Category Archives: Full Disclosure

CVE-2014-7292 Newtelligence dasBlog Open Redirect Vulnerability

Posted by Jing Wang on Oct 20

Exploit Title: Newtelligence dasBlog Open Redirect Vulnerability
Product: dasBlog
Vendor: Newtelligence
Vulnerable Versions: 2.3 (2.3.9074.18820), 2.2 (2.2.8279.16125), 2.1 (2.1.8102.813)
Tested Version: 2.3 (2.3.9074.18820)
Advisory Publication: OCT 15, 2014
Latest Update: OCT 15, 2014
Vulnerability Type: Open Redirect [CWE-601]
CVE Reference: CVE-2014-7292
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Credit: Wang Jing…

Re: [oss-security] CVE request: remote code execution in Android CTS

Posted by David Daynard on Oct 20

Compliance Test Suite is one portion of the process OEMs use to certify
Android builds on shipping devices. I cannot think of any instance where
the average user would run the suite (which takes several hours to do and
is a fairly complicated process:
https://source.android.com/compatibility/cts-intro.html ).
Even if someone is building Android at home, there is no reason to run CTS
on home builds. I’m not saying this file shouldn’t be…

Re: [oss-security] CVE request: remote code execution in Android CTS

Posted by Grond on Oct 20

Before trying to sweep this thing under the carpet, you might want to
ask yourself two simple questions:
Is this kind of file ever *intended* to be used as an executable script?
If the answer is “no”, then you should apply fixes.
And:
Which is more expensive? Spending a couple of hours to fix this now,
or having someone chain this together with another (unforeseeable)
bug enabling easy exploitation a few years down the road, allowing…

Re: Cyanogenmod MITM: proven, despite cyanogenmod's public denial

Posted by Jeffrey Walton on Oct 19

It's not clear to me where it's been proven. I think your post is
missing some information, like the smoking gun. (It may exist, you
just didn’t make it clear.)

If I am reading the check-in correctly, it does not look like it's a
MitM. Checking the CN to ensure a hostname match should be OK. But I
should probably read a bit more about the DistinguishedNameParser.

However, it is a policy violation of both the IETF and CA/Browser
Forums. Both…

Re: [oss-security] CVE request: remote code execution in Android CTS

Posted by Nick Kralevich on Oct 19

Nick from the Android Security team here.

In the future, please feel free to send these kinds of reports to
security () android com. Please see
http://developer.android.com/guide/faq/security.html#issue for contact
information.

Android’s Compatibility Test Suite (CTS) is an executable software
package intended to be downloaded and run from your computer. Please
see https://source.android.com/compatibility/cts-intro.html for more…

Re: CVE request: remote code execution in Android CTS

Posted by Lord Tuskington on Oct 19

I disagree with Nick Kralevich’s response. An attacker who has the ability
to locally modify an XSL file should not be able to leverage this to
achieve code execution. This crosses a trust boundary.

As for why I didn’t report this to security () android com, when Google starts
paying corporate tax instead of dodging it, I will report issues privately.

Lord Tuskington
Chief Financial Taxdodger
Google

On Sun, Oct 19, 2014 at 7:28 PM,…

Re: Cyanogenmod MITM: proven, despite cyanogenmod's public denial

Posted by Lord Tuskington on Oct 19

The exploit is the same as for this issue:

http://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577

i.e.:

It parsed the entire subject distinguished name (DN)
for the occurrence of any <CN=> substring (regardless of field).

Therefore a DN with an O field such as

O="foo,CN=www.apache.org"

and a CN of "www.evil.org", and ordered such that the O appears prior to
the CN field, would…

CVE request: remote code execution in Android CTS

Posted by Lord Tuskington on Oct 19

CTS parses api-coverage.xsl without providing the FEATURE_SECURE_PROCESSING
option. See lines 60-67 of
cts/tools/cts-api-coverage/src/com/android/cts/apicoverage/HtmlReport.java:

InputStream xsl =
    CtsApiCoverage.class.getResourceAsStream("/api-coverage.xsl");
StreamSource xslSource = new StreamSource(xsl);
// Factory is created with default settings; FEATURE_SECURE_PROCESSING is never set.
TransformerFactory factory = TransformerFactory.newInstance();
Transformer transformer = factory.newTransformer(xslSource);…