Subscribe: SecuriTeam Blogs
http://blogs.securiteam.com/?feed=rss2
Added By: Feedage Forager Feedage Grade A rated
Language: English
Tags:
advisory –  advisory  continue reading  continue  hack win  reading  sophos  ssd advisory  ssd  unauthenticated  vulnerabilities   
Rate this Feed
Rate this feedRate this feedRate this feedRate this feedRate this feed
Rate this feed 1 starRate this feed 2 starRate this feed 3 starRate this feed 4 starRate this feed 5 star

Comments (0)

Feed Details and Statistics Feed Statistics
Preview: SecuriTeam Blogs

SecuriTeam Blogs



We pay more for vulnerabilities



Last Build Date: Tue, 23 Jan 2018 14:30:42 +0000

 



SSD安全公告-希捷个人云存储设备多个漏洞

Mon, 22 Jan 2018 12:07:17 +0000

漏洞概要 以下安全公告描述两个未经身份验证的命令注入漏洞。 希捷个人云家庭媒体存储设备是“存储,整理,流式传输,共享所有音乐,电影,照片和重要文档的最简单的方式”。 漏洞提交者 一位独立的安全研究人员Yorick Koster向 Beyond Security 的 SSD 报告了该漏洞。 厂商响应 希捷在10月16日被告知该漏洞,虽然已确认收到漏洞信息,但拒绝回应(我们给出的)技术细节,也没有给出确定的修复时间或是协调报告。 CVE:CVE-2018-5347 漏洞详细信息 Seagate Media Server使用Django Web框架并映射到.psp扩展名。 任何以.psp结尾的URL都会使用FastCGI协议自动发送到Seagate Media Server应用程序。 /etc/lighttpd/conf.d/django-host.conf: [crayon-5a681d8dcce30594711750/] URL被映射到文件/usr/lib/django_host/seagate_media_server/urls.py中特定的views。 有两个views受到未经认证的命令注入漏洞的影响。 受影响的views是: uploadTelemetry getLogs 这些views从GET参数获取用户输入,并将这些未经验证/解析的参数传递给Python模块相应的函数。 这允许攻击者注入任意的系统命令,这些命令将以root权限执行。 /usr/lib/django_host/seagate_media_server/views.py: [crayon-5a681d8dcce39455703847/] /usr/lib/django_host/seagate_media_server/views.py: [crayon-5a681d8dcce3c908965059/] 请注意,这两个views都包含csrf_exempt decorator,它会禁用Django的默认开启的CSRF保护。 因此,这些问题可以通过跨站请求伪造来进行利用。 漏洞证明 下面的漏洞验证代码将尝试启用SSH服务,并更改root密码。 如果成功,则可以使用新密码通过SSH登录设备。 [crayon-5a681d8dcce40119514213/]



