Security News

Pulse Secure Client < 9.1R6 TOCTOU Privilege Escalation (CVE-2020-13162)

Full Disclosure - 16 June, 2020 - 11:14

Posted by Red Timmy Security on Jun 16

Pulse Secure is recognized among the top 10 Network Access Control (NAC)
vendors by global revenue market share. The company declares that "80%
of Fortune 500 trust its VPN products by protecting over 20 million
users".

At Red Timmy Security we have discovered that Pulse Secure Client for
Windows suffers from a local privilege escalation vulnerability in the
“PulseSecureService.exe” service. Exploiting this issue allows an...

TP-LINK Cloud Cameras NCXXX DelMultiUser Stack Overflow

Full Disclosure - 16 June, 2020 - 11:14

Posted by Pietro Oliva on Jun 16

Vulnerability title: TP-LINK Cloud Cameras NCXXX DelMultiUser Stack Overflow
Author: Pietro Oliva
CVE: CVE-2020-13224
Vendor: TP-LINK
Product: NC200, NC210, NC220, NC230, NC250, NC260, NC450
Affected versions: NC200 <= 2.1.10 build 200401, NC210 <= 1.0.10 build 200401,
NC220 <= 1.3.1 build 200401, NC230 <= 1.3.1 build 200401,
NC250 <= 1.3.1 build 200401, NC260 <= 1.5.3 build_200401,...

[CVE-2020-12827] MJML <= 4.6.2 mj-include "path" Path Traversal

Full Disclosure - 16 June, 2020 - 11:10

Posted by Julien Ahrens (RCE Security) on Jun 16

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: MJML
Vendor URL: https://github.com/mjmlio/mjml/
Type: Path Traversal [CWE-22]
Date found: 2020-04-28
Date published: 2020-06-14
CVSSv3 Score: 7.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L)
CVE: CVE-2020-12827

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens...

Code (library) economics

Daily Dave - 16 June, 2020 - 05:54

Posted by Konrads Smelkovs via Dailydave on Jun 16

When I want to code something from scratch, I will often look for
libraries that help me achieve it best regardless of the language they are
written in - for common situations Python has a good ecosystem (but web
interfaces don't look so great there anymore), if it's enterprise-y, most
likely Java (which I'll use via Jython if I can help it), if it's
Windows-ish - C# with WinApi calls. Weirdly, RubyDNS/EventMachine is good
for quick...

Primordial Fire

Daily Dave - 15 June, 2020 - 10:01

Posted by Dave Aitel on Jun 15

I've moved to a part time contract with AppGate and I'm focused largely on
INFILTRATE now, which gives me some time to attend cyber policy briefings.
Most cyber policy briefings are the same 200 people, and they tend to be
held under Chatham House rules, which means they are not recorded and you
can't quote anyone directly. I'm not sure why, since getting someone in
Cyber Policy to say anything controversial is as impossible...

TheBigIndexer - Index services and leaks over the ipv4 internet

Full Disclosure - 12 June, 2020 - 21:35

Posted by Gregory Boddin on Jun 12

Hi,

I'd like to share my new current project with you all:

https://leaks.nobody.run

It's a search engine indexing open hosts on the internet. It focuses on
listing the databases and table names and keeps a history of every successful
connection.

New database software support is added on a regular basis.

It currently includes:

- mysql
- redis
- mongodb
- elasticsearch
- cassandra
- kafka
- couchdb
- mssql

Open-Xchange Security Advisory 2020-06-12

Full Disclosure - 12 June, 2020 - 11:54

Posted by Open-Xchange GmbH via Fulldisclosure on Jun 12

Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Product: OX App Suite / OX Documents
Vendor: OX Software GmbH

Internal reference: 68441, 68453, 68454 (Bug ID)
Vulnerability type: Server-Side...

Open-Xchange Security Advisory 2020-06-12

Full Disclosure - 12 June, 2020 - 11:54

Posted by Open-Xchange GmbH via Fulldisclosure on Jun 12

Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Product: OX Guard
Vendor: OX Software GmbH

Internal reference: GUARD-179
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version:...

New Release: UFONet v1.5 - [MLV] "MuLTi.V3rSe!"...

Full Disclosure - 12 June, 2020 - 11:50

Posted by psy on Jun 12

Hi Community,

I am glad to present a new release of this tool:

- https://ufonet.03c8.net

"UFONet is a free software, P2P and cryptographic -disruptive toolkit-
that allows to perform DoS and DDoS attacks; on the Layer 7 (APP/HTTP)
through the exploitation of Open Redirect vectors on third-party
websites to act as a botnet and on the Layer3 (Network) abusing the
protocol."

