seclist.org

Subscribe to the seclist.org feed
A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
Updated: 1 hour 23 minutes ago
April 3, 2020

MicroStrategy Intelligence Server and Web 10.4 - multiple vulnerabilities

Posted by Red Timmy Security on Apr 03

Hi,
early last autumn we have conducted an assessment on MicroStrategy
Intelligence Server & Web 10.4, that brought to the discovery of six
different vulnerabilities and recently at the registration of a total of
five CVE(s).

CVE-2020-11450 - Information Disclosure in Axis2 Happiness Page
Microstrategy Web 10.4 and possibly above exposes JVM configuration, CPU
architecture, installation folder and other info through the URL...
April 3, 2020

Recon-Informer v1 - Intel for offensive systems tool.

Posted by hyp3rlinx on Apr 03

import logging,os,ctypes,sys,argparse,time,re
from subprocess import *
from datetime import datetime
from pkgutil import iter_modules
import pkg_resources

#Recon-Informer (c)
#By John Page (Hyp3rlinx)
#ApparitionSec
#hyp3rlinx.altervista.org
#twitter.com/hyp3rlinx
#apparitionsec () gmail com
#PoC Video URL: https://www.youtube.com/watch?v=XM-G9Udbphc
#==========================================================
#
#Recon-Informer is a basic...
March 31, 2020

Defense in depth -- the Microsoft way (part 66): attachment manager allows to load arbitrary DLLs

Posted by Stefan Kanthak on Mar 31

Hi @ll,

this is the continuation of the previous posts
<https://seclists.org/fulldisclosure/2020/Mar/45> and
<https://seclists.org/fulldisclosure/2020/Mar/48>.

(Un)fortunately the IOfficeAntiVirus interface (see
<https://support.microsoft.com/en-us/help/914922/microsoft-windows-defender-helps-provide-real-time-protection>)
has at least another weakness which also allows (unprivileged users) to
load arbitrary DLLs into web...
March 31, 2020

Re: Defense in depth -- the Microsoft way (part 64): Windows Defender loads and executes arbitrary DLLs

Posted by Stefan Kanthak on Mar 31

"Paul Szabo" <paul.szabo () sydney edu au> wrote:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus

Yes, partially: this vulnerability allows unprivileged users
a) to bypass "on-demand" scans of files downloaded from the internet
or other computers (which are initiated by the attachment manager),
b) to load an...
March 31, 2020

TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference

Posted by Pietro Oliva on Mar 31

Vulnerability title: TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference
Author: Pietro Oliva
CVE: CVE-2020-10231
Vendor: TP-LINK
Product: NC200, NC210, NC220, NC230, NC250, NC260, NC450
Affected version: NC200 <= 2.1.8 build 171109, NC210 <= 1.0.9 build 171214,
NC220 <= 1.3.0 build 180105, NC230 <= 1.3.0 build 171205,
NC250 <= 1.3.0 build 171205, NC260 <= 1.5.1 build 190805,...
March 31, 2020

Re: Defense in depth -- the Microsoft way (part 64): Windows Defender loads and executes arbitrary DLLs

Posted by Paul Szabo on Mar 31

Does this mean that unprivileged users can defeat WindowsDefender,
even when that is "enforced" by managers? Surely that would be a
vulnerability! I am not knowledgeable about Windows management,
but the pages

https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/endpoint-protection...
March 31, 2020

Recon-Informer v1 - Intel for offensive systems tool

Posted by hyp3rlinx on Mar 31

Recon-Informer is a basic real-time anti-reconnaissance detection tool for
offensive security systems, useful for penetration testers. It runs on
Windows/Linux and leverages Scapy.

https://github.com/hyp3rlinx/0/blob/master/Recon-Informer.py

Thanks and stay safe to all,
hyp3rlinx
March 31, 2020

Deskpro Helpdesk < 2019.8.0 (Privilege Escalation, RCE)

Posted by RedForce Advisory on Mar 31

RedForce Advisory
https://redforce.io

## Advisory Information
Title: Deskpro Helpdesk < 2019.8.0 Multiple Vulnerabilities
Advisory URL:
https://blog.redforce.io/attacking-helpdesks-part-1-rce-chain-on-deskpro-with-bitdefender-as-case-study/

Date published: 2020-03-28
Date of last update: 2020-03-30
Vendors contacted: DeskPro

## About Deskpro

Deskpro is a helpdesk software solution that helps companies manage their
communication with...
March 27, 2020

[SYSS-2019-047] Micro Focus Vibe - Cross-Site Scripting (CVE-2020-9520)

Posted by Vladimir Bostanov on Mar 27

Advisory ID: SYSS-2019-047
Product: Micro Focus Vibe (formerly Novell Vibe)
Manufacturer: Micro Focus International plc
Affected Version(s): 4.0.6
Tested Version(s): 4.0.6
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2019-11-07
Solution Date: 2020-03-24
Public Disclosure: 2020-03-25
CVE Reference: CVE-2020-9520
Author of Advisory: Dr. Vladimir Bostanov, SySS GmbH...
March 27, 2020