SSD安全公告-Sophos XG从未经身份验证的存储型XSS漏洞到Root访问

Mon, 22 Jan 2018 11:52:38 +0000

漏洞概要 以下安全公告描述了在Sophos XG 17中发现的一个存储型XSS漏洞,成功利用该漏洞可以获取root访问。 Sophos XG防火墙“全新的控制中心为用户的网络提供前所未有的可视性。可以获得丰富的报告,还可以添加Sophos iView,以便跨多个防火墙进行集中报告。“ 漏洞提交者 一位独立的安全研究人员向 Beyond Security 的 SSD 报告了该漏洞 厂商响应 Sophos已被告知这个漏洞,他们的回应是: 12月11日,我们收到并确认您提交的问题 12月12日,我们确认了这个问题,并开始进行修复 12月20日,我们发布了XGv17 MR3的官方修复:https:https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-17-0-3-mr3-released 12月29日,我们完成了对之前发布的XGv16,v16.5,v17版本的修复 12月31日,我们根据您的要求发布了我们的安全公告:https://community.sophos.com/kb/en-us/128024?elqTrackId=3a6db4656f654d65b352f526d26c6a17&elq=1514ab02d2764e8cb73e6b0bdbe7e7be&elqaid=2739&elqat=1&elqCampaignId=27053 CVE:CVE-2017-18014 漏洞详细信息 未经身份验证的用户可以在webadmin界面中的WAF日志页面(控制中心 – >日志浏览器 – >,在过滤器选项“Web服务器保护”中)中触发存储型XSS漏洞,该漏洞可执行防火墙webadmin 可以执行的任何动作(创建新的用户/ 启用ssh和添加ssh授权密钥等)。 为了触发这个漏洞,我们将演示以下场景: Sophos XG Firewall配置3个区域:Trusted,Untrusted,DMZ WEB服务器被放置在DMZ中 防火墙使用Sophos推荐的默认Web应用防火墙(WAF)保护Web服务器。 来自Untrusted网络的攻击者向DMZ中的Web服务器发送URL请求,造成到脚本注入WAF日志页面 来自Trusted的管理员访问WAF日志页面 没有任何其他交互或警告,脚本向管理用户添加一个SSH授权密钥,并允许来自Untrusted的ssh管理。 攻击者获得完整的root ssh shell Sophos XG WAF日志页面将执行POST请求中“User-Agent”参数。 漏洞证明 Sophos XG配置: 防火墙接口可信 – 192.168.10.190端口A. 防火墙接口不可信 – 192.168.0.192端口B. … Continue reading SSD安全公告-Sophos XG从未经身份验证的存储型XSS漏洞到Root访问



SSD Advisory – Hack2Win – Asus Unauthenticated LAN Remote Command Execution

Mon, 22 Jan 2018 11:50:36 +0000

Vulnerabilities Summary The following advisory describes two (2) vulnerabilities found in AsusWRT Version 3.0.0.4.380.7743. The combination of the vulnerabilities leads to LAN remote command execution on any Asus router. AsusWRT is “THE POWERFUL USER-FRIENDLY INTERFACE – The enhanced ASUSWRT graphical user interface gives you easy access to the 30-second, 3-step web-based installation process. It’s also … Continue reading SSD Advisory – Hack2Win – Asus Unauthenticated LAN Remote Command Execution



Hack2Win eXtreme

Mon, 22 Jan 2018 08:40:05 +0000

Hack2Win is a hacking competition we launched 5 years ago. The competition had so far two flavors – Hack2Win Online and Hack2Win CodeBlue. We decided to go big this year and with Hack2Win eXtreme! Hack2Win eXtreme will focus on two primary targets, browsers and mobile. We have up to $500,000 USD to give away! The … Continue reading Hack2Win eXtreme



SSD Advisory – GitStack Unauthenticated Remote Code Execution

Mon, 15 Jan 2018 12:22:25 +0000

Vulnerability Summary The following advisory describes an unauthenticated action that allows a remote attacker to add a user to GitStack and then used to trigger an unauthenticated remote code execution. GitStack is “a software that lets you setup your own private Git server for Windows. This means that you create a leading edge versioning system … Continue reading SSD Advisory – GitStack Unauthenticated Remote Code Execution



SSD Advisory – Seagate Personal Cloud Multiple Vulnerabilities

Thu, 11 Jan 2018 13:45:21 +0000

Vulnerabilities summary The following advisory describes two (2) unauthenticated command injection vulnerabilities. Seagate Personal Cloud Home Media Storage is “the easiest way to store, organize, stream and share all your music, movies, photos, and important documents.” Credit An independent security researcher, Yorick Koster, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program Vendor … Continue reading SSD Advisory – Seagate Personal Cloud Multiple Vulnerabilities



SSD Advisory – Sophos XG from Unauthenticated Persistent XSS to Unauthorized Root Access

Mon, 08 Jan 2018 06:21:27 +0000

Vulnerability Summary The following advisory describes an unauthenticated persistent XSS that leads to unauthorized root access found in Sophos XG version 17. Sophos XG Firewall “provides unprecedented visibility into your network, users, and applications directly from the all-new control center. You also get rich on-box reporting and the option to add Sophos iView for centralized … Continue reading SSD Advisory – Sophos XG from Unauthenticated Persistent XSS to Unauthorized Root Access



