Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

Executable installers are vulnerable^WEVIL (case 30): clamwin-0.99-setup.exe allows arbitrary (remote) code execution WITH escalation of privilege

9 March, 2016 - 22:13

Posted by Stefan Kanthak on Mar 09

Hi @ll,

the executable installer clamwin-0.99-setup.exe (available from
<http://www.clamwin.com/download>) loads and executes DWMAPI.dll
or UXTheme.dll from its "application directory".

For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<...

Re: Windows Mail Find People DLL side loading vulnerability

9 March, 2016 - 22:12

Posted by Stefan Kanthak on Mar 09

"Securify B.V." wrote:

[...]

This vulnerability demonstrates Microsoft's terrible SLOPPY coding
horror^Wpractice: it needs two mistakes to create this kind of bug!

"%CommonProgramFiles%\System\wab32res.dll" is (as its name implies)
a resource DLL, which means that it contains no code, but only
(localized) resources, and SHOULD (better: MUST) be loaded via...

Open Vulnerability ID tracker instead of CVE. Maybe

9 March, 2016 - 22:11

Posted by op7ic \x00 on Mar 09

Hello List,

I'm growing a bit tired of the way MITRE assigns CVEs (or just ignores you),
so instead I thought some unmoderated list would be easier to manage. I
opted to keep the same format as CVE, with the exception of the first three
letters.

https://www.freeovi.com

It's a completely unmoderated generator, so feel free to use it and suggest
improvements.

Thanks

Security contact @ Gigabyte

9 March, 2016 - 22:11

Posted by Gustavo Sorondo on Mar 09

Hi list,

I'd like to know if anyone here knows someone working on security at
Gigabyte (http://www.gigabyte.com/), since we are trying to responsibly
report a high-risk security flaw we found.

We opened a ticket asking to be contacted by their security team, and the
answer we got was:

"Thanks for your interest, but we already have a security team for our
websites. Regards, GIGABYTE" (sigh)

So, if any of you knows someone in...

Re: Netgear GS105Ev2 - Multiple Vulnerabilities

9 March, 2016 - 17:15

Posted by Benedikt Westermann on Mar 09

Hi Nick,

Status remains the same. The vulnerabilities are also valid for the new version 1.4.0.6. I checked it and could still
reproduce the password reset, the XSS and the CSRF, and also found the cookie mentioned in the report after login. So,
nothing has changed with respect to the vulnerabilities.

Regards,
Benedikt

Thomson TWG850 Wireless Router Multiple Vulnerabilities

9 March, 2016 - 17:14

Posted by Sebastian Perez on Mar 09

[System Affected]
Thomson Router
HW Revision 2.0
VENDOR Thomson
BOOT Revision 2.1.7i
MODEL TWG850-4U
Software Version ST9D.01.09
Serial Number 00939902404041
Firmware Name TWG850-4U-9D.01.09-100528-S-001.bin

[Vulnerabilities]
1- Cross-Site Request Forgery
2- Unauthenticated access to resources
3- Persistent Cross-Site Scripting

[Advisory Timeline]
06-Jan-2016 - Vendor contacted through the website
11-Jan-2016 - Email sent to vendor
09-Mar-2016...

New Security Tool: MrLooquer - IPv6 Intelligence

9 March, 2016 - 17:14

Posted by Rafa Sanchez on Mar 09

Dear colleagues,

Please, allow us to introduce MrLooquer -> https://www.mrlooquer.com

MrLooquer combines open source intelligence techniques with heuristics and
data mining to perform one of the first attempts to create a real map of
IPv6 deployment and its relationship with current networks and protocols.

MrLooquer was born as an open initiative under a Creative Commons license,
focused on:
- Data discovery
- Visual intelligence
-...

CVE-2016-2563 - PuTTY/PSCP <=0.66 buffer overflow - vuln-pscp-sink-sscanf

9 March, 2016 - 17:13

Posted by oststrom (public) on Mar 09

A potential addition to your honeypots.

Author: <github.com/tintinweb>
Ref:
https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563
Version: 0.1
Date: Feb 20th, 2016

Tag: putty pscp client-side post-auth stack buffer overwrite when
processing remote file size

Overview
--------

Name: putty
Vendor: sgtatham
References: * http://www.chiark.greenend.org.uk/~sgtatham/putty/...

Advisory X41-2016-001: Memory Corruption Vulnerability in "libotr"

9 March, 2016 - 17:10

Posted by X41 D-Sec GmbH Advisories on Mar 09

X41 D-Sec GmbH Security Advisory: X41-2016-001

Memory Corruption Vulnerability in "libotr"
===========================================

Overview
--------
Severity Rating: high
Confirmed Affected Version: 4.1.0 and below
Confirmed Patched Version: libotr 4.1.1
Vendor: OTR Development Team
Vendor URL: https://otr.cypherpunks.ca
Vendor Reference: OTR Security Advisory 2016-01
Vector: Remote
Credit: X41 D-Sec GmbH, Markus Vervier
Status:...

