[FD] Socrata Bug Bounty #1 - Persistent Encoding Vulnerability

[Vulnerability Lab]

Document Title:
===
Socrata Bug Bounty #1 - Persistent Encoding Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1438


Release Date:
=
2015-04-22


Vulnerability Laboratory ID (VL-ID):

1438


Common Vulnerability Scoring System:

3.3


Product & Service Introduction:
===
Private Socrata Bug Bounty Program - BC


Abstract Advisory Information:
==
The Vulnerability Laboratory Research Team discovered an application-side input 
validation vulnerability in the Socrata online service web-application.


Vulnerability Disclosure Timeline:
==
2015-02-24: Researcher Notification & Coordination (Benjamin Kunz Mejri - 
Evolution Security GmbH)
2015-02-24: Vendor Notification (Socrata Security Team - Silent Bug Bounty 
Program)
2015-02-24: Vendor Response/Feedback (Socrata Security Team - Silent Bug Bounty 
Program)
2015-02-24: Vendor Fix/Patch (Socrata Developer Team)
2015-02-25: Bug Bounty Reward (Socrata Security Team - Silent Bug Bounty 
Program)
2015-04-22: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Socrata Inc
Product: Socrata Online Service - Web Application 2015 Q1


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:

An application-side mail encoding web vulnerability has been discovered in the 
official Socrata online service web-application.
The vulnerability allows remote attackers to bypass the outgoing mail filter 
validation of the socrata web-server & web-application.

The vulnerability is located in the first- and lastname values of the 
`leadCapture/save` module. Remote attackers without privileged application 
user account are able to inject persistent malicious script codes. The script 
code execution occurs in the notification mail to the service but 
also to the active user copy mail. The persistent injected script code executes 
in the header section were the database context of the first- and 
lastname will be displayed. The sender interacts automatically by usage of the 
discover.socrata.com service. The validation of the db stored outgoing 
values is wrong encoded and allows persistent injections of malicious script 
codes via POST method. The attack vector is persistent and the request 
method to inject is POST.

The security risk of the mail encoding web vulnerability is estimated as medium 
with a cvss (common vulnerability scoring system) count of 3.3.
Exploitation of the web vulnerability requires no privileged web-application 
user account and low or medium user interaction because of the 
persistent attack vector. Successful exploitation of the encoding vulnerability 
results in session hijacking, persistent phishing, persistent 
external redirects and persistent manipulation of web header or mail body 
context.

Vulnerable Domain(s):
[+] discover.socrata.com

Vulnerable Module(s):
[+] index.php/leadCapture/save

Vulnerable Parameter(s):
[+] firstname
[+] lastname

Affected Sender(s):
[+] sa...@socrata.com

Affected Receiver(s):
[+] b...@evolution-sec.com

Affected Context Module(s):
[+] Service Notification Mail (Users)


Proof of Concept (PoC):
===
The vulnerability can be exploited by remote attackers without privileged 
application user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Surf to the vulnerable service page
2. Inject payload to the firstname and lastname values
3. Save the content
4. View your mailbox to review the malicious mail
5 Successful reproduce of the security vulnerability!


PoC: Thank You for Downloading "The 2014 Benchmark Report"


2014 Open Data Benchmark Report









Read the Full Report


Hello ">[PERSISTENT INJECTED 
SCRIPT CODE HERE!]http://www.evolution-sec.com/peng.js"; 
onload="alert(document.cookie),
Thank you for your interest in Socrata. You can download the 2014 
Open Data Benchmark Study at any time by clicking the Download Now button 
below.
An effective digital portal is the foundation of improving efficiency with 
open data. Learn how the http://info.socrata.com/P000y0zS9I1GB80m0SpI193"; target="_blank"
>Socrata Open Data Portal can help you streamline data publishing as well 
>as enable others to search, query, and visualize your data with 
>ease.
Sincerely,   The Socrata Team 

http://discover.socrat

[FD] [ALICLOUDSEC-VUL2015-001]Android wpa_supplicant WLAN Direct remote buffer overflow

[朱东海]

1. Advisory Information

Advisory URL:
http://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.p1ECc3&id=19

