Wednesday, April 12, 2017

High Risk 0-day Vulnerability Found in Magento eCommerce

During the security audit of Magento Community Edition, a highly popular e-commerce platform, a high risk vulnerability was discovered that could lead to remote code execution and thus to complete system compromise, including the database containing sensitive customer information such as stored credit card numbers and other payment information. The vulnerability is based around an arbitrary file upload combined with a cross-site request forgery (CSRF) vulnerability as the main attack vector.

Despite the efforts of our team in notifying the vendor on more than one occasion since November 2016, the vulnerability remains unpatched.

Full vulnerability details are published as an advisory.

Regards,
DefenseCode Team

Monday, April 10, 2017

Apache Tomcat Vulnerabilities Found Using DefenseCode ThunderScan SAST

During the source code security analysis of Apache Tomcat with the DefenseCode ThunderScan SAST solution, two different security issues were discovered, ranked as medium risk.

When exploited, the discovered vulnerabilities can be abused to disclose and retrieve arbitrary files on the server, such as the Apache Tomcat configuration file with plain text usernames and passwords or any other file which Apache Tomcat has permission to access.

Full vulnerability details are published as an advisory and include ThunderScan screenshots for better understanding of the vulnerability.

Regards,
DefenseCode Team

Thursday, April 6, 2017

BroadCom UPnP Format String Preauth Root Exploit Aftermath (Few Years Later)

Hi,

A few years ago, we discovered a remotely exploitable preauth Format
String vulnerability in the Broadcom UPnP implementation used in popular
routers.
Vendors were notified and an advisory was published -
http://defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf .
Broadcom fixed the vulnerability in their UPnP implementation and some
router vendors did so as well.

The vulnerability was initially discovered on Cisco Linksys (now Belkin)
WRT54GL routers, but as stated before, the vulnerable UPnP implementation
was used by many vendors.
Back in the day, Cisco fixed the vulnerability, but we are not sure
about all other router vendors and models because there are too many of
them.

When we initially discovered the vulnerability, Rapid7 also discovered
various overflows in other popular UPnP implementations, and published a
paper about it.
Rapid7's document about the vulnerabilities they discovered in UPnP
implementations: https://community.rapid7.com/docs/DOC-2150
When they did the research, approx. 15 million devices with the
vulnerable Broadcom UPnP implementation were discovered on the Internet,
and probably many more on intranets.

We wrote a paper with detailed exploitation steps for the now-fixed
Broadcom UPnP Format String vulnerability, but never published it due to
the severity of the bug.
Now, a few years later, we feel comfortable releasing the full research
paper with vulnerability details and exploitation steps for the discovered
Format String vulnerability.
A big issue with routers is that users rarely update them with new
firmware, and there could still be a lot of vulnerable routers on the
Internet and on intranets.

The full research paper on the discovery and exploitation of the Broadcom
UPnP Format String vulnerability can be found at the following link:

http://www.defensecode.com/whitepapers/From_Zero_To_ZeroDay_Network_Devices_Exploitation.txt

Since Broadcom and vendors that use their chipsets have been shipping fixed versions of the UPnP implementation for some time now, the vulnerability has not been a 0day for some time.

Still, we are sure there are plenty of unpatched routers out there.

Regards,
DefenseCode Team

Tuesday, March 21, 2017

Brand New ThunderScan and Web Security Scanner

Hello,

It's been a while since our last post.
We have been working hard on improving our flagship products - ThunderScan Source Code Security Analyzer SAST and Web Security Scanner DAST solution.
We are pleased to say that there are brand new versions of both products ready for use.
Check out our website for more details: http://www.defensecode.com/.

Regards,
Leon Juranic

Wednesday, June 25, 2014

Back To The Future: Unix Wildcards Gone Wild

Hi,

We wanted to inform all major *nix distributions via our responsible
disclosure policy about this problem before posting it, because it is
highly likely that this problem could lead to local root access on many
distributions. But, since part of the research contained in this document
was mentioned in some blog entries, we are forced to release it in
full.


Download URL:
http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

Regards,
Leon Juranic

Wednesday, February 6, 2013

First public patch for Broadcom UPnP vulnerability

First public patch for Broadcom UPnP vulnerability from TP-Link.

