SSD Advisory – KEMP LoadMaster from XSS Pre Authentication to RCE

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

KEMP’s main product, the LoadMaster, is a load balancer built on its own proprietary software platform called LMOS, that enables it to run on almost any platform: As a KEMP LoadMaster appliance, a Virtual LoadMaster (VLM) deployed on Hyper-V, VMWare, on bare metal or in the public cloud. KEMP is available in Azure, where it is in the top 15 deployed applications as well as in AWS and VMWare vCloud Air.

A cross site scripting web vulnerability has been discovered in KEMP LoadMaster v7.135.0.13245 (latest). A non authenticated user is able to inject his own malicious Javascript code into the system and use it to create a new web administrator user.

Vendor response
We were unable to get an update beyond this statement from the vendor:
Expect a fix in our new version available Jan 2017.

Continue reading SSD Advisory – KEMP LoadMaster from XSS Pre Authentication to RCE

SSD Advisory – Synology DiskStation Manager Multiple Stored Cross-Site Scripting

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerabilities Summary
The following advisory describe two (2) stored Cross-Site Scripting (XSS) found in Synology DiskStation Manager (DSM).

  1. Cross-site scripting stored in SWF file
  2. Cross-site scripting stored in Video Station application

Synology DiskStation Manager (DSM), a Linux based software package that is the operating system for the DiskStation and RackStation products. The Synology DSM is the foundation of the DiskStation, which integrates the basic functions of file sharing, centralized backup, RAID storage, multimedia streaming, virtual storage, and using the DiskStation as a network video recorder.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
Repeated emails (support@cynology.com) sent to the vendor, since March, were answered with unclear answers:
“Sorry for the misunderstanding. You reported it to us and what I meant was that our developers have verified your report and it’s been logged as a known issue now.
So, your report to us is highly appreciated and we thank you very much for your help!”

We therefore don’t know at this time whether this vulnerabilities were or not resolved.

Continue reading SSD Advisory – Synology DiskStation Manager Multiple Stored Cross-Site Scripting

SSD Advisory – Serviio Media Server Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerabilities Summary
The following advisory describes a five (5) vulnerabilities found in Serviio Media Server. Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1.

Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, games console or mobile phone) on your connected home network.

Serviio works with many devices from your connected home (TV, Playstation 3, XBox 360, smart phones, tablets, etc.). It supports profiles for particular devices so that it can be tuned to maximise the device’s potential and/or minimize lack of media format playback support (via transcoding).

Serviio is based on Java technology and therefore runs on most platforms, including Windows, Mac and Linux (incl. embedded systems, e.g. NAS).

The vulnerabilities found in Serviio Media Server are:

  • Remote Code Execution
  • Local Privilege Escalation
  • Unauthenticated Password Modification
  • Information Disclosure
  • DOM-Based Cross-Site Scripting (XSS)

Credit
An independent security researcher Gjoko Krstic from Zero Science Lab has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor Response
We have tried on numerous occasions over the past two months to contact the vendor, all emails sent to them went unanswered.

Continue reading SSD Advisory – Serviio Media Server Multiple Vulnerabilities

SSD Advisory – HPE OpenCall Media Platform (OCMP) Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerabilities Summary
The following advisory describes Reflected Cross-Site Scripting (XSS) vulnerabilities and a Remote File Inclusion vulnerability that when combined can lead to arbitrary Javascript code execution, were found in HP OpenCall Media Platform (OCMP), version 4.3.2.

HPE OpenCall Media Platform (OCMP) is a suite of software and hardware applications which allow implementation of common telecom operator services such as voicemail, sms (short message service), prepaid, billing, hlr, etc. It implements industry standard telecom protocols and standards such as SS7, ISUP, TCAP, SIP, MRCP, RTSP, and VoiceXML.

HPE OpenCall Media Platform offers a highly scalable, easy-to-manage, carrier-grade media platform that adapts to future networks and applications. Through its strong support of open standards and protocols, new applications can be rapidly developed and deployed in a way that preserves investments and reduces capital expenditures (CAPEX) and operational expenditure (OPEX).

There are 3 different components that are vulnerable in HPE OpenCall Media Platform (OCMP), and for each component has the following vulnerabilities:

  • Application Content Manager
  1. Reflected Cross-Site Scripting (XSS) – /mcm/resources/


  • Platform Administration Tool
  1. Reflected Cross-Site Scripting (XSS) that leads to arbitrary Javascript code execution
  2. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE0 parameter
  3. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE1 parameter
  4. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE2 parameter
  5. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE3 parameter
  6. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME0 parameter
  7. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME1 parameter
  8. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME2 parameter
  9. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME3 parameter
  10. Reflected Cross-Site Scripting (XSS) – GetMapAction function
  11. Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NUM parameter
  12. Reflected Cross-Site Scripting (XSS) – GetMapAction function, NAME parameter
  13. Reflected Cross-Site Scripting (XSS) – cdrdispatch function, next parameter
  14. Reflected Cross-Site Scripting (XSS) – cdrdispatch function, sessionType parameter


  • VoiceXML Administration Tool
  1. Reflected Cross-Site Scripting (XSS) – event.do function
  2. Reflected Cross-Site Scripting (XSS) – call.do function
  3. Remote File Inclusion – proxylink.do function


Credit
An independent security researcher Paolo Stagno from VoidSec has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor Responses
HPE has released patches to address this vulnerability, for more details see:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03686en_us

Continue reading SSD Advisory – HPE OpenCall Media Platform (OCMP) Multiple Vulnerabilities