SSD Advisory – Panopta OnSight Remote Root

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
Panopta OnSight Enterprise is a monitoring platform made up of adaptable building blocks which can be assembled for a custom fit solution. Use a mixture of deployment on-site and on our public cloud to build the most powerful managed hybrid solution available in the industry.

That, combined with Panopta's world-class support, means a fully managed monitoring experience so that you can focus on running your business. Get the ultimate combination of flexibility and control with tight integration into existing systems and other best-of-breed tools already in place, all without having to compromise any of your network security. Panopta OnSight Enterprise doesn't force you to change the way you operate. It just fits like a glove.

Vulnerability Details
Panopta OnSight is a virtual appliance that exposes two primary network services, nginx and sshd. There are two undocumented user accounts on the system, and the password of one of them was recovered by examining the file system. This user is in the sudo group, so after logging in to the system, privileges can be elevated and arbitrary shell commands can be executed as root.

SSD Advisory – Porteus Kiosk


Introduction
Porteus Kiosk is a lightweight Linux operating system which has been restricted to allow only use of the web browser. Furthermore, the browser has been locked down to prevent users from tampering with settings or downloading and installing software. When the kiosk boots it automatically opens Firefox to your chosen home page. History is not kept, no passwords are saved, and many menu items have been disabled for total security. When Firefox is restarted, all caches are cleared and the browser reopens automatically with a clean session to ensure no trace of history is left.

Two vulnerabilities have recently come to our attention and have been purchased from one of our security researchers. They allow disclosure of local files and the ability to escape from the "jailed" browser.

Both vulnerabilities have been patched in the latest version, 20150619.

The details below have not been released before, although a description of the vulnerabilities can be found in the Porteus Kiosk Changelog.

Vulnerability Details
The browser installed by default is a jailed Firefox that only allows you to zoom in and out, search, and enter a URL. There are no bars (menu, history, bookmarks, ...) and you can't use shortcuts (such as ALT), so usability is very limited.

Source Disclosure vulnerability in Joomla – the dreaded single quote

We have started receiving reports from Joomla users that our ScanMyServer service is picking up an unknown and undocumented vulnerability on their web site.

The scanner is showing that they have one or more source disclosure/path disclosure vulnerabilities. Since they were using the latest and most up-to-date version of Joomla, their reports looked odd and we started to investigate the matter.

We found out that the vulnerability is "hard" to trigger, as Firefox and Internet Explorer escape the single quote in a URL to its percent-encoded form, while Chrome does not. So sending the URL under Chrome will show something like:
Fatal error: Uncaught exception 'InvalidArgumentException' with message 'Invalid URI detected.' in /home/content/41/9236541/html/libraries/joomla/environment/uri.php:194 Stack trace: #0 /home/content/41/9236541/html/libraries/joomla/application/application.php(248): JURI::getInstance() #1 /home/content/41/9236541/html/includes/application.php(135): JApplication->route() #2 /home/content/41/9236541/html/index.php(36): JSite->route() #3 {main} thrown in /home/content/41/9236541/html/libraries/joomla/environment/uri.php on line 194

The same URL under Firefox and Internet Explorer will return:
404 - Article not found

Of course, the vulnerability is not in Chrome; it is a real issue caused by Joomla not properly escaping the URL, and the uncaught exception then discloses the full installation path to the client.

The problem has already been spotted in a different section of Joomla, the search option, as can be seen in this post: http://joomlacode.org/gf/../?action=TrackerItemEdit&tracker_item_id=31036&start=0

So the problem isn't just in the search; it also extends to other sections of the Joomla framework.
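To show the root cause in working code, here is an added example (not Joomla's code and not from the original post): an RFC 3986 path check, a canonicaliser that makes Chrome's raw `'` and Firefox/IE's `%27` identical, and a request handler that keeps the failure in the server log and returns the bare 404 instead of the fatal error. The router, its error message, the placeholder path and the sample paths are constructed stand-ins for the behaviour described above.

```python
"""Why a raw apostrophe in a path is legal, and how to fail closed without
leaking the install path. Router, message and paths are constructed stand-ins
for the behaviour the post describes, not Joomla code."""
import logging
import re
from urllib.parse import quote, unquote

log = logging.getLogger("uri-guard")

# RFC 3986 pchar = unreserved / pct-encoded / sub-delims / ":" / "@"; "/" joins
# segments. The apostrophe is a sub-delim, so it needs no percent-encoding.
_PATH_OK = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/]|%[0-9A-Fa-f]{2})*$")

def is_valid_path(path):
    return bool(_PATH_OK.match(path))

def canonical_path(path):
    """Collapse the Chrome form (raw ') and the Firefox/IE form (%27) into one
    representation: decode once, then re-encode all but "/" (so ' -> %27)."""
    return quote(unquote(path), safe="/")

class InvalidURI(Exception):
    """Stand-in for the over-strict check that rejects a raw single quote."""

def strict_router(path):
    # Constructed: like the observed fatal error, the message carries the
    # absolute path of the file that raised it (placeholder path here).
    if "'" in path:
        raise InvalidURI("Invalid URI detected in /srv/example-site/libraries/uri.php")
    return "200 article"

def vulnerable_handle(path):
    # Nothing sanitises the error: the message, path included, reaches the client.
    try:
        return strict_router(path)
    except InvalidURI as exc:
        return "Fatal error: %s" % exc

def hardened_handle(path):
    """Validate against RFC 3986, canonicalise, log detail, return a bare 404."""
    if not is_valid_path(path):
        log.warning("rejected malformed path %r", path)
        return "404 - Article not found"
    try:
        return strict_router(canonical_path(path))
    except InvalidURI:
        log.exception("URI validation failed for %r", path)  # stays server-side
        return "404 - Article not found"
```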

We will keep you posted when a fix is provided, or we have a workaround for this issue.

Someone always checks up on you

I would like to start by thanking Smit Bharatkumar Shah from http://about.me/smitbshah for bringing to our attention that our site had a potential security vulnerability that could be used by malicious attackers to perform phishing and/or clickjacking attacks. With his help we were able to prevent this attack from occurring. No customers have been affected by this issue.

Our ScanMyServer.com service has been providing security scan reports and vulnerability information for sites from all over the world, but we neglected to do one small thing: scan our own web site with the same service. If we had, ScanMyServer.com would have shown us the potential issue. How embarrassing is that?!

We have checked our logs for any sign that the vulnerability has been exploited or that our customers have been targeted, but nothing turned up. Due to the nature of this issue, any attack would have been recorded in the logs.

The solution for the above-mentioned vulnerability is a simple two-step fix:
1) Run:
a2enmod headers

2) Add to /etc/apache2/conf.d/security the following line:
Header always append X-Frame-Options SAMEORIGIN
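As an added check (not part of the original post), the following script verifies on a captured response head that the fix above actually reaches the client: exactly one X-Frame-Options header carrying DENY or SAMEORIGIN. It also flags the two ways the Apache directive can misfire: a second copy of the header, or a comma-joined value such as "SAMEORIGIN, SAMEORIGIN", which is what `Header append` produces when the application already set the header. The response heads are constructed; in practice feed it the output of `curl -sI` against your site, including an error page, since `always` is what makes Apache add the header to non-2xx responses.

```python
"""Check that the X-Frame-Options fix actually reaches the client. The response
heads below are constructed; in practice pass the output of `curl -sI URL`."""

VALID = {"DENY", "SAMEORIGIN"}

def parse_head(raw):
    """Return (lower-cased name, value) pairs from a response head, keeping
    duplicate headers so repeated X-Frame-Options lines are visible."""
    pairs = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the head
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_xfo(raw):
    """Return (ok, detail). Only one header with exactly DENY or SAMEORIGIN passes."""
    values = [v for n, v in parse_head(raw) if n == "x-frame-options"]
    if not values:
        return False, "missing: the page can be framed"
    if len(values) > 1:
        return False, "%d X-Frame-Options headers sent" % len(values)
    # `Header append` merges with an existing value of the same name using a
    # comma, so "SAMEORIGIN, SAMEORIGIN" arrives as one header but is not a
    # valid token and is rejected here.
    if values[0].upper() not in VALID:
        return False, "unrecognised value %r" % values[0]
    return True, values[0].upper()

# Constructed sample responses: fixed page, 404 covered by `always`,
# app-plus-Apache double header, and the unfixed state.
GOOD = "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
ERROR_PAGE = "HTTP/1.1 404 Not Found\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
DOUBLED = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n\r\n"
MISSING = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"

if __name__ == "__main__":
    samples = (("good", GOOD), ("404", ERROR_PAGE), ("doubled", DOUBLED), ("missing", MISSING))
    for label, head in samples:
        print(label, check_xfo(head))
```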

If any of you find any other issues in our site, please contact us at support@beyondsecurity.com and we will be happy to credit you with the find. Thanks for making our service better!