Re: Medium severity flaw in BlackBerry QNX Neutrino RTOS

2014-03-13 Thread Tim Brown
Might have been helpful to attach the advisory.

Tim
--
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/

NDSA20140311.txt.asc
Description: PGP signature


signature.asc
Description: This is a digitally signed message part.


Medium severity flaw in BlackBerry QNX Neutrino RTOS

2014-03-12 Thread Tim Brown
Summary

This advisory concerns the forced disclosure of 2 vulnerabilities that were
previously disclosed to BlackBerry.  Disclosure has been forced since these
vulnerabilities have been publicly disclosed (with PoC) on the exploit-db
web site.

Two local privilege escalation vulnerabilities have been identified that would
ultimately result in malicious code being executed in a trusted context. The 
first allows direct code execution (http://www.exploit-db.com/exploits/32153/)
whilst the second allows for the root password to be disclosed
(http://www.exploit-db.com/exploits/32156/).

It should be noted that Nth Dimension do not believe that the bug collisions
are due to a leak within BlackBerry but rather that these are simply
instances of multiple researchers identifying the same vulnerable code paths.

Current

As of the 11th March 2014, both the privilege escalation attacks have been 
disclosed by a 3rd party.  In light of this and in the absence of any timely 
response from BlackBerry, Nth Dimension have opted to make full details 
public.
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/



Re: [Full-disclosure] CVE-2013-1643 - Unauthorised Access To Other Users Email Messages in Symantec PGP Universal Web Messenger

2014-02-18 Thread Tim Brown
VDBs, please note that the referenced CVE ID is wrong. CVE-2014-1643 was 
actually assigned to this issue by Symantec.

Tim
-- 
Tim Brown
mailto:t...@65535.com




[OVSA20131108] OpenVAS Manager And OpenVAS Administrator Vulnerable To Partial Authentication Bypass

2013-11-17 Thread Tim Brown
Summary

It has been identified that OpenVAS Manager and OpenVAS Administrator are
vulnerable to authentication bypass due to an incorrect state assignment when
processing OMP and OAP requests.  It has been identified that this
vulnerability may allow unauthorised access to OpenVAS Manager and OpenVAS
Administrator on vulnerable systems.  CVE-2013-6765 has been assigned to this
vulnerability in Manager and CVE-2013-6766 to the same vulnerability in
Administrator.

It should be noted that not all of the newly available commands are functional
and that exploitation typically requires SSH access to the host on which the 
services are installed.

Current Status

As of the 8th November, the state of the vulnerabilities is believed
to be as follows.  Patches have been supplied by Greenbone Networks which
successfully resolve this vulnerability.  New releases of both OpenVAS
Manager and OpenVAS Administrator have also been created which incorporate
these patches.

Thanks

OpenVAS would like to thank Antonio Sanchez Arago for his help in reporting
the vulnerability and apologise to all concerned for the substantial delay
in triaging his report.
-- 
Tim Brown
mailto:t...@openvas.org
http://www.openvas.org
OpenVAS Security Advisory (OVSA20131108)
Date: 8th November 2013
Product: OpenVAS Manager < 3.0.7 and < 4.0.4 and OpenVAS Administrator < 1.2.2
and < 1.3.2
Vendor: OpenVAS http://www.openvas.org/
Risk: Low

Summary

It has been identified that OpenVAS Manager and OpenVAS Administrator are
vulnerable to authentication bypass due to an incorrect state assignment when
processing OMP and OAP requests.  It has been identified that this
vulnerability may allow unauthorised access to OpenVAS Manager and OpenVAS
Administrator on vulnerable systems.  CVE-2013-6765 has been assigned to this
vulnerability in Manager and CVE-2013-6766 to the same vulnerability in
Administrator.

Current Status

As of the 8th November, the state of the vulnerabilities is believed
to be as follows.  Patches have been supplied by Greenbone Networks which
successfully resolve this vulnerability.  New releases of both OpenVAS
Manager and OpenVAS Administrator have also been created which incorporate
these patches.

Technical Details

It has been identified that OpenVAS Manager and OpenVAS Administrator are
vulnerable to authentication bypass due to an invalid state assignment when
processing OMP and OAP requests.

Upon processing an OMP and OAP request to retrieve the version information
from OpenVAS Administrator and OpenVAS Manager, the state is incorrectly set
to CLIENT_AUTHENTIC, allowing additional OMP and OAP commands to be called.  
This can be seen in the omp_xml_handle_end_element() function from omp.c (for
OpenVAS Manager):

/* omp.c, omp_xml_handle_end_element(): closing </get_version> */
if (client_state)
  set_client_state (CLIENT_AUTHENTIC);
else
  set_client_state (CLIENT_TOP);
break;

In this instance, the first condition will always hold.  Rather, the check
should be whether client_state is currently set to CLIENT_GET_VERSION_AUTHENTIC.
  
It should be noted that not all of the newly available commands are functional, 
since they often rely upon additional session state information being present
which will not be the case where the authentication has been bypassed.

Furthermore, the vulnerable code path is typically only accessible to users
who have logged into a host running OpenVAS Manager or OpenVAS Administrator
via SSH as the affected services are typically only bound to localhost.

Fix

OpenVAS recommends that the publicly available patches are applied.  If
building from source, then patches r18285 (for OpenVAS Administrator 1.2.x) or
r18281 (for Administrator 1.3.x) and r18276 (for OpenVAS Manager 3.0.x) or
r18271 (for Manager 4.0.x) should be obtained from the OpenVAS SVN repository.

A fresh tarball containing the latest stable release of Administrator
can be obtained from:

* 
http://wald.intevation.org/frs/download.php/1442/openvas-administrator-1.3.2.tar.gz

A fresh tarball containing the latest stable release of Manager
can be obtained from:

* http://wald.intevation.org/frs/download.php/1434/openvas-manager-4.0.4.tar.gz

In the event that OpenVAS has been supplied as part of a distribution then
the vendor or organisation concerned should be contacted for a patch.  Known
major distributors of OpenVAS precompiled packages have already been notified.

History

On the 3rd August 2013, Antonio Sanchez Arago initially attempted to contact the
OpenVAS security team to report the issue in OpenVAS Manager however it was
missed as many of the team were on annual leave.

Unfortunately, it was not picked up until Antonio attempted to contact us again
in late October.  On this occasion, it was picked up and the team were able
to reproduce the vulnerability.

On the 7th November, we contacted Antonio to confirm that the team had
successfully reproduced the issue and Greenbone Networks to notify them of the
vulnerability and request assistance in coordinating the disclosure.  Major
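The state-assignment bug described in the Technical Details above, as an added example that is not OpenVAS code. It is a reduced model of the client state machine around omp_xml_handle_end_element(): the four state names follow the advisory, the XML parsing around them is assumed away, and the vulnerable and fixed end-element handlers are placed side by side so the bypass sequence (connect, send get_version, send a privileged command) can be replayed against each.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not OpenVAS code: a reduced model of the client state
 * machine behind omp_xml_handle_end_element().  The state names mirror
 * the advisory; the XML parsing around them is assumed away. */
typedef enum {
    CLIENT_TOP = 0,               /* connected but not authenticated */
    CLIENT_AUTHENTIC,             /* authenticated; all OMP commands allowed */
    CLIENT_GET_VERSION,           /* inside <get_version> before authentication */
    CLIENT_GET_VERSION_AUTHENTIC  /* inside <get_version> after authentication */
} client_state_t;

/* Entering <get_version>: remember whether the client was authenticated. */
client_state_t start_get_version(client_state_t current)
{
    return current == CLIENT_AUTHENTIC ? CLIENT_GET_VERSION_AUTHENTIC
                                       : CLIENT_GET_VERSION;
}

/* Vulnerable end-element handling, as quoted in the advisory: any non-zero
 * state, including CLIENT_GET_VERSION, is treated as "was authenticated". */
client_state_t end_get_version_vulnerable(client_state_t current)
{
    if (current)
        return CLIENT_AUTHENTIC;
    return CLIENT_TOP;
}

/* Fixed handling: only a client that entered <get_version> while already
 * authenticated returns to CLIENT_AUTHENTIC. */
client_state_t end_get_version_fixed(client_state_t current)
{
    if (current == CLIENT_GET_VERSION_AUTHENTIC)
        return CLIENT_AUTHENTIC;
    return CLIENT_TOP;
}

/* Gate that a privileged command such as <get_tasks/> sits behind. */
bool command_allowed(client_state_t state)
{
    return state == CLIENT_AUTHENTIC;
}

/* Replay the bypass: connect unauthenticated, send <get_version/>, then
 * try a privileged command.  Returns true if the command would run. */
bool bypass_possible(client_state_t (*end_handler)(client_state_t))
{
    client_state_t s = CLIENT_TOP;
    s = start_get_version(s);
    s = end_handler(s);
    return command_allowed(s);
}

int main(void)
{
    printf("vulnerable handler: bypass %s\n",
           bypass_possible(end_get_version_vulnerable) ? "possible" : "blocked");
    printf("fixed handler:      bypass %s\n",
           bypass_possible(end_get_version_fixed) ? "possible" : "blocked");
    return 0;
}
```

The point the model makes is that a truthiness test on an enum is a test for "not the first value", which is rarely the predicate intended; the fix compares against the one state that legitimately carries authentication across the get_version round trip.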

Low severity flaw in RIM BlackBerry PlayBook OS browser

2012-12-03 Thread Tim Brown
Summary

The web browser which comes as part of the RIM BlackBerry PlayBook OS can be 
tricked into disclosing the contents of local files through the
planting of a malicious HTML file through the standard download mechanism.  
It should be noted that in order to exploit this issue, user interaction
is required as the user will need to confirm the download of the malicious
HTML file.

After discussions with the vendor, CVE-2012-5828 was assigned to this
vulnerability.

Current

As of 1st November 2012, the state of the vulnerability is believed to
be as follows.  RIM have begun shipping a patch which it is believed
successfully resolves the reported issue.

Thanks

Nth Dimension would like to thank all the security folk at RIM, in
particular the BlackBerry Incident Response team for the way they worked
to resolve the issue.
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/

Nth Dimension Security Advisory (NDSA20121030)
Date: 30th October 2012
Author: Tim Brown mailto:t...@nth-dimension.org.uk
URL: http://www.nth-dimension.org.uk/ / http://www.machine.org.uk/
Product: RIM BlackBerry PlayBook OS 1.0.8.6067 
http://www.rim.com/products/blackberry_tablets.shtml
Vendor: RIM http://www.rim.com/
Risk: Low

Summary

The web browser which comes as part of the RIM BlackBerry PlayBook OS
can be tricked into disclosing the contents of local files through the
planting of a malicious HTML file through the standard download mechanism.  
It should be noted that in order to exploit this issue, user interaction
is required as the user will need to confirm the download of the malicious
HTML file.

After discussions with the vendor, CVE-2012-5828 was assigned to this
vulnerability.

Solutions

Nth Dimension recommends that the vendor supplied patches should be applied.

Technical Details

It was identified that the PlayBook web browser could be forced to download
rather than render HTML files and that whilst the browser does prompt the
user to confirm the location of the download, this download process defaults
to an attacker chosen location.

Furthermore, once downloaded, it is possible to use the Location header to
load the file from the attacker's chosen location using the file:// URL
handler in such a manner that the downloaded HTML then has trusted access to
the PlayBook filing system.

It is possible to craft a HTML download which when opened will lead to arbitrary
JavaScript being executed in the local context.  The file:// URL handler is
trusted to execute across domains.

History

On 12th February 2012, Nth Dimension supplied a PoC exploit for this issue
to representatives of RIM.  BBSIRT responded on the 20th to confirm that they
had received the report and were investigating.

RIM further notified Nth Dimension to confirm that all reported vulnerabilities
were handled based on CVSS and that only critical vulnerabilities were deemed
candidates for out-of-band patching.  Less critical issues would however be
addressed in future product updates.

Nth Dimension responded on 7th March 2012 to confirm that they agreed with
this approach and that in their opinion the issue was not critical and did
not warrant an expedited response.  Nth Dimension asked to be kept in the
loop regarding the release of a patch for this issue in due course.

On 19th September 2012, Nth Dimension asked for an update, in particular to
establish whether a CVE had been assigned by RIM for this issue.

On 1st November 2012, RIM responded to say that the changes for the issues
are in the latest 2.1 builds for PlayBook.  The build is currently available
for WiFi only PlayBooks and we're working with our carrier partners for testing
and availability for build for the in-market cellular-enabled PlayBooks.

On 6th November 2012, RIM confirmed that CVE-2012-5828 had been assigned.  They
also confirmed they believed testing of cellular PlayBooks would be completed
by the end of the month.

Nth Dimension responded, proposing 1st December 2012 as the embargo date.

Current

As of 1st November 2012, the state of the vulnerability is believed to
be as follows.  RIM have begun shipping a patch which it is believed
successfully resolves the reported issue.

Thanks

Nth Dimension would like to thank all the security folk at RIM, in
particular the BlackBerry Incident Response team for the way they worked
to resolve the issue.

[OVSA20121112] OpenVAS Manager Vulnerable To Command Injection

2012-11-13 Thread Tim Brown
Summary

It has been identified that OpenVAS Manager is vulnerable to command
injection due to insufficient validation of user supplied data when
processing OMP requests.  It has been identified that this vulnerability
may allow arbitrary code to be executed with the privileges of the
OpenVAS Manager on vulnerable systems.  CVE-2012-5520 has been assigned
to this vulnerability.

Current Status

As of the 20th January 2011, the state of the vulnerabilities is believed
to be as follows.  A patch has been supplied by Greenbone Networks which
successfully resolves this vulnerability.  New releases of both 3.0.x
and 4.0.x have also been created which incorporate this patch.

Thanks

OpenVAS would like to thank Andre Heinecke of Greenbone Networks for
his help in reporting the vulnerability.
-- 
Tim Brown
mailto:timb@openvas.org
http://www.openvas.org/
OpenVAS Security Advisory (OVSA20121112)
Date: 12th November 2012
Product: OpenVAS Manager < 3.0.4 and < 4.0+beta4
Vendor: OpenVAS http://www.openvas.org/
Risk: Medium

Summary

It has been identified that OpenVAS Manager is vulnerable to command
injection due to insufficient validation of user supplied data when
processing OMP requests.  It has been identified that this vulnerability
may allow arbitrary code to be executed with the privileges of the
OpenVAS Manager on vulnerable systems.  CVE-2012-5520 has been assigned
to this vulnerability.

Current Status

As of the 20th January 2011, the state of the vulnerabilities is believed
to be as follows.  A patch has been supplied by Greenbone Networks which
successfully resolves this vulnerability.  New releases of both 3.0.x
and 4.0.x have also been created which incorporate this patch.

Technical Details

It has been identified that OpenVAS Manager is vulnerable to command
injection due to insufficient validation of user supplied data when
sending reports to a Sourcefire Defense Center.

The processing of requests containing malicious values for the ip address
or port causes the command below to be executed with the privileges of
the OpenVAS Manager (typically root) using the send_to_sourcefire()
function from manage_sql.c:

/* manage_sql.c, send_to_sourcefire(): ip and port come from the OMP request */
command = g_strdup_printf ("/bin/sh %s %s %s %s %s > /dev/null 2> /dev/null",
                           script,
                           ip,
                           port,
                           pkcs12_file,
                           report_file);

...
if (ret = system (command)...

As you can see, an attacker can influence both the ip address and port
within the concatenated string.

The vulnerable code path is only accessible to authenticated users of
OpenVAS Manager.

Fix

OpenVAS recommends that the publicly available patches are applied.  If
building from source, then either patch r14404, r14405 and r14421 (trunk)
or r14437 (3.0.x) should be obtained from the OpenVAS SVN repository.
A fresh tarball containing the latest stable release can be obtained from:

* http://wald.intevation.org/frs/download.php/1212/openvas-manager-3.0.4.tar.gz

In the event that OpenVAS has been supplied as part of a distribution
then the vendor or organisation concerned should be contacted for a
patch.

History

On the 7th November 2012, Greenbone Networks contacted the OpenVAS security team
to notify them of the vulnerability and request assistance in
coordinating the disclosure.

OpenVAS Manager 3.0.4 was released on the 7th.

The OpenVAS security team and Greenbone Networks opened a dialogue in order
to draft this advisory and on the 12th November, CVE-2012-5520 was assigned for
this vulnerability.

Thanks

OpenVAS would like to thank Andre Heinecke of Greenbone Networks for
his help in reporting the vulnerability.




Re: [OVSA20121112] OpenVAS Manager Vulnerable To Command Injection

2012-11-13 Thread Tim Brown
Doh, a document gets proof read by multiple people and yet it contains a 
mistake.  In the Current Status section of the advisory, the date is 
incorrect.  A corrected advisory is attached.

Tim
-- 
Tim Brown
mailto:timb@openvas.org
http://www.openvas.org/
OpenVAS Security Advisory (OVSA20121112)
Date: 12th November 2012
Product: OpenVAS Manager < 3.0.4 and < 4.0+beta4
Vendor: OpenVAS http://www.openvas.org/
Risk: Medium

Summary

It has been identified that OpenVAS Manager is vulnerable to command
injection due to insufficient validation of user supplied data when
processing OMP requests.  It has been identified that this vulnerability
may allow arbitrary code to be executed with the privileges of the
OpenVAS Manager on vulnerable systems.  CVE-2012-5520 has been assigned
to this vulnerability.

Current Status

As of the 12th November, the state of the vulnerabilities is believed
to be as follows.  A patch has been supplied by Greenbone Networks which
successfully resolves this vulnerability.  New releases of both 3.0.x
and 4.0.x have also been created which incorporate this patch.

Technical Details

It has been identified that OpenVAS Manager is vulnerable to command
injection due to insufficient validation of user supplied data when
sending reports to a Sourcefire Defense Center.

The processing of requests containing malicious values for the ip address
or port causes the command below to be executed with the privileges of
the OpenVAS Manager (typically root) using the send_to_sourcefire()
function from manage_sql.c:

/* manage_sql.c, send_to_sourcefire(): ip and port come from the OMP request */
command = g_strdup_printf ("/bin/sh %s %s %s %s %s > /dev/null 2> /dev/null",
                           script,
                           ip,
                           port,
                           pkcs12_file,
                           report_file);

...
if (ret = system (command)...

As you can see, an attacker can influence both the ip address and port
within the concatenated string.

The vulnerable code path is only accessible to authenticated users of
OpenVAS Manager.

Fix

OpenVAS recommends that the publicly available patches are applied.  If
building from source, then either patch r14404, r14405 and r14421 (trunk)
or r14437 (3.0.x) should be obtained from the OpenVAS SVN repository.
A fresh tarball containing the latest stable release can be obtained from:

* http://wald.intevation.org/frs/download.php/1212/openvas-manager-3.0.4.tar.gz

In the event that OpenVAS has been supplied as part of a distribution
then the vendor or organisation concerned should be contacted for a
patch.

History

On the 7th November 2012, Greenbone Networks contacted the OpenVAS security team
to notify them of the vulnerability and request assistance in
coordinating the disclosure.

OpenVAS Manager 3.0.4 was released on the 7th.

The OpenVAS security team and Greenbone Networks opened a dialogue in order
to draft this advisory and on the 12th November, CVE-2012-5520 was assigned for
this vulnerability.

Thanks

OpenVAS would like to thank Andre Heinecke of Greenbone Networks for
his help in reporting the vulnerability.




Re: [Full-disclosure] Breaking the links: Exploiting the linker

2011-10-17 Thread Tim Brown
CVEs have now been assigned to the two previously reported bugs as follows:

 1)  http://www.nth-dimension.org.uk/downloads.php?id=83 - Privesc attack
 using DB2 from normal user to root, the PoC is for Linux but based on
 testing the AIX version looks iffy too although I couldn't get gcc to
 generate a valid library to exploit it.

CVE-2011-4061.  FWIW I now have a version of the exploit for this working on 
AIX, based on a copy of kbbacf1 from IBM Tivoli Monitoring 6.1.0.6.  It 
therefore appears that the vulnerable version of kbbacf1 isn't just shipped 
with DB2.

 2) http://www.nth-dimension.org.uk/downloads.php?id=80 - Generic attack on
 the QNX runtime linker which abuses an arbitrary file overwrite and race
 condition to get root.

CVE-2011-4060.

Cheers,
Tim
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/




Medium severity flaw with Ark

2011-10-07 Thread Tim Brown
I recently discovered that the Ark archiving tool is vulnerable to directory 
traversal via malformed Zip files.  When attempts are made to view files within
the malformed Zip file in Ark's default view, the wrong file may be displayed
due to incorrect construction of the temporary file name.  Whilst this does not
allow the wrong file to be overwritten, after closing the default view, Ark
will then attempt to delete the temporary file which could result in the
deletion of the incorrect file.

After discussions with the vendor, CVE-2011-2725 was assigned to this 
vulnerability.

Tim
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/


NDSA20110726.txt.asc
Description: PGP signature




Low severity flaw in various applications including KSSL, Rekonq, Arora, Psi IM

2011-10-07 Thread Tim Brown
I recently discovered that various Qt applications including KSSL (the KDE 
class library responsible for SSL negotiation), Rekonq, Arora and Psi IM are 
vulnerable to UI spoofing due to their use of QLabel objects to render 
externally controlled security critical information.  The primary area of 
concern at this time relates to the named applications' SSL certificate
dialogue UI however other similar dialogue boxes may also be vulnerable.

After discussions with Nokia, KDE and the Rekonq developers the following
CVEs have been assigned to this issue:

* KSSL - CVE-2011-3365
* Rekonq - CVE-2011-3366
* Arora - CVE-2011-3367

Note that no CVE has yet been assigned to Psi IM.  Nokia have also
updated the QLabel class section of the Qt documentation to provide
updated security information regarding this issue.
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/


NDSA20111003.txt.asc
Description: PGP signature




Breaking the links: Exploiting the linker

2011-06-30 Thread Tim Brown
I've recently been working on a paper on Linux and POSIX linkers, the most 
recent release of which can be found at:

* http://www.nth-dimension.org.uk/downloads.php?id=77

I'm particularly interested in feedback on references or threats that I may 
have missed.  As per the abstract, the aim of the paper wasn't to claim 
everything as my own but rather to document as much as possible about common 
flaws and how to identify them.

Whilst working on the paper I came across a number of interesting bugs (some 
exploitable, others sadly not).  The paper itself touches on the circumstances 
around CVE-2011-1126 but two other bugs also mentioned in the paper (one of 
which I released the advisory NDSA20110310 for) are potentially more useful so 
I've written PoC to exploit them:

1)  http://www.nth-dimension.org.uk/downloads.php?id=83 - Privesc attack using 
DB2 from normal user to root, the PoC is for Linux but based on testing the 
AIX version looks iffy too although I couldn't get gcc to generate a valid 
library to exploit it.
2) http://www.nth-dimension.org.uk/downloads.php?id=80 - Generic attack on the 
QNX runtime linker which abuses an arbitrary file overwrite and race condition 
to get root.

The paper is still a work in progress but both DB2 and QNX are available for 
download if you want to take them for a spin.  Anyway, enjoy!

Tim
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/




Medium severity flaw in Konqueror

2011-04-12 Thread Tim Brown
I was recently taking a look at Konqueror and spotted an example of universal 
XSS.  Essentially, the error page displayed when a requested URL is not 
available includes said URL.  If said URL includes HTML fragments these will 
be rendered.  CVE-2010-2952 has been assigned to this issue.

Tim
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/


NDSA20110321.txt.asc
Description: PGP signature




Re: [Full-disclosure] Medium severity flaw in Konqueror

2011-04-12 Thread Tim Brown
On Tuesday 12 April 2011 03:36:24 Vincent Danen wrote:
 * [2011-04-11 22:07:24 +0100] Tim Brown wrote:
 I was recently taking a look at Konqueror and spotted an example of
 universal XSS.  Essentially, the error page displayed when a requested
 URL is not available includes said URL.  If said URL includes HTML
 fragments these will be rendered.  CVE-2010-2952 has been assigned to
 this issue.
 
 Actually, CVE-2011-1168 was assigned to this issue as noted in the
 upstream advisory:
 
 http://www.kde.org/info/security/advisory-20110411-1.txt

Hi Vincent,

You're quite right, not sure how the wrong CVE ended up in the email.  That's 
a different CVE for another of my advisories :/.

Tim
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/




Medium severity flaw in QNX Neutrino RTOS

2011-03-11 Thread Tim Brown
I was recently taking a look at the state of play regarding the security of 
POSIX runtime linkers and was pointed at the QNX Neutrino RTOS to take a look.  
In doing so I noticed a problem relating to the way that it handles 
LD_DEBUG_OUTPUT which allows for the creation or overwriting of an arbitrary 
file.  Moreover the technique by which this can be achieved can be triggered 
even where the binary being executed is setUID and is running as another user.

Tim
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/


NDSA20110310.txt.asc
Description: PGP signature




[OVSA20110118] OpenVAS Manager Vulnerable To Command Injection

2011-01-25 Thread Tim Brown
Summary

It has been identified that OpenVAS Manager is vulnerable to command injection 
due to insufficient validation of user supplied data when processing OMP 
requests. It has been identified that this vulnerability allows privilege 
escalation within the OpenVAS Manager but more complex injection may allow 
arbitrary code to be executed with the privileges of the OpenVAS Manager on 
vulnerable systems. CVE-2011-0018 has been assigned to this vulnerability.

The vulnerable code path is only accessible to authenticated users of OpenVAS 
Manager however it may also be triggered either directly or by using a cross-
site request forgery based attack via the Greenbone Security Assistant web 
application.

Current Status

As of the 20th January 2011, the state of the vulnerabilities is believed to 
be as follows. A patch has been supplied by Greenbone Networks which 
successfully resolves this vulnerability. New releases of both 1.0.x and 2.0.x 
have also been created which incorporate this patch. Note that the cross-site 
request forgery elements of this vulnerability have not yet been addressed in 
the Greenbone Security Assistant web application.

Thanks

OpenVAS would like to thank Ronald Kingma and Alexander van Eee of ISSX for 
their help in reporting the vulnerability.
-- 
Tim Brown
mailto:t...@openvas.org
http://www.openvas.org/
OpenVAS Security Advisory (OVSA20110118)
Date: 18th January 2011
Product: OpenVAS Manager <= 1.0.3 and 2.0rc2
Vendor: OpenVAS http://www.openvas.org/
Risk: Medium

Summary

It has been identified that OpenVAS Manager is vulnerable to command
injection due to insufficient validation of user supplied data when
processing OMP requests.  It has been identified that this vulnerability
allows privilege escalation within the OpenVAS Manager but more complex
injection may allow arbitrary code to be executed with the privileges of
the OpenVAS Manager on vulnerable systems.  CVE-2011-0018 has been assigned
to this vulnerability.

The vulnerable code path is only accessible to authenticated users of
OpenVAS Manager however it may also be triggered either directly or 
by using a cross-site request forgery based attack via the Greenbone
Security Assistant web application.

Current Status

As of the 20th January 2011, the state of the vulnerabilities is believed
to be as follows.  A patch has been supplied by Greenbone Networks which
successfully resolves this vulnerability.  New releases of both 1.0.x
and 2.0.x have also been created which incorporate this patch. Note that
the cross-site request forgery elements of this vulnerability have not
yet been addressed in the Greenbone Security Assistant web application.

Technical Details

It has been identified that OpenVAS Manager is vulnerable to command
injection due to insufficient validation of user supplied data when
processing OMP requests.  It has been identified that this vulnerability
allows an authenticated user of the Greenbone Security Assistant web
application (which communicates with OpenVAS Manager using OMP) to
escalate their privileges with just a few clicks although more complex
attacks may also be possible.

Escalation of privileges can be achieved accessing the Greenbone Security
Assistant, creating an escalator with a modified POST request as follows:

Content-Disposition: form-data; name="method_data:to_address"

none@none>/var/lib/openvas/users/alexander/isadmin

The processing of this request causes GSA to make a request to OpenVAS Manager
which causes the command below to be executed with the privileges of the
OpenVAS Manager (typically root) using the email() function from manage_sql.c:

/* manage_sql.c, email(): to_address and from_address come from the OMP request */
command = g_strdup_printf ("echo \""
                           "To: %s\n"
                           "From: %s\n"
                           "Subject: %s\n"
                           "\n"
                           "%s\""
                           " | /usr/sbin/sendmail %s"
                           " > /dev/null 2>&1",
                           to_address,
                           from_address ? from_address : "automa...@openvas.org",
                           subject,
                           body,
                           to_address);
...
if (ret = system (command)...

As you can see, an attacker can influence both the to and from addresses
within the concatenated string.  The OpenVAS Manager uses the presence
of the file isadmin to determine the privileges associated with the
account.

The vulnerable code path is only accessible to authenticated users of
OpenVAS Manager however it may also be triggered either directly or 
by using a cross-site request forgery based attack via the Greenbone
Security Assistant web application.

Fix

OpenVAS recommends that the publicly available patches are applied.  If
building from source, then either patch r9974 (trunk) or r9976 (1.0.x)
should be obtained from the OpenVAS SVN repository.  A fresh tarball
containing the latest stable release can
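The command-injection pattern behind OVSA20110118 (email(): to_address carries a shell redirect that creates the isadmin file) and OVSA20121112 (send_to_sourcefire(): ip and port carry shell metacharacters), as one added example that is not OpenVAS code. It reproduces the vulnerable shape of send_to_sourcefire() with snprintf standing in for g_strdup_printf so it builds without GLib, then shows the two things a fix needs: type-specific validation of the values, and execution without a shell so that the values can no longer alter the command structure. The script and file paths used are placeholders.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenVAS code.  Models the pattern shared by
 * send_to_sourcefire() and email(): caller-controlled strings are
 * interpolated into a command line that is then handed to system().
 * snprintf stands in for g_strdup_printf so this builds without GLib. */

/* Vulnerable shape: ip and port become part of the shell command text, so
 * any shell metacharacter in them changes the command.  Returns 0 on
 * success, -1 if the buffer is too small.  (The real code then calls
 * system (command); this example only builds the string.) */
int build_sourcefire_command_vulnerable(char *buf, size_t buflen,
                                        const char *script, const char *ip,
                                        const char *port, const char *pkcs12_file,
                                        const char *report_file)
{
    int n = snprintf(buf, buflen, "/bin/sh %s %s %s %s %s > /dev/null 2> /dev/null",
                     script, ip, port, pkcs12_file, report_file);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Does a value contain anything the shell would interpret?  This is the
 * check that catches both "none@none>/var/lib/openvas/users/.../isadmin"
 * and "10.0.0.1; touch /tmp/foo". */
bool has_shell_metachars(const char *s)
{
    return s && strpbrk(s, ";|&$`<>(){}[]*?!'\"\\ \t\n") != NULL;
}

/* Stricter, type-specific validation for the sourcefire parameters:
 * a literal IPv4 address and a decimal port in range, nothing else. */
bool is_valid_ipv4(const char *ip)
{
    struct in_addr a;
    return ip && inet_pton(AF_INET, ip, &a) == 1;
}

bool is_valid_port(const char *port)
{
    if (!port || !*port || strlen(port) > 5)
        return false;
    for (const char *p = port; *p; p++)
        if (!isdigit((unsigned char)*p))
            return false;
    long v = strtol(port, NULL, 10);
    return v >= 1 && v <= 65535;
}

/* Hardened shape: validate, then build an argv for execv() of the script.
 * No shell is involved, so each value arrives as exactly one argument
 * whatever characters it contains.  argv_out must hold 7 entries.
 * Returns 0 on success, -1 if a value is rejected. */
int build_sourcefire_argv_safe(const char *script, const char *ip,
                               const char *port, const char *pkcs12_file,
                               const char *report_file, const char *argv_out[7])
{
    if (!is_valid_ipv4(ip) || !is_valid_port(port))
        return -1;
    argv_out[0] = "/bin/sh";
    argv_out[1] = script;
    argv_out[2] = ip;
    argv_out[3] = port;
    argv_out[4] = pkcs12_file;
    argv_out[5] = report_file;
    argv_out[6] = NULL;
    /* caller: fork(), point stdout/stderr at /dev/null, then
     * execv(argv_out[0], (char *const *) argv_out) */
    return 0;
}

int main(void)
{
    char cmd[512];
    const char *argv[7];
    const char *ip = "10.0.0.1; touch /tmp/foo";   /* constructed payload */

    build_sourcefire_command_vulnerable(cmd, sizeof cmd, "/tmp/send.sh", ip,
                                        "8080", "/tmp/k.p12", "/tmp/r.xml");
    printf("vulnerable command: %s\n", cmd);
    printf("hardened path accepts payload: %s\n",
           build_sourcefire_argv_safe("/tmp/send.sh", ip, "8080", "/tmp/k.p12",
                                      "/tmp/r.xml", argv) == 0 ? "yes" : "no");
    return 0;
}
```

has_shell_metachars() is the generic screen that would also have stopped the email() payload; the IPv4 and port checks are the better fix for send_to_sourcefire() because they describe what the value is allowed to be rather than what it must not contain. Either way the durable change is the switch from system() to an argv vector.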

Medium security flaw in Apache Traffic Server

2010-09-10 Thread Tim Brown
I was recently taking a look at the Apache Traffic Server project (which I 
believe was formerly developed by Yahoo Inc) and noticed a series of potential 
problems relating to the way that it handles DNS.  This proxy does not rely on 
the OS supplied resolver library for resolving hostnames but instead 
implements its own asynchronous resolver.

Whilst reviewing the code, I spotted 3 potential issues which I believe might 
significantly increase the chances of Traffic Server's internal DNS cache being 
poisoned.

The Apache Software Foundation have assigned CVE-2010-2952 to these issues.

Tim
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/


NDSA20100830.txt.asc
Description: PGP signature




DLL hijacking on Linux

2010-08-25 Thread Tim Brown
All,

If you've seen the recent Microsoft advisory, I put together a post on a 
similar DLL hijacking issue that affects Linux (and other POSIX-alikes).  You 
can read the full details on my blog 
(http://www.nth-dimension.org.uk/blog.php?id=87) but the key point is that an 
empty directory specification in LD_LIBRARY_PATH, PATH (and probably others) is 
equivalent to $CWD.  That is to say that LD_LIBRARY_PATH=:/lib is equivalent 
to LD_LIBRARY_PATH=.:/lib.  It can occur when a script has 
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib or similar and LD_LIBRARY_PATH hasn't 
previously been defined.  It's worth checking for this kind of thing in scripts 
that may be run via sudo/su when auditing hosts.  I don't believe it's a 
vulnerability per se, but particular instances of broken scripts may well be.

Tim  
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/


signature.asc
Description: This is a digitally signed message part.
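
The check and the safe idiom described in the post above, as an added example that is not part of the original message: a function that spots an empty entry in a colon-separated search path, one that appends without ever producing one, and a grep for the `VAR=$VAR:dir` pattern in scripts. The sample wrapper script is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: spot the empty search-path
# entry the post describes and show the idiom that avoids it.

# Returns 0 when the colon-separated list in $1 has an empty entry (leading
# ':', trailing ':' or '::'); for PATH and LD_LIBRARY_PATH the shell and the
# dynamic loader read an empty entry as the current working directory.
has_empty_entry() {
    # an empty or unset variable has no entries; the hazard is the
    # "$VAR:/lib" expansion producing ":/lib" when $VAR was unset
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Prints $1 with $2 appended, inserting the ':' separator only when $1 is
# non-empty, so an unset variable yields "/lib" rather than ":/lib".
safe_append() {
    printf '%s\n' "${1:+$1:}$2"
}

# Prints, with line numbers, the assignments in script $1 that append to
# PATH or LD_LIBRARY_PATH by expanding the variable itself ("VAR=$VAR:dir"
# or "VAR=${VAR}:dir"); the safe "${VAR:+$VAR:}dir" form is not matched.
find_risky_assignments() {
    grep -En '(LD_LIBRARY_PATH|PATH)=([$](LD_LIBRARY_PATH|PATH)|[$][{](LD_LIBRARY_PATH|PATH)[}]):' "$1"
}

# Demonstration on a constructed wrapper script of the kind run via sudo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/sh
# constructed wrapper script
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/app/lib
PATH=${PATH}:/opt/app/bin
# safe form: the separator appears only when the variable already has content
LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/opt/app/lib
exec /opt/app/bin/tool "$@"
EOF
echo "risky assignments in $sample:"
find_risky_assignments "$sample"
rm -f "$sample"

# What the unset-variable case actually expands to:
unset LD_LIBRARY_PATH
echo "naive: '${LD_LIBRARY_PATH}:/opt/app/lib'"    # ':/opt/app/lib', CWD searched first
echo "safe:  '$(safe_append "$LD_LIBRARY_PATH" /opt/app/lib)'"
```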


Re: [Full-disclosure] Medium security hole in Varnish reverse proxy

2010-03-30 Thread Tim Brown
On Monday 29 March 2010 18:12:38 John Adams wrote:

> Post some code that people can evaluate.

I don't really like posting PoC code, but consider:

param.set user root
stop
start
vcl.inline test "backend default { .host = \"127.0.0.1\"; .port = \"8080\"; } 
C{ #include <aheaderfile.h> }C sub vcl_recv { C{ system(\"touch /tmp/foo\"); }C 
}"
vcl.use test

Should give you some ideas

> For starters, there's no reason why varnish ever has to run as root.
> It never listens on privileged ports, and the C compiler is never
> available over a network interface.

The proxy process doesn't run as root by default, but that's not much 
consolation if the master process can reconfigure it at will.  The C compiler 
is available over whatever interface the master port is bound to, and in most 
cases that will be localhost:6082.  I've seen that as a default configuration 
for FreeBSD, Fedora, Debian and Ubuntu packages.

> You can ask varnish to reload a configuration and recompile it, but
> you'd have to have write access to the filesystem first.

Not strictly true, have a look at vcl.inline (as per the example above).

> You can also
> only cause recompilation to occur if the admin interface is up and
> running, which can be easily disabled.

True, but up until the latest version this was your only option since there 
was no authentication support and the default in many cases (including as 
noted in my advisory, the Redhat packaging files included in Varnish trunk) was 
to enable it.  The addition of authentication in 2.1.0 will /if enabled/ 
improve the situation no end.

> Poul is probably correct. Any vulnerabilities in Varnish with regards
> to privilege escalation are configuration issues.

Technically he is probably right but I still think the design sucks too, and 
let's be honest, an attacker probably doesn't need to make the distinction 
anyway.

Tim
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/


signature.asc
Description: This is a digitally signed message part.
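
A configuration check for the exposure argued over in this thread, as an added example that is not part of the original messages: it reads a varnishd command line and reports a management listener that is bound off loopback or that has no `-S` secret file (the CLI authentication the reply says arrived in 2.1.0). The two command lines are constructed; on a host the input would be the output of `ps -o args= -C varnishd`.

```shell
#!/bin/sh
# Added example, not from the thread: audit a varnishd command line for a
# management (CLI) listener that is reachable from other hosts or that has
# no -S secret file. Relies on varnishd's -T (management listen address)
# and -S (secret file, Varnish 2.1.0 and later) options.

# Prints the value of option $2 (e.g. -T) in command line $1, whether given
# as "-T host:port" or "-Thost:port"; returns 1 if the option is absent.
opt_value() {
    want=$2
    set -f; set -- $1; set +f
    while [ $# -gt 0 ]; do
        case "$1" in
            "$want")  [ $# -gt 1 ] && printf '%s\n' "$2"; return 0 ;;
            "$want"*) printf '%s\n' "${1#"$want"}"; return 0 ;;
        esac
        shift
    done
    return 1
}

# Prints one line per finding for command line $1; returns 0 when there is
# at least one finding and 1 when the CLI exposure looks acceptable.
audit_varnishd() {
    rc=1
    mgmt=$(opt_value "$1" -T) || {
        echo "info: no -T, no management listener configured"
        return 1
    }
    case "$mgmt" in
        127.0.0.1:*|localhost:*|"[::1]:"*) ;;        # loopback only
        *) echo "finding: management port on $mgmt is reachable from other hosts"; rc=0 ;;
    esac
    if ! opt_value "$1" -S >/dev/null; then
        # without -S, anything that can reach the port can run param.set,
        # vcl.inline and start/stop, the sequence quoted in the thread
        echo "finding: no -S secret file, CLI accepts commands unauthenticated"
        rc=0
    fi
    return $rc
}

# Constructed examples: a typical packaged default, and a hardened line.
weak='/usr/sbin/varnishd -a :6081 -T localhost:6082 -f /etc/varnish/default.vcl -s file,/var/lib/varnish/storage.bin,1G'
hardened='/usr/sbin/varnishd -a :6081 -T 127.0.0.1:6082 -S /etc/varnish/secret -f /etc/varnish/default.vcl -s file,/var/lib/varnish/storage.bin,1G'
echo "== weak";     audit_varnishd "$weak"     || echo "no findings"
echo "== hardened"; audit_varnishd "$hardened" || echo "no findings"
```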


Medium security hole in Varnish reverse proxy

2010-03-29 Thread Tim Brown
Hi,

I've identified a couple of security flaws affecting the Varnish reverse proxy 
which may allow privilege escalation. These issues were reported by email to 
the vendor but he feels that it is a configurational issue rather than a design 
flaw.  Whilst I can partially see his point in that the administrative 
interface can be disabled, I'm not convinced that making a C compiler 
available over a network interface without authentication is sound practice, 
especially when the resultant compiled code can be made to run as root rather 
trivially.

Tim
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/


NDSA20090908.txt.asc
Description: PGP signature


signature.asc
Description: This is a digitally signed message part.


High security hole in NullLogic Groupware

2009-07-06 Thread Tim Brown
Hi,

I've identified a couple of security flaws affecting the NullLogic Groupware 
which may allow compromise of accounts, denial of service or even remote code 
execution.  These issues were reported by email to the developer but no 
response was forthcoming.
 
Tim
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/


NDSA20090413.txt.asc
Description: application/pgp-keys


signature.asc
Description: This is a digitally signed message part.


Medium security hole in TekRADIUS

2009-07-06 Thread Tim Brown
Hi,

I've identified a couple of security flaws affecting the TekRADIUS radius 
server for Windows which may allow privilege escalation.  These issues were 
reported by email to the vendor and have I believe been resolved.
 
Tim
-- 
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/


NDSA20090412.txt.asc
Description: application/pgp-keys


signature.asc
Description: This is a digitally signed message part.


Medium security hole affecting Festival on Debian unstable/testing and Ubuntu Hardy Heron

2008-04-04 Thread Tim Brown
It has recently been identified that the Festival text to speech server 
was vulnerable to unauthenticated remote code execution.  Further research 
indicated that this vulnerability had already been reported as a local 
privilege escalation against both the Gentoo and SuSE GNU/Linux distributions 
and had been assigned CVE-2007-4074.  The remote form of this vulnerability was 
originally identified in the default configuration of Festival 1.96~beta-5 as 
distributed in Debian unstable but Ubuntu Hardy Heron was also affected. Both 
Debian and Ubuntu have since released patches to resolve this flaw.  An 
advisory for this flaw which provides further information is attached.  A 
short analysis of Debian's response can be found at 
http://www.nth-dimension.org.uk/blog.php?id=68.

Cheers,
Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/


NDSA20080215.txt.asc
Description: application/pgp-keys


Serious holes affecting SiteBar 3.3.8

2007-10-18 Thread Tim Brown
All,

As a result of a short security audit of SiteBar, a number of security holes 
were found.  The holes included code execution, a malicious redirect and 
multiple cases of Javascript injection.

After liaising with the developers, the holes have been patched.  Attached are 
the advisory and patch relating to these flaws.

CVEs open already relating to this audit:

* CVE-2006-3320 (Javascript injection) - previously reported by other parties 
but not resolved and so included for completeness

* CVE-2007-5492 (code execution) - first reported in my attached advisory to 
the vendor, independently rediscovered by Robert Buchholz of Gentoo whilst 
auditing the differences between the patched and unpatched versions (3.3.8 vs 
3.3.9)

* CVE-2007-5491 (file permissions issue) - apparently patched by the vendor at 
the same time as my issues were resolved and discovered by Robert Buchholz of 
Gentoo whilst auditing the differences between the patched and unpatched 
versions (3.3.8 vs 3.3.9)

It is intended that CVE-2007-5492 will be updated to reference both code 
execution flaws I reported.  All other issues in the advisory have been 
patched but no CVEs have yet been requested or assigned to the best of my 
knowledge.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/
Index: command.php
===
--- command.php	(revision 412)
+++ command.php	(working copy)
@@ -94,8 +94,15 @@
 {
 if (!$this-um-isAuthorized($this-command,
 in_array($this-command, array('Log In', 'Log Out', 'Sign Up')),
-SB_reqVal('command_gid'), SB_reqVal('nid_acl'), SB_reqVal('lid_acl')))
+SB_reqValInt('command_gid'), SB_reqValInt('nid_acl'), SB_reqValInt('lid_acl')))
 {
+$bld = 'build' . $this-shortName();
+$cmd = 'command' . $this-shortName();
+
+if (!method_exists($this,$bld)  !method_exists($this,$cmd))
+{
+$this-command = 'Unknown command!';
+}
 $this-um-accessDenied();
 return;
 }
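Review bot: the `method_exists()` fallback that rewrites `$this->command` to 'Unknown command!' (the `->` arrows are lost in this archived copy) only runs inside the `isAuthorized()` failure branch, so it sanitises the name before `accessDenied()` but not for any later consumer of `$this->command` when the request was authorised; if the intent is that a request-supplied command name is never reflected or dispatched unless a `build`/`command` handler exists, do the `method_exists()` check before the authorisation test as well. Switching the three ACL parameters to `SB_reqValInt()` is the right fix for the id handling; please confirm that `SB_reqValInt()` returns something `isAuthorized()` treats as "no id" when the parameter is absent, rather than 0.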
@@ -849,6 +856,7 @@
 // be otherwise lost. Needed to go back.
 if ($disabled  $params['type'] == 'text')
 {
+$params['value'] = str_replace('',',$params['value']);
 ?
 input type=hidden name=?php echo SB_safeVal($params,'name') ? value=?php echo $params['value']?
 ?php
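Review bot: the `str_replace()` on `$params['value']` (its search and replacement arguments are lost in this archived copy) is hand-rolled escaping placed just before the value is echoed into the `value=` attribute; encoding at the output point with `htmlspecialchars($params['value'], ENT_QUOTES)` would cover quotes, angle brackets and ampersands in one call and would not need repeating in every branch that emits a hidden input.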
@@ -857,6 +865,7 @@
 
 if ($name{0} == '-')
 {
+$params['value'] = str_replace('',',$params['value']);
 ?
 input type=hidden name=?php echo $params['name']? value=?php echo $params['value']?
 ?php
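Review bot: this is the same hand-rolled escaping as the previous hunk, copied rather than shared, and in this branch `name=` is echoed from `$params['name']` raw while the previous branch goes through `SB_safeVal($params,'name')`; route both the name and the value through one output-encoding helper so the two branches cannot drift apart again.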
@@ -927,7 +936,7 @@
 }
 elseif (isset($params['type'])   ($params['type'] == 'button') || ($params['type'] == 'addbutton'))
 {
-if (!$this-um-isAuthorized($name,false,null,SB_reqVal('nid_acl'),SB_reqVal('lid_acl'))) continue;
+if (!$this-um-isAuthorized($name,false,null,SB_reqValInt('nid_acl'),SB_reqValInt('lid_acl'))) continue;
 
 if ($params['type'] == 'button')
 {
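Review bot: the `SB_reqValInt()` change here matches the command-dispatch hunk; in passing, the condition on the `elseif` line combines `isset($params['type'])` with the `'button'` test and then ORs in the `'addbutton'` test, so the `'addbutton'` comparison runs without the `isset()` guard; parenthesising the disjunction would make the intended grouping explicit.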
@@ -1664,7 +1673,7 @@
 
 function buildDeleteTree()
 {
-$node = $this-tree-getNode(SB_reqVal('nid_acl',true));
+$node = $this-tree-getNode(SB_reqValInt('nid_acl',true));
 if (!$node) return null;
 
 $fields['Folder Name'] = array('name'='name','value'=$node-name, 'disabled'=null);
@@ -1677,10 +1686,10 @@
 
 function commandDeleteTree()
 {
-$this-tree-removeNode(SB_reqVal('nid_acl'), false);
+$this-tree-removeNode(SB_reqValInt('nid_acl'), false);
 if ($this-um-getParam('user','use_trash'))
 {
-$this-tree-purgeNode(SB_reqVal('nid_acl'));
+$this-tree-purgeNode(SB_reqValInt('nid_acl'));
 }
 SB_unsetVal('nid_acl');
 $this-forwardCommand('Maintain Trees');
@@ -1834,7 +1843,8 @@
 return;
 }
 
-if (SB_reqChk('forward'))
+// This should handle login from translator.php, we should avoid external redirect
+if (SB_reqChk('forward')  strpos(SB_reqVal('forward'),'/') === false)
 {
 header('Location: '.SB_reqVal('forward'));
 exit;
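Review bot: the new `strpos(SB_reqVal('forward'),'/') === false` test rejects any value containing a slash, which blocks the `http://host/...` and `//host` forms, but it is a one-character denylist; since the comment says the only legitimate source is translator.php, compare the value against the expected local target(s) instead, and keep the check next to the `header('Location: ...')` call so a later edit cannot separate them.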
@@ -2681,14 +2691,14 @@
 return null;
 }
 
-if (SB_reqVal('uid') == SB_ADMIN)
+$uid = intval(SB_reqVal('uid'));
+
+if ($uid == SB_ADMIN)
 {
 $this-error('Cannot modify administrator!');
 return null;
 }
 
-$uid = SB_reqVal('uid');
-
 $fields = array();
 $user = $this-um-getUser($uid);
 $fields['Username'] = array('name'='email', 'value'=$user['username'], 'disabled' = null);
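Review bot: applying `intval()` before the `SB_ADMIN` comparison and reusing the same `$uid` for `getUser()` closes the gap where the raw request string was compared with `==` and then passed on unchanged; for consistency with the rest of the patch, `SB_reqValInt('uid')` would be preferable to an inline `intval()`.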
@@ -3960,7 +3970,7 @@
 function buildAddFolder()
 {
 $fields = array();
-$node = $this-tree-getNode(SB_reqVal('nid_acl',true));
+$node = $this-tree-getNode(SB_reqValInt
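Review bot: this hunk is cut off after `SB_reqValInt` in the archived copy, so the `buildAddFolder()` change cannot be reviewed from what is shown; it needs checking in the full patch for the same `SB_reqValInt('nid_acl',true)` treatment as `buildDeleteTree()`.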

SSHatter 0.6

2007-10-06 Thread Tim Brown
All,

SSHatter, the SSH brute forcer, is now up to release 0.6.  Changes since the 
last announcement include:

* Changes allowing rudimentary username enumeration via timing attacks (as 
described in 
http://www.securityfocus.com/archive/1/archive/1/448025/100/0/threaded) have 
been implemented.  These changes have been validated against OpenSSH 3.5p1.

* Targets and usernames are now specified in a file and targets can now be 
specified one per line in the format hostname[:portnumber].

* Reconnection can optionally be enabled, where supported, on connection 
failures.

* A default passwords list (taken from 
http://www.nth-dimension.org.uk/downloads.php?id=30) has also been added.

* Fixes for systems configured with AllowUsers have been added, as these 
systems do not return "Permission denied" on Net::SSH::Perl->login().

This latest version can be downloaded from 
http://www.nth-dimension.org.uk/downloads.php?id=34.

Remember, auditing systems without permission may be a crime, always read the 
label.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/


Re: [Full-disclosure] Next generation malware: Windows Vista's gadget API

2007-09-17 Thread Tim Brown
Firstly, the sky isn't falling, the risks posed by the gadget API already 
existed elsewhere in Windows generally, but this is another new attack 
surface without any legacy dependencies.  This is my general view on the 
gadget API.

On Sunday 16 September 2007 13:34:32 Thierry Zoller wrote:

> PG> No, this is an entirely new level of attack,
> New level of attack, what makes you believe that?

As I previously stated, unlike Peter I don't consider this a new level of 
attack, I'm just a bit surprised that the threat model wasn't examined by 
Microsoft a little more closely before they decided to include the gadget 
API.  Unlike other APIs that Microsoft have released there was no legacy 
requirement to include all of the new functionality highlighted in my paper.  
Moreover, irrespective of the design decisions how did at least 3 Microsoft 
gadgets get through SDL without input validation being tested and the 
vulnerabilities.

> PG> because it's moved the dancing
> PG> bunnies problem onto the Windows desktop.
> Huh ? What is different to let's say the southpark worm we saw years
> ago? Or any other normal binary that promised to be a screensaver or
> similar ?

Because it's not just about downloading rogue gadgets.  I don't want to 
overhype the gadget API - it's just another attack surface after all - but if 
you look at all the PoCs so far, the greater risk comes from malware being 
injected into 'trusted' gadgets.

> PG> Given what an incredible attack vector they are
> What is incredible in this attack vector ? What is actually new ?
> What is the difference with the "User downloads screensaver and gets
> owned" attack vector ?

Allowing gadgets - trusted or otherwise - to download and execute arbitrary 
parts of the internet becomes a tad more dangerous when you explicitly allow 
them access to APIs for reading and writing arbitrary files (subject to Vista 
ACLs) and executing arbitrary binaries.  The process of securing IE has 
largely been to remove and mitigate such vectors by which this can occur, so 
why reintroduce them in non-legacy code.

Finally, why on earth does the trust model for gadgets consist of full trust 
and nothing more.  Why not allow gadgets to state in their manifest that for 
example they don't need to execute things, won't make use of ActiveX controls 
and will only connect to a specific host?

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]


Re: [Full-disclosure] Next generation malware: Windows Vista's gadget API

2007-09-17 Thread Tim Brown
On Monday 17 September 2007 13:26:36 Roger A. Grimes wrote:

> I'm sorry, we'll have to agree to disagree. I don't see the new attack
> vector here. I, the attacker, have to make you download my malicious
> trojan program, which you install on your computer.

Irrespective of the rest of what Roger says (which I agree with FTR), this bit 
is simply wrong.  Look at the PoC that has been made public:

https://strikecenter.bpointsys.com/articles/2007/08/26/vista-gadget-patches-in-ms07-048

It's not (just) about downloading malware gadgets.  It's about exploiting 
vulnerabilities *in* gadgets (the default gadgets in Vista, in the case of 
the PoC).  Essentially anywhere a gadget calls for example eval() on 
untrusted data you *may* have a problem.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]


Re: Next generation malware: Windows Vista's gadget API

2007-09-17 Thread Tim Brown
On Saturday 15 September 2007 13:55:24 Peter Gutmann wrote:
> (The original article was cross-posted to a lot of lists, maybe the
> discussion could be moved to vuln-dev only, unless everyone wants to see
> all of this stuff).

I shall respond in turn to the interesting points from all responses.

Peter wrote:
> I first saw
> this issue covered at the AVAR conference last year (before Vista had even
> been released), there's only the abstract online at
> http://www.aavar.org/avar2006/Program/ericchien.html, but it gives a good
> idea of what the anti-virus guys are concerned about here.

Eric's talk seems to be a good start on risk analysis of gadgets generically. 
The design of Vista gadgets seems particularly troubling since it seemed to 
have several design flaws which were the subject of the paper.

> Given what an incredible attack vector they are (it's pretty much an open
> invitation to get malware onto PCs), I'm amazed there haven't been any
> serious exploits yet.  I guess the relatively low uptake of Vista (compared
> to the XP installed base) has meant that they're not a significant target
> for the malware industry just yet, since it's still more profitable to do a
> drive-by iframe exploit and hit all OSes than to mount a Vista-only attack.

Likewise, I was amazed when I got the tip off about gadgets from a developer 
friend at the turn of the year.  We've seen 3 PoC exploits so far, so I'm 
sure the malware community will be taking note. 

Todd wrote:
> Good paper; Since this is out there I figure I'll forward the much
> shorter article I wrote that details an attack against the contact
> gadget, which was patched last month.

Thanks, it's pretty interesting to see the various PoCs coming out almost in 
synchronisation with the paper.  I'm glad I'm not the only one concerned by 
the functionality they provide.

Roger wrote:
> Yes, this is a new attack vector, but it is always game over anyway if
> I can get you to run my untrusted program.  In my testing, installing
> any Vista sidebar gadget results in a minimum of 3 warnings, each saying
> that the code being installed could be harmful, before it is installed.
> 5 warnings if the gadget is unsigned. 

New, maybe not... it's simply a mashup (to use another buzzword ;)) of 
numerous existing attack vectors.  What's interesting here for me is that the 
gadget API is a new codebase and still we're facing Microsoft making the same 
old mistakes.  Honestly, irrespective of design flaws, how did the already 
reported vulnerable gadgets make it through the SDL.  We're talking about 
basic input validation flaws in a web app after all.  That for me is the 
crux.  It's not just about the dangers of installing rogue gadgets but the 
exploitation of existing gadgets.

> It's something to be aware of, because malicious hackers will exploit
> them, and many end-users will ignore any warning, but not the most
> worrisome problem on my plate.  Secondly, I can completely control the
> install of any gadgets in my environment using Active Directory group
> policies to a granular level.

I would like to think my paper is fair in this regard.  I have provided 
details of Microsoft's mitigations including the AD policy stuff in the 
references section of the paper.

Aviv wrote:
> I don't understand why Microsoft rated this vulnerability as important,
> instead of critical.

As Peter wrote, maybe it's the size of the install base ;).  I would guess that 
it's because you'll only end up with user level accounts.  Although I suspect 
they haven't counted on ad fraud attacks, hijacking of cookies etc in their 
risk analysis.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]


Next generation malware: Windows Vista's gadget API

2007-09-13 Thread Tim Brown
A paper has just been released on the Windows Vista's gadget API.  The 
abstract is as follows:

Windows has had the ability to embed HTML into its user interface for many 
years. Right back to and including Windows NT 4.0, it has been possible to 
embed HTML into the task bar, but the OS has always maintained a sandbox, 
from which the HTML has been unable to escape. All this changes with Windows 
Vista. This paper seeks to inform system administrators, users and the
wider community on both potential attack vectors using gadgets and the 
mitigations provided by Windows Vista.

The full paper can be found at http://www.portcullis-security.com/165.php.

Cheers,
Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]


Tutorial on Fuzzled

2007-09-04 Thread Tim Brown
In preparation for the imminent release of Fuzzled 1.1, I spent this evening 
writing a short paper entitled Writing a fuzzer using the Fuzzled 
framework.

The paper includes some of the techniques I use to dismantle protocols 
including documentation, observation and static analysis.  It then moves on 
to the fundamentals of implementing a protocol using the framework.  I talk 
about base requests, namespaces and tying them together with factories with 
reference to Fuzzled::Protocol::HTTP, an example included in the framework.  
The paper also highlights a few tricks to the framework, including developing 
multi-threaded fuzzers, identifying offsets and parsing packets.  It ends 
with my techniques to identify vulnerabilities highlighted by fuzzers.

I'm sure none of the techniques themselves are new, but the application of 
them in the context of using the Fuzzled framework may provide some 
inspiration to others.

The full paper can be found at: 
http://www.nth-dimension.org.uk/utils/get.php?downloadsid=35.

Cheers,
Tim

PS If anyone wants to try a release candidate of Fuzzled 1.1, contact me off 
list and we'll see what we can do.
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/


Serious holes affecting JFFNMS

2007-06-11 Thread Tim Brown
As a result of a short security audit of JFFNMS, a number of security holes 
were found, even from the perspective of a non authenticated user.  The holes 
included authentication bypass via SQL injection, Javascript injection and a 
serious case of information disclosure.  After liaising with the developers, 
the holes have been resolved.  Attached are the advisory and patch relating 
to these flaws.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/
diff -Nru -x'*.png' -x'*.ini' -x'*.*sql' -x'*.patch' jffnms-0.8.3/htdocs/admin/adm/test.php jffnms-0.8.4-pre2/htdocs/admin/adm/test.php
--- jffnms-0.8.3/htdocs/admin/adm/test.php	2006-09-16 20:31:13.0 -0300
+++ jffnms-0.8.4-pre2/htdocs/admin/adm/test.php	1969-12-31 21:00:00.0 -0300
@@ -1 +0,0 @@
-? phpinfo(); ?
\ No newline at end of file
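Review bot: deleting `htdocs/admin/adm/test.php` removes the unauthenticated `phpinfo()` page, but a file removal in a source diff does not remove the file from installations that are upgraded by unpacking over an existing tree; the release notes or an upgrade script should tell administrators to delete it, and the web root can be checked afterwards for a 404 on that path.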
diff -Nru -x'*.png' -x'*.ini' -x'*.*sql' -x'*.patch' jffnms-0.8.3/htdocs/auth.php jffnms-0.8.4-pre2/htdocs/auth.php
--- jffnms-0.8.3/htdocs/auth.php	2006-09-16 20:31:13.0 -0300
+++ jffnms-0.8.4-pre2/htdocs/auth.php	2002-08-13 23:14:54.228705056 -0300
@@ -46,11 +46,6 @@
 		session_start();
 		}
 
-		if (($jffnms_version==0.0.0)  ($_SERVER[REMOTE_ADDR]==128.30.52.13)) { //W3C Validator
-		$_REQUEST[user]=admin;
-		$_REQUEST[pass]=admin;
-		}
-		
 		if (!isset($_SESSION[authentification]))
 		$authentification = $jffnms-authenticate ($_REQUEST[user],$_REQUEST[pass],true,from .$_SERVER[REMOTE_ADDR]);
 
diff -Nru -x'*.png' -x'*.ini' -x'*.*sql' -x'*.patch' jffnms-0.8.3/lib/api.classes.inc.php jffnms-0.8.4-pre2/lib/api.classes.inc.php
--- jffnms-0.8.3/lib/api.classes.inc.php	2006-09-16 20:31:14.0 -0300
+++ jffnms-0.8.4-pre2/lib/api.classes.inc.php	2002-08-13 23:14:55.656488000 -0300
@@ -677,7 +677,7 @@
 	$auth_type = 1;
 	$cant_auth = 0;
 	
-	if (isset($user)  isset($pass)) {
+	if (preg_match(/[EMAIL PROTECTED],20}$/, $user)  isset($pass)) {
 		$query_auth = select id as auth_user_id, usern as auth_user_name, passwd, fullname as auth_user_fullname from auth where usern = '$user';
 		$result_auth = db_query ($query_auth);
 		$cant_auth = db_num_rows($result_auth);
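Review bot: the `preg_match()` allowlist on `$user` (the pattern is mangled in this archived copy) is now the only thing stopping the value from breaking out of the single-quoted `where usern = '$user'` string; that holds only while the pattern excludes quotes and backslashes, and the same literal pattern is repeated three times in this file, so put it behind one `is_valid_username()` helper and, better, escape or parameterise the query as well so correctness does not rest on the regex alone.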
@@ -693,18 +693,20 @@
 	} 
 
 	if (($auth==0)  ($cant_auth == 0)){  //not found in DB
-		if (isset($user)  isset($pass)) {
+
+		if (preg_match(/[EMAIL PROTECTED],20}$/, $user)  isset($pass)) {
 		$query_auth = select id as auth_user_id, username as auth_user_name, name as auth_user_fullname from clients where username= '$user' and password = '$pass';
 		$result_auth = db_query ($query_auth);
 		$auth = db_num_rows( $result_auth);
 		}
+		
 		if ($auth==1) { 
 		$reg = db_fetch_array($result_auth);
 		$auth_type = 2;
 		}
 	}
 	
-	if (($log_event==true)  (!empty($user)))
+	if (($log_event==true)  preg_match(/[EMAIL PROTECTED],20}$/, $user))
 		insert_event(date(Y-m-d H:i:s,time()),get_config_option(jffnms_internal_type),1,Login,(($auth==1)?successful:failed),$user,$log_event_info,,0);
 	
 	unset ($reg[passwd]);
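Review bot: in the `clients` query `$pass` is still interpolated into `... and password = '$pass'` with only `isset($pass)` checked, so the injection fixed for `$user` remains reachable through the password field; escape it or use a parameterised query. Separately, changing the `$log_event` condition from `!empty($user)` to the regex means a login attempt with a non-conforming username is no longer recorded by `insert_event()` at all; log it (with the value sanitised) rather than dropping it, otherwise exactly the requests a defender wants to see vanish from the event table.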


NDSA20070524.txt.asc
Description: application/pgp-keys


signature.asc
Description: This is a digitally signed message part.


Re: Medium security hole affecting DSL-G624T

2007-05-05 Thread Tim Brown
On Thursday 03 May 2007 22:13:15 3APA3A wrote:

> This vulnerability for D-Link DSL-G624T was already reported by Jose
> Ramon Palanco. See
>
> http://securityvulns.ru/Odocument816.html
>
> Previously, same problem was reported for D-Link DSL-G604T by Qex
>
> http://securityvulns.ru/Mdocument578.html
>
>
> There were also few more problems reported about /cgi-bin/webcm, see
>
> http://securityvulns.ru/Idocument664.html
> http://securityvulns.ru/Idocument759.html

I quite agree, the Summary of my attached advisory makes this point.  However, 
as I also point out in the Solutions section, all of the issues you list were 
against major version 1 of the firmware.  We're now at major version 3 and 
directory traversal is still a problem.  Moreover, the advisories that cover 
directory traversal (http://securityvulns.ru/Mdocument578.html and 
http://securityvulns.ru/Mdocument578.html) only talk about /etc/passwd.  
Neglecting the fact that the web server runs as root and that /etc/shadow is 
therefore available.

Secondly, the Javascript injection issue described is as far as I 
know /entirely new/.  It's not a short walk to the point where these two 
issues alone could be used to compromise devices, irrespective of the firmware 
issues you also link to.

Maybe, I'm hoping that by version 10 of the firmware in the year 2014, D-Link 
may actually manage to fix some of these reported problems?  Moreover, maybe 
they'll actually make it possible for researchers to report these things in a 
manner whereby they actually respond to the reports when contacted.  Not 
holding my breath though.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/


Re: Medium security hole affecting DSL-G624T

2007-05-04 Thread Tim Brown
On Thursday 03 May 2007 23:19:55 3APA3A wrote:

> Not exactly, read first link carefully:
>
> Tested on D-Link DSL-G624T
> Version: Firmware Version : V3.00B01T01.YA-C.20060616
>
> Discovered by:
>
> Jose Ramon Palanco: jose.palanco(at)eazel(dot).es

Fair enough, I stand corrected, but it's been there since 1.something, so either 
way it's not new.  I shall be more careful to read responses in future :).  
To categorically state what I mentioned in the original advisory, I do not 
make any claim to having discovered the directory traversal first, I simply 
want the bug fixed.

> Jose mentions both directory traversal and 3 examples of crossite
> scripting. Crossite scripting examples are different from yours though
> and require POST request. Your CSS is easier to exploit.

Exactly.  Although SF is now attributing BID 23802 (my XSS) to Jose as well :)

> In fact, at least Russian D-Link support is very responsive to any bug
> report, but it seems like only way to get a response is to post a
> problem on their forum.

So it seems, and there lies the problem, the UK forum at least does not 
function in either Firefox or Konqueror.  I like vendors who respond by email 
and I like vendors who respond[1] quickly even more :).

[1] such as our alternate discussion
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/


Medium security hole affecting DSL-G624T

2007-05-03 Thread Tim Brown
Hi,

I've identified a couple of security flaws affecting the DSL-G624T firmware.  
I believe the directory traversal issue has been reported in other devices / 
firmware versions supplied by D-Link but not the combination I tested and 
clearly has not been resolved.  Additionally, the Javascript injection issue 
is I believe new and has not been reported on any device.

These issues were reported by email to the vendor at the usual addresses 
(support/security/etc) without response on 13th April 2007.  I also attempted 
to log faults on the vendor's support web site but sadly, it would not 
function adequately using either Firefox or Konqueror.

Tim
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/
Nth Dimension Security Advisory (NDSA20070412)
Date: 12th April 2007
Author: Tim Brown mailto:[EMAIL PROTECTED]
URL: http://www.nth-dimension.org.uk/ / http://www.machine.org.uk/
Product: DSL-G624T router (V3.00B01T02.UK-A.20060208)
http://www.dlink.co.uk/?go=gNTyP9CgrdFOIC4AStFCF834mptYKO9ZTdvhLPG3yV3oVo5+hKltbNlwaaFp7DQtFzrqyCJG948BANfh
Vendor: D-Link http://www.dlink.co.uk/
Risk: Medium

Summary

Following the Securiteam posting "D-Link DSL-G604T Wireless Router
Directory Traversal" which described a directory traversal in release
V1.00B02T02.EU.20040618 of the DSL-G624T router firmware, research
was carried out on the DSL-G624T router which indicated that it too
was vulnerable to this and a second vulnerability.  Nth Dimension
would also point out that the directory traversal has been reported in
other router and firmware combinations.

1) Firmware CGI is vulnerable to directory traversal and can be made
to retrieve any file to which the web server user has read access
(for example /etc/shadow).

2) Firmware CGI is vulnerable to Javascript injection within the 
requested URL.

Technical Details

1) The firmware CGI script can be made to read any arbitrary file that
the web server user has read access to, as it makes no sanity checks on
the value passed within the getpage parameter of the URL, for example:

http://192.168.1.1/cgi-bin/webcm?getpage=/etc/shadow

In the event that the user has not authenticated, then the user is prompted
for authentication credentials before the request is processed.

As noted above this vulnerability bears an uncanny resemblance to a previously
reported vulnerability with another D-Link router running a (presumably) older
version of the firmware.

2) The value of the URL requested is used within the web pages returned
by the firmware CGI script, in its unsanitised form.  Specifically, it makes
no sanity checks on the value passed within the var:RelaodHref parameter of the
URL, for example:

http://192.168.1.1/cgi-bin/webcm?getpage=../html/home/home_RelaodHref.htmvar:RelaodHref=a%20==%20a;){alert(XSS)}}/script

As with the example of Javascript injection, the user will be
prompted to authenticate if required.

Combining these vulnerabilities should allow the compromise of any router
running affected firmware versions.

Solutions

Unfortunately, Nth Dimension are unaware of any fixes for these issues
at the current time.  Note that 2 years have elapsed, and 2 major releases
of the firmware have occurred since the original Securiteam advisory was
published.
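
Detection logic for the two webcm issues above, as an added example that is not part of the advisory: it reads common-log-format access-log lines and flags a `getpage` value that resolves outside the html tree (the traversal) and a `var:RelaodHref` value carrying markup (the injection). It assumes that legitimate pages live under /html, as in the advisory's own `getpage=../html/home/...` example, and that logs are in common log format, since the router's own format is not documented here; the log lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory: flag access-log requests matching
# the DSL-G624T webcm traversal and var:RelaodHref injection. Assumes CLF
# logs and that legitimate pages live under /html (constructed samples below).

set -f   # no pathname expansion while splitting request strings into words

# Percent-decodes $1 (uses awk rather than printf's non-POSIX \x escapes).
urldecode() {
    printf '%s\n' "$1" | awk '
    BEGIN { hex = "0123456789abcdef" }
    {
        r = $0; out = ""
        while ((i = index(r, "%")) > 0) {
            out = out substr(r, 1, i - 1)
            h = tolower(substr(r, i + 1, 2))
            hi = index(hex, substr(h, 1, 1)); lo = index(hex, substr(h, 2, 1))
            if (length(h) == 2 && hi > 0 && lo > 0) {
                out = out sprintf("%c", (hi - 1) * 16 + (lo - 1))
                r = substr(r, i + 3)
            } else {
                out = out "%"; r = substr(r, i + 1)
            }
        }
        print out r
    }'
}

# Prints the raw value of parameter $2 in query string $1 (first occurrence).
param_value() {
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Resolves path $1 against directory $2 lexically (no filesystem access),
# collapsing "." and ".." segments, and prints the absolute result.
normalise_path() {
    case "$1" in /*) full=$1 ;; *) full="$2/$1" ;; esac
    out=""; old_ifs=$IFS; IFS=/
    for seg in $full; do
        case "$seg" in
            ""|.) ;;
            ..)   out=${out%/*} ;;
            *)    out="$out/$seg" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "${out:-/}"
}

# Prints a finding for each webcm issue present in request path $1 and
# returns 0; returns 1 (printing nothing) for anything else.
classify_request() {
    case "$1" in /cgi-bin/webcm\?*) ;; *) return 1 ;; esac
    query=${1#*\?}; hit=1
    getpage=$(param_value "$query" getpage)
    if [ -n "$getpage" ]; then
        # webcm lives in /cgi-bin, so "../html/x" is legitimate, "/etc/shadow" is not
        resolved=$(normalise_path "$(urldecode "$getpage")" /cgi-bin)
        case "$resolved" in
            /html/*) ;;
            *) echo "traversal: getpage resolves to $resolved"; hit=0 ;;
        esac
    fi
    href=$(param_value "$query" var:RelaodHref)
    # a page reference has no business containing markup or statement syntax
    case "$(urldecode "$href")" in
        *['<>;{}']*) echo "injection: var:RelaodHref=$href"; hit=0 ;;
    esac
    return $hit
}

# Reads CLF lines from file $1 and prints client, path and findings for each
# request that matches; clean lines produce no output.
scan_log() {
    while IFS= read -r line; do
        client=${line%% *}
        req=${line#*\"}; req=${req%%\"*}      # e.g. GET /cgi-bin/webcm?... HTTP/1.1
        set -- $req
        [ $# -ge 2 ] || continue
        finding=$(classify_request "$2") || continue
        printf '%s %s\n%s\n' "$client" "$2" "$finding"
    done < "$1"
}

# Constructed sample log: a normal page view, the two issues (one traversal
# plain, one percent-encoded, one injection) and an unrelated request.
sample=$(mktemp)
cat > "$sample" <<'EOF'
192.168.1.50 - - [12/Apr/2007:10:01:02 +0100] "GET /cgi-bin/webcm?getpage=../html/home/home.htm HTTP/1.1" 200 1531
192.168.1.77 - - [12/Apr/2007:10:03:15 +0100] "GET /cgi-bin/webcm?getpage=/etc/shadow HTTP/1.1" 200 412
192.168.1.77 - - [12/Apr/2007:10:04:40 +0100] "GET /cgi-bin/webcm?getpage=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 980
192.168.1.77 - - [12/Apr/2007:10:06:01 +0100] "GET /cgi-bin/webcm?getpage=../html/home/home_RelaodHref.htm&var:RelaodHref=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2210
192.168.1.50 - - [12/Apr/2007:10:07:30 +0100] "GET /index.html HTTP/1.1" 200 300
EOF
scan_log "$sample"
rm -f "$sample"
```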

Medium level security hole in FreeProxy

2007-02-07 Thread Tim Brown
The FreeProxy HTTP proxy server suffers from a denial of service condition 
which causes the server to hang.  This occurs when an attacker makes a 
request for the hostname/portnumber combination in use by the server itself.  
The vendor was notified on the 10th January 2007 and a fix was made available 
on the 24th.  Full details can be found in the attached advisory.
-- 
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/


NDSA20070206.txt.asc
Description: application/pgp-keys


Low security hole affecting IPCalc's CGI wrapper

2006-07-22 Thread Tim Brown
Hi,

I believe I've found a low level security hole relating to the way IPCalc's 
CGI wrapper sanitises input, which allows Javascript injection.

The hole is considered low since IPCalc's CGI wrapper has no privileged 
functionality, however of course it might be possible to use it as a vector 
to attack other applications hosted on the same web server.

I contacted the author (Krischan Jodies - http://www.jodies.de/) on the 7th, 
offering them 14 days to respond, but have had no reply acknowledging that 
the problem even exists, so I've decided to publish this warning.

Tim
-- 
Tim Brown, Nth Dimension
mailto:[EMAIL PROTECTED]
http://www.nth-dimension.org.uk/


NDSA20060705.txt.asc
Description: application/pgp-keys


Fresh hole in W3Mail (fwd)

2002-11-12 Thread Tim Brown
Hi,

The attached advisory supersedes my previous effort regarding W3Mail
(NDSA20020719).  It seems that in fixing the original holes, CascadeSoft
introduced a new one.

Their fix for the original hole was as I suggested, to move the MIME
attachments data from the web server document root.  Unfortunately, the
script they wrote to allow users to access the attachment, does no
checking about the validity of the file argument, allowing you to request
any file that is readable by the web server user.

The vendor has been notified, but since they never bothered to
acknowledge our contact last time, we're expecting no official response.
Hopefully this time they will be able to correct the bug in less than 4
months.

Cheers,
Tim
-- 
Tim Brown
mailto:securityfocus;machine.org.uk
http://www.machine.org.uk/


Nth Dimension Security Advisory (NDSA20021112)
Date: 12th November 2002
Author: Tim Brown mailto:timb;nth-dimension.org.uk
URL: http://www.nth-dimension.org.uk/ / http://www.machine.org.uk/
Product: W3Mail (up to and including 1.0.6) http://www.w3mail.org/
Vendor: CascadeSoft http://www.cascadesoft.com/
Risk: Medium
Supersedes: NDSA20020719

Summary

This vulnerability comes in 3 related parts.

On 1.0.5 and earlier releases:
1) W3Mail can incorrectly expose downloaded MIME attachments without
correct authentication in cases where the web server has been
configured with indexing for the MIME attachments storage directory.

2) In cases where the web server has server side scripting of any type
(such as PHP) enabled for the MIME attachments directory, it is
possible to gain remote access as the web server user (typically nobody).

On 1.0.6:
3) W3Mail can be made to retrieve any file to which the web server user has 
read access (for example /etc/passwd).

Technical Details

On 1.0.5 and earlier releases:
1) Unless indexing for the MIME attachments directory is disabled, it
is possible to browse the MIME attachments directory and read
arbitrary attachments.  Prior to release 1.0.3, W3Mail did not
correctly clean up the MIME directory, leaving the attachments there
even after the user to whom they belonged has logged out. In releases
1.0.3 and onwards, providing the user correctly logs out, their
attachments will be removed. Note that the attachments will remain as
with 1.0.3 and previous releases if the user simply closes the window
rather than using the correct logout link.

2) By sending a MIME attachment executable by the web server from the
MIME attachments directory to a POP3 account accessed from the W3Mail
web based POP3 client, remote access as the webserver user can in
theory be achieved, if the user to whom the mail is sent opens the
malicious email (and thus creates the attachments within the MIME
attachments directory for the lifetime explained in part 1).  Whilst
the attachment exists, the potential intruder can request it via their
browser and therefore have it executed by the web server.  The
attachment must be sent as a non-text MIME type in order for the
malicious code to correctly be created. This part of the vulnerability
will work even when directory indexing is turned off for the MIME
attachments directory since attachments are created with their
original name.

This vulnerability can also be exploited on attachments being sent
from W3Mail, although in this case the effect is reduced in releases
from 1.0.3 onwards, which clean the attachments directory after the
mail has been sent, minimizing the potential time for any attack.

On 1.0.6:
3) In replacing the code to fix the problems described previously, 
CascadeSoft moved the MIME attachments directory out of the document root as 
we initially recommended.  However, the code they introduced to allow access 
to the attachments from the web page (viewAttachment.cgi) can be made to
read any arbitrary file that the web server user has read access to, as it 
makes no sanity checks on the value passed within the file element of the URL, 
allowing for file=../../../../../etc/passwd etc.  Note that for this to work 
as described the attacker will need a valid session ID.

Solutions

In order to completely protect against the vulnerability (in the 
short term), Nth Dimension recommend turning off indexing and any server
side file execution for the MIME attachments directory; however, it is
our belief that it would be better to rewrite the affected code with a
view to storing attachments (either those being sent or received)
outside the web server's document root.  Release 1.0.6 fixes issues 1 & 2 as 
we suggested but introduces a new hole.
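
As an added example (not W3Mail's or CascadeSoft's code), the check that viewAttachment.cgi lacks in 1.0.6: the value of the file element is confined to a per-session attachments directory held outside the document root, which is also the storage layout the Solutions section asks for. The function name, directory layout and session ID format are assumptions for illustration.

```python
import os
import re
import tempfile

# Attachments live outside the document root (the advisory's own advice) and
# are partitioned per session so one user cannot read another's. The directory
# name is a placeholder for this demo, not W3Mail's real layout.
ATTACHMENT_ROOT = os.path.join(tempfile.gettempdir(), "w3mail_attachments_demo")
_SESSION_RE = re.compile(r"[A-Za-z0-9]{8,64}")


def safe_attachment_path(session_id, file_arg, root=ATTACHMENT_ROOT):
    """Resolve the 'file' URL element to a path inside the session's directory,
    or raise ValueError; hypothetical replacement for the unchecked lookup."""
    # 1. the session id itself must not be able to form a path
    if not _SESSION_RE.fullmatch(session_id):
        raise ValueError("malformed session id")
    # 2. the file element must be exactly one path component
    if (not file_arg or "\x00" in file_arg or "\\" in file_arg
            or os.path.isabs(file_arg) or os.path.basename(file_arg) != file_arg
            or file_arg in (".", "..")):
        raise ValueError("file name must be a single path component")
    # 3. after symlink resolution the result must still sit inside the session
    #    directory; this containment test alone defeats ../../../etc/passwd
    session_dir = os.path.realpath(os.path.join(root, session_id))
    candidate = os.path.realpath(os.path.join(session_dir, file_arg))
    if os.path.commonpath([session_dir, candidate]) != session_dir:
        raise ValueError("path escapes the session's attachment directory")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(file_arg)
    return candidate


def demo():
    """Constructed scenario: one session holding one attachment; returns what
    each 'file=' value would yield from the hardened lookup."""
    session = "abc123def456"
    session_dir = os.path.join(ATTACHMENT_ROOT, session)
    os.makedirs(session_dir, exist_ok=True)
    with open(os.path.join(session_dir, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample\n")
    requests = ["report.pdf", "../../../../../etc/passwd", "/etc/passwd",
                "..", "sub\\..\\x", "missing.txt"]
    outcome = {}
    for name in requests:
        try:
            safe_attachment_path(session, name)
            outcome[name] = "served"
        except (ValueError, FileNotFoundError) as exc:
            outcome[name] = type(exc).__name__
    return outcome
```

Step 3 is deliberately kept even though step 2 already rejects every traversal form shown, so that a future relaxation of the name filter cannot silently reopen the hole.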

Medium security hole affecting W3Mail

2002-07-25 Thread Tim Brown


I believe I've found a medium level security hole relating to the way W3Mail
stores MIME attachments.  I contacted the authors (CascadeSoft - 
http://www.cascadesoft.com/) on the 19th, offering them 14 days to produce 
a fix, but have had no reply to acknowledge that the problem even exists, 
so I've decided to publish this warning:


Nth Dimension Security Advisory (NDSA20020719)
Date: 19th July 2002
Author: Tim Brown mailto:[EMAIL PROTECTED]
URL: http://www.nth-dimension.org.uk/ / http://www.machine.org.uk/
Product: W3Mail (up to and including 1.0.5) http://www.w3mail.org/
Vendor: CascadeSoft http://www.cascadesoft.com/
Risk: Medium

Summary

This vulnerability comes in 2 related parts.

1) W3Mail can incorrectly expose downloaded MIME attachments without
correct authentication in cases where the web server has been
configured with indexing for the MIME attachments storage directory.

2) In cases where the web server has server side scripting of any type
(such as PHP) enabled for the MIME attachments directory, it is
possible to gain remote access as the webserver user (typically nobody).

Technical Details

1) Unless indexing for the MIME attachments directory is disabled, it
is possible to browse the MIME attachments directory and read
arbitrary attachments.  Prior to release 1.0.3, W3Mail did not
correctly clean up the MIME directory, leaving the attachments there
even after the user to whom they belonged has logged out. In versions
1.0.3 and more recent, providing the user correctly logs out, their
attachments will be removed. Note that the attachments will remain as
with 1.0.3 and lower releases if the user simply closes the window
rather than using the correct logout link.

2) By sending a MIME attachment executable by the web server from the
MIME attachments directory to a POP3 account accessed from the W3Mail
web based POP3 client, remote access as the webserver user can in
theory be achieved, if the user to whom the mail is sent opens the
malicious email (and thus creates the attachments within the MIME
attachments directory for the lifetime explained in part 1).  Whilst
the attachment exists, the potential intruder can request it via their
browser and therefore have it executed by the web server.  The
attachment must be sent as a non-text MIME type in order for the
malicious code to correctly be created. This part of the vulnerability
will work even when directory indexing is turned off for the MIME
attachments directory since attachments are created with their
original name.

This vulnerability can also be exploited on attachments being sent
from W3Mail, although in this case the effect is reduced in versions
from 1.0.3 onwards, which clean the attachments directory after the
mail has been sent, minimizing the potential time for any attack.

Solutions

In order to completely protect against the vulnerability (in the short
term), Nth Dimension recommend turning off indexing and any server
side file execution for the MIME attachments directory; however, it is
our belief that it would be better to rewrite the affected code with a
view to storing attachments (either those being sent or received)
outside the web server's document root.

I found it purely by chance, as one of my friends has a web stats utility
running on his W3Mail server - it was listing attachments, and I was
surprised to find that they could be accessed without any authentication -
more shocking still, it's possible to use this knowledge to upload malicious
code to be executed via a browser.

Cheers,
Tim
- --
Tim Brown
mailto:[EMAIL PROTECTED]
http://www.machine.org.uk/
