SSD Advisory – Rocket BlueZone Multiple Vulnerabilities

SecuriTeam Secure Disclosure

SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Introduction
Rocket BlueZone Terminal Emulation Suite is the solution you need if you are looking to replace your aging, expensive, current Terminal Emulation solution. Our software is a secure, slim, powerhouse of a solution built for the IBM Mainframe (TN3270), i Series (TN5250), UNIX/DEC (VT), Unisys (T27 & UTS) and secure File Transfer Protocol (FTP) systems.

Vulnerability Details
Multiple vulnerabilities have been found in Rocket BlueZone:

  • WhllObj ActiveX Control Run Method Command Execution
  • WhllObj ActiveX Control Shell Method Command Execution
  • LIPI ActiveX Control SaveSettings Method Code Execution
  • WhllObj ActiveX Control StatusBarText Property Stack Buffer Overflow Vulnerability
  • WhllObj ActiveX Control GetOpenFilename Method FileFilter Stack Buffer Overflow Vulnerability
  • WhllObj ActiveX Control GetSaveAsFilename Method FileFilter Stack Buffer Overflow Vulnerability
  • LIPI ActiveX Control SendFile Method Heap Buffer Overflow Vulnerability
  • LIPI ActiveX Control ReceiveFile Method Heap Buffer Overflow Vulnerability

WhllObj ActiveX Control Run Method Command Execution
BlueZone installs an ActiveX control with the following settings:

According to the IObjectSafety interface the control is marked safe for scripting and safe for initialization, so Internet Explorer will allow its methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX safety settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).

Vulnerability
This ActiveX control offers the insecure Run() method, see typelib:

The ActiveX control calls CreateProcessA() with user-supplied command line parameters. Proof of concept code that launches calc.exe is attached.

Proof of Concept

WhllObj ActiveX Control Shell Method Command Execution
Rocket BlueZone installs an ActiveX control with the following settings:

According to the IObjectSafety interface the control is marked safe for scripting and safe for initialization, so Internet Explorer will allow its methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX safety settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).

Vulnerability
This ActiveX control offers the insecure Shell() method, see typelib:

The ActiveX control calls CreateProcessA() with user-supplied command line parameters. Proof of concept code that launches calc.exe is attached.

Proof of Concept

LIPI ActiveX Control SaveSettings Method Code Execution
Rocket BlueZone installs an ActiveX control with the following settings:

According to the IObjectSafety interface the control is marked safe for scripting and safe for initialization, so Internet Explorer will allow its methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX safety settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).

Vulnerability
This ActiveX control offers the insecure SaveSettings() method, see typelib:

This method accepts a file name as its only argument and can be used to write arbitrary files onto the target computer; directory traversal sequences are accepted as well. The file content can be controlled by setting the ‘Username’ property.

Given this, a remote attacker could store an executable .hta file inside an automatic startup folder. Proof of concept code that launches calc.exe at the next reboot is attached.
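The root cause here is a file-name argument that is passed through to the file system unvalidated, so separators, traversal sequences and an arbitrary extension all reach the open call. The C code below is an added example written for this page, not code from the advisory or from BlueZone; the settings directory, the ".cfg" extension, the 64-character limit and the function names are assumptions. It shows the allow-list approach a defender would want for such a method: accept only a bare stem of [A-Za-z0-9_-] plus one fixed extension, refuse Windows reserved device names, and build the final path only after the name has passed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical settings directory and allowed extension: assumptions for this
   example, not values taken from BlueZone. */
#define SETTINGS_DIR "C:\\ProgramData\\ExampleApp\\settings"
#define SETTINGS_EXT ".cfg"
#define MAX_NAME_LEN 64

/* Windows maps these stems to devices regardless of extension (CON.cfg is the console). */
static int stem_is_reserved_device(const char *stem, size_t stemlen)
{
    char up[MAX_NAME_LEN + 1];
    size_t i;
    if (stemlen > MAX_NAME_LEN) return 1;               /* oversized: treat as unsafe */
    for (i = 0; i < stemlen; i++) up[i] = (char)toupper((unsigned char)stem[i]);
    up[stemlen] = '\0';
    if (strcmp(up, "CON") == 0 || strcmp(up, "PRN") == 0 ||
        strcmp(up, "AUX") == 0 || strcmp(up, "NUL") == 0) return 1;
    if (stemlen == 4 && (strncmp(up, "COM", 3) == 0 || strncmp(up, "LPT", 3) == 0) &&
        up[3] >= '1' && up[3] <= '9') return 1;
    return 0;
}

/* Return 1 if name is a bare file name that may be created under SETTINGS_DIR, else 0.
   Allow-list rule: [A-Za-z0-9_-] stem plus the fixed extension. That excludes every
   path separator, "..", absolute paths, drive letters, ':' (alternate data streams),
   whitespace and any other extension such as .hta. */
int is_safe_settings_name(const char *name)
{
    size_t len, extlen, i;
    if (name == NULL) return 0;
    len = strlen(name);
    extlen = strlen(SETTINGS_EXT);
    if (len == 0 || len > MAX_NAME_LEN || len <= extlen) return 0;
    for (i = 0; i < len - extlen; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    /* Exact, case-sensitive extension match: "X.CFG" is rejected, which errs on the safe side. */
    if (strcmp(name + len - extlen, SETTINGS_EXT) != 0) return 0;
    if (stem_is_reserved_device(name, len - extlen)) return 0;
    return 1;
}

/* Build the full path only for a validated name. Returns 1 and fills out on success, else 0. */
int build_settings_path(char *out, size_t outsz, const char *name)
{
    int n;
    if (!is_safe_settings_name(name)) return 0;
    n = snprintf(out, outsz, "%s\\%s", SETTINGS_DIR, name);
    if (n < 0 || (size_t)n >= outsz) return 0;          /* would not fit: refuse, never truncate */
    return 1;
}

/* Convenience for checking: 1 if name validates and builds exactly expected, else 0. */
int settings_path_equals(const char *name, const char *expected)
{
    char path[512];
    if (!build_settings_path(path, sizeof path, name)) return 0;
    return strcmp(path, expected) == 0;
}

int main(void)
{
    /* Constructed inputs for the demonstration. */
    const char *samples[] = { "profile1.cfg", "..\\..\\elsewhere\\run.hta",
                              "C:\\Windows\\x.cfg", "con.cfg", ".cfg", "x.cfg:stream" };
    char path[512];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_settings_path(path, sizeof path, samples[i]))
            printf("accept %-28s -> %s\n", samples[i], path);
        else
            printf("reject %s\n", samples[i]);
    }
    return 0;
}
```

Only "profile1.cfg" is accepted; every other sample is rejected before any path is built. A real implementation on Windows would additionally compare the extension case-insensitively and canonicalize the final path, but the allow-list already removes the traversal and arbitrary-extension primitives the advisory relies on.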

Proof of Concept

WhllObj ActiveX Control StatusBarText Property Stack Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:

According to the IObjectSafety interface the control is marked safe for scripting and safe for initialization, so Internet Explorer will allow its methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX safety settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).

Vulnerability
The ActiveX offers the StatusBarText property, see typelib:

This property suffers from a stack-based buffer overflow caused by a copy loop inside bzwhll.dll. See vulnerable code below.

Proof of Concept

WhllObj ActiveX Control GetOpenFilename Method FileFilter Stack Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:

According to the IObjectSafety interface the control is marked safe for scripting and safe for initialization, so Internet Explorer will allow its methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX safety settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).

Vulnerability
The ActiveX offers the GetOpenFilename method, see typelib:

This method suffers from a stack-based buffer overflow caused by an overlong FileFilter argument, due to a copy loop inside bzwhll.dll. See vulnerable code below.

Proof of Concept

WhllObj ActiveX Control GetSaveAsFilename Method FileFilter Stack Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:

According to the IObjectSafety interface the control is marked safe for scripting and safe for initialization, so Internet Explorer will allow its methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX safety settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).

Vulnerability
The ActiveX offers the GetSaveAsFilename() method, see typelib:

This function suffers from a stack-based buffer overflow in its second argument due to a copy loop inside bzwhll.dll; see vulnerable code below.
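The three stack overflows above (StatusBarText, GetOpenFilename and GetSaveAsFilename) share one pattern: a loop that copies a caller-supplied string into a fixed-size stack buffer and stops only at the source terminator. The C code below is an added example written for this page, not code from the advisory or from bzwhll.dll; the 256-byte buffer, the function names and the "reject rather than truncate" policy are assumptions. It places the unbounded loop beside a bounded replacement and probes the bounded setter with constructed inputs around the buffer limit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STATUS_TEXT_MAX 256   /* hypothetical fixed-size stack buffer used by the setter */

/* Unbounded copy loop: the pattern the advisory describes. The loop stops only at the
   terminator of src, so any src of STATUS_TEXT_MAX bytes or more writes past dst. */
static void copy_unbounded(char *dst, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') { dst[i] = src[i]; i++; }
    dst[i] = '\0';
}

/* Bounded replacement: refuses input that does not fit instead of silently truncating
   (truncating a file filter string could change its meaning). Returns the number of
   bytes copied, or -1 if src plus its terminator exceeds dstsz. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t i;
    if (dst == NULL || src == NULL || dstsz == 0) return -1;
    for (i = 0; i < dstsz; i++) {
        dst[i] = src[i];
        if (src[i] == '\0') return (int)i;   /* whole string and terminator fitted */
    }
    dst[0] = '\0';                            /* leave a well-formed (empty) buffer behind */
    return -1;
}

/* Setter modelled on a property that copies into a stack buffer. The unsafe variant is
   kept for comparison and is only ever called with a short, in-bounds string here. */
static int set_status_text_unsafe(const char *text)
{
    char buf[STATUS_TEXT_MAX];
    copy_unbounded(buf, text);                /* overflows when strlen(text) >= 256 */
    return (int)strlen(buf);
}

int set_status_text_safe(const char *text)
{
    char buf[STATUS_TEXT_MAX];
    int n = copy_bounded(buf, sizeof buf, text);
    if (n < 0) return -1;                     /* reject: the caller reports "text too long" */
    return n;
}

/* Constructed probe: n bytes of 'A' through the safe setter; returns the setter's result. */
int probe_status_text(size_t n)
{
    char *s = malloc(n + 1);
    int r;
    if (s == NULL) return -2;
    memset(s, 'A', n);
    s[n] = '\0';
    r = set_status_text_safe(s);
    free(s);
    return r;
}

int main(void)
{
    size_t lengths[] = { 0, 10, 255, 256, 4096 };
    size_t i;
    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("input length %4zu -> safe setter returns %d\n",
               lengths[i], probe_status_text(lengths[i]));
    printf("unsafe setter with short input -> %d\n", set_status_text_unsafe("Ready"));
    return 0;
}
```

The boundary is the interesting case: 255 bytes plus the terminator is the longest input the safe setter accepts, 256 bytes is refused, and the refusal is reported to the caller rather than discovered as a corrupted stack frame.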

Proof of Concept

LIPI ActiveX Control SendFile Method Heap Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:

According to the IObjectSafety interface the control is marked safe for scripting and safe for initialization, so Internet Explorer will allow its methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX safety settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).

Vulnerability
The ActiveX offers the SendFile() method, see typelib:

This method suffers from a heap buffer overflow in its first argument because of a dangerous call to a strcat-like function inside bzlipiobj.dll; see vulnerable code below.

Note that the ‘Username’ and ‘Password’ properties must be set to avoid a login input box.

When browsing sendfile.html, WinDBG shows:

To reach the call, browse to sendfile_crash.html; a login box is shown. Set a memory breakpoint on KERNEL32.dll!lstrcatA and click OK.

Proof of Concept

LIPI ActiveX Control ReceiveFile Method Heap Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:

According to the IObjectSafety interface the control is marked safe for scripting and safe for initialization, so Internet Explorer will allow its methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX safety settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).

Vulnerability
The ActiveX offers the ReceiveFile() method, see typelib:

This method suffers from a heap buffer overflow in its first argument because of a dangerous call to a strcat-like function inside bzlipiobj.dll; see vulnerable code below.

Note that the ‘Username’ and ‘Password’ properties must be set to avoid a login input box.
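Both LIPI overflows (SendFile and ReceiveFile) come from a strcat-like call appending the first argument to a heap buffer that was sized before the argument's length was known. The C code below is an added example written for this page, not code from the advisory or from bzlipiobj.dll; the "PUT <name>\r\n" command format, the 64-byte allocation in the unsafe variant, the 260-character limit and the function names are all assumptions. It shows the risky fixed-allocation-then-strcat pattern beside a replacement that validates the length, sizes the allocation from the actual inputs and verifies the formatted result.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TRANSFER_NAME_MAX 260   /* hypothetical limit, the size of a Windows MAX_PATH name */

/* The risky pattern: a fixed-size heap allocation followed by strcat of caller data.
   strcat does not know the buffer size, so any name longer than the remaining space
   corrupts adjacent heap memory. Kept only for comparison; called here with a short name. */
static char *build_transfer_command_unsafe(const char *filename)
{
    char *cmd = malloc(64);
    if (cmd == NULL) return NULL;
    strcpy(cmd, "PUT ");
    strcat(cmd, filename);        /* no length check: overflow for a long filename */
    strcat(cmd, "\r\n");
    return cmd;
}

/* Safe replacement: validate the length first, size the allocation from the actual
   inputs, and verify that snprintf produced exactly what was planned. Returns a heap
   string the caller must free, or NULL on rejection or allocation failure. */
char *build_transfer_command(const char *filename)
{
    const char *prefix = "PUT ";
    const char *suffix = "\r\n";
    size_t flen, total;
    char *cmd;
    int n;

    if (filename == NULL) return NULL;
    flen = strlen(filename);
    if (flen == 0 || flen > TRANSFER_NAME_MAX) return NULL;   /* reject, do not truncate */
    if (strpbrk(filename, "\r\n") != NULL) return NULL;        /* no extra lines in the command */

    total = strlen(prefix) + flen + strlen(suffix) + 1;        /* +1 for the terminator */
    cmd = malloc(total);
    if (cmd == NULL) return NULL;
    n = snprintf(cmd, total, "%s%s%s", prefix, filename, suffix);
    if (n < 0 || (size_t)n != total - 1) { free(cmd); return NULL; }
    return cmd;
}

/* Constructed probe: a name of n 'A's. Returns the command length, or -1 if rejected. */
int probe_transfer_command(size_t n)
{
    char *name = malloc(n + 1);
    char *cmd;
    int len;
    if (name == NULL) return -2;
    memset(name, 'A', n);
    name[n] = '\0';
    cmd = build_transfer_command(name);
    free(name);
    if (cmd == NULL) return -1;
    len = (int)strlen(cmd);
    free(cmd);
    return len;
}

int main(void)
{
    char *cmd = build_transfer_command("report.txt");
    if (cmd != NULL) { printf("built: %s", cmd); free(cmd); }
    printf("name of 260 bytes -> %d\n", probe_transfer_command(260));
    printf("name of 261 bytes -> %d\n", probe_transfer_command(261));
    printf("name of 4096 bytes -> %d\n", probe_transfer_command(4096));
    cmd = build_transfer_command_unsafe("short.txt");
    if (cmd != NULL) { printf("unsafe builder with short name: %s", cmd); free(cmd); }
    return 0;
}
```

The check on snprintf's return value is deliberate: it catches a mismatch between the planned size and what was actually written, which is exactly the class of error that turns a concatenation into a heap overflow.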

When browsing receivefile.html, WinDBG shows:

Proof of Concept

Vendor Response
The vendor has responded that they have released a patch (2nd of September 2015) and commented that:

In addition to placing the BlueZone announcement on the Rocket Customer Portal, we have added the vulnerability announcement to our website.

You may find the information via this link on our BlueZone product page:
https://www.rocketsoftware.com/product-families/rocket-bluezone-passport

There is also a dedicated page for the announcement if someone does a search for it on the Rocket website:
https://www.rocketsoftware.com/rocket-bluezone-security-annoucement

The patch location is within Rocket’s Customer Portal, and is accessible by all affected customers.

Thanks again for your help and your notification to us.

SSD Advisory – Zenario CMS Multiple Vulnerabilities

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
Zenario is a web-based content management system for sites with one or many languages. It’s designed to grow with your site, adding extranet, online database and custom functionality when you need it.

Vulnerability Details
Multiple vulnerabilities have been discovered in Zenario:
 

  • compressor.php Query String Multiple Bypasses readfile() Absolute Path Traversal Database Credentials Disclosure Vulnerability
  • user_functions.inc.php logUserIn() “X-FORWARDED-FOR” Remote Blind SQL Injection Vulnerability
SSD Advisory – Kirby CMS Multiple Vulnerabilities

Introduction
Kirby is “a file‑based CMS. Easy to setup. Easy to use. Flexible as hell”.

Vulnerability Details
Two security vulnerabilities have been found in Kirby CMS:
 

  • Authentication Bypass via Path Traversal
  • CSRF Content Upload and PHP Script Execution
SSD Advisory – Multiple Dokeos Vulnerabilities

Introduction
Dokeos e-Learning is an open source elearning solution. It is the result of work by a large community bringing together hundreds of developers in more than 5 countries, as well as users and translators. This open source elearning solution is distributed in over 20 languages and 60 countries worldwide.

Vulnerability Details
Multiple vulnerabilities have been found in Dokeos:
 

  • Unrestricted File Upload leading to Code Execution Vulnerability
  • Directory Traversal leading to Arbitrary File Deletion
  • Blind SQL Injection Vulnerability
  • Multiple Cross Site Scripting Vulnerabilities
SSD Advisory – Ubiquiti Networks mFi Controller Server Authentication Bypass

(Update: We are republishing this after removing it – as requested by the vendor – but as the vendor has not responded nor provided any progress in the last 30 days, we are making the information public again)

Introduction
mFi hardware and software combines plug-and-play installation with big-data analytics, event reporting and scheduling to create powerful relationships between sensors, machines and power control.

Vulnerability Details
Ubiquiti Networks mFi Controller Server installs a web management interface which listens by default on the public port 6443 (tcp/https). It offers a login screen; only the administrator user can remotely monitor and control the configured devices.

Because of two errors inside the underlying com.ubnt.ace.view.AuthFilter class, it is possible to bypass the authentication mechanism and gain access to, for example, the “ApiServlet” servlet.

SSD Advisory – IMail Cross Site Scripting

Introduction
IMail Server is a Windows Email Server designed specifically for the small-to-medium sized business.

Vulnerability Details
A persistent, unauthenticated cross site scripting and cross-authentication vulnerability in the IClient web interface and the IAdmin web interface of Ipswitch IMail allows attackers to execute arbitrary code; as can be seen below, this allows the creation of a new user whenever the attack is triggered against the administrator of the system.

SSD Advisory – HP iLO Format String

Introduction
HP Proliant Servers provide an embedded operating system running on a separate CPU called iLO (Integrated Lights Out). It provides various networking and management features for the server.

Vulnerability Details
HP iLO runs an SSH server by default, and users who log in are dropped into a special isolated type of shell. There is a format string vulnerability triggered by the “show” command which allows a low-level user account to cause a denial of service on the service or potentially execute arbitrary code.

SSD Advisory – AppLock Multiple Vulnerabilities

Introduction
AppLock is the most downloaded app lock in the Play Store:

  • #1 App lock in over 50 countries.
  • Over 100 Million users, supporting 24 languages.
  • AppLock can lock SMS, Contacts, Gmail, Facebook, Gallery, Market, Settings, Calls and any app you choose, with abundant options, protecting your privacy.
  • AppLock can hide pictures and videos, AppLock empowers you to control photo and video access. Selected pictures vanish from your photo gallery, and stay locked behind an easy-to-use PIN pad. With AppLock, only you can see your hidden pictures. Privacy made easy!

Vulnerability Details
The following report describes three (3) different vulnerabilities found in AppLock, an Android application with over 10 million downloads, used to secure pictures, videos and applications with a PIN code.

The first vulnerability shows that the pictures and videos are not encrypted but merely hidden from the user, and that even without root permission we can recover them, complete with their original filenames.

The second vulnerability shows how a user with root permission on the device can easily remove the PIN code from applications or add it to others, and can also change the PIN code.

The last, and most critical, vulnerability is a PIN bypass. Without root permissions, and with all applications, settings, etc. locked by the app, it is possible to reset the PIN code to one of our choice and then take full control of the application.
