| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 4 Aug 2014 16:30:15 -0500 From: Brandon Perry <bperry.volatile@...il.com> To: Douglas Held <risk@...glasheld.net> Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>, MustLive Websecurity <mustlive@...security.com.ua> Subject: Re: [FD] XXE Injection in HP Release Control It's not an 0day, I dropped this in may. On Mon, Aug 4, 2014 at 9:39 AM, Douglas Held <risk@...glasheld.net> wrote: > Hello MustLive, > > Did you disclose this to HP? You didn't mention whether this is 0-day or > disclosed (I think you usually publish your disclosure timeline) > > Thanks > Doug > > Date: Thu, 31 Jul 2014 23:58:51 +0300 > From: "MustLive" <mustlive@...security.com.ua> > To: <submissions@...ketstormsecurity.org>, > <fulldisclosure@...lists.org> > Subject: [FD] XXE Injection in HP Release Control > Message-ID: <00ad01cfad02$4c7d8cb0$ > 9b7a6fd5@pc> > Content-Type: text/plain; format=flowed; charset="windows-1251"; > reply-type=original > > Hello! > > I'll give you additional information concerning advisory HP Release Control > Authenticated XXE Exploit (http://1337day.com/exploit/description/22267). > Three different vulnerabilities were used in this exploit for successful > attack. For my attack it's needed to use only one vulnerability (exactly > the > XXE) to conduct attacks on other web sites from target host. > > ------------------------- > Affected products: > ------------------------- > > HP Release Control 9.20.0000 Build 395 and previous versions. > > ------------------------- > Affected vendors: > ------------------------- > > Hewlett-Packard. > > ---------- > Details: > ---------- > > HP Release Control is vulnerable to XXE Injection. > > Besides standard vectors of attacks with XXE Injection vulnerabilities > (such > as local file inclusion), which are usually mentioned in advisories, XXE > Injection also allows to conduct attacks on other sites. And with using > DAVOSET (DDoS attacks via other sites execution tool) it's possible to > automate such attacks. > > I wrote about such attacks in my 2012's article "Using XML External > Entities > (XXE) for attacks on other sites" > ( > > http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-August/008481.html > ) > and 2013's "Using XXE vulnerabilities for attacks on other sites" > ( > > http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-August/008887.html > ). > As I described in my articles, XXE vulnerabilities can be used for > conducting CSRF and DoS attacks on other sites (and at using multiple web > sites it's possible to conduct DDoS attacks). And my tool DAVOSET can be > used for conducting such attacks via XXE vulnerabilities. > > Video demonstration of DAVOSET: http://www.youtube.com/watch?v=RKi35-f346I > > So all vulnerable versions of HP Release Control can be used for attacks on > other sites via XXE Injection. > > Best wishes & regards, > MustLive > Administrator of Websecurity web site > http://websecurity.com.ua > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists