[FD] Apple iOS v9.1, 9.2 & 9.2.1 - Application Update Loop Pass Code Bypass

2016-02-04 Thread Vulnerability Lab
Document Title:
===
Apple iOS v9.1, 9.2 & 9.2.1 - Application Update Loop Pass Code Bypass


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1710

Apple Follow-up ID: 631627909

Video: http://www.vulnerability-lab.com/get_content.php?id=1711

Vulnerability Magazine: 
http://magazine.vulnerability-db.com/?q=articles/2016/02/04/apple-ios-v9x-application-update-loop-pass-code-bypass


Release Date:
=
2016-02-04


Vulnerability Laboratory ID (VL-ID):

1710


Common Vulnerability Scoring System:

6


Product & Service Introduction:
===
iOS (previously iPhone OS) is a mobile operating system developed and 
distributed by Apple Inc. Originally released in 2007 for the 
iPhone and iPod Touch, it has been extended to support other Apple devices such 
as the iPad and Apple TV. Unlike Microsoft's Windows 
Phone (Windows CE) and Google's Android, Apple does not license iOS for 
installation on non-Apple hardware. As of September 12, 2012, 
Apple's App Store contained more than 700,000 iOS applications, which have 
collectively been downloaded more than 30 billion times. 
It had a 14.9% share of the smartphone mobile operating system units shipped in 
the third quarter of 2012, behind only Google's Android.

In June 2012, it accounted for 65% of mobile web data consumption (including 
use on both the iPod Touch and the iPad). By mid-2012, 
there were 410 million devices activated. According to the special media event 
held by Apple on September 12, 2012, 400 million devices had been
sold through June 2012.

( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )


Abstract Advisory Information:
==
The Vulnerability Laboratory Core Research Team discovered a pass code lock 
auth bypass vulnerability in the official Apple iOS (iPhone5&6|iPad2) v8.x, 
v9.0, v9.1 & v9.2. 


Vulnerability Disclosure Timeline:
==
2015-10-22: Researcher Notification & Coordination (Benjamin Kunz Mejri - 
Evolution Security GmbH)
2015-10-23: Vendor Notification (Apple Product Security Team)
2015-01-22: Vendor Response/Feedback (Apple Product Security Team)
2016-**-**: Vendor Fix/Patch (Apple Product Developer Team)
2016-02-04: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Apple
Product: iOS - (Mobile Operating System) 9.1, 9.2 & 9.2.1


Exploitation Technique:
===
Local


Severity Level:
===
High


Technical Details & Description:

An application update loop that results in a pass code bypass vulnerability has 
been discovered in the official Apple iOS (iPhone5&6|iPad2) v8.x, v9.0, v9.1 & 
v9.2. 
The security vulnerability allows local attackers to bypass the pass code lock 
protection of the Apple iPhone via an application update loop issue.
The issue affects device security when processing a local update request 
by an installed mobile iOS web application.

The vulnerability is located in the iPad 2 & iPhone 5 & 6 hardware 
configuration with iOS v8.2 - v9.2 when processing an update, which results in an 
interface loop in the application slides. A local attacker can trick the iOS 
device into a mode where a runtime issue with an unlimited loop occurs. This 
finally results in a temporary deactivation of the pass code lock screen. By 
loading the loop with remote app interaction we were able to stably bypass the 
auth of an iPhone after reactivation via the shutdown button. The settings of 
the device were permanently requesting the pass code lock on interaction. 
Normally the pass code lock is activated during the shutdown button 
interaction. In the case of the loop, the request shuts the display down but 
does not activate the pass code lock, as demonstrated in the attached PoC 
security video. 

In case of exploitation the attack could be performed time-based by a 
manipulated iOS application or by physical device access and interaction with 
a restricted system user account. In earlier cases of exploitation these types 
of loops could be used as a jailbreak against iOS. The vulnerability can be 
exploited on non-jailbroken, unlocked Apple iPhone mobiles.

The security risk of the local pass code bypass issue is estimated as high with 
a CVSS (Common Vulnerability Scoring System) count of 6.0. 
Exploitation of the local bug requires, depending on the attack scenario, local 
device access or a manipulated app installed on the device without user 
interaction. 
Successful exploitation of the security vulnerability results in unauthorized 
device access via pass code lock bypass.


Proof of Concept (PoC):
===
The new attack scenario can be exploited by local attackers with 
physical bank branch office service access and valid 

[FD] NDI5aster – Privilege Escalation through NDIS 5.x Filter Intermediate Drivers

2016-02-04 Thread Kyriakos Economou

NDI5aster – Privilege Escalation through NDIS 5.x Filter Intermediate Drivers

ABSTRACT

The Network Driver Interface Specification (NDIS) [11] provides a 
programming interface specification that, from the network driver 
architecture perspective, facilitates the communication between a protocol 
driver and the underlying network adapter. In Windows OS the so-called 
"NDIS wrapper" (implemented in Ndis.sys) provides a programming 
layer of communication between network protocols (TCP/IP) and all the 
underlying NDIS device drivers, so that the implementation of high-level 
protocol components is independent of the network adapter itself. 
During vulnerability research from a local security perspective that was
performed over several software firewall products designed for Windows 
XP and Windows Server 2003 (R2 included), an issue during the loading 
and initialization of one of the OS NDIS protocol drivers was 
identified; specifically the 'Remote Access and Routing Driver' called 
wanarp.sys. This issue can be exploited through various NDIS 5.x filter 
intermediate drivers [4] that provide the firewall functionality of 
several security related products. The resulting impact is vertical 
privilege escalation, which allows a local attacker to execute code with 
kernel privileges from any account type, thus completely compromising 
the affected host.

URL: http://www.anti-reversing.com/ndi5aster/
  

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] osTicket multiple vulnerabilities

2016-02-04 Thread Giovanni Cerrato
=
- Release date: February 04th, 2016
- Discovered by: Giovanni Cerrato and Enrico Cinquini
- Severity: High
=

 I. VULNERABILITY
-

osTicket multiple vulnerabilities.


 II. INTRODUCTION
-

The latest version of osTicket (v1.9.12) is affected by multiple vulnerabilities.

 III. DESCRIPTION
-

1) UPLOAD HTML FILE

It is possible to upload files attached to a ticket at the URL:
https://hostname/upload/open.php
There are some controls to block disallowed files (e.g. php, html) but they
are only client-side, not server-side, so they can be easily bypassed
using a tool like Burp Suite. The files are uploaded and reachable at a specific
URL like the following example:
https://hostname/file.php?key=qycj1msethqx49ilidrwxrurvebbsipa=1447372800=6ee71ea7dee17cac30a884f4cf823c6734e1115d

This vulnerability could be used, for example, to perform an XSS attack or to
upload a fake login page.

2) MISSING FUNCTION LEVEL ACCESS CONTROL

It is possible to access some contents of the web application without
authentication. Any ticket attachment can be viewed just by calling
its URL, like the following:
https://hostname/file.php?key=qycj1msethqx49ilidrwxrurvebbsipa=1447372800=6ee71ea7dee17cac30a884f4cf823c6734e1115d

This vulnerability, combined with the unrestricted HTML upload, can be used to
carry out phishing and/or XSS attacks via email. To achieve this, anyone
only needs to upload an HTML file containing malicious JavaScript or a phishing
page and then spread the associated URL.


3) STORED CROSS SITE SCRIPTING

The application is vulnerable to several stored XSS attacks.

URL: https://hostname/scp/users.php
Functionality: Add User
Form parameter affected: Internal Notes

URL: https://hostname/scp/orgs.php
Functionality: Add Organization
Form parameter affected: Name, Internal Notes

URL https://hostname/scp/categories.php
Functionality: Add New Category
Form parameter affected: Category Description, Internal Notes

URL https://hostname/scp/departments.php
Functionality: Add New Department
Form parameter affected: Department Signature

URL: https://hostname/scp/teams.php
Functionality: Add New Team
Form parameter affected: Admin Notes, Name

URL: https://hostname/scp/groups.php
Functionality: Add New Group
Form parameter affected: Admin Notes

URL: https://hostname/scp/banlist.php
Functionality: Ban New Email
Form parameter affected: Admin Notes

URL: https://hostname/scp/profile.php
Functionality: Edit profile
Form parameter affected: Signature

A proof of concept can be obtained using the following JavaScript code:



4) SESSION FIXATION

The application does not regenerate the session id cookie (OSTSESSID) after
authentication, so it is prone to session fixation attacks. This
vulnerability can be used to hijack a valid user session.


 IV. BUSINESS IMPACT
-

An attacker could upload malicious files, hijack a valid user session,
perform XSS or phishing attacks and access sensitive information.


 V. SYSTEMS AFFECTED
-

Version 1.9.12 is vulnerable.


 VI. SOLUTION
-

It's necessary to:

- implement a strong upload filter to prevent the upload of malicious files

- implement an input validation mechanism to avoid being vulnerable to XSS
injection

- review and correct access control so that unauthenticated users
cannot access sensitive documents


 VII. REFERENCES
-

osticket website:

http://osticket.com/


 VIII. CREDITS
-

The vulnerability has been discovered by:

Giovanni Cerrato cerrato(dot)gianni(at)gmail(dot)com
Enrico Cinquini enrico(dot)cinquini(at)gmail(dot)com


 IX. ADVISORY TIMELINE
-

November 10th, 2015: Vulnerability identification
November 17th, 2015: First contact with vendor
November 19th, 2015: Vendor notified
November 25th, 2015: Asking for status update
November 30th, 2015: Vendor response; investigating
December 16th, 2015: Asking for status update
December 18th, 2015: Vendor says that the vulnerabilities will be fixed in
the new version
January  11th, 2016: Provided more details to vendor
January  25th, 2016: Asking for status update
February 02nd, 2016: Advised vendor public disclosure date will be February
04th
February 02nd, 2016: Vendor provides status update (still investigating)
February 04th, 2016: Public disclosure


 X. LEGAL NOTICES
-

The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse of this
information.

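Finding 4 states that OSTSESSID is kept across authentication. The following added example (not osTicket code) models that behaviour in a small in-memory session store so the hijack can be reproduced and the fix verified: `login_vulnerable` keeps whatever session ID the browser presented, while `login_fixed` does what PHP's `session_regenerate_id(true)` does, issuing a fresh ID and destroying the old one. The store, the user name and the session-ID format are constructed for the example.

```python
"""Session fixation: vulnerable login beside the regenerating fix (added example)."""
import secrets


class SessionStore:
    """Minimal server-side session store keyed by the cookie value."""

    def __init__(self):
        self.sessions = {}  # sid -> session data

    def get_or_create(self, presented_sid):
        """Mimic a PHP session start that accepts any presented cookie value."""
        if presented_sid is None or presented_sid not in self.sessions:
            presented_sid = secrets.token_hex(16)
            self.sessions[presented_sid] = {}
        return presented_sid

    def login_vulnerable(self, sid, user):
        """Authenticate without changing the ID: whoever planted it shares the session."""
        self.sessions[sid]["user"] = user
        return sid

    def login_fixed(self, sid, user):
        """Equivalent of session_regenerate_id(true): new ID, old record destroyed."""
        data = self.sessions.pop(sid, {})
        new_sid = secrets.token_hex(16)
        data["user"] = user
        self.sessions[new_sid] = data
        return new_sid


def attacker_can_hijack(login):
    """Run the fixation scenario against one of the two login functions."""
    store = SessionStore()
    # 1. Attacker obtains a valid pre-auth session ID from the application.
    planted = store.get_or_create(None)
    # 2. The victim's browser presents the planted cookie and authenticates.
    victim_sid = store.get_or_create(planted)
    login(store, victim_sid, "alice")
    # 3. Attacker replays the ID they already know.
    return store.sessions.get(planted, {}).get("user") == "alice"


if __name__ == "__main__":
    print("vulnerable login hijackable:", attacker_can_hijack(SessionStore.login_vulnerable))
    print("fixed login hijackable:     ", attacker_can_hijack(SessionStore.login_fixed))
```

Regenerating the ID at login is the application-side fix; on the PHP side, `session.use_strict_mode=1` additionally makes the runtime refuse IDs it did not issue itself, which closes step 1 of the scenario for IDs the attacker fabricated rather than obtained.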


[FD] Executable installers are vulnerable^WEVIL (case 23): WinImage's installer and self-extractors allow arbitrary (remote) code execution and escalation of privilege

2016-02-04 Thread Stefan Kanthak
Hi @ll,

the executable installer winima90.exe and previous versions
available from  loads and executes
CRTdll.dll, UXTheme.dll, RichEd32.dll and WindowsCodecs.dll
from its "application directory".

Self-extracting executables created with WinImage load and
execute CRTdll.dll, UXTheme.dll and MPR.dll from their
"application directory".


For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
,

and  for
"prior art" about this well-known and well-documented vulnerability.


If an attacker places the DLLs named above in the user's
"Downloads" directory (for example per drive-by download or
social engineering) this vulnerability becomes a remote code
execution.

Due to the application manifest embedded in the executable
installer which specifies "requireAdministrator" it is run
with administrative privileges ("protected" administrators
are prompted for consent, unprivileged standard users are
prompted for an administrator password); execution of the
DLLs therefore results in an escalation of privilege!


See 
and 
plus 
 

Proof of concept (verified on Windows XP, Windows Vista, Windows 7,
Windows Server 2008 [R2]; should work on newer versions too):

1. visit , download
    and save
   it as UXTheme.dll in your "Downloads" directory, then copy it
   as RichEd32.dll, WindowsCodecs.dll and MPR.dll;

2. download winima90.exe and save it in your "Downloads"
   directory;

3. run winima90.exe (or a self-extractor created with WinImage)
   from the "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in
   step 1.

PWNED!


5. copy the downloaded UXTheme.dll as CRTdll.dll;

6. rerun winima90.exe or a self-extractor from the "Downloads"
   directory.

DOSSED!


This denial of service can easily be turned into an arbitrary code
execution: just create a CRTdll.dll which exports all the symbols
referenced by winima90.exe or the self-extractors and place it in
the "Downloads" directory.


For this well-known (trivial, easy to avoid, easy to detect and
easy to fix) beginner's error see
,
,
 and
 plus
:

| To ensure secure loading of libraries
| * Use proper DLL search order.
| * Always specify the fully qualified path when the library location is
~~
|   constant.


regards
Stefan Kanthak


Timeline:
~

2016-01-12    report sent to vendor

  NO ANSWER, not even an acknowledgement of receipt

2016-01-21    report resent to vendor

  NO ANSWER, not even an acknowledgement of receipt

2016-01-30    report published

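The PoC above works because Windows resolves a DLL that an executable imports by name through the "application directory" before the system directories, so a same-named file dropped beside the installer wins. As an added example (not part of the post), the following pre-launch check lists files in an installer's directory that shadow the DLL names the post reports WinImage loading, plus any other DLL sitting there, which is the thing to run before launching anything from "Downloads". The watch list is taken from the post; the temporary directory layout in `demo()` is constructed to mirror PoC steps 1 and 2 and the stub files it writes are not real DLLs.

```python
"""Pre-launch scan for planted DLLs beside a downloaded installer (added example)."""
import os
import tempfile

# Names the post reports winima90.exe and WinImage self-extractors
# loading from their application directory.
WATCHED_DLLS = {
    "crtdll.dll", "uxtheme.dll", "riched32.dll", "windowscodecs.dll", "mpr.dll",
}


def find_planted_dlls(app_dir, watch=WATCHED_DLLS):
    """Return {'shadowing': [...], 'other_dlls': [...]} for app_dir.

    'shadowing' holds files whose name matches a watched system DLL (the
    ones the installer resolves from app_dir first); 'other_dlls' holds any
    remaining .dll file, which has no business in a Downloads directory.
    """
    shadowing, other = [], []
    for entry in os.scandir(app_dir):
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if name in watch:
            shadowing.append(entry.name)
        elif name.endswith(".dll"):
            other.append(entry.name)
    return {"shadowing": sorted(shadowing), "other_dlls": sorted(other)}


def safe_to_run(installer_path, watch=WATCHED_DLLS):
    """True only if no DLL at all sits next to the installer."""
    app_dir = os.path.dirname(os.path.abspath(installer_path))
    found = find_planted_dlls(app_dir, watch)
    return not found["shadowing"] and not found["other_dlls"]


def demo():
    """Constructed Downloads directory following PoC steps 1 and 2."""
    with tempfile.TemporaryDirectory() as downloads:
        installer = os.path.join(downloads, "winima90.exe")
        open(installer, "wb").close()  # stub standing in for the installer
        clean = safe_to_run(installer)
        # Step 1: plant UXTheme.dll and copy it under the other names.
        for name in ("UXTheme.dll", "RichEd32.dll", "WindowsCodecs.dll", "MPR.dll"):
            with open(os.path.join(downloads, name), "wb") as f:
                f.write(b"MZ")  # constructed stub, not a real DLL
        # An unrelated DLL is reported too, just in a separate bucket.
        open(os.path.join(downloads, "leftover.dll"), "wb").close()
        return clean, safe_to_run(installer), find_planted_dlls(downloads)


if __name__ == "__main__":
    before, after, report = demo()
    print("safe before planting:", before)
    print("safe after planting: ", after)
    print("report:", report)
```

Running the real installer from an empty directory, or from one the user controls exclusively, removes the attack surface entirely; the scan is for the case where the installer is launched in place from "Downloads", and it only flags by name, since the executable's own import table decides which of the planted files actually get loaded.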