SSD Advisory – Live555 Exploitable Buffer Overflow and Directory Traversal

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
Live555 Media Server is “a complete RTSP server application”.

Vulnerability Details
Two security vulnerabilities have been found in Live555. The first allows overflowing an internal buffer used by the program and the execution of arbitrary code the latter allows through directory traversal to gain insight to the operating system the Live555 is installed upon – which in allows more accurate exploitation of the first vulnerability with less “chance” of failure.

SSD Advisory – Axigen HTML Attachments Cross Site Scripting

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
Axigen is a Linux mail server, calendaring and collaboration 100% private, highly available and scalable messaging solution.

Vulnerability Details
The vulnerability is in the “actions.hsp” file that is responsible for visualizing certain attachments. The problem occurs because this file enables arbitrarily execution of JavaScript. Not only that, the application “by default” runs the attachment in the same domain so many other more complex attacks.

SSD Advisory – ManageEngine Exchange Reporter Plus Auth Bypass / Arbitrary SQL Statement Execution

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
ManageEngine Exchange Reporter Plus is a web-based analysis and reporting solution for Microsoft Exchange Servers. Exchange Reporter Plus is a comprehensive MS Exchange reporting software that provides over 100 different reports on every aspect of the Microsoft Exchange Server environment.

Vulnerability Details
The ManageEngine Exchange Reporter product installs a JBoss server which listens on default port 8181 (tcp/http) for incoming requests. It offers an admin panel on that port.

Without authorization/authentication it is possible to visit the RunQuery.jsp script to execute arbitrary PostgreSQL statements. When the EXECUTE parameter is set to ‘true’, it is possible to pass arbitrary SQL queries through the QUERY parameter (stacked queries are allowed).

SSD Advisory – Internet Explorer 11 Rendering Engine DLL Hijacking

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
DLL Hijacking vulnerability is caused by specific insecure programming practices that allow so-called “binary planting” or “DLL preloading attacks”. These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location.

This issue is caused by applications passing an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system. Microsoft is also actively investigating which of its own applications may be affected.

Vulnerability Details
The Microsoft Internet Explorer 11 rendering engine on Windows 7 contains a remote DLL hijacking vulnerability which searches for a component that by default does not exist in the system. Although the search order is “safe”, the current directory is still included thus allowing for a DLL hijack vulnerability to exist. Several vectors exist since the IE rendering engine is used by a lot of third parties software. In this proof of concept we will use, HTML documents and SVG documents, it is also possible to use Word documents but we will not show how to do this in this advisory.