VARIoT IoT vulnerabilities database
| VAR-201906-0212 | CVE-2019-7311 | Linksys WRT1900ACS Cryptographic vulnerabilities in devices |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
An issue was discovered on Linksys WRT1900ACS 1.0.3.187766 devices. A lack of encryption in how the user login cookie (admin-auth) is stored on a victim's computer results in the admin password being discoverable by a local attacker, and usable to gain administrative access to the victim's router. The admin password is stored in base64 cleartext in an "admin-auth" cookie. An attacker sniffing the network at the time of login could acquire the router's admin password. Alternatively, gaining physical access to the victim's computer soon after an administrative login could result in compromise. The Linksys WRT1900ACS device contains a cryptographic vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Linksys WRT1900ACS is a wireless router from Linksys. In Linksys WRT1900ACS version 1.0.3.187766, there is an encryption vulnerability in the way the user login credential is stored. The vulnerability stems from incorrect use of cryptographic algorithms by the network system or product, resulting in improperly encrypted content, weak encryption, and storage of sensitive information in plain text.
| VAR-201906-1070 | CVE-2018-8047 | vtiger CRM Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via index.php?module=Contacts&view=List (app parameter). vtiger CRM contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Vtiger CRM is a customer relationship management (CRM) system based on SugarCRM, developed by the American company Vtiger. The system provides functions such as management, collection, and analysis of customer information. The vulnerability stems from the lack of correct validation of client-supplied data in the web application. An attacker could exploit this vulnerability to execute client-side code.
| VAR-201906-1271 | No CVE | SoMachine HVAC has a DLL hijacking vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
SoMachine HVAC is PLC programming software.
SoMachine HVAC has a DLL hijacking vulnerability when processing ppjs and ppjx files. Attackers can use this vulnerability to load malicious DLLs and execute malicious code.
| VAR-201906-0269 | CVE-2019-12762 | Xiaomi Mi 5s Plus Vulnerabilities related to authorization, authority, and access control in devices |
CVSS V2: 1.9 CVSS V3: 4.2 Severity: MEDIUM |
Xiaomi Mi 5s Plus devices allow attackers to trigger touchscreen anomalies via a radio signal between 198 kHz and 203 kHz, as demonstrated by a transmitter and antenna hidden just beneath the surface of a coffee-shop table, aka Ghost Touch. Xiaomi Mi 5s Plus devices have a vulnerability related to authorization, permissions, and access control. Information may be tampered with. Xiaomi Mi 5s Plus is a smartphone from China's Xiaomi Technology (Xiaomi).
There is a security hole in Xiaomi Mi 5s Plus. Attackers can use a wireless signal between 198 kHz and 203 kHz to exploit this vulnerability and cause anomalies in the touch screen.
| VAR-201906-0397 | CVE-2019-6451 | SOYAL AR-727H and AR-829Ev5 Authentication vulnerabilities in devices |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
On SOYAL AR-727H and AR-829Ev5 devices, all CGI programs allow unauthenticated POST access. The SOYAL AR-727H and AR-829Ev5 devices contain an authentication vulnerability. Information may be tampered with. SOYAL AR-727H and SOYAL AR-829E are both display-type access controllers produced by the Taiwanese company SOYAL. Authorization vulnerabilities exist in SOYAL AR-727H and AR-829E. This vulnerability stems from the lack of authentication measures or insufficient authentication strength in the network system or product.
| VAR-201906-0289 | CVE-2019-1880 | Cisco Unified Computing System C-Series Rack Server Vulnerabilities related to insufficient validation of data reliability |
CVSS V2: 2.1 CVSS V3: 4.4 Severity: MEDIUM |
A vulnerability in the BIOS upgrade utility of Cisco Unified Computing System (UCS) C-Series Rack Servers could allow an authenticated, local attacker to install compromised BIOS firmware on an affected device. The vulnerability is due to insufficient validation of the firmware image file. An attacker could exploit this vulnerability by executing the BIOS upgrade utility with a specific set of options. A successful exploit could allow the attacker to bypass the firmware signature-verification process and install compromised BIOS firmware on an affected device. The Cisco Unified Computing System (UCS) C-Series Rack Server contains a vulnerability related to insufficient validation of data reliability. Information may be tampered with. Cisco Unified Computing System Central Software is prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions.
