Security Advisories & CVEs

Aside from pentests and trainings – from time to time – I do general security research of open source and commercial products as well as frameworks. During this free research work I've identified several vulnerabilities and responsibly disclosed them to the developers or vendors, helping their products become safer (without ordering a pentest).

The following list gives an overview of issues I've identified during this free research along with the security advisories or CVEs that were created. Due to the responsible disclosure process the advisory level of detail is kept at a minimum, while still being a benefit for the users of the software and the security community through a standard notification and CVE process. Where relevant, I work with CERT/CC or CERT-BUND for coordinating the communication and advisory creation. Often vendors follow the guidelines issued by the "Allianz für Cybersicherheit" for handling identified vulnerabilities. As a security researcher I follow MITRE's "CVE Identifier Reservation Guidelines for Researchers" as well as the "Guidelines for Security Vulnerability Reporting and Response" of the Organization for Internet Safety.

Details

CVE-2014-5516 CSRF protection bypass in "KonaKart" Java eCommerce product
The CSRF protection token of the KonaKart Storefront Application was properly checked for every POST request. When the request method was changed from POST to GET, all state-changing actions still worked, but the CSRF token was no longer enforced, allowing Cross-Site Request Forgery attacks.

KonaKart 7.3.0.0 fixes this vulnerability.
Exploitability: Logged-in victim needs to visit a malicious webpage of the attacker
Escalation: CSRF-based overwriting of the victim account's mail address escalates to a successful password reset by the attacker, allowing account takeover
Researcher credit: Christian Schneider
See also:
  • Credit from KonaKart vendor
  • Advisory (via BugTraq)
  • CVE

CVE-2014-5393 Path traversal to sensitive files in webroot in "JobScheduler" product
Using specially crafted requests to the web interface of JobScheduler, an underprivileged user (with the "info" permission) can list directories and read the contents of (sensitive) files from the installation of the JobScheduler web interface, including datasource configurations (for example hibernate.cfg.xml and sos_settings.ini) as well as permission configuration files (scheduler.xml). These can contain passwords, depending on which authentication backend is configured. This can also be misused to escalate from the lower "info" permission to the higher "all" permission.

JobScheduler 1.7.4241 as well as JobScheduler 1.6.4246 fix this vulnerability.
Exploitability: Attacker accessing the JobScheduler Operations Center (JOC) of SOS JobScheduler remotely with a malicious request
Escalation: Successful retrieval of database and other backend passwords or similar sensitive config files can lead to further compromise
Researcher credit: Christian Schneider
See also:
  • Advisory from Software- & Organisations-Service GmbH (for JobScheduler 1.7.x)
  • Advisory from Software- & Organisations-Service GmbH (for JobScheduler 1.6.x)
  • Advisory (via BugTraq)
  • CVE

CVE-2014-5392 XML eXternal Entity (XXE) in "JobScheduler" product
Using a specially crafted request to the web interface of JobScheduler, it is possible to cause denial-of-service conditions as well as to list directories and read the contents of (sensitive) files from the filesystem of the server on which the JobScheduler web interface is installed.

JobScheduler 1.7.4241 as well as JobScheduler 1.6.4246 fix this vulnerability.
Exploitability: Attacker accessing the JobScheduler Operations Center (JOC) of SOS JobScheduler remotely with a malicious request
Escalation: Successful retrieval of database and other backend passwords or similar sensitive config files can lead to further compromise
Researcher credit: Christian Schneider
See also:
  • Advisory from Software- & Organisations-Service GmbH (for JobScheduler 1.7.x)
  • Advisory from Software- & Organisations-Service GmbH (for JobScheduler 1.6.x)
  • Advisory (via BugTraq)
  • CVE

CVE-2014-5391 DOM-based Cross-Site Scripting (XSS) in "JobScheduler" product
Using a specially crafted request to the web interface of JobScheduler, it is possible to execute DOM-based Cross-Site Scripting (XSS) attacks. The content of the URL's hash part (location.hash) is written directly into the HTML using document.write(), resulting in the DOM-based XSS. This enables attackers to impersonate victim users (in the context of the origin exposing the JobScheduler) when logged-in victims follow attacker-supplied links/sites.

JobScheduler 1.7.4241 as well as JobScheduler 1.6.4246 fix this vulnerability.
Exploitability: Victim needs to visit a malicious webpage of the attacker
Escalation: Possible when the origin into which the JobScheduler is integrated also serves other applications/content
Researcher credit: Christian Schneider
See also:
  • Advisory from Software- & Organisations-Service GmbH (for JobScheduler 1.7.x)
  • Advisory from Software- & Organisations-Service GmbH (for JobScheduler 1.6.x)
  • Advisory (via BugTraq)
  • CVE

CVE-2014-3574 DoS in OOXML office documents against "Apache POI" library
Using a specially crafted (small) office document that includes XML entity expansions, attackers can crash applications parsing it or make them unresponsive due to excessive memory consumption.

