Aggregator

Submit #426417 / VDB-281555

Los navegadores web son nuestra principal vía de acceso a Internet. Actualmente, juegan un rol crucial en las organizaciones modernas,...

A vulnerability was found in ESAFENET CDG 5. It has been declared as critical. This vulnerability affects unknown code of the file /com/esafenet/servlet/policy/PrintPolicyService.java. The manipulation of the argument policyId leads to sql injection. This vulnerability was named CVE-2024-10279. The attack can be initiated remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in ESAFENET CDG 5. It has been classified as critical. This affects an unknown part of the file /com/esafenet/servlet/user/ReUserOrganiseService.java. The manipulation of the argument userId leads to sql injection. This vulnerability is uniquely identified as CVE-2024-10278. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in ESAFENET CDG 5 and classified as critical. Affected by this issue is some unknown functionality of the file /com/esafenet/servlet/ajax/UsbKeyAjax.java. The manipulation of the argument id leads to sql injection. This vulnerability is handled as CVE-2024-10277. The attack may be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #423832 / VDB-281554

Submit #423831 / VDB-281553

Submit #423830 / VDB-281552

A vulnerability has been found in Tektronix Sentry 6.0.9 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /?page=reports of the component Reports Page. The manipulation of the argument z leads to cross site scripting. This vulnerability is known as CVE-2024-10276. The attack can be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

Полицейский оказался клиентом крупнейшего хакерского рынка.

Submit #423695 / VDB-281551

A vulnerability, which was classified as critical, was found in Linux Kernel up to 6.6.57/6.11.4. Affected is the function mremap. The manipulation leads to memory corruption. This vulnerability is traded as CVE-2024-50066. The attack needs to be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

Submit #423495 / VDB-123782

新闻速览 •美国海关执法局间谍软件合同被叫停，将接受白宫审查 •澳大利亚发布首份商业AI产品使用隐私指南 •北 […]

在当今数字化时代，工业安全靶场正逐渐成为网络安全领域的一大热点。从默默无闻到备受关注，靶场的发展尚有许多难题要 […]

尽管企业服务数据库公司Crunchbase的数据显示，2024年第三季度，网络安全初创公司的风险投资下降了51 […]

新闻速览 •国家网络安全通报中心风险提示：重点防范境外恶意网址和恶意IP •国家数据局就《可信数据空间发展行动 […]

A vulnerability was found in Juniper Junos 8.5/9.0 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2009-3485. The attack may be initiated remotely. Furthermore, there is an exploit available.

1. 基本介绍1.1 概要

通用即插即用（英语：Universal Plug and Play，简称UPnP）是由“通用即插即用论坛”（UPnP™ Forum）推广的一套网络协议。该协议的目标是使家庭网络（数据共享、通信和娱乐）和公司网络中的各种设备能够相互无缝连接，并简化相关网络的实现。UPnP通过定义和发布基于开放、因特网通讯网协议标准的UPnP设备控制协议来实现这一目标。

1.2 结构组成

• 设备 - UPNP规范中的最基本单元。代表一个物理设备或包含多个物理设备的逻辑设备。
• 服务 - UPNP规范中的最小控制单元。代表设备提供的服务及调用API接口。
• 控制点 - UPNP所在网络的其他网络中UPNP设备。

1.3 协议过程

• 发现 - 简单发现服务
• 描述 - 通过远程访问URL，XML文件格式显示服务相关信息
• 控制 - 控制信息使用SOAP协议，XML文件格式显示。

2. 安全风险

UPnP由于设计上的缺陷而产生的漏洞，这些其中大多数漏洞是由于服务配置错误或实施不当造成的。

• 路由器设备作为代理，对内网进行渗透测试
• 开启端口映射，访问内部计算机

3. 威胁分析3.1 获得服务控制协议文档(SCPD)(1) 部分开启服务 - 1

(2) 部分开启服务 - 2

开启服务汇总

<serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1serviceType>
<serviceId>urn:upnp-org:serviceId:L3Forwarding1serviceId>
<SCPDURL>/L3F.xmlSCPDURL>
<controlURL>/ctl/L3FcontrolURL>
<eventSubURL>/evt/L3FeventSubURL>

<serviceType>urn:schemas-upnp-org:service:DeviceProtection:1serviceType>
<serviceId>urn:upnp-org:serviceId:DeviceProtection1serviceId>
<SCPDURL>/DP.xmlSCPDURL>
<controlURL>/ctl/DPcontrolURL>
<eventSubURL>/evt/DPeventSubURL>

<serviceType>urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1serviceType>
<serviceId>urn:upnp-org:serviceId:WANCommonIFC1serviceId>
<SCPDURL>/WANCfg.xmlSCPDURL>
<controlURL>/ctl/CmnIfCfgcontrolURL>
<eventSubURL>/evt/CmnIfCfgeventSubURL>

<serviceType>urn:schemas-upnp-org:service:WANIPConnection:2serviceType>
<serviceId>urn:upnp-org:serviceId:WANIPConn1serviceId>
<SCPDURL>/WANIPCn.xmlSCPDURL>
<controlURL>/ctl/IPConncontrolURL>
<eventSubURL>/evt/IPConneventSubURL>

<serviceType>urn:schemas-upnp-org:service:WANIPv6FirewallControl:1serviceType>
<serviceId>urn:upnp-org:serviceId:WANIPv6Firewall1serviceId>
<SCPDURL>/WANIP6FC.xmlSCPDURL>
<controlURL>/ctl/IP6FCtlcontrolURL>
<eventSubURL>/evt/IP6FCtleventSubURL

ControlURL是与特定服务进行通信的SOAP端点（实质上，该URL的GET / POST将触发操作）。

3.2 服务操作(SOAP)

假若路由器设备SOAP API暴露，我们就可以对设备进行操作，从而绕过防护。

(1) 直接访问控制

查看具体服务参数及对应接口

(2) 端口映射操作

Miranda是Kali提供的一款基于Python语言的UPNP客户端工具。它可以用来发现、查询和操作UPNP设备，尤其是网关设置。当路由器开启UPNP功能，存在相应的漏洞，就可以通过Miranda进行渗透和控制。https://github.com/kimocoder/miranda

优势 - 无需认证

• 将路由器80端口映射在外网端口8443

$ upnp> host send 0 WANConnectionDevice WANIPConnection AddPortMapping

• 获取设备端口映射列表

• 查看后端端口映射是否添加成功

• 查看映射是否成功

4. 安全风险

①代理跳板：黑客可以利用路由器的某些服务接管路由器的设备权限。②内网渗透：边界设备开启UPNP没有做好鉴权处理，会导致攻击者通过该服务队内部网络进行内部渗透。

5. UPNP攻击面

• 通过SCPD获取服务控制协议文档，查看可利用服务。
• 通过SOAP进行可利用服务操作，获取设备相关敏感信息及相应权限。

总结

UPNP协议通过端口转发和映射等功能，简化网络设备的安全配置，提供更方便的用户体验的同时，也带来不小的安全威胁。这就需要管理者花时间去研究如何调整UPnP的设置，而不是通过部署或优化其他安全组件，来提高其所处网络的整体安全态势。

A vulnerability, which was classified as critical, has been found in David Paleino WICD. This issue affects the function SetWiredProperty. The manipulation leads to improper input validation. The identification of this vulnerability is CVE-2012-2095. An attack has to be approached locally. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.