Breaking

Multiple Vulnerabilities in UNIFY OpenScape Desk Phone CP600

We recently identified security issues in the UNIFY OpenScape Desk Phone CP600 HFA software. We disclosed the vulnerabilities to Unify, as a fix is now provided we want to give a brief overview of the vulnerability affecting the web interface.

 

We were able to identify the following vulnerabilities in the Web interface of the telephone:

 

  • Command Injection in Picture Delete function of OpenScape Desk Phone Webportal
  • Unauthenticated Arbitrary File Access in the OpenScape Desk Phone Webportal
  • Memory Corruption in the OpenScape Desk Phone Webservice
  • Missing Hardening of the OpenScape Desk Phone Webservice Binary
  • Cross Site Request Forgery Missing in the OpenScape Desk Phone Webservice

 

For this blog post we will take a look at the command injection and how we exploited it.

 

The fixed version is V1 R2.7.0. More information about the OpenScape CP Desk Phones including release notes can be found under:

Continue reading “Multiple Vulnerabilities in UNIFY OpenScape Desk Phone CP600”

Continue reading
Breaking

Analyzing yet another Smart Home device

As you have probably already recognized, some of us here at ERNW are doing research in the area of smart home technologies e.g. KNX. Recently, we took a deeper look into a device which is used to control a smart home system produced by the vendor BAB TECHNOLOGIE GmbH called “eibPort”. This device can be used to control smart home systems based on different technologies e.g. EnoCean or KNX depending on the version of the device. Continue reading “Analyzing yet another Smart Home device”

Continue reading
Breaking

Linq Injection – From Attacking Filters to Code Execution

Some of you (especially the .Net guys) might have heard of the query language Linq (Language Integrated Query) used by Microsoft .Net applications and web sites. It’s used to access data from various sources like databases, files and internal lists. It can internally transform the accessed data in application objects and provides filter mechanisms similar to SQL. As it is used directly inside the application source code, it will be processed at compile time and not interpreted at runtime. While this provides a great type safety and almost no attack surface for injection attacks (except from possible handling problems in the different backends), it is extremely difficult to implement a dynamic filter system (e.g. for datatables which should allow users to select the column to filter on). That’s probably the reason why Scott Guthrie (Executive Vice President of the Cloud and Enterprise group in Microsoft, also one of the founders of the .Net project) presented the System.Linq.Dynamic package as part of the VS-2008 samples in 2008. This library allows to build Linq queries at runtime and therefore simplify dynamic filters. But as you may know, dynamic interpretation of languages based on user input is most of the time not the best option….

Continue reading “Linq Injection – From Attacking Filters to Code Execution”

Continue reading
Breaking

DameWare Vulnerability

In course of a recent research project, I had a look at SolarWinds DameWare, which is a commercial Remote Access Software product running on Windows Server. I identified a remote file download vulnerability in the download function for the client software that can be exploited remotely and unauthenticated and that allows to download arbitrary files from the server that is running the software.

Continue reading “DameWare Vulnerability”

Continue reading
Breaking

Classic Web Vulns Found in Google Search Appliance 7.4

Google Search AppliancesHi all,

I’ve recently found some sort of classic web vulnerabilities in the Google Search Appliance (GSA) and as they are now fixed [0][1][2], I’d like to share them with you.

First of all, some infrastructure details about the GSA itself. The GSA is used by companies to apply the Google search algorithms to their internal documents without publishing them to cloud providers. To accomplish this task, the GSA provides multiple interfaces including a search interface, an administrative interface and multiple interfaces to index the organization’s data. Continue reading “Classic Web Vulns Found in Google Search Appliance 7.4”

Continue reading
Misc

Another Perspective in Vulnerability Disclosure

As you know we (as in ERNW) are quite involved when it comes to vulnerability disclosure and we’ve tried to contribute to a discussion at several occasions, such as Reflections on Vulnerability Disclosure and ERNW Newsletter 50 Vulnerability Disclosure Reflections Case Study.

In this post I want to add (yet) another perspective, motivated by a disclosure procedure which just happened recently. Continue reading “Another Perspective in Vulnerability Disclosure”

Continue reading
Breaking

Xen XSA 155: Double fetches in paravirtualized devices

As part of my research on the security of paravirtualized devices, I reported a number of vulnerabilities to the Xen security team, which were patched today. All of them are double fetch vulnerabilities affecting the different backend components used for paravirtualized devices. While the severity and impact of these bugs varies heavily and is dependent on a lot of external factors, I would recommend patching them as soon as possible. In the rest of this blog post I’ll give a short teaser about my research with full details coming out in the first quarter of 2016 .

Continue reading “Xen XSA 155: Double fetches in paravirtualized devices”

Continue reading