Alexander E. Patrakov | 29 May 19:48 2015

StrongSwan VPN client for Android leaks username to rouge server


I found that, in the event of DNS spoofing, StrongSwan VPN client for 
Android can leak the username and the MSCHAPv2 authentication value to a 
rogue server if it has any valid X.509 certificate. Unless I 
misunderstand something about X.509 certificates and their use for 
confirming IKEv2 identities, and unless this is already known, this 
might use a CVE ID.

The client that I am talking about is this Android application:

In the example below, the client was supposed to connect to 
using username "alice" and a password. The server identity is validated 
by a CA-issued certificate that ultimately chains to something in the 
default trust store. However, a hacker has spoofed the DNS (well, in the 
example, that's actually a deliberate misconfiguration by me) so that points to his server ( in this example) instead. 
On that server, he (legitimately) has a valid certificate for

The settings on the client are:

Profile Name: VPN
Type: IKEv2 EAP (Login/Password)
Login: alice
Password: <hidden>
CA Certificate: Choose automatically
(Continue reading)

P J P | 29 May 18:35 2015

CVE request Linux kernel: ns: user namespaces panic


Linux kernel built with the user namespaces support(CONFIG_USER_NS) is 
vulnerable to a NULL pointer dereference flaw. It could occur when users in 
user namespaces do unmount mounts.

An unprivileged user could use this flaw to crash the system resulting in DoS.

Upstream fixes:

It was introduced by:

Thank you Drew Fisher for reporting this issue to Fedora Security Team.

Thank you.
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Larry W. Cashdollar | 29 May 16:55 2015

wow-moodboard-lite v1.1.1.1 Wordpress plugin has an open redirect

Title: wow-moodboard-lite v1.1.1.1 Wordpress plugin has an open redirect
Author: Larry W. Cashdollar,  <at> _larry0
Date: 2015-05-10
Download Site:
Vendor: mschot
Vendor Notified: 2015-05-19
Vendor Contact:
A mood board is a type of collage consisting of images, text, and samples of objects in a composition. They
may be physical or digital, and can be "extremely effective" presentation tools.

wowproxy.php doesn’t require any authentication to the proxy images function.   Users can be misled to a
malicious link
via this feature.

26 // Get the url of the image to be proxied
27 $url = ( isset( $_POST[ 'url' ] ) ) ? $_POST[ 'url' ] : ( isset( $_GET[ 'url    ' ] ) ? $_GET[ 'url' ] : false );

39 function proxyimages( $url )
40 {
41         header( "Location: ".$url );
42         exit;
43 }

CVEID: 2015-4070
Exploit Code:
	• http://wp-site/wordpress/wp-content/plugins/wow-moodboard-lite/wowproxy.php?url=http://site_to_redirect
(Continue reading)

Enrico Zini | 29 May 15:00 2015

[CVE-2015-0839] hp-plugin binary driver verification


background history:

2015-03-10: I reported this issue to the Debian security team
2015-03-12: The Debian security team assigned CVE-2015-0839 from the
            Debian pool
2015-03-16: I reported this issue upstream, privately, at
2015-05-29: There has been no reply from upstream so far, so I am making
            a public report.
The issue:

I was forced to run hp-plugin to download a binary driver for the new
printer, and I noticed this bit:

  Downloading plug-in from:
  Receiving digital keys: /usr/bin/gpg --homedir /home/enrico/.hplip/.gnupg
--no-permission-warning --keyserver --recv-keys 0xA59047B9
  Creating directory plugin_tmp
  Verifying archive integrity... All good.

The use of a short key ID worries me, because it is now trivial to
generate keys with arbitrary key IDs, and gpg --recv-keys will happily
download all those it finds. Also, is a keyserver where
everyone can upload arbitrary keys.