From: http://forum.tp-link.com/showthread.php?2252-Fixed-a-critical-vulnerability-issue-related-to-UPnP

Fixed a critical vulnerability issue related to UPnP
Model : TD-W8960N
Hardware Version : V4
Following the release this week of a research paper from security firm Rapid7 describing vulnerabilities in the widely used Intel/Portable UPnP SDK and MiniUPnP SDK stacks, security researchers from DefenseCode announced that they identified a critical vulnerability in a separate UPnP stack developed by Broadcom and used in devices with Broadcom chipsets, including one device from TP-LINK, the TD-W8960N.
http://www.defensecode.com/public/De...y_Advisory.pdf
Being aware of the urgency of this issue, our R&D solved it immediately and released a beta Firmware for the customers who are worried about this problem to download.
You can find this beta Firmware here:
http://www.tp-link.com/en/support/do...rsion=V4#tbl_j
At the end of February, we will release the official FW, solving the UPnP Vulnerability of TD-W8960N.


Regards,
DefenseCode

DefenseCode Security Advisory: Cisco Linksys Remote Preauth 0day Root Exploit Follow-Up



A few weeks ago, we announced a remote preauth root access exploit for
Cisco Linksys (http://www.youtube.com/watch?v=cv-MbL7KFKE).

Vulnerability details were disclosed here:
http://www.defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf

During further research, we discovered that other router
manufacturers are also affected by the same vulnerability, since
the vulnerable Broadcom UPnP stack is used across multiple router vendors.

According to data from Rapid7, of 80 million routers discovered
during data gathering on the internet, ~15 million had Broadcom UPnP.
More info available here:
http://information.rapid7.com/upnp-webcast-video-page.html

Below is a partial list of other vulnerable router manufacturers and
models. Thanks to HD Moore of Rapid7 for the data.

Regards,
Leon Juranic
CEO
DefenseCode
http://www.defensecode.com/



3Com

    -  ADSL Wireless Router

    -  Broadcom ADSL Router

    -  Internet Gateway Device



Actiontec

    -  GT784WN

    -  xDSL Router

    -  Broadcom ADSL Router

    -  DSL Modem implementing Qwest TR-064 v1.0 specification

    -  DSL Modem implementing TR-064 v1.0 specification



Actiontec Electronics

    -  Actiontec xDSL Router

    -  Verizon ADSL Router



ADBB

    -  DSL Router



ADB Broadband

    -  ADB ADSL Router

    -  Broadcom ADSL Router



ADB Broadband S.p.A.

    -  ADB ADSL Router



ADB Broadband S.p.A

    -  HomeStation ADSL Router




ADSL2+ Router  

    -  ADSL2/2+ Modem Router

    - ADSLRouter



ALBIS

    -  Router VLR-4300-I



Allied Telesis K.K.

    -  CG-BARFX3



Alpha

    -  ADSL Router

    -  DLink ADSL Router

    -  Sky ADSL Router



Alvarion

    -  Residential Gateway



ASB

    -  ADSL Router

    -  Alcatel-EG692HW Internet Sharing Gateway

    -  ChinaTelecom E8C(EPON) Gateway

    -  Home Gateway



Askey

    -  ADSL2+ Router

    -  ADSL Router



Askey Computer Corp.

    -  Wireless ADSL2+ Router



ASUS

    -  Wireless Router



ASUSTek

    -  ASUS ADSL Router

    -  ASUS Wireless Harddisk Drive

    -  ASUS Wireless Router



ASUSTek Computer Inc.

    -  ASUS Wireless Router

    -  Residential Gateway Device

    -  WL-500gPV2

    -  WL-500gP V2

    -  WL-520GU

    -  WL700gE



BEC_8800N

    -  BEC 8800N



BEC Technologies Inc.

    -  BEC 7800TN R2

    -  Broadcom ADSL Router



Belkin

    -  ADSL Router

    -  F5D8232-4 v1000

    -  N1 ADSL Router

    -  Wireless ADSL Router

    -  BoB

    -  iiNet BoB

    -  Wireless ADSL Router



Bellmann

    -  Broadcom ADSL Router



Billion

    -  BiPAC 7700N

    -  BiPAC 7700N R2



Billion Electric Co., Ltd.

    -  ADSL2+ Firewall Router

    -  BiPAC 7800VDOX

    -  BiPAC 7800VDPX

    -  home.gateway



Billion Electric Co.,Ltd.

    -  home.gateway



Billion Electric Co, PC Range Pty Ltd.

