RESOURCES

Disclosures | ADVISORIES | June 18, 2020

Moog EXO Series Multiple Vulnerabilities

Moog Inc. (Moog) offers a wide range of camera and video surveillance solutions. These can be network-based or part of more complex tracking systems. The products affected by the vulnerabilities in this security advisory are part of the EXO series, “built tough to withstand extreme temperature ranges, power surges, and heavy impacts.” These units are configurable from a web application. The operating systems running on these cameras are Unix-based.

Advisories in this document:
- ONVIF Web Service Authentication Bypass
- Undocumented Hardcoded Credentials
- Multiple Instances of Unauthenticated XML External Entity (XXE) Attacks
- statusbroadcast Arbitrary Command Execution
…

Mario Ballano, Gabriel Gonzalez, Josep Pi Rodriguez & Simon Robin
Disclosures | ADVISORIES |

Verint PTZ Cameras Multiple Vulnerabilities

Verint Systems Inc. (Verint) sells software and hardware solutions to help its clients perform data analysis. Verint also offers IP camera systems and video solutions. Most of these cameras are configurable from a web application. The operating systems running on these cameras are Unix-based.

Advisories in this document:
- DM Autodiscovery Service Stack Overflow
- FTP root User Enabled
- Undocumented Hardcoded Credentials

Mario Ballano, Gabriel Gonzalez, Josep Pi Rodriguez & Simon Robin
Disclosures | ADVISORIES | May 14, 2020

GE Grid Solutions Reason RT430 GNSS Precision-Time Clock Multiple Vulnerabilities

GE Grid Solutions’ Reason RT430 GNSS Precision-Time Clock is referenced to GPS and GLONASS satellites. Offering a complete solution, these clocks are universal precision time synchronization units with an extensive number of outputs that support many timing protocols, including the DST rules frequently used in power system applications. In accordance with IEEE 1588 Precision Time Protocol (PTP), the RT430 can synchronize multiple IEDs with better than 100 ns time accuracy over Ethernet networks. Despite being likely to never lose time synchronization from satellites, the RT430 GNSS features…

Ehab Hussein
Disclosures | ADVISORIES | March 6, 2020

pppd Vulnerable to Buffer Overflow Due to a Flaw in EAP Packet Processing (CVE-2020-8597)

Due to a flaw in the Extensible Authentication Protocol (EAP) packet processing in the Point-to-Point Protocol Daemon (pppd), an unauthenticated remote attacker may be able to cause a stack buffer overflow, which may allow arbitrary code execution on the target system. The vulnerability is an error in validating the size of the input before copying the supplied data into memory. Because the size check is wrong, attacker-supplied data longer than the destination buffer is copied onto the stack, corrupting memory and possibly leading to the execution of attacker-controlled code.
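To make the faulty size check concrete, the following is an added C model of the peer-name copy in pppd's EAP MD5-Challenge handling. It is not pppd's code and not part of the advisory: the 256-byte rhostname buffer, the field layout after the EAP Type byte (Value-Size, Value, Name) and the shape of the pre-fix comparison are assumptions modelled on eap.c, and the packet is constructed for the demo. The model only computes how many bytes each version of the check would copy, so the vulnerable path can be exercised without corrupting memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Size of pppd's on-stack peer-name buffer; assumed here to match
 * `char rhostname[256]` in eap.c. */
#define RHOSTNAME_SIZE 256

/* Constructed EAP MD5-Challenge payload: the bytes that follow the EAP
 * Type byte, i.e. [Value-Size][Value ...][Name ...]. Not captured traffic. */
#define DEMO_VALLEN  16
#define DEMO_NAMELEN 1000
static uint8_t demo_pkt[1 + DEMO_VALLEN + DEMO_NAMELEN];

static int build_demo_packet(void)
{
    demo_pkt[0] = DEMO_VALLEN;
    memset(demo_pkt + 1, 0x5a, DEMO_VALLEN);                /* challenge value */
    memset(demo_pkt + 1 + DEMO_VALLEN, 'A', DEMO_NAMELEN);  /* oversized peer name */
    return (int)sizeof demo_pkt;
}

/*
 * Bounds model of the peer-name copy: returns how many bytes would be
 * copied into rhostname, or -1 if the packet fails the length check that
 * both versions share. `fixed` selects the corrected comparison.
 */
static int name_copy_len(const uint8_t *inp, int len, int fixed)
{
    int vallen, trim;
    if (len < 1)
        return -1;
    vallen = inp[0];
    inp++;
    len--;
    if (vallen < 8 || vallen > len)       /* challenge must fit inside the packet */
        return -1;

    if (fixed)
        /* corrected check: compare the name length against the buffer */
        trim = (len - vallen) >= RHOSTNAME_SIZE;
    else
        /* pre-fix check (modelled): vallen <= len was just established, so this
         * is never true and the unbounded else-branch copy is always taken */
        trim = vallen >= len + RHOSTNAME_SIZE;

    return trim ? RHOSTNAME_SIZE - 1 : len - vallen;
}

/* The copy is followed by rhostname[n] = '\0', so n must stay below the size. */
static int copy_overflows(int n)
{
    return n >= RHOSTNAME_SIZE;
}

/* Hardened extraction into a caller-supplied buffer using the fixed logic. */
static int extract_peer_name(const uint8_t *inp, int len, char *out, size_t outsz)
{
    int n = name_copy_len(inp, len, 1);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    memcpy(out, inp + 1 + inp[0], (size_t)n);   /* name starts after Value-Size + Value */
    out[n] = '\0';
    return n;
}

static int demo_vulnerable_copy_len(void)
{
    int n = build_demo_packet();
    return name_copy_len(demo_pkt, n, 0);
}

static int demo_fixed_copy_len(void)
{
    int n = build_demo_packet();
    return name_copy_len(demo_pkt, n, 1);
}

static int demo_extracted_name_len(void)
{
    static char rhostname[RHOSTNAME_SIZE];
    int n = build_demo_packet();
    if (extract_peer_name(demo_pkt, n, rhostname, sizeof rhostname) < 0)
        return -1;
    return (int)strlen(rhostname);
}

int main(void)
{
    int v = demo_vulnerable_copy_len();
    int f = demo_fixed_copy_len();
    printf("pre-fix check copies %d bytes into a %d-byte buffer: %s\n",
           v, RHOSTNAME_SIZE, copy_overflows(v) ? "OVERFLOW" : "ok");
    printf("fixed check copies %d bytes: %s\n",
           f, copy_overflows(f) ? "OVERFLOW" : "ok");
    printf("hardened extraction yields a %d-byte name\n", demo_extracted_name_len());
    return 0;
}
```

The point the model makes is that the pre-fix comparison is unsatisfiable given the earlier `vallen > len` rejection, so the trimming branch is dead and the name length is bounded only by the packet length, not by the buffer.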

Ilja van Sprundel
Disclosures | ADVISORIES | January 17, 2020

Android (AOSP) Download Provider SQL Injection in Query Sort Parameter (CVE-2019-2196)

A malicious application with the INTERNET permission granted could retrieve all entries from the Download Provider internal database, bypassing all currently implemented access control mechanisms, by exploiting an SQL injection in the sort parameter (ORDER BY clause) and appending a LIMIT clause, which allows expressions, including subqueries. The information retrieved from this provider may include potentially sensitive information such as file names, descriptions, titles, paths, URLs (which may contain sensitive parameters in the query strings), cookies, custom HTTP headers, etc., for applications such as Gmail, Google Chrome, the Google Play…

Daniel Kachakil
Disclosures | ADVISORIES |

Android (AOSP) Download Provider SQL Injection in Query Selection Parameter (CVE-2019-2198)

A malicious application with the INTERNET permission granted could retrieve all entries from the Download Provider internal database, bypassing all currently implemented access control mechanisms by exploiting an SQL injection in the selection clause. The information retrieved from this provider may include potentially sensitive information such as file names, descriptions, titles, paths, URLs (that may contain sensitive parameters in the query strings), cookies, custom HTTP headers, etc., for applications such as Gmail, Google Chrome, the Google Play Store, etc.

Daniel Kachakil
Disclosures | ADVISORIES |

Android (AOSP) TV Provider SQL Injection in Query Projection Parameter (CVE-2019-2211)

A malicious application without any granted permission could retrieve all entries from the TV Provider internal database, bypassing all currently implemented access control mechanisms by exploiting an SQL injection in the projection parameter. The information retrieved from this provider may include personal and potentially sensitive information about other installed applications and user preferences, habits, and activity, such as available channels and programs, watched programs, recorded programs, and titles in the “watch next” list.

Daniel Kachakil
Disclosures | ADVISORIES | October 24, 2019

Buffer Overflow, Cross-Site Scripting / Request Forgery, URI Injection, Insecure SSH Key Exchange in Antaira LMX-0800AG

(eight advisories in document) Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) is affected by a memory corruption vulnerability when processing cookies. An unauthenticated attacker could leverage the vulnerability to take full control over the switch. It is also affected by a memory corruption vulnerability when processing ioIndex GET parameter values. An attacker with valid credentials for the web interface could leverage the vulnerability to take full control of the switch. Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) is affected by…

Alexander Bolshev & Tao Sauvage
Disclosures | ADVISORIES | June 17, 2019

Configuration Shell Escape injecting OS/IPV6 commands, and HTML Injection in LLDP Packet System Name Field Leading to Persistent Cross-site Scripting in Antaira LMX-0800AG

(two advisories in document) An authenticated malicious user with access to the web interface (with manager privileges) or via an SSH/serial connection (with enable/config privileges) can inject operating system (OS) commands into ipv6 commands, which are executed with root privileges on the switch. An unauthenticated attacker located on an adjacent network could send malicious Link Layer Discovery Protocol (LLDP) packets containing JavaScript code embedded in the System Name attribute. It should be noted that LLDP discovery is not enabled by default in firmware v2.8.

Alexander Bolshev
Disclosures | ADVISORIES | May 23, 2019

ASUS – ZenUI Launcher AppLockReceiver | AppLockProvider Exposed

(two advisories in document) A malicious application without any permission could remove applications from, and gain read and write access to, the list of locked applications configured in AppLock, thereby bypassing the security pattern the user configured to protect them.

Tao Sauvage

Arm IDA and Cross Check: Reversing the 787’s Core Network

IOActive has documented detailed attack paths and component vulnerabilities to describe the first plausible, detailed public attack paths to effectively reach the avionics network on a 787 commercial airplane from either non-critical domains, such as Passenger Information and Entertainment Services, or even external networks.