You can run "gpg --recv 70096AD1" to play with multiple keys having the
same key ID.
(Continue reading)

Henri Salo | 29 May 13:40 2015

CVE request: XSS and CSRF in WP Smiley plugin for WordPress

We found following vulnerabilities with Joni Hauhia. Could you assign CVE for
these issues, thanks.

Product: WordPress plugin wp-smiley
Plugin page:
Developer: As247 (no contact information available)
Vulnerability Type:
  CWE-79: Cross-site scripting
  CWE-352: Cross-Site Request Forgery
Vulnerable Versions: 1.4.1
Fixed Version: N/A
Solution Status: N/A
Vendor Notification: 2015-03-24
Public Disclosure: 2015-05-29

Vulnerability details:

WP Smiley plugin for WordPress contains a flaw that allows a stored
cross-site-scripting (XSS) attack. This flaw exists because the smilies4wp.php
script does not validate input properly before returning it to users. This
allows an authenticated remote attacker to create a specially crafted request
that would execute arbitrary script code in a user's browser session within the
trust relationship between their browser and the server.

Editor-level user account can use this cross-site scripting vulnerability
against Administrator-level users.

Root cause:

(Continue reading)

Joe Bowser | 27 May 22:03 2015

CVE-2015-1835: Remote exploit of secondary configuration variables in Apache Cordova on Android

CVE-2015-1835: Remote exploit of secondary configuration variables in
Apache Cordova on Android


The Apache Software Foundation

Versions Affected:
Cordova Android up to 4.0.1 (3.7.2 excluded)

Android applications built with the Cordova framework that don't have
explicit values set in Config.xml can have undefined configuration
variables set by Intent.  This can cause unwanted dialogs appearing in
applications and changes in the application behaviour that can include the
app force-closing.

The latest release of Cordova Android entirely removes the ability of
configuration parameters to be set by intents.  This change is an API
change in the platform, and third-party plugins that use values set in the
config.xml should make sure that they use the preferences API instead of
relying on the Intent bundle, whcih can be manipulated in this case.

Upgrade path:
Developers who are concerned about this should rebuild their applications
with either Cordova Android 4.0.2, or Cordova 3.7.4 if they are unable to
upgrade to Cordova 4.0.2. Developers should also make sure that variables
(Continue reading)

Seaman, Chad | 27 May 20:53 2015

CVE Request, multiple WordPress plugins and themes


?I'm not sure if these should be broken down by individual vulnerability or lumped per plugin/theme, there
are 21 plugins/themes affected in total.

  * grand-media [PLUGIN]
    + url:
    + vuln found:
    :--|- XSS
    :--|- LFI
    :    |- note: only truly exploitable if user sets ALLOW_NO_EXT == true
    :--|- DoS
    :    |- note: force to recursively call itself via remote 301 redirects, cripples php-fpm w/ nginx
    :--|- Open proxy

  * wp-mobile-edition [PLUGIN]
    + url:
    + vuln found:
    :--|- LFI
    :    |- note: pre PHP 5.3 is likely (unconfirmed) suspectible to nullbyte injection, meaning any file can be read
    :--|- OpenProxy
    :--|- DoS
    :    |- note: will process list of files in for loop, aiding DoS capabilities
    :    |- note: follows 301 redirects, can be used to recursively call itself to exhaustion, ?cripples php-fpm
w/ nginx
(Continue reading)

Jason A. Donenfeld | 27 May 16:45 2015

CVE Request: Linux Kernel Ozwpan Driver - Remote packet-of-death vulnerabilities

Hi folks,

This is a resend, as the other request seems to have gotten lost in the mix.

A variety of issues have been found in Linux's ozwpan driver.

1. A remote packet can be sent, resulting in funny subtractions of
signed integers, which causes a memcpy(kernel_heap,
network_user_buffer, -network_user_provided_length).

There are two different conditions that can lead to this:
You may want to give two CVEs or just one CVE for these two issues.