See these links for more info:

- UFONet schema (WebAbuse...

Web Application Firewall bypass - part 3

Full Disclosure - 9 June, 2020 - 11:45

Posted by Red Timmy Security on Jun 09

Hi,
we have published part 3 of "How to hack a company by circumventing
its WAF for fun and profit". We basically show how the usage of a single
character can be abused to skip common checks performed at layer 7 by
network devices and security appliances.

Also another case where F5 Big-IP WAF is bypassed by means of SSRF is
shown.

Full story here:...

RoyalTS SSH Tunnel - Authentication Bypass

Full Disclosure - 9 June, 2020 - 11:42

Posted by michele on Jun 09

RoyalTS SSH Tunnel - Authentication Bypass
===============================================================================

Identifiers
-------------------------------------------------
* CVE-2020-13872

CVSSv3 score
-------------------------------------------------
8.8 - [AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L&version=3.1)

Vendor...

WebUntis: Stored XSS (Filter Bypass)

Full Disclosure - 9 June, 2020 - 11:38

Posted by Robin Meis via Fulldisclosure on Jun 09

I. VULNERABILITY
-------------------------
WebUntis 2020.12.1 - (Authenticated) Cross Site Scripting

II. BACKGROUND
-------------------------
WebUntis is a tool for schools and universities to deliver electronic timetables to their students. Depending on the
activated modules, it also contains sensitive information within the integrated class-register and grade-book.
Furthermore, it supports private messaging.

III. DESCRIPTION...

CVE-2020-13432 - HFS HTTP File Server / Remote Buffer Overflow DoS

Full Disclosure - 9 June, 2020 - 11:38

Posted by hyp3rlinx on Jun 09

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/HFS-HTTP-FILE-SERVER-v2.3-REMOTE-BUFFER-OVERFLOW-DoS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.rejetto.com

[Product]
HFS Http File Server v2.3m Build 300

[Vulnerability Type]
Remote Buffer Overflow (DoS)

[CVE Reference]
CVE-2020-13432

[Security Issue]
rejetto HFS (aka HTTP File Server)...

Avaya IP Office v9.1.8.0 - 11 Insecure Transit Password Disclosure CVE-2020-7030

Full Disclosure - 9 June, 2020 - 11:38

Posted by hyp3rlinx on Jun 09

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AVAYA-IP-OFFICE-INSECURE-TRANSIT-PASSWORD-DISCLOSURE.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.avaya.com

[Product]
Avaya IP Office v9.1.8.0 - 11

IP Office Platform provides a single, stackable, scalable small
business communications system that grows with your business easily
and...

WinGate v9.4.1.5998 Insecure Permissions EoP CVE-2020-13866

Full Disclosure - 9 June, 2020 - 11:38

Posted by hyp3rlinx on Jun 09

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WINGATE-INSECURE-PERMISSIONS-LOCAL-PRIVILEGE-ESCALATION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
wingate.com

[Product]
WinGate v9.4.1.5998

WinGate is a sophisticated integrated Internet gateway and
communications server designed to meet the control,
security and email needs of...

Defense in depth -- the Microsoft way (part 69): security remarks are as futile as the qUACkery!

Full Disclosure - 5 June, 2020 - 11:31

Posted by Stefan Kanthak on Jun 05

Hi @ll,

the MSDN article "Security Considerations: Microsoft Windows Shell"
<https://msdn.microsoft.com/en-us/library/bb776776.aspx#shellexecute-shellexecuteex-and-related-functions>
has provided for MANY years the following advice for calls of ShellExecute():

| Make sure you provide an unambiguous definition of the application that is to
| be executed.
|
| * When providing the executable file's path, provide the fully...

Defense in depth -- the Microsoft way (part 68): qUACkery is futile!

Full Disclosure - 5 June, 2020 - 11:31

Posted by Stefan Kanthak on Jun 05

Hi @ll,

the help text displayed by the command line "%COMSPEC% /?" as well as the
documentation <https://msdn.microsoft.com/en-us/library/cc771320.aspx> of
Windows' command processor CMD.EXE both state:

| * Executing registry subkeys
|
| If you do not specify /d in String, Cmd.exe looks for the following
| registry subkeys:
|
| HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun\REG_SZ
|
|...

Castel NextGen DVR multiple CVEs

Full Disclosure - 5 June, 2020 - 11:22

Posted by Aaron Bishop on Jun 05

All issues are associated with Castel NextGen DVR v1.0.0 and have been
resolved in v1.0.1.

-------------------------------
CVE-2020-11679
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11679>

*Original Disclosure*
https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

*Description*
A low privileged user can call functionality reserved for an Administrator
which promotes a low privileged account...