
Tuesday, March 05, 2013

Remote system freeze using Kaspersky Internet Security 2013


Kaspersky Internet Security 2013 (and any other Kaspersky product which
includes the firewall functionality) is susceptible to a remote system
freeze.
As of the 3rd March 2013, the bug is still unfixed.

If IPv6 connectivity to a victim is possible (which is always the case
on local networks), a fragmented packet with multiple but one large
extension header leads to a complete freeze of the operating system.
No log message or warning window is generated, nor is the system able to
perform any task.

To test:
  1. download the thc-ipv6 IPv6 protocol attack suite for Linux from
     www.thc.org/thc-ipv6
  2. compile the tools with "make"
  3. run the following tool on the target:
        firewall6 <interface> <target> <port> 19
     where interface is the network interface (e.g. eth0)
           target is the IPv6 address of the victim (e.g. ff02::1)
           port is any TCP port, it doesn't matter which (e.g. 80)
       and 19 is the test case number.
     The test case numbers 18, 19, 20 and 21 lead to a remote system freeze.

Solution: Remove the Kaspersky Anti-Virus NDIS 6 Filter from all network
interfaces or uninstall the Kaspersky software until a fix is provided.

The bug was reported to Kaspersky first on the 21st January 2013, then
reminded on the 14th February 2013.
No feedback was given by Kaspersky, and the reminder contained a warning
that without feedback the bug would be disclosed on this day.






Courtesy: securityfocus.com and Marc Heuse

Remote command execution for Ruby Gem ftpd-0.2.1
2/28/2013

https://github.com/wconrad/ftpd
http://rubygems.org/gems/ftpd


"ftpd is a pure Ruby FTP server library. It supports implicit and explicit TLS, passive and active mode, and most of the commands specified in RFC 969. It can be used as part of a test fixture or embedded in a program."

The ls interface can have commands injected into it if the option or filename contains the shell character ';'. The example.rb server listens to localhost only, which I used to test the ftp library.

./ftpd-0.2.1/lib/ftpd/disk_file_system.rb
For this to work the file must exist in the CWD.

ftp> ls adfasdf;id
200 PORT command successful
150 Opening ASCII mode data connection
-rw-r--r-- 1 root root 0 Mar 2 05:52 adfasdf
uid=0(root) gid=0(root) groups=0(root)
226 Transfer complete
ftp>

  # Ls interface used by List and NameList

  module Ls

    def ls(ftp_path, option)
      path = expand_ftp_path(ftp_path)
      dirname = File.dirname(path)
      filename = File.basename(path)
      command = [
        'ls',
        option,
        filename,
        '2>&1',
      ].compact.join(' ')
      if File.exists?(dirname)
        list = Dir.chdir(dirname) do
          `#{command}`    # option and filename reach /bin/sh unescaped
        end
        # excerpt from the advisory ends here
      end
    end

  end

This vulnerability was fixed by the author in the latest release.







Courtesy: securityfocus.com
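The defect above is the classic shell-string construction: `option`, `filename` and a redirection are joined into one string and handed to backticks, so the shell interprets `;` inside the filename. The following is an added example written for this page, not ftpd's code and not the author's actual fix; it puts that pattern beside an argv-based version that never involves a shell. The module and method names (`LsExample`, `ls_vulnerable`, `ls_safe`) and the `ALLOWED_OPTIONS` whitelist are assumptions for the illustration.

```ruby
require "open3"
require "tmpdir"
require "fileutils"

# Added example, not ftpd's code: the shell-string pattern from the
# advisory next to an argv-based replacement. Module and method names
# (LsExample, ls_vulnerable, ls_safe, ALLOWED_OPTIONS) are assumptions.
module LsExample
  # Mirrors the vulnerable shape: option, filename and a redirection are
  # joined into ONE string, so backticks hand it to /bin/sh and a ';' in
  # the filename starts a second command.
  def self.ls_vulnerable(dir, option, filename)
    command = ["ls", option, filename, "2>&1"].compact.join(" ")
    Dir.chdir(dir) { `#{command}` }
  end

  # Hypothetical whitelist of flags a client may ask for (LIST -l etc.).
  ALLOWED_OPTIONS = [nil, "-l", "-a", "-la", "-al"].freeze

  # Safe variant: an argv array instead of a shell string (no shell is
  # involved), a fixed set of options, "--" so the name can never be read
  # as a flag, and no separators so the listing stays inside `dir`.
  def self.ls_safe(dir, option, filename)
    unless ALLOWED_OPTIONS.include?(option)
      raise ArgumentError, "unsupported ls option #{option.inspect}"
    end
    if filename.empty? || filename.include?("/") || filename.include?("\0")
      raise ArgumentError, "invalid filename #{filename.inspect}"
    end
    argv = ["ls", option, "--", filename].compact
    # capture2e execs argv directly and merges stderr into the result,
    # which is what the "2>&1" did in the shell version.
    out, _status = Open3.capture2e(*argv, chdir: dir)
    out
  end

  # True if `line` appears as a complete line of `output`.
  def self.has_line?(output, line)
    output.lines.map(&:chomp).include?(line)
  end
end

# Self-check in a throwaway directory. The filename is constructed and
# carries a harmless marker command (the advisory used "adfasdf;id").
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |d|
    FileUtils.touch(File.join(d, "adfasdf"))
    name = "adfasdf;echo INJECTED"
    vuln = LsExample.has_line?(LsExample.ls_vulnerable(d, nil, name), "INJECTED")
    safe = LsExample.has_line?(LsExample.ls_safe(d, nil, name), "INJECTED")
    puts "shell string ran the injected command: #{vuln}"   # true
    puts "argv version ran the injected command: #{safe}"   # false
  end
end
```

The argv form is the whole fix; the option whitelist and the `--` separator close the second door the same interface leaves open, a client-supplied `option` that the server would otherwise pass to `ls` unchecked.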

Foscam <= 11.37.2.48 path traversal vulnerability

[CVE-REQUEST] Foscam <= 11.37.2.48 path traversal vulnerability
_______________________________________________________________________
Summary:
Foscam firmware <= 11.37.2.48 is prone to a path traversal
vulnerability in the embedded web interface.

The unauthenticated attacker can access the entire filesystem and
steal web & wifi credentials.
_______________________________________________________________________
Details:

GET //../proc/kcore HTTP/1.0
____________________________________________________________________
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Confidentiality Impact: Complete
Availability Impact: Complete
_______________________________________________________________________
Disclosure Timeline:
2013-01-18 Vendor fixed the issue in fw 11.37.2.49; no security notice
2013-02-21 Vulnerability found
2013-03-01 Public advisory
_______________________________________________________________________
Solution:
A new firmware is available on the vendor's site:
http://www.foscam.com/down3.aspx

_______________________________________________________________________
References:
http://code.google.com/p/bflt-utils/
http://wiki.openipcam.com/





Courtesy: securityfocus.com
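The request in the advisory works because the embedded web server joins the URL path onto its document root without checking where the result ends up. The check below is an added example for this page, written in Ruby rather than the firmware's C, and is not Foscam code; it shows the canonicalise-then-compare test that `//../proc/kcore` fails, and also covers percent-encoded dots and a symlink planted inside the root. `DocRoot` and its method names are assumptions.

```ruby
require "tmpdir"
require "fileutils"

# Added example, not Foscam firmware code: a generic document-root check
# of the kind the advisory's request would have to pass. The module name,
# DocRoot, and its methods are assumptions for this illustration.
module DocRoot
  # Decode %XX escapes once so that "%2e%2e" is seen as "..", then refuse a
  # NUL byte, which C string handling would silently truncate at.
  def self.decode(request_path)
    decoded = request_path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
    raise ArgumentError, "NUL byte in path" if decoded.include?("\0")
    decoded
  end

  # Returns the absolute file path to serve, or nil if the request escapes
  # `root`. Leading slashes are stripped so "//../proc/kcore" becomes the
  # relative "../proc/kcore", and File.absolute_path resolves the ".."
  # against root (unlike expand_path it does not expand "~"); the result
  # must then still sit below root.
  def self.resolve(root, request_path)
    root = File.absolute_path(root)
    relative = decode(request_path).sub(%r{\A/+}, "")
    candidate = File.absolute_path(relative, root)
    return nil unless candidate == root || candidate.start_with?(root + "/")

    # A symlink planted inside the root that points outside must not be
    # served either, so compare real paths when the target exists.
    if File.exist?(candidate)
      real_root = File.realpath(root)
      real = File.realpath(candidate)
      return nil unless real == real_root || real.start_with?(real_root + "/")
    end
    candidate
  end
end

# Self-check with the advisory's request against a root that need not
# exist: this part is pure path logic.
if __FILE__ == $PROGRAM_NAME
  p DocRoot.resolve("/srv/www", "//../proc/kcore")   # nil
  p DocRoot.resolve("/srv/www", "/index.htm")        # "/srv/www/index.htm"
end
```

The order matters: decode once, strip the leading slashes, resolve, then compare. Comparing before resolving (or decoding after) lets `..` or `%2e%2e` through, which is the general shape of this bug class.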

Multiple security flaws in the i-doit CMDB web application


#############################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
#############################################################
#
# CVE ID : CVE-2013-1413
# CSNC ID: CSNC-2013-003
# Product: i-doit
# Vendor:  synetics Gesellschaft für Systemintegration mbH
# Subject: Cross-site Scripting - XSS
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Stephan Rickauer (stephan.rickauer@csnc.ch)
# Date:    March 1st 2013
#
#############################################################


Introduction:
-------------
Compass Security AG discovered multiple security flaws in the i-doit
CMDB web application.

Vulnerable:
-----------
- i-doit versions prior to 1.0 Pro and 0.9.9-7 Open
- i-doit versions after 1.0 Pro with the input filter disabled (the default)

Patches:
--------
Version 1.0.2 Pro has received a new configure option to 'sanitize user
input' which defaults to off and has to be manually enabled.

Description:
------------
The i-doit web application does not properly encode output of user data
in various places. Exploiting this vulnerability leads to so-called
cross-site scripting (XSS) and allows execution of JavaScript code in
the context of the user's session, e.g. to impersonate logged-in i-doit
CMDB users.

Milestones:
-----------
2013-01-20  Vulnerability discovered
2013-01-20  Vendor notified
2013-01-20  CVE requested at MITRE.org
2013-01-21  Vendor contact established, provided with technical details
2013-01-21  CVE-ID assigned by MITRE
2013-01-21  Acknowledgement of vulnerability by vendor and agreement of
            advisory release schedule
2013-01-28  More XSS vulnerabilities identified, vendor updated
2013-02-20  Release of patched vendor software
2013-03-01  Public release of advisory

References:
-----------
http://www.i-doit.org
http://www.i-doit.com
http://www.csnc.ch

Raspberry Pi Firmware Updater Vulnerability

Application:
https://github.com/Hexxeh/rpi-update/

Version Tested:
Github source as of 10ad1e975a (10th Feb commit)

Vulnerability #1:
A malicious user can clobber any file due to insecure tmp file handling.

Example:

Any unprivileged user can create the following symlink, either from
a shell account, or by malicious web content such as PHP scripts.
pi@raspberrypi ~ $ ln -s /etc/passwd /tmp/updateScript.sh

Once in place, the symlink waits for the administrator to run an update:
 pi@raspberrypi ~ $ sudo rpi-update
 ...
 pi@raspberrypi ~ $ cat /etc/passwd
 #!/bin/bash
 if mv "./testfile.sh.tmp" "./testfile.sh"; then
 rm -- "$0"
 exec env UPDATE_SELF=0 /bin/bash "./testfile.sh" ""
 else
 echo " !!! Failed!"
 fi

As of this point, the pi is quite unusable due to the corrupted password database.
Note that the attacker cannot customise the content, for example, to set
a UID0 account.

Vulnerability #2:
The installation recommends the following command:
sudo wget http://goo.gl/1BOfJ -O /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update

Although the selfupdate functionality utilises SSL to ensure the integrity of the download, the installation process uses a URL shortening service without SSL to download the bash script, which the user is then encouraged to run as the root user.

Fix and Vendor Response
A pull request detailing exploit #1 and including a simple patch was submitted February 6th. The patch has not yet been accepted.

Workaround
By running rpi-update with the self update feature disabled, the affected code is not executed. Example:
sudo UPDATE_SELF=0 rpi-update

If you would like to update the application manually, or perform an initial installation safely, use the following commands:
wget https://github.com/Hexxeh/rpi-update/raw/master/rpi-update
sudo cp rpi-update /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update

Note that applying the patch in my pull request will not be a complete solution, as it will be reverted after the first automatic update.







Courtesy: securityfocus.com
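Vulnerability #1 is the general insecure-temp-file class: a privileged process writes to a fixed name in a directory any local user can write to, and an ordinary `open()` follows whatever symlink sits there. The block below is an added example for this page, not rpi-update's code (which is bash) and not the submitted patch; it reproduces the clobber inside a throwaway directory against a constructed stand-in file, then shows the two defences a script author has: `O_CREAT|O_EXCL`, which refuses to open through an existing name or link, and a private `mktemp`-style directory. `TmpWrite` and its method names are assumptions.

```ruby
require "tmpdir"
require "fileutils"

# Added example, not rpi-update's code: the predictable-temp-file pattern
# from vulnerability #1 reproduced in a sandbox, beside two ways to write
# a temp file that a planted symlink cannot redirect. TmpWrite and its
# method names are assumptions for this illustration.
module TmpWrite
  NAME = "updateScript.sh"

  # Unsafe: a fixed name in a directory others can write to. File.write
  # follows symlinks, so a link another user planted at that name sends
  # the content to the link target (in the advisory, /etc/passwd).
  def self.write_predictable(shared_dir, content)
    path = File.join(shared_dir, NAME)
    File.write(path, content)
    path
  end

  # Safer: O_CREAT|O_EXCL makes open(2) fail with EEXIST if anything is
  # already at that name, and a symlink counts even when dangling, so the
  # planted link is never followed. Mode 0600 keeps the file private.
  def self.write_exclusive(shared_dir, content)
    path = File.join(shared_dir, NAME)
    File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
      f.write(content)
    end
    path
  end

  # Best: a fresh, unpredictable, mode-0700 directory (what mktemp -d gives
  # a shell script), so no other user can plant anything next to the file.
  # The caller removes the directory when done.
  def self.write_private(content)
    dir = Dir.mktmpdir("rpi-update-")
    path = File.join(dir, NAME)
    File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
      f.write(content)
    end
    path
  end
end

# Self-check entirely inside a throwaway directory: a constructed "passwd"
# file stands in for the real one the advisory describes being clobbered.
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |box|
    shared = File.join(box, "shared")
    FileUtils.mkdir_p(shared)
    target = File.join(box, "passwd")
    File.write(target, "root:x:0:0:root:/root:/bin/bash\n")
    File.symlink(target, File.join(shared, TmpWrite::NAME))

    TmpWrite.write_predictable(shared, "#!/bin/bash\n")
    puts "predictable name clobbered target: #{File.read(target).start_with?('#!/bin/bash')}"  # true

    begin
      TmpWrite.write_exclusive(shared, "#!/bin/bash\n")
    rescue Errno::EEXIST => e
      puts "exclusive create refused the planted link: #{e.class}"  # Errno::EEXIST
    end

    path = TmpWrite.write_private("#!/bin/bash\n")
    puts format("private dir mode: %o", File.stat(File.dirname(path)).mode & 0o777)  # 700
    FileUtils.rm_rf(File.dirname(path))
  end
end
```

In a bash script the equivalent of `write_private` is `dir=$(mktemp -d)` and writing only inside `$dir`; the fixed `/tmp/updateScript.sh` name is the part that has to go, since no amount of checking before the write closes the race against a link planted in between.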

Saturday, February 23, 2013

Oracle EM Segment Advisor Arbitrary URL redirection/phishing (CVE-2012-3219)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TeamSHATTER Security Advisory

Oracle Enterprise Manager Segment Advisor Arbitrary URL redirection/phishing
vulnerability

February 20, 2013

Risk Level:
High

Affected versions:
Oracle Enterprise Manager Database Control 10.2.0.3, 10.2.0.4; 10.2.0.5,
11.1.0.7, 11.2.0.2, 11.2.0.3

Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Qinglin Jiang of
Application Security Inc.

Details:
Oracle Enterprise Manager Database Control Segment Advisor page is vulnerable
to an arbitrary URL redirection/phishing vulnerability. An attacker may inject
an arbitrary URL into the web application and force the application to
redirect to it without any validation. This vulnerability can be used in
phishing attacks to trick legitimate users to visit malicious sites without
realizing it. The affected link and parameter are
/em/console/database/xdb/XDBResource and cancelURL.

Impact:
A remote attacker can redirect a legitimate user to an arbitrary URL, which can
result in phishing attacks, trojan distribution, and spamming.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability.

Fix:
Apply January 2013 CPU.

CVE:
CVE-2012-3219

Links:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
https://www.teamshatter.com/?p=4159

Timeline:
Vendor Notification - 4/26/2012
Vendor Response - 5/3/2012
Fix - 1/15/2013
Public Disclosure - 2/20/2013

- --
_____________________________________________
Copyright (c) 2013 Application Security, Inc.
http://www.appsecinc.com


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)

iEYEARECAAYFAlEmbNsACgkQRx91imnNIgF44wCfZCk/iHG72ifdIh0Q3NX76hm1
KDEAn2HapYPDObVhhrVtIQoHXBbC6INi
=BIt8
-----END PGP SIGNATURE-----







Courtesy: securityfocus.com

SQL Injection in Oracle EM (streams queue) (CVE-2013-0373)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TeamSHATTER Security Advisory

SQL Injection in Oracle Enterprise Manager (streams queue)

February 20, 2013

Risk Level:
High

Affected versions:
Oracle Enterprise Manager Database Control 10.2.0.3, 10.2.0.4, 10.2.0.5,
11.1.0.7, 11.2.0.2, 11.2.0.3

Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of
Application Security Inc.

Details:
SQL Injection works by attempting to modify the parameters passed to an
application to change the SQL statements that are passed to a database. SQL
injection can be used to insert additional SQL statements to be executed.
Some parameters of /em/console/database/dist/streams/queue are vulnerable to
SQL Injection attacks. This web page is part of Oracle Enterprise Manager web
application. This vulnerability allows executing SQL statements in the
backend database by making a web request as an authenticated user.  The
vulnerability can be exploited, by means of cross-site request forgery
attacks, when an Administrator with an open OEM session visits a malicious web
site.

Impact:
An attacker hosting a malicious web site can execute SQL statements in the
backend database when an administrator with an open session in Oracle
Enterprise Manager web application visits the malicious web site.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability.

Fix:
Apply January 2013 CPU.

CVE:
CVE-2013-0373

Links:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
https://www.teamshatter.com/?p=4156


Timeline:
Vendor Notification - 8/22/2012
Vendor Response - 8/28/2012
Fix - 1/15/2013
Public Disclosure - 2/20/2013

- --
_____________________________________________
Copyright (c) 2013 Application Security, Inc.
http://www.appsecinc.com



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)

iEYEARECAAYFAlEmcDwACgkQRx91imnNIgFGRwCeJbqzhJQUVTvtjqDrprL+Zt9K
yu4An2Q0aqEe5+bdvyLjvWgoYlJbAVNb
=dUgv
-----END PGP SIGNATURE-----








Courtesy: securityfocus.com

SQL Injection in Oracle EM (SCPLBL_COLLECTED parameters) (CVE-2013-0353)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TeamSHATTER Security Advisory

SQL Injection in Oracle Enterprise Manager (SCPLBL_COLLECTED parameters)

February 20, 2013

Risk Level:
High

Affected versions:
Oracle Enterprise Manager Database Control 11.1.0.7, 11.2.0.2, 11.2.0.3

Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of
Application Security Inc.

Details:
SQL Injection works by attempting to modify the parameters passed to an
application to change the SQL statements that are passed to a database. SQL
injection can be used to insert additional SQL statements to be executed.
Some parameters of /em/console/ecm/config/savedConfig are vulnerable to SQL
Injection attacks. This web page is part of Oracle Enterprise Manager web
application. It may be possible for a malicious user to execute a function
with the elevated privileges of the SYSMAN database user in the repository
database. This user has the DBA role granted.  This vulnerability can also be
exploited, by means of cross-site request forgery attacks, when an
Administrator with an open OEM session visits a malicious web site.

Impact:
This vulnerability allows an Oracle Enterprise Manager user with VIEW (or more)
privileges to execute a function call with the elevated privileges of the
SYSMAN database user.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability.

Fix:
Apply January 2013 CPU.

CVE:
CVE-2013-0353

Links:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
https://www.teamshatter.com/?p=4152


Timeline:
Vendor Notification - 6/25/2012
Vendor Response - 6/29/2012
Fix - 1/15/2013
Public Disclosure - 2/20/2013
- --
_____________________________________________
Copyright (c) 2013 Application Security, Inc.
http://www.appsecinc.com


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)

iEYEARECAAYFAlEmbNsACgkQRx91imnNIgFEeQCfYDk846kd3FWKZJhddwvxxkdn
gwoAoNN3xyIA07cAAlkXbywWnVZI8icC
=6QMP
-----END PGP SIGNATURE-----








Courtesy: securityfocus.com

SQL Injection in Oracle EM (dBClone) (CVE-2013-0374)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TeamSHATTER Security Advisory

SQL Injection in Oracle Enterprise Manager (dBClone)

February 20, 2013

Risk Level:
High

Affected versions:
Oracle Enterprise Manager Database Control 10.2.0.3, 10.2.0.4, 10.2.0.5,
11.1.0.7, 11.2.0.2, 11.2.0.3

Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of
Application Security Inc.

Details:
SQL Injection works by attempting to modify the parameters passed to an
application to change the SQL statements that are passed to a database. SQL
injection can be used to insert additional SQL statements to be executed.
Some parameters of /em/console/database/dbclone/dBClone are vulnerable to SQL
Injection attacks. This web page is part of Oracle Enterprise Manager web
application. It may be possible for a malicious user to execute a function
with the elevated privileges of the SYSMAN database user in the repository
database. This user has the DBA role granted.  This vulnerability can also be
exploited, by means of cross-site request forgery attacks, when an
Administrator with an open OEM session visits a malicious web site.

Impact:
This vulnerability allows an Oracle Enterprise Manager user with VIEW (or more)
privileges to execute a function call with the elevated privileges of the
SYSMAN database user.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability.

Fix:
Apply January 2013 CPU.

CVE:
CVE-2013-0374

Links:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
https://www.teamshatter.com/?p=4145


Timeline:
Vendor Notification - 8/22/2012
Vendor Response - 8/28/2012
Fix - 1/15/2013
Public Disclosure - 2/20/2013
- --
_____________________________________________
Copyright (c) 2013 Application Security, Inc.
http://www.appsecinc.com


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)

iEYEARECAAYFAlEmbNsACgkQRx91imnNIgHo7QCfSJQzpaRGl//95FKIt5zSMtCF
8pYAoI4zumPicyj1j4m5ru3kXahkwHzd
=uU10
-----END PGP SIGNATURE-----








Courtesy: securityfocus.com

SQL Injection in Oracle EM (advReplicationAdmin) (CVE-2013-0372)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TeamSHATTER Security Advisory

SQL Injection in Oracle Enterprise Manager (advReplicationAdmin)

February 20, 2013

Risk Level:
High

Affected versions:
Oracle Enterprise Manager Database Control 11.1.0.7, 11.2.0.2, 11.2.0.3

Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of
Application Security Inc.

Details:
SQL Injection works by attempting to modify the parameters passed to an
application to change the SQL statements that are passed to a database. SQL
injection can be used to insert additional SQL statements to be executed. Some
parameters of /em/console/database/dist/advRepl/advReplicationAdmin are
vulnerable to SQL Injection attacks. This web page is part of Oracle
Enterprise Manager web application. This vulnerability allows executing SQL
statements in the backend database by making a web request as an authenticated
user.  The vulnerability can be exploited, by means of cross-site request
forgery attacks, when an Administrator with an open OEM session visits a
malicious web site.

Impact:
An attacker hosting a malicious web site can execute SQL statements in the
backend database when an administrator with an open session in Oracle
Enterprise Manager web application visits the malicious web site.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability.

Fix:
Apply January 2013 CPU.

CVE:
CVE-2013-0372

Links:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
https://www.teamshatter.com/?p=4142


Timeline:
Vendor Notification - 8/22/2012
Vendor Response - 8/28/2012
Fix - 1/15/2013
Public Disclosure - 2/20/2013
- --
_____________________________________________
Copyright (c) 2013 Application Security, Inc.
http://www.appsecinc.com


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)

iEYEARECAAYFAlEmbmUACgkQRx91imnNIgGmpQCgr8Wzc9CkJVzkVTxXx9ro8U1h
aFkAoLLabATVXrBOLKKz9/yE9z49pB+P
=WaN+
-----END PGP SIGNATURE-----






Courtesy: securityfocus.com

HTTP Response Splitting in Oracle EM (policyViewSettings) (CVE-2013-0354)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TeamSHATTER Security Advisory

HTTP Response Splitting in Oracle Enterprise Manager (policyViewSettings)

February 20, 2013

Risk Level:
Medium

Affected versions:
Oracle Enterprise Manager Database Control 11.1.0.7, 11.2.0.2, 11.2.0.3

Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of
Application Security Inc.

Details:
HTTP Response Splitting is a web application vulnerability where input
parameters are unsafely used in response headers, allowing an attacker to make
the server print one (or more) new line sequences in the header section, which
allows setting arbitrary headers, taking control of the body, or breaking the
response into two or more separate responses.  This can be used to perform
cross-site scripting, cross-user defacement and web cache poisoning, among
other attacks. The 'pagename' parameter of web page
/em/console/ecm/policy/policyViewSettings is vulnerable to this kind of
attack.

Impact:
An attacker that convinces a valid Oracle Enterprise Manager user to click or
open a malicious link can take over the user's session.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability.

Fix:
Apply January 2013 CPU.

CVE:
CVE-2013-0354

Links:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
https://www.teamshatter.com/?p=4138



Timeline:
Vendor Notification - 6/25/2012
Vendor Response - 6/29/2012
Fix - 1/15/2013
Public Disclosure - 2/20/2013



- --
_____________________________________________
Copyright (c) 2013 Application Security, Inc.
http://www.appsecinc.com



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)

iEYEARECAAYFAlEmbcQACgkQRx91imnNIgGIXgCghhi6V4QeGQd906/jQwUoCBFL
EM4AoKvhlJs8KHaJfLQLBdhMWgnzx5vD
=xePM
-----END PGP SIGNATURE-----








Courtesy: securityfocus.com
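The Details section above describes the mechanism in prose; the block below is an added example for this page, not Oracle's code, that makes it concrete. It builds a 302 redirect the way a vulnerable handler would (the parameter copied into the `Location` header as-is), parses the result the way a client would, and shows that a value containing CR/LF adds a header the server never meant to send; the two fixes are percent-encoding for values that belong in a query string and outright rejection of control characters for anything placed in a header verbatim. Only the `policyViewSettings` path comes from the advisory; `SplitGuard`, its methods and the `X-Injected` marker header are constructed for the illustration.

```ruby
require "uri"

# Added example, not Oracle's code: how a CR/LF inside a parameter that is
# copied into a response header splits the header block, and two ways to
# stop it. The path below is the one named in the advisory; the module,
# method names and the 302 builders are assumptions for this illustration.
module SplitGuard
  PAGE = "/em/console/ecm/policy/policyViewSettings"

  # Unsafe: the parameter lands in the Location header verbatim, so a
  # "\r\n" inside it ends the header early and starts a new one.
  def self.unsafe_redirect(pagename)
    "HTTP/1.1 302 Found\r\nLocation: #{PAGE}?pagename=#{pagename}\r\nContent-Length: 0\r\n\r\n"
  end

  # Safe (query-string values): percent-encode, so CR and LF travel as
  # %0D%0A and cannot terminate anything.
  def self.safe_redirect(pagename)
    encoded = URI.encode_www_form_component(pagename)
    "HTTP/1.1 302 Found\r\nLocation: #{PAGE}?pagename=#{encoded}\r\nContent-Length: 0\r\n\r\n"
  end

  # Safe (anything placed in a header as-is): refuse CR, LF and NUL outright.
  def self.header_value!(value)
    raise ArgumentError, "control character in header value" if value.match?(/[\r\n\0]/)
    value
  end

  # Minimal parser for the header block as a client would read it: a
  # name => value map of everything between the status line and the blank
  # line. Used to show what the two builders actually emit.
  def self.headers(raw)
    head = raw.split("\r\n\r\n", 2).first
    head.lines("\r\n", chomp: true).drop(1).to_h { |line| line.split(": ", 2) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: a value carrying a CRLF followed by a marker header.
  hostile = "summary\r\nX-Injected: 1"
  p SplitGuard.headers(SplitGuard.unsafe_redirect(hostile)).keys  # ["Location", "X-Injected", "Content-Length"]
  p SplitGuard.headers(SplitGuard.safe_redirect(hostile)).keys    # ["Location", "Content-Length"]
end
```

Frameworks that set headers through an API (rather than string concatenation) usually apply the `header_value!` rule for you; the bug appears when a handler assembles the header line itself, as the `unsafe_redirect` builder does.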

Oracle Database GeoRaster API overflow (CVE-2012-3220)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TeamSHATTER Security Advisory

Oracle Database GeoRaster API overflow

February 20, 2013

Risk Level:
High

Affected versions:
Oracle Database 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3

Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Martin Rakhmanov of
Application Security Inc.

Details:
GeoRaster is a feature of Oracle Spatial that lets you store, index, query,
analyze, and deliver GeoRaster data. One of the GeoRaster APIs is prone to
stack-based overflow.

Impact:
An attacker that can connect to a database with spatial support can execute
arbitrary code in the server's process context.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
Do not install spatial support in the database.

Fix:
Apply January 2013 CPU.

CVE:
CVE-2012-3220

Links:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
https://www.teamshatter.com/?p=4134


Timeline:
Vendor Notification - 5/3/2012
Vendor Response - 5/4/2012
Fix - 1/15/2013
Public Disclosure - 2/20/2013
- --
_____________________________________________
Copyright (c) 2013 Application Security, Inc.
http://www.appsecinc.com


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)

iEYEARECAAYFAlEmbNsACgkQRx91imnNIgGm0wCgoCDtw7yex8egWX0in3tTYGHm
R60Anjf9fKfxgr6y4E28pn3Z+xLWNoJV
=9NkT
-----END PGP SIGNATURE-----









Courtesy: securityfocus.com