This issue is being tracked by Cisco Bug IDs CSCvp12824 and CSCvp12840.
| VAR-201906-0215 | CVE-2019-7225 | ABB HMI Vulnerability in using hard-coded credentials in components |
CVSS V2: 5.8 CVSS V3: 8.8 Severity: HIGH |
The ABB HMI components implement hidden administrative accounts that are used during the provisioning phase of the HMI interface. These credentials allow the provisioning tool "Panel Builder 600" to flash a new interface and Tags (MODBUS coils) mapping to the HMI. These credentials are the idal123 password for the IdalMaster account, and the exor password for the exor account. These credentials are used over both HTTP(S) and FTP. There is no option to disable or change these undocumented credentials. An attacker can use these credentials to login to ABB HMI to read/write HMI configuration files and also to reset the device. This affects ABB CP635 HMI, CP600 HMIClient, Panel Builder 600, IDAL FTP server, IDAL HTTP server, and multiple other HMI components. The ABB HMI component contains a vulnerability involving the use of hard-coded credentials. Information may be acquired, information may be falsified, and a denial of service (DoS) may result. ABB PB610 is software designed by ABB of Switzerland for building the graphical user interface of the CP600 control panel platform. Multiple ABB Products are prone to a hard-coded credentials vulnerability.
An attacker can exploit this issue to gain unauthorized access to the affected application, obtain sensitive information, cause denial-of-service conditions or execute arbitrary code on the affected system. The following products and versions are affected: ABB CP620 with firmware version 1.76 and earlier; ABB CP620-Web with firmware version 1.76 and earlier; ABB CP630 with firmware version 1.76 and earlier; ABB CP630-Web with firmware version 1.76 and earlier; ABB CP635 with firmware version 1.76 and earlier; ABB CP635-B with firmware version 1.76 and earlier; ABB CP635-Web with firmware version 1.76 and earlier; ABB PB610 with firmware version 1.91 to 2.8.0.3674; ABB CP651-Web with firmware version 1.76 and earlier; ABB CP661 with firmware version 1.76 and earlier; ABB CP661-Web with firmware version 1.76 and earlier; ABB CP665-Web with firmware version 1.76 and earlier; ABB CP665 with firmware version 1.76 and earlier; ABB CP676-Web with firmware version 1.76 and earlier; ABB CP676 with firmware version 1.76 and earlier; ABB CP651 with firmware version 1.76 and earlier. Combining these actions can push malicious configuration and HMI code to the device.
