Posts Tagged ‘zero science lab’

Project KoKiNo

http://liquidworm.deviantart.com/art/The-Observers-301017154

http://liquidworm.deviantart.com/art/Shoo6-301016589

Baby Gekko CMS v1.1.5c Multiple Stored Cross-Site Scripting Vulnerabilities

Baby Gekko CMS suffers from multiple stored (post-auth) XSS vulnerabilities and path disclosure issues when parsing user input passed to several parameters via the GET and POST methods. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session or disclose the full installation path of the affected CMS.

——————————————————————————–

Reflected (Non-Persistent) XSS:

1. username
2. password
3. verification_code
4. email_address
5. password_verify
6. firstname
7. lastname

Stored (Persistent) XSS:

8. groupname
9. virtual_filename
10. branch
11. contact_person
12. street
13. city
14. province
15. postal
16. country
17. tollfree
18. phone
19. fax
20. mobile
21. title
22. meta_key
23. meta_description

——————————————————————————–

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5086.php
Vendor: http://www.babygekko.com/site/news/general/baby-gekko-v1-2-0-released-with-3rd-party-independent-security-testing-performed-by-zero-science-lab.html

Themida and WinLicense Vulnerabilities

The vulnerability in Themida is caused due to a boundary error in the processing of a project file, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .TMD file. Successful exploitation may allow execution of arbitrary code.

WinLicense is prone to an unspecified memory corruption vulnerability. An attacker can exploit this issue by tricking a victim into opening a malicious XML file to execute arbitrary code and to cause denial-of-service conditions.

Advisories:

ZSL-2012-5079: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5079.php
ZSL-2012-5080: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5080.php

net4visions.com Multiple Products Multiple Vulnerabilities

The iGallery, iManager and iBrowser plugins for WYSIWYG editors such as tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor suffer from multiple vulnerabilities including: Reflected (Non-Persistent) Cross-Site Scripting, Local File Inclusion, File Disclosure and Arbitrary File Deletion.

The iManager plugin has 3 different parameters which can trigger the above-mentioned vulnerabilities: ‘d’, ‘lang’ and ‘dir’. iBrowser and iGallery use the same scripts and parameters for the corresponding issues: ‘dir’ and ‘lang’. Advisories below:

ZSL-2011-5046: iGallery Plugin v1.0.0 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5045: iManager Plugin v1.2.8 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5044: iBrowser Plugin v1.4.1 (dir) Remote Cross-Site Scripting Vulnerability
ZSL-2011-5043: iManager Plugin v1.2.8 (d) Remote Arbitrary File Deletion Vulnerability
ZSL-2011-5042: iManager Plugin v1.2.8 (lang) Local File Inclusion Vulnerability
ZSL-2011-5041: iBrowser Plugin v1.4.1 (lang) Local File Inclusion Vulnerability

TCExam Multiple Remote Vulnerabilities + Patch

TCExam below version 11.2.012 is vulnerable to multiple XSS and SQL Injection attacks. Update to version 11.2.012!

TCExam versions 11.02.009, 11.2.010 and 11.2.011 were tested.

********** Cross-Site Scripting Reflected (script name / parameter(s) / http method) **********

1. /admin/code/tce_colorpicker.php (frm, fld, tag) – GET
2. /admin/code/tce_edit_backup.php (backup_file) – POST
3. /admin/code/tce_edit_group.php (group_name, group_id) – POST
4. /admin/code/tce_edit_module.php (module_id, module_user_id) – POST
5. /admin/code/tce_edit_rating.php (test_id) – POST
6. /admin/code/tce_edit_subject.php (subject_module_id, subject_id) – POST
7. /admin/code/tce_edit_test.php (test_id) – POST
8. /admin/code/tce_filemanager.php (file) – POST
9. /admin/code/tce_select_mediafile.php (frm, fld, file) – GET, GET, POST
10. /admin/code/tce_select_users.php (new_group_id) – POST
11. /admin/code/tce_show_all_questions.php (subject_module_id) – POST
12. /admin/code/tce_show_result_user.php (test_id) – POST
13. /public/code/tce_user_change_email.php (xl_user_email) – POST
14. /public/code/tce_user_change_password.php (xl_newpassword) – POST
15. /public/code/tce_user_registration.php (xl_user_email, xl_newpassword, xl_user_birthdate) – POST

********** Cross-Site Scripting URI Based (script name) **********

1. /admin/code/index.php
2. /admin/code/tce_csv_users.php
3. /admin/code/tce_edit_answer.php
4. /admin/code/tce_edit_backup.php
5. /admin/code/tce_edit_group.php
6. /admin/code/tce_edit_module.php
7. /admin/code/tce_edit_question.php
8. /admin/code/tce_edit_rating.php
9. /admin/code/tce_edit_subject.php
10. /admin/code/tce_edit_test.php
11. /admin/code/tce_edit_user.php
12. /admin/code/tce_filemanager.php
13. /admin/code/tce_import_omr_answers.php
14. /admin/code/tce_import_xml_questions.php
15. /admin/code/tce_import_xml_users.php
16. /admin/code/tce_menu_modules.php
17. /admin/code/tce_menu_tests.php
18. /admin/code/tce_menu_users.php
19. /admin/code/tce_page_info.php
20. /admin/code/tce_select_mediafile.php
21. /admin/code/tce_select_users.php
22. /admin/code/tce_show_all_questions.php
23. /admin/code/tce_show_allresults_users.php
24. /admin/code/tce_show_online_users.php
25. /admin/code/tce_show_result_allusers.php
26. /admin/code/tce_show_result_questions.php
27. /admin/code/tce_show_result_user.php
28. /admin/code/tce_xml_users.php
29. /public/code/index.php
30. /public/code/tce_page_user.php
31. /public/code/tce_user_change_email.php
32. /public/code/tce_user_change_password.php
33. /public/code/tce_user_registration.php

********** Cross-Site Scripting in path (script name) **********

1. /admin/code
2. /public/code

********** SQL Injection (script name / parameter(s) / http method) **********

1. /admin/code/tce_edit_group.php (group_id) – POST
2. /admin/code/tce_edit_module.php (module_id, module_user_id) – POST
3. /admin/code/tce_edit_rating.php (test_id) – POST
4. /admin/code/tce_edit_subject.php (subject_module_id) – POST
5. /admin/code/tce_edit_test.php (test_id) – POST
6. /admin/code/tce_select_users.php (new_group_id) – POST
7. /admin/code/tce_show_all_questions.php (subject_module_id) – POST
8. /admin/code/tce_show_result_questions.php (orderdir, order_field) – POST, GET
9. /admin/code/tce_show_result_user.php (test_id) – POST

********** Possible Cookie Manipulation (script name / parameter(s) / http method) **********

1. /admin/code/tce_edit_group.php (group_id) – POST
2. /public/code/tce_user_registration.php (xl_user_email, xl_newpassword, xl_user_birthdate) – POST

Advisory ZSL-2011-5025: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5025.php
Advisory ZSL-2011-5026: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5026.php

Card

http://liquidworm.deviantart.com/art/Card-202856794

Native Instruments Multiple Products Multiple Vulnerabilities

Zero Science Lab has discovered multiple vulnerabilities in various products developed by Native Instruments. Upon the discoveries, we contacted the vendor to report all the issues. Their technical support was at first confused by our e-mail, thinking that we were having trouble using their software. After we explained in detail in the next e-mail about QA, security bulletins, public disclosure policy, the security industry and so on, they finally forwarded the conversation to the “corresponding” department, which we suspect does not even exist as a team that responds to these kinds of incidents. Anywayz, no one from Native Instruments showed any interest, so they have been informed of the date of public disclosure (this post).

We haven’t tested all the software packages that NI offers, but we think that the rest of the apps are vulnerable to vulns similar to the ones we found, maybe more.

Here are the advisories:

Native Instruments Service Center 2.2.5 Local Privilege Escalation Vulnerability (ZSL-2010-4981)
Native Instruments Massive 1.1.4 KSD File Handling Use-After-Free Vulnerability (ZSL-2010-4980)
Native Instruments Kontakt 4 Player NKI File Syntactic Analysis Buffer Overflow PoC (ZSL-2010-4979)
Native Instruments Reaktor 5 Player v5.5.1 Heap Memory Corruption Vulnerability (ZSL-2010-4978)
Native Instruments Traktor Pro 1.2.6 Stack-based Buffer Overflow Vulnerability (ZSL-2010-4977)
Native Instruments Kontakt 4 Player v4.1.3 Insecure Library Loading Vulnerability (ZSL-2010-4976)
Native Instruments Service Center 2.2.5 Insecure Library Loading Vulnerability (ZSL-2010-4975)
Native Instruments Reaktor 5 Player v5.5.1 Insecure Library Loading Vulnerability (ZSL-2010-4974)
Native Instruments Guitar Rig 4 Player v4.1.1 Insecure Library Loading Vulnerability (ZSL-2010-4973)

Some screenshots:

The ZSL² way.

Ref: http://liquidworm.deviantart.com/art/The-ZSL-way-182921604

Exponent CMS v0.97 Multiple Vulnerabilities

Vendor: OIC Group Inc.
Product web page: http://www.exponentcms.org
Affected version: 0.97

Summary: Open Source Content Management System (PHP+MySQL).

Desc: Exponent CMS suffers from multiple vulnerabilities:

#1. Local File Inclusion / File Disclosure Vulnerability
#2. Arbitrary File Upload / File Modify Vulnerability
#3. Reflected Cross-Site Scripting Vulnerability

(1) LFI/FD occurs when input passed through the params:
- “action”
- “expid”
- “ajax_action”
- “printerfriendly”
- “section”
- “module”
- “controller”
- “int”
- “src”
- “template”
- “page”
- “_common”

to the scripts:
- “index.php”
- “login_redirect.php”
- “mod_preview.php”
- “podcast.php”
- “popup.php”
- “rss.php”

is not properly verified before being used to include files.
This can be exploited to include files from local resources
with directory traversal attacks and URL encoded NULL bytes.

(2) AFU/E occurs due to an error in:
- “upload_fileuploadcontrol.php”
- “upload_standalone.php”
- “manifest.php”
- “delete.php”
- “edit.php”
- “manage.php”
- “rank_switch.php”
- “save.php”
- “view.php”
- “class.php”
- “deps.php”
- “delete_form.php”
- “delete_process.php”
- “search.php”
- “send_feedback.php”
- “viewday.php”
- “viewmonth.php”
- “viewweek.php”
- “testbot.php”
- “activate_bot.php”
- “deactivate_bot.php”
- “manage_bots.php”
- “run_bot.php”
- “class.php”
- “delete_board.php”
- “delete_post.php”
- “edit_board.php”
- “edit_post.php”
- “edit_rank.php”
- “monitor_all_boards.php”
- “monitor_board.php”
- “monitor_thread.php”
- “preview_post.php”
- “save_board.php”
- “save_post.php”
- “save_rank.php”
- “view_admin.php”
- “view_board.php”
- “view_rank.php”
- “view_thread.php”
- “banner_click.php”
- “ad_delete.php”
- “ad_edit.php”
- “ad_save.php”
- “af_delete.php”
- “af_edit.php”
- “af_save.php”
- “delete_article.php”
- “edit_article.php”
- “save_article.php”
- “save_submission.php”
- “submit_article.php”
- “view_article.php”
- “view_submissions.php”
- “coretasks.php”
- “htmlarea_tasks.php”
- “search_tasks.php”
- “clear_smarty_cache.php”
- “configuresite.php”
- “config_activate.php”
- “config_configuresite.php”
- “config_delete.php”
- “config_save.php”
- “examplecontent.php”
- “finish_install_extension.php”
- “gmgr_delete.php”
- “gmgr_editprofile.php”
- “gmgr_membership.php”
- “gmgr_savegroup.php”
- “gmgr_savemembers.php”

as it allows uploads of files with multiple extensions to a
folder inside the web root. This can be exploited to execute
arbitrary PHP code by uploading a specially crafted PHP script.

The uploaded files are stored in: [CMS_ROOT_HOST]\files
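The upload issue above is a name with several extensions landing inside the web root. The following handler is an added example, not Exponent's own code, of the checks that close that gap: exactly one allowlisted extension, a content check for images, a server-chosen file name, and storage outside the document root. The storage directory and the extension allowlist are assumptions.

```php
<?php
// Added example, not Exponent's code. The advisory's upload issue is a file
// with several extensions being written to a folder inside the web root. This
// handler accepts exactly one allowlisted extension, checks image content,
// picks the stored name itself and writes outside the document root.
// The storage directory and the allowlist are assumptions.
function storeUpload(array $file, $storageDir) {
    $allowed = array('jpg', 'jpeg', 'png', 'gif', 'pdf');
    if (!isset($file['tmp_name'], $file['name'])
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Split the client name on every dot: "photo.php.jpg" gives three parts
    // and is refused; only "name.ext" with a single dot passes.
    $parts = explode('.', basename($file['name']));
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }
    $ext = strtolower($parts[1]);
    if (!in_array($ext, $allowed, true)) {
        return null;
    }
    // The extension claims "image", so the bytes must parse as one.
    if ($ext !== 'pdf' && @getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Server-chosen name: nothing from the client reaches the filesystem path.
    $stored = bin2hex(openssl_random_pseudo_bytes(16)) . '.' . $ext;
    $dest = rtrim($storageDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $stored;
}

// Usage: the storage directory is a sibling of the document root (assumed
// layout), and stored files are served back through a script, not by URL.
$storedName = isset($_FILES['upload'])
    ? storeUpload($_FILES['upload'], dirname(__DIR__) . '/uploads')
    : null;
```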

(3) XSS occurs when input passed to the params:
- “u”
- “expid”
- “ajax_action”
- “ss”
- “sm”
- “url”
- “rss_url”
- “lang”
- “toolbar”
- “section”
- “section_name”
- “src”

in scripts:
- “slideshow.js.php”
- “picked_source.php”
- “magpie_debug.php”
- “magpie_simple.php”
- “magpie_slashbox.php”
- “test.php”
- “fcktoolbarconfig.js.php”
- “section_linked.php”
- “index.php”

is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script
code in a user’s browser session in context of an affected site.

Tested on: Microsoft Windows XP Professional SP3 (English)
Apache 2.2.14 (Win32)
MySQL 5.1.41
PHP 5.3.1

Vendor status: [09.10.2010] Vulnerabilities discovered.
[10.10.2010] Vendor contacted.
[13.10.2010] No reply from vendor.
[14.10.2010] Public advisory released.

Advisory ID: ZSL-2010-4969
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4969.php

Vulnerabilities discovered by: Gjoko ‘LiquidWorm’ Krstic
liquidworm gmail com
Zero Science Lab – http://www.zeroscience.mk

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4969.php

Raw analysis (hi 5 John Leitch): Log_Exponent.txt (616 KB)

Zen Cart security advisories and patches

The Zen Ventures team (http://www.zen-cart.com), in cooperation with Zero Science Lab, has released security patches to protect its users. The latest version, 1.3.9g, released on 29.09.2010, is the improved version of 1.3.9f, which contained XSS, SQLi and LFI/FD vulnerabilities.

Zero Science Lab will publish its security advisories for Zen Cart on 01.10.2010, according to its disclosure policy, which is not yet publicly available.

Ref: Analysis of several web applications

The security advisories with IDs ZSL-2010-4966 and ZSL-2010-4967, titled Zen Cart v1.3.9f Multiple Remote Vulnerabilities and Zen Cart v1.3.9f (typefilter) Local File Inclusion Vulnerability, will be officially published on the date given above.

The first threat is a stored XSS attack found almost everywhere in the administration panel. Entering or editing entries or values containing the string <script>alert(1)</script> in any category causes it to be stored and executed on every visit to that category or page by an authorized user of the panel.

The second threat is a Blind SQL Injection, also located in the administration panel (credentialed users), post-auth, in the script “option_name_manager.php” via the “option_order_by” parameter, which does not sanitise user input. This can lead to unwanted results ranging from disclosure of confidential information to full control over and manipulation of the database.

Proof of concept: http://127.0.0.1/admin/options_name_manager.php?option_page=1&option_order_by=/ [ EXPLOIT ]
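An ORDER BY column cannot be bound as a prepared-statement parameter, which is why a sort parameter such as option_order_by needs an allowlist rather than escaping. The following is an added example, not Zen Cart's code, of that pattern; the table and column names are assumptions.

```php
<?php
// Added example, not Zen Cart's code. A column name in ORDER BY cannot be
// bound as a prepared-statement parameter, so the fix for an
// option_order_by-style injection is an allowlist: the request value only
// selects among column names the application itself wrote into the query.
// Table and column names below are assumptions.
function buildOptionsQuery(array $request, $perPage = 20) {
    $columns = array(
        'id'   => 'products_options_id',
        'name' => 'products_options_name',
        'sort' => 'products_options_sort_order',
    );
    $directions = array('asc' => 'ASC', 'desc' => 'DESC');

    $col = isset($request['option_order_by']) ? $request['option_order_by'] : 'id';
    $dir = isset($request['option_order_dir']) ? strtolower($request['option_order_dir']) : 'asc';

    // A value that is not a key, such as the "/" in the advisory's proof of
    // concept, is replaced by the default rather than concatenated into SQL.
    $orderBy   = isset($columns[$col]) ? $columns[$col] : $columns['id'];
    $direction = isset($directions[$dir]) ? $directions[$dir] : 'ASC';

    // The page number is numeric and is passed as a bound integer parameter.
    $page = isset($request['option_page']) ? max(1, (int) $request['option_page']) : 1;

    return array(
        'sql' => 'SELECT products_options_id, products_options_name'
               . ' FROM products_options'
               . " ORDER BY $orderBy $direction LIMIT :offset, :limit",
        'offset' => ($page - 1) * $perPage,
        'limit'  => $perPage,
    );
}

// Usage with PDO: bind the numeric values as integers so LIMIT receives
// numbers rather than quoted strings.
function fetchOptions(PDO $db, array $request) {
    $q = buildOptionsQuery($request);
    $stmt = $db->prepare($q['sql']);
    $stmt->bindValue(':offset', $q['offset'], PDO::PARAM_INT);
    $stmt->bindValue(':limit', $q['limit'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```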

The third threat is a Local File Inclusion (LFI) or File Disclosure (FD) vulnerability which allows attackers to include arbitrary local files, or view their contents, by means of directory traversal and URL-encoded null bytes.
The vulnerable parameter “typefilter” performs no check at all when including a file:

if (isset($_GET['typefilter'])) $typefilter = $_GET['typefilter'];

Proof of concept: http://127.0.0.1/index.php?typefilter=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fboot.ini%00
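The vulnerable line above passes the raw request value on to an include. As an added example, not Zen Cart's code, the following resolver maps typefilter onto a fixed allowlist of filter files so that the request string never becomes part of a path; the filter file names and keys are assumptions.

```php
<?php
// Added example, not Zen Cart's code. The advisory's vulnerable line copies
// $_GET['typefilter'] straight into a variable that is later used in an
// include. The safe pattern below maps the request value onto a fixed
// allowlist of known filter files, so the request string never becomes part
// of a path. The filter file names and the key names are assumptions.
function typefilterFiles() {
    return array(
        'default' => 'includes/typefilters/default_filter.php',
        'music'   => 'includes/typefilters/music_filter.php',
    );
}

function resolveTypefilter(array $get, $baseDir) {
    $files = typefilterFiles();
    $key = isset($get['typefilter']) ? (string) $get['typefilter'] : 'default';
    // Any value that is not an allowlist key (the traversal string with a
    // trailing %00 in the proof of concept included) falls back to the
    // default filter instead of being used as a path.
    if (!array_key_exists($key, $files)) {
        $key = 'default';
    }
    $root = realpath($baseDir);
    $path = realpath($baseDir . '/' . $files[$key]);
    // Defence in depth: the resolved file must exist and sit under $baseDir.
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage: only the allowlisted, resolved path is ever passed to include.
$typefilterFile = resolveTypefilter($_GET, __DIR__);
if ($typefilterFile !== null) {
    include $typefilterFile;
}
```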

Advisory: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4966.php
Advisory: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4967.php

Raw logs from the analysis:
- LOG1.txt
- LOG2.txt
- LOG3_with_zc_install_folder.txt
- LOG4.txt
- LOG5.txt