SSD Advisory – Adobe Reader Combobox Code Execution

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
More powerful than other PDF software, Adobe Acrobat Reader DC is the free, trusted standard for viewing, printing, and annotating PDFs. And now, it’s connected to Adobe Document Cloud — so it’s easier than ever to work with PDFs on computers and mobile devices.

Vulnerability Details
A vulnerability in the way Adobe Reader handles comboxes allows a malicious user to send a specially crafted PDF file that once opened, and its presented combobox is accessed a code execution vulnerability can be triggered.

SSD Advisory – Symantec Critical System Protection Remote Code Execution

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
Symantec Critical System Protection provides policy-based behavior control and detection for server and desktop computers. Symantec Critical System Protection includes management console and server components, and agent components that enforce policies on computers.

Vulnerability Details
The agent control interface of the SCSP Server (sis-agent) is affected by a remote unauthenticated code execution vulnerability. This interface is used by the IDS/IPS agents to communicate with the SCSP server: register themselves, fetch policy updates, report events, etc. Since all the protected hosts need to communicate with the SCSP Server we can expect that this interface will be exposed to wide network ranges.

SSD Advisory – Multiple Evernote Vulnerabilities

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
Evernote lets you take notes, sync files across your devices, save webpages, capture inspiration, and share your ideas with friends and colleagues.

Vulnerability Details
Multiple vulnerabilities have been found in Evernote for Windows, these vulnerabilities can lead to remote code execution.

OpenSSL ACCF Vulnerability (CVE-2015-1793)

A new vulnerability has been recently patched in OpenSSL:

During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate.

This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p

This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project.

The vulnerability description and its lack of a cool name (Heartbleed, POODLE, etc) makes it feel like this vulnerability is not that critical as it was believed to be.

The circumstances that are required here and the outcome, are a bit weak at the moment – though as more details come to light, the severity could be better justified.

SSD Advisory – AIX cmdlvm Vulnerability

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
AIX (Advanced Interactive eXecutive) is a series of proprietary Unix operating systems developed and sold by IBM for several of its computer platforms. Originally released for the IBM 6150 RISC workstation, AIX now supports or has supported a wide variety of hardware platforms, including the IBM RS/6000 series and later POWER and PowerPC-based systems, IBM System i, System/370 mainframes, PS/2 personal computers, and the Apple Network Server.

Vulnerability Details
The running of lquerylv command with variable DBGCMD_LQUERYLV set may allow a local user to gain root privileges.

SSD Adivsory – Roundcube Password Plugin

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
Roundcube webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an email client, including MIME support, address book, folder manipulation, message searching and spell checking.

Vulnerability Details
Roundcube 1.0.4 is shipped with the Password plugin version 3.4. It is, as any other plugin, disabled by default. Once enabled, it allows an authenticated user to change his current password in the web interface. For this purpose, the plugin offers several drivers that can be used to perform the actual password change in the back end. The DBMail driver suffers from a critical Remote Command Execution vulnerability that enables an attacker to execute arbitrary system commands with root privileges.

SSD Adivsory – eFront Multiple Vulnerabilities

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
eFront is a powerful learning management system that fits your brand preferences and delivers effective online & blended learning. eFront can help you improve employee performance, ensure compliance, engage your workforce and support organizational goals. Trusted by hundreds of companies and organizations around the world, eFront is committed to assist you train people. Better.

Vulnerability Details
eFront (version 3.6.15 and possibly earlier) has been found to contain multiple vulnerabilities:

 

  • module_chat chat.php getChatHistory() ‘chat_with’ Parameter SQL Injection
  • scripts.php ‘load’ Parameter File Inclusion Code Execution
  • module_flashcards module_flashcards.class.php ‘view_deck’ Parameter SQL Injection
  • module_journal module_journal.class.php ‘edit_entry’ Parameter SQL Injection
  • module_crossword module_crossword_class.php getNavigationLinks() ‘view_list’ Parameter SQL Injection
  • module_bbb module_bbb_class.php ‘edit_BBB’ Parameter Blind SQL Injection
  • forum.class.php create() forum_id Parameter SQL Injection

SSD Advisory – Panopta OnSight Remote Root

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
Panopta OnSight Enterprise is a monitoring platform made up of adaptable building blocks which can be assembled for a custom fit solution. Use a mixture of deployment on-site and on our public cloud to build the most powerful managed hybrid solution available in the industry.

That combined with Panopta world class support means a fully managed monitoring experience so that you can focus on running your business. Get the ultimate combination of flexibility and control with tight integration into existing systems and other best of breed tools already in place. All without having to compromise any of your network security. Panopta OnSight Enterprise doesn’t force you to change the way you operate. It just fits like a glove.

Vulnerability Details
Panopta OnSight is a virtual appliance which exposes two primary network services, nginx and sshd. There are two undocumented user accounts on the system, one of which’s password leaked after examining the file system. This user is in the sudo group, so after login to the system, privileges can be elevated and a user can execute arbitrary shell commands as root.