[Full-disclosure] SEC Consult SA-20140227-0 :: Local Buffer Overflow vulnerability in SAS for Windows (Statistical Analysis System)
SEC Consult Vulnerability Lab Security Advisory 20140227-0
=======================================================================
              title: Local Buffer Overflow vulnerability
            product: SAS for Windows (Statistical Analysis System)
 vulnerable version: SAS 9.2, 9.3 and 9.4
      fixed version: SAS 9.4 TS 1M1
         CVE number: -
             impact: High
           homepage: http://www.sas.com/
              found: 2013-08-08
                 by: René Freingruber
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------------------------------------------------
SAS is a software suite developed by SAS Institute for advanced analytics, business intelligence, data management, and predictive analytics. It is the largest market-share holder for advanced analytics.

SAS is a software suite that can mine, alter, manage and retrieve data from a variety of sources and perform statistical analysis on it. It is widely used in insurance, public health, scientific research, finance, human resources, IT, utilities, and retail, and is used for operations research, project management, quality improvement, forecasting and decision-making. It is the standard statistical analysis software for submitting clinical pharmaceutical trials to the US Food and Drug Administration.

SAS provides a graphical point-and-click user interface for non-technical users and more advanced options through the SAS programming language. SAS programs have a DATA step, which retrieves and manipulates data, and a PROC step, which analyzes data.

URL: http://en.wikipedia.org/wiki/SAS_%28software%29

Business recommendation:
-----------------------------------------------------------------------
Attackers are able to completely compromise SAS clients when a malicious SAS program gets executed.

The scope of the test, where the vulnerabilities had been identified, was a very short crash-test of the application. It is assumed that further vulnerabilities exist within this product!

It is highly recommended by SEC Consult not to use this software until a thorough security review has been performed by security professionals and all identified issues have been resolved.
Vulnerability overview/description:
-----------------------------------------------------------------------
It is possible to exploit a buffer overflow in the SAS client application by creating a malicious SAS program. When a user opens the SAS program the malicious content will be hidden because the enhanced editor does not display overlong lines. If the user executes the program a buffer overflow will be triggered resulting in arbitrary code execution.

It was possible to exploit this vulnerability on an updated standard Windows 7 installation.

Proof of concept:
-----------------------------------------------------------------------
The detailed proof of concept exploit was removed for this vulnerability.

SEC Consult has released a proof of concept video demonstrating the issue:
http://www.youtube.com/user/SECConsult/videos

Vulnerable / tested versions:
-----------------------------------------------------------------------
The vulnerabilities have been verified to exist in SAS 9.3 TS Level 1M1.

According to the vendor the following versions are also affected:
SAS 9.2 TS 2M3
SAS 9.3 TS 1M1
SAS 9.3 TS 1M2
SAS 9.4 TS 1M0

Vendor contact timeline:
-----------------------------------------------------------------------
2013-11-04: Contacted vendor through off...@aut.sas.com
2013-11-04: Initial vendor response.
2013-11-06: Issue will be verified, internal tracker created.
2014-01-17: Patch released by vendor.
2014-02-27: SEC Consult releases coordinated security advisory.

Solution:
-----------------------------------------------------------------------
Apply the provided fix:
SAS 9.4 TS 1M1 : includes the fix
SAS 9.4 TS 1M0 - http://ftp.sas.com/techsup/download/hotfix/HF2/L08.html#L08004
SAS 9.3 TS 1M2 - http://ftp.sas.com/techsup/download/hotfix/HF2/I22.html#I22069
SAS 9.3 TS 1M1 - Apply maintenance M2 before applying fix for SAS 9.3 TS 1M2
SAS 9.2 TS 2M3 - http://ftp.sas.com/techsup/download/hotfix/HF2/B25.html#B25260

Workaround:
-----------------------------------------------------------------------
No workaround available.

Advisory URL:
-----------------------------------------------------------------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail
[Full-disclosure] Bluetooth Photo Share Pro v2.0 iOS - Multiple Vulnerabilities
Document Title:
===============
Bluetooth Photo Share Pro v2.0 iOS - Multiple Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1218

Release Date:
=============
2014-02-27

Vulnerability Laboratory ID (VL-ID):
====================================
1218

Common Vulnerability Scoring System:
====================================
6.7

Product & Service Introduction:
===============================
This is the best bluetooth sharing and file transfer app in app store. Transfer photos, videos, music, contacts and any file between two iPhone, iPad and/or iPod Touches over bluetooth connection. Requires iPhone 3G or later or 2nd generation iPod Touch or later. Does not require any 3G or WiFi connection.

(Copy of the Homepage: https://itunes.apple.com/us/app/bluetooth-photo-video-music/id590196698 )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official Bluetooth Photo/Video/Music/Contact Share Pro v2.0 iOS mobile application.

Vulnerability Disclosure Timeline:
==================================
2014-02-27: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Apple AppStore
Product: Bluetooth Photo Share - iOS Mobile Web Application 2.0

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official Bluetooth Photo/Video/Music/Contact Share Pro v2.0 iOS mobile application. The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands to compromise the web-application or mobile device.

The web vulnerability is located in the `filename` value of the `Select File to Upload` function POST method request. Remote attackers are able to inject own files with malicious `filename` to compromise the mobile application. The attack vector is persistent and the request method is POST. The local file/path include execution occurs in the main index file dir list of the path section after the regular upload.

The security risk of the local file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.4(+)|(-)7.5. Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password. Successful exploitation of the local web vulnerability results in mobile application or connected device component compromise.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Select File Upload

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index File Dir List (http://localhost:8080)

1.2
An arbitrary file upload web vulnerability has been discovered in the official Bluetooth Photo/Video/Music/Contact Share Pro v2.0 iOS mobile application. The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.

The vulnerability is located in the `upload` (video and images) module. Remote attackers are able to upload a php or js web-shells by renaming the file with multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name and extension `image.gif.jpg.html.js.aspx.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg .gif file extension and can access the application with elevated access rights.

The security risk of the arbitrary file upload web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.1(+)|(-)6.2. Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged application user account with password. Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Select File Upload

Vulnerable Parameter(s):
[+] filename (multiple extensions)

Affected Module(s):
[+] Index File Dir List (http://localhost:8080/)

Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by remote attackers without privileged web-application user account or user interaction. For security demonstration or to reproduce the vulnerability follow the
[Full-disclosure] Telekom Bug Bounty #12 - File Include Web Vulnerability
Document Title:
===============
Telekom Bug Bounty #12 - File Include Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1178

Release Date:
=============
2014-02-27

Vulnerability Laboratory ID (VL-ID):
====================================
1178

Common Vulnerability Scoring System:
====================================
7.1

Product & Service Introduction:
===============================
Deutsche Telekom AG (English: German Telecom) is a German telecommunications company headquartered in Bonn, North Rhine-Westphalia, Germany. Deutsche Telekom was formed in 1996 as the former state-owned monopoly Deutsche Bundespost was privatized. As of June 2008, the German government still holds a 15% stake in company stock directly, and another 17% through the government bank KfW.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Deutsche_Telekom  http://www.telekom.com/bug-bounty )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a file include web vulnerability in an official German Telekom website web-application.

Vulnerability Disclosure Timeline:
==================================
2014-01-01: Researcher Notification & Coordination (Ibrahim Mosaad El-Sayed)
2014-01-03: Vendor Notification (Telekom CERT Security Team)
2014-01-16: Vendor Response/Feedback (Telekom CERT Security Team)
2014-02-20: Vendor Fix/Patch (Telekom Developer Team)
2014-02-27: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Deutsche Telekom (German Telecom)
Product: InterShop - Web Application (Framework) 2014 Q1

Exploitation Technique:
=======================
Local

Severity Level:
===============
High

Technical Details & Description:
================================
A local file/path include and arbitrary file upload vulnerability has been discovered in the official Telekom GT INTERSHOP website web-application. The arbitrary file upload issue and file include web vulnerability allows attackers to unauthorized include/request/access or upload own files/context.

The local file include and arbitrary file upload web vulnerability is located in the vulnerable parameter `filelist` of the file `ViewStaticContent-Start`. Remote attackers, if they know the main correct path, can view the source code of any file on the system. The issue has the character of a file include but also an arbitrary file upload issue.

The security risk of the arbitrary file upload and local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.1(+). Exploitation of the local file include and arbitrary file upload web vulnerability requires no user interaction or privileged web user account. Successful exploitation of the local web vulnerability results in web-application compromise by unauthorized local file include web attacks.

Vulnerable Parameter(s):
[+] filelist

Affected Module(s):
[+] ViewStaticContent-Start

Proof of Concept (PoC):
=======================
The local file include and arbitrary file include web vulnerability can be exploited by remote attackers without user interaction or privileged user account. For security demonstration or to reproduce the web vulnerability follow the provided information and steps below.

1) By visiting:
https://www.telekom.de/is-bin/INTERSHOP.enfinity/WFS/EKI-PK-Site/de_DE/-/EUR/ViewStaticContent-Start?filelist=css/default/process/process_apds.css&filetype=js

2) we will notice the source code of the css file

3) if we change the file type from js to css

4) the link will become:
https://www.telekom.de/is-bin/INTERSHOP.enfinity/WFS/EKI-PK-Site/de_DE/-/EUR/ViewStaticContent-Start?filelist=css/default/process/process_apds.css&filetype=css

5) We will notice that the paths of the different files in the css file have been changed from relative paths to absolute paths. In the first link the path of the images was similar to this:

background: url(../../../images/symbols/BG_APDS_tarif_grau.gif) no-repeat;

After changing the "filetype" parameter from js to css, the path has become:

background: url(/is-bin/intershop.static/WFS/EKI-PK-Site/EKI-PK/de_DE/images/symbols/BG_APDS_tarif_grau.gif) no-repeat;

we see that the paths changed from relative paths to absolute ones, which is considered a path disclosure vulnerability.

To include a file, for example the following image:
../../../images/symbols/BG_APDS_tarif_grau.gif

we can change the vulnerable link to be:
https://www.telekom.de/is-bin/INTERSHOP.enfinity/WFS/EKI-PK-Site/de_DE/-/EUR/ViewStaticContent-Start?filelist=images/symbols/BG_APDS_tarif_grau.gif&filetype=css

Another way to include the same image is:
[Full-disclosure] Update: CVE-2014-0053 Information Disclosure when using Grails
CVE-2014-0053 Information Disclosure in Grails applications

Severity: Important

Vendor: Grails by Pivotal

Product Affected:
- Grails Resources plugin 1.0.0 to 1.2.5

Products known to depend on the affected product:
- Grails 2.0.0 to 2.3.6

Description:
The Grails resources plug-in, a default dependency of Grails since 2.0.0, does not block access to resources located under /WEB-INF or /META-INF by default. This means that both configuration files and class files are publicly accessible when they should be private. Further, the filtering mechanism that applies any configured block does not normalise the requested URI before filtering, allowing the block to be bypassed via directory traversal.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade the resources plug-in to 1.2.6, configure the resources plug-in to block access to resources under /WEB-INF and /META-INF and then redeploy the application
- Prevent access to resources under /WEB-INF and /META-INF in the reverse proxy (if one is used)

Possible configuration options to block access to /WEB-INF include adding the following to grails-app/conf/Config.groovy:

    grails.resources.adhoc.includes = ['/images/**', '/css/**', '/js/**', '/plugins/**']
    grails.resources.adhoc.excludes = ['**/WEB-INF/**','**/META-INF/**']

Credit:
The original /WEB-INF issue was identified by @Ramsharan065 but was reported publicly to the Grails team via Twitter. Pivotal strongly encourages responsible reporting of security vulnerabilities via secur...@gopivotal.com

The /META-INF aspects of this issue were identified by numerous individuals and reported responsibly to either the Grails team or to the Pivotal Security team.

The directory traversal aspects of this vulnerability were reported to the Pivotal security team by Kristian Mattila.

References:
https://twitter.com/Ramsharan065/status/434975409134792704
http://www.gopivotal.com/security/cve-2014-0053 (may take 24 hours to update)

History:
2014-Feb-16: /WEB-INF issue made public
2014-Feb-19: Initial vulnerability report published
2014-Feb-27: Updated to include information on /META-INF and directory traversal aspects of this vulnerability. Separated out affected product and dependencies. Extended affected Grails versions to include 2.3.6. Updated mitigations.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
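The normalisation point in the CVE-2014-0053 advisory above, as an added illustration that is not the Grails resources plug-in's own code: an include/exclude resource filter that matches Ant-style patterns against the raw request URI beside one that percent-decodes and collapses dot segments first, using the Config.groovy pattern lists the advisory suggests and constructed request URIs. The Ant-style matcher, `normalize_uri` and `allowed` are this example's own helpers, not the plug-in's API.

```python
# Added illustration for CVE-2014-0053 (constructed; not the Grails resources
# plug-in's code): an include/exclude resource filter that matches the raw
# request URI against Ant-style patterns, beside one that normalises the URI
# (percent-decoding, '.'/'..' collapsing) before matching. The pattern lists
# are the ones the advisory suggests for Config.groovy.
import posixpath
from fnmatch import fnmatchcase
from urllib.parse import unquote

INCLUDES = ['/images/**', '/css/**', '/js/**', '/plugins/**']
EXCLUDES = ['**/WEB-INF/**', '**/META-INF/**']   # the advisory's suggested block
NO_EXCLUDES = []                                   # the vulnerable default


def ant_match(pattern, path):
    """Ant-style glob: '**' spans any number of path segments, '*' stays in one."""
    def rec(p, q):
        if not p:
            return not q
        if p[0] == '**':
            return any(rec(p[1:], q[i:]) for i in range(len(q) + 1))
        return bool(q) and fnmatchcase(q[0], p[0]) and rec(p[1:], q[1:])
    return rec([s for s in pattern.split('/') if s],
               [s for s in path.split('/') if s])


def normalize_uri(uri):
    """Drop the query string, percent-decode, collapse dot segments, anchor at '/'."""
    path = unquote(uri.split('?', 1)[0])
    return posixpath.normpath('/' + path.lstrip('/'))


def allowed(uri, includes, excludes, normalize):
    """Serve the resource only if an include matches and no exclude matches.
    With normalize=False the patterns see the URI exactly as received (the
    behaviour the advisory describes); with normalize=True they see the
    canonical path, so traversal and encoding tricks cannot dodge the block."""
    path = normalize_uri(uri) if normalize else uri
    return (any(ant_match(p, path) for p in includes)
            and not any(ant_match(p, path) for p in excludes))


if __name__ == '__main__':
    # Constructed request URIs: a legitimate one, a traversal, an encoded variant.
    for uri in ['/images/logo.png',
                '/images/../WEB-INF/web.xml',
                '/images/%2e%2e/WEB%2dINF/web.xml']:
        print(f'{uri:36} default(raw)={allowed(uri, INCLUDES, NO_EXCLUDES, False)!s:5} '
              f'excludes(raw)={allowed(uri, INCLUDES, EXCLUDES, False)!s:5} '
              f'excludes(normalized)={allowed(uri, INCLUDES, EXCLUDES, True)}')
```

With the default (includes only, raw matching) the traversal URI is served because `/images/**` matches it; only the normalised filter rejects every variant regardless of how the segments are encoded.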
[Full-disclosure] Web App Sec: (AT&T Corporation) former American Telecommunication & Telegraph Vulnerabilities (Cross-Site Scripting / OWASP Top 10)
Published Report: 27/02/2014
Credits: Advanced Information Security Corporation, USA
Severity: High/Critical (OWASP TOP 10)
Type: Web Application / Cross-Site Scripting
Author: Nicholas Lemonias (Information Security Expert)

Affected Domain
===============
Domain: www.Att.com
http://www.att.com/ (AT&T Corporation) former American Telecommunication & Telegraph

Vendor Overview
===============
AT&T Corp., originally the American Telephone and Telegraph Company, is the subsidiary of AT&T that provides voice, video, data, and Internet telecommunications and professional services to businesses, consumers, and government agencies. During its long history, AT&T was at times the world's largest telephone company, the world's largest cable television operator, and a regulated monopoly. At its peak in the 1950s and 1960s, it employed one million people and its revenue was roughly $300 billion annually in 2006.

In 2005, AT&T was purchased by Baby Bell SBC Communications for more than $16 billion ($19.1 billion in present-day terms). SBC then rebranded itself as AT&T Inc. Today, AT&T Corporation continues to exist as the long distance subsidiary of AT&T Inc., and its name occasionally shows up in AT&T press releases.

In 1880 the management of American Bell had created what would become AT&T Long Lines. The project was the first of its kind to create a nationwide long-distance network with a commercially viable cost-structure. The project was formally incorporated in New York State as a separate company named American Telephone and Telegraph Company on March 3, 1885. Starting from New York, its long-distance telephone network reached Chicago, Illinois, in 1892.

Brief Description
=================
This problem allowed reproduction and execution of third-party heterogeneous code which defied User - Vendor trust levels, and consequently affected user and product confidentiality, integrity and availability of information (CIA Triad), as outlined by security practices and in accordance with formal international standards (ISO/IEC 27001), (BS 77999) and (ISO/IEC 27002).

Proof-Of-Concept 1
==================
http://www.att.com/gen/press-room?cdvn=news&newsfunction=tagresults&pid=20626&tagname=technology&tagtype=att'sTYLe%3d'ccd:Expre%2f**%2fSSion(prompt(91233))'bad%3d'%3e&tier=TS_PROD

Description: The variable 'tagtype', due to character encoding and insufficient data sanitisation, is vulnerable to a reflected cross-site scripting. The variable is thus changed to att'sTYLe='att:Expre/**/SSion(prompt(313371))'bad='

Proof-of-Concept 2
==================
www.att.com/gen/press-room?cdvn=news&newsfunction=tagresults&pid=20626&tagname=technology&tagtype=att'sTYLe%3d'att:Expre%2f**%2fSSion(confirm(xss))'bad%3d'%3e&tier=TS_PROD

Description: A confirmation window would prompt the user for confidential information. Defacement of the website could also occur through an 'Image onload event' e.g: IMG onload=JavaScript Code. A malicious user could take advantage of this problem thus to impersonate authenticated users, and to exploit user's or to execute open Url/Java Script execution from third-party heterogeneous sources, or to install untrusted components exploiting inherent O/S and browser vulnerabilities, and without any prior notification.

Responsible Disclosure Timeline
===============================
[+] 8th of August 2013 - Informed vendor concerning this security realisation.
[+] 8th of August 2013 - Vendor acknowledgement of the problem.
[+] 11th of August 2013 - Feedback request on remediation procedures.
[+] 9th of December 2013 - Problem remediation process.
[+] 27th of February, 2014 - Public Disclosure.

Recommendations for QoS Security Compliance
===========================================
The recommendations made to AT&T Corp were therefore: To consider encrypting the view state of the application. Furthermore to implement a stronger Cross-Site Scripting protection. Apparently XSS filtering is not properly applied, and meta-character filtering allowed data input over the HTTP protocol to inject third-party untrusted code, in JavaScript, Active-X and Visual Basic Script.

Please note that malicious users could take advantage of such instances, as we have seen in malware and virus propagation instances - with a severe impact to systems of strategic and political importance.

Our consultation to AT&T Corp has therefore been for a full and urgent security risk assessment, as benchmarked in (ISO/IEC 27001), (ISO/IEC 27002), and (ISO/IEC 27005). Furthermore we consulted for the effective enumeration and revisitation of upper-level