SSD Advisory – Mac OS X 10.12 Quarantine Bypass

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerability summary
Mac OS X contains a vulnerability that allows bypassing of the Apple Quarantine and the execution of arbitrary JavaScript code without any restrictions.

Credit
A security researcher from WeAreSegment, Filippo Cavallarin, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
Apple has been notified on the 27th of June 2017, several correspondences were exchanged. Apple notified us that a patch has been put in place in the upcoming High Sierra version. No additional information has been provided by Apple since the notification that a patch has been made – no link to the advisory nor any information on what CVE has been assigned to this have been provided.

We have verified that Mac OS X High Sierra is no longer vulnerable to this, a solution would be to either upgrade High Sierra, or remove the rhtmlPlayer.html file (a workaround).

Continue reading SSD Advisory – Mac OS X 10.12 Quarantine Bypass

SSD Advisory – KEMP LoadMaster from XSS Pre Authentication to RCE

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerability Summary

KEMP’s main product, the LoadMaster, is a load balancer built on its own proprietary software platform called LMOS, that enables it to run on almost any platform: As a KEMP LoadMaster appliance, a Virtual LoadMaster (VLM) deployed on Hyper-V, VMWare, on bare metal or in the public cloud. KEMP is available in Azure, where it is in the top 15 deployed applications as well as in AWS and VMWare vCloud Air.

A cross site scripting web vulnerability has been discovered in KEMP LoadMaster v7.135.0.13245 (latest). A non authenticated user is able to inject his own malicious Javascript code into the system and use it to create a new web administrator user.

Vendor response
We were unable to get an update beyond this statement from the vendor:
Expect a fix in our new version available Jan 2017.

Continue reading SSD Advisory – KEMP LoadMaster from XSS Pre Authentication to RCE

SSD Advisory – Sentora Web Hosting Control Panel Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in Sentora Web Hosting Control Panel that lead to remote code execution.

Sentora is a free to download and use web hosting control panel developed for Linux, UNIX and BSD based servers or computers. The Sentora software can turn a domestic or commercial server into a fully fledged, easy to use and manage web hosting server.

The vulnerabilities found in Sentora Web Hosting Control Panel are:

  • Authenticated Code Execution
  • Privilege Escalation

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor Response
The vendor has released an new version of the product which addressed the vulnerabilities.

Continue reading SSD Advisory – Sentora Web Hosting Control Panel Multiple Vulnerabilities

SSD Advisory – Over 100K IoT Cameras Vulnerable to Source Disclosure

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerability Summary
The following advisory describes an arbitrary file content disclosure vulnerability found in GoAhead web server.

The GoAhead web server is present on multiple embedded devices, from IP Cameras to Printers and other embedded devices.

The vulnerability allows a remote unauthenticated attacker to disclose the content of the file being accessed. As most embedded devices do not run a SQL (or SQL-like) daemon, the credentials for authentication are stored inside the file being accessed. Through this disclosure attack, an attacker can view the credentials required to access the device.

Credit
An independent security researcher Istvan Toth has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
Update #2: The vulnerability of the “/” less access causing file disclosure dates back to 2004, http://aluigi.altervista.org/adv/goahead-adv2.txt, I cannot find any indication when GoAhead fixed it – in any case it is still present in 2017 in devices that use the GoAhead server.

Update: The vendor (GoAhead) claims the vulnerability is not in his product, but rather in the camera vendor’s code.

We at Beyond Security, are unsure about this, but as none of the camera vendors responded, we are left in the dark at the root cause for the vulnerability.

Since this vulnerability affects practically multiple devices that have the GoAhead web server (these devices appear to implement old versions of GoAhead), there is no one company you can report these vulnerabilities to or get them addressed – further the majority of the products that are vulnerable are OEM products with no real “vendor” behind them.

We urge users who have an embedded device and have GoAhead running on them, you can know this by seeing the following banner returned when you connect to the device:

To remove the device from the network, or at the very least not allow access to the web interface to anyone beside a very strict IP address range.

Continue reading SSD Advisory – Over 100K IoT Cameras Vulnerable to Source Disclosure