ADVISORIES | October 24, 2019

Buffer Overflow, Cross-Site Scripting / Request Forgery, URI Injection, Insecure SSH Key Exchange in Antaira LMX-0800AG

(eight advisories in document) Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) is affected by a memory corruption vulnerability when processing cookies. An unauthenticated attacker could leverage the vulnerability to take full control over the switch.

It is also affected by a memory corruption vulnerability when processing ioIndex GET parameter values. An attacker with valid credentials for the web interface could leverage the vulnerability to take full control of the switch.

Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) is affected by a reflected cross-site scripting (XSS) vulnerability when accessing non-existent paths. An attacker could trick an operator into opening a booby-trapped link and exfiltrate the operator’s credentials or perform actions without the operator’s consent.

It is also affected by multiple cross-site request forgery (CSRF) vulnerabilities. An attacker could trick an operator into visiting a malicious page that performs actions on behalf of the victim without the victim’s knowledge or consent. The attacker could, for instance, change the settings of the switch or create a rogue user with admin privileges.

Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) insecurely parses the System Property field from incoming Link Layer Discovery Protocol (LLDP) packets. An attacker in an adjacent network could send malicious LLDP packets that inject arbitrary clickable links into the web interface’s LLDP neighbors page, which could lead to various social engineering ruses.

It also supports weak SSH key exchange methods and ciphers. An attacker could leverage these weaknesses to potentially decrypt traffic or place a rogue computer between the device and the operator.

Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) stores passwords insecurely on the device. The passwords are stored base64-encoded, which can be trivially decoded by an attacker with access to the configuration.

Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) discloses sensitive information (e.g. stack traces) in the serial console. An attacker with physical access to the device could leverage the information to help discover and develop exploits.

ADVISORIES | August 31, 2019

Reflected Cross-site Scripting in Microsoft Power BI

The application is vulnerable to reflected cross-site scripting (XSS). The requested data, which contains JavaScript code, is reflected in the response. Attackers could trick users into following a link or navigating to a page that posts a malicious JavaScript statement to the vulnerable site, causing the malicious JavaScript to be rendered by the site and executed by the victim client. The JavaScript code could be used for several purposes, including stealing user cookies or as a second step to hijacking a user’s session. Another attack plan could include the possibility of inserting HTML instead of JavaScript to change/modify the contents of the vulnerable page, which could be used to trick the client.

ADVISORIES | June 17, 2019

Configuration Shell Escape injecting OS/IPV6 commands, and HTML Injection in LLDP Packet System Name Field Leading to Persistent Cross-site Scripting in Antaira LMX-0800AG

(two advisories in document) An authenticated malicious user with access to the web interface (with manager privileges) or via SSH/Serial connection (with enable/config privileges) can inject Operating System (OS) commands in ipv6 commands, which will be executed with root privileges on the switch.

An unauthenticated attacker located in an adjacent network could send malicious Link Layer Discovery Protocol (LLDP) packets containing JavaScript code embedded in the System Names attribute. It should be noted that LLDP discovery is not enabled by default in firmware v2.8.

ADVISORIES | May 23, 2019

ASUS – ZenUI Launcher AppLockReceiver | AppLockProvider Exposed

A malicious application without any permission could remove applications from, and gain read and write access to, the list of locked applications configured in AppLock, thereby bypassing the security pattern the user configured to protect them. (two advisories in document)

ADVISORIES |

ASUS – ZenUI Dialer & Contacts PrivateContactsProvider | BlockListProvider Exposed

A malicious application without any permission could gain read and write access to the list of Private Contacts and blocked numbers configured in ZenUI Dialer & Contacts. (two advisories in document)

ADVISORIES |

ASUS – ZenUI Messaging PrivateSmsProvider-PrivateMmsProvider | SmsReceiverService Exposed

A malicious application without any permission could gain read and write access to the private SMS and MMS messages configured in ZenUI Messaging, as well as send arbitrary SMS messages to arbitrary phone numbers. (two advisories in document)

ADVISORIES | April 1, 2019

Android (AOSP) Download Provider Request Headers Disclosure (CVE-2018-9546)

A malicious application with the INTERNET permission granted could retrieve all entries from the Download Provider request headers table.

These headers may include sensitive information, such as session cookies or authentication headers, for any download started from the Android Browser or Google Chrome, among other applications.

Consider the impact that this would have on a user downloading a file from an authenticated website or URL. For example, an electronic statement file from an online bank or an attachment from corporate webmail may allow an attacker to impersonate the user on these platforms.

ADVISORIES |

Android (AOSP) Download Provider Permission Bypass (CVE-2018-9468)

A malicious application without any granted permission could retrieve all entries from the Download Provider, bypassing all currently implemented access control mechanisms. The level of access will be similar to having the ACCESS_ALL_DOWNLOADS permission granted, which is a signature-protected permission.

The information retrieved from this provider may include potentially sensitive information such as file names, descriptions, titles, paths, URLs (that may contain sensitive parameters in the query strings), etc., for applications such as Gmail, Chrome, or the Google Play Store.

ADVISORIES |

Android (AOSP) Download Provider SQL Injection (CVE-2018-9493)

By exploiting an SQL injection vulnerability, a malicious application without any permission granted could retrieve all entries from the Download Provider, bypassing all currently implemented access control mechanisms. Applications that were granted limited permissions, such as INTERNET, can also access all database contents from a different URI.

The information retrieved from this provider may include potentially sensitive information such as file names, descriptions, titles, paths, URLs (that may contain sensitive parameters in the query strings), etc., for applications such as Gmail, Chrome, or the Google Play Store.

Further access to the downloaded contents may be possible as well, depending on the permissions granted to the app and files.

ADVISORIES | February 1, 2019

Synaptics TouchPad SynTP Driver Leaks Multiple Kernel Addresses

The Synaptics TouchPad Windows driver leaks multiple kernel addresses and pointers to unprivileged user mode programs. This could be used by an attacker to bypass Windows Kernel Address Space Layout Randomization (KASLR). (CVE-2018-15532)