Archive for the ‘linkedin’ Category

GFI WebMonitor Admin UI Remote Script Code Injection

Wednesday, August 25th, 2010

Today I released a security advisory regarding GFI WebMonitor. WebMonitor is a filtering and monitoring solution for web traffic, which also protects against viruses, spyware, malware and phishing scams.

During a quick security analysis of the product, I figured out a way to inject script code that will be executed automatically within the Administrator UI.

The advisory can be found here: GFIWebMonitor.txt

Added by Admin: A screenshot, where I injected an iframe into the Admin Interface… just to visualize it to GFI’s security response :)

iframe.png

Astaro Security Gateway V7 Vulnerabilities

Friday, November 28th, 2008

Some weeks ago I discovered some vulnerabilities within Astaro Security Gateway V7.

Among other features, the ASG works as a web filter to regulate employees’ web browsing activity.

Due to weak input filtering, an attacker can use the vulnerabilities to inject persistent script code, which will be executed inside the ASG’s admin console.
It is also possible to conduct cross-site scripting attacks against the web users protected by the ASG, due to an XSS vuln within the web proxy’s error message handling.

All vulnerabilities have meanwhile been fixed by the vendor. A detailed advisory will be published soon (or less soon, depending on my spare time ;) )

Multiple Vulnerabilities within MailScan Admin Interface

Friday, August 15th, 2008

Today I’m going to publish an advisory regarding MailScan from Microworld. Microworld is a vendor of Antivirus, Anti-Spyware and Anti-Spam solutions. MailScan itself is “the world’s most advanced Real-Time Antivirus and AntiSpam solution for Mailservers”… at least this is what the company claims to be on their website….

MailScan now comes with a web interface, offering web-based administration. Unfortunately the web interface is offering these services also to hackers……. I did not come across a product from a security products vendor for a long time that was as vulnerable as this one… it took me about 25 seconds to abuse the web interface to access all files on the system without authentication by the stupid old directory traversal vulnerability…..

Since this vuln seemed to be too lame to publish as a separate vulnerability, I took some more time to research the authentication and session handling…. and I was surprised again…..
there was none…. ok, to be fair I have to say… almost none…. Authentication was implemented via cookie variables “user=admin” and “IsAdmin=true” :)

There were a lot more vulns which I stopped enumerating after a time, because I got bored.
Some of them I added to the advisory, which you can find here:
mailscan.txt
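The cookie check described in this post, next to a server-verified alternative, as an added example that is not MailScan's code and not taken from the advisory. Only the cookie names `user` and `IsAdmin` come from the post; the function names, the `session` cookie, its `user|role|nonce|tag` layout and the key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed for this example: a secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def is_admin_trusting(cookie_header: str) -> bool:
    """Weak pattern from the post: the client's own claim is the decision."""
    c = SimpleCookie(cookie_header)
    return ("user" in c and c["user"].value == "admin"
            and "IsAdmin" in c and c["IsAdmin"].value == "true")


def issue_session(user: str, is_admin: bool, key: bytes = SERVER_KEY) -> str:
    """Call only after a successful login; binds the role to a server-side MAC."""
    if "|" in user:
        raise ValueError("separator character not allowed in user name")
    payload = f"{user}|{int(is_admin)}|{secrets.token_hex(16)}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"session={payload}|{tag}"


def is_admin_verified(cookie_header: str, key: bytes = SERVER_KEY) -> bool:
    """Accept the role field only if the MAC over the payload verifies."""
    c = SimpleCookie(cookie_header)
    if "session" not in c:
        return False  # bare user=/IsAdmin= cookies carry no proof of login
    payload, sep, tag = c["session"].value.rpartition("|")
    if not sep:
        return False
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # edited or forged cookie
    fields = payload.split("|")
    return len(fields) == 3 and fields[1] == "1"
```

A production design would also add an expiry and server-side revocation; the sketch covers only the point that the role must be something the client cannot assert on its own.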

BitDefender - Unauthorized Remote File Access Vulnerability

Saturday, January 19th, 2008

Today I published an advisory for the BitDefender Update Server. BitDefender is one of the larger vendors for Antivirus software.

The update server’s function is to deliver new Antivirus patterns and engine updates to the software clients. Therefore it is using the HTTP protocol and an HTTP daemon. The daemon does not require authentication and is vulnerable to the oldest vulnerability known for web servers: The directory traversal attack.

This means everyone who is able to connect to the port of the Update Server with his web browser is able to read all files on the server (at least on the same partition/drive), including Windows configuration files, password files etc., etc.

It also seems that BitDefender does not have a dedicated response team, responsible for vulnerabilities within their own products. The mail I sent to them, in order to inform them about their vulnerability, was answered by an automated mail, requesting me to register on their website in order to access their support material…… sorry guys, I don’t have time for such games…. please learn how other AV and software vendors are handling this!!!

You can find the original advisory here.

More of my humble advisories can be found on my website….

Perforce P4Web Denial Of Service through resource starvation

Tuesday, December 25th, 2007

Symantec recently published an advisory regarding a DoS vulnerability within Perforce software, which I discovered about ten months ago… Well, 6 months ago I left Symantec… but it is nice to see that I’m still bringing an added value to Symantec ;)

You can find more about the advisory here and there

Secure Computing Security Reporter

Tuesday, July 24th, 2007

Last Friday I published an advisory for Secure Computing’s Security Reporter. It is possible to bypass the authentication mechanism and to access all files on the partition. You can download the original advisory at http://www.oliverkarow.de/research/securityreporter.txt. It is also mirrored on SecurityFocus: http://www.securityfocus.com/bid/25027