Stefan Kanthak | 1 Jul 18:15 2015

iTunes 12.2 and QuickTime 7.7.7 for Windows: still outdated and VULNERABLE 3rd party libraries, still UNQUOTED and VULNERABLE pathnames C:\Program Files\...

Hi @ll,

the just released QuickTime 7.7.7 and iTunes 12.2 for Windows still
have quite some of the BLOODY beginners' errors I already documented
in the past.

QuickTime 7.7.7, QuickTime.msi

unquoted pathname of executables in command line

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\QuickTime\shell\open\command]
@="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"

iTunes 12.2, AppleMobileDeviceSupport.msi

outdated 3rd party libraries:

* libcurl 7.16.2

  is NINE years old and has at least 25 unfixed CVEs!

  The current version is 7.43.0; for the fixed vulnerabilities
  see <http://curl.haxx.se/docs/security.html>

* libeay32.dll and ssleay32.dll 0.9.8za from 2014-06-05

  The current version is 0.9.8zg and has 24 security fixes
  which are missing in 0.9.8za; see <http://openssl.org/news/>

Apple STILL doesn't care about customer security, so better STAY AWAY

Pierre Kim | 1 Jul 17:07 2015

Exploit Code for ipTIME firmwares < 9.58 (root RCE against 127 router models)


Please find a text-only version below sent to security mailing-lists.

The complete version on exploits about my last advisory of ipTIME
products is posted here:

    https://pierrekim.github.io/blog/2015-07-01-poc-with-RCE-against-127-iptime-router-models.html

=== text-version of the advisory ===

Disclaimer

    This advisory is licensed under a Creative Commons Attribution Non-Commercial
    Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/

As stated in the previous advisories, ipTIME firmwares prior to version
9.58 are vulnerable to a remote code execution which gives root
privileges.

From the product_db extracted from a live ipTIME system, it concerns at
least these devices:

    g1 g104a g104be g104i g104m g501 i1601 ic416 ic426 in524 ip0526
    ip300 ip409 ip410 ip416 ip418 ip419 ip422 ip449 ip802 ip803 n104
    n104a n104i n104m n2 n3004 n5004 n504 n6004 n604 n604i n604m
    n7004 n704 n704m nx505 q1 q304 q504 t1004 t1008 t2008 tq204
    tv104 tv108 tv116 tv124 x1005 x3003 x5007 z54g

By analyzing the updated firmwares, in total 127 devices were affected:

Security Alert | 1 Jul 15:54 2015

ESA-2015-112: EMC Isilon OneFS Command Injection Vulnerability



ESA-2015-112: EMC Isilon OneFS Command Injection Vulnerability

EMC Identifier: ESA-2015-112

CVE Identifier: CVE-2015-4525

Severity Rating: CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Affected products:
  
•	EMC Isilon OneFS 7.2.0.0 - 7.2.0.1
•	EMC Isilon OneFS 7.1.1.0 - 7.1.1.4
•	EMC Isilon OneFS 7.1.0.x
•	EMC Isilon OneFS 7.0.2.x
•	EMC Isilon OneFS 7.0.1.x
•	EMC Isilon OneFS 6.5.x.x

Summary:  

EMC Isilon OneFS contains a command injection vulnerability that could potentially be exploited by
malicious users to compromise the affected system.

Details:  

The OneFS web administration interface call to perform a log gather operation does not properly check
input.  This could potentially allow malicious users to execute commands as root.

Security Alert | 1 Jul 15:56 2015

ESA-2015-108: EMC Documentum D2 Multiple DQL Injection Vulnerabilities



ESA-2015-108: EMC Documentum D2 Multiple DQL Injection Vulnerabilities

EMC Identifier: ESA-2015-108

CVE Identifier: CVE-2015-0547, CVE-2015-0548

Severity Rating: CVSSv2 Base Score: See below for CVSSv2 score for individual CVEs

Affected products: 

•	EMC Documentum D2 version 4.1
•	EMC Documentum D2 version 4.2
•	EMC Documentum D2 version 4.5

Summary: 
EMC Documentum D2 contains multiple DQL injection vulnerabilities that could potentially be exploited
by malicious users to compromise the affected system. 

