Securiteam – Page 10 – Computer Security Articles

Credit to Author: SSD / Maor Schwartz| Date: Wed, 13 Dec 2017 10:36:20 +0000

Vulnerability Summary The following advisory describes a unauthenticated deserialization vulnerability that leads to arbitrary delete files and, under certain circumstances, code execution found in vBulletin version 5. vBulletin, also known as vB, is “a widespread proprietary Internet forum software package developed by vBulletin Solutions, Inc., based on PHP and MySQL database server. vBulletin powers many … Continue reading SSD Advisory – vBulletin cacheTemplates Unauthenticated Remote Arbitrary File Deletion

Independent Securiteam

SSD Advisory – vBulletin routestring Unauthenticated Remote Code Execution

December 13, 2017 admin Remote Code Execution, Remote File Inclusion, SecuriTeam Secure Disclosure, Unauthenticated Action

Credit to Author: SSD / Maor Schwartz| Date: Wed, 13 Dec 2017 10:11:35 +0000

Vulnerability Summary The following advisory describes a unauthenticated file inclusion vulnerability that leads to remote code execution found in vBulletin version 5. vBulletin, also known as vB, is a widespread proprietary Internet forum software package developed by vBulletin Solutions, Inc., based on PHP and MySQL database server. vBulletin powers many of the largest social sites … Continue reading SSD Advisory – vBulletin routestring Unauthenticated Remote Code Execution

Independent Securiteam

SSD Advisory – QNAP QTS Unauthenticated Remote Code Execution

December 11, 2017 admin Buffer Overflow, Remote Code Execution, SecuriTeam Secure Disclosure, Unauthenticated Action

Credit to Author: SSD / Maor Schwartz| Date: Mon, 11 Dec 2017 10:16:42 +0000

Vulnerability Summary The following advisory describes a memory corruption vulnerability that can lead to an unauthenticated remote code execution in QNAP QTS versions 4.3.x and 4.2.x, including the 4.3.3.0299. QNAP Systems, Inc. is “a Taiwanese corporation that specializes in providing networked solutions for file sharing, virtualization, storage management and surveillance applications to address corporate, SMB, … Continue reading SSD Advisory – QNAP QTS Unauthenticated Remote Code Execution

Independent Securiteam

SSD安全公告-Endian防火墙从存储型XSS到远程命令执行

December 11, 2017 admin Chinese Translation, Cross Site Scripting, Remote Command Execution, SecuriTeam Secure Disclosure, Unauthenticated Action

Credit to Author: SSD / Maor Schwartz| Date: Mon, 11 Dec 2017 09:17:06 +0000

漏洞概要以下安全公告描述了在Endian防火墙5.0.3版本中存在的一个存储型XSS漏洞，成功利用该漏洞可造成远程代码执行。 Endian防火墙是一个“专注Linux安全的发行版本,，它是一个独立的，统一的安全管理操作系统。 Endian防火墙基于强化的Linux操作系统。” 漏洞提交者一位独立的安全研究者向 Beyond Security 的 SSD 报告了该漏洞厂商响应厂商已经发布针对该漏洞的补丁。获取更多信息: https://help.endian.com/hc/en-us/articles/115012996087 漏洞详细信息 Endian防火墙是基于Linux的防火墙/网关。它使用不同的颜色来标记其trusted，untrusted 和DMZ网络：绿色 – trusted网络红色 – untrusted 网络橙色 – DMZ 蓝色 – WiFi 用户可控的输入没有经过充分过滤，通过从untrusted 网络（红色）发送电子邮件到DMZ上的邮件服务器（橙色），Endian防火墙会把来自untrusted 网络的电子邮件隔离。当来自trusted网络（绿色）的用户登录到Endian Firewall WebAdmin并检查隔离区中的电子邮件（Services > Mail Quarantine > quarantine）时，会执行存储型XSS脚本。漏洞证明配置环境安装Endian防火墙虚拟机并设置防火墙网络接口为以下IP：绿色 – 192.168.0.190 红色 – 192.168.0.192 设置以下密码： Web管理员（admin/Password1） SSH管理员（root/Password1）连接Webadmin接口，添加ORANGE网络并更改GREEN … Continue reading SSD安全公告-Endian防火墙从存储型XSS到远程命令执行

Independent Securiteam

SSD安全公告-Linux内核XFRM权限提升漏洞

December 11, 2017 admin Chinese Translation, Privilege Escalation, SecuriTeam Secure Disclosure, Use After Free

