Archive for Disclosure
Author: Dave Lewis
May 7, 2008 at 9:28 pm · Filed under Critical Infrastructure, Disclosure, SCADA Security
Core Security, makers of the product Core Impact.
Nice folks.
I like the product.
Apparently they left the gate open and their brains ran away in the night. What am I talking about? Well, they posted a vulnerability in the software of SCADA vendor Wonderware.
From their posting:
A vulnerability was found in Wonderware SuiteLink Service (slssvc.exe) that could allow an un-authenticated remote attacker with the ability to connect to the SuiteLink service TCP port to shutdown the service abnormally by sending a malformed packet. Exploitation of the vulnerability for remote code execution has not been proven, but it has not been eliminated as a potential scenario.
Fine. Good catch. I have been lucky enough to work with 10+ vendors so far on security vulnerabilities including one donkey outfit in ‘07. But, the rest were all professional. I was patient as I waited for them to get their **** together.
Now, on the SCADA side of the line we have another world that would make the Mad Hatter quite perplexed. There are some EMS vendors that require you speak to them slowly as more than several sentences per minute and they might, regrettably, spontaneously combust. It would appear, based on their apparent time line that WW is potentially one such firm.
That, however, doesn’t merit this,
An attacker can trigger the memory allocation operation failure by specifying an abnormally large length field in a Registration packet. The following binary excerpt shows where the problem is:
And here they provide the binary analysis.
They left the tracks at this point. I have released several vulnerabilities to date and not once did I release the actual code for the specific problem. What would that accomplish? I gave them the opportunity to patch the problem. They were able to address the issue with their respective customers and I got the byline.
Again from their time line,
Core has learned over the course of 13 years working in this particular field that it is fundamental to provide precise and accurate technical information about problems.
But, releasing the actual binary analysis? Let go of my leg.
Not cool. So much for responsible disclosure.
Article Link
Thx to CJ, M, Darko, Melanie and Bob for sending this one in!
(ed note: I do enjoy stirring it up. Looks like this one did the trick.)
Author: Dave Lewis
March 11, 2008 at 3:10 pm · Filed under Disclosure, Liquidmatrix Advisory
Summary
Name: Adobe LiveCycle Workflow XSS Vulnerability
Release Date: 11 March 2008
Reference: LSD002-2008
CVE Number: CVE-2008-1202
Discover: Dave Lewis
Vendor: Adobe Systems
Product: LiveCycle Workflow 6.2 Management Web Interface
Systems Affected: version 6.2 (as tested)
NB. Other versions may be affected.
Risk: Important
Status: Published
Reference:
1) http://www.liquidmatrix.org/blog/2008/03/11/advisory-adobe-…ility/
2) http://www.adobe.com/support/security/bulletins/apsb08-10.html
Time Line
Discovered: 16 January 2008
Reported: 16 January 2008
Fixed: 5 March 2008
Patch Release: 11 March 2008
Published: 11 March 2008
Description
The Adobe LiveCycle Workflow management login page contains a vulnerability which is susceptible to a cross site scripting (XSS) attack.
Impact: a remote attacker could execute a XSS attack that could pass arbitrary html to the user and capture usernames/passwords.
Technical Details
Input passed to the URL of the web management login page is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Fix Information
This issue has been resolved.
The patch may be obtained from:
http://www.adobe.com/go/supportportal
Notes
I would like to thank the Adobe team for their attention to this problem and for their professionalism.
Liquidmatrix Security Digest
http://www.liquidmatrix.org/blog/
2255B Queen Street East
suite 156
Toronto, Ontario
Canada
M4E 1G3
Tags: Security Advisory, Advisory, Adobe Systems, Adobe LiveCycle Workflow
Author: Dave Lewis
February 8, 2008 at 8:58 am · Filed under Disclosure, Legal Aspects
Chris Soghoian, you know, the boarding pass guy, has an interesting piece on his blog about the efforts of large corporations to squash a proposed piece of legislation. This particular piece of legislation is apparently pro-consumer. Glad to see that the big guys are looking out for the average Joe. That’s sarcasm just in case you might have missed it.
From C|Net:
In a direct slap in the face to consumers, tech industry giants including Microsoft, AT&T, and Verizon are frantically engaged in an effort to kill pro-consumer provisions in a data breach notification bill currently being considered by the Indiana State Senate.
The bill would require that the state attorney general act as a single point of contact for data breaches. Any company that suffered a breach impacting one or more Indiana consumers would be required to notify the AG’s office. The bill would also make Indiana the only state in the country to to require the attorney general to post a copy of each report to its Web site–so that consumers, members of the press, and academics would have a single place to go to in order to find out about data breaches.
An excellent article. I would highly suggest reading the full post.
