SSD Advisory – Linksys PPPoE Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in Linksys EA, XAC and AC series devices.

The vulnerabilities has been found in the way the Linksys devices (EA, XAC and AC series) handle the Point-to-point protocol over Ethernet (PPPoE) Discovery (PPPoED) process allowing an unprivileged active attacker on the same network segment (layer2) to inject arbitrary shell commands by answering PPPoE Active Discovery probe requests (PADI) with a malicious PPPoE Active Discovery Offer (PADO). The exact same code is also vulnerable to a buffer overwrite.

The vulnerabilities are:

  • Command Injection
  • Buffer Overwrite

Credit
An independent security researcher, 0x721427D8, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor Responses
Linksys has released patches to address this vulnerability.

Continue reading SSD Advisory – Linksys PPPoE Multiple Vulnerabilities

SSD Advisory – HiSilicon Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerabilities Summary
The following advisory describes 2 vulnerabilities found in HiSilicon application-specific integrated circuit (ASIC) chip set firmware.

HiSilicon provides ASICs and solutions for communication network and digital media. These ASICs are widely used in over 100 countries and regions around the world. In the digital media field, HiSilicon has already released the SoC and solution for network surveillance, videophone, DVB and IPTV.

The vulnerabilities found in HiSilicon ASIC firmware are:

  1. Buffer overflow in built-in webserver
  2. Directory path traversal built-in webserver

The list of vendors working with HiSilicon is unknown. We manage to identify 55 different vendors, all of them are still vulnerable.

Here is example of 10 vendors using the HiSilicon application-specific integrated circuit (ASIC) chip set in their products (the full list can be found in the end of this report):

  1. http://www.vacron.com/products_CCTV_dvr.html
  2. http://www.gess-inc.com/gess/dvrs/
  3. http://www.jufenginfo.com/en/product-list.php?cid=10&pid=166&parid=175
  4. http://egpis.co.kr/egpis/product.php?category=AHD&category2=AHD_D
  5. http://optimus-cctv.ru/catalog/ahd-videoregistratory
  6. http://www.clearcftv.com.br/linha.php?l=5&ln=ahd
  7. http://click-cam.com/html2/products.php?t=2
  8. http://www.ccd.dn.ua/ahd-videoregistratory.html
  9. http://www.dhssicurezza.com/tvcc-ahd/dvr-ahd-720p/
  10. http://www.gigasecurity.com.br/subcategoria-gravadores-de-video-dvr

Credit
An independent security researcher Istvan Toth has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
We tried to communicate with the vendor through emails and twitter, over the course of several months, we were unable to get any response.

Continue reading SSD Advisory – HiSilicon Multiple Vulnerabilities

SSD Advisory – DropBear Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerabilities Summary
The following advisory describes four (4) vulnerabilities in DropBear. DropBear is a SSH server and client. It runs on a variety of POSIX-based platforms. DropBear is open source software, distributed under a MIT-style license. DropBear is particularly useful for “embedded”-type Linux (or other Unix) systems, such as wireless routers.

The four vulnerabilities found in DropBear are:

  1. Server-side disclose memory
  2. Stack buffer overflow
  3. Format string vulnerability
  4. Heap buffer overwrite and arbitrary memory read vulnerabilities

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
The vendor has released DropBear patches (21st of July 2016) to address the vulnerabilities, advisory can be found https://matt.ucc.asn.au/dropbear/CHANGES.

Continue reading SSD Advisory – DropBear Multiple Vulnerabilities

SSD Advisory – Pervasive SQL Heap Overflow

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerability Summary
The following advisory describes Heap overflow vulnerability that can lead to remote code execution in Pervasive SQL server (Version 12.01.031.000).

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Continue reading SSD Advisory – Pervasive SQL Heap Overflow