ESA-2017-063: RSA Archer® GRC Platform Multiple Vulnerabilities

Posted by EMC Product Security Response Center on Jun 30

ESA-2017-063 RSA Archer® GRC Platform Multiple Vulnerabilities

EMC Identifier: ESA-2017-063

CVE Identifier: CVE-2017-4998, CVE-2017-4999, CVE-2017-5000, CVE-2017-5001, CVE-2017-5002

Severity Rating: CVSSv3 Base Score: Please view details below for individual CVE scores

Affected Products

• RSA Archer version 5.4.1.3
• RSA Archer version 5.5.3.1
• RSA Archer version 5.5.2.3
• RSA Archer version 5.5.2
•…

Schneider Electric Pro-Face WinGP – Runtime.exe – Insecure Library Loading Allows Code Execution

Posted by Karn Ganeshen on Jun 30

[ICS] Schneider Electric Pro-Face WinGP – Runtime.exe – Insecure Library Loading Allows Code Execution

Vendor: Schneider Electric
Equipment: Pro-Face WinGP
Vulnerability: Uncontrolled Search Path Element (DLL side-loading)

Advisory URL:
https://ipositivesecurity.com/2017/06/28/ics-schneider-electric-pro-face-wingp-insecure-library-loading-allows-code-execution/

————————

AFFECTED PRODUCTS

————————…

Microsoft Dynamic CRM 2016 – Cross-Site Scripting vulnerability

Posted by gregory draperi on Jun 30

Hello Everyone,

Product: MS Dynamic CRM 2016
Vendor: Microsoft

Vulnerability type: Cross Site Scripting
Vulnerable version: MS Dynamic CRM 2016 SP1 and previous
Vulnerable component: SyncFilterPage.aspx
Report confidence: Confirmed
Solution status: Not fixed by Vendor, will not patch the vuln.
Fixed versions: –
Researcher credits: Gregory DRAPERI
Vendor notification: 2017-05-30
Solution date:
Public disclosure: 2016-07-01
Reference:…

eVestigator Forensic PenTester v1 – Remote Code Execution via MITM

Posted by InterN0T via Fulldisclosure on Jun 30

# Exploit Title: eVestigator Forensic PenTester v1 – Remote Code Execution via MITM
# Date: 30/Jun/17
# Exploit Author: MaXe
# Vendor Homepage: https://play.google.com/store/apps/details?id=penetrationtest.eVestigator.com
# Software Link: See APK archive websites
# Screenshot: Refer to https://www.youtube.com/watch?v=cTu7yKTp8vc
# Version: V1
# Tested on: Android 4.0.3 (Google APIs) – API Level 15 – x86
# CVE : N/A
eVestigator Forensic PenTester…

Australian Education App – Remote Code Execution

Posted by InterN0T via Fulldisclosure on Jun 30

# Exploit Title: Australian Education App – Remote Code Execution
# Date: 30/Jun/17
# Exploit Author: MaXe
# Vendor Homepage: https://play.google.com/store/apps/details?id=a1.bestsafebrowser2.com
# Software Link: See APK archive websites
# Screenshot: Refer to https://www.youtube.com/watch?v=_DCz0OqJzBI
# Version: v6
# Tested on: Android 4.1.0 (Google APIs) – API Level 16 – x86
# CVE : N/A
Australian Education App – Remote Code Execution (No MITM…

BestSafe Browser FREE NoAds – Remote Code Execution

Posted by InterN0T via Fulldisclosure on Jun 30

# Exploit Title: BestSafe Browser FREE NoAds – Remote Code Execution
# Date: 30/Jun/17
# Exploit Author: MaXe
# Vendor Homepage: https://play.google.com/store/apps/details?id=a1.bestsafebrowser.com
# Software Link: See APK archive websites
# Screenshot: Refer to https://www.youtube.com/watch?v=VXNVzjsH0As
# Version: v3
# Tested on: Android 4.1.0 (Google APIs) – API Level 16 – x86
# CVE : N/A
BestSafe Browser FREE NoAds – Remote Code Execution (No…

Humax Digital HG100R multiple vulnerabilities

Posted by The Gambler on Jun 30

Humax Digital HG100R multiple vulnerabilities
Device: Humax HG100R
Software Version: VER 2.0.6

– Backup file download (CVE-2017-7315)
An issue was discovered on Humax Digital HG100R 2.0.6 devices, a modem commonly used by ISPs to provide ADSL internet service to household and small business users. (CHECK THIS INFO)
Downloading the backup file does not require credentials or any authentication, and the router credentials are…

Wikileaks Reveals CIA Malware that Hacks & Spies On Linux Computers

WikiLeaks has just published a new batch of the ongoing Vault 7 leak, this time detailing an alleged CIA project that allowed the agency to hack and remotely spy on computers running the Linux operating system.

Dubbed OutlawCountry, the project allows CIA operators to redirect all outbound network traffic on the targeted computer to CIA-controlled systems in order to exfiltrate and infiltrate data.

The OutlawCountry Linux hacking tool consists of a kernel module, which the CIA operators load via shell access to the targeted system; the module creates a hidden Netfilter table with an obscure name on the target Linux machine.

“The new table allows certain rules to be created using the “iptables” command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known. When the Operator removes the kernel module, the new table is also removed,” CIA’s leaked user manual reads.

Although the installation and persistence method of the OutlawCountry tool is not described in detail in the document, it appears that the CIA operators rely on existing CIA exploits and backdoors to load the kernel module onto a targeted Linux system.

However, the tool has some limitations, such as the kernel module only working with compatible Linux kernels.

“OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain,” WikiLeaks says.

Previous Vault 7 CIA Leaks

Last week, WikiLeaks dumped a classified CIA malware that tracks geo-location of targeted PCs and laptops running the Microsoft Windows operating system.

Dubbed ELSA, the malware captures the IDs of nearby public hotspots and then matches them with the global database of public Wi-Fi hotspots’ locations.

Since March, the whistleblowing group has published 14 batches of the “Vault 7” series, which include the latest leak and last week’s, along with the following batches:

  • Brutal Kangaroo – a CIA tool suite for Microsoft Windows that targets closed networks or air-gapped computers within an enterprise or organization without requiring any direct access.
  • Cherry Blossom – a CIA framework, essentially a remotely controllable firmware-based implant, used for monitoring the Internet activity of target systems by exploiting flaws in WiFi devices.
  • Pandemic – a CIA project that allowed the spying agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
  • Athena – the agency’s spyware framework, designed to take full remote control of infected Windows machines, which works with every version of Microsoft’s Windows operating system from Windows XP to Windows 10.
  • AfterMidnight and Assassin – two apparent CIA malware frameworks for the Microsoft Windows platform that are meant to monitor and report back actions on the infected remote host and execute malicious code.
  • Archimedes – a man-in-the-middle attack tool allegedly built by the spying agency to target computers inside a Local Area Network (LAN).
  • Scribbles – a piece of software reportedly designed to embed ‘web beacons’ into confidential documents, allowing the CIA to track insiders and whistleblowers.
  • Grasshopper – a framework that allowed the CIA to easily create custom malware for breaking into Microsoft Windows and bypassing antivirus protection.
  • Marble – the source code of a secret anti-forensic framework, primarily an obfuscator or packer used by the spying agency to hide the actual source of its malware.
  • Dark Matter – hacking exploits the agency designed and used to target iPhones and Mac machines.
  • Weeping Angel – a spying tool used by the CIA to infiltrate smart TVs, transforming them into covert microphones in the target’s pocket.
  • Year Zero – CIA hacking exploits for popular hardware and software.

CVE-2017-2298

The mcollective-sshkey-security plugin before 0.5.1 for Puppet uses a server-specified identifier as part of a path where a file is written. A compromised server could use this to write a file to an arbitrary location on the client with the filename appended with the string “_pub.pem”.

CVE-2017-2292

Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.
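As an added illustration of the fix described above (example code written for this page, not MCollective's or Puppet's own), the decoder below applies YAML.safe_load with an explicit allow-list to agent replies. The two sample replies are constructed; the key names and the OpenStruct tag are assumptions chosen for the demonstration and are not taken from MCollective's wire format.

```ruby
require 'yaml'

# Constructed sample agent replies (not captured MCollective traffic). The
# replies are symbol-keyed hashes; the first is benign, the second carries a
# !ruby/object tag that asks the YAML parser to instantiate an arbitrary class.
BENIGN_REPLY = <<~YAML
  :senderid: node01.example.com
  :statuscode: 0
  :data:
    :uptime: 12345
YAML

TAGGED_REPLY = <<~YAML
  :senderid: node01.example.com
  :statuscode: 0
  :data: !ruby/object:OpenStruct
    table: {}
YAML

# Hardened decoder, mirroring the fix for CVE-2017-2292: YAML.safe_load only
# builds core scalars, arrays and hashes. Symbol is permitted explicitly because
# the message keys are symbols; any other tagged class is rejected before the
# parser tries to resolve or allocate it. Before the fix the equivalent call was
# YAML.load, which (in Psych < 4) honours such tags and builds the object.
def decode_agent_reply(text)
  YAML.safe_load(text, permitted_classes: [Symbol], aliases: false)
rescue Psych::DisallowedClass => e
  # Surface the rejection as data so the caller can log and drop the reply.
  { error: e.message }
end

if __FILE__ == $PROGRAM_NAME
  p decode_agent_reply(BENIGN_REPLY)
  p decode_agent_reply(TAGGED_REPLY)
end
```

The allow-list is the important part: widening it to whatever classes a third-party plugin happens to serialize re-creates the original problem, so a plugin that needs richer types should convert them to plain hashes before sending rather than relying on the server to revive them.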