lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 4 Aug 2014 16:30:15 -0500
From: Brandon Perry <bperry.volatile@...il.com>
To: Douglas Held <risk@...glasheld.net>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
	MustLive Websecurity <mustlive@...security.com.ua>
Subject: Re: [FD] XXE Injection in HP Release Control

It's not an 0day, I dropped this in may.


On Mon, Aug 4, 2014 at 9:39 AM, Douglas Held <risk@...glasheld.net> wrote:

> Hello MustLive,
>
> Did you disclose this to HP? You didn't mention whether this is 0-day or
> disclosed (I think you usually publish your disclosure timeline)
>
> Thanks
> Doug
>
> Date: Thu, 31 Jul 2014 23:58:51 +0300
> From: "MustLive" <mustlive@...security.com.ua>
> To: <submissions@...ketstormsecurity.org>,
>         <fulldisclosure@...lists.org>
> Subject: [FD] XXE Injection in HP Release Control
> Message-ID: <00ad01cfad02$4c7d8cb0$
> 9b7a6fd5@pc>
> Content-Type: text/plain; format=flowed; charset="windows-1251";
>         reply-type=original
>
> Hello!
>
> I'll give you additional information concerning advisory HP Release Control
> Authenticated XXE Exploit (http://1337day.com/exploit/description/22267).
> Three different vulnerabilities were used in this exploit for successful
> attack. For my attack it's needed to use only one vulnerability (exactly
> the
> XXE) to conduct attacks on other web sites from target host.
>
> -------------------------
> Affected products:
> -------------------------
>
> HP Release Control 9.20.0000 Build 395 and previous versions.
>
> -------------------------
> Affected vendors:
> -------------------------
>
> Hewlett-Packard.
>
> ----------
> Details:
> ----------
>
> HP Release Control is vulnerable to XXE Injection.
>
> Besides standard vectors of attacks with XXE Injection vulnerabilities
> (such
> as local file inclusion), which are usually mentioned in advisories, XXE
> Injection also allows to conduct attacks on other sites. And with using
> DAVOSET (DDoS attacks via other sites execution tool) it's possible to
> automate such attacks.
>
> I wrote about such attacks in my 2012's article "Using XML External
> Entities
> (XXE) for attacks on other sites"
> (
>
> http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-August/008481.html
> )
> and 2013's "Using XXE vulnerabilities for attacks on other sites"
> (
>
> http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-August/008887.html
> ).
> As I described in my articles, XXE vulnerabilities can be used for
> conducting CSRF and DoS attacks on other sites (and at using multiple web
> sites it's possible to conduct DDoS attacks). And my tool DAVOSET can be
> used for conducting such attacks via XXE vulnerabilities.
>
> Video demonstration of DAVOSET: http://www.youtube.com/watch?v=RKi35-f346I
>
> So all vulnerable versions of HP Release Control can be used for attacks on
> other sites via XXE Injection.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>



-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists