SSD Advisory – Dasan Unauthenticated Remote Code Execution

Credit to Author: SSD / Maor Schwartz| Date: Wed, 06 Dec 2017 06:42:29 +0000

Vulnerability Summary The following advisory describes a buffer overflow that leads to remote code execution found in Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 Dasan Networks GPON ONT WiFi Router “is indoor type ONT dedicated for FTTH (Fibre to the Home) or FTTP (Fiber to the Premises) deployments. That … Continue reading SSD Advisory – Dasan Unauthenticated Remote Code Execution

Read more

SSD Advisory – Monstra CMS RCE

Credit to Author: SSD / Noam Rathaus| Date: Wed, 06 Dec 2017 06:35:44 +0000

Vulnerabilities Summary The following advisory describes a vulnerability found in Monstra CMS. Monstra is “a modern and lightweight Content Management System. It is Easy to install, upgrade and use.” The vulnerability found is a remote code execution vulnerability through an arbitrary file upload mechanism. Credit An independent security researcher, Ishaq Mohammed, has reported this vulnerability … Continue reading SSD Advisory – Monstra CMS RCE

Read more

SSD安全公告–Ikraus Anti Virus 远程代码执行漏洞

Credit to Author: SSD / Maor Schwartz| Date: Mon, 27 Nov 2017 07:50:39 +0000

漏洞概要 以下安全公告描述了在Ikraus Anti Virus 2.16.7中发现的一个远程代码执行漏洞。 KARUS anti.virus“可以保护你的个人数据和PC免受各种恶意软件的入侵。此外,反垃圾邮件模块可以保护用户免受垃圾邮件和电子邮件中的恶意软件攻击。 选择获奖的IKARUS扫描引擎,可以有效保护自己免受网络犯罪分子的侵害。 IKARUS是世界上最好的扫描引擎,它每天都在检测未知和已知的威胁。 漏洞提交者 一位独立的安全研究人员向 Beyond Security 的 SSD 报告了该漏洞 厂商响应 更新一 CVE: CVE-2017-15643 厂商已经发布了这些漏洞的补丁。获取更多信息: https://www.ikarussecurity.com/about-ikarus/security-blog/vulnerability-in-windows-antivirus-products-ik-sa-2017-0001/ 漏洞详细信息 网络攻击者(中间人攻击)可以在运行Ikraus反病毒软件的计算机上实现远程代码执行。 Windows版的Ikarus AV使用明文HTTP和CRC32校验进行更新,以及用于验证下载文件的一个更新值。 另外,ikarus检查更新版本号,通过增加更新的版本号,以推动更新进程进行更新。 在ikarus中执行更新的可执行文件是guardxup.exe guardxup.exe,通过端口80,发送更新请求如下: [crayon-5a1c8f5b8564c832670696/] 服务器响应如下: [crayon-5a1c8f5b85655113594378/] 通过代理,我们可以修改响应,将“update”值加1,并将响应转发给客户端。 然后,客户端将通过此URL请求更新:http://mirror04.ikarus.at/updates/guardxup001005048.full ikarus服务器将返回404: [crayon-5a1c8f5b8565a461056357/] 但我们可以用IKUP格式修改上述响应: [crayon-5a1c8f5b8565f465486246/] 然后,我们将修改过后的响应转发到客户端,在那里用我们的可执行文件替换guardxup.exe。 漏洞证明 安装mitmproxy 0.17 – pip install mitmproxy == 0.17 要使用这个脚本,在透明代理模式下,通过中间人80端口转发客户端的通信流量。 设置你的防火墙规则以拦截8080端口上的通信流量: [crayon-5a1c8f5b85664388983146/] 然后执行如下脚本: ./poc.py file_to_deploy.exe [crayon-5a1c8f5b85668324361117/]