Details: 
EMC Documentum D2 is affected by the following DQL injection vulnerabilities:

•	CVE-2015-0547 – DQL injection vulnerability in the D2CenterstageService.getComments service
method could potentially be exploited by malicious users to retrieve sensitive information from the database.

CVSSv2 Base Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)


Security Alert | 1 Jul 15:52 2015

ESA-2015-111: EMC Documentum WebTop Client Products Multiple Vulnerabilities



ESA-2015-111: EMC Documentum WebTop Client Products Multiple Vulnerabilities

CVE Identifier: CVE-2015-0551, CVE-2015-4524

Severity Rating: CVSS v2 Base Score: See below for CVSSv2 scores for individual CVEs

Affected products: 
•	EMC Documentum WebTop, versions 6.7SP1, 6.7SP2, 6.8
•	EMC Documentum Capital Projects 1.8 and 1.9
•	EMC Documentum Administrator, versions 6.7SP1, 6.7SP2, 7.0, 7.1 and 7.2
•	EMC Documentum Digital Assets Manager, version 6.5SP6
•	EMC Documentum Web Publishers, version 6.5 SP7
•	EMC Documentum Task Space, versions 6.7SP1, 6.7SP2

Summary: Multiple vulnerabilities were fixed in WebTop and its client products.

Details: 

1.	Multiple Cross-Site Scripting Vulnerabilities (CVE-2015-0551)

EMC Documentum WebTop based client products contain multiple cross-site scripting vulnerabilities
that could potentially be exploited by attackers to inject arbitrary HTML code or scripts, which may get
executed in the context of an authenticated user. 

CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)



Path Traversal in BlackCat CMS

Advisory ID: HTB23263
Product: BlackCat CMS
Vendor: Black Cat Development
Vulnerable Version(s): 1.1.1 and probably prior
Tested Version: 1.1.1
Advisory Publication:  June 10, 2015  [without technical details]
Vendor Notification: June 10, 2015 
Vendor Patch: June 24, 2015 
Public Disclosure: July 1, 2015 
Vulnerability Type: Path Traversal [CWE-22]
CVE Reference: CVE-2015-5079
Risk Level: High 
CVSSv2 Base Score: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab (
https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in BlackCat CMS, which can be exploited
to view the contents of arbitrary files on the local system. An attacker might be able to obtain potentially
sensitive or system information, and even compromise the vulnerable system.

The vulnerability exists due to improper validation of the file path in the "dl" HTTP GET parameter, when reading
local files using the "/modules/blackcat/widgets/logs.php" script. A remote unauthenticated attacker
can download arbitrary files from the vulnerable system using directory traversal sequences ("../").

A simple exploit below allows download of "config.php" file:

Vulnerability Lab | 1 Jul 09:21 2015

Blueberry Express v5.9.x - SEH Buffer Overflow Vulnerability

Document Title:
===============
Blueberry Express v5.9.x - SEH Buffer Overflow Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1535

Video: http://www.vulnerability-lab.com/get_content.php?id=1537

Release Date:
=============
2015-06-29

Vulnerability Laboratory ID (VL-ID):
====================================
1535

Common Vulnerability Scoring System:
====================================
6.4

Product & Service Introduction:
===============================
Create engaging movies by adding text, sound and images to your screen recording. Make sure your audience
doesn't miss a thing with easy-to-use Zoom-Pan and AutoScroll effects. Create polished tutorials and
presentations with the help of powerful editing functions. Do it the easy way with BB FlashBack screen
recorder. It's never been easier for everyone to see your movies.

