Re: [FD] Outlook XML Bomb? (Melchior Limacher)

[<Louis.Nadeau@xxxxxxxxxxx>]

Nice find. It's working in outlook 2013 and 2010. It's a textbook xml bomb,
it is surprising Outlook isn't protected against that. Btw, if the preview
pane is open in the default view, outlook cannot start anymore :P

-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-bounces@xxxxxxxxxxxx] On Behalf
Of fulldisclosure-request@xxxxxxxxxxxx
Sent: Thursday, August 7, 2014 3:40 AM
To: fulldisclosure@xxxxxxxxxxxx
Subject: Fulldisclosure Digest, Vol 6, Issue 4

Send Fulldisclosure mailing list submissions to
        fulldisclosure@xxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
        http://nmap.org/mailman/listinfo/fulldisclosure
or, via email, send a message with subject or body 'help' to
        fulldisclosure-request@xxxxxxxxxxxx

You can reach the person managing the list at
        fulldisclosure-owner@xxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Fulldisclosure digest..."


Today's Topics:

   1. TomatoCart v1.x (latest-stable) Multiple Vulnerabilities
      (Kenny Mathis)
   2. Vulnerabilities in Vembu Backup and Disaster Recovery
      addressed (Len Srinivasan)
   3. Outlook XML Bomb? (Melchior Limacher)


----------------------------------------------------------------------

Message: 1
Date: Wed, 06 Aug 2014 09:18:21 -0400
From: Kenny Mathis <kenny@breaking.technology>
To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] TomatoCart v1.x (latest-stable) Multiple Vulnerabilities
Message-ID: <53E22B1D.9030402@breaking.technology>
Content-Type: text/plain; charset=utf-8


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2014-3978 - Remote SQL Injection Vulnerability
CVE-2014-3830 - Reflected Cross Site Scripting

-
----------------------------------------------------------------------------
--
Title:
    TomatoCart v1.x (latest-stable) Remote SQL Injection Vulnerability

Background:
    TomatoCart is open source ecommerce solution developed and
maintained by a
number of 64,000+ users from 50+ countries and regions. It's distributed
under
the terms of the GNU General Public License (or "GPL"), free to download and
share. The community, including project founders and other developers, are
supposed to work together on the platform of TomatoCart, contributing
features,
technical support and services. The current stable package is TomatoCart
V1.1.8.6.1, while the latest development version is version 2.0 Alpha
4.  This
exploit affects the "stable" tree.

Timeline:
    06 June 2014   - CVE-2014-3978 assigned
    06 June 2014   - Submitted to vendor
    25 June 2014   - Received inadequate patch from vendor
    26 June 2014   - Suggested patch sent to vendor
    17 July 2014   - Request for update from vendor, no response.
    05 August 2014 - Pull request sent on github for full patch

Status:
    Vendor ignored, see suggested fix below.

Released:
    05 August 2014 -
https://breaking.technology/advisories/CVE-2014-3978.txt

Classification:
    SQL Injection

Exploit Complexity:
    Low

Severity:
    High

Description:
    TomatoCart suffers from a systemic vulnerability in its query factory,
allowing attackers to circumvent user input sanitizing to perform remote SQL
injection.

    Required Information:
    * Valid user account

PoC:
    Create a new contact in your address book using the following values.

    First name: :entry_lastname,
    Last Name : ,(select user_name from toc_administrators order by id asc
limit 1),(select user_password from toc_administrators order by id asc limit
1),3,4,5,6,7,8,9,10)#
    
    The new contact will be added to your address book with the admin
hash as
the contact's street address

Suggested Action:
    Pull request has been sent to the developers on github. Recommend
patching
the required to properly encode colon (:)
    https://github.com/tomatocart/TomatoCart-v1/pull/238




-
----------------------------------------------------------------------------
--

Title:
    TomatoCart v1.x Reflected Cross Site Scripting Vulnerability

Background:
    TomatoCart is open source ecommerce solution developed and
maintained by a
number of 64,000+ users from 50+ countries and regions. It's distributed
under
the terms of the GNU General Public License (or "GPL"), free to download and
share. The community, including project founders and other developers, are
supposed to work together on the platform of TomatoCart, contributing
features,
technical support and services. The current stable package is TomatoCart
V1.1.8.6.1, while the latest development version is version 2.0 Alpha
4.  This
exploit affects the "stable" tree.