Read more

SSD安全公告-思科UCS平台模拟器远程代

Credit to Author: SSD / Maor Schwartz| Date: Tue, 14 Nov 2017 12:27:06 +0000

漏洞概要 以下安全公告描述了在思科UCS平台模拟器3.1(2ePE1)中发现的两个远程代码执行漏洞。 思科UCS平台模拟器是捆绑到虚拟机(VM)中的Cisco UCS Manager应用程序,VM包含模拟思科统一计算系统(Cisco UCS)硬件通信的软件,思科统一计算系统(Cisco UCS)硬件由思科UCS Manager配置和管理。 例如,你可以使用思科UCS平台模拟器来创建和测试支持的思科UCS配置,或者复制现有的思科UCS环境,以进行故障排除或开发。 在思科UCS平台模拟器中发现的漏洞是: 未经验证的远程代码执行漏洞 经认证的远程代码执行漏洞 一名独立的安全研究者向 Beyond Security 的 SSD 报告了该漏洞。 厂商响应 厂商已经发布了该漏洞的补丁,并发布以下CVE: CVE-2017-12243 漏洞详细信息 未经验证的远程代码执行漏洞 由于用户的输入在传递给IP/settings/ping函数时没有进行充分的过滤,导致未经身份验证的攻击者可以通过ping_NUM和ping_IP_ADDR参数注入命令,这些命令将在远程机器上以root身份执行。 漏洞证明 [crayon-5a0b6be0a3646409145393/] 通过发送以上请求之一后,思科 UCS响应如下: [crayon-5a0b6be0a364d408882306/] 经认证的远程代码执行漏洞 思科UCS平台模拟器容易受到格式字符串漏洞的攻击,导致远程代码执行。 思科UCS平台模拟器默认运行一个SSH服务器,通过ssh登录的用户运行以下命令: [crayon-5a0b6be0a3651407130446/] 得到下面的响应: [crayon-5a0b6be0a3653646969713/] 可以看到,通过执行ssh“show sel %x”命令,我们用libsamvsh.so中的system函数覆写了_ZN7clidcos15CommandEmulator16cli_param_filterEPKc函数的入口。 漏洞证明 为了利用此漏洞,请按照以下说明操作: 使用以下用户名和密码在vm上安装ucspe(安装全部3个网卡): 默认的ucspe用户:ucspe 默认的ucspe密码:ucspe 运行ucspe并记下ucspe的ip地址(在控制台可以看到“Connected to IP: ….”) 在这次漏洞证明中,我们将会使用ip-192.168.1.43。 在另一台机器上打开两个终端(例如Kali) 首先,在第一个终端上执行如下操作: 创建poc目录,将poc4_ucspe_3.1.2e.py放入poc目录,然后将当前目录改为poc目录 创建fifo1: [crayon-5a0b6be0a3656341006860/] 创建输出目录: [crayon-5a0b6be0a3658354860561/] … Continue reading SSD安全公告-思科UCS平台模拟器远程代

Read more

SSD 安全公告-McAfee LiveSafe MiTM 注册表 修改导致远程执行命令漏洞

Credit to Author: SSD / Maor Schwartz| Date: Tue, 14 Nov 2017 12:11:39 +0000

漏洞概要 以下安全公告描述了在 McAfee LiveSafe (MLS) 中存在的一个远程命令执行漏洞,该漏洞影响了McAfee LiveSafe(MLS)16.0.3 之前全部版本. 之前全部版本. 漏洞允许网络攻击者通过篡改 HTTP 后端响应, 进而修改与 McAfee 更新相关的 Windows 注册表值. McAfee Security Scan Plus 是一个免费的诊断工具,通过主动地检查计算机中最新的防病毒软件、防火墙和网络安全软件更新,确保用户免受威胁,同时还会扫᧿正在运行程序中的威胁. 漏洞ᨀ交者 一家独立的安全研究公司 Silent Signal 向 Beyond Security 的 SSD 报告了该漏洞。 厂商响应 厂商已经发布针对该漏洞的补丁地址。获取更多信息: https://service.mcafee.com/webcenter/portal/cp/home/articleview?articleId=TS102714 CVE: CVE-2017-3898 漏洞详细信息 网络攻击者可以在多个 McAfee 产品中实现远程代码执行。受影响的产品会通过明文 HTTP 通道从 http://COUNTRY.mcafee.com/apps/msc/webupdates/mscconfig.asp 中检索配置数据 (其中的“COUNTRY”修改为国家的两字母标识符,例如“uk”) 响应的正文包含 XML 格式数据,类似于下面的代码: [crayon-5a0b6be0a3ef1483398647/] 上述响应᧿述了在 webservice-response/update 路径下使用 reg 标签进行注册表修改的行为。 … Continue reading SSD 安全公告-McAfee LiveSafe MiTM 注册表 修改导致远程执行命令漏洞

