SSD Advisory – AppLock Multiple Vulnerabilities

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
AppLock is the most downloaded app lock in the Play Store:

  • #1 App lock in over 50 countries.
  • Over 100 Million users, supporting 24 languages.
  • AppLock can lock SMS, Contacts, Gmail, Facebook, Gallery, Market, Settings, Calls and any app you choose, with abundant options, protecting your privacy.
  • AppLock can hide pictures and videos, AppLock empowers you to control photo and video access. Selected pictures vanish from your photo gallery, and stay locked behind an easy-to-use PIN pad. With AppLock, only you can see your hidden pictures. Privacy made easy!

Vulnerability Details
The following report describes three (3) different vulnerabilities found in AppLock, an Android application with over 10 million downloads, used to secure pictures, videos and applications with a PIN code.

The first vulnerability shows that the pictures and videos are not encrypted but merely hidden from the user; even without root permission they can be recovered, along with their original filenames.

The second vulnerability shows how a user with root permission on the device can easily remove the PIN code from applications or add it to others. He can moreover change the PIN code.

The last, and most critical, vulnerability is a PIN bypass. It is possible, without root permissions and with all applications, settings, etc. locked by the app, to reset the PIN code to one of our choice and then take full control of the application.

SSD Advisory – Symantec NetBackup OpsCenter Server Java Code Injection RCE


Introduction
Symantec NetBackup OpsCenter is an optional web based application that, if used, is installed separately in a customer’s environment for advanced monitoring, alerting, and reporting capabilities. Symantec NetBackup OpsCenter for Linux/Unix is susceptible to Java code injection that could potentially result in privileged access to the application.

Vulnerability Details
A vulnerability in Symantec NetBackup OpsCenter, when installed on a Linux based operating system, allows remote unauthenticated attackers to cause the product to execute arbitrary code. The vulnerability abuses a mechanism that allows users to provide Java code to the server, which is then executed as part of its internal process. Due to a flaw in the way this code is handled, an attacker can cause it to execute arbitrary code of his choice and elevate it to gain root privileges on the remote machine.

SSD Advisory – Microsoft Office Word 2003/2007 Code Execution


Introduction
Microsoft Word is a word processor developed by Microsoft. It was first released in 1983 under the name Multi-Tool Word for Xenix systems.

Vulnerability Details
Word 2003/2007 is prone to a remote code execution issue because of a component that allows script execution in the context of the opened document, which runs in the Local Machine security zone of Windows/Internet Explorer. This security zone has relaxed restrictions, allowing arbitrary code to be executed using e.g. ADO objects such as ADODB.Recordset, which is able to create arbitrary files in arbitrary locations on the disk, including, of course, the currently logged on user's startup folder. The file can be an HTML application, and will be run the next time Windows boots and the same user that was affected by this vulnerability logs on to Windows.

SSD Advisory – Horde Groupware Files Application XSS


Introduction
Horde Groupware is a free, enterprise ready, browser based collaboration suite. Users can manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards compliant components from the Horde Project. Horde Groupware bundles the separately available applications Kronolith, Turba, Nag, Mnemo, Gollem, and Trean.

Vulnerability Details
A vulnerability in the way Horde Groupware handles directory contents allows an authenticated attacker to inject an XSS payload into directories and files and have other users become victims of the resulting script execution via the sharing option.

SSD Advisory – ZendXml Multibyte Payloads XXE/XEE


Introduction
ZendXml is a utility component for XML usage and best practices in PHP.

Vulnerability Details
The XML standard defines the concept of external entities. An XXE (XML eXternal Entity) attack is an attack on an application that parses XML input from untrusted sources using an incorrectly configured XML parser. The application may be forced to open arbitrary files and/or network resources. Exploiting XXE issues in PHP applications may also lead to denial of service or, in some cases (for example, when the ‘expect’ PHP module is installed), to command execution.

Independent security research on Zend Framework revealed that it is possible to bypass the XXE security controls within the framework when a PHP application using the Zend XML related classes (e.g. Zend_XmlRpc_Server, Zend_Feed, Zend_Config_Xml etc.) from Zend Framework (including the latest version) is served via PHP-FPM. Bypassing the controls may allow XXE attacks and lead to the aforementioned exploitation possibilities on systems where the XML parser is set to resolve entities.

SSD Advisory – QNAP QTS LDAP Authentication Remote Code Execution


Introduction
Based on Linux, QNAP QTS 4 is a powerful operating system deployed on all QNAP Turbo NAS devices to bring performance and enhanced functionalities under an easy-to-use web GUI. QTS allows traditional NAS capabilities, in addition to advanced sharing features and mobile platforms support. Moreover, QTS supports custom applications to expand NAS functionalities for sharing and media streaming.

On top of a traditional Linux kernel (3.4.6, x86_64), QTS 4 provides NAS capabilities implemented in user-land and a web-based UI built using cgi-bin technology. Although SSH access is available on all QNAP devices, it is possible to completely manage the device using the web interface.

From the technical standpoint, the QTS 4 web UI consists of two main components:

  • A web server (thttpd) and CGI binaries. In the default configuration, this service runs as "admin", a user with root permissions. On 80/tcp, the web server hosts a set of scripts that redirect to port 8080/tcp. The service is also available over SSL (443/tcp) using Apache configured as a reverse proxy pointing to 8080/tcp. The webroot is located at /home/httpd.
  • A set of custom binaries and standard Linux utilities (e.g. ldapsearch) that are invoked from the CGI scripts to perform the required tasks.

By default, the web interface is available from remote hosts with no network filtering.

Vulnerability Overview
A code injection vulnerability has been discovered in the current version of QNAP QTS 4. As mentioned, this vulnerability affects all QNAP NAS products using LDAP authentication. Valid credentials are NOT required in order to exploit this issue, allowing a remote attacker to execute arbitrary system commands as root.

SSD Advisory – Live555 Exploitable Buffer Overflow and Directory Traversal


Introduction
Live555 Media Server is “a complete RTSP server application”.

Vulnerability Details
Two security vulnerabilities have been found in Live555. The first allows overflowing an internal buffer used by the program and the execution of arbitrary code; the second allows, through directory traversal, gaining insight into the operating system on which Live555 is installed, which in turn allows more accurate exploitation of the first vulnerability with less “chance” of failure.

SSD Advisory – Axigen HTML Attachments Cross Site Scripting


Introduction
Axigen is a Linux mail server, calendaring and collaboration solution: a 100% private, highly available and scalable messaging platform.

Vulnerability Details
The vulnerability is in the “actions.hsp” file, which is responsible for visualizing certain attachments. The problem occurs because this file enables arbitrary execution of JavaScript. Not only that, the application “by default” runs the attachment in the same domain, which enables many other, more complex attacks.