SSD Advisory – IBM Informix Dynamic Server and Informix Open Admin Tool Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerabilities Summary
The following advisory describes six (6) vulnerabilities found in Informix Dynamic Server and Informix Open Admin Tool.

IBM Informix Dynamic Server Exceptional, low maintenance online transaction processing (OLTP) data server for enterprise and workgroup computing.

IBM Informix Dynamic Server has many features that cater to a variety of user groups, including developers and administrators. One of the strong features of IDS is the low administration cost. IDS is well known for its hands-free administration. To make server administration even easier, a new open source, platform-independent tool called OpenAdmin Tool (OAT) is now available to IDS users. The OAT includes a graphical interface for administrative tasks and performance analysis tools.

Vulnerabilities:

  1. Unauthentication static PHP code injection that leads to remote code execution
  2. Heap buffer overflow
  3. Remote DLL Injection that leads to remote code execution (1)
  4. Remote DLL Injection that leads to remote code execution (2)
  5. Remote DLL Injection that leads to remote code execution (3)
  6. Remote DLL Injection that leads to remote code execution (4)

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
IBM has released patches to address those vulnerabilities and issued the following CVE’s:

  • CVE-2016-2183
  • CVE-2017-1092

For more Information – http://www-01.ibm.com/support/docview.wss?uid=swg22002897

Continue reading SSD Advisory – IBM Informix Dynamic Server and Informix Open Admin Tool Multiple Vulnerabilities

SSD Advisory – Synology DiskStation Manager Multiple Stored Cross-Site Scripting

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerabilities Summary
The following advisory describe two (2) stored Cross-Site Scripting (XSS) found in Synology DiskStation Manager (DSM).

  1. Cross-site scripting stored in SWF file
  2. Cross-site scripting stored in Video Station application

Synology DiskStation Manager (DSM), a Linux based software package that is the operating system for the DiskStation and RackStation products. The Synology DSM is the foundation of the DiskStation, which integrates the basic functions of file sharing, centralized backup, RAID storage, multimedia streaming, virtual storage, and using the DiskStation as a network video recorder.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
Repeated emails (support@cynology.com) sent to the vendor, since March, were answered with unclear answers:
“Sorry for the misunderstanding. You reported it to us and what I meant was that our developers have verified your report and it’s been logged as a known issue now.
So, your report to us is highly appreciated and we thank you very much for your help!”

We therefore don’t know at this time whether this vulnerabilities were or not resolved.

Continue reading SSD Advisory – Synology DiskStation Manager Multiple Stored Cross-Site Scripting

SSD Advisory – Bitdefender Code Signing organizationName Buffer Overflow

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerability Summary
The following advisory describes a Buffer Overflow vulnerability found in Bitdefender Engine PE.

Bitdefender provides the Bitdefender “antimalware” engine for integration with other security vendors products. The engine is used in Bitdefender’s own products, for example in Bitdefender Internet Security 2017 and below. The antimalware engine is the core of the product, among other features providing the means to scan potentially malicious portable executables (PEs).

Credit
An independent security researcher, Pagefault, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor Response
Bitdefender has released patched to address this vulnerability in version 7.71417.

Continue reading SSD Advisory – Bitdefender Code Signing organizationName Buffer Overflow

Know your community – Simone Margaritelli (@evilsocket)

The guy that published a first hand account of how an allegedly government-sponsored firm, Dark Matter, tried to hire him to help them spy on civilian in the UAE.

A former BlackHat that switch sides

Bug Bounty hunter

The author of the most known offensive open source software – BetterCAP, dSploit, AndroSwat and more!

Please meet Simone Margaritelli AKA @evilsocket

Continue reading Know your community – Simone Margaritelli (@evilsocket)