Read more

SSD Advisory – Cisco UCS Platform Emulator Remote Code Execution

Credit to Author: SSD / Maor Schwartz| Date: Wed, 01 Nov 2017 05:08:10 +0000

Vulnerabilities Summary The following advisory describes two remote code execution vulnerabilities found in Cisco UCS Platform Emulator version 3.1(2ePE1). Cisco UCS Platform Emulator is the Cisco UCS Manager application bundled into a virtual machine (VM). The VM includes software that emulates hardware communications for the Cisco Unified Computing System (Cisco UCS) hardware that is configured … Continue reading SSD Advisory – Cisco UCS Platform Emulator Remote Code Execution

Read more

SSD Advisory – Ikraus Anti Virus Remote Code Execution

Credit to Author: SSD / Maor Schwartz| Date: Mon, 16 Oct 2017 09:21:04 +0000

Vulnerability summary The following advisory describes an remote code execution found in Ikraus Anti Virus version 2.16.7. KARUS anti.virus “secures your personal data and PC from all kinds of malware. Additionally, the Anti-SPAM module protects you from SPAM and malware from e-mails. Prevent intrusion and protect yourself against cyber-criminals by choosing IKARUS anti.virus, powered by … Continue reading SSD Advisory – Ikraus Anti Virus Remote Code Execution

Read more

SSD Advisory – McAfee LiveSafe MiTM Registry Modification leading to Remote Command Execution

Credit to Author: SSD / Maor Schwartz| Date: Thu, 07 Sep 2017 06:14:58 +0000

Vulnerabilities Summary The following advisory describes a Remote Code Execution found in McAfee McAfee LiveSafe (MLS) versions prior to 16.0.3. The vulnerability allows network attackers to modify the Windows registry value associated with the McAfee update via the HTTP backend-response. McAfee Security Scan Plus is a free diagnostic tool that ensures you are protected from … Continue reading SSD Advisory – McAfee LiveSafe MiTM Registry Modification leading to Remote Command Execution

Read more

SSD Advisory – ScrumWorks Pro Remote Code Execution

Credit to Author: SSD / Maor Schwartz| Date: Tue, 22 Aug 2017 05:22:12 +0000

Vulnerability Summary The following advisory describes a remote code execution vulnerability found in ScrumWorks Pro version 6.7.0. “CollabNet ScrumWorks Pro is an Agile Project Management for Developers, Scrum Masters, and Business”. A trial version can be downloaded from the vendor: https://www.collab.net/products/scrumworks Credit A security researcher from, Siberas, has reported this vulnerability to Beyond Security’s SecuriTeam … Continue reading SSD Advisory – ScrumWorks Pro Remote Code Execution

Read more

SSD Advisory – Chrome Turbofan Remote Code Execution

Credit to Author: SSD / Maor Schwartz| Date: Wed, 16 Aug 2017 07:21:39 +0000

Vulnerability Summary The following advisory describes a type confusion vulnerability that leads to remote code execution found in Chrome browser version 59. Chrome browser is affected by a type confusion vulnerability. The vulnerability results from incorrect optimization by the turbofan compiler, which causes confusion between access to an object array and a value array, and … Continue reading SSD Advisory – Chrome Turbofan Remote Code Execution

Read more

SSD Advisory – Acrobat Reader DC – Stream Object Remote Code Execution

Credit to Author: SSD / Maor Schwartz| Date: Wed, 09 Aug 2017 10:50:38 +0000

Vulnerability Summary The following advisory describes a use after free vulnerability that leads to remote code execution found in Acrobat Reader DC version 2017.009.20044. Credit A security researcher from, Siberas, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program Vendor response The vendor has released patches to address this vulnerability. For more information: … Continue reading SSD Advisory – Acrobat Reader DC – Stream Object Remote Code Execution

Read more