Security News

Re: Google's Android: remote install backdoor in Google Play Services

Full Disclosure - 20 October, 2020 - 12:37

Posted by Adrian Sanabria on Oct 20

If I recall correctly, iOS and MacOS work in much the same way. They can
push and remove software from devices at will. There are precedents of
Google and Apple using this power, generally to get rid of malware that
made it past app store detection and review mechanisms.

This isn't anything new and it has been standardized across both major
mobile platforms. Of course, that doesn't mean there aren't legal
implications, I'm...

Things to Watch!

Daily Dave - 19 October, 2020 - 08:35

Posted by Dave Aitel via Dailydave on Oct 19

It's MONDAY, and I wanted to send over the shorts we did with Chris Eng and
Ben Edwards. I think there's a lot of value in a robust question and answer
session with paper authors. Too often papers are supposed to stand on their
own without any real discussion.

(PHP IS DOUBLE PLUS UNGOOD)
https://vimeo.com/457850389/373c907909

(CVSS, an INTRODUCTION TO FAIL)
https://vimeo.com/454453494/330060fbb2

(XXE)
https://vimeo.com/464273744...

[RT-SA-2020-003] FRITZ!Box DNS Rebinding Protection Bypass

Full Disclosure - 19 October, 2020 - 07:18

Posted by RedTeam Pentesting GmbH on Oct 19

Advisory: FRITZ!Box DNS Rebinding Protection Bypass

RedTeam Pentesting discovered a vulnerability in FRITZ!Box router
devices which allows resolving DNS answers that point to IP addresses
in the private local network, despite the DNS rebinding protection
mechanism.

Details
=======

Product: FRITZ!Box 7490 and potentially others
Affected Versions: 7.20 and below
Fixed Versions: >= 7.21
Vulnerability Type: Bypass
Security Risk: low
Vendor...

Open-Xchange Security Advisory 2020-10-13

Full Disclosure - 16 October, 2020 - 12:02

Posted by Open-Xchange GmbH via Fulldisclosure on Oct 16

Dear subscribers,

We're sharing our latest advisory with you and would like to thank everyone
who contributed to finding and solving those vulnerabilities. Feel free to
join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Product: OX App Suite / OX Documents
Vendor: OX Software GmbH

Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.2,...

Re: Google's Android: remote install backdoor in Google Play Services

Full Disclosure - 16 October, 2020 - 12:02

Posted by Enrico Weigelt, metux IT consult on Oct 16

Hello folks,

In short, Google's Play Store receives notifications from Google and
installs any app that Google wants to be installed - without any further
notification or even interaction from the user.

Google silently controls your device as soon as you enter a Google account.

Actually, it's not a bug, but an on-purpose backdoor. I've published it
here, in order to let everybody know. Further actions have to be done by
the enforcement...

Java deserialization vulnerability in QRadar RemoteJavaScript Servlet

Full Disclosure - 16 October, 2020 - 12:01

Posted by Securify B.V. via Fulldisclosure on Oct 16

------------------------------------------------------------------------
Java deserialization vulnerability in QRadar RemoteJavaScript Servlet
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Java deserialization vulnerability exists in the QRadar
RemoteJavaScript Servlet. An authenticated user can call one of the
vulnerable methods and...

SEC Consult SA-20201012-0 :: Reflected Cross-Site Scripting and Unauthenticated Malicious File Upload in Sage DPW

Full Disclosure - 12 October, 2020 - 10:05

Posted by SEC Consult Vulnerability Lab on Oct 12

SEC Consult Vulnerability Lab Security Advisory < 20201012-0 >
=======================================================================
title: Reflected Cross-Site Scripting and Unauthenticated Malicious File Upload
product: Sage DPW
vulnerable version: 2020_06_000 & 2020_06_001
fixed version: 2020_06_002
CVE number: CVE-2020-26583 & CVE-2020-26584
impact:...

Cisco Webex Teams Client for Windows DLL Hijacking Vulnerability

Full Disclosure - 9 October, 2020 - 12:01

Posted by houjingyi on Oct 09

new dll hijacking scenario found by accident
<http://houjingyi233.com/2020/10/09/new-dll-hijacking-scenario-found-by-accident/>

Speaking of DLL hijacking, many people may think it is very useless.
However, I noticed researchers disclosed some special DLL hijacking
scenarios that can lead to LPE and even RCE. Some time ago, I accidentally
discovered a vulnerability in the DLL loading mechanism in Cisco Webex Teams that
can lead to LPE, and...

SEC Consult SA-20201008-0 :: Multiple Cross-Site Scripting Vulnerabilities in Confluence Marketplace Plugins

Full Disclosure - 9 October, 2020 - 05:47

Posted by SEC Consult Vulnerability Lab on Oct 09

SEC Consult Vulnerability Lab Security Advisory < 20201008-0 >
=======================================================================
title: Multiple Cross-Site Scripting Vulnerabilities
products: PlantUML, Refined Toolkit for Confluence, Linking for Confluence, Countdown Timer, Server Status
vulnerable versions: PlantUML: 6.43, Refined Toolkit for Confluence: 2.2.5, Linking for Confluence: 5.5.3, Countdown Timer:...

[RT-SA-2020-002] Denial of Service in D-Link DSR-250N

Full Disclosure - 8 October, 2020 - 06:08

Posted by RedTeam Pentesting GmbH on Oct 08

Advisory: Denial of Service in D-Link DSR-250N

RedTeam Pentesting discovered a Denial-of-Service vulnerability in the
D-Link DSR-250N device which allows unauthenticated attackers in the
same local network to execute a CGI script which reboots the device.

Details
=======

Product: D-Link DSR-250N
Affected Versions: 3.12 and potentially later
Fixed Versions: 3.17B
Vulnerability Type: DoS
Security Risk: low
Vendor URL:...

Student Result Management System 1.0 - Multiple SQL Injection Vulnerabilities

Full Disclosure - 6 October, 2020 - 12:18

Posted by b1nary on Oct 06

# Exploit Title: Student Result Management System 1.0 - Multiple SQL Injection Vulnerabilities
# Date: 2020-10-02
# Exploit Author: b1nary
# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/student-result-management-system-project-in-php/
# Software Link: https://github.com/projectworlds32/srms/archive/master.zip
# Version: 1.0
# Tested On: Linux + Apache2
# Description: Project Worlds Student Result Management System 1.0 is...

CVE-2020-24722: GAEN Protocol Metadata Deanonymization and Risk-score Inflation Issues

Full Disclosure - 6 October, 2020 - 12:18

Posted by Stefan Marsiske via Fulldisclosure on Oct 06

GAEN Protocol Metadata Deanonymization and Risk-score Inflation Issues (CVE-2020-24722)

Summary

The TX Power value in the metadata in the beacon of the GAEN protocol
used by the corona/contact tracing app allows attackers to
influence risk-score calculations in their favor; the same metadata
can also be used to deanonymize diagnosed users based on the type of
phone they are using.

Intro: GAEN Metadata in a nutshell

The beacon sent out by...

CVE-2020-25790

Full Disclosure - 6 October, 2020 - 12:17

Posted by Rodolfo Augusto do Nascimento Tavares on Oct 06

Hello, all

Could you please publish the item below? I attached the text too. Thank you.

=====[ Tempest Security Intelligence - ADV-09/2020 ]==========================

Typesetter CMS

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents]==================================================

- Overview
- Detailed description
- Timeline of disclosure
- Thanks &...

FortSIEM <= 5.2.8 RCE due to EL Injection - analysis

Full Disclosure - 6 October, 2020 - 12:17

Posted by Red Timmy Security on Oct 06

On June 21st 2020 Fortinet released a security bulletin for its
FortiSIEM product: https://www.fortiguard.com/psirt/FG-IR-20-041. All
versions of the product equal to or lower than 5.2.8 are vulnerable to an
unauthorized remote command execution via Expression Language injection.
The affected component, found and reported by the Code White guys, is an old
acquaintance of ours: the infamous Java library RichFaces.

