SSD Advisory – AppLock Multiple Vulnerabilities

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
AppLock is Most downloaded app lock in Play Store:

  • #1 App lock in over 50 countries.
  • Over 100 Million users, supporting 24 languages.
  • AppLock can lock SMS, Contacts, Gmail, Facebook, Gallery, Market, Settings, Calls and any app you choose, with abundant options, protecting your privacy.
  • AppLock can hide pictures and videos, AppLock empowers you to control photo and video access. Selected pictures vanish from your photo gallery, and stay locked behind an easy-to-use PIN pad. With AppLock, only you can see your hidden pictures. Privacy made easy!

Vulnerability Details
The following report describes three ( 3 ) different vulnerabilities found in the AppLock, an Android application, with over 10 Millions of downloads, used to secure pictures, videos and application with a PIN code.

The first vulnerability will show how the pictures and videos are not encrypted but just hidden from the users, and even without root permission we can recover them, even with their original filename.

The second vulnerability shows how an user, with root permission on the device, can easily remove the PIN code from applications or add it to others. He can moreover change the PIN code.

The last, and most critical, vulnerability is a PIN bypass. It is possible, without root permissions and with all applications, settings, etc blocked from the app, reset the PIN code to one of our choice, and the take full control of the application.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

SSD Advisory – Symantec NetBackup OpsCenter Server Java Code Injection RCE

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
Symantec NetBackup OpsCenter is an optional web based application that, if installed, is installed separately in a customer’s environment for advanced monitoring, alerting, and reporting capabilities. Symantec NetBackup OpsCenter for Linux/Unix is susceptible to Java Code injection that could potentially result in privileged access to the application.

Vulnerability Details
A vulnerability in Symantec NetBackup OpsCenter when installed on a Linux based operating system allows remote unauthenticated attackers to cause the product to execute arbitrary code. The vulnerability exploits a mechanism that allows users to provide Java code to the server that is then executed as part of its internal process, due to a flaw in the way this code is handled an attacker can cause it to execute arbitrary code of his choice and elevate it to gain root privileges on the remote machine.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

SSD Advisory – Microsoft Office Word 2003/2007 Code Execution

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
Microsoft Word is a word processor developed by Microsoft. It was first released in 1983 under the name Multi-Tool Word for Xenix systems.

Vulnerability Details
Word 2003/2007 is prone to a remote code execution issue because of a component that allows script execution in the context of the opened document which will run in the context of the local machine security zone of Windows/Internet Explorer. This security zone has relaxed restrictions allowing arbitrary code to be executed using eg. ADO objects such as the ADODB.recordset that is able to create arbitrary files in arbitrary locations in the disk, including of course, the currently logged on user´s startup folder. The file can be an HTML application, and will be run next time Windows boots and the same user that was affected by this vulnerability logs on to Windows.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

SSD Advisory – Horde Groupware Files Application XSS

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
Horde Groupware is a free, enterprise ready, browser based collaboration suite. Users can manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards compliant components from the Horde Project. Horde Groupware bundles the separately available applications Kronolith, Turba, Nag Mnemo, Gollem, and Trean.

Vulnerability Details
A vulnerability in the way Horde Groupware handles directory contents allows an authenticated attacker to inject a XSS into directories and files and have others become victim to their code execution via the sharing option.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

SSD Advisory – ZendXml Multibyte Payloads XXE/XEE

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
ZendXml is a utility component for XML usage and best practices in PHP.

Vulnerability Details
The XML standard defines a concept of an external entites. XXE (XML eXternal Entity) attack is an attack on an application that parses XML input from untrusted sources using incorrectly configured XML parser. The application may be forced to open arbitrary files and/or network resources. Exploiting XXE issues on PHP applications may also lead to denial of service or in some cases (for example, when an ‘expect’ PHP module is installed) lead to command execution.

An independent security research of Zend Framework revealed that it is possible to bypass XXE security controls within the framework in case when the PHP application using Zend XML related classes (e.g Zend_XmlRpc_Server, Zend_Feed, Zend_Config_Xml etc.) from Zend Framework (including the latest version) is served via PHP FPM. Bypassing the controls may allow XXE attacks and lead to the aforementioned exploitation possibilities on systems where the XML parser is set to resolve entities.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

SSD Adivsory – QNAP QTS LDAP Authentication Remote Code Execution

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
Based on Linux, QNAP QTS 4 is a powerful operating system deployed on all QNAP Turbo NAS devices to bring performance and enhanced functionalities under an easy-to-use web GUI. QTS allows traditional NAS capabilities, in addition to advanced sharing features and mobile platforms support. Moreover, QTS supports custom applications to expand NAS functionalities for sharing and media streaming.

On top of a traditional Linux kernel (3.4.6, x86 64), QTS 4 provides NAS capabilities implemented in user-land and a web-based UI built using cgi-bin technology. Although SSH access is available on all QNAP devices, it is possible to completely manage the device using the web interface.

From the technical standpoint, QTS 4 web UI consists of two main components:
 

  • A web server thttpd and CGI binaries. In the default configuration, this service runs as ”admin”, a user with root permissions. On 80/tcp, the web server hosts a set of scripts to perform a redirect to port 8080/tcp. The service is also available over SSL (443/tcp) using Apache configured as a reverse-proxy, pointing to 8080/tcp. The webroot is located at /home/httpd.

