[FD] [CORE-2018-0012] - Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2

1. *Advisory Information*

Title: Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2
Advisory ID: CORE-2018-0012
Advisory URL: http://www.secureauth.com/labs/advisories/cisco-webex-meetings-elevation-privilege-vulnerability-version-2
Date published: 2019-02-27
Date of last update: 2019-02-27
Vendors contacted: Cisco
Release mode: Coordinated release

2. *Vulnerability Information*

Class: OS command injection [CWE-78]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2019-1674

3. *Vulnerability Description*

Cisco's Webex Meetings website states that [1]:

  Cisco Webex Meetings: Simply the Best Video Conferencing and Online Meetings. With Cisco Webex Meetings, joining is a breeze, audio and video are clear, and screen sharing is easier than ever. We help you forget about the technology, to focus on what matters.

A vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows could allow a local attacker to elevate privileges.

4. *Vulnerable Packages*

. Cisco Webex Meetings Desktop App v33.6.4.15
. Cisco Webex Meetings Desktop App v33.6.5.2
. Cisco Webex Meetings Desktop App v33.7.0.694
. Cisco Webex Meetings Desktop App v33.7.1.15
. Cisco Webex Meetings Desktop App v33.7.2.24
. Cisco Webex Meetings Desktop App v33.7.3.7
. Cisco Webex Meetings Desktop App v33.8.0.779
. Cisco Webex Meetings Desktop App v33.8.1.13
. Cisco Webex Meetings Desktop App v33.8.2.7
. Older versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

Cisco informed us that the vulnerability is fixed in Cisco Webex Meetings Desktop App releases 33.6.6 and 33.9.1. In addition, Cisco published the following advisory:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-wmda-cmdinj

6. *Credits*

This vulnerability was discovered and researched by Marcos Accossatto from SecureAuth. The publication of this advisory was coordinated by Leandro Cuozzo from SecureAuth Advisories Team.

7. *Technical Description / Proof of Concept Code*

7.1. *Privilege Escalation* [CVE-2019-1674]

The update service of Cisco Webex Meetings Desktop App for Windows does not properly validate the version numbers of new files. An unprivileged local attacker could exploit this vulnerability by invoking the update service command with a crafted argument and folder. This allows the attacker to run arbitrary commands with SYSTEM user privileges.

The vulnerability can be exploited by copying the atgpcdec.dll binary to a local attacker-controlled folder and renaming it atgpcdec.7z. Then, a previous version of ptUpdate.exe must be compressed as 7z and copied to the controlled folder. A malicious DLL named vcruntime140.dll must also be placed in the same folder, compressed as vcruntime140.7z. Finally, a ptUpdate.xml file must be provided in the controlled folder so that the update binary (ptUpdate.exe) treats our files as a normal update.

To gain privileges, the attacker must start the service with the command line:

  sc start webexservice WebexService 1 989898 "attacker-controlled-path"

Proof of Concept:

The following proof of concept performs a two-step attack, since starting from version 33.8.X the application enforces signature checking for all downloaded binaries. This two-step attack works against all the vulnerable packages listed above. Notice that you will need previous versions of the ptUpdate.exe executable: 3307.1.1811.1500 for the first step and 3306.4.1811.1600 for the last step. To exploit versions prior to 33.8.X, only one step is required (the last step in this PoC).

Batch file:
/-
@echo off
REM Contents of PoC.bat
REM
REM This batch file will exploit CVE-2019-1674
REM
REM First, it will copy the atgpcdec.dll file from the installation
REM folder to the current folder as atgpcdec.7z. Then, it will backup
REM ptUpdate.exe and vcruntime140.dll files from the installation folder
REM in the current folder, adding .bak to their names. Keep in mind that
REM those files will be replaced (especially, vcruntime140.dll) and if
REM not restored, will render the application useless.
REM
REM The executable ptUpdate.exe version 3307.1.1811.1500 must be
REM compressed as ptUpdate0.7z and present in the current folder.
REM The executable ptUpdate.exe version 3306.4.1811.1600 must be
REM compressed as ptUpdate1.7z and present in the current folder.
REM Both can be generated using 7zip GUI and compressing as 7z, with
REM normal compression level and LZMA compression method.
REM Another way is to compress both files using the command line app:
REM
REM 7z.exe a ptUpdate0.7z ptUpdate.exe -m0=BCJ -m1=LZMA:d=21
REM
REM ptUpdate0.xml file will be used in the first stage of the attack. It
REM will
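Two things a responder needs from this advisory are a correct "am I affected" test (the fix shipped on two release trains, so a single version comparison gets 33.6.6 wrong) and a way to spot the exploit's service start in process-creation telemetry. The Python below is an added example and is not code from the SecureAuth advisory, its PoC, or Cisco. The fixed releases come from section 5 above; the list of folder prefixes treated as legitimate update locations, the sample process-creation lines, and the treatment of 33.9.0 and of versions older than 33.6 as affected are assumptions made for this example and are marked as such in the code.

```python
"""Triage helpers for CVE-2019-1674 (Cisco Webex Meetings Desktop App for Windows).

Added example: not code from the SecureAuth advisory, its PoC, or Cisco.

1. is_vulnerable_version(): is an installed version in an affected range,
   given the fixed releases 33.6.6 and 33.9.1 named in section 5?
2. classify_update_start(): does a process-creation command line look like
   the exploit's  sc start webexservice WebexService 1 <n> "<path>"  with an
   update folder outside the expected location?  EXPECTED_PREFIXES is an
   ASSUMPTION made for this example; the advisory does not say where a
   legitimate update folder lives, so tune it to what your estate shows.
"""
import re

FIXED_33_6 = (33, 6, 6)  # fixed release on the 33.6 train (advisory section 5)
FIXED_33_9 = (33, 9, 1)  # fixed release for 33.7 and 33.8 users (advisory section 5)


def parse_version(text):
    """'33.6.4.15' -> (33, 6, 4, 15); tuples compare element-wise, which is
    the right ordering for dotted version strings."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable_version(text):
    """True if the version predates the fix on its own release train.

    The fix shipped on two trains, so a single '< 33.9.1' test is wrong:
    33.6.6 is fixed although it is older than the vulnerable 33.8.2.7.
    ASSUMPTIONS: versions before 33.6 are treated as vulnerable (the advisory
    says they were not checked), and 33.9.0 is treated as vulnerable because
    it precedes the only fixed release named on that train.
    """
    v = parse_version(text)
    if v[:2] < (33, 6):
        return True
    if v[:2] == (33, 6):
        return v < FIXED_33_6
    return v < FIXED_33_9


# sc.exe with or without a full path and quotes, then the exploit's argument
# shape: service name, "WebexService", two numbers, and the folder.
SC_START_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?sc(?:\.exe)?"?\s+start\s+webexservice\s+webexservice\s+'
    r'(?P<arg1>\d+)\s+(?P<arg2>\d+)\s+"?(?P<path>[^"]+?)"?\s*$',
    re.IGNORECASE,
)

# ASSUMPTION (see module docstring): where a genuine update folder would be.
EXPECTED_PREFIXES = (
    "c:\\program files (x86)\\webex\\",
    "c:\\program files\\webex\\",
    "c:\\programdata\\webex\\",
)


def classify_update_start(cmdline):
    """None if the command line is not a WebexService update start;
    'expected' if the folder sits under an expected prefix; 'suspicious'
    otherwise (a user-writable folder, a UNC share, another drive...)."""
    m = SC_START_RE.match(cmdline)
    if m is None:
        return None
    path = m.group("path").strip().lower().replace("/", "\\")
    if path.startswith("\\\\"):
        return "suspicious"  # UNC path: the staged 7z files come from a remote share
    if any(path.startswith(prefix) for prefix in EXPECTED_PREFIXES):
        return "expected"
    return "suspicious"


# Constructed process-creation records (not real telemetry), one
# "CommandLine=" field per line as a 4688 or Sysmon event would carry it.
SAMPLE_PROCESS_EVENTS = [
    'Image=C:\\Windows\\System32\\sc.exe CommandLine=sc start webexservice WebexService 1 989898 "C:\\Users\\alice\\Desktop\\poc"',
    'Image=C:\\Windows\\System32\\sc.exe CommandLine="C:\\Windows\\System32\\sc.exe" start webexservice WebexService 1 989898 \\\\fileserv\\share\\upd',
    'Image=C:\\Windows\\System32\\sc.exe CommandLine=sc start webexservice WebexService 1 989898 "C:\\ProgramData\\Webex\\update\\33.9.1"',
    'Image=C:\\Windows\\System32\\sc.exe CommandLine=sc query webexservice',
]


def find_suspicious_update_starts(events):
    """Return the command lines that start the update service from an unexpected folder."""
    hits = []
    for line in events:
        _, _, cmd = line.partition("CommandLine=")
        if cmd and classify_update_start(cmd) == "suspicious":
            hits.append(cmd)
    return hits


if __name__ == "__main__":
    for ver in ("33.6.4.15", "33.6.6", "33.8.2.7", "33.9.1"):
        print(ver, "vulnerable" if is_vulnerable_version(ver) else "fixed")
    for cmd in find_suspicious_update_starts(SAMPLE_PROCESS_EVENTS):
        print("SUSPICIOUS:", cmd)
```

The version check is deliberately conservative at the edges the advisory does not cover (pre-33.6 builds, 33.9.0): in an inventory sweep a false "vulnerable" costs a re-check, a false "fixed" costs a SYSTEM-level foothold. The command-line match keys on the exploit's argument shape rather than on the PoC path, so it is not defeated by renaming the folder.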
[FD] SHAREit for Android Authentication Bypass and Remote File Download
RedForce Advisory
https://redforce.io

## Advisory Information

Title: SHAREit For Android <= 4.0.38 Multiple Vulnerabilities
Advisory URL: https://blog.redforce.io/shareit-vulnerabilities-enable-unrestricted-access-to-adjacent-devices-files/
Date published: 2019-02-25
Date of last update: 2019-02-25
Vendors contacted: Beijing Shareit Information Technology Co., Ltd.

## Introduction

SHAREit for Android is a popular application used for file transfer among cross-platform devices using WiFi. It is one of the most popular Android applications, with over 500 million downloads (950M+ downloads according to the [AndroidRank database](https://www.androidrank.org/application/shareit_transfer_share/com.lenovo.anyshare.gps?hl=en)).

## Vulnerability Description

SHAREit for Android <= 4.0.38 was found to be prone to multiple high-severity vulnerabilities that enable a remote attacker (on the same network, or joining the public "open" WiFi hotspots the application creates when a file transfer is initiated) to download arbitrary files from the user's device, including contacts, photos, videos, sound clips, etc.

Full technical details can be found in our advisory (https://blog.redforce.io/shareit-vulnerabilities-enable-unrestricted-access-to-adjacent-devices-files/).

## Proof of Concept

### Quick Demo

https://www.youtube.com/watch?v=Q4kk4FvrH6g

### Full Length Proof of Concept (GUI and AutoPwn modules)

https://www.youtube.com/watch?v=xzoJXBCznWc

### Exploit Code (dubbed DUMPit)

https://github.com/redforcesec/DUMPit/

## Credits

These vulnerabilities were discovered and researched by Abdulrahman Nour from RedForce.

## About RedForce

RedForce is an information security consultancy firm consisting of a team of experts in the offensive security field. By using the latest techniques, methodologies and attack simulation from an adversary's perspective, we make sure that your organization is approaching best practice to mitigate risk at the lowest cost.

We take a holistic approach to our offensive services. Our aim is to contribute to the efforts of our customers in securing the critical IT infrastructure and crown jewels within their IT landscape.

For more information, please visit https://redforce.io

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] Apache UNO API RCE
Dear reader,

I am not sure if I am contacting you through the right email address, but someone said I should e-mail you guys. I found an RCE functionality in the Apache UNO API which could give an attacker control over a machine, or use a machine already compromised in the network to exfiltrate data, etc. The company that posted this issue on their blog is the company where I did my internship. Copy-paste from the advisory on there:

[START OF ADVISORY]

CVE reference: not yet assigned (see below)
CVSS score: 9.8 (critical)
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected systems
Apache OpenOffice, all recent versions including current version 4.1.6, all platforms
LibreOffice, all recent versions including current version 6.2.0 / 6.1.5, all platforms

We don't know when the vulnerable API was introduced. The code for it seems to be 5 years old, judging from timestamps.

Note that normal use of OpenOffice or LibreOffice as a "client" does not expose this vulnerability. OpenOffice/LibreOffice must explicitly be told to run as an "office server" and to listen on a network port for it to expose this API call.

Overview
The Apache UNO API is exposed to the network if OpenOffice or LibreOffice is run as an "office server" using a command such as this:

  soffice --accept='socket,host=0.0.0.0,port=2002;urp;StarOffice.Service'

The API exposes an interface named XSystemShellExecute whose execute method runs an arbitrary command sent to it as a parameter. No authentication is required, only knowledge of the protocol. Details (without proof-of-concept code for now) are available in Axel's blog post.

Impact
The impact of this issue can be severe. Any user account used to launch OpenOffice or LibreOffice in office server mode can be compromised with relative ease. There are two mitigating factors:
- The "office server" mode is rarely used.
- Although examples tend to use port numbers just above 2000, there is no default port number, so scanning for this issue is not trivial.

Solution
Unfortunately, after five months of trying, we have not been able to convince the Apache Security Team that this is, in fact, a security issue. So there is no patch. This is also why there is no CVE number: Apache assigns their own CVE numbers (they are a "CNA", a "CVE Numbering Authority", themselves), and they are not recognising this as a security issue.

We can only recommend, if using OpenOffice or LibreOffice in server mode is absolutely necessary, to use a firewall (possibly host-based) to limit which systems can connect to the API, and to run it in a container using a low-privileged user account.

We have also made available a Snort rule to detect the use of this API call on your network:

  alert tcp any any -> any any (msg:"Apache API XSystemShellExecute Detected"; content:"com.sun.star.system.XSystemShellExecute"; flow:to_server; sid:31337; rev:1;)

Before deploying it, give the rule a SID in the local range (1,000,000 and above; lower SIDs are reserved for the rule sets shipped with Snort). The rule is a plain content match on the interface name as it appears in the URP request, so it relies on Snort's TCP stream reassembly to catch a name that spans two segments.

Technical details
See Axel's excellent blog post for many more details of this issue.

Responsible disclosure timeline
18-Sep-2018: RCE disclosed to Apache Security Team
06-Dec-2018: E-mailed Apache to ask about the status of investigation
11-Dec-2018: Apache said they are aiming for a new release in January, asking us to postpone the disclosure of the RCE until 31-Jan-2019
18-Dec-2018: New OpenOffice release (4.1.6) without a fix for this issue or any communications from Apache
25-Jan-2019: E-mailed Apache to ask about the status of investigation
05-Feb-2019: Received e-mail from Apache that they don't consider this to be a security issue because the configuration is so uncommon, but are willing to work together to fix this in OpenOffice 4.1.7
07-Feb-2019: E-mailed Apache to confirm that we're willing to work with them on this issue
22-Feb-2019: E-mailed Apache to let them know we're planning to release
27-Feb-2019: Release of this post and advisory

Vendor advisory
None as yet.
[END OF ADVISORY]

Advisory: https://hackdefense.com/blog/security-advisory-rce-in-apache-uno-api/
Write-up: https://hackdefense.com/blog/finding-RCE-capabilities-in-the-apache-uno-api/

Feel free to message me for more information about the proof of concept code.

With kind regards,
Axel Boesenach
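The advisory's two defensive knobs are the Snort content match and the listener configuration. The Python below is an added example, not code from the HackDefense advisory and not part of OpenOffice or LibreOffice. It reproduces the Snort rule's logic (match the interface name in client-to-server bytes) over a reassembled stream, handling the case a packet-by-packet matcher misses, namely the name split across two TCP segments; and it classifies a `--accept=` value like the one quoted above as loopback-only, named pipe, or network-exposed, which is the setting to change when a firewall alone is not enough. The byte segments are constructed, and the assumption that every non-loopback `host=` value (including `0.0.0.0` or an omitted host) is network-reachable is stated in the code.

```python
"""Detection and hardening checks for an exposed UNO "office server" listener.

Added example: not code from the HackDefense advisory and not part of
OpenOffice or LibreOffice.

* UrpMarkerDetector reproduces the advisory's Snort rule logic (a content
  match on "com.sun.star.system.XSystemShellExecute" in client-to-server
  traffic) over a reassembled byte stream, and keeps a tail buffer so the
  name is still caught when a TCP segment boundary splits it.
* accept_string_exposure() reads a --accept= value such as
  "socket,host=0.0.0.0,port=2002;urp;StarOffice.Service" and reports whether
  the listener is reachable from other hosts. ASSUMPTION: only localhost,
  127.0.0.1 and ::1 count as loopback; 0.0.0.0, a specific address, or an
  omitted host= are all treated as network-reachable. Confirm against the
  build you run.
"""

MARKER = b"com.sun.star.system.XSystemShellExecute"


class UrpMarkerDetector:
    """Feed client-to-server payload bytes in arrival order; `hits` is the
    number of marker occurrences seen so far, including ones that straddled
    two feeds."""

    def __init__(self, marker=MARKER):
        self.marker = marker
        self.hits = 0
        self._tail = b""  # at most len(marker)-1 bytes carried to the next feed

    def feed(self, segment):
        data = self._tail + segment
        # The tail is shorter than the marker, so a match that was already
        # counted cannot be counted a second time here.
        self.hits += data.count(self.marker)
        keep = len(self.marker) - 1
        self._tail = data[-keep:] if keep else b""
        return self.hits


def scan_stream(segments, marker=MARKER):
    """Run the detector over a list of segments and return the hit count."""
    detector = UrpMarkerDetector(marker)
    for segment in segments:
        detector.feed(segment)
    return detector.hits


LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # ASSUMPTION, see module docstring


def parse_accept(accept):
    """'socket,host=0.0.0.0,port=2002;urp;StarOffice.Service'
    -> ('socket', {'host': '0.0.0.0', 'port': '2002'}, 'urp')"""
    connector, _, rest = accept.partition(";")
    protocol = rest.split(";", 1)[0]
    parts = connector.split(",")
    kind = parts[0].strip().lower()
    params = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        params[key.strip().lower()] = value.strip()
    return kind, params, protocol


def accept_string_exposure(accept):
    """'network' if other hosts can reach the listener, 'local' for a named
    pipe or a loopback bind, 'unknown' for a connector this code does not know."""
    kind, params, _ = parse_accept(accept)
    if kind == "pipe":
        return "local"
    if kind != "socket":
        return "unknown"
    host = params.get("host", "").lower()
    if host in LOOPBACK:
        return "local"
    # All-interfaces binds and specific non-loopback addresses are both
    # reachable from the network; only a firewall stands in the way.
    return "network"


# Constructed segments (not captured traffic): the type name as it would
# appear inside a request, split across two segments at an arbitrary point.
SPLIT_REQUEST = [b"\x00\x10com.sun.st", b"ar.system.XSystemShellExecute\x00"]

if __name__ == "__main__":
    print("hits on split request:", scan_stream(SPLIT_REQUEST))
    print(accept_string_exposure("socket,host=0.0.0.0,port=2002;urp;StarOffice.Service"))
```

The tail buffer is the whole point of the detector: without it, the first segment ending in `com.sun.st` and the second starting with `ar.system...` each look innocent. The accept-string check is what you would run over process command lines or service unit files to find office servers that should have been bound to loopback or a pipe.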
[FD] [CVE-2019-9206, CVE-2019-9207] Cross Site Scripting in PRTG Network Monitor v7.1.3.3378
In 2009...
[FD] DSA-2019-025: RSA Archer GRC Platform Multiple Vulnerabilities
DSA-2019-025: RSA Archer GRC Platform Multiple Vulnerabilities

Dell EMC Identifier: DSA-2019-025
CVE Identifier: CVE-2019-3705, CVE-2019-3706
Severity Rating: See below for scores of individual CVEs

Affected Products:
RSA Archer versions prior to 6.5 P1 (CVE-2019-3705)
RSA Archer versions prior to 6.5 P2 (CVE-2019-3706)

Summary:
RSA Archer has fixes available for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.

Details:
The RSA Archer product has been updated to address the following vulnerabilities:

* Information Exposure Vulnerability (CVE-2019-3705)
RSA Archer versions prior to 6.5 P1 contain an information exposure vulnerability. Users' session information is logged in plain text in the RSA Archer log files. An authenticated malicious local user with access to the log files may obtain the exposed information and use it in further attacks.
CVSSv3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

* Information Exposure Vulnerability (CVE-2019-3706)
RSA Archer versions prior to 6.5 P2 contain an information exposure vulnerability. The database connection password may get logged in plain text in the RSA Archer log files. An authenticated malicious local user with access to the log files may obtain the exposed password and use it in further attacks.
CVSSv3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Recommendation:
For CVE-2019-3705, the following RSA Archer releases contain a resolution for this vulnerability:
* RSA Archer version 6.5 P1 (6.5.0.1)
* RSA Archer version 6.5 P2 (6.5.0.2) [6.5 P2 contains the items fixed in 6.5 P1]
* RSA Archer version 6.4 SP1 P5 (6.4.1.5)

For CVE-2019-3706, the following RSA Archer releases contain a resolution for this vulnerability:
* RSA Archer version 6.5 P2 (6.5.0.2)
* RSA Archer version 6.4 SP1 P5 (6.4.1.5)

RSA recommends all customers upgrade at the earliest opportunity.
Severity Rating
For an explanation of Severity Ratings, refer to the Security Advisories Severity Rating (https://community.rsa.com/docs/DOC-47147) knowledge base article. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.

Legal Information
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact RSA Technical Support (https://community.rsa.com/docs/DOC-1294). RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell Technologies, distribute RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
Dell Product Security Incident Response Team
sec...@dell.com
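Both CVEs in DSA-2019-025 are one failure class: a secret (a session identifier, a database password inside a connection string) written to a log file that anyone with read access to the logs can harvest. The Python below is an added example, not RSA Archer code, and it says nothing about how Archer itself logs; it shows the standard countermeasure, a redaction filter attached to the logging handler so that passwords and session identifiers are masked before any handler writes them, even when a caller logs the wrong object. The field names it recognises (`Password=`/`Pwd=` in an ADO-style connection string, `ASP.NET_SessionId`, `sessionid`, `session_token`, bearer tokens) and the two log lines it processes are assumptions constructed for illustration.

```python
"""Log redaction for the exposure class in DSA-2019-025 (CVE-2019-3705 and
CVE-2019-3706): session identifiers and a database password written to log
files in plain text.

Added example: not RSA Archer code, and no statement about how Archer logs.
It shows the usual countermeasure, redacting at the logging boundary so that
a log reader cannot recover the secret even when a caller logs the wrong
object. The field names and formats (Password=/Pwd= in a connection string,
ASP.NET_SessionId, sessionid, session_token, bearer tokens) are ASSUMPTIONS
chosen for illustration.
"""
import io
import logging
import re

MASK = "[REDACTED]"

# Each pattern captures (key, separator, secret); only the secret is replaced,
# so the line still says which field was present.
REDACTION_PATTERNS = [
    # ADO/ODBC style connection strings: ";Password=hunter2;" or "Pwd=..."
    re.compile(r"(?i)\b(password|pwd)(\s*=\s*)([^;\s'\"]+)"),
    # session identifiers in cookies, query strings or structured fields
    re.compile(r"(?i)\b(ASP\.NET_SessionId|sessionid|session_token)(\s*[=:]\s*)([A-Za-z0-9+/=_\-]+)"),
    # bearer tokens from logged request headers
    re.compile(r"(?i)\b(Authorization:\s*Bearer)(\s+)([A-Za-z0-9._\-]+)"),
]


def redact(text):
    """Replace every recognised secret value in text with MASK."""
    for pattern in REDACTION_PATTERNS:
        text = pattern.sub(lambda m: m.group(1) + m.group(2) + MASK, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites the message and its %-style string arguments before any
    handler formats them, so log.info("conn=%s", conn) is covered as well as
    a pre-formatted string. Attach it to the handler, not the logger: logger
    filters do not run for records propagated from child loggers."""

    def filter(self, record):
        if isinstance(record.msg, str):
            record.msg = redact(record.msg)
        if isinstance(record.args, dict):
            record.args = {k: redact(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact(a) if isinstance(a, str) else a
                                for a in record.args)
        return True


def demo_lines():
    """Log two constructed lines (not real Archer output) through a redacting
    handler and return what would have reached the log file."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("redaction.example")
    log.handlers.clear()
    log.addHandler(handler)
    log.propagate = False
    log.setLevel(logging.INFO)
    log.info("db connect: Server=sql01;Database=Archer;User Id=svc;Password=hunter2;")
    log.info("request ok for %s", "ASP.NET_SessionId=abcDEF123; path=/")
    handler.flush()
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    for line in demo_lines():
        print(line)
```

Redacting in the filter rather than at each call site is the design point: the advisory's two bugs are exactly the call sites nobody reviewed. Keep the key and mask only the value so the line remains useful for debugging, and remember that a filter on a logger does not see records propagated from child loggers, so the handler is where it belongs.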
[FD] DSA-2019-038: RSA® Authentication Manager Insecure Credential Management Vulnerability
DSA-2019-038: RSA® Authentication Manager Insecure Credential Management Vulnerability

Dell EMC Identifier: DSA-2019-038
CVE Identifier: CVE-2019-3711
Severity Rating: 5.8 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N)

Affected Products:
• RSA® Authentication Manager version 8.4 and earlier

Summary:
RSA Authentication Manager contains a vulnerability associated with insecure credential management.

Details:
The Operations Console components within RSA Authentication Manager have been updated to address the following vulnerability:

• Insecure Credential Management Vulnerability
RSA Authentication Manager versions prior to 8.4 P1 contain an insecure credential management vulnerability. A malicious Operations Console administrator may be able to obtain the value of a domain password that another Operations Console administrator had set previously and use it for attacks.
CVSSv3 Base Score: 5.8 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N)

For more information about any of the Common Vulnerabilities and Exposures (CVEs) mentioned here, consult the National Vulnerability Database (NVD) at http://nvd.nist.gov/home.cfm. To search for a particular CVE, use the database's search utility at http://web.nvd.nist.gov/view/vuln/search.

Recommendation:
The following RSA Authentication Manager release contains a resolution for this vulnerability:
• RSA Authentication Manager version 8.4 P1 and later

RSA recommends all customers upgrade at the earliest opportunity.

Severity Rating
For an explanation of Severity Ratings, refer to the Security Advisories Severity Rating (https://community.rsa.com/docs/DOC-47147) knowledge base article. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.
Dell Product Security Incident Response Team
sec...@dell.com