Apache POI 3.11-beta2 (released on 2014-08-22) as well as Apache POI 3.10.1 (released on 2014-08-18) fix several XXE-related vulnerabilities.
Exploitability: Application needs to parse a malicious office document of the attacker with POI
Escalation: Depends on the type of XXE vulnerability exploited
Researcher credit:
  • Phil Persad (who independently discovered a similar issue in POI)
  • Christian Schneider
See also:
  • Credit from Apache (project page)
  • Announcement from Apache
  • Info from SecurityFocus
  • CVE

CVE-2014-3529 XML eXternal Entity (XXE) Information Disclosure against "Apache POI" library
The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Apache POI 3.11-beta2 (released on 2014-08-22) as well as Apache POI 3.10.1 (released on 2014-08-18) fix several XXE-related vulnerabilities.
Exploitability: Application needs to parse a malicious office document of the attacker with POI
Escalation: Depends on the type of XXE vulnerability exploited
Researcher credit:
  • Mohamed Ramadan (who independently discovered a similar issue in POI)
  • Christian Schneider
See also:
  • Credit from Apache (project page)
  • Announcement from Apache
  • Info from SecurityFocus
  • CVE

CVE-2014-3160 Same-Origin Policy (SOP) bypass using SVG in "Google Chrome" browser
Attackers can bypass certain aspects of the Same-Origin Policy (SOP) of the Google Chrome browser using specially crafted SVG.

Chrome 36.0.1985.125 for Windows, Mac and Linux fixes this vulnerability.

Google Security rewarded the responsible disclosure of this Chrome vulnerability with a bug bounty.
Exploitability: Victim needs to visit a malicious webpage of the attacker
Escalation: Not possible
Researcher credit: Christian Schneider
See also:
  • Advisory from Google
  • CVE

CVE-2014-3149 Reflected Cross-Site Scripting (XSS) in "Invision Power IP.Board" product
Using a specially crafted request to the web forum software IP.Board, it is possible to execute Reflected Cross-Site Scripting (XSS) attacks. Due to a token-based CSRF protection the actual exploitation is somewhat limited, since attackers have to trick victims (using Clickjacking or social engineering) into submitting attacker-supplied content.

IP.Board versions below 3.4.6 as well as versions 3.3.x should be secured by applying the patch available from the vendor URL at http://community.invisionpower.com/topic/399747-ipboard-33x-34x-security-update/
Exploitability: Clickjacking or social engineering required
Escalation: Not possible
Researcher credit: Christian Schneider
See also:
  • Advisory from Invision Power
  • Advisory (via BugTraq)
  • CVE

CVE-2014-2843 Reflected Cross-Site Scripting (XSS) in "infoware MapSuite" product
Using a specially crafted URL to access the MapAPI, it is possible to execute Reflected Cross-Site Scripting (XSS) attacks. This enables attackers to impersonate victim users (in the context of the origin exposing the MapAPI) when logged-in victims follow attacker-supplied links/sites.

MapSuite should be upgraded as soon as possible to:
  • 1.1.49 or later for MapSuite MapAPI 1.1.x users
  • 1.0.36 or later for MapSuite MapAPI 1.0.x users
Exploitability: Victim needs to visit a malicious webpage of the attacker
Escalation: Possible when the origin into which the MapAPI is integrated also serves other applications/content
Researcher credit: Christian Schneider
See also:
  • Advisory (via BugTraq)
  • CVE

CVE-2014-2233 Server-Side Request Forgery (SSRF) in "infoware MapSuite" product
Using a specially crafted URL to access the MapAPI, it is possible to issue HTTP(S) GET requests originating from the attacked server (behind the firewall) and to read the response. This enables attackers to reach web servers that are not exposed to the internet and thus to pivot further into the targeted network.

MapSuite should be upgraded as soon as possible to:
  • 1.1.49 or later for MapSuite MapAPI 1.1.x users
  • 1.0.36 or later for MapSuite MapAPI 1.0.x users
Exploitability: Exploitable by unauthenticated attackers
Escalation: Escalation possible when sensitive backend web servers are accessible (like unprotected internal-only admin consoles)
Researcher credit: Christian Schneider
See also:
  • Advisory (via BugTraq)
  • CVE

CVE-2014-2232 Absolute Path Traversal in "infoware MapSuite" product
Using a specially crafted URL to access the MapAPI, it is possible to traverse the server's filesystem (including listing directory contents) and read files from it. This enables attackers to obtain sensitive files from the server containing passwords, configuration, source code, etc.

