SSD Advisory – AIX cmdlvm Vulnerability

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction
AIX (Advanced Interactive eXecutive) is a series of proprietary Unix operating systems developed and sold by IBM for several of its computer platforms. Originally released for the IBM 6150 RISC workstation, AIX now supports or has supported a wide variety of hardware platforms, including the IBM RS/6000 series and later POWER and PowerPC-based systems, IBM System i, System/370 mainframes, PS/2 personal computers, and the Apple Network Server.

Vulnerability Details
Running the lquerylv command with the variable DBGCMD_LQUERYLV set may allow a local user to gain root privileges.

SSD Advisory – Roundcube Password Plugin

Introduction
Roundcube webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an email client, including MIME support, address book, folder manipulation, message searching and spell checking.

Vulnerability Details
Roundcube 1.0.4 ships with the Password plugin version 3.4. Like any other plugin, it is disabled by default. Once enabled, it allows an authenticated user to change their current password in the web interface. For this purpose, the plugin offers several drivers that can be used to perform the actual password change in the back end. The DBMail driver suffers from a critical Remote Command Execution vulnerability that enables an attacker to execute arbitrary system commands with root privileges.

SSD Advisory – eFront Multiple Vulnerabilities

Introduction
eFront is a powerful learning management system that fits your brand preferences and delivers effective online & blended learning. eFront can help you improve employee performance, ensure compliance, engage your workforce and support organizational goals. Trusted by hundreds of companies and organizations around the world, eFront is committed to assist you train people. Better.

Vulnerability Details
eFront (version 3.6.15 and possibly earlier) has been found to contain multiple vulnerabilities:

  • module_chat chat.php getChatHistory() ‘chat_with’ Parameter SQL Injection
  • scripts.php ‘load’ Parameter File Inclusion Code Execution
  • module_flashcards module_flashcards.class.php ‘view_deck’ Parameter SQL Injection
  • module_journal module_journal.class.php ‘edit_entry’ Parameter SQL Injection
  • module_crossword module_crossword_class.php getNavigationLinks() ‘view_list’ Parameter SQL Injection
  • module_bbb module_bbb_class.php ‘edit_BBB’ Parameter Blind SQL Injection
  • forum.class.php create() forum_id Parameter SQL Injection

SSD Advisory – Panopta OnSight Remote Root

Introduction
Panopta OnSight Enterprise is a monitoring platform made up of adaptable building blocks which can be assembled for a custom fit solution. Use a mixture of deployment on-site and on our public cloud to build the most powerful managed hybrid solution available in the industry.

That combined with Panopta world class support means a fully managed monitoring experience so that you can focus on running your business. Get the ultimate combination of flexibility and control with tight integration into existing systems and other best of breed tools already in place. All without having to compromise any of your network security. Panopta OnSight Enterprise doesn’t force you to change the way you operate. It just fits like a glove.

Vulnerability Details
Panopta OnSight is a virtual appliance which exposes two primary network services, nginx and sshd. There are two undocumented user accounts on the system, and the password of one of them leaked after examining the file system. This user is in the sudo group, so after logging in to the system, privileges can be elevated and a user can execute arbitrary shell commands as root.