Ixia ATI Update 2018-21 (343766)

Defects Resolved

Ticket Info
DE10012 Fixed an issue where the SSL Evasion Profile settings "ServerCertificateFile" and "ServerKeyFile" were not set correctly.
DE10024 Fixed Strikes E18-5kzc1 and E18-0qxk1 so that they trigger the vulnerability.
DE10044 The following strikes had their direction modified to "s2c": D10-36s01, D10-37f01, D10-3mg01, D10-3yz01, D10-4z001, D10-4z101, D10-4z401, D10-5ke01, D11-4jd01, D12-34b01, D09-4yb01, D10-3dm01, D10-5kg01, D10-5kx01, D12-34r01.
DE10045 'Send Flow' action of the DCE RPC protocol and 'DCE RPC' SuperFlow were marked as deprecated.
DE10051 Fixed Transaction ID (Request and Response ID) to match for Strike D18-0nf01.
DE10053 Strike E09-4gs01 was modified to exploit a real target.

Enhancements

Ticket Info
US89556 Conditional Requests were added after each Map Response action in the 'DCE RPC MAPI Session' and 'DCE RPC MAPI with File Attachment' SuperFlows to match the IP and port from the server response. These are needed for the proxy scenario, in which the IP and port received from the proxy may differ from those configured on the BPS server side.
US89561 The cookie token can be used through the Custom Header Name and Custom Header Value UI fields.
US89887 A new parameter "Attachment Transfer-encoding" has been added to the Send Email action. It accepts one of four values: 8bit, base64, quoted-printable or uuencode. The attachment is encoded with the selected transfer encoding.

New Protocols & Applications (2)

Name Category Info
Tumblr Sep18 Social Networking/Search Tumblr (stylized as tumblr) is a microblogging and social networking website founded by David Karp in 2007, and owned by Oath Inc. The service allows users to post multimedia and other content to a short-form blog. Users can follow other users' blogs. Bloggers can also make their blogs private. For bloggers many of the website's features are accessed from a "dashboard" interface. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
Skype 8 Voice/Video/Media Skype is a telecommunications application software product that provides services like instant messaging, voice calls and video chat between computers, tablets, mobile devices, and smartwatches via the Internet and to regular telephones. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

New Super Flows (3)

Name Category Info
Tumblr Sep18 Social Networking/Search Tumblr simulation of loading the login page, signing in, viewing the dashboard, posting a text entry and uploading a photo, visiting the explore (trending) page, sharing, replying to, reblogging and liking a post, following and unfollowing a user, and finally signing out. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
Skype v8 Audio Call Voice/Video/Media Simulates a Skype v8 audio call. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.
Skype v8 IM Chat Voice/Video/Media Simulates a Skype v8 instant-messaging session. This protocol uses dynamically created flows to simulate the various internal actions performed by a modern Web browser. Because these dynamic flows may be large in number and may contain a large amount of generated data, profile creation and test initialization may require a considerable amount of time. The "Max. Request/Response Pairs per Action" and "Max. Generated File Size" flow parameters can be used to control the number and size of the interactions performed by the actions. DNS resolution is always performed for each host. Delete the DNS host from the Super Flow to disable this feature.

New Strikes (14)

CVSS ID References Category Info
9.0 E18-rumj1 CVSS-9.0 (AV:N/AC:L/AU:S/C:C/I:C/A:C)
URL
Exploits This strike exploits a remote command execution in Imperva SecureSphere Web Application Firewall. The vulnerability resides in the lack of sanitization of the 'installer-address' parameter when the server status is queried. By exploiting this flaw, an attacker is able to execute commands as the root user on the host system.
9.0 E18-5o0i1 CVE-2018-18322
CVSS-9.0 (AV:N/AC:L/AU:S/C:C/I:C/A:C)
URL
Exploits This strike exploits a remote command execution in CentOS Web Panel. The vulnerability is due to lack of parameter sanitization when executing service-related operations, with the service name passed as a GET parameter. By exploiting this vulnerability, an authenticated attacker is able to execute system commands as the root user.
9.0 E18-0pjj1 BID-105461
CVE-2018-8495
CVSS-9.0 (AV:N/AC:L/AU:S/C:C/I:C/A:C)
URL
Exploits This strike exploits a remote command execution in the Microsoft Edge browser. The vulnerability is due to lack of parameter sanitization when running an external application with a crafted hyperlink as an argument. A user who visits a malicious page can be enticed to run a malicious script with minimal interaction, allowing the attacker to execute arbitrary commands on the system.
7.6 D18-0pir1 BID-105244
CVE-2018-8467
CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C)
EXPLOITDB-45572
GOOGLE-1613
Denial This strike exploits a vulnerability in the Microsoft Edge browser. Specifically, the vulnerability exists in the Chakra JavaScript engine. It is possible to craft JavaScript that takes advantage of a missing array type-conversion check for definite objects: if a native array is processed as a definite object, type confusion can occur. This may lead to a denial of service condition in the browser, or potentially remote code execution.
7.6 D18-0piq3 BID-105243
CVE-2018-8466
CVSS-7.6 (AV:N/AC:H/AU:N/C:C/I:C/A:C)
EXPLOITDB-45571
GOOGLE-1612
Denial This strike exploits a vulnerability in the Microsoft Edge browser. Specifically, the vulnerability exists in the Chakra JavaScript engine. It is possible to bypass the check of whether a given object is an array by wrapping the object with the CrossSite class, which replaces the object's vtable. This may lead to a denial of service condition in the browser, or potentially remote code execution.
7.5 E18-0z4k1 CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
EXPLOITDB-45524
Exploits This strike exploits a SQL injection vulnerability in the Jimtawl component 2.2.7 for Joomla!. The vulnerability is due to the improper sanitization of requests sent to the application. An attacker could exploit this vulnerability by sending specially crafted requests, potentially resulting in the execution of SQL commands which may lead to information disclosure.
7.5 E18-5na91 CVE-2018-17377
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
EXPLOITDB-45468
Exploits This strike exploits a SQL injection vulnerability in the Questions component for Joomla!. The vulnerability is due to the improper sanitization of requests sent to the application. An attacker could exploit this vulnerability by sending specially crafted requests, potentially resulting in the execution of SQL commands which may lead to information disclosure.
7.5 E18-5i0y1 CVE-2018-10562
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
EXPLOITDB-44576
URL
Exploits A command injection vulnerability has been identified in Dasan GPON Home Router. The vulnerability is caused by the lack of proper input sanitization of the 'dest_host' parameter within the 'GponForm'. The vulnerability can be exploited by sending a specially crafted POST request, allowing the attacker to execute arbitrary commands on the device with root privileges.
7.5 E18-0orv1 CVE-2018-7499
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
URL
ZDI-18-525
Exploits This strike exploits a buffer overflow vulnerability in Advantech WebAccess. The vulnerability is due to lack of boundary checks while copying user-supplied data into a stack buffer within BwPSLinkZip.exe. By building a special RPC request, an attacker can cause arbitrary code execution or abnormal termination within the context of the WebAccess process.
7.5 E18-mbpx1 BID-105313
CVE-2018-15959
CVSS-7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)
SECURITYTRACKER-1041621
URL
Exploits This strike exploits a remote code execution vulnerability in the Adobe ColdFusion platform. The flaw is due to insecure deserialization in the Remote Method Invocation (RMI) server, which bundles a vulnerable version of Apache Commons BeanUtils. By exploiting an unpatched version of the application, an attacker is able to remotely execute arbitrary code with the privileges of the user running the service.
6.8 E18-0pgo1 BID-105213
CVE-2018-8392
CVSS-6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P)
URL
Exploits This strike exploits a heap-based buffer overflow vulnerability in Microsoft JET Database Engine components of Microsoft Windows. The vulnerability is due to improper handling of input passed to 'ExcelReadTotalRecord' method within the 'msexcl40.DLL' library. The vulnerability can be exploited by crafting a malicious Excel file and enticing a user to download and open it. Successful exploitation may result in execution of arbitrary code with user privileges.
5.0 E18-0jzu1 CVE-2018-1306
CVSS-5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)
EXPLOITDB-45396
URL
Exploits A file upload vulnerability was found in Apache Pluto PortletV3AnnotatedDemo. The vulnerability is due to insufficient validation of user-supplied input when the portlet performs a file-upload operation. Successful exploitation can result in arbitrary file upload and possible remote code execution in the context of the user running the web server.
5.0 E18-yu3u1 BID-104137
CVE-2018-1089
CVSS-5.0 (AV:N/AC:L/AU:N/C:N/I:N/A:P)
URL
Exploits A stack buffer overflow vulnerability has been found in Red Hat 389 Directory Server. The vulnerability is due to improper handling of 'ldapsearch' query parameters. An attacker can exploit this vulnerability by issuing a special 'ldapsearch' query, allowing arbitrary code execution in the context of the user running the 'ns-slapd' daemon. An unsuccessful attack will cause the daemon to crash.
4.3 E18-5m6i1 CVE-2018-15946
CVSS-4.3 (AV:N/AC:M/AU:N/C:P/I:N/A:N)
URL
Exploits This strike exploits an integer underflow vulnerability in Adobe Acrobat Reader. The vulnerability is due to improper parsing of an embedded font by the CoolType module. An exploit could be triggered by opening a crafted XPS document. Successful exploitation could result in information disclosure which could be used to further compromise the target system.
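Check on the scores above. The table prints each strike's CVSS v2 base vector next to its score; the example below recomputes the base score from the vector with the CVSS v2 equations so a reader can verify the listed values and catch a mis-transcribed vector. This is an added check, not part of the Ixia release note or its tooling. One caveat it handles: the note writes the authentication metric as "AU" where the CVSS v2 specification writes "Au", so the parser accepts either case.

```python
"""Recompute CVSS v2 base scores for the vectors listed in the strike table.
Added example; not Ixia/BPS code.  Metric weights and the rounding rule are
the CVSS v2 base equation."""
import math
import re

AV = {"L": 0.395, "A": 0.646, "N": 1.0}        # AccessVector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}         # AccessComplexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}        # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}       # Confidentiality/Integrity/Availability

# Case-insensitive so both "Au:S" (spec) and "AU:S" (this note) parse.
_VECTOR = re.compile(
    r"AV:([LAN])/AC:([HML])/AU:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])", re.IGNORECASE
)


def parse_vector(vector: str) -> dict:
    m = _VECTOR.fullmatch(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    av, ac, au, c, i, a = (g.upper() for g in m.groups())
    return {"AV": AV[av], "AC": AC[ac], "Au": AU[au],
            "C": CIA[c], "I": CIA[i], "A": CIA[a]}


def round1(x: float) -> float:
    """CVSS v2 'round to one decimal' is round-half-up, not Python's banker's rounding."""
    return math.floor(x * 10 + 0.5) / 10


def base_score(vector: str) -> float:
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


# Score/vector pairs exactly as printed in the strike table (one per distinct vector).
LISTED = [
    (9.0, "AV:N/AC:L/AU:S/C:C/I:C/A:C"),
    (7.6, "AV:N/AC:H/AU:N/C:C/I:C/A:C"),
    (7.5, "AV:N/AC:L/AU:N/C:P/I:P/A:P"),
    (6.8, "AV:N/AC:M/AU:N/C:P/I:P/A:P"),
    (5.0, "AV:N/AC:L/AU:N/C:P/I:N/A:N"),
    (5.0, "AV:N/AC:L/AU:N/C:N/I:N/A:P"),
    (4.3, "AV:N/AC:M/AU:N/C:P/I:N/A:N"),
]


def check_listed(pairs=LISTED) -> list:
    """Return (listed, computed, vector) triples that disagree; empty means all match."""
    return [(s, base_score(v), v) for s, v in pairs if base_score(v) != s]


if __name__ == "__main__":
    for listed, vector in LISTED:
        print(f"{vector}  listed={listed}  computed={base_score(vector)}")
    print("mismatches:", check_listed())
```

Running it confirms every listed score matches its vector. Two of the 7.5 strikes (the GPON command injection and the ColdFusion deserialization) describe root or service-level code execution but carry a C:P/I:P/A:P vector, which is how CVSS v2 was commonly scored for such issues; the vector, not the prose, is what the computed number reflects.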
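Detection example for the Dasan GPON strike above (E18-5i0y1). The note describes an unsanitized 'dest_host' parameter in a POST to 'GponForm' reaching a root shell; the code below shows what a detection or input-validation check for that shape looks like: decode the form body, then accept 'dest_host' only when it is a plain hostname or IPv4 address, and flag anything carrying shell metacharacters, including a bare newline that a naive "no semicolons" filter would miss. This is an added example, not Ixia/BPS code and not the strike itself. The sample requests are constructed here; the release note does not give the full form path, so only the 'GponForm' substring is matched and the '/GponForm' path in the samples is a placeholder.

```python
"""Flag GponForm POSTs whose dest_host is not a plain host/IP.  Added example;
not Ixia/BPS code.  Sample requests and the '/GponForm' path are constructed."""
import re
from urllib.parse import parse_qs

# Legitimate ping/traceroute targets: an RFC 1123 hostname or a dotted IPv4.
_HOST_OR_IP = re.compile(
    r"(?=.{1,253}\Z)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\Z"
)
# Characters that let a value escape a shell command line; CR/LF included
# because a newline terminates the command just as ';' does.
_SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\r\n\t ]")


def split_request(raw: bytes):
    """Parse a raw HTTP/1.x request into (method, path, form fields)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, path, _version = request_line.split(" ", 2)
    # parse_qs undoes %XX and '+' encoding, so the checks see what the device sees.
    fields = {k: v[0] for k, v in
              parse_qs(body.decode("latin-1"), keep_blank_values=True).items()}
    return method, path, fields


def classify(raw: bytes) -> str:
    """'ignore' unless a GponForm POST carries dest_host; then 'benign' for a
    plain host/IP and 'inject' for anything else."""
    method, path, fields = split_request(raw)
    if method != "POST" or "GponForm" not in path or "dest_host" not in fields:
        return "ignore"
    value = fields["dest_host"]
    if _SHELL_META.search(value) or not _HOST_OR_IP.fullmatch(value):
        return "inject"
    return "benign"


def _post(body: str) -> bytes:
    """Constructed sample request; '/GponForm' stands in for the real form path."""
    return (b"POST /GponForm HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            + f"Content-Length: {len(body)}\r\n\r\n{body}".encode("ascii"))


SAMPLES = {
    "benign_ip":   _post("dest_host=8.8.8.8"),
    "benign_host": _post("dest_host=example.com"),
    "backtick":    _post("dest_host=8.8.8.8%60busybox+id%60"),     # 8.8.8.8`busybox id`
    "semicolon":   _post("dest_host=%3Bcat+%2Fetc%2Fpasswd"),       # ;cat /etc/passwd
    "newline":     _post("dest_host=8.8.8.8%0Aid"),                 # 8.8.8.8<LF>id
    "not_gpon":    b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
}


def scan(samples=SAMPLES) -> dict:
    """Classify every sample; returns {name: verdict}."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:12s} {verdict}")
```

The allow-list check (host or IP, nothing else) is the one worth copying into firmware: it rejects the newline variant, which a deny-list of ';' and backticks does not, and it fails closed on an empty or whitespace-padded value.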