MapSuite should be upgraded as soon as possible to:
  • 1.1.49 or later for MapSuite MapAPI 1.1.x users
  • 1.0.36 or later for MapSuite MapAPI 1.0.x users
Exploitability: Exploitable by unauthenticated attackers
Escalation: Escalation possible when sensitive files (config, passwords, source) are read
Researcher credit: Christian Schneider
See also:
  • Advisory (via BugTraq)
  • CVE

CVE-2014-2026 Reflected Cross-Site Scripting (XSS) in "Intrexx Professional" product
Using the request parameter of the search functionality, it is possible to execute Reflected Cross-Site Scripting (XSS) attacks. This enables attackers to impersonate victim users (in the context of the origin exposing the portal) when logged-in victims follow attacker-supplied links/sites.

Intrexx Professional should be upgraded as soon as possible to:
  • "Online Update 10" or later for Intrexx Professional 6.0 users
  • "Online Update 0905" or later for Intrexx Professional 5.2 users
Exploitability: Victim needs to visit a malicious webpage of the attacker
Escalation: Possible when the origin of the portal also serves other applications/content
Researcher credit: Christian Schneider
See also:
  • Advisory from United Planet
  • Patch Listings from United Planet
  • CVE

CVE-2014-2025 Remote Code Execution (RCE) via Unrestricted Upload in "Intrexx Professional" product
Using an unrestricted file upload, it is possible to execute arbitrary code on the remote server by uploading a malicious file containing attacker-supplied code and then invoking it remotely.

Intrexx Professional should be upgraded as soon as possible to:
  • "Online Update 10" or later for Intrexx Professional 6.0 users
  • "Online Update 0905" or later for Intrexx Professional 5.2 users
Exploitability: Exploitable by unauthenticated attackers
Escalation: Escalation possible by further pivoting into internal network via compromised servers
Researcher credit: Christian Schneider
See also:
  • Advisory from United Planet
  • Patch Listings from United Planet
  • CVE

CVE-2014-0043 Information Disclosure in "Apache Wicket" web framework
By issuing requests to special URLs handled by the Apache Wicket web framework, it is possible to check for the existence of particular classes on the classpath and thus to determine whether a third-party library with a known security vulnerability is in use.

The application developers are recommended to upgrade to:
  • Apache Wicket 6.14.0
  • Apache Wicket 1.5.11
Exploitability: Exploitable by unauthenticated attackers
Escalation: Not possible
Researcher credit: Christian Schneider
See also:
  • Advisory from Apache
  • CVE

Reflected Cross-Site Scripting (XSS) + Server-Side Request Forgery (SSRF) in "WebService Test Page" (of Oracle WebLogic server console)
By making a specially crafted (attacker-controlled) WSDL file available online and using a specially crafted URL with the "WebService Test Page" (which is part of the WebLogic application server installation), reflected XSS attacks and SSRF attacks are possible:
  • XSS: As the "WebService Test Page" runs same-origin with the WebLogic administration console, the XSS victim – if logged in to the administration console – can be exploited to unwillingly (without user interaction or notice) deploy and execute the attacker's code on the WebLogic application server. This escalation to Remote Code Execution (RCE) was fully demonstrated in the vulnerability report against a fresh installation of WebLogic server. It was possible because the CSRF protection of the WebLogic administration console could be bypassed by the same-origin XSS in the WebLogic "WebService Test Page".
  • SSRF: It allows attackers to pivot further into the internal network behind the firewall, as well as to enumerate the server's filesystem for the existence of files and to cause DoS conditions.
Oracle responded that the vulnerable "WebService Test Page" is automatically deployed in WebLogic installations only when running in "development" or "test" mode and not when running in "production" mode. However, I've found (apparently misconfigured) production systems with WebLogic's "WebService Test Page" online. The "WebService Test Page" application was discarded and completely removed from the WebLogic product line (effective with WebLogic server 12.1.2) by Oracle after my report.
Exploitability: Exploitable by unauthenticated attackers (SSRF); victim needs to visit a malicious webpage of the attacker (XSS)
Escalation: Escalation to Remote Code Execution (RCE) when the victim is authenticated
Researcher credit: Christian Schneider
See also:
  • Credit from Oracle as Security-In-Depth Contributor
  • Article about the danger of CSRF with same-origin XSS

CVE-2012-1712 Path Traversal in "Java Server Faces (JSF)" web framework (Oracle & Liferay)
A specially crafted URL string used against JSF portlets can be exploited to read any file from the application's classpath (such as web.xml, configuration properties files, source code, datasource configuration, etc.). The vulnerability was demonstrated against a Liferay portal running on the Apache Tomcat application server. It also works on other JavaEE application servers, as long as JSF portlets are used.
Exploitability: Exploitable by unauthenticated attackers
Escalation: Escalation possible when sensitive files (config, passwords, source) are read
Researcher credit: Christian Schneider
See also:
  • Advisory from Oracle
  • CVE