[CORE-2016-0004] - SAP Download Manager Password Weak Encryption

9 March, 2016 - 13:28

Posted by CORE Advisories Team on Mar 09

1. Advisory Information

Title: SAP Download Manager Password Weak Encryption
Advisory ID: CORE-2016-0004
Advisory URL: http://www.coresecurity.com/advisories/sap-download-manager-password-weak-encryption
Date published: 2016-03-08
Date of last update: 2016-03-07
Vendors contacted: SAP
Release mode: Coordinated release

2. Vulnerability Information

Class: Storing Passwords in a Recoverable Format [CWE-257]
Impact: Information leak
Remotely...

[CORE-2016-0003] - Samsung SW Update Tool MiTM

9 March, 2016 - 13:25

Posted by CORE Advisories Team on Mar 09

1. Advisory Information

Title: Samsung SW Update Tool MiTM
Advisory ID: CORE-2016-0003
Advisory URL: http://www.coresecurity.com/advisories/samsung-sw-update-tool-mitm
Date published: 2016-03-07
Date of last update: 2016-03-04
Vendors contacted: Samsung
Release mode: Coordinated release

2. Vulnerability Information

Class: Cleartext Transmission of Sensitive Information [CWE-319], Insufficient Verification of Data Authenticity
[CWE-345]...

Re: Windows Mail Find People DLL side loading vulnerability

9 March, 2016 - 12:29

Posted by Securify B.V. on Mar 09

Hi Stefan,

See below.

They still use LoadLibrary() to load wab32res.dll. Previously, they
fetched a path from HKLM\Software\Microsoft\WAB\DLLPath and appended
wab32res.dll to the result, which was fed into LoadLibrary().

With MS16-025 they sanitize DLLpath using PathRemoveFileSpec(). By
default DLLPath is set to %CommonProgramFiles%\System\wab32.dll,
PathRemoveFileSpec() removes wab32.dll from the path. They also call...

LSE Leading Security Experts GmbH - LSE-2016-01-01 - Wordpress ProjectTheme - Multiple Vulnerabilities

9 March, 2016 - 02:55

Posted by LSE-Advisories on Mar 08

=== LSE Leading Security Experts GmbH - Security Advisory 2016-01-01 ===

Wordpress ProjectTheme Multiple Vulnerabilities

------------------------------------------------------------

Affected Version
================

Project Theme: 2.0.9.5

Problem Overview
================

Technical Risk: high

Likelihood of Exploitation: low

Vendor: http://sitemile.com/

Credits: LSE Leading Security Experts GmbH employee Tim Herres

Advisory:...

Windows Mail Find People DLL side loading vulnerability

8 March, 2016 - 16:49

Posted by Securify B.V. on Mar 08

------------------------------------------------------------------------
Windows Mail Find People DLL side loading vulnerability
------------------------------------------------------------------------
Yorick Koster, September 2015

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A DLL side loading vulnerability was found in the Windows Mail...

Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link)

7 March, 2016 - 03:52

Posted by Vulnerability Lab on Mar 07

Document Title:
===============
Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link)

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1778

Video: http://www.vulnerability-lab.com/get_content.php?id=1779

Release Date:
=============
2016-03-07

Vulnerability Laboratory ID (VL-ID):
====================================
1778

Common...

Re: Netgear GS105Ev2 - Multiple Vulnerabilities

4 March, 2016 - 13:50

Posted by Nick Boyce on Mar 04

JFTR, on 10th Feb Benedikt replied to me off-list as follows:

Thanks Benedikt.

Now that end hosts have been thoroughly analysed by vendors and
researchers alike, perhaps networking equipment is the new frontier
(cf: operating systems vs applications). The dire state of the
quality of the software embedded in comms hardware, for both home and
business use, is emerging from the fog to become the elephant in the
room. We seem to be caught...

McAfee VirusScan Enterprise security restrictions bypass

4 March, 2016 - 13:50

Posted by Agazzini Maurizio on Mar 04

Security Advisory @ Mediaservice.net Srl
(#01, 13/04/2016) Data Security Division

Title: McAfee VirusScan Enterprise security restrictions bypass
Application: McAfee VirusScan Enterprise 8.8 and prior versions
Platform: Microsoft Windows
Description: A local Windows administrator is able to bypass the
security restrictions and disable the antivirus engine...

Executable installers are vulnerable^WEVIL (case 29): putty-0.66-installer.exe allows arbitrary (remote) code execution WITH escalation of privilege

4 March, 2016 - 13:49

Posted by Stefan Kanthak on Mar 04

Hi,

putty-0.66-installer.exe loads and executes DWMAPI.dll or
UXTheme.dll from its "application directory".

For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <...