VARIoT IoT exploits database

VAR-E-200410-0228 CVE-2004-0834
Speedtouch USB Driver Local Format String Vulnerability

Related entries in the VARIoT vulnerabilities database: VAR-200412-0016
No EDB ID
Speedtouch USB Driver is prone to a locally exploitable format string vulnerability. The problem occurs due to insufficient sanitization of user-supplied data. This vulnerability may be exploited in order to have arbitrary code executed with superuser privileges.
VAR-E-200410-0148 No CVE
3Com OfficeConnect ADSL Wireless 11g Firewall Router Multiple Unspecified Vulnerabilities

No EDB ID
3Com OfficeConnect ADSL Wireless 11g Firewall Router is reported prone to multiple unspecified vulnerabilities. The following issues were reported: An unspecified issue affects the DHCP service. Another issue is related to displaying two duplicate login IPs. An unspecified denial of service vulnerability may allow remote attackers to restart the device. This issue occurs due to insufficient boundary checks performed by the application. 3Com OfficeConnect ADSL Wireless 11g Firewall Router firmware versions prior to 1.27 are vulnerable to these issues. UPDATE: It should be noted that the issue described as an error in displaying two duplicate IPs has been assigned its own BID as more information has become available. Please see '3Com OfficeConnect ADSL Wireless 11g Firewall Router Authentication Bypass Vulnerability' (BID 11438) for more information.
VAR-E-200408-0248 CVE-2004-1464
Cisco IOS Telnet Service Remote Denial of Service Vulnerability

Related entries in the VARIoT vulnerabilities database: VAR-200412-0177
No EDB ID
Cisco IOS telnet service is reported prone to a remote denial of service vulnerability. It is reported that an attacker can trigger this issue by sending a specially crafted TCP packet to a telnet or reverse telnet port of a Cisco device running IOS. All Cisco devices running IOS with a telnet or reverse telnet service are affected by this issue.
VAR-E-200408-0045 No CVE
Axis Network Camera 2.x And Video Server 1-3 - Directory Traversal - CGI webapps Exploit

EDB ID: 24401
Axis Network Camera 2.x And Video Server 1-3 - Directory Traversal. webapps exploit for CGI platform
VAR-E-200408-0044 No CVE
Axis Network Camera 2.x And Video Server 1-3 - HTTP Authentication Bypass - CGI webapps Exploit

EDB ID: 24402
Axis Network Camera 2.x And Video Server 1-3 - HTTP Authentication Bypass. webapps exploit for CGI platform
VAR-E-200408-0043 CVE-2004-2425
Axis Network Camera 2.x And Video Server 1-3 - 'virtualinput.cgi' Arbitrary Command Execution - CGI webapps Exploit

Related entries in the VARIoT vulnerabilities database: VAR-200412-0391
EDB ID: 24400
Axis Network Camera 2.x And Video Server 1-3 - 'virtualinput.cgi' Arbitrary Command Execution. CVE-2004-2425, CVE-9121. webapps exploit for CGI platform
VAR-E-200408-0035 No CVE
Cisco IOS OSPF Remote Denial Of Service Vulnerability

No EDB ID
Cisco IOS is reported prone to a remote denial of service vulnerability. It is reported that the vulnerability manifests when a malformed Open Shortest Path First (OSPF) packet is handled by the vulnerable router. A remote attacker may exploit this condition in multiple routers that reside on the same network segment as the attacker, to trigger a device reset. The attacker may continuously transmit malicious OSPF packets to the target routers in order to effectively deny network services to legitimate hosts.
VAR-E-200407-0196 CVE-2004-0699
Check Point VPN-1 ASN.1 Buffer Overflow Vulnerability

Related entries in the VARIoT vulnerabilities database: VAR-200409-0025
No EDB ID
A remote buffer overflow vulnerability is reported in Check Point VPN-1 that may allow a remote attacker to execute arbitrary code in order to gain unauthorized access. This issue results from insufficient boundary checks performed by the application when processing user-supplied data. This overflow occurs during the initial key exchange process, and can be triggered with a single UDP packet. Since ISAKMP uses the UDP transport, a spoofed source address can be used in an attack. Check Point reports that for a single packet attack to succeed, VPN-1 must be configured for aggressive mode key exchange. Without aggressive mode, an attacker must initiate a real key negotiation session. This vulnerability can lead to remote code execution in the context of the VPN-1 process. This can lead to a complete system compromise. Check Point has released an advisory and fixes for this issue.
VAR-E-200406-0043 CVE-2004-0493
Apache - Arbitrary Long HTTP Headers Denial of Service (C) - Linux dos Exploit

EDB ID: 371
Apache - Arbitrary Long HTTP Headers Denial of Service (C). CVE-7269, CVE-2004-0493. dos exploit for Linux platform
VAR-E-200406-0084 CVE-2004-0589
Cisco IOS Border Gateway Protocol Denial Of Service Vulnerability

Related entries in the VARIoT vulnerabilities database: VAR-200408-0075
No EDB ID
The problem presents itself when an affected device handles a malformed or invalid Border Gateway Protocol (BGP) packet. While processing the offending packet, the affected device will reset. It should be noted that this issue only affects devices with BGP enabled; BGP is not enabled by default. It has been reported that this issue would be very difficult to exploit as it would require injecting malicious packets into communication between trusted peers. An attacker may exploit this issue to cause the affected device to reset, taking several minutes to become functional. It is possible to create a persistent denial of service condition by continually transmitting malformed packets to the affected device.
VAR-E-200405-0121 CVE-2004-0580
Linksys - DHCP Information Disclosure - Hardware remote Exploit

Related entries in the VARIoT vulnerabilities database: VAR-200408-0079
EDB ID: 24115
Linksys - DHCP Information Disclosure. CVE-2004-0580, CVE-6741. remote exploit for Hardware platform
VAR-E-200404-0002 CVE-2004-0230
CVE-2004-0790
CVE-2004-1060
CVE-2005-0688
CVE-2005-0048
CVE-2004-0791
CVE-2005-1649
Microsoft Windows - Malformed IP Options Denial of Service (MS05-019) - Windows dos Exploit

Related entries in the VARIoT vulnerabilities database: VAR-200505-0723, VAR-200503-0010, VAR-200504-0003, VAR-200504-0002, VAR-200404-0081, VAR-200408-0145
EDB ID: 942
Sample proof of concept exploit that demonstrates the TCP vulnerability discovered by Paul A. Watson.
VAR-E-200404-0006 CVE-2004-0230
CVE-2014-8523
Multiple Vendor - TCP Sequence Number Approximation (4) - Multiple remote Exploit

Related entries in the VARIoT vulnerabilities database: VAR-200408-0145
EDB ID: 24033
Sample proof of concept exploit that demonstrates the TCP vulnerability discovered by Paul A. Watson.
VAR-E-200404-0128 CVE-2004-0714
Cisco Internet Operating System SNMP Message Processing Denial Of Service Vulnerability

Related entries in the VARIoT vulnerabilities database: VAR-200407-0001
No EDB ID
It has been reported that the Cisco Internet Operating System (IOS) is affected by a remote SNMP message processing denial of service vulnerability. This is caused by a design error that causes memory corruption in the affected system under certain circumstances. This issue may be leveraged to cause a denial of service condition in the affected device. The denial of service is due to a corruption of memory in the affected device. As a result, there may be other consequences, such as code execution. This has not been confirmed by Cisco.
VAR-E-200404-0004 CVE-2004-0230
CVE-2014-8523
Multiple Vendor - TCP Sequence Number Approximation (3) - Multiple remote Exploit

Related entries in the VARIoT vulnerabilities database: VAR-200408-0145
EDB ID: 24032
Sample proof of concept exploit that demonstrates the TCP vulnerability discovered by Paul A. Watson.
VAR-E-200404-0001 CVE-2004-0230
CVE-2014-8523
Multiple Vendor - TCP Sequence Number Approximation (2) - Multiple remote Exploit

Related entries in the VARIoT vulnerabilities database: VAR-200408-0145
EDB ID: 24031
Sample proof of concept exploit that demonstrates the TCP vulnerability discovered by Paul A. Watson.
VAR-E-200403-0022 CVE-2004-0230
CVE-2014-8523
Multiple Vendor - TCP Sequence Number Approximation (1) - Multiple remote Exploit

Related entries in the VARIoT vulnerabilities database: VAR-200408-0145
EDB ID: 24030
Sample proof of concept exploit that demonstrates the TCP vulnerability discovered by Paul A. Watson.
VAR-E-200403-0269 CVE-2004-0171
BSD Out Of Sequence Packets Remote Denial Of Service Vulnerability

Related entries in the VARIoT vulnerabilities database: VAR-200403-0072
No EDB ID
A problem in the handling of out-of-sequence packets has been identified in BSD variants such as FreeBSD and OpenBSD. Because of this, it may be possible for remote attackers to deny service to legitimate users of vulnerable systems.
VAR-E-200312-0060 No CVE
Multiple Cisco FWSM Vulnerabilities

No EDB ID
Cisco has reported the following vulnerabilities in Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series and Cisco 7600 Series: Cisco FWSM is prone to a buffer overrun vulnerability when handling HTTP Auth data. This would most likely result in a denial of service but could also potentially allow for arbitrary code execution (though this has not been confirmed). Cisco FWSM has also been reported to be prone to denial of service attacks via SNMPv3 messages. This will cause a vulnerable device to reboot. Both of these issues have been addressed in FWSM 1.1.3 and later for affected devices.
VAR-E-200311-0086 No CVE
Traceroute Detection Security Tool Remote Format String Vulnerability

No EDB ID
A remote format string vulnerability has been discovered in the detecttr.c traceroute detection tool, initially released in Phrack magazine. The problem occurs due to erroneous usage of the syslog() function, potentially making it prone to format string attacks via malformed hostnames. Successful exploitation of this issue could allow an attacker to execute arbitrary code on a vulnerable system with the privileges of the user invoking detecttr.