Security Advisory in OpenX HTB23116 mentioned in SemperVideo's YouTube channel (News 07.04.2013, about OpenX from 2:33):
Monday, April 15, 2013
Saturday, April 13, 2013
HTB23149: Hero Framework 3.791 multiple XSS
![Hero Framework](http://www.heroframework.com/themes/herosite/images/logo.png)
Hero Framework version 3.791 contains 2 XSS vulnerabilities, which can be exploited to perform cross-site scripting attacks against the vulnerable application.
The vulnerabilities exist due to insufficient sanitisation of user-supplied data in the "username" HTTP GET parameter passed to the "/users/login" URL and the "error" HTTP GET parameter passed to the "/users/forgot_password" URL. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website.
Solution: upgrade to Hero Framework version 3.80.
Source: High-Tech Bridge Advisory HTB23149 - Multiple XSS in Hero Framework.
Thursday, April 11, 2013
Novell GroupWise untrusted pointer dereference exploitation
In November 2012 High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Novell GroupWise 2012. Details of the security advisory were disclosed in April 2013 (available on htbridge.blogspot.com here). The following paper demonstrates exploitation of the vulnerability to execute arbitrary code on the vulnerable system: Novell GroupWise Untrusted Pointer Dereference Exploitation.
Demonstration video available for this security publication:
Direct link to files:
Publication PDF: Novell GroupWise Untrusted Pointer Dereference
Exploit files: Novell-GroupWise-exploit.rar pass: htbridge
Friday, April 5, 2013
HTB23131: Novell GroupWise Multiple Remote Code Execution Vulnerabilities
High-Tech Bridge Security Research Lab discovered multiple untrusted pointer dereference vulnerabilities in Novell GroupWise, which could be exploited to compromise a remote system.
Short description of the untrusted pointer dereferences [CWE-822] in Novell GroupWise 2012 (CVE-2013-0804): the vulnerabilities exist due to untrusted pointer dereference errors in the following ActiveX methods:
InvokeContact() method within the ActiveX control (gwabdlg.dll, GUID {54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}), located by default in "C:\Program Files\Novell\GroupWise\gwabdlg.dll".
A remote attacker can pass an arbitrary value to the pInvokeParams argument of the InvokeContact() method and trigger the ACCESS_VIOLATION exception on a MOV EAX, DWORD PTR [EAX+4] instruction.
GenerateSummaryPage() method within the ActiveX control (gwabdlg.dll, GUID {54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}), located by default in "C:\Program Files\Novell\GroupWise\gwabdlg.dll".
A remote attacker can pass an arbitrary value to the pInvokeParams argument of the GenerateSummaryPage() method and trigger the ACCESS_VIOLATION exception on a MOV EAX, DWORD PTR [EAX+4] instruction.
SecManageRecipientCertificates() method within the ActiveX control (gwmim1.ocx, GUID {BFEC5A01-1EB1-11D1-BC96-00805FC1C85A}), located by default in "C:\Program Files\Novell\GroupWise\gwmim1.ocx".
A remote attacker can pass an arbitrary value to the lProp argument of the SecManageRecipientCertificates() method and trigger the ACCESS_VIOLATION exception on a MOV EDX,DWORD PTR DS:[ECX] instruction.
For all of these security issues the researchers presented Proof-of-Concept (PoC) code, which will crash Internet Explorer 7/8/9.
Apply GroupWise 8.0.3 Hot Patch 2 (or later) or GroupWise 2012 SP1 Hot Patch 1 to stay secure from this vulnerability. Read more at Novell Knowledgebase about this security issue: GroupWise Client for Windows Remote Untrusted Pointer Dereference Vulnerability.
Thursday, April 4, 2013
HTB23148: Symphony 2.3.1 SQL injection vulnerability
SQL injection vulnerability found in Symphony version 2.3.1
High-Tech Bridge Security Research Lab discovered a SQL injection vulnerability in Symphony, which can be exploited to alter SQL requests to the database of the vulnerable application.
The vulnerability exists due to insufficient filtration of the "sort" HTTP GET parameter passed via the "/symphony/system/authors/" URL to the "index.php" script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.
See more details at High-Tech Bridge Advisory HTB23148 - SQL Injection in Symphony.
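One way to handle a "sort" parameter like the one described above, as an added example (not Symphony's code): column names cannot be bound as query parameters, so the request value is mapped through an allowlist. The table, column names and helper functions are hypothetical, and the sample rows are constructed.

```php
<?php
// Added illustration, not Symphony's code. Table, columns and helpers are hypothetical.

// Request value => real column name. Anything not listed is never placed in SQL.
const SORT_COLUMNS = [
    'name'  => 'last_name',
    'email' => 'email',
    'seen'  => 'last_seen',
];

function authorsOrderBy($sort, $order): string
{
    // The is_string() checks also cover array input such as ?sort[]=x
    $column = (is_string($sort) && array_key_exists($sort, SORT_COLUMNS))
        ? SORT_COLUMNS[$sort]
        : 'last_name';
    $direction = (is_string($order) && strtolower($order) === 'desc') ? 'DESC' : 'ASC';

    // Only constants from this file reach the query text
    return "ORDER BY $column $direction";
}

function listAuthors(PDO $db, array $query): array
{
    $sql = 'SELECT username FROM authors '
         . authorsOrderBy($query['sort'] ?? null, $query['order'] ?? null);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data in an in-memory database
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authors (username TEXT, last_name TEXT, email TEXT, last_seen TEXT)');
$db->exec("INSERT INTO authors VALUES
    ('alice', 'Zed',  'a@example.org', '2013-04-01'),
    ('bob',   'Abel', 'b@example.org', '2013-04-03')");

// Known key: sorted by last_seen, newest first
print_r(listAuthors($db, ['sort' => 'seen', 'order' => 'desc']));

// Constructed unexpected value: ignored, the default ordering is used instead
print_r(listAuthors($db, ['sort' => 'email, constructed-extra-text', 'order' => 'asc']));
```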
HTB23146: FUDforum PHP Code Injection
![FUDforum](http://upload.wikimedia.org/wikipedia/commons/c/c5/FUDforum-logo.gif)
PHP code injection found in FUDforum 3.0.4. High-Tech Bridge Security Research Lab discovered a vulnerability in FUDforum, which can be exploited to execute arbitrary PHP code on the target system.
As described in Wikipedia, FUDforum is a free and open source Internet forum software, that is now maintained by the user community. The name "FUDforum" is an abbreviation of Fast Uncompromising Discussion forum. It is comparable to other forum software. FUDforum is customizable and has a large feature set relative to other forum packages.
The vulnerability exists due to insufficient validation of the HTTP POST parameters "regex_str", "regex_str_opt" and "regex_with" in the "adm/admreplace.php" script before they are used in the "preg_replace()" function. A remote administrator can send a specially crafted HTTP POST request to inject and execute arbitrary PHP code on the target system with the privileges of the web server.
More details about this vulnerability, the PoC code and the solution can be found in the original advisory HTB23146: PHP Code Injection in FUDforum.
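An added example (not FUDforum's code) of validating such fields before they reach preg_replace(). It assumes "regex_str_opt" carries PCRE modifier letters and allows only a small set, which excludes the legacy "e" modifier that made PHP before 7.0 evaluate the replacement as code. The helper name, the delimiter choice and the sample strings are hypothetical.

```php
<?php
// Added illustration, not FUDforum's code. safeReplace() is a hypothetical helper.

const ALLOWED_MODIFIERS = 'imsxu';   // deliberately without "e"
const DELIMITER = '#';

function safeReplace(string $pattern, string $modifiers, string $replacement, string $subject): string
{
    // 1. Modifiers: every character must come from the allowlist
    if (strspn($modifiers, ALLOWED_MODIFIERS) !== strlen($modifiers)) {
        throw new InvalidArgumentException('Unsupported regex modifier');
    }

    // 2. Pattern: refuse the delimiter and NUL bytes, so the pattern cannot be
    //    closed early and followed by modifiers of the caller's choosing
    if (strpbrk($pattern, DELIMITER . "\0") !== false) {
        throw new InvalidArgumentException('Pattern contains a forbidden character');
    }
    $regex = DELIMITER . $pattern . DELIMITER . $modifiers;

    // 3. Compile check: preg_match() returns false for an invalid expression
    if (@preg_match($regex, '') === false) {
        throw new InvalidArgumentException('Pattern does not compile');
    }

    // With the modifiers above, the replacement is only a template ($1, \1, ...)
    $result = preg_replace($regex, $replacement, $subject);
    if ($result === null) {
        throw new RuntimeException('Replacement failed');
    }
    return $result;
}

// Constructed inputs
echo safeReplace('b(a+)d', 'i', 'g$1d', 'A BAAD word'), "\n";

try {
    safeReplace('(.*)', 'e', 'x', 'some text');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```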
Tuesday, April 2, 2013
HTB23128: McAfee Virtual Technician ActiveX Control Insecure Method
The McAfee Virtual Technician ActiveX control version 6.5.0.2101 suffers from an Exposed Unsafe ActiveX Method [CWE-618]. This vulnerability can be exploited by a remote attacker to overwrite arbitrary files with garbage data on a vulnerable system.
The vulnerability exists because the ActiveX control includes the insecure "Save()" method in the "McHealthCheck.dll" DLL. This can be exploited to corrupt or create arbitrary files in the context of the current user. Proof-of-Concept (PoC) code is available on the security advisory page.
Solution: upgrade to McAfee Virtual Technician (MVT) 7.1
Related links:
McAfee Security Bulletin - McAfee MVT & ePO-MVT update fixes an "Escalation of Privileges" vulnerability
High-Tech Bridge Advisory HTB23128 - McAfee Virtual Technician ActiveX control Insecure Method.