http://www.gnucitizen.org/blog/default-key-algorithm-in-thomson-and-bt-home-hub-routers/
Yes, we're back with more embedded devices vulnerability research! And
yes, we're also back with more security attacks against the BT Home
Hub (most popular DSL router in the UK)!
As you know, we encourage folks in the community to team up with
GNUCITIZEN in different projects as we've had very successful
experiences doing so. This time it was Kevin Devine's turn. Kevin, who
is an independent senior security researcher, did an awesome job at
</ggr_replace>
<gr_replace lines="43-46" cat="clarify" orig="The Cisco ACE">
The Cisco ACE Application Control Engine Module and Cisco ACE 4710
Application Control Engine contain multiple vulnerabilities that, if
exploited, could result in any of the following impacts:
This security advisory identifies the following vulnerabilities:
* ACE Device Manager and ANM invalid directory permissions
vulnerability
* ANM default user credentials vulnerability
* ANM MySQL default credentials vulnerability
* ANM Java agent privilege escalation
Cisco has released free software updates that address these
vulnerabilities. A workaround that mitigates one of the issues is
The Cisco ACE Application Control Engine Module and Cisco ACE 4710
Application Control Engine Cisco ACE Module and Cisco ACE 4710
Application Control Engine contain multiple vulnerabilities that, if
exploited, can could result in any of the following impacts:
* Administrative level access via default user names and passwords
* Privilege escalation
* A denial of service (DoS) condition
Cisco has released free software updates available for affected
customers. Workarounds that mitigate some of the vulnerabilities are
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Default Credentials for root Account on the
Cisco Media Experience Engine 5600
Advisory ID: cisco-sa-20110601-mxe
Revision 1.0
the vulnerability to be successfully exploited.
Airline Product Set (ALPS)
+-------------------------
Devices configured for ALPS are vulnerable. The default TCP listening
ports for ALPS are 350 and 10000. The following example shows a
vulnerable ALPS configuration:
alps local-peer <ip address>
Devices: CMC-TC PU II DK 7320.100 SW: V2.45 HW: V3.01,
possibly other Rittal products
Attack type : XSS Type I, XSS Type II, Session prediction,
Remote command execution in default configuration
Severity: Moderate
Vendor Status: Vendor notified.
Patch already available for XSS vulnerabilities.
Other vulnerabilities will be addressed in a future
version, no release date set.
-- Vulnerability Details:
The Accellion File Transfer Appliance, prior to version FTA_8_0_562, suffers from a number of security flaws that can lead to a remote root compromise.
1. Message Routing Daemon Default Encryption Keys
The appliance ships with UDP port 8812 allowed through the firewall. The port correlates to an internal service that routes messages between backend processes. To authenticate access to this service, all messages must be encrypted with a secret key using the blowfish algorithm. The appliance ships with two default keys, neither of which is random, which results in an attacker being able to communicate with the internal processes of the appliance and perform administration tasks on the appliance itself. These two default keys are 123456789ABCDEF0123456789ABCDEF0 and 0123456789ABCDEF0123456789ABCDEF, which are expanded with MD5 to create 448-bit blowfish keys.
2. MatchRep Daemon insert_plugin_meta_info() Command Injection
Gateway products
-----------------
InterScan Web Security Suite product lines and
InterScan Web Protect for ISA
Impact: Detection is evaded but files are quarantined by default;
residual risk of an administrator deblocking a file as there is
no detection of malicious code.
InterScan Messaging Security Appliance
Impact: Detection is evaded but files are quarantined by default
Hello Susan!
If Microsoft did it, then it's good. But in my opinion it is better to do as
in Windows XP Professional: not to disable the admin account by default, but to
make the password of the default admin account similar to the password of the first admin
(during the installation process). Because if the default admin account is
enabled later (with an empty password) and one forgets to set a new password,
then it'll be much worse.
I'm not using Vista, so I can't check this issue on any of my computers. And
Advisory-ID: 200905111
Discovery Date: 3.23.2009
Release Date: 5.11.2009
Affected Applications: A-A-S 2.0.48 and possibly older versions
Class: XSRF (Cross Site Request Forgery) Arbitrary Command Execution,
Undocumented Default Password, Insecure Password Storage
Status: Vendor informed. No fix available
Vendor: Klinzmann
Vendor URL: http://www.klinzmann.name/a-a-s/index_en.html
Advisory URL: http://www.syhunt.com/advisories/?id=aas-multiple
MustLive wrote:
> Hello Susan!
>
> If Microsoft did it, then it's good. But in my opinion it is better to do
> as
> in Windows XP Professional: not to disable the admin account by default,
> but to
> make the password of the default admin account similar to the password of the first admin
> (during the installation process). Because if the default admin account is
> enabled later (with an empty password) and one forgets to set a new password,
> then it'll be much worse.
| Escalation Through | to but not | |
| Microsoft Windows Dial-Up | including | |
| Networking Interface | 4.8.02.0010 | |
|-----------------------------+------------------+---------------|
| 2. Local Privilege | All versions up | CSCsj00785 |
| Escalation Through Default | to but not | |
| cvpnd.exe File Permissions | including | |
| | 5.0.01.0600 | |
+----------------------------------------------------------------+
Note: The VPN Client for Windows software is distributed as both a
* X Display Manager Control Protocol (XDMCP)
* IBM NetBios
* Instant Messaging (depending on the particular IM client/solution
being used)
Note: UDP inspection engines may be enabled by default on Cisco ASA
Software. Please consult your user guide for more information.
