
Apple fixes a vulnerability in its App Store and iTunes Store


Apple Inc. has fixed a serious remote vulnerability in its App Store and iTunes Store web application that posed a significant risk to buyers, sellers and Apple website managers/developers.

The flaw, first reported on June 8 by Vulnerability Lab security researcher Benjamin Kunz Mejri, could allow an attacker to inject malicious script into invoices issued by Apple, leading to session hijacking, phishing and redirects.

"The Apple iTunes and App Store take the device cell name of the buying users. Remote attackers can manipulate the name value by an exchange with script code (special chars). After that the attacker buys any article in the App Store or iTunes Store," the security advisory reads.

"During that procedure the internal App Store service takes the device value and encodes it with wrong conditions. The seller account context runs since the error with the injected script code occurs and gets this way re-implemented into the invoice. This results in an application-side script code execution in the invoice of Apple."

Researchers said the vulnerability can be exploited by remote attackers with a low-privileged web application user account and low or medium user interaction.

Following the disclosure of the vulnerability, the company fixed the flaw.

Local stack buffer overflow vulnerability in QuickHeal AntiVirus

A security researcher from Vulnerability Lab has discovered a local stack buffer overflow vulnerability in the QuickHeal AntiVirus 7.0.0.1 (b2.0.0.1) Pro software.
 
The researcher says that improper handling of buffers in the 'pepoly.dll' module leads, under certain conditions, to a stack overflow. Disabling the core scanning server service can trigger the vulnerable code path and crash the system.

"The vulnerability is located in the generated PE file `*.text` value. It can be overflowed by manipulating the import of a malicious PE file. The issue is a classic (unicode) stack buffer overflow."


A local attacker with low privileges can exploit this vulnerability to take control of the system or simply crash the QuickHeal software process. The security risk of this vulnerability has been estimated as medium.

Researcher also provided a solution to fix the vulnerability: "It can be patched by a secure filter and size restriction of the PE file name text flag".

The proof of concept is available here.

Microsoft SharePoint vulnerable to Exception Handling Web Vulnerability

The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the official Microsoft SharePoint Online (cloud-based) application.

The vulnerability allows remote attackers to inject their own malicious script code into a vulnerable module on the application side (persistent).

The vulnerability is located in the `Sharepoint Online Cloud 2013 Service` section when processing requests to the `Berechtigungen für den Metadatenspeicher festlegen` (set permissions for the metadata store) module with manipulated `ms-descriptionText` > `ctl00_PlaceHolderDialogBodySection_PlaceHolderDialogBodyMainSection_ValSummary` parameters. The persistent injected script code executes in the main `invalid BDC Übereinstimmung` (invalid BDC match) web application exception handling.

The vulnerability can be exploited with a low (restricted) privileged application user account and low or medium required user interaction. Successful exploitation of the vulnerability results in persistent session hijacking, persistent phishing, stable external redirects, stable external malware loads and persistent manipulation of the vulnerable module context.

The vulnerability has been fixed.

Multiple software vulnerabilities in Trend Micro DirectPass 1.5.0.1060


The Vulnerability Laboratory Research Team discovered multiple software vulnerabilities in the official Trend Micro DirectPass v1.5.0.1060 software.

Trend Micro™ DirectPass™ manages website passwords and login IDs in one secure location, so you only need to remember one password. Other features include: Keystroke encryption, secure password generation, automatic form-filling, confidential notes, and a secure browser.

The first vulnerability is a local command injection vulnerability that allows local low-privileged system user accounts to inject system-specific commands or local path requests to compromise the software.

The second security flaw discovered by Vulnerability Lab is a persistent input validation vulnerability that allows local attackers with a low-privileged system user account to inject malicious script code on the application side (persistent) of the software.

The third one is a critical pointer vulnerability (DoS) that allows local attackers with a low-privileged system user account to crash the software.

While the local path injection vulnerability has been rated a high-risk bug, the other vulnerabilities have been rated medium risk.

After receiving notification from Vulnerability Lab researchers, Trend Micro fixed the vulnerabilities on 2013-05-15.

The technical details and proof-of-concept can be found here.

Multiple vulnerabilities in Enterpriser16 LoadBalancer v7.1


Vulnerability Lab researchers have found multiple persistent input validation web vulnerabilities in the Enterpriser16 v7.1 Load Balancer application.

The first set of vulnerabilities is located in the `Edit Configuration` module, in the vulnerable Label, Virtual Host, Request to send, Email Alerts and Response expected parameters.

The second set of vulnerabilities is located in the Create Solution, Access points and New Contract modules, in the vulnerable title, asset name, contract name, name and description parameters.

Exploitation requires low user interaction and a low-privileged application user account. Successful exploitation of the vulnerability can lead to persistent session hijacking (manager/admin), persistent phishing or persistent manipulation of the module's web context.

A detailed proof-of-concept can be found here.

Reflected XSS in Vulnerability-Lab site (vulnerability-lab.com)


The Inj3ct0r team has found a reflected cross-site scripting (XSS) vulnerability in the official website of Vulnerability-Lab.

The Vulnerability Lab subdomain (video.vulnerability-lab.com/) that hosts video demos of exploits has been found vulnerable to a non-persistent XSS flaw.


The Inj3ct0r team provided us with the PoC for the vulnerability:
173.0.61.44/video/?s="><script>alert("Inj3ct0r Team found Xss on vulnerability-lab")</script>&x=7&y=8
The above code will display a popup with the text "Inj3ct0r Team found Xss on vulnerability-lab". At first the URL confused me, as it points to some other IP.

But I visited the "video.vulnerability-lab.com" website and verified the security flaw by entering the script. It seems the result is being loaded from the above-mentioned IP address.


"We already knew about the issue 3 weeks ago," the Vulnerability Lab team responded. "The issue is not exploitable ... it's fake because the issue is located in the website where no login is in use, even if it is WordPress."

"The module and the video blog itself were secured ... only the update made the vulnerable module available again."

Persistent Cross Site Scripting Vulnerability in the official PayPal ecommerce


The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the official PayPal ecommerce website content management system.

The bug allows remote attackers to inject malicious script code on the application side (persistent). The persistent vulnerability is located in the `Artikel pro Seite` (items per page) listing module with the bound vulnerable `filterVal1` parameter.

Remote exploitation requires low user interaction, or a privileged application user account for local exploitation. Successful exploitation of the vulnerability can lead to session hijacking (admin), account theft via a persistent web attack or stable (persistent) context manipulation.


Proof of Concept:
=================
The persistent vulnerability can be exploited by remote attackers and local privileged user accounts with low required user interaction.
For demonstration or to reproduce ...

Review: [ALL Listing] (index) Rechnungen Verwalten - Geld Anfordern > Artikel pro Seite (Listing) > filterVal1

var currencyVals = ["EUR", "AUD", "BRL", "GBP", "DKK", "HKD", "ILS", "JPY", "CAD", "MXN", "TWD", "NZD", "NOK", "PHP",
"PLN", "SEK", "CHF", "SGD", "THB", "CZK", "HUF", "USD", ""];
var txt1 = "zwischen";
var txt2 = " und ";
var txtLabel = "Wert 2";
var advFilter = "email";
var dateFilter = "invoice_date";
var filterVal1 = "<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;"> <META HTTP-EQUIV="Set-Cookie"
Content="USERID=<SCRIPT>document.cookie=true</script>"> <script>document.cookie=true;</script>


PoC: "><iframe src=http://vuln-lab.com onload=alert("VulnerabilityLab") <

The security risk of the persistent script code injection vulnerability is estimated as medium (+). The vulnerability has been fixed by PayPal.
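The PoC listing above shows the `filterVal1` value pasted straight into a JavaScript string literal inside a `<script>` block, so a double quote ends the literal and a `<` starts markup. The following Python is an added example (not code from the advisory or from PayPal) showing why HTML escaping is the wrong tool for that context and what an encoder for a JS string literal embedded in HTML has to do; `POC_VALUE` is the page's own PoC string, and the function names are assumptions of this example.

```python
import json
import re

# Constructed test input: the PoC string quoted in the advisory above.
POC_VALUE = '"><iframe src=http://vuln-lab.com onload=alert("VulnerabilityLab") <'


def vulnerable_script(filter_val1: str) -> str:
    """Mirrors the bug: the parameter is interpolated into a JS string literal
    with no encoding, so a double quote ends the literal and '<' starts a tag."""
    return f'<script>var filterVal1 = "{filter_val1}";</script>'


def js_string_literal(value: str) -> str:
    """Encode value as a JS string literal that is safe inside an inline <script>.
    json.dumps escapes quotes, backslashes and control characters (and, with its
    default ensure_ascii=True, U+2028/U+2029). The two substitutions keep the
    HTML parser from ever seeing '<' or '>' inside the script body, so a value
    containing '</script>' cannot close the element early."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e")


def safe_script(filter_val1: str) -> str:
    """Same template, with the value encoded for the JS-string-in-HTML context."""
    return f"<script>var filterVal1 = {js_string_literal(filter_val1)};</script>"


def foreign_tags(markup: str) -> list:
    """Names of every tag in the output other than our own <script> wrapper.
    A non-empty list means the value broke out of the string literal."""
    names = re.findall(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)", markup)
    return [n for n in names if n.lower() != "script"]


def round_trips(value: str) -> bool:
    """The encoded literal still decodes to the original value: the fix changes
    the representation, not the data the page's script receives."""
    return json.loads(js_string_literal(value)) == value


if __name__ == "__main__":
    print(vulnerable_script(POC_VALUE))  # an <iframe> tag reaches the HTML parser
    print(safe_script(POC_VALUE))        # the value stays inside the literal
```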

A persistent input validation vulnerability in the official PayPal Plaza


The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the official PayPal Plaza website application.

The bug allows a remote attacker to inject malicious script code on the application side (persistent) of the PayPal Plaza eGreetings web service. The vulnerability is located in the eGreeting module notification (Step 5 Preview) with the bound vulnerable `your name` and `recipient's name` parameters.

The vulnerability can be exploited by remote attackers with low or medium required user interaction and without a privileged Customer/Pro/Seller account. Successful exploitation of the vulnerability can lead to session hijacking (customers), account theft via persistent web attacks, persistent phishing or stable (persistent) manipulation of the mail notification context.

Proof of Concept:
=================

The persistent input validation vulnerability can be exploited by remote attackers with low or medium required user interaction.
For demonstration or to reproduce ...

Review: Notification Mail - eGreetings Card Notification

<html>
<head>
<title>You have received a eCard from your loved one.</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><b>Betreff: </b>
You have received a eCard from your loved one.</td></tr><tr><td><b>Von: </b>=?utf-8?B?Ij48aWZyYW1lIHNyYz1hIG9ubG9hZD1hbGVydCgiSEkiKSA8?=
 <admin@vulnerability-lab.com></td></tr><tr><td><b>Datum: </b>14.08.2012 05:15</td></tr></table><table border=0 cellspacing=0
cellpadding=0 width="100%" class="header-part2"><tr><td><b>An: </b>research@vulnerability-lab.com</td></tr></table><br>
Dear "><[PERSISTENT INJECTED SCRIPT CODE OUTSIDE OF GREETINGSCARD ITSELF!]") <,<br/><br/>
Greetings! "><"><[PERSISTENT INJECTED SCRIPT CODE OUTSIDE OF GREETINGSCARD ITSELF!]") < has just sent you a eCard.
<br/><br/>
<a href="https://www.paypal-plaza.com/giftcard/2494/lang/en_au">View your eCard now.</a>
</body>
</html>

The security risk of the persistent input validation vulnerability in the mail notification service filter is estimated as medium. The vulnerability has now been fixed by PayPal.
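In the sample mail above, the sender name arrives twice: RFC 2047-encoded in the `Von:` header and unescaped in the HTML body, where it is parsed as markup. The following Python is an added example (not code from the advisory or from PayPal) of building that notification so both user-supplied names are treated as text in each context; the same HTML escaping is what the Apple invoice device-name case at the top of the page needed. `SENDER_NAME` is the decoded base64 encoded-word from the PoC header; the addresses and function names are assumptions of this example.

```python
import html
from email.headerregistry import Address
from email.message import EmailMessage

# Constructed inputs: SENDER_NAME is the decoded "Von:" encoded-word from the PoC
# mail above; the addresses are placeholders, the URL is the one in the sample.
SENDER_NAME = '"><iframe src=a onload=alert("HI") <'
SENDER_ADDR = "admin@example.com"
CARD_URL = "https://www.paypal-plaza.com/giftcard/2494/lang/en_au"


def render_body(sender_name: str, recipient_name: str, card_url: str) -> str:
    """HTML body of the notification, following the advisory's sample text, with
    both user-supplied names escaped for HTML text context and the URL escaped
    for attribute context."""
    return (
        f"Dear {html.escape(recipient_name)},<br/><br/>"
        f"Greetings! {html.escape(sender_name)} has just sent you an eCard."
        f"<br/><br/>"
        f'<a href="{html.escape(card_url, quote=True)}">View your eCard now.</a>'
    )


def build_notification(sender_name: str, sender_addr: str,
                       recipient_name: str, to_addr: str) -> EmailMessage:
    """Assemble the mail. The display name goes through Address, which quotes or
    RFC 2047-encodes it, so the same value cannot inject extra header fields."""
    msg = EmailMessage()
    msg["Subject"] = "You have received an eCard from your loved one."
    msg["From"] = Address(display_name=sender_name, addr_spec=sender_addr)
    msg["To"] = to_addr
    msg.set_content(render_body(sender_name, recipient_name, CARD_URL),
                    subtype="html")
    return msg


def is_inert(markup: str, sender_name: str) -> bool:
    """True when the raw name is absent from the markup and only its escaped form
    is present, i.e. the payload is displayed as text, not parsed as a tag."""
    return sender_name not in markup and html.escape(sender_name) in markup


if __name__ == "__main__":
    print(build_notification(SENDER_NAME, SENDER_ADDR, "Alice", "to@example.com"))
```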