Next Page >>
checked
SEC Consult Vulnerability Lab Security Advisory < 20110810-0 >
=======================================================================
title: Client-side remote file upload & command execution
product: Check Point SSL VPN On-Demand applications (signed
Java applet and ActiveX control)
* SSL Network Extender (SNX)
* SecureWorkSpace
* Endpoint Security On-Demand
supplied by Check Point Connectra or other security
gateways
1- [Remote Attacker] can login to hosting controller Panel. He can also change all others' passwords:
1.1- http://[HC URL]/hosting/addreseller.asp?reseller=[USERNAME] -> for ex. [USERNAME]= resadmin
1.2- Now, to login without changing the password, attacker must run "ChangeDisplay.htm" then redirect to "main.asp"
~~~~~~~~~~~~~~~~1.2.1 ChangeDisplay.htm~~~~~~~~~~~~~~~~~~~~~~~~
<script>
function check(){
_action = '/AdminSettings/displays.asp?DecideAction=1&ChangeSkin=1'
frmDisplay.action = window.document.all.URL.value + _action
return true;
}
</script>
Check Point Connectra R62 Login Script Injection Vulnerability
scip AG Vulnerability ID 4020 (09/04/2009)
http://www.scip.ch/?vuldb.4020
I. INTRODUCTION
Check Point Connectra is a so-called SSL-VPN solution, which allows
users to access a remote system using a regular web browser.
More information is available on the official product web site at the
####################
2. Vulnerabilities:
####################
2.1. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can change admin password.
2.1.1. Exploit:
Check the exploit section.
2.2. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can edit all the site info., such as admin email address.
2.2.1. Exploit:
Check the exploit section.
2.3. Insecure Direct Object Reference [in "bs_login.asp"]. Everyone can edit all the site design. (Also, all the site settings can be changed by other parameters)
2.3.1. Exploit:
Al Viro discovered a race condition in the TTY driver. A local attacker
could exploit this to crash the system, leading to a denial of service.
(CVE-2009-4895)
Gleb Napatov discovered that KVM did not correctly check certain privileged
operations. A local attacker with access to a guest kernel could exploit
this to crash the host system, leading to a denial of service.
(CVE-2010-0435)
Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly
Al Viro discovered a race condition in the TTY driver. A local attacker
could exploit this to crash the system, leading to a denial of service.
(CVE-2009-4895)
Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly
check file permissions. A local attacker could overwrite append-only files,
leading to potential data loss. (CVE-2010-2066)
Dan Rosenberg discovered that the swapexit xfs ioctl did not correctly
check file permissions. A local attacker could exploit this to read from
write-only files, leading to a loss of privacy. (CVE-2010-2226)
Al Viro discovered a race condition in the TTY driver. A local attacker
could exploit this to crash the system, leading to a denial of service.
(CVE-2009-4895)
Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly
check file permissions. A local attacker could overwrite append-only files,
leading to potential data loss. (CVE-2010-2066)
Dan Rosenberg discovered that the swapexit xfs ioctl did not correctly
check file permissions. A local attacker could exploit this to read from
write-only files, leading to a loss of privacy. (CVE-2010-2226)
4. *Vulnerable packages*
. Google SketchUp 7.0.10247
. Google SketchUp 7.1.4871
. Google SketchUp 7.1.6087
. Older versions are probably affected too, but they were not checked.
5. *Non-vulnerable packages*
. Google SketchUp 7.1.6860 (Windows)
symlink structures. If an attacker were able to trick a user or automated
system into mounting a specially crafted filesystem, it could crash the
system or exposde kernel memory, leading to a loss of privacy.
Ben Hutchings discovered that the ethtool interface did not correctly
check certain sizes. A local attacker could perform malicious ioctl calls
that could crash the system, leading to a denial of service. (Only Ubuntu
10.04 LTS was affected.) (CVE-2010-2478, CVE-2010-3084)
Eric Dumazet discovered that many network functions could leak kernel
stack contents. A local attacker could exploit this to read portions
------------------------------------------------------------------------
When a user logs into FWS, the user's IP address is stored in the
database. This is done to prevent replay of (stolen) session cookies. If
FWS is called with a session cookie from a different IP address, the
user will not be logged into FWS. The IP address is obtained using
GetUserIP(). This function first checks whether the HTTP request
contains the X-Forwarded-For or Client-IP HTTP headers. These headers
are normally set by proxy servers to expose the user's real IP
address to the webservers. If these headers are found, FWS will uses the
value of the header as the user's IP address. If these headers are
not set, FWS uses the IP address of the connecting party.
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
To be perfectly clear I was not aware of the path truncation issue
(damn!) and the use for this vulnerability was different in my mind.
If you read the discussion in [4] it was about checks. While ereg*()
functions can be poisoned by nullbytes, preg_*() and string functions
like substr() are binary safe.
So if there is a "blacklist" or negative check you can bypass it with
path normalization:
####################
2. Vulnerabilities:
####################
2.1. Directory Traversal in "/download.php" in "dfile" parameter.
2.1.1. Exploit:
Check the exploit/POC section.
2.2. Injection Flaws. SQL Injection in "/rating.php" in "book_id" parameter.
2.2.1. Exploit:
Check the exploit/POC section.
2.3. Cross Site Scripting (XSS). Reflected XSS attack in "/login.php" in URL parameters.
2.3.1. Exploit:
####################
2. Vulnerabilities:
####################
2.1. Directory Traversal in "/download.php" in "dfile" parameter.
2.1.1. Exploit:
Check the exploit/POC section.
2.2. Injection Flaws. SQL Injection in "/rating.php" in "book_id" parameter.
2.2.1. Exploit:
Check the exploit/POC section.
2.3. Cross Site Scripting (XSS). Reflected XSS attack in "/login.php" in URL parameters.
2.3.1. Exploit:
####################
2. Vulnerabilities:
####################
2.1. Directory Traversal in "/download.php" in "dfile" parameter.
2.1.1. Exploit:
Check the exploit/POC section.
2.2. Injection Flaws. SQL Injection in "/rating.php" in "book_id" parameter.
2.2.1. Exploit:
Check the exploit/POC section.
2.3. Cross Site Scripting (XSS). Reflected XSS attack in "/login.php" in URL parameters.
2.3.1. Exploit:
R7-0038: Check Point Endpoint Security Server Information Disclosure
February 7, 2011
-- Vulnerability Details:
The Check Point Endpoint Security Server and Integrity Server products inadvertently expose a number of private directories through the web interface. These directories include the SSL private keys, sensitive configuration files (often containing passwords), and application binaries.
Examples of exposed files include:
https://server/conf/ssl/apache/integrity-smartcenter.cert
make password of default admin account similar to password of first admin
(during installation process). Because if default admin account will be
enabled later (with empty password) and will forget to set new password,
than it'll be much worse.
I'm not using Vista, so I can't check this issue on any of my computers. And
I want to check it by myself - is there such issue on Vista or not. For this
I'm planning to check one notebook of my friend (with Vista). But for more
than two weeks I couldn't meet with him and take his notebook. I quickly
checked two Asus notebook of my friends (as I wrote already to bugtraq), but
there is some delay with this Acer notebook with Vista. If in near time I'll
> make password of default admin account similar to password of first admin
> (during installation process). Because if default admin account will be
> enabled later (with empty password) and will forget to set new password,
> than it'll be much worse.
>
> I'm not using Vista, so I can't check this issue on any of my
> computers. And
> I want to check it by myself - is there such issue on Vista or not.
> For this
> I'm planning to check one notebook of my friend (with Vista). But for
> more
issues can be found in plog-download.php, and plog-remote.php
As mentioned earlier this issue also allows for the download
of arbitrary files on the target web server.
elseif($type == "album" || $type == "search"){
foreach ($checked as $pid){
$query = "SELECT * FROM `".TABLE_PREFIX."pictures` WHERE
`id`='".$pid."'";
$result = run_query($query);
while ($row = mysql_fetch_assoc($result)){
ingstop
6. Change directory to the patch directory:
cd patchXXXXX
7. Within the patch directory run the following command:
./utility/iiinstaller
Please check the $II_SYSTEM/ingres/files/patch.log file to
make sure the patch was applied successfully. Also check the
$II_SYSTEM/ingres/version.rel to make sure the patch is
referenced.
Note: The patch can also be installed silently using the ‘-m'
flag with iiinstaller:
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-08-18
Last Updated: 2008-08-18
Potential Security Impact: Please check the table below
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Various potential security vulnerabilities have been identified in Microsoft software that is running on the Storage Management Appliance (SMA). Some of these vulnerabilities may be pertinent to the SMA, please check the table in the Resolution section of this Security Bulletin.
