Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

[ Tool ] Linux kernel module generator for custom rules with Netfilter hooking.

11 June, 2019 - 12:05

Posted by Antonio Costa on Jun 11

HiddenWall is a Linux kernel module generator for custom rules with
netfilter (block ports, hidden mode, rootkit functions, etc.). The
motivation: in a bad situation, an attacker can make your iptables/ufw fall...
but if you have HiddenWall, the attacker will not find the hidden kernel
module that blocks external access, because it has a hook into netfilter in
kernel land (think of it as a second layer for the firewall).

https://github.com/CoolerVoid/HiddenWall

[CVE-2019-12789] Telus Actiontec T2200H Local Privilege Escalation

11 June, 2019 - 12:05

Posted by Andrew Klaus on Jun 11

### Device Details
Discovered By: Andrew Klaus (andrew () aklaus ca)
Vendor: Actiontec (Telus Branded)
Model: T2200H
Affected Firmware: T2200H-31.128L.08
Device Manual:
http://static.telus.com/common/cms/files/internet/telus_t2200h_user_manual.pdf

Reported: Sept 2018
CVE: CVE-2019-12789

The Telus Actiontec T2200H is a bonded VDSL2 modem. It
incorporates 2 VDSL2 bonded links with a built-in firewall, bridge mode,
802.11bgn wireless, etc.

###...

Telus Actiontec WEB6000Q Serial Number Information Disclosure

11 June, 2019 - 12:05

Posted by Andrew Klaus on Jun 11

### Device Details
Discovered By: Andrew Klaus (andrew () aklaus ca)
Vendor: Actiontec (Telus Branded, but may work on others)
Model: WEB6000Q
Affected Firmware: 1.1.02.22

Reported: Sept 2018
CVE: Not needed since update is pushed by the provider.

### Summary of Findings

The wireless extenders use DHCP Option 125 to include device details
such as model number, manufacturer, and serial number.

The WCB6000Q DHCP DISCOVER and REQUEST...

Telus Actiontec T2200H Serial Number Information Disclosure

11 June, 2019 - 12:05

Posted by Andrew Klaus on Jun 11

### Device Details
Vendor: Actiontec (Telus Branded, but may work on others)
Model: T2200H
Affected Firmware: T2200H-31.128L.08
Device Manual:
http://static.telus.com/common/cms/files/internet/telus_t2200h_user_manual.pdf

Reported: Sept 2018
CVE: Not needed since update is pushed by the provider.

The Telus Actiontec T2200H is a bonded VDSL2 modem. It
incorporates 2 VDSL2 bonded links with a built-in firewall, bridge mode,
802.11agn wireless,...

Telus Actiontec WEB6000Q Denial of Service of Management Interface

11 June, 2019 - 12:05

Posted by Andrew Klaus on Jun 11

### Device Details
Discovered By: Andrew Klaus (andrew () aklaus ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q
Affected Firmware: 1.1.02.22

Reported: July 2018
CVE: Not needed since update is pushed by the provider.

### Summary of Findings
Querying CGI endpoints with empty (GET/POST/HEAD) requests causes a
segmentation fault of the uhttpd webserver. Since there is no watchdog
on this daemon, a device reboot is needed to restart the...

[CVE-2018-15557] Telus Actiontec WEB6000Q Remote Privilege Escalation

11 June, 2019 - 12:05

Posted by Andrew Klaus on Jun 11

### Device Details
Discovered By: Andrew Klaus (andrew () aklaus ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q
Affected Firmware: 1.1.02.22

Reported: July 2018
CVE: CVE-2018-15557

### Summary of Findings

Two instances of Linux run on the WEB6000Q. One is the “main” instance
that runs the web management server, TR-069 daemon, etc., while the
other is the "quantenna" management OS used to manage the wireless.

By...

