Wednesday, April 12, 2017

High Risk 0-day Vulnerability Found in Magento eCommerce

During the security audit of Magento Community Edition, a highly popular e-commerce platform, a high risk vulnerability was discovered that could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information. The vulnerability is based around an arbitrary file upload combined with a cross-site request forgery (CSRF) vulnerability as a main attack vector.

Despite the efforts of our team in notifying the vendor on more than one occasion since November 2016, the vulnerability remains unpatched.

Full vulnerability details are published as an advisory.

Regards,
DefenseCode Team

Monday, April 10, 2017

Apache Tomcat Vulnerabilities Found Using DefenseCode ThunderScan SAST

During the source code security analysis of Apache Tomcat with DefenseCode ThunderScan SAST solution, two different security issues were discovered, ranked as medium risk.
When exploited, discovered vulnerabilities can be abused to disclose and retrieve arbitrary files on server, such as Apache Tomcat configuration file with plain text usernames and passwords or any other file which Apache Tomcat has permission to access.
Full vulnerability details are published as an advisory and include ThunderScan screenshots for better understanding of the vulnerability.
Regards,
DefenseCode Team

Thursday, April 6, 2017

BroadCom UPnP Format String Preauth Root Exploit Aftermath (Few Years Later)

Hi,

Few years ago, we have discovered a remotely exploitable preauth Format
String vulnerability in Broadcom UPnP implementation used in popular
routers.
Vendors were notified and advisory was published -
http://defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf .
Broadcom fixed the vulnerability in their UPnP implementation and some
router vendors did it also.

Vulnerability was initially discovered on Cisco Linksys (now Belkin)
WRT54GL routers, but as stated before, vulnerable UPnP implementation
was used by many vendors.
Back in the days, Cisco fixed the vulnerability, but we are not sure
about all other router vendors and models because there are too many of
them.

When we initially discovered the vulnerability, Rapid7 also discovered
various overflows in other popular UPnP implementations, and published a
paper about it.
Rapid7 document about vulnerabilities they discovered in UPnP
implementations: https://community.rapid7.com/docs/DOC-2150
When they did the research, there were approx. 15 Million devices with
vulnerable Broadcom UPnP implementation discovered on the Internet,
probably many more in the Intranets.

We have written a paper about detailed exploitation steps for now fixed
Broadcom UPnP Format String vulnerability, but never published it due to
the severity of the bug.
Now, few years later, we feel comfortable to release a full research
paper with vulnerability details and exploitation steps for discovered
Format String vulnerability.
Big issue with routers is that they are rarely updated by users with new
firmware and there could be still a lot of vulnerable routers on the
Internet and in the Intranets.

Full research paper on discovery and exploitation of the Broadcom UPnP
Format String vulnerability can be found on the following link:

http://www.defensecode.com/whitepapers/From_Zero_To_ZeroDay_Network_Devices_Exploitation.txt

Since Broadcom and vendors that use their chipsets ship fixed versions of the UPnP implementation for some time now, the vulnerability isn't a 0day for some time. 

Still, we are sure there are plenty unpatched routers out there.

Regards,
DefenseCode Team