2. A remote packet can be sent, resulting in divide-by-zero in
softirq, causing hard crash:

3. A remote packet can be sent, resulting in a funny subtraction,
causing an insanely big loop to lock up the kernel:

4. Multiple out-of-bounds reads, resulting in possible information
leakage, explained in the last paragraph of the introductory email

Please assign CVEs so that these can be properly tracked. I've been
told the v2 of these patches are in the merging queue.
(Continue reading)

Kurt Seifried | 26 May 18:41 2015

Question about tmp flaws in non-default build options (e.g. Kerberos DEBUG_ASN1)

So I found some obvious tmp vulns in Kerberos, but they only exist if
you build with DEBUG_ASN1 on (and if you're in that situation you got
some not fun problems).

However based on the fact that CVE-2014-1692 (the OpenSSH J-PAKE
protocol) it seems that even if the code is not enabled by default, the
fact that it exists is enough to qualify it for a CVE. So with this in
mind I'm sending a CVE request in.

First example from each of the 3 files affected by the DEBUG_ASN1 tmp
file issues (note: print_buffer_bin doesn't do anything clever to be safe):

#ifdef DEBUG_ASN1
    if (cms_msg_type == CMS_SIGN_CLIENT) {
        print_buffer_bin(*signed_data, *signed_data_len,
    } else {

#ifdef DEBUG_ASN1
    print_buffer_bin(data->contents, data->length, "/tmp/kdc_as_req");

(Continue reading)

Kurt Seifried | 26 May 16:53 2015

FreeRDP tmp flaws

This may need 2 CVE's because different versions are affected.

Upstream has no security address I can find, filing a GitHUB issue (what
their wiki says to do) which is public so also posting here.

This is in the RHEL 7 version and upstream:
./channels/drdynvc/tsmf/tsmf_media.c:			snprintf(buf, sizeof(buf),
"/tmp/FreeRDP_Frame_%d.ppm", frame_id);
                /* Dump a .ppm image for every 30 frames. Assuming the
frame is in YUV format, we
                   extract the Y values to create a grayscale image. */
                static int frame_id = 0;
                char buf[100];
                FILE * fp;
                if ((frame_id % 30) == 0)
                        snprintf(buf, sizeof(buf),
"/tmp/FreeRDP_Frame_%d.ppm", frame_id);
                        fp = fopen(buf, "wb");
                        fwrite("P5\n", 1, 3, fp);
                        snprintf(buf, sizeof(buf), "%d %d\n",
sample->stream->width, sample->stream->height);
                        fwrite(buf, 1, strlen(buf), fp);
                        fwrite("255\n", 1, 4, fp);
                        fwrite(sample->data, 1, sample->stream->width *
sample->stream->height, fp);
(Continue reading)

Douwe Maan | 26 May 13:56 2015

CVE Request: CSRF vulnerability in OmniAuth request phase

Affected software: 
- Ruby gem (library) OmniAuth[0]
- Gems that use OmniAuth, e.g. Devise[1]

Type of vulnerability: 
Cross-Site Request Forgery

Original report by: 
Mohamed Abdelbaset Elnoby, Senior Information Security Analyst at[2]
[The website isn’t currently working.]


OmniAuth is a library used in Ruby web applications to authenticate users using 
external services, for example OAuth providers. 

The request phase of OmniAuth is vulnerable to Cross-Site Request Forgery. This 
is the step that actually connects an external account (on a connected OAuth 
provider) to an internal account (on the web application itself). This means 
that when a client is signed into an account on the web application, and signed 
into an account on a connected OAuth provider, these two accounts can be 
connected without user intent, user interaction or feedback to the user. From 
here on out, the external account can be used to sign into the web application 
as the internal account. 

If the sign in action at a connected OAuth provider is vulnerable to CSRF, an 
attacker can force the victim’s client to be logged into the external service 
using an account beloning to the attacker, can then force this external account 
to be connected to the internal account, and can from here on out use their 
account on the external service to log into the victim’s account on the targeted 
(Continue reading)