[SYSS-2019-046] Micro Focus Vibe - HTML Injection

Posted by Vladimir Bostanov on Mar 27

Advisory ID: SYSS-2019-046
Product: Micro Focus Vibe (formerly Novell Vibe)
Manufacturer: Micro Focus International plc
Affected Version(s): 4.0.6
Tested Version(s): 4.0.6
Vulnerability Type: HTML Injection (CWE-79)
Risk Level: Low
Solution Status: Fixed
Manufacturer Notification: 2019-11-07
Solution Date: 2020-03-24
Public Disclosure: 2020-03-25
CVE Reference: Not assigned
Author of Advisory: Dr. Vladimir Bostanov, SySS GmbH...
March 27, 2020

Defense in depth -- the Microsoft way (part 65): unsafe, easy to redirect paths all over

Posted by Stefan Kanthak on Mar 27

Hi @ll,

Microsoft still registers LOTS of DLLs (which implement COM classes,
cryptography service providers, services etc.) as well as command lines
with paths containing the (pre-defined) environment variables %windir%,
%SystemRoot%, %ProgramFiles%, %CommonProgramFiles%, %ProgramFiles(x86)%
and %CommonProgramFiles(x86)%.

For example, Windows Defender shipped with Windows Vista and newer versions
of Windows, installs a COM class which...
March 27, 2020

Defense in depth -- the Microsoft way (part 64): Windows Defender loads and executes arbitrary DLLs

Posted by Stefan Kanthak on Mar 27

Hi @ll,

in September 2017, Microsoft relocated many executable files of Windows
Defender from the directory "%ProgramFiles%\Windows Defender\" to
"%ProgramData%\Microsoft\Windows Defender\platform\<version>\": see
<https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform>

JFTR: if Microsoft were only capable to understand English language and
notice the difference...
March 27, 2020

APPLE-SA-2020-03-25-2 iCloud for Windows 7.18

Posted by Apple Product Security via Fulldisclosure on Mar 27

APPLE-SA-2020-03-25-2 iCloud for Windows 7.18

iCloud for Windows 7.18 is now available and addresses the following:

libxml2
Available for: Windows 7 and later
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved size
validation.
CVE-2020-3910: LGTM.com

libxml2
Available for: Windows 7 and later
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved bounds
checking....
March 27, 2020

APPLE-SA-2020-03-25-1 iCloud for Windows 10.9.3

Posted by Apple Product Security via Fulldisclosure on Mar 27

APPLE-SA-2020-03-25-1 iCloud for Windows 10.9.3

iCloud for Windows 10.9.3 is now available and addresses the
following:

libxml2
Available for: Windows 10 and later via the Microsoft Store
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved size
validation.
CVE-2020-3910: LGTM.com

libxml2
Available for: Windows 10 and later via the Microsoft Store
Impact: Multiple issues in libxml2
Description: A buffer...
March 27, 2020

CVE-2019-4716: conf overwrite + auth bypass = rce as root / SYSTEM on IBM PA / TM1

Posted by Pedro Ribeiro on Mar 27

Hi,

Here's a fun one I have been working on for some time.
tl;dr IBM PA / TM1, dating back to 2014, maybe 2009, is vulnerable to an unauthenticated configuration overwrite; this is
abused to "fake authenticate" to it, and finally execute code as root / SYSTEM using TM1 scripting.

Advisory below, permalink in:
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/ibm-tm1-rce.txt

Exploit:...
March 27, 2020

New tool: nullscan v1.0.0 - A modular framework designed to chain and automate security tests

Posted by Levon Kayan on Mar 27

Howdy,

We've just released nullscan v1.0.0, a modular framework designed to
chain and automate security tests. It's a beast and highly recommended
to learn and use it. :)

Here are some details:

[ Description ]

A modular framework designed to chain and automate security tests. It
parses target definitions from the command line and runs corresponding
modules and their nullscan-tools afterwards. It can also take hosts and
start nmap...
March 27, 2020

CVE-2019-19913

Posted by Georg Ph E Heise via Fulldisclosure on Mar 27

codeBeamer – Stored Cross-Site Scripting
===============================================================================

Identifiers
-------------------------------------------------
* CVE-2019-19913

CVSSv3 score
-------------------------------------------------
6.4
([AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:H](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:H&version=3.1))

Vendor...
March 27, 2020

CVE-2019-19912

Posted by Georg Ph E Heise via Fulldisclosure on Mar 27

codeBeamer – Stored Cross-Site Scripting
===============================================================================

Identifiers
-------------------------------------------------
* CVE-2019-19912

CVSSv3 score
-------------------------------------------------
6.4 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:H)

Vendor
-------------------------------------------------
Intland – Codebeamer (https://codebeamer.com)

Product...
March 25, 2020

HP ThinPro - Privileged command injection

Posted by Eldar Marcussen on Mar 24

HP ThinPro - Privileged command injection
===============================================================================

Identifiers
-------------------------------------------------
* CVE-2019-18910

CVSSv3 score
-------------------------------------------------
7.6 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)

Vendor
-------------------------------------------------
HP - [https://www.hp.com](https://www.hp.com)

Product...
March 25, 2020

HP ThinPro - Citrix command injection

Posted by Eldar Marcussen on Mar 24

HP ThinPro - Citrix command injection
===============================================================================

Identifiers
-------------------------------------------------
* CVE-2019-18909

CVSSv3 score
-------------------------------------------------
6.1 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Vendor
-------------------------------------------------
HP - [https://www.hp.com](https://www.hp.com)

Product...