[CVE-2018-15555 / 15556] Telus Actiontec WEB6000Q Local Privilege Escalation

11 June, 2019 - 12:05

Posted by Andrew Klaus on Jun 11

### Device Details
Discovered By: Andrew Klaus (andrew () aklaus ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q
Affected Firmware: 1.1.02.22

Reported: July 2018
CVE: CVE-2018-15555 (Main OS)
CVE: CVE-2018-15556 (Quantenna OS)

### Summary of Findings

Both “main” and “quantenna” have a UART header on the motherboard, and
each of them provides full shell + bootloader access.

While the main OS has the credentials user: root pass:...

Telus Actiontec T2200H WiFi Credential Disclosure

11 June, 2019 - 12:05

Posted by Andrew Klaus on Jun 11

### Device Details
Discovered By: Andrew Klaus (andrew () aklaus ca)
Vendor: Actiontec (Telus Branded, but may work on others)
Model: T2200H (but very likely affecting other models of theirs)
Affected Firmware: T2200H-31.128L.08
Device Manual:
http://static.telus.com/common/cms/files/internet/telus_t2200h_user_manual.pdf

Reported: July 2018
CVE: Not needed since update is pushed by the vendor.

The Telus Actiontec T2200H is bonded VDSL2...

Anviz M3 RFID Access Control security issues

29 May, 2019 - 21:04

Posted by Marco on May 29

Security issues have been found in the Anviz M3 RFID Access Control
device when working in standalone mode connected to a TCP/IP network,
which could lead to access control bypass and private information
leakage and alteration.

### Advisory information

TITLE: Anviz M3 RFID Access Control security issues
ADVISORY URL: https://github.com/wizlab-it/anviz-m3-rfid-cve-2019-11523-poc/
DATE PUBLISHED: 2019/05/22
AFFECTED VENDORS: Anviz
AFFECTED...

XSS in SSI printenv command – Apache Tomcat – CVE-2019-0221

29 May, 2019 - 21:04

Posted by Nightwatch Cybersecurity Research on May 29

[Original blog post here:
https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/]

SUMMARY

Apache Tomcat had a vulnerability in its SSI implementation which
could be used to achieve cross site scripting (XSS). This is only
exploitable if SSI is enabled and the “printenv” directive is used
which is unlikely in a production system.

The vendor has rated this as a Low severity issue. A fix...

APPLE-SA-2019-5-28-1 iTunes for Windows 12.9.5

29 May, 2019 - 21:03

Posted by Apple Product Security via Fulldisclosure on May 29

APPLE-SA-2019-5-28-1 iTunes for Windows 12.9.5

iTunes for Windows 12.9.5 is now available and addresses the
following:

SQLite
Available for: Windows 7 and later
Impact: An application may be able to gain elevated privileges
Description: An input validation issue was addressed with improved
memory handling.
CVE-2019-8577: Omer Gull of Checkpoint Research

SQLite
Available for: Windows 7 and later
Impact: A maliciously crafted SQL query may lead...

APPLE-SA-2019-5-28-2 iCloud for Windows 7.12

29 May, 2019 - 21:03

Posted by Apple Product Security via Fulldisclosure on May 29

APPLE-SA-2019-5-28-2 iCloud for Windows 7.12

iCloud for Windows 7.12 is now available and addresses the following:

SQLite
Available for: Windows 7 and later
Impact: An application may be able to gain elevated privileges
Description: An input validation issue was addressed with improved
memory handling.
CVE-2019-8577: Omer Gull of Checkpoint Research

SQLite
Available for: Windows 7 and later
Impact: A maliciously crafted SQL query may lead to...

Local Privilege Escalation via Serv-U FTP Server

29 May, 2019 - 21:03

Posted by Chris on May 29

Issue: Local Privilege Escalation
CVE: CVE-2018-19999
Security researcher: Chris Moberly @ The Missing Link Security
Product name: Serv-U FTP Server
Product version: Tested on 15.1.6.25 (current as of Dec 2018)
Fixed in: 15.1.7

# Overview
The Serv-U FTP Server is vulnerable to authentication bypass leading to
privilege escalation in Windows operating environments due to broken...