Affected systems
----------------
CP620, order code: 1SAP520100R0001, revision index G1 with BSP UN31 V1.76 and prior
CP620, order code: 1SAP520100R4001, revision index G1 with BSP UN31 V1.76 and prior
CP620-WEB, order code: 1SAP520200R0001, revision index G1 with BSP UN31 V1.76 and prior
CP630, order code: 1SAP530100R0001, revision index G1 with BSP UN31 V1.76 and prior
CP630-WEB, order code: 1SAP530200R0001, revision index G1 with BSP UN31 V1.76 and prior
CP635, order code: 1SAP535100R0001, revision index G1 with BSP UN31 V1.76 and prior
CP635, order code: 1SAP535100R5001, revision index G1 with BSP UN31 V1.76 and prior
CP635-B, order code: 1SAP535100R2001, revision index G1 with BSP UN31 V1.76 and prior
CP635-WEB, order code: 1SAP535200R0001, revision index G1 with BSP UN31 V1.76 and prior
PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 ... 2.8.0.3674
CP651, order code: 1SAP551100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP651-WEB, order code: 1SAP551200R0001, revision index A0 with BSP UN30 V1.76 and prior
CP661, order code: 1SAP561100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP661-WEB, order code: 1SAP561200R0001, revision index A0 with BSP UN30 V1.76 and prior
CP665, order code: 1SAP565100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP665-WEB, order code: 1SAP565200R0001, revision index A0 with BSP UN30 V1.76 and prior
CP676, order code: 1SAP576100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP676-WEB, order code: 1SAP576200R0001, revision index A0 with BSP UN30 V1.76 and prior
Solution
--------
Apply the patches or changes recommended by the vendor in their vulnerability advisories:
- ABB CP635 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch
- ABB PB610 - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch
- ABB CP651 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=Launch
Disclosure timeline
-------------------
04/02/2019 - Contacted ABB requesting disclosure coordination
05/02/2019 - Provided vulnerability details
05/06/2019 - Patch available
17/06/2019 - xen1thLabs public disclosure
| VAR-201906-0681 | CVE-2019-1842 | Cisco IOS XR Authorization vulnerabilities in software |
CVSS V2: 5.5 CVSS V3: 5.4 Severity: MEDIUM |
A vulnerability in the Secure Shell (SSH) authentication function of Cisco IOS XR Software could allow an authenticated, remote attacker to successfully log in to an affected device using two distinct usernames. The vulnerability is due to a logic error that may occur when certain sequences of actions are processed during an SSH login event on the affected device. An attacker could exploit this vulnerability by initiating an SSH session to the device with a specific sequence that presents the two usernames. A successful exploit could result in logging data misrepresentation, user enumeration, or, in certain circumstances, a command authorization bypass. See the Details section for more information. There is an authorization vulnerability in Cisco IOS XR Software. Information may be obtained and information may be altered.
An attacker can exploit this issue to gain unauthorized access, perform unintended actions and cause denial-of-service conditions. This may lead to further attacks.
This issue is being tracked by Cisco Bug ID CSCvo03672. This vulnerability stems from the lack of authentication measures or insufficient authentication strength in the network system or product.
| VAR-201906-0683 | CVE-2019-1845 | Multiple Cisco products: Vulnerability related to input validation |
CVSS V2: 5.0 CVSS V3: 8.6 Severity: HIGH |
A vulnerability in the authentication service of the Cisco Unified Communications Manager IM and Presence (Unified CM IM&P) Service, Cisco TelePresence Video Communication Server (VCS), and Cisco Expressway Series could allow an unauthenticated, remote attacker to cause a service outage for users attempting to authenticate, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient controls for specific memory operations. An attacker could exploit this vulnerability by sending a malformed Extensible Messaging and Presence Protocol (XMPP) authentication request to an affected system. A successful exploit could allow the attacker to cause an unexpected restart of the authentication service, preventing users from successfully authenticating. Exploitation of this vulnerability does not impact users who were authenticated prior to an attack. Multiple Cisco Products are prone to a denial-of-service vulnerability.
This issue is being tracked by Cisco Bug IDs CSCvn00361 and CSCvp51956. Cisco Expressway Series and the other affected products are all products of Cisco. The vulnerability stems from the failure of the network system or product to properly validate input data.
| VAR-201906-0290 | CVE-2019-1881 | Cisco Industrial Network Director Vulnerable to cross-site request forgery |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to use a web browser and the privileges of the user to perform arbitrary actions on an affected device. For more information about CSRF attacks and potential mitigations, see Understanding Cross-Site Request Forgery Threat Vectors. Cisco Industrial Network Director is prone to a cross-site request-forgery vulnerability.