Vulnerability Lab | 1 Jul 09:17 2015

FCS Scanner v1.0 & v1.4 - Command Inject Vulnerability

Document Title:
===============
FCS Scanner v1.0 & v1.4 - Command Inject Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1538

Release Date:
=============
2015-06-30

Vulnerability Laboratory ID (VL-ID):
====================================
1538

Common Vulnerability Scoring System:
====================================
5.9

Product & Service Introduction:
===============================
This app (available in German and English) scans your smartphone or tablet and supplies you with detailed
hardware and software information. All data can be sent by mail in xml format. For an exact identification
of every mobile: the name of the file attached contains the inventory number, if there is one, or the
Serial Number otherwise. Thus you can do a professional inventory for multiple phones or tablets!

(Copy of the Homepage: https://itunes.apple.com/nz/app/fcs-scanner/id902969515 &

Vulnerability Lab | 1 Jul 09:14 2015

Ebay Magento Bug Bounty #14 - Persistent Description Vulnerability

Document Title:
===============
Ebay Magento Bug Bounty #14 - Persistent Description Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1463

EIBBP-31602

Release Date:
=============
2015-06-30

Vulnerability Laboratory ID (VL-ID):
====================================
1463

Common Vulnerability Scoring System:
====================================
3.8

Product & Service Introduction:
===============================
Magento is an open source e-commerce web application that was launched on March 31, 2008 under the name
Bento. It was developed by Varien (now Magento, a division of eBay) with help from the programmers within
the open source community but is now owned solely by eBay Inc. Magento was built using parts of the Zend
Framework. It uses the entity-attribute-value (EAV) database model

Vulnerability Lab | 1 Jul 09:10 2015

Pinterest Bug Bounty #1 - Persistent contact_name Vulnerability

Document Title:
===============
Pinterest Bug Bounty #1 - Persistent contact_name Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1431

Release Date:
=============
2015-06-30

Vulnerability Laboratory ID (VL-ID):
====================================
1431

Common Vulnerability Scoring System:
====================================
3.3

Product & Service Introduction:
===============================
Pinterest is a web and mobile application company that offers a visual discovery, collection, sharing,
and storage tool. Users create and share the collections of visual bookmarks (boards). Boards are created
through a user selecting an item, page, website, etc. and pinning it to an existing or newly created board.
Users save and share pins from multiple resources onto boards based on a plethora of criteria, e.g. similar
characteristics, a theme, birthday parties, planning a vacation,

andrew | 1 Jul 08:39 2015

Extra information for CVE-2014-4626 - EMC Documentum Content Server: authenticated user is able to elevate privileges, hijack Content Server filesystem, execute arbitrary commands by creating malicious dm_job objects

Product: EMC Documentum Content Server
Vendor: EMC
Version: ANY
CVE: N/A
Risk: High
Status: public/not fixed

In April 2014 I discovered a vulnerability in EMC Documentum Content Server
which allows an authenticated user to elevate privileges, hijack the Content
Server filesystem or execute arbitrary commands by creating malicious dm_job
objects (for a detailed description see VRF#HUFU6FNP.txt and
VRF#HUFV0UZN.txt).

In October 2014 the vendor announced ESA-2014-105, which claimed that the
vulnerability had been remediated.

In November 2014 the fix was contested (there was a significant delay after
ESA-2014-105 because the vendor constantly fails to provide the status of
reported vulnerabilities) by providing a PoC similar to the one described in
VRF#HUGC34JH.txt; the description provided to CERT/CC (another CNA was chosen
because the vendor fails to communicate) was:
=================================8<================================
The problem is that a non-privileged user is able to create dm_job objects and
execute the corresponding docbase methods (some examples of "malicious" methods
are given in VRF#HUFU6FNP, also see VRF#HUFV0UZN); the word "create" here
means some sequence of commands which results in the existence of a dm_job
object. The PoC in VRF#HUFU6FNP describes an attack on the scheduler - the
scheduler does not schedule jobs unless they are owned by a superuser, so the
command sequence in that case was: "create dm_job and update dm_job". EMC
thinks that they have fixed the vulnerability, but they just fixed the sequence given
