SSD Advisory – QNAP QTS Unauthenticated Remote Code Execution

Vulnerability Summary The following advisory describes a memory corruption vulnerability that can lead to an unauthenticated remote code execution in QNAP QTS versions 4.3.x and 4.2.x, including the 4.3.3.0299. QNAP Systems, Inc. is “a Taiwanese corporation that specializes in providing networked solutions for file sharing, virtualization, storage management and surveillance applications to address corporate, SMB, … Continue reading SSD Advisory – QNAP QTS Unauthenticated Remote Code Execution
Read more

SSD安全公告-Endian防火墙从存储型XSS到远程命令执行

漏洞概要 以下安全公告描述了在Endian防火墙5.0.3版本中存在的一个存储型XSS漏洞,成功利用该漏洞可造成远程代码执行。 Endian防火墙是一个“专注Linux安全的发行版本,,它是一个独立的,统一的安全管理操作系统。 Endian防火墙基于强化的Linux操作系统。” 漏洞提交者 一位独立的安全研究者向 Beyond Security 的 SSD 报告了该漏洞 厂商响应 厂商已经发布针对该漏洞的补丁。获取更多信息: https://help.endian.com/hc/en-us/articles/115012996087 漏洞详细信息 Endian防火墙是基于Linux的防火墙/网关。 它使用不同的颜色来标记其trusted,untrusted 和DMZ网络: 绿色 – trusted网络 红色 – untrusted 网络 橙色 – DMZ 蓝色 – WiFi 用户可控的输入没有经过充分过滤,通过从untrusted 网络(红色)发送电子邮件到DMZ上的邮件服务器(橙色),Endian防火墙会把来自untrusted 网络的电子邮件隔离。 当来自trusted网络(绿色)的用户登录到Endian Firewall WebAdmin并检查隔离区中的电子邮件(Services > Mail Quarantine > quarantine)时,会执行存储型XSS脚本。 漏洞证明 配置环境 安装Endian防火墙虚拟机并设置防火墙网络接口为以下IP: 绿色 – 192.168.0.190 红色 – 192.168.0.192 设置以下密码: Web管理员(admin/Password1) SSH管理员(root/Password1) 连接Webadmin接口,添加ORANGE网络并更改GREEN … Continue reading SSD安全公告-Endian防火墙从存储型XSS到远程命令执行
Read more

SSD安全公告-Linux内核XFRM权限提升漏洞

漏洞概要 以下安全公告描述了在Linux内核中发现的一个UAF漏洞,成功利用此漏洞的攻击者可以提升权限。漏洞存在于Netlink 套接字子系统 – XFRM. Netlink用于在内核和用户空间进程之间传输信息。 它由用户空间进程的标准基于套接字的接口和内核模块的内部内核API组成。 漏洞提交者 一位独立的安全研究员Mohamed Ghannam向Beyond Security的SSD报告了该漏洞 厂商响应 该漏洞已在补丁1137b5e中被修复(“ipsec:修复中止xfrm策略转储崩溃”) CVE: CVE-2017-16939 漏洞详细信息 非特权用户可以更改Netlink 套接字子系统 XFRM sk-> sk_rcvbuf的值(sk ==sock结构体对象)。 可以通过setsockopt(SO_RCVBUF)更改sk-> sk_rcvbuf的值为特定的范围。通过recvmsg/recv/read接收数据时,sk_rcvbuf表示接收缓冲区的大小。 sk_rcvbuf值是内核为skb(sk_buff结构体对象)分配的大小。 skb-> trusize是一个变量,它保持对已使用内存的追踪,为了避免内存浪费,方便管理,内核可以在运行时改变skb的大小。 例如,如果我们分配一个大的套接字缓冲区(skb),而我们只接收到1字节大小的数据包,内核将通过调用skb_set_owner_r来调整skb-> trusize的大小。 通过调用skb_set_owner_r修改sk-> sk_rmem_alloc(引用自原子变量sk-> sk_backlog.rmem_alloc)。 当创建XFRM netlink 套接字时,会调用xfrm_dump_policy函数,当我们关闭套接字时,xfrm_dump_policy_done会被调用。 当netlink_sock对象的cb_running值为true时调用xfrm_dump_policy_done。 xfrm_dump_policy_done会尝试清理由netlink_callback对象管理的xfrm walk条目。 当调用netlink_skb_set_owner_r(如skb_set_owner_r)时,它会更新sk_rmem_alloc。 netlink_dump(): 在上面的代码中,我们可以看到当sk-> sk_rcvbuf小于sk_rmem_alloc(注意我们可以通过stockpot控制sk-> sk_rcvbuf)时,netlink_dump()验证失败。 当满足sk-> sk_rcvbuf小于sk_rmem_alloc时,会跳转到函数的结尾,然而cb_running的值还没有被更改为false,netlink_dump()函数就返回了。 此时nlk-> cb_running为true,因此会调用xfrm_dump_policy_done()。 nlk-> cb.done指向xfrm_dump_policy_done,值得注意的是这个函数处理一个双向链表,所以如果利用这个漏洞引用一个可控的缓冲区,我们就可以实现任意内存读写。 漏洞证明 下面的代码在Ubuntu 17.04测试。
Read more

