SSD Advisory – Remote Command Execution in Proliant iLO Intelligent Provisioning

Vulnerability Description
iLO is an embedded operating system available within HP Proliant and Integrity servers. Intelligent Provisioning (IP) is a feature within iLO that provides local and remote access for provisioning purposes. It was discovered that hidden requests were being made to the server during a normal client session. Exploring this obfuscated functionality revealed the ability to execute arbitrary commands as root on the system.

SSD Advisory – Dynamic Web TWAIN SDK Vulnerabilities

Dynamic Web TWAIN is a TWAIN-based scanning SDK software specifically designed for web applications. With just a few lines of code, you can develop robust applications to scan documents from TWAIN-compatible scanners, edit the scanned images and save them to a file system.

Vulnerability Details
Two security vulnerabilities have been found in Dynamic Web TWAIN:

  • DynamicWebTwainCtrl.DynamicWebTwain.1 ActiveXObject SaveAllAsPDF/SaveAsPDF Methods lstrcpyA() Call Stack Buffer Overflow Vulnerability
  • WebTWAINService.exe Service SaveAllAsPDF/SaveAsPDF Methods lstrcpyA() Call Stack Buffer Overflow Vulnerability


SSD Advisory – Yahoo RSS Reader XXE Vulnerability (CFAJAX)

Vulnerability Description
A vulnerability in the way CFAJAX handles incoming requests allows attackers to cause the program to execute arbitrary code. The vulnerability is present in several of the packages that CFAJAX provides; below is an example of its exploitation in Yahoo RSS Reader. The vulnerability is not limited to this software: any software that uses CFAJAX is affected.

Unfortunately CFAJAX is no longer maintained (the last version came out on Nov 21st 2005) and emails sent to the author go unanswered, yet it is still deployed on several web sites we found on the Internet.

Technical Details
The vulnerability is exploited by supplying an XML file to the CFAJAX-based program, which is vulnerable to XXE. The XXE vulnerability allows us to read locally stored files, in our example neo-security.xml, whose password hash we can then crack (by brute force) to gain access to the ColdFusion administrative panel.

1. Send one HTTP POST request to a vulnerable server. The exploit data will not be logged (by default, POST request payloads are not logged), only the URL being accessed.

2. Content of cf-92655311.xml listed below:

3. Content of cdata-xxe.dtd listed below:

4. You should receive a response like this:

5. Extract the salt and password values:

6. Now that you have the salt and password, you can crack the password by following these instructions:
Hash is the password variable from ./lib/
Salt is the admin.userid.root.salt variable from ./lib/neo-security.xml

Configuration file for John the Ripper:

7. Recover the password and go to the admin console (/CFIDE URL).

Hack2Win – 2nd Day and Summary

At the end of day 2 we had a total of 11 people taking part in the hacking contests, with about 30 people watching them hack live. Thank you all!

I’d like to especially mention the skilled security researchers from Korea, who were the ultimate winners of this contest by finding the most impressive vulnerability as selected by the judges.

As a group they were awarded 1st place and won the cash prize.

We are already thinking about next year’s event. It might be fun to change from IP cameras to other consumer electronics. The IP cameras were not much of a challenge this year: 2 out of the 3 were hacked, and the 3rd was totally ‘bricked’, not even working after a factory reset.

We will keep you posted on the vendors’ reaction to these vulnerabilities, with updates on the fixes they post and, of course, additional information on the researchers’ findings.

Until next year!