The post Security Advisory – SOS-19-001 – XML External Entities Injection (XXE) in XNAT 1.7 appeared first on Sense of Security.
Release Date: 23-Oct-2019
Last Update: –
Vendor Notification Date: 09-Jul-2019
Product: XNAT
Platform: Linux and possibly others
Affected versions: 1.7.5.3 (confirmed) and possibly earlier versions
Severity Rating: High
Impact: System Access
Attack Vector: Remote with authentication
Solution Status: XNAT 1.7.5.4 Hotfix Release
CVE reference: CVE-2019-14276
An XML External Entity (XXE) vulnerability is an attack against an application that parses XML input. Importing an XML file that contains an XML external entity into the XNAT application permits an attacker to retrieve a local file from the web server. The attacker must be authenticated to the application. The attack occurs when the XML input contains a reference to an external entity, such as a local file on the web server. Common targets include configuration files (e.g. ASP.NET web.config) and Linux password files (e.g. /etc/shadow).
The following URL is affected: /REST/search
Please refer to the PDF version of this advisory for proof of concept code examples.
Apply patch from XNAT 1.7.5.4 Hotfix Release.
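As an added illustration of the parser-side mitigation (this is not code from the advisory or from XNAT), the Python function below refuses any request body that declares entities or references an external DTD before the document is parsed, which is the property an endpoint like /REST/search needs regardless of the vendor patch. The sample documents are constructed here, and the path in the SYSTEM identifier is a placeholder.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

class UnsafeXMLError(ValueError):
    """Raised when a document declares entities or pulls in an external DTD."""

def check_no_entities(data):
    """Refuse DTD content that could make the parser read local files or remote URLs.

    Raising at the first entity declaration stops both external entities
    (SYSTEM ids such as file://...) and internal entity-expansion bombs
    before any element content is handled.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if sysid or pubid:  # external DTD: could itself define entities
            raise UnsafeXMLError(f"external DTD in DOCTYPE {name}: {sysid or pubid}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration {name!r} (system id {sysid!r})")

    def on_external_ref(context, base, sysid, pubid):  # defence in depth
        raise UnsafeXMLError(f"external entity reference {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)

def parse_untrusted(data):
    """Parse XML from an authenticated but untrusted client, e.g. a search request body."""
    check_no_entities(data)
    return ET.fromstring(data)

def is_safe_xml(data):
    try:
        check_no_entities(data)
        return True
    except UnsafeXMLError:
        return False

# Constructed sample inputs for this example (not the advisory's proof of concept).
BENIGN = b"<search><field>subject_id</field><value>S001</value></search>"
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE search [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>'
       b"<search><field>&ext;</field></search>")
```

Malformed XML still raises the usual expat.ExpatError from the gate; only well-formed documents without DTD entities reach ET.fromstring.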
Additional information is available at:
https://wiki.xnat.org/news/blog/2019/08/xnat-1-7-5-4-hotfix-release-now-available
https://wiki.xnat.org/documentation/getting-started-with-xnat/what-s-new-in-xnat/xnat-1-7-5-4-release-notes
Hamed Merati from Sense of Security Labs.
The post Security Advisory – SOS-18-003 – Inteset Secure Lockdown appeared first on Sense of Security.
Release Date: 25-Oct-2018
Last Update: –
Vendor Notification Date: 23-Feb-2018
Product: Inteset Secure Lockdown Standard Edition
Platform: Tested on Microsoft Windows 7, 8.1 and 10
Affected versions: Tested versions v2.00.160 to v2.00.196
Severity Rating: High
Impact: Privilege escalation, security bypass
Attack Vector: From local system
Solution Status: Currently no solution
CVE reference: Not yet assigned
The Inteset Secure Lockdown desktop application allows the use of the deprecated SHA-1 hash function to store the Inteset administrator’s password in the Windows registry.
The hash can be found at the following registry location: HKEY_CURRENT_USER\Software\Inteset\SecureLockdown_v2\Password
By design, the above key is readable and writable by the logged-in user. This allows an attacker to view or edit the registry while the application is running and replace the stored hash with a self-generated hash of a known plain-text value. More recent versions of the application use a stronger PKCS1 RSA function to store the password, though the stored value is still susceptible to being replaced with an attacker-known value to escalate permissions.
Once the hash has been replaced the user can open Inteset using the ‘alt + shift + s’ key combination and enter the newly configured password to take control of the locked down system.
Please refer to the PDF version of this advisory for proof of concept code examples.
No vendor supplied solution has been offered.
Nathaniel Carew from Sense of Security Labs.
The post Security Advisory – SOS-18-002 – CA Workload Automation AE SQL Injection appeared first on Sense of Security.
Release Date: 29-Mar-2018
Last Update: –
Vendor Notification Date: 17-Oct-2017
Product: CA Workload Automation AE
Platform: Microsoft Windows
Affected versions: CA Workload Automation AE r11.3.5, r11.3.6 SP6 and earlier
Severity Rating: Medium
Impact: Exposure of sensitive information and exposure of system information
Attack Vector: Remote with authentication
Solution Status: CA Workload Automation AE Release 11.3.6 SP7
CVE reference: CVE-2018-8953
CA Workload Automation AE (AutoSys Edition) is a workload automation tool supplied by CA Technologies. CA Workload Automation AE suffers from SQL injection vulnerabilities because it fails to validate user-supplied data before using it in a SQL query.
Please refer to the PDF version of this advisory for proof of concept code examples.
Apply patch from CA Workload Automation AE Release 11.3.6 SP7 released on 2 March 2018.
Additional information is available here.
Hamed Merati from Sense of Security Labs.
The post Security Advisory – SOS-18-001 – CA Workload Automation AE RCE appeared first on Sense of Security.
Release Date: 29-Mar-2018
Last Update: –
Vendor Notification Date: 25-Oct-2017
Product: CA Workload Automation AE
Platform: Windows
Tested versions: CA Workload Control Center (CA WCC) r11.4 SP5 and earlier
Severity Rating: High
Impact: System Access
Attack Vector: Remote with authentication
Solution Status: CA WCC Release 11.4 SP6
CVE reference: CVE-2018-8954
CA Workload Automation AE (AutoSys Edition) is a workload automation tool supplied by CA Technologies. Apache MyFaces is an implementation of JavaServer Faces (JSF). CA Workload Automation AE uses MyFaces client-side ViewState and has the default encryption (org.apache.myfaces.USE_ENCRYPTION) disabled.
As a result, the attacker can send a malicious serialised payload in the ViewState back to the server. MyFaces will try to deserialise the provided ViewState and the payload will be executed even before the deserialisation of the ViewState has ended.
This allows an authenticated remote attacker to conduct remote code execution attacks and obtain system level access.
All URLs that accept the javax.faces.ViewState parameter are vulnerable to this attack.
Please refer to the PDF version of this advisory for proof of concept code examples.
Apply patch from CA WCC Release 11.4 SP6 released on 8 March 2018.
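An added configuration check, not part of the advisory or of CA's product: the Python audit below parses a JSF web.xml and flags the combination the advisory describes, client-side state saving with org.apache.myfaces.USE_ENCRYPTION set to false, next to a hardened descriptor. Both descriptors are constructed for this example; javax.faces.STATE_SAVING_METHOD is the standard JSF parameter that selects client- or server-side state.

```python
import xml.etree.ElementTree as ET

# Both descriptors are constructed for this example; neither is CA WCC's own web.xml.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>
  <context-param>
    <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>"""

# Hardened: state stays on the server, so javax.faces.ViewState carries only a reference,
# and the MyFaces encryption default (enabled) is left in place.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
  </context-param>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the web-app namespace prefix

def context_params(web_xml):
    """Map each <context-param> name to its value, whichever web-app schema is declared."""
    params = {}
    for cp in ET.fromstring(web_xml).iter():
        if _local(cp.tag) == "context-param":
            fields = {_local(c.tag): (c.text or "").strip() for c in cp}
            if "param-name" in fields:
                params[fields["param-name"]] = fields.get("param-value", "")
    return params

def audit_viewstate(web_xml):
    """Return findings about how javax.faces.ViewState is protected in this descriptor."""
    p = context_params(web_xml)
    # JSF defaults to server-side state saving; MyFaces defaults to encrypting client state.
    method = p.get("javax.faces.STATE_SAVING_METHOD", "server").lower()
    encrypt = p.get("org.apache.myfaces.USE_ENCRYPTION", "true").lower()
    findings = []
    if method == "client" and encrypt != "true":
        findings.append("HIGH: client-side ViewState with USE_ENCRYPTION=false: the serialized "
                        "state sent back in javax.faces.ViewState is fully attacker-controlled")
    elif method == "client":
        findings.append("INFO: client-side ViewState depends on the MyFaces encryption secret; "
                        "server-side state saving means the client no longer supplies the state")
    return findings
```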
Additional information is available at: CA Support.
Hamed Merati and Kacper Nowak from Sense of Security Labs.
The post Security Advisory – SOS-17-001 – Emsisoft Anti-Malware Behavior Blocker Bypass appeared first on Sense of Security.
Release Date: 10-Feb-2017
Last Update: –
Vendor Notification Date: 20-Jan-2017
Product: Emsisoft Anti-Malware
Platform: Microsoft Windows 8/8.1/10
Affected versions: a2hooks32.dll 10.0.0.218
Severity Rating: Medium
Impact: Security bypass
Attack Vector: From local system
Solution Status: Vendor patch
CVE reference: Not yet assigned
Emsisoft Anti-Malware injects user mode hooks into each running process via a2hooks32.dll. The hooks allow Emsisoft Anti-Malware to analyse the behaviour of the process and alert the user when malware actions are suspected, such as listening on a port or interacting with other processes.
The issue exists in the dynamic library a2hooks32.dll as it can be unloaded from memory without alerting the user. A malware developer can unload the hooks to bypass the Behavior Blocker.
Please refer to the PDF version of this advisory for proof of concept code examples.
Emsisoft fixed the issue in the latest version by making the hooks DLL statically linked.
Ayman Sagy from Sense of Security Labs.