[FD] [CVE-2019-11604] Quest KACE Systems Management Appliance <= 9.0 kbot_service_notsoap.php METHOD Reflected Cross-Site Scripting

2019-05-24 Thread RCE Security
RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
===
Product:        Quest KACE Systems Management Appliance
Vendor URL:     www.quest.com
Type:           Cross-Site Scripting [CWE-79]
Date found:     2018-09-09
Date published: 2019-05-19
CVSSv3 Score:   4.7 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
CVE:            CVE-2019-11604


2. CREDITS
==
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
===

Quest KACE Systems Management Appliance 9.0 and below


4. INTRODUCTION
===
The KACE Systems Management Appliance (SMA) helps you accomplish these goals
by automating complex administrative tasks and modernizing your unified endpoint
management approach. This makes it possible for you to inventory all hardware
and software, patch mission-critical applications and OS, reduce the risk of
breach, and assure software license compliance. So you're able to reduce systems
management complexity and safeguard your vulnerable endpoints.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
===

The script "/service/kbot_service_notsoap.php" is vulnerable to an unauthenticated
reflected Cross-Site Scripting vulnerability when user-supplied input to the
HTTP GET parameter "METHOD" is processed by the web application. Since the
application does not properly validate and sanitize this parameter, it is
possible to place arbitrary script code onto the same page.

The following Proof-of-Concept triggers this vulnerability:
https://127.0.0.1/service/kbot_service_notsoap.php?METHOD=alert(document.domain)


6. RISK
===
To successfully exploit this vulnerability an unauthenticated or authenticated
user must be tricked into visiting an arbitrary website.

The vulnerability can be used to temporarily embed arbitrary script code into the
context of the appliance web interface, which offers a wide range of possible
attacks such as redirecting the user to a malicious page, spoofing content on the
page or attacking the browser and its plugins. Since all session-relevant cookies
are protected by HTTPOnly, it is not possible to hijack sessions.


7. SOLUTION
===
Update to Quest KACE Systems Management Appliance 9.1


8. REPORT TIMELINE
==
2018-09-09: Discovery of the vulnerability
2019-02-28: Tried to notify vendor via their vulnerability report form
but unfortunately the WAF protecting the form blocked the
Proof-of-Concept payload
2019-02-28: Sent another notification without any payloads
2019-02-28: Vendor response
2019-03-01: Sent the exploit payload in a separate mail
2019-03-01: Vendor acknowledges the issue (tracked as K1-20409) which will
be fixed in the 9.1 release (released on 2019/04/15)
2019-03-01: Vendor asks to delay the disclosure to make sure all customers
had time to upgrade
2019-03-13: Requested disclosure extension granted
2019-04-30: CVE requested from MITRE
2019-04-30: MITRE assigns CVE-2019-11604
2019-05-19: Public disclosure


9. REFERENCES
=
-

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Exploring the File System via Jenkins Credentials Plugin Vulnerability – CVE-2019-10320

2019-05-24 Thread Nightwatch Cybersecurity Research
[Original blog post here:
https://wwws.nightwatchcybersecurity.com/2019/05/23/exploring-the-file-system-via-jenkins-credentials-plugin-vulnerability-cve-2019-10320/]

SUMMARY

The recently fixed vulnerability in the Jenkins Credentials plugin
(v2.1.19) allowed users with certain permissions to confirm existence
of a file on the server’s file system. While this doesn’t allow an
attacker to view the file content, the ability to obtain information
about the file system can be leveraged for other attacks. In this post
we will explain how to reproduce this vulnerability.

It is also possible to load credentials from a valid PKCS#12 file on
the Jenkins server, and obtain access to the contents of those
credentials via a job. That may be addressed in a future blog post.

PLEASE NOTE: This is only exploitable by users that have sufficient
access to the Jenkins server to add or update credentials. Usually
anonymous users do not have that level of access.

PREREQUISITES

You will need to download, install and initialize Jenkins following
these instructions (https://jenkins.io/doc/book/installing/). DO NOT
install any plugin during the installation process. When done, you
should be able to login to Jenkins via the following URL:
"http://localhost:8080/".

INSTALLING THE VULNERABLE PLUGIN

1. Download the vulnerable plugin (v2.1.18) from the Jenkins update
site as an HPI file
(https://updates.jenkins.io/download/plugins/credentials/).

2. Go to the Jenkins plugin manager, and click the advanced tab
("http://localhost:8080/pluginManager/advanced") to get to the manual
plugin installation page. Select the HPI file downloaded in the
previous step and install it. Restart the Jenkins server
("http://localhost:8080/restart") after the plugin has been installed.

3. Login to the Jenkins management page
("http://localhost:8080/manage") and plugin manager
("http://localhost:8080/pluginManager/") to confirm that the
vulnerable plugin has been installed.

GETTING TO THE VULNERABLE PAGE

1. Login to Jenkins, then go to "Credentials", "System", "Global
Credentials". Click the new option "Add Credentials" that appears on
the left side. The user that you are using MUST have sufficient
permissions to add or update credentials. You can also reach this page
by going directly to
"http://localhost:8080/credentials/store/system/domain/_/newCredentials".

2. In the "Kind" drop down box select "Certificate", and from the two
radio buttons select "From a PKCS#12 file on Jenkins master".

EXPLOITATION

Put in a valid path in the "file" box and click anywhere in the page
to refresh. You will get an error message "The file  doesn't
exists" if the file is not present, OR "Could not load keystore" if
the file does exist. This would allow an attacker to explore the file
system and confirm whether specific files exist or not. While file
content cannot be viewed (unless they are PKCS#12 files), the attacker
can use this technique to help advance other attacks.

REFERENCES

CVE-ID: CVE-2019-10320
Vendor advisory: https://jenkins.io/security/advisory/2019-05-21/#SECURITY-1322

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
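An offline model of the existence oracle described in the post above, added here as an example (Python written for this page, not the Credentials plugin's own Java). The two message strings are stand-ins for the ones the post quotes; the exact plugin wording and the simplified DER check in the hardened variant are assumptions. The point it shows is that the leak is the *difference* between the two error paths, and that the fix is to collapse every failure onto one message before anything path-dependent is revealed:

```python
import os
import tempfile

# Constructed stand-ins for the two messages the post quotes. The plugin's
# exact wording is an assumption here; what matters is that they differ.
MSG_MISSING = "The file doesn't exist"
MSG_BAD_KEYSTORE = "Could not load keystore"


def vulnerable_validate(path):
    """Models the pre-2.1.19 form check: the existence test runs before any
    keystore parsing and produces its own, distinguishable message."""
    if not os.path.isfile(path):
        return MSG_MISSING
    # Any real file that is not a loadable PKCS#12 keystore ends up here,
    # so the existence of an arbitrary file is confirmed without reading it.
    return MSG_BAD_KEYSTORE


def hardened_validate(path):
    """Same decision, one message for every failure: ENOENT, EACCES, a
    directory, or a file that is not DER all collapse onto one answer, so the
    response no longer depends on whether the path exists. The 0x30 check is
    a simplification (PKCS#12 is a DER SEQUENCE); a real check parses the PFX."""
    try:
        with open(path, "rb") as f:
            head = f.read(1)
    except OSError:
        return MSG_BAD_KEYSTORE
    if head != b"\x30":
        return MSG_BAD_KEYSTORE
    return "ok"


def leaks_existence(validate, present, absent):
    """Attacker-side test: a validator is an existence oracle if it answers
    differently for a path known to exist and a path known not to."""
    return validate(present) != validate(absent)


def existence_from_message(message):
    """Decode the vulnerable validator's answer the way an attacker would.
    None means the message carries no usable signal."""
    if message == MSG_MISSING:
        return False
    if message == MSG_BAD_KEYSTORE:
        return True
    return None


def demo():
    """Stand-alone run on a temp dir: one plain-text file (not a keystore) and
    one path that does not exist, against both validators."""
    with tempfile.TemporaryDirectory() as d:
        present = os.path.join(d, "not-a-keystore.txt")
        with open(present, "w") as f:
            f.write("plain text, not PKCS#12\n")  # constructed sample file
        absent = os.path.join(d, "missing.p12")
        return {
            "vulnerable_leaks": leaks_existence(vulnerable_validate, present, absent),
            "hardened_leaks": leaks_existence(hardened_validate, present, absent),
            "vulnerable_view": {
                "present": existence_from_message(vulnerable_validate(present)),
                "absent": existence_from_message(vulnerable_validate(absent)),
            },
        }


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable validator `leaks_existence` is True and the attacker can classify any path with `existence_from_message`; against the hardened one both probes return the same string and the classifier has nothing to work with. Timing differences between the two failure paths remain a weaker side channel, which this model does not address.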

[FD] [REVIVE-SA-2019-002] Revive Adserver Vulnerability

2019-05-24 Thread Matteo Beccati via Fulldisclosure

Revive Adserver Security Advisory REVIVE-SA-2019-002

https://www.revive-adserver.com/security/revive-sa-2019-002

CVE-IDs:   t.b.a.
Date:  2019-05-21
Risk Level:High
Applications affected: Revive Adserver
Versions affected: < 4.2.1
Versions not affected: >= 4.2.1
Website:   https://www.revive-adserver.com/




Vulnerability 1 - Use of Cryptographically Weak PRNG

Vulnerability Type:    Use of Cryptographically Weak Pseudo-Random
                       Number Generator (PRNG) [CWE-338]
CVE-ID:                t.b.a.
CVSS Base Score:       8.1
CVSSv3 Vector:         AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Impact Subscore:  5.9
CVSS Exploitability Subscore: 2.2


Description
---
A Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
vulnerability has been discovered in the generation of the token used
for the password recovery functionality of Revive Adserver by HackerOne
user paulos_. Such vulnerability could be used to gain access to
existing user accounts, if the attacker has access to the password
recovery URL and knows or can guess the email address associated to the
target account.

Details
---
An attacker could request a password reset for a known user account and
exploit the usage of the weak uniqid() function to guess what the
generated password recovery token could be. If successful, they could
set a new password and gain access to the account.

References
--
https://hackerone.com/reports/576504
https://github.com/revive-adserver/revive-adserver/commit/51fef40
https://cwe.mitre.org/data/definitions/338.html




Solution


We strongly advise people to upgrade to the most recent 4.2.1 version of
Revive Adserver. In case that is not immediately feasible, we especially
recommend to delete or block the www/admin/password-recovery.php script.



Contact Information


The security contact for Revive Adserver can be reached at:
.

Please review https://www.revive-adserver.com/security/ before doing so.


-- 
Matteo Beccati
On behalf of the Revive Adserver Team
https://www.revive-adserver.com/




___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
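The advisory above says the recovery token is derived from uniqid(); the following added example (Python written for this page, not Revive Adserver's PHP, and not a reproduction of the exact derivation in commit 51fef40) shows why that is guessable. PHP's uniqid() without more_entropy is just sprintf("%08x%05x", seconds, microseconds) of the server clock. Hashing it, modelled here with md5 as an assumed derivation, adds no entropy because the attacker applies the same hash to each candidate. The attacker triggers the reset request themselves, so they know the second it was generated in; `is_valid` stands in for submitting a candidate to the recovery endpoint, since the real token is never observed:

```python
import hashlib
import math
import secrets

USEC_PER_SEC = 1_000_000


def php_uniqid(sec, usec):
    """PHP uniqid() with more_entropy=false: sprintf("%08x%05x", sec, usec).
    Both inputs come from the server clock, so the output is predictable."""
    return f"{sec:08x}{usec:05x}"


def weak_recovery_token(sec, usec):
    """Hypothetical uniqid()-based recovery token (assumed derivation, not
    Revive's exact code). The hash is deterministic, so it only changes the
    token's appearance, not the number of values it can take."""
    return hashlib.md5(php_uniqid(sec, usec).encode()).hexdigest()


def search_space_bits(window_seconds):
    """Effective entropy of such a token when the attacker knows the
    generation time to within `window_seconds`: one second is < 20 bits."""
    return math.log2(window_seconds * USEC_PER_SEC)


def guess_token(is_valid, sec_lo, sec_hi):
    """Attacker side. `is_valid(token)` models submitting a candidate to the
    password-recovery endpoint and observing acceptance; the attacker never
    sees the real token. Returns (token, attempts) or (None, attempts)."""
    attempts = 0
    for sec in range(sec_lo, sec_hi + 1):
        for usec in range(USEC_PER_SEC):
            attempts += 1
            token = weak_recovery_token(sec, usec)
            if is_valid(token):
                return token, attempts
    return None, attempts


def strong_recovery_token():
    """Fix: 128 bits from the OS CSPRNG, nothing clock-derived. The guessing
    loop above would need ~2**128 submissions instead of ~2**20 per second."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed scenario: the server issued a token at a known second.
    server_token = weak_recovery_token(1558400000, 4242)
    print(guess_token(lambda t: t == server_token, 1558400000, 1558400001))
```

In practice the endpoint is the rate limit: the whole search for a one-second window is about a million requests, which is why the advisory's stop-gap is to block www/admin/password-recovery.php outright rather than rely on the token surviving a guessing run.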

[FD] New BlackArch Linux ISOs + OVA Image (2019.06.01) with 2200 Tools released

2019-05-24 Thread Black Arch
Dear list,


We've released the new BlackArch Linux ISOs and OVA image (version:
2019.06.01) along with many many improvements. They include more than
2190 tools now. The armv6h, armv7h and aarch64 repositories are filled
with about 2100 tools.


A ChangeLog of the Live-ISO-2019.06.01:


   - added more than 150 new tools
   - added 'jedi-vim' plugin
   - updated vim plugins
   - included every tool of BlackArch except: cuda-/oclhashcat, vmcloak, theZoo
   - included linux kernel 5.1.4
   - ISO file clean-ups and tweaks
   - updated blackarch-installer to v1.1.1
   - updated Xresources/Xdefaults + added support for rxvt-unicode
   - updated default ISO files (synced with archiso's template)
   - package QAs (runtime checks) were performed prior to the ISO build
   - updated all blackarch tools and packages including config files
   - updated all system packages
   - updated all window manager menus (awesome, fluxbox, openbox)


If you're not already familiar with BlackArch Linux, please read the
DESCRIPTION section below.



[ DOWNLOAD ]


You can download the new ISOs here: https://www.blackarch.org/downloads.html



[ DESCRIPTION ]


BlackArch Linux is an Arch-based GNU/Linux distribution for pentesters
and security researchers. The BlackArch package repository is
compatible with existing Arch installs.


Here are some of BlackArch's features:


   - Support for x86_64, armv6h, armv7h and aarch64 architectures
   - Over 2050 tools (constantly increasing)
   - Modular package groups
   - A live ISO with multiple window managers, including fluxbox,
openbox, awesome, i3 and spectrwm.
   - A 64-bit OVA image ready to use with Virtualbox, QEMU and VMware
   - An optional installer with the ability to build from source.


[ CONTACT ]


We mostly work on BlackArch Linux for our personal use. We share it in
the hopes that you will contribute by reporting bugs and sharing tools
and ideas.


We have a relaxed project structure. We welcome pull requests of all
sizes through any means, including Github[0] and email[1].


Also see our Twitter account[2] and IRC channel[3]. Although BlackArch
is the primary topic in the channel, we also have pleasant
conversations about other things. Come join us. It's a happy place.



[ THANKS ]


We wish to thank all of BlackArch's users, mirrors, and supporters.
Thanks for your help.



[ DONATIONS ]


Our initiative depends on donations in order to be able to pay the
server infrastructure and our expenses. Therefore we ask for voluntary
donations.



[ REFERENCES ]


[0] https://www.github.com/BlackArch/ 
[1] blackarchlinux () gmail com
[2] https://twitter.com/blackarchlinux
[3] irc://irc.freenode.net/blackarch

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] CMS Made Simple 2.2.10 - (Authenticated) Persistent Cross-Site Scripting

2019-05-24 Thread Manuel Garcia Cardenas
=
MGC ALERT 2019-002
- Original release date: April 10, 2019
- Last revised:  May 22, 2019
- Discovered by: Manuel Garcia Cardenas
- Severity: 4.8/10 (CVSS Base Score)
- CVE-ID: CVE-2019-11226
=

I. VULNERABILITY
-
CMS Made Simple 2.2.10 - (Authenticated) Persistent Cross-Site Scripting

II. BACKGROUND
-
CMS Made Simple (CMSMS) is a free, open source (GPL) content management
system (CMS) to provide developers, programmers and site owners a web-based
development and administration area.

III. DESCRIPTION
-
A Persistent XSS vulnerability has been detected in CMS Made Simple that
allows arbitrary HTML/script code to be executed in the context of the
victim user's browser.

IV. PROOF OF CONCEPT
-
Go to: Content -> Content Manager -> News -> Add Article

And post in the m1_title parameter for example
test">alert(1)

The variable "m1_title" is not sanitized; later, if some user visits the
content in the public area, the XSS is executed, and in the response you can
view:

alert(1)

V. BUSINESS IMPACT
-
An attacker can execute arbitrary HTML or Javascript code in a targeted
user's browser, this can leverage to steal sensitive information as user
credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-
CMS Made Simple <= 2.2.10

VII. SOLUTION
-
Disable until a fix is available; the vendor doesn't accept XSS issues inside
the admin panel.

VIII. REFERENCES
-
https://www.cmsmadesimple.org/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
April 10, 2019 1: Initial release
May 22, 2019 2: Last revision

XI. DISCLOSURE TIMELINE
-
April 10, 2019 1: Vulnerability acquired by Manuel Garcia Cardenas
April 10, 2019 2: Send to vendor
April 22, 2019 3: New request; the vendor doesn't accept XSS issues inside
the admin panel.
May 22, 2019 4: Sent to lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
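Two of the advisories in this digest are XSS of the same root cause, the reflected METHOD parameter in the KACE post and the stored m1_title in the CMS Made Simple post above, and the list archive appears to have stripped the `<script>` tags from both PoCs. The following added example (Python written for this page, not the PHP of either product) reconstructs plausible full payloads, marked as assumptions, models each sink in its vulnerable and entity-encoded form, and includes the triage check a tester runs over a response to tell raw reflection from encoded, inert reflection:

```python
import html
import re

# Assumed full payloads: reconstructions of the two PoCs with the <script>
# tags the archive dropped, not the advisories' literal strings.
KACE_PAYLOAD = "<script>alert(document.domain)</script>"
CMSMS_PAYLOAD = 'test"><script>alert(1)</script>'


def vulnerable_reflect(method):
    """Reflected case: the METHOD query parameter is echoed into the response
    body verbatim. The real kbot_service_notsoap.php markup is unknown; this
    is illustrative of the sink, not a copy of it."""
    return f"<html><body><p>Unknown method: {method}</p></body></html>"


def hardened_reflect(method):
    """Same response with entity encoding applied at the output point."""
    safe = html.escape(method, quote=True)
    return f"<html><body><p>Unknown method: {safe}</p></body></html>"


def vulnerable_article(title):
    """Stored case: an article title saved as submitted and later rendered
    both inside an attribute value and as element text. The CMSMS template
    is assumed; the two-context rendering is what makes the "> prefix of
    the PoC useful."""
    return f'<h2 class="news-title" title="{title}">{title}</h2>'


def hardened_article(title):
    """Encode for the context. quote=True is what protects the attribute:
    without it a bare double quote would still close the attribute value."""
    safe = html.escape(title, quote=True)
    return f'<h2 class="news-title" title="{safe}">{safe}</h2>'


# Cheap browser-ish check: a script element or an inline event handler.
_SCRIPT_OR_HANDLER = re.compile(r"<script\b|\son[a-z]+\s*=", re.I)


def assess(render, payload):
    """Tester-side triage of a response. raw_reflection means the payload's
    metacharacters came back intact (the sink is live); encoded_reflection
    means only the entity-encoded form is present (the sink is encoded and
    the payload is inert); script_injected is the practical outcome."""
    body = render(payload)
    return {
        "raw_reflection": payload in body,
        "encoded_reflection": html.escape(payload, quote=True) in body,
        "script_injected": bool(_SCRIPT_OR_HANDLER.search(body)),
    }


if __name__ == "__main__":
    for name, render, payload in [
        ("kace vulnerable", vulnerable_reflect, KACE_PAYLOAD),
        ("kace hardened", hardened_reflect, KACE_PAYLOAD),
        ("cmsms vulnerable", vulnerable_article, CMSMS_PAYLOAD),
        ("cmsms hardened", hardened_article, CMSMS_PAYLOAD),
    ]:
        print(name, assess(render, payload))
```

The regex is deliberately crude: it is a first-pass filter for a tester, not a parser, and it will flag an attribute such as `one=` as a handler. What both advisories' risk sections say still holds after encoding is fixed: the KACE one notes HttpOnly session cookies, which stops cookie theft but none of the other attacks listed there, so output encoding, not the cookie flag, is the control.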