Advisories

A stands for Advisories, that’s good enough for me.

Overview
——————-
Certain Lexmark devices are vulnerable to unverified password changes and stored cross-site scripting attacks.

Description:
——————-
Unverified Password Change – CVE-2013-6032
Certain models of Lexmark laser printers and MarkNet devices are vulnerable to an attack which allows a remote unauthenticated attacker to change the administrative password of the printer’s web administration interface. The interface does not perform sufficient validation of the vac.255.GENPASSWORD parameter in POST requests to the /cgi-bin/postpf/cgi-bin/dynamic/config/config.html page, allowing an unauthenticated remote attacker to reset the administrative password to an empty string.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) – CVE-2013-6033
Certain models of Lexmark laser printers are vulnerable to stored cross-site scripting attacks. The printers’ administrative web interface does not perform sufficient validation of user input to the “Location” and “Contact Name” fields in the “General Settings” configuration page.

Impact:
——————-
An attacker may be able to run arbitrary script in the context of a victim’s browser. The attacker may also be able to gain full administrative control of the printer.

Solution:
——————-
Apply an Update

Lexmark advises users to update to the latest firmware version. A list of affected models and firmware versions, as well as accompanying fixes, can be found at Lexmark’s advisory page.
Vendor Information: http://support.lexmark.com/alerts/

CVSS Metrics:
——————-
Group          Score  Vector
Base           9.0    AV:N/AC:L/Au:N/C:P/I:P/A:C
Temporal       7.4    E:F/RL:OF/RC:C
Environmental  1.9    CDP:N/TD:L/CR:ND/IR:ND/AR:ND
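To check the three scores above against their vectors, here is a CVSS v2 calculator added as a worked example (it is not part of the advisory); the metric weights and equations are those of the CVSS v2 specification, and it shows why the Environmental score collapses to 1.9: TD:L scales the 7.4 temporal score by 0.25.

```python
# Added example (not part of the advisory): recompute the CVSS v2 Base,
# Temporal and Environmental scores from the vectors in the table above.
import math

W = {  # CVSS v2 metric weights, taken from the CVSS v2 specification
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}
W["I"] = W["A"] = W["C"]        # C, I and A share one weight table
W["IR"] = W["AR"] = W["CR"]     # so do the CR, IR and AR requirements

def parse(vector):
    # "AV:N/AC:L" -> {"AV": "N", "AC": "L"}
    return dict(metric.split(":") for metric in vector.split("/"))

def round1(x):
    # CVSS v2 rounds to one decimal, half up; Python's round() is half-even
    return math.floor(x * 10 + 0.5) / 10

def impact(m, env=None):
    # Environmental requirements (CR/IR/AR) scale each impact weight; ND = 1.0
    env = env or {}
    scaled = [W[k][m[k]] * W[k + "R"][env.get(k + "R", "ND")] for k in "CIA"]
    return min(10.0, 10.41 * (1 - math.prod(1 - s for s in scaled)))

def base_score(base_vec, env=None):
    m = parse(base_vec)
    imp = impact(m, env)
    exploitability = 20 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * W["Au"][m["Au"]]
    return round1((0.6 * imp + 0.4 * exploitability - 1.5) * (1.176 if imp else 0.0))

def temporal_score(base_vec, temporal_vec, env=None):
    # Temporal multiplies the (rounded) base score by E, RL and RC
    t = parse(temporal_vec)
    return round1(base_score(base_vec, env) * W["E"][t["E"]] * W["RL"][t["RL"]] * W["RC"][t["RC"]])

def environmental_score(base_vec, temporal_vec, env_vec):
    # Adjusted temporal score (impact rescaled by CR/IR/AR), then CDP and TD
    e = parse(env_vec)
    adjusted_temporal = temporal_score(base_vec, temporal_vec, e)
    return round1((adjusted_temporal + (10 - adjusted_temporal) * W["CDP"][e["CDP"]]) * W["TD"][e["TD"]])
```

Calling the three functions with the vectors from the table returns 9.0, 7.4 and 1.9; changing TD:L to TD:H in the environmental vector returns 7.4, which shows that the low environmental score reflects a small target distribution, not a weaker flaw.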

Vendor Date Notified: 16 Oct 2013

At Defcon 19, during my presentation, we discussed a new attack method against printers. This attack method involves tricking the printer into passing LDAP or SMB credentials back to the attacker in plain text. We refer to this attack as a Pass-Back-Attack. It's been a while, but we wanted to release a short tutorial discussing how this attack is performed. A PDF of the tutorial can be downloaded from here

Wow, this one was so simple I still can't stop laughing. This was originally released at Shmoocon on January 29, 2011. I thought it was time to follow up with an advisory because most end users still do not know about this vulnerability. The authentication on Toshiba eStudio MFP devices is easily bypassed by adding an extra / in the URL after TopAccess.

Example:
http://IP Address/TopAccess//Administrator/Setup/ScanToFile/List.htm

For the latest advisory click here

Really easy, as you can see. I am looking for assistance to better map out devices with this issue. If you have a Toshiba eStudio, please check out the request at http://praeda.foofus.net to give me a hand.

I discovered a single XSS finding, with the ability to pop up only a numeric value. I was able to see that my variable was getting included inside some JavaScript in the returned page. I started adding more commands with a semicolon at the end and, lo and behold, they worked, as long as I didn't use a '>' character and trigger the .NET validation routines. It's interesting because you can inject just about any JavaScript you want, and that leaves a lot of room for client-side mischief like fake web sites to harvest passwords, etc.

For the latest advisory Click Here

The Multi-Tech Systems “MultiModem iSMS” appliance is affected by multiple XSS (cross-site scripting) vulnerabilities, which potentially lead to the compromise of the device.

For the latest advisory Click Here

Attack #2 is more interesting because it can be remotely exploited via an SMS message.

When reporting this issue, the 160-character limitation of SMS technology came into question, and whether it would limit the attacker. In the proof-of-concept video, you can see exploitation was successful with 158 characters using the Browser Exploitation Framework (BeEF)!

Please visit www.securitypentest.com for the original advisory.

Trustwave’s WebDefend console software contains static MySQL database passwords in its binary files, which leads to a compromise of sensitive information.

For the latest advisory Click Here

Below are the steps that led up to the discovery of this low hanging fruit:

  • I first started by using tcpdump to capture traffic between the appliance and a workstation running the console software.
  • When using the console software to log in, I noticed the authentication was done over port 5000. After I logged in, the console software started to load data over MySQL port 3306. What I found interesting was that all the SQL traffic was getting initiated by the workstation. At this point I wanted to know how the workstation was able to log in to the MySQL server on the appliance.
  • By using several Sysinternals tools on the workstation, I was able to determine which binary files the console software was using when the SQL connection got initiated.
  • I then used a combination of strings and IDA Pro to search through the binaries for the SQL login and, bingo, found it!

Please visit www.securitypentest.com for more WebDefend advisories.

This is a very interesting flaw that I came across in Symantec Antivirus Corporate Edition in July 2009 while trying to recreate the XFR.EXE design flaw (CVE-2009-1431). At first I thought this was the same flaw, but while running a series of tests against multiple versions of SAVCE, I realized I had tested it against the latest patched 10.1.8 version of the product and the vulnerability was still there. Upon further investigation I discovered this flaw affected the Intel Alert Handler Service (hndlrsvc.exe) over TCP port 38292.

POC: http://www.foofus.net/~spider/code/ams-cmd.cpp.txt

For the latest advisory Click Here