This issue is being tracked by Cisco bug ID CSCvm30050. Cisco Industrial Network Director automates the management of industrial Ethernet infrastructure through visual operation. The vulnerability stems from the web application not adequately verifying that the request comes from a trusted user.
| VAR-201906-0291 | CVE-2019-1882 | Cisco Industrial Network Director Vulnerable to cross-site scripting |
CVSS V2: 3.5 CVSS V3: 5.4 Severity: MEDIUM |
A vulnerability in Cisco Industrial Network Director could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks. The vulnerability is due to improper validation of content submitted to the affected application. An attacker could exploit this vulnerability by sending requests containing malicious values to the affected system. A successful exploit could allow the attacker to conduct XSS attacks.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
This issue is being tracked by Cisco Bug ID CSCvm22833. Cisco Industrial Network Director automates the management of industrial Ethernet infrastructure through visual operation. The vulnerability stems from the lack of correct validation of client-supplied data in the web application.
| VAR-201906-0294 | CVE-2019-1868 | Cisco Webex Meetings Server Vulnerable to information disclosure |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A vulnerability in the web-based management interface of Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to access sensitive system information. The vulnerability is due to improper access control to files within the web-based management interface. An attacker could exploit this vulnerability by sending a malicious request to an affected device. A successful exploit could allow the attacker to access sensitive system information. Cisco Webex Meetings Server contains an information disclosure vulnerability. Information may be obtained.
This issue is being tracked by Cisco bug ID CSCvn76141. Cisco WebEx Meetings Server (CWMS) is a multi-functional conferencing solution within the WebEx conference product line, covering audio, video and web conferencing. This vulnerability stems from configuration errors in the network system or product during operation.
| VAR-201906-1092 | CVE-2019-10637 | Multiple Marvell SSD Controller devices: Vulnerabilities related to security functions |
CVSS V2: 2.1 CVSS V3: 4.6 Severity: MEDIUM |
Multiple Marvell SSD Controller devices contain vulnerabilities related to security functions. Information may be tampered with. Marvell SSD Controller 88SS1074 is a solid-state drive controller from Marvell. This vulnerability is due to the lack of security measures such as authentication, access control, and rights management in the network system or product. The following products and versions are affected: Marvell SSD Controller 88SS1074; 88SS1079; 88SS1080; 88SS1093; 88SS1092; 88SS1095; 88SS9174; 88SS9175; 88SS9187; 88SS9188; 88SS9189; 88SS9190; 88SS1085; 88SS1087; 88SS1090; 88SS1100; 88SS1084; 88SS1088; 88SS1098.
| VAR-201906-0297 | CVE-2019-1872 | Cisco TelePresence Video Communication Server and Cisco Expressway Series Server-side request forgery vulnerability |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
A vulnerability in Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway Series software could allow an unauthenticated, remote attacker to cause an affected system to send arbitrary network requests. The vulnerability is due to improper restrictions on network services in the affected software. An attacker could exploit this vulnerability by sending malicious requests to the affected system. A successful exploit could allow the attacker to send arbitrary network requests sourced from the affected system. Multiple Cisco Products are prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks.
These issues are being tracked by Cisco Bug ID CSCvj33774.
| VAR-201906-0219 | CVE-2019-7229 | ABB HMI Missing Authentication Bypass Vulnerability |
CVSS V2: 5.4 CVSS V3: 8.3 Severity: HIGH |
The ABB CP635 HMI uses two different transmission methods to upgrade its firmware and its software components: "Utilization of USB/SD Card to flash the device" and "Remote provisioning process via ABB Panel Builder 600 over FTP." Neither of these transmission methods implements any form of encryption or authenticity checks against the new firmware HMI software binary files. Vulnerabilities related to certificate validation exist in the firmware and software components of the ABB CP635 HMI. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). ABB CP635 HMI is a human-machine interface control panel from ABB, Switzerland. A security vulnerability exists in ABB CP635 HMI because the transmission methods use no form of encryption and perform no authenticity check on the new HMI software binaries. An attacker could exploit the vulnerability to control the HMI or execute arbitrary code on the system. Multiple ABB Products are prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. Successful exploits will lead to other attacks. ABB CP635 HMI and CP651 HMI could allow a remote malicious user to execute arbitrary code on the system, caused by the lack of encryption for the transmission methods.
| VAR-201906-0684 | CVE-2019-1861 | Cisco Industrial Network Director Input validation vulnerability |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
A vulnerability in the software update feature of Cisco Industrial Network Director could allow an authenticated, remote attacker to execute arbitrary code. The vulnerability is due to improper validation of files uploaded to the affected application. An attacker could exploit this vulnerability by authenticating to the affected system using administrator privileges and uploading an arbitrary file. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Cisco Industrial Network Director contains an input validation vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS).
