SSD Advisory – QNAP QTS LDAP Authentication Remote Code Execution

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
Introduction
Based on Linux, QNAP QTS 4 is a powerful operating system deployed on all QNAP Turbo NAS devices to bring performance and enhanced functionalities under an easy-to-use web GUI. QTS allows traditional NAS capabilities, in addition to advanced sharing features and mobile platforms support. Moreover, QTS supports custom applications to expand NAS functionalities for sharing and media streaming.
On top of a traditional Linux kernel (3.4.6, x86_64), QTS 4 provides NAS capabilities implemented in user-land and a web-based UI built using cgi-bin technology. Although SSH access is available on all QNAP devices, it is possible to completely manage the device using the web interface.
From the technical standpoint, the QTS 4 web UI consists of two main components:

  • A web server (thttpd) and CGI binaries. In the default configuration, this service runs as "admin", a user with root permissions. On 80/tcp, the web server hosts a set of scripts to perform a redirect to port 8080/tcp. The service is also available over SSL (443/tcp) using Apache configured as a reverse proxy, pointing to 8080/tcp. The webroot is located at /home/httpd.

    $ ps aux | grep thttpd
    5671 admin 3828 S /usr/local/sbin/Qthttpd -p 80 -nor -nos -u admin -d /home/Qhttpd -c **.*
    5716 admin 3916 S /usr/local/sbin/_thttpd_ -p 58080 -nor -nos -u admin -d /home/httpd -c **.* -h 127.0.0.1 -i /var/lock/._thttpd_.pid

  • A set of custom binaries and standard Linux utilities (e.g. ldapsearch) that are invoked from the CGI scripts to perform the required tasks.
By default, the web interface is available from remote hosts with no network filtering.
Vulnerability Overview
A code injection vulnerability has been discovered in the current version of QNAP QTS 4. As mentioned, this vulnerability affects all QNAP NAS products using LDAP authentication. Valid credentials are NOT required in order to exploit this issue, allowing a remote attacker to execute arbitrary system commands as root.

SSD Advisory – ManageEngine Exchange Reporter Plus Auth Bypass / Arbitrary SQL Statement Execution

Introduction
ManageEngine Exchange Reporter Plus is a web-based analysis and reporting solution for Microsoft Exchange Servers. Exchange Reporter Plus is a comprehensive MS Exchange reporting software that provides over 100 different reports on every aspect of the Microsoft Exchange Server environment.
Vulnerability Details
The ManageEngine Exchange Reporter product installs a JBoss server which listens on default port 8181 (tcp/http) for incoming requests. It offers an admin panel on that port.
Without authorization/authentication it is possible to visit the RunQuery.jsp script to execute arbitrary PostgreSQL statements. When the EXECUTE parameter is set to ‘true’, it is possible to pass arbitrary SQL queries through the QUERY parameter (stacked queries are allowed).

SSD Advisory – Oracle Endeca Workbench (CAS) Beanshell Script Remote Code Execution / Session Generation Authentication Bypass

Introduction
Oracle Endeca's Web commerce solution (now called Oracle Commerce Guided Search/Experience Manager) enables your company to deliver a personalized, consistent customer buying experience across all channels — online, in-store, mobile, or social. Whenever and wherever customers engage with your business, the Oracle Endeca Web commerce solution delivers, analyzes, and targets just the right content to just the right customer to encourage clicks and drive business results.
Vulnerability Details
A vulnerability in the session generation mechanism allows unauthenticated users to obtain "authenticated" status by accessing a page with certain parameters. A vulnerability in the /casconsole/messagebroker/amf endpoint allows attackers who can generate a custom Action Message Format (AMF) file to cause the remote server to execute arbitrary code.

SSD Advisory – Adobe Reader Combobox Code Execution

Introduction
More powerful than other PDF software, Adobe Acrobat Reader DC is the free, trusted standard for viewing, printing, and annotating PDFs. And now, it’s connected to Adobe Document Cloud — so it’s easier than ever to work with PDFs on computers and mobile devices.
Vulnerability Details
A vulnerability in the way Adobe Reader handles comboboxes allows a malicious user to send a specially crafted PDF file that, once opened and its embedded combobox accessed, triggers a code execution vulnerability.

SSD Advisory – Symantec Critical System Protection Remote Code Execution

Introduction
Symantec Critical System Protection provides policy-based behavior control and detection for server and desktop computers. Symantec Critical System Protection includes management console and server components, and agent components that enforce policies on computers.
Vulnerability Details
The agent control interface of the SCSP Server (sis-agent) is affected by a remote unauthenticated code execution vulnerability. This interface is used by the IDS/IPS agents to communicate with the SCSP server: to register themselves, fetch policy updates, report events, etc. Since all protected hosts need to communicate with the SCSP Server, we can expect this interface to be exposed to wide network ranges.