Happy New Year 2018 – Challenge Solution

Mon, 08 Jan 2018 06:15:57 +0000

In our post found here: https://blogs.securiteam.com/index.php/archives/3616, we hid a challenge. The challenge was split into two parts: 1. Finding it 2. Solving it Finding it wasn’t very hard, the challenge was hidden inside the image, it wasn’t anything fancy, just inside the image you had a zip file appended to the end of the file: … Continue reading Happy New Year 2018 – Challenge Solution



SSD Advisory–D-Link DSL-6850U多个漏洞

Sun, 07 Jan 2018 06:28:24 +0000

漏洞概要 以下安全公告描述了在D-Link DSL-6850U BZ_1.00.01 – BZ_1.00.09中的发现的两个漏洞。 D-Link DSL-6850U是一款“以色列Bezeq制造的路由器”,在这款路由器中发现的漏洞是: 默认凭证 远程命令执行 漏洞提交者 一位独立的安全研究人员向 Beyond Security 的 SSD 报告了该漏洞 厂商响应 Bezeq在6月9日被告知了这个漏洞,并且发布了补丁来解决这些漏洞。 漏洞详细信息 该设备定制的固件存在以下问题: 默认启用远程Web管理 不能禁用默认帐户 默认凭证 默认帐户用户名是:support 密码是:support 远程命令执行 shell界面只允许执行一组内置命令,但是你可以通过’&’ ‘||’ 插入命令到shell: [crayon-5a681d8dd0367558670729/] 上述命令执行后返回一个BusyBox shell



Know your community – Sergi Alvarez AKA Pancake

Thu, 04 Jan 2018 11:13:19 +0000

The creator of Radare2, vulnerability researcher, chef and a family man – meet Sergi Alvarez also known as Pancake! Questions Q: How many years have you been working in the security field? A: I started programming BASIC in Spectrum and PC/M. Then I switched to MSDOS and assembly (TASM) as a main language. From there … Continue reading Know your community – Sergi Alvarez AKA Pancake



SSD Advisory – Livebox Fibra (Orange Router) Multiple Vulnerabilities

Wed, 03 Jan 2018 06:33:51 +0000

Vulnerabilities Summary The following advisory describes four (4) vulnerabilities found in Livebox Fibra router version AR_LBFIBRA\_sp-00.03.04.112S. It is possible to chain the vulnerabilities into remote code execution. The “Livebox Fibra” router is “manufactured by Arcadyan for Orange and Jazztel in Spain” The vulnerabilities found in Arcadyan routers are: Unauthenticated configuration information leak Hard-coded credentials Memory … Continue reading SSD Advisory – Livebox Fibra (Orange Router) Multiple Vulnerabilities



Happy New Year – 2018

Tue, 02 Jan 2018 14:35:57 +0000

Happy new year everyone! Hope you had the chance to celebrate and think about all the good things that happened to you in 2017. We have a nice surprise for you – this link is worth 1,000$ USD !* *You don’t need to hack the website, the money is out there in the link* We … Continue reading Happy New Year – 2018



SSD Advisory – D-Link DSL-6850U Multiple Vulnerabilities

Mon, 01 Jan 2018 10:41:38 +0000

Vulnerabilities Summary The following advisory describes two (2) vulnerabilities found in D-Link DSL-6850U versions BZ_1.00.01 – BZ_1.00.09. D-Link DSL-6850U is a router “manufactured by D-Link for Bezeq in Israel” The vulnerabilities found are: Default Credentials Remote Command Execution Credit An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. Vendor … Continue reading SSD Advisory – D-Link DSL-6850U Multiple Vulnerabilities