 

  • A set of custom binaries and standard Linux utilities (e.g. ldapsearch) that are invoked from the CGI scripts, to perform required tasks

By default, the web interface is available from remote hosts with no network filtering.

Vulnerability Overview
A code injection vulnerability has been discovered in the current version of QNAP QTS 4. As mentioned, this vulnerability affects all QNAP NAS products using LDAP authentication. Valid credentials are NOT required in order to exploit this issue, allowing a remote attacker to execute arbitrary system commands as root.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Oracle CSO is right

The internet (or at least twitter) is exploding regarding this, now deleted, post : Mary Ann Davidson blog post

Let me start by saying that she is right. Yes, she’s right. Breaking the EULA is against the law. You can’t argue about that.

You can’t argue that they should be paying a bug bounty. You may *want* them to pay a bug bounty, but that is the companies decision. If they choose not to pay a bug bounty, that’s their prerogative.

As a consumer, you can choose to use their product (EULA and all) or not. That is something that you have control over.

As a researcher, you can choose to break the EULA or not. Arguing that someone should modify their EULA so that what you’re doing isn’t a violation is childish.

I wish Oracle had stood by their CSO and left the blog online. I understand that they don’t want additional scrutiny on their product, but the scrutiny will be there irregardless (as it has been for many years now). Leaving the post online would have shown some ‘backbone’. If INFOSEC goes PC, it’s bad for us all. I’d rather someone tell me what they really think and we can go from there.

!Dmitry
dmitry.chan@gmail.com

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Play some D!

Hi there. Long-time-no-blog :)

If you haven’t already, go read this: https://t.co/d2hwhmzzuz

Note: this blog applies to Corporate networks. If you’re a coffee shop or a college, you’re on your own :)

I’ve been a network defender for many years. I currently work for a software company that builds network software which helps companies gain insight into how their network is being used and/or abused. I didn’t choose to go into network defense – it chose me. In 1997 at my first “real job” out of college, I was a part of a team that tracked down some hackers that were running around owning a bunch of Solaris servers. From that day, I was hooked.

Network defenders don’t get a lot of credit. If you do your job right, no one ever talks about it. If you do your job wrong, you’ll hear about it every day for the rest or your short-lived career. An attacker can be wrong a million times and only needs to be right once. That’s an advantage. An attacker can spend 2 years in the bowels of one software app. A defender cannot. Accept this fact and move on…we can still win. The attacker has to use your network whilst evading detection. A lot of them don’t spend a lot of time figuring out how to do this right. They don’t have to be stealthy about exfiltrating data because it hasn’t mattered – the defense has been weak. How many recent infections used the darknet as a C&C?…ummm, your network monitoring solution should be SCREAMING AT YOU if someone connects out via Tor or i2p.

The network is like a bodies immune system (though not nearly as complex). The job, if you’re up to it, is to be the immune system. You can’t stop all infections from getting in. In fact, it can be argued that infections must get in to build the immune system. Firewalls and other devices can block things that we have knowledge of; however, something that we haven’t previously encountered will eventually get in (maybe via email, hacked USB drive, 0-day, whatever). Our job is to detect the foreign body, eradicate it, and update the immune system such that that strain of virus can no longer get it. So, how can you do this?

1) know what is “normal” for each host on your network. What ports do they offer? What ports do they connect to? What do their traffic patterns look like for each port? Who do they talk to? Who talks to them? what network protocols do they speak? How long do sessions stay nailed up? If you know this sort of stuff, then an attacker exfiltrating a gig of data cannot be hidden…it’ll stick out like a clown at an IBM business meeting.

2) Method 1 will detect lateral movement, but if you employ dead space within your network, you can flag lateral movement with just a single packet. Use honeynets, host-based IDS, traffic analysis (why is engineering dept trying to talk to HR?), etc. Spray your databases with bogus data that should never be accessed. Put up fake file servers and watch for access or watermark the files and watch them if they move around the network. Be creative…make your network a hostile environment for those who would attack it. The locals know how to get around, the attacker will have to figure out how to move around the network. Make this a painful process for him/her.

3) Look for invalid use of standard ports. Have you ever seen Skype find an “out door” on a network…What about vpn, i2p, p2p, Tor,etc.? Sending outbound traffic over well known ports is very, very common on most networks I have monitored. For each outbound port allowed through your firewall, you should flag on anomalous traffic over that port. What is anomalous? If the port is 80, only valid HTTP should flow over that port. If the port is 443, only TLS/SSL should flow over that port. Find the people tunneling data or sessions out of your network and you have a short list of the folks to keep an eye on.

4) Let the users know that you are watching. If Mabel from Accounting comes in on Monday morning and uploads 2 gig of baby pictures to dropbox, you should go have a chat with her. Get the word out. User education is often overlooked…millions is spent on nifty software but you don’t even have a full time employee working on user education. Sad.

There’s a lot more that I could write, but network defense isn’t a “cookie cutter” operation. Each admin will have to be creative and come up with their own maze for the attackers to run. Good luck out there!

!Dmitry
dmitry.chan@gmail.com

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.