SEC Consult 20130417-0 :: Multiple vulnerabilities in Sosci Survey

2013-04-18 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory  20130417-0 
===
  title: Multiple vulnerabilities in Sosci Survey
product: Sosci Survey
 vulnerable version: 2.3.04a
  fixed version: 2.3.04a
 impact: Critical
   homepage: https://www.soscisurvey.de
  found: 2012-06-18
 by: T. Lazauninkas, V. Paulikas
 SEC Consult Vulnerability Lab
 https://www.sec-consult.com
===

Vendor description:
---
SoSci Survey provides a non-commercial survey service, letting anyone create and
share surveys for collecting data for the purpose of scientific research. It is a
flexible and efficient tool, as it lets you create a highly customizable survey,
including active content (JavaScript) and PHP code.

https://www.soscisurvey.de/


Vulnerability overview/description:
---
1) Authorization Issues
   The web application fails to validate authorization for
   certain requests. This allows unauthorized users to access private messages
   that belong to other users.

2) Cross-Site Scripting
   The web application is prone to persistent and reflected Cross-Site Scripting
   attacks. The vulnerability can be used to inject HTML or JavaScript
   code into the affected web page. The code is executed in the browser of
   users who visit the manipulated site. The vulnerability can be used
   to change the contents of the displayed site, redirect to other sites
   or steal user credentials. Additionally, portal users are potential
   victims of browser exploits and JavaScript Trojans.

3) Remote command execution
   Due to insufficient input validation, the web application fails to properly
   filter dangerous PHP code passed from the user side. This leads to OS command
   execution with the privileges of the web server. By exploiting this
   vulnerability, an attacker can read/write files, open connections, etc.,
   posing a critical security risk.


Proof of concept:
-

1) In the user profile, users are able to send and receive private messages to
   each other. This also includes the administrative users. By modifying one of
   the vulnerable script's parameters an attacker can read the messages of other
   users. A proof of concept is provided below:

   https://www.example.com/admin/index.php?o=account&a=message.reply&id=[msg_id]

   The id parameter is a plain integer, so by iterating over its value an
   attacker is able to exploit this vulnerability.
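The missing check is object-level authorization: the handler resolves the message by id but never asks whether the caller is a party to it. The following added example (not SoSci Survey code; the Message model, the in-memory store, the user names and the handler names are hypothetical) puts the vulnerable lookup beside the fixed one and walks the integer id space the way the advisory describes, so the difference in what each handler leaks is visible:

```python
"""Object-level authorization for a message.reply-style handler.

Added illustration, not SoSci Survey code: the Message model, the
in-memory store and the handler names are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: int
    sender: str
    recipient: str
    body: str


# Constructed sample data: two users and an admin exchanging messages.
MESSAGES = {
    1: Message(1, "alice", "admin", "please raise my survey quota"),
    2: Message(2, "admin", "alice", "done, quota is now 5000"),
    3: Message(3, "bob", "carol", "draft questionnaire attached"),
}


class NotFound(Exception):
    """Raised for missing and for foreign messages alike, so the
    response does not reveal which ids exist."""


def reply_vulnerable(current_user: str, msg_id: int) -> Message:
    """The flaw described above: the id is looked up, the caller is not."""
    if msg_id not in MESSAGES:
        raise NotFound(msg_id)
    return MESSAGES[msg_id]


def reply_fixed(current_user: str, msg_id: int) -> Message:
    """Only a party to the message may load it for reply."""
    msg = MESSAGES.get(msg_id)
    if msg is None or current_user not in (msg.sender, msg.recipient):
        raise NotFound(msg_id)
    return msg


def readable_ids(handler, current_user: str, id_range) -> list:
    """Walk the integer id space as the advisory describes and return the
    ids the handler gives the caller."""
    found = []
    for msg_id in id_range:
        try:
            handler(current_user, msg_id)
        except NotFound:
            continue
        found.append(msg_id)
    return found


if __name__ == "__main__":
    print("bob, vulnerable:", readable_ids(reply_vulnerable, "bob", range(1, 10)))
    print("bob, fixed:     ", readable_ids(reply_fixed, "bob", range(1, 10)))
```

Note that the fixed handler answers "not found" for both a non-existent id and an id belonging to someone else; answering 403 for the latter would keep the authorization bug out but still let an attacker map which ids exist.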

2) If an invalid id value is passed to the receiver.edit module, which is
   handled by the index.php script, its content is reflected to the user without
   proper filtering. This leads to JavaScript execution in the web browser. This
   issue can be easily exploited by navigating to the following URL:

https://www.example.com/admin/index.php?o=panel&a=receiver.edit&id=<script>alert(document.cookie)</script>

   An alert with the user's session cookie will be shown.

   Persistent Cross-Site Scripting was identified in the private messaging
   module. The parameters [subject, title, firstName, surname, content] were
   found to be vulnerable to persistent Cross-Site Scripting, as they are saved
   and later shown without proper filtering. A sample request is provided below:

POST /admin/index.php HTTP/1.1
Host: www.example.com
[...]

rec-name=some_name&subject=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&message=asd%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&o=account&a=message.send&reference=

   Many further parameters are vulnerable to reflected Cross-Site Scripting:

   URL:
https://www.example.com/admin/index.php

Parameters:
replace[0-24]
search[0-24]
id
O
Referer (header)

   URL:
https://www.example.com/admin/ajax.feedback.php

Parameters:
dat_type

3) When creating a new survey it is possible to include PHP code. Although the
   web application filters most of the dangerous PHP functions that would allow
   OS commands to be executed, it is still possible to execute arbitrary commands
   using the backtick operator, which PHP evaluates as a shell_exec() call and
   which a filter matching function names does not catch:

   print `id`;

   The above code, when executed, runs the id command through the shell and
   prints the uid/gid of the user the web server runs as. This could be further
   exploited by an attacker for accessing the local file system, creating
   malicious files, opening remote connections, etc.
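Why a function-name blacklist is the wrong tool here is easier to see with the filter next to the inputs it is supposed to stop. The following added example (not SoSci Survey code; the real filter is not public, so blacklist_filter() is a hypothetical stand-in for the kind of check the advisory describes) shows such a filter passing the advisory's backtick payload and a variable-function call, while a token-aware scan that blanks out string literals first reports both and still accepts backticks that only appear inside a quoted string:

```python
"""Why a function-name blacklist does not stop PHP shell execution.

Added illustration, not SoSci Survey code: blacklist_filter() is a
hypothetical stand-in for the dangerous-function filter the advisory
describes; the real one is not public.
"""
import re

DANGEROUS_FUNCTIONS = {
    "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
    "pcntl_exec", "eval", "assert",
}
_CALL = re.compile(
    r"\b(" + "|".join(map(re.escape, sorted(DANGEROUS_FUNCTIONS))) + r")\s*\(",
    re.I,
)


def blacklist_filter(php: str) -> bool:
    """Hypothetical blacklist: True means 'allowed'. It only rejects direct,
    literally spelled calls to the listed functions."""
    return _CALL.search(php) is None


def _strip_strings(php: str) -> str:
    """Blank out single- and double-quoted literals (honouring backslash
    escapes) so quote characters inside them cannot hide or fake a backtick."""
    out, i, n = [], 0, len(php)
    while i < n:
        c = php[i]
        if c in "'\"":
            i += 1
            while i < n and php[i] != c:
                i += 2 if php[i] == "\\" else 1
            i += 1
            out.append(" ")
        else:
            out.append(c)
            i += 1
    return "".join(out)


_BACKTICK = re.compile(r"`[^`]*`")       # `cmd` is shell_exec('cmd')
_VAR_CALL = re.compile(r"\$\w+\s*\(")    # $f('id') with $f built at runtime


def execution_primitives(php: str) -> list:
    """Return the execution constructs present in the PHP source, including
    the two forms a name-based blacklist never sees."""
    code = _strip_strings(php)
    found = []
    if _BACKTICK.search(code):
        found.append("backtick operator (shell_exec)")
    if _VAR_CALL.search(code):
        found.append("variable function call")
    if _CALL.search(code):
        found.append("direct dangerous call")
    return found


# Constructed samples; "backtick" is the advisory's payload.
SAMPLES = {
    "direct": 'system("id");',
    "backtick": "print `id`;",
    "variable": "$f = 'sys' . 'tem'; $f('id');",
    "benign": "echo 'use `code` fences';",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name:9} allowed_by_blacklist={blacklist_filter(src)!s:5} "
              f"primitives={execution_primitives(src)}")
```

Even the token-aware scan is only a detector, not a sandbox: PHP can also reach the shell through callbacks, include of remote or attacker-written files, and similar indirections. If user-supplied PHP has to be executed at all, the backtick operator should be removed at the interpreter level (PHP disables it when shell_exec is listed in disable_functions) and the code run in an isolated process rather than filtered at the source level.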


Vulnerable / tested versions:
-
The pre-installed version of SoSci Survey hosted on the www.soscisurvey.de domain
was tested. It was not possible to determine the exact version of the installed
software.


Vendor contact timeline:

2013-01-29: Contacted vendor through i...@soscisurvey.de
2013-01-29: Initial 

SEC Consult SA-20130417-1 :: Java ActiveX Control Memory Corruption

2013-04-18 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory  20130417-1 
===
  title: Java ActiveX Control Memory Corruption
product: Java(TM) Web Start Launcher
 vulnerable version: Sun Java Version 7 Update 17 and before
 Sun Java Version 6 Update 43 and before
 Sun Java Version 5.0 Update 41 and before
  fixed version: Patch information see sections below
CVE: CVE-2013-2419
 impact: medium
   homepage: http://www.java.com/
  found: 2012-11-13
 by: A. Antukh
 SEC Consult Vulnerability Lab
 https://www.sec-consult.com
===

Vendor description:
---
To date, the Java platform has attracted more than 9 million software
developers. It's used in every major industry segment and has a presence
in a wide range of devices, computers, and networks.

Java technology's versatility, efficiency, platform portability, and
security make it the ideal technology for network computing. From laptops
to datacenters, game consoles to scientific supercomputers, cell phones to
the Internet, Java is everywhere!

Source: http://www.java.com/en/about/


Vulnerability overview/description:
---
A memory corruption vulnerability exists in the launchApp() method of
deployJava1.dll, which is loaded by Internet Explorer and used to launch
javaws.exe with the provided arguments. The second (optional) parameter, which
carries embedded data, is checked improperly, which causes memory corruption
and a read from an arbitrary address if specific conditions are met.

Successful exploitation of this vulnerability could potentially result in
an arbitrary code execution within the Java(TM) Web Start Launcher or cause
the application to crash.


Vulnerability details:
-
The launchApp() method expects the following arguments: *pJNLP, *pEmbedded
(optional) and *pVmArgs (optional). Providing a single wrong *pJNLP argument
causes the application to display an error message and exit. However, if an
attacker also provides the second argument, it is checked before quitting.

The function responsible for processing an auto-generated temp file containing
input args is the following:

.text:0040560F push    eax             ; size of input data
.text:00405610 push    esi             ; malformed string
.text:00405611 call    tmp_processing

If the input length does not satisfy the bitwise AND condition (its two low bits
must be clear, i.e. the length must be a multiple of four), the function returns
zero and exits:

.text:0040950B mov     edx, [ebp+arg_4]
.text:0040950E test    dl, 3                 ; if size satisfies condition
.text:00409511 jz      short loc_409517      ; jump to processing
.text:00409513 xor     eax, eax              ; otherwise return 0 and exit
.text:00409515 leave
.text:00409516 retn

The zero return value is later used as a pointer, causing an access violation
when it is dereferenced:

.text:00405611 call    tmp_processing
.text:00405616 mov     esi, eax
...
(cc0.9fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00155a10 ebx=00000000 ecx=00000008 edx=ffd21610 esi=00000000 edi=00000001
eip=00402a0d esp=0012e6a8 ebp=0012e734 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
javaws+0x2a0d:
00402a0d 8b86cc000000    mov     eax,dword ptr [esi+0CCh] ds:0023:000000cc=????????

However, if the size satisfies the bitwise AND condition, the program flow
continues. A buffer of the input string's length is allocated:

.text:00409547 push    eax             ; size_t
.text:00409548 mov     [ebp+var_4], ecx
.text:0040954B call    _malloc

The first WORD of the malformed string is read and compared with 3Dh (the equal
sign '='), which is skipped if present. If the WORD is not equal to 3Dh, it is
used directly, scaled by two, as an index into the table at word_445670, so data
is read from an attacker-controlled offset without any bounds check:

.text:00409571 cmp     ecx, 3Dh
.text:00409574 jnz     short crash_place
.text:00409576 xor     ecx, ecx
.text:00409578 jmp     short loc_409582
.text:0040957A ; ---------------------------------------------------------------
.text:0040957A
.text:0040957A crash_place:                            ; CODE XREF: tmp_processing+97j
.text:0040957A movzx   ecx, word_445670[ecx*2]

If the resulting offset points to unallocated memory, an access violation
exception is thrown:

eax=001542a0 ebx=001559f8 ecx=0000aaee edx=00000000 esi=00000000 edi=001558c8
eip=0040957a 

SEC Consult SA-20130417-2 :: HTTP header injection/Cache poisoning in Oracle WebCenter Sites Satellite Server

2013-04-18 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory  20130417-2 
===
  title: HTTP header injection/Cache poisoning in Oracle WebCenter
 Sites Satellite Server
product: Oracle WebCenter Sites Satellite Server (former FatWire
 Satellite Server)
 vulnerable version: 7.6.0 Patch1, 7.6.2, 11.1.1.6.0, 11.1.1.6.1
  fixed version: Patch information see sections below
CVE: CVE-2013-1509
 impact: medium
   homepage: 
http://www.oracle.com/us/corporate/acquisitions/fatwire/index.html
  found: 2012-09-17
 by: K. Gudinavicius
 SEC Consult Vulnerability Lab
 https://www.sec-consult.com
===

Vendor description:
---
FatWire Satellite Server is a predecessor product of Oracle WebCenter Sites
Satellite Server.

Oracle WebCenter Sites Satellite Server enables organizations to deliver
segmented, targeted, and dynamically assembled content across global Web
properties with rapid response times and intelligent edge caching to optimize
and speed the delivery of dynamic Web experiences.

Source: 
http://www.oracle.com/us/products/middleware/webcenter/satellite-server/overview/index.html


Vulnerability overview/description:
---
Due to unsanitized user input it is possible to inject arbitrary HTTP header
values in certain HTTP responses of the Satellite Server. This can be
exploited, for example, to perform session fixation and malicious redirection
attacks via the Set-Cookie and the Refresh headers. Moreover, the Satellite
Server caches these HTTP responses with the injected HTTP header resulting in
all further requests to the same resource being served with the poisoned HTTP
response, while these objects remain in cache.


Proof of concept:
-
An arbitrary header can be injected into the HTTP responses of the
downloadable resources. The values of the blobheadername2 and the
blobheadervalue2 URL parameters are user controllable. In the following
example the Refresh header is injected:

http://fatwire/cs/Satellite?blobcol=urldata&blobheadername1=content-type&blobheadername2=Refresh&blobheadervalue1=application/pdf&blobheadervalue2=0;url=http://www.sec-consult.com&blobkey=id&blobnocache=false&blobtable=MungoBlobs&blobwhere=1342534304149&ssbinary=true&site=S08

The returned HTTP response will contain the injected Refresh header and its
value. Furthermore, the HTTP response will be cached, so the next time users
access the same downloadable resource using the standard URL, they will be
served the poisoned response and redirected by the injected Refresh header.

HTTP/1.1 200 OK
Date: Thu, 06 Sep 2012 15:59:04 GMT
Refresh: 0;url=http://www.sec-consult.com
Last-Modified: Thu, 06 Sep 2012 15:54:20 GMT
Content-Type: application/pdf
Connection: close
Content-Length: 772193
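The two halves of this issue, the header injection at the origin and the cache that replays it to everyone else, are worth modelling together, because fixing only the cache would leave the injection and fixing only the injection is what actually closes the hole. The following added example (not Oracle or FatWire code; the parameter handling, the header allowlist, the number of header pairs read and the EdgeCache class are hypothetical stand-ins that reproduce only the behaviour the advisory describes) feeds the PoC URL above through a cache keyed on the blob identity, then fetches the canonical URL as a victim would, once with the flaw and once with an allowlist plus CR/LF check in front of the header builder:

```python
"""The header-injection and cache-poisoning chain described above.

Added illustration, not Oracle/FatWire code: the parameter handling, the
allowlist and the EdgeCache class are hypothetical stand-ins that
reproduce only the behaviour the advisory describes.
"""
from urllib.parse import urlsplit, unquote

# Response headers a blob download endpoint legitimately sets from request data.
ALLOWED_BLOB_HEADERS = {"content-type", "content-disposition"}


def parse_query(url: str) -> dict:
    """Split the query on '&' only; ';' is data here, as in the PoC URL."""
    params = {}
    for part in urlsplit(url).query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params[unquote(key)] = unquote(value)
    return params


def header_allowed(name: str, value: str) -> bool:
    """Allowlist the header name and refuse CR/LF in the value, so neither
    Refresh nor Set-Cookie (nor a split second header) can be injected."""
    return (name.lower() in ALLOWED_BLOB_HEADERS
            and "\r" not in value and "\n" not in value)


def blob_headers(params: dict, strict: bool) -> dict:
    """Build response headers from blobheadernameN/blobheadervalueN.
    strict=False reproduces the flaw: every pair the client sends is honoured."""
    headers = {}
    for n in (1, 2, 3):  # assumption: up to three pairs are read
        name = params.get(f"blobheadername{n}")
        value = params.get(f"blobheadervalue{n}")
        if name is None or value is None:
            continue
        if strict and not header_allowed(name, value):
            raise ValueError(f"rejected header {name!r}")
        headers[name] = value
    return headers


class EdgeCache:
    """Cache keyed on the blob identity alone: that is what makes the
    injected header stick for everyone requesting the canonical URL."""

    def __init__(self):
        self.store = {}

    def serve(self, url: str, strict: bool) -> dict:
        params = parse_query(url)
        key = (params.get("blobtable"), params.get("blobwhere"))
        if key not in self.store:
            self.store[key] = blob_headers(params, strict)
        return self.store[key]


# The advisory's PoC URL, and the standard URL a normal user would follow.
ATTACK = ("http://fatwire/cs/Satellite?blobcol=urldata&blobheadername1=content-type"
          "&blobheadername2=Refresh&blobheadervalue1=application/pdf"
          "&blobheadervalue2=0;url=http://www.sec-consult.com&blobkey=id"
          "&blobnocache=false&blobtable=MungoBlobs&blobwhere=1342534304149"
          "&ssbinary=true&site=S08")
CANONICAL = ("http://fatwire/cs/Satellite?blobcol=urldata&blobheadername1=content-type"
             "&blobheadervalue1=application/pdf&blobkey=id&blobtable=MungoBlobs"
             "&blobwhere=1342534304149&ssbinary=true&site=S08")


def victim_headers(strict: bool) -> dict:
    """Attacker fetches ATTACK first, then a victim fetches CANONICAL.
    Returns what the victim receives, or the rejection in strict mode."""
    cache = EdgeCache()
    try:
        cache.serve(ATTACK, strict)
    except ValueError as exc:
        return {"rejected": str(exc)}
    return cache.serve(CANONICAL, strict)


if __name__ == "__main__":
    print("vulnerable:", victim_headers(strict=False))
    print("hardened:  ", victim_headers(strict=True))
```

The cache is doing exactly what it is built for; the defect is that request parameters which do not form part of the cache key are allowed to shape the cached response. When reviewing a similar design, check every request-derived value that ends up in a response header against both an allowlist of names and a CR/LF filter on values, independent of whether caching is in play.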


Vulnerable / tested versions:
-
The following installation has been tested:
* FatWire Satellite Server 7.6.0 Patch1.


Vendor contact timeline:

2012-11-26: Contacting vendor through secalert...@oracle.com
2012-11-26: Vendor response, will investigate issues
2012-11-27: Investigation ongoing, the following ID assigned:
S0321206 - ARBITRARY HTTP HEADER INJECTION/CACHE POISONING IN FATWIRE
2013-01-25: S0321206 Issue fixed in main codeline, scheduled for a future CPU
2013-04-12: S0321206 is fixed in upcoming CPU on 2013-04-16
2013-04-16: Oracle releases April 2013 CPU
2013-04-17: Public release of SEC Consult advisory


Solution:
-
Apply latest patches, see:
http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html


Workaround:
---


Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF K. Gudinavicius / @2013


Cisco Security Advisory: Cisco Network Admission Control Manager SQL Injection Vulnerability

2013-04-18 Thread Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco Network Admission Control Manager SQL Injection 
Vulnerability

Advisory ID: cisco-sa-20130417-nac

Revision 1.0

For Public Release 2013 April 17 16:00  UTC (GMT)

+--

Summary
===

Cisco Network Admission Control (NAC) Manager contains a vulnerability that
could allow an unauthenticated remote attacker to execute arbitrary code and
take full control of the vulnerable system. A successful attack could allow an
unauthenticated attacker to access, create or modify any information in the NAC
Manager database. 

Cisco has released free software updates that address this vulnerability. 

There are no workarounds for this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130417-nac
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iF4EAREIAAYFAlFu1FEACgkQUddfH3/BbTr/jwD/UmdJ5/x0iKBt+h5P7CyDoCw1
XjSDuB/0AXMfEQLCIXIA/3eqYPgDyYs6Np3C/LGVU/HPNYsC7u7HQ/bV599WGwwb
=RRHX
-----END PGP SIGNATURE-----


Cisco Security Advisory: Cisco TelePresence Infrastructure Denial of Service Vulnerability

2013-04-18 Thread Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco TelePresence Infrastructure Denial of Service 
Vulnerability

Advisory ID: cisco-sa-20130417-tpi

Revision 1.0

For Public Release 2013 April 17 16:00  UTC (GMT)

+--

Summary
===

Cisco TelePresence multipoint control unit (MCU) and Cisco TelePresence Server
contain a vulnerability that could allow an unauthenticated, remote attacker to
trigger the reload of an affected system.

Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are not available. This advisory
is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130417-tpi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iF4EAREIAAYFAlFu1F0ACgkQUddfH3/BbTrooAD9Hd1bHNtH6qE25KH2qSKx0Xd5
55+2JOZHT4CmjoVhaSMA+wWqGdVUbbtVtzIK0OZ4b/7tVRNtTmtoIjr9FA60WxWS
=8gT5
-----END PGP SIGNATURE-----


DC4420 - London DEFCON - April meet - Tuesday 23rd April 2013

2013-04-18 Thread Major Malfunction
Whether you're coming to town next week for London Infosec or BSides, or 
you're in the smoke anyway, come and join us for what is normally our 
busiest and most entertaining night of the year...


This time should be no exception: we have managed to retain our normal 
venue - The Phoenix - and we have a single speaker giving us a full hour 
'fun' talk, leaving us plenty of time for, well, you know the score...


Primary Speaker:

  Kev Sheldrake - Head Hacking

Title:

  Social Engineering Lies!

Synopsis:

  Social engineering is the practice of gaining unauthorised access to 
something, typically only using human interaction to do so.  NLP is a 
pseudo-scientific psychological paradigm for modelling excellence and 
creating hypnotic change.  Hypnosis is the process through which 
hypnotic subjects take and act upon suggestions.  It is possible to 
apply NLP and hypnosis to social engineering.  Or so people would tell you.


  This talk will tell you different.  Featuring lots of swearing and 
optional audience participation, I'll explain the hypnotist's 
perspective on 'covert hypnosis' and NLP.  I'm a hypnotist, but I 
promise not to hypnotise anyone at the event.


~~

Secondary Speaker:

  The Bar Staff

Title:

  Buy Major a beer

Synopsis:

  Now you've been lied to by the primary speaker, you will buy Major a 
beer.


***

Venue:

  The Phoenix, Cavendish Square

  http://www.phoenixcavendishsquare.co.uk/

Date:

  Tuesday 23rd April, 2013

Time:

  17:30 till kicking out - talk starts at 19:30

See you there!

  http://dc4420.org

cheers,
MM
--
In DEFCON, we have no names... errr... well, we do... but silly ones...


[SECURITY] [DSA 2662-1] xen security update

2013-04-18 Thread Salvatore Bonaccorso
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -
Debian Security Advisory DSA-2662-1   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
April 18, 2013 http://www.debian.org/security/faq
- -

Package: xen
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1917 CVE-2013-1919

Multiple vulnerabilities have been discovered in the Xen hypervisor. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2013-1917
The SYSENTER instruction can be used by PV guests to accelerate
system call processing. This instruction, however, leaves the EFLAGS
register mostly unmodified. This can be used by malicious or buggy
user space to cause the entire host to crash.

CVE-2013-1919
Various IRQ related access control operations may not have the
intended effect, potentially permitting a stub domain to grant its
client domain access to an IRQ it doesn't have access to itself.
This can be used by malicious or buggy stub domain kernels to mount
a denial of service attack possibly affecting the whole system.

For the stable distribution (squeeze), these problems have been fixed in
version 4.0.1-5.9.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems will be fixed soon.

We recommend that you upgrade your xen packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRcAS2AAoJEL97/wQC1SS+Iv8H/jgF59tOvl0f5ybpS1nOjnim
ISDrxnkODEyfDlA9org+o1M61gTPyU8bT0QvjjUfeVKh5y0FewmrVoFYdlE9slI2
Q4vOwf4paQd0D/VcQWVLnTRNoHALIFq/V3WXgpo7Fk7ffXZkjQgdOE7MviX8SfLh
gvl6hobIuVeEiDMWROkESpim5UjxX5Xh6X4g9C1a3o82nCxKyv55/SWz4lpCqbxV
CNyKt3Qo6IdbHkKVFSasYZhb1oPtiGAMuIFyOhmRXmpZRSyfomuJI4HJlUgs0rZ3
j4ki0LjETq3DfwY5eP2gDPaE2aPc5TgUJC9kmOtUviRFIAWjU0LFwN/y3hZVRVg=
=7t1v
-----END PGP SIGNATURE-----



CVE-2013-2504 : Matrix42 Service Desk XSS

2013-04-18 Thread 43z sec

***********************************************************************
*                      43zsec SECURITY ADVISORY                       *
***********************************************************************



_
_ CVE ID : CVE-2013-2504
_ Product: Service Store 5.3 SP3 (5.33.946.0)
_ Vendor:  matrix42 - member of asseco group
_ Subject: Cross-site Scripting - XSS

_ Classification:PCI 2.0:6.5.7
   PCI 1.2:6.5.1
   OWASP:A2
   CWE:79
   CAPEC:19
   WASC:08


_ Risk:    High
_ Effect:  Remotely exploitable
_ Author:  43zsec (43zsec() gmail.com)
_ Date:    March 6th 2013
_ Dork:    inurl:/SPS/Logon/AuthLogon.aspx?ReturnUrl=



Product information:
-
Matrix42 Service Desk (description from the web page):
http://www.matrix42.com/products/it-service-management/service-desk/

A friendly, well-organized customer service is the flagship of every company.
As the IT department's central point of contact, the helpdesk ensures user
productivity. As a matter of course, the processes are ITIL-based,
well-documented and historicized. The ITIL V3 certified Matrix42 Service Desk is
completely integrated with the Service Catalog and related processes. The ticket
automatically includes all information from contract, asset and license
management to allow the service staff to make fast decisions and take efficient
action.


Introduction:
43zsec discovered security flaws in the Matrix42 Service Desk.


Vulnerable Versions / Tested Versions:
Service Store 5.3 SP3 (5.33.946.0)


Patches:
No patches are available for this vulnerability as of today.


Description:
Impact: XSS
URL:
https://SERVERNAME/SPS/Portal/default.aspx?'--></style></script><script>alert(document.cookie)</script>

Parameter Name: Query Based
Parameter Type: Full Query String
Pattern:
'--></style></script><script>alert(document.cookie)</script>
Remarks:
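Both this finding and the reflected XSS in the SoSci Survey advisory earlier on this page come down to the same defect: a request parameter is copied into the response without output encoding for the context it lands in. The following added example (not Matrix42 or SoSci Survey code; the templates are hypothetical stand-ins for the index.php "invalid id" message and the default.aspx query echo, and the payload strings are the ones the two advisories give) shows the raw reflection beside body-context and attribute-context encoding. It also goes beyond the advisories by covering a URL context such as a ReturnUrl parameter, where encoding alone is not enough and the scheme has to be checked:

```python
"""Reflected XSS beside contextual output encoding.

Added illustration, not SoSci Survey or Matrix42 code: the templates are
hypothetical stand-ins for the index.php "invalid id" message and the
default.aspx query echo described in the two advisories. The URL-context
handling goes beyond what either advisory shows.
"""
from html import escape
from urllib.parse import urlsplit

# Payloads as given in the advisories.
PAYLOAD_SOSCI = "<script>alert(document.cookie)</script>"
PAYLOAD_M42 = "'--></style></script><script>alert(document.cookie)</script>"


def render_vulnerable(user_input: str) -> str:
    """Reflects the parameter verbatim into the page body."""
    return f"<p>Invalid id: {user_input}</p>"


def render_text(user_input: str) -> str:
    """HTML body context: encode & < > \" ' before emitting."""
    return f"<p>Invalid id: {escape(user_input, quote=True)}</p>"


def render_attr(user_input: str) -> str:
    """Quoted attribute context: same encoding, and the attribute must be
    quoted, otherwise a space in the input starts a new attribute."""
    return f'<input name="id" value="{escape(user_input, quote=True)}">'


SAFE_SCHEMES = ("http", "https")


def safe_redirect_target(url: str) -> str:
    """URL context (a ReturnUrl-style parameter): encoding cannot neutralise
    a javascript: URL, so the scheme is checked first; anything else falls
    back to the site root. Protocol-relative targets (//host) are refused too."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme in SAFE_SCHEMES:
        return url
    if not parts.scheme and url.startswith("/") and not url.startswith("//"):
        return url  # same-origin path
    return "/"


def render_link(url: str) -> str:
    """Scheme check first, then attribute encoding of the surviving value."""
    return f'<a href="{escape(safe_redirect_target(url), quote=True)}">continue</a>'


def reaches_script(rendered: str) -> bool:
    """Demo check: did a raw <script> tag or a javascript: href reach the output?"""
    lowered = rendered.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    for payload in (PAYLOAD_SOSCI, PAYLOAD_M42):
        print("vulnerable:", reaches_script(render_vulnerable(payload)),
              " text:", reaches_script(render_text(payload)),
              " attr:", reaches_script(render_attr(payload)))
    print(render_link("javascript:alert(document.cookie)"))
```

The Matrix42 pattern closes a style block, a script block and a quoted string before opening its own script tag, which is why it works wherever the raw query string is echoed; once every reflected value passes through the encoder for its context, the closing tags become literal text and the pattern no longer matters.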


Details:
Source: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
Cross-Site Scripting attacks are a type of injection problem, in which malicious
scripts are injected into the otherwise benign and trusted web sites. Cross-site
scripting (XSS) attacks occur when an attacker uses a web application to send
malicious code, generally in the form of a browser side script, to a different
end user. Flaws that allow these attacks to succeed are quite widespread and
occur anywhere a web application uses input from a user in the output it
generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The
end user's browser has no way to know that the script should not be trusted, and
will execute the script. Because it thinks the script came from a trusted
source, the malicious script can access any cookies, session tokens, or other
sensitive information retained by your browser and used with that site. These
scripts can even rewrite the content of the HTML page.


Impact:
XSS gives an attacker many attack vectors, including:
Session hijacking: stealing the user's session cookie
Phishing attacks
MITM attacks: intercepting data


REMEDY:
Microsoft Anti-Cross Site Scripting Library V4.2
http://www.microsoft.com/en-us/download/details.aspx?id=28589

XSS (Cross Site Scripting) Prevention Cheat Sheet
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet


Time-Map:
06.03.2013    Vendor contacted
10.04.2013    Vendor will patch this issue
18.04.2013    Disclosure


References:
http://www.matrix42.de
http://www.asseco.com/

https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
http://www.microsoft.com/en-us/download/details.aspx?id=28589