This issue is being tracked by Cisco bug ID CSCvm20474. Cisco Industrial Network Director automates the management of industrial Ethernet infrastructure through visual operation. The vulnerability stems from the failure of the network system or product to properly validate input data.
| VAR-201906-0296 | CVE-2019-1870 | Cisco Enterprise Chat and Email Center Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
A vulnerability in the web-based management interface of Cisco Enterprise Chat and Email (ECE) Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the web interface or allow the attacker to access sensitive browser-based information. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCvo85826. Cisco Enterprise Chat and Email (CEC) is a suite of enterprise chat and email solutions from Cisco. This product mainly provides e-mail, chat and web callback functions for other Cisco solutions. The vulnerability stems from the lack of correct validation of client-supplied data in the web application.
| VAR-201906-0056 | CVE-2019-5286 | HedEx Lite Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
There is a reflected XSS vulnerability in the HedEx products. Remote attackers send malicious links to users and trick users into clicking them. Successful exploitation could allow the attacker to initiate XSS attacks. Affects HedEx Lite versions earlier than V200R006C00SPC007. HedEx Lite contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Huawei HedEx Lite is a product document manager from China's Huawei (Huawei). This product supports functions such as product document download, management and reading. The vulnerability stems from the lack of correct validation of client-supplied data in the web application.
| VAR-201906-0254 | CVE-2019-12506 | Logitech R700 Laser Presentation Remote R-R0010 Injection Vulnerability |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
Due to unencrypted and unauthenticated data communication, the wireless presenter Logitech R700 Laser Presentation Remote R-R0010 is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device. The Logitech R700 Laser Presentation Remote R-R0010 is a wireless presentation remote control from Logitech, Switzerland. An injection vulnerability exists in the Logitech R700 Laser Presentation Remote R-R0010. The vulnerability stems from constructing commands, data structures, or records from user input: the network system or product does not properly verify user input and fails to filter out special elements, so the input is parsed or interpreted incorrectly.
Advisory ID: SYSS-2019-015
Product: R700 Laser Presentation Remote
Manufacturer: Logitech
Affected Version(s): Model R-R0010 (PID WD904XM and PID WD802XM)
Tested Version(s): Model R-R0010 (PID WD904XM and PID WD802XM)
Vulnerability Type: Insufficient Verification of Data Authenticity (CWE-345)
Keystroke Injection Vulnerability
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-04-12
Solution Date: -
Public Disclosure: 2019-06-04
CVE Reference: CVE-2019-12506
Author of Advisory: Matthias Deeg (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Logitech R700 Laser Presentation Remote is a wireless presenter using
2.4 GHz radio communication. By knowing
the used data protocol, it is possible to inject packets in the data
communication that are actually interpreted as keystrokes by the
receiver on the target system.
The following output of the developed proof-of-concept software tool
illustrates a successful attack:
# python2 logitech_presenter.py -a 7F:20:9E:C2:07
_____ ______ ___ _ _ _____ _ _
| __ \| ____|__ \| || | | __ \| | | |
_ __ | |__) | |__ ) | || |_ | |__) | | __ _ _ _ ___ ___| |_
| '_ \| _ /| __| / /|__ _| | ___/| |/ _` | | | / __|/ _ \ __|
| | | | | \ \| | / /_ | | | | | | (_| | |_| \__ \ __/ |_
|_| |_|_| \_\_| |____| |_| |_| |_|\__,_|\__, |___/\___|\__|
__/ |
|___/
Logitech Wireless Presenter Attack Tool v1.0 by Matthias Deeg - SySS GmbH (c) 2016
[*] Configure nRF24 radio
[*] Actively searching for address 07:C2:9E:20:7F
[*] Ping success on channel 8
[*] Ping success on channel 8
[*] Press <CTRL+C> to start keystroke injection
^C
[*] Start keystroke injection ...