Date published: 2015-04-23

Date of last update: 2015-04-23

2. Vulnerability Information

Class: heap overflow

Impact: memory information leak and remote code execution

Remote Exploitable: Yes

Local Exploitable: No

CVE Name: CVE-2015-1863

Vulnerability Information and Patch: http://w1.fi/security/2015-1/

3. Vulnerability Description

In Android, wpa_supplicant is designed to be a "daemon" program that runs in
the background and acts as the backend component controlling the wireless
connection.. When WLAN Direct function of wpa_supplicant is enabled, a
malformed p2p invitation type packet with long ssid can trigger a heap
overflow vulnerability. An attacker could launch a remote attack in the
wireless device signal coverage, access to the victim's android device and
execute native code with the corresponding user privileges (in the android
is wifi user). The user has permission to read the saved WIFI password,
change network configuration, hijacking all Wi-Fi traffic. When combined
with a local privilege escalation vulnerability that allows an attacker to
remotely control a host of victims, implant Trojans and other underlying
implant systems.

4. Vulnerable Packages

 Android 4/Android 5

wpa_supplicant 2.x

5. Credits

Smart hardware research group of Alibaba security team for discovering the
vulnerability.

6. Technical Description

 wpa_supplicant malloc a p2p_device structure, the oper_ssid field
size of which is 0x20 bytes. In the p2p invitation packet the size of ssid
field is described with an octet, the max of which is 0xff. When copy to
oper_ssid field, the length is not checked. When the size of ssid exceeds
0x20 bytes, it can overflow other fields of the p2p_device structure and
overflow heap structure when exceeds 0x40 bytes.

 

In the android version 5.1, the source is:

 p2p_device structure（ wpa_supplicant/p2p/p2p_i.h)

struct p2p_device {

[……….]

int oper_freq;

u8 oper_ssid[32];  <- fixed 0x20 bytes 

size_t oper_ssid_len;

[……….]

/**

* go_neg_conf - GO Negotiation Confirmation frame

*/

struct wpabuf *go_neg_conf;

int sd_pending_bcast_queries;

};

=（wpa_supplicant/p2p/p2p.c p2p_add_device ==

int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,

  struct os_reltime *rx_time, int level, const u8 *ies,

  size_t ies_len, int scan_res)

{

[……….]

if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)

   os_memcpy(dev->interface_addr, addr, ETH_ALEN);

if (msg.ssid &&

(msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||

 os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)

 != 0)) {

os_memcpy(dev->oper_ssid, msg.ssid + 2, msg.ssid[1]);

//the dest buf is 0x20, but the size is controlled by user input, trigger
buffer overflow 

   dev->oper_ssid_len = msg.ssid[1];

}

[……….]

7. Vulnerability Impact Assessment：

1）Affected product：Affect all devices of android version below 5.1 

2）Default configuration exploitable analysis：Although much of android
devices enable WLAN direct when user enters WLAN Direct UI, but: 

We found some models of well-known mobile phone manufacturers (such as
Xiaomi, Huawei), default to open the WLAN Direct. Even if the user never
entered the WLAN Direct UI, the attacker can initiate a WLAN direct
connection and trigger this vulnerability without user interaction. However,
an attacker needs to know WLAN Direct MAC address, the address is the MAC
address of user equipment with first byte OR 2, MAC address of the user
equipment can acquire easily by WIFI packet sniffer, so you can calculate
WLAN Direct MAC address, for example the user device MAC address 14: 12: 34:
56: 78: 90, then WLAN Direct MAC address is 16:12 : 34: 56: 78: 90, which
means that some models of mobile phone, simply open the WIFI service, can
suffer from the vulnerability attack.

For other models without WLAN Direct default enabled need to pay attention,
because a lot of file transfer software use WLAN Direct feature and will
enable it. And this feature once enabled, even if the user exits the WLAN
Direct UI, the feature is enabled until the device reboot or WIFI restart.
During this time the device is affected and can be attack remotely.

3）Impact

This vulnerability can leak information, use leaked information with ROP
to bypass ASLR and DEP. Exploit this vulnerability successfully, attackers
can execute native code with wifi user permission. Then with wifi user
permission can change wifi configuration and hijack network traffic. 

And this vulnerability can be exploited remotely, if composite a local
privilege escalation vulnerability, attackers can implant trojan without
physically touch victim devices. 

  So this vulnerability is high risk, especially for wlan