    -  home.gateway



BM

    -  ChinaTelecom E8C(EPON) Gateway



Broadcom

    -  3G Router

    -  Actiontec GT784WN

    -  Actiontec xDSL Router

    -  ADSL2+ 11n WiFi CPE

    -  ADSL2/2+ Modem Router

    -  ADSL Router

    -  ADSL Router

    -  ChinaTelecom E8 ADSL Router

    -  D-link ADSL Router

    -  D-Link ADSL Router

    -  DLink ADSL Router

    -  D-Link DSL-2640B

    -  D-Link DSL-2641B

    -  D-Link DSL-500B

    -  DSL2740B ADSL Router

    -  DSL Router

    -  HomeStation ADSL Router

    -  PHILEAS-WORLD

    -  PTCL ADSL Router

    -  Residential Gateway Device

    -  SemIndia Systems ADSL2Plus Router

    -  STOREX

    -  WL700g

    -  Zoom ADSL Router



BT

    -  Voyager 2091

    -  Voyager 220V

    -  Voyager 2091

    -  Voyager 2110

    -  Voyager 220V

    -  Voyager 2500V



Careca

    -  HRDSL108W 108M Wireless ADSL2+ router



CATCH-TEC

    -  ADSL2/2+ Modem Router



CDC POINT S.P.A

    -  ADSL2/2+ Modem Router



ChinaTelecom

    -  ASB Home Gateway



China Telecom

    -  ChinaNet EPON Router

    -  E8C(EPON) Gateway

    -  E8C Gateway

    -  Navigator 1-2 Gateway



Cisco Systems,Inc.

    -  Cisco ADSL Router



ClearAccess

    -  Broadcom ADSL Router

    -  D-Link DSL-2730B



Comtrend

    -  AR-5383n

    -  Broadcom ADSL Router

    -  single-chip ADSL router

    -  WAP-5850g

    -  Netcomm ADSL2+/3G Wi-Fi Router



Corega

    -  CG-BARMX2

    -  CG-WLBARAGM



Danalink

    -  Dynalink ADSL Router

    -  Dynalink Wireless ADSL2+ Router



DARE

    -  DareGlobal Home Gateway



Dare

    -  Router



Dare Inc.

    -  Dare ADSL2+ Modem/Wireless Router



DCOM

    -  ADSL Router



DGT

    -  VDSL Router



Digicom

    -  ADSL Router



Digital Data Communications, Inc

    -  FBR-1461A ADSL2+ Modem Router(X.X.X.X)

    -  FBR-1461 ADSL2+ Modem Router (X.X.X.X)



DIGITUS

    -  Internet Gateway Device



DIT

    -  Gateway



D-Link

    -  ADSL MODEM



D-link

    -  ADSL Router



D-LINK

    -  ADSL Router



DLink

    -  Alpha ADSL Router



D-Link Corporation.

    -  D-Link D-LinkDSL-2640B

    -  D-Link DSL-2640B

    -  D-LinkDSL-2640B

    -  D-LinkDSL-2641B

    -  D-Link DSL-2740B

    -  D-LinkDSL-2740B

    -  D-Link DSL-2740U

    -  D-Link DSL-2741B

    -  D-LinkDSL-2741B

    -  D-Link DSL-2750B

    -  D-LinkDSL-2750B



D-Link Corporation

    -  D-Link DSL6740U

    -  DSL-2640B

    -  DSL2740B

    -  DSL-2740B

    -  DSL-2740B Adsl Router

    -  DSL-2740B Adsl Router

    -  DSL-2740U Adsl Router

    -  DSL-2741B

    -  DSL-2741B Adsl Router

    -  DSL2750B

    -  DVA-G3670B Adsl Router



Dlink

    -  ADSL router

    -  ADSL Router

    -  D-Link ADSL Router

    -  ADSL Router

    -  DLink ADSL Router

    -  ADSL Router

    -  DSL-2500U

    -  DSL-2542B

    -  DSL-2640B

    -  DSL-2640U

    -  DSL-2730B

    -  D-Link DSL-2730B

    -  DSL2730U

    -  DSL-2730U

    -  DSL-2740EL

    -  DSL2750U

    -  DSL-2750U

    -  D-Link DSL-526B

    -  DSL-526B

    -  Router

    -  D-Link VDSL Router

    -  Wireless Router

    -  DSL-2542B

    -  DSL-2640B

    -  DSL-2640BT

    -  DSL-2640U

    -  DSL-2740B

    -  DSL-526B

    -  DSL-526B

    -  DSL-526B

    -  DVA-G3672B-LTT Networks ADSL Router

    -  DVA-G3672B Networks ADSL Router



DQ

    -  ADSL Router



DQ Technology, Inc.