Article Link
Tags: Pro-Consumer, Data-Breach Legislation, Indiana State Senate
Author: Dave Lewis
January 29, 2008 at 9:16 am · Filed under Disclosure, Liquidmatrix Advisory, Vulnerability
Summary
Name: Tripwire Enterprise/Server XSS Vulnerability
Release Date: 29 January 2008
Reference: LSD001-2008
Discover: Dave Lewis
Vendor: Tripwire
Product: Tripwire Enterprise/Server Management Web Interface
Systems Affected: version 7.0 (as tested)
NB. Earlier versions are affected as well. Please upgrade.
Risk: Less Critical
Status: Published
Reference:
http://www.liquidmatrix.org/blog/2008/01/29/advisory-tripwire-…ility/
Description
The Tripwire Enterprise management login page contains a vulnerability which is susceptible to a cross site scripting (XSS) attack.
Impact: a remote attacker could execute a XSS attack that could pass arbitrary html to the user.
Technical Details
Input passed to the URL of the web management login page is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Fix Information
This issue has been resolved.
The patch may be obtained from:
http://www.tripwire.com (Patch 866 “te-7.0.0.866_patch.zip”)
Notes
I would like to thank the Tripwire team for their professionalism. I should note that the release of this advisory does not in any way negatively alter my view that Tripwire is a great audit and control suite.
Liquidmatrix Security Digest
http://www.liquidmatrix.org/blog/
2255B Queen Street East
suite 156
Toronto, Ontario
Canada
M4E 1G3
Tags: Security Advisory, Advisory, Triwpire, Tripwire Enterprise
Author: Dave Lewis
December 10, 2007 at 9:00 am · Filed under Disclosure, Liquidmatrix Advisory, Vulnerability
Summary
Name: Websense XSS Vulnerability
Release Date: 10 December 2007
Reference: LSD002-2007
Discover: Dave Lewis
CVE: Pending
Vendor: Websense
Product: Websense Enterprise and Websense Web Security Suite
Systems Affected: version 6.3 (as tested)
Risk: Less Critical
Status: Published
Reference:
http://www.liquidmatrix.org/blog/2007/12/10/advisory-websense-xss-vulnerability/
Time Line
Discovered: 8 November 2007
Reported: 8 November 2007
Fixed: 21 November 2007
Patch Release: 21 November 2007
Published: 10 December 2007
Description
Websense Enterprise and Websense Web Security Suite contain a vulnerability in the login page is susceptible to a cross site scripting (XSS) attack.
Impact: a remote attacker could execute a XSS attack that could pass arbitrary html to the user.
Technical Details
Input passed to the “username” field of the logon page is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Fix Information
This issue has now been resolved.
The patch may be obtained from:
http://www.websense.com (Hotfix #80)
Knowledge Base #1840
http://www.websense.com/SupportPortal/SupportKbs/1840.aspx
Notes
I would like to thank Dan and the rest of the Websense team for their professionalism. I should note that the release of this advisory was delayed due simply to an errant email.
Liquidmatrix Security Digest
http://www.liquidmatrix.org/blog/
2255B Queen Street East
suite 156
Toronto, Ontario
Canada
M4E 1G3
Tags: Security Advisory, Advisory, Websense, Websense Vulnerability
Author: Dave Lewis
December 5, 2007 at 9:10 am · Filed under Disclosure, Liquidmatrix Advisory, Vulnerability
Summary
Name: Cross Site Scripting in CiscoWorks
Release Date: 05 December 2007
Reference: LSD001-2007
Discover: Dave Lewis
CVE Number: CVE-2007-5582
Vendor: Cisco
Systems Affected: CiscoWorks version 2.6 (as tested)
All prior builds are affected
Risk: Medium
Status: Published (Vendor Confirmed, Patch Available)
Description
The initial CiscoWorks login page is susceptible to XSS attack.
Impact: attackers could execute XSS attacks that can harvest session cookies and username/passwords.
TimeLine
Discovered: 20 August 2007
Reported: 24 September 2007
Fixed: 5 November 2007
Patch Release: 5 December 2007
Published: 5 December 2007
Technical Details
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. Input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session.
Fix Information
This issue has now been resolved.
The patch may be obtained from:
http://www.cisco.com
Cisco Advisory
http://www.cisco.com/warp/public/707/cisco-sr-20071205-cw.shtml
I would like to thank Cisco for their prompt and professional response to this issue.
Liquidmatrix Security Digest
http://www.liquidmatrix.org/blog/
2255B Queen Street East
suite 156
Toronto, Ontario
Canada
M4E 1G3
Thanks: PortSwigger, Wade and pdp.
Author: Dave Lewis
November 8, 2007 at 11:00 am · Filed under Disclosure, Resources
In the course of submitting a security vulnerability to a vendor today, I was referred to the “Organization of Internet Safety” guidelines for reporting (.pdf) security vulnerabilities to vendors.
No worries.
I downloaded it and gave it a read. The part that struck me was that is was released in September 2004. So, I went to check for a possible newer version but, that’s the one. The most recent press release on the site dates from 2004 as well. Has this organization (which, admittedly, I only loosely recall) gone toes up?
Site Link
Tags: Vulnerability Disclosure, Vulnerabilities, Vendor Disclosure, OIS
Explore
Security Bloggers Network
