability Laboratory ID (VL-ID):
====================================
1165


Common Vulnerability Scoring System:
====================================
6.5


Product & Service Introduction:
===============================
View your entire photo library in a standard web browser! Show off your photos 
easily! Excellent for showing slides 
during a meeting, browsing through friends photos and more!

- View your photos in a browser over WiFi
- Optional password protection
- Show albums, events, faces (your photo library needs to have these albums in 
order to show it)
- One click slideshows
- Easy navigation
- Supports bonjour publishing

(Copy of the Homepage: https://itunes.apple.com/app/id499204622 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities 
in the SharkFood Air Gallery 1.0 Air Photo Browser mobile application for Apple 
iOS.


Vulnerability Disclosure Timeline:
==================================
2013-12-09: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
SharkFood
Product: Air Gallery - Air Photo Browser iOS 1.0


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
1.1
A local command/path injection web vulnerability has been discovered in the 
SharkFood Air Gallery 1.0 Air Photo Browser mobile application for Apple iOS.
A local command inject vulnerability allows attackers to inject local commands 
via vulnerable system values to compromise the Apple mobile iOS application.

The vulnerability is located in the vulnerable `devicename` value of the file 
dir and sub category `header` (header-title) section. Local attackers are 
able to inject their own malicious system specific commands or path value 
requests as the physical iOS hardware devicename. The execution of the injected 
command or path request occurs with a persistent attack vector in the index and 
sub category list of the web interface. The security risk of the local 
command/path inject vulnerability is estimated as high(-) with a cvss (common 
vulnerability scoring system) count of 6.5(+)|(-)6.6.

Exploitation of the command/path inject vulnerability requires a low privileged 
iOS device account with restricted access and no user interaction. 
Successful exploitation of the vulnerability results in unauthorized execution 
of system specific commands or unauthorized path requests.


Vulnerable Module(s):
[+] Content > header-title

Vulnerable Parameter(s):
[+] devicename

Affected Module(s):
[+] Index - File Dir Listing
[+] Sub Folder/Category - File Dir Listing



1.2
A local command/path injection web vulnerability has been discovered in the 
SharkFood Air Gallery 1.0 Air Photo Browser mobile application for Apple iOS.
A local command inject vulnerability allows attackers to inject local commands 
via vulnerable system values to compromise the Apple mobile iOS application.

The second local command/path inject vulnerability is located in the 
album name value of the web-interface index and sub category list module.
Local attackers are able to manipulate iOS device `photo app` (default) album 
names by injecting a payload into the wrongly encoded albumname input fields. 
The execution of the injected command/path request occurs in the album sub 
category list and the main album name index list. The security risk of the 
command/path inject vulnerabilities is estimated as high(-) with a cvss 
(common vulnerability scoring system) count of 6.6(+).

Exploitation of the command/path inject vulnerability requires a local low 
privileged iOS device account with restricted access and no direct user 
interaction. 
Successful exploitation of the vulnerability results in unauthorized execution 
of system specific commands or unauthorized path requests.

Vulnerable Module(s):
[+] Poster > group-header > groupinfo

Vulnerable Parameter(s):
[+] album name

Affected Module(s):
[+] Index - Item Name List
[+] Sub Category - Title List


Proof of Concept (PoC):
=======================
1.1
The local command/path inject web vulnerability can be exploited by local 
attackers with a restricted or low privileged device user account 
without user interaction. For security demonstration or to reproduce the 
vulnerability follow the provided information and steps below.


1. Install the 

LiveZilla 5.1.1.0 Stored XSS in operator clients

2013-12-10 Thread zoczus
Author: Jakub Zoczek [zoc...@gmail.com]
CVE Reference: CVE-2013-7003
Product: LiveZilla 
Vendor: LiveZilla GmbH [http://livezilla.net]
Affected version: 5.1.1.0
Severity: Medium
CVSSv2 Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Status: Fixed


0x01 Background

LiveZilla, the widely-used and trusted Live Help and Live Support System.

0x02 Description

LiveZilla in version 5.1.1.0 is prone to multiple Stored Cross-Site Scripting 
issues in the Web-based Operator Client and the LiveZilla Client. An attacker can 
put payloads in fields like full name or company, or create a crafted filename to 
exploit this vulnerability.

0x03 Proof of Concepts

Name and Surname variant: 

My name is Jakub and this is looong username <img src=a 
onerror=alert(document.cookie)>h

An operator who tries to chat with an attacker using this name will get the 
JavaScript code executed.

Screenshots:

http://postimg.org/image/orvwl36on/
http://postimg.org/image/uhh72ij6f/
http://postimg.org/image/6f0d7n2jb/
http://postimg.org/image/6hk8uh66v/
http://postimg.org/image/7z5p61axj/

Uploaded filename variant: 

If an attacker (while chatting) uploads a specially crafted file with the 
name: c<img src=a onerror=alert(document.cookie)>hh.jpg - then the operator 
gets JavaScript code execution without any interaction.

Screenshots:

http://postimg.org/image/kp9xj4ivr/
http://postimg.org/image/pqhbkhqc7/
http://postimg.org/image/7c6sgie1j/
 
0x04 Fix

The vulnerabilities were fixed in LiveZilla version 5.1.2.0.

0x05 Timeline

21.11.2013 - Vendor notified
01.12.2013 - Ping
02.12.2013 - Vendor responded with information about the planned fix 
06.12.2013 - Fixed version released
10.12.2013 - Public Disclosure


[security bulletin] HPSBUX02943 rev.1 - HP-UX Running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities

2013-12-10 Thread security-alert

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04031205

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04031205
Version: 1

HPSBUX02943 rev.1 - HP-UX Running Java6, Remote Unauthorized Access,
Disclosure of Information, and Other Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-12-04
Last Updated: 2013-12-04

Potential Security Impact: Remote unauthorized access, disclosure of
information, and other vulnerabilities

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in the Java Runtime
Environment (JRE) and the Java Developer Kit (JDK) running on HP-UX. These
vulnerabilities could allow remote unauthorized access, disclosure of
information, and other exploits.

References: CVE-2013-3829, CVE-2013-4002, CVE-2013-5772, CVE-2013-5774,
CVE-2013-5776, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783,
CVE-2013-5784, CVE-2013-5787, CVE-2013-5789, CVE-2013-5790, CVE-2013-5797,
CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5809,
CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819,
CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829,
CVE-2013-5830, CVE-2013-5831, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843,
CVE-2013-5848, CVE-2013-5849, CVE-2013-5852, SSRT101346.

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, and B.11.31 running HP JDK and JRE v6.0.20 and
earlier.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector                Base Score
CVE-2013-3829    (AV:N/AC:L/Au:N/C:P/I:P/A:N)         6.4
CVE-2013-4002    (AV:N/AC:M/Au:N/C:N/I:N/A:C)         7.1
CVE-2013-5772    (AV:N/AC:H/Au:N/C:N/I:P/A:N)         2.6
CVE-2013-5774    (AV:N/AC:L/Au:N/C:N/I:P/A:N)         5.0
CVE-2013-5776    (AV:N/AC:L/Au:N/C:N/I:P/A:N)         5.0
CVE-2013-5778    (AV:N/AC:L/Au:N/C:P/I:N/A:N)         5.0
CVE-2013-5780    (AV:N/AC:M/Au:N/C:P/I:N/A:N)         4.3
CVE-2013-5782    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5783    (AV:N/AC:L/Au:N/C:P/I:P/A:N)         6.4
CVE-2013-5784    (AV:N/AC:M/Au:N/C:N/I:P/A:N)         4.3
CVE-2013-5787    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5789    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5790    (AV:N/AC:M/Au:N/C:P/I:N/A:N)         4.3
CVE-2013-5797    (AV:N/AC:M/Au:S/C:N/I:P/A:N)         3.5
CVE-2013-5801    (AV:N/AC:L/Au:N/C:P/I:N/A:N)         5.0
CVE-2013-5802    (AV:N/AC:L/Au:N/C:P/I:P/A:P)         7.5
CVE-2013-5803    (AV:N/AC:H/Au:N/C:N/I:N/A:P)         2.6
CVE-2013-5804    (AV:N/AC:L/Au:N/C:P/I:P/A:N)         6.4
CVE-2013-5809    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5812    (AV:N/AC:L/Au:N/C:P/I:N/A:P)         6.4
CVE-2013-5814    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5817    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5818    (AV:N/AC:L/Au:N/C:N/I:P/A:N)         5.0
CVE-2013-5819    (AV:N/AC:L/Au:N/C:N/I:P/A:N)         5.0
CVE-2013-5820    (AV:N/AC:L/Au:N/C:N/I:P/A:N)         5.0
CVE-2013-5823    (AV:N/AC:L/Au:N/C:N/I:N/A:P)         5.0
CVE-2013-5824    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5825    (AV:N/AC:L/Au:N/C:N/I:N/A:P)         5.0
CVE-2013-5829    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5830    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5831    (AV:N/AC:L/Au:N/C:N/I:P/A:N)         5.0
CVE-2013-5840    (AV:N/AC:L/Au:N/C:P/I:N/A:N)         5.0
CVE-2013-5842    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5843    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5848    (AV:N/AC:L/Au:N/C:N/I:P/A:N)         5.0
CVE-2013-5849    (AV:N/AC:M/Au:N/C:P/I:N/A:N)         4.3
CVE-2013-5852    (AV:N/AC:H/Au:N/C:C/I:C/A:C)         7.6
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following Java version upgrade to resolve these
vulnerabilities.

The upgrade is available from the following location: http://www.hp.com/java

OS Version
 Release Version

HP-UX B.11.11, B.11.23, B.11.31
 JDK and JRE v6.0.21 or subsequent

MANUAL ACTIONS: Yes - Update
For Java v6.0 update to Java v6.0.21 or subsequent
PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.11
HP-UX 

[security bulletin] HPSBUX02944 rev.1 - HP-UX Running Java7, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities

2013-12-10 Thread security-alert

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04031212

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04031212
Version: 1

HPSBUX02944 rev.1 - HP-UX Running Java7, Remote Unauthorized Access,
Disclosure of Information, and Other Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-12-04
Last Updated: 2013-12-04

Potential Security Impact: Remote unauthorized access, disclosure of
information, and other vulnerabilities

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Java Runtime
Environment (JRE) and Java Developer Kit (JDK) running on HP-UX. These
vulnerabilities could allow remote unauthorized access, disclosure of
information, and other exploits.

References: CVE-2013-3829, CVE-2013-4002, CVE-2013-5772, CVE-2013-5774,
CVE-2013-5775, CVE-2013-5776, CVE-2013-5777, CVE-2013-5778, CVE-2013-5780,
CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5789,
CVE-2013-5790, CVE-2013-5797, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803,
CVE-2013-5804, CVE-2013-5805, CVE-2013-5806, CVE-2013-5809, CVE-2013-5810,
CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819,
CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829,
CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5838, CVE-2013-5840,
CVE-2013-5842, CVE-2013-5843, CVE-2013-5844, CVE-2013-5846, CVE-2013-5848,
CVE-2013-5849, CVE-2013-5850, CVE-2013-5852, CVE-2013-5854, SSRT101346.

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, and B.11.31 running HP JDK and JRE v7.0.07 and earlier.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector                Base Score
CVE-2013-3829    (AV:N/AC:L/Au:N/C:P/I:P/A:N)         6.4
CVE-2013-4002    (AV:N/AC:M/Au:N/C:N/I:N/A:C)         7.1
CVE-2013-5772    (AV:N/AC:H/Au:N/C:N/I:P/A:N)         2.6
CVE-2013-5774    (AV:N/AC:L/Au:N/C:N/I:P/A:N)         5.0
CVE-2013-5775    (AV:N/AC:L/Au:N/C:P/I:P/A:P)         7.5
CVE-2013-5776    (AV:N/AC:L/Au:N/C:N/I:P/A:N)         5.0
CVE-2013-5777    (AV:N/AC:M/Au:N/C:C/I:C/A:C)         9.3
CVE-2013-5778    (AV:N/AC:L/Au:N/C:P/I:N/A:N)         5.0
CVE-2013-5780    (AV:N/AC:M/Au:N/C:P/I:N/A:N)         4.3
CVE-2013-5782    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5783    (AV:N/AC:L/Au:N/C:P/I:P/A:N)         6.4
CVE-2013-5784    (AV:N/AC:M/Au:N/C:N/I:P/A:N)         4.3
CVE-2013-5787    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5789    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5790    (AV:N/AC:M/Au:N/C:P/I:N/A:N)         4.3
CVE-2013-5797    (AV:N/AC:M/Au:S/C:N/I:P/A:N)         3.5
CVE-2013-5801    (AV:N/AC:L/Au:N/C:P/I:N/A:N)         5.0
CVE-2013-5802    (AV:N/AC:L/Au:N/C:P/I:P/A:P)         7.5
CVE-2013-5803    (AV:N/AC:H/Au:N/C:N/I:N/A:P)         2.6
CVE-2013-5804    (AV:N/AC:L/Au:N/C:P/I:P/A:N)         6.4
CVE-2013-5805    (AV:N/AC:M/Au:N/C:C/I:C/A:C)         9.3
CVE-2013-5806    (AV:N/AC:M/Au:N/C:C/I:C/A:C)         9.3
CVE-2013-5809    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5810    (AV:N/AC:M/Au:N/C:C/I:C/A:C)         9.3
CVE-2013-5812    (AV:N/AC:L/Au:N/C:P/I:N/A:P)         6.4
CVE-2013-5814    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5817    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5818    (AV:N/AC:L/Au:N/C:N/I:P/A:N)         5.0
CVE-2013-5819    (AV:N/AC:L/Au:N/C:N/I:P/A:N)         5.0
CVE-2013-5820    (AV:N/AC:L/Au:N/C:N/I:P/A:N)         5.0
CVE-2013-5823    (AV:N/AC:L/Au:N/C:N/I:N/A:P)         5.0
CVE-2013-5824    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5825    (AV:N/AC:L/Au:N/C:N/I:N/A:P)         5.0
CVE-2013-5829    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5830    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5831    (AV:N/AC:L/Au:N/C:N/I:P/A:N)         5.0
CVE-2013-5832    (AV:N/AC:M/Au:N/C:C/I:C/A:C)         9.3
CVE-2013-5838    (AV:N/AC:M/Au:N/C:C/I:C/A:C)         9.3
CVE-2013-5840    (AV:N/AC:L/Au:N/C:P/I:N/A:N)         5.0
CVE-2013-5842    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5843    (AV:N/AC:L/Au:N/C:C/I:C/A:C)        10.0
CVE-2013-5844    (AV:N/AC:M/Au:N/C:C/I:C/A:C)         9.3
CVE-2013-5846    (AV:N/AC:M/Au:N/C:C/I:C/A:C)         9.3
CVE-2013-5848    (AV:N/AC:L/Au:N/C:N/I:P/A:N)         5.0
CVE-2013-5849    (AV:N/AC:M/Au:N/C:P/I:N/A:N)         4.3
CVE-2013-5850    (AV:N/AC:M/Au:N/C:C/I:C/A:C)         9.3
CVE-2013-5852    (AV:N/AC:H/Au:N/C:C/I:C/A:C)         7.6
CVE-2013-5854    (AV:N/AC:H/Au:N/C:P/I:N/A:N)         2.6
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following Java version upgrade to 

CORE-2013-1107 - IcoFX Buffer Overflow Vulnerability

2013-12-10 Thread CORE Advisories Team
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

IcoFX Buffer Overflow Vulnerability


1. *Advisory Information*

Title: IcoFX Buffer Overflow Vulnerability
Advisory ID: CORE-2013-1107
Advisory URL:
http://www.coresecurity.com/advisories/icofx-buffer-overflow-vulnerability
Date published: 2013-12-10
Date of last update: 2013-12-10
Vendors contacted: IcoFX Software
Release mode: User release


2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2013-4988


3. *Vulnerability Description*

IcoFX [1] is prone to a (client side) security vulnerability when
processing .ICO files. This vulnerability could be exploited by a remote
attacker to execute arbitrary code on the target machine, by enticing
the user of IcoFX to open a specially crafted icon file.


4. *Vulnerable Packages*

   . IcoFX v2.5.0.0 for Windows.
   . Other versions are probably affected too, but they were not checked.


5. *Vendor Information, Solutions and Workarounds*

There was no official answer from the vendor after several attempts to
report this vulnerability (see [Sec. 8]). As a mitigation, given
that this is a client-side vulnerability, avoid opening untrusted ICO
files. Contact the vendor for further information.


6. *Credits*

This vulnerability was discovered and researched by Marcos Accossatto
from Core Exploit Writers Team. The publication of this advisory was
coordinated by Fernando Miranda from Core Advisories Team.


7. *Technical Description / Proof of Concept Code*

Below is shown the result of opening the maliciously crafted file
'CORE-2013-1107-icofx-poc.ico'[2] on Windows XP SP3 (EN).

The vulnerable function is located at 0x80D9F8. By loading the PoC, the
loop [0x80DA74, 0x80DA93] fills the buffer and overwrites the Exception
Handler:

/-
0080DA74  8B45 E8        MOV EAX,DWORD PTR SS:[EBP-18]
0080DA77  03C0           ADD EAX,EAX
0080DA79  8D94C5 8CF9    LEA EDX,DWORD PTR SS:[EBP+EAX*8-674]
0080DA80  B9 1000        MOV ECX,10                 ; Will copy 16 bytes from file to buffer
0080DA85  8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
0080DA88  8B18           MOV EBX,DWORD PTR DS:[EAX]
0080DA8A  FF53 0C        CALL DWORD PTR DS:[EBX+C]
0080DA8D  FF45 E8        INC DWORD PTR SS:[EBP-18]  ; Index, will be overwritten with our value in the penultimate loop turn
0080DA90  FF4D DC        DEC DWORD PTR SS:[EBP-24]  ; Counter, will be overwritten with our value in the penultimate loop turn
0080DA93  75 DF          JNZ SHORT 0080DA74
0080DA95  0FBF45 F0      MOVSX EAX,WORD PTR SS:[EBP-10]
-/

At the 'MOVSX' of 0x80DA95, the CPU registers are as follows:


/-
EAX 0010
ECX 7C80189C kernel32.7C80189C
EDX 0010
EBX 004617F4 IcoFX2.004617F4
ESP 0012F380
EBP 0012FA08
ESI 005B2CBC IcoFX2.005B2CBC
EDI 02555C80
EIP 0080DA95 IcoFX2.0080DA95
C 1  ES 0023 32bit 0()
P 1  CS 001B 32bit 0()
A 0  SS 0023 32bit 0()
Z 1  DS 0023 32bit 0()
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS  NULL
D 0
O 0  LastErr ERROR_SUCCESS ()
EFL 00200247 (NO,B,E,BE,NS,PE,GE,LE)
ST0 empty -???  00F300F3 00F300F3
ST1 empty -???  00FE00FE 00FE00FE
ST2 empty -???  0009 00220065
ST3 empty -???  000A 00240069
ST4 empty 1.2948274137727088000e+16
ST5 empty 2.5896178900861029000e+16
ST6 empty 3.2651492439228483000e+16
ST7 empty 3.1244147623526446000e+16
   3 2 1 0  E S P U O Z D I
FST   Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 1272  Prec NEAR,53  Mask1 1 0 0 1 0
-/

And the stack Exception Handler is overwritten (shellcode starts in
0x12F3A4):


/-
0012F380   0012FA10  Pointer to next SEH record
0012F384   42424242  SE handler
0012F388   41414141
0012F38C   41414141
0012F390   41414141
0012F394   000502A8
0012F398   7E4188A6  USER32.GetWindowLongW
0012F39C   
0012F3A0   0012F3D8  ASCII AAA...
0012F3A4   41414141
-/

As a result, the normal execution flow can be altered in order to
execute arbitrary code.


8. *Report Timeline*

. 2013-11-11:
Core Security Technologies attempts to contact the IcoFX team; no reply
received. Publication date is set for Dec 3rd, 2013.

. 2013-11-14:
Core attempts to contact vendor.

. 2013-11-26:
Core attempts to contact vendor.

. 2013-12-03:
Core attempts to contact vendor.

. 2013-12-03:
First release date missed.

. 2013-12-10:
Advisory CORE-2013-1107 published.


9. *References*

[1]  http://icofx.ro/.
[2]
http://www.coresecurity.com/system/files/attachments/2013/12/CORE-2013-1107-icofx-poc.zip


10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system 
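Added example (not Core's PoC and not IcoFX code): a bounds-checked parser for the ICO directory. The ICONDIR header is 6 bytes and each ICONDIRENTRY is 16 bytes, which matches the 16-byte copy per iteration in the loop shown in the advisory; this parser validates the declared entry count against a fixed capacity and against the bytes actually present before copying anything, then checks that every image range lies inside the file. MAX_ENTRIES is an assumed stand-in for a native parser's fixed buffer size, and build_ico constructs test files.

```python
"""Bounds-checked ICO directory parser (added example, not the vendor's code)."""
import struct
from typing import List, Tuple

ICONDIR = struct.Struct("<HHH")            # reserved, image type, entry count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colors, reserved, planes, bpp, size, offset
MAX_ENTRIES = 64                           # assumed capacity of the caller's buffer


class IcoFormatError(ValueError):
    """Raised for any structurally unsafe ICO directory."""


def parse_ico_directory(data: bytes) -> List[Tuple[int, int, int, int]]:
    """Return (width, height, size, offset) per entry or raise IcoFormatError."""
    if len(data) < ICONDIR.size:
        raise IcoFormatError("truncated ICONDIR header")
    reserved, img_type, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or img_type not in (1, 2):    # 1 = icon, 2 = cursor
        raise IcoFormatError("bad ICONDIR magic")
    # Trusting `count` and copying entries into a fixed-size stack buffer is what
    # lets a crafted file overrun the buffer (and, as in the advisory, its own
    # loop counter). Reject an oversized or unbacked count before the first copy.
    if count == 0 or count > MAX_ENTRIES:
        raise IcoFormatError(f"entry count {count} outside 1..{MAX_ENTRIES}")
    dir_end = ICONDIR.size + count * ICONDIRENTRY.size
    if dir_end > len(data):
        raise IcoFormatError("directory runs past end of file")
    entries = []
    for i in range(count):
        w, h, _colors, _rsv, _planes, _bpp, size, offset = ICONDIRENTRY.unpack_from(
            data, ICONDIR.size + i * ICONDIRENTRY.size)
        # Each image must start after the directory and end inside the file.
        if offset < dir_end or size == 0 or offset + size > len(data):
            raise IcoFormatError(f"entry {i}: image range out of bounds")
        entries.append((w or 256, h or 256, size, offset))   # 0 encodes 256 px
    return entries


def check_ico(data: bytes) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        parse_ico_directory(data)
        return "ok"
    except IcoFormatError as exc:
        return str(exc)


def build_ico(count_field: int, real_entries: int) -> bytes:
    """Constructed test file: `real_entries` 1x1 images, header claims `count_field`."""
    dir_end = ICONDIR.size + real_entries * ICONDIRENTRY.size
    payload = b"\x00" * 40                # placeholder image bytes, not a real bitmap
    directory = b"".join(
        ICONDIRENTRY.pack(1, 1, 0, 0, 1, 32, len(payload), dir_end + i * len(payload))
        for i in range(real_entries))
    return ICONDIR.pack(0, 1, count_field) + directory + payload * real_entries


if __name__ == "__main__":
    print("well-formed:  ", check_ico(build_ico(2, 2)))
    print("count 65535:  ", check_ico(build_ico(0xFFFF, 2)))
    print("count 3 of 2: ", check_ico(build_ico(3, 2)))
```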

[security bulletin] HPSBPI02945 rev.1 - HP Officejet Pro 8500 (A909) All-in-One Printer, Cross-Site Scripting (XSS)

2013-12-10 Thread security-alert

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04035829

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04035829
Version: 1

HPSBPI02945 rev.1 - HP Officejet Pro 8500 (A909) All-in-One Printer,
Cross-Site Scripting (XSS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-12-10
Last Updated: 2013-12-10

Potential Security Impact: Cross-site scripting (XSS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Officejet Pro
8500 (A909) All-in-One Printer. The vulnerability could be exploited to allow
cross-site scripting (XSS).

References: CVE-2013-4845, SSRT101164

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Product Name
 Model Number

HP Officejet Pro 8500 (A909) All-in-One Printer
 CB022A, CB023A, CB025A, CB793A, CB794A, CB862A, CB874A, CN539A

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector                Base Score
CVE-2013-4845    (AV:N/AC:H/Au:N/C:N/I:P/A:N)         2.6
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks David Stroud of Perspective Risk for
reporting CVE-2013-4845 to security-al...@hp.com

RESOLUTION

HP has provided updated HP Officejet Pro 8500 (A909) All-in-One Printer
firmware version DLM1FN1344AR to resolve this issue. To obtain the updated
firmware, go to www.hp.com/go/support

Select Drivers & Downloads
Enter the product name or model number listed in the table above into the
search field
Select on Go
If the search returns a list of products click on the appropriate product
Choose an operating system under Select operating system
Select the firmware under Firmware

HISTORY
Version:1 (rev.1) - 10 December 2013 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided as is
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.



Android Fragment Injection vulnerability

2013-12-10 Thread Roee Hay
Hi,

We have recently disclosed a new vulnerability to the Android Security
Team. The vulnerability affected many apps, including Settings (the
one that is found on every Android device), Gmail, Google Now, Dropbox
and Evernote. To be more accurate, any App which extended the
PreferenceActivity class using an exported activity was automatically
vulnerable. A patch has been provided in Android KitKat. If you
wondered why your code is now broken, it is due to the Android KitKat
patch which requires applications to override the new method,
PreferenceActivity.isValidFragment, which has been added to the
Android Framework.

Important links:
1. Blog post: http://ibm.co/1bAA8kF
2. Whitepaper: http://ibm.co/IDm2Es

Roee Hay
IBM Application Security Team Lead