Category: ADVISORIES

ADVISORIES | March 2, 2021

CNJ PJeOffice Remote Code Execution in Update Mechanism

By Tiago Assumpcao & Robert Connolly

Brasil CNJ’s Processo Judicial Eletrônico (PJe) system processes judicial data with the objective of fulfilling the needs of the Brazilian Judiciary Power: the Superior, Military, Labor, and Electoral Courts; the courts of both the Federal Union and individual states; and specialized justice systems that handle ordinary law and employment tribunals at both the federal and state level.

The main goal of PJeOffice is to guarantee the legal authenticity and integrity of documents and processes through digital signatures. It is employed by lawyers, judges, and high-level officials, such as prosecutors and ministers.

The application’s update system is vulnerable to remote code execution, with two immediate implications.

Access the Advisory

ADVISORIES | June 18, 2020

Moog EXO Series Multiple Vulnerabilities

By Mario Ballano Gabriel Gonzalez Josep Pi Rodriguez & Simon Robin

Moog Inc. (Moog) offers a wide range of camera and video surveillance solutions. These can be network-based or part of more complex tracking systems. The products affected by the vulnerabilities in this security advisory are part of the EXO series, “built tough to withstand extreme temperature ranges, power surges, and heavy impacts.” These units are configurable from a web application. The operating systems running on these cameras are Unix-based.

  • ONVIF Web Service Authentication Bypass
  • Undocumented Hardcoded Credentials
  • Multiple Instances of Unauthenticated XML External Entity (XXE) Attacks
  • statusbroadcast Arbitrary Command Execution as root

Access the Advisory (PDF)

ADVISORIES |

Verint PTZ Cameras Multiple Vulnerabilities

By Mario Ballano Gabriel Gonzalez Josep Pi Rodriguez & Simon Robin

Verint Systems Inc. (Verint) sells software and hardware solutions to help its clients perform data analysis. Verint also offers IP camera systems and videos solutions. Most of these cameras are configurable from a web application. The operating systems running on these cameras are Unix-based.

  • DM Autodiscovery Service Stack Overflow
  • FTP root User Enabled
  • Undocumented Hardcoded Credentials

Access the Advisory (PDF)

ADVISORIES | May 14, 2020

GE Grid Solutions Reason RT430 GNSS Precision-Time Clock Multiple Vulnerabilities

By Ehab Hussein
GE Grid Solutions’ Reason RT430 GNSS Precision-Time Clock is referenced to GPS and GLONASS satellites. Offering a complete solution, these clocks are the universal precision time synchronization units, with an extensive number of outputs which supports many timing protocols. including the DST rules frequently used on power systems applications. In accordance with IEEE 1588 Precision Time Protocol (PTP), the RT430 is capable of providing multiple IEDs synchronization with better than 100ns time accuracy over Ethernet networks. Despite being likely to never lose time synchronization from satellites, the RT430 GNSS features a TCXO as its standard internal oscillator ensuring free-running accuracy when clock is not locked. IOActive found that the RT430’s web application exposed several shell scripts that allowed authentication to be bypassed, leading to a full compromise of the device.
Access the PDF
 
ADVISORIES | March 23, 2020

GE Reason S20 Industrial Managed Ethernet Switch Multiple Vulnerabilities

By Daniel Martinez

The S20 Ethernet Switch is a device manufactured by GE Grid Solution which is deployed in industrial environments. This device is part of ICS/SCADA architectures.

Stored XSS flaws can result in a large number of possible exploitation scenarios. With most XSS flaws, the entirety of the JavaScript language is available to the malicious user.

ADVISORIES | March 6, 2020

pppd Vulnerable to Buffer Overflow Due to a Flaw in EAP Packet Processing (CVE-2020-8597)

By Ilja van Sprundel

Due to a flaw in the Extensible Authentication Protocol (EAP) packet processing in the Point-to-Point Protocol Daemon (pppd), an unauthenticated remote attacker may be able to cause a stack buffer overflow, which may allow arbitrary code execution on the target system.