    -  ADSL2+ 11n WiFi CPE

    -  ADSL2+ CPE

    - DSL-2542BNetworksADSLRouter

    - DSL-2642BNetworksADSLRouter

    - DSL-2730BNetworksADSLRouter

    - DSL-2730UNetworksADSLRouter



DSL

    -  ARouter

    - DSLRouter

    -  TW ARouter



Dynalink

    -  ADSL2+ Router

    -  ADSL2+ Wireless Modem Router

    -  Wireless ADSL2+ Router



ENKOM

    -  AMIS Router



FAMNET

    -  ADSL Router



FiberHome

    -  ADSL Router

    -  Broadcom ADSL Router



Glitel

    -  Broadcom ADSL Router



gmesh

    -  ADSL Router



huaqin

    -  HGU421 Router

    -  HGU421 v3 Router



Huawei-3Com

    -  BR204+



Huawei

    -  Echolife ADSL Router

    -  EchoLife Home Gateway

    -  HG227

    -  ADSL Router

    -  Residential Gateway Device



Huawei Technologies Co., Ltd

    -  EchoLife HG520



iBall Baton

    -  150M Wireless-N ADSL2+ Router



iiNet

    -  BoB2

    -  BoBLite



Innoband

    -  DSL Router



Inteno

    -  Broadcom ADSL Router

    -  DSL Router

    -  Residential Gateway



Intercross

    -  Broadcom ADSL Router

    - InternetGatewayDevice



IskraTEL

    -  Broadcom ADSL Router



ITI Ltd.

    -  ITI ADSL2+ Modem/Wireless Router

    -  ITI Ltd.ADSL2Plus Modem/Router



KÖNIG

    -  ADSL2/2+ Modem Router

    -  ADSL2/2+ Modem Router



Kunhar Peripherals Pvt Ltd

    -  54M Wireless ADSL2+ router



LevelOne

    -  FBR-1461B



Linksys by Cisco

    -  Linksys WRT54G

    -  Linksys WRT54GL



Linksys Inc.

    -  DD-WRT Router (X.X.X.X)

    -  Linksys MA568243

    -  Linksys ma890673

    -  Linksys WRT150N

    -  Linksys WRT54GL

    -  Linksys WRT54GS-PC

    -  Linksys wrt54gs v4

    -  Linksys WRT54GS (X.X.X.X)

    -  Residential Gateway Device



Linksys

    -  Internet Gateway Device

    -  Wireless Router



MAXON

    -  Residential Gateway Device



MEDIACOM Wireless-N ADSL2+ Router

    -  ADSL2+ Router



Micronet Communications Inc.

    -  Micronet WLAN ADSL2+ Modem Router



Micro-Star International

    -  Residential Gateway Device



Minitar Corporation

    -  Residential Gateway Device



Motorola

    -  Residential Gateway Device



NB

    -  DSL-2740B



NetComm

    -  Broadcom ADSL Router



NetComm Limited

    -  NetComm ADSL2+ Router

    -  NetComm ADSL2+ Wireless Router

    -  11n Wireless ADSL2+ Router

    -  11n Wireless ADSL Router

    -  Netcomm ADSL2+/3G Wi-Fi Router

    -  ADSL2+ Router

    -  ADSL2+ Wireless Router

    -  NB6 ADSL2+ Router

    -  NB6Plus4W ADSL2+ Wireless Modem Router

    -  NB6PLUS4W Wireless ADSL2+ Router

    -  NB6W Wireless ADSL2+ Router

    -  WiFi Data and VoIP Gateway



NetComm Wireless Limited

    -  NetComm ADSL2+ Router

    -  NetComm ADSL2+ Wireless Router



Netgear

    -  Broadcom ADSL Router

    -  ADSL2+ Router

    -  ADSL Router

    -  RP614v4



Neuf Telecom

    -  Trio4



NewMedia-NET GmbH

    -  DD-WRT Router (X.X.X.X)



OPTICOM

    -  DSLink 279



Orcon

    -  Genius

    -  GeniusLite

    -  Orcon

    - P-660HN-51



PENTAGRAM

    -  home.gateway



PhoebeMicro

    -  Internet Gateway Device



Pirelli

    -  ADSL Router



Pirelli Broadband Solutions

    -  HomeStation ADSL Router



PLANET

    -  ADN-4000



Planex

    -  BLW-54CW

    -  Internet Gateway Device



QTECH

    -

    -  Broadcom ADSL Router

    -  QTECH

    -  Residential Gateway

    - ResidentialGatewayDevice



ROTAL

    -  Wireless ADSL2+ Router



Router

    -  ADSL Router

    -  Router



Sagem

    -  AFAQ DSL SHAMEL ROUTER



Sagemcom

    -  ADSL Router

    -  ADSL Router



SemIndia Systems Private Ltd.