SSD Advisory – Dasan Unauthenticated Remote Code Execution

Vulnerability Summary The following advisory describes a buffer overflow that leads to remote code execution found in Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 Dasan Networks GPON ONT WiFi Router “is indoor type ONT dedicated for FTTH (Fibre to the Home) or FTTP (Fiber to the Premises) deployments. That … Continue reading SSD Advisory – Dasan Unauthenticated Remote Code Execution
Read more

SSD Advisory – Coredy CX-E120 Repeater Multiple Vulnerabilities

Vulnerabilities Summary The following advisory describes two (2) vulnerabilities found in Coredy CX-E120 Repeater. The Coredy CX-E120 WiFi Range Extender is “a network device with multifunction, which can be using for increasing the distance of a WiFi network by boosting the existing WiFi signal and enhancing the overall signal quality over long distances. An extender … Continue reading SSD Advisory – Coredy CX-E120 Repeater Multiple Vulnerabilities
Read more

SSD Advisory – ZTE ZXDSL Configuration Reset

Vulnerability Summary The following advisory describes a configuration reset vulnerability found in ZTE ZXDSL 831CII version 6.2. ZXDSL 831CII is “an ADSL access device to support multiple line modes. It supports ADSL2/ADSL2+ and is backward compatible to ADSL, even offers auto-negotiation capability for different flavors (G.dmt, T1.413 Issue 2) according to central office DSLAM’s settings … Continue reading SSD Advisory – ZTE ZXDSL Configuration Reset
Read more

SSD Advisory – Synology StorageManager smart.cgi Remote Command Execution

Vulnerability Summary The following advisory describes a remote command execution vulnerability found in Synology StorageManager. Storage Manager is “a management application that helps you organize and monitor the storage capacity on your Synology NAS. Depending on the model and number of installed hard drives, Storage Manager helps you accomplish the following tasks: Create different types … Continue reading SSD Advisory – Synology StorageManager smart.cgi Remote Command Execution
Read more

SSD Advisory – Linux Kernel XFRM Privilege Escalation

Vulnerability Summary The following advisory describes a Use-after-free vulnerability found in Linux kernel that can lead to privilege escalation. The vulnerability found in Netlink socket subsystem – XFRM. Netlink is used to transfer information between the kernel and user-space processes. It consists of a standard sockets-based interface for user space processes and an internal kernel … Continue reading SSD Advisory – Linux Kernel XFRM Privilege Escalation
Read more

SSD Advisory – Cambium Multiple Vulnerabilities

Vulnerabilities Summary The following advisory describes three (3) vulnerabilities found in Cambium Network Updater Tool and Networks Services Server. The Network Updater Tool is “a free-of-charge tool that applies packages to upgrade the device types that the release notes for the release that you are using list as supported. Because this tool is available, an … Continue reading SSD Advisory – Cambium Multiple Vulnerabilities
Read more

SSD Advisory – DblTek Multiple Vulnerabilities

Vulnerabilities summary The following advisory describes 2 (two) vulnerabilities found in DblTek webserver. DBL is “specialized in VoIP products, especially GoIPs. We design, develop, manufacture, and sell our products directly and via distributors to customers. Our GoIP models now cover 1, 4, 8, 16, and 32-channel in order to meet the wide range of market … Continue reading SSD Advisory – DblTek Multiple Vulnerabilities
Read more
Page 1 of 612345...Last »