The default inspected ports are listed at the following link:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_overview.html
1) Arbitrary File Manipulation in Open Journal Systems: CVE-2012-1467
1.1 Arbitrary File Deletion
Input passed via the "param" parameter to "/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php" is not properly validated before being used in the unlink() function. This can be exploited to delete arbitrary files via directory traversal sequences.
The vulnerability exists in the "iBrowser" software component, which is a built-in part of OJS 2.3.6 by default.
The following PoC (Proof-of-Concept) code is available:
http://[host]/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php?lang=en&param=delete|/../../../../../../../../../../../../../../../../../../../temp/file_to_delete
    // Dispatch on the selected attack mode; the original had a typo
    // ("case 2;") that is a PHP syntax error and is corrected here
    switch( $this->p_attack )
    {
        case 1: $this->code_exec();  break;
        case 2: $this->bf_sql_pwd(); break;
        case 3: $this->bf_usr_pwd(); break;
        default: $this->usage();
    }
    return;
}
RTSP Inspection DoS Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cisco ACE Application Control Engine Module and Cisco ACE 4710
Application Control Engine appliances configured with RTSP inspection
are affected. RTSP inspection is disabled by default.
HTTP, RTSP, and SIP Inspection DoS Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cisco ACE 4710 Application Control Engine appliances configured with
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Default Credentials for Root Account on
Tandberg E, EX and C Series Endpoints
Advisory ID: cisco-sa-20110202-tandberg
Revision 1.0
<input type="hidden" name="delete_ok" value="">
<input type="submit" value="submit" id="btn">
</form>
Successful exploitation of this vulnerability requires that Apache's directive "AcceptPathInfo" is set to "on" or "default" (default value is "default").
2) Input appended to the URL after /modules/system/admin/images/browser.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the administrator's browser session in the context of the affected website.
The following PoC code is available:
Multiple vulnerabilities exist in the Cisco Network Building Mediator
(NBM) products. These vulnerabilities also affect the legacy
Richards-Zeta Mediator products. This security advisory outlines
details of the following vulnerabilities:
* Default credentials
* Privilege escalation
* Unauthorized information interception
* Unauthorized information access
Cisco has released free software updates that address these
> -GMAIL_AT: is an alphanumeric value associated to the user and
> transmitted in the cookie. It is only known after authentication
> and starts with characters "xn3j3".
> -GX: alphanumeric value associated to the user and transmitted in
> the cookie. It is only known after authentication.
> -ui: numeric value. Can be fixed to value "2" (default value) and is
> transmitted via GET.
> -view: string value. Can be fixed to string "ma" (default value) and
> is transmitted via GET.
> -map: numeric value. Can be fixed to value "2" (default value) and
> is transmitted via POST.
Description:
Huawei D100 is a device offered by the Polish telecom operator Play to provide broadband Internet over CDMA technology, and it is already widely in use.
Overview:
The Huawei D100 firmware and its default configuration have flaws that allow LAN users to gain unauthorized full access to the device.
#1 No HTTPS support for the web interface
Communication to the web interface can be sniffed by the attacker.
#2 System doesn't force administrator to change default password upon first login
{
    // Build a CREATE TABLE statement for the table named in $rows[0].
    // (Note: the mysql_* extension used here was removed in PHP 7.)
    $dump_file.='create table `'.$rows[0]."`(\n";
    // Emit every column definition except the last, each followed by a comma
    for($j=0;$j<mysql_num_rows($result2)-1;$j++)
    {
        $rows2=mysql_fetch_array($result2);
        $dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL').",\n";
    }
    // Last column definition without a trailing comma
    $rows2=mysql_fetch_array($result2);
    $dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL')."\n";
    $type[$j]=$rows2[1];
    $dump_file.=");\n";
* The device has interfaces with IPv6 addresses
* System logging is enabled (command logging enable)
* The device is configured in any way to generate system log
message 302015 (refer to the following examples)
System log message 302015 has a default severity level of 6
(informational) so, assuming that the system administrator has not
changed this default severity level, the vulnerability can be
triggered if the device is logging to any destination at level 6 or
level 7 (debug). As an example, the following configuration is
vulnerable:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco TelePresence System Integrator C Series and Cisco TelePresence EX Series Device Default Root Account Manufacturing Error
Advisory ID: cisco-sa-20111109-telepresence-c-ex-series
Revision 1.0
For Public Release 2011 November 9 16:00 UTC (GMT)
Axesstel MV 410R is a device offered by the two leading Polish telecom
operators, Orange and Polish Telecom, to provide broadband Internet over
CDMA technology, and it is already widely in use.
Overview:
The Axesstel MV 410R firmware and its default configuration have many flaws
that allow remote unauthorized access to the device and to the internal
network behind it.
#1 Access from the Internet to device enabled by default
Anyone is able to automatically detect devices, which are online and