Credit to Author: SSD / Maor Schwartz| Date: Mon, 11 Dec 2017 08:51:42 +0000

漏洞概要以下安全公告描述了在Linux内核中发现的一个UAF漏洞，成功利用此漏洞的攻击者可以提升权限。漏洞存在于Netlink 套接字子系统 – XFRM. Netlink用于在内核和用户空间进程之间传输信息。它由用户空间进程的标准基于套接字的接口和内核模块的内部内核API组成。漏洞提交者一位独立的安全研究员Mohamed Ghannam向Beyond Security的SSD报告了该漏洞厂商响应该漏洞已在补丁1137b5e中被修复（“ipsec：修复中止xfrm策略转储崩溃”） CVE: CVE-2017-16939 [crayon-5a2f0459e8bcf346519844/] 漏洞详细信息非特权用户可以更改Netlink 套接字子系统 XFRM sk-> sk_rcvbuf的值（sk ==sock结构体对象）。可以通过setsockopt（SO_RCVBUF）更改sk-> sk_rcvbuf的值为特定的范围。通过recvmsg/recv/read接收数据时，sk_rcvbuf表示接收缓冲区的大小。 sk_rcvbuf值是内核为skb（sk_buff结构体对象）分配的大小。 skb-> trusize是一个变量，它保持对已使用内存的追踪，为了避免内存浪费，方便管理，内核可以在运行时改变skb的大小。例如，如果我们分配一个大的套接字缓冲区（skb），而我们只接收到1字节大小的数据包，内核将通过调用skb_set_owner_r来调整skb-> trusize的大小。通过调用skb_set_owner_r修改sk-> sk_rmem_alloc（引用自原子变量sk-> sk_backlog.rmem_alloc）。当创建XFRM netlink 套接字时，会调用xfrm_dump_policy函数，当我们关闭套接字时，xfrm_dump_policy_done会被调用。当netlink_sock对象的cb_running值为true时调用xfrm_dump_policy_done。 xfrm_dump_policy_done会尝试清理由netlink_callback对象管理的xfrm walk条目。当调用netlink_skb_set_owner_r（如skb_set_owner_r）时，它会更新sk_rmem_alloc。 netlink_dump(): 在上面的代码中，我们可以看到当sk-> sk_rcvbuf小于sk_rmem_alloc（注意我们可以通过stockpot控制sk-> sk_rcvbuf）时，netlink_dump()验证失败。当满足sk-> sk_rcvbuf小于sk_rmem_alloc时，会跳转到函数的结尾，然而cb_running的值还没有被更改为false，netlink_dump()函数就返回了。此时nlk-> cb_running为true，因此会调用xfrm_dump_policy_done()。 nlk-> cb.done指向xfrm_dump_policy_done，值得注意的是这个函数处理一个双向链表，所以如果利用这个漏洞引用一个可控的缓冲区，我们就可以实现任意内存读写。漏洞证明下面的代码在Ubuntu 17.04测试。 [crayon-5a2f0459e8bd9379864677/]

Independent Securiteam

SSD Advisory – Dasan Unauthenticated Remote Code Execution

December 6, 2017 admin Buffer Overflow, Remote Code Execution, SecuriTeam Secure Disclosure, Unauthenticated Action

Credit to Author: SSD / Maor Schwartz| Date: Wed, 06 Dec 2017 06:42:29 +0000

Vulnerability Summary The following advisory describes a buffer overflow that leads to remote code execution found in Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 Dasan Networks GPON ONT WiFi Router “is indoor type ONT dedicated for FTTH (Fibre to the Home) or FTTP (Fiber to the Premises) deployments. That … Continue reading SSD Advisory – Dasan Unauthenticated Remote Code Execution

Independent Securiteam

SSD Advisory – Monstra CMS RCE

December 6, 2017 admin Remote Code Execution, SecuriTeam Secure Disclosure

Credit to Author: SSD / Noam Rathaus| Date: Wed, 06 Dec 2017 06:35:44 +0000

Vulnerabilities Summary The following advisory describes a vulnerability found in Monstra CMS. Monstra is “a modern and lightweight Content Management System. It is Easy to install, upgrade and use.” The vulnerability found is a remote code execution vulnerability through an arbitrary file upload mechanism. Credit An independent security researcher, Ishaq Mohammed, has reported this vulnerability … Continue reading SSD Advisory – Monstra CMS RCE

Independent Securiteam

SSD Advisory – Coredy CX-E120 Repeater Multiple Vulnerabilities

December 4, 2017 admin Password reset, Remote Command Execution, SecuriTeam Secure Disclosure, Unauthenticated Action

Credit to Author: SSD / Maor Schwartz| Date: Mon, 04 Dec 2017 09:37:02 +0000

Vulnerabilities Summary The following advisory describes two (2) vulnerabilities found in Coredy CX-E120 Repeater. The Coredy CX-E120 WiFi Range Extender is “a network device with multifunction, which can be using for increasing the distance of a WiFi network by boosting the existing WiFi signal and enhancing the overall signal quality over long distances. An extender … Continue reading SSD Advisory – Coredy CX-E120 Repeater Multiple Vulnerabilities