[SYSS-2019-014]: Siemens LOGO! 8 - Storing Passwords in a Recoverable Format (CWE-257)

29 May, 2019 - 20:54

Posted by Matthias Deeg on May 29

Advisory ID: SYSS-2019-014
Product: LOGO!
Manufacturer: Siemens
Affected Version(s): LOGO! 8 (all versions)
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03
Vulnerability Type: Storing Passwords in a Recoverable Format (CWE-257)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2019-04-04
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)
Public Disclosure: 2019-05-29
CVE Reference:...

[SYSS-2019-013]: Siemens LOGO! 8 - Missing Authentication for Critical Function (CWE-306)

29 May, 2019 - 20:54

Posted by Matthias Deeg on May 29

Advisory ID: SYSS-2020-013
Product: LOGO!
Manufacturer: Siemens
Affected Version(s): LOGO! 8 (all versions)
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03
Vulnerability Type: Missing Authentication for Critical Function (CWE-306)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-04-04
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)
Public Disclosure: 2019-05-29
CVE Reference:...

[SYSS-2019-012]: Siemens LOGO! 8 - Use of Hard-coded Cryptographic Key (CWE-321)

29 May, 2019 - 20:54

Posted by Matthias Deeg on May 29

Advisory ID: SYSS-2019-012
Product: LOGO!
Manufacturer: Siemens
Affected Version(s): LOGO! 8 (all versions)
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03
Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-04-04
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)
Public Disclosure: 2019-05-29
CVE Reference:...

CA20190523-01: Security Notice for CA Risk Authentication and CA Strong Authentication

29 May, 2019 - 20:54

Posted by Kevin Kotas via Fulldisclosure on May 29

CA20190523-01: Security Notice for CA Risk Authentication and CA
Strong Authentication

Issued: May 23, 2019
Last Updated: May 23, 2019

The Support team for CA Technologies, A Broadcom Company, is alerting
customers to multiple potential risks with CA Risk Authentication and
CA Strong Authentication. Multiple vulnerabilities exist that can
allow a remote attacker to gain additional access in certain
configurations or possibly gain sensitive...

Cross-site Scripting Vulnerabilities in VFront 0.99.5

29 May, 2019 - 20:49

Posted by Daniel Bishtawi on May 29

Hello,

We are informing you about the vulnerabilities we reported in VFront 0.99.5.

Here are the details:

Advisory by Netsparker
Name: Multiple Reflected Cross-site Scripting in VFront 0.99.5
Affected Software: VFront
Affected Versions: 0.99.5
Homepage: http://www.vfront.org/
Vulnerability: Reflected Cross-site Scripting
Severity: High
Status: Fixed
CVE-ID: CVE-2019-9839
CVSS Score (3.0): 7.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N...

Reflected Cross-site Scripting Vulnerability in Kanboard 1.2.7

29 May, 2019 - 20:48

Posted by Daniel Bishtawi on May 29

Hello,

We are informing you about the vulnerabilities we reported in Kanboard
1.2.7.

Here are the details:

Advisory by Netsparker
Name: Reflected Cross-site Scripting in Kanboard
Affected Software: Kanboard
Affected Versions: 1.2.7
Homepage: https://kanboard.org/
Vulnerability: Reflected Cross-site Scripting
Severity: Medium
Status: Fixed
CVE-ID: CVE-2019-7324
CVSS Score (3.0): AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Netsparker Advisory Reference:...

[CVE-2019-11604] Quest KACE Systems Management Appliance <= 9.0 kbot_service_notsoap.php METHOD Reflected Cross-Site Scripting

24 May, 2019 - 12:23

Posted by RCE Security on May 24

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: Quest KACE Systems Management Appliance
Vendor URL: www.quest.com
Type: Cross-Site Scripting [CWE-79]
Date found: 2018-09-09
Date published: 2019-05-19
CVSSv3 Score: 4.7 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
CVE: CVE-2019-11604

2. CREDITS
==========
This vulnerability was discovered and...