
List:       full-disclosure
Subject:    [Full-disclosure] Portcullis Computer Security Ltd - Advisories
From:       "advisories" <advisories () portcullis-security ! com>
Date:       2007-07-10 15:41:02
Message-ID: 78FA4E96C9E69341989E9416E06225DB010CB92D () tgbex ! otl ! portcullis-security ! com

###############################################################
This email originates from the systems of Portcullis
Computer Security Limited, a Private limited company, 
registered in England in accordance with the Companies 
Act under number 02763799. The registered office 
address of Portcullis Computer Security Limited is: 
The Grange Barn, Pikes End, Pinner, MIDDX, 
United Kingdom, HA5 2EX. 
The information in this email is confidential and may be 
legally privileged. It is intended solely for the addressee. 
Any opinions expressed are those of the individual and 
do not represent the opinion of the organisation. Access 
to this email by persons other than the intended recipient 
is strictly prohibited.
If you are not the intended recipient, any disclosure, 
copying, distribution or other action taken or omitted to be 
taken in reliance on it, is prohibited and may be unlawful. 
When addressed to our clients any opinions or advice 
contained in this email is subject to the terms and 
conditions expressed in the applicable Portcullis Computer 
Security Limited terms of business.
###############################################################

#####################################################################################
This e-mail message has been scanned for Viruses and Content and cleared 
by MailMarshal.
#####################################################################################

[Attachment #5 (text/html)]

<html xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{color:purple;
	text-decoration:underline;}
span.EmailStyle17
	{mso-style-type:personal-compose;
	font-family:Arial;
	color:windowtext;}
@page Section1
	{size:612.0pt 792.0pt;
	margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
	{page:Section1;}
-->
</style>

</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

</div>


<P>
<HR>
</P>
<P>This email originates from the systems of Portcullis<BR>Computer Security 
Limited, a Private limited company, <BR>registered in England in accordance with 
the Companies <BR>Act under number 02763799. The registered office <BR>address 
of Portcullis Computer Security Limited is: <BR>The Grange Barn, Pikes End, 
Pinner, MIDDX, <BR>United Kingdom, HA5 2EX. <BR>The information in this email is 
confidential and may be <BR>legally privileged. It is intended solely for the 
addressee. <BR>Any opinions expressed are those of the individual and <BR>do not 
represent the opinion of the organisation. Access <BR>to this email by persons 
other than the intended recipient <BR>is strictly prohibited.<BR>If you are not 
the intended recipient, any disclosure, <BR>copying, distribution or other 
action taken or omitted to be <BR>taken in reliance on it, is prohibited and may 
be unlawful. <BR>When addressed to our clients any opinions or advice 
<BR>contained in this email is subject to the terms and <BR>conditions expressed 
in the applicable Portcullis Computer <BR>Security Limited terms of 
business.</P>
<P>
<HR>

<P></P>
<P></P>

<HR>
This e-mail message has been scanned for Viruses and Content and cleared 
by&nbsp;<FONT color=#400080><STRONG>MailMarshal</STRONG></FONT> 
<HR>
</body>

</html>


["vaversiondisclosure 06_046.txt" (text/plain)]

Portcullis Security Advisory 06-046


Vulnerable System:

Visionsoft Audit


Vulnerability Title:

The VSAOD server discloses its version.


Vulnerability discovery and development:

Portcullis Security Testing Services discovered this vulnerability during an
application assessment. Further research was then carried out post assessment.


Credit For Discovery:

Tim Brown - Portcullis Computer Security Ltd.


Affected systems:

All known versions of Audit; this vulnerability was discovered in version 12.4.0.0.


Details:

On connecting to the remote VSAOD server, the version is disclosed:

server> Visionsoft Audit on Demand Service
server> Version: 12.4.0.0


In addition the version number can also be obtained as follows:

client> VER
server> 12.4.0.0


Impact:

An attacker could use the version information to identify vulnerable versions of
the VSAOD server.


Exploit:

Exploit code is not required.

Vendor Status:

Contacted support@visionsoft.com


e-mailed - 16th January 2007
e-mailed - 26th February 2007
e-mailed - 15th March 2007


Copyright:

Copyright Portcullis Computer Security Limited 2006, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of
Portcullis Computer Security Limited.


Disclaimer:

The information herein contained may change without notice. Use of this information
constitutes acceptance for use in an AS IS condition. There are NO warranties,
implied or otherwise, with regard to this information or its use. Any use of this
information is at the user's risk. In no event shall the author/distributor
(Portcullis Computer Security Limited) be held liable for any damages whatsoever
arising out of or in connection with the use or spread of this information.


["vafileoverwrite-06-039.txt" (text/plain)]

Portcullis Security Advisory 06-039


Vulnerable System:

Visionsoft Audit


Vulnerability Title:

The VSAOD server allows unauthenticated arbitrary file overwrites.


Vulnerability Discovery and Development:

Portcullis Security Testing Services discovered this vulnerability during an
application assessment. Further research was then carried out post assessment.

Credit for Discovery:

Tim Brown - Portcullis Computer Security Ltd.

Affected systems:

All known versions of Audit; this vulnerability was discovered in version 12.4.0.0.

Details:

It is possible to set the log file name on the remote VSAOD server using the
following unauthenticated exchange:

client> LOG.<filename>
server> Logfile set to: <filename>

Impact:

Since the VSAOD server typically runs as SYSTEM, it is possible to overwrite any file
on the system. An attacker can use this to write additional ASP into web pages or
commands into a batch file, or to corrupt files on the system.

Exploit:

Exploit code is not required.

Vendor Status:

Contacted support@visionsoft.com


e-mailed - 16th January 2007
e-mailed - 26th February 2007
e-mailed - 15th March 2007

Copyright:

Copyright Portcullis Computer Security Limited 2006, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of
Portcullis Computer Security Limited.


Disclaimer:

The information herein contained may change without notice. Use of this information
constitutes acceptance for use in an AS IS condition. There are NO warranties,
implied or otherwise, with regard to this information or its use. Any use of this
information is at the user's risk. In no event shall the author/distributor
(Portcullis Computer Security Limited) be held liable for any damages whatsoever
arising out of or in connection with the use or spread of this information.


["vaheapoverflow - 06_040.txt" (text/plain)]

Portcullis Security Advisory 06-040


Vulnerable System:

Visionsoft Audit


Vulnerability Title:

The VSAOD server has input validation flaws which can result in an unauthenticated
heap overflow.


Vulnerability discovery and development:

Portcullis Security Testing Services discovered this vulnerability during an
application assessment. Further research was then carried out post assessment.


Credit for Discovery:

Tim Brown - Portcullis Computer Security Ltd.


Affected systems:

All known versions of Audit; the vulnerability was discovered in version 12.4.0.0.


Details:

It is possible to set the log file name on the remote VSAOD server using the
following unauthenticated exchange:

client> LOG.<filename>
server> Logfile set to: <filename>

When the file name passed is of sufficient length, the remote VSAOD server will
terminate. As the server writes the file name to its ini file prior to crashing, the
server will terminate every time it is restarted until the ini file has been fixed.


Impact:

An attacker could cause a Denial of Service or execute arbitrary code. Since the
VSAOD server typically runs as SYSTEM, an attacker who successfully executes
arbitrary code will fully compromise the system.


Exploit:

Exploit code is not required.

Vendor Status:

Contacted support@visionsoft.com


e-mailed - 16th January 2007
e-mailed - 26th February 2007
e-mailed - 15th March 2007


Copyright:

Copyright Portcullis Computer Security Limited 2006, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of
Portcullis Computer Security Limited.


Disclaimer:

The information herein contained may change without notice. Use of this information
constitutes acceptance for use in an AS IS condition. There are NO warranties,
implied or otherwise, with regard to this information or its use. Any use of this
information is at the user's risk. In no event shall the author/distributor
(Portcullis Computer Security Limited) be held liable for any damages whatsoever
arising out of or in connection with the use or spread of this information.


["vainifileoverwrite - 06_041.txt" (text/plain)]

Portcullis Security Advisory 06-041


Vulnerable System:

Visionsoft Audit


Vulnerability Title:

The VSAOD server allows unauthenticated ini file overwrites.


Vulnerability discovery and development:

Portcullis Security Testing Services discovered this vulnerability during an
application assessment. Further research was then carried out post assessment.


Credit for Discovery:

Tim Brown - Portcullis Computer Security Ltd.


Affected systems:

All known versions of Audit; this vulnerability was discovered in version 12.4.0.0.


Details:

It is possible to overwrite the ini file on the remote VSAOD server using the
following unauthenticated exchange:

client> SETTINGSFILE
client> <whatever you like>
client> END


Impact:

This can be used by an attacker to prevent the remote VSAOD server from starting in
future or to otherwise change its configuration.


Exploit:

Exploit code is not required.

Vendor Status:

Contacted support@visionsoft.com


e-mailed - 16th January 2007
e-mailed - 26th February 2007
e-mailed - 15th March 2007


Copyright:

Copyright Portcullis Computer Security Limited 2006, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of
Portcullis Computer Security Limited.


Disclaimer:

The information herein contained may change without notice. Use of this information
constitutes acceptance for use in an AS IS condition. There are NO warranties,
implied or otherwise, with regard to this information or its use. Any use of this
information is at the user's risk. In no event shall the author/distributor
(Portcullis Computer Security Limited) be held liable for any damages whatsoever
arising out of or in connection with the use or spread of this information.


["vapassword - 06-042.txt" (text/plain)]

Portcullis Security Advisory 06-042


Vulnerable System:

Visionsoft Audit


Vulnerability Title:

The VSAOD server uses a weak algorithm to obscure passwords on the wire and within
configuration files.


Vulnerability Discovery and Development:

Portcullis Security Testing Services discovered this vulnerability during an
application assessment. Further research was then carried out post assessment.


Credit For Discovery:

Tim Brown and Mark Lowe - Portcullis Computer Security Ltd.


Affected systems:

All known versions of Visionsoft Audit; this vulnerability was discovered in version
12.4.0.0.


Details:

Passwords used to authenticate with the remote VSAOD server prior to the execution of
the requested executable are obscured on the wire and in configuration files using an
XOR based algorithm.


Impact:

An attacker who has compromised a system running a VSAOD server, or who can
eavesdrop on its network traffic, could unobscure the password recovered from the
configuration file or from the captured traffic. Typically this will be a domain
account with privileged access to the systems on the network, so the attacker may
then be able to authenticate to those systems through other servers. Note: the
configuration file typically has read permissions for both Users and Power Users.


Exploit:

Exploit code is not required.

Vendor Status:

Contacted support@visionsoft.com


e-mailed - 16th January 2007
e-mailed - 26th February 2007
e-mailed - 15th March 2007


Copyright:

Copyright Portcullis Computer Security Limited 2006, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of
Portcullis Computer Security Limited.


Disclaimer:

The information herein contained may change without notice. Use of this information
constitutes acceptance for use in an AS IS condition. There are NO warranties,
implied or otherwise, with regard to this information or its use. Any use of this
information is at the user's risk. In no event shall the author/distributor
(Portcullis Computer Security Limited) be held liable for any damages whatsoever
arising out of or in connection with the use or spread of this information.


["vapathdisclosure 06-043.txt" (text/plain)]

Portcullis Security Advisory 06-043


Vulnerable System:

Visionsoft Audit


Vulnerability Title:

The VSAOD server discloses the log path.


Vulnerability discovery and development:

Portcullis Security Testing Services discovered this vulnerability during an
application assessment. Further research was then carried out post assessment.


Credit for Discovery:

Tim Brown - Portcullis Computer Security Ltd.


Affected systems:

All known versions of Audit; the vulnerability was discovered in version 12.4.0.0.


Details:

When logging is enabled on the remote VSAOD server, the log path is disclosed:

client> LOG.ON 
server> OK, logging to C:\Documents and Settings\All Users\Application Data\Visionsoft\VAP\vsAoD\vsAoD.log


Impact:

An attacker could use the disclosed log path to identify the operating system of the
system they are attacking.


Exploit:

Exploit code is not required.

Vendor Status:

Contacted support@visionsoft.com


e-mailed - 16th January 2007
e-mailed - 26th February 2007
e-mailed - 15th March 2007


Copyright:

Copyright Portcullis Computer Security Limited 2006, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of
Portcullis Computer Security Limited.


Disclaimer:

The information herein contained may change without notice. Use of this information
constitutes acceptance for use in an AS IS condition. There are NO warranties,
implied or otherwise, with regard to this information or its use. Any use of this
information is at the user's risk. In no event shall the author/distributor
(Portcullis Computer Security Limited) be held liable for any damages whatsoever
arising out of or in connection with the use or spread of this information.


["vareplay 06_044.txt" (text/plain)]

Portcullis Security Advisory 06-044


Vulnerable System:

Visionsoft Audit.


Vulnerability Title:

The VSAOD server allows remote execution via replay attacks.


Vulnerability Discovery and Development:

Portcullis Security Testing Services discovered this vulnerability during an
application assessment. Further research was then carried out post assessment.


Credit for Discovery:

Tim Brown - Portcullis Computer Security Ltd.


Affected systems:

All known versions of Audit; this vulnerability was discovered in version 12.4.0.0.


Details:

In order for the Audit client to schedule an audit it connects to the remote VSAOD
server and initiates the following exchange:

server> Visionsoft Audit on Demand Service
server> Version: 12.4.0.0
server>
client> DETAILS 
client> <windows domain>
client> <user name>
client> <obscured password>
client> OK 
client> PROCESS 
client> <path to executable>
server> <status message|OK|FAIL message>

The VSAOD server will then switch to the supplied Windows domain account and execute
the requested executable. The supplied Windows domain account does not require
special privileges, although obviously using a privileged account will allow the
executable more access to the remote server. The username and password can be
obtained in a number of ways (some of which are vulnerabilities in their own right),
including eavesdropping on a legitimate session. The requested executable can be
either local to the remote server or available via a Microsoft Windows Network share.


Impact:

An attacker could execute arbitrary code on the server, bypassing normal Windows
security mechanisms.


Exploit:

Exploit code is not required.

Vendor Status:

Contacted support@visionsoft.com


e-mailed - 16th January 2007
e-mailed - 26th February 2007
e-mailed - 15th March 2007


Copyright:

Copyright Portcullis Computer Security Limited 2006, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of
Portcullis Computer Security Limited.


Disclaimer:

The information herein contained may change without notice. Use of this information
constitutes acceptance for use in an AS IS condition. There are NO warranties,
implied or otherwise, with regard to this information or its use. Any use of this
information is at the user's risk. In no event shall the author/distributor
(Portcullis Computer Security Limited) be held liable for any damages whatsoever
arising out of or in connection with the use or spread of this information.


["vauninstall 06_45.txt" (text/plain)]

Portcullis Security Advisory 06-045


Vulnerable System:

Visionsoft Audit


Vulnerability Title:

The VSAOD server allows unauthenticated remote uninstalls.


Vulnerability discovery and development:

Portcullis Security Testing Services discovered this vulnerability during an
application assessment. Further research was then carried out post assessment.


Credit for Discovery:

Tim Brown - Portcullis Computer Security Ltd.


Affected systems:

All known versions of Audit; this vulnerability was discovered in version 12.4.0.0.


Details:

It is possible to remotely uninstall the remote VSAOD server using the following
unauthenticated exchange:

server> Visionsoft Audit on Demand Service
server> Version: 12.4.0.0
server>
client> UNINSTALL 
client> Stopping

The VSAOD server will then disconnect and terminate.
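The VSAOD exchanges above (log file redirection in 06-039 and 06-040, SETTINGSFILE in 06-041, DETAILS/PROCESS in 06-044 and UNINSTALL in 06-045) share one wire format, which makes them easy to pick out of a captured session for incident review. The following Python is an added example, not Portcullis or Visionsoft code: it triages a client>/server> transcript and maps each risky client command to the advisory it corresponds to; the length threshold, the file-name heuristic and the severity labels are assumptions, and the sample session is constructed.

```python
"""Offline triage of a captured VSAOD (Visionsoft Audit on Demand) session.

Added example, not Portcullis or Visionsoft code.  The client>/server> line
layout and the commands (LOG.ON, LOG.<file>, SETTINGSFILE/END, PROCESS,
UNINSTALL) are the exchanges quoted in advisories 06-039 to 06-045; the
threshold, the file-name heuristic and the severities are assumptions.
"""
import re
from collections import namedtuple

# Assumption: 06-040 only says "of sufficient length"; treat anything longer
# than a MAX_PATH-sized name (260) as an overflow attempt.
MAX_LOG_NAME = 260
LINE_RE = re.compile(r"^(client|server)>\s?(.*)$")
Finding = namedtuple("Finding", "line_no severity advisory detail")


def parse_transcript(text):
    """Return [(line_no, side, payload)] for every client>/server> line."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw)
        if m:
            out.append((n, m.group(1), m.group(2).strip()))
    return out


def suspicious_log_name(name):
    """Heuristic (assumption): the log should stay a .log file inside the
    service's own data directory, so drive-letter or UNC paths, '..'
    segments and any other extension are treated as overwrite attempts."""
    low = name.lower()
    segments = low.replace("/", "\\").split("\\")
    return (re.match(r"^[a-z]:[\\/]", low) is not None
            or low.startswith("\\\\")
            or ".." in segments
            or not low.endswith(".log"))


def triage(text):
    """Map the client commands of a captured session to advisory findings."""
    findings = []
    lines = parse_transcript(text)
    for i, (n, side, payload) in enumerate(lines):
        if side != "client":
            continue
        upper = payload.upper()
        if upper.startswith("LOG.") and upper != "LOG.ON":
            name = payload[4:]
            if len(name) > MAX_LOG_NAME:
                findings.append(Finding(n, "critical", "06-040",
                    f"LOG. name of {len(name)} bytes: heap overflow; the "
                    "service crashes on every restart until the ini is fixed"))
            elif suspicious_log_name(name):
                findings.append(Finding(n, "critical", "06-039",
                    f"log redirected to {name!r}: arbitrary file write as SYSTEM"))
        elif upper == "SETTINGSFILE":
            findings.append(Finding(n, "critical", "06-041",
                "unauthenticated replacement of the server ini file"))
        elif upper == "UNINSTALL":
            findings.append(Finding(n, "high", "06-045",
                "unauthenticated remote uninstall (denial of service)"))
        elif upper == "PROCESS":
            # The executable path is the next client line (06-044); a UNC
            # path means the binary is fetched from a network share.
            nxt = next((p for _, s, p in lines[i + 1:] if s == "client"), "")
            sev = "high" if nxt.startswith("\\\\") else "info"
            findings.append(Finding(n, sev, "06-044",
                f"executable {nxt!r} run under the supplied domain account"))
    return findings


# Constructed sample: the advisories' exchanges stitched into one session;
# this is not captured traffic.
SAMPLE = """\
server> Visionsoft Audit on Demand Service
server> Version: 12.4.0.0
client> LOG.ON
server> OK, logging to C:\\Documents and Settings\\All Users\\Application Data\\Visionsoft\\VAP\\vsAoD\\vsAoD.log
client> LOG.C:\\Inetpub\\wwwroot\\default.asp
server> Logfile set to: C:\\Inetpub\\wwwroot\\default.asp
client> DETAILS
client> CORP
client> auditsvc
client> <obscured password>
client> OK
client> PROCESS
client> \\\\fileserver\\tools\\audit.exe
client> SETTINGSFILE
client> [Service]
client> END
client> UNINSTALL
client> Stopping
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"line {f.line_no:>2} [{f.severity:8}] {f.advisory}: {f.detail}")
```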

Impact:

An attacker could cause a Denial of Service.

Exploit:

Exploit code is not required.


Vendor Status:

Contacted support@visionsoft.com


e-mailed - 16th January 2007
e-mailed - 26th February 2007
e-mailed - 15th March 2007

Copyright:

Copyright Portcullis Computer Security Limited 2006, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of
Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information
constitutes acceptance for use in an AS IS condition. There are NO warranties,
implied or otherwise, with regard to this information or its use. Any use of this
information is at the user's risk. In no event shall the author/distributor
(Portcullis Computer Security Limited) be held liable for any damages whatsoever
arising out of or in connection with the use or spread of this information.


["psinjection 06_056.txt" (text/plain)]

Portcullis Security Advisory 06-056


Vulnerable System:

P-Synch.


Vulnerability Title:

The P-Synch Windows domain password reset web application's style parameter allows
JavaScript injection.


Vulnerability discovery and development:

This vulnerability was discovered during an application assessment. Further research
was then carried out post assessment. The vendor has been notified.


Credit for Discovery:

Tim Brown of Portcullis Computer Security Ltd.


Affected systems:

All known versions of P-Synch.


Details:

It is possible to pass a remote URL for a style sheet to the P-Synch Windows domain
password reset web application within the style parameter, which will then be
referenced in the web pages returned.


Impact:

An attacker could use this to execute malicious code on visitors' computers using the
techniques outlined in Tim Brown's paper Misunderstanding Javascript injection [1].

[1] http://www.nth-dimension.org.uk/news/entry.php?e=156579087


Exploit:

Exploit code is not required.


Copyright:

Copyright Portcullis Computer Security Limited 2006, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of
Portcullis Computer Security Limited.


Disclaimer:

The information herein contained may change without notice. Use of this information
constitutes acceptance for use in an AS IS condition. There are NO warranties,
implied or otherwise, with regard to this information or its use. Any use of this
information is at the user's risk. In no event shall the author/distributor
(Portcullis Computer Security Limited) be held liable for any damages whatsoever
arising out of or in connection with the use or spread of this information.


["easql 06-057.txt" (text/plain)]

Portcullis Security Advisory 06-057


Vulnerable System:

eVisit Analyst. 


Vulnerability Title:

Multiple CGI scripts allow SQL injection.


Vulnerability discovery and development:

Tim Brown of Portcullis Computer Security Ltd. The vendor has been notified and the
vulnerability fixed.


Affected systems:

All known versions of eVisit Analyst.


Details:

By modifying the id parameter passed in requests to the idsp1.pl, ip.pl and
einsite_director.pl CGI scripts, it is possible to cause error messages to be
returned which indicate the presence of an SQL injection vulnerability. The same
error messages also disclose the web root path.


Impact:

Portcullis believe that the script concerned cannot be exploited due to the way in
which it operates; however, this cannot be confirmed without a full inspection of
the source code.


Exploit:

Exploit code is not required.


Copyright:

Copyright © Portcullis Computer Security Limited 2007, All rights reserved worldwide.

Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of
Portcullis Computer Security Limited.


Disclaimer:

The information herein contained may change without notice. Use of this information
constitutes acceptance for use in an AS IS condition. There are NO warranties,
implied or otherwise, with regard to this information or its use. Any use of this
information is at the user's risk. In no event shall the author/distributor
(Portcullis Computer Security Limited) be held liable for any damages whatsoever
arising out of or in connection with the use or spread of this information.

 


["isdirectorytraversal 06-059.txt" (text/plain)]

Portcullis Security Advisory 06-059


Vulnerable System:

ImgSvr


Vulnerability Title:

ImgSvr is vulnerable to directory traversal.


Vulnerability discovery and development:

Portcullis Security Testing Services discovered this vulnerability. Further research
was then carried out.

Credit for Discovery:

Tim Brown - Portcullis Computer Security Ltd.


Affected systems:

All known versions of ImgSvr.


Details:

It is possible to pass a value in the template parameter of requests to ImgSvr which
causes arbitrary files to be returned from outside of the web root as follows:

GET /?template=../../../../../../../../../../etc/passwd HTTP/1.0


Impact:

An attacker could read arbitrary files on the server.


Exploit:

Exploit code is not required.


Vendor Status:

Contacted frett27@userssourceforge.net and p.orbry@wanadoo.fr


e-mailed - 16th January 2007
e-mailed - 22nd January 2007
e-mailed - 14th February 2007
e-mailed - 15th March 2007


Copyright:

Copyright © Portcullis Computer Security Limited 2005, All rights reserved 
worldwide.

Permission is hereby granted for the electronic redistribution of this 
information. It is not to be edited or altered in any way without the express 
written consent of Portcullis Computer Security Limited.


Disclaimer:

The information herein contained may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are 
NO warranties, implied or otherwise, with regard to this information or its 
use. Any use of this information is at the user's risk. In no event shall the 
author/distributor (Portcullis Computer Security Limited) be held liable for 
any damages whatsoever arising out of or in connection with the use or spread 
of this information.

["isstackoverflow 06_058.txt" (text/plain)]

Portcullis Security Advisory 06-058


Vulnerable System:

ImgSvr.


Vulnerability Title:

ImgSvr is vulnerable to a stack overflow.


Vulnerability discovery and development:

Portcullis Security Testing Services.  Further research was then carried out by Tim Brown and 
Neil Kettle. 


Credit for Discovery:

Tim Brown and Neil Kettle of Portcullis Computer Security Ltd.


Affected systems:

All known versions of ImgSvr.


Details:

Following the Bugtraq posting "imgsvr dos exploit by n00b", which described a
remote Denial of Service of the Windows version of ImgSvr, research was carried out
which indicated that the Linux version was also vulnerable to the same attack,
although significantly more input was required.

Through further research, it was then identified that the same remote Denial of 
Service could also be caused by passing a large value to the template parameter as
follows:

GET /?template=<large value> HTTP/1.0

In both cases this led to ImgSvr failing within the internal Ada function
system__file_io__open. Due to the way the Linux implementation of the GNU Ada
compiler works to protect against stack overflows, a secondary stack of $ebp,
$eip and $esp is maintained above the primary stack. When our request causes
system__file_io__open to fail, an exception is caught by the exception handler,
which uses the values on the secondary stack in an attempt to handle the
exception gracefully. However, because we have smashed through into the $ebp
and $eip values on the secondary stack, we can influence further code
execution.
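Both ImgSvr findings hinge on the same untrusted template parameter: 06-059 lets it climb out of the web root and 06-058 lets an oversized value reach system__file_io__open. As an added example (not ImgSvr or AWS code, which is Ada), the Python below shows the server-side validation that closes both: canonicalise the value inside an assumed template directory and cap its length before any file open. The root directory, the default template name and the length cap are assumptions, and the request lines are constructed.

```python
"""Server-side validation of an ImgSvr-style 'template' query parameter.

Added example, not ImgSvr or AWS code (those are Ada).  It applies the two
checks that would close advisories 06-059 and 06-058: the resolved path must
stay inside the template directory, and the value is length-capped before it
can reach any file-open routine.  The root directory, the default template
and the length cap are assumptions.
"""
import os
from urllib.parse import parse_qs, urlsplit

MAX_TEMPLATE_LEN = 128   # assumption: 06-058 only says "a large value"


def resolve_template(template_root, template):
    """Return the absolute template path, or None when the value is rejected."""
    if not template or len(template) > MAX_TEMPLATE_LEN or "\x00" in template:
        return None
    root = os.path.realpath(template_root)
    # Strip leading separators so an absolute value is still joined under root,
    # then canonicalise (collapses '..', resolves symlinks) before comparing.
    candidate = os.path.realpath(os.path.join(root, template.lstrip("/\\")))
    # commonpath rather than startswith: '/srv/templates2' must not pass
    # as a child of '/srv/templates'.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def template_for_request(request_line, template_root, default="index.html"):
    """Parse 'GET /?template=... HTTP/1.0' and validate the template value.

    Returns the resolved path or None; a missing parameter falls back to the
    default, a repeated parameter is ambiguous and is rejected outright."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET":
        return None
    query = urlsplit(parts[1]).query
    # parse_qs percent-decodes exactly once; a double-encoded '%252e%252e'
    # becomes the literal name '%2e%2e', which stays inside the root.
    values = parse_qs(query, keep_blank_values=True).get("template", [default])
    if len(values) != 1:
        return None
    return resolve_template(template_root, values[0])


# Constructed request lines; the traversal one is the request quoted in 06-059.
SAMPLE_REQUESTS = [
    "GET /?template=gallery.html HTTP/1.0",
    "GET /?template=../../../../../../../../../../etc/passwd HTTP/1.0",
    "GET /?template=%2e%2e/%2e%2e/etc/passwd HTTP/1.0",
    "GET /?template=" + "A" * 4096 + " HTTP/1.0",
    "GET / HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        result = template_for_request(line, "/srv/imgsvr/templates")
        print(f"{line[:60]:<60} -> {result}")
```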

Impact:

An attacker could cause a Denial of Service or execute arbitrary code.
In addition, it is believed that variants of this vulnerability may exist in
other products. ImgSvr uses AWS, a generic web server implemented in Ada
which is likely to have been used in other products. In addition, the flaw
in the secondary stack implementation can be attributed to the GNU Ada compiler
and is not unique to ImgSvr.

Exploit:

The proof of concept exploit code is available.

Vendor Status:

Contacted frett27@userssourceforge.net and p.orbry@wanadoo.fr


e-mailed - 16th January 2007
e-mailed - 22nd January 2007
e-mailed - 14th February 2007
e-mailed - 15th March 2007

Copyright:

Copyright © Portcullis Computer Security Limited 2005, All rights reserved 
worldwide.

Permission is hereby granted for the electronic redistribution of this 
information. It is not to be edited or altered in any way without the express 
written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are 
NO warranties, implied or otherwise, with regard to this information or its 
use. Any use of this information is at the user's risk. In no event shall the 
author/distributor (Portcullis Computer Security Limited) be held liable for 
any damages whatsoever arising out of or in connection with the use or spread 
of this information.

["SurgeMail_73b8_fmt 06_060.txt" (text/plain)]

Portcullis Security Advisory 06-060


Vulnerable System:

SurgeMail.


Vulnerability Title:

SurgeMail is prone to a format string vulnerability.


Vulnerability discovery and development: 

Portcullis Security Testing Services discovered this vulnerability. 
Further research was then carried out.


Credit For Discovery:

Nico Leidecker - Portcullis Computer Security Ltd.


Affected systems: 

Version 3.7b8 on Linux; previous versions and other platforms may also be affected.


Details:

SurgeMail offers the ability to charge recipients a fee for receiving emails from
certain addresses. As soon as such an email comes in, a notification email
containing the amount payable is composed and sent to the user requesting payment.
A user with the privileges allowing them to change these amounts is then able to
exploit a format string vulnerability, caused by the absence of an explicit format
string where the amount value is used as the parameter to such a function.
Furthermore, the amount value can consist of arbitrary characters.


Impact:

An attacker could cause a Denial of Service or execute arbitrary code in the 
context of the server.


Exploit:

The proof of concept exploit code is available.


Vendor Status:

Vendor notified. The vulnerability has been fixed.


Copyright:

Copyright © Portcullis Computer Security Limited 2005, All rights reserved 
worldwide.

Permission is hereby granted for the electronic redistribution of this 
information. It is not to be edited or altered in any way without the express 
written consent of Portcullis Computer Security Limited.


Disclaimer: 

The information herein contained may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are NO 
warranties, implied or otherwise, with regard to this information or its use. 
Any use of this information is at the user's risk. In no event shall the 
author/distributor (Portcullis Computer Security Limited) be held liable for 
any damages whatsoever arising out of or in connection with the use or spread 
of this information.

["SurgeFTP_23a1_dos 06_061.txt" (text/plain)]

Portcullis Security Advisory 06-061




Vulnerable System:

SurgeFTP


Vulnerability Title:

The mirror mechanism allows Denial of Service.


Vulnerability discovery and development:

Portcullis Security Testing Services discovered this vulnerability.  
Further research was then carried out.


Credit for Discovery:

Nico Leidecker - Portcullis Computer Security Ltd.


Affected systems: 

Version 2.3a1 on Linux; other platforms are likely to be affected as well.


Details:

SurgeFTP provides a mirror functionality but fails to detect malformed 
command responses. This concerns the PASV command and its response from the 
mirrored server. SurgeFTP fails to parse a response to PASV properly, so it
will crash if the response is malformed.
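A strict parser for the 227 reply, added here as an example of the check the advisory says is missing; it is not SurgeFTP's code. It accepts the standard reply shape `227 ... (h1,h2,h3,h4,p1,p2)`, checks every byte before using it, and reports anything else as an error the caller can act on. The struct and function names are assumptions.

```c
#include <string.h>
#include <ctype.h>

/* Parsed result of a 227 reply.  Constructed for illustration; not SurgeFTP's code. */
struct pasv_addr {
    unsigned char ip[4];
    unsigned short port;
};

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".  Returns 0 and
 * fills *out on success, -1 for anything malformed.  Every byte is checked
 * before it is used, so a hostile or truncated reply cannot crash the
 * caller; the caller should then drop the mirror session. */
int parse_pasv_response(const char *line, struct pasv_addr *out)
{
    unsigned values[6];
    const char *p;
    int i;

    if (line == NULL || out == NULL)
        return -1;
    /* Reply code must be exactly 227 followed by a space. */
    if (strncmp(line, "227 ", 4) != 0)
        return -1;
    p = strchr(line + 4, '(');
    if (p == NULL)
        return -1;
    p++;
    for (i = 0; i < 6; i++) {
        unsigned v = 0;
        int ndigits = 0;
        while (isdigit((unsigned char)*p)) {
            v = v * 10 + (unsigned)(*p - '0');
            p++;
            if (++ndigits > 3)      /* 0..255 never needs more than 3 digits */
                return -1;
        }
        if (ndigits == 0 || v > 255)
            return -1;
        values[i] = v;
        if (i < 5) {
            if (*p != ',')
                return -1;
            p++;
        }
    }
    if (*p != ')')
        return -1;
    for (i = 0; i < 4; i++)
        out->ip[i] = (unsigned char)values[i];
    out->port = (unsigned short)(values[4] * 256 + values[5]);
    if (out->port == 0)             /* port 0 is never a valid data port */
        return -1;
    return 0;
}
```

On a -1 the mirror run should be aborted and logged rather than retried at once. Together with the respawn-and-reconnect behaviour described under Impact, unbounded immediate retries are what turn a single bad reply into a sustained outage, so a reconnect delay with backoff belongs next to the parser.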


Impact:

It may be possible for an attacker to shut down the service. By default, 
SurgeFTP respawns after a couple of seconds, but then immediately reconnects 
to the mirrored server. As long as the attacker keeps sending malformed 
PASV responses to the server, it will keep shutting down immediately after 
restarting.


Exploit:

The proof of concept exploit code is available.


Vendor Status:

Vendor notified. The vulnerability has been fixed.



["SurgeFTP_23a1_xss 06_062.txt" (text/plain)]

Portcullis Security Advisory 06-062


Vulnerable System:

SurgeFTP


Vulnerability Title:

SurgeFTP is vulnerable to Cross-site Scripting(XSS).


Vulnerability Discovery And Development: 

Portcullis Security Testing services discovered this vulnerability.  
Further research was then carried out.


Credit For Discovery:

Nico Leidecker - Portcullis Computer Security Ltd.


Affected systems: 

Version 2.3a1 on Linux, and probably other platforms.


Details:

SurgeFTP provides a web interface for managing mirrored servers. The state of 
the most recent mirroring process for each server is displayed in the overview 
screen. If SurgeFTP receives a server response whose first characters are not 
the numeric status code, an error message is printed which also includes the 
message received from the mirrored server. SurgeFTP fails to sanitise HTML and 
script code in that message.


Impact:

An attacker can gain root access on the server. In order to achieve that, he 
will have the ability to execute script code that creates an FTP user who can 
access the real root directory and acts without dropping privileges. In one 
scenario, for the next step, the attacker accesses the vulnerable host via FTP 
and uploads a modified crontab file with the intention of executing a command 
which binds a shell to a port.


Exploit:

The proof of concept exploit code is available.


Vendor Status:

Vendor notified. The vulnerability has been fixed.



["centericq_421_bo 06_063.txt" (text/plain)]

Portcullis Security Advisory 06-063

 
Vulnerable System: 

centericq

 
Vulnerability Title:

Centericq is vulnerable to multiple buffer overflows.


Vulnerability Discovery And Development: 

Portcullis Security Testing Services discovered this vulnerability. 
Further research was then carried out.


Credit for Discovery:

Nico Leidecker - Portcullis Computer Security Ltd. 


Affected systems: 

Version 4.21 on FreeBSD and the official sources were tested as vulnerable.
Previous versions, and versions running on various Linux distributions, may be
affected.

Details:

Centericq provides modules for several messaging and chat protocols. The 
modules for Yahoo, LiveJournal, Jabber and IRC are vulnerable to multiple 
buffer overflows, mainly when the user receives a notification message for 
certain events. The following list identifies the events that can trigger a 
buffer overflow.

IRC Hook
    - a user in the victim's contact list changes his nickname. The sum of the 
      lengths of his old and new nicknames has to be greater than 100.
    - a user joins or leaves a channel and the combined length of nickname and 
      real name is greater than 512.
    - the victim obtains the IRC client information from another user. The 
      information length must be greater than 512 bytes.
    - in the event message when a user gets kicked from a channel and the 
      combined length of his username and the name of the op user is greater 
      than 512.
    - a third user or the victim gets opped or deopped by an op, where the 
      combined length of username and op name is greater than 512.

Untested buffer overflows in the following modules:

Jabber Hook

    - the victim obtains the Jabber client information from another user. The 
      information length must be greater than 512 bytes.

LiveJournal Hook

    - in the notification message, when the attacker adds or removes the victim 
      to or from his friend list.

Yahoo Hook

    - in the notification message, when a user invites the victim to a 
      conference.
    - if the attacker declines a conference invitation.
    - a user joins or leaves a conference.
    - a user gets informed when he has received a new email: when the total 
      length of sender and subject is greater than 1024, a buffer overflow 
      follows.

As an example:
One of the modules is an Internet Relay Chat (IRC) module. The centericq user 
is notified of every change of nickname by any user in his contact list, and
the change is logged to a file. However, only 100 bytes are allocated for the 
log message, which includes both the old and new username. Furthermore, 
centericq fails to check the sizes of the usernames and therefore suffers from
a buffer overflow if the sum of the lengths of the old and new username is 
greater than 40 (the format string covers the remaining 60 bytes). In order to
get into the victim's contact list, the attacker simply sends a message to the
user; no channel has to be joined for that. In the next step, the attacker
changes his nickname to another name that may include arbitrary code to execute
within the context of the running centericq process. Official IRC servers may
not support usernames that are 20 bytes or longer. However, the attacker could
lead the victim to a server controlled by him to exploit these vulnerabilities.
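The fixed-buffer pattern the example above describes, reconstructed in C as an added illustration rather than centericq's code: the first function formats two unchecked names into a 100-byte buffer, the hardened one bounds the write with `snprintf`, treats a would-be truncation as an error, and a helper computes how much combined name length the buffer can actually hold. The message text, function names and `NICK_LOG_SIZE` are assumptions; only the 100-byte size comes from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define NICK_LOG_SIZE 100   /* the 100-byte log buffer the advisory describes */

/* Hypothetical reconstruction of the pattern, not centericq's code.
 * Vulnerable form: both names are copied into a fixed 100-byte buffer with
 * no length check, so long nicknames overrun the stack.  Shown only for
 * contrast; never call it with untrusted names. */
void log_nick_change_unsafe(const char *oldnick, const char *newnick)
{
    char msg[NICK_LOG_SIZE];
    sprintf(msg, "%s has changed nickname to %s", oldnick, newnick);  /* BUG: unbounded */
    (void)msg;
}

/* Hardened form: snprintf bounds the write and its return value says whether
 * the message would have been truncated.  Returns the message length on
 * success, -1 if the names do not fit (the caller then logs a fixed
 * "nickname too long" event instead).  The buffer is always NUL-terminated. */
int log_nick_change(char *out, size_t outlen, const char *oldnick, const char *newnick)
{
    int n;

    if (out == NULL || outlen == 0 || oldnick == NULL || newnick == NULL)
        return -1;
    n = snprintf(out, outlen, "%s has changed nickname to %s", oldnick, newnick);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Largest combined nickname length the fixed buffer can hold once the
 * constant text of the format string and the terminating NUL are subtracted.
 * This is the same arithmetic the advisory does (100 bytes, 60 of format
 * text, 40 left) with this example's shorter message text. */
size_t max_combined_nick_len(size_t outlen)
{
    const size_t fixed = strlen(" has changed nickname to ") + 1;
    return outlen > fixed ? outlen - fixed : 0;
}
```

Checking the `snprintf` return value is the part most often skipped: a silently truncated log line is harmless here, but in other sinks (a command line, a path) truncation itself becomes the bug, so the hardened form refuses rather than trims.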


Impact:

The attacker could cause a Denial of Service or execute arbitrary code with 
the user's privileges.


Exploit:

The proof of concept exploit code is available.


Vendor Status:

Contacted k@thekonst.net

e-mailed - 16th January 2007
e-mailed - 14th February 2007
e-mailed - 15th March 2007



["Belkin_Router_fw_40503_xss 06_64.txt" (text/plain)]

Portcullis Security Advisory 06-064
 

Vulnerable System: 

Belkin Wireless G Plus Router



Vulnerability Title: 

Belkin Wireless G Plus Router (F5D7231-4) Administration Web Interface 
Cross-site Scripting.


Vulnerability discovery and development: 

Portcullis Security Testing Services discovered this vulnerability. Further 
research was then carried out.


Credit for Discovery:

Nico Leidecker of Portcullis Computer Security Ltd.


Affected systems: 

Belkin G Plus Router (F5D7231-4), Firmware version 4.05.03, was tested as 
vulnerable.


Details:

The Belkin administration web interface is prone to a Cross-site Scripting
vulnerability. The network's administrator can view a DHCP client list in
which IP addresses, MAC addresses and hostnames are displayed. HTML and script
code that appears in a hostname is not sanitised.


Impact:

An attacker might be able to execute arbitrary script code in the 
administrator's browser.


Exploit:

There is no exploit code required.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
