SSD Advisory – Polycom Video Conference Persistent and Unauthenticated XSS

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerability Description
A persistent, pre-authenticated, cross-site scripting vulnerability in the Polycom HDX web interface allows remote attackers to take over the camera and control it.

SSD Advisory – 3CX VoIP Phone System Manager Server Remote Code Execution Vulnerability (with SYSTEM privileges)


Vulnerability Description
The 3CX product installs a Windows service called “Abyss Web Server” (abyssws.exe) which listens on default public ports 5000 (tcp/http) and 5001 (tcp/https) for incoming requests to the web panel and runs with NT AUTHORITY\SYSTEM privileges.

Without requiring authentication/authorization it is possible to upload arbitrary scripts into an accessible web path through the VAD_Deploy.aspx script.

Given this, it is possible to run arbitrary code/commands with the privileges of the target server.

SSD Advisory – Forma LMS scorm.php Directory Traversal Vulnerability and Remote Code Execution


Vulnerability Description
A remote authenticated user (student) could place malicious PHP files inside a public web path and execute arbitrary code/commands (note that self-registration will probably be enabled on most installations).

This is because the insitem() function inside /appLms/modules/scorm/scorm.php calls into /addons/pclzip/pclzip.lib.php to extract uploaded zip files.

If the zip file contains a malicious file entry with directory traversal specifiers (e.g. ./../../../../plugins/index.php), the application does not strip them, causing the file to be written outside the newly created temporary folder.

Proof of concept code is attached. Configure it, then launch it from the command line.

SSD Advisory – Wget Arbitrary Commands Execution


Vulnerability Description
A vulnerability in the way wget handles redirects allows attackers who are able to hijack a connection initiated by wget, or to compromise a server from which wget is downloading files, to cause the user running wget to execute arbitrary commands. The commands are executed with the privileges with which wget is running. This could prove to be quite severe when wget is launched as ‘root’.

Credit

An independent security researcher, Dawid Golunski (https://legalhackers.com/), has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.