Timeline:
    22 May 2014    - CVE-2014-3830 assigned
    06 June 2014   - Submitted to vendor
    25 June 2014   - Received inadequate patch from vendor
    26 June 2014   - Suggested patch sent to vendor
    17 July 2014   - Request for update from vendor, no response.
    05 August 2014 - Pull request sent on github for full patch

Status:
    Vendor ignored, see suggested fix below.

Released:
    05 August 2014 -
https://breaking.technology/advisories/CVE-2014-3830.txt

Classification:
    Reflected Cross Site Scripting

Exploit Complexity:
    Low

Severity:
    Moderate

Description:
    TomatoCart suffers from a lack of and/or improper input validation

PoC:
    
http://tomatocartserver/info.php?faqs&faqs_id=1';</script><script>alert('xss
');<
/script>

Suggested Action:
    Pull request has been sent to the developers on github. Recommend
patching
the required files to properly use htmlentities() for input variables
    https://github.com/tomatocart/TomatoCart-v1/pull/238


-
----------------------------------------------------------------------------
--


Again, we would like to stress that this is NOT a guarantee of the
security of
this product.  This simply fixes the SQL injection vulnerabilities we
were able
to discover on our first glance.  If we were able to discover these
at-a-glance
then imagine what could potentially be in the wild.


- - Breaking Technology Staff

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJT4isdAAoJEEabgwf7HzMLZq4P/jA5Q5GCsaNEcntpPxKDubNL
kI3NGsXxE/4tLIMEuMASyJe4qL2zRWot/2/WISomKULbJAV2pd6Xmmn9v9ZFx0Cc
CLICcoQ6S25goGwO5eyxWXNw9APgTOChsmjvwC8lv8CddLA4Swg06mkXq0FtDxBE
D7n5E9IZpH12VJ4zOQrUXWxRaabN76Ctpyhax6I0Qu+FydZksBEVgMTWgiU62Day
UNxkdIB0xPrtiisfxgFgwxEupKqYhuxuzPxPSA/hJCIE+9zv4u2N7RK0+ROznjF9
RyBz6QY6IluBzuKIaf596WG+Wy8XEzuvjH1wy4YKq/vBlj0srdLMenopPQjFz2U8
qbx7Us6Kojh6tBM7k/2oXlo+FRRf6Y+N9K34stExkgIqJpha4SgjZSJBtOlNo435
2n1y0sexUNZiO9Iwlr4TLO7kwzvC61w1KQ9hVtg9a+IdvIuEzXi6P6tAvBcwvLs/
Rvi8swMThWHPAhfgNb++J8Q3s5Jpth+3tN9yjUrtu/uYVenMgfGA2QkxOVEE0gM5
9JAL/U+8kAZTS4/DFYwX5CpxCD2IaTZjc5t2unXORcAah3h9TTO6i70P1GWqTj5H
XFukGw0yTKwmoR7HbOXYcDuc0SYr6ifqdf7FvrPgLXxvsVcV/vP59EjETHpGXFlU
gQgM5JGJ7MvA6ZJ0Owxk
=9rq3
-----END PGP SIGNATURE-----



------------------------------

Message: 2
Date: Wed, 6 Aug 2014 13:35:16 -0700
From: Len Srinivasan <len@xxxxxxxxx>
To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Vulnerabilities in Vembu Backup and Disaster Recovery
        addressed
Message-ID:
        <CAL58m2WWhdnXYHT6ByCvRQdP=9nhJq8Qn7kksc3Y_k=Taar_pw@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8

The company logically secure has mentioned about multiple vulnerabilities
in Vembu Backup and Disaster Recovery product and we would like to address
those concerns in detail.

We certainly welcome security related feedback on the product as we are
constantly addressing those on a regular basis as we receive feedback from
partners. But the researchers analyzing the product should possess "basic
domain knowledge" on the products that are being reviewed. Based on the
analysis done by Logically Secure team, it seems they lack knowledge on how
the product is actually used in our customer's environment and don't have a
clue about how Backup and Disaster Recovery is actually deployed.

