[guru] Security updates for network devices
DATE: Mon, 26 Jan 2009 22:13:30 +0100
On the Aruba Mobility Controller, a suitably crafted EAP packet causes the
authentication service to crash and then restart automatically. If an
attacker floods the device with crafted EAP packets, new users cannot log in.
The WAP-vCard service (9204/udp) of the HTC Touch phone is reachable over
both WiFi and GPRS/UMTS networks, so an attacker is able to send and receive
SMS messages.
The COMTREND CT-536/HG-536+ WiFi ADSL routers contain access control,
cleartext password transmission, XSS and buffer overflow flaws.
The IBM DataPower XS40 Security Gateway can easily be DoS-ed by sending a
random string into an established SSL connection.
The SNMP write community of Netgear WG102 Access Points can be read out
using the read community.
The admin password of the Aethra SV 1042 ADSL/VoIP router can be overwritten
from the console, and the device neither needs to be reset nor reflashed.
The driver of several Ralinktech WLAN cards contains an integer overflow
flaw.
The AXIS 70U Network Document Server contains several security flaws: an
attacker can also access documents they have no right to, and the web
interface contains XSS flaws as well.
The AXIS Camera Control CamImage.CamImage.1 ActiveX control contains a heap
buffer overflow flaw.
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Aruba Networks Security Advisory
Title: DoS Vulnerability in Aruba Mobility Controller Caused by
Malformed EAP Frame.
Aruba Advisory ID: AID-12808
Revision: 1.0
For Public Release on 12/8/2008
+----------------------------------------------------
SUMMARY
A Denial of Service (DoS) vulnerability was discovered during standard bug
reporting procedures in the Aruba Mobility Controller. A malformed EAP frame
causes a process crash on the Aruba Mobility Controller causing a temporary
DoS condition for new clients configured to use EAP authentication. Prior
successful security association is not required to cause this condition.
The Mobility Controller recovers automatically by restarting the affected
process.
AFFECTED ArubaOS VERSIONS
2.4.8.x-FIPS, 2.5.x, 3.1.x, 3.2.x, 3.3.1.x, and 3.3.2.x versions
DETAILS
Extensible Authentication Protocol (EAP) is a framework used for
authentication in wireless and point-point connections (RFC 3748). Aruba
Mobility Controller accepts EAP frames on both wireless interfaces (via its
thin APs) and wired interfaces (via devices connected to untrusted physical
ports on the controller). In 802.11 networks, EAP frames are only used when
WPA/WPA2 Enterprise modes are being used.
A malformed EAP frame causes a process crash on the Aruba Mobility
Controller. An attacking station does not need to have completed a
successful security association prior to launching this attack against the
controller.
IMPACT
An attacker can inject a malformed EAP frame and cause a process crash on
the Aruba Mobility Controller. This causes a service outage for new clients
configured to use EAP authentication. The Mobility Controller recovers
automatically by restarting the affected process. An attacker could however
cause a prolonged DoS condition by flooding the Aruba Mobility Controller
with malicious EAP frames.
For wireless, this vulnerability only applies when operating in WPA/WPA2
Enterprise modes. WPA/WPA2-PSK modes are unaffected by this vulnerability
and so are open/WEP based wireless networks.
This vulnerability does affect wired devices connected to untrusted physical
ports of the Mobility Controller.
CVSS v2 BASE METRIC SCORE: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
WORKAROUNDS
Aruba Networks recommends that all customers that are using EAP
authentication apply the appropriate patch(es) as soon as practical.
However, in the event that a patch cannot immediately be applied, the
following steps might help in mitigating the risk:
- Aruba Mobility Controllers allow for a mode of operation where a wireless
client's EAP communication terminates on the controller, rather than on an
authentication server (RADIUS server, LDAP server etc.). The Mobility
Controller in turn queries the authentication server on behalf of the client
using non-EAP messages. This mode is referred to as "EAP-Offload" and is
immune to this vulnerability. Enabling this mode on the Mobility Controller
can be used as a workaround until the patch(es) can be applied. EAP-Offload
is not supported for wired client devices.
SOLUTION
Aruba Networks recommends that all customers apply the appropriate
patch(es) as soon as practical. However, in the event that a patch
can not immediately be applied, the workaround steps will help to mitigate
the risk.
+----------------------------------------------------
OBTAINING FIXED FIRMWARE
Aruba customers can obtain the firmware on the support website:
http://www.arubanetworks.com/support.
Aruba Support contacts are as follows:
1-800-WiFiLAN (1-800-943-4526) (toll free from within North America)
+1-408-754-1200 (toll call from anywhere in the world)
e-mail: support(at)arubanetworks.com
Please, do not contact either "wsirt(at)arubanetworks.com" or
"security(at)arubanetworks.com" for software upgrades.
EXPLOITATION AND PUBLIC ANNOUNCEMENTS
This vulnerability will be announced at
Aruba W.S.I.R.T. Advisory:
http://www.arubanetworks.com/support/alerts/aid-12808.asc
SecurityFocus Bugtraq
http://www.securityfocus.com/archive/1
STATUS OF THIS NOTICE: Final
Although Aruba Networks cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Aruba Networks does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Aruba Networks may update
this advisory.
A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.
DISTRIBUTION OF THIS ANNOUNCEMENT
This advisory will be posted on Aruba's website at:
http://www.arubanetworks.com/support/alerts/aid-12808.asc
Future updates of this advisory, if any, will be placed on Aruba's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.
REVISION HISTORY
Revision 1.0 / 12-8-2008 / Initial release
ARUBA WSIRT SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Aruba Networks
products, obtaining assistance with security incidents is available at
http://www.arubanetworks.com/support/wsirt.php
For reporting *NEW* Aruba Networks security issues, email can be sent to
wsirt(at)arubanetworks.com or security(at)arubanetworks.com. For sensitive
information we encourage the use of PGP encryption. Our public keys can be
found at
http://www.arubanetworks.com/support/wsirt.php
(c) Copyright 2008 by Aruba Networks, Inc.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkk9c5kACgkQp6KijA4qefU7vACg4RsVQOwBPeGRdcf7/iOmXQTE
RNcAnRvRz7XFOHeOyRCcMFI5FF1synMd
=e8RT
-----END PGP SIGNATURE-----
--- End Message ---
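The advisory above describes the failure class (a length-inconsistent EAP frame reaching a parser that trusts it) without saying what the controller's parser does wrong. As an added illustration, not code from Aruba or from the advisory, here is the receive-side validation that RFC 3748 section 4 requires: compare the Length field against the octets actually received before indexing by it, and discard anything inconsistent. The sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 3748 section 4: Code(1) Identifier(1) Length(2) [Type(1) Type-Data...]
EAP_HEADER_LEN = 4
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


class MalformedEap(ValueError):
    """Raised for any frame a conforming receiver must silently discard."""


@dataclass
class EapFrame:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # only Request/Response carry a Type octet
    type_data: bytes


def parse_eap(frame: bytes) -> EapFrame:
    """Parse one EAP packet, enforcing every consistency rule RFC 3748 states."""
    if len(frame) < EAP_HEADER_LEN:
        raise MalformedEap("frame shorter than the 4-octet EAP header")
    code, identifier, length = struct.unpack("!BBH", frame[:EAP_HEADER_LEN])
    if code not in EAP_CODES:
        raise MalformedEap(f"unknown Code {code}")
    if length < EAP_HEADER_LEN:
        raise MalformedEap(f"Length {length} is smaller than the header")
    if length > len(frame):
        # The Length field is sender-controlled. A parser that indexes by it
        # before this comparison reads past its buffer; RFC 3748 says discard.
        raise MalformedEap(f"Length {length} exceeds the {len(frame)} octets received")
    body = frame[EAP_HEADER_LEN:length]   # octets beyond Length are padding, ignored
    if code in (1, 2):
        if not body:
            raise MalformedEap("Request/Response without a Type octet")
        return EapFrame(code, identifier, length, body[0], body[1:])
    if length != EAP_HEADER_LEN:
        raise MalformedEap("Success/Failure must have Length 4")
    return EapFrame(code, identifier, length, None, b"")


def is_well_formed(frame: bytes) -> bool:
    try:
        parse_eap(frame)
        return True
    except MalformedEap:
        return False


def triage(frames: List[bytes]) -> Tuple[List[EapFrame], List[str]]:
    """Split a batch into parsed frames and drop reasons (for a counter or log line)."""
    accepted, dropped = [], []
    for raw in frames:
        try:
            accepted.append(parse_eap(raw))
        except MalformedEap as exc:
            dropped.append(f"dropped {raw.hex()}: {exc}")
    return accepted, dropped


# Constructed sample frames (not captured traffic):
SAMPLE_FRAMES = [
    b"\x01\x2a\x00\x05\x01",        # Request, Identity, Length 5: well formed
    b"\x02\x2a\x00\x0a\x01alice",   # Response, Identity "alice", Length 10
    b"\x03\x2a\x00\x04\xff\xff",    # Success plus two padding octets: well formed
    b"\x01\x01\x03\xe8\x01",        # Length claims 1000 octets, 5 received: discard
    b"\x01\x01\x00\x02",            # Length 2, smaller than the header: discard
    b"\x09\x01\x00\x04",            # unknown Code 9: discard
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_FRAMES)
    for f in ok:
        print("accepted", EAP_CODES[f.code], "id", f.identifier, "type", f.eap_type, f.type_data)
    for line in bad:
        print(line)
```

The drop reasons are the useful monitoring signal: a burst of "Length exceeds received" drops from one station is exactly the flooding pattern the IMPACT section describes, and it is visible before any process restarts.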
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Security Advisory
MSL-2008-002 - HTC Touch vCard over IP Denial of Service
Advisory Information
--------------------
Title:
HTC Touch vCard over IP Denial of Service
Advisory ID:
MSL-2008-002
Advisory URL:
http://www.mseclab.com/index.php?page_id=110
Published:
2008-12-19
Updated:
2008-12-19
Vendor:
HTC
Platforms:
Touch Pro, Touch Cruise
Vulnerability Details
---------------------
Class:
Denial of Service
Remote:
Yes
Local:
No
Public References:
Not Assigned
Affected:
HTC Touch Pro, HTC Touch Cruiser
Not Affected:
Currently Unknown
Description:
UDP/9204 port is open and reachable both via WiFi and GPRS/UMTS
connection when the device is capable of sending and receiving SMS.
Port is always open on the Touch Pro, while on Touch Cruiser the port is
open when the SMS application is running.
UDP/9204 is associated with the service WAP-vCard and is used for
sending vCard files to the device, that are displayed as normal SMS to
users.
By flooding the device with multiple vCards it is possible to perform a
Denial of Service attack that affects usability, SMS handling and
connectivity.
By sending large number of vCards an attacker can achieve significant
device slowdown, making the UI sluggish and hard to use.
In some cases WiFi connections may be dropped (when vCards are sent via
WiFi), effectively disconnecting the device from the network.
On Touch Cruiser devices, SMS inbox can be completely filled by sending
more than 450 large vCards (size 32K).
The device will not be able to receive SMS anymore or to access the
message stored inside the device until SMS deletion occurs.
Additionally, when large vCards are sent, no acoustic notification (ring
tones) will be played upon incoming messages, making the attack more
silent and less noticeable by a user.
Battery removal may be needed, in some cases, for restoring normal
functionalities.
Manual deletion of all received SMS requires a very long time, making
the deletion of all the SMS the most viable option, but leading to loss
of all received SMS and requiring in any case a large amount of time
(even hours).
The faster option for restoring the device is performing a hard reset of
the device, leading to the loss of all the content saved on the handset.
The attack can be easily carried in all the scenarios where the device
IP stack is accessible to an attacker, such as Wireless LANs and Mobile
Networks assigning public IP addresses without any firewall protection.
Solutions & Workaround:
A personal firewall solution can be used for denying unwanted access to
the port, effectively avoiding possible attacks.
Additional Information
----------------------
Timeline:
2008-12-03: Issue discovery
2008-12-05: Initial Vendor Notification: Point of Contact requested via
contact form on website (No suitable e-mail available)
2008-12-14: Vendor Response: Customer support answered without providing
any suitable contact for vulnerability communication
2008-12-19: Public Disclosure
Vendor Statement:
None
--
Mobile Security Lab
Website: www.mseclab.com <http://www.mseclab.com>
GPG Key Fingerprint
3CEC 8BFA 90C0 E620 B48C 2645 9C8C 642D A501 073F
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFJS7xTnIxkLaUBBz8RAuGRAJ9JWdbDH0/gFlHN7u9mcCBywalt0wCeP0eE
vlUaatlfC6NduuP7VlnkljM=
=xeLv
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
=============================================
INTERNET SECURITY AUDITORS ALERT 2007-002
- Original release date: 31st January, 2007
- Last revised: 22nd December, 2008
- Discovered by: Daniel Fernandez Bleda
- Severity: 5/5
=============================================
I. VULNERABILITY
-------------------------
Multiple vulnerabilities in WiFi router COMTREND CT-536/HG-536+
II. BACKGROUND
-------------------------
The CT-536 is an 802.11g (54Mbps) wireless and wired Local Area
Network (WLAN) ADSL router. Four 10/100 Base-T Ethernet and single USB
ports provide wired LAN connectivity with an integrated 802.11g WiFi
WLAN Access Point (AP) for wireless connectivity. The CT-536 ADSL
router provides state of the art security features such as WPA data
encryption; Firewall, VPN pass through.
III. DESCRIPTION
-------------------------
Improper validation of micro_httpd server permits multiple attacks
through this stateless server. Also, access control is deficient and
does not control access at all. Credentials are sent in clear text so
"user" could get them easily.
Some fields and data are not filtered so XSS attacks and bofs can DoS
the httpd config server. In some cases the result also applies not only
to http and the router needs reboot, losing the configuration and
resetting to default values. This means default passwords, open
wireless network, etc.
IV. PROOF OF CONCEPT
-------------------------
1. User "user" (least privileged user, read only and limited access to
configuration reading) can ask for a not allowed resource and the server
will return the page asked for. Included is the password change resource:
http://192.168.0.1/password.html
2. The router sends the 3 users passwords in clear inside the html to
make a fast check during the password change.
3. Some points in the configuration description options are
vulnerable to Cross Site Scripting attacks due to improper validation:
http://192.168.0.1/scvrtsrv.cmd?action=add&srvName=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&srvAddr=192.168.1.1&proto=1,&eStart=1,&eEnd=1,&iStart=1,&iEnd=1
4. Some resources (e.g. the NAT table) are vulnerable to buffer overflow
attacks through the description fields, which seem to kill the
micro_httpd server although the router continues routing. Also similar
behaviour is seen when asking for URLs that add %13 and %10 chars,
without matching micro_httpd checks "..", "../", "/../".
5. User "user" accesses with "admin" privileges when connecting
through TELNET service.
6. User "support" seems to not exist at all.
7. SSH service cannot substitute TELNET or HTTP because it seems not to
exist at all in the router!
V. BUSINESS IMPACT
-------------------------
DoS of the Web Configuration interface although the router continues
routing.
DoS of router, causing a set to reset configuration, meaning the start
up of Wireless interface (activated by default) without any type of
protection and having the possibility to access the router or the network.
Reset of router configuration.
Access with "admin" (privileged) permissions to user "user".
VI. SYSTEMS AFFECTED
-------------------------
Firmware until version A101-302JAZ-C01_R05 (current)
VII. SOLUTION
-------------------------
Change the router.
VIII. REFERENCES
-------------------------
http://www.comtrend.com
http://www.acme.com/software/micro_httpd/
http://www.jazztel.com
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by
Daniel Fernandez Bleda (dfernandez (at) isecauditors (dot) com).
X. REVISION HISTORY
-------------------------
January 30, 2007: Initial release
April 18, 2007: First contact with the vendor. Minor corrections.
November 09, 2007: Some corrections applied.
XI. DISCLOSURE TIMELINE
-------------------------
January 30, 2007: Vulnerability acquired by
Internet Security Auditors
April 18, 2007: Initial vendor notification sent. No response.
May 01, 2007: Second vendor notification.
Response: will be studied.
May 22, 2007: Third vendor contact. Reported to their vendor for
analysis.
August 07, 2007: Fourth Vendor contact. Problem seems to be not
much easy to correct. R/D Dept are studying the
solution.
November 09, 2007: Fifth Vendor contact. No response.
November 19, 2007: Sixth Vendor contact. No response.
December 07, 2007: Seventh Vendor contact. Chipset vendor is working.
November 11, 2008: Last Vendor contact. No response
December 22, 2008: Published.
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.
--- End Message ---
--- Begin Message ---
It appears it is possible to crash the IBM DataPower XS40 Security Gateway device by sending a simple (random?) string to it, over an established SSL-connection. The device reboots as a response to the input.
Tested vulnerable firmware is 3.6.1.5
Issue fixed as tested in 3.6.1.12
Tested as follows (entered attack-string is 'abc' in this case):
openssl s_client -connect [IP]:[port]
Loading 'screen' into random state - done
CONNECTED(0000078C)
..
---
abc [enter][enter]
read:errno=0
After this, the device crashes and reboots
--- End Message ---
--- Begin Message ---
Dear all,
after informing Netgear about the unsafe handling of passwords on their WG102 Access Points nothing happened for several weeks. To inform other users about the potential threat to their networks I decided to share my findings.
WG102 offers the typical SNMP write & SNMP read community password 'protection'. SNMPv2 is already known for weak security, yet NETGEAR goes one step further:
the SNMP write community (password) is accessible in cleartext via the MIB which is readable via the SNMP read community.
Affected Versions:
- Netgear WG102
- with Firmware 4.0.16
- Firmware 4.0.27 (latest as of 2009-01-09)
- other firmwares and similar products probably have the same bug (just an assumption!)
Possible consequences:
- leakage of admin/write password
- Once an attacker has SNMP write access, she can freely reconfigure the access point. Including e.g. redirect RADIUS authentication to a rogue server.
To reproduce:
enable snmp (default) and set different SNMP write/read passwords.
then on a different machine do:
snmpwalk -c READPASSWORD -v2c IP SNMPv2-SMI::enterprises.4526.4.3
the passwords are stored in ...4526.4.3.8.4.0 and ...4526.4.3.8.5.0
Proposed fixes:
do not enable SNMP at all. vendor fix required.
Best Regards
'Harm S.I. Vaittes'
--- End Message ---
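The reproduction above amounts to "walk the enterprise subtree with the read community and look for the write community among the values". As an added example, not code from the poster or from Netgear, this turns that manual check into an audit one can run against a saved walk of one's own access point: parse net-snmp's default output format, then report every readable STRING object whose value equals a secret the operator configured. The sample walk, its leaf numbers and its values are constructed for the example, not read from a WG102.

```python
import re
from typing import Dict, List, Tuple

# One line of net-snmp `snmpwalk` output when no MIB resolves the subtree, e.g.
#   SNMPv2-SMI::enterprises.4526.4.3.8.4.0 = STRING: "public"
LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?P<type>[A-Za-z0-9-]+):\s*(?P<value>.*)$")


def parse_walk(text: str) -> Dict[str, str]:
    """Map OID -> value for STRING-typed objects, stripping the surrounding quotes."""
    objects: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("type") != "STRING":
            continue   # only string objects can carry a community or password
        value = m.group("value")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        objects[m.group("oid")] = value
    return objects


def find_leaked_secrets(walk_text: str, secrets: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (oid, secret_label) for every readable object whose value equals a known secret.

    `secrets` maps a label to the value the operator configured; anything other
    than the read community itself showing up here is a leak, because the walk
    was performed with nothing more than the read community.
    """
    hits = []
    for oid, value in parse_walk(walk_text).items():
        for label, secret in secrets.items():
            if value == secret:
                hits.append((oid, label))
    return sorted(hits)


# Constructed walk output shaped like the command in the message above
# (leaf numbers and values are assumptions, not taken from a real device).
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.4526.4.3.1.0 = STRING: "WG102"
SNMPv2-SMI::enterprises.4526.4.3.2.0 = INTEGER: 1
SNMPv2-SMI::enterprises.4526.4.3.8.4.0 = STRING: "public"
SNMPv2-SMI::enterprises.4526.4.3.8.5.0 = STRING: "s3cret-write"
SNMPv2-SMI::enterprises.4526.4.3.9.1.0 = Hex-STRING: 00 11 22 33 44 55
"""

# The values the operator set on the device (constructed for the example).
SECRETS = {"read-community": "public", "write-community": "s3cret-write"}

if __name__ == "__main__":
    for oid, label in find_leaked_secrets(SAMPLE_WALK, SECRETS):
        print(f"{label} is readable at {oid}")
```

The write-community hit is the finding that matters; extending `SECRETS` with the admin web password and the RADIUS shared secret makes the same audit catch the other credentials an access point typically stores.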
--- Begin Message ---
Hi,
with the blue serial cable ( console cable ), with advanced serial port monitor
( http://www.aggsoft.com/serial-port-monitor.htm )
you can retrieve the admin password of this router without reset or re-firmware....
Hack Aethra SV 1042 Adsl/Voip Router
Mod: AETHRA STARVOICE SV 1042
Boot Version: 1.8.0.0
Boot Date: 25/02/2004 12:12
ATOS Version: 2.0.25 (0@unknow)
ATOS Date: 26/10/2004 11:04
StarVoice version: 1.4.18
StarVoice model: SV1042
Les version: 1.4.12
Exploit: Local
Vendor contacted 6 months ago; Aethra has made a patch and informed all clients.
youtube
http://it.youtube.com/watch?v=_WK4KQJ8wVo
full
http://www.adrive.com/public/bb1b031b4b3ea243d7f61fcad55f57634e0c882356619b6e1cd538623e6969f5.html
bye
SmoKe
--- End Message ---
--- Begin Message ---
Some Ralinktech wireless card drivers suffer from an integer overflow. Sending a
malformed 802.11 Probe Request packet, with no need to know the victim's MAC\BSS\SSID, can cause
remote code execution in kernel mode.
In order to exploit this issue, the attacker should send a Probe
Request packet with SSID length bigger than 128 bytes (but less than 256) when the victim's card is in ADHOC mode.
The attacker need not be on the same network nor even know the MAC\BSS\SSID; he can just send it broadcast.
Tested on Ralink USB wireless adapter (RT73) V3.08 on win2k with the latest driver version.
Status: Unpatched ,vulnerability reported to vendor.
OSes: Windows\linux drivers.
Have fun!
Aviv
--- End Message ---
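The message gives the trigger condition (an SSID length octet between 128 and 255) but not the driver's defect. As an added educational example, not code from the poster or from Ralink, here is a receive-side walk over the tagged parameters of a Probe Request that treats the length octet as unsigned, refuses an element that runs past the frame, and enforces the 32-octet SSID limit the standard defines; `signed_length_view` shows what one plausible defect shape, keeping that octet in a signed 8-bit variable, would compute for the same values. Whether that is the actual bug in the driver is an assumption. The frame bodies are constructed for the example.

```python
import struct
from typing import List, Tuple

IE_SSID = 0
IE_SUPPORTED_RATES = 1
MAX_SSID_LEN = 32   # IEEE 802.11: the SSID element carries 0..32 octets


class MalformedElement(ValueError):
    """Raised for a tagged-parameter region the receiver should discard."""


def parse_elements(body: bytes) -> List[Tuple[int, bytes]]:
    """Walk the Element ID / Length / Data triples after a management frame's fixed fields."""
    elements = []
    offset = 0
    while offset < len(body):
        if offset + 2 > len(body):
            raise MalformedElement("truncated element header")
        element_id, length = body[offset], body[offset + 1]   # indexing bytes yields 0..255
        offset += 2
        if offset + length > len(body):
            raise MalformedElement(
                f"element {element_id} claims {length} octets, {len(body) - offset} remain")
        elements.append((element_id, body[offset:offset + length]))
        offset += length
    return elements


def extract_ssid(body: bytes) -> bytes:
    """Return the SSID, refusing one longer than the standard allows."""
    for element_id, data in parse_elements(body):
        if element_id == IE_SSID:
            if len(data) > MAX_SSID_LEN:
                raise MalformedElement(f"SSID length {len(data)} exceeds {MAX_SSID_LEN}")
            return data
    raise MalformedElement("no SSID element")


def is_valid_probe_body(body: bytes) -> bool:
    try:
        extract_ssid(body)
        return True
    except MalformedElement:
        return False


def signed_length_view(length_octet: int) -> int:
    """What a parser that stores the length octet in a signed 8-bit variable sees.

    Octets 128..255 come out negative, so a 'length <= 32' comparison passes
    while a later copy still uses the real size. This is one plausible shape
    of the reported overflow, assumed here for illustration.
    """
    return struct.unpack("b", bytes([length_octet]))[0]


# Constructed Probe Request bodies (tagged parameters only, no MAC header):
GOOD_BODY = b"\x00\x07myhome!" + b"\x01\x04\x02\x04\x0b\x16"        # SSID + rates
OVERSIZED_SSID = b"\x00\x90" + b"A" * 0x90 + b"\x01\x04\x02\x04\x0b\x16"
TRUNCATED = b"\x00\x20" + b"B" * 10                                 # claims 32, has 10

if __name__ == "__main__":
    print("ssid:", extract_ssid(GOOD_BODY))
    for body in (OVERSIZED_SSID, TRUNCATED):
        print("valid:", is_valid_probe_body(body),
              "signed view of length octet:", signed_length_view(body[1]))
```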
--- Begin Message ---
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-004
AXIS 70U Network Document Server - Privilege Escalation and XSS
http://dsecrg.com/pages/vul/show.php?id=60
Application: AXIS 70U Network Document Server (Web Interface)
Versions Affected: 3.0
Vendor URL: http://www.axis.com/
Bug: Local File Include and Privilege Escalation, Multiple Linked XSS
Exploits: YES
Reported: 20.10.2008
Vendor response: 20.10.2008
Last response: 02.01.2009
Vendor Case ID: 143027
Solution: NONE
Date of Public Advisory: 19.01.2009
Authors: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)
Description
***********
Vulnerabilities found in Web Interface of device AXIS 70U Network Document Server.
1. Local File Include and Privilege Escalation.
Standard user can escalate privileges to administrator.
2. Multiple Linked XSS vulnerabilities
Details
*******
1. Local File Include and Privilege Escalation.
Local File Include vulnerability found in script user/help/help.shtml
User can include any local files even in admin folder.
Example:
http://[server]/user/help/help.shtml?/admin/this_server/this_server.shtml
2. Multiple Linked XSS vulnerabilities
Linked XSS vulnerability found in scripts:
user/help/help.shtml
user/help/general_help_user.shtml
Attacker can inject XSS script in URL.
Example:
http://[server]/user/help/help.shtml?<script>alert('DSecRG XSS')</script>
http://[server]/user/help/general_help_user.shtml?<script>alert('DSecRG XSS')</script>
Solution
********
Vendor decided that this vulnerability is not critical and there are no
patches for this firmware. But maybe he will patch issues on the next firmware release
Vendor response:
[13.01.2009]: "We don't see any major vulnerability issues with the current firmware of Axis 70U but we will consider the mentioned issues on the next firmware release."
About
*****
Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.
Contact: research [at] dsec [dot] ru
http://www.dsecrg.com
http://www.dsec.ru
--- End Message ---
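Two of the advisories in this digest share one root cause on the server side: the COMTREND micro_httpd note (string checks for "..", "../" and "/../" that percent-encoded or control-character input slips past, plus unescaped description fields reflected into HTML) and the AXIS 70U help.shtml include that accepts any path. As an added example, not code from either vendor or either advisory, the snippet below shows the defensive pattern for both: decode once, reject control characters and absolute paths, canonicalize, and only then test confinement to an allowed directory; and HTML-escape anything reflected from a request. `HELP_ROOT` is a hypothetical directory and the request strings are constructed.

```python
import html
import posixpath
from urllib.parse import unquote

HELP_ROOT = "/user/help"   # hypothetical: the only directory a help page may include from


class RejectedPath(ValueError):
    """Raised for a request that must not reach the filesystem."""


def resolve_include(requested: str, allowed_root: str = HELP_ROOT) -> str:
    """Map a user-supplied include name to one canonical path under allowed_root."""
    # Decode exactly once: decoding twice would let %252e%252e through as "..".
    decoded = unquote(requested)
    # Control characters (the %13 / %10 style bytes) and NUL have no place in a path.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        raise RejectedPath("control character in path")
    if "\\" in decoded:
        raise RejectedPath("backslash in path")
    if decoded.startswith("/"):
        raise RejectedPath("absolute path not allowed")
    # Canonicalize first (collapsing "." and ".."), then check confinement on
    # the result rather than searching the raw string for "../" substrings.
    candidate = posixpath.normpath(posixpath.join(allowed_root, decoded))
    root_prefix = allowed_root.rstrip("/") + "/"
    if not candidate.startswith(root_prefix):
        raise RejectedPath("path escapes the allowed directory")
    return candidate


def is_allowed_include(requested: str) -> bool:
    try:
        resolve_include(requested)
        return True
    except RejectedPath:
        return False


def render_description(user_text: str) -> str:
    """Reflect a user-supplied description field (service name, NAT entry) into HTML."""
    return html.escape(user_text, quote=True)


# Constructed requests exercising the checks (not taken from any device):
REQUESTS = [
    "general_help_user.shtml",                       # allowed
    "sub/../general_help_user.shtml",                # allowed, canonicalizes inside root
    "../../admin/this_server/this_server.shtml",     # escapes root
    "..%2f..%2fadmin/this_server/this_server.shtml", # same, percent-encoded slashes
    "%2e%2e/%2e%2e/admin/x.shtml",                   # same, percent-encoded dots
    "/admin/this_server/this_server.shtml",          # absolute path
    "help%10.shtml",                                 # control character
]

if __name__ == "__main__":
    for req in REQUESTS:
        try:
            print("allow ", req, "->", resolve_include(req))
        except RejectedPath as exc:
            print("reject", req, "->", exc)
    print(render_description('<script>alert("XSS")</script>'))
```

The order of operations is the whole point: every rejected request above contains a form of ".." that a substring check on the undecoded URL would miss, while the canonical path makes the escape obvious.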
--- Begin Message ---
======================================================================
Secunia Research 23/01/2009
- AXIS Camera Control "image_pan_tilt" Property Buffer Overflow -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
======================================================================
1) Affected Software
* AXIS Camera Control version 2.40.0.0
NOTE: Prior versions may also be affected.
======================================================================
2) Severity
Rating: Highly critical
Impact: System compromise
Where: Remote
======================================================================
3) Vendor's Description of Software
"AXIS Camera Control (ActiveX component) makes it possible to view
Motion JPEG video streams from an Axis Network Video product directly
in Microsoft Development Tools and Microsoft Internet Explorer."
Product Link:
http://www.axis.com/techsup/software/acc/index.htm
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in AXIS Camera
Control, which can be exploited by malicious people to compromise a
user's system.
The vulnerability is caused due to a boundary error in the
CamImage.CamImage.1 ActiveX control (AxisCamControl.ocx) and can be
exploited to cause a heap-based buffer overflow by assigning an overly
long string to the "image_pan_tilt" property.
Successful exploitation allows execution of arbitrary code, but
requires that the user is tricked into visiting and clicking a
malicious web page.
======================================================================
5) Solution
The vendor recommends removing the ActiveX control and using
AXIS Media Control as a replacement.
======================================================================
6) Time Table
09/01/2009 - Vendor notified.
09/01/2009 - Vendor response.
23/01/2009 - Public disclosure.
======================================================================
7) Credits
Discovered by Alin Rad Pop, Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2008-5260 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-58/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
--- End Message ---