SSD安全公告-vBulletin routestring未经验证的远程代码执行

Sun, 31 Dec 2017 06:31:17 +0000

漏洞概要 以下安全公告描述了在vBulletin5中发现的一个未经身份验证的文件包含漏洞,成功利用该漏洞可造成远程代码执行。 vBulletin也称为vB,由vBulletin Solutions公司基于PHP和MySQL开发,广泛用于搭建网络论坛。 vBulletin为许多网络大型的社交网站提供技术支持,数量超过10万,其中包括财富500强和Alexa Top 1M公司的网站和论坛。根据最新的W3Techs1统计,vBulletin 4拥有超过55%的vBulletin市场份额,而vBulletin 3和vBulletin 5则占剩下的45%。 漏洞提交者 一位独立的安全研究人员向 Beyond Security 的 SSD 报告了该漏洞 厂商响应 自2017年11月21日起,我们多次尝试联系vBulletin,但是暂时没有得到回复。目前,漏洞暂时还没有解决方案。 漏洞详细信息 vBulletin存在一个漏洞,导致远程攻击者可以从vBulletin服务器中包含任意文件并执行PHP代码。 未经身份验证的用户可以向/index.php发送GET请求,然后使用参数routestring =触发文件包含漏洞。 该请求允许攻击者向安装在Windows操作系统上的Vbulletin服务器创建精心制作的请求,并在Web服务器上包含任意文件。 /index.php 部分代码: [crayon-5a681d8dd183d359287595/] 让我们仔细看看vB5_Frontend_Application :: init — /includes/vb5/frontend/application.php部分代码: [crayon-5a681d8dd1847524525678/] 我们可以看到setRoutes()被调用 /includes/vb5/frontend/routing.php部分代码: [crayon-5a681d8dd184c264701291/] 因此,如果我们的字符串不以’.gif,‘.png’,’.jpg’,’.css’或者‘’结尾并且不包含’/’字符,vBulletin会从vB5_Frontend_Controller_Relay中调用legacy() /includes/vb5/frontend/controller/relay.php部分代码: [crayon-5a681d8dd185b262850089/] 如果我们从Api_Interface_Collapsed类中检查relay() /include/api/interface/collapsed.php部分代码: [crayon-5a681d8dd185e719589495/] 正如我们所看到的,攻击者无法在$文件中使用“/”,所以不能在Linux上更改当前目录。但是对于Windows而言,可以使用’\’作为路径分隔符,通过PHP包含任意所需的文件(也可以使用’\ .. \’技巧)。 如果我们想包含扩展名为’.gif’,’.png’,’.jpg’,’.css’或’’这样的文件,需要绕过setRoutes()方法里面的过滤,绕过很容易,可以通过添加点(’.’)或空格(’%20’)到文件名来绕过。 完整的漏洞证明 我们可以通过发送下面的GET请求来检查服务器是否有漏洞: /index.php?routestring=.\\ 如果回显是: 那么服务器存在漏洞 如果我们想要在服务器上的任何文件中注入一个php代码,我们可以使用access.log例如: /?LogINJ_START=< ?php phpinfo();?>LogINJ_END … Continue reading SSD安全公告-vBulletin routestring未经验证的远程代码执行



SSD Advisory – Kingsoft Antivirus/Internet Security 9+ Privilege Escalation

Tue, 26 Dec 2017 10:03:53 +0000

Vulnerability Summary The following advisory describes a kernel stack buffer overflow that leads to privilege escalation found in Kingsoft Antivirus/Internet Security 9+. Kingsoft Antivirus “provides effective and efficient protection solution at no cost to users. It applies cloud security technology to monitor, scan and protect your systems without any worrying. The comprehensive defender and anti-virus … Continue reading SSD Advisory – Kingsoft Antivirus/Internet Security 9+ Privilege Escalation



SSD Advisory – Trustwave SWG Unauthorized Access

Tue, 26 Dec 2017 07:07:13 +0000

Vulnerability Summary The following advisory describes an unauthorized access vulnerability that allows an unauthenticated user to add their own SSH key to a remote Trustwave SWG version 11.8.0.27. Trustwave Secure Web Gateway (SWG) “provides distributed enterprises effective real-time protection against dynamic new malware, strong policy enforcement, and a unique Zero-Malware Guarantee when managed for you … Continue reading SSD Advisory – Trustwave SWG Unauthorized Access