This vulnerability is due to an error in validating the size of the input before copying the supplied data into memory. As the validation of the data size is incorrect, arbitrary data can be copied into memory and cause memory corruption possibly leading to the execution of unwanted code.

ADVISORIES | January 17, 2020

Android (AOSP) Download Provider SQL Injection in Query Sort Parameter (CVE-2019-2196)

By Daniel Kachakil

A malicious application with the INTERNET permission granted could retrieve all entries from the Download Provider internal database, bypassing all currently implemented access control mechanisms, by exploiting an SQL injection in the sort parameter (ORDER BY clause) and appending a LIMIT clause, which allows expressions, including subqueries.

The information retrieved from this provider may include potentially sensitive information such as file names, descriptions, titles, paths, URLs (which may contain sensitive parameters in the query strings), cookies, custom HTTP headers, etc., for applications such as Gmail, Google Chrome, the Google Play Store, etc.

ADVISORIES |

Android (AOSP) Download Provider SQL Injection in Query Selection Parameter (CVE-2019-2198)

By Daniel Kachakil

A malicious application with the INTERNET permission granted could retrieve all entries from the Download Provider internal database, bypassing all currently implemented access control mechanisms by exploiting an SQL injection in the selection clause.

The information retrieved from this provider may include potentially sensitive information such as file names, descriptions, titles, paths, URLs (that may contain sensitive parameters in the query strings), cookies, custom HTTP headers, etc., for applications such as Gmail, Google Chrome, the Google Play Store, etc.

ADVISORIES |

Android (AOSP) TV Provider SQL Injection in Query Projection Parameter (CVE-2019-2211)

By Daniel Kachakil

A malicious application without any granted permission could retrieve all entries from the TV Provider internal database, bypassing all currently implemented access control mechanisms by exploiting an SQL injection in the projection parameter.

The information retrieved from this provider may include personal and potentially sensitive information about other installed applications and user preferences, habits, and activity, such as available channels and programs, watched programs, recorded programs, and titles in the “watch next” list.

ADVISORIES | October 24, 2019

Buffer Overflow, Cross-Site Scripting / Request Forgery, URI Injection, Insecure SSH Key Exchange in Antaira LMX-0800AG

By Alexander Bolshev & Tao Sauvage

(eight advisories in document) Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) is affected by a memory corruption vulnerability when processing cookies. An unauthenticated attacker could leverage the vulnerability to take full control over the switch.

It is also affected by a memory corruption vulnerability when processing ioIndex GET parameter values. An attacker with valid credentials for the web interface could leverage the vulnerability to take full control of the switch.

Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) is affected by a reflected cross-site scripting (XSS) vulnerability when accessing non-existent paths. An attacker could trick an operator into opening a booby-trapped link and exfiltrate the operator’s credentials or perform actions without the operator’s consent.

It is also affected by multiple cross-site request forgery (CSRF) vulnerabilities. An attacker could trick an operator to visit a malicious page that will perform actions on behalf of the victim without the victim’s knowledge or consent. The attacker could for instance change the settings of the switch or create a rogue user with admin privileges.

Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) is insecurely parsing the System Property field from incoming Link Layer Discovery Protocol (LLDP) packets. An attacker in an adjacent network could send malicious LLDP packets that will inject arbitrary clickable links on the web interface’s LLDP neighbors page, which could lead to different social engineering ruses.

It is also supporting weak SSH key exchange methods and ciphers. An attacker could leverage these weaknesses to potentially decrypt traffic or place a rogue computer between the device and the operator.

Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) is insecurely storing passwords on the device. The passwords are stored base64-encoded, which can be trivially decoded by an attacker with access to the configuration.

Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) discloses sensitive information (e.g. stack traces) in the serial console. An attacker with physical access to the device could leverage the information to help discover and develop exploits.