    -  SemIndia ADSL2Plus Modem/Router



SemIndia Systems Pvt. Ltd.

    -  SemIndia Systems ADSL2Plus Modem Router

    -  SemIndia Systems ADSL2Plus Modem/Wireless Router



SIEMENS

    -  alice.box



Siemens

    -  ADSL SL2-141

    -  ADSL SL2-141-I

    -  Gigaset SE515B

    -  SL2-141-I



SimpleTech

    -  OdenShare

    -  SimpleShare



Sinus

    -  1054 DSL



SmartLink

    -  ADSL Router



Sparklan

    -  Internet Gateway Device



Speedport

    -  500V

    -  W 500V



Starbridge Networks

    -  Broadcom ADSL Router



Star-Net

    -  Broadcom ADSL Router



STAR-NET

    -  Broadcom ADSL Router



Sveasoft Inc.

    -  Residential Gateway Device



TARGA WR 500 VoIP

    -  TARGA WR 500 VoIP



Tecom

    -  DSL Router



TeleWell Oy (http://www.telewell.fi)

    -  TeleWell.gateway



Telsey

    -  ADSL Router



TELUS

    -  VSG1432



Tenda

    -  ADSL2/2+ Modem Router



Tenda/Imex

    -  W150D



Tenda/lmex

    -  ADSL2+ Ethernet Modem Router

    -  ADSL Router

    -  Gateway



TOPTRONICS

    -  ADSL Router



TP-LINK

    -  ADSL Router

    -  54M Wireless ADSL2+ router

    -  ADSL2+ Modem Router

    -  ADSL2+ Router

    -  ADSL2+ Router Modem

    -  ADSL Router

    -  Wireless ADSL2+ Modem Router

    -  Wireless ADSL2+ router

    -  Wireless ADSL2+ Router

    -  Wireless N ADSL2+ Modem Router TD-W8960N



U.S. Robotics Corporation

    -  Internet Gateway Device



U.S. Robotics

    -  USRobotics ADSL2+ Router

    -  ADSL 4 Port Router

    -  ADSL 4-Port Router

    -  USR8561



UTStarcom Inc.

    -  UTStarcom ADSL2+ Modem Router



UTstarcom Inc.

    -  UTstarcom ADSL2+ Modem/Wireless Router

    -  UTStarcom ADSL2+ Modem/Wireless Router

    - VSG1432-B101

    - VSG1435-B101



WIN

    -  eNet660S



WorldNet

    -  ADSL Router



XAVi

    -  DSL Router



Zhone Technologies.

    -  UPnP v1.0



Zhone

    -  Gateway

    -  Wireless Gateway



ZISA

    -  ADSL Router



ZTE

    -  ADSL Router

    -  Broadcom ADSL Router



ZTE Corporation

    -  ZXDSL 931 Series Device

    -  Home Gateway

    -  ZXDSL 531B



ZyXEL Communication Crop.

    -  P-870H-51A V2 UPnP

    -  P-870H-51b UPnP

    -  P-870H-53A V2 UPnP

    -  P-870HN-51b UPnP

    -  P-870HN-51D UPnP

    -  P-870HN-53b UPnP

    -  P-870HNU-51b

    -  VSG1435-B101

    -  Wireless Broadband Router

    -  ZyXEL UPnP v1.0



ZyXEL

    -  P-660HN-51

    -  P-870HN-53b

    -  P-873HNU-51B

    -  P-873HNUP-51B

    -  Qwest TR-064 v1.0

    -  VMG1312-B30A

    -  VSG1432-B101

    -  VSG1435-B101

    -  ADSL Router

    -  TR64 Router

    -  UPnP Router

    -  VDSL Router



ZYXEL

    -  ZyXEL VDSL Router

    -  xDSL Router