Hack2Win – a CodeBlue Conference Event

Hi everyone,

(Please note there is an update for this event here: https://blogs.securiteam.com/index.php/archives/2653)

A Japanese version is available here: https://blogs.securiteam.com/index.php/archives/2630

We have decided this year to not only sponsor CodeBlue, but also try something new (for us and I believe the conference’s attendees).

We will be bringing 11 devices to the conference premises and allowing people to try their skills at hacking them.

We tried to look far and wide for different devices, all around the $200 USD mark, so that they won’t be expensive for you to buy and try out before the event.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

SSD Advisory – Kloxo Sensitive Information Disclosure

Introduction
Kloxo (formerly known as Lxadmin) is a free, open-source web hosting control panel for the Red Hat and CentOS Linux distributions.

Vulnerability Details
Kloxo contains a vulnerability that allows an authenticated remote attacker (a client or auxiliary user) to retrieve almost any information from the database, for example the passwords of other users (including administrators) and the database connection credentials. After obtaining the credentials of the user (reseller or admin) who created the current client, it is possible to assign the “admin” role to the current client.

Authentication is required to exploit this vulnerability, but any unprivileged client or auxiliary account suffices. Any unprivileged user is therefore able to log in as administrator and manage the system, execute arbitrary OS commands, or upload a PHP file and execute arbitrary PHP code (these are legitimate administrator features).

SSD Advisory – Rocket BlueZone Multiple Vulnerabilities

Introduction
Rocket BlueZone Terminal Emulation Suite is the solution you need if you are looking to replace your aging, expensive, current Terminal Emulation solution. Our software is a secure, slim, powerhouse of a solution built for the IBM Mainframe (TN3270), i Series (TN5250), UNIX/DEC (VT), Unisys (T27 & UTS) and secure File Transfer Protocol (FTP) systems.

Vulnerability Details
Multiple vulnerabilities have been found in Rocket BlueZone:

  • WhllObj ActiveX Control Run Method Command Execution
  • WhllObj ActiveX Control Shell Method Command Execution
  • LIPI ActiveX Control SaveSettings Method Code Execution
  • WhllObj ActiveX Control StatusBarText Property Stack Buffer Overflow Vulnerability
  • WhllObj ActiveX Control GetOpenFilename Method FileFilter Stack Buffer Overflow Vulnerability
  • WhllObj ActiveX Control GetSaveAsFilename Method FileFilter Stack Buffer Overflow Vulnerability
  • LIPI ActiveX Control SendFile Method Heap Buffer Overflow Vulnerability
  • LIPI ActiveX Control ReceiveFile Method Heap Buffer Overflow Vulnerability

WhllObj ActiveX Control Run Method Command Execution
BlueZone installs an ActiveX control with the following settings:

According to the IObjectSafety interface, the control is marked safe for scripting and safe for initialization, so Internet Explorer will allow the object’s methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).

Vulnerability
This ActiveX control offers the insecure Run() method, see typelib:

The ActiveX control calls CreateProcessA() with user-supplied command line parameters. Proof of concept code which launches calc.exe is attached.

Proof of Concept

WhllObj ActiveX Control Shell Method Command Execution
Rocket BlueZone installs an ActiveX control with the following settings:

According to the IObjectSafety interface, the control is marked safe for scripting and safe for initialization, so Internet Explorer will allow the object’s methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).

Vulnerability
This ActiveX control offers the insecure Shell() method, see typelib:

The ActiveX control calls CreateProcessA() with user-supplied command line parameters. Proof of concept code which launches calc.exe is attached.

Proof of Concept

LIPI ActiveX Control SaveSettings Method Code Execution
Rocket BlueZone installs an ActiveX control with the following settings:

According to the IObjectSafety interface, the control is marked safe for scripting and safe for initialization, so Internet Explorer will allow the object’s methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).

Vulnerability
This ActiveX control offers the insecure SaveSettings() method, see typelib:

This method accepts a file name as its argument and can be used to write arbitrary files onto the target computer; directory traversal sequences are also accepted. The file content can be controlled by setting the ‘Username’ property.

Given this, a remote attacker could store an executable .hta file inside an automatic startup folder. Proof of concept code which launches calc.exe when the computer reboots is attached.

Proof of Concept

WhllObj ActiveX Control StatusBarText Property Stack Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:

According to the IObjectSafety interface, the control is marked safe for scripting and safe for initialization, so Internet Explorer will allow the object’s methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).

Vulnerability
The ActiveX offers the StatusBarText property, see typelib:

This property suffers from a stack-based buffer overflow caused by a copy loop inside bzwhll.dll. See the vulnerable code below.

Proof of Concept

WhllObj ActiveX Control GetOpenFilename Method FileFilter Stack Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:

According to the IObjectSafety interface, the control is marked safe for scripting and safe for initialization, so Internet Explorer will allow the object’s methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).

Vulnerability
The ActiveX offers the GetOpenFilename method, see typelib:

This method suffers from a stack-based buffer overflow caused by an overlong FileFilter argument, due to a copy loop inside bzwhll.dll. See the vulnerable code below.

Proof of Concept

WhllObj ActiveX Control GetSaveAsFilename Method FileFilter Stack Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:

According to the IObjectSafety interface, the control is marked safe for scripting and safe for initialization, so Internet Explorer will allow the object’s methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).

Vulnerability
The ActiveX offers the GetSaveAsFilename() method, see typelib:

This function suffers from a stack-based buffer overflow in its second argument due to a copy loop inside bzwhll.dll; see the vulnerable code below.

Proof of Concept

LIPI ActiveX Control SendFile Method Heap Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:

According to the IObjectSafety interface, the control is marked safe for scripting and safe for initialization, so Internet Explorer will allow the object’s methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).

Vulnerability
The ActiveX offers the SendFile() method, see typelib:

This method suffers from a heap buffer overflow in its first argument because of a dangerous call to a strcat-like function inside bzlipiobj.dll; see the vulnerable code below.

Note that the ‘Username’ and ‘Password’ properties need to be set to avoid a login input box.

When browsing sendfile.html, WinDBG shows:

To reach the call, browse sendfile_crash.html; a login box is shown. Set a breakpoint on KERNEL32.dll!lstrcatA and click OK.

Proof of Concept

LIPI ActiveX Control ReceiveFile Method Heap Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:

According to the IObjectSafety interface, the control is marked safe for scripting and safe for initialization, so Internet Explorer will allow the object’s methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).

Vulnerability
The ActiveX offers the ReceiveFile() method, see typelib:

This method suffers from a heap buffer overflow in its first argument because of a dangerous call to a strcat-like function inside bzlipiobj.dll; see the vulnerable code below.

Note that the ‘Username’ and ‘Password’ properties need to be set to avoid a login input box.

When browsing receivefile.html, WinDBG shows:

Proof of Concept
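The stack overflows in StatusBarText and the two FileFilter arguments (a copy loop in bzwhll.dll) and the heap overflows in SendFile and ReceiveFile (a strcat-like call in bzlipiobj.dll) are two instances of the same defect: a copy whose length is taken from the caller's string rather than from the destination. The C program below is an added illustration, not code from the advisory or from Rocket BlueZone; the buffer sizes, the base path, and all function names are assumed for the example. It shows the unbounded copy loop the advisory describes next to a bounded property setter and a bounded append that refuse overlong input, driven with constructed inputs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer sizes, assumed for illustration only; the advisory does
 * not state the real sizes of the buffers inside bzwhll.dll or bzlipiobj.dll. */
#define STATUS_TEXT_MAX 64   /* fixed stack buffer, as for StatusBarText / FileFilter */
#define XFER_PATH_MAX   32   /* fixed buffer a SendFile/ReceiveFile path is appended to */

/* Length of s, scanning at most max bytes, so an unterminated caller
 * buffer can never be read past its end. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* The bug class the advisory describes: a copy loop that stops only at the
 * source terminator and never checks the destination size. Shown for
 * contrast only; nothing below calls it. */
void copy_loop_unbounded(char *dst, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {   /* the bound comes from the caller's string ... */
        dst[i] = src[i];       /* ... so the write runs past dst when src is overlong */
        i++;
    }
    dst[i] = '\0';
}

/* Hardened property setter: refuse input that does not fit, so the caller
 * gets a defined error instead of a corrupted stack frame. Returns 0 on success. */
int set_status_bar_text(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;
    size_t n = bounded_len(src, dst_size);    /* scan no further than dst can hold */
    if (n >= dst_size)                        /* no room left for the terminator */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Hardened replacement for a strcat-like call: append only when the whole
 * result, terminator included, fits in dst_size bytes. Returns 0 on success. */
int append_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t used = bounded_len(dst, dst_size);
    if (used >= dst_size)                     /* dst is not even terminated */
        return -1;
    size_t room = dst_size - used - 1;        /* bytes available before the terminator */
    size_t n = bounded_len(src, room + 1);    /* scan one past room to detect overflow */
    if (n > room)
        return -1;
    memcpy(dst + used, src, n);
    dst[used + n] = '\0';
    return 0;
}

/* Drive the setter with a constructed input of len 'A' characters, as a script
 * assigning the property would, and report whether it was accepted. */
int demo_status_text(size_t len)
{
    char input[1024];
    char status[STATUS_TEXT_MAX];
    if (len >= sizeof input)
        return -2;                            /* keep the constructed input itself bounded */
    memset(input, 'A', len);
    input[len] = '\0';
    return set_status_bar_text(status, sizeof status, input);
}

/* Join a file name onto a constructed base directory inside a fixed buffer,
 * the way a SendFile/ReceiveFile first argument is joined onto a path. */
int demo_transfer_path(const char *name, char *out, size_t out_size)
{
    char path[XFER_PATH_MAX] = "C:\\transfer\\";   /* constructed base, 12 characters */
    int rc = append_bounded(path, sizeof path, name);
    if (rc == 0 && out != NULL)
        set_status_bar_text(out, out_size, path); /* hand the joined path back */
    return rc;
}

int main(void)
{
    char out[XFER_PATH_MAX] = "";
    printf("status, 63 chars: %d\n", demo_status_text(63));   /* 0: fits */
    printf("status, 64 chars: %d\n", demo_status_text(64));   /* -1: refused */
    printf("path report.txt:  %d (%s)\n",
           demo_transfer_path("report.txt", out, sizeof out), out);
    printf("path, 30 chars:   %d\n",
           demo_transfer_path("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", NULL, 0));
    return 0;
}
```

The setter rejects rather than truncates: silently cutting a FileFilter or path short can change what the later file dialog or transfer operates on, whereas a refused call is a defined failure the control can report through its HRESULT.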

Vendor Response
The vendor has responded that they have released a patch (2nd of September 2015) and commented that:

In addition to placing the BlueZone announcement on the Rocket Customer Portal, we have added the vulnerability announcement to our website.

You may find the information via this link on our BlueZone product page:
https://www.rocketsoftware.com/product-families/rocket-bluezone-passport

There is also a dedicated page for the announcement if someone does a search for it on the Rocket website:
https://www.rocketsoftware.com/rocket-bluezone-security-annoucement

The patch location is within Rocket’s Customer Portal, and is accessible by all affected customers.

Thanks again for your help and your notification to us.

SSD Advisory – Zenario CMS Multiple Vulnerabilities

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
Zenario is a web-based content management system for sites with one or many languages. It’s designed to grow with your site, adding extranet, online database and custom functionality when you need it.

Vulnerability Details
Multiple vulnerabilities have been discovered in Zenario:

  • compressor.php Query String Multiple Bypasses readfile() Absolute Path Traversal Database Credentials Disclosure Vulnerability
  • user_functions.inc.php logUserIn() “X-FORWARDED-FOR” Remote Blind SQL Injection Vulnerability

SSD Advisory – Kirby CMS Multiple Vulnerabilities

Introduction
Kirby is “a file‑based CMS. Easy to setup. Easy to use. Flexible as hell”.

Vulnerability Details
Two security vulnerabilities have been found in Kirby CMS:

  • Authentication Bypass via Path Traversal
  • CSRF Content Upload and PHP Script Execution

SSD Advisory – Multiple Dokeos Vulnerabilities

Introduction
Dokeos e-Learning is an open source e-learning solution. It is the result of work by a large community bringing together hundreds of developers in more than 5 countries, as well as users and translators. This open source e-learning solution is distributed in over 20 languages and 60 countries worldwide.

Vulnerability Details
Multiple vulnerabilities have been found in Dokeos:

  • Unrestricted File Upload leading to Code Execution Vulnerability
  • Directory Traversal leading to Arbitrary File Deletion
  • Blind SQL Injection Vulnerability
  • Multiple Cross Site Scripting Vulnerabilities

SSD Advisory – Ubiquiti Networks mFi Controller Server Authentication Bypass

(Update: We are republishing this after removing it – as requested by the vendor – but as the vendor has not responded nor provided any progress in the last 30 days, we are making the information public again)

Introduction
mFi hardware and software combines plug-and-play installation with big-data analytics, event reporting and scheduling to create powerful relationships between sensors, machines and power control.

Vulnerability Details
Ubiquiti Networks mFi Controller Server installs a web management interface which by default listens on public port 6443 (tcp/https). It offers a login screen; only the administrator user can remotely monitor and control the configured devices.

Because of two errors inside the underlying com.ubnt.ace.view.AuthFilter class, it is possible to bypass the authentication mechanism and gain access to, for example, the “ApiServlet” servlet.

SSD Advisory – IMail Cross Site Scripting

Introduction
IMail Server is a Windows Email Server designed specifically for the small-to-medium sized business.

Vulnerability Details
A persistent, unauthenticated cross-site scripting and cross-authentication vulnerability in the IClient web interface and the IAdmin web interface of Ipswitch IMail allows attackers to execute arbitrary code, which, as can be seen below, allows the creation of a new user whenever the attack is triggered against the administrator of the system.