[*] Done.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
SySS GmbH is not aware of a solution for this reported security
vulnerability.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2019-04-12: Vulnerability reported to manufacturer
2019-06-04: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for Logitech R700
https://www.logitech.com/en-roeu/product/professional-presenter-r700
[2] Product website for Crazyradio PA
https://www.bitcraze.io/crazyradio-pa/
[3] Bastille's nRF24 research firmware and tools
https://github.com/BastilleResearch/nrf-research-firmware
[4] SySS Security Advisory SYSS-2016-074
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-074.txt
[5] SySS Security Advisory SYSS-2019-015
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-015.txt
[6] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Matthias Deeg of SySS GmbH.
E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
| VAR-201906-0252 | CVE-2019-12504 | Inateck WP2002 Vulnerabilities related to insufficient validation of data reliability |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
Due to unencrypted and unauthenticated data communication, the wireless presenter Inateck WP2002 is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device. Inateck WP2002 contains a vulnerability related to insufficient validation of data reliability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Inateck Technology Inateck WP2002 is a wearable wireless presentation remote control from Inateck Technology of the United States. A data forgery vulnerability exists in Inateck Technology Inateck WP2002. The vulnerability stems from the network system or product not adequately verifying the source or authenticity of the data. Attackers can use forged data to attack.
Advisory ID: SYSS-2019-008
Product: 2.4 GHz Wearable Wireless Presenter WP2002
Manufacturer: Inateck
Affected Version(s): n/a
Tested Version(s): n/a
Vulnerability Type: Insufficient Verification of Data Authenticity (CWE-345)
Keystroke Injection Vulnerability
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-03-22
Solution Date: -
Public Disclosure: 2019-06-04
CVE Reference: CVE-2019-12504
Author of Advisory: Matthias Deeg (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Inateck WP2002 is a ring-shaped wearable wireless presenter using
2.4 GHz radio communication.
The manufacturer describes the product as follows:
"
* Easy to Use: Uses 2.4 GHz USB wireless connection, with receiving
distance reaching 20 meters. You're free to move in a large space
when wearing it on fingers. No driver needed, just plug and play!
* Ring-shaped design. You can wear it on your fingers (the ring is
adjustable). Free your hands and have more body language, which will
let your speech become more attractive.
* Multi-functional: By controlling the three function keys in control
key area, you can turn pages, open full screen, close the screen, and
access a hyperlink.
* Prolonged working use. Full charge allows a continuous working time
of 15 days. Battery life is powerful, which greatly facilitates
frequent use.
* Fits Powerpoint, Keynote(except hyperlink and windows switch
functions), and supports page turning function with Google Slides and
Prezi. Compatible with Windows XP/7/8/8.1/10, Mac OS, Linux, Android
and etc.
"
By knowing the used data protocol, it is possible to inject
packets in the data communication that are actually interpreted as
keystrokes by the receiver on the target system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
SySS GmbH could successfully perform keystroke injection attacks against
the wireless presenter Inateck WP2002 using the open-source software
tool Universal Radio Hacker [2] in combination with the software-defined
radio HackRF One [3].
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
SySS GmbH is not aware of a solution for this reported security
vulnerability.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2019-03-22: Vulnerability reported to manufacturer
2019-06-04: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for Inateck WP2002
https://www.inateck.com/de/kabellos-praesentationsgeraet-laiserpointer-presenter-fernbedienung-powerpoint-keynote-usb-adapter-plug-and-play-schwarz-wp2002.html
[2] Universal Radio Hacker (URH)
https://github.com/jopohl/urh
[3] HackRF One by Great Scott Gadgets
https://greatscottgadgets.com/hackrf/
[4] SySS Security Advisory SYSS-2019-008
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-008.txt
[5] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Matthias Deeg of SySS GmbH.
E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en