[Full-disclosure] Portcullis Computer Security Ltd - Advisories
- To: <moderators@xxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>, <vuln@xxxxxxxxxxx>, <news@xxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Portcullis Computer Security Ltd - Advisories
- From: "advisories" <advisories@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 10 Jul 2007 16:41:02 +0100
###############################################################
This email originates from the systems of Portcullis
Computer Security Limited, a Private limited company,
registered in England in accordance with the Companies
Act under number 02763799. The registered office
address of Portcullis Computer Security Limited is:
The Grange Barn, Pikes End, Pinner, MIDDX,
United Kingdom, HA5 2EX.
The information in this email is confidential and may be
legally privileged. It is intended solely for the addressee.
Any opinions expressed are those of the individual and
do not represent the opinion of the organisation. Access
to this email by persons other than the intended recipient
is strictly prohibited.
If you are not the intended recipient, any disclosure,
copying, distribution or other action taken or omitted to be
taken in reliance on it, is prohibited and may be unlawful.
When addressed to our clients any opinions or advice
contained in this email is subject to the terms and
conditions expressed in the applicable Portcullis Computer
Security Limited terms of business.
###############################################################
Portcullis Security Advisory
Vulnerable System:
Visionsoft Audit
Vulnerability Title:
The VSAOD server discloses its version.
Vulnerability discovery and development:
Portcullis Security Testing Services discovered this vulnerability during an
application assessment.
Further research was then carried out post assessment.
Credit For Discovery:
Tim Brown - Portcullis Computer Security Ltd.
Affected systems:
All known versions of Audit; this vulnerability was discovered in version
12.4.0.0.
Details:
On connecting to the remote VSAOD server, the version is disclosed:
server> Visionsoft Audit on Demand Service
server> Version: 12.4.0.0
In addition the version number can also be obtained as follows:
client> VER
server> 12.4.0.0
Impact:
An attacker could make use of the version information to identify vulnerable
versions of the VSAOD server.
Exploit:
Exploit code is not required.
Vendor Status:
Contacted support@xxxxxxxxxxxxxx
e-mailed - 16th January 2007
e-mailed - 26th February 2007
e-mailed - 15th March 2007
Copyright:
Copyright Portcullis Computer Security Limited 2006, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.
Portcullis Security Advisory 06-039
Vulnerable System:
Visionsoft Audit
Vulnerability Title:
The VSAOD server allows unauthenticated arbitrary file overwrites.
Vulnerability Discovery and Development:
Portcullis Security Testing Services discovered this vulnerability during an
application assessment.
Further research was carried out post assessment.
Credit for Discovery:
Tim Brown - Portcullis Computer Security Ltd.
Affected systems:
All known versions of Audit; this vulnerability was discovered in version
12.4.0.0.
Details:
It is possible to set the log file name on the remote VSAOD server using the
following unauthenticated exchange:
client> LOG.<filename>
server> Logfile set to: <filename>
Impact:
Since the VSAOD server typically runs as SYSTEM, any file on the system can be
overwritten. An attacker could use this to write additional ASP into web pages
or commands into a batch file, or to corrupt files on the system.
Exploit:
Exploit code is not required.
Vendor Status:
Contacted support@xxxxxxxxxxxxxx
e-mailed - 16th January 2007
e-mailed - 26th February 2007
e-mailed - 15th March 2007
Copyright:
Copyright Portcullis Computer Security Limited 2006, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.
Portcullis Security Advisory
Vulnerable System:
Visionsoft Audit
Vulnerability Title:
The VSAOD server has input validation flaws which can result in an
unauthenticated heap overflow.
Vulnerability discovery and development:
Portcullis Security Testing Services discovered this vulnerability during an
application assessment.
Further research was then carried out post assessment.
Credit for Discovery:
Tim Brown - Portcullis Computer Security Ltd.
Affected systems:
All known versions of Audit; the vulnerability was discovered in version
12.4.0.0.
Details:
It is possible to set the log file name on the remote VSAOD server using the
following unauthenticated exchange:
client> LOG.<filename>
server> Logfile set to: <filename>
When the file name passed is of sufficient length, the remote VSAOD server
terminates. As the server writes the file name to its ini file before crashing,
it will terminate again every time it is restarted until the ini file has been
repaired.
Impact:
An attacker could cause a Denial of Service or execute arbitrary code. Since
the VSAOD server typically runs as SYSTEM, an attacker who successfully
executes arbitrary code will fully compromise the system.
Exploit:
Exploit code is not required.
Vendor Status:
Contacted support@xxxxxxxxxxxxxx
e-mailed - 16th January 2007
e-mailed - 26th February 2007
e-mailed - 15th March 2007
Copyright:
Copyright Portcullis Computer Security Limited 2006, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.
Portcullis Security Advisory 06-041
Vulnerable System:
Visionsoft Audit
Vulnerability Title:
The VSAOD server allows unauthenticated ini file overwrites.
Vulnerability discovery and development:
Portcullis Security Testing Services discovered this vulnerability during an
application assessment.
Further research was then carried out post assessment.
Credit for Discovery:
Tim Brown - Portcullis Computer Security Ltd.
Affected systems:
All known versions of Audit; this vulnerability was discovered in version
12.4.0.0.
Details:
It is possible to overwrite the ini file on the remote VSAOD server using the
following unauthenticated exchange:
client> SETTINGSFILE
client> <whatever you like>
client> END
Impact:
This can be used by an attacker to prevent the remote VSAOD server from
starting in future or to otherwise change its configuration.
Exploit:
Exploit code is not required.
Vendor Status:
Contacted support@xxxxxxxxxxxxxx
e-mailed - 16th January 2007
e-mailed - 26th February 2007
e-mailed - 15th March 2007
Copyright:
Copyright Portcullis Computer Security Limited 2006, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.
Portcullis Security Advisory 06-042
Vulnerable System:
Visionsoft Audit
Vulnerability Title:
The VSAOD server uses a weak algorithm to obscure passwords on the wire and
within configuration files.
Vulnerability Discovery and Development:
Portcullis Security Testing Services discovered this vulnerability during an
application assessment.
Further research was then carried out post assessment.
Credit For Discovery:
Tim Brown and Mark Lowe - Portcullis Computer Security Ltd.
Affected systems:
All known versions of Visionsoft Audit; this vulnerability was discovered in
version 12.4.0.0.
Details:
Passwords used to authenticate with the remote VSAOD server prior to the
execution of the requested executable are obscured on the wire and in
configuration files using an XOR based algorithm.
Impact:
An attacker who compromised a system running a VSAOD server could recover the
password, whether obtained by eavesdropping on the network traffic or read from
the configuration file. Typically this will be a domain account with privileged
access to the systems on the network, so the attacker will potentially be able
to authenticate to other systems with the same account. Note: the configuration
file typically has read permissions for both Users and Power Users.
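As an added illustration (not Visionsoft's algorithm, which the advisory describes only as "XOR based"), the following Python models the weakest such scheme, XOR against a fixed key that repeats, and shows why a single known password recovers the key and with it every other obscured password, whether captured on the wire or read from the configuration file. The key, the passwords and the 16-byte key in the partial-recovery case are constructed for the example.

```python
# Added example, not Visionsoft's code: the advisory says only that passwords
# are obscured "using an XOR based algorithm". This models the weakest such
# scheme, XOR against a fixed key that repeats, to show why one known
# password recovers every other one. KEY and the passwords are constructed.
from itertools import cycle


def xor_obscure(data: bytes, key: bytes) -> bytes:
    """Obscure (or un-obscure: XOR is its own inverse) with a repeating key."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(known_plain: bytes, known_obscured: bytes) -> bytes:
    """A single known plaintext/obscured pair leaks the keystream for its length."""
    if len(known_plain) != len(known_obscured):
        raise ValueError("known pair must have equal length")
    return bytes(p ^ c for p, c in zip(known_plain, known_obscured))


def shortest_period(stream: bytes) -> int:
    """Smallest p such that stream repeats every p bytes (len(stream) if none).
    Heuristic: a key whose bytes happen to repeat would fool it."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return len(stream)


def unobscure_with_known_pair(known_plain: bytes, known_obscured: bytes,
                              target_obscured: bytes) -> bytes:
    """Recover target_obscured given one known pair. Bytes beyond what the
    recovered key can reach come back as b'?' so partial recovery is visible."""
    stream = recover_keystream(known_plain, known_obscured)
    period = shortest_period(stream)
    if period < len(stream):
        # The key repeated inside the known pair, so it is fully recovered and
        # applies to targets of any length.
        return xor_obscure(target_obscured, stream[:period])
    # No repetition seen: only the first len(stream) bytes are recoverable.
    head = xor_obscure(target_obscured[:len(stream)], stream)
    return head + b"?" * max(0, len(target_obscured) - len(stream))


# Constructed values: a 4-byte key shared by server and client, the password
# of a low-privileged account the attacker controls, and the privileged
# credential as it would be seen obscured on the wire or in the ini file.
KEY = bytes.fromhex("5a3c9107")
ATTACKER_PASSWORD = b"Password1!"
ADMIN_PASSWORD = b"Sup3rS3cretDomainAdm!"


def demo() -> dict:
    attacker_obscured = xor_obscure(ATTACKER_PASSWORD, KEY)
    admin_obscured = xor_obscure(ADMIN_PASSWORD, KEY)
    stream = recover_keystream(ATTACKER_PASSWORD, attacker_obscured)
    return {
        "recovered_key": stream[:shortest_period(stream)],
        "admin_password": unobscure_with_known_pair(
            ATTACKER_PASSWORD, attacker_obscured, admin_obscured),
        # With a key longer than the known pair (an assumed 16-byte key here)
        # only a prefix of the target comes back.
        "partial": unobscure_with_known_pair(
            b"abc", xor_obscure(b"abc", b"0123456789abcdef"),
            xor_obscure(b"abcdefgh", b"0123456789abcdef")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point is not the key length: any scheme in which the same fixed bytes are XORed into every password is a known-plaintext oracle, and the attacker needs only one account whose password they already know.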
Exploit:
Exploit code is not required.
Vendor Status:
Contacted support@xxxxxxxxxxxxxx
e-mailed - 16th January 2007
e-mailed - 26th February 2007
e-mailed - 15th March 2007
Copyright:
Copyright Portcullis Computer Security Limited 2006, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.
Portcullis Security Advisory 06-043
Vulnerable System:
Visionsoft Audit
Vulnerability Title:
The VSAOD server discloses the log path.
Vulnerability discovery and development:
Portcullis Security Testing Services discovered this vulnerability during an
application assessment.
Further research was then carried out post assessment.
Credit for Discovery:
Tim Brown - Portcullis Computer Security Ltd.
Affected systems:
All known versions of Audit; the vulnerability was discovered in version
12.4.0.0.
Details:
When logging is enabled on the remote VSAOD server, the log path is disclosed:
client> LOG.ON
server> OK, logging to C:\Documents and Settings\All Users\Application Data\Visionsoft\VAP\vsAoD\vsAoD.log
Impact:
An attacker could use the disclosed log path to identify the OS type and
installation layout of the system they are attacking.
Exploit:
Exploit code is not required.
Vendor Status:
Contacted support@xxxxxxxxxxxxxx
e-mailed - 16th January 2007
e-mailed - 26th February 2007
e-mailed - 15th March 2007
Copyright:
Copyright Portcullis Computer Security Limited 2006, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.
Portcullis Security Advisory 06-044
Vulnerable System:
Visionsoft Audit.
Vulnerability Title:
The VSAOD server allows remote execution via replay attacks.
Vulnerability Discovery and Development:
Portcullis Security Testing Services discovered this vulnerability during an
application assessment.
Further research was then carried out post assessment.
Credit for Discovery:
Tim Brown - Portcullis Computer Security Ltd.
Affected systems:
All known versions of Audit; this vulnerability was discovered in version
12.4.0.0.
Details:
In order for the Audit client to schedule an audit it connects to the remote
VSAOD server and initiates the following exchange:
server> Visionsoft Audit on Demand Service
server> Version: 12.4.0.0
server>
client> DETAILS
client> <windows domain>
client> <user name>
client> <obscured password>
client> OK
client> PROCESS
client> <path to executable>
server> <status message|OK|FAIL message>
The VSAOD server will then switch to the supplied Windows domain account and
execute the requested executable. The supplied Windows domain account does not
require special privileges, although obviously using a privileged account will
allow the executable more access to the remote server. The username and
password can be obtained in a number of ways (some of which are vulnerabilities
in their own right) including eavesdropping a legitimate session. The
requested executable can be either local to the remote server or available via
a Microsoft Windows Network share.
Impact:
An attacker could execute arbitrary code on the server, bypassing normal
Windows security mechanisms.
Exploit:
Exploit code is not required.
Vendor Status:
Contacted support@xxxxxxxxxxxxxx
e-mailed - 16th January 2007
e-mailed - 26th February 2007
e-mailed - 15th March 2007
Copyright:
Copyright Portcullis Computer Security Limited 2006, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.
Portcullis Security Advisory 06-045
Vulnerable System:
Visionsoft Audit
Vulnerability Title:
The VSAOD server allows unauthenticated remote uninstalls.
Vulnerability discovery and development:
Portcullis Security Testing Services discovered this vulnerability during an
application assessment.
Further research was then carried out post assessment.
Credit for Discovery:
Tim Brown - Portcullis Computer Security Ltd.
Affected systems:
All known versions of Audit; this vulnerability was discovered in version
12.4.0.0.
Details:
It is possible to uninstall the remote VSAOD server using the following
unauthenticated exchange:
server> Visionsoft Audit on Demand Service
server> Version: 12.4.0.0
server>
client> UNINSTALL
client> Stopping
The VSAOD server will then disconnect and terminate.
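The exchanges quoted in the VSAOD advisories above (LOG.<filename>, SETTINGSFILE ... END, DETAILS/PROCESS and UNINSTALL, plus VER and LOG.ON) are line oriented, so a defender can recognise them in a reassembled TCP stream. The Python below is an added example, not Portcullis or Visionsoft code: it walks the client side of a session and tags each command with the advisory it relates to. The command names are those quoted in the advisories; one command per line with CRLF or LF framing, the 260-byte "long file name" threshold and the sample transcript are assumptions made for this example.

```python
# Added example, not Portcullis or Visionsoft code: a line-oriented parser for
# the client side of a VSAOD session as documented in the advisories above,
# intended to run over a reassembled TCP stream and tag each command with the
# advisory it relates to. Command names are those quoted in the advisories;
# the framing (one command per line, CRLF or LF) and the sample transcript are
# assumptions made for this example.
from dataclasses import dataclass

# The heap overflow advisory does not state the crashing length; 260 bytes
# (Windows MAX_PATH) is an assumed alerting threshold, not a measured value.
LONG_FILENAME = 260


@dataclass
class Finding:
    advisory: str   # Portcullis advisory number, or a short label when unnumbered
    command: str    # command as seen on the wire
    detail: str


def _strip(line: str) -> str:
    return line.rstrip("\r\n")


def parse_client_stream(lines):
    """Return one Finding per client command; multi-line commands are consumed whole."""
    findings = []
    i, n = 0, len(lines)
    while i < n:
        line = _strip(lines[i])
        i += 1
        if not line:
            continue
        if line == "VER":
            findings.append(Finding("version disclosure", line, "server version requested"))
        elif line.startswith("LOG."):
            arg = line[len("LOG."):]
            if arg.upper() in ("ON", "OFF"):
                findings.append(Finding("06-043", line, "logging toggled; reply discloses the log path"))
            elif len(arg) > LONG_FILENAME:
                findings.append(Finding("heap overflow (unnumbered)", "LOG.<filename>",
                                        f"{len(arg)}-byte file name; service may crash on every restart"))
            else:
                findings.append(Finding("06-039", line, f"log file set to {arg!r}; written as SYSTEM"))
        elif line == "SETTINGSFILE":
            body = []
            while i < n and _strip(lines[i]) != "END":
                body.append(_strip(lines[i]))
                i += 1
            i += 1  # consume END
            findings.append(Finding("06-041", line, f"ini file replaced with {len(body)} line(s)"))
        elif line == "UNINSTALL":
            findings.append(Finding("06-045", line, "unauthenticated uninstall; service stops"))
        elif line == "DETAILS":
            # domain, user name, obscured password, then OK
            fields = [_strip(lines[i + k]) for k in range(3) if i + k < n]
            i += len(fields)
            if i < n and _strip(lines[i]) == "OK":
                i += 1
            domain, user, obscured = (fields + ["", "", ""])[:3]
            findings.append(Finding("06-044", line,
                                    f"replayable credentials for {domain}\\{user} ({len(obscured)} obscured bytes)"))
        elif line == "PROCESS":
            path = _strip(lines[i]) if i < n else ""
            i += 1
            findings.append(Finding("06-044", line, f"execution of {path!r} requested"))
        else:
            findings.append(Finding("unknown", line, "unrecognised command"))
    return findings


def summarise(findings):
    """Count findings per advisory, e.g. for an alert summary."""
    counts = {}
    for f in findings:
        counts[f.advisory] = counts.get(f.advisory, 0) + 1
    return counts


# Constructed transcript of one client session (not a real capture).
SAMPLE_CLIENT_STREAM = [
    "VER",
    "LOG.ON",
    "DETAILS",
    "CORP",
    "auditsvc",
    "<obscured bytes>",
    "OK",
    "PROCESS",
    r"\\fileserver\share\audit.exe",
    r"LOG.C:\inetpub\wwwroot\default.asp",
    "SETTINGSFILE",
    "[Service]",
    "Enabled=0",
    "END",
    "UNINSTALL",
]

if __name__ == "__main__":
    for f in parse_client_stream(SAMPLE_CLIENT_STREAM):
        print(f"{f.advisory:<28} {f.command:<36} {f.detail}")
```

Everything before DETAILS in a session is, by the advisories' account, accepted without authentication, so LOG.<filename>, SETTINGSFILE and UNINSTALL from any source other than the audit console are worth an alert on their own; the DETAILS triple is the replayable credential from advisory 06-044 and should never appear on an untrusted network segment.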
Impact:
An attacker could cause a Denial of Service.
Exploit:
Exploit code is not required.
Vendor Status:
Contacted support@xxxxxxxxxxxxxx
e-mailed - 16th January 2007
e-mailed - 26th February 2007
e-mailed - 15th March 2007
Copyright:
Copyright Portcullis Computer Security Limited 2006, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.
Portcullis Security Advisory 060-056
Vulnerable System:
P-Synch.
Vulnerability Title:
The P-Synch Windows domain password reset web application's style parameter
allows JavaScript injection.
Vulnerability discovery and development:
This vulnerability was discovered during an application assessment. Further
research was then carried out post assessment. The vendor has been notified.
Credit for Discovery:
Tim Brown of Portcullis Computer Security Ltd.
Affected systems:
All known versions of P-Synch.
Details:
It is possible to pass a remote URL for a style sheet to the P-Synch Windows
domain password reset web application within the style parameter, which will
then be referenced in the web pages returned.
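The reflected reference described above is shown below in Python as an added example (not P-Synch code): the first function reproduces the behaviour the advisory describes, the second shows how many forms a deny-list has to normalise before it can even tell that a reference leaves the site, and the third is the allow-list lookup a fixed page would use. The style names and paths are constructed.

```python
# Added example, not P-Synch code: the page reflects the style parameter into
# the returned HTML as a stylesheet reference. leaves_site() shows the forms a
# deny-list must normalise; safe_style_link() is the allow-list alternative.
# The allow-list names and paths are constructed for the example.
import html
import re
from urllib.parse import unquote, urlsplit

ALLOWED_STYLES = {            # constructed: logical name -> path under the site
    "default": "/css/default.css",
    "highcontrast": "/css/highcontrast.css",
}
_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def vulnerable_style_link(style: str) -> str:
    """The behaviour the advisory describes: whatever was supplied is referenced."""
    return '<link rel="stylesheet" href="%s">' % style


def leaves_site(style: str) -> bool:
    """Deny-list attempt: does the reference point off-site or to another scheme?
    Percent-encoding, scheme-relative '//host' and backslashes (which browsers
    treat as slashes in http(s) URLs) all have to be normalised first."""
    s = unquote(style or "").strip()
    parts = urlsplit(s.replace("\\", "/"))
    return bool(parts.scheme) or bool(parts.netloc)


def safe_style_link(style: str) -> str:
    """Allow-list: the parameter selects a known stylesheet by name, nothing else."""
    name = unquote(style or "").strip()
    if not _NAME.match(name) or name not in ALLOWED_STYLES:
        name = "default"
    return '<link rel="stylesheet" href="%s">' % html.escape(ALLOWED_STYLES[name], quote=True)


if __name__ == "__main__":
    for probe in ("highcontrast", "http://evil.example/x.css", "//evil.example/x.css",
                  "\\\\evil.example\\x.css", "javascript:alert(1)"):
        print(f"{probe!r:32} leaves_site={leaves_site(probe)!s:5} {safe_style_link(probe)}")
```

The allow-list is the fix because the parameter only ever needs to choose between stylesheets the application ships; a deny-list has to anticipate every encoding a browser will accept.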
Impact:
An attacker could use this to execute malicious code on visitors' computers
using the techniques outlined in Tim Brown's paper "Misunderstanding Javascript
injection"[1].
[1] http://www.nth-dimension.org.uk/news/entry.php?e=156579087
Exploit:
Exploit code is not required.
Copyright:
Copyright Portcullis Computer Security Limited 2006, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.
Portcullis Security Advisory 06-057
Vulnerable System:
eVisit Analyst.
Vulnerability Title:
Multiple CGI scripts allow SQL injection.
Vulnerability discovery and development:
Tim Brown of Portcullis Computer Security Ltd. The vendor has been notified
and the vulnerability fixed.
Affected systems:
All known versions of eVisit Analyst.
Details:
By modifying the id parameter passed in requests to the idsp1.pl, ip.pl and
einsite_director.pl CGI scripts, it is possible to cause error messages to be
returned which indicate the presence of an SQL injection vulnerability. The
same error messages also disclose the web root path.
Impact:
Portcullis believe that the scripts concerned cannot be exploited due to the
way in which they operate; however, this could not be confirmed without a full
inspection of the source code.
Exploit:
Exploit code is not required.
Copyright:
Copyright © Portcullis Computer Security Limited 2007, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.
Portcullis Security Advisory 06-059
Vulnerable System:
ImgSvr
Vulnerability Title:
ImgSvr is vulnerable to directory traversal.
Vulnerability discovery and development:
Portcullis Security Testing Services. Further research was then carried out.
Credit for Discovery:
Tim Brown - Portcullis Computer Security Ltd.
Affected systems:
All known versions of ImgSvr.
Details:
It is possible to pass a value in the template parameter of requests to ImgSvr
which causes arbitrary files to be returned from outside of the web root, as
follows:
GET /?template=../../../../../../../../../../etc/passwd HTTP/1.0
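To show what the request above relies on, the Python below (an added example, not ImgSvr's code) places a naive template lookup next to one that confines the resolved path to the web root. The web root, the template and the file outside the root are constructed in a temporary directory so the example runs offline; the naive handler serves the outside file for every traversal form, the hardened one refuses all of them.

```python
# Added example, not ImgSvr's code: the advisory's request reproduced against a
# naive template lookup (the behaviour described) and against a lookup that
# confines the resolved path to the web root. Web root and files are
# constructed in a temporary directory so the example runs offline.
import os
import tempfile
from urllib.parse import unquote


def vulnerable_template_path(web_root: str, template: str) -> str:
    """Naive handler: decode the parameter and join it onto the web root.
    os.path.join discards web_root for an absolute argument, and '..' is honoured."""
    return os.path.normpath(os.path.join(web_root, unquote(template)))


def safe_template_path(web_root: str, template: str):
    """Resolve the candidate and require it to stay under the real web root.
    Returns None when the request would escape (or contains a NUL)."""
    root = os.path.realpath(web_root)
    name = unquote(template)
    if "\x00" in name:
        return None
    candidate = os.path.realpath(os.path.join(root, name))  # follows symlinks too
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. paths on different drives on Windows
        inside = False
    return candidate if inside else None


def read_if_exists(path):
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def demo() -> dict:
    """Map each probe label to (what the naive handler serves, what the hardened
    handler serves); None means 'nothing served'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.makedirs(os.path.join(root, "templates"))
        with open(os.path.join(root, "templates", "index.tpl"), "w") as fh:
            fh.write("template")
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:  # outside the root
            fh.write("secret")
        probes = [
            ("legit", "templates/index.tpl"),
            ("dotdot", "../secret.txt"),
            ("encoded", "..%2Fsecret.txt"),                      # URL-encoded slash
            ("absolute", os.path.join(tmp, "secret.txt")),       # absolute path
            ("advisory", "../../../../../../../../../../etc/passwd"),
        ]
        return {label: (read_if_exists(vulnerable_template_path(root, p)),
                        read_if_exists(safe_template_path(root, p)))
                for label, p in probes}


if __name__ == "__main__":
    for label, (naive, hardened) in demo().items():
        print(f"{label:9} naive={naive!r:12} hardened={hardened!r}")
```

The check is on the resolved path, not on the string: rejecting ".." in the parameter would miss the absolute-path and symlink cases, which realpath plus a commonpath comparison catches together.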
Impact:
An attacker could read arbitrary files that the ImgSvr process has access to.
Exploit:
Exploit code is not required.
Vendor Status:
Contacted frett27@xxxxxxxxxxxxxxxxxxxx and p.orbry@xxxxxxxxxx
e-mailed - 16th January 2007
e-mailed - 22nd January 2007
e-mailed - 14th February 2007
e-mailed - 15th March 2007
Copyright:
Copyright © Portcullis Computer Security Limited 2005, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties, implied or otherwise, with regard to this information or its
use. Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.
Portcullis Security Advisory 06-058
Vulnerable System:
ImgSvr.
Vulnerability Title:
ImgSvr is vulnerable to a stack overflow.
Vulnerability discovery and development:
Portcullis Security Testing Services. Further research was then carried out by
Tim Brown and Neil Kettle.
Credit for Discovery:
Tim Brown and Neil Kettle of Portcullis Computer Security Ltd.
Affected systems:
All known versions of ImgSvr.
Details:
Following the Bugtraq posting "imgsvr dos exploit by n00b", which described a
remote Denial of Service against the Windows version of ImgSvr, research was
carried out which indicated that the Linux version was also vulnerable to the
same attack, although significantly more input was required.
Through further research, it was then identified that the same remote Denial of
Service could also be caused by passing a large value to the template parameter
as follows:
GET /?template=<large value> HTTP/1.0
In both cases this led to ImgSvr failing within the internal Ada function
system__file_io__open. Due to the way the Linux implementation of the GNU Ada
compiler works to protect against stack overflows, a secondary stack of $ebp,
$eip and $esp is maintained above the primary stack. When our request causes
system__file_io__open to fail, an exception is caught by the exception handler,
which uses the values on the secondary stack in an attempt to handle the
exception gracefully. However, because we have smashed through into the $ebp
and $eip values on the secondary stack, we can influence further code
execution.
Impact:
An attacker could cause a Denial of Service or execute arbitrary code.
In addition, it is believed that variants of this vulnerability may exist in
other products. ImgSvr uses AWS, a generic web server implemented in Ada which
is likely to have been used in other products. Furthermore, the flaw in the
secondary stack implementation can be attributed to the GNU Ada compiler and is
not unique to ImgSvr.
Exploit:
The proof of concept exploit code is available.
Vendor Status:
Contacted frett27@xxxxxxxxxxxxxxxxxxxx and p.orbry@xxxxxxxxxx
e-mailed - 16th January 2007
e-mailed - 22nd January 2007
e-mailed - 14th February 2007
e-mailed - 15th March 2007
Copyright:
Copyright © Portcullis Computer Security Limited 2005, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties, implied or otherwise, with regard to this information or its
use. Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.
Portcullis Security Advisory 06-060
Vulnerable System:
SurgeMail.
Vulnerability Title:
SurgeMail is prone to a format string vulnerability.
Vulnerability discovery and development:
Portcullis Security Testing Services discovered this vulnerability.
Further research was then carried out.
Credit For Discovery:
Nico Leidecker - Portcullis Computer Security Ltd.
Affected systems:
Version 3.7b8 on Linux; previous versions and other platforms may also be
affected.
Details:
SurgeMail offers the ability to charge recipients a fee for receiving emails
from certain addresses. As soon as such an email comes in, a notification email
containing the amount payable is composed and sent to the user requesting
payment. A user with the privileges to change these amounts is then able to
exploit a format string vulnerability, caused by the omission of an explicit
format string: the amount value itself is passed as the format argument of a
printf-style function. Furthermore, the amount value can consist of arbitrary
characters.
Impact:
An attacker could cause a Denial of Service or execute arbitrary code in the
context of the server.
Exploit:
The proof of concept exploit code is available.
Vendor Status:
Vendor notified. The vulnerability has been fixed.
Copyright:
Copyright © Portcullis Computer Security Limited 2005, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.
Portcullis Security Advisory 06-061
Vulnerable System:
SurgeFTP
Vulnerability Title:
The mirror mechanism allows Denial of Service.
Vulnerability discovery and development:
Portcullis Security Testing Services discovered this vulnerability.
Further research was then carried out.
Credit for Discovery:
Nico Leidecker - Portcullis Computer Security Ltd.
Affected systems:
Version 2.3a1 on Linux; other platforms are likely to be affected.
Details:
SurgeFTP provides mirror functionality but fails to detect malformed command
responses. This concerns the PASV command and its response from the mirrored
server: SurgeFTP fails to parse the PASV response properly and crashes if the
response is malformed.
Impact:
It may be possible for an attacker to shut down the service. By default,
SurgeFTP respawns after a couple of seconds, but then immediately reconnects to
the mirrored server. As long as the attacker keeps sending malformed PASV
responses, the server will keep shutting down immediately after restarting.
Exploit:
The proof of concept exploit code is available.
Vendor Status:
Vendor notified. The vulnerability has been fixed.
Copyright:
Copyright © Portcullis Computer Security Limited 2005, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.
Portcullis Security Advisory 06-062
Vulnerable System:
SurgeFTP
Vulnerability Title:
SurgeFTP is vulnerable to Cross-site Scripting (XSS).
Vulnerability Discovery And Development:
Portcullis Security Testing Services discovered this vulnerability.
Further research was then carried out.
Credit For Discovery:
Nico Leidecker - Portcullis Computer Security Ltd.
Affected systems:
Version 2.3a1 Linux and probably other platforms.
Details:
SurgeFTP provides a web interface for managing mirrored servers. The state of
the last mirroring run for each mirror is displayed in the overview screen. If
SurgeFTP receives a server response whose first characters are not a numeric
status code, an error message is printed which includes the received message
from the mirrored server. SurgeFTP fails to sanitise HTML and script code from
that message.
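Advisories 06-061 and 06-062 are two consequences of trusting what the mirrored server sends. The Python below is an added example, not SurgeFTP's code: a strict parser for the PASV reply refuses anything that does not match the 227 grammar instead of crashing, the mirror loop backs off and eventually disables the mirror rather than respawning straight back into the same hostile reply, and the status line shown in the web overview is HTML-escaped before it is rendered. The reply strings and the failure limit are constructed for the example.

```python
# Added example, not SurgeFTP's code: strict PASV parsing, a mirror loop that
# backs off instead of crashing and respawning, and HTML escaping of the
# mirrored server's text before it reaches the overview page. Reply strings
# and the failure limit are constructed for the example.
import html
import re


class MalformedPasv(ValueError):
    """Raised for any reply that is not a well-formed 227 PASV response."""


# "227 <text> (h1,h2,h3,h4,p1,p2)" with exactly six 1-3 digit fields.
_PASV_RE = re.compile(
    r"^227(?:\s|$)[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str):
    """Return (host, port) from a 227 reply, or raise MalformedPasv."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise MalformedPasv(f"unexpected PASV reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise MalformedPasv("field out of range")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise MalformedPasv("data port 0")
    return host, port


def is_well_formed(reply: str) -> bool:
    try:
        parse_pasv(reply)
        return True
    except MalformedPasv:
        return False


def render_mirror_status(reply: str) -> str:
    """Overview-page cell for a failed mirror run; the reply text is untrusted."""
    return "<td>Mirror error: %s</td>" % html.escape(reply, quote=True)


def mirror_step(reply: str, state: dict) -> str:
    """Handle one PASV reply from the mirrored server and return the action the
    daemon should take. `state` carries the failure count and limit across runs."""
    try:
        host, port = parse_pasv(reply)
    except MalformedPasv:
        state["failures"] += 1
        state["last_status"] = render_mirror_status(reply)
        if state["failures"] >= state["max_failures"]:
            return "disable-mirror"
        return "retry-after-backoff"
    state["failures"] = 0
    state["last_status"] = ""
    return f"connect {host}:{port}"


def demo() -> list:
    """Replay a mirrored server that answers correctly once and then keeps
    sending a hostile reply; returns the actions taken and the final status cell."""
    state = {"failures": 0, "max_failures": 3}
    good = "227 Entering Passive Mode (192,168,1,10,4,1)."
    hostile = "227 Entering Passive Mode <script>alert(1)</script>"
    actions = [mirror_step(r, state) for r in (good, hostile, hostile, hostile)]
    return actions + [state["last_status"]]


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The parser and the escaping are independent fixes: a reply that parses cleanly never reaches the error path, and a reply that does not is displayed as text, not markup, however it is shaped.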
Impact:
An attacker can gain root access on the server. To achieve this, they execute
script code, via the injected message, that creates an FTP user who can access
the real root directory and acts without dropping privileges. In one scenario,
the attacker then accesses the vulnerable host via FTP and uploads a modified
crontab file which executes a command that binds a shell to a port.
Exploit:
The proof of concept exploit code is available.
Vendor Status:
Vendor notified. The vulnerability has been fixed.
Copyright:
Copyright © Portcullis Computer Security Limited 2005, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.
Portcullis Security Advisory 06-063
Vulnerable System:
centericq
Vulnerability Title:
Centericq is vulnerable to multiple buffer overflows.
Vulnerability Discovery And Development:
Portcullis Security Testing Services discovered this vulnerability.
Further research was then carried out.
Credit for Discovery:
Nico Leidecker - Portcullis Computer Security Ltd.
Affected systems:
Version 4.21 on FreeBSD and the official sources were tested as vulnerable.
Previous versions and those versions running on various Linux distributions may
be affected.
Details:
Centericq provides modules for several messaging and chat protocols. The
modules for Yahoo, LiveJournal, Jabber and IRC are vulnerable to multiple
buffer overflows, mainly when the user receives a notification message for
certain events. The following list identifies the events which have to occur
in order to trigger a possible buffer overflow.
IRC Hook
- a user in the victim's contact list changes his nickname. The sum of the
lengths of his old and new nicknames has to be greater than 100.
- a user joins or leaves a channel and the combined length of nickname and
real name is greater than 512.
- the victim obtains the IRC client information from another user. The
information length must be greater than 512 bytes.
- in the event message when a user gets kicked from a channel, and the
combined length of his username and the name of the op user is greater than 512.
- a third user or the victim gets opped or deopped by an op, where the
combined length of username and op name is greater than 512.
Untested buffer overflows in the following modules:
Jabber Hook
- the victim obtains the Jabber client information from another user. The
information length must be greater than 512 bytes.
LiveJournal Hook
- in the notification message when the attacker adds the victim to, or
removes him from, his friend list.
Yahoo Hook
- in the notification message when a user invites the victim to a
conference.
- if the attacker declines a conference invitation.
- a user joins or leaves a conference.
- a user is informed that he has received a new email. When the total length
of sender and subject is greater than 1024, a buffer overflow follows.
As an example:
One of the modules is an Internet Relay Chat (IRC) module. The centericq user
is notified of every change of nickname by any user in his contact list, and the
change is logged to a file. However, only 100 bytes are allocated for the log
message, which includes both the old and the new username. Furthermore,
centericq fails to check the sizes of the usernames and therefore suffers from a
buffer overflow if the sum of the lengths of old and new username is greater
than 40 (the format string covers the remaining 60 bytes). In order to get into
the victim's contact list, the attacker simply sends a message to the user; he
does not need to have joined any channel to do that. In the next step, the
attacker changes his nickname to another name that may include arbitrary code to
execute within the context of the running centericq process. Official IRC
servers may not support usernames that are 20 bytes or longer. However, the
attacker could lead the victim to a server controlled by him in order to exploit
these vulnerabilities.
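The overflow pattern described above, as an added illustration in C that is not centericq's code: the 100-byte buffer, the 60-byte fixed text and the 40-byte remainder are taken from the advisory's figures, while the format string, the function names and the sample nicknames are constructed for this example. The vulnerable call is shown next to the bounded form a fix would use.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not centericq's code. It reconstructs the pattern the
 * advisory describes: a 100-byte log buffer whose format string has 59
 * characters of fixed text (60 bytes with the terminating NUL), so a pair of
 * nicknames totalling more than 40 bytes no longer fits. */
#define LOGBUF_SIZE 100
#define NICK_FMT "[IRC] contact %s has changed his nickname to %s. Event logged.\n"

/* constructed 60-character nickname, far longer than real IRC servers allow */
static const char SAMPLE_LONG_NICK[] =
    "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa";

/* Length of the format string's fixed text, i.e. without the two "%s". */
size_t fixed_text_len(void) { return strlen(NICK_FMT) - 4; }

/* Vulnerable pattern: sprintf is never told the buffer holds only 100 bytes,
 * so whatever the nicknames add beyond 40 bytes is written past its end. */
void log_nick_change_unsafe(char *logbuf, const char *oldnick, const char *newnick) {
    sprintf(logbuf, NICK_FMT, oldnick, newnick);
}

/* Hardened form: snprintf bounds the write and its return value is checked,
 * so an oversized pair of nicknames is refused instead of overflowing logbuf. */
bool log_nick_change_safe(char *logbuf, size_t bufsize,
                          const char *oldnick, const char *newnick) {
    int n = snprintf(logbuf, bufsize, NICK_FMT, oldnick, newnick);
    if (n < 0 || (size_t)n >= bufsize) {
        logbuf[0] = '\0';   /* drop the event rather than log a cut-off line */
        return false;
    }
    return true;
}

/* Convenience wrapper using the advisory's 100-byte buffer. */
bool nick_change_fits(const char *oldnick, const char *newnick) {
    char logbuf[LOGBUF_SIZE];
    return log_nick_change_safe(logbuf, sizeof logbuf, oldnick, newnick);
}

int main(void) {
    printf("fixed text: %zu chars\n", fixed_text_len());
    printf("alice -> bob fits: %d\n", nick_change_fits("alice", "bob"));
    printf("60 -> 60 fits: %d\n", nick_change_fits(SAMPLE_LONG_NICK, SAMPLE_LONG_NICK));
    return 0;
}
```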
Impact:
The attacker could cause a Denial of Service or execute arbitrary code with
the user's privileges.
Exploit:
The proof of concept exploit code is available.
Vendor Status:
Contacted k@xxxxxxxxxxxx
e-mailed - 16th January 2007
e-mailed - 14th February 2007
e-mailed - 15th March 2007
Portcullis Security Advisory 06-064
Vulnerable System:
Belkin Wireless G Plus Router
Vulnerability Title:
Belkin G Plus Router (F5D7231-4) Administration Web Interface
Cross-site Scripting.
Vulnerability discovery and development:
Portcullis Security Testing Services discovered this vulnerability. Further
research was then carried out.
Credit for Discovery:
Nico Leidecker of Portcullis Computer Security Ltd.
Affected systems:
Belkin G Plus Router (F5D7231-4), Firmware version 4.05.03, was tested as
vulnerable.
Details:
The Belkin administration web interface is prone to a Cross-site Scripting
vulnerability. The network's administrator can view a DHCP client list, where
IP addresses, MAC addresses and hostnames are displayed.
There is no sanitising of HTML and script code that could appear in the
hostname.
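For the two Cross-site Scripting issues on this page, the SurgeFTP mirror overview and the Belkin DHCP client list, an added example in C (not SurgeFTP's, Belkin's or Portcullis's code) of the escaping both interfaces lacked: a reply line that does not start with a numeric FTP status code is placed in the page only after HTML-escaping, and the same html_escape applies to a DHCP client's hostname. The function names and the sample replies are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not SurgeFTP's or Belkin's code. Text an outsider
 * controls (a mirrored server's reply line, a DHCP client's hostname) is
 * HTML-escaped before it is written into the administrative web page. */

/* Escape the characters that change meaning inside HTML. Returns false
 * (and an empty out) when the escaped text does not fit. */
bool html_escape(const char *in, char *out, size_t outlen) {
    size_t pos = 0;
    if (outlen == 0) return false;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = one;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = strlen(rep);
        if (pos + len >= outlen) { out[0] = '\0'; return false; }
        memcpy(out + pos, rep, len);
        pos += len;
    }
    out[pos] = '\0';
    return true;
}

/* A well-formed FTP reply starts with three digits, then a space or, for a
 * multi-line reply, a hyphen. Anything else is the error case the advisory
 * describes, where the raw line used to reach the page unescaped. */
bool ftp_reply_has_status(const char *line) {
    return isdigit((unsigned char)line[0]) && isdigit((unsigned char)line[1]) &&
           isdigit((unsigned char)line[2]) && (line[3] == ' ' || line[3] == '-');
}

/* Render one mirror's last reply as a table cell; NULL if it does not fit. */
const char *render_mirror_status(const char *reply) {
    static char cell[512];
    char esc[256];
    int n;
    if (ftp_reply_has_status(reply))
        n = snprintf(cell, sizeof cell, "<td>last status %.3s</td>", reply);
    else if (html_escape(reply, esc, sizeof esc))
        n = snprintf(cell, sizeof cell, "<td>error, unexpected reply: %s</td>", esc);
    else
        return NULL;
    return (n >= 0 && (size_t)n < sizeof cell) ? cell : NULL;
}
```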
Impact:
An attacker might be able to execute arbitrary script code in the admin's
browser.
Exploit:
There is no exploit code required.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/