CVE-2020-0861

  • Release Date: 2020-03-10
  • Product: Microsoft Windows
  • Affected Versions: Windows RT 8.x, Windows 8, 8.1, Windows 10, Windows Server 2012, 2012 R2, 2016, 2019 (Windows 7 is also likely affected by this)
  • Vulnerability Type: Kernel Memory Disclosure
  • Discovered By: Markus Piéton

  • Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0861

An information disclosure vulnerability exists when the Windows Network Driver Interface Specification (NDIS) improperly handles memory.

What type of information could be disclosed by this vulnerability?

The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory and kernel memory - unintentional read access to memory contents in kernel space from a user mode process.

RCE in Oracle Taleo - SmartOrg

  • Release Date: 2019-01-15
  • Product: Oracle Taleo - SmartOrg
  • Vulnerability Type: Remote Code Execution
  • Discovered By: Markus Piéton of Code White GmbH

  • Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2019.html

typo3-ext-sa-2014-009

  • Title: Cross-Site Scripting in news
  • Release Date: 2014-06-03
  • Product: Typo3 “News system” (news)
  • Affected Versions: all versions below 2.3.0 of branch 2.x.x, and all versions below 3.0.0 of branch 3.x.x
  • Vulnerability Type: Cross-Site Scripting
  • Discovered By: Markus Pieton and Vytautas Paulikas

  • Vendor Advisory: https://typo3.org/article/typo3-ext-sa-2014-009

CVE-2013-0536

  • Release Date: 2013-06-12
  • Product: IBM Notes
  • Affected Versions: 8.0, 8.0.1, 8.0.2, 8.5, 8.5.1, 8.5.2, 8.5.3 before FP5, and 9.0 before IF2
  • Vulnerability Type: Elevation of Privilege
  • Discovered By: Markus Piéton

The Multi User Profile Cleanup service in IBM Notes 9.0 before IF2 (and all versions below using the service) allows an attacker to escalate their privileges during the next login session of a different user, see also SPR PJOK959J24.

Multiple Vulnerabilities in dotCMS

  • Release Date: 2014-04-21
  • Product: dotCMS
  • Affected Versions: before 2.5.4
  • Vulnerability Type: Weak Password Generation
  • Discovered By: Hans-Martin Münch & Markus Piéton of it.sec GmbH & Co. KG

  • Vendor Advisories:
    • https://dotcms.com/security/SI-17
    • https://dotcms.com/security/SI-18
    • https://dotcms.com/security/SI-19
    • https://dotcms.com/security/SI-20
    • https://dotcms.com/security/SI-21
    • https://dotcms.com/security/SI-22
    • https://dotcms.com/security/SI-23

SI-17

The vulnerabilities in the user account management allow attackers to circumvent the access controls by brute-forcing weak passwords and using default users to gain possible access to the administrative interface. The implementation of the password reset function allows an attacker to reset passwords and brute-force the newly set passwords easily without requiring access to the user’s mail address.

This includes a hidden system user that has the highest privileges.

SI-18

This vulnerability allows authenticated users to view arbitrary files on the server and execute commands on the systems as the user that is running dotCMS on the server. This potentially leads to a full compromise of the server if a high privileged user account is running the dotCMS application.

SI-19

dotCMS provides an XSS filter intended to prevent XSS vulnerabilities. This filter can be extended, either through updating the filtering regex or providing a separate filter/implementation of the filter.

dotCMS cannot block all XSS scripting from the administrative tooling or prevent customers from implementing code that does not sanitize incoming requests. Such code would hobble users from entering specific html and JavaScript code required for their specific implementations and implementations using future technologies.

SI-20

dotCMS employs a Comments feature that allows logged-in users to comment on articles and pages. Proper security checks are missing, so this feature can be misused by an attacker to post comments to the pages or use the “approve comment” function to send spam to arbitrary email addresses. Even if the comments are deactivated it is possible for an attacker to abuse the “approve comment” function to send spam to any email address.

SI-21

An attacker can use the discovered scripts to obtain information about the server and its configuration, including the internal IP address, hostname and other dotCMS configuration parameters. This can be leveraged in later attacks on the targeted system.

SI-22

Using an arbitrary URL redirect an attacker is able to send visiting clients to a web site of the attacker’s choosing. To successfully mount such an attack the attacker prepares a link to the dotCMS site that looks like an innocent link to an article. If the victim visits the link the browser gets redirected to the attacker-controlled page.

SI-23

A header injection allows an attacker to insert arbitrary HTTP headers into the server’s response. This enables an attacker to change cookie values, add additional headers or, in the case of a normal page, to insert arbitrary code that gets executed as soon as the client receives the server’s response.

Multiple LimeSurvey Vulnerabilities

  • Release Date: 2012-09-04
  • Product: LimeSurvey
  • Affected Versions: versions before 1.92
  • Vulnerability Type: SQL Injection
  • Discovered By: Markus Piéton of it.sec GmbH & Co. KG

1) Input passed via the sid parameter to admin/admin.php (when action is set to activate) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

  • PoC: https://bugs.limesurvey.org/view.php?id=6543

2) Input passed via the fixnumbering parameter to admin/admin.php (when action is set to activate and sid is set) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

  • PoC: https://bugs.limesurvey.org/view.php?id=6544

3) Input passed via the lang parameter to admin/admin.php (when action is set to previewquestion and sid and qid are set) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

  • PoC: https://bugs.limesurvey.org/view.php?id=6545

4) Input passed via the ugid parameter to admin/admin.php (when action is set to editusergroup) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

  • PoC: https://bugs.limesurvey.org/view.php?id=6546

Successful exploitation of vulnerabilities #1, #2, #3, and #4 requires Create survey permissions.

5) Input passed via the redirect parameter to index.php (when move is set to clearall and lang and sid are set) is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

  • PoC: https://bugs.limesurvey.org/view.php?id=6547
  • PoC @ Github: https://gist.github.com/3623557

6) The function to reload a saved survey is prone to XSS. At least three parameters are vulnerable.

  • Vulnerable parameters: loadname, loadpass, scid

  • PoC: https://bugs.limesurvey.org/view.php?id=6548
  • PoC @ Github: https://gist.github.com/marpie/3623601