[FD] Java deserialization vulnerability in QRadar RemoteJavaScript Servlet

2020-10-16 Thread Securify B.V. via Fulldisclosure

Java deserialization vulnerability in QRadar RemoteJavaScript Servlet

Abstract

A Java deserialization vulnerability exists in the QRadar
RemoteJavaScript Servlet. An authenticated user can call one of the
vulnerable methods and cause the Servlet to deserialize arbitrary
objects.

An attacker can exploit this vulnerability by creating a specially
crafted (serialized) object, which amongst other things can result in a
denial of service, change of system settings, or execution of arbitrary
code.


See also

CVE-2020-4280 [2]
6344079 [3] - IBM QRadar SIEM is vulnerable to deserialization of
untrusted data


Tested versions

This issue was successfully verified on QRadar Community Edition [4]
version 7.3.1.6 (7.3.1 Build 20180723171558).


Fix

IBM has released the following versions of QRadar in which this issue
has been resolved:

- QRadar / QRM / QVM / QRIF / QNI 7.4.1 Patch 1 [5]
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 5 [6]


Introduction

QRadar [7] is IBM's enterprise SIEM [8] solution. A free version of
QRadar is available that is known as QRadar Community Edition [4]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

A Java deserialization vulnerability [9] exists in the QRadar
RemoteJavaScript Servlet. This Servlet contains a custom JSON-RPC [10]
implementation (based on JSON-RPC version 1.0). Certain methods accept
base64 encoded serialized Java objects. No checks have been implemented
to prevent deserialization of arbitrary objects. Consequently, an
authenticated user can call one of the affected methods and cause the
RemoteJavaScript Servlet to deserialize arbitrary objects.

An attacker can exploit this vulnerability by creating a specially
crafted (serialized) object, which amongst other things can result in a
denial of service, change of system settings, or execution of arbitrary
code.


Details

The RemoteJavaScript Servlet is only accessible for authenticated users.
It is mapped to the following URLs:

- /remoteJavaScript
- /remoteMethod
- /JSON-RPC
- /JSON-RPC/*

The JSON data can be passed via the URL query string or as POST data.
The JSON data should contain a field named method, which contains the
name of the application and the method that needs to be invoked. The
requested application is looked up in the Application Registry. Each
application has a mapping XML file located under
/opt/qradar/conf/appconfig/ named -exported_methods.xml, which
is essentially a list of all (Java) methods that can be called including
their associated Java class, access control, and other settings.

When the application is found (and licensed), a call is made to
getExportedMethod() to lookup the Java method that needs to be invoked.
After some additional checks - like authorization - the Servlet will
eventually invoke the call() method of the found Java method. If
present, arguments are passed as a String array to the call() method.
These arguments are then converted into the correct type using the
com.q1labs.core.shared.util.ReflectionUtils.stringsToObjects() method.

com.q1labs.uiframeworks.application.ExportedMethod:
public abstract class ExportedMethod extends AllowableObject {

[...]

    public Object call(PageContext pageContext, String... passedArguments) throws Exception {
        if (passedArguments != null && passedArguments.length != 0) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Calling with passed in arguments: " + Arrays.toString(passedArguments));
            }

            return this.call(pageContext, this.stringsToObjects(passedArguments));

[...]

    private Object[] stringsToObjects(String[] paramaters) throws ExportedMethodException {
        return ReflectionUtils.stringsToObjects(this.getParameterTypes(), paramaters);
    }

The parameter types differ per method and are provided via the
getParameterTypes() method. If the parameter type is a 'simple' type, it
will be converted without deserialization. H

[FD] Microsoft OneDrive client for Windows Qt QML module hijack

2020-07-09 Thread Securify B.V. via Fulldisclosure

Microsoft OneDrive client for Windows Qt QML module hijack

Yorick Koster, July 2020


Abstract

A file hijacking vulnerability was found in the Microsoft OneDrive
client. This vulnerability allows a local attacker to plant a DLL file
on the local machine. This DLL will then be loaded whenever (another)
user launches OneDrive, running with the privileges of the victim.


Tested version

This issue was successfully verified on Microsoft OneDrive version
19.232.1124.0010.


Fix

This vulnerability was resolved in Microsoft OneDrive version
20.073.0409.0003 [2].


Introduction

OneDrive is Microsoft's cloud storage service, which can be used to
store files including documents, photos, music, videos, et cetera. Files
stored in OneDrive can be accessed from other devices and shared with
others.

A file hijacking vulnerability was found in the Microsoft OneDrive
client for Windows. This vulnerability allows a local attacker to plant
a DLL file on the local machine. This DLL will then be loaded whenever
(another) user launches OneDrive, running with the privileges of the
victim.

This issue was independently discovered [3] by Elias Dimopoulos [4] from
REDYOPS Labs.


Vulnerability details

When OneDrive starts, it will search in the folder C:\Qt\Qt-5.11.1\ for
any QML module that needs to be loaded. When the module can't be found
under C:\Qt, the application's installation folder will be searched
(generally located under %LOCALAPPDATA%).

https://www.securify.nl/advisory/SFY20200708/onedrivehijack.png

Normally, the C:\Qt folder is not present on Windows systems. Any
authenticated user is permitted to create this folder in the system root
and consequently, a logged on attacker can also create the searched
folder structure. The attacker can then create any of the following
folders and copy a malicious DLL in these folders:

 - Colors
 - Colors.1
 - Colors.1.0
 - ColorThemeManager
 - ColorThemeManager.1
 - ColorThemeManager.1.0
 - QtQuick\Controls\impl
 - QtQuick\Controls\impl.2
 - QtQuick\Controls\impl.2.4
 - QtQuick\Controls\Styles.1.4
 - QtQuick\Controls\Styles.1
 - QtQuick\Controls.1\Styles
 - QtQuick\Controls.1.4\Styles
 - QtQuick\Controls.2\impl
 - QtQuick\Controls.2.0
 - QtQuick\Controls.2.2
 - QtQuick\Controls.2.4
 - QtQuick\Controls.2.4\impl
 - QtQuick\Templates.2.4
 - QtQuick\Window.2.2
 - QtQuick\Window.2.3
 - QtQuick.1\Controls\Styles
 - QtQuick.1.4\Controls\Styles
 - QtQuick.2\Controls\impl
 - QtQuick.2.0
 - QtQuick.2.0\Controls
 - QtQuick.2.11
 - QtQuick.2.2\Controls
 - QtQuick.2.2\Window
 - QtQuick.2.3\Window
 - QtQuick.2.4\Controls
 - QtQuick.2.4\Controls\impl
 - QtQuick.2.4\Templates
 - QtQuick.2.7

Now whenever OneDrive is launched, it will find the attacker's DLL, load
it, and run any code that is present in this DLL. The attacker's code
will run with the privileges of the user that launched OneDrive.


Proof of concept

The following PowerShell script can be used to demonstrate this issue.
When successful, the proof of concept will start Calculator.

https://gist.github.com/ykoster/9ce4232fee389de1195a624680419d7e


References

[1] https://www.securify.nl/advisory/SFY20200708/microsoft-onedrive-client-for-windows-qt-qml-module-hijack.html
[2] https://oneclient.sfx.ms/Win/MsitSlow/20.073.0409.0003/OneDriveSetup.exe
[3] https://labs.redyops.com/index.php/2020/04/27/onedrive-privilege-of-escalation/
[4] https://twitter.com/gweeperx


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Cisco AnyConnect elevation of privileges due to insecure handling of path names

2020-04-21 Thread Securify B.V. via Fulldisclosure

Cisco AnyConnect elevation of privileges due to insecure handling of
path names

Yorick Koster, December 2019


Abstract

The update functionality of the Cisco AnyConnect Secure Mobility Client
for Windows is affected by a path traversal vulnerability that allows
local attackers to create/overwrite files on arbitrary locations.
Successful exploitation of this vulnerability allows the attacker to
gain SYSTEM privileges.


See also

- CVE-2020-3153 [2]
- cisco-sa-ac-win-path-traverse-qO4HWBsj [3] - Cisco AnyConnect Secure
Mobility Client for Windows Uncontrolled Search Path Vulnerability
- SSD Advisory [4] - Cisco AnyConnect Privilege Elevation through Path
Traversal


Tested version

This issue was successfully verified on Cisco AnyConnect Secure Mobility
Client for Windows version 4.8.01090.


Fix

This vulnerability was fixed in Cisco AnyConnect Secure Mobility Client
for Windows version 4.8.02042. Cisco customers with active contracts can
obtain updates through the Software Center at
https://software.cisco.com/download/navigator.html.

Cisco has released bug ID CSCvs46327 [5] for registered users, which
contains additional details and an up-to-date list of affected product
versions.


Introduction

Cisco AnyConnect Secure Mobility Client contains functionality to
auto-update itself. Auto-update also works for low-privileged users;
this is possible because the update is initiated from a service running
with SYSTEM privileges (Cisco AnyConnect Secure Mobility Agent). This
service exposes TCP port 62522 on the loopback device to which clients
can connect and send commands to be handled by this service. One of
these commands is to launch the vpndownloader application and update
AnyConnect.

A path traversal vulnerability exists in the vpndownloader application
for Windows that allows a local user to create and run files outside of
the temporary installer folder. Successful exploitation of this
vulnerability allows a local attacker to gain SYSTEM privileges.


Vulnerability details

The AnyConnect auto-update functionality has been affected by a number
of vulnerabilities in the past that can be abused by local users to gain
SYSTEM privileges (eg, Kostya Kortchinsky [6], Securify [7], Project
Zero [8], SerializingMe [9]). Cisco has made a number of changes to
mitigate these attacks, amongst these changes are:

- Executables need to have a valid Authenticode signature from Cisco
Systems, Inc.
- (New) versions of vpndownloader.exe are copied to %ProgramData%\Cisco\Cisco
AnyConnect Secure Mobility Client\Temp\Downloader.
- Proper NTFS permissions are (now) set on the %ProgramData%\Cisco\Cisco
AnyConnect Secure Mobility Client\ folder.
- The vpndownloader.exe executable must have vpndownloader.exe configured as
the original filename in its version information.
- When vpndownloader.exe launches additional installation files, these files
also need to have a valid Authenticode signature from Cisco Systems, Inc.
- Installation files are copied to a separate temporary folder under
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Installer
before they are executed.

In a nutshell, the auto-update mechanism works by sending a message to
the AnyConnect Agent to launch vpndownloader.exe and instruct it to
perform a certain action (as command line argument). This action is
either moving/copying a profile (XML) file to a profile folder or
launching a Cisco signed installer file.

Technically, this doesn't need to be an installer file; any Cisco signed
executable will do. When vpndownloader.exe is instructed to run an
installer file, the file is first copied to a temporary folder under
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility
Client\Temp\Installer. After the file has been copied, the digital
signature is checked, including the signer of the file. If everything
checks out, the file is launched from the temporary folder and the
folder is deleted after execution has completed.

Because the executable is copied to 

[FD] QRadar session manager path traversal vulnerability

2020-04-21 Thread Securify B.V. via Fulldisclosure

QRadar session manager path traversal vulnerability

Yorick Koster, September 2019


Abstract

A path traversal exists in the session validation functionality of
QRadar. In particular, the vulnerability is present in the part that
handles session tokens (UUIDs). QRadar fails to validate whether the
user-supplied token is in the correct format. Using path traversal it is
possible for authenticated users to impersonate other users, and also to
execute arbitrary code (via Java deserialization). The code will be
executed with the privileges of the Tomcat system user.


Tested versions

This issue was successfully verified on QRadar Community Edition [2]
version 7.3.1.6 (7.3.1 Build 20180723171558).


Fix

IBM reports that as part of the Session Authenticator rewrite, session
information is no longer stored on disk. Consequently, this issue is
mitigated in QRadar 7.3.2 Patch 3 and newer. In addition, it is stated
that this issue is resolved in QRadar Community Edition version 7.3.3
[3].


Introduction

QRadar [4] is IBM's enterprise SIEM [5] solution. A free version of
QRadar is available that is known as QRadar Community Edition [2]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

The QRadar web application supports several authentication methods,
including JAAS, basic authentication, OAuth, and token-based
authentication. The token-based authentication uses UUIDs, each of which
represents either a so-called host token or a file within the
/store/sessions/ folder. Whenever QRadar encounters a session token that
is not a host token, the sessions folder is searched for a file with the
same name. If the file exists, it is opened and its contents are
deserialized. The returned object is used to validate the user's
session. In some cases validation is performed on the provided token to
check that it is a properly formatted UUID. Several instances were found
where this validation is not done, allowing for path traversal attacks.

By exploiting this issue it would be possible for an attacker to open a
session file outside the sessions folder. A possible attack scenario
would be a low privileged user uploading a file to the QRadar server
containing a serialized session object for a different user (eg, Admin)
and thus escalating privileges to that user.

No mitigations have been implemented to prevent deserialization of other
Java objects. Consequently, it is also possible to upload a file
containing other serialized objects. An authenticated attacker can
exploit this vulnerability by uploading a specially crafted (serialized)
object, which amongst other things can result in a denial of service,
change of system settings, or execution of arbitrary code.


Details

Deserialization of the session file happens in the class
com.q1labs.core.shared.sessionmanager.SessionManager. The session file
is retrieved by calling the getFileFromToken() method of the class
com.q1labs.core.shared.sessionmanager.UserSession.

com.q1labs.core.shared.sessionmanager.UserSession:
public static File getFileFromToken(String sessionToken) {
    return new File(NVAReader.getProperty("SESSION_DIR", "/store/sessions/") + sessionToken);
}

As can be seen in the code fragment above, the provided sessionToken
argument is directly concatenated with the SESSION_DIR configuration
property (normally /store/sessions/). If the file exists, its contents
are deserialized by the SessionManager class.

com.q1labs.core.shared.sessionmanager.SessionManager:
private UserSession deserializeSession(String sessionToken) {
    UserSession retSession = null;

    try {
        File sessionFile = UserSession.getFileFromToken(sessionToken);
        if (sessionFile.exists()) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Session file exists, deserializing...");
            }

            try {
                ObjectInputStream is = new ObjectInputStream(new FileInputStream(sess

[FD] Authorization bypass in QRadar Forensics web application

2020-04-21 Thread Securify B.V. via Fulldisclosure

Authorization bypass in QRadar Forensics web application

Yorick Koster, September 2019


Abstract

It was found that any authenticated user can access & use the QRadar
Forensics web application, regardless whether they are granted
permission to use the Forensics application. This bypass only requires
that the user manually sets a cookie named QRIF with the same value as
the user's session cookie.


See also

CVE-2020-4274 [2]
6189705 [3] - IBM QRadar SIEM is vulnerable to Authorization bypass
(CVE-2020-4274)


Tested versions

This issue was successfully verified on QRadar Community Edition [4]
version 7.3.1.6 (7.3.1 Build 20180723171558).


Fix

IBM has released the following versions of QRadar in which this issue
has been resolved:

- QRadar / QRM / QVM / QNI 7.4.0 GA [5] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 [6] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 [7] (SFS)
- QRadar Incident Forensics 7.4.0 [8] (ISO)
- QRadar Incident Forensics 7.4.0 [9] (SFS)


Introduction

QRadar [10] is IBM's enterprise SIEM [11] solution. A free version of
QRadar is available that is known as QRadar Community Edition [4]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

The QRadar Forensics web application is normally only accessible for
users that are granted permission to use this application. A centralized
control that checks if the user has permission is implemented in an
include file that is included in most pages. This check can be bypassed
by sending a QRIF cookie to the application. If this cookie is present
and has the same value as the SEC cookie, the permission check is not
performed. Consequently, any authenticated user can access & use the
Forensics web application.


Details

Most PHP pages of the Forensics application (directly or indirectly)
include the PHP file includes/functions.inc.php. A number of checks have
been implemented in this file, including a check to validate the user's
session, a check to detect Cross-Site Request Forgery attacks, and a
permission check to validate if the user has permission to use the
Forensics application. This last check is implemented in the LoginUser()
method of the QRadarHelper class.

/opt/ibm/forensics/html/DejaVu/qradar_helper.php:
public function LoginUser($sessionToken, &$errorInfo)
{
    global $s, $u, $QR_HELPER_CODES;
[...]
    $qrUserHasForensicsAccess = $this->GetQRuserHasForensics($qr_user_info['username']);

The call to LoginUser() is executed from the LoginCurrentUser() method,
which in turn is called from the functions.inc.php include file.

/opt/ibm/forensics/html/includes/functions.inc.php:
require_once('DejaVu/qradar_helper.php');

if (!isset($qrh))
{
    $qrh = new QRadarHelper();

[...]
$errorMessage = "";
$userLoggedIn = $qrh->LoginCurrentUser(true, $errorMessage);

Before the call to LoginUser() is made, the LoginCurrentUser() method
first checks if it has received a QRIF cookie. If the cookie is present
and it has the same value as the SEC cookie (the session cookie), the
call to LoginUser() is not made. Not calling LoginUser() also means that
no check is made to validate whether the user has permission to use the
Forensics application.

/opt/ibm/forensics/html/DejaVu/qradar_helper.php:
public function LoginCurrentUser ($remember, &$errorInfo)
{
[...]
    if(isset($_COOKIE['QRIF']))
    {
        //if the current cookie is the same as the session token that means user hasn't changed
        //just update the expiry time
        if ($_COOKIE['QRIF'] === $this->session_token)
        {
            //if cookie is available that means it hasn't expired yet so we need to update it's expiry time
            //if cookie expiry time is set to 0 (expire with browser) then we don't update it
            if($cookieExpiryT

[FD] Arbitrary class instantiation & local file inclusion vulnerability in QRadar Forensics web application

2020-04-21 Thread Securify B.V. via Fulldisclosure

Arbitrary class instantiation & local file inclusion vulnerability in
QRadar Forensics web application

Yorick Koster, September 2019


Abstract

It was found that the QRadar Forensics web application is vulnerable to
instantiation of arbitrary objects based on user-supplied input. An
authenticated attacker can abuse this to perform various types of
attacks including Server-Side Request Forgery and (potentially)
arbitrary execution of code.

In addition, the same input is also used to include PHP files, which can
be used to include arbitrary local files. By abusing the case upload
functionality, it is possible for an authenticated user to upload a PHP
file to a known location on the system. By exploiting the local file
inclusion vulnerability it is possible to run arbitrary PHP code. This
code will be executed with the privileges of the Apache system user
(generally the nobody user).


See also

CVE-2020-4272 [2]
6189645 [3] - IBM QRadar SIEM is vulnerable to instantiation of
arbitrary objects (CVE-2020-4272)


Tested versions

This issue was successfully verified on QRadar Community Edition [4]
version 7.3.1.6 (7.3.1 Build 20180723171558).


Fix

IBM has released the following versions of QRadar in which this issue
has been resolved:

- QRadar / QRM / QVM / QNI 7.4.0 GA [5] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 [6] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 [7] (SFS)
- QRadar Incident Forensics 7.4.0 [8] (ISO)
- QRadar Incident Forensics 7.4.0 [9] (SFS)


Introduction

QRadar [10] is IBM's enterprise SIEM [11] solution. A free version of
QRadar is available that is known as QRadar Community Edition [4]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

The QRadar web application contains functionality to render various
graphs. The graph that needs to be rendered is based on user-supplied
request parameters. The correct graph and dataset classes are
dynamically loaded based on these parameters. No validation is performed
on the user-supplied parameters, allowing authenticated users to
instantiate arbitrary classes, which can be exploited to perform various
attacks including Server-Side Request Forgery and (potentially)
arbitrary execution of code via specially crafted Phar files [12].

If a dataset class is provided that has not been declared (loaded) yet,
the code tries to include the PHP file in which the class is defined.
The file name of the include file is also based on the same request
parameter. Consequently, the web application is vulnerable to local
file inclusion.

If an attacker manages to place an arbitrary PHP file on the local
system, it is possible to abuse this issue to run arbitrary PHP code. It
was found that the case upload functionality allows uploading of PHP
files to a known location, thus allowing for the execution of arbitrary
PHP code. This code will be executed with the privileges of the Apache
system user (generally the nobody user).



Details

These issues are present in the graphs.php file. This PHP file accepts a
number of request parameters, including chart, dataset, and
output_image.

/opt/ibm/forensics/html/graphs.php:
$chart = ( isset($_REQUEST['chart']) ? htmlspecialchars($_REQUEST['chart']) : null );
$dataClass = ( isset($_REQUEST['dataset']) ? htmlspecialchars($_REQUEST['dataset']) : null );
$output_image = ( isset($_REQUEST['output_image']) ? $_REQUEST['output_image'] : null );

If the output_image parameter is set to true, the PHP code will directly
try to instantiate an object with the name provided in the chart
parameter. One argument is passed to the constructor, whose value is
obtained from a request parameter with the same name as the selected
class name. If the class is successfully loaded, the drawChart() method
is called - regardless of whether this method actually exists.

/opt/ibm/forensics/html/graphs.php:

[FD] PHP object injection vulnerability in QRadar Forensics web application

2020-04-21 Thread Securify B.V. via Fulldisclosure

PHP object injection vulnerability in QRadar Forensics web application

Yorick Koster, September 2019


Abstract

A PHP object injection vulnerability was found in the QRadar Forensics
web application. The vulnerability can be triggered via a specially
crafted cookie and can be used by an authenticated attacker to execute
arbitrary commands. The commands will be executed with the privileges of
the Apache system user.


See also

CVE-2020-4271 [2]
6189651 [3] - IBM QRadar SIEM is vulnerable to PHP object injection
(CVE-2020-4271)


Tested versions

This issue was successfully verified on QRadar Community Edition [4]
version 7.3.1.6 (7.3.1 Build 20180723171558).


Fix

IBM has released the following versions of QRadar in which this issue
has been resolved:

- QRadar / QRM / QVM / QNI 7.4.0 GA [5] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 [6] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 [7] (SFS)
- QRadar Incident Forensics 7.4.0 [8] (ISO)
- QRadar Incident Forensics 7.4.0 [9] (SFS)


Introduction

QRadar [10] is IBM's enterprise SIEM [11] solution. A free version of
QRadar is available that is known as QRadar Community Edition [4]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

A PHP object injection vulnerability was found in the QRadar Forensics
web application. The vulnerability exists in the DataSetModel class and
can be triggered via a specially crafted cookie. By exploiting this
issue it is possible for authenticated users to instantiate arbitrary
PHP objects. It has been confirmed that a POP chain exists that can be
used to execute arbitrary commands. The commands will be executed with
the privileges of the Apache system user (generally the nobody user).


Details

The Forensics web application contains functionality to save graph data
in cookies. When a graph is viewed that was previously saved, the data
will be restored from the cookie value(s). Saving and restoring data is
done using PHP object serialization. The serialized data is compressed
and encoded with base64 before it is returned as a cookie to the user.
Deserialization of graph cookies is done in the restore() method of the
DataSetModel, as is shown in the code fragment below.

/opt/ibm/forensics/html/DejaVu/Reports/DataSetModel.php:
public function restore($dataKeys, $dsize) {
    if ($dsize == 0)
        // No data
        return null;

    $cookieData = '';
    foreach ($dataKeys as $dataKey) {
        if (array_key_exists($dataKey, $_COOKIE)) {
            $cookieData .= $_COOKIE[$dataKey];
            // All done, so delete the data cookie.
            setcookie($dataKey, "", time() - 3600);
        } else {
            error_log("MISSING COOKIE '$dataKey'");
            return null;
        }
    }

    $sz = strlen($cookieData);
    if ($sz != $dsize) {
        error_log("ERROR: Graph data size incorrect: expected $dsize, got $sz");
        return null;
    }

    try {
        $dataset = unserialize(gzuncompress(base64_decode($cookieData)));
        return $dataset;
    } catch (Exception $e) {
        error_log("Error deserializing session data: " . $e->getMessage());
        $dataset = null;
    }
    return null;
}

The restore() method is called in the constructor of various chart
classes, which all inherit from the BaseChart class. These chart classes
are exposed in the /forensics/graphs.php page of the Forensics web
application.

/opt/ibm/forensics/html/DejaVu/Charts.php:
abstract class BaseChart extends ParameterizedObject {
[...]
    public function __construct($params=null) {
[...]

        $dm = empty($dmodel) ? new DataSetModeler(null) : new $dmodel(null);
        if(array_key_exists('si

[FD] Local privilege escalation in QRadar due to run-result-reader.sh insecure file permissions

2020-04-21 Thread Securify B.V. via Fulldisclosure

Local privilege escalation in QRadar due to run-result-reader.sh
insecure file permissions

Yorick Koster, September 2019


Abstract

It was found that the nobody user is owner of the run-result-reader.sh
script. This script is executed by the root user's crontab. Due to this
it is possible for any process running as nobody to add commands to this
script that will be executed with root privileges. In combination with a
code execution vulnerability in QRadar's web application, this can be
used by attackers to gain full control of the QRadar system.


See also

CVE-2020-4270 [2]
6189657 [3] - IBM QRadar SIEM is vulnerable to privilege escalation
(CVE-2020-4270)


Tested versions

This issue was successfully verified on QRadar Community Edition [4]
version 7.3.1.6 (7.3.1 Build 20180723171558).


Fix

IBM has released the following versions of QRadar in which this issue
has been resolved:

- QRadar / QRM / QVM / QNI 7.4.0 GA [5] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 [6] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 [7] (SFS)
- QRadar Incident Forensics 7.4.0 [8] (ISO)
- QRadar Incident Forensics 7.4.0 [9] (SFS)


Introduction

QRadar [10] is IBM's enterprise SIEM [11] solution. A free version of
QRadar is available that is known as QRadar Community Edition [4]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

A local privilege escalation vulnerability was found in QRadar. This
vulnerability is possible because the script located at
/opt/qvm/iem/bin/run-result-reader.sh is configured with weak file
permissions. The owner of the script is set to the nobody user, which is
a low privileged system account used by various services - including
QRadar's web application.

The script is also started by the root user's crontab. This means that
if an attacker manages to gain access to the QRadar system as the nobody
user, it would be possible to escalate privileges to root. This is for
example possible by exploiting a code execution vulnerability in
QRadar's web application.


Details

The crontab of the root user contains various entries to run commands on
different moments. One of these entries will run the
run-result-reader.sh script every 20 minutes:

# crontab -l

[...]

# Update the Endpoint Manager Fixlet Action Results
*/20 * * * * /opt/qvm/iem/bin/run-result-reader.sh  > /var/log/iem-cron.log 2>&1

This script is owned by the nobody user, meaning that this user fully
controls the script and thus fully controls which commands will be
executed.

# ls -la /opt/qvm/iem/bin/run-result-reader.sh
-rwxr-xr-x 1 nobody nobody 2592 Sep 12 17:40 /opt/qvm/iem/bin/run-result-reader.sh

If the (modified) script is run from root's crontab, the commands within
the script will be executed with root privileges. Due to this it is
possible for the nobody user to exploit this issue to gain root
privileges and gain full control of the QRadar system.


References

[1] https://www.securify.nl/advisory/SFY20200405/local-privilege-escalation-in-qradar-due-to-run-result-reader_sh-insecure-file-permissions.html
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4270
[3] https://www.ibm.com/support/pages/node/6189657
[4] https://developer.ibm.com/qradar/ce/
[5] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QRSIEM-20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http
[6] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.3-QRADAR-QRSIEM-20200409085709&includeR

[FD] Reflected Cross-Site Scripting in QRadar Forensics link analysis page

2020-04-21 Thread Securify B.V. via Fulldisclosure

Reflected Cross-Site Scripting in QRadar Forensics link analysis page

Yorick Koster, September 2019


Abstract

The QRadar Forensics PHP web application contains a page that is
vulnerable to reflected Cross-Site Scripting. This issue exists due to
the lack of encoding of the single-quote character and can be triggered
without authentication.

This vulnerability allows an attacker to perform a wide variety of
actions such as performing arbitrary actions on the victim's behalf or
presenting a fake login screen to collect usernames and passwords. In
order to exploit this issue, the attacker has to lure a victim into
opening a specially crafted link and pressing a key combination - making
a successful attack less likely.


Tested versions

This issue was successfully verified on QRadar Community Edition [2]
version 7.3.1.6 (7.3.1 Build 20180723171558).


Fix

IBM reports that QRadar 7.3.2 Patch 6 is not affected by this
vulnerability. In addition, it is stated that this issue is resolved in
QRadar Community Edition version 7.3.3 [3].


Introduction

QRadar [4] is IBM's enterprise SIEM [5] solution. A free version of
QRadar is available that is known as QRadar Community Edition [2]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

The QRadar Forensics PHP web application contains a page that is
vulnerable to reflected Cross-Site Scripting. This issue exists because
the single-quote character is not encoded, and it can be triggered
without authentication.

This vulnerability allows an attacker to perform a wide variety of
actions such as performing arbitrary actions on the victim's behalf or
presenting a fake login screen to collect usernames and passwords. In
order to exploit this issue, the attacker has to lure a victim into
opening a specially crafted link and pressing a key combination - making
a successful attack less likely. 


Details

The vulnerability exists in the LinkAnalysis.php page, located in
/opt/ibm/forensics/html/DejaVu/. The page accepts three request
parameters that are reflected in hidden input fields. Their values are
then used to open a new window to load the LinkAnalysisServlet Servlet.
The page itself appears to be old unused code, however it is still
exposed.

/opt/ibm/forensics/html/DejaVu/LinkAnalysis.php:




var solrQuery = document.getElementById('solrQuery').value;
var solrDocs = document.getElementById('solrDocs').value;
var solrRows = document.getElementById('solrRows').value;

window.onload = function() {
    window.open('$servletURL?solrURL=$solrURL&solrQuery='+solrQuery+'&solrDocs='+solrDocs+'&solrRows='+solrRows', '_self')
}
 
[...]

The code above uses the htmlentities() [6] function to escape HTML
characters. The flags argument is not provided, so the default applies;
in PHP versions before 8.1 that default is ENT_COMPAT, which encodes the
double-quote character but leaves the single-quote character untouched.

The values of the request parameters are reflected between single-quotes
and consequently it is possible to break out of the value attribute and
inject additional attributes in the hidden input field. It isn't
possible to inject other HTML tags as the greater-than and less-than
characters are encoded by htmlentities().

Exploiting Cross-Site Scripting vulnerabilities within hidden fields can
be a bit tricky. A method has been described by Gareth Heyes [7] in the
article XSS in hidden input fields [8]. Essentially it requires that the
victim is enticed to press a certain key combination (the one bound by an
injected accesskey attribute). This behavior is also browser [9] and OS
dependent. As the attacker also needs to lure a victim into opening a
specially crafted link, exploiting this issue may prove to be difficult.

This issue can be demonstrated using the proof of concept below. When
loading this URL in Firefox, the victim needs to press Alt+Shift+X
(Windows/Linux) or Ctrl+Alt+X (macOS).

https:///forensics/DejaVu/LinkAnalysis.php?solrQuery=%27%20accesskey=X%20onclick=%27alert(document.cookie)
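
To make the encoding point concrete, the following is an added example (not
code from the advisory or from QRadar): two small Python re-implementations of
htmlentities() behaviour, one with the ENT_COMPAT set of characters (the
default before PHP 8.1) and one with ENT_QUOTES, a template that reflects a
value inside a single-quoted attribute the way LinkAnalysis.php does, and the
standard-library HTML parser standing in for the browser to show which
attributes actually end up on the element. The payload is the one from the
proof of concept above.

```python
from html.parser import HTMLParser
from typing import Callable, List, Tuple

# Python stand-ins for PHP's htmlentities(); they are not PHP itself.
# ENT_COMPAT (the default flags in PHP < 8.1): &, <, > and the double quote only.
def htmlentities_compat(s: str) -> str:
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))

# ENT_QUOTES: the same set plus the single quote, which PHP emits as &#039;.
def htmlentities_quotes(s: str) -> str:
    return htmlentities_compat(s).replace("'", "&#039;")

def render_hidden_input(name: str, value: str, encode: Callable[[str], str]) -> str:
    """Mirrors the vulnerable template: the reflected value sits between single quotes."""
    return f"<input type='hidden' id='{name}' value='{encode(value)}'>"

class _AttrCollector(HTMLParser):
    """Collects the attributes of every start tag, as a browser would tokenise them."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: List[Tuple[str, str]] = []
    def handle_starttag(self, tag, attrs):
        self.attrs.extend((k, v if v is not None else "") for k, v in attrs)

def parse_attributes(fragment: str) -> List[Tuple[str, str]]:
    p = _AttrCollector()
    p.feed(fragment)
    p.close()
    return p.attrs

# The payload from the proof-of-concept URL above, URL-decoded.
PAYLOAD = "' accesskey=X onclick='alert(document.cookie)"

def injected_attributes(encode: Callable[[str], str]) -> List[str]:
    """Names of attributes on the rendered element that the template never emitted."""
    attrs = parse_attributes(render_hidden_input("solrQuery", PAYLOAD, encode))
    return [k for k, _ in attrs if k not in ("type", "id", "value")]

if __name__ == "__main__":
    print("ENT_COMPAT:", injected_attributes(htmlentities_compat))   # ['accesskey', 'onclick']
    print("ENT_QUOTES:", injected_attributes(htmlentities_quotes))   # []
```

With the ENT_COMPAT behaviour the attacker's text closes the value attribute
and the parser sees two new attributes, accesskey and onclick; with ENT_QUOTES
the whole payload stays inside the value. The fix in PHP is therefore to pass
the flags explicitly, htmlentities($value, ENT_QUOTES, 'UTF-8'), rather than
rely on a version-dependent default.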


[FD] Cross-Site Request Forgery & weak access control in QRadar ConfigServices webservice

2020-04-21 Thread Securify B.V. via Fulldisclosure

Cross-Site Request Forgery & weak access control in QRadar
ConfigServices webservice

Yorick Koster, September 2019


Abstract

The QRadar web application is deployed with Apache Axis to expose a
number of SOAP services. No measures have been implemented in Axis
and/or QRadar to prevent Cross-Site Request Forgery attacks against
these webservices. Due to this it is possible for an attacker to call
any exposed service via Cross-Site Request Forgery. A successful attack
requires that the attacker tricks/forces a logged in victim to visit the
attacker's specially crafted URL.

Besides the lack of Cross-Site Request Forgery protection, most methods
also lack proper access control checks. A handful of these methods
perform some form of access control, but most methods can be called by
any authenticated user. This could for example be used by a logged in
attacker to gain access to sensitive information (eg, login
credentials).


Tested versions

This issue was successfully verified on QRadar Community Edition [2]
version 7.3.1.6 (7.3.1 Build 20180723171558).


Fix

IBM reports that Apache Axis is no longer used and that this issue has
therefore been resolved in upstream builds. In addition, it is stated
that this issue is resolved in QRadar Community Edition version 7.3.3 [3].


Introduction

QRadar [4] is IBM's enterprise SIEM [5] solution. A free version of
QRadar is available that is known as QRadar Community Edition [2]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

The QRadar web application is deployed with Apache Axis [6] to expose a
number of SOAP services. By default, Axis allows users to call the SOAP
services via a GET request. The GET request is internally converted to a
SOAP envelope, before it is processed by Axis. No measures have been
implemented in Axis and/or QRadar to prevent Cross-Site Request Forgery
attacks against the webservices exposed by Axis. Due to this it is
possible for an attacker to call any exposed service via Cross-Site
Request Forgery. A successful attack requires that the attacker
tricks/forces a logged in victim to visit the attacker's specially
crafted URL.

Besides the lack of Cross-Site Request Forgery protection, most methods
also lack proper access control checks. A handful of these methods
perform some form of access control, but most methods can be called by
any authenticated user. This could for example be used by a logged in
attacker to gain access to sensitive information.

By calling the getNvaProperty() method, it is possible to retrieve any
'NVA' configuration setting. Sensitive settings, like passwords, are
stored encrypted, however there is also a getDecrypted() method that
allows these values to be decrypted. Some passwords are reused for
different services, which also allows users to elevate their own
privileges. For example, the property jpa.connection.password is used
for connecting to PostgreSQL, but is also used as the password for the
ConfigServices account.


Details

Apache Axis provides a SOAP implementation, services can be configured
in various ways. In case of QRadar the services are configured in the
server-config.wsdd file, located under WEB-INF. Three service classes
are currently configured:

- AdminService
- Version
- configservices

The first two are distributed with Axis, the latter one is custom for
QRadar. The AdminService allows for deploying and undeploying of web
services, however it is configured to only be accessible from
localhost.

The implementation of the configservices webservice can be found in the
class com.q1labs.configservices.core.ConfigurationServices. Any public
method in this class can be called through Axis. The webservice is
mapped to the path /console/services/configservices. There are two ways
to call these methods:

- POST request containing a SOAP envelope. The first tag in the SOAP
body should have the same name as the method that needs to be invoked.
Method parameters are provided as child elements within this tag.
- GET request; the URL parameters are converted

[FD] QRadar RssFeedItem Server-Side Request Forgery vulnerability

2020-04-21 Thread Securify B.V. via Fulldisclosure

QRadar RssFeedItem Server-Side Request Forgery vulnerability

Yorick Koster, September 2019


Abstract

The RssFeedItem class of the QRadar web application is used to fetch and
parse RSS feeds. No validation is performed on the user-supplied RSS
feed URL. Due to the lack of URL validation (whitelisting), it is
possible for authenticated attackers to execute Server-Side Request
Forgery attacks. Using this issue it is possible to call the Apache Axis
AdminService webservice in order to execute arbitrary code with the
privileges of the Tomcat user.


See also

CVE-2020-4294 [2]
6189663 [3] - IBM QRadar SIEM is vulnerable to Server-Side Request
Forgery (SSRF) (CVE-2020-4294)


Tested versions

This issue was successfully verified on QRadar Community Edition [4]
version 7.3.1.6 (7.3.1 Build 20180723171558).


Fix

IBM has released the following versions of QRadar in which this issue
has been resolved:

- QRadar / QRM / QVM / QNI 7.4.0 GA [5] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 [6] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 [7] (SFS)
- QRadar Incident Forensics 7.4.0 [8] (ISO)
- QRadar Incident Forensics 7.4.0 [9] (SFS)


Introduction

QRadar [10] is IBM's enterprise SIEM [11] solution. A free version of
QRadar is available that is known as QRadar Community Edition [4]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

The RssFeedItem class of the QRadar web application is used to fetch and
parse (and cache) RSS feeds. The class is exposed in the JSON-RPC
interface via the qradar.getRssFeedItem method. This method can be
called by any authenticated user, no special privileges are required.
RSS feeds are fetched using the Apache Commons HttpClient class, no
validation is performed on the user-supplied URL. Due to the lack of URL
validation (whitelisting), it is possible for authenticated attackers to
execute Server-Side Request Forgery attacks.


Details

Authenticated users can trigger the Server-Side Request Forgery
vulnerability by making a JSON-RPC call with the method set to
qradar.getRssFeedItem. This call is mapped to
com.q1labs.qradar.ui.dashboard.RssFeedItem.getRssFeedItem() and takes
one parameter named feedURL. Any valid URL can be passed to this method.

com.q1labs.qradar.ui.dashboard.RssFeedItem:
public class RssFeedItem extends DashboardItem {
    [...]

    public static DashboardItem getRssFeedItem(PageContext pageContext, String feedURL) throws Exception {
        sessionContext = RequestUtils.getSessionContext((HttpServletRequest)pageContext.getRequest());
        RssFeedItem cachedItem = (RssFeedItem)feedCache.get(feedURL);
        cachedItem = null;
        if (cachedItem == null || System.currentTimeMillis() - cachedItem.lastUpdateTime >= 60L) {
            cachedItem = new RssFeedItem(pageContext, feedURL);
            feedCache.put(feedURL, cachedItem);
        }

        return cachedItem;
    }

No validation is done on the user-supplied URL; it is passed directly to
HttpClient, which makes a GET request to it. This behavior allows for
Server-Side Request Forgery. The returned HTTP response is parsed as an
RSS feed; if the response isn't a valid RSS feed, an error is returned to
the user. The attacker therefore cannot read the HTTP response (the SSRF
is blind), but the GET request is still executed. By abusing this
vulnerability an authenticated attacker can make GET requests to services
that are normally not accessible, including webservices of QRadar that
can only be accessed from the local machine.
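
The URL allow-list check that the advisory says is missing, written as an
added example (not IBM's code) of what should run before feedURL is handed to
HttpClient. The allowed hosts are constructed for the example. Besides the
host allow-list, the check refuses non-HTTP schemes, embedded credentials, IP
literals in loopback, link-local, private and reserved ranges, and
non-default ports, so a feed URL pointing at a localhost-only service such as
the Axis AdminService is rejected before any request is made.

```python
import ipaddress
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed allow-list; in a real deployment this would be an admin-managed setting.
ALLOWED_FEED_HOSTS = {"feeds.example.org", "www.ibm.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}   # None = the scheme's default port


def _forbidden_ip_literal(host: str) -> bool:
    """True if `host` is an IP literal in a range a feed fetcher must never reach."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not a literal; the allow-list decides
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def feed_url_problem(url: str, allowed_hosts: Iterable[str] = ALLOWED_FEED_HOSTS) -> Optional[str]:
    """Return why `url` must not be fetched server-side, or None if it is acceptable."""
    try:
        parts = urlsplit(url)
        port = parts.port                       # raises ValueError on "host:abc"
    except ValueError as exc:
        return f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return "credentials in URL are not allowed"   # foils http://allowed.host@127.0.0.1/
    host = parts.hostname                       # lower-cased, IPv6 brackets stripped
    if not host:
        return "missing host"
    if _forbidden_ip_literal(host):
        return f"address range not allowed: {host}"
    if host.rstrip(".") not in {h.lower() for h in allowed_hosts}:
        return f"host not on allow-list: {host}"
    if port not in ALLOWED_PORTS:
        return f"port not allowed: {port}"
    return None


def validate_feed_url(url: str, allowed_hosts: Iterable[str] = ALLOWED_FEED_HOSTS) -> str:
    """Gate to call before the fetch; raises ValueError on anything suspicious."""
    problem = feed_url_problem(url, allowed_hosts)
    if problem:
        raise ValueError(problem)
    return url


if __name__ == "__main__":
    for u in ("https://feeds.example.org/rss.xml",
              "http://127.0.0.1:8080/axis/services/AdminService",
              "http://feeds.example.org@127.0.0.1/",
              "http://169.254.169.254/latest/meta-data/",
              "file:///etc/passwd"):
        print(f"{u:50} -> {feed_url_problem(u) or 'OK'}")
```

A hostname allow-list is the right shape for a dashboard feed, where the set
of legitimate sources is small and known. If the requirement were instead
"any public URL", a deny-list of address ranges on its own is not enough: the
checker would have to resolve the name itself, test every returned address,
and connect to the address it checked, otherwise a DNS answer that changes
between check and fetch reopens the hole. If the fetcher follows redirects,
each redirect target needs the same check.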

com.q1labs.qradar.ui.dashboard.RssFeedItem:
public RssFeedItem(PageContext pageContext, String rssURLString) {
    GetMethod getMethod = null;
    Locale locale = LocaleUtil.getLocale((HttpServletRequest)pageContext.getRequest());

[FD] Unauthorized access to QRadar configuration sets via default password

2020-04-21 Thread Securify B.V. via Fulldisclosure

Unauthorized access to QRadar configuration sets via default password

Yorick Koster, September 2019


Abstract

QRadar is deployed with a default password for the ConfigServices
account. Using this default password it is possible to download
configuration sets containing sensitive information, including
(encrypted) credentials and host tokens. With these host tokens it is
possible to access other parts of QRadar.


See also

CVE-2020-4269 [2]
6189711 [3] - IBM QRadar SIEM contains hard-coded credentials
(CVE-2020-4269)


Tested versions

This issue was successfully verified on QRadar Community Edition [4]
version 7.3.1.6 (7.3.1 Build 20180723171558).


Fix

IBM has released the following versions of QRadar in which this issue
has been resolved:

- QRadar / QRM / QVM / QNI 7.4.0 GA [5] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 [6] (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 [7] (SFS)
- QRadar Incident Forensics 7.4.0 [8] (ISO)
- QRadar Incident Forensics 7.4.0 [9] (SFS)

As a workaround it is possible to remove or disable the configservices
account in the file /opt/qradar/conf/users.conf.


Introduction

QRadar [10] is IBM's enterprise SIEM [11] solution. A free version of
QRadar is available that is known as QRadar Community Edition [4]. This
version is limited to 50 events per second and 5,000 network flows a
minute, supports apps, but is based on a smaller footprint for
non-enterprise use.

So-called configuration sets can be downloaded via the web interface.
These sets are normally only accessible for the ConfigServices user. It
was found that QRadar is deployed with a default password for the
ConfigServices account. Using this default password it is possible to
download configuration sets containing sensitive information, including
(encrypted) credentials and host tokens. With these host tokens it is
possible to access other parts of QRadar.


Details

The Apache configuration for the QRadar web interface contains a
configuration alias that maps to the
/store/configservices/configurationsets folder. This folder is protected
with the mod_authn_file [12] Apache Module. The only user that is
allowed through is the configservices user.

/etc/httpd/conf.d/configservices_httpd.conf:
Alias /configuration /store/configservices/configurationsets

AuthType Basic
AuthUserFile  /opt/qradar/conf/users.conf
AuthName "Identification"
Options Indexes Includes FollowSymLinks MultiViews ExecCGI
AllowOverride All


require user configservices



The password for this user is set in the file
/opt/qradar/conf/users.conf. The password is protected with the
traditional (DES-based) crypt algorithm, and the crypted password is the
same for all QRadar installations.

/opt/qradar/conf/users.conf:
admin:null:ALL:root@localhost:Admin:
configservices:/wEPae8TzCqmM:ALL::ConfigServices:

Cracking the crypted password quickly reveals that the corresponding
password is qradar:

$ python -c 'import crypt; print(crypt.crypt("qradar", "/w"))'
/wEPae8TzCqmM

With the found password it is now possible to download the configuration
set from the web server:

$ curl --insecure --user configservices:qradar
https:///configuration/globalset_list.xml

It should be noted that the default password of the configservices user
only works for the configuration alias as configured in Apache. Recent
versions of QRadar still use the ConfigServices user in other parts of
the web interface. These parts either use a random password (stored in
PostgreSQL) or a so-called host token (via the SEC header or cookie).
However, using the default password it is possible to retrieve the value
of this host token and thus gain access to other parts of QRadar.

$ curl --insecure --user configservices:qradar -o /tmp/zipfile_GEN.full.zip \
    https:///configuration/zipfile_GEN.full.zip
$ unzip -p /tmp/zipfile_GEN.full.zip /host_tokens.masterlist | grep 'CONSOLE_HOSTCONTEXT='
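
The known-hash check a defender would add to a baseline audit, as an example
added here (not the advisory's or IBM's code): parse users.conf, flag any
account whose stored hash is the default quoted above, optionally re-derive
it with crypt(3) the way the one-liner above does, and produce the file with
the account removed, which is the workaround given above. The sample file
contents are constructed from the listing above. The crypt re-check is best
effort because Python's crypt module was deprecated in 3.11 and removed in
3.13, and some libc builds no longer implement DES.

```python
from typing import Dict, Iterable, List, NamedTuple, Optional

# The crypt(3) hash quoted above; the advisory states it is identical on every
# affected installation, so its presence in users.conf is itself the indicator.
KNOWN_DEFAULT_HASHES: Dict[str, str] = {"/wEPae8TzCqmM": "qradar"}

# Constructed sample, equal to the users.conf contents quoted above.
SAMPLE_USERS_CONF = """\
admin:null:ALL:root@localhost:Admin:
configservices:/wEPae8TzCqmM:ALL::ConfigServices:
"""


class UserEntry(NamedTuple):
    name: str
    pw_hash: str      # 'null' = no password; 13 chars with a 2-char salt prefix = DES crypt
    roles: str
    email: str
    display: str


def parse_users_conf(text: str) -> List[UserEntry]:
    """Parse the colon-separated users.conf format (name:hash:roles:email:display:)."""
    entries: List[UserEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            raise ValueError(f"malformed users.conf line: {line!r}")
        entries.append(UserEntry(*fields[:5]))
    return entries


def find_default_credentials(text: str) -> Dict[str, str]:
    """Account name -> cleartext password for every entry whose hash is a known default.
    A plain string comparison, so it needs no working DES crypt() at run time."""
    return {e.name: KNOWN_DEFAULT_HASHES[e.pw_hash]
            for e in parse_users_conf(text) if e.pw_hash in KNOWN_DEFAULT_HASHES}


def verify_with_crypt(password: str, pw_hash: str) -> Optional[bool]:
    """Re-derive the hash as the advisory's one-liner does. Returns None when the check
    cannot be performed: no crypt module (removed in Python 3.13) or a libc that no
    longer implements DES (crypt() then fails or returns a '*'-prefixed failure token)."""
    try:
        import crypt  # deprecated since Python 3.11
    except ImportError:
        return None
    try:
        derived = crypt.crypt(password, pw_hash[:2])
    except OSError:
        return None
    if derived is None or derived.startswith("*"):
        return None
    return derived == pw_hash


def remove_accounts(text: str, names: Iterable[str]) -> str:
    """users.conf text with the named accounts removed."""
    drop = set(names)
    kept = [ln for ln in text.splitlines() if ln.split(":", 1)[0] not in drop]
    return "\n".join(kept) + ("\n" if kept else "")


if __name__ == "__main__":
    for e in parse_users_conf(SAMPLE_USERS_CONF):
        if e.pw_hash in KNOWN_DEFAULT_HASHES:
            pw = KNOWN_DEFAULT_HASHES[e.pw_hash]
            print(f"{e.name}: default password {pw!r} (crypt re-check: {verify_with_crypt(pw, e.pw_hash)})")
    print("--- hardened users.conf ---")
    print(remove_accounts(SAMPLE_USERS_CONF, find_default_credentials(SAMPLE_USERS_CONF)), end="")
```

Comparing the stored hash against the known default is the dependable part of
this check: it works on any Python and does not depend on the host's crypt
implementation. Removing the account closes the Basic-auth path into the
/configuration alias, but as the advisory notes the same account name is
still used elsewhere with a random password or a host token, so the audit
should also confirm the ConfigServices token has not already been retrieved.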


[FD] ZoneAlarm TrueVector Internet Monitor service insecure NTFS permissions vulnerability

2020-03-17 Thread Securify B.V. via Fulldisclosure

ZoneAlarm TrueVector Internet Monitor service insecure NTFS permissions
vulnerability

Yorick Koster, December 2019


Abstract

A vulnerability was found in the TrueVector Internet Monitor service,
which is installed as part of the Check Point ZoneAlarm firewall. This
vulnerability allows a local attacker to cause the affected service to
change the file permissions of arbitrary local files. After the file
permissions have been changed, the attacker can then overwrite its
content, and ultimately gain elevated privileges on the vulnerable
machine.


Tested version

This vulnerability was successfully verified on ZoneAlarm Free Firewall
v15.8.023.18219/TrueVector Internet Monitor v15.8.7.18219.


Fix

Check Point released new versions of ZoneAlarm Firewall that fix this
vulnerability. The latest version of ZoneAlarm Free Firewall
(v15.8.043.18324) can be obtained from
https://www.zonealarm.com/software/free-firewall/download.

The 2020-03 Cumulative Update [2] for Windows 10 adds hardlink
mitigations. After installing this update, Windows will require write
access on the target file otherwise the hardlink won't be created.
Requiring write access on the target file also mitigates this issue.


Introduction

A vulnerability was found in the TrueVector Internet Monitor service,
which is installed as part of the Check Point ZoneAlarm firewall. This
vulnerability allows a local attacker to cause the affected service to
change the file permissions of arbitrary local files. After the file
permissions have been changed, the attacker can then overwrite its
content, and ultimately gain elevated privileges on the vulnerable
machine.


Vulnerability details

The TrueVector Internet Monitor service runs as LocalSystem and
periodically creates a number of backup files within the
%ProgramData%\CheckPoint\ZoneAlarm\Data\ folder. When these files are
created, their file permissions are explicitly set to Full Control for
Authenticated Users. A local attacker can create a hardlink with the
same name as one of the backup files, causing the permissions of the
hardlink's target file to be changed instead.

After the file permissions have been changed, the attacker can then
overwrite its content, and ultimately gain elevated privileges on the
vulnerable machine. Hardlinks can be created using James Forshaw's [3]
CreateHardlink [4] tool.

CreateHardlink.exe "%ProgramData%\CheckPoint\ZoneAlarm\Data\bu_tosave.ndb" "%SystemRoot%\win.ini"
CreateHardlink.exe "%ProgramData%\CheckPoint\ZoneAlarm\Data\bu_todelete.ndb" "%SystemRoot%\win.ini"


References

[1] 
https://www.securify.nl/advisory/SFY20200317/zonealarm-truevector-internet-monitor-service-insecure-ntfs-permissions-vulnerability.html
[2] https://www.catalog.update.microsoft.com/Search.aspx?q=KB4540673
[3] https://twitter.com/tiraniddo
[4] 
https://github.com/googleprojectzero/symboliclink-testing-tools/tree/master/CreateHardlink


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Ivanti Workspace Control Application Whitelist bypass via PowerGrid /SEE command line argument

2018-10-01 Thread Securify B.V. via Fulldisclosure


Ivanti Workspace Control Application Whitelist bypass via PowerGrid /SEE
command line argument

Yorick Koster, August 2018


Abstract

It was found that the PowerGrid application can be used to run arbitrary
commands via the /SEE command line option. An attacker can abuse this
issue to bypass Application Whitelisting in order to run arbitrary code
on the target machine.


Tested versions

This issue was successfully verified on Ivanti Workspace Control version
10.2.950.0.


Fix

This issue is mitigated in Ivanti Workspace Control version 10.3.0.0.
The fix included in this version prevents the creation of XML files
within the WMTemp folder, effectively preventing this issue from being
exploited.


Details

https://www.securify.nl/advisory/SFY20180806/ivanti-workspace-control-application-whitelist-bypass-via-powergrid-_see-command-line-argument.html


[FD] Stored credentials Ivanti Workspace Control can be retrieved from Registry

2018-10-01 Thread Securify B.V. via Fulldisclosure


Stored credentials Ivanti Workspace Control can be retrieved from
Registry

Yorick Koster, August 2018


Abstract

A flaw was found in Workspace Control that allows a local unprivileged
user to retrieve the database or Relay server credentials from the
Windows Registry. These credentials are encrypted, however the
encryption that is used is reversible.


Tested versions

This issue was successfully verified on Ivanti Workspace Control version
10.2.700.1 & 10.2.950.0.


Fix

This issue was resolved in Ivanti Workspace Control version 10.3.10.0.


Details

https://www.securify.nl/advisory/SFY20180804/stored-credentials-ivanti-workspace-control-can-be-retrieved-from-registry.html



[FD] Ivanti Workspace Control Data Security bypass via localhost UNC path

2018-10-01 Thread Securify B.V. via Fulldisclosure


Ivanti Workspace Control Data Security bypass via localhost UNC path

Yorick Koster, August 2018


Abstract

Ivanti Workspace Control contains a flaw where it is possible to access
folders that should be protected by Data Security. A local attacker can
bypass these restrictions using localhost UNC paths. Depending on the
NTFS permissions it may be possible for local users to access files and
folders that should be protected using Data Protection.


Tested versions

This issue was successfully verified on Ivanti Workspace Control version
10.2.700.1 & 10.2.950.0.


Fix

This issue was resolved in Ivanti Workspace Control version 10.3.0.0.


Details

https://www.securify.nl/advisory/SFY20180803/ivanti-workspace-control-data-security-bypass-via-localhost-unc-path.html



[FD] Ivanti Workspace Control local privilege escalation via Named Pipe

2018-10-01 Thread Securify B.V. via Fulldisclosure


Ivanti Workspace Control local privilege escalation via Named Pipe

Yorick Koster, August 2018


Abstract

It was found that Ivanti Workspace Control allows a local (unprivileged)
attacker to run arbitrary commands with Administrator privileges. This
issue can be exploited by spawning a new Composer process, injecting a
malicious thread in this process. This thread connects to a Named Pipe
and sends an instruction to a service to launch an attacker-defined
application with elevated privileges.


Tested versions

This issue was successfully verified on Ivanti Workspace Control version
10.2.700.1 & 10.2.950.0.


Fix

This issue was resolved in Ivanti Workspace Control version 10.3.10.0.


Details

https://www.securify.nl/advisory/SFY20180802/ivanti-workspace-control-local-privilege-escalation-via-named-pipe.html



[FD] Ivanti Workspace Control Application Whitelist bypass via PowerGrid /RWS command line argument

2018-10-01 Thread Securify B.V. via Fulldisclosure


Ivanti Workspace Control Application Whitelist bypass via PowerGrid /RWS
command line argument

Yorick Koster, August 2018


Abstract

It was found that the PowerGrid application will execute rundll32.exe
from a relative path when it is started with the /RWS command line
option. An attacker can abuse this issue to bypass Application
Whitelisting in order to run arbitrary code on the target machine.


Tested versions

This issue was successfully verified on Ivanti Workspace Control version
10.2.700.1.


Fix

This issue was resolved in Ivanti Workspace Control version 10.2.950.0.
PowerGrid now uses the GetSystemDirectory() function to construct an
absolute path to rundll32.exe.


Details

https://www.securify.nl/advisory/SFY20180801/ivanti-workspace-control-application-whitelist-bypass-via-powergrid-_rws-command-line-argument.html



[FD] Authentication bypass vulnerability in Western Digital My Cloud allows escalation to admin privileges

2018-09-18 Thread Securify B.V. via Fulldisclosure


Authentication bypass vulnerability in Western Digital My Cloud allows
escalation to admin privileges

Remco Vermeulen, September 2018


Abstract

It was discovered that the Western Digital My Cloud is affected by an
authentication bypass vulnerability. An unauthenticated attacker can
exploit this vulnerability to authenticate as an admin user without
needing to provide a password, thereby gaining full control of the My
Cloud device.


References

CVE-2018-17153


Tested versions

This vulnerability was successfully verified on a Western Digital My
Cloud model WDBCTL0020HWT running firmware version 2.30.172. This issue
is not limited to the model that was used to find this vulnerability
since most of the products in the My Cloud series share the same
(vulnerable) code.


Fix

There is currently no fix available.


Details

https://www.securify.nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html


[FD] Cross-Site Scripting vulnerability in Zimbra Collaboration Suite due to the way it handles attachment links

2018-03-24 Thread Securify B.V. via Fulldisclosure


Cross-Site Scripting vulnerability in Zimbra Collaboration Suite due to
the way it handles attachment links

Stephan Kaag, January 2018


Abstract

A Cross-Site Scripting (XSS) vulnerability was found in Zimbra
Collaboration Suite (ZCS). This issue allows an attacker to perform a
wide variety of actions such as performing arbitrary actions on the
victim's behalf or presenting a fake login screen to collect usernames
and passwords. In order to exploit this issue, the attacker has to lure a
victim into opening a specially crafted email in ZCS.


See also

- CVE-2018-6882
- https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7
- https://bugzilla.zimbra.com/show_bug.cgi?id=108786
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories


Tested versions

This issue was successfully tested on ZCS 8.7.11_GA_1854 (build
20170531151956). It is however likely that this issue is present in all
versions of ZCS from version 8.5.0 on.


Fix

The issue is fixed in Zimbra Collaboration Suite version 8.8.7.


Details

https://www.securify.nl/advisory/SFY20180101/cross-site-scripting-vulnerability-in-zimbra-collaboration-suite-due-to-the-way-it-handles-attachment-links.html


[FD] Authentication bypass in Kaseya VSA

2018-01-13 Thread Securify B.V. via Fulldisclosure


Authentication bypass in Kaseya VSA

Kin Hung Cheng, Robert Hartshorn, May 2017


Abstract

A security vulnerability was found in Kaseya VSA that allows users to
view remote computers that they are not authorised to view. Using this
vulnerability, a user that is authorised to view at least one remote
computer can view every machine in the Kaseya application.


Tested versions

This issue was successfully tested on version R9.2


Fix

Patch to the latest version of VSA.


Details

https://www.securify.nl/advisory/SFY20170504/authentication-bypass-in-kaseya-vsa.html


[FD] Code execution in Kaseya VSA

2018-01-13 Thread Securify B.V. via Fulldisclosure


Code execution in Kaseya VSA

Kin Hung Cheng, Robert Hartshorn, May 2017


Abstract

A security vulnerability was found in the Kaseya VSA file upload
functionality. Using this vulnerability, an authenticated user in a
Kaseya VSA environment is able to upload arbitrary files onto the
server. This can lead to remote code execution via an ASP shell.


Tested versions

This issue was successfully tested on version 9.2


Fix

Patch to the latest version of VSA.


Details

https://www.securify.nl/advisory/SFY20170503/code-execution-in-kaseya-vsa.html


[FD] Arbitrary file read in Kaseya VSA

2018-01-13 Thread Securify B.V. via Fulldisclosure


Arbitrary file read in Kaseya VSA

Kin Hung Cheng, Robert Hartshorn, May 2017


Abstract

A security vulnerability was found in the Kaseya VSA file download
functionality. Using this vulnerability, an authenticated user in a
Kaseya VSA environment is able to download arbitrary files from the
server (including Kaseya source code, database backups, configuration
files, and even Windows system files).


Tested versions

This issue was successfully tested on version R9.2


Fix

Patch to the latest version of VSA.


Details

https://www.securify.nl/advisory/SFY20170502/arbitrary-file-read-in-kaseya-vsa.html


[FD] Clickjacking vulnerability in CSRF error page pfSense

2017-11-22 Thread Securify B.V. via Fulldisclosure


Clickjacking vulnerability in CSRF error page pfSense

Yorick Koster, November 2017


Abstract

pfSense is a free and open source firewall and router. It was found that
the pfSense WebGUI is vulnerable to Clickjacking. By tricking an
authenticated admin into interacting with a specially crafted webpage it
is possible for an attacker to execute arbitrary code in the WebGUI.
Since the WebGUI runs as the root user, this will result in a full
compromise of the pfSense instance.


Tested versions

This issue was successfully tested on pfSense version 2.4.1.


Fix

pfSense 2.4.2-RELEASE was released that addresses the Clickjacking
issue.


Details

https://www.securify.nl/advisory/SFY20171101/clickjacking-vulnerability-in-csrf-error-page-pfsense.html


[FD] Xamarin Studio for Mac API documentation update affected by local privilege escalation

2017-08-14 Thread Securify B.V. via Fulldisclosure


Xamarin Studio for Mac API documentation update affected by local
privilege escalation

Yorick Koster, April 2017


Abstract

Xamarin Studio is an Integrated Development Environment (IDE) used to
create iOS, Mac and Android applications. Xamarin Studio supports
developments in C# and F# (by default). The API documentation update
mechanism of Xamarin Studio for Mac is installed as setuid root. This
update mechanism contains several flaws that could be leveraged by a
local attacker to gain elevated (root) privileges.


See also

- CVE-2017-8665
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8665



Tested versions

This issue was successfully verified on Xamarin Studio for Mac version
6.2.1 (build 3) and version 6.3 (build 863).


Fix

Microsoft released a new version of Xamarin.iOS that addresses this
issue:
https://support.microsoft.com/en-us/help/4037359


Details

https://www.securify.nl/advisory/SFY20170403/xamarin-studio-for-mac-api-documentation-update-affected-by-local-privilege-escalation.html



[FD] Buffer over-read vulnerability in Virtuozzo Power Panel (VZPP) and Automator

2017-07-05 Thread Securify B.V. via Fulldisclosure


Buffer over-read vulnerability in Virtuozzo Power Panel (VZPP) and
Automator

Sipke Mellema, July 2017


Abstract

Virtuozzo Power Panel is a solution that allows customers of service
providers to manage their virtual environments. Virtuozzo Automator is
an administrative tool for managing the service provider's virtual
infrastructure. Both products are affected by a buffer over-read
vulnerability that allows attackers to read random server memory.


Tested versions

This issue was tested on Virtuozzo Power Panel version 6.1.2.


Fix

A fix for this issue is included in the following software versions:
- Virtuozzo Power Panel 6.1.2-hotfix5
- Virtuozzo Automator 6.1.2-hotfix5 and 7.0.2-hotfix1


Details

https://www.securify.nl/advisory/SFY20170701/buffer-over-read-vulnerability-in-virtuozzo-power-panel-_vzpp_-and-automator.html



[FD] InsomniaX loader allows loading of arbitrary Kernel Extensions

2017-07-02 Thread Securify B.V. via Fulldisclosure


InsomniaX loader allows loading of arbitrary Kernel Extensions

Yorick Koster, April 2017


Abstract

It was found that the loader application bundled with InsomniaX can be
used to load arbitrary Kernel Extensions (kext). The loader is normally
used to load a kext file that is needed to disable the Lid Sleep. A flaw
has been found in the loader that allows a local attacker to load (or
unload) any arbitrary kext file.


See also

- http://semaja2.net/2017/06/insomniax-security-notice/
- http://semaja2.net/2017/06/thank-you-and-farewell-for-now/


Tested versions

This issue was successfully verified on InsomniaX version 2.1.8.


Fix

There is currently no fix available. The author of InsomniaX reports
that InsomniaX is no longer supported. As a workaround, remove the
setuid bit from the loader file. Doing so will prevent users from
disabling the Lid Sleep.

sudo chmod u-s /Applications/InsomniaX.app/Contents/Resources/loader


Details

https://www.securify.nl/advisory/SFY20170405/insomniax-loader-allows-loading-of-arbitrary-kernel-extensions.html




Re: [FD] SyntaxHighlight MediaWiki extension allows injection of arbitrary Pygments options

2017-05-01 Thread Securify B.V.
MediaWiki version 1.28.2 and version 1.27.3 were released that include a
fix for this issue.


https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000209.html


On 29-04-17 16:41, Securify B.V. wrote:


SyntaxHighlight MediaWiki extension allows injection of arbitrary
Pygments options

Yorick Koster, February 2017


Abstract

A vulnerability was found in the SyntaxHighlight MediaWiki extension.
Using this vulnerability it is possible for an anonymous attacker to
pass arbitrary options to the Pygments library. By specifying specially
crafted options, it is possible for an attacker to trigger a (stored)
Cross-Site Scripting condition. In addition, it allows the creation of
arbitrary files containing user-controllable data. Depending on the
server configuration, this can be used by an anonymous attacker to
execute arbitrary PHP code.


See also

- CVE-2017-0372
- https://phabricator.wikimedia.org/T158689
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html (fix not included in this release)



Tested versions

This issue was tested on SyntaxHighlight version 2.0 as bundled with
MediaWiki version 1.28.0.


Fix

This issue was supposed to be fixed in MediaWiki version 1.28.1 and
version 1.27.2. It appears that the fix was pushed to the git
repository, but for some reason it was not included in the release
packages. It is advised to apply the patch committed to GitHub.

https://github.com/wikimedia/mediawiki-extensions-SyntaxHighlight_GeSHi/commit/2d5a60a89fb3995b73e17df5901d6f023e41df3d 

https://github.com/wikimedia/mediawiki-extensions-SyntaxHighlight_GeSHi/commit/a88c5e1dcbdb3e9940c6f55a6744c62a6d62710f 




Details

https://www.securify.nl/advisory/SFY20170201/syntaxhighlight_mediawiki_extension_allows_injection_of_arbitrary_pygments_options.html 





[FD] SyntaxHighlight MediaWiki extension allows injection of arbitrary Pygments options

2017-04-29 Thread Securify B.V.


SyntaxHighlight MediaWiki extension allows injection of arbitrary
Pygments options

Yorick Koster, February 2017


Abstract

A vulnerability was found in the SyntaxHighlight MediaWiki extension.
Using this vulnerability it is possible for an anonymous attacker to
pass arbitrary options to the Pygments library. By specifying specially
crafted options, it is possible for an attacker to trigger a (stored)
Cross-Site Scripting condition. In addition, it allows the creation of
arbitrary files containing user-controllable data. Depending on the
server configuration, this can be used by an anonymous attacker to
execute arbitrary PHP code.


See also

- CVE-2017-0372
- https://phabricator.wikimedia.org/T158689
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html (fix not included in this release)



Tested versions

This issue was tested on SyntaxHighlight version 2.0 as bundled with
MediaWiki version 1.28.0.


Fix

This issue was supposed to be fixed in MediaWiki version 1.28.1 and
version 1.27.2. It appears that the fix was pushed to the git
repository, but for some reason it was not included in the release
packages. It is advised to apply the patch committed to GitHub.

https://github.com/wikimedia/mediawiki-extensions-SyntaxHighlight_GeSHi/commit/2d5a60a89fb3995b73e17df5901d6f023e41df3d
https://github.com/wikimedia/mediawiki-extensions-SyntaxHighlight_GeSHi/commit/a88c5e1dcbdb3e9940c6f55a6744c62a6d62710f


Details

https://www.securify.nl/advisory/SFY20170201/syntaxhighlight_mediawiki_extension_allows_injection_of_arbitrary_pygments_options.html



[FD] Local privilege escalation vulnerability in HideMyAss Pro VPN client v3.x for macOS

2017-04-29 Thread Securify B.V.


Local privilege escalation vulnerability in HideMyAss Pro VPN client
v3.x for macOS

Han Sahin, April 2017


Abstract

A local privilege escalation vulnerability has been found in the helper
binary com.privax.hmaprovpn.helper that ships with HideMyAss Pro VPN
v3.3.0.3 for macOS. The helper is installed setuid root and uses the
openvpn binary to create VPN profiles and connections. The helper fails
to perform signature checks on the openvpn file, which is owned by the
user that installed the client. This allows malware on the system to
replace the openvpn binary and run arbitrary code as root.


Tested versions

This issue was tested on HideMyAss Pro VPN v3.3.0.3 for macOS.


Fix

There is currently no fix available.


Details

https://www.securify.nl/advisory/SFY20170408/local_privilege_escalation_vulnerability_in_hidemyass_pro_vpn_client_v3_x_for_macos.html




[FD] Multiple local privilege escalation vulnerabilities in HideMyAss Pro VPN client v2.x for OS X

2017-04-29 Thread Securify B.V.


Multiple local privilege escalation vulnerabilities in HideMyAss Pro VPN
client v2.x for OS X

Han Sahin, April 2017


Abstract

Multiple local privilege escalation vulnerabilities were found in the
helper binary HMAHelper that ships with HideMyAss Pro VPN for OS X. The
helper is installed setuid root and responsible for loading Kernel
Extensions (kext) and managing VPN firewall rules. These issues can be
leveraged by a local attacker to gain elevated (root) privileges.


Tested versions

This issue was tested on HMA Pro VPN version 2.2.7.0 for OS X.


Fix

HMA Support has reported that this issue will not be fixed. Version
2.2.7.0 is still available for download and was earlier this year also
available in the Mac App Store. It seems that this version is still
available for older versions of OS X (OS X 10.7 - 10.11).

It should be noted that the latest version of HMA Pro VPN for OS X (version
3.3.0.3) is vulnerable to a similar local privilege escalation issue
that is also not fixed at the time of writing.


Details

https://www.securify.nl/advisory/SFY20170402/multiple_local_privilege_escalation_vulnerabilities_in_hidemyass_pro_vpn_client_v2_x_for_os_x.html



[FD] Authentication bypass vulnerability in Western Digital My Cloud allows escalation to admin privileges

2017-04-22 Thread Securify B.V.


Authentication bypass vulnerability in Western Digital My Cloud allows
escalation to admin privileges

Remco Vermeulen, April 2017


Abstract

It was discovered that the Western Digital My Cloud is affected by an
authentication bypass vulnerability. An unauthenticated attacker can
exploit this vulnerability to authenticate as an admin user without
needing to provide a password, thereby gaining full control of the My
Cloud device.


Tested versions

This vulnerability was successfully verified on a Western Digital My
Cloud model WDBCTL0020HWT running firmware version 2.21.126. This issue
is not limited to the model that was used to find this vulnerability
since most of the products in the My Cloud series share the same
(vulnerable) code.


Fix

This issue was fixed in firmware version 2.30.165.


Details

https://www.securify.nl/advisory/SFY20170404/authentication_bypass_vulnerability_in_western_digital_my_cloud_allows_escalation_to_admin_privileges.html



[FD] Persistent Cross-Site Scripting in Scriptler Jenkins Plugin

2017-04-14 Thread Securify B.V.


Persistent Cross-Site Scripting in Scriptler Jenkins Plugin

Burak Kelebek, April 2017


Abstract

A Cross-Site Scripting vulnerability was found in the Scriptler Jenkins
plugin. This vulnerability allows an attacker to perform a wide variety
of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, an authenticated attacker has to inject arbitrary HTML in the
description of a Scriptler script and wait for an admin to visit the
script overview page. By combining this vulnerability with the reported
Cross-Site Request Forgery vulnerability it is possible for an
unauthenticated attacker to exploit this issue by luring an
authenticated administrator into visiting a specially crafted page.


See also

Jenkins Security Advisory 2017-04-10


Tested versions

This issue was successfully tested on Scriptler version 2.9.


Fix

There is currently no fix available.


Details

https://www.securify.nl/advisory/SFY20170406/persistent_cross_site_scripting_in_scriptler_jenkins_plugin.html



[FD] Microsoft Office OneNote 2007 DLL side loading vulnerability

2017-04-11 Thread Securify B.V.


Microsoft Office OneNote 2007 DLL side loading vulnerability

Yorick Koster, September 2015


Abstract

A DLL side loading vulnerability was found in Microsoft Office OneNote
2007. This issue can be exploited by loading the Microsoft Office
OneNote Mobile ActiveSync Provider for Desktop object as an embedded OLE
object. When instantiating the object Windows will try to load the DLL
ceutil.dll from the current working directory. If an attacker convinces
the user to open a specially crafted (Office) document from a directory
also containing the attacker's DLL file, it is possible to execute
arbitrary code with the privileges of the target user. This can
potentially result in the attacker taking complete control of the
affected system.


See also

- CVE-2017-0197
- Microsoft OneNote 2007 Service Pack 3 (3191829)
- Microsoft OneNote 2010 Service Pack 2 (64-bit editions) (2589382)
- Microsoft OneNote 2010 Service Pack 2 (32-bit editions) (2589382)


Tested versions

This issue was successfully verified on Windows 7 + Office 2007 32-bit.


Fix

Microsoft released updates for Microsoft OneNote 2007 Service Pack 3 and
Microsoft OneNote 2010 Service Pack 2 that fix this vulnerability:

- Microsoft OneNote 2007 Service Pack 3 (3191829)
- Microsoft OneNote 2010 Service Pack 2 (64-bit editions) (2589382)
- Microsoft OneNote 2010 Service Pack 2 (32-bit editions) (2589382)


Details

https://www.securify.nl/advisory/SFY20150907/microsoft_office_onenote_2007_dll_side_loading_vulnerability.html



[FD] Multiple local privilege escalation vulnerabilities in Proxifier for Mac

2017-04-11 Thread Securify B.V.


Multiple local privilege escalation vulnerabilities in Proxifier for Mac

Yorick Koster, April 2017


Abstract

Multiple local privilege escalation vulnerabilities were found in the
KLoader binary that ships with Proxifier. KLoader is responsible for
loading a Kernel Extension (kext). KLoader is installed setuid root; it
accepts one or two command line arguments that are used in a number of
system commands. These arguments are used in an insecure manner, allowing
a local attacker to elevate their privileges. In addition, the environment
is not properly sanitized, which also introduces a possibility to run
arbitrary commands with elevated privileges.


Tested versions

These issues were successfully verified on Proxifier for Mac v2.18.


Fix

Proxifier v2.19 was released that addresses these issues.


Details

https://www.securify.nl/advisory/SFY20170401/multiple_local_privilege_escalation_vulnerabilities_in_proxifier_for_mac.html



[FD] Microsoft Edge Fetch API allows setting of arbitrary request headers

2017-03-14 Thread Securify B.V.


Microsoft Edge Fetch API allows setting of arbitrary request headers

Yorick Koster, January 2017


Abstract

It was found that the Fetch API in Microsoft Edge allows websites to set
arbitrary HTTP request headers, including the Content-Length and Host
headers. Amongst others, a malicious website can use this issue to
bypass the same origin policy, read HTTP response headers, or initiate
arbitrary HTTP requests from the victim's browser (HTTP request
smuggling).


See also

- CVE-2017-0140
- MS17-007: Cumulative Security Update for Microsoft Edge (4013071)


Tested versions

This issue was successfully tested on Microsoft Edge version
38.14393.0.0 (EdgeHTML 14.14393).


Fix

Microsoft released MS17-007 that fixes this vulnerability.


Details

https://www.securify.nl/advisory/SFY20170101/microsoft_edge_fetch_api_allows_setting_of_arbitrary_request_headers.html



[FD] Stack-based buffer overflow in Western Digital My Cloud allows for remote code execution

2017-03-07 Thread Securify B.V.


Stack-based buffer overflow in Western Digital My Cloud allows for
remote code execution

Remco Vermeulen, January 2017


Abstract

It was discovered that the Western Digital My Cloud is vulnerable to a
stack-based buffer overflow in the authentication mechanism. By
exploiting this vulnerability it is possible for an unauthenticated
attacker to run arbitrary code with root privileges.


Tested versions

This vulnerability was successfully verified on a Western Digital My
Cloud model WDBCTL0020HWT running firmware version 2.21.126. This issue
isn't limited to the model that was used to find this vulnerability
since most of the products in the My Cloud series share the same
(vulnerable) code.


Fix

There is currently no fix available.


Details

https://www.securify.nl/advisory/SFY20170105/stack_based_buffer_overflow_in_western_digital_my_cloud_allows_for_remote_code_execution.html




[FD] Western Digital My Cloud vulnerable to Cross-Site Request Forgery vulnerability

2017-03-07 Thread Securify B.V.


Western Digital My Cloud vulnerable to Cross-Site Request Forgery
vulnerability

Remco Vermeulen, January 2017


Abstract

It was discovered that the Western Digital My Cloud is affected by
Cross-Site Request Forgery. This issue can be combined with a command
injection vulnerability (see advisory SFY201703) to gain complete
control (root access) of the affected device.


See also

- https://securify.nl/advisory/SFY20170102/authentication_bypass_vulnerability_in_western_digital_my_cloud.html
- https://securify.nl/advisory/SFY20170103/western_digital_my_cloud_vulnerable_to_multiple_command_injection_vulnerabilities.html



Tested versions

This issue was successfully verified on a Western Digital My Cloud model
WDBCTL0020HWT running firmware version 2.21.126. The issue isn't limited
to the used model since most of the products in the My Cloud series
share the same (vulnerable) code.


Fix

There is currently no fix available.


Details

https://www.securify.nl/advisory/SFY20170104/western_digital_my_cloud_vulnerable_to_cross_site_request_forgery_vulnerability.html




[FD] Western Digital My Cloud vulnerable to multiple command injection vulnerabilities

2017-03-07 Thread Securify B.V.


Western Digital My Cloud vulnerable to multiple command injection
vulnerabilities

Remco Vermeulen, January 2017


Abstract

It was discovered that the Western Digital My Cloud is affected by
multiple command injection vulnerabilities. Some of these issues don't
require authentication and allow an attacker to gain complete control
(root access) of the affected device. Some do require authentication; in
this case an attacker can use Cross-Site Request Forgery (CSRF, see
advisory SFY20170104) or authentication bypass (see advisory
SFY20170102) and still gain complete control of the vulnerable Western
Digital device.


See also

- https://security.szurek.pl/wd-my-cloud-mirror-211153-rce-and-authentication-bypass.html
- https://blog.exploitee.rs/2017/hacking_wd_mycloud/
- https://www.exploitee.rs/index.php/Western_Digital_MyCloud
- https://securify.nl/advisory/SFY20170102/authentication_bypass_vulnerability_in_western_digital_my_cloud.html
- https://securify.nl/advisory/SFY20170104/western_digital_my_cloud_vulnerable_to_cross_site_request_forgery_vulnerability.html



Tested versions

These vulnerabilities were successfully verified on a Western Digital My
Cloud model WDBCTL0020HWT running firmware versions 2.21.119 and
2.21.126. These issues aren't limited to the model that was used to find
these vulnerabilities since most of the products in the My Cloud series
share the same (vulnerable) code.


Fix

There is currently no fix available.


Details

https://www.securify.nl/advisory/SFY20170103/western_digital_my_cloud_vulnerable_to_multiple_command_injection_vulnerabilities.html




[FD] Multiple persistent Cross-Site Scripting vulnerabilities in osTicket

2017-02-28 Thread Securify B.V.


Multiple persistent Cross-Site Scripting vulnerabilities in osTicket

Han Sahin, July 2016


Abstract

Two persistent Cross-Site Scripting vulnerabilities have been found in
osTicket. These issues exist due to the lack of output encoding on user
input. These vulnerabilities allow an attacker to inject malicious
JavaScript code into the application. This code will then be executed
within the browser of a user who views the dashboard. The
attacker-supplied code can perform a wide variety of actions, such as
stealing victims' session tokens or login credentials, or performing
arbitrary actions on their behalf.


Tested versions

These issues were successfully tested on osTicket version 1.9.12.


Fix

osTicket version 1.9.15 and osTicket version 1.10 were released that
address these vulnerabilities.


Details

https://www.securify.nl/advisory/SFY20160801/multiple_persistent_cross_site_scripting_vulnerabilities_in_osticket.html



[FD] Authentication bypass vulnerability in Western Digital My Cloud

2017-02-08 Thread Securify B.V.


Authentication bypass vulnerability in Western Digital My Cloud

Remco Vermeulen, January 2017


Abstract

It was discovered that Western Digital My Cloud is affected by an
authentication bypass vulnerability. By exploiting this vulnerability,
an unauthenticated attacker can bypass the login functionality and gain
full control of the device.


Tested versions

This vulnerability was successfully verified on a Western Digital My
Cloud model WDBCTL0020HWT running firmware version 2.21.119. This issue
isn't limited to the model that was used to find this vulnerability
since most of the products in the My Cloud series share the same
(vulnerable) code.


Fix

Western Digital has released firmware version 2.21.126 that resolves
this vulnerability. This updated firmware can be downloaded from the
following location:
https://support.wdc.com/downloads.aspx?g=904&lang=en#firmware


Details

https://www.securify.nl/advisory/SFY20170102/authentication_bypass_vulnerability_in_western_digital_my_cloud.html



[FD] Internet Explorer iframe sandbox local file name disclosure vulnerability

2016-08-09 Thread Securify B.V.


Internet Explorer iframe sandbox local file name disclosure
vulnerability

Yorick Koster, March 2016


Abstract

It was found that Internet Explorer allows the disclosure of local file
names. This issue exists due to the fact that Internet Explorer behaves
differently for file:// URLs pointing to existing and non-existent files.
When used in combination with HTML5 sandbox iframes it is possible to
use this behavior to find out if a local file exists. This technique
only works on Internet Explorer 10 & 11 since these support the HTML5
sandbox. Also, it is not possible to do this from a regular website as
file:// URLs are blocked altogether. The attack must be performed
locally (works with Internet zone Mark of the Web) or from a share.


See also

- CVE-2016-3321
- MS16-095: Cumulative Security Update for Internet Explorer (3177356)


Tested versions

This issue was successfully verified on Internet Explorer 10 and
Internet Explorer 11. HTML5 sandbox iframes are not available in
older versions of Internet Explorer.


Fix

Microsoft released MS16-095 that fixes this vulnerability.


Details

https://www.securify.nl/advisory/SFY20160301/internet_explorer_iframe_sandbox_local_file_name_disclosure_vulnerability.html



[FD] DLL side loading vulnerability in VMware Host Guest Client Redirector

2016-08-05 Thread Securify B.V.


DLL side loading vulnerability in VMware Host Guest Client Redirector

Yorick Koster, December 2015


Abstract

A DLL side loading vulnerability was found in the VMware Host Guest
Client Redirector, a component of VMware Tools. This issue can be
exploited by luring a victim into opening a document from the attacker's
share. An attacker can exploit this issue to execute arbitrary code with
the privileges of the target user. This can potentially result in the
attacker taking complete control of the affected system. If the WebDAV
Mini-Redirector is enabled, it is possible to exploit this issue over
the internet.


Tested versions

This issue was successfully verified on VMware Tools for Windows version
10.0.5 build 3228253.


See also

- CVE-2016-5330
- VMSA-2016-0010 - VMware product updates address multiple important
security issues


Fix

This issue has been fixed in VMware Tools for Windows version 10.0.6.


Details

https://www.securify.nl/advisory/SFY20151201/dll_side_loading_vulnerability_in_vmware_host_guest_client_redirector.html



[FD] Persistent Cross-Site Scripting in WP Live Chat Support plugin

2016-07-11 Thread Securify B.V.


Persistent Cross-Site Scripting in WP Live Chat Support plugin

Han Sahin, July 2016


Abstract

A persistent Cross-Site Scripting (XSS) vulnerability has been found in
the WP Live Chat Support plugin. By using this vulnerability an attacker
can supply malicious code on behalf of a logged on WordPress user in
order to perform a wide variety of actions, such as stealing victims'
session tokens or login credentials, performing arbitrary actions on
their behalf, and logging their keystrokes.


Tested versions

This issue was successfully tested on WP Live Chat Support WordPress
plugin version 6.2.00.


Fix

This issue has been fixed in version 6.2.02 of the WP Live Chat Support
plugin. The updated plugin can be downloaded from the following
location:
https://downloads.wordpress.org/plugin/wp-live-chat-support.zip.


Details

https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_wp_live_chat_support_plugin.html


Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.



[FD] Craft CMS affected by server side template injection

2016-06-27 Thread Securify B.V.


Craft CMS affected by server side template injection

Nelson Berg & Jurgen Kloosterman, June 2016


Abstract

It was discovered that Craft CMS is vulnerable to server-side
template injection. An authenticated attacker can exploit this issue
to compromise Craft CMS, for example by retrieving sensitive data from
configuration files.


Tested versions

All versions of Craft CMS prior to build 2791 are affected by this
vulnerability.


Fix

Pixel & Tonic, Inc. released Craft CMS build 2791 that resolves this
vulnerability. This build can easily be installed through the Control
Panel. After the fix is applied the rendering of templates is globally
limited in TemplatesService.php and TwigEnvironment.php.


Details

https://www.securify.nl/advisory/SFY20160608/craft_cms_affected_by_server_side_template_injection.html



[FD] Microsoft Visio multiple DLL side loading vulnerabilities

2016-06-15 Thread Securify B.V.


Microsoft Visio multiple DLL side loading vulnerabilities

Yorick Koster, August 2015


Abstract

Multiple DLL side loading vulnerabilities were found in Microsoft Visio.
These issues can be exploited by loading various Visio COM components as
an embedded OLE object. When instantiating a vulnerable object Windows
will try to load the DLL msoutls.dll from the current working directory.
If an attacker convinces the user to open a specially crafted (Office)
document from a directory also containing the attacker's DLL file, it is
possible to execute arbitrary code with the privileges of the target
user. This can potentially result in the attacker taking complete
control of the affected system.


See also

- CVE-2016-3235
- MS16-070: Security Update for Microsoft Office (3163610)


Tested versions

This issue was successfully verified on Windows 7 + Visio 2010.
Microsoft reports that this issue also affects Microsoft Visio 2007,
Microsoft Visio 2013, and Microsoft Visio 2016.


Fix

Microsoft released MS16-070 that fixes this vulnerability.


Details

https://www.securify.nl/advisory/SFY20150804/microsoft_visio_multiple_dll_side_loading_vulnerabilities.html



[FD] EMC M&R (Watch4net) lacks Cross-Site Request Forgery protection

2016-04-27 Thread Securify B.V.


EMC M&R (Watch4net) lacks Cross-Site Request Forgery protection

Han Sahin, November 2014


Abstract

It was discovered that EMC M&R (Watch4net) does not protect against
Cross-Site Request Forgery (CSRF) attacks. A successful CSRF attack can
compromise end user data and may allow an attacker to perform an account
hijack. If the targeted end user is the administrator account, this
results in a full compromise of Watch4net.


Affected versions

Versions of EMC ViPR SRM prior to version 3.7 are affected by these
vulnerabilities.


See also

- http://seclists.org/bugtraq/2016/Apr/att-106/ESA-2016-039.txt
- CVE-2016-0891


Fix

EMC released 34247_ViPR-SRM to fix these vulnerabilities. Please
note that this fix is only available for registered EMC Online Support
customers.


Details

https://www.securify.nl/advisory/SFY20141109/emc_m_r__watch4net__lacks_cross_site_request_forgery_protection.html



[FD] .NET Framework 4.6 allows side loading of Windows API Set DLL

2016-04-12 Thread Securify B.V.


.NET Framework 4.6 allows side loading of Windows API Set DLL

Yorick Koster, February 2016


Abstract

A DLL side loading vulnerability was found in the .NET Framework version
4.6 when running on Windows Vista or Windows 7. This issue can be
exploited by luring a victim into opening an Office document from the
attacker's share. An attacker can use this issue to execute arbitrary
code with the privileges of the target user. This can potentially result
in the attacker taking complete control of the affected system. If the
WebDAV Mini-Redirector is enabled, it is possible to exploit this issue
over the internet. This issue can be exploited even if the Office
document is opened in Protected View.


See also

- CVE-2016-0148
- MS16-041: Security Update for .NET Framework (3148789)
- http://www.greyhathacker.net/docs/OfficeDLLhijacking.zip
- https://twitter.com/matthias_kaiser/status/697163250111291398
- http://hyp3rlinx.altervista.org/advisories/MICROSOFT-PPT-VIEWER-CODE-EXEC.txt



Tested versions

This issue was successfully verified on Vista running Office 2010 and
.NET 4.6.81.0 & Windows 7 running Office 2013 and .NET 4.6.1055.0.


Fix

Microsoft released MS16-041 that fixes this vulnerability.


Details

https://www.securify.nl/advisory/SFY20160201/_net_framework_4_6_allows_side_loading_of_windows_api_set_dll.html



Re: [FD] Windows Mail Find People DLL side loading vulnerability

2016-03-09 Thread Securify B.V.

Hi Stefan,

See below.


On 09-03-16 12:48, Stefan Kanthak wrote:

"Securify B.V." wrote:



Windows Mail Find People DLL side loading vulnerability

Yorick Koster, September 2015

This vulnerability demonstrates Microsoft's terrible SLOPPY coding
horror^Wpractice: it needs two mistakes to create this kind of bug!

"%CommonProgramFiles%\System\wab32res.dll" is (as its name implies)
a resource DLL, which means that it contains no code, but only
(localized) resources, and SHOULD (better: MUST) be loaded via
 LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
to avoid the call of its DllMain() startup code!
See <https://msdn.microsoft.com/en-us/library/ms684179.aspx>

JFTR: LOAD_LIBRARY_AS_DATAFILE was introduced in the last millennium!

Either
 LoadLibrary("%CommonProgramFiles%\System\wab32res.dll")
or
 LoadLibraryEx("wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
were sufficient to avoid this vulnerability.



Fix

Microsoft released MS16-025 that fixes this vulnerability.

Have you checked how Microsoft fixed it?
Did they exercise all due diligence now, practised defense in depth
and replaced the call to
 LoadLibrary("wab32res.dll")
with a call to
 LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)?


They still use LoadLibrary() to load wab32res.dll. Previously, they
fetched a path from HKLM\Software\Microsoft\WAB\DLLPath and appended
wab32res.dll to the result, which was fed into LoadLibrary().


With MS16-025 they sanitize DLLPath using PathRemoveFileSpec(). By
default DLLPath is set to %CommonProgramFiles%\System\wab32.dll, and
PathRemoveFileSpec() removes wab32.dll from the path. They also call
ExpandEnvironmentStrings(), but that was also the case previously.


With kind regards,

Yorick

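A defender-side check of the resolution Yorick describes, added here as an example that is not part of the thread or of Microsoft's code: it reads the DLLPath value from the registry key named above, expands environment strings, strips the file name the way PathRemoveFileSpec() does, appends wab32res.dll, and reports where the load would resolve. The expected directory (%CommonProgramFiles%\System) and the Authenticode check are assumptions added for the check, not facts from the thread.

```powershell
# Added example: mirror the MS16-025 path resolution for wab32res.dll and sanity-check the result.
# Registry key, value name and default value are from the thread; the expected directory and the
# signature check are assumptions made by this check.
function Test-WabResourceDllPath {
    [CmdletBinding()]
    param(
        [string]$RegistryPath = 'HKLM:\Software\Microsoft\WAB',
        [string]$ValueName    = 'DLLPath',
        [string]$ResourceDll  = 'wab32res.dll'
    )

    # Read the raw value without letting PowerShell expand REG_EXPAND_SZ for us,
    # so the expansion step below stays explicit and visible.
    $key = Get-Item -Path $RegistryPath -ErrorAction Stop
    $raw = $key.GetValue($ValueName, $null, 'DoNotExpandEnvironmentNames')
    if (-not $raw) { throw "Value '$ValueName' not found under $RegistryPath" }

    # Step 1: ExpandEnvironmentStrings() equivalent (present before and after the fix).
    $expanded = [Environment]::ExpandEnvironmentVariables($raw)

    # Step 2: PathRemoveFileSpec() equivalent, the sanitisation added by MS16-025.
    # '...\Common Files\System\wab32.dll' -> '...\Common Files\System'
    $directory = Split-Path -Path $expanded -Parent

    # Step 3: append the resource DLL name; this fully qualified path is what LoadLibrary() receives.
    $resolved = Join-Path -Path $directory -ChildPath $ResourceDll

    # Assumption: a healthy install resolves into %CommonProgramFiles%\System.
    $expectedDir = Join-Path -Path $env:CommonProgramFiles -ChildPath 'System'
    $inExpected  = $directory.TrimEnd('\') -ieq $expectedDir.TrimEnd('\')

    $exists    = Test-Path -LiteralPath $resolved -PathType Leaf
    $signer    = $null
    $sigStatus = 'NotFound'
    if ($exists) {
        # Assumption: the legitimate resource DLL carries a valid Microsoft Authenticode signature.
        $sig       = Get-AuthenticodeSignature -FilePath $resolved
        $sigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        RawValue            = $raw
        ResolvedDirectory   = $directory
        ResolvedDll         = $resolved
        InExpectedDirectory = $inExpected
        DllExists           = $exists
        SignatureStatus     = $sigStatus
        Signer              = $signer
        # Anything that would make the load come from somewhere other than the expected,
        # signed system copy is worth a closer look.
        Suspicious          = (-not $inExpected) -or (-not $exists) -or
                              ($sigStatus -ne 'Valid') -or ($signer -notlike '*Microsoft*')
    }
}

Test-WabResourceDllPath | Format-List
```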


[FD] Windows Mail Find People DLL side loading vulnerability

2016-03-08 Thread Securify B.V.


Windows Mail Find People DLL side loading vulnerability

Yorick Koster, September 2015


Abstract

A DLL side loading vulnerability was found in the Windows Mail Find
People DLL. This issue can be exploited by loading the "For &People..."
object as an embedded OLE object. When instantiating the object Windows
will try to load the DLL wab32res.dll from the current working
directory. If an attacker convinces the user to open a specially crafted
(Office) document from a directory also containing the attacker's DLL
file, it is possible to execute arbitrary code with the privileges of
the target user. This can potentially result in the attacker taking
complete control of the affected system.


See also

- CVE-2016-0100
- MS16-025: Security Update for Windows Library Loading to Address
Remote Code Execution (3140709)


Tested versions

This issue was successfully verified on Windows Vista + Office 2010
32-bit.


Fix

Microsoft released MS16-025 that fixes this vulnerability.


Details

https://www.securify.nl/advisory/SFY20150904/windows_mail_find_people_dll_side_loading_vulnerability.html




Re: [FD] OLE DB Provider for Oracle multiple DLL side loading vulnerabilities

2016-02-10 Thread Securify B.V.


Fix

Microsoft released MS16-014 that fixes this vulnerability.


On 16-12-15 19:26, Securify B.V. wrote:


OLE DB Provider for Oracle multiple DLL side loading vulnerabilities

Yorick Koster, August 2015


Abstract

Multiple DLL side loading vulnerabilities were found in the OLE DB
Provider for Oracle. These issues can be exploited by loading various
OLE components as an embedded OLE object. When instantiating the object
Windows will try to load the DLLs oci.dll, and ociw32.dll from the
current working directory. If an attacker convinces the user to open a
specially crafted (Office) document from a directory also containing the
attacker's DLL file, it is possible to execute arbitrary code with the
privileges of the target user. This can potentially result in the
attacker taking complete control of the affected system.


See also

http://www.greyhathacker.net/docs/OfficeDLLhijacking.zip
https://securify.nl/blog/SFY20151201/there_s_a_party_in_ole__and_you_are_invited.html 




Tested versions

This issue was successfully verified on Windows 7 + Office 2007 32-bit,
Windows Vista + Office 2010 32-bit, Windows 7 + Office 2013 32-bit.


Fix

There is currently no fix available.


Details

https://www.securify.nl/advisory/SFY20150806/ole_db_provider_for_oracle_multiple_dll_side_loading_vulnerabilities.html 





[FD] MapsUpdateTask Task DLL side loading vulnerability

2016-02-10 Thread Securify B.V.


MapsUpdateTask Task DLL side loading vulnerability

Yorick Koster, November 2015


Abstract

A DLL side loading vulnerability was found in the MapsUpdateTask Task
DLL that ships with Windows 10. This issue can be exploited by loading a
COM control as an embedded OLE object. When instantiating the object
Windows will try to load the DLL phoneinfo.dll from the current working
directory. If an attacker convinces the user to open a specially crafted
(Office) document from a directory also containing the attacker's DLL
file, it is possible to execute arbitrary code with the privileges of
the target user. This can potentially result in the attacker taking
complete control of the affected system.


See also

- CVE-2016-0041
- MS16-014: Security Update for Microsoft Windows to Address Remote
Code Execution (3134228)


Tested versions

This issue was successfully verified on Windows 10 + Office 2016 64-bit.


Fix

Microsoft released MS16-014 that fixes this vulnerability.


Details

https://www.securify.nl/advisory/SFY20151101/mapsupdatetask_task_dll_side_loading_vulnerability.html



[FD] BDA MPEG2 Transport Information Filter DLL side loading vulnerability

2016-02-10 Thread Securify B.V.


BDA MPEG2 Transport Information Filter DLL side loading vulnerability

Yorick Koster, September 2015


Abstract

A DLL side loading vulnerability was found in the BDA MPEG2 Transport
Information Filter that ships with Windows Vista. This issue can be
exploited by loading the filter as an embedded OLE object. When
instantiating the object Windows will try to load the DLL ehTrace.dll
from the current working directory. If an attacker convinces the user to
open a specially crafted (Office) document from a directory also
containing the attacker's DLL file, it is possible to execute arbitrary
code with the privileges of the target user. This can potentially result
in the attacker taking complete control of the affected system.


See also

- CVE-2016-0041
- MS16-014: Security Update for Microsoft Windows to Address Remote
Code Execution (3134228)


Tested versions

This issue was successfully verified on Windows Vista + Office 2010
32-bit.


Fix

Microsoft released MS16-014 that fixes this vulnerability.


Details

https://www.securify.nl/advisory/SFY20150906/bda_mpeg2_transport_information_filter_dll_side_loading_vulnerability.html



[FD] NPS Datastore server DLL side loading vulnerability

2016-02-10 Thread Securify B.V.


NPS Datastore server DLL side loading vulnerability

Yorick Koster, September 2015


Abstract

A DLL side loading vulnerability was found in the NPS Datastore server
DLL that ships with Windows Vista. This issue can be exploited by
loading the affected DLL as an embedded OLE object. When instantiating
the object Windows will try to load the DLL iasdatastore2.dll from the
current working directory. If an attacker convinces the user to open a
specially crafted (Office) document from a directory also containing the
attacker's DLL file, it is possible to execute arbitrary code with the
privileges of the target user. This can potentially result in the
attacker taking complete control of the affected system.


See also

- CVE-2016-0041
- MS16-014: Security Update for Microsoft Windows to Address Remote
Code Execution (3134228)


Tested versions

This issue was successfully verified on Windows Vista + Office 2010
32-bit.


Fix

Microsoft released MS16-014 that fixes this vulnerability.


Details

https://www.securify.nl/advisory/SFY20150905/nps_datastore_server_dll_side_loading_vulnerability.html



[FD] HP LaserJet Fax Preview DLL side loading vulnerability

2016-01-23 Thread Securify B.V.


HP LaserJet Fax Preview DLL side loading vulnerability

Yorick Koster, September 2015


Abstract

A DLL side loading vulnerability was found in the HP LaserJet Fax
Preview Resource DLL. This issue can be exploited by loading the
FaxPreview Class as an embedded OLE object. When instantiating the
object Windows will try to load the DLL MFC80ENU.DLL from the current
working directory. If an attacker convinces the user to open a specially
crafted (Office) document from a directory also containing the
attacker's DLL file, it is possible to execute arbitrary code with the
privileges of the target user. This can potentially result in the
attacker taking complete control of the affected system.


Affected versions

This issue was successfully verified on the HP Color LaserJet CM2320 MFP
drivers version 3.1 (CM2320series-win7-full-solution-AM-EMEA1-v3.1.exe).


Fix

There is currently no fix available, HP reports: "Unfortunately, the
driver software for these devices can no longer be updated. The devices
have ended support life and the engineering resources are no longer
available to provide any firmware updates.  We do understand the issue,
and current drivers are no longer vulnerable to the OLE side load
issue".


Details

https://www.securify.nl/advisory/SFY20150903/hp_laserjet_fax_preview_dll_side_loading_vulnerability.html
https://www.securify.nl/exploit/SFY20150901/hp_laserjet_ole_sideload.html
https://www.securify.nl/blog/SFY20151201/there_s_a_party_in_ole__and_you_are_invited.html



[FD] HP ToComMsg DLL side loading vulnerability

2016-01-23 Thread Securify B.V.


HP ToComMsg DLL side loading vulnerability

Yorick Koster, September 2015


Abstract

A DLL side loading vulnerability was found in the HP ToComMsg DLL. This
issue can be exploited by loading the TcComMsg.AutoTcComMsg object as an
embedded OLE object. When instantiating the object Windows will try to
load the DLL MFC80ENU.DLL from the current working directory. If an
attacker convinces the user to open a specially crafted (Office)
document from a directory also containing the attacker's DLL file, it is
possible to execute arbitrary code with the privileges of the target
user. This can potentially result in the attacker taking complete
control of the affected system.


Tested versions

This issue was successfully verified on the HP Color LaserJet CM2320 MFP
drivers version 3.1 (CM2320series-win7-full-solution-AM-EMEA1-v3.1.exe).


Fix

There is currently no fix available, HP reports: "Unfortunately, the
driver software for these devices can no longer be updated. The devices
have ended support life and the engineering resources are no longer
available to provide any firmware updates.  We do understand the issue,
and current drivers are no longer vulnerable to the OLE side load
issue".


Details

https://www.securify.nl/advisory/SFY20150902/hp_tocommsg_dll_side_loading_vulnerability.html
https://www.securify.nl/exploit/SFY20150901/hp_laserjet_ole_sideload.html
https://www.securify.nl/blog/SFY20151201/there_s_a_party_in_ole__and_you_are_invited.html



[FD] LEADTOOLS ActiveX control multiple DLL side loading vulnerabilities

2016-01-23 Thread Securify B.V.


LEADTOOLS ActiveX control multiple DLL side loading vulnerabilities

Yorick Koster, September 2015


Abstract

Multiple DLL side loading vulnerabilities were found in the LEADTOOLS
ActiveX control. These issues can be exploited by loading various COM
components as an embedded OLE object. When instantiating the object
Windows will try to load the DLL LTANN11N.DLL from the current working
directory. If an attacker convinces the user to open a specially crafted
(Office) document from a directory also containing the attacker's DLL
file, it is possible to execute arbitrary code with the privileges of
the target user. This can potentially result in the attacker taking
complete control of the affected system.


Affected versions

This issue was successfully verified on the HP Color LaserJet CM2320 MFP
drivers version 3.1 (CM2320series-win7-full-solution-AM-EMEA1-v3.1.exe).


Fix

There is currently no fix available, HP reports: "Unfortunately, the
driver software for these devices can no longer be updated. The devices
have ended support life and the engineering resources are no longer
available to provide any firmware updates.  We do understand the issue,
and current drivers are no longer vulnerable to the OLE side load
issue".


Details

https://www.securify.nl/advisory/SFY20150901/leadtools_activex_control_multiple_dll_side_loading_vulnerabilities.html
https://www.securify.nl/exploit/SFY20150901/hp_laserjet_ole_sideload.html
https://www.securify.nl/blog/SFY20151201/there_s_a_party_in_ole__and_you_are_invited.html



[FD] OLE DB Provider for Oracle multiple DLL side loading vulnerabilities

2015-12-16 Thread Securify B.V.


OLE DB Provider for Oracle multiple DLL side loading vulnerabilities

Yorick Koster, August 2015


Abstract

Multiple DLL side loading vulnerabilities were found in the OLE DB
Provider for Oracle. These issues can be exploited by loading various
OLE components as an embedded OLE object. When instantiating the object
Windows will try to load the DLLs oci.dll, and ociw32.dll from the
current working directory. If an attacker convinces the user to open a
specially crafted (Office) document from a directory also containing the
attacker's DLL file, it is possible to execute arbitrary code with the
privileges of the target user. This can potentially result in the
attacker taking complete control of the affected system.


See also

http://www.greyhathacker.net/docs/OfficeDLLhijacking.zip
https://securify.nl/blog/SFY20151201/there_s_a_party_in_ole__and_you_are_invited.html


Tested versions

This issue was successfully verified on Windows 7 + Office 2007 32-bit,
Windows Vista + Office 2010 32-bit, Windows 7 + Office 2013 32-bit.


Fix

There is currently no fix available.


Details

https://www.securify.nl/advisory/SFY20150806/ole_db_provider_for_oracle_multiple_dll_side_loading_vulnerabilities.html



[FD] Shockwave Flash Object DLL side loading vulnerability

2015-12-16 Thread Securify B.V.


Shockwave Flash Object DLL side loading vulnerability

Yorick Koster, August 2015


Abstract

A DLL side loading vulnerability was found in the Flash version that
ships with Windows. This issue can be exploited by loading the Shockwave
Flash object as an embedded OLE object. When instantiating the object
Windows will try to load the DLL spframe.dll from the current working
directory. If an attacker convinces the user to open a specially crafted
(Office) document from a directory also containing the attacker's DLL
file, it is possible to execute arbitrary code with the privileges of
the target user. This can potentially result in the attacker taking
complete control of the affected system.


See also

https://advisory.securify.nl/blog/SFY20151201/there_s_a_party_in_ole__and_you_are_invited.html


Tested versions

This issue was successfully verified on Windows 10 + Office 2013 32-bit.


Fix

It appears that this issue has been resolved by the security updates for
Adobe Flash Player of November 2015 (version 19.0.0.245 or later,
APSB15-28 [3]). The initialization code has been changed in this
version. Currently, the DLL spframe.dll is only loaded if Flash is
started from Microsoft Edge. In all other cases, Flash tries to load
ieframe.dll instead of spframe.dll. ieframe.dll is located in System32,
which is searched before the current working directory, preventing side
loading of this DLL.


Details

https://www.securify.nl/advisory/SFY20150802/shockwave_flash_object_dll_side_loading_vulnerability.html



[FD] Shutdown UX DLL side loading vulnerability

2015-12-16 Thread Securify B.V.


Shutdown UX DLL side loading vulnerability

Yorick Koster, November 2015


Abstract

A DLL side loading vulnerability was found in the Shutdown UX DLL. This
issue can be exploited by loading the Authentication UI Shutdown Choices
object as an embedded OLE object. When instantiating the object Windows
will try to load the DLL wuaext.dll from the current working directory.
If an attacker convinces the user to open a specially crafted (Office)
document from a directory also containing the attacker's DLL file, it is
possible to execute arbitrary code with the privileges of the target
user. This can potentially result in the attacker taking complete
control of the affected system.


See also

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6132
https://technet.microsoft.com/library/security/MS15-132
https://securify.nl/blog/SFY20151201/there_s_a_party_in_ole__and_you_are_invited.html


Tested versions

This issue was successfully verified on Windows 10 + Office 2016 64-bit.


Fix

Microsoft released MS15-132 [4] that fixes this vulnerability.


Details

https://www.securify.nl/advisory/SFY20151102/shutdown_ux_dll_side_loading_vulnerability.html



[FD] Windows Authentication UI DLL side loading vulnerability

2015-12-12 Thread Securify B.V.


Windows Authentication UI DLL side loading vulnerability

Yorick Koster, August 2015


Abstract

A DLL side loading vulnerability was found in the Windows Authentication
UI DLL. This issue can be exploited by loading the Slide To Shut Down
Screen object as an embedded OLE object. When instantiating the object
Windows will try to load the DLL wuaext.dll from the current working
directory. If an attacker convinces the user to open a specially crafted
(Office) document from a directory also containing the attacker's DLL
file, it is possible to execute arbitrary code with the privileges of
the target user. This can potentially result in the attacker taking
complete control of the affected system.


See also

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6132
https://technet.microsoft.com/library/security/MS15-132
https://advisory.securify.nl/blog/SFY20151201/there_s_a_party_in_ole__and_you_are_invited.html


Tested versions

This issue was successfully verified on Windows 10 + Office 2013 32-bit,
and Windows 10 + Office 2016 64-bit.


Fix

Microsoft released MS15-132 that fixes this vulnerability.


Details

https://www.securify.nl/advisory/SFY20150803/windows_authentication_ui_dll_side_loading_vulnerability.html



[FD] Event Viewer Snapin multiple DLL side loading vulnerabilities

2015-12-12 Thread Securify B.V.


Event Viewer Snapin multiple DLL side loading vulnerabilities

Yorick Koster, August 2015


Abstract

Multiple DLL side loading vulnerabilities were found in the Event Viewer
Snapin that ships with Windows. These issues can be exploited by loading
various COM components as an embedded OLE object. When instantiating a
vulnerable object Windows will try to load the DLL elsext.dll from the
current working directory. If an attacker convinces the user to open a
specially crafted (Office) document from a directory also containing the
attacker's DLL file, it is possible to execute arbitrary code with the
privileges of the target user. This can potentially result in the
attacker taking complete control of the affected system.


See also

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6132
https://technet.microsoft.com/library/security/MS15-132
http://www.greyhathacker.net/docs/OfficeDLLhijacking.zip
https://code.google.com/p/google-security-research/issues/detail?id=514
https://advisory.securify.nl/blog/SFY20151201/there_s_a_party_in_ole__and_you_are_invited.html


Tested versions

This issue was successfully verified on Windows 7 + Office 2007 32-bit,
Windows Vista + Office 2010 32-bit, Windows 7 + Office 2013 32-bit.


Fix

Microsoft released MS15-132 that fixes this vulnerability.


Details

https://www.securify.nl/advisory/SFY20150805/event_viewer_snapin_multiple_dll_side_loading_vulnerabilities.html



[FD] COM+ Services DLL side loading vulnerability

2015-12-12 Thread Securify B.V.


COM+ Services DLL side loading vulnerability

Yorick Koster, August 2015


Abstract

A DLL side loading vulnerability was found in the COM+ Services
component that ships with Windows. This issue can be exploited by
loading the QC Queue Administration Class as an embedded OLE object.
When instantiating the object Windows will try to load the DLL mqrt.dll
from the current working directory. If an attacker convinces the user to
open a specially crafted (Office) document from a directory also
containing the attacker's DLL file, it is possible to execute arbitrary
code with the privileges of the target user. This can potentially result
in the attacker taking complete control of the affected system.


See also

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6132
https://technet.microsoft.com/library/security/MS15-132
https://code.google.com/p/google-security-research/issues/detail?id=556
https://advisory.securify.nl/blog/SFY20151201/there_s_a_party_in_ole__and_you_are_invited.html


Tested versions

This issue was successfully verified on Windows 7 + Office 2007 32-bit,
Windows Vista + Office 2010 32-bit, Windows 7/10 + Office 2013 32-bit,
and Windows 10 + Office 2016 64-bit.


Fix

Microsoft released MS15-132 that fixes this vulnerability.


Details

https://www.securify.nl/advisory/SFY20150801/com__services_dll_side_loading_vulnerability.html 
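Every OLE side-loading advisory above describes the same precondition: the attacker's DLL sits in the directory from which the document is opened. The following hunting script, an added example that is not part of any of these advisories, walks a directory tree for files carrying the DLL names these advisories list and reports only those that share a directory with Office documents, together with their Authenticode status. The document extensions and the scan root are assumptions.

```powershell
# Added example: hunt for the side-loadable DLL names from these advisories sitting next to
# Office documents. The DLL names come from the advisories on this page; the document
# extensions and the scan root are assumptions.
$SideLoadDllNames = @(
    'wab32res.dll',            # Windows Mail Find People (MS16-025)
    'oci.dll', 'ociw32.dll',   # OLE DB Provider for Oracle
    'phoneinfo.dll',           # MapsUpdateTask Task (MS16-014)
    'ehTrace.dll',             # BDA MPEG2 Transport Information Filter (MS16-014)
    'iasdatastore2.dll',       # NPS Datastore server (MS16-014)
    'MFC80ENU.DLL',            # HP LaserJet Fax Preview / HP ToComMsg
    'LTANN11N.DLL',            # LEADTOOLS ActiveX control
    'spframe.dll',             # Shockwave Flash Object
    'wuaext.dll',              # Shutdown UX / Windows Authentication UI (MS15-132)
    'elsext.dll',              # Event Viewer Snapin (MS15-132)
    'mqrt.dll'                 # COM+ Services (MS15-132)
)

# Assumption: document types that would be opened from the same directory as the DLL.
$DocumentExtensions = @('.doc', '.docx', '.docm', '.xls', '.xlsx', '.xlsm', '.ppt', '.pptx', '.rtf')

function Find-SideLoadCandidates {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Root,
        [string[]]$DllNames      = $SideLoadDllNames,
        [string[]]$DocExtensions = $DocumentExtensions
    )

    # Only the listed names matter for this check; -contains compares case-insensitively.
    $hits = Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $DllNames -contains $_.Name }

    foreach ($dll in $hits) {
        # A stray DLL by itself is not the finding; a DLL beside documents that would be
        # opened from that directory is, because that directory becomes the process's CWD.
        $docs = Get-ChildItem -LiteralPath $dll.DirectoryName -File -ErrorAction SilentlyContinue |
            Where-Object { $DocExtensions -contains $_.Extension.ToLowerInvariant() }
        if (-not $docs) { continue }

        # Legitimate copies of these DLLs live in system or vendor directories and are signed;
        # an unsigned or oddly signed copy in a document folder is what to escalate.
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
        [pscustomobject]@{
            Directory       = $dll.DirectoryName
            Dll             = $dll.Name
            DllLastWriteUtc = $dll.LastWriteTimeUtc
            SignatureStatus = $sig.Status
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Documents       = ($docs.Name -join ', ')
        }
    }
}

# Example run against a profile root or a mapped share (assumed path).
Find-SideLoadCandidates -Root 'C:\Users' | Format-Table -AutoSize
```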





Re: [FD] Cisco AnyConnect elevation of privileges via DMG install script

2015-09-30 Thread Securify B.V.


Fix

Cisco customers with active contracts can obtain updates through the
Software Center at https://software.cisco.com/download/navigator.html.

Cisco has released bug ID CSCuv11947 for registered users, which
contains additional details and an up-to-date list of affected product
versions.


On 23-09-15 19:14, Securify B.V. wrote:


Cisco AnyConnect elevation of privileges via DMG install script

Yorick Koster, July 2015


Abstract

Cisco AnyConnect Secure Mobility Client for OS X is affected by a
vulnerability that allows local attackers to mount arbitrary DMG files
at arbitrary mount points. By exploiting this vulnerability it is
possible for the attacker to gain root privileges. Cisco reports that a
similar issue also exists in Cisco AnyConnect Secure Mobility Client for
Linux.


See also

- CVE-2015-6306
- http://tools.cisco.com/security/center/viewAlert.x?alertId=41135


Tested version

This issue was successfully verified on Cisco AnyConnect Secure Mobility
Client for OS X version 3.1.08009.


Fix

There is currently no fix available. Updates are expected to be released
on September 30, 2015.

Cisco has released bug ID CSCuv11947 for registered users, which
contains additional details and an up-to-date list of affected product
versions.


Details

https://www.securify.nl/advisory/SFY20150701/cisco_anyconnect_elevation_of_privileges_via_dmg_install_script.html 





Re: [FD] Cisco AnyConnect elevation of privileges via DLL side loading

2015-09-30 Thread Securify B.V.


Fix

Cisco customers with active contracts can obtain updates through the
Software Center at https://software.cisco.com/download/navigator.html.

Cisco has released bug ID CSCuv01279 [5] for registered users, which
contains additional details and an up-to-date list of affected product
versions.


On 22-09-15 18:18, Securify B.V. wrote:


Cisco AnyConnect elevation of privileges via DLL side loading

Yorick Koster, June 2015


Abstract

Cisco AnyConnect Secure Mobility Client for Windows is affected by a
vulnerability that allows local attackers to execute arbitrary DLL files
with elevated privileges. By exploiting this vulnerability it is possible
for the attacker to gain SYSTEM privileges.


See also

- CVE-2015-6305
- http://tools.cisco.com/security/center/viewAlert.x?alertId=41136
- https://code.google.com/p/google-security-research/issues/detail?id=460


Tested version

This issue was successfully verified on Cisco AnyConnect Secure Mobility
Client for Windows version 3.1.08009.


Fix

There is currently no fix available. Updates are expected to be released
on September 30, 2015.

Cisco has released bug ID CSCuv01279 for registered users, which
contains additional details and an up-to-date list of affected product
versions.


Details

https://www.securify.nl/advisory/SFY20150601/cisco_anyconnect_elevation_of_privileges_via_dll_side_loading.html 





[FD] Cisco AnyConnect elevation of privileges via DMG install script

2015-09-23 Thread Securify B.V.


Cisco AnyConnect elevation of privileges via DMG install script

Yorick Koster, July 2015


Abstract

Cisco AnyConnect Secure Mobility Client for OS X is affected by a
vulnerability that allows local attackers to mount arbitrary DMG files
at arbitrary mount points. By exploiting this vulnerability it is
possible for the attacker to gain root privileges. Cisco reports that a
similar issue also exists in Cisco AnyConnect Secure Mobility Client for
Linux.


See also

- CVE-2015-6306
- http://tools.cisco.com/security/center/viewAlert.x?alertId=41135


Tested version

This issue was successfully verified on Cisco AnyConnect Secure Mobility
Client for OS X version 3.1.08009.


Fix

There is currently no fix available. Updates are expected to be released
on September 30, 2015.

Cisco has released bug ID CSCuv11947 for registered users, which
contains additional details and an up-to-date list of affected product
versions.


Details

https://www.securify.nl/advisory/SFY20150701/cisco_anyconnect_elevation_of_privileges_via_dmg_install_script.html



[FD] Cisco AnyConnect elevation of privileges via DLL side loading

2015-09-22 Thread Securify B.V.


Cisco AnyConnect elevation of privileges via DLL side loading

Yorick Koster, June 2015


Abstract

Cisco AnyConnect Secure Mobility Client for Windows is affected by a
vulnerability that allows local attackers to execute arbitrary DLL files
with elevated privileges. By exploiting this vulnerability it is possible
for the attacker to gain SYSTEM privileges.


See also

- CVE-2015-6305
- http://tools.cisco.com/security/center/viewAlert.x?alertId=41136
- https://code.google.com/p/google-security-research/issues/detail?id=460


Tested version

This issue was successfully verified on Cisco AnyConnect Secure Mobility
Client for Windows version 3.1.08009.


Fix

There is currently no fix available. Updates are expected to be released
on September 30, 2015.

Cisco has released bug ID CSCuv01279 for registered users, which
contains additional details and an up-to-date list of affected product
versions.


Details

https://www.securify.nl/advisory/SFY20150601/cisco_anyconnect_elevation_of_privileges_via_dll_side_loading.html



[FD] Multiple Cross-Site Scripting vulnerabilities in Synology Download Station

2015-09-09 Thread Securify B.V.


Multiple Cross-Site Scripting vulnerabilities in Synology Download
Station

Han Sahin, September 2015


Abstract

Multiple Cross-Site Scripting vulnerabilities were found in Synology
Download Station. These issues allow attackers to perform a wide variety
of actions, such as stealing victims' session tokens or login
credentials (if available), performing arbitrary actions on their
behalf, and redirecting victims to potentially malicious websites.


Tested version

These issues have been tested on Synology Download Station version
3.5-2956 and version 3.5-2962.


Fix

Synology reports that these issues have been resolved in:

- Download Station version 3.5-2962 [Create download task via file
upload]
- Download Station version 3.5-2967 [Create download task via URL]


Details

https://www.securify.nl/advisory/SFY20150809/multiple_cross_site_scripting_vulnerabilities_in_synology_download_station.html


[FD] Synology Video Station command injection and multiple SQL injection vulnerabilities

2015-09-09 Thread Securify B.V.


Synology Video Station command injection and multiple SQL injection
vulnerabilities

Han Sahin, September 2015


Abstract

It was discovered that Synology Video Station is vulnerable to command
injection that allows an attacker to execute arbitrary system commands
with root privileges. In addition, Video Station is affected by multiple
SQL injection vulnerabilities that allow for execution of arbitrary SQL
statements with DBA privileges. As a result it is possible to compromise
the PostgreSQL database server.


Affected versions

These issues affect Synology Video Station version up to and including
version 1.5-0757.


Fix

Synology has reported that these issues have been resolved in:

- Video Station version 1.5-0757 [audiotrack.cgi]
- Video Station version 1.5-0763 [watchstatus.cgi]
- Video Station version 1.5-0763 [subtitle.cgi]


Details

https://www.securify.nl/advisory/SFY20150810/synology_video_station_command_injection_and_multiple_sql_injection_vulnerabilities.html


Re: [FD] Integer overflow in .NET Framework System.DirectoryServices.Protocols.Utility class

2015-09-08 Thread Securify B.V.

Microsoft released MS15-101 that addresses this issue:
https://technet.microsoft.com/library/security/ms15-101

On 25-07-15 09:02, Securify B.V. wrote:


Integer overflow in .NET Framework
System.DirectoryServices.Protocols.Utility class

Yorick Koster, May 2015


Abstract

An integer overflow exists in the
System.DirectoryServices.Protocols.Utility class of the .NET Framework.
Triggering this issue results in an overflown integer that is used to
allocate a buffer on the heap that is too small, resulting in memory
corruption. Exploiting this issue appears to be difficult.
Consequently, Microsoft has decided to not release a security bulletin.


Affected versions

This issue affects .NET Framework version 4.5 and 4.6. Other versions
are not affected as this issue can only be triggered using large arrays
(> 2GB).


Fix

There is currently no fix available for this issue. Microsoft will not
release a security bulletin, it may be fixed in future versions of the
.NET Framework.

[...] [we] are going to pursue this as a candidate for improvement in
future versions, [...] On x86, the feasibility of an attack is mitigated
by the maximum process memory and even on amd64, prevailing
configurations preclude this from being a feasible attack.


Details

https://www.securify.nl/advisory/SFY20150501/integer_overflow_in__net_framework_system_directoryservices_protocols_utility_class.html


[FD] Weak authentication in EMC Secure Remote Services Virtual Edition Web Portal

2015-08-17 Thread Securify B.V.


Weak authentication in EMC Secure Remote Services Virtual Edition Web
Portal

Han Sahin, November 2014


Abstract

It was discovered that the session tokens in EMC Secure Remote Services
Virtual Edition are Base64 encoded XML tokens that lack any
cryptographic protection. Due to this it is possible for attackers to
create their own session cookies. Attackers with network access
(insiders) to the ESRS Web Portal can exploit this issue to gain
unauthorized access to the management interface.


Affected versions

EMC reports that the following versions are affected by this
vulnerability:

- EMC Secure Remote Services Virtual Edition 3.02
- EMC Secure Remote Services Virtual Edition 3.03
- EMC Secure Remote Services Virtual Edition 3.04


See also

- CVE-2015-0544 [2]
- ESA-2015-097 [3]: EMC Secure Remote Services (ESRS) Virtual Edition
(VE) Multiple Security Vulnerabilities


Fix

EMC released EMC Secure Remote Services Virtual Edition 3.06 that
resolves this vulnerability. Registered EMC Online Support customers can
download patches and software from support.emc.com [4] at:

EMC Secure Remote Services -> EMC Secure Remote Services Virtual Edition
-> Downloads


Details

https://www.securify.nl/advisory/SFY20141115/weak_authentication_in_emc_secure_remote_services_virtual_edition_web_portal.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
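
The advisory above describes session tokens that are Base64-encoded XML with no integrity protection, so a client can write its own. The following Python is an added example for this listing, not code from Securify or from the ESRS product: it puts the unprotected scheme next to the usual fix, an HMAC-SHA256 tag over the token body checked in constant time. The XML element names, the token layout (`base64(xml).base64(mac)`) and the key are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed example key. In a real deployment this is a per-installation
# secret kept out of the code base, never a fixed constant like this one.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def _xml_bytes(claims: dict) -> bytes:
    """Serialise session claims as a small XML document.
    The element names are assumptions for this example, not ESRS's format."""
    root = ET.Element("session")
    for name, value in claims.items():
        ET.SubElement(root, name).text = value
    return ET.tostring(root)


def _claims_from_xml(data: bytes) -> dict:
    root = ET.fromstring(data)
    return {child.tag: child.text for child in root}


def issue_unprotected_token(claims: dict) -> str:
    """The weak scheme: base64 is an encoding, not a protection."""
    return base64.b64encode(_xml_bytes(claims)).decode("ascii")


def read_unprotected_token(token: str) -> dict:
    """A server that only decodes has no way to tell its own tokens from
    ones the client wrote itself; every parseable token is accepted."""
    return _claims_from_xml(base64.b64decode(token))


def issue_signed_token(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Hardened scheme: base64(xml) '.' base64(HMAC-SHA256(key, xml))."""
    payload = _xml_bytes(claims)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.b64encode(payload).decode("ascii") + "."
            + base64.b64encode(tag).decode("ascii"))


def verify_signed_token(token: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the claims only when the MAC is present and correct; otherwise
    None, whether the MAC is missing, malformed, or computed under another key."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = base64.b64decode(payload_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except ValueError:          # no '.' separator or invalid base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return _claims_from_xml(payload)


def rewrite_claim(token: str, name: str, value: str) -> str:
    """Change one field in the payload half of a token and leave any MAC as is.
    Used below to show what each scheme does with a modified token."""
    payload_b64 = token.split(".", 1)[0]
    claims = _claims_from_xml(base64.b64decode(payload_b64))
    claims[name] = value
    new_payload = base64.b64encode(_xml_bytes(claims)).decode("ascii")
    return new_payload + token[len(payload_b64):]


if __name__ == "__main__":
    claims = {"user": "operator", "role": "user"}
    weak = issue_unprotected_token(claims)
    print("unprotected, modified:", read_unprotected_token(rewrite_claim(weak, "role", "admin")))
    strong = issue_signed_token(claims)
    print("signed, intact:       ", verify_signed_token(strong))
    print("signed, modified:     ", verify_signed_token(rewrite_claim(strong, "role", "admin")))
    print("signed, no MAC:       ", verify_signed_token(weak))
```

The MAC stops a client from minting or editing claims, which is the gap the advisory describes; it does not by itself give revocation or replay protection, so the simplest robust design remains an opaque random session identifier looked up in server-side state, with a MAC-protected token reserved for cases where the server must stay stateless.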


[FD] Insufficient certificate validation in EMC Secure Remote Services Virtual Edition

2015-08-17 Thread Securify B.V.


Insufficient certificate validation in EMC Secure Remote Services
Virtual Edition

Han Sahin, November 2014


Abstract

It was discovered that the server certificate validation checks
performed by EMC Secure Remote Services Virtual Edition are insecure.
Weak certificate validation allows attackers to perform a man in the
middle attack against ESRS connections. This allows for eavesdropping
on, and spoofing of provisioned devices in ESRS VE (including but not
limited to home calls to the ESRS portal esrs.emc.com).


Affected versions

EMC reports that the following versions are affected by this
vulnerability:

- EMC Secure Remote Services Virtual Edition 3.02
- EMC Secure Remote Services Virtual Edition 3.03
- EMC Secure Remote Services Virtual Edition 3.04


See also

- CVE-2015-0543 [2]
- ESA-2015-097 [3]: EMC Secure Remote Services (ESRS) Virtual Edition
(VE) Multiple Security Vulnerabilities


Fix

EMC released EMC Secure Remote Services Virtual Edition 3.06 that
resolves this vulnerability. Registered EMC Online Support customers can
download patches and software from support.emc.com [4] at:

EMC Secure Remote Services -> EMC Secure Remote Services Virtual Edition
-> Downloads


Details

https://www.securify.nl/advisory/SFY20141114/insufficient_certificate_validation_in_emc_secure_remote_services_virtual_edition.html


[FD] Integer overflow in .NET Framework System.DirectoryServices.Protocols.Utility class

2015-07-25 Thread Securify B.V.


Integer overflow in .NET Framework
System.DirectoryServices.Protocols.Utility class

Yorick Koster, May 2015


Abstract

An integer overflow exists in the
System.DirectoryServices.Protocols.Utility class of the .NET Framework.
Triggering this issue results in an overflown integer that is used to
allocate a buffer on the heap that is too small, resulting in memory
corruption. Exploiting this issue appears to be difficult.
Consequently, Microsoft has decided to not release a security bulletin.


Affected versions

This issue affects .NET Framework version 4.5 and 4.6. Other versions
are not affected as this issue can only be triggered using large arrays
(> 2GB).


Fix

There is currently no fix available for this issue. Microsoft will not
release a security bulletin, it may be fixed in future versions of the
.NET Framework.

[...] [we] are going to pursue this as a candidate for improvement in
future versions, [...] On x86, the feasibility of an attack is mitigated
by the maximum process memory and even on amd64, prevailing
configurations preclude this from being a feasible attack.


Details

https://www.securify.nl/advisory/SFY20150501/integer_overflow_in__net_framework_system_directoryservices_protocols_utility_class.html


[FD] Synology Photo Station multiple Cross-Site Scripting vulnerabilities

2015-05-25 Thread Securify B.V.


Synology Photo Station multiple Cross-Site Scripting vulnerabilities

Han Sahin, May 2015


Abstract

Multiple reflected Cross-Site scripting vulnerabilities were found in
Synology Photo Station. These issues allow attackers to perform a wide
variety of actions, such as stealing victims' session tokens or login
credentials if available, performing arbitrary actions on their behalf
but also performing arbitrary redirects to potentially malicious websites.


Tested version

This issue was tested on Synology Photo Station version 6.2-2858.


Fix

Synology reports that this issue has been resolved in Photo Station
version 6.3-2945.
https://www.synology.com/en-us/releaseNote/PhotoStation


Details

https://www.securify.nl/advisory/SFY20150504/synology_photo_station_multiple_cross_site_scripting_vulnerabilities.html


[FD] Reflected Cross-Site Scripting in Synology DiskStation Manager

2015-05-25 Thread Securify B.V.


Reflected Cross-Site Scripting in Synology DiskStation Manager

Han Sahin, May 2015


Abstract

A reflected Cross-Site scripting vulnerability was found in Synology
DiskStation Manager. This issue allows attackers to perform a wide
variety of actions, such as stealing victims' session tokens or login
credentials if available, performing arbitrary actions on their behalf
but also performing arbitrary redirects to potentially malicious websites.


Tested version

This issue was tested on Synology DiskStation Manager version 5.2-5565.


Fix

Synology reports that this issue has been resolved in DiskStation
Manager version 5.2-5565 Update 1 (2015/05/21).
https://www.synology.com/en-global/releaseNote/DS214play


Details

https://www.securify.nl/advisory/SFY20150503/reflected_cross_site_scripting_in_synology_diskstation_manager.html


[FD] Command injection vulnerability in Synology Photo Station

2015-05-25 Thread Securify B.V.


Command injection vulnerability in Synology Photo Station

Han Sahin, May 2015


Abstract

A command injection vulnerability was found in Synology Photo Station,
which allows an attacker to execute arbitrary commands with the
privileges of the webserver. An attacker can use this vulnerability to
compromise a Synology DiskStation NAS, including all data stored on the
NAS.


Tested version

This issue was tested on Synology Photo Station version 6.2-2858.


Fix

Synology reports that this issue has been resolved in Photo Station
version 6.3-2945.
https://www.synology.com/en-us/releaseNote/PhotoStation


Details

https://www.securify.nl/advisory/SFY20150502/command_injection_vulnerability_in_synology_photo_station.html


[FD] Reflected Cross-Site Scripting vulnerability in asdoc generated documentation

2015-04-07 Thread Securify B.V.


Reflected Cross-Site Scripting vulnerability in asdoc generated
documentation

Radjnies Bhansingh, March 2014


Abstract

A reflected Cross-Site scripting vulnerability was found in Apache
Flex's asdoc generated API documentation. This issue allows attackers to
perform a wide variety of actions, such as stealing victims' session
tokens or login credentials if available, performing arbitrary actions
on their behalf but also performing arbitrary redirects to potentially
malicious websites.


Affected products

Apache Flex reports that all versions of Apache Flex before 4.14.1 are
affected by this vulnerability.


Fix

The Apache Flex team fixed the issue in asdoc in Apache Flex 4.14.1.
Users can also apply the following patch to fix this issue manually.
https://git-wip-us.apache.org/repos/asf/flex-sdk/repo?p=flex-sdk.git;a=commitdiff;h=151c6fa1e46529acb74c1baf056d431da1db0422

Users should upgrade their version of Apache Flex and regenerate their
current documentation generated with asdoc. Please note that any local
modification to the asdoc index.html will need to be saved as they are
not reapplied by asdoc on the newly generated documentation.


Details

https://www.securify.nl/advisory/SFY20150301/reflected_cross_site_scripting_vulnerability_in_asdoc_generated_documentation.html


[FD] Viber for Android exposes insecure Javascript interface

2015-03-20 Thread Securify B.V.


Viber for Android exposes insecure Javascript interface

Yorick Koster, April 2014


Abstract

It was discovered that Viber's Sticker Market is affected by a remote
code execution vulnerability. This is possible because the Market is
loaded over an insecure connection (HTTP) in a WebView that exposes an
insecure Javascript interface. Exploiting this issue allows for the
execution of arbitrary Java code within the privileges of the Viber app.


Tested versions

This issue was successfully tested on Viber for Android version
4.3.0.712.


Fix

As of Viber version 5.2.0.2415 (released December 15, 2014) the target
SDK was changed from API Level 15 to API Level 19. Due to this, this
issue is no longer exploitable on devices running Android 4.2 (API Level
17) and newer.


Details

https://www.securify.nl/advisory/SFY20140402/viber_for_android_exposes_insecure_javascript_interface.html
https://vimeo.com/102272421


[FD] Citrix NetScaler VPX help pages are vulnerable to Cross-Site Scripting

2015-03-19 Thread Securify B.V.


Citrix NetScaler VPX help pages are vulnerable to Cross-Site Scripting

Han Sahin, August 2014


Abstract

It was discovered that the help pages of Citrix VPX are vulnerable to
Cross-Site Scripting. This issue allows attackers to perform a wide
variety of actions, such as stealing the victim's session token or login
credentials, performing arbitrary actions on the victim's behalf, and
logging their keystrokes.


Tested version

This issue was discovered in Citrix NetScaler VPX NSVPX-ESX-10.5-50.10,
other versions may also be vulnerable.


Fix

Citrix reports that this vulnerability is fixed in NetScaler 10.5 build
52.8nc.


Details

https://www.securify.nl/advisory/SFY20140807/citrix_netscaler_vpx_help_pages_are_vulnerable_to_cross_site_scripting.html


[FD] Command injection vulnerability in Citrix NITRO SDK xen_hotfix page

2015-03-19 Thread Securify B.V.


Command injection vulnerability in Citrix NITRO SDK xen_hotfix page

Han Sahin, August 2014


Abstract

Securify discovered a command injection vulnerability in the xen_hotfix
page of the NITRO SDK. The attacker-supplied command is executed with
elevated privileges (nsroot). This issue can be used to compromise the
entire Citrix SDX appliance and all underlying applications and data.


Tested version

This issue was discovered in Citrix NetScaler SDX svm-10.5-50-1.9, other
versions may also be affected.


Fix

Citrix reports that this vulnerability is fixed in NetScaler 10.5 build
52.3nc.


Details

https://www.securify.nl/advisory/SFY20140806/command_injection_vulnerability_in_citrix_nitro_sdk_xen_hotfix_page.html


[FD] Citrix NITRO SDK xen_hotfix page is vulnerable to Cross-Site Scripting

2015-03-19 Thread Securify B.V.


Citrix NITRO SDK xen_hotfix page is vulnerable to Cross-Site Scripting

Han Sahin, August 2014


Abstract

A Cross-Site Scripting vulnerability was found in the xen_hotfix page of
the Citrix NITRO SDK. This issue allows attackers to perform a wide
variety of actions, such as stealing the victim's session token or login
credentials, performing arbitrary actions on the victim's behalf, and
logging their keystrokes.


Tested version

This issue was discovered in Citrix NetScaler SDX svm-10.5-50-1.9,
other versions may also be affected.


Fix

Citrix reports that this vulnerability is fixed in NetScaler 10.5 build
52.3nc.


Details

https://www.securify.nl/advisory/SFY20140805/citrix_nitro_sdk_xen_hotfix_page_is_vulnerable_to_cross_site_scripting.html


[FD] Advent JMX Servlet of Citrix Command Center is accessible to unauthenticated users

2015-03-19 Thread Securify B.V.


Advent JMX Servlet of Citrix Command Center is accessible to
unauthenticated users

Han Sahin, August 2014


Abstract

It was discovered that the Advent JMX Servlet of Citrix Command Center
is accessible to unauthenticated users. This issue can be abused by
attackers to compromise the entire application.


Tested version

This issue was discovered in Citrix Command Center 5.1 build 33.3
(including patch CC_SP_5.2_40_1.exe), other versions may also be
vulnerable.


Fix

Citrix reports that this vulnerability is fixed in Command Center 5.2
build 42.7, which can be downloaded from the following location (login
required).
https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html

Citrix assigned BUG0494204 to this issue.


Details

https://www.securify.nl/advisory/SFY20140804/advent_jmx_servlet_of_citrx_command_center_is_accessible_to_unauthenticated_users.html


[FD] Citrix Command Center allows downloading of configuration files

2015-03-19 Thread Securify B.V.


Citrix Command Center allows downloading of configuration files

Han Sahin, August 2014


Abstract

It was discovered that Citrix Command Center stores configuration files
containing credentials of managed devices within a folder accessible
through the web server. Unauthenticated attackers can download any
configuration file stored in this folder, decode passwords stored in
these files, and gain privileged access to devices managed by Command
Center.


Tested version

This issue was discovered in Citrix Command Center 5.1 build 33.3
(including patch CC_SP_5.2_40_1.exe), other versions may also be
vulnerable.


Fix

Citrix reports that this vulnerability is fixed in Command Center 5.2
build 42.7, which can be downloaded from the following location (login
required).
https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html

Citrix assigned BUG0493933 to this issue.


Details

https://www.securify.nl/advisory/SFY20140802/citrix_command_center_allows_downloading_of_configuration_files.html


[FD] EMC Secure Remote Services Virtual Edition Provisioning component is affected by SQL injection

2015-03-18 Thread Securify B.V.


EMC Secure Remote Services Virtual Edition Provisioning component is
affected by SQL injection

Han Sahin, November 2014


Abstract

An SQL injection vulnerability was found in EMC Secure Remote Services
Virtual Edition (ESRS VE) that allows an attacker to retrieve arbitrary
data from the application, interfere with its logic, or execute commands
on the database server itself.


Affected versions

EMC reports that the following versions are affected by this
vulnerability:

- EMC Secure Remote Services Virtual Edition 3.02
- EMC Secure Remote Services Virtual Edition 3.03


See also

- CVE-2015-0524
- ESA-2015-040: EMC Secure Remote Services Virtual Edition Security
Update for Multiple Vulnerabilities


Fix

EMC released EMC Secure Remote Services Virtual Edition 3.04 that
resolves this vulnerability. Registered EMC Online Support customers can
download patches and software from support.emc.com at:

EMC Secure Remote Services -> EMC Secure Remote Services Virtual Edition
-> Downloads


Details

https://www.securify.nl/advisory/SFY20141113/emc_secure_remote_services_virtual_edition_provisioning_component_is_affected_by_sql_injection.html


[FD] Command injection vulnerability in EMC Secure Remote Services Virtual Edition

2015-03-18 Thread Securify B.V.


Command injection vulnerability in EMC Secure Remote Services Virtual
Edition

Han Sahin, November 2014


Abstract

A command injection vulnerability was found in EMC Secure Remote
Services Virtual Edition (ESRS VE) that allows an attacker to execute
arbitrary system commands and take full control over ESRS VE.


Affected versions

EMC reports that the following versions are affected by this
vulnerability:

- EMC Secure Remote Services Virtual Edition 3.02
- EMC Secure Remote Services Virtual Edition 3.03


See also

- CVE-2015-0525
- ESA-2015-040: EMC Secure Remote Services Virtual Edition Security
Update for Multiple Vulnerabilities


Fix

EMC released EMC Secure Remote Services Virtual Edition 3.04 that
resolves this vulnerability. Registered EMC Online Support customers can
download patches and software from support.emc.com at:

EMC Secure Remote Services -> EMC Secure Remote Services Virtual Edition
-> Downloads


Details

https://www.securify.nl/advisory/SFY20141112/command_injection_vulnerability_in_emc_secure_remote_services_virtual_edition.html


[FD] Path traversal vulnerability in EMC M&R (Watch4net) Device Discovery

2015-03-18 Thread Securify B.V.


Path traversal vulnerability in EMC M&R (Watch4net) Device Discovery

Han Sahin, November 2014


Abstract

A path traversal vulnerability was found in EMC M&R (Watch4net) Device
Discovery. This vulnerability allows an attacker to access sensitive
files containing configuration data, passwords, database records, log
data, source code, and program scripts and binaries.


Affected products

EMC reports that the following products are affected by this
vulnerability:

- EMC M&R (Watch4Net) versions prior to 6.5u1
- EMC ViPR SRM versions prior to 3.6.1


See also

- CVE-2016-0516
- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities


Fix

EMC released the following updated versions that resolve this
vulnerability:

- EMC M&R (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com
at https://support.emc.com/downloads/34247_ViPR-SRM.


Details

https://www.securify.nl/advisory/SFY20141106/path_traversal_vulnerability_in_emc_m_r__watch4net__device_discovery.html


[FD] Path traversal vulnerability in EMC M&R (Watch4net) MIB Browser

2015-03-18 Thread Securify B.V.


Path traversal vulnerability in EMC M&R (Watch4net) MIB Browser

Han Sahin, November 2014


Abstract

A path traversal vulnerability was found in EMC M&R (Watch4net) MIB
Browser. This vulnerability allows an attacker to access sensitive files
containing configuration data, passwords, database records, log data,
source code, and program scripts and binaries.


Affected products

EMC reports that the following products are affected by this
vulnerability:

- EMC M&R (Watch4Net) versions prior to 6.5u1
- EMC ViPR SRM versions prior to 3.6.1


See also

- CVE-2015-0516
- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities


Fix

EMC released the following updated versions that resolve this
vulnerability:

- EMC M&R (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com
at https://support.emc.com/downloads/34247_ViPR-SRM.


Details

https://www.securify.nl/advisory/SFY20141105/path_traversal_vulnerability_in_emc_m_r__watch4net__mib_browser.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
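
Both EMC M&R path traversal advisories above (Device Discovery and MIB Browser) describe the same failure: a client-supplied path is used to open a file without being confined to the intended directory. The Python below is an added example for this listing, not code from Securify or from the Watch4net product: it decodes the request once, canonicalises it (collapsing `..` and following symlinks) and then checks containment against the canonical root, which is the check a naive `..` filter cannot replace. The fixture it builds (a temporary web root, a file inside it, a symlink pointing outside it) and the request strings are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_under_root(root: str, requested: str) -> Optional[Path]:
    """Canonicalise a client-supplied relative path and confirm it stays under root.

    Returns the absolute, symlink-resolved path, or None when the request is
    absolute, contains a NUL byte, is still percent-encoded after one decode
    (double encoding), or resolves outside root (via '..' or a symlink).
    """
    decoded = unquote(requested)
    if "\x00" in decoded or unquote(decoded) != decoded:
        return None
    # Treat backslashes as separators too, so '..\\' cannot slip past a '/'-only check.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        return None
    root_path = Path(root).resolve()
    candidate = (root_path / decoded).resolve()   # collapses '..' and follows symlinks
    if candidate != root_path and root_path not in candidate.parents:
        return None
    return candidate


def build_demo_root() -> str:
    """Constructed fixture: a document root holding one file, plus a symlink
    inside the root that points at a file outside it."""
    base = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    root = base / "webroot"
    (root / "reports").mkdir(parents=True)
    (root / "reports" / "daily.txt").write_text("ok\n")
    secret = base / "outside.conf"
    secret.write_text("db.password=constructed\n")
    os.symlink(secret, root / "reports" / "escape.lnk")
    return str(root)


def check_requests(root: str) -> Dict[str, bool]:
    """Run a constructed set of request paths through resolve_under_root and
    report, per request, whether it would be served."""
    requests = [
        "reports/daily.txt",                 # plain file inside root
        "reports/../reports/daily.txt",      # harmless '..' that stays inside
        "../outside.conf",                   # classic traversal
        "..%2f..%2foutside.conf",            # encoded separators
        "%252e%252e/outside.conf",           # double-encoded dots
        "..\\..\\outside.conf",              # backslash separators
        "/etc/hostname",                     # absolute path
        "reports/escape.lnk",                # symlink pointing outside root
        "reports/daily.txt%00.jpg",          # NUL byte truncation attempt
    ]
    return {r: resolve_under_root(root, r) is not None for r in requests}


if __name__ == "__main__":
    demo_root = build_demo_root()
    for request, allowed in check_requests(demo_root).items():
        print(f"{'serve ' if allowed else 'reject'}  {request!r}")
```

Containment is the minimum; the caller should additionally require `candidate.is_file()` before opening anything, and where the set of files is fixed and small, as with a MIB collection, an explicit allow-list of names is simpler and stronger than any path check.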


[FD] Cross-Site Scripting vulnerability in EMC M&R (Watch4net) Alerting Frontend

2015-03-18 Thread Securify B.V.


Cross-Site Scripting vulnerability in EMC M&R (Watch4net) Alerting
Frontend

Han Sahin, November 2014


Abstract

A Cross-Site Scripting vulnerability was found in EMC M&R (Watch4net)
Alerting Frontend. This issue allows attackers to perform a wide
variety of actions, such as stealing victims' session tokens or login
credentials, performing arbitrary actions on their behalf, logging their
keystrokes, or exploiting issues in other areas of Watch4net.


Affected products

EMC reports that the following products are affected by this
vulnerability:

- EMC M&R (Watch4Net) versions prior to 6.5u1
- EMC ViPR SRM versions prior to 3.6.1


See also

- CVE-2015-0513
- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities


Fix

EMC released the following updated versions that resolve this
vulnerability:

- EMC M&R (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com
at https://support.emc.com/downloads/34247_ViPR-SRM.


Details

https://www.securify.nl/advisory/SFY20141104/cross_site_scripting_vulnerability_in_emc_m_r__watch4net__alerting_frontend.html


[FD] Cross-Site Scripting vulnerability in EMC M&R (Watch4net) Centralized Management Console

2015-03-18 Thread Securify B.V.


Cross-Site Scripting vulnerability in EMC M&R (Watch4net) Centralized
Management Console

Han Sahin, November 2014


Abstract

A Cross-Site Scripting vulnerability was found in EMC M&R (Watch4net)
Centralized Management Console. This issue allows attackers to perform a
wide variety of actions, such as stealing victims' session tokens or
login credentials, performing arbitrary actions on their behalf, logging
their keystrokes, or exploiting issues in other areas of Watch4net.


Affected products

EMC reports that the following products are affected by this
vulnerability:

- EMC M&R (Watch4Net) versions prior to 6.5u1
- EMC ViPR SRM versions prior to 3.6.1


See also

- CVE-2015-0513
- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities


Fix

EMC released the following updated versions that resolve this
vulnerability:

- EMC M&R (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com
at https://support.emc.com/downloads/34247_ViPR-SRM.


Details

https://www.securify.nl/advisory/SFY20141103/cross_site_scripting_vulnerability_in_emc_m_r__watch4net__centralized_management_console.html


[FD] Cross-Site Scripting vulnerability in EMC M&R (Watch4net) Web Portal Report Favorites

2015-03-18 Thread Securify B.V.


Cross-Site Scripting vulnerability in EMC M&R (Watch4net) Web Portal
Report Favorites

Han Sahin, November 2014


Abstract

A Cross-Site Scripting vulnerability was found in EMC M&R (Watch4net)
Web Portal. This issue allows attackers to replace the report that is
shown at startup; the attacker's payload will be stored in the user's
profile and will be executed every time the victim logs in. The
attacker-supplied code can perform a wide variety of actions, such as
stealing victims' session tokens or login credentials, performing
arbitrary actions on their behalf, logging their keystrokes, or
exploiting issues in other areas of Watch4net.


Affected products

EMC reports that the following products are affected by this
vulnerability:

- EMC M&R (Watch4Net) versions prior to 6.5u1
- EMC ViPR SRM versions prior to 3.6.1


See also

- CVE-2015-0513
- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities


Fix

EMC released the following updated versions that resolve this
vulnerability:

- EMC M&R (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com
at https://support.emc.com/downloads/34247_ViPR-SRM.


Details

https://www.securify.nl/advisory/SFY20141102/cross_site_scripting_vulnerability_in_emc_m_r__watch4net__web_portal_report_favorites.html


[FD] EMC M&R (Watch4net) data storage collector credentials are not properly protected

2015-03-18 Thread Securify B.V.


EMC M&R (Watch4net) data storage collector credentials are not properly
protected

Han Sahin, November 2014


Abstract

It was discovered that EMC M&R (Watch4net) credentials of remote servers
stored in Watch4net are encrypted using a fixed hardcoded password. If
an attacker manages to obtain a copy of the encrypted credentials, it is
trivial to decrypt them.


Affected products

EMC reports that the following products are affected by this
vulnerability:

- EMC M&R (Watch4Net) versions prior to 6.5u1
- EMC ViPR SRM versions prior to 3.6.1


See also

- CVE-2015-0514
- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities


Fix

EMC released the following updated versions that resolve this
vulnerability:

- EMC M&R (Watch4Net) 6.5u1
- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com
at https://support.emc.com/downloads/34247_ViPR-SRM.


Details

https://www.securify.nl/advisory/SFY20141101/emc_m_r__watch4net__data_storage_collector_credentials_are_not_properly_protected.html


[FD] Error messages of Websense Content Gateway are vulnerable to Cross-Site Scripting

2015-03-18 Thread Securify B.V.


Error messages of Websense Content Gateway are vulnerable to Cross-Site
Scripting

Han Sahin, September 2014


Abstract

It was discovered that the error messages of Websense Content Gateway
process user-controllable data insecurely, rendering these pages
vulnerable to Cross-Site Scripting. Cross-Site Scripting allows an
attacker to perform a wide variety of actions, such as stealing the
victim's session token or login credentials, performing arbitrary
actions on the victim's behalf, and logging their keystrokes.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

This issue is resolved in TRITON APX Version 8.0. More information about
the fix can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

https://www.securify.nl/advisory/SFY20140916/error_messages_of_websense_content_gateway_are_vulnerable_to_cross_site_scripting.html


[FD] Multiple Cross-Site Scripting vulnerabilities in Websense Reporting

2015-03-18 Thread Securify B.V.


Multiple Cross-Site Scripting vulnerabilities in Websense Reporting

Han Sahin, September 2014


Abstract

It has been found that Websense Reporting is affected by multiple
Cross-Site Scripting issues. Cross-Site Scripting allows an attacker to
perform a wide variety of actions, such as stealing the victim's session
token or login credentials, performing arbitrary actions on the victim's
behalf, and logging their keystrokes.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

Websense released hotfix 02 for Websense Triton v7.8.4 in which this
issue is fixed. More information about this hotfix can be found at the
following location:
http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions

This issue is resolved in TRITON APX Version 8.0. More information about
the fix can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

https://www.securify.nl/advisory/SFY20140914/multiple_cross_site_scripting_vulnerabilities_in_websense_reporting.html



[FD] Cross-Site Scripting vulnerability in Websense Explorer report scheduler

2015-03-18 Thread Securify B.V.


Cross-Site Scripting vulnerability in Websense Explorer report scheduler

Han Sahin, September 2014


Abstract

It was discovered that the report scheduler of Websense Explorer is
vulnerable to Cross-Site Scripting. Cross-Site Scripting allows an
attacker to perform a wide variety of actions, such as stealing the
victim's session token or login credentials, performing arbitrary
actions on the victim's behalf, and logging their keystrokes.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

Websense released hotfix 02 for Websense Triton v7.8.4 in which this
issue is fixed. More information about this hotfix can be found at the
following location:
http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions

This issue is resolved in TRITON APX Version 8.0. More information about
the fix can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

https://www.securify.nl/advisory/SFY20140911/cross_site_scripting_vulnerability_in_websense_explorer_report_scheduler.html



[FD] Cross-Site Scripting vulnerability in Websense Data Security block page

2015-03-18 Thread Securify B.V.


Cross-Site Scripting vulnerability in Websense Data Security block page

Han Sahin, September 2014


Abstract

It was discovered that the Websense Data Security block page processes
user-controllable data insecurely, rendering the block page
vulnerable to Cross-Site Scripting. Cross-Site Scripting allows an
attacker to perform a wide variety of actions, such as stealing the
victim's session token or login credentials, performing arbitrary
actions on the victim's behalf, and logging their keystrokes.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

This issue is resolved in TRITON APX Version 8.0. More information about
the fix can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

https://www.securify.nl/advisory/SFY20140910/cross_site_scripting_vulnerability_in_websense_data_security_block_page.html



[FD] Missing access control on Websense Explorer web folder

2015-03-18 Thread Securify B.V.


Missing access control on Websense Explorer web folder

Han Sahin, September 2014


Abstract

It was discovered that no access control is enforced on the explorer_wse
path, which is exposed through the web server. An attacker can abuse
this issue to download any file exposed by this path, including security
reports and Websense Explorer configuration files.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

This issue is resolved in TRITON APX Version 8.0. More information about
the fix can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

https://www.securify.nl/advisory/SFY20140909/missing_access_control_on_websense_explorer_web_folder.html



[FD] Source code disclosure of Websense Triton JSP files via double quote character

2015-03-18 Thread Securify B.V.


Source code disclosure of Websense Triton JSP files via double quote
character

Han Sahin, September 2014


Abstract

Websense Triton is affected by a source code disclosure vulnerability.
By appending a double quote character after JSP URLs, Websense will
return the source code of the JSP instead of executing the JSP. An
attacker can use this issue to inspect parts of Websense's source code
in order to gain more knowledge about Websense's internals.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

Websense released hotfix 02 for Websense Triton v7.8.4 in which this
issue is fixed. More information about this hotfix can be found at the
following location:
http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions

This issue is resolved in TRITON APX Version 8.0. More information about
the fix can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

https://www.securify.nl/advisory/SFY20140907/source_code_disclosure_of_websense_triton_jsp_files_via_double_quote_character.html



[FD] Command injection vulnerability in network diagnostics tool of Websense Appliance Manager

2015-03-18 Thread Securify B.V.


Command injection vulnerability in network diagnostics tool of Websense
Appliance Manager

Han Sahin, September 2014


Abstract

A command injection vulnerability was found in Websense Appliance
Manager that allows an attacker to execute arbitrary code on the
appliance. This issue can be combined with other vulnerabilities, like
Cross-Site Scripting, to perform remote unauthenticated attacks to
compromise the appliance.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

Websense released hotfix 02 for Websense Triton v7.8.4 in which this
issue is fixed. More information about this hotfix can be found at the
following location:
http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions

This issue is resolved in TRITON APX Version 8.0. More information about
the fix can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

https://www.securify.nl/advisory/SFY20140906/command_injection_vulnerability_in_network_diagnostics_tool_of_websense_appliance_manager.html

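The advisory above gives no detail of the affected code path, so the following is a generic illustration of the bug class it names, added here and not taken from Websense or Securify: a "ping this host" diagnostics handler that splices user input into a shell command line, beside a hardened version that validates the target as an IP literal or hostname and passes it as a separate argv element with no shell in between. The ping flags assume a Unix ping (-c).

```python
"""Command injection in a network diagnostics ("ping this host") handler.

Added example, not Websense code: the appliance's real code path is not
described in the advisory. Shows the vulnerable shell-string pattern and
a hardened argv-based replacement.
"""
import ipaddress
import re
import subprocess

# RFC 1123 style hostname: labels of alphanumerics and hyphens, no label
# starting or ending with a hyphen, 253 characters overall.
HOSTNAME_RE = re.compile(
    r'^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    r'(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
)


def vulnerable_ping_command(target: str) -> str:
    """Vulnerable: the user-controlled target is concatenated into a shell
    command line. Run with shell=True, '8.8.8.8; id' executes two commands."""
    return f'ping -c 4 {target}'


def validate_target(target: str) -> str:
    """Accept only an IP literal or a syntactically valid hostname. Anything
    with shell metacharacters, whitespace or a leading hyphen is rejected,
    so the value can never be read as a second command or as a ping option."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f'invalid target: {target!r}')


def is_safe_target(target: str) -> bool:
    """Convenience predicate around validate_target()."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def safe_ping_argv(target: str) -> list:
    """Hardened: validated input passed as its own argv element; no shell
    is involved, so metacharacters have no meaning even if validation
    were loosened later."""
    return ['ping', '-c', '4', validate_target(target)]


def run_ping(target: str) -> subprocess.CompletedProcess:
    """Execute the hardened form (shell=False is the default for a list)."""
    return subprocess.run(safe_ping_argv(target), capture_output=True,
                          text=True, timeout=30)


if __name__ == '__main__':
    for candidate in ('127.0.0.1', 'www.example.com', '8.8.8.8; id', '$(id)', '-f'):
        print(f'{candidate!r}: {"accepted" if is_safe_target(candidate) else "rejected"}')
```

Both layers matter: validation keeps the diagnostics tool from becoming an arbitrary-host scanner or an option-injection vector, and the argv list removes the shell that would otherwise interpret ';', '$(...)', backticks and pipes.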


[FD] Websense Email Security vulnerable to persistent Cross-Site Scripting in audit log details view

2015-03-18 Thread Securify B.V.


Websense Email Security vulnerable to persistent Cross-Site Scripting in
audit log details view

Han Sahin, September 2014


Abstract

Users of Websense Data Security that are reviewing DLP incidents can be
attacked via Cross-Site Scripting. This issue can be exploited using a
specially crafted email, or by sending a specially crafted HTTP request
through the Websense proxy. The attacker-supplied code can perform a
wide variety of attacks, such as stealing session tokens, login
credentials, performing arbitrary actions as victims, or logging
victims' keystrokes.


Tested versions

This issue was discovered on Websense Triton v7.8.3 and Websense
appliance modules V-Series v7.7. Other versions may be affected as well.


Fix

This issue is resolved in TRITON APX Version 8.0. More information about
the fix can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0


Details

https://www.securify.nl/advisory/SFY20140905/websense_email_security_vulnerable_to_persistent_cross_site_scripting_in_audit_log_details_view.html


