SSD Advisory – Cisco Prime Infrastructure Remote Code Execution Vulnerability

Vulnerability Details
A vulnerability in CPI (Cisco Prime Infrastructure) allows unauthenticated attackers to make the product deserialize untrusted data, which in turn can be used to make it execute arbitrary (Java) code.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

SSD Advisory – Untangle NG Firewall Remote Command Execution

Vulnerability Description
The Untangle NG Firewall appliance includes a free module called “Captive Portal”. This module is installed by default together with several other recommended modules. It acts as an authentication gateway that supports per-user login (for example in a VPN or LAN environment) and per-user firewall rules. It forces all traffic to be authenticated before access to the network is granted, and redirects every HTTP/HTTPS request to a login/disclaimer URL (“/capture/handler.py”).

The component’s URI is not restricted to local (LAN) users: it is also reachable through the administrative interface, which is enabled by default on WAN interfaces for remote users over HTTPS (443).

There is administrative functionality in this module for uploading custom Python scripts or HTML pages, packed as a ZIP file. The component does not check whether the user is authenticated before processing the upload. This results in an arbitrary file upload vulnerability that allows remote, unauthenticated users to write their own Python/HTML files to a known folder.

Each Untangle plugin has its own application id; by default the Captive Portal id is “16”. The uploaded files (if packed correctly) are extracted and copied to:
“/capture/custom_16/”

The id is stable on a given installation, but it may differ in older versions. In any case it is always between 1 and 35, a range small enough to identify it in a few tries (in the worst case).

The ZIP file must contain a file named “custom.py” or “custom.html”.

As a result, this is an RCE vulnerability: when the module is installed, the web server configuration is modified to execute CGI files (as Python) from the “/capture/” folder. So if a custom Python file is uploaded, accessing it through the web executes its content:
“/capture/custom_16/custom.py”

In short:

  1. Upload a ZIP file containing a file called “custom.py” with the desired Python payload inside.
  2. Access “/capture/custom_16/custom.py” to execute its content.
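The primary fix is to require authentication before the upload handler does anything; the advisory also implies a second check the handler never made, namely what the ZIP may contain and where it may land. The following is an added example (not Untangle’s code and not part of the original advisory) of that secondary check, together with the list of paths a responder would inspect on a suspect appliance. The 64 KiB size limit, the function names and the in-memory test archive are assumptions made for the example.

```python
import io
import zipfile

# Facts from the advisory: the Captive Portal id is 16 by default and
# always falls in 1-35; uploads must be custom.py or custom.html.
APP_ID_RANGE = range(1, 36)
DEFAULT_APP_ID = 16
ALLOWED_MEMBERS = {"custom.py", "custom.html"}
MAX_MEMBER_BYTES = 64 * 1024  # assumed limit for the hardened check


def candidate_custom_paths(app_ids=APP_ID_RANGE, default_first=True):
    """Paths at which an uploaded custom.py would be executed as CGI.

    The default id (16) is listed first so a responder checks the likely
    location before walking the rest of the 1-35 range.
    """
    ids = list(app_ids)
    if default_first and DEFAULT_APP_ID in ids:
        ids.remove(DEFAULT_APP_ID)
        ids.insert(0, DEFAULT_APP_ID)
    return [f"/capture/custom_{i}/custom.py" for i in ids]


def validate_custom_zip(blob):
    """Hardened server-side check an upload handler should apply (assumed design).

    Returns (ok, reason). Accepts only custom.py / custom.html at the archive
    root; rejects directories, any path component (zip-slip style traversal
    into or out of the extraction folder), unexpected names and oversized
    members. This complements, and does not replace, an authentication check
    before the upload is processed at all.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return False, "not a zip archive"
    infos = zf.infolist()
    if not infos:
        return False, "empty archive"
    for info in infos:
        name = info.filename
        if info.is_dir() or name.endswith("/"):
            return False, f"directory entry not allowed: {name}"
        if "/" in name or "\\" in name or name.startswith(".") or ".." in name:
            return False, f"path component not allowed: {name}"
        if name not in ALLOWED_MEMBERS:
            return False, f"unexpected member: {name}"
        if info.file_size > MAX_MEMBER_BYTES:
            return False, f"member too large: {name}"
    return True, "ok"


def build_zip(members):
    """Constructed test input: an in-memory ZIP mapping member name -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    print(candidate_custom_paths()[:3])
    print(validate_custom_zip(build_zip({"custom.py": "print('Content-Type: text/plain')\n"})))
    print(validate_custom_zip(build_zip({"../custom.py": "x"})))
    print(validate_custom_zip(build_zip({"shell.py": "x"})))
```

The traversal checks run before the allow-list check so the rejection reason tells an operator what was attempted; an archive that only contains a correctly named custom.py passes, which is exactly why the authentication gate, not this filter, is the real fix.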

SSD Advisory – Ghost CMS Multiple Vulnerabilities

Vulnerabilities Description
The following report describes four (4) different vulnerabilities found in the Ghost CMS software, which is used by hundreds of thousands of blogs around the world. The vulnerabilities allow an attacker to disrupt the service and change the content of the blog.

It is also possible to perform a DoS (Denial of Service) attack if certain conditions are met.

The vulnerabilities are the following:

  • Change the author of a blog entry (this bypasses a previous fix deployed in Ghost 0.5.9)
  • Change the password of a user without knowing the previous one (the attacker must be logged in as that user)
  • Disk exhaustion is possible from any account

SSD Advisory – Teco SG2 and TP3 Vulnerabilities

Vulnerabilities Description
Multiple vulnerabilities have been found in Teco’s SG2 and TP3 products. They allow an attacker who can supply the product with a specially crafted file to cause it to execute arbitrary code.


SSD Advisory – BMC Track-It Arbitrary file upload vulnerability and Information disclosure vulnerability

Vulnerability Description
BMC Track-It! 11.4 contains an arbitrary file upload vulnerability and an information disclosure vulnerability, both exploitable by an unauthenticated user. The file upload vulnerability can be used to upload a file to the web root and execute code as the IIS user. The information disclosure vulnerability allows an attacker to obtain the SQL database credentials and the domain administrator credentials (username and password).


SSD Advisory – Multiple Vulnerabilities in WebNMS Framework Server

Background
WebNMS is an industry-leading framework for building network management applications. With over 25,000 deployments worldwide and in every Tier 1 Carrier, network equipment providers and service providers can customize, extend and rebrand WebNMS as a comprehensive Element Management System (EMS) or Network Management System (NMS). NOC Operators, Architects and Developers can customize the functional modules to fit their domain and network. Functional modules include Fault Correlation, Performance KPIs, Device Configuration, Service Provisioning and Security. WebNMS supports numerous Operating Systems, Application Servers, and databases.

Vulnerabilities Description
Multiple vulnerabilities affecting WebNMS have been found. They allow uploading of arbitrary files and their execution, arbitrary file download (with directory traversal), storage of passwords with a weak algorithm, and session hijacking.


SSD Advisory – Polycom Video Conference persistent and non-authenticated XSS allows camera control

Vulnerability Description
A persistent, pre-authentication cross-site scripting vulnerability in the Polycom HDX web interface allows remote attackers to take over and control the camera.


SSD Advisory – 3CX VoIP Phone System Manager Server Remote Code Execution Vulnerability (with SYSTEM privileges)

Vulnerability Description
The 3CX product installs a Windows service called “Abyss Web Server” (abyssws.exe), which listens by default on the public ports 5000 (tcp/http) and 5001 (tcp/https) for incoming requests to the web panel and runs with NT AUTHORITY\SYSTEM privileges.

Without requiring authentication or authorization, it is possible to upload arbitrary scripts into an accessible web path through the VAD_Deploy.aspx script.

Consequently, it is possible to run arbitrary code and commands on the target server with the privileges of that service (SYSTEM).
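Both the Untangle Captive Portal and the 3CX advisories on this page describe an unauthenticated upload followed by a request to the uploaded file, and both leave a distinctive trace in the web server’s access log: requests to /capture/custom_<id>/custom.py (with non-200 responses while the attacker walks the 1-35 id range), and requests to VAD_Deploy.aspx. The following detector is an added example, not code from either advisory or vendor. It assumes Apache-style common log format; the sample lines are constructed, and since the advisory names only the VAD_Deploy.aspx script and not the directory it lives in, the file name is matched anywhere in the path.

```python
import re

# Common/combined log format prefix as written by Apache-style servers.
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Untangle: execution of an uploaded custom.py under /capture/custom_<id>/
# (id 16 by default, 1-35 in general, per the advisory).
UNTANGLE_CUSTOM_CGI = re.compile(
    r'^/capture/custom_(?P<app_id>\d{1,2})/custom\.py(?:[?#]|$)'
)
# 3CX: the advisory names only the script, not its directory, so the file
# name is matched anywhere in the path (assumption for this example).
THREECX_VAD_DEPLOY = re.compile(r'/VAD_Deploy\.aspx(?:[?#]|$)', re.IGNORECASE)


def parse_clf(line):
    """Return the request fields of one access-log line, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Map one parsed request to a finding, or None if it is not of interest."""
    path = entry["path"]
    m = UNTANGLE_CUSTOM_CGI.match(path)
    if m:
        # A 200 means the CGI actually ran; any other status is most likely the
        # attacker walking the 1-35 id range looking for the right custom_<id>.
        return {
            "rule": "untangle-captive-portal-custom-cgi",
            "app_id": int(m.group("app_id")),
            "outcome": "executed" if entry["status"] == "200" else "probe",
        }
    if THREECX_VAD_DEPLOY.search(path):
        return {"rule": "3cx-vad-deploy-upload", "outcome": "upload-attempt"}
    return None


def scan(lines):
    """Run every line through parse_clf/classify and return the findings in order."""
    findings = []
    for line in lines:
        entry = parse_clf(line)
        if entry is None:
            continue  # unparseable lines are skipped, not treated as findings
        hit = classify(entry)
        if hit:
            hit.update(src=entry["src"], method=entry["method"],
                       status=entry["status"], path=entry["path"])
            findings.append(hit)
    return findings


# Constructed sample log lines (not captured from a real appliance).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2015:13:55:36 +0000] "GET /capture/handler.py?nonce=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2015:13:56:01 +0000] "GET /capture/custom_15/custom.py HTTP/1.1" 404 209',
    '203.0.113.5 - - [10/Oct/2015:13:56:02 +0000] "GET /capture/custom_16/custom.py HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Oct/2015:14:02:10 +0000] "POST /VAD_Deploy.aspx?x=1 HTTP/1.1" 200 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The benign captive-portal redirect to /capture/handler.py produces no finding, while the 404 on custom_15 followed by the 200 on custom_16 from the same source is the id-enumeration pattern the Untangle advisory describes; pairing the 3CX hit with a subsequent request to the path it wrote would need the upload’s response body, which the common log format does not record.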