Company Name : Vembu Technologies Inc
Product Name : Vembu Backup and Disaster Recovery
Release Version : 6.1
Website : www.vembu.com

Subject : Addressing Concerns from Logically Secure team

*Concern 1:* The main vulnerability takes advantage of the client enrolment
procedure. In it?s default state it is possible for an unauthenticated
attacker to register a client to a rogue backup server. During this
enrolment phase a new admin user is automatically created on the client
using the attacker specified credentials, the attacker can then bounce
through their rogue server using the cln=<ip/hostname> get parameter which
invokes request forwarding functionality allowing access the remote client
interface.
?
*Answer: * This whole exploit is possible only when the remote user knows
the username and password for the client web console. While reviewing this
vulnerability, the user used a trial version of our product where we have
the default username / password as admin  and admin?, which the users can
of course change while installation. In production version, we encourage
our partners to specify a strong username and password and with that
specified the whole vulnerability mentioned above is not possible.

*?Concern2* : ?
In addition to the above mentioned issue we discovered reflected XSS
vulnerabilities, Source code disclosure via incorrect processing of
trailing slash (eghttp://clientip/index.php/), Denial of Service via
unhandled exceptions in the client, Local privilege escalation, insecure
storage of credentials (MD5), poor mysql implementation (default root user
configured with a simple password), and several others.

*Answer : *Again another concern without understanding the nature of
vulnerability. The source code that is revealed on the client side via
incorrect processing of trailing is the PHP source code which basically
handles the UI of our product. It doesn't even bother the application. In
fact PHP codes gets bundled with the product already and one can open those
codes easily from accessing our PHP folder. The answer is, you cannot do
anything with those codes. You can even view these codes by simply right
clicking and click 'View Source Code'. This is just UI and not the
application. Again the password for MySQL, Storage Credentials (MD5) is all
configurable by the end user when using the product. In order to facilitate
easy evaluation of the software we can used some default values in the
product which can be changed if the user wants.

Our product is flexible and allows users to configure security parameters
before beginning to use the product in production version. If the reviewer
used a trial version of our product with default values and says that the
product is not secure only shows the ignorance of the reviewer.

Our product uses AES - 256 encryption algorithm for encrypting all data on
the client side and it is encryption at transit and at rest. If the
reviewer can break AES - 256 and tell us that this algorithm is vulnerable,
we would be concerned. Otherwise there is not point in being concerned
about our product is being flexible.

Please feel free to contact Vembu for more questions regarding this.

Regards,
Len


------------------------------

Message: 3
Date: Wed, 6 Aug 2014 09:29:44 +0200
From: Melchior Limacher <mli@xxxxxxxxxxxx>
To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] Outlook XML Bomb?
Message-ID: <7C12296C82615049B55D06DEC22475B55438E5A453@hex01>
Content-Type: text/plain; charset="us-ascii"


Before:

[cid:image001.png@01CFB157.75C3A1A0]

Paste this in a new Mail:
[cid:image002.png@01CFB157.75C3A1A0]

I got this:
[cid:image003.png@01CFB158.215B8C80]

[cid:image004.png@01CFB158.85FD4480]



Regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 11398 bytes
Desc: image001.png
URL:
<http://seclists.org/lists/fulldisclosure/attachments/20140806/0ac8a1a5/atta
chment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 13378 bytes
Desc: image002.png
URL:
<http://seclists.org/lists/fulldisclosure/attachments/20140806/0ac8a1a5/atta
chment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 12337 bytes
Desc: image003.png
URL:
<http://seclists.org/lists/fulldisclosure/attachments/20140806/0ac8a1a5/atta
chment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 28447 bytes
Desc: image004.png
URL:
<http://seclists.org/lists/fulldisclosure/attachments/20140806/0ac8a1a5/atta
chment-0003.png>

------------------------------

Subject: Digest Footer


_______________________________________________
Full Disclosure mailing list
Fulldisclosure@xxxxxxxxxxxx
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

------------------------------

End of Fulldisclosure Digest, Vol 6, Issue 4
********************************************

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/