SEC Consult 20130417-0 :: Multiple vulnerabilities in Sosci Survey
SEC Consult Vulnerability Lab Security Advisory 20130417-0
===
title: Multiple vulnerabilities in Sosci Survey
product: Sosci Survey
vulnerable version: 2.3.04a
fixed version: 2.3.04a
impact: Critical
homepage: https://www.soscisurvey.de
found: 2012-06-18
by: T. Lazauninkas, V. Paulikas
    SEC Consult Vulnerability Lab
    https://www.sec-consult.com
===

Vendor description:
---
SoSci Survey provides a non-commercial survey service, letting anyone create and share surveys for collecting data for the purpose of scientific research. It is a flexible and efficient tool as it lets you create a very customizable survey, including active content (javascript) and PHP code.

https://www.soscisurvey.de/

Vulnerability overview/description:
---
1) Authorization Issues

The web application fails to validate authorization for certain requests. This allows unauthorized users to access private messages that belong to other users.

2) Cross-Site Scripting

The web application is prone to persistent and reflected Cross-Site Scripting attacks. The vulnerability can be used to include HTML or JavaScript code in the affected web page. The code is executed in the browser of users if they visit the manipulated site. The vulnerability can be used to change the contents of the displayed site, redirect to other sites or steal user credentials. Additionally, Portal users are potential victims of browser exploits and JavaScript Trojans.

3) Remote command execution

Due to insufficient input validation, the web application fails to properly filter dangerous PHP code passed from the user side. This leads to OS command execution with the privileges of the web server. By exploiting this vulnerability, an attacker can read/write files, open connections, etc., posing a critical security risk.

Proof of concept:
---
1) In the user profile, users are able to send and receive private messages to each other. This also includes the administrative users.

By modifying one of the vulnerable script's parameters an attacker can read the messages of other users. A proof of concept is provided below:

https://www.example.com/admin/index.php?o=account&a=message.reply&id=[msg_id]

By iterating over the integer id parameter's value, an attacker is able to exploit this vulnerability.

2) If an invalid id value is passed to the receiver.edit module, which is handled by the index.php script, its contents are reflected to the user without proper filtering. This leads to javascript execution in the web browser. This issue can be easily exploited by navigating to the following URL:

https://www.example.com/admin/index.php?o=panel&a=receiver.edit&id=<script>alert(document.cookie)</script>

An alert with the user's session cookie will be shown.

Persistent Cross-Site scripting was identified in the private messaging module. It was discovered that the [subject, title, firstName, surname, content] parameters are vulnerable to persistent Cross-Site scripting as they are saved and later shown without proper filtering. A sample request is provided below:

POST /admin/index.php HTTP/1.1
Host: www.example.com
[...]

rec-name=some_name&subject=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&message=asd%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&o=account&a=message.send&reference=

Many parameters are vulnerable to reflected Cross-Site Scripting vulnerabilities:

URL: https://www.example.com/admin/index.php
Parameters:
replace[0-24]
search[0-24]
id
O
Referer (header)

URL: https://www.example.com/admin/ajax.feedback.php
Parameters:
dat_type

3) When creating a new survey it is possible to include PHP code. Although the web application filters most of the dangerous PHP functions that would allow executing OS commands, it is still possible to execute arbitrary commands by using the code provided below:

print `id`;

The above code, when executed, prints out the system id of the current user.

This could be further exploited by an attacker for accessing the local file system, creating malicious files, opening remote connections, etc.

Vulnerable / tested versions:
---
The pre-installed version of SoSci Survey, hosted on the www.soscisurvey.de domain, was tested. It was not possible to determine an exact version of the installed software.

Vendor contact timeline:
---
2013-01-29: Contacted vendor through i...@soscisurvey.de
2013-01-29: Initial
SEC Consult SA-20130417-1 :: Java ActiveX Control Memory Corruption
SEC Consult Vulnerability Lab Security Advisory 20130417-1
===
title: Java ActiveX Control Memory Corruption
product: Java(TM) Web Start Launcher
vulnerable version: Sun Java Version 7 Update 17 and before
                    Sun Java Version 6 Update 43 and before
                    Sun Java Version 5.0 Update 41 and before
fixed version: Patch information see sections below
CVE: CVE-2013-2419
impact: medium
homepage: http://www.java.com/
found: 2012-11-13
by: A. Antukh
    SEC Consult Vulnerability Lab
    https://www.sec-consult.com
===

Vendor description:
---
To date, the Java platform has attracted more than 9 million software developers. It's used in every major industry segment and has a presence in a wide range of devices, computers, and networks. Java technology's versatility, efficiency, platform portability, and security make it the ideal technology for network computing. From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!

Source: http://www.java.com/en/about/

Vulnerability overview/description:
---
A memory corruption vulnerability exists in the launchApp() method of deployJava1.dll, which is loaded by Internet Explorer and used to launch javaws.exe with the provided arguments. The second (optional) parameter, which is responsible for embedded data, is checked improperly, which causes memory corruption and a read from an arbitrary address if specific conditions are met.

Successful exploitation of this vulnerability could potentially result in arbitrary code execution within the Java(TM) Web Start Launcher or cause the application to crash.

Vulnerability details:
---
The launchApp() method expects the following arguments: *pJNLP, *pEmbedded (optional) and *pVmArgs (optional). Providing a single wrong *pJNLP argument causes the application to prompt an error message and exit. However, if an attacker provides the second argument, it will be checked before quitting.

The function responsible for processing an auto-generated temp file containing the input args is the following:

.text:0040560F    push    eax              ; size of input data
.text:00405610    push    esi              ; malcrafted string
.text:00405611    call    tmp_processing

If the input length doesn't satisfy the condition of the bitwise AND, the function returns zero and exits:

.text:0040950B    mov     edx, [ebp+arg_4]
.text:0040950E    test    dl, 3            ; if size satisfies condition
.text:00409511    jz      short loc_409517 ; jump to processing
.text:00409513    xor     eax, eax         ; otherwise return 0 and exit
.text:00409515    leave
.text:00409516    retn

The returned data is used later to write from, causing an access violation:

.text:00405611    call    tmp_processing
.text:00405616    mov     esi, eax
...

(cc0.9fc): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00155a10 ebx= ecx=0008 edx=ffd21610 esi= edi=0001
eip=00402a0d esp=0012e6a8 ebp=0012e734 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010202
javaws+0x2a0d:
00402a0d 8b86cc00        mov     eax,dword ptr [esi+0CCh] ds:0023:00cc=

However, if the size fits the condition of the bitwise AND, the program flow continues. Memory of the input string's length is allocated:

.text:00409547    push    eax              ; size_t
.text:00409548    mov     [ebp+var_4], ecx
.text:0040954B    call    _malloc

The first WORD of the malformed string is taken and compared to 3Dh (equals sign '=') in order to ignore it. If the WORD is not equal to 3Dh, data from the calculated offset from the input string is read.

.text:00409571    cmp     ecx, 3Dh
.text:00409574    jnz     short crash_place
.text:00409576    xor     ecx, ecx
.text:00409578    jmp     short loc_409582
.text:0040957A ; ---
.text:0040957A
.text:0040957A crash_place:                 ; CODE XREF: tmp_processing+97j
.text:0040957A    movzx   ecx, word_445670[ecx*2]

If the resulting offset points to unallocated memory, an access violation exception is thrown:

eax=001542a0 ebx=001559f8 ecx=aaee edx= esi= edi=001558c8 eip=0040957a
SEC Consult SA-20130417-2 :: HTTP header injection/Cache poisoning in Oracle WebCenter Sites Satellite Server
SEC Consult Vulnerability Lab Security Advisory 20130417-2
===
title: HTTP header injection/Cache poisoning in Oracle WebCenter Sites Satellite Server
product: Oracle WebCenter Sites Satellite Server (former FatWire Satellite Server)
vulnerable version: 7.6.0 Patch1, 7.6.2, 11.1.1.6.0, 11.1.1.6.1
fixed version: Patch information see sections below
CVE: CVE-2013-1509
impact: medium
homepage: http://www.oracle.com/us/corporate/acquisitions/fatwire/index.html
found: 2012-09-17
by: K. Gudinavicius
    SEC Consult Vulnerability Lab
    https://www.sec-consult.com
===

Vendor description:
---
FatWire Satellite Server is a predecessor product of Oracle WebCenter Sites Satellite Server. Oracle WebCenter Sites Satellite Server enables organizations to deliver segmented, targeted, and dynamically assembled content across global Web properties with rapid response times and intelligent edge caching to optimize and speed the delivery of dynamic Web experiences.

Source: http://www.oracle.com/us/products/middleware/webcenter/satellite-server/overview/index.html

Vulnerability overview/description:
---
Due to unsanitized user input it is possible to inject arbitrary HTTP header values into certain HTTP responses of the Satellite Server. This can be exploited, for example, to perform session fixation and malicious redirection attacks via the Set-Cookie and Refresh headers.

Moreover, the Satellite Server caches these HTTP responses with the injected HTTP header, resulting in all further requests to the same resource being served with the poisoned HTTP response while these objects remain in the cache.

Proof of concept:
---
An arbitrary header can be injected into the HTTP responses of the downloadable resources. The values of the blobheadername2 and blobheadervalue2 URL parameters are user controllable.

In the following example the Refresh header is injected:

http://fatwire/cs/Satellite?blobcol=urldata&blobheadername1=content-type&blobheadername2=Refresh&blobheadervalue1=application/pdf&blobheadervalue2=0;url=http://www.sec-consult.com&blobkey=id&blobnocache=false&blobtable=MungoBlobs&blobwhere=1342534304149&ssbinary=true&site=S08

The returned HTTP response will contain the injected Refresh header and its value. Furthermore, the HTTP response will be cached, so the next time users access the same downloadable resource using the standard URL, they will be affected and redirected using the injected Refresh header value.

HTTP/1.1 200 OK
Date: Thu, 06 Sep 2012 15:59:04 GMT
Refresh: 0;url=http://www.sec-consult.com
Last-Modified: Thu, 06 Sep 2012 15:54:20 GMT
Content-Type: application/pdf
Connection: close
Content-Length: 772193

Vulnerable / tested versions:
---
The following installation has been tested:
* FatWire Satellite Server 7.6.0 Patch1.

Vendor contact timeline:
---
2012-11-26: Contacting vendor through secalert...@oracle.com
2012-11-26: Vendor response, will investigate issues
2012-11-27: Investigation ongoing, the following ID assigned: S0321206 - ARBITRARY HTTP HEADER INJECTION/CACHE POISONING IN FATWIRE
2013-01-25: S0321206 Issue fixed in main codeline, scheduled for a future CPU
2013-04-12: S0321206 is fixed in upcoming CPU on 2013-04-16
2013-04-16: Oracle releases April 2013 CPU
2013-04-17: Public release of SEC Consult advisory

Solution:
---
Apply latest patches, see:
http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html

Workaround:
---

Advisory URL:
---
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF K. Gudinavicius / @2013
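An allow-list check for the blobheadernameN/blobheadervalueN parameters, added here as an example; it is not part of the advisory and not Oracle's code. It assumes a download endpoint only needs content-type and content-disposition to be caller-settable, and runs the same check over constructed access-log lines to flag the two failure modes the advisory describes (an extra Refresh header, and CRLF smuggled into an allowed header's value).

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Assumption: a download endpoint only ever needs the caller to set these headers.
ALLOWED_BLOB_HEADERS = {"content-type", "content-disposition"}
# Simplified RFC 7230 classes: a header-name token, and a field value that contains
# no CR, LF or other control bytes, so a value can never start a second header line.
_TOKEN_RE = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
_VALUE_RE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


def parse_query(query):
    """Split a raw query on '&' only, so ';' stays inside a value (as in '0;url=...')."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote_plus(key), unquote_plus(value))
    return params


def validate_blob_headers(params):
    """Check every blobheadernameN/blobheadervalueN pair; return (accepted, rejected)."""
    accepted, rejected = {}, []
    n = 1
    while "blobheadername%d" % n in params:
        name = params["blobheadername%d" % n]
        value = params.get("blobheadervalue%d" % n, "")
        if not _TOKEN_RE.fullmatch(name):
            rejected.append((n, "malformed header name"))
        elif name.lower() not in ALLOWED_BLOB_HEADERS:
            rejected.append((n, "header %r not in allow-list" % name))
        elif not _VALUE_RE.fullmatch(value):
            rejected.append((n, "value contains CR/LF or control bytes"))
        else:
            accepted[name.lower()] = value
        n += 1
    return accepted, rejected


def check_url(url):
    """Validate the blob header parameters of one request URL."""
    return validate_blob_headers(parse_query(urlsplit(url).query))


# Constructed access-log lines (not from the advisory): one normal download,
# one request adding a Refresh header, one smuggling CRLF into an allowed header.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Sep/2012:15:59:04 +0000] "GET /cs/Satellite?blobcol=urldata&blobheadername1=content-type&blobheadervalue1=application/pdf&blobkey=id&blobtable=MungoBlobs&blobwhere=1342534304149&ssbinary=true HTTP/1.1" 200 772193
10.0.0.9 - - [06/Sep/2012:16:01:12 +0000] "GET /cs/Satellite?blobcol=urldata&blobheadername1=content-type&blobheadername2=Refresh&blobheadervalue1=application/pdf&blobheadervalue2=0;url=http://www.sec-consult.com&blobkey=id&blobtable=MungoBlobs&blobwhere=1342534304149&ssbinary=true HTTP/1.1" 200 772193
10.0.0.9 - - [06/Sep/2012:16:02:30 +0000] "GET /cs/Satellite?blobcol=urldata&blobheadername1=content-type&blobheadervalue1=application/pdf%0D%0AX-Injected:%201&blobkey=id&ssbinary=true HTTP/1.1" 200 772193
"""
_REQ_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) ')


def scan_log(text):
    """Return (client, timestamp, reasons) for each logged request that fails validation."""
    hits = []
    for line in text.splitlines():
        m = _REQ_RE.match(line)
        if m:
            _, rejected = check_url(m.group(3))
            if rejected:
                hits.append((m.group(1), m.group(2), [why for _, why in rejected]))
    return hits
```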
Cisco Security Advisory: Cisco Network Admission Control Manager SQL Injection Vulnerability
Cisco Security Advisory: Cisco Network Admission Control Manager SQL Injection Vulnerability

Advisory ID: cisco-sa-20130417-nac
Revision 1.0

For Public Release 2013 April 17 16:00 UTC (GMT)

Summary
===
Cisco Network Admission Control (NAC) Manager contains a vulnerability that could allow an unauthenticated remote attacker to execute arbitrary code and take full control of the vulnerable system. A successful attack could allow an unauthenticated attacker to access, create or modify any information in the NAC Manager database.

Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130417-nac
Cisco Security Advisory: Cisco TelePresence Infrastructure Denial of Service Vulnerability
Cisco Security Advisory: Cisco TelePresence Infrastructure Denial of Service Vulnerability

Advisory ID: cisco-sa-20130417-tpi
Revision 1.0

For Public Release 2013 April 17 16:00 UTC (GMT)

Summary
===
Cisco TelePresence multipoint control unit (MCU) and Cisco TelePresence Server contain a vulnerability that could allow an unauthenticated, remote attacker to trigger the reload of an affected system.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130417-tpi
DC4420 - London DEFCON - April meet - Tuesday 23rd April 2013
Whether you're coming to town next week for London Infosec or BSides, or you're in the smoke anyway, come and join us for what is normally our busiest and most entertaining night of the year...

This time should be no exception: we have managed to retain our normal venue - The Phoenix - and we have a single speaker giving us a full hour 'fun' talk, leaving us plenty of time for, well, you know the score...

Primary Speaker: Kev Sheldrake - Head Hacking
Title: Social Engineering Lies!

Synopsis:
Social engineering is the practice of gaining unauthorised access to something, typically only using human interaction to do so. NLP is a pseudo-scientific psychological paradigm for modelling excellence and creating hypnotic change. Hypnosis is the process through which hypnotic subjects take and act upon suggestions. It is possible to apply NLP and hypnosis to social engineering. Or so people would tell you. This talk will tell you different. Featuring lots of swearing and optional audience participation, I'll explain the hypnotist's perspective on 'covert hypnosis' and NLP. I'm a hypnotist, but I promise not to hypnotise anyone at the event.

~~

Secondary Speaker: The Bar Staff
Title: Buy Major a beer

Synopsis:
Now you've been lied to by the primary speaker, you will buy Major a beer.

***

Venue: The Phoenix, Cavendish Square
http://www.phoenixcavendishsquare.co.uk/

Date: Tuesday 23rd April, 2013
Time: 17:30 till kicking out - talk starts at 19:30

See you there!

http://dc4420.org

cheers,
MM

--
In DEFCON, we have no names... errr... well, we do... but silly ones...
[SECURITY] [DSA 2662-1] xen security update
Debian Security Advisory DSA-2662-1                   secur...@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
April 18, 2013                               http://www.debian.org/security/faq
---
Package        : xen
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1917 CVE-2013-1919

Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2013-1917
    The SYSENTER instruction can be used by PV guests to accelerate system call processing. This instruction, however, leaves the EFLAGS register mostly unmodified. This can be used by malicious or buggy user space to cause the entire host to crash.

CVE-2013-1919
    Various IRQ related access control operations may not have the intended effect, potentially permitting a stub domain to grant its client domain access to an IRQ it doesn't have access to itself. This can be used by malicious or buggy stub domain kernels to mount a denial of service attack possibly affecting the whole system.

For the stable distribution (squeeze), these problems have been fixed in version 4.0.1-5.9.

For the testing distribution (wheezy) and the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your xen packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
CVE-2013-2504 : Matrix42 Service Desk XSS
* * * 43zsec SECURITY ADVISORY * * *

CVE ID: CVE-2013-2504
Product: Service Store 5.3 SP3 (5.33.946.0)
Vendor: matrix42 - member of asseco group
Subject: Cross-site Scripting - XSS
Classification: PCI 2.0:6.5.7 PCI 1.2:6.5.1 OWASP:A2 CWE:79 CAPEC:19 WASC:08
Risk: High
Effect: Remotely exploitable
Author: 43zsec (43zsec() gmail.com)
Date: March 6th 2013
Dork: inurl:/SPS/Logon/AuthLogon.aspx?ReturnUrl=

Product information:
---
Matrix42 Service Desk (description from the Webpage):
http://www.matrix42.com/products/it-service-management/service-desk/

A friendly, well-organized customer service is the flagship of every company. As the IT department's central point of contact, the helpdesk ensures user productivity. As a matter of course, the processes are ITIL-based, well-documented and historicized. The ITIL V3 certified Matrix42 Service Desk is completely integrated with the Service Catalog and related processes. The ticket automatically includes all information from contract, asset and license management to allow the service staff to make fast decisions and take efficient action.

Introduction:
43zsec discovered some security flaws in the matrix42 service desk.

Vulnerable Versions / Tested Versions:
Service Store 5.3 SP3 (5.33.946.0)

Patches:
No patches are available for this vulnerability as of today.

Description:
Impact: XSS
URL: https://SERVERNAME/SPS/Portal/default.aspx?'--></style></script><script>alert(document.cookie)</script>
Parameter Name: Query Based
Parameter Type: FullQuery String
Pattern: '--></style></script><script>alert(document.cookie)</script>
Remarks:

Details:
Source: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

Impact:
XSS gives an attacker a lot of attack vectors, including:
Session Hijacking: stealing the user session cookie
Phishing Attacks
MITM Attacks: Intercepting data.

REMEDY:
Microsoft Anti-Cross Site Scripting Library V4.2
http://www.microsoft.com/en-us/download/details.aspx?id=28589
XSS (Cross Site Scripting) Prevention Cheat Sheet
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

Time-Map:
06.03.2013 Vendor contacted
10.04.2013 Vendor will patch this issue
18.04.2013 Disclosure

References:
http://www.matrix42.de
http://www.asseco.com/
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
http://www.microsoft.com/en-us/download/details.aspx?id=28589