####################
2. Vulnerabilities:
####################
2.1. Injection Flaws, Cross Site Scripting (XSS). SQL Injection in "/ansFAQ.asp" in "id" parameter. Reflected XSS attack in "/ansFAQ.asp" in "topic" and "button" parameters.
2.1.1. Exploit:
Check the exploit/POC section.
2.2. Injection Flaws. SQL Injection in "preview.asp" in "template_id" parameter.
2.2.1. Exploit:
Check the exploit/POC section.
2.3. Information Leakage. Database path disclosure in "/cms/include/trigger.asp" and/or "/cms/include/common2.asp".
2.3.1. Exploit:
####################
2. Vulnerabilities:
####################
2.1. Injection Flaws, Cross Site Scripting (XSS). SQL Injection in "/ansFAQ.asp" in "id" parameter. Reflected XSS attack in "/ansFAQ.asp" in "topic" and "button" parameters.
2.1.1. Exploit:
Check the exploit/POC section.
2.2. Injection Flaws. SQL Injection in "preview.asp" in "template_id" parameter.
2.2.1. Exploit:
Check the exploit/POC section.
2.3. Information Leakage. Database path disclosure in "/cms/include/trigger.asp" and/or "/cms/include/common2.asp".
2.3.1. Exploit:
####################
2. Vulnerabilities:
####################
2.1. Injection Flaws, Cross Site Scripting (XSS). SQL Injection in "/ansFAQ.asp" in "id" parameter. Reflected XSS attack in "/ansFAQ.asp" in "topic" and "button" parameters.
2.1.1. Exploit:
Check the exploit/POC section.
2.2. Injection Flaws. SQL Injection in "preview.asp" in "template_id" parameter.
2.2.1. Exploit:
Check the exploit/POC section.
2.3. Information Leakage. Database path disclosure in "/cms/include/trigger.asp" and/or "/cms/include/common2.asp".
2.3.1. Exploit:
In this case, the host key has simply been changed, and you
should update the relevant known_hosts file as indicated in the
error message.
3. Check all OpenSSH user keys
The safest course of action is to regenerate all OpenSSH user
keys, except where it can be established to a high degree of
certainty that the key was generated on an unaffected system.
In addition to user-specific known_hosts files, there may be a
system-wide known hosts file /etc/ssh/known_hosts. This is file is
used both by the ssh client and by sshd for the hosts.equiv
functionality. This file needs to be updated as well.
3. Check all OpenSSH user keys
The safest course of action is to regenerate all OpenSSH user keys,
except where it can be established to a high degree of certainty that the
key was generated on an unaffected system.
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-04-15
Last Updated: 2008-04-15
Potential Security Impact: Please check the table below
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Various potential security vulnerabilities have been identified in Microsoft software that is running on the Storage Management Appliance (SMA). Some of these vulnerabilities may be pertinent to the SMA, please check the table in the Resolution section of this Security Bulletin.
In addition if we enter as user name: "><script>alert(/XSS/);</script>,
then we have another XSS.
B) Path Disclosure Vulnerabilities
The program checks the value of a non existent parameter. This produces
an error that discloses the absolute installation path:
http://www.example.com/cacti/graph.php?local_graph_id=1
Other vulnerable code exists since in Cacti PHP errors are displayed as
Routers that are configured with Border Gateway Protocol (BGP) can be
protected further by using the Generalized Time to Live (TTL) Security
Mechanism (GTSM) feature. GTSM allows users to configure the expected
TTL of a packet between a source and destination address. Packets that
fail the GTSM check will be dropped before TCP processing occurs, which
prevents an attacker from exploiting this vulnerability through BGP.
GTSM is implemented with the command "ttl-security hops".
Further information on protecting BGP can be found in
"Protecting Border Gateway Protocol for the Enterprise"
- linux-ti-omap4: Linux kernel for OMAP4 devices
Details:
Dan Rosenberg discovered that the RDS network protocol did not correctly
check certain parameters. A local attacker could exploit this gain root
privileges. (CVE-2010-3904)
Nelson Elhage discovered several problems with the Acorn Econet protocol
driver. A local user could cause a denial of service via a NULL pointer
dereference, escalate privileges by overflowing the kernel stack, and
=======================================================================
title: Symlink Following and Second-Order Symlink
Vulnerabilities in Multiple Check Point Security Management Products
product: Check Point Security Management
* Multi-Domain Security Management / Provider-1
* SmartCenter
vulnerable version: multiple products, see sections below
fixed version: multiple products, see sections below
CVE number: CVE-2011-2664
impact: high
Next Page>>
|