7 months ago we publicly...

Re: Navy Federal Reflective Cross Site Scripting (XSS)

Full Disclosure - 6 October, 2020 - 12:14

Posted by Ken on Oct 06

ASC, Thanks for the follow up.

For your reference (and anyone else out there), I have verified the
exploitability of several of your CVEs in later versions of OnBase,
specifically 18.0.0.37.

CVE-2020-25254 - SQL Injection - this appears to be limited to
read-only and often requires more than basic user privileges on
(workview configuration privilege) in addition to a basic user. In EP3
these appear to always require workview configuration...

Recon Informer v1.2 - Intel for offensive systems tool.

Full Disclosure - 6 October, 2020 - 12:14

Posted by hyp3rlinx on Oct 06

import logging,os,ctypes,sys,argparse,time,re
from subprocess import *
from datetime import datetime
from pkgutil import iter_modules
import pkg_resources

#Recon Informer (c) v1.2
#By John Page (hyp3rlinx)
#ApparitionSec
#hyp3rlinx.altervista.org
#twitter.com/hyp3rlinx
#apparitionsec () gmail com
#PoC Video URL: https://www.youtube.com/watch?v=XM-G9Udbphc
#==========================================================
#v1.2 fixed: window title bug,...

XSS in krpano Panorama Viewer

Full Disclosure - 6 October, 2020 - 12:13

Posted by Adriano Marcio Monteiro on Oct 06

# Exploit Title: XSS in krpano Panorama Viewer
# Google Dork: inurl:krpano.html
# Date: 10/05/2020
# Exploit Author: Adriano Marcio Monteiro (@adrianomarcmont)
# Exploit Author Site: https://www.brztec.com
# Exploit Author E-mail: adriano () brztec com
# Exploit Author Packetstorm Bio: https://packetstormsecurity.com/files/author/11063/
# Vendor Homepage: https://krpano.com/
# Software Link: https://krpano.com/download/
# Version: <=1.20.8
#...

SEC Consult SA-20201005-0 :: Multiple Critical Vulnerabilities in RocketLinx Series

Full Disclosure - 5 October, 2020 - 10:07

Posted by SEC Consult Vulnerability Lab on Oct 05

SEC Consult Vulnerability Lab Security Advisory < 20201005-0 >
=======================================================================
title: Multiple Critical Vulnerabilities
product: RocketLinx Series
vulnerable version: See "Vulnerable / tested versions"
fixed version: 1.3.1 (partial fix)
CVE number: CVE-2020-12500, CVE-2020-12501, CVE-2020-12502, CVE-2020-12503,...

SEC Consult SA-20201002-0 :: Multiple Vulnerabilities in SevOne Network Management System (NMS)

Full Disclosure - 2 October, 2020 - 13:20

Posted by SEC Consult Vulnerability Lab on Oct 02

SEC Consult Vulnerability Lab Security Advisory < 20201002-0 >
=======================================================================
title: Multiple Vulnerabilities
product: SevOne Network Management System (NMS)
vulnerable version: 5.7.2.22
fixed version:
CVE number:
impact: Critical
homepage: https://www.sevone.com/
found: 2020-07-16
by:...

SEC Consult SA-20201001-0 :: Broken Access Control in Platinum Mobile

Full Disclosure - 2 October, 2020 - 13:17

Posted by SEC Consult Vulnerability Lab on Oct 02

SEC Consult Vulnerability Lab Security Advisory < 20201001-0 >
=======================================================================
title: Broken Access Control
product: Platinum Mobile
vulnerable version: 1.0.4.850
fixed version: 1.0.4.851
CVE number: -
impact: critical
homepage: https://www.platinumchina.com/en/products/p11
found: 2020-04-24...