Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

APPLE-SA-2020-09-16-5 Xcode 12.0

18 September 2020, 5:00 pm

Posted by Apple Product Security via Fulldisclosure on Sep 18

APPLE-SA-2020-09-16-5 Xcode 12.0

Xcode 12.0 is now available and addresses the following:

IDE Device Support
Available for: macOS Mojave 10.15.4 and later
Impact: An attacker in a privileged network position may be able to
execute arbitrary code on a paired device during a debug session over
the network
Description: This issue was addressed by encrypting communications
over the network to devices running iOS 14, iPadOS 14, tvOS 14, and
watchOS…

APPLE-SA-2020-09-16-4 watchOS 7.0

18 September 2020, 5:00 pm

Posted by Apple Product Security via Fulldisclosure on Sep 18

APPLE-SA-2020-09-16-4 watchOS 7.0

watchOS 7.0 is now available and addresses the following:

Keyboard
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to leak sensitive user
information
Description: A logic issue was addressed with improved state
management.
CVE-2020-9976: Rias A. Sherzad of JAIDE GmbH in Hamburg, Germany

Phone
Available for: Apple Watch Series 3 and later
Impact: The screen lock may not…

APPLE-SA-2020-09-16-3 Safari 14.0

18 September 2020, 5:00 pm

Posted by Apple Product Security via Fulldisclosure on Sep 18

APPLE-SA-2020-09-16-3 Safari 14.0

Safari 14.0 is now available and addresses the following:

WebKit
Available for: macOS Catalina and macOS Mojave, and included in macOS
Big Sur
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2020-9948: Brendan Draper (@6r3nd4n) working with Trend Micro
Zero Day Initiative

WebKit…

APPLE-SA-2020-09-16-2 tvOS 14.0

18 September 2020, 5:00 pm

Posted by Apple Product Security via Fulldisclosure on Sep 18

APPLE-SA-2020-09-16-2 tvOS 14.0

tvOS 14.0 is now available and addresses the following:

Assets
Available for: Apple TV 4K and Apple TV HD
Impact: An attacker may be able to misuse a trust relationship to
download malicious content
Description: A trust issue was addressed by removing a legacy API.
CVE-2020-9979: CodeColorist of Ant-Financial LightYear Labs

Keyboard
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may…

Posted by Apple Product Security via Fulldisclosure on Sep 18

APPLE-SA-2020-09-16-1 iOS 14.0 and iPadOS 14.0

iOS 14.0 and iPadOS 14.0 are now available and address the following:

AppleAVD
Available for: iPhone 6s and later, iPod touch 7th generation, iPad
Air 2 and later, and iPad mini 4 and later
Impact: An application may be able to cause unexpected system
termination or write kernel memory
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2020-9958: Mohamed…

Posted by Juan Avila on Sep 18

Vendor
-------------------------------------------------
Navy Federal – (https://www.navyfederal.org/)

Product
-------------------------------------------------
Front public facing application

Credit
-------------------------------------------------
Arthrocyber
http://arthrocyber.com/research/#finding_7

David Reyes

Vulnerability Summary
-------------------------------------------------
The endpoint…

Posted by Havijoori via Fulldisclosure on Sep 18

Introduction
============
open_basedir security feature can be bypassed when Apache web server runs PHP scripts.

Proof of Concept
================
1. Set open_basedir as a security feature in php.ini file:
   open_basedir = /var/www/html:/tmp
2. Make a directory with the name of your web server's home directory inside your web server's home directory:
   mkdir -p /var/www/html/var/www/html
3. Make a symlink to a restricted…

Posted by Julien Ahrens (RCE Security) on Sep 15

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: Acronis Cyber Backup
Vendor URL: https://www.acronis.com
Type: Server-Side Request Forgery [CWE-918]
Date found: 2020-07-30
Date published: 2020-09-14
CVSSv3 Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)
CVE: CVE-2020-16171

2. CREDITS
==========
This vulnerability was discovered and…

Posted by Christian Folini on Sep 15

ModSecurity v3.0.x is affected by a Denial of Service vulnerability due to the
global matching of regular expressions. The combination of a non-anchored
regular expression and the ModSecurity “capture” action can be exploited via a
specially crafted payload.

While ModSecurity v2.x used to quit the execution of a regular expression
after the first match, ModSecurity v3.0.x silently changed the behavior to
global matching. This results in a…

Posted by Andreas Sperber on Sep 15

# Security Advisory
ARA-2020-005: Insecure Direct Object Reference (CVE-2020-15958)
## Affected Product(s) and Environment(s)
Product: 1CRM <=8.6.7, confirmed for CRBM System ENT-8.6.5, CRBM System
ENT-8.6.6 and Startup+ Edition 8.5.15
Environments: All host environments
## Security Risk
Severity: High
CVSS v3: 8.6
## Impact
Confidentiality: High
Integrity: None
Availability: None
## Exploitability
Access Vector: Network
Access Complexity: Low…

Posted by hyp3rlinx on Sep 11

[+] Title: Windows TCPIP Finger Command – C2 Channel and Bypassing Security
Software
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

Microsoft Windows TCPIP Finger Command "finger.exe" that ships with the OS,
can be used as a file…

Posted by Jason Geffner on Sep 11

CVE-2020-8152 – Elevation of Privilege in Backblaze
---------------------------------------------------

Summary
=======
Name: Elevation of Privilege in Backblaze
CVE: CVE-2020-8152
Discoverer: Jason Geffner
Vendor: Backblaze
Product: Backblaze for Windows and Backblaze for macOS
Risk: High
Discovery Date: 2020-03-13
Publication Date: 2020-09-08
Fixed Version: 7.0.0.439

Introduction
============
Per Wikipedia, Backblaze is "an online…

Posted by Jason Geffner on Sep 11

CVE-2020-8150 – Remote Code Execution as SYSTEM/root via Backblaze
------------------------------------------------------------------

Summary
=======
Name: Remote Code Execution as SYSTEM/root via Backblaze
CVE: CVE-2020-8150
Discoverer: Jason Geffner
Vendor: Backblaze
Product: Backblaze for Windows and Backblaze for macOS
Risk: Critical
Discovery Date: 2020-03-13
Publication Date: 2020-09-08
Fixed Version: 7.0.1.433 (Windows) and 7.1.0.434…

Posted by Daniel Bishtawi via Fulldisclosure on Sep 11

Hello,

We are informing you about Cross-Site Scripting Vulnerabilities in IlchCMS
2.1.37.

Information
--------------------

Advisory by Netsparker
Name: Cross-Site Scripting in IlchCMS
Affected Software: IlchCMS
Affected Versions: 2.1.37
Vendor Homepage: https://www.ilch.de/
Vulnerability Type: Cross-Site Scripting
Severity: Important
Status: Fixed
CVSS Score (3.0): 7.4 (High)
Netsparker Advisory Reference: NS-20-003

Technical Details…

Posted by Q C on Sep 11

Advisory: two vulnerabilities found in MikroTik's RouterOS

Details
=======

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: –
Credit: Qian Chen (@cq674350529) of Qihoo 360 Nirvan Team

Product Description
===================

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.

Description of vulnerabilities…