Digital Security Research Group

Vulnerabilities: vCenter Orchestrator - password disclosure

The vCenter Orchestrator (vCO) Web Configuration tool reflects back saved passwords as part of web page.

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Vulnerabilities: Oracle Application Server - multiple security vulnerabilities

Oracle Application Server Containers has multiple HTTP Response Splitting vulnerabilities.

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Vulnerabilities: ASUS Net4Switch ipswcom.dll ActiveX - buffer overflow vulnerability

ASUS Net4Switch contains ActiveX component ipswcom.dll which is vulnerable to buffer overflow attack.

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Vulnerabilities: SAP MessagingSystem - information disclosure

Information disclosure in MessagingSystem servlet.

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Vulnerabilities: SAP Internet Sales - XSS

SAP NetWeaver 7.0 Internet Sales (crm.b2b) has XSS vulnerability.

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Exploits: ProSSHD v 1.2. Remote bind shell exploit (w/ASLR and DEP bypass using ROP)

Exploits: SAP GUI 7.10 WebViewer3D ActiveX - JIT-Spray Exploit

Exploits: Oracle Document Capture (EasyMail Objects EMSMTP.DLL 6.0.1) ActiveX Control BOF - JIT-Spray Exploit

Exploits: Oracle Document Capture (EasyMail Objects EMSMTP.DLL 6.0.1) ActiveX Control BOF - hardware DEP bypass

Exploits: Oracle Document Capture (EasyMail Objects EMSMTP.DLL 6.0.1) ActiveX Control BOF

Publications: Whitepaper "Python arsenal for Reverse Engineering" version 1.1

Python programming language has become a language of hackers. And it is not surprising, because it has all the necessary qualities: − Free − Portable − Powerful − Mixable − Easy to learn etc. A great role in this were played by such projects as IDA Pro, WinDBG, OllyDebug, gdb, which, being a de-facto standard among disassemblers and debuggers, eventually began to support the scripting engines in Python. Of course, they had maintained their own API for plug-in developing, and it was not a small number of them, but exactly with the appearance of the Python support they received a strong push in the development: increased the number of plug-in, increased community, and of course their flexibility also increased, which allowed them to interact both with each other and with other applications, using the best aspects of each other. But in the beginning of the path there was naturally only hacker spirit and idea.
Python arsenal for RE 1.1.pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Publications: Whitepaper "Architecture and program vulnerabilities in SAP’s J2EE engine" from BlackHat USA 2011

Today, SAP NetWeaver is the most widespread platform for developing enterprise business applications. This talk will focus on one of the black holes called SAP J2EE engine. Some of the critical SAP products like SAP Portal, SAP Mobile, SAP XI and many other applications lay on J2EE engine which is apart from ABAP engine is less discussed but also critical. We will explain the architecture of SAP’s J2EE engine and give a complete tour into its internals. Thereafter, we will show a number of previously unknown architecture and program vulnerabilities from auth bypasses, smbrelays, internal scans, xml/soap attacks to insecure encryption algorithms and cross-system vulnerabilities in J2EE platform. Finally a chained attack which use multiple logic vulnerabilities and gives full control on SAP’s J2EE Engine will be demoed. A free tool will also be presented to automatically scan custom applications against this attack.“
A crushing blow at the heart SAP J2EE engine_whitepaper.pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Publications: Whitepaper "Python arsenal for Reverse Engineering" version 1.0

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Publications: Presentation "DNS for EVIL" from CONFidence Krakov 2011

Talk about DNS reverse tunnel that author uses for penetration tests. Finally was published own reverse DNS shellcode and payload that was written special for pen-test tasks. This work also demonstrates how malware C&C and BOT can work together. The main idea of this work that it’s necessary to pay more attention to the DNS traffic.
dns_shl[1].pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Publications: Presentation "Forgotten World: Corporate Business Application Systems" from BlackHat DC 2011

Agenda: ‛Do you know where all the critical company data is stored? Do you know how easily you can be attacked by cybercriminals targeting this data? How can an attacker sabotage or commit espionage against your company having access just to one system? This paper will describe some basic and advanced threats and attacks on Enterprise Business Applications – the core of many companies.“

The talk will be about enterprise business applications, the way attackers can gain access to critical business data, steal money or disable technological corporate network like SCADA, using vulnerabilities and misconfigurations in the architecture of business applications. We will show the examples of various business applications including custom ones as well as the more popular ones, like SAP and JD Edwards and previously unknown vulnerabilities and attack methods that can be exploited not just for popping a shell, but to gain unauthorized access to business-critical data. These attack methods can also be useful in penetration tests against ERP systems. Many problems that will be shown cannot be easily patched because they are design flaws or business logic problems requiring re-design of a system.

Whitepaper can be downloaded here
Forgotten World - Corporate Business Application Systems (Polyakov,Smith at BlackHat DC).pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

News: ERPScan researchers guard Adobe

Adobe, the global leader in digital marketing and digital media solutions, thanks Dmitry Chastukhin, ERPScan lead assessor, for the dangerous vulnerabilities that he has found at Adobe.Com in the framework of research conducted by Digital Security Research Group, a subdivision of ERPScan.

The website contained several vulnerabilities which allow compromising user accounts and getting additional information about the system so that an attacker could devise specific attack vectors with the gathered data. A possibility of injecting malicious code into the web page was also revealed, which would do serious harm to the public image of the company if exploited. In the course of one of the possible attacks, a hacker could replace legitimate content with malware, so that downloading a regular Adobe Flash Player update would lead to infection of millions PCs worldwide. Thanks to ERPScan researchers, no hacker can exploit the security breach anymore.

‛I hope other world-famous corporations like Adobe will follow suit and pay more attention to the security of their web sites. A web representation of company as a basis for their reputation must be undervalued“, Dmitry comments on his findings.

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

News: ERPScan has released a new version of Security Scanner for SAP: ERPScan v2.0

ERPScan company, one of the key players in ERP security, has released ERPScan Security Scanner for SAP 2.0 – a complex solution to continuously monitor all areas of SAP security, from vulnerability assessment and misconfigurations to ABAP code review and analysis of business-critical privileges.

One of the most significant changes is a new module which can make static analysis of ABAP code security. It makes ERPScan the only solution on the market which makes both security assessment of platform and code review. We have also significantly increased the number of anonymous checks which can be performed in Penetration testing mode to help companies identify issues without using credentials in the system. The new engine can help to perform audit and compliance checks not just through RFC – it allows making complete scan through the web-interface which is a great feature for external penetration tests and can make pen-testers’ lives easier.

‛Today, almost all critical operations like procurements, stock resources management, human resources management, financial reports and much more, and all the data related to them, are stored in SAP system. This is why the main target for an insider or an external attacker would be to gain illicit access to SAP with the purpose of malicious manipulation of company resources. In spite of the increasing popularity of ERP systems security in the security community, companies are still vulnerable to cybercriminal and insider attacks. At this moment SAP has released more than 2000 Security notes closing various vulnerabilities, which is quite a lot, especially if you keep in mind that sometimes it is enough to get access to all business critical data through only one issue. An example was presented at BlackHat last summer. On the other side, almost every company develops custom ABAP code which can also have vulnerabilities and backdoors left by developers“, said Alexander Polyakov, CTO of ERPScan.

Using ERPScan, all kinds of customers can decrease their expenses and get different benefits.

Consulting companies can save time and resources. ERPScan allows them to significantly simplify the task of assessment by automating most of the ordinary checks, so auditors can pay more attention to the analysis of the customized part. Moreover, the unique database of checks gives consulting companies competitive advantages.
CISOs can effectively monitor security of SAP systems and prevent insider and hacker threats.
Penetration testers can easily perform black-box and white-box assessments of SAP with the largest knowledge base in the world and 0-day vulnerabilities.
SAP team can manage business-critical authorizations and control development by applying preventive measures.

‛SAP security assessment, according to our experience, usually takes quite a long time. Additionally, the complexity of the system and the large amount of different installation types require the participation of specialists from various fields of security. Even the application server may have either ABAP or Java platform, and they require completely different specialists, not to mention particular applications and modules. ERPScan allows you to significantly simplify the task of assessment by automating most of the ordinary checks, so you can pay more attention to the analysis of the customized part“, said Alexander Polyakov.

More new functions:

Support of different web application types (bsp/iviews/jsp/webservices/webdynpro’s)
More than 5000 different checks covering misconfigurations, vulnerabilities, access to web-applications; search for 50 different types of vulnerabilities in ABAP code
Elaborated black-box vulnerability assessment
Cataloguing of SAP systems and services

‛Earlier, you needed to implement many different solutions to secure SAP from threats, now it is all in one place“, said Ilya Medvedovsky, CEO of ERPScan.

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

News: Installation of vendor's patch does not always guarantee security

Experts from ERPScan Company, specialized in business applications security and SAP security, found out that even well-timed installation of vendor’s patch does not always guarantee security because the fixes are not always correct. In 2011, three critical patches from the key software vendors like SAP, IBM and VMware actually did not fix or not completely fixed vulnerabilities that ERPScan or other researchers had found in their products. This allows potential attackers to continue exploiting the vulnerabilities, whereas all most scanners and auditors would say that the problem is no more because patch is installed.

On the BlackHat Europe conference held from March 14 to March 16, Alexey Sintsov, head of information security audit department in ERPScan Company, shared his experience in penetration testing and presented the results of a recently conducted research of Lotus Domino security.

His presentation told about lack of time and frequently desire for companies to dig into the details of existing vulnerabilities to exploit them, and how it often impairs the quality of their work.

In the demonstration, a private vulnerability in Lotus Domino was quite quickly disassembled, the resulting exploit used, the existing patch bypassed and a critical 0-day vulnerability found. The result was an attack on the Domino Controller service (the Lotus Domino administration service) which allows full server compromise.

Vulnerable services were also exposed which, one would suppose, should not be accessible from the Internet. Moreover, in the course of the research, services with the 0-day vulnerability and ever older vulnerabilities were found on the USA government servers (the .gov domain), on the servers of Russian universities and, curiously enough, even in the corporate network of IBM itself.

Thus, it can be concluded that penetration threats are quite easily actualized for pretty much any network; even governments and corporate giants are vulnerable to attacks from the Internet, such as those made by LulzSec and Anonymous.

Links to vulnerabilities:

Vulnerability in IBM Lotus (ZDI)
Vulnerability in VMware (Advisory,Vendor’s patch)
Vulnerabilities in SAP (Advisory, New patch, Old patch); another one is still being patched again.

Alexey’s presentation can be found here.

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

News: SAP critical patch update March 2012

SAP has released monthly critical patch update for March 2012. This patch update closes many vulnerabilities in SAP products. This month, 2 vulnerabilities found by ERPScan researchers Dmitriy Chastukhin and Alexey Tyurin were closed.

Detailed list of corrected vulnerabilities is below:

An XSS vulnerability was found in SAP Portal. An attacker can use the XSS vulnerability by sending a link to malicious script to an unaware user via an e-mail, messaging or social networks. Thus, an attacker can gain access to user session and gain control over business-critical information which can be accessed by victim. Update is available in SAP Note 1656549. Criticality, according to CVSS, is 4.3.
Missing authorization checks in RFC function from BASIS module. Update is available in SAP Note 1657891. Criticality, according to CVSS, is 2.3. An attacker can execute vulnerable transaction, program or RFC function remotely without authentication because authorization check is missing. It can lead to different threats from information disclosure to full system compromise.

SAP has traditionally published acknowledgements for found vulnerabilities to security researchers from DSecRG on their acknowledgement page.

It is highly recommended to patch all those issues to prevent business risks.

Advisories for those issues with technical details will be available within 3 months on ERPScan.com and also on DSecRG.com.

Exploits will be available soon in ERPScan Security Scanner and ERPScan SaaS.

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

News: DSecRG supports Project BaseCamp by releasing WAGO PLC 0-day vulnerabilities

One of the key events in SCADA and PLC security – the S4ICS symposium – took place in Miami on January, 18 to 19.

Aside from several reports and SCADA security trainings, the results of a colossal project, dedicated to research of vulnerabilities in industrial controllers, were presented to the symposium.

The project was named Project Basecamp.

The following industrial controllers were examined:

General Electric D20ME

Koyo/Direct LOGIC H4-ES

Rockwell Automation/Allen-Bradley ControlLogix

Rockwell Automation/Allen-Bradley MicroLogix

Schneider Electric Modicon Quantum

Schweitzer SEL-2032 (a communication module for relays)

The DSecRG researchers decided to support the project by their independent research and added the 750 series WAGO controller to the list. They have also published a variety of 0-day vulnerabilities for this controller and for the SCADA systems of wellintech KingSCADA and OPC Systems.NET, to draw the public attention to this problem once more.

The following links lead to the details about found vulnerabilities:

http://dsecrg.com/pages/vul/show.php?id=401
http://dsecrg.com/pages/vul/show.php?id=402
http://dsecrg.com/pages/vul/show.php?id=403
http://dsecrg.com/pages/vul/show.php?id=404
http://dsecrg.com/pages/vul/show.php?id=405
http://dsecrg.com/pages/vul/show.php?id=406
http://dsecrg.com/pages/vul/show.php?id=407

The results of the Project BaseCamp research are available here:

http://www.digitalbond.com/2012/01/19/project-basecamp-at-s4/
http://www.wired.com/threatlevel/2012/01/scada-exploits/
http://reversemode